Updates from: 08/16/2022 05:47:53
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Howto Authentication Use Email Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md
In the current preview state, the following limitations apply to email as an alt
* On some Microsoft sites and apps, such as Microsoft Office, the *Account Manager* control typically displayed in the upper right may display the user's UPN instead of the non-UPN email used to sign in. * **Unsupported flows** - Some flows are currently not compatible with non-UPN emails, such as the following:
- * Identity Protection doesn't match non-UPN emails with *Leaked Credentials* risk detection. This risk detection uses the UPN to match credentials that have been leaked. For more information, see [Azure AD Identity Protection risk detection and remediation][identity-protection].
+ * Identity Protection doesn't match non-UPN emails with *Leaked Credentials* risk detection. This risk detection uses the UPN to match credentials that have been leaked. For more information, see [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
* When a user is signed-in with a non-UPN email, they cannot change their password. Azure AD self-service password reset (SSPR) should work as expected. During SSPR, the user may see their UPN if they verify their identity using a non-UPN email. * **Unsupported scenarios** - The following scenarios are not supported. Sign-in with non-UPN email for:
To support this hybrid authentication approach, you synchronize your on-premises
In both configuration options, the user submits their username and password to Azure AD, which validates the credentials and issues a ticket. When users sign in to Azure AD, it removes the need for your organization to host and manage an AD FS infrastructure.
-One of the user attributes that's automatically synchronized by Azure AD Connect is *ProxyAddresses*. If users have an email address defined in the on-prem AD DS environment as part of the *ProxyAddresses* attribute, it's automatically synchronized to Azure AD. This email address can then be used directly in the Azure AD sign-in process as an alternate login ID.
+One of the user attributes that's automatically synchronized by Azure AD Connect is *ProxyAddresses*. If users have an email address defined in the on-premesis AD DS environment as part of the *ProxyAddresses* attribute, it's automatically synchronized to Azure AD. This email address can then be used directly in the Azure AD sign-in process as an alternate login ID.
> [!IMPORTANT] > Only emails in verified domains for the tenant are synchronized to Azure AD. Each Azure AD tenant has one or more verified domains, for which you have proven ownership, and are uniquely bound to your tenant.
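Review bot: The added line misspells "on-premises" as "on-premesis" in "defined in the on-premesis AD DS environment". The removed line had "on-prem", and the context line above the hunk already spells it "on-premises", so use "on-premises AD DS environment" here.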
For more information on hybrid identity operations, see [how password hash sync]
[hybrid-overview]: ../hybrid/cloud-governed-management-for-on-premises.md [phs-overview]: ../hybrid/how-to-connect-password-hash-synchronization.md [pta-overview]: ../hybrid/how-to-connect-pta-how-it-works.md
-[identity-protection]: ../identity-protection/overview-identity-protection.md#risk-detection-and-remediation
[sign-in-logs]: ../reports-monitoring/concept-sign-ins.md <!-- EXTERNAL LINKS -->
active-directory Howto Mfa Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md
You can control the authentication methods available in your tenant. For example
| Authentication method | Manage from | Scoping | |--|-||
-| Microsoft Authenticator (Push notification and passwordless phone sign in) | MFA settings or Authentication methods policy | Authenticator passwordless phone sign in can be scoped to users and groups |
+| Microsoft Authenticator (Push notification and passwordless phone sign-in) | MFA settings or Authentication methods policy | Authenticator passwordless phone sign-in can be scoped to users and groups |
| FIDO2 security key | Authentication methods policy | Can be scoped to users and groups | | Software or Hardware OATH tokens | MFA settings | |
-| SMS verification | MFA settings <br/>Manage SMS sign in for primary authentication in authentication policy | SMS sign in can be scoped to users and groups. |
+| SMS verification | MFA settings <br/>Manage SMS sign-in for primary authentication in authentication policy | SMS sign-in can be scoped to users and groups. |
| Voice calls | Authentication methods policy | |
Common use cases to require Azure AD Multi-Factor Authentication include:
### Named locations
-To manage your Conditional Access policies, the location condition of a Conditional Access policy enables you to tie access controls settings to the network locations of your users. We recommend to use [Named Locations](../conditional-access/location-condition.md) so that you can create logical groupings of IP address ranges or countries and regions. This creates a policy for all apps that blocks sign in from that named location. Be sure to exempt your administrators from this policy.
+To manage your Conditional Access policies, the location condition of a Conditional Access policy enables you to tie access controls settings to the network locations of your users. We recommend using [Named Locations](../conditional-access/location-condition.md) so that you can create logical groupings of IP address ranges or countries and regions. This creates a policy for all apps that blocks sign-in from that named location. Be sure to exempt your administrators from this policy.
### Risk-based policies
-If your organization uses [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) to detect risk signals, consider using [risk-based policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) instead of named locations. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign in is deemed [risky by events](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation) such as leaked credentials, sign ins from anonymous IP addresses, and more.
+If your organization uses [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) to detect risk signals, consider using [risk-based policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) instead of named locations. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed [at risk](../identity-protection/howto-identity-protection-configure-risk-policies.md) such as leaked credentials, sign-ins from anonymous IP addresses, and more.
Risk policies include: - [Require all users to register for Azure AD Multi-Factor Authentication](../identity-protection/howto-identity-protection-configure-mfa-policy.md)-- [Require a password change for users that are high-risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#enable-policies)-- [Require MFA for users with medium or high sign in risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#enable-policies)
+- [Require a password change for users that are high-risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-with-conditional-access)
+- [Require MFA for users with medium or high sign in risk](../identity-protection/howto-identity-protection-configure-risk-policies.md#sign-in-risk-with-conditional-access)
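Review bot: In the Risk-based policies paragraph, the new link text leaves "such as" with nothing to attach to: "a sign-in is deemed [at risk] such as leaked credentials, sign-ins from anonymous IP addresses" no longer names the events those examples illustrate. Reword it, for example "deemed at risk because of detections such as leaked credentials or sign-ins from anonymous IP addresses". The "at risk" link also points to the same article as the "risk-based policies" link earlier in the sentence, so one of the two can go. The added bullet "Require MFA for users with medium or high sign in risk" keeps the unhyphenated "sign in" that the rest of this change replaces with "sign-in".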
### Convert users from per-user MFA to Conditional Access based MFA
Get-MsolUser -All | Set-MfaState -State Disabled
When planning your multifactor authentication deployment, it's important to think about how frequently you would like to prompt your users. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt. Azure AD has multiple settings that determine how often you need to reauthenticate. Understand the needs of your business and users and configure settings that provide the best balance for your environment.
-We recommend using devices with Primary Refresh Tokens (PRT) for improved end user experience and reduce the session lifetime with sign in frequency policy only on specific business use cases.
+We recommend using devices with Primary Refresh Tokens (PRT) for improved end user experience and reduce the session lifetime with sign-in frequency policy only on specific business use cases.
For more information, see [Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication](concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
It's critical to inform users about upcoming changes, registration requirements,
### Registration with Identity Protection
-Azure AD Identity Protection contributes both a registration policy for and automated risk detection and remediation policies to the Azure AD Multi-Factor Authentication story. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign in is deemed risky.
+Azure AD Identity Protection contributes both a registration policy for and automated risk detection and remediation policies to the Azure AD Multi-Factor Authentication story. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed risky.
If you use Azure AD Identity Protection, [configure the Azure AD MFA registration policy](../identity-protection/howto-identity-protection-configure-mfa-policy.md) to prompt your users to register the next time they sign in interactively. ### Registration without Identity Protection
-If you don't have licenses that enable Azure AD Identity Protection, users are prompted to register the next time that MFA is required at sign in.
+If you don't have licenses that enable Azure AD Identity Protection, users are prompted to register the next time that MFA is required at sign-in.
To require users to use MFA, you can use Conditional Access policies and target frequently used applications like HR systems. If a user's password is compromised, it could be used to register for MFA, taking control of their account. We therefore recommend [securing the security registration process with conditional access policies](../conditional-access/howto-conditional-access-policy-registration.md) requiring trusted devices and locations. You can further secure the process by also requiring a [Temporary Access Pass](howto-authentication-temporary-access-pass.md). A time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones. ### Increase the security of registered users
-If you have users registered for MFA using SMS or voice calls, you may want to move them to more secure methods such as the Microsoft Authenticator app. Microsoft now offers a public preview of functionality that allows you to prompt users to set up the Microsoft Authenticator app during sign in. You can set these prompts by group, controlling who is prompted, enabling targeted campaigns to move users to the more secure method.
+If you have users registered for MFA using SMS or voice calls, you may want to move them to more secure methods such as the Microsoft Authenticator app. Microsoft now offers a public preview of functionality that allows you to prompt users to set up the Microsoft Authenticator app during sign-in. You can set these prompts by group, controlling who is prompted, enabling targeted campaigns to move users to the more secure method.
### Plan recovery scenarios
This section provides reporting and troubleshooting information for Azure AD Mul
### Reporting and Monitoring
-Azure AD has reports that provide technical and business insights, follow the progress of your deployment and check if your users are successful at sign in with MFA. Have your business and technical application owners assume ownership of and consume these reports based on your organization's requirements.
+Azure AD has reports that provide technical and business insights, follow the progress of your deployment and check if your users are successful at sign-in with MFA. Have your business and technical application owners assume ownership of and consume these reports based on your organization's requirements.
You can monitor authentication method registration and usage across your organization using the [Authentication Methods Activity dashboard](howto-authentication-methods-activity.md). This helps you understand what methods are being registered and how they're being used. #### Sign in report to review MFA events
-The Azure AD sign in reports include authentication details for events when a user is prompted for MFA, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication.
+The Azure AD sign-in reports include authentication details for events when a user is prompted for MFA, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication.
NPS extension and AD FS logs can be viewed from **Security** > **MFA** > **Activity report**. Inclusion of this activity in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md) is currently in Preview.
active-directory Block Legacy Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/block-legacy-authentication.md
Last updated 06/21/2022 -+
active-directory Concept Condition Filters For Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Last updated 04/28/2022 -+
active-directory Concept Conditional Access Cloud Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Last updated 08/09/2022
-+
active-directory Concept Conditional Access Conditions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-conditions.md
Last updated 04/27/2022
-+
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-grant.md
Last updated 08/05/2022 -+
active-directory Concept Conditional Access Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policies.md
Last updated 08/05/2022
-+
active-directory Concept Conditional Access Policy Common https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policy-common.md
Last updated 11/05/2021
-+
active-directory Concept Conditional Access Report Only https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-report-only.md
Last updated 05/01/2020
-+
active-directory Concept Conditional Access Session https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-session.md
Last updated 04/21/2022
-+
active-directory Concept Conditional Access Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-users-groups.md
Last updated 08/05/2022
-+
active-directory Concept Continuous Access Evaluation Workload https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md
Last updated 07/22/2022
-+
active-directory Concept Continuous Access Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md
Last updated 03/25/2022
-+
active-directory Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/controls.md
Last updated 08/26/2020
-+
active-directory Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/faqs.md
Last updated 10/16/2020
-+
active-directory Howto Conditional Access Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-apis.md
Last updated 09/10/2020
-+
active-directory Howto Conditional Access Insights Reporting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md
Last updated 08/27/2020
-+
active-directory Howto Conditional Access Policy Admin Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md
Last updated 11/05/2021
-+
active-directory Howto Conditional Access Policy All Users Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md
Last updated 03/28/2022
-+
active-directory Howto Conditional Access Policy Azure Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md
Last updated 02/03/2022
-+
active-directory Howto Conditional Access Policy Block Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-access.md
Last updated 02/14/2022
-+
active-directory Howto Conditional Access Policy Block Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md
Last updated 11/05/2021
-+
active-directory Howto Conditional Access Policy Compliant Device https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md
Last updated 03/28/2022
-+
active-directory Howto Conditional Access Policy Location https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-location.md
Last updated 11/05/2021
-+
active-directory Howto Conditional Access Policy Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md
Last updated 11/15/2021
-+
active-directory Howto Conditional Access Policy Risk User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk-user.md
Last updated 03/21/2022
-+
active-directory Howto Conditional Access Policy Risk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk.md
Last updated 03/21/2022
-+
active-directory Howto Conditional Access Session Lifetime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md
Last updated 07/06/2022
-+
active-directory Howto Continuous Access Evaluation Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot.md
Last updated 06/09/2022
-+
active-directory Howto Policy Approved App Or App Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-approved-app-or-app-protection.md
Last updated 11/08/2021
-+
active-directory Location Condition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/location-condition.md
Title: Location condition in Azure Active Directory Conditional Access
-description: Use the location condition to control access based on user location.
+description: Use the location condition to control access based on user physical or network location.
Previously updated : 12/02/2021 Last updated : 08/15/2022 -+ -- # Using the location condition in a Conditional Access policy
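Review bot: The new description "control access based on user physical or network location" drops the possessive. "based on a user's physical or network location" reads correctly and keeps the added distinction between GPS and IP-based location.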
As explained in the [overview article](overview.md) Conditional Access policies
Organizations can use this location for common tasks like: -- Requiring multi-factor authentication for users accessing a service when they're off the corporate network.
+- Requiring multifactor authentication for users accessing a service when they're off the corporate network.
- Blocking access for users accessing a service from specific countries or regions. The location is determined by the public IP address a client provides to Azure Active Directory or GPS coordinates provided by the Microsoft Authenticator app. Conditional Access policies by default apply to all IPv4 and IPv6 addresses.
Named locations defined by IPv4/IPv6 address ranges are subject to the following
- Configure up to 195 named locations - Configure up to 2000 IP ranges per named location - Both IPv4 and IPv6 ranges are supported-- Private IP ranges cannot be configured
+- Private IP ranges can't be configured
- The number of IP addresses contained in a range is limited. Only CIDR masks greater than /8 are allowed when defining an IP range. #### Trusted locations Administrators can name locations defined by IP address ranges to be trusted named locations.
-Sign-ins from trusted named locations improve the accuracy of Azure AD Identity Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted. Additionally, trusted named locations can be targeted in Conditional Access policies. For example, you may [restrict multi-factor authentication registration to trusted locations](howto-conditional-access-policy-registration.md).
+Sign-ins from trusted named locations improve the accuracy of Azure AD Identity Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted. Additionally, trusted named locations can be targeted in Conditional Access policies. For example, you may [restrict multifactor authentication registration to trusted locations](howto-conditional-access-policy-registration.md).
### Countries
If you select **Determine location by GPS coordinates**, the user will need to h
The first time the user is required to share their location from the Microsoft Authenticator app, the user will receive a notification in the app. The user will need to open the app and grant location permissions.
-For the next 24 hours, if the user is still accessing the resource and granted the app permission to run in the background, the device's location is shared silently once per hour. After 24 hours, the user must open the app and approve the notification. Every time the user shares their GPS location, the app does jailbreak detection (Using the same logic as the Intune MAM SDK). If the device is jailbroken, the location isn't considered valid and the user isn't granted access.
+For the next 24 hours, if the user is still accessing the resource and granted the app permission to run in the background, the device's location is shared silently once per hour.
+
+- After 24 hours, the user must open the app and approve the notification.
+- Users who have number matching or additional context enabled in the Microsoft Authenticator app won't receive notifications silently and must open the app to approve notifications.
+
+Every time the user shares their GPS location, the app does jailbreak detection (Using the same logic as the Intune MAM SDK). If the device is jailbroken, the location isn't considered valid, and the user isn't granted access.
A Conditional Access policy with GPS-based named locations in report-only mode prompts users to share their GPS location, even though they aren't blocked from signing in.
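Review bot: The two added bullets follow "shared silently once per hour." with no sentence introducing them, and the second bullet says users with number matching or additional context "won't receive notifications silently", whereas the preceding sentence says it is the device's location that is shared silently. State the exception in the same terms, for example that for these users the location isn't shared silently and they must open the app to approve each notification, and make clear whether this applies inside the first 24 hours. In the jailbreak-detection sentence, "(Using the same logic as the Intune MAM SDK)" should start lowercase since it sits mid-sentence.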
Some IP addresses aren't mapped to a specific country or region, including all I
### Configure MFA trusted IPs
-You can also configure IP address ranges representing your organization's local intranet in the [multi-factor authentication service settings](https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx). This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. For more information, see [Trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips).
+You can also configure IP address ranges representing your organization's local intranet in the [multifactor authentication service settings](https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx). This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. For more information, see [Trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips).
If you have Trusted IPs configured, they show up as **MFA Trusted IPs** in the list of locations for the location condition.
-#### Skipping multi-factor authentication
+#### Skipping multifactor authentication
-On the multi-factor authentication service settings page, you can identify corporate intranet users by selecting **Skip multi-factor authentication for requests from federated users on my intranet**. This setting indicates that the inside corporate network claim, which is issued by AD FS, should be trusted and used to identify the user as being on the corporate network. For more information, see [Enable the Trusted IPs feature by using Conditional Access](../authentication/howto-mfa-mfasettings.md#enable-the-trusted-ips-feature-by-using-conditional-access).
+On the multifactor authentication service settings page, you can identify corporate intranet users by selecting **Skip multifactor authentication for requests from federated users on my intranet**. This setting indicates that the inside corporate network claim, which is issued by AD FS, should be trusted and used to identify the user as being on the corporate network. For more information, see [Enable the Trusted IPs feature by using Conditional Access](../authentication/howto-mfa-mfasettings.md#enable-the-trusted-ips-feature-by-using-conditional-access).
After checking this option, including the named location **MFA Trusted IPs** will apply to any policies with this option selected.
This option applies to:
### Selected locations
-With this option, you can select one or more named locations. For a policy with this setting to apply, a user needs to connect from any of the selected locations. When you **Select** the named network selection control that shows the list of named networks opens. The list also shows if the network location has been marked as trusted. The named location called **MFA Trusted IPs** is used to include the IP settings that can be configured in the multi-factor authentication service setting page.
+With this option, you can select one or more named locations. For a policy with this setting to apply, a user needs to connect from any of the selected locations. When you **Select** the named network selection control that shows the list of named networks opens. The list also shows if the network location has been marked as trusted. The named location called **MFA Trusted IPs** is used to include the IP settings that can be configured in the multifactor authentication service setting page.
## IPv6 traffic
A preview version of the Graph API for named locations is available, for more in
## Next steps -- Configure a Conditional Access policy using location, see the article [Conditional Access: Block access by location](howto-conditional-access-policy-location.md).
+- Configure an example Conditional Access policy using location, see the article [Conditional Access: Block access by location](howto-conditional-access-policy-location.md).
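Review bot: The added bullet is a comma splice: "Configure an example Conditional Access policy using location, see the article ...". Make it a single instruction, such as "To configure an example Conditional Access policy using location, see [Conditional Access: Block access by location](howto-conditional-access-policy-location.md)."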
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/overview.md
Last updated 08/05/2022
-+
active-directory Plan Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/plan-conditional-access.md
Last updated 08/11/2022 --++
active-directory Policy Migration Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration-mfa.md
Last updated 05/26/2020
-+
active-directory Policy Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration.md
Last updated 12/04/2019
-+
active-directory Reference Office 365 Application Contents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/reference-office-365-application-contents.md
Last updated 02/08/2022
-+
active-directory Require Tou https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/require-tou.md
Last updated 08/05/2022 -+
active-directory Resilience Defaults https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/resilience-defaults.md
Last updated 02/25/2022
-+
active-directory Service Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/service-dependencies.md
Last updated 07/06/2022
-+
active-directory Terms Of Use https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md
Last updated 05/26/2022
-+
active-directory Troubleshoot Conditional Access What If https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access-what-if.md
Last updated 06/17/2022
-+
active-directory Troubleshoot Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md
Last updated 07/06/2022
-+
active-directory Troubleshoot Policy Changes Audit Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md
Last updated 08/09/2021
-+
active-directory What If Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/what-if-tool.md
Last updated 08/09/2022
-+
active-directory Workload Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/workload-identity.md
Last updated 03/25/2022
-+
active-directory Assign Local Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md
Last updated 02/15/2022
-+ #Customer intent: As an IT admin, I want to manage the local administrators group assignment during an Azure AD join, so that I can control who can manage Azure AD joined devices
active-directory Azuread Join Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/azuread-join-sso.md
Last updated 02/08/2022
-+
active-directory Azuread Joined Devices Frx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/azuread-joined-devices-frx.md
Last updated 06/28/2019
-+ #Customer intent: As a user, I want to join my corporate device during a first-run so that I can access my corporate resources
active-directory Azureadjoin Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/azureadjoin-plan.md
Last updated 02/15/2022
-+
active-directory Concept Azure Ad Join Hybrid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-azure-ad-join-hybrid.md
Last updated 02/15/2022
-+
active-directory Concept Azure Ad Join https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-azure-ad-join.md
Last updated 02/07/2022
-+
active-directory Concept Azure Ad Register https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-azure-ad-register.md
Last updated 02/15/2022
-+
active-directory Concept Primary Refresh Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-primary-refresh-token.md
Last updated 02/15/2022
-+
active-directory Device Management Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-management-azure-portal.md
Last updated 07/18/2022
-+
active-directory Device Registration How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-registration-how-it-works.md
Last updated 02/15/2022
-+
active-directory Enterprise State Roaming Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-enable.md
Last updated 02/15/2022
-+
active-directory Enterprise State Roaming Group Policy Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-group-policy-settings.md
Last updated 02/15/2022
-+
active-directory Enterprise State Roaming Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md
Last updated 02/25/2022
-+
active-directory Enterprise State Roaming Windows Settings Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-windows-settings-reference.md
Last updated 03/01/2022
-+
active-directory Howto Device Identity Virtual Desktop Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md
Last updated 07/05/2022
-+ # Customer intent: As an administrator, I want to provide staff with secured workstations to reduce the risk of breach due to misconfiguration or compromise.
active-directory Howto Hybrid Azure Ad Join https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-hybrid-azure-ad-join.md
Last updated 04/06/2022
-+
active-directory Howto Hybrid Join Downlevel https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-hybrid-join-downlevel.md
Last updated 01/20/2022
-+
active-directory Howto Hybrid Join Verify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-hybrid-join-verify.md
Last updated 04/06/2022
-+
active-directory Howto Vm Sign In Azure Ad Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md
Last updated 06/20/2022
-+
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Last updated 06/16/2022
-+
active-directory Hybrid Azuread Join Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-control.md
Last updated 04/06/2022
-+
active-directory Hybrid Azuread Join Manual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-manual.md
Last updated 07/05/2022
-+
active-directory Hybrid Azuread Join Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-plan.md
Last updated 02/15/2022
-+
active-directory Manage Stale Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md
Last updated 06/01/2022
-+ #Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data.
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/overview.md
Last updated 02/07/2022
-+
active-directory Reference Device Registration Tls 1 2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/reference-device-registration-tls-1-2.md
Last updated 07/10/2020
-+
active-directory Troubleshoot Device Dsregcmd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-dsregcmd.md
Last updated 11/21/2019
-+
active-directory Troubleshoot Hybrid Join Windows Current https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md
Last updated 02/15/2022
-+ #Customer intent: As an IT admin, I want to fix issues with my hybrid Azure AD-joined devices so that my users can use this feature.
active-directory Troubleshoot Hybrid Join Windows Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-legacy.md
Last updated 02/15/2022
-+ #Customer intent: As an IT admin, I want to fix issues with my hybrid Azure AD joined devices so that I can my users can use this feature.
active-directory Active Directory Deployment Checklist P2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-deployment-checklist-p2.md
Last updated 12/07/2021
-+
active-directory Concept Fundamentals Block Legacy Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication.md
Last updated 01/26/2021
-+
active-directory Concept Fundamentals Security Defaults https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md
Last updated 04/07/2022
-+
active-directory Concept Secure Remote Workers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-secure-remote-workers.md
Last updated 04/27/2020
-+
active-directory Identity Secure Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/identity-secure-score.md
Last updated 06/09/2022
-+ #Customer intent: As an IT admin, I want understand the identity secure score, so that I can maximize the security posture of my tenant.
active-directory Protect M365 From On Premises Attacks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/protect-m365-from-on-premises-attacks.md
Monitor the following key scenarios, in addition to any scenarios specific to yo
- **Suspicious activity**
- Monitor all Azure AD risk events for suspicious activity. See [Risk detection and remediation](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation). Azure AD Identity Protection is natively integrated with Microsoft Defender for Cloud. See [What is Identity Protection](../identity-protection/overview-identity-protection.md).
+ Monitor all Azure AD risk events for suspicious activity. See [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md). Azure AD Identity Protection is natively integrated with [Microsoft Defender for Identity](/defender-for-identity/what-is).
- Define the network named locations to avoid noisy detections on location-based signals. See [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md).
+ Define network named locations to avoid noisy detections on location-based signals. See [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md).
- **User and Entity Behavioral Analytics (UEBA) alerts**
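Review bot: The added "Monitor all Azure AD risk events" line changes the product named in the integration sentence from Microsoft Defender for Cloud to Microsoft Defender for Identity, which is a factual change rather than a link fix, and it drops the "What is Identity Protection" pointer without a replacement. Confirm the Defender for Identity claim and state it in the commit description. The move away from the `#risk-detection-and-remediation` anchor to `howto-identity-protection-investigate-risk.md` is consistent with that heading being renamed in the overview article in this same batch.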
active-directory Access Reviews Downloadable Review History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-downloadable-review-history.md
Title: Create and manage downloadable access review history report - Azure Activ
description: Using Azure Active Directory access reviews, you can download a review history for access reviews in your organization. documentationcenter: ''-+
na
Last updated 02/18/2022-+ # Create and manage downloadable access review history report in Azure AD access reviews
active-directory Access Reviews External Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-external-users.md
Title: Use Azure AD Identity Governance to review and remove external users who
description: Use Access Reviews to extend of remove access from members of partner organizations documentationcenter: ''-+
na
Last updated 09/06/2020-+ # Use Azure Active Directory (Azure AD) Identity Governance to review and remove external users who no longer have resource access
active-directory Access Reviews Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-overview.md
Title: What are access reviews? - Azure Active Directory | Microsoft Docs
description: Using Azure Active Directory access reviews, you can control group membership and application access to meet governance, risk management, and compliance initiatives in your organization. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 10/29/2020-+
active-directory Complete Access Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/complete-access-review.md
Title: Complete an access review of groups & applications - Azure AD
description: Learn how to complete an access review of group members or application access in Azure Active Directory access reviews. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 02/18/2022-+
active-directory Conditional Access Exclusion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/conditional-access-exclusion.md
Title: Manage users excluded from Conditional Access policies
description: Learn how to use Azure Active Directory (Azure AD) access reviews to manage users that have been excluded from Conditional Access policies documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 12/23/2020-+
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md
Title: Plan an Azure Active Directory access reviews deployment
description: Planning guide for a successful access reviews deployment. documentationCenter: ''-+ editor:
na
Last updated 04/16/2021-+
active-directory Identity Governance Applications Define https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-define.md
Title: Define organizational policies for governing access to applications in yo
description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. You can define policies for how users should obtain access to your business critical applications integrated with Azure AD. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 7/28/2022-+
active-directory Identity Governance Applications Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-deploy.md
Title: Deploying policies for governing access to applications integrated with A
description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. You can use entitlement management and other identity governance features to enforce the policies for access. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 6/28/2022-+
active-directory Identity Governance Applications Integrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-integrate.md
Title: Integrate your applications for identity governance and establishing a ba
description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. You can integrate your existing business critical third party on-premises and cloud-based applications with Azure AD for identity governance scenarios. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 7/29/2022-+
active-directory Identity Governance Applications Prepare https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-prepare.md
Title: Govern access for applications in your environment - Azure AD
description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. These features can be used for your existing business critical third party on-premises and cloud-based applications. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 6/28/2022-+
active-directory Identity Governance Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-automation.md
Title: Automate Azure AD Identity Governance tasks with Azure Automation
description: Learn how to write PowerShell scripts in Azure Automation to interact with Azure Active Directory entitlement management and other features. documentationCenter: ''-+ editor:
ms.devlang: na
Last updated 1/20/2022-+
active-directory Identity Governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-overview.md
Title: Identity Governance - Azure Active Directory | Microsoft Docs
description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 8/10/2022-+
active-directory Manage Access Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-access-review.md
Title: Manage access with access reviews - Azure AD
description: Learn how to manage user and guest access as membership of a group or assignment to an application with Azure Active Directory access reviews documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 08/20/2021-+
active-directory Manage Guest Access With Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-guest-access-with-access-reviews.md
Title: Manage guest access with access reviews - Azure AD
description: Manage guest users as members of a group or assigned to an application with Azure Active Directory access reviews documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 4/16/2021-+
active-directory Manage User Access With Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-user-access-with-access-reviews.md
Title: Manage user access with access reviews - Azure AD
description: Learn how to manage users' access as membership of a group or assignment to an application with Azure Active Directory access reviews documentationcenter: ''-+ editor: markwahl-msft
na
Last updated 06/21/2018-+
active-directory Perform Access Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/perform-access-review.md
Title: Review access to groups & applications in access reviews - Azure AD description: Learn how to review access of group members or application access in Azure Active Directory access reviews. -+ editor: markwahl-msft
na
Last updated 7/18/2022-+
active-directory Review Your Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/review-your-access.md
Title: Review your access to groups & apps in access reviews - Azure AD description: Learn how to review your own access to groups or applications in Azure Active Directory access reviews. -+ editor: markwahl-msft
na
Last updated 12/22/2020-+
active-directory Self Access Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/self-access-review.md
Title: Review your access to resources in access reviews - Azure AD description: Learn how to review your own access to resources in Azure Active Directory access reviews. -+ editor: markwahl-msft
na
Last updated 08/27/2021-+
active-directory Concept Identity Protection B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-b2b.md
Last updated 05/03/2021
-+
active-directory Concept Identity Protection Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-policies.md
Last updated 05/20/2020
-+
active-directory Concept Identity Protection Risks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-risks.md
Last updated 04/15/2022
-+
active-directory Concept Identity Protection Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-security-overview.md
Last updated 07/02/2020
-+
active-directory Concept Identity Protection User Experience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-user-experience.md
Last updated 01/21/2022
-+
active-directory Concept Workload Identity Risk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-workload-identity-risk.md
Last updated 02/07/2022
-+
active-directory Howto Export Risk Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-export-risk-data.md
Last updated 02/18/2022
-+
active-directory Howto Identity Protection Configure Mfa Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md
Last updated 06/05/2020
-+
active-directory Howto Identity Protection Configure Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-notifications.md
Last updated 09/23/2021
-+
active-directory Howto Identity Protection Configure Risk Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md
Last updated 03/18/2022
-+
active-directory Howto Identity Protection Graph Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-graph-api.md
Last updated 01/25/2021
-+
active-directory Howto Identity Protection Investigate Risk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-investigate-risk.md
Last updated 01/24/2022
-+
active-directory Howto Identity Protection Remediate Unblock https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md
Last updated 02/17/2022
-+
active-directory Howto Identity Protection Risk Feedback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-risk-feedback.md
Last updated 06/05/2020
-+
active-directory Howto Identity Protection Simulate Risk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md
Last updated 06/05/2020
-+
active-directory Overview Identity Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/overview-identity-protection.md
Title: What is Azure Active Directory Identity Protection?
-description: Detect, remediate, investigate, and analyze risk with Azure AD Identity Protection
+description: Automation to detect, remediate, investigate, and analyze risk data with Azure AD Identity Protection
Previously updated : 05/31/2022 Last updated : 08/15/2022 -+ -- # What is Identity Protection?
-Identity Protection is a tool that allows organizations to accomplish three key tasks:
+Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats. Identity Protection allows organizations to accomplish three key tasks:
- [Automate the detection and remediation of identity-based risks](howto-identity-protection-configure-risk-policies.md). - [Investigate risks](howto-identity-protection-investigate-risk.md) using data in the portal.-- [Export risk detection data to your SIEM](../../sentinel/data-connectors-reference.md#azure-active-directory-identity-protection).-
-Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.
+- [Export risk detection data to other tools](howto-export-risk-data.md).
-The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization's enforced policies.
+The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation.
## Why is automation important?
-In the blog post *[Cyber Signals: Defending against cyber threats with the latest research, insights, and trends](https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/)* dated February 3, 2022 we shared a thread intelligence brief including the following statistics:
+In the blog post *[Cyber Signals: Defending against cyber threats with the latest research, insights, and trends](https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/)* dated February 3, 2022 we shared a threat intelligence brief including the following statistics:
> * Analyzed ...24 trillion security signals combined with intelligence we track by monitoring more than 40 nation-state groups and over 140 threat groups... > * ...From January 2021 through December 2021, weΓÇÖve blocked more than 25.6 billion Azure AD brute force authentication attacks...
-This scale of signals and attacks requires some level of automation to be able to keep up.
-## Risk detection and remediation
+The sheer scale of signals and attacks requires some level of automation to be able to keep up.
+
+## Detect risk
-Identity Protection identifies risks of many types, including:
+Identity Protection detects [risks](concept-identity-protection-risks.md) of many types, including:
- Anonymous IP address use - Atypical travel
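Review bot: Renaming the heading "## Risk detection and remediation" to "## Detect risk" removes the `#risk-detection-and-remediation` anchor that other articles link to; protect-m365-from-on-premises-attacks.md is updated for it in this same batch, but any remaining inbound links need the same treatment. In the rewritten intro, "Microsoft has acquired from their position" mixes singular and plural, and the carried-over sentence "The signals generated by and fed to Identity Protection, can be further fed" still has a comma between subject and verb; both are worth fixing while the paragraph is being touched.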
Identity Protection identifies risks of many types, including:
- Password spray - and more...
-More detail on these and other risks including how or when they're calculated can be found in the article, [What is risk](concept-identity-protection-risks.md).
+The risk signals can trigger remediation efforts such as requiring: perform multifactor authentication, reset their password using self-service password reset, or block access until an administrator takes action.
-The risk signals can trigger remediation efforts such as requiring users to: perform Azure AD Multi-Factor Authentication, reset their password using self-service password reset, or blocking until an administrator takes action.
+More detail on these and other risks including how or when they're calculated can be found in the article, [What is risk](concept-identity-protection-risks.md).
-## Risk investigation
+## Investigate risk
Administrators can review detections and take manual action on them if needed. There are three key reports that administrators use for investigations in Identity Protection:
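Review bot: The added remediation sentence lost its object: "such as requiring: perform multifactor authentication, reset their password" no longer says who is required to act, and "block access until an administrator takes action" does not fit a list introduced by "requiring". Restore "requiring users to" and make the three items parallel. The risks article is also now linked twice within a few lines, once from "Identity Protection detects [risks]" and again from the "More detail" sentence; one of the two can go.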
More information can be found in the article, [How To: Investigate risk](howto-i
Identity Protection categorizes risk into tiers: low, medium, and high.
-While Microsoft doesn't provide specific details about how risk is calculated, we'll say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
+Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
-## Exporting risk data
+## Make further use of risk information
Data from Identity Protection can be exported to other tools for archive and further investigation and correlation. The Microsoft Graph based APIs allow organizations to collect this data for further processing in a tool such as their SIEM. Information about how to access the Identity Protection API can be found in the article, [Get started with Azure Active Directory Identity Protection and Microsoft Graph](howto-identity-protection-graph-api.md) Information about integrating Identity Protection information with Microsoft Sentinel can be found in the article, [Connect data from Azure AD Identity Protection](../../sentinel/data-connectors-reference.md#azure-active-directory-identity-protection).
-Additionally, organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD to send RiskyUsers and UserRiskEvents data to a Log Analytics workspace, archive data to a storage account, stream data to Event Hubs, or send data to a partner solution. Detailed information about how to do so can be found in the article, [How To: Export risk data](howto-export-risk-data.md).
+Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD. They can choose to send data to a Log Analytics workspace, archive data to a storage account, stream data to Event Hubs, or send data to a partner solution. Detailed information about how to do so can be found in the article, [How To: Export risk data](howto-export-risk-data.md).
-## Permissions
+## Required roles
Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access.
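Review bot: The rewritten diagnostic settings paragraph drops the names RiskyUsers and UserRiskEvents, so a reader no longer learns which data the setting exports; keep them in the new wording, for example "send RiskyUsers and UserRiskEvents data to a Log Analytics workspace". The heading renames to "Make further use of risk information" and "Required roles" also change the `#exporting-risk-data` and `#permissions` anchors, so inbound links to those sections should be checked.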
Identity Protection requires users be a Security Reader, Security Operator, Secu
| | | | | Global administrator | Full access to Identity Protection | | | Security administrator | Full access to Identity Protection | Reset password for a user |
-| Security operator | View all Identity Protection reports and Overview blade <br><br> Dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts |
-| Security reader | View all Identity Protection reports and Overview blade | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts <br><br> Give feedback on detections |
+| Security operator | View all Identity Protection reports and Overview <br><br> Dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts |
+| Security reader | View all Identity Protection reports and Overview | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts <br><br> Give feedback on detections |
+| Global reader | Read-only access to Identity Protection | |
Currently, the security operator role can't access the Risky sign-ins report.
-Conditional Access administrators can also create policies that factor in sign-in risk as a condition. Find more information in the article [Conditional Access: Conditions](../conditional-access/concept-conditional-access-conditions.md#sign-in-risk).
+Conditional Access administrators can create policies that factor in user or sign-in risk as a condition. Find more information in the article [Conditional Access: Conditions](../conditional-access/concept-conditional-access-conditions.md#sign-in-risk).
## License requirements
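Review bot: The new Global reader row leaves the last column empty, the same as the Global administrator row, which reads as if a read-only role has no restrictions; list what it cannot do, as the Security reader row does. In the Conditional Access sentence the text now says "user or sign-in risk" but the link still targets `#sign-in-risk` only; link to the conditions article without the fragment, or link user risk separately.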
active-directory Reference Identity Protection Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/reference-identity-protection-glossary.md
Last updated 10/18/2019
-+
active-directory Training Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/training-platform-tutorial.md
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Training Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Training Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
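Review bot: The link text is renamed to Defender for Cloud Apps but the target is still `/cloud-app-security/proxy-deployment-aad`; confirm that path still resolves for the renamed product, or update it in the same change. Since the sentence is already being edited, the unchanged wording "protects exfiltration and infiltration" would read better as "protects against exfiltration and infiltration".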
aks Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-security.md
When an AKS cluster is created or scaled up, the nodes are automatically deploye
> [!NOTE] > AKS clusters using:
-> * Kubernetes version 1.19 and greater for Linux node pools use `containerd` as its container runtime. Using `containerd` with Windows Server 2019 node pools is currently in preview. For more details, see [Add a Windows Server node pool with `containerd`][/learn/aks-add-np-containerd].
+> * Kubernetes version 1.19 and greater for Linux node pools use `containerd` as its container runtime. Using `containerd` with Windows Server 2019 node pools is currently in preview. For more details, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].
> * Kubernetes prior to v1.19 for Linux node pools use Docker as its container runtime. For Windows Server 2019 node pools, Docker is the default container runtime. ### Node security patches
For more information on core Kubernetes and AKS concepts, see:
[aks-daemonsets]: concepts-clusters-workloads.md#daemonsets [aks-upgrade-cluster]: upgrade-cluster.md [aks-aad]: ./managed-aad.md
-[aks-add-np-containerd]: windows-container-cli.md#add-a-windows-server-node-pool-with-containerd
+[aks-add-np-containerd]: learn/quick-windows-container-deploy-cli.md#add-a-windows-server-node-pool-with-containerd
[aks-concepts-clusters-workloads]: concepts-clusters-workloads.md [aks-concepts-identity]: concepts-identity.md [aks-concepts-scale]: concepts-scale.md
aks Use Byo Cni https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-byo-cni.md
Title: Bring your own Container Network Interface (CNI) plugin (preview)
+ Title: Bring your own Container Network Interface (CNI) plugin
description: Learn how to utilize Azure Kubernetes Service with your own Container Network Interface (CNI) plugin Previously updated : 3/30/2022 Last updated : 8/12/2022
-# Bring your own Container Network Interface (CNI) plugin with Azure Kubernetes Service (AKS) (preview)
+# Bring your own Container Network Interface (CNI) plugin with Azure Kubernetes Service (AKS)
Kubernetes does not provide a network interface system by default; this functionality is provided by [network plugins][kubernetes-cni]. Azure Kubernetes Service provides several supported CNI plugins. Documentation for supported plugins can be found from the [networking concepts page][aks-network-concepts].
While the supported plugins meet most networking needs in Kubernetes, advanced u
This article shows how to deploy an AKS cluster with no CNI plugin pre-installed, which allows for installation of any third-party CNI plugin that works in Azure. - ## Support BYOCNI has support implications - Microsoft support will not be able to assist with CNI-related issues in clusters deployed with BYOCNI. For example, CNI-related issues would cover most east/west (pod to pod) traffic, along with `kubectl proxy` and similar commands. If CNI-related support is desired, a supported AKS network plugin can be used or support could be procured for the BYOCNI plugin from a third-party vendor.
Support will still be provided for non-CNI-related issues.
## Prerequisites
-* For ARM/Bicep, use at least template version 2022-01-02-preview
-* For Azure CLI, use at least version 0.5.55 of the `aks-preview` extension
+* For ARM/Bicep, use at least template version 2022-01-02-preview or 2022-06-01
+* For Azure CLI, use at least version 2.39.0
* The virtual network for the AKS cluster must allow outbound internet connectivity. * AKS clusters may not use `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` for the Kubernetes service address range, pod address range, or cluster virtual network address range. * The cluster identity used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:
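Review bot: The new ARM/Bicep prerequisite, "use at least template version 2022-01-02-preview or 2022-06-01", gives two minimums in one sentence, so it is unclear whether any later preview version qualifies or only the stable one. The template examples in this same change move from 2022-02-02-preview to 2022-06-01; suggest naming the stable version as the minimum and listing the preview version separately as the earliest preview that works.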
Support will still be provided for non-CNI-related issues.
## Cluster creation steps
-### Install the aks-preview CLI extension
-
-```azurecli-interactive
-# Install the aks-preview extension
-az extension add --name aks-preview
-
-# Update the extension to make sure you have the latest version installed
-az extension update --name aks-preview
-```
- ### Deploy a cluster # [Azure CLI](#tab/azure-cli)
When using an Azure Resource Manager template to deploy, pass `none` to the `net
"resources": [ { "type": "Microsoft.ContainerService/managedClusters",
- "apiVersion": "2022-02-02-preview",
+ "apiVersion": "2022-06-01",
"name": "[parameters('clusterName')]", "location": "[parameters('location')]", "identity": {
param kubernetesVersion string = '1.22'
param nodeCount int = 3 param nodeSize string = 'Standard_B2ms'
-resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-02-02-preview' = {
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-06-01' = {
name: clusterName location: location identity: {
api-management Api Management Howto Configure Custom Domain Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-custom-domain-gateway.md
Add a custom domain certificate (.PFX) file to your API Management instance, or
> This setting is shared by all domain names configured for the gateway. 9. Select **Add** to assign the custom domain name to the selected self-hosted gateway.
+> [!NOTE]
+> If clients connecting to the self-hosted gateway using the custom domain expect to be presented with all intermediate certificates in the chain, you must upload individual CA certificates to your API Management Service and associate them with the self-hosted gateway. For instructions on how to achieve this, see [Create custom CA for self-hosted gateway](api-management-howto-ca-certificates.md#create-custom-ca-for-self-hosted-gateway) .
## Next steps [Upgrade and scale your service](upgrade-and-scale.md)
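Review bot: The added note appears to start at column zero directly after step 9, so it will likely render outside the numbered list instead of as part of the step it qualifies; indent it to the list level if it belongs to step 9. There is also a stray space before the final period, after the `#create-custom-ca-for-self-hosted-gateway)` link. The note would be clearer if it said what happens otherwise: clients that need the intermediates from the server cannot validate the chain when only the leaf certificate is presented.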
availability-zones Migrate App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/availability-zones/migrate-app-service.md
You can create an App Service with availability zones using the [Azure CLI](/cli
To enable availability zones using the Azure CLI, include the `--zone-redundant` parameter when you create your App Service plan. You can also include the `--number-of-workers` parameter to specify capacity. If you don't specify a capacity, the platform defaults to three. Capacity should be set based on the workload requirement, but no less than three. A good rule of thumb to choose capacity is to ensure sufficient instances for the application such that losing one zone of instances leaves sufficient capacity to handle expected load. ```azurecli
-az appservice plan create --resource-group MyResourceGroup --name MyPlan --zone-redundant --number-of-workers 6
+az appservice plan create --resource-group MyResourceGroup --name MyPlan --sku P1v2 --zone-redundant --number-of-workers 6
``` > [!TIP]
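Review bot: The command now passes `--sku P1v2`, but the paragraph above it still describes only `--zone-redundant` and `--number-of-workers`. Add a sentence saying why the SKU has to be given explicitly and which SKUs are accepted, otherwise readers cannot tell whether P1v2 is a requirement or just a sample value.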
azure-app-configuration Concept Geo Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-geo-replication.md
Replicating your configuration store adds the following benefits:
- **Redistribution of Request Limits:** You can customize in code which replica endpoint your application uses letting you distribute your request load to avoid exhausting request limits. For example, if your applications run in multiple regions and only send requests to one region, you may begin exhausting App Configuration request limits. You can help redistribute this load by creating replicas in the regions your applications are running in. Each replica has isolated request limits, equal in size to the request limits of the origin. Exhausting the request limits in one replica has no impact on the request limits in another replica. - **Regional Compartmentalization:** Accessing multiple regions can improve latency between your application and configuration store, leading to faster request responses and better performance if an application sends requests to its closest replica. Specifying replica access also allows you to limit data storage and flow between different regions based on your preferences.
-<!-- Learn more about enabling geo-replication in our **how-to (add link to how to doc here)**. -->
+To enable this feature in your store, reference the [how-to to enable geo-replication document](./howto-geo-replication.md).
## Sample use case
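Review bot: The replacement sentence reads "reference the [how-to to enable geo-replication document]", which doubles "to" and uses "reference" as a verb. Suggest "To enable this feature in your store, see [How to enable geo-replication](./howto-geo-replication.md)", which also matches the link text used in the Next steps block of this article.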
Each replica created will add extra charges. Reference the [App Configuration pr
## Next steps > [!div class="nextstepaction"]
-> [How to enable Geo replication](./quickstart-feature-flag-aspnet-core.md)
+> [How to enable Geo replication](./howto-geo-replication.md)
> [Resiliency and Disaster Recovery](./concept-disaster-recovery.md)
azure-cache-for-redis Cache How To Active Geo Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-active-geo-replication.md
Title: Configure active geo-replication for Enterprise Azure Cache for Redis instances description: Learn how to replicate your Azure Cache for Redis Enterprise instances across Azure regions. + Previously updated : 06/15/2022 Last updated : 08/15/2022
You should remove the unavailable cache because the remaining caches in the repl
:::image type="content" source="media/cache-how-to-active-geo-replication/cache-cache-active-geo-replication-unlink.png" alt-text="Screenshot of unlinking in active geo-replication.":::
-1. Once the affected region's availability is restored, you need to delete the affected cache and recreate it to add it back to your replication group.
+1. Once the affected region's availability is restored, you need to delete the affected cache, and recreate it to add it back to your replication group.
+
+## Set up active geo-replication using the Azure CLI or PowerShell
+
+### Azure CLI
+
+Use the Azure CLI for creating a new cache and geo-replication group, or to add a new cache to an existing geo-replication group. For more information, see [az redisenterprise create](/cli/azure/redisenterprise#az-redisenterprise-create).
+
+#### Create new Enterprise instance in a new geo-replication group using Azure CLI
+
+This example creates a new Azure Cache for Redis Enterprise E10 cache instance called _Cache1_ in the East US region. Then, the cache is added to a new active geo-replication group called `replicationGroup`:
+
+```azurecli-interactive
+az redisenterprise create --location "East US" --cluster-name "Cache1" --sku "Enterprise_E10" --resource-group "myResourceGroup" --group-nickname "replicationGroup" --linked-databases id="/subscriptions/34b6ecbd-ab5c-4768-b0b8-bf587aba80f6/resourceGroups/myResourceGroup/providers/Microsoft.Cache/redisEnterprise/Cache1/databases/default"
+```
+
+To configure active geo-replication properly, the ID of the cache instance being created must be added with the `--linked-databases` parameter. The ID is in the format:
+
+`/subscriptions/\<your-subscription-ID>/resourceGroups/\<your-resource-group-name>/providers/Microsoft.Cache/redisEnterprise/\<your-cache-name>/databases/default`
+
+#### Create new Enterprise instance in an existing geo-replication group using Azure CLI
+
+This example creates a new Cache for Redis Enterprise E10 instance called _Cache2_ in the West US region. Then, the cache is added to the `replicationGroup` active geo-replication group created above. This way, it's linked in an active-active configuration with Cache1.
+<!-- love the simple, declarative sentences. I am once again add the full product name -->
+
+```azurecli-interactive
+az redisenterprise create --location "West US" --cluster-name "Cache2" --sku "Enterprise_E10" --resource-group "myResourceGroup" --group-nickname "replicationGroup" --linked-databases id="/subscriptions/34b6ecbd-ab5c-4768-b0b8-bf587aba80f6/resourceGroups/myResourceGroup/providers/Microsoft.Cache/redisEnterprise/Cache1/databases/default" --linked-databases id="/subscriptions/34b6ecbd-ab5c-4768-b0b8-bf587aba80f6/resourceGroups/myResourceGroup/providers/Microsoft.Cache/redisEnterprise/Cache2/databases/default"
+```
+
+As before, you need to list both _Cache1_ and _Cache2_ using the `--linked-databases` parameter.
+
+### Azure PowerShell
+
+Use Azure PowerShell to create a new cache and geo-replication group, or to add a new cache to an existing geo-replication group. For more information, see [New-AzRedisEnterpriseCache](/powershell/module/az.redisenterprisecache/new-azredisenterprisecache).
+
+#### Create new Enterprise instance in a new geo-replication group using PowerShell
+
+This example creates a new Azure Cache for Redis Enterprise E10 cache instance called "Cache1" in the East US region. Then, the cache is added to a new active geo-replication group called `replicationGroup`:
+
+```powershell-interactive
+New-AzRedisEnterpriseCache -Name "Cache1" -ResourceGroupName "myResourceGroup" -Location "East US" -Sku "Enterprise_E10" -GroupNickname "replicationGroup" -LinkedDatabase '{id:"/subscriptions/34b6ecbd-ab5c-4768-b0b8-bf587aba80f6/resourceGroups/myResourceGroup/providers/Microsoft.Cache/redisEnterprise/Cache1/databases/default"}'
+```
+
+To configure active geo-replication properly, the ID of the cache instance being created must be added with the `-LinkedDatabase` parameter. The ID is in the format:
+
+`id:"/subscriptions/\<your-subscription-ID>/resourceGroups/\<your-resource-group-name>/providers/Microsoft.Cache/redisEnterprise/\<your-cache-name>/databases/default`
+
+#### Create new Enterprise instance in an existing geo-replication group using PowerShell
+
+This example creates a new Azure Cache for Redis E10 instance called _Cache2_ in the West US region. Then, the cache is added to the "replicationGroup" active geo-replication group created above. This way, it's linked in an active-active configuration with _Cache1_.
+
+```powershell-interactive
+New-AzRedisEnterpriseCache -Name "Cache2" -ResourceGroupName "myResourceGroup" -Location "West US" -Sku "Enterprise_E10" -GroupNickname "replicationGroup" -LinkedDatabase '{id:"/subscriptions/34b6ecbd-ab5c-4768-b0b8-bf587aba80f6/resourceGroups/myResourceGroup/providers/Microsoft.Cache/redisEnterprise/Cache1/databases/default"}', '{id:"/subscriptions/34b6ecbd-ab5c-4768-b0b8-bf587aba80f6/resourceGroups/myResourceGroup/providers/Microsoft.Cache/redisEnterprise/Cache2/databases/default"}'
+```
+
+As before, you need to list both _Cache1_ and _Cache2_ using the `-LinkedDatabase` parameter.
## Next steps
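Review bot: The line `<!-- love the simple, declarative sentences. I am once again add the full product name -->` after the second Azure CLI description is an internal editing remark committed into the article source and should be deleted. All four commands also embed a concrete subscription GUID (beginning 34b6ecbd) in the resource IDs; use the `<your-subscription-ID>` placeholder already shown in the format lines, or an all-zero GUID, so that readers do not paste a real-looking subscription ID into their own deployments. Smaller points: the PowerShell format line opens `id:"` without a closing quote, the last PowerShell description says "Azure Cache for Redis E10" where the others say "Enterprise E10", and cache and group names alternate between italic, quoted and code styling.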
azure-functions Durable Functions Monitor Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-monitor-python.md
POST https://{host}/orchestrators/E3_Monitor
Content-Length: 77 Content-Type: application/json
-{ "repo": "<your github handle>/<a new github repo under your user>", "phone": "+1425XXXXXXX" }
+{ "repo": "<your GitHub handle>/<a new GitHub repo under your user>", "phone": "+1425XXXXXXX" }
``` For example, if your GitHub username is `foo` and your repository is `bar` then your value for `"repo"` should be `"foo/bar"`.
azure-functions Durable Functions Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-monitor.md
The monitor pattern refers to a flexible *recurring* process in a workflow - for
# [JavaScript](#tab/javascript) * [Complete the quickstart article](quickstart-js-vscode.md)
-* [Clone or download the samples project from GitHub](https://github.com/Azure/azure-functions-durable-extension/tree/main/samples/javascript)
+* [Clone or download the samples project from GitHub](https://github.com/Azure/azure-functions-durable-js/tree/main/samples)
azure-functions Functions Add Output Binding Cosmos Db Vs Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-add-output-binding-cosmos-db-vs-code.md
zone_pivot_groups: programming-languages-set-functions-temp ms.devlang: csharp, javascript-+ # Connect Azure Functions to Azure Cosmos DB using Visual Studio Code
Before you get started, make sure to install the [Azure Databases extension](htt
> [!IMPORTANT] > [Azure Cosmos DB serverless](../cosmos-db/serverless.md) is now generally available. This consumption-based mode makes Azure Cosmos DB a strong option for serverless workloads. To use Azure Cosmos DB in serverless mode, choose **Serverless** as the **Capacity mode** when creating your account.
-1. In Visual Studio Code, choose the Azure icon in the Activity bar.
-
-1. In the **Azure: Databases** area, right-click (Ctrl+click on macOS) on the Azure subscription where you created your function app in the [previous article](./create-first-function-vs-code-csharp.md), and select **Create Server...**
-
- :::image type="content" source="./media/functions-add-output-binding-cosmos-db-vs-code/create-account.png" alt-text="Creating a new Azure Cosmos DB account from Visual Studio code" border="true":::
+1. In Visual Studio Code, select **View** > **Command Pallete...** then in the command pallete search for `Azure Databases: Create Server...`
1. Provide the following information at the prompts:
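Review bot: The new step 1 misspells "palette" twice ("Command Pallete..." and "command pallete"); a later step in this article spells it "command palette", and a menu label has to match what Visual Studio Code actually shows. The old step told the reader which subscription to act on and the new one does not, so confirm that the prompts listed next cover subscription selection.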
Before you get started, make sure to install the [Azure Databases extension](htt
## Create an Azure Cosmos DB database and container
-1. Right-click your account and select **Create database...**.
+1. Select the Azure icon in the Activity bar, expand **Resources** > **Azure Cosmos DB**, right-click (Ctrl+click on macOS) your account, and select **Create database...**.
1. Provide the following information at the prompts:
In the [previous quickstart article](./create-first-function-vs-code-csharp.md),
|**Enter new app setting name**| Type `CosmosDbConnectionString`.| |**Enter value for "CosmosDbConnectionString"**| Paste the connection string of your Azure Cosmos DB account you just copied.|
- This creates a application setting named connection `CosmosDbConnectionString` in your function app in Azure. Now, you can download this setting to your local.settings.json file.
+ This creates an application setting named connection `CosmosDbConnectionString` in your function app in Azure. Now, you can download this setting to your local.settings.json file.
1. Press <kbd>F1</kbd> again to open the command palette, then search for and run the command `Azure Functions: Download Remote Settings...`.
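Review bot: The fix changes "a" to "an" but leaves "an application setting named connection `CosmosDbConnectionString`", where "connection" is a leftover word. Suggest "This creates an application setting named `CosmosDbConnectionString` in your function app in Azure." Because the value is a full connection string, it is also worth stating here that the downloaded local.settings.json then contains a secret and should be kept out of source control.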
azure-functions Functions Bindings Cosmosdb V2 Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-cosmosdb-v2-trigger.md
The trigger requires a second collection that it uses to store _leases_ over the
::: zone pivot="programming-language-csharp" >[!IMPORTANT]
-> If multiple functions are configured to use a Cosmos DB trigger for the same collection, each of the functions should use a dedicated lease collection or specify a different `LeaseCollectionPrefix` for each function. Otherwise, only one of the functions will be triggered. For information about the prefix, see the [Configuration section](#configuration).
+> If multiple functions are configured to use a Cosmos DB trigger for the same collection, each of the functions should use a dedicated lease collection or specify a different `LeaseCollectionPrefix` for each function. Otherwise, only one of the functions is triggered. For information about the prefix, see the [Attributes section](#attributes).
::: zone-end
-
+>[!IMPORTANT]
+> If multiple functions are configured to use a Cosmos DB trigger for the same collection, each of the functions should use a dedicated lease collection or specify a different `leaseCollectionPrefix` for each function. Otherwise, only one of the functions is triggered. For information about the prefix, see the [Annotations section](#annotations).
>[!IMPORTANT] > If multiple functions are configured to use a Cosmos DB trigger for the same collection, each of the functions should use a dedicated lease collection or specify a different `leaseCollectionPrefix` for each function. Otherwise, only one of the functions will be triggered. For information about the prefix, see the [Configuration section](#configuration). ::: zone-end
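Review bot: The added `>[!IMPORTANT]` block for `leaseCollectionPrefix` follows `::: zone-end` with no zone pivot opening visible before it, and the next unchanged line still carries the older copy of the same note ("will be triggered", linking to `#configuration`). As written, readers would either see two near-identical notes with different anchors or see the Annotations note for every language. Wrap the new note in its own `::: zone pivot` block and remove or update the old copy in the same change.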
azure-functions Functions Bindings Storage Blob Input https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-storage-blob-input.md
For information on setup and configuration details, see the [overview](./functio
# [In-process](#tab/in-process)
-```csharp
- The following example is a [C# function](functions-dotnet-class-library.md) that uses a queue trigger and an input blob binding. The queue message contains the name of the blob, and the function logs the size of the blob.
+```csharp
+ [FunctionName("BlobInput")] public static void Run( [QueueTrigger("myqueue-items")] string myQueueItem,
azure-monitor Ip Addresses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ip-addresses.md
Title: IP addresses used by Azure Monitor | Microsoft Docs
-description: This article discusses server firewall exceptions that are required by Application Insights.
+description: This article discusses server firewall exceptions that are required by Azure Monitor
Last updated 01/27/2020
azure-monitor Metrics Aggregation Explained https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/metrics-aggregation-explained.md
Previously updated : 08/31/2021 Last updated : 08/31/2022
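Review bot: The updated date jumps from 08/31/2021 to 08/31/2022, which is later than the other "Last updated" values in this batch (8/12/2022 and 08/15/2022) and looks as if only the year was bumped. Set it to the actual date of the change.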
azure-monitor Query Packs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/query-packs.md
Title: Query packs in Azure Monitor
description: Query packs in Azure Monitor provide a way to share collections of log queries in multiple Log Analytics workspaces. -+ Last updated 06/22/2022
-# Query packs in Azure Monitor Logs (preview)
-A query pack is a Resource Manager object that acts as a container for log queries in Azure Monitor that provide a way to save log queries and share them across multiple workspaces and other contexts in Log Analytics.
+# Query packs in Azure Monitor Logs
+Query packs act as containers for log queries in Azure Monitor and let you save log queries and share them across workspaces and other contexts in Log Analytics.
## View query packs You can view and manage query packs in the Azure portal from the **Log Analytics query packs** menu. Select a query pack to view and edit its permissions. See below for details on creating a query pack using the API.
You can create a query pack in the Azure portal on the Log Analytics query packs
### Create token You require a token for authentication of the API request. There are multiple methods to get a token including using **armclient**.
-First login to Azure using the following command:
+First log in to Azure using the following command:
``` armclient login
The payload of the request is the JSON defining one or more queries and the loca
Use the following request to create a new query pack using the REST API. The request should use bearer token authorization. Content type should be application/json. ```rest
-POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Insights/querypacks/my-query-pack?api-version=2019-09-01-preview
+POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Insights/querypacks/my-query-pack?api-version=2019-09-01
``` Use a tool that can submit a REST API request such as Fiddler or Postman to submit the request using the payload described in the previous section. The query ID will be generated and returned in the payload.
Use a tool that can submit a REST API request such as Fiddler or Postman to subm
To update a query pack, submit the following request with an updated payload. This command requires the query pack ID. ```rest
-POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Insights/querypacks/my-query-pack/queries/query-id/?api-version=2019-09-01-preview
+POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Insights/querypacks/my-query-pack/queries/query-id/?api-version=2019-09-01
``` ## Next steps
azure-monitor Save Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/save-query.md
Title: Save a query in Azure Monitor Log Analytics (preview)
description: Describes how to save a query in Log Analytics. -+ Last updated 06/22/2022
To save a query to a query pack, select **Save as Log Analytics Query** from the
When you save a query to a query pack, the following dialog box is displayed where you can provide values for the query properties. The query properties are used for filtering and grouping of similar queries to help you find the query you're looking for. See [Query properties](queries.md#query-properties) for a detailed description of each property.
-Most users should leave the option to **Save to the default query pack** which will save the query in the [default query pack](query-packs.md#default-query-pack). Uncheck this box if there are other query packs in your subscription. See [Query packs in Azure Monitor Logs (preview)](query-packs.md) for details on creating a new query pack.
+Most users should leave the option to **Save to the default query pack** which will save the query in the [default query pack](query-packs.md#default-query-pack). Uncheck this box if there are other query packs in your subscription. See [Query packs in Azure Monitor Logs](query-packs.md) for details on creating a new query pack.
[![Save query dialog](media/save-query/save-query-dialog.png)](media/save-query/save-query-dialog.png#lightbox)
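Review bot: The link text drops "(preview)" from "Query packs in Azure Monitor Logs", but this article's own title line still reads "Save a query in Azure Monitor Log Analytics (preview)". If the feature is out of preview, update the title in the same change so the two articles agree.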
azure-netapp-files Backup Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-requirements-considerations.md
na Previously updated : 05/23/2022 Last updated : 08/15/2022 # Requirements and considerations for Azure NetApp Files backup
Azure NetApp Files backup in a region can only protect an Azure NetApp Files vol
* There can be a delay of up to 5 minutes in displaying a backup after the backup is actually completed.
+* For large volumes (greater than 10 TB), it can take multiple hours to transfer all the data from the backup media.
+ * Currently, the Azure NetApp Files backup feature supports backing up the daily, weekly, and monthly local snapshots created by the associated snapshot policy to the Azure storage. Hourly backups are not currently supported. * Azure NetApp Files backup uses the [Zone-Redundant storage](../storage/common/storage-redundancy.md#redundancy-in-the-primary-region) (ZRS) account that replicates the data synchronously across three Azure availability zones in the region, except for the regions listed below where only [Locally Redundant Storage](../storage/common/storage-redundancy.md#redundancy-in-the-primary-region) (LRS) storage is supported:
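Review bot: The added bullet says it can take multiple hours "to transfer all the data from the backup media" without naming the operation. If this describes restoring a volume from a backup, say so explicitly, since that is the figure readers need for recovery-time planning.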
azure-netapp-files Create Active Directory Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-active-directory-connections.md
na Previously updated : 08/05/2022 Last updated : 08/15/2022 # Create and manage Active Directory connections for Azure NetApp Files
Several features of Azure NetApp Files require that you have an Active Directory
If you use Azure AD DS (AAD DS), you should use the IP addresses of the AAD DS domain controllers for Primary DNS and Secondary DNS respectively. * **AD DNS Domain Name (required)** This is the fully qualified domain name of the AD DS that will be used with Azure NetApp Files (for example, `contoso.com`).
- * **AD Site Name**
+ * **AD Site Name (required)**
This is the AD DS site name that will be used by Azure NetApp Files for domain controller discovery. >[!NOTE]
Several features of Azure NetApp Files require that you have an Active Directory
If you're using Azure NetApp Files with Azure Active Directory Domain Services (AAD DS), the organizational unit path is `OU=AADDC Computers`
- ![Screenshot of the Join Active Directory input fields.](../media/azure-netapp-files/azure-netapp-files-join-active-directory.png)
+ :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-join-active-directory.png" alt-text="Screenshot of the Join Active Directory input fields.":::
* <a name="aes-encryption"></a>**AES Encryption** This option enables AES encryption authentication support for the admin account of the AD connection.
- ![Screenshot of the AES description field which is a checkbox.](../media/azure-netapp-files/active-directory-aes-encryption.png)
+ ![Screenshot of the AES description field. The field is a checkbox.](../media/azure-netapp-files/active-directory-aes-encryption.png)
See [Requirements for Active Directory connections](#requirements-for-active-directory-connections) for requirements. ![Active Directory AES encryption](../media/azure-netapp-files/active-directory-aes-encryption.png)
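Review bot: The AES encryption screenshot is now referenced twice in a row: once in the edited line with the new alt text, and again in the unchanged `![Active Directory AES encryption](../media/azure-netapp-files/active-directory-aes-encryption.png)` after the requirements link. Remove one of them. The Join Active Directory image was converted to `:::image` syntax in this change while the AES image kept Markdown image syntax; use one form for both.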
Several features of Azure NetApp Files require that you have an Active Directory
| `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. | | `SeTakeOwnershipPrivilege` | Take ownership of files or other objects. | | `SeSecurityPrivilege` | Manage log operations. |
- | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. | <!-- tHIS option IS REMOVED -->
+ | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. |
* Credentials, including your **username** and **password**
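Review bot: The `SeChangeNotifyPrivilege` row appears twice in the privileges table, once in the unchanged rows and again in the row edited here. The deleted comment said the option is removed, which suggests the intent was to drop the second row, not only the comment. Delete the duplicate so each privilege is listed once.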
You can also use [Azure CLI commands](/cli/azure/feature) `az feature register`
Alternately, navigate to the **Volumes** menu. Identify the volume for which you want to reset the Active Directory account and select the three dots (`...`) at the end of the row. Select **Reset Active Directory Account**. :::image type="content" source="../media/azure-netapp-files/active-directory-reset-list.png" alt-text="Azure volume list with the Reset Active Directory Account button highlighted." lightbox="../media/azure-netapp-files/active-directory-reset-list.png"::: 2. A warning message that explains the implications of this action will pop up. Type **yes** in the text box to proceed. ## Next steps
azure-netapp-files Understand Guidelines Active Directory Domain Service Site https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md
na Previously updated : 07/26/2022 Last updated : 08/15/2022 # Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files
A separate discovery process for AD DS LDAP servers occurs when LDAP is enabled
Incorrect or incomplete AD DS site topology or configuration can result in volume creation failures, problems with client queries, authentication failures, and failures to modify Azure NetApp Files AD connections.
-If the **AD Site Name** field is not specified in the Azure NetApp Files AD connection, Azure NetApp Files domain controller discovery will attempt to discover all domain controllers in the AD DS domain. Enumerating all domain controllers and the associated services hosted on them can be a slow process. In this scenario, Azure NetApp Files might select a domain controller that is not in an optimal network location for supporting good communication with Azure NetApp Files or might even be unreachable. As a result, this behavior can result in slow share enumeration. It might also result in inconsistent or no access to Azure NetApp Files volumes that rely on AD DS domain controller communication.
+The AD Site Name field is required to create an Azure NetApp Files AD connection. The AD DS site defined must exist and be properly configured.
+
+Azure NetApp Files uses the AD DS Site to discover the domain controllers and subnets assigned to the AD DS Site defined in the AD Site Name. All domain controllers assigned to the AD DS Site must have good network connectivity from the Azure virtual network interfaces used by ANF and be reachable. AD DS domain controller VMs assigned to the AD DS Site that are used by Azure NetApp Files must be excluded from cost management policies that shut down VMs.
+
+You must update the AD DS Site configuration whenever new domain controllers are deployed into a subnet assigned to the AD DS site that is used by the Azure NetApp Files AD Connection. Ensure that the DNS SRV records for the site reflect any changes to the domain controllers assigned to the AD DS Site used by Azure NetApp Files.
> [!NOTE] > Azure NetApp Files doesn't support the use of AD DS Read-only Domain Controllers (RODC). To prevent Azure NetApp Files from using an RODC, do not configure the **AD Site Name** filed of the AD connections with an RODC.
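Review bot: The added paragraphs make the AD Site Name field mandatory, but the unchanged RODC note directly below them still carries the typo "filed" and is worded as if the field were one option among several. Reword it in the same change, for example by saying that the AD DS site named in the **AD Site Name** field must not contain an RODC. The new text also drops the bold that the note uses for **AD Site Name**, alternates between "AD DS Site" and "AD DS site", and introduces "ANF" without expanding it. The removed paragraph told readers what an unreachable or badly placed domain controller causes (slow share enumeration, inconsistent or no access to volumes). The new requirement that all domain controllers in the site be reachable would be easier to act on if it kept that consequence.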
azure-resource-manager Networking Move Limitations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-limitations/networking-move-limitations.md
Title: Move Azure Networking resources to new subscription or resource group description: Use Azure Resource Manager to move virtual networks and other networking resources to a new resource group or subscription. Previously updated : 03/31/2022 Last updated : 08/15/2022 # Move networking resources to new resource group or subscription
If you want to move networking resources to a new region, see [Tutorial: Move Az
## Dependent resources > [!NOTE]
-> Please note that VPN Gateways associated with Public IP Standard SKU addresses are not currently able to move between resource groups or subscriptions.
-
-> [!NOTE]
-> Please note that any resource associated with Public IP Standard SKU addresses are not currently able to move across subscriptions.
+> Please note that any resource, including VPN Gateways, associated with Public IP Standard SKU addresses are not currently able to move across subscriptions.
When moving a resource, you must also move its dependent resources (for example - public IP addresses, virtual network gateways, all associated connection resources). Local network gateways can be in a different resource group.
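Review bot: The merged note in the added line restricts only moves across subscriptions, while the removed VPN Gateway note also covered moves between resource groups. If VPN Gateways associated with Standard SKU public IPs still cannot change resource group, that restriction is lost here and should be kept. The subject and verb also disagree in "any resource ... are not currently able to move" (should be "is"), and "Please note that" is redundant inside a NOTE block.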
To move a peered virtual network, you must first disable the virtual network pee
You can't move a virtual network to a different subscription if the virtual network contains a subnet with resource navigation links. For example, if an Azure Cache for Redis resource is deployed into a subnet, that subnet has a resource navigation link.
+## Private endpoints
+
+The following [private-link resources](../../../private-link/private-endpoint-overview.md#private-link-resource) support move:
+
+* Microsoft.aadiam/privateLinkForAzureAD
+* Microsoft.DocumentDB/databaseAccounts
+* Microsoft.Kusto/clusters
+* Microsoft.Search/searchServices
+* Microsoft.SignalRService/SignalR
+* Microsoft.SignalRService/webPubSub
+* Microsoft.Sql/servers
+* Microsoft.StorageSync/storageSyncServices
+* Microsoft.Synapse/workspaces
+* Microsoft.Synapse/privateLinkHubs
+
+All other private-link resources don't support move.
+ ## Next steps For commands to move resources, see [Move resources to new resource group or subscription](../move-resource-group-and-subscription.md).
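Review bot: The new Private endpoints section says the listed private-link resources "support move" without saying which kind of move. State whether that means resource group, subscription, or both, and that region move is excluded, so the section agrees with the privateendpoints row in move-support-resources.md, which this section is linked from. The list also mixes casing styles (`Microsoft.aadiam/privateLinkForAzureAD`, `Microsoft.SignalRService/SignalR`, `Microsoft.SignalRService/webPubSub`); confirm each entry matches the registered resource type name, since readers will copy these into queries and policy definitions.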
azure-resource-manager Move Support Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-support-resources.md
Title: Move operation support by resource type description: Lists the Azure resource types that can be moved to a new resource group, subscription, or region. Previously updated : 06/27/2022 Last updated : 08/15/2022 # Move operation support for resources
Jump to a resource provider namespace:
> | privatednszones / virtualnetworklinks | Yes | Yes | No | > | privatednszonesinternal | No | No | No | > | privateendpointredirectmaps | No | No | No |
-> | privateendpoints | Yes | Yes | Yes |
+> | privateendpoints | Yes - for [supported private-link resources](./move-limitations/networking-move-limitations.md#private-endpoints)<br>No - for all other private-link resources | Yes - for [supported private-link resources](./move-limitations/networking-move-limitations.md#private-endpoints)<br>No - for all other private-link resources | No |
> | privatelinkservices | No | No | No |
-> | publicipaddresses | Yes | Yes - Basic SKU<br>No - Standard SKU | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP address configurations (IP addresses are not retained). |
+> | publicipaddresses | Yes | Yes | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP address configurations (IP addresses are not retained). |
> | publicipprefixes | Yes | Yes | No | > | routefilters | No | No | No | > | routetables | Yes | Yes | No |
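Review bot: The publicipaddresses row now shows a plain "Yes" in the second column and drops "No - Standard SKU", yet the networking move limitations article changed in this same update still says any resource associated with a Public IP Standard SKU address cannot move across subscriptions. Add a pointer to that limitation in the cell so the two pages do not read as contradictory. In the privateendpoints row the same conditional text is duplicated across two cells and the last column flips from Yes to No without explanation; a single link to the Private endpoints section plus a short note on the region change would be easier to maintain.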
azure-signalr Concept Service Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/concept-service-mode.md
So if you have a SignalR application and want to integrate with SignalR service,
In default mode, there will be websocket connections between hub server and SignalR service (called server connections). These connections are used to transfer messages between server and client. When a new client is connected, SignalR service will route the client to one hub server (assume you have more than one server) through existing server connections. Then the client connection will stick to the same hub server during its lifetime. When client sends messages, they always go to the same hub server. With this behavior, you can safely maintain some states for individual connections on your hub server. For example, if you want to stream something between server and client, you don't need to consider the case that data packets go to different servers. > [!IMPORTANT]
-> This also means in default mode client cannot connect without server being connected first. If all your hub servers are disconnected due to network interruption or server reboot, your client connect will get an error telling you no server is connected. So it's your responsibility to make sure at any time there is at least one hub server connected to SignalR service (for example, have multiple hub servers and make sure they won't go offline at the same time for things like maintenance).
+> This also means in default mode a client cannot connect without server being connected first. If all your hub servers are disconnected due to network interruption or server reboot, your client connections will get an error telling you no server is connected. So it's your responsibility to make sure at any time there is at least one hub server connected to SignalR service (for example, have multiple hub servers and make sure they won't go offline at the same time for things like maintenance).
This routing model also means when a hub server goes offline, the connections routed that server will be dropped. So you should expect connection drop when your hub server is offline for maintenance and handle reconnect properly so that it won't have negative impact to your application. ## Serverless mode
-Serverless mode, as its name implies, is a mode that you cannot have any hub server. Comparing to default mode, in this mode client doesn't require hub server to get connected. All connections are connected to service in a "serverless" mode and service is responsible for maintaining client connections like handling client pings (in default mode this is handled by hub servers).
+In Serverless mode, you don't have a hub server. Unlike default mode, the client doesn't require a hub server to be running. All connections are connected in a "serverless" mode and the Azure SignalR service is responsible for maintaining client connections like handling client pings (in default mode this is handled by hub servers).
Also there is no server connection in this mode (if you try to use service SDK to establish server connection, you will get an error). Therefore there is also no connection routing and server-client stickiness (as described in the default mode section). But you can still have server-side application to push messages to clients. This can be done in two ways, use [REST APIs](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md) for one-time send, or through a websocket connection so that you can send multiple messages more efficiently (note this websocket connection is different than server connection).
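Review bot: The rewritten IMPORTANT text still reads "without server being connected first"; add the article ("without a hub server being connected first") to match the "a client" fix made in the same sentence. In the serverless paragraph, "All connections are connected in a "serverless" mode" is circular and no longer says what clients connect to, which the removed wording "connected to service" did; say that all client connections are made to the Azure SignalR service. The unchanged sentence between the two edits ("the connections routed that server will be dropped") is missing "to" and could be fixed in the same pass.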
To learn more about how to use default and serverless mode, read the following a
* [Azure SignalR Service internals](signalr-concept-internals.md)
-* [Azure Functions development and configuration with Azure SignalR Service](signalr-concept-serverless-development-config.md)
+* [Azure Functions development and configuration with Azure SignalR Service](signalr-concept-serverless-development-config.md)
azure-video-indexer Create Account Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/create-account-portal.md
Last updated 06/10/2022 -
-# Get started with Azure Video Indexer in Azure portal
+
+# Tutorial: create an account with Azure portal
[!INCLUDE [Gate notice](./includes/face-limited-access.md)]
-This Quickstart walks you through the steps to get started with Azure Video Indexer. You'll create an Azure Video Indexer account and its accompanying resources by using the Azure portal.
-
-To start using Azure Video Indexer, you'll need to create an Azure Video Indexer account. The account needs to be associated with a [Media Services][docs-ms] resource and a [managed identity][docs-uami]. The managed identity will need to have Contributor permissions role on the Media Services.
-## Prerequisites
-### Account types
+This tutorial walks you through the steps of creating an Azure Video Indexer account and its accompanying resources by using the Azure portal. The account created is an Azure Resource Manager (ARM) based account which is enabled with all Video Indexer features and capabilities. For information about different Azure Video Indexer account types, see the [Overview of account types](accounts-overview.md) topic.
-Before creating a new account, review [Account types](accounts-overview.md).
-
-### Azure level
+## Prerequisites
-* This user should be a member of your Azure subscription with either an **Owner** role, or both **Contributor** and **User Access Administrator** roles. A user can be added twice, with two roles. Once with Contributor and once with user Access Administrator. For more information, see [View the access a user has to Azure resources](../role-based-access-control/check-access.md).
+* You should be a member of your Azure subscription with either an **Owner** role, or both **Contributor** and **User Access Administrator** roles. You can be added twice, with two roles, once with **Contributor** and once with **User Access Administrator**. For more information, see [View the access a user has to Azure resources](../role-based-access-control/check-access.md).
* Register the **EventGrid** resource provider using the Azure portal. In the [Azure portal](https://portal.azure.com), go to **Subscriptions**->[<*subscription*>]->**ResourceProviders**.
-Search for **Microsoft.Media** and **Microsoft.EventGrid**. If not in the "Registered" state, select **Register**. It takes a couple of minutes to register.
-
-### Azure Video Indexer
-
-* Owner<sup>*</sup> role assignment on the Subscription level.
-
- * Owner* role assignment on the related Azure Media Services (AMS)
- * Owner* role assignment on the related Managed Identity
-
-<sup>*</sub>Or both **Contributor** and **User Access Administrator** roles
-
-## Azure portal
-
-### Create an Azure Video Indexer account in the Azure portal
+Search for **Microsoft.Media** and **Microsoft.EventGrid**. If not in the registered state, select **Register**. It takes a couple of minutes to register.
+* Have an **Owner** role (or **Contributor** and **User Access Administrator** roles) assignment on the associated Azure Media Services (AMS). You select the AMS account during the Azure Video Indexer account creation, as described below.
+* Have an **Owner** role (or **Contributor** and **User Access Administrator** roles) assignment on the related managed identity.
+
+## Use the Azure portal to create an Azure Video Indexer account
-1. Sign into the [Azure portal](https://portal.azure.com/).
-1. Using the search bar at the top, enter **"Azure Video Indexer"**.
-1. Select *Azure Video Indexer* under *Services*.
+1. Sign into the [Azure portal](https://portal.azure.com/).
- ![Image of search bar](media/create-account-portal/search-bar.png)
+ Alternatively, you can start creating the **unlimited** account from the [videoindexer.ai](https://www.videoindexer.ai) website.
+1. Using the search bar at the top, enter **"Video Indexer"**.
+1. Select **Video Indexer** under **Services**.
1. Select **Create**.
-1. In the **Create an Azure Video Indexer resource** section enter required values.
+1. In the Create an Azure Video Indexer resource section, enter required values (the descriptions follow after the image).
- ![Image of how to create an Azure Video Indexer resource.](media/create-account-portal/avi-create-blade.png)
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/create-account-portal/avi-create-blade.png" alt-text="Screenshot showing how to create an Azure Video Indexer resource." lightbox="./media/create-account-portal/avi-create-blade.png":::
Here are the definitions: | Name | Description| |||
- |**Subscription**|Choose the subscription that you're using to create the Azure Video Indexer account.|
- |**Resource Group**|Choose a resource group where you're creating the Azure Video Indexer account, or select **Create new** to create a resource group.|
- |**Azure Video Indexer account**|Select *Create a new account* option.|
- |**Resource name**|Enter the name of the new Azure Video Indexer account, the name can contain letters, numbers and dashes with no spaces.|
- |**Region**|Select the geographic region that will be used to deploy the Azure Video Indexer account. The location matches the **resource group location** you chose, if you'd like to change the selected location change the selected resource group or create a new one in the preferred location. [Azure region in which Azure Video Indexer is available](https://azure.microsoft.com/global-infrastructure/services/?products=cognitive-services&regions=all)|
- |**Media Services account name**|Select a Media Services that the new Azure Video Indexer account will use to process the videos. You can select an existing Media Services or you can create a new one. The Media Services must be in the same location you selected.|
- |**Managed identity**|Select an existing **user-assigned** managed identity or **system-assigned** managed identity or both when creating the account. The new Azure Video Indexer account will use the selected managed identity to access the Media Services associated with the account. If both user-assigned and system assigned managed identities will be selected during the account creation the **default** managed identity is the user assigned managed identity. A Contributor role should be assigned on the Media Services.|
+ |**Subscription**|Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If there are multiple choices, choose a subscription in which your user has the required role.
+ |**Resource group**|Select an existing resource group or create a new one. A resource group is a collection of resources that share lifecycle, permissions, and policies. Learn more [here](../azure-resource-manager/management/overview.md#resource-groups).|
+ |**Resource name**|This will be the name of the new Azure Video Indexer account. The name can contain letters, numbers and dashes with no spaces.|
+ |**Region**|Select the Azure region that will be used to deploy the Azure Video Indexer account. The region matches the resource group region you chose. If you'd like to change the selected region, change the selected resource group or create a new one in the preferred region. [Azure region in which Azure Video Indexer is available](https://azure.microsoft.com/global-infrastructure/services/?products=cognitive-services&regions=all)|
+ |**Existing content**|If you have existing classic Video Indexer accounts, you can choose to have the videos, files, and data associated with an existing classic account connected to the new account. See the following article to learn more [Connect the classic account to ARM](connect-classic-account-to-arm.md)
+ |**Available classic accounts**|Classic accounts available in the chosen subscription, resource group, and region.|
+ |**Media Services account name**|Select a Media Services that the new Azure Video Indexer account will use to process the videos. You can select an existing Media Services or you can create a new one. The Media Services must be in the same region you selected for your Azure Video Indexer account.|
+ |**Storage account** (appears when creating a new AMS account)|Choose or create a new storage account in the same resource group.|
+ |**Managed identity**|Select an existing user-assigned managed identity or system-assigned managed identity or both when creating the account. The new Azure Video Indexer account will use the selected managed identity to access the Media Services associated with the account. If both user-assigned and system assigned managed identities will be selected during the account creation the **default** managed identity is the user-assigned managed identity. A contributor role should be assigned on the Media Services.|
1. Select **Review + create** at the bottom of the form. ### Review deployed resource You can use the Azure portal to validate the Azure Video Indexer account and other resources that were created. After the deployment is finished, select **Go to resource** to see your new Azure Video Indexer account.
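Review bot: Two of the added definition rows are missing their closing pipe, the **Subscription** row (ends at "required role.") and the **Existing content** row (ends at the connect-classic-account-to-arm.md link), which can break rendering of the table. In the prerequisites, the unchanged bullet names only the **EventGrid** resource provider while the added line under it tells the reader to search for both **Microsoft.Media** and **Microsoft.EventGrid**; name both in the bullet. The prerequisites ask the signed-in user for **Owner** (or **Contributor** plus **User Access Administrator**) on AMS and on the managed identity, while the **Managed identity** row asks for a Contributor role on Media Services. Add one sentence saying which assignment belongs to the user and which to the identity, so readers don't grant the identity more than Contributor. "the **unlimited** account" in step 1 is not defined in the visible text.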
-### Overview
+## The Overview tab of the account
-![Image of Azure Video Indexer overview blade.](media/create-account-portal/avi-overview.png)
+This tab enables you to view details about your account.
-Select *Explore Azure Video Indexer's portal* to view your new account on the [Azure Video Indexer portal](https://aka.ms/vi-portal-link).
+Select **Explore Azure Video Indexer's portal** to view your new account on the [Azure Video Indexer website](https://aka.ms/vi-portal-link).
-#### Unique essentials
+### Essential details
|Name|Description| |||
-|Status| When the resource is connected properly, status is **Active**. When there's a problem with the connection between the managed identity and the Media Service instance status will be *Connection to Azure Media Services failed*. Contributor role assignment on the Media Services should be added to the proper managed identity.|
-|Managed identity |The name of the default managed identity, user-assigned or system-assigned. The default managed identity can be updated using the *Change* button.|
+|Status| When the resource is connected properly, the status is **Active**. When there's a problem with the connection between the managed identity and the Media Service instance, the status will be *Connection to Azure Media Services failed*. Contributor role assignment on the Media Services should be added to the proper managed identity.|
+|Managed identity |The name of the default managed identity, user-assigned or system-assigned. The default managed identity can be updated using the **Change** button.|
+
+## The Management tab of the account
+
+This tab contains sections for:
-### Management API
+* getting an access token for the account
+* managing identities
-![Image of Generate-access-token.](media/create-account-portal/generate-access-token.png)
+### Management API
-Use the *Management API* tab to manually generate access tokens for the account.
+Use the **Management API** tab to manually generate access tokens for the account.
This token can be used to authenticate API calls for this account. Each token is valid for one hour.
+#### To get the access token
+ Choose the following:+ * Permission type: **Contributor** or **Reader** * Scope: **Account**, **Project** or **Video**
- * For **Project** or **Video** you should also insert the matching ID
+
+ * For **Project** or **Video** you should also insert the matching ID.
* Select **Generate**
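Review bot: The new "To get the access token" steps offer **Contributor** or **Reader** and **Account**, **Project** or **Video** with no guidance on which to choose. Since the token authenticates API calls for an hour, add a line recommending **Reader** and the narrowest scope the call needs, and reserve **Contributor** at **Account** scope for operations that require it.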
-### Identity
+### Identity
-Use the *Identity* tab to manually update the managed identities associated with the Azure Video Indexer resource.
-Add new managed identities, switch the default managed identity between user-assigned and system-assigned or set a new user-assigned managed identity.
+Use the **Identity** tab to manually update the managed identities associated with the Azure Video Indexer resource.
-
+Add new managed identities, switch the default managed identity between user-assigned and system-assigned or set a new user-assigned managed identity.
-### Next steps
+## Next steps
Learn how to [Upload a video using C#](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/ApiUsage/ArmBased).
azure-vmware Deploy Disaster Recovery Using Jetstream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-disaster-recovery-using-jetstream.md
# Deploy disaster recovery using JetStream DR software - [JetStream DR](https://www.jetstreamsoft.com/product-portfolio/jetstream-dr/) is a cloud-native disaster recovery solution designed to minimize downtime of virtual machines (VMs) if there was a disaster. Instances of JetStream DR are deployed at both the protected and recovery sites. JetStream is built on the foundation of Continuous Data Protection (CDP), using [VMware vSphere API for I/O filtering (VAIO) framework](https://core.vmware.com/resource/vmware-vsphere-apis-io-filtering-vaio), which enables minimal or close to no data loss. JetStream DR provides the level of protection wanted for business and mission-critical applications. It also enables cost-effective DR by using minimal resources at the DR site and using cost-effective cloud storage, such as [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs/).
cognitive-services Create Manage Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/create-manage-workspace.md
Previously updated : 01/20/2022 Last updated : 08/15/2022
> [!IMPORTANT] > Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
- Workspaces are places to manage your documents, projects, and models. When you create a workspace, you can choose to use the workspace independently or share it with teammates to divide up the work.
+ Workspaces are places to manage your documents, projects, and models. When you create a workspace, you can choose to use the workspace independently, or share it with teammates to divide up the work.
## Create workspace
-1. After you sign in to Custom Translator, you will be asked for permission to read your profile from the Microsoft identity platform to request your user access token and refresh token. Both tokens are needed for authentication and to ensure that you aren't signed out during your live session or while training your models. </br>Select **Yes**.
+1. After you sign in to Custom Translator, you'll be asked for permission to read your profile from the Microsoft identity platform to request your user access token and refresh token. Both tokens are needed for authentication and to ensure that you aren't signed out during your live session or while training your models. </br>Select **Yes**.
:::image type="content" source="../media/quickstart/first-time-user.png" alt-text="Screenshot illustrating first-time sign-in.":::
1. Select **Done**
- >[!Note]
- > Region must match the region that was selected during the resource creation. You can use **KEY 1** or **KEY 2.**
+ > [!NOTE]
+ > Region must match the region that was selected during the resource creation. You can use **KEY 1** or **KEY 2**.
:::image type="content" source="../media/quickstart/resource-key.png" alt-text="Screenshot illustrating the resource key.":::
+ > [!NOTE]
+ > All uploaded customer content, custom model binaries, custom model configurations, and training logs are kept encrypted-at-rest in the selected region.
+ :::image type="content" source="../media/quickstart/create-workspace-1.png" alt-text="Screenshot illustrating workspace creation."::: ## Manage workspace settings Select a workspace and navigate to **Workspace settings**. You can manage the following workspace settings:
-* Change the resource key for global regions. If you are using a regional specific resource, you cannot change your resource key.
+* Change the resource key for global regions. If you're using a regional specific resource, you can't change your resource key.
* Change the workspace name.
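Review bot: The added encryption-at-rest note is indented under the resource key step, between two screenshot directives, where it reads as part of the key instructions. Move it next to the region selection it refers to or to the top of **Create workspace**. It says uploaded content, model binaries, model configurations and training logs are encrypted at rest in the selected region, but not who manages the keys; link to the service's encryption documentation if one exists so readers with data-residency or key-management requirements can verify the claim.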
The person who created the workspace is the owner. Within **Workspace settings**
* **Owner**. An owner has full permissions within the workspace.
-* **Editor**. An editor can add documents, train models, and delete documents and projects. They cannot modify who the workspace is shared with, delete the workspace, or change the workspace name.
+* **Editor**. An editor can add documents, train models, and delete documents and projects. They can't modify who the workspace is shared with, delete the workspace, or change the workspace name.
* **Reader**. A reader can view (and download if available) all information in the workspace.
cognitive-services V3 0 Translate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/reference/v3-0-translate.md
Previously updated : 05/09/2022 Last updated : 08/15/2022
Request parameters passed on the query string are:
### Optional parameters -- | Query parameter | Description | | | | - | Query parameter | Description | | | | | from | _Optional parameter_. <br>Specifies the language of the input text. Find which languages are available to translate from by looking up [supported languages](../reference/v3-0-languages.md) using the `translation` scope. If the `from` parameter isn't specified, automatic language detection is applied to determine the source language. <br> <br>You must use the `from` parameter rather than autodetection when using the [dynamic dictionary](../dynamic-dictionary.md) feature. |
Request parameters passed on the query string are:
| suggestedFrom | _Optional parameter_. <br>Specifies a fallback language if the language of the input text can't be identified. Language autodetection is applied when the `from` parameter is omitted. If detection fails, the `suggestedFrom` language will be assumed. | | fromScript | _Optional parameter_. <br>Specifies the script of the input text. | | toScript | _Optional parameter_. <br>Specifies the script of the translated text. |
-| allowFallback | _Optional parameter_. <br>Specifies that the service is allowed to fall back to a general system when a custom system doesn't exist. Possible values are: `true` (default) or `false`. <br> <br>`allowFallback=false` specifies that the translation should only use systems trained for the `category` specified by the request. If a translation for language X to language Y requires chaining through a pivot language E, then all the systems in the chain (X->E and E->Y) will need to be custom and have the same category. If no system is found with the specific category, the request will return a 400 status code. `allowFallback=true` specifies that the service is allowed to fall back to a general system when a custom system doesn't exist. |
+| allowFallback | _Optional parameter_. <br>Specifies that the service is allowed to fall back to a general system when a custom system doesn't exist. Possible values are: `true` (default) or `false`. <br> <br>`allowFallback=false` specifies that the translation should only use systems trained for the `category` specified by the request. If a translation for language X to language Y requires chaining through a pivot language E, then all the systems in the chain (X → E and E → Y) will need to be custom and have the same category. If no system is found with the specific category, the request will return a 400 status code. `allowFallback=true` specifies that the service is allowed to fall back to a general system when a custom system doesn't exist. |
Request headers include:
The body of the request is a JSON array. Each array element is a JSON object wit
] ```
-The following limitations apply:
-
-* The array can have at most 100 elements.
-* The entire text included in the request can't exceed 10,000 characters including spaces.
+For information on character and array limits, _see_ [Request limits](../request-limits.md#character-and-array-limits-per-request).
## Response body
A successful response is a JSON array with one result for each string in the inp
* `score`: A float value indicating the confidence in the result. The score is between zero and one and a low score indicates a low confidence.
- The `detectedLanguage` property is only present in the result object when language autodetection is requested.
+ The `detectedLanguage` property is only present in the result object when language auto-detection is requested.
* `translations`: An array of translation results. The size of the array matches the number of target languages specified through the `to` query parameter. Each element in the array includes:
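Review bot: The changed line spells it "auto-detection" while the unchanged parameter table on this page uses "autodetection" (the `from` and `suggestedFrom` rows). Pick one spelling for the article rather than changing a single occurrence.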
If you want to avoid getting profanity in the translation, regardless of the pre
| ProfanityAction | Action | | | | | `NoAction` | NoAction is the default behavior. Profanity will pass from source to target. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a jack. |
-| `Deleted` | Profane words will be removed from the output without replacement. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a. |
+| `Deleted` | Profane words will be removed from the output without replacement. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a** |
| `Marked` | Profane words are replaced by a marker in the output. The marker depends on the `ProfanityMarker` parameter. <br> <br>For `ProfanityMarker=Asterisk`, profane words are replaced with `***`: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a \\*\\*\\*. <br> <br>For `ProfanityMarker=Tag`, profane words are surrounded by XML tags &lt;profanity&gt; and &lt;/profanity&gt;: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a &lt;profanity&gt;jack&lt;/profanity&gt;. | For example:
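Review bot: The new `Deleted` example translation "He's a**" looks like a stray Markdown bold marker rather than intended output. The row says profane words are removed without replacement, so the example should show plain text with nothing in place of the word, as the removed "He's a." did. If the asterisks are meant literally they need escaping like the `\\*\\*\\*` in the `Marked` row, and they would then contradict "without replacement".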
The result is:
] ```
-This feature works the same way with `textType=text` or with `textType=html`. The feature should be used sparingly. The appropriate and far better way of customizing translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you've or can afford to create training data that shows your work or phrase in context, you get much better results. [Learn more about Custom Translator](../customization.md).
+This dynamic-dictionary feature works the same way with `textType=text` or with `textType=html`. The feature should be used sparingly. The appropriate and far better way of customizing translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you can create training data that shows your work or phrase in context, you'll get much better results. [Learn more about Custom Translator](../customization.md).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Try the Translator quickstart](../quickstart-translator.md)
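Review bot: In the rewritten paragraph, "training data that shows your work or phrase in context" almost certainly should read "word or phrase". The typo predates this change, but the sentence is being rewritten here and is the place to fix it. "This dynamic-dictionary feature" would also be clearer as a link to the dynamic dictionary article already referenced in the `from` parameter row.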
cognitive-services Request Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/request-limits.md
Previously updated : 04/19/2021 Last updated : 08/15/2022
This article provides throttling limits for the Translator translation, translit
## Character and array limits per request
-Each translate request is limited to 50,000 characters, across all the target languages you are translating to. For example, sending a translate request of 3,000 characters to translate to three different languages results in a request size of 3000x3 = 9,000 characters, which satisfy the request limit. You're charged per character, not by the number of requests. It's recommended to send shorter requests.
+Each translate request is limited to 50,000 characters, across all the target languages you're translating to. For example, sending a translate request of 3,000 characters to translate to three different languages results in a request size of 3000x3 = 9,000 characters, which satisfy the request limit. You're charged per character, not by the number of requests. It's recommended to send shorter requests.
The following table lists array element and character limits for each operation of the Translator.
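Review bot: In the changed sentence, "a request size of 3000x3 = 9,000 characters, which satisfy the request limit" has a singular subject, so it should read "which satisfies the request limit". The same sentence writes the number both as "3,000" and "3000"; pick one form.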
The following table lists array element and character limits for each operation
Your character limit per hour is based on your Translator subscription tier.
-The hourly quota should be consumed evenly throughout the hour. For example, at the F0 tier limit of 2 million characters per hour, characters should be consumed no faster than roughly 33,300 characters per minute sliding window (2 million characters divided by 60 minutes).
+The hourly quota should be consumed evenly throughout the hour. For example, at the F0 tier limit of 2 million characters per hour, characters should be consumed no faster than roughly 33,300 characters per minute. The sliding window range is 2 million characters divided by 60 minutes.
-If you reach or surpass these limits, or send too large of a portion of the quota in a short period of time, you'll likely receive an out of quota response. There are no limits on concurrent requests.
+You're likely to receive an out-of-quota response under the following circumstances:
+
+* You've reached or surpass the quota limit.
+* You've sent a large portion of the quota in too short a period of time.
+
+There are no limits on concurrent requests.
| Tier | Character limit | ||--|
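Review bot: The new sentence "The sliding window range is 2 million characters divided by 60 minutes" describes a rate, not a window, and no longer says that the 33,300 figure is enforced per one-minute sliding window as the removed line did. Suggest keeping that link explicit, for example by saying the limit is applied over a one-minute sliding window. In the new bullet list, "You've reached or surpass the quota limit" mixes tenses and should be "reached or surpassed".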
The Translator has a maximum latency of 15 seconds using standard models and 120
## Sentence length limits
-When using the [BreakSentence](./reference/v3-0-break-sentence.md) function, sentence length is limited to 275 characters. There are exceptions for these languages:
+When you're using the [BreakSentence](./reference/v3-0-break-sentence.md) function, sentence length is limited to 275 characters. There are exceptions for these languages:
| Language | Code | Character limit | |-||--|
-| Chinese | zh | 166 |
-| German | de | 800 |
-| Italian | it | 800 |
-| Japanese | ja | 166 |
-| Portuguese | pt | 800 |
-| Spanish | es | 800 |
-| Thai | th | 180 |
+| Chinese | `zh` | 166 |
+| German | `de` | 800 |
+| Italian | `it` | 800 |
+| Japanese | `ja` | 166 |
+| Portuguese | `pt` | 800 |
+| Spanish | `es` | 800 |
+| Thai | `th` | 180 |
> [!NOTE] > This limit doesn't apply to translations.
cognitive-services Model Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/concepts/model-lifecycle.md
Previously updated : 07/27/2022 Last updated : 08/15/2022
Language service features utilize AI models that are versioned. We update the la
### Expiration timeline
-Our standard (not customized) language service is built upon AI models that we call pre-trained models. We update the language service with new model versions every few months to improve model accuracy, support, and quality.
+Our standard (not customized) language service features are built upon AI models that we call pre-trained models. We update the language service with new model versions every few months to improve model accuracy, support, and quality.
-Pre-built Model Capabilities: As new models and new functionality become available and older, less accurate models are retired. Unless otherwise noted, retired pre-built models will be automatically updated to the newest model version.
+As new models and functionalities become available, older less accurate models are deprecated. To ensure you are using the latest model version and avoid interruptions to your applications, we highly recommend using the default model-version parameter (`latest`) in your API calls. After their deprecation date, pre-built model versions will no longer be functional and your implementation may be broken.
-During the model version deprecation period, API calls to the soon-to-be retired model versions will return a warning. After model-version deprecation, API calls to deprecated model-versions will return responses using the newest model version with an additional warning message. So, your implementation will never break, but results might change.
-
-The model-version retirement period is defined as: the period of time from a release of a newer model-version for the capability, until a specific older version is deprecated. This period is defined as six months for stable model versions, and three months for previews. For example, a stable model-version `2021-01-01` will be deprecated six months after a successor model-version `2021-07-01` is released, on January 1, 2022. Preview capabilities in preview APIs do not maintain a minimum retirement period and can be deprecated at any time.
+Stable (not preview) model versions are deprecated six months after the release of another stable model version. Features in preview don't maintain a minimum retirement period and may be deprecated at any time.
#### Choose the model-version used on your data
-By default, API requests will use the latest Generally Available model. You can use an optional parameter to select the version of the model to be used.
+By default, API requests will use the latest Generally Available model. You can use an optional parameter to select the version of the model to be used (not recommended).
> [!TIP] > If youΓÇÖre using the SDK for C#, Java, JavaScript or Python, see the reference documentation for information on the appropriate model-version parameter.+ For synchronous endpoints, use the `model-version` query parameter. For example: `POST <your-language-resource-endpoint>/language/:analyze-text?api-version=2022-05-01&model-version=2022-06-01`.
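Review bot: The unchanged example at the end of this hunk still pins `model-version=2022-06-01`, while the added text recommends the default `latest` and labels version selection "(not recommended)". Either change the example or add a sentence on when pinning is acceptable. The added paragraph also replaces "your implementation will never break" with "will no longer be functional" without saying what a call to a deprecated version returns; state the response so callers can detect it before the cut-off.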
The model-version used in your API request will be included in the response obje
Use the table below to find which model versions are supported by each feature:
-| Feature | Supported versions | Latest Generally Available version | Latest preview version |
-|--||||
-| Sentiment Analysis and opinion mining | `2019-10-01`, `2020-04-01`, `2021-10-01`, `2022-06-01` | `2022-06-01` | |
-| Language Detection | `2021-11-20` | `2021-11-20` | |
-| Entity Linking | `2021-06-01` | `2021-06-01` | |
-| Named Entity Recognition (NER) | `2021-06-01` | `2021-06-01` | |
-| Personally Identifiable Information (PII) detection | `2020-07-01`, `2021-01-15` | `2021-01-15` | |
-| PII detection for conversations (Preview) | `2022-05-15-preview` | | `2022-05-15-preview` |
-| Question answering | `2021-10-01` | `2021-10-01` | |
-| Text Analytics for health | `2021-05-15`, `2022-03-01` | `2022-03-01` | |
-| Key phrase extraction | `2019-10-01`, `2020-07-01`, `2021-06-01`, `2022-07-01` | `2022-07-01` | |
-| Document summarization (preview) | `2021-08-01` | | `2021-08-01` |
-| Conversation summarization (preview) | `2022-05-15-preview` | | `2022-05-15-preview` |
+| Feature | Supported versions | Model versions to be deprecated |
+|--|--||
+| Sentiment Analysis and opinion mining | `2021-10-01`, `2022-06-01*` | `2019-10-01`, `2020-04-01` |
+| Language Detection | `2021-11-20*` | `2019-10-01`, `2020-07-01`, `2020-09-01`, `2021-01-05` |
+| Entity Linking | `2021-06-01*` | `2019-10-01`, `2020-02-01` |
+| Named Entity Recognition (NER) | `2021-06-01*` | `2019-10-01`, `2020-02-01`, `2020-04-01`, `2021-01-15` |
+| Personally Identifiable Information (PII) detection | `2020-07-01`, `2021-01-15*` | `2019-10-01`, `2020-02-01`, `2020-04-01`, `2020-07-01` |
+| PII detection for conversations (Preview) | `2022-05-15-preview**` | |
+| Question answering | `2021-10-01*` | |
+| Text Analytics for health | `2021-05-15`, `2022-03-01*` | |
+| Key phrase extraction | `2021-06-01`, `2022-07-01*` | `2019-10-01`, `2020-07-01` |
+| Document summarization (preview) | `2021-08-01*` | |
+| Conversation summarization (preview) | `2022-05-15-preview**` | |
+
+\* Latest Generally Available (GA) model version
+
+\*\* Latest preview version
+
+> [!IMPORTANT]
+> The versions listed for deprecation will be unavailable for use after October 30, 2022.
## Custom features
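Review bot: In the PII detection row, `2020-07-01` appears under both "Supported versions" and "Model versions to be deprecated", so the row contradicts itself about that version. The `*` and `**` markers also sit inside the code spans (`2022-06-01*`), so a copied value includes the asterisk; move them outside the backticks. Document summarization (preview) is marked with a single `*` (latest GA) although the feature is labelled preview and the removed table listed `2021-08-01` as a preview version.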
cognitive-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/key-phrase-extraction/quickstart.md
Previously updated : 06/21/2022 Last updated : 08/15/2022 ms.devlang: csharp, java, javascript, python
cognitive-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/personally-identifiable-information/quickstart.md
Previously updated : 07/11/2022 Last updated : 08/15/2022 ms.devlang: csharp, java, javascript, python
cognitive-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/sentiment-opinion-mining/quickstart.md
Previously updated : 07/11/2022 Last updated : 08/15/2022 ms.devlang: csharp, java, javascript, python
cognitive-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/text-analytics-for-health/quickstart.md
Previously updated : 07/11/2022 Last updated : 08/15/2022 ms.devlang: csharp, java, javascript, python
communication-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/overview.md
Azure Communication Services supports various communication formats:
- [Voice and Video Calling](concepts/voice-video-calling/calling-sdk-features.md) - [Rich Text Chat](concepts/chat/concepts.md) - [SMS](concepts/sms/concepts.md)
+- [Email](concepts/email/email-overview.md)
-You can connect custom client apps, custom services, and the publicly switched telephony network (PSTN) to your communications experience. You can acquire [phone numbers](./concepts/telephony/plan-solution.md) directly through Azure Communication Services REST APIs, SDKs, or the Azure portal; and use these numbers for SMS or calling applications. Azure Communication Services [direct routing](./concepts/telephony/plan-solution.md) allows you to use SIP and session border controllers to connect your own PSTN carriers and bring your own phone numbers.
+You can connect custom client apps, custom services, and the publicly switched telephony network (PSTN) to your communications experience. You can acquire [phone numbers](./concepts/telephony/plan-solution.md) directly through Azure Communication Services REST APIs, SDKs, or the Azure portal; and use these numbers for SMS or calling applications or you can simply integrate email capabilities to your applications using production-ready email SDKs. Azure Communication Services [direct routing](./concepts/telephony/plan-solution.md) allows you to use SIP and session border controllers to connect your own PSTN carriers and bring your own phone numbers.
In addition to REST APIs, [Azure Communication Services client libraries](./concepts/sdk-options.md) are available for various platforms and languages, including Web browsers (JavaScript), iOS (Swift), Android (Java), Windows (.NET). A [UI library](https://aka.ms/acsstorybook) can accelerate development for Web, iOS, and Android apps. Azure Communication Services is identity agnostic and you control how end users are identified and authenticated.
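Review bot: The added clause in "use these numbers for SMS or calling applications or you can simply integrate email capabilities" turns the sentence into a run-on and attaches email to a sentence about phone numbers. Suggest ending the sentence after "calling applications" and giving email its own sentence.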
To learn more, check out our [Microsoft Mechanics video](https://www.youtube.com
|**[Create a Communication Services resource](./quickstarts/create-communication-resource.md)**|Begin using Azure Communication Services by using the Azure portal or Communication Services SDK to provision your first Communication Services resource. Once you have your Communication Services resource connection string, you can provision your first user access tokens.| |**[Get a phone number](./quickstarts/telephony/get-phone-number.md)**|Use Azure Communication Services to provision and release telephone numbers. These telephone numbers can be used to initiate or receive phone calls and build SMS solutions.| |**[Send an SMS from your app](./quickstarts/sms/send.md)**| Azure Communication Services SMS REST APIs and SDKs is used send and receive SMS messages from service applications.|
+|**[Send an Email from your app](./quickstarts/email/send-email.md)**| Azure Communication Services Email REST APIs and SDKs is used send an email messages from service applications.|
After creating a Communication Services resource you can start building client scenarios, such as voice and video calling or text chat:
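Review bot: The new Email row reads "REST APIs and SDKs is used send an email messages", which has a subject-verb mismatch, a missing "to", and a stray article. Suggest "REST APIs and SDKs are used to send email messages". The SMS row above has the same "is used send" wording and could be fixed in the same change.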
Learn more about the Azure Communication Services SDKs with the resources below.
|**[Calling SDK overview](./concepts/voice-video-calling/calling-sdk-features.md)**|Review the Communication Services Calling SDK overview.| |**[Chat SDK overview](./concepts/chat/sdk-features.md)**|Review the Communication Services Chat SDK overview.| |**[SMS SDK overview](./concepts/sms/sdk-features.md)**|Review the Communication Services SMS SDK overview.|
+|**[Email SDK overview](./concepts/email/sdk-features.md)**|Review the Communication Services SMS SDK overview.|
|**[UI Library overview](https://aka.ms/acsstorybook)**| Review the UI Library for the Communication Services | ## Design resources
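Review bot: The added "Email SDK overview" row has the description "Review the Communication Services SMS SDK overview", which looks copied from the SMS row above. It should say Email SDK.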
container-registry Container Registry Get Started Geo Replication Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-get-started-geo-replication-template.md
Title: Quickstart - Create geo-replicated registry - Azure Resource Manager template description: Learn how to create a geo-replicated Azure container registry by using an Azure Resource Manager template. -- Previously updated : 10/06/2020++ Last updated : 08/15/2022
This quickstart shows how to create an Azure Container Registry instance by usin
[!INCLUDE [About Azure Resource Manager](../../includes/resource-manager-quickstart-introduction.md)]
+The registry with replications does not support the ARM/Bicep template Complete mode deployments.
+ If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal. [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.containerregistry%2Fcontainer-registry-geo-replication%2Fazuredeploy.json)
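Review bot: The added sentence about Complete mode doesn't say what happens if a registry with replications is deployed that way or what to use instead. State the effect and point readers to incremental mode. It would also read more clearly as a note callout than as a bare line ahead of the Deploy to Azure paragraph, worded along the lines of "A registry with replications doesn't support Complete mode deployments of ARM or Bicep templates."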
cost-management-billing Find Tenant Id Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/find-tenant-id-domain.md
+
+ Title: Find tenant ID and primary domain
+
+description: Describes how to find ID and primary domain for your Azure AD tenant.
++
+tags: billing
+++ Last updated : 08/04/2022+++
+# Locate tenant ID and primary domain
+
+This article describes how to use the Azure portal to locate the following information for a user:
+
+- The Microsoft Azure Active Directory (Azure AD) tenant ID of the user's organization
+- The primary domain name of the organization associated with the Azure AD tenant
+
+## Find the tenant ID and primary domain name
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for *Azure Active Directory*.
+ :::image type="content" source="./media/find-tenant-id-domain/search-azure-active-directory.png" alt-text="Screenshot showing Search in the Azure portal for Azure Active Directory." lightbox="./media/find-tenant-id-domain/search-azure-active-directory.png" :::
+1. In the Azure Active Directory Overview page, you can find the Azure AD tenant ID and primary domain name in the **Basic information** section.
+ :::image type="content" source="./media/find-tenant-id-domain/azure-active-directory-overview.png" alt-text="Screenshot showing the Overview page of Azure Active Directory." lightbox="./media/find-tenant-id-domain/azure-active-directory-overview.png" :::
+1. You can also find the tenant ID in the properties page.
+ 1. Search for **Azure Active Directory**.
+ 1. In the left menu, select **Properties**.
+ 1. The tenant ID is displayed on the Properties page.
+ :::image type="content" source="./media/find-tenant-id-domain/azure-active-directory-properties.png" alt-text="Screenshot showing the Properties page of Azure Active Directory." lightbox="./media/find-tenant-id-domain/azure-active-directory-properties.png" :::
+
+## Need help? contact support
+
+If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly.
+
+## Next steps
+
+- [Managing billing across tenants](manage-billing-across-tenants.md)
+- [Billing administrative roles](understand-mca-roles.md)
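Review bot: The heading "## Need help? contact support" has a lowercase "contact", unlike the same heading in the billing-tenants article added in this update. In the steps, "Azure Active Directory" is italic in step 2 and bold in the sub-step under step 4, and that sub-step repeats the search the reader has already done; use one emphasis style and drop or reword the repeated step.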
cost-management-billing Manage Billing Across Tenants https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/manage-billing-across-tenants.md
+
+ Title: Manage billing across multiple tenants
+
+description: Describes how to use associated billing tenants to manage billing across tenants and move subscriptions in different tenants.
++
+tags: billing
+++ Last updated : 08/04/2022+++
+# Manage billing across multiple tenants using associated billing tenants
+
+You can simplify billing management for your organization by creating multi-tenant billing relationships using associated billing tenants. A multi-tenant billing relationship lets you securely share your organizationΓÇÖs billing account with other tenants, while maintaining control over your billing data. You can move subscriptions in different tenants and provide users in those tenants with access to your organizationΓÇÖs billing account. This relationship lets users on those tenants do billing activities like viewing and downloading invoices or managing licenses.
+
+## Understand tenant types
+
+Primary billing tenant: The primary billing tenant is the tenant used when the billing account is set up. By default, all subscriptions are created in this tenant and only users from this tenant can get access to the billing account.
+
+Associated billing tenants: An associated billing tenant is a tenant that is linked to your primary billing tenantΓÇÖs billing account. You can move Microsoft 365 subscriptions to these tenants. You can also assign billing account roles to users in associated billing tenants.
+
+> [!IMPORTANT]
+> Adding associated billing tenants, moving subscriptions and assigning roles to users in associated billing tenants are only available for billing accounts of type Microsoft Customer Agreement that are created by working with a Microsoft sales representative. To learn more about types of billing accounts, see [Billing accounts and scopes in the Azure portal](view-all-accounts.md).
+
+## Access settings for associated billing tenants
+
+When you add an associated billing tenant, you can enable one or both of the following access settings:
+
+- **Billing management**: Billing management lets billing account owners assign roles to users in an associated billing tenant, giving them permission to access billing information and make purchasing decisions.
+- **Provisioning**: Provisioning allows you to move Microsoft 365 subscriptions to the associated billing tenants.
+
+## Add an associated billing tenant
+
+Before you begin, make sure you have either the tenant ID, or the primary domain name for the tenant you want to add. For more information, see [Find a tenant ID or domain name](find-tenant-id-domain.md).
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for **Cost Management + Billing**.
+ :::image type="content" source="./media/manage-billing-across-tenants/billing-search-cost-management-billing.png" alt-text="Screenshot showing Search in the Azure portal for Cost Management + Billing." lightbox="./media/manage-billing-across-tenants/billing-search-cost-management-billing.png" :::
+1. Select **Access control (IAM)** on the left side of the page.
+1. On the Access control (IAM) page, select **Associated billing tenants** at the top of the page.
+ :::image type="content" source="./media/manage-billing-across-tenants/access-management-associated-tenants.png" alt-text="Screenshot showing the Access control page while adding an associated tenant." lightbox="./media/manage-billing-across-tenants/access-management-associated-tenants.png" :::
+1. On the Associated billing tenants page, select **Add** at the top of the page.
+ :::image type="content" source="./media/manage-billing-across-tenants/associated-tenants-list-add.png" alt-text="Screenshot showing the Add option for Associated billing tenants." lightbox="./media/manage-billing-across-tenants/associated-tenants-list-add.png" :::
+1. On the Add tenant page, enter a tenant ID or domain name, provide a friendly name and then select one or both options for access settings. For more information about access settings, see [Access settings for associated billing tenant](#access-settings-for-associated-billing-tenants).
+ :::image type="content" source="./media/manage-billing-across-tenants/associated-tenants-add.png" alt-text="Screenshot showing associated billing tenants form." lightbox="./media/manage-billing-across-tenants/associated-tenants-add.png" :::
+ > [!NOTE]
+ > The friendly name of an associated billing tenant is used to easily identify the tenant in the Cost management + Billing section. The name is different from the display name of the tenant in Azure active directory.
+1. Select **Save**.
+
+If the Provisioning access setting is turned on, a unique link is created for you to send to the global administrator of the associated billing tenant. They must accept the request before you can move subscriptions to their tenant.
++
+## Assign roles to users from the associated billing tenant
+
+Before assigning roles, make sure you [add a tenant as an associated billing tenant and enable billing management access setting](#add-an-associated-billing-tenant).
+
+### To assign roles and send an email invitation
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for **Cost Management + Billing**.
+ :::image type="content" source="./media/manage-billing-across-tenants/billing-search-cost-management-billing.png" alt-text="Screenshot showing Search in the Azure portal for cost management + billing" lightbox="./media/manage-billing-across-tenants/billing-search-cost-management-billing.png" :::
+1. Select **Access control (IAM)** on the left side of the page.
+1. On the Access control (IAM) page, select **Add** at the top of the page.
+ :::image type="content" source="./media/manage-billing-across-tenants/access-management-add-role-assignment-button.png" alt-text="Screenshot showing access control page while assigning roles." lightbox="./media/manage-billing-across-tenants/access-management-add-role-assignment-button.png" :::
+1. In the Add role assignment pane, select a role, select the associated billing tenant from the tenant dropdown, then enter the email address of the users, groups or apps to whom you want to assign roles.
+1. Select **Add**.
+ :::image type="content" source="./media/manage-billing-across-tenants/associated-tenants-add-role-assignment.png" alt-text="Screenshot showing saving a role assignment." lightbox="./media/manage-billing-across-tenants/associated-tenants-add-role-assignment.png" :::
+1. The users receive an email with a link to review the role assignment request. After they accept the role, they have access to your billing account.
+
+### To manually share the invitation link
+
+If the users can't receive emails, you can copy the review link and share it with them. Follow the steps in the preceding section then:
+
+1. Select **Manage requests** at the top of the **Access control (IAM)** page.
+ :::image type="content" source="./media/manage-billing-across-tenants/access-management-manage-requests.png" alt-text="Screenshot showing the Manage requests option." lightbox="./media/manage-billing-across-tenants/access-management-manage-requests.png" :::
+1. Select the role assignment request.
+ :::image type="content" source="./media/manage-billing-across-tenants/access-management-requests-list.png" alt-text="Screenshot showing billing access requests list." lightbox="./media/manage-billing-across-tenants/access-management-requests-list.png" :::
+1. Copy the request URL.
+ :::image type="content" source="./media/manage-billing-across-tenants/role-assignment-request-details.png" alt-text="Screenshot showing the invitation URL for role assignment request." lightbox="./media/manage-billing-across-tenants/role-assignment-request-details.png" :::
+1. Manually share the link with the user.
+
+### Role assignments through associated billing tenants vs Azure B2B
+
+Choosing to assign roles to users from associated billing tenants might be the right approach, depending on the needs of your organization. The following illustrations and table compare using associated billing tenants and Azure B2B to help you decide which approach is right for your organization. To learn more about Azure B2B, see [B2B collaboration overview](../../active-directory/external-identities/what-is-b2b.md)
+++
+| Consideration |Associated billing tenants |Azure B2B |
+||||
+|Security | The users that you invite to share your billing account will follow their tenant's security policies. | The users that you invite to share your billing account will follow your tenant's security policies. |
+|Access | The users get access to your billing account in their own tenant and can manage billing and make purchases without switching tenants. | External guest identities are created for users in your tenant and these identities get access to your billing account. Users would have to switch tenant to manage billing and make purchases. |
+
+## Move Microsoft 365 subscriptions to a billing tenant
+
+Before moving subscriptions, make sure you [add a tenant as an associated billing tenant and enable provisioning access setting](#add-an-associated-billing-tenant). Also the global administrator of the associated billing tenant must accept the provisioning request from your billing account.
+
+> [!IMPORTANT]
+> You can only move a subscription to an associated billing tenant if all licenses in the subscription are available. If any licenses are assigned, you canΓÇÖt move the subscription.
+
+1. Go to the [Microsoft admin center](https://admin.microsoft.com).
+1. In the admin center, go to the **Billing > Your products page**.
+1. Select the name of the product that you want to move to the associated billing tenant.
+1. On the product details page, in the **Licenses assigned from all subscriptions** section, select **Move to another tenant**.
+1. In the **Move subscription to a different tenant** pane, search for a tenant name or select a tenant from the list, then select **Move subscription**.
+
+## Move Azure subscriptions to an associated billing tenant
+
+The provisioning setting that you enable for an associated billing tenant doesn't apply for Azure subscriptions. To move Azure subscriptions to an associated billing tenant, see [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
+
+## Need help? Contact support
+
+If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly.
+
+## Next steps
+
+- [Billing administrative roles](understand-mca-roles.md)
+- [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
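Review bot: The "To manually share the invitation link" steps have the owner copy the request URL and pass it on by hand, but nothing says whether that URL is tied to the invited identity or how long it stays valid. Document both here, and likewise for the provisioning link sent to the global administrator. In the comparison table, the Security row says invited users follow their own tenant's security policies; add a sentence on what that means for the billing account owner. The paragraph above the table refers to "illustrations" that don't appear in this hunk and is missing its closing period, and "Cost management + Billing" and "Azure active directory" in the note under step 6 don't match the capitalization used elsewhere.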
ddos-protection Manage Ddos Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-template.md
na
Previously updated : 04/26/2021 Last updated : 08/12/2022 # Quickstart: Create an Azure DDoS Protection Standard using ARM template
defender-for-cloud Auto Deploy Azure Monitoring Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/auto-deploy-azure-monitoring-agent.md
+
+ Title: Deploy the Azure Monitor Agent with auto provisioning
+description: Learn how to deploy the Azure Monitor Agent on your Azure, multicloud, and on-premises servers with auto provisioning to support Microsoft Defender for Cloud protections.
+++ Last updated : 08/03/2022+++
+# Auto provision the Azure Monitor Agent to protect your servers with Microsoft Defender for Cloud
+
+To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis. You can use auto provisioning to quietly deploy the Azure Monitor Agent on your servers.
+
+In this article, we're going to show you how to use auto provisioning to deploy the agent so that you can protect your servers.
+
+## Availability
++
+## Prerequisites
+
+Before you enable auto provisioning, you must have the following prerequisites:
+
+- Make sure your multicloud and on-premises machines have Azure Arc installed.
+ - AWS and GCP machines
+ - [Onboard your AWS connector](quickstart-onboard-aws.md) and auto provision Azure Arc.
+ - [Onboard your GCP connector](quickstart-onboard-gcp.md) and auto provision Azure Arc.
+ - Other clouds and on-premises machines
+ - [Install Azure Arc](/azure/azure-arc/servers/learn/quick-enable-hybrid-vm).
+- Make sure the Defender plans that you want the Azure Monitor Agent to support are enabled:
+ - [Enable Defender for Servers Plan 2 on Azure and on-premises VMs](enable-enhanced-security.md)
+ - [Enable Defender plans on the subscriptions for your AWS VMs](quickstart-onboard-aws.md)
+ - [Enable Defender plans on the subscriptions for your GCP VMs](quickstart-onboard-gcp.md)
+
+## Deploy the Azure Monitor Agent with auto provisioning
+
+To deploy the Azure Monitor Agent with auto provisioning:
+
+1. From Defender for Cloud's menu, open **Environment settings**.
+1. Select the relevant subscription.
+1. Open the **Auto provisioning** page.
+
+ :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/select-auto-provisioning.png" alt-text="Screenshot of the auto provisioning menu item for enabling the Azure Monitor Agent.":::
+
+1. Enable deployment of the Azure Monitor Agent:
+
+ 1. For the **Log Analytics agent/Azure Monitor Agent**, select the **On** status.
+
+ In the Configuration column, you can see the enabled agent type. When you enable auto provisioning, Defender for Cloud decides which agent to provision based on your environment. In most cases, the default is the Log Analytics agent.
+
+ :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/turn-on-azure-monitor-agent-auto-provision.png" alt-text="Screenshot of the auto provisioning page for enabling the Azure Monitor Agent." lightbox="media/auto-deploy-azure-monitoring-agent/turn-on-azure-monitor-agent-auto-provision.png":::
+
+ 1. For the **Log Analytics agent/Azure Monitor Agent**, select **Edit configuration**.
+
+ :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/configure-azure-monitor-agent-auto-provision.png " alt-text="Screenshot of editing the Azure Monitor Agent configuration." lightbox="media/auto-deploy-azure-monitoring-agent/configure-azure-monitor-agent-auto-provision.png":::
+
+ 1. For the Auto-provisioning configuration agent type, select **Azure Monitor Agent**.
+
+ :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/select-azure-monitor-agent-auto-provision.png" alt-text="Screenshot of selecting the Azure Monitor Agent." lightbox="media/auto-deploy-azure-monitoring-agent/select-azure-monitor-agent-auto-provision.png":::
+
+ By default:
+
+ - The Azure Monitor Agent is installed on all existing machines in the selected subscription, and on all new machines created in the subscription.
+ - The Log Analytics agent isn't uninstalled from machines that already have it installed. You can [leave the Log Analytics agent](#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) on the machine, or you can manually [remove the Log Analytics agent](/azure/azure-monitor/agents/azure-monitor-agent-migration) if you don't require it for other protections.
+ - The agent sends data to the default workspace for the subscription. You can also [configure a custom workspace](#configure-custom-destination-log-analytics-workspace) to send data to.
+ - You can't enable [collection of additional security events](#additional-security-events-collection).
+
+## Impact of running with both the Log Analytics and Azure Monitor Agents
+
+You can run both the Log Analytics and Azure Monitor Agents on the same machine, but you should be aware of these considerations:
+
+- Certain recommendations or alerts are reported by both agents and appear twice in Defender for Cloud.
+- Each machine is billed once in Defender for Cloud, but make sure you track billing of other services connected to the Log Analytics and Azure Monitor, such as the Log Analytics workspace data ingestion.
+- Both agents have performance impact on the machine.
+
+When you enable auto provisioning, Defender for Cloud decides which agent to provision. In most cases, the default is the Log Analytics agent.
+
+Learn more about [migrating to the Azure Monitor Agent](/azure/azure-monitor/agents/azure-monitor-agent-migration).
+
+## Custom configurations
+
+### Configure custom destination Log Analytics workspace
+
+When you install the Azure Monitor Agent with auto-provisioning, you can define the destination workspace of the installed extensions. By default, the destination is the ΓÇ£default workspaceΓÇ¥ that Defender for Cloud creates for each region in the subscription: `defaultWorkspace-<subscriptionId>-<regionShortName>`. Defender for Cloud automatically configures the data collection rules, workspace solution, and additional extensions for that workspace.
+
+If you configure a custom Log Analytics workspace:
+
+- Defender for Cloud only configures the data collection rules and additional extensions for the custom workspace. You'll have to configure the workspace solution on the custom workspace.
+- Machines with Log Analytics agent that report to a Log Analytics workspace with the security solution are billed even when the Defender for Servers plan isn't enabled. Machines with the Azure Monitor Agent are billed only when the plan is enabled on the subscription. The security solution is still required on the workspace to work with the plans features and to be eligible for the 500-MB benefit.
+
+To configure a custom destination workspace for the Azure Monitor Agent:
+
+1. From Defender for Cloud's menu, open **Environment settings**.
+1. Select the relevant subscription.
+1. Open the **Auto provisioning** page.
+1. For the **Log Analytics agent/Azure Monitor Agent**, select **Edit configuration**.
+1. Select **Custom workspace**, and select the workspace that you want to send data to.
+
+### Log analytics workspace solutions
+
+The Azure Monitor Agent requires Log analytics workspace solutions. These solutions are automatically installed when you auto-provision the Azure Monitor Agent with the default workspace.
+
+The required [Log Analytics workspace solutions](/azure/azure-monitor/insights/solutions) for the data that you're collecting are:
+
+ - Security posture management (CSPM) ΓÇô **SecurityCenterFree solution**
+ - Defender for Servers Plan 2 ΓÇô **Security solution**
+
+### Additional extensions for Defender for Cloud
+
+The Azure Monitor Agent requires additional extensions. The ASA extension, which supports endpoint protection recommendations and fileless attack detection, is automatically installed when you auto-provision the Azure Monitor Agent.
+
+### Additional security events collection
+
+When you auto-provision the Log Analytics agent in Defender for Cloud, you can choose to collect additional security events to the workspace. When you auto-provision the Log Analytics agent in Defender for Cloud, the option to collect additional security events to the workspace isn't available. Defender for Cloud doesn't rely on these security events, but they can be helpful for investigations through Microsoft Sentinel.
+
+If you want to collect security events when you auto-provision the Azure Monitor Agent, you can create a [Data Collection Rule](/azure-monitor/essentials/data-collection-rule-overview) to collect the required events.
+
+Like for Log Analytics workspaces, Defender for Cloud users are eligible for [500-MB of free data](enhanced-security-features-overview.md#faqpricing-and-billing) daily on defined data types that include security events.
+
+## Next steps
+
+Now that you enabled the Azure Monitor Agent, check out the features that are supported by the agent:
+
+- [Endpoint protection assessment](endpoint-protection-recommendations-technical.md)
+- [Adaptive application controls](adaptive-application-controls.md)
+- [Fileless attack detection](defender-for-servers-introduction.md#plan-features)
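Review bot: In the "Additional security events collection" section, both sentences of the first paragraph begin "When you auto-provision the Log Analytics agent in Defender for Cloud" and then say opposite things (the option can be chosen, then the option isn't available). The second sentence presumably refers to the Azure Monitor Agent, which would match the "By default" bullet "You can't enable collection of additional security events", so the agent name there should be changed. In the same section, the Data Collection Rule link uses `/azure-monitor/essentials/data-collection-rule-overview` while the other absolute links in this file start with `/azure/azure-monitor/...`, so it likely needs the `/azure/` prefix. The `source` attribute of the "Edit configuration" screenshot also has a trailing space before its closing quote, and the sentence "In most cases, the default is the Log Analytics agent" appears both in the deployment steps and in the "Impact" section; one copy is enough.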
defender-for-cloud Defender For Sql Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-sql-introduction.md
Microsoft Defender for Azure SQL databases protects:
- [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) - [Dedicated SQL pool in Azure Synapse](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md)
-When you enabled **Microsoft Defender for Azure SQL**, all supported resources that exist within the subscription are protected. Future resources created on the same subscription are also be protected.
+When you enabled **Microsoft Defender for Azure SQL**, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.
> [!NOTE] > Microsoft Defender for Azure SQL database currently works for read-write replicas only.
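Review bot: The replacement line fixes "are also be protected" but keeps "When you enabled", a past-tense opening against the present-tense "are protected" and the new "will also be protected". Suggest "When you enable **Microsoft Defender for Azure SQL**, all supported resources ..." so the sentence reads as a description of what enabling the plan does.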
defender-for-cloud Enable Data Collection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/enable-data-collection.md
Title: Configure auto provisioning of agents for Microsoft Defender for Cloud description: This article describes how to set up auto provisioning of the Log Analytics agent and other agents and extensions used by Microsoft Defender for Cloud++ Previously updated : 07/06/2022 Last updated : 08/14/2022 # Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud Microsoft Defender for Cloud collects data from your resources using the relevant agent or extensions for that resource and the type of data collection you've enabled. Use the procedures below to auto-provision the necessary agents and extensions used by Defender for Cloud to your resources.
+When you enable auto provisioning of any of the supported extensions, the extensions are installed on existing and future machines in the subscription. When you **disable** auto provisioning for an extension, the extension is not installed on future machines, but it is also not uninstalled from existing machines.
-> [!NOTE]
-> When you enable auto provisioning of any of the supported extensions, you'll potentially impact *existing* and *future* machines. But when you **disable** auto provisioning for an extension, you'll only affect the *future* machines: nothing is uninstalled by disabling auto provisioning.
## Prerequisites
This table shows the availability details for the auto provisioning **feature**
| Policy-based: | :::image type="icon" source="./media/icons/no-icon.png"::: No | :::image type="icon" source="./media/icons/yes-icon.png"::: Yes | | Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government, Azure China 21Vianet | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Azure China 21Vianet |
+### [**Azure Monitor Agent**](#tab/autoprovision-ama)
++
+Learn more about [using the Azure Monitor Agent with Defender for Cloud](auto-deploy-azure-monitoring-agent.md).
+ ### [**Vulnerability assessment**](#tab/autoprovision-va) | Aspect | Details |
By default, auto provisioning is enabled when you enable Defender for Containers
-> [!TIP]
-> For items marked in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
## How does Defender for Cloud collect data?
Data is collected using:
- The **Log Analytics agent**, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user. - **Security extensions**, such as the [Azure Policy Add-on for Kubernetes](../governance/policy/concepts/policy-for-kubernetes.md), which can also provide data to Defender for Cloud regarding specialized resource types.
-> [!TIP]
-> As Defender for Cloud has grown, the types of resources that can be monitored has also grown. The number of extensions has also grown. Auto provisioning has expanded to support additional resource types by leveraging the capabilities of Azure Policy.
- ## Why use auto provisioning? Any of the agents and extensions described on this page *can* be installed manually (see [Manual installation of the Log Analytics agent](#manual-agent)). However, **auto provisioning** reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources.
defender-for-cloud Quickstart Enable Database Protections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/quickstart-enable-database-protections.md
Last updated 07/28/2022
# Enable Microsoft Defender for Cloud database plans
-This article explains how to enable Microsoft Defender for Cloud's database protections for the most common database types, Azure, hybrid, and multicloud environments.
+This article explains how to enable Microsoft Defender for Cloud's database protections for the most common database types, within Azure, hybrid, and multicloud environments.
-Defender for Cloud database protections lets you protect your entire database estate with attack detection and threat response for the most popular database types in Azure. Defender for Cloud provides protection for the database engines and for data types, according to their attack surface and security risks.
+Defender for Cloud database protections let you protect your entire database estate with attack detection and threat response for the most popular database types in Azure. Defender for Cloud provides protection for the database engines and for data types, according to their attack surface and security risks.
Database protection includes:
defender-for-cloud Release Notes Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes-archive.md
description: A description of what's new and changed in Microsoft Defender for C
Previously updated : 07/13/2022 Last updated : 08/14/2022 # Archive for what's new in Defender for Cloud?
This page provides you with information about:
- Bug fixes - Deprecated functionality
+## February 2022
+
+Updates in February include:
+
+- [Kubernetes workload protection for Arc-enabled Kubernetes clusters](#kubernetes-workload-protection-for-arc-enabled-kubernetes-clusters)
+- [Native CSPM for GCP and threat protection for GCP compute instances](#native-cspm-for-gcp-and-threat-protection-for-gcp-compute-instances)
+- [Microsoft Defender for Azure Cosmos DB plan released for preview](#microsoft-defender-for-azure-cosmos-db-plan-released-for-preview)
+- [Threat protection for Google Kubernetes Engine (GKE) clusters](#threat-protection-for-google-kubernetes-engine-gke-clusters)
+
+### Kubernetes workload protection for Arc-enabled Kubernetes clusters
+
+Defender for Containers previously only protected Kubernetes workloads running in Azure Kubernetes Service. We've now extended the protective coverage to include Azure Arc-enabled Kubernetes clusters.
+
+Learn how to [set up your Kubernetes workload protection](kubernetes-workload-protections.md#set-up-your-workload-protection) for AKS and Azure Arc enabled Kubernetes clusters.
+
+### Native CSPM for GCP and threat protection for GCP compute instances
+
+The new automated onboarding of GCP environments allows you to protect GCP workloads with Microsoft Defender for Cloud. Defender for Cloud protects your resources with the following plans:
+
+- **Defender for Cloud's CSPM** features extend to your GCP resources. This agentless plan assesses your GCP resources according to the GCP-specific security recommendations, which are provided with Defender for Cloud. GCP recommendations are included in your secure score, and the resources will be assessed for compliance with the built-in GCP CIS standard. Defender for Cloud's asset inventory page is a multicloud enabled feature helping you manage your resources across Azure, AWS, and GCP.
+
+- **Microsoft Defender for Servers** brings threat detection and advanced defenses to your GCP compute instances. This plan includes the integrated license for Microsoft Defender for Endpoint, vulnerability assessment scanning, and more.
+
+ For a full list of available features, see [Supported features for virtual machines and servers](supported-machines-endpoint-solutions-clouds-servers.md). Automatic onboarding capabilities will allow you to easily connect any existing, and new compute instances discovered in your environment.
+
+Learn how to protect, and [connect your GCP projects](quickstart-onboard-gcp.md) with Microsoft Defender for Cloud.
+
+### Microsoft Defender for Azure Cosmos DB plan released for preview
+
+We have extended Microsoft Defender for CloudΓÇÖs database coverage. You can now enable protection for your Azure Cosmos DB databases.
+
+Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects any attempt to exploit databases in your Azure Cosmos DB accounts. Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.
+
+It continuously analyzes the customer data stream generated by the Azure Cosmos DB services.
+
+When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.
+
+There's no impact on database performance when enabling the service, because Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data.
+
+Learn more at [Overview of Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md).
+
+We're also introducing a new enablement experience for database security. You can now enable Microsoft Defender for Cloud protection on your subscription to protect all database types, such as, Azure Cosmos DB, Azure SQL Database, Azure SQL servers on machines, and Microsoft Defender for open-source relational databases through one enablement process. Specific resource types can be included, or excluded by configuring your plan.
+
+Learn how to [enable your database security at the subscription level](quickstart-enable-database-protections.md#enable-database-protection-on-your-subscription).
+
+### Threat protection for Google Kubernetes Engine (GKE) clusters
+
+Following our recent announcement [Native CSPM for GCP and threat protection for GCP compute instances](#native-cspm-for-gcp-and-threat-protection-for-gcp-compute-instances), Microsoft Defender for Containers has extended its Kubernetes threat protection, behavioral analytics, and built-in admission control policies to Google's Kubernetes Engine (GKE) Standard clusters. You can easily onboard any existing, or new GKE Standard clusters to your environment through our Automatic onboarding capabilities. Check out [Container security with Microsoft Defender for Cloud](defender-for-containers-introduction.md#vulnerability-assessment), for a full list of available features.
+ ## January 2022 Updates in January include:
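Review bot: In the GKE entry at the end of the moved February section, the link offered "for a full list of available features" targets `defender-for-containers-introduction.md#vulnerability-assessment`, a fragment that names one feature rather than a feature list. Since the text is being relocated to the archive anyway, drop the fragment or point the link at a feature availability page. The database enablement paragraph also has a stray comma in "such as, Azure Cosmos DB".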
defender-for-cloud Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md
Title: Release notes for Microsoft Defender for Cloud description: A description of what's new and changed in Microsoft Defender for Cloud Previously updated : 08/02/2022 Last updated : 08/14/2022 # What's new in Microsoft Defender for Cloud?
To learn about *planned* changes that are coming soon to Defender for Cloud, see
> [!TIP] > If you're looking for items older than six months, you'll find them in the [Archive for What's new in Microsoft Defender for Cloud](release-notes-archive.md).
+## August 2022
+
+Updates in August include:
+
+- [Auto-deployment of Azure Monitor Agent (Preview)](#auto-deployment-of-azure-monitor-agent-preview)
+
+### Auto-deployment of Azure Monitor Agent (Preview)
+
+The [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.
+
+The [Azure Monitor Agent is now integrated](enable-data-collection.md?tabs=autoprovision-ama#tabpanel_1_autoprovision-ama) into Microsoft Defender for Cloud. You can [auto-provision Azure Monitor Agent](auto-deploy-azure-monitoring-agent.md) to all of your cloud and on-premises servers with Defender for Cloud. Also, Defender for Cloud protections can use data collected by the Azure Monitor Agent.
+ ## July 2022 Updates in July include: - [General availability (GA) of the Cloud-native security agent for Kubernetes runtime protection](#general-availability-ga-of-the-cloud-native-security-agent-for-kubernetes-runtime-protection) - [Defender for Container's VA adds support for the detection of language specific packages (Preview)](#defender-for-containers-va-adds-support-for-the-detection-of-language-specific-packages-preview)-- [Protect against the Operations Management Suite vulnerability CVE-2022-29149](#protect-against-the-operations-management-suite-vulnerability-cve-2022-29149)
+- [Protect against the Operations Management Infrastructure vulnerability CVE-2022-29149](#protect-against-the-operations-management-infrastructure-vulnerability-cve-2022-29149)
- [Integration with Entra Permissions Management](#integration-with-entra-permissions-management) - [Key Vault recommendations changed to "audit"](#key-vault-recommendations-changed-to-audit) - [Deprecate API App policies for App Service](#deprecate-api-app-policies-for-app-service)
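Review bot: In the second paragraph of the new August entry, the link `enable-data-collection.md?tabs=autoprovision-ama#tabpanel_1_autoprovision-ama` carries a `#tabpanel_1_...` fragment, which looks like an element id taken from the rendered page rather than a heading anchor. The `?tabs=autoprovision-ama` query already selects the tab that the enable-data-collection.md change adds as `#tab/autoprovision-ama`, so the fragment can be removed; a positional id of this kind may stop resolving if the tabs are reordered.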
This feature is in `preview` and is only available for Linux images.
To see all of the included language specific packages that have been added, check out Defender for Container's full list of [features and their availability](supported-machines-endpoint-solutions-clouds-containers.md#registries-and-images).
-### Protect against the Operations Management Suite vulnerability CVE-2022-29149
+### Protect against the Operations Management Infrastructure vulnerability CVE-2022-29149
-Operations Management Suite (OMS) is a collection of cloud-based services for managing on-premises and cloud environments from one single place. Rather than deploying and managing on-premises resources, OMS components are entirely hosted in Azure.
+Operations Management Infrastructure (OMI) is a collection of cloud-based services for managing on-premises and cloud environments from one single place. Rather than deploying and managing on-premises resources, OMI components are entirely hosted in Azure.
-Log Analytics integrated with Azure HDInsight running OMS version 13 requires a patch to remediate [CVE-2022-29149](https://nvd.nist.gov/vuln/detail/CVE-2022-29149). Review the report about this vulnerability in the [Microsoft Security Update guide](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29149) for information about how to identify resources that are affected by this vulnerability and remediation steps.
+Log Analytics integrated with Azure HDInsight running OMI version 13 requires a patch to remediate [CVE-2022-29149](https://nvd.nist.gov/vuln/detail/CVE-2022-29149). Review the report about this vulnerability in the [Microsoft Security Update guide](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29149) for information about how to identify resources that are affected by this vulnerability and remediation steps.
If you have Defender for Servers enabled with Vulnerability Assessment, you can use [this workbook](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/OMI%20Vulnerability%20Dashboard) to identify affected resources.
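Review bot: The heading and both paragraphs swap "Operations Management Suite (OMS)" for "Operations Management Infrastructure (OMI)" but leave the descriptive sentences untouched ("a collection of cloud-based services for managing on-premises and cloud environments", "components are entirely hosted in Azure"), so text that was written to describe OMS now describes OMI. Check the expansion of OMI and that description against the linked CVE-2022-29149 advisory before merging, because readers use this paragraph to decide which resources need the patch.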
Learn how to protect and connect your [AWS environment](quickstart-onboard-aws.m
Registry scan for Windows images is now supported in Azure Government and Azure China 21Vianet. This addition is currently in preview. Learn more about our [feature's availability](supported-machines-endpoint-solutions-clouds-containers.md).-
-## February 2022
-
-Updates in February include:
--- [Kubernetes workload protection for Arc-enabled Kubernetes clusters](#kubernetes-workload-protection-for-arc-enabled-kubernetes-clusters)-- [Native CSPM for GCP and threat protection for GCP compute instances](#native-cspm-for-gcp-and-threat-protection-for-gcp-compute-instances)-- [Microsoft Defender for Azure Cosmos DB plan released for preview](#microsoft-defender-for-azure-cosmos-db-plan-released-for-preview)-- [Threat protection for Google Kubernetes Engine (GKE) clusters](#threat-protection-for-google-kubernetes-engine-gke-clusters)-
-### Kubernetes workload protection for Arc-enabled Kubernetes clusters
-
-Defender for Containers previously only protected Kubernetes workloads running in Azure Kubernetes Service. We've now extended the protective coverage to include Azure Arc-enabled Kubernetes clusters.
-
-Learn how to [set up your Kubernetes workload protection](kubernetes-workload-protections.md#set-up-your-workload-protection) for AKS and Azure Arc enabled Kubernetes clusters.
-
-### Native CSPM for GCP and threat protection for GCP compute instances
-
-The new automated onboarding of GCP environments allows you to protect GCP workloads with Microsoft Defender for Cloud. Defender for Cloud protects your resources with the following plans:
--- **Defender for Cloud's CSPM** features extend to your GCP resources. This agentless plan assesses your GCP resources according to the GCP-specific security recommendations, which are provided with Defender for Cloud. GCP recommendations are included in your secure score, and the resources will be assessed for compliance with the built-in GCP CIS standard. Defender for Cloud's asset inventory page is a multicloud enabled feature helping you manage your resources across Azure, AWS, and GCP.--- **Microsoft Defender for Servers** brings threat detection and advanced defenses to your GCP compute instances. This plan includes the integrated license for Microsoft Defender for Endpoint, vulnerability assessment scanning, and more.-
- For a full list of available features, see [Supported features for virtual machines and servers](supported-machines-endpoint-solutions-clouds-servers.md). Automatic onboarding capabilities will allow you to easily connect any existing, and new compute instances discovered in your environment.
-
-Learn how to protect, and [connect your GCP projects](quickstart-onboard-gcp.md) with Microsoft Defender for Cloud.
-
-### Microsoft Defender for Azure Cosmos DB plan released for preview
-
-We have extended Microsoft Defender for CloudΓÇÖs database coverage. You can now enable protection for your Azure Cosmos DB databases.
-
-Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects any attempt to exploit databases in your Azure Cosmos DB accounts. Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.
-
-It continuously analyzes the customer data stream generated by the Azure Cosmos DB services.
-
-When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.
-
-There's no impact on database performance when enabling the service, because Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data.
-
-Learn more at [Overview of Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md).
-
-We're also introducing a new enablement experience for database security. You can now enable Microsoft Defender for Cloud protection on your subscription to protect all database types, such as, Azure Cosmos DB, Azure SQL Database, Azure SQL servers on machines, and Microsoft Defender for open-source relational databases through one enablement process. Specific resource types can be included, or excluded by configuring your plan.
-
-Learn how to [enable your database security at the subscription level](quickstart-enable-database-protections.md#enable-database-protection-on-your-subscription).
-
-### Threat protection for Google Kubernetes Engine (GKE) clusters
-
-Following our recent announcement [Native CSPM for GCP and threat protection for GCP compute instances](#native-cspm-for-gcp-and-threat-protection-for-gcp-compute-instances), Microsoft Defender for Containers has extended its Kubernetes threat protection, behavioral analytics, and built-in admission control policies to Google's Kubernetes Engine (GKE) Standard clusters. You can easily onboard any existing, or new GKE Standard clusters to your environment through our Automatic onboarding capabilities. Check out [Container security with Microsoft Defender for Cloud](defender-for-containers-introduction.md#vulnerability-assessment), for a full list of available features.
defender-for-iot Faqs Eiot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/faqs-eiot.md
This article provides a list of frequently asked questions and answers about Ent
## What is the difference between OT and Enterprise IoT?
-### OT
+### Operational Technology (OT)
OT network sensors use agentless, patented technology to discover, learn, and continuously monitor network devices for a deep visibility into Operational Technology (OT) / Industrial Control System (ICS) risks. Sensors carry out data collection, analysis, and alerting on-site, making them ideal for locations with low bandwidth or high latency.
If you haven't changed your plan from a trial to a monthly commitment by the tim
To change your plan from a trial to a monthly commitment before the end of the trial, you'll need to cancel your trial plan and onboard a new plan in Defender for Endpoint. For more information, see [Defender for IoT integration](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).
-## How is the Defender for IoT pricing affected now that support for Enterprise IoT networks is in General Availability?
+## How is the Defender for IoT pricing affected now that support for Enterprise IoT networks is in general availability?
For more information, see the [Microsoft Defender for IoT pricing](https://azure.microsoft.com/pricing/details/iot-defender/) page.
defender-for-iot Faqs Ot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/faqs-ot.md
Last updated 07/07/2022
-# OT networks frequently asked questions
+# Operational Technology (OT) networks frequently asked questions
This article provides a list of frequently asked questions and answers about OT networks in Defender for IoT.
You can also use our [UI and CLI tools](how-to-troubleshoot-the-sensor-and-on-pr
For more information, see [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md).
-## Next Steps
+## Next steps
- [Tutorial: Get started with Microsoft Defender for IoT for OT security](tutorial-onboarding.md)
dev-box Concept Dev Box Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/concept-dev-box-concepts.md
+
+ Title: Microsoft Dev Box key concepts
+
+description: Learn key concepts and terminology for Microsoft Dev Box.
+++++ Last updated : 08/10/2022+++
+<!--
+ Customer intent:
+ As a developer I want to understand Dev Box concepts and terminology so that I can set up Dev Box environment.
+ -->
+# Microsoft Dev Box key concepts
+
+This article describes the key concepts and components of Microsoft Dev Box.
+
+## Dev center
+
+A dev center is a collection of projects that require similar settings. Dev centers enable dev infrastructure managers to manage the images and SKUs available to the projects using [dev box definitions](concept-dev-box-concepts.md#dev-box-definition), and configure the networks the development teams consume using [network connections](./concept-dev-box-concepts.md#network-connection).
+
+## Projects
+
+A project is the point of access for the development team members. When you associate a project with a dev center, all the settings at the dev center level will be applied to the project automatically. Each project can be associated with only one dev center. Dev managers can configure the dev boxes available for the project by specifying the [dev box definitions](./concept-dev-box-concepts.md#dev-box-definition) appropriate for their workloads.
+
+## Dev box definition
+
+A dev box definition specifies a source image and size, including compute size and storage size. You can use a source image from the marketplace, or a custom image from your own [Azure Compute Gallery](./how-to-configure-azure-compute-gallery.md). You can use dev box definitions across multiple projects in a dev center.
+
+## Network connection
+
+IT administrators and dev infrastructure managers configure the network used for dev box creation in accordance with their organizational policies. Network connections store configuration information like Active Directory join type and virtual network that dev boxes use to connect to network resources.
+
+When creating a network connection, you must choose whether to use a native Azure Active Directory (Azure AD) join or a hybrid Azure AD join. If your dev boxes need to connect exclusively to cloud-based resources, use a native Azure AD join. Use a hybrid Azure AD join if your dev boxes need to connect to on-premises resources and cloud-based resources. To learn more about Azure AD and hybrid Azure AD joined devices, [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment).
+
+The virtual network specified in a network connection also determines the region for the dev box. You can create multiple network connections based on the regions where you support developers and use them when creating different dev box pools to ensure dev box users create a dev box in a region close to them. Using a region close to the dev box user provides the best experience.
+
+## Dev box pool
+A dev box pool is a collection of dev boxes that you manage together that you manage together and to which you apply similar settings. You can create multiple dev box pools to support the needs of hybrid teams working in different regions or on different workloads.
+
+## Dev box
+A dev box is a preconfigured ready-to-code workstation that you create through the self-service developer portal. The new dev box has all the tools, binaries, and configuration required for a dev box user to be productive immediately. You can create and manage multiple dev boxes to work on multiple work streams. As a dev box user you have control over your own dev boxes - you can create more as you need them, and delete them when you have finished using them.
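Review bot: In the "Dev box pool" section the phrase "that you manage together" appears twice in a row ("a collection of dev boxes that you manage together that you manage together and to which you apply similar settings"); drop the duplicate. In "Network connection", the sentence ending "To learn more about Azure AD and hybrid Azure AD joined devices, [Plan your Azure Active Directory device deployment]" is missing "see" before the link. The "Dev box pool" and "Dev box" headings also lack the blank line that follows every other heading in this file.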
dev-box How To Configure Azure Compute Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/how-to-configure-azure-compute-gallery.md
+
+ Title: Configure an Azure Compute Gallery
+
+description: 'Learn how to create a repository for managing and sharing Dev Box images.'
++++ Last updated : 07/28/2022+++
+# Configure an Azure Compute Gallery
+
+ An Azure Compute Gallery is a repository in Azure for managing and sharing images. It's stored in your Azure subscription and helps you build structure and organization around your image resources. You can use Azure Compute Gallery to provide custom images for your dev box users.
+
+Advantages of using a gallery include:
+- You maintain the images in a single location and use them across dev centers, projects, and pools.
+- Development teams can use the *latest* image version of an image definition to ensure they always receive the most recent image when creating dev boxes.
+- Development teams can use a specific image version to standardize on a supported image version until a newer version is validated.
++
+You can learn more about Azure Compute Galleries and how to create them here:
+- [Store and share images in an Azure Compute Gallery](../virtual-machines/shared-image-galleries.md)
+- [Create a gallery for storing and sharing resources](../virtual-machines/create-gallery.md#create-a-gallery-for-storing-and-sharing-resources)
+
+## Pre-requisites
+- A dev center. If don't have an available dev center, follow these steps: [Create a dev center](./quickstart-configure-dev-box-service.md#create-a-dev-center).
+- An Azure Compute Gallery. In order to use this gallery to configure Dev Box definitions, it must have at least [one image definition and one image version](../virtual-machines/image-version.md).
+ - The image definition must have [Trusted Launch enabled as the Security Type](../virtual-machines/trusted-launch.md). You configure the security type when creating the image definition.
+ - The image version must meet the [Windows 365 image requirements](/windows-365/enterprise/device-images#image-requirements).
+ - Generation 2
+ - Hyper-V v2
+ - Windows OS
+ - Generalized image
+
+ :::image type="content" source="media/how-to-configure-azure-compute-gallery/image-definition.png" alt-text="Screenshot showing the Windows 365 image requirement settings.":::
+
+> [!IMPORTANT]
+> If you have existing images that do not meet the Windows 365 image requirements, those images will not be listed for image creation.
+
+## Provide permissions for services to access the gallery
+When using an Azure Compute Gallery image to create a dev box definition, the Windows 365 service validates the image to ensure that it meets the requirements to be provisioned for a dev box. In addition, the Dev Box service replicates the image to the regions specified in the attached network connections so the images are present in the region required for dev box creation.
+
+To allow the services to perform these actions, you must provide permissions to your gallery as follows:
+
+### Add a user assigned identity to dev center
+1. Use these steps to [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. In the search box, type *Dev box* and select **Dev centers** from the list.
+1. Open your DevCenter and select **Identity** from the left menu.
+1. On the **User assigned** tab, select **+ Add**.
+1. In Add user assigned managed identity, select the user-assigned managed identity that you created in step 1 and then select **Add**.
+
+ :::image type="content" source="media/how-to-configure-azure-compute-gallery/assign-managed-id.png" alt-text="Screenshot showing the Add user assigned managed identity pane, with the managed ID highlighted.":::
+
+### How does the Dev Box service assign permissions?
+The Dev Box service behaves differently depending how you attach your gallery.
+- When you use the Azure portal to attach the gallery to your Dev center, the Dev Box service creates the necessary role assignments automatically when you attach the gallery.
+- When you use the CLI to attach the gallery to your Dev center, you must manually create the Windows 365 Service Principal and dev center Managed Identity role assignments before attempting to attach the gallery.
+
+Follow these steps to manually assign each role:
+
+#### Windows 365 Service Principal
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box, type *Azure Compute Gallery* and select the gallery you want to attach to the dev center.
+
+1. Select the **Access Control (IAM)** menu item.
+
+1. Select **+ Add** > **Add role assignment**.
+
+1. On the Role tab, select **Reader**, and then select **Next**.
+
+1. On the Members tab, select **+ Select Members**.
+
+1. In Select members, search for and select **Cloud PC**, and then select **Select**.
+
+1. On the Members tab, select **Next**.
+
+1. On the Review + assign tab, select **Review + assign**.
+
+#### Dev center Managed Identity
+1. Open the gallery you want to attach to the dev center from the [Azure portal](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2Fgalleries). You can also search for Azure Compute Galleries to find your gallery.
+
+1. Select **Access Control (IAM)** from the left menu.
+
+1. Select **+ Add** > **Add role assignment**.
+
+1. On the Role tab, select the **Owner** role, and then select **Next**.
+
+1. On the Members tab, under **Assign access to**, select **Managed Identity**, and then select **+ Select Members**.
+
+1. In Select managed identities, search for and select the user assigned managed identity you created in "Create a Dev center Managed Identity" and then select
+**Select**.
+
+1. On the Members tab, select **Next**.
+
+1. On the Review + assign tab, select **Review + assign**.
+
+You can use the same managed identity in multiple DevCenters and Azure Compute Galleries. Any DevCenter with the managed identity added will have the necessary permissions to the images in the Azure Compute Gallery you've added the owner role assignment to.
+
+## Attach a gallery to a dev center
+In order to use the images from a gallery in dev box definitions, you must first associate it with the dev center.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. In the search box, type *Dev box* and select **Dev centers** from the list.
+
+3. Select the dev center you want to attach the gallery to.
+
+
+4. From the left menu, select **Azure compute galleries** to list the galleries attached to this dev center.
+
+
+5. Select **+ Add** to select a gallery to attach.
+
+6. In Add Azure compute gallery, select your gallery. If you have access to more than one gallery with the same name, the subscription name is shown in parentheses.
+
+
+7. If there's a name conflict in the dev center, then you must provide a unique name to use for this gallery.
+
+8. Select **Add**.
+
+
+After successful addition, the images in the gallery will be available to select from when creating and updating dev box definitions.
+
+## Remove a gallery from a dev center
+You can detach galleries from dev centers so that their images can no longer be used to create dev box definitions in the dev center. Galleries that are being actively used in dev box definitions cannot be removed from the dev center. The associated dev box definition must be deleted or updated to use an image from a different gallery before you can remove the gallery.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. In the search box, type *Dev box* and select **Dev centers** from the list.
+
+3. Select the dev center you want to remove the gallery from.
+
+4. From the left menu, select **Azure compute galleries** to list the galleries attached to this dev center.
+
+5. Select the gallery you want to remove, and then select **Remove**.
+
+ :::image type="content" source="media/how-to-configure-azure-compute-gallery/remove-gallery-from-devcenter.png" alt-text="Screenshot showing the Azure compute galleries page with a gallery selected and the Remove button highlighted.":::
+
+6. Select **Continue** from the confirmation dialog.
+
+The gallery will be detached from the dev center. The gallery and its images won't be deleted, and you can reattach it if necessary.
+
+## Next steps
+Learn more about Microsoft Dev Box:
+- [Microsoft Dev Box key concepts](./concept-dev-box-concepts.md)
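Review bot: In "Dev center Managed Identity", step 4 grants the user-assigned managed identity the **Owner** role on the gallery, and the closing paragraph says the same identity can be added to multiple DevCenters, so every dev center carrying it holds Owner on that gallery. The article should state why Owner is needed here (the Windows 365 service principal gets only Reader), or name a narrower role if one works. Step 6 of the same procedure refers to "Create a Dev center Managed Identity", but no section with that title exists in this file; the identity is created under "Add a user assigned identity to dev center". Under Pre-requisites, "If don't have an available dev center" is missing "you".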
dev-box How To Dev Box User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/how-to-dev-box-user.md
+
+ Title: Provide access to dev box users
+
+description: Learn how to provide access to projects for dev box users so that they can create and manage dev boxes.
++++ Last updated : 04/15/2022+++
+# Provide access to projects for dev box users
+
+Team members must have access to a specific Dev Box project before they can create dev boxes. By using the built-in DevCenter Dev Box User role, you can assign permissions to Active Directory Users or Groups at the project level.
+
+A DevCenter Dev Box User can:
+
+- View pools within a project.
+- Create dev boxes.
+- Connect to a dev box.
+- Manage dev boxes that they created.
+- Delete dev boxes that they created.
+
+## Assign permissions to dev box users
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box, type *Dev box* and select **Projects**.
+
+1. Select the project you want to provide your team members access to.
+
+ :::image type="content" source="./media/how-to-dev-box-user/projects-grid.png" alt-text="Screenshot showing the list of existing projects.":::
+
+1. Select **Access Control (IAM)** from the left menu.
+
+ :::image type="content" source="./media/how-to-dev-box-user/access-control-tab.png " alt-text="Screenshot showing the Project Access control page with the Access Control link highlighted.":::
+
+1. Select **Add** > **Add role assignment**.
+
+ :::image type="content" source="./media/how-to-dev-box-user/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::
+
+1. On the Add role assignment page, on the Role tab, search for *devcenter dev box user*, select the **DevCenter Dev Box User** built-in role, and then select **Next**.
+
+ :::image type="content" source="./media/how-to-dev-box-user/dev-box-user-role.png" alt-text="Screenshot showing the search box.":::
+
+1. On the Members tab, select **+ Select Members**.
+
+ :::image type="content" source="./media/how-to-dev-box-user/dev-box-user-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::
+
+1. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.
+
+ :::image type="content" source="./media/how-to-dev-box-user/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::
+
+1. On the Members tab, select **Review + assign**.
+
+The user will now be able to view the project and all the pools within it. Dev box users can create dev boxes from any of the pools and manage those dev boxes from the [developer portal](https://aka.ms/devbox-portal).
+
+## Next steps
+
+- [Quickstart: Create a dev box by using the developer portal](quickstart-create-dev-box.md)
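Review bot: The `source` path of the image after the "Select **Access Control (IAM)**" step has a trailing space inside the quotes (`access-control-tab.png `), which none of the other image references have; remove it so the path matches the file name. The alt text "Screenshot showing the search box." on the role-selection image does not say which page or role is shown, unlike the other alt texts in this file, which name the pane and the highlighted element.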
dev-box How To Project Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/how-to-project-admin.md
+
+ Title: Manage Dev Box projects
+
+description: Learn how to manage multiple projects by delegating permissions to project admins.
++++ Last updated : 07/29/2022+++
+# Provide access to projects for project admins
+
+You can create multiple projects in the dev center to align with each team's specific requirements. By using the built-in DevCenter Project Admin role, you can delegate project administration to a member of a team. Project Admins can use the network connections and dev box definitions configured at the dev center level to create and manage dev box pools within their project.
+
+A Dev Center Project Admin can manage a project by:
+
+- Viewing the network connections attached to the dev center.
+- Viewing the dev box definitions attached to the dev center.
+- Creating, viewing, updating, deleting dev box pools in the project.
+
+## Assign permissions to project admins
+
+Follow the instructions below to add role assignments for this role.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box, type *Dev box* and select **Projects**.
+
+1. Select the project you want to provide your team members access to.
+
+ :::image type="content" source="./media/how-to-project-admin/projects-grid.png" alt-text="Screenshot showing the list of existing projects.":::
+
+1. Select **Access Control (IAM)** from the left menu.
+
+ :::image type="content" source="./media/how-to-project-admin/access-control-tab.png" alt-text="Screenshot showing the Project Access control page with the Access Control link highlighted.":::
+
+1. Select **Add** > **Add role assignment**.
+
+ :::image type="content" source="./media/how-to-project-admin/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::
+
+1. On the Add role assignment page, on the Role tab, search for *devcenter project admin*, select the **DevCenter Project Admin** built-in role, and then select **Next**.
+
+ :::image type="content" source="./media/how-to-project-admin/project-admin-role.png" alt-text="Screenshot showing the search box highlighted.":::
+
+1. On the Members tab, select **+ Select Members**.
+
+ :::image type="content" source="./media/how-to-project-admin/project-admin-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::
+
+1. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.
+
+ :::image type="content" source="./media/how-to-project-admin/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::
+
+1. On the Members tab, select **Review + assign**.
+
+The user will now be able to manage the project and create dev box pools within it.
+
+## Next steps
+
+- [Quickstart: Configure the Microsoft Dev Box service](quickstart-configure-dev-box-service.md)
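Review bot: The role is called "DevCenter Project Admin" in the intro and in the role-assignment step, but the list lead-in reads "A Dev Center Project Admin can manage a project by:"; use the built-in role name consistently so readers can search for it in the portal. In the same list, "Creating, viewing, updating, deleting dev box pools" needs "and" before "deleting". The metadata Title "Manage Dev Box projects" also differs from the H1 "Provide access to projects for project admins".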
dev-box Overview What Is Microsoft Dev Box https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/overview-what-is-microsoft-dev-box.md
+
+ Title: What is Microsoft Dev Box?
+description: Microsoft Dev Box gives you self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations.
+++++ Last updated : 03/21/2022
+adobe-target: true
++
+# What is Microsoft Dev Box Preview?
+
+Microsoft Dev Box gives you self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations called dev boxes. You can set up dev boxes with the tools, source code, and pre-built binaries specific to your project, so you can immediately start work. Whether youΓÇÖre a developer, tester, or QA professional, you can use dev boxes in your day-to-day workflows.
+
+The Dev Box service was designed with three distinct personas in mind: dev infra admins, project admins, and dev box users.
+
+Dev infra admins are responsible for providing developer infrastructure and tools to the dev teams. Dev infra admins create and manage dev centers, which represent the units of organization within an enterprise. Any user with sufficient permissions on the subscription or resource group can create a dev center. Dev infra admins create projects and define the images that are used to create dev boxes. Dev box image definitions can use any developer IDE, SDK, or internal tool that runs on Windows.
+
+Project admins are experienced developers with in depth knowledge of their projects who can assist with day-to-day administrative tasks. Project admins create and manage dev box pools, enabling developers in different regions to self-serve dev boxes.
+
+Dev box users are members of a development team. They can self-serve one or more dev boxes on demand from a set of dev box pools that have been enabled for the project. Dev box users can work on multiple projects or tasks by creating multiple dev boxes.
+
+Microsoft Dev Box bridges the gap between development teams and IT, bringing control of project resources closer to the development team.
+
+## Key capabilities
+### For development teams
+- **Get started quickly**
+ - Create multiple dev boxes from a predefined pool whenever you need them and delete them when you're done.
+ - Use separate dev boxes for separate projects or tasks.
+- **Use multiple dev boxes to isolate and parallelize work**
+ - Tasks that take considerable time, like a full rebuild before submitting a PR can run in the background while you use a different dev box to start the next task.
+ - Safely test changes in your code, or make significant edits without affecting your primary workspace.
+- **Access from anywhere**
+ - Dev boxes can be accessed from any device and from any OS. Use a web browser while on the road or remote desktop from your Windows, Mac, or Linux desktop.
+
+### For dev managers
+- **Use dev box pools to separate workloads**
+ - Create dev box pools, add appropriate dev box definitions, and assign access for only dev box users working on those specific projects.
+ - Each pool brings together a SKU, an image, and a network configuration that automatically joins the dev box to your native Azure Active Directory (Azure AD) or Active Directory domain. This combination gives teams flexibility to define specific development environments for any scenario.
+- **Control costs**
+ - Dev Box brings cost control within the reach of project admins.
+- **Team scenarios**
+ - Create dev boxes for various roles on a team. Standard dev boxes might be configured with admin rights, giving full-time developers greater control, while more restricted permissions are applied for contractors.
+
+### For dev infrastructure admins
+- **Configure dev centers**
+ - Create dev centers and define the SKUs and images that the development teams use to self-serve dev boxes.
+- **Configure the network connection**
+ - Define the network configuration that the development teams consume. The network connection defines the region where the dev box is created.
+- **Manage projects**
+ - Grant access to the development team so that they can self-serve dev boxes.
+
+### For IT admins
+- **Manage Dev Boxes like any other device**
+ - Dev boxes are automatically enrolled in Intune. Use Microsoft Endpoint Manager Portal to manage the dev boxes just like any other device on your network.
+ - Keep all Windows devices up to date by using IntuneΓÇÖs expedited quality updates to deploy zero-day patches across your organization.
+ - If a dev box is compromised, you can isolate it while helping the dev box user get back up and running on a new dev box.
+- **Provide secure access in a secure environment**
+ - Access controls in Azure AD enable you to organize access by project or user type. You can automatically:
+ - Join dev boxes natively to an Azure AD or Active Directory domain.
+ - Set conditional access policies that require users to connect via a compliant device.
+ - Require multi-factor authentication (MFA) sign-in.
+ - Configure risk-based sign-in policies for Dev Boxes that access sensitive source code and customer data.
++
+## Next steps
+
+Start using Microsoft Dev Box:
+- [Quickstart: Configure the Microsoft Dev Box service](./quickstart-configure-dev-box-service.md)
+- [Quickstart: Configure a Microsoft Dev Box Project](./quickstart-configure-dev-box-project.md)
+- [Quickstart: Create a Dev Box](./quickstart-create-dev-box.md)
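Review bot: The intro says the service was designed for three personas (dev infra admins, project admins, dev box users), but "Key capabilities" is split into four audiences (development teams, dev managers, dev infrastructure admins, IT admins), and "dev managers" and "IT admins" are never defined; align the section headings with the personas or introduce the extra ones in the intro. The metadata Title "What is Microsoft Dev Box?" and the H1 "What is Microsoft Dev Box Preview?" disagree. The apostrophes in "youΓÇÖre" and "IntuneΓÇÖs" are mis-encoded as shown here, so check the file encoding, and "in depth knowledge" should be hyphenated.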
dev-box Quickstart Configure Dev Box Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-configure-dev-box-project.md
+
+ Title: Configure a Microsoft Dev Box project
+description: 'This quickstart shows you how to configure a Microsoft Dev Box project, create a dev box pool and provide access to dev boxes for your users.'
+++++ Last updated : 07/03/2022+
+<!--
+ Customer intent:
+ As a Dev Box Project Admin I want to configure projects so that I can provide Dev Boxes for my users.
+ -->
+
+# Quickstart: Configure a Microsoft Dev Box project
+To enable developers to self-serve dev boxes in projects, you must configure dev box pools that specify the dev box definitions and network connections used when dev boxes are created. Dev box users create dev boxes using the dev box pool.
+
+In this quickstart, you'll perform the following tasks:
+
+* [Create a dev box pool](#create-a-dev-box-pool)
+* [Provide access to a dev box project](#provide-access-to-a-dev-box-project)
+
+## Create a dev box pool
+A dev box pool is a collection of dev boxes that you manage together. You must have a pool before users can create a dev box, and all dev boxes created in the pool will be in the same region.
+
+The following steps show you how to create a dev box pool associated with a project. You'll use an existing dev box definition and network connection in the dev center to configure a dev box pool.
+
+If you don't have an available dev center with an existing dev box definition and network connection, follow the steps in [Quickstart: Configure the Microsoft Dev Box service](quickstart-configure-dev-box-service.md) to create them.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. In the search box, type *Projects* and then select **Projects** from the list.
+
+ <!-- :::image type="content" source="./media/quickstart-configure-dev-box-projects/discovery-via-azure-portal.png" alt-text="Screenshot showing the Azure portal with the search box highlighted."::: -->
+
+3. Open the project in which you want to create the dev box pool.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::
+
+4. Select **Dev box pools** and then select **+ Add**.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-pool-grid-empty.png" alt-text="Screenshot of the list of dev box pools within a project. The list is empty.":::
+
+5. On the **Create a dev box pool** page, enter the following values:
+
+ |Name|Value|
+ |-|-|
+ |**Name**|Enter a name for the pool. The pool name is visible to developers to select when they're creating dev boxes, and must be unique within a project.|
+ |**Dev box definition**|Select an existing dev box definition. The definition determines the base image and size for the dev boxes created within this pool.|
+ |**Network connection**|Select an existing network connection. The network connection determines the region of the dev boxes created within this pool.|
+ |**Dev Box Creator Privileges**|Select Local Administrator or Standard User.|
+ |**Licensing**| Select this check box if your organization has Azure Hybrid Benefit licenses that you want to apply to the dev boxes in this pool. |
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-pool-create.png" alt-text="Screenshot of the Create dev box pool dialog.":::
+
+6. Select **Add**.
+
+7. Verify that the new dev box pool appears in the list. You may need to refresh the screen.
+
+The dev box pool will be deployed and health checks will be run to ensure the image and network pass the validation criteria to be used for dev boxes. The screenshot below shows four dev box pools, each with a different status.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-pool-grid-populated.png" alt-text="Screenshot showing a list of existing pools.":::
+
+## Provide access to a dev box project
+Before users can create dev boxes based on the dev box pools in a project, you must provide access for them through a role assignment. The Dev Box User role enables dev box users to create, manage and delete their own dev boxes. You must have sufficient permissions to a project before you can add users to it.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box, type *Projects* and then select **Projects** from the list.
+
+1. Select the project you want to provide your team members access to.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::
+
+1. Select **Access Control (IAM)** from the left menu.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/access-control-tab.png" alt-text="Screenshot showing the Project Access control page with the Access Control link highlighted.":::
+
+1. Select **Add** > **Add role assignment**.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::
+
+1. On the Add role assignment page, search for *devcenter dev box user*, select the **DevCenter Dev Box User** built-in role, and then select **Next**.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-user-role.png" alt-text="Screenshot showing the Add role assignment search box highlighted.":::
+
+1. On the Members page, select **+ Select Members**.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-user-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::
+
+1. On the **Select members** pane, select the Active Directory Users or Groups you want to add, and then select **Select**.
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-projects/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::
+
+1. On the Add role assignment page, select **Review + assign**.
+
+The user will now be able to view the project and all the pools within it. They can create dev boxes from any of the pools and manage those dev boxes from the [developer portal](https://aka.ms/devbox-portal).
+
+## Project admins
+
+The Microsoft Dev Box service makes it possible for you to delegate administration of projects to a member of the project team. Project administrators can assist with the day-to-day management of projects for their team, like creating and managing dev box pools. To provide users permissions to manage projects, add them to the DevCenter Project Admin role. The tasks in this quickstart can be performed by project admins. To learn how to add a user to the Project Admin role, see [Provide access to projects for project admins](how-to-project-admin.md).
+
+## Next steps
+
+In this quickstart, you created a dev box pool within an existing project and assigned a user permission to create dev boxes based on the new pool.
+
+To learn about how to create to your dev box and connect to it, advance to the next quickstart:
+
+> [!div class="nextstepaction"]
+> [Create a dev box](./quickstart-create-dev-box.md)
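Review bot: In the "Create a dev box pool" table, the **Dev Box Creator Privileges** row only says "Select Local Administrator or Standard User." with no explanation of what each option grants on the dev box or when to choose one; since this setting decides the privilege level of the dev box creator, add a sentence of guidance. The access section calls the role "Dev Box User" in its intro but "DevCenter Dev Box User" in the role-assignment step; use the built-in name in both places. The text after step 7 says the screenshot shows four pools "each with a different status" without listing the statuses or what they mean. In Next steps, "how to create to your dev box" has a stray "to".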
dev-box Quickstart Configure Dev Box Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-configure-dev-box-service.md
+
+ Title: Configure the Microsoft Dev Box service
+description: 'This quickstart shows you how to configure the Microsoft Dev Box service to provide dev boxes for your users. You will create a dev center, add a network connection, and then create a dev box definition, and a project.'
+++++ Last updated : 07/22/2022++
+<!--
+ Customer intent:
+ As an enterprise admin I want to understand how to create and configure dev box components so that I can provide dev box projects my users.
+ -->
+
+# Quickstart: Configure the Microsoft Dev Box service
+
+This quickstart describes how to configure the Microsoft Dev Box service by using the Azure portal to enable development teams to self-serve dev boxes.
+
+In this quickstart, you'll perform the following tasks:
+
+* [Create a dev center](#create-a-dev-center)
+* [Create a network connection](#create-a-network-connection)
+* [Attach a network connection to a dev center](#attach-network-connection-to-dev-center)
+* [Create a dev box definition](#create-a-dev-box-definition)
+* [Create a project](#create-a-project)
++
+## Prerequisites
+
+To complete this quick start, make sure that you have:
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+- Owner or Contributor permissions on an Azure Subscription or a specific resource group.
+- Network Contributor permissions on an existing virtual network (owner or contributor) or permission to create a new virtual network and subnet.
+
+## Create a dev center
+
+The following steps show you how to create and configure a dev center.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box, type *Dev centers* and then select **Dev centers** from the list.
+
+ <!-- :::image type="content" source="./media/quickstart-configure-dev-box-service/discovery-via-azure-portal.png" alt-text="Screenshot showing the Azure portal with the search box highlighted."::: -->
+
+1. On the dev centers page, select **+Create**.
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-dev-center.png" alt-text="Screenshot showing the Azure portal Dev center with create highlighted.":::
+
+1. On the **Create a dev center** page, on the **Basics** tab, enter the following values:
+
+ |Name|Value|
+ |-|-|
+ |**Subscription**|Select the subscription in which you want to create the dev center.|
+ |**Resource group**|Select an existing resource group or select **Create new**, and enter a name for the resource group.|
+ |**Name**|Enter a name for your dev center.|
+ |**Location**|Select the location/region you want the dev center to be created in.|
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-devcenter-basics.png" alt-text="Screenshot showing the Create dev center Basics tab.":::
+
+ The currently supported Azure locations with capacity are listed here: [Microsoft Dev Box](https://aka.ms/devbox_acom).
+
+1. [Optional] On the **Tags** tab, enter a name and value pair that you want to assign.
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-devcenter-tags.png" alt-text="Screenshot showing the Create dev center Tags tab.":::
+
+1. Select **Review + Create**.
+
+1. On the **Review** tab, select **Create**.
+
+1. You can check on the progress of the dev center creation from any page in the Azure portal by opening the notifications pane.
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/azure-notifications.png" alt-text="Screenshot showing Azure portal notifications pane.":::
+
+1. When the deployment is complete, select **Go to resource**. You'll see the dev center page.
++
+## Create a network connection
+Network connections determine the region into which dev boxes are deployed and allow them to be connected to your existing virtual networks. The following steps show you how to create and configure a network connection in Microsoft Dev Box.
+
+To perform the steps in this section, you must have an existing virtual network (vnet) and subnet. If you don't have a vnet and subnet available, follow the instructions here: [Quickstart: Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md) to create them.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box, type *Network connections* and then select **Network connections** from the list.
+
+1. On the **Network Connections** page, select **+Create**.
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/network-connections-empty.png" alt-text="Screenshot showing the Network Connections page with Create highlighted.":::
+
+1. Follow the steps on the appropriate tab to create your network connection.
+ #### [Azure AD join](#tab/AzureADJoin/)
+
+ On the **Create a network connection** page, on the **Basics** tab, enter the following values:
+
+ |Name|Value|
+ |-|-|
+ |**Domain join type**|Select **Azure active directory join**.|
+ |**Subscription**|Select the subscription in which you want to create the network connection.|
+ |**Resource group**|Select an existing resource group or select **Create new**, and enter a name for the resource group.|
+ |**Name**|Enter a descriptive name for your network connection.|
+ |**Virtual network**|Select the virtual network you want the network connection to use.|
+ |**Subnet**|Select the subnet you want the network connection to use.|
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-native-network-connection-full-blank.png" alt-text="Screenshot showing the create network connection basics tab with Azure Active Directory join highlighted.":::
+
+ #### [Hybrid Azure AD join](#tab/HybridAzureADJoin/)
+
+ On the **Create a network connection** page, on the **Basics** tab, enter the following values:
+
+ |Name|Value|
+ |-|-|
+ |**Domain join type**|Select **Hybrid Azure active directory join**.|
+ |**Subscription**|Select the subscription in which you want to create the network connection.|
+ |**Resource group**|Select an existing resource group or select **Create new**, and enter a name for the resource group.|
+ |**Name**|Enter a descriptive name for your network connection.|
+ |**Virtual network**|Select the virtual network you want the network connection to use.|
+ |**Subnet**|Select the subnet you want the network connection to use.|
+ |**AD DNS domain name**| The DNS name of the Active Directory domain that you want to use for connecting and provisioning Cloud PCs. For example, corp.contoso.com. |
+ |**Organizational unit**| An organizational unit (OU) is a container within an Active Directory domain, which can hold users, groups, and computers. |
+ |**AD username UPN**| The username, in user principal name (UPN) format, that you want to use for connecting the Cloud PCs to your Active Directory domain. For example, svcDomainJoin@corp.contoso.com. This service account must have permission to join computers to the domain and, if set, the target OU. |
+ |**AD domain password**| The password for the user specified above. |
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-hybrid-network-connection-full-blank.png" alt-text="Screenshot showing the create network connection basics tab with Hybrid Azure Active Directory join highlighted.":::
+
+
+
+5. Select **Review + Create**.
+
+1. On the **Review** tab, select **Create**.
+
+1. When the deployment is complete, select **Go to resource**. You'll see the Network Connection overview page.
+
+## Attach network connection to dev center
+You need to attach a network connection to a dev center before it can be used in projects to create dev box pools.
+
+1. In the [Azure portal](https://portal.azure.com), in the search box, type *Dev centers* and then select **Dev centers** from the list.
+
+1. Select the dev center you created and select **Networking**.
+
+1. Select **+ Add**.
+
+1. In the **Add network connection** pane, select the network connection you created earlier, and then select **Add**.
+
+After creation, several health checks are run on the network. You can view the status of the checks on the resource overview page. Network connections that pass all the health checks can be added to a dev center and used in the creation of dev box pools. The dev boxes within the dev box pools will be created and domain joined in the location of the vnet assigned to the network connection.
++
+To resolve any errors, refer to the [Troubleshoot Azure network connections](/windows-365/enterprise/troubleshoot-azure-network-connection).
+
+## Create a dev box definition
+The following steps show you how to create and configure a dev box definition. You can use dev box definitions across multiple projects in the same dev center. Dev box definitions define the image and SKU (compute + storage) that will be used in creation of the dev boxes.
+
+1. Open the dev center in which you want to create the dev box definition.
+
+1. Select **Dev box definitions**.
+
+1. On the **Dev box definitions** page, select **+Create**.
+
+1. On the **Create dev box definition** page, enter the following values:
+
+ Enter the following values:
+
+ |Name|Value|Note|
+ |-|-|-|
+ |**Name**|Enter a descriptive name for your dev box definition.|
+ |**Image**|Select the base operating system for the dev box. You can select an image from the marketplace or from an Azure Compute Gallery.|To use custom images while creating a dev box definition, you can attach an Azure Compute Gallery that has the custom images. Learn [How to configure an Azure Compute Gallery](./how-to-configure-azure-compute-gallery.md).|
+ |**Image version**|Select a specific, numbered version to ensure all the dev boxes in the pool always use the same version of the image. Select **Latest** to ensure new dev boxes use the latest image available.|Selecting the Latest image version enables the dev box pool to use the most recent image version for your chosen image from the gallery. This way, the dev boxes created will stay up to date with the latest tools and code on your image. Existing dev boxes will not be modified when an image version is updated.|
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/dev-box-definition-create.png" alt-text="Screenshot showing the create dev box definition page with suggested images highlighted.":::
+
+ While selecting the gallery image, consider using either of the two images:
+ - Windows 11 Enterprise + Microsoft 365 Apps 21H2
+ - Windows 10 Enterprise + Microsoft 365 Apps 21H2
+
+ These images are preconfigured with productivity tools like Microsoft Teams and configured for optimal performance.
+
+1. Select **Create**.
+
+## Create a project
+
+The following steps show you how to create and configure a project in dev box.
+
+1. In the [Azure portal](https://portal.azure.com), in the search box, type *Projects* and then select **Projects** from the list.
+
+1. On the Projects page, select **+Create**.
+
+1. On the **Create a project** page, on the **Basics** tab, enter the following values:
+
+ |Name|Value|
+ |-|-|
+ |**Subscription**|Select the subscription in which you want to create the project.|
+ |**Resource group**|Select an existing resource group or select **Create new**, and enter a name for the resource group.|
+ |**Dev center**|Select the dev center to which you want to associate this project. All the dev center level settings will be applied to the project.|
+ |**Name**|Enter a name for your project. |
+ |**Description**|Enter a brief description of the project. |
+
+ :::image type="content" source="./media/quickstart-configure-dev-box-service/dev-box-project-create.png" alt-text="Screenshot of the Create a dev box project basics tab.":::
+
+1. [Optional] On the **Tags** tab, enter a name and value pair that you want to assign.
+
+1. Select **Review + Create**.
+
+1. On the **Review** tab, select **Create**.
+
+1. Confirm that the project is created successfully by checking the notifications. Select **Go to resource**.
+
+1. Verify that you see the **Project** page.
+
+## Next steps
+
+In this quickstart, you created a dev box project and the resources necessary to support it. You created a dev center, added a network connection, created a dev box definition, and a project.
+
+To learn about how to manage dev box projects, advance to the next quickstart:
+
+> [!div class="nextstepaction"]
+> [Configure a dev box project](./quickstart-configure-dev-box-project.md)
+
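Review bot: In the Hybrid Azure AD join table, the **AD username UPN** and **AD domain password** rows ask for a domain-join service account but say only that it "must have permission to join computers to the domain and, if set, the target OU". Suggest stating that this should be a dedicated account delegated only that right on the target OU, since its password is entered into the network connection. In the same file, under "Create a dev box definition", "Enter the following values:" appears twice in a row, the **Name** row has two cells in a three-column table, and the step after the tabbed section is numbered `5.` while every other step uses `1.`.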
dev-box Quickstart Create Dev Box https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-create-dev-box.md
+
+ Title: Create a Microsoft Dev Box
+description: This quickstart shows you how to create a Microsoft Dev Box and connect to it through a browser.
+++++ Last updated : 07/29/2022+
+<!--
+ Customer intent:
+ As a Dev Box User I want to understand how to create and access a dev box so that I can start work.
+ -->
+
+# Quickstart: Create a dev box by using the developer portal
+
+Get started with Microsoft Dev Box by creating a dev box through the developer portal. After creating the dev box, you connect to it with a remote desktop (RD) session through a browser, or through a remote desktop app.
+
+You can create and manage multiple dev boxes as a dev box user. Create a dev box for each task that you're working on, and create multiple dev boxes within a single project to help streamline your workflow.
+
+In this quickstart, you will:
+
+* [Create a dev box](#create-a-dev-box)
+* [Connect to a dev box](#connect-to-a-dev-box)
+
+## Prerequisites
+
+- Permissions as a [Dev Box User](./quickstart-configure-dev-box-project.md#provide-access-to-a-dev-box-project) for a project that has an available dev box pool. If you don't have permissions to a project, contact your administrator.
+
+## Create a dev box
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+2. Select **+ Add dev box**.
+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-welcome.png" alt-text="Screenshot of the developer portal showing the Add dev box button.":::
+
+3. In **Add a dev box**, enter the following values:
+
+ |Name|Value|
+ |-|-|
+ |**Name**|A name for your dev box. Dev box names must be unique within a project.|
+ |**Project**|Select a project from the dropdown list. |
+ |**Dev box pool**|Select a pool from the dropdown list. The dev box pool dropdown lists all the dev box pools for the selected project. |
+
+ :::image type="content" source="./media/quickstart-create-dev-box/add-dev-box.png" alt-text="Screenshot of the Add a dev box dialog box.":::
+
+4. Select **Add** to begin creating your dev box.
+
+5. You can track the progress of creation in the developer portal home page.
+
+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-creating.png" alt-text="Screenshot of the developer portal showing the dev box card with the status Creating.":::
+
+## Connect to a dev box
+Once you've provisioned your dev box, you can access it in multiple ways.
+
+### Browser
+
+For quick access in a browser tab, the developer portal links directly to a browser session through which you can connect to and use your dev box.
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. To connect to a dev box, select **Open in browser**.
+
+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-card-rdp.png" alt-text="Screenshot of dev box card showing the Open in browser option.":::
+
+A new tab will open with an RD session to your dev box.
+
+## Clean up resources
+
+When no longer needed, you can delete your dev box.
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. For the dev box you want to delete, from the setting menu, select **Delete**.
+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-delete-dev-box.png" alt-text="Screenshot of the dev box Settings menu with the Delete option highlighted.":::
+
+1. To confirm the deletion, select **Delete**.
+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-delete-dev-box-confirm.png" alt-text="Screenshot of the Delete dev box confirmation message with the Delete button highlighted.":::
+
+## Next steps
+
+In this quickstart, you created a dev box through the developer portal. To learn how to connect to a dev box using a remote desktop app, see [Tutorial: Use the Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).
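Review bot: Under "Connect to a dev box" the text says the dev box can be accessed "in multiple ways", but the section contains only the **Browser** subsection; either point to the Remote Desktop tutorial from that section or reword the sentence to match. In "Clean up resources", "from the setting menu" should read "from the Settings menu" to match the screenshot alt text, and a blank line between "When no longer needed, you can delete your dev box." and the numbered list would match the rest of the file.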
dev-box Tutorial Connect To Dev Box With Remote Desktop App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/tutorial-connect-to-dev-box-with-remote-desktop-app.md
+
+ Title: 'Tutorial: Use the Remote Desktop client to connect to a dev box'
+description: In this tutorial, you learn how to download a Remote Desktop client and connect to a dev box.
+++++ Last updated : 07/28/2022+++
+# Tutorial: Use the Remote Desktop client to connect to a dev box
+
+In this tutorial, you'll learn how to download a remote desktop app from the [developer portal](https://aka.ms/devbox-portal) and connect to a dev box by using the remote desktop client.
+
+Remote desktop apps let you use and control a dev box from almost any device. For your desktop or laptop, you can choose to download the Remote Desktop client for Windows Desktop or the Microsoft Remote Desktop for Mac. You can also download a Remote Desktop app for your mobile device: Microsoft Remote Desktop for iOS or Microsoft Remote Desktop for Android.
+
+You can view the dev boxes you're connected to in your Remote Desktop client's [Workspaces](/windows-server/remote/remote-desktop-services/clients/windowsdesktop#workspaces).
+
+In this tutorial, you'll learn how to:
+
+> [!div class="checklist"]
+> * Download the Remote Desktop client (Windows and non-Windows).
+> * Use the Remote Desktop client to connect to a dev box.
+
+## Prerequisites
+
+- [Add a dev box](./quickstart-create-dev-box.md#create-a-dev-box) on the [developer portal](https://aka.ms/devbox-portal).
+
+## Download the Remote Desktop client (Windows)
+
+To download and set up the Remote Desktop app for Windows, follow these steps:
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. Select **Open in RDP client** for the dev box you want to connect.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the Your dev box card showing the Open in RDP client option.":::
+
+1. Choose **Download Windows Desktop** to download the Remote Desktop client.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-windows-desktop.png" alt-text="Screenshot of the download windows desktop option on the connect dialog.":::
+
+1. Once install of the Windows Desktop client completes, return to the dev portal and [connect to your dev box](#connect-to-your-dev-box)
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/install-complete-return-prompt.png" alt-text="Screenshot of the return prompt after download and install of the RDP client is completed.":::
+
+## Connect to your dev box
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. Select **Open in RDP client** for the dev box you want to connect.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the Open in RDP client option.":::
+
+1. Choose **Open Windows Desktop** to connect to your dev box in the Remote Desktop client.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/open-windows-desktop.png" alt-text="Screenshot of the Open Windows Desktop option on the Connect dialog.":::
+
+## Download the Remote Desktop client (non-Windows) and connect to your dev box
+
+To use a non-Windows Remote Desktop client to connect to your dev box, follow these steps:
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. Select **Configure Remote Desktop** from **Quick actions**.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/configure-remote-desktop-non-windows.png" alt-text="Screenshot of Configure Remote Desktop in Quick actions.":::
+
+1. Choose **Download** to download the Remote Desktop client.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-non-windows-rdp-client.png" alt-text="Screenshot of the non-Windows Remote Desktop client download option on the Configure Remote Desktop dialog.":::
+
+1. Copy the subscription feed URL from step(2) of the **Configure Remote Desktop** card. Once Remote Desktop client is installed, you'll connect to your dev box with this subscription feed URL.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/copy-subscription-url-non-windows.png" alt-text="Screenshot of the subscription feed URL copied from the Configure Remote Desktop card.":::
+
+1. Open the Remote Desktop client, select **Add Workspace** and paste the subscription feed URL.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-subscription-feed.png" alt-text="Screenshot of the non-Windows Remote Desktop client Add Workspace dialog.":::
+
+1. Your dev box will appear in the Remote Desktop client's Workspaces. Double-click to connect.
+
+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-connect-dev-box.png" alt-text="Screenshot of the non-Windows Remote Desktop client workspace with dev box.":::
+
+## Next steps
+To learn about managing Microsoft Dev Box, see:
+
+- [Provide access to project admins](./how-to-project-admin.md)
+- [Provide access to dev box users](./how-to-dev-box-user.md)
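Review bot: In the non-Windows procedure, "Copy the subscription feed URL from step(2) of the **Configure Remote Desktop** card" is hard to follow; write it as "step 2" and say what the card calls that step. In the Windows download steps, the sentence "Once install of the Windows Desktop client completes, return to the dev portal and [connect to your dev box](#connect-to-your-dev-box)" lacks a closing period and says "dev portal" where the rest of the file says "developer portal", and "the dev box you want to connect" should be "connect to" in both places it appears.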
digital-twins Concepts Data Explorer Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-data-explorer-plugin.md
The simplest way to ingest IoT data from Azure Digital Twins into Azure Data Exp
### Direct ingestion
-You can also opt to [ingest IoT data directly into your Azure Data Explorer cluster from IoT Hub](/azure/data-explorer/ingest-data-iot-hub), or from other sources. Then, the Azure Digital Twins graph will be used to contextualize the time series data using joint Azure Digital Twins/Azure Data Explorer queries. This option is a good choice for direct-ingestion workloads. For more information about this process, continue through the rest of this section.
+You can also opt to [ingest IoT data directly into your Azure Data Explorer cluster from IoT Hub](/azure/data-explorer/ingest-data-iot-hub), or from other sources. Then, the Azure Digital Twins graph will be used to contextualize the time series data using joint Azure Digital Twins/Azure Data Explorer queries. This option is a good choice for direct-ingestion workloadsΓÇöhowever, you won't be able to leverage Azure Digital Twins' event-based architecture to update other twins, trigger downstream services, or emit notifications when twins change state. For more information about this process, continue through the rest of this section.
#### Mapping data across Azure Data Explorer and Azure Digital Twins
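Review bot: The sentence added under "Direct ingestion" calls the option "a good choice for direct-ingestion workloads" and then lists what is lost in the same sentence; split it at "however" so the limitation (no event-based updates to other twins, no downstream triggers, no notifications when twins change state) stands as its own sentence. Consider "use" in place of "leverage".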
firewall Integrate With Nat Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/integrate-with-nat-gateway.md
# Scale SNAT ports with Azure Virtual Network NAT
-Azure Firewall provides 2496 SNAT ports per public IP address configured per backend virtual machine scale set instance (Minimum of 2 instances), and you can associate up to [250 public IP addresses](./deploy-multi-public-ip-powershell.md). Depending on your architecture and traffic patterns, you might need more than the 512,000 available SNAT ports with this configuration. For example, when you use it to protect large [Azure Virtual Desktop deployments](./protect-azure-virtual-desktop.md) that integrate with Microsoft 365 Apps.
+Azure Firewall provides 2,496 SNAT ports per public IP address configured per backend virtual machine scale set instance (Minimum of 2 instances), and you can associate up to [250 public IP addresses](./deploy-multi-public-ip-powershell.md). Depending on your architecture and traffic patterns, you might need more than the 512,000 available SNAT ports with this configuration. For example, when you use it to protect large [Azure Virtual Desktop deployments](./protect-azure-virtual-desktop.md) that integrate with Microsoft 365 Apps.
Another challenge with using a large number of public IP addresses is when there are downstream IP address filtering requirements. Azure Firewall randomly selects the source public IP address to use for a connection, so you need to allow all public IP addresses associated with it. Even if you use [Public IP address prefixes](../virtual-network/ip-services/public-ip-address-prefix.md) and you need to associate 250 public IP addresses to meet your outbound SNAT port requirements, you still need to create and allow 16 public IP address prefixes.
-A better option to scale outbound SNAT ports is to use an [Azure Virtual Network NAT](../virtual-network/nat-gateway/nat-overview.md) as a NAT gateway. It provides 64,000 SNAT ports per public IP address and supports up to 16 public IP addresses, effectively providing up to 1,024,000 outbound SNAT ports.
+A better option to scale outbound SNAT ports is to use an [Azure Virtual Network NAT](../virtual-network/nat-gateway/nat-overview.md) as a NAT gateway. It provides 64,512 SNAT ports per public IP address and supports up to 16 public IP addresses, effectively providing up to 1,032,192 outbound SNAT ports.
When a NAT gateway resource is associated with an Azure Firewall subnet, all outbound Internet traffic automatically uses the public IP address of the NAT gateway. ThereΓÇÖs no need to configure [User Defined Routes](../virtual-network/tutorial-create-route-table-portal.md). Response traffic uses the Azure Firewall public IP address to maintain flow symmetry. If there are multiple IP addresses associated with the NAT gateway, the IP address is randomly selected. It isn't possible to specify what address to use.
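Review bot: The "512,000 available SNAT ports" total left unchanged in the first paragraph does not follow from the 2,496 ports per public IP address stated just before it: 2,496 × 250 addresses is 624,000 per instance. Since the NAT gateway paragraph's totals were recalculated here (16 × 64,512 = 1,032,192 checks out), correct or explain the 512,000 figure in the same change.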
az network vnet subnet update --name AzureFirewallSubnet --vnet-name nat-vnet --
## Next steps -- [Design virtual networks with NAT gateway](../virtual-network/nat-gateway/nat-gateway-resource.md)
+- [Design virtual networks with NAT gateway](../virtual-network/nat-gateway/nat-gateway-resource.md)
governance Machine Configuration Policy Effects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/machine-configuration/machine-configuration-policy-effects.md
evaluation the machine is no longer in the desired state. The agent reports
the status as "NonCompliant" and doesn't automatically remediate. To enable this behavior, set the
-[assignmentType property](/rest/api/guestconfiguration/machine-configuration-assignments/get#assignmenttype)
+[assignmentType property](/rest/api/guestconfiguration/guest-configuration-assignments/get#assignmenttype)
of the machine configuration assignment to "ApplyandMonitor". Each time the assignment is processed within the machine, for each resource the [Test](/powershell/dsc/resources/get-test-set#test)
or if the method returns "false" the agent reports "NonCompliant".
Machine configuration supports the concept of "continuous remediation". If the machine drifts out of compliance for a configuration, the next time it's evaluated the configuration is corrected automatically. Unless an error occurs, the machine always reports status as "Compliant" for the configuration. There's no way to report when a drift was automatically corrected when using continuous remediation. To enable this behavior, set the
-[assignmentType property](/rest/api/guestconfiguration/machine-configuration-assignments/get#assignmenttype)
+[assignmentType property](/rest/api/guestconfiguration/guest-configuration-assignments/get#assignmenttype)
of the machine configuration assignment to "ApplyandAutoCorrect". Each time the assignment is processed within the machine, for each resource the [Test](/powershell/dsc/resources/get-test-set#test)
If enforcement is set to "Disabled", the configuration assignment
audits the state of the machine until the behavior is changed by a [remediation task](../policy/how-to/remediate-resources.md). By default, machine configuration definitions update the
-[assignmentType property](/rest/api/guestconfiguration/machine-configuration-assignments/get#assignmenttype) from "Audit" to "ApplyandMonitor" so the configuration
+[assignmentType property](/rest/api/guestconfiguration/guest-configuration-assignments/get#assignmenttype) from "Audit" to "ApplyandMonitor" so the configuration
is applied one time and then it won't apply again until a remediation is triggered.
experience by updating a guest assignment resource, even if the update
doesn't make changes to the resource properties. When a machine configuration assignment is created, the
-[complianceStatus property](/rest/api/guestconfiguration/machine-configuration-assignments/get#compliancestatus)
+[complianceStatus property](/rest/api/guestconfiguration/guest-configuration-assignments/get#compliancestatus)
is set to "Pending". The machine configuration service inside the machine (delivered to Azure virtual machines by the
hdinsight Apache Hadoop Use Hive Beeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-use-hive-beeline.md
This example is based on using the Beeline client from [an SSH connection](../hd
```bash beeline -u 'jdbc:hive2://headnodehost:10001/;transportMode=http' ```
+ > [!NOTE]
+ > Refer to "To HDInsight Enterprise Security Package (ESP) cluster using Kerberos" part in [Connect to HiveServer2 using Beeline or install Beeline locally to connect from your local](connect-install-beeline.md#to-hdinsight-enterprise-security-package-esp-cluster-using-kerberos) if you are using an Enterprise Security Package (ESP) enabled cluster
+ >
+ > Dropping an external table does **not** delete the data, only the table definition.
3. Beeline commands begin with a `!` character, for example `!help` displays help. However the `!` can be omitted for some commands. For example, `help` also works.
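Review bot: The added note puts two unrelated statements in one block after the connection command: the pointer for Enterprise Security Package (ESP) clusters and "Dropping an external table does **not** delete the data, only the table definition." Keep the ESP pointer here and place the external-table sentence with the text it applies to. The ESP sentence also lacks a closing period and would read better leading with the condition, as in "If you're using an ESP-enabled cluster, see ...".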
iot-develop Libraries Sdks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/libraries-sdks.md
The IoT Plug and Play libraries and SDKs enable developers to build IoT solution
| C - Device | [vcpkg 1.3.9](https://github.com/Azure/azure-iot-sdk-c/blob/master/doc/setting_up_vcpkg.md) | [GitHub](https://github.com/Azure/azure-iot-sdk-c) | [Samples](https://github.com/Azure/azure-iot-sdk-c/tree/master/iothub_client/samples/pnp) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/azure/iot-hub/iot-c-sdk-ref/) | | .NET - Device | [NuGet 1.31.0](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/) | [Samples](https://github.com/Azure-Samples/azure-iot-samples-csharp/tree/main/iot-hub/Samples/device/PnpDeviceSamples) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/dotnet/api/microsoft.azure.devices.client) | | Java - Device | [Maven 1.26.0](https://mvnrepository.com/artifact/com.microsoft.azure.sdk.iot/iot-device-client) | [GitHub](https://github.com/Azure/azure-iot-sdk-jav) | [Reference](/java/api/com.microsoft.azure.sdk.iot.device) |
-| Python - Device | [pip 2.3.0](https://pypi.org/project/azure-iot-device/) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/azure-iot-device/samples/pnp) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/python/api/azure-iot-device/azure.iot.device) |
+| Python - Device | [pip 2.3.0](https://pypi.org/project/azure-iot-device/) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples/pnp) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/python/api/azure-iot-device/azure.iot.device) |
| Node - Device | [npm 1.17.2](https://www.npmjs.com/package/azure-iot-device)  | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples/javascript/) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/javascript/api/azure-iot-device/) | | Embedded C - Device | N/A | [GitHub](https://github.com/Azure/azure-sdk-for-c/)| [Samples](tutorial-connect-device.md?pivots=programming-language-embedded-c#samples) | [How to use Embedded C](tutorial-connect-device.md?pivots=programming-language-embedded-c) | N/A
The IoT Plug and Play libraries and SDKs enable developers to build IoT solution
| .NET - IoT Hub service | [NuGet 1.27.1](https://www.nuget.org/packages/Microsoft.Azure.Devices ) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp) | [Samples](https://github.com/Azure-Samples/azure-iot-samples-csharp/tree/main/iot-hub/Samples/service/PnpServiceSamples) | N/A | [Reference](/dotnet/api/microsoft.azure.devices) | | Java - IoT Hub service | [Maven 1.26.0](https://mvnrepository.com/artifact/com.microsoft.azure.sdk.iot/iot-service-client/1.26.0) | [GitHub](https://github.com/Azure/azure-iot-sdk-java) | [Samples](https://github.com/Azure/azure-iot-sdk-java/tree/main/service/iot-service-samples/pnp-service-sample) | N/A | [Reference](/java/api/com.microsoft.azure.sdk.iot.service) | | Node - IoT Hub service | [npm 1.13.0](https://www.npmjs.com/package/azure-iothub) | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/service/samples) | N/A | [Reference](/javascript/api/azure-iothub/) |
-| Python - Digital Twins service | [pip 2.2.3](https://pypi.org/project/azure-iot-hub) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/azure-iot-hub/samples) | [Interact with IoT Hub Digital Twins API](tutorial-service.md) | N/A |
+| Python - Digital Twins service | [pip 2.2.3](https://pypi.org/project/azure-iot-hub) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples) | [Interact with IoT Hub Digital Twins API](tutorial-service.md) | N/A |
| Node - Digital Twins service | [npm 1.13.0](https://www.npmjs.com/package/azure-iot-digitaltwins-service) | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/service/samples/javascript) | [Interact with IoT Hub Digital Twins API](tutorial-service.md) | N/A | ## Next steps
iot-hub Iot Hub Csharp Csharp Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-csharp-csharp-twin-getstarted.md
In this article, you create two .NET console apps:
[!INCLUDE [iot-hub-include-find-custom-connection-string](../../includes/iot-hub-include-find-custom-connection-string.md)]
-## Create the service app
-
-In this section, you create a .NET console app, using C#, that adds location metadata to the device twin associated with **myDeviceId**. The app queries IoT hub for devices located in the US and then queries devices that report a cellular network connection.
-
-1. In Visual Studio, select **File > New > Project**. In **Create a new project**, select **Console App (.NET Framework)**, and then select **Next**.
-
-1. In **Configure your new project**, name the project **AddTagsAndQuery**, the select **Next**.
-
- :::image type="content" source="./media/iot-hub-csharp-csharp-twin-getstarted/config-addtagsandquery-app.png" alt-text="Screenshot of how to create a new Visual Studio project." lightbox="./media/iot-hub-csharp-csharp-twin-getstarted/config-addtagsandquery-app.png":::
-
-1. Accept the default version of the .NET Framework, then select **Create** to create the project.
-
-1. In Solution Explorer, right-click the **AddTagsAndQuery** project, and then select **Manage NuGet Packages**.
-
-1. Select **Browse** and search for and select **Microsoft.Azure.Devices**. Select **Install**.
-
- ![NuGet Package Manager window](./media/iot-hub-csharp-csharp-twin-getstarted/nuget-package-addtagsandquery-app.png)
-
- This step downloads, installs, and adds a reference to the [Azure IoT service SDK](https://www.nuget.org/packages/Microsoft.Azure.Devices/) NuGet package and its dependencies.
-
-1. Add the following `using` statements at the top of the **Program.cs** file:
-
- ```csharp
- using Microsoft.Azure.Devices;
- ```
-
-1. Add the following fields to the **Program** class. Replace `{iot hub connection string}` with the IoT Hub connection string that you copied in [Get the IoT hub connection string](#get-the-iot-hub-connection-string).
-
- ```csharp
- static RegistryManager registryManager;
- static string connectionString = "{iot hub connection string}";
- ```
-
-1. Add the following method to the **Program** class:
-
- ```csharp
- public static async Task AddTagsAndQuery()
- {
- var twin = await registryManager.GetTwinAsync("myDeviceId");
- var patch =
- @"{
- tags: {
- location: {
- region: 'US',
- plant: 'Redmond43'
- }
- }
- }";
- await registryManager.UpdateTwinAsync(twin.DeviceId, patch, twin.ETag);
-
- var query = registryManager.CreateQuery(
- "SELECT * FROM devices WHERE tags.location.plant = 'Redmond43'", 100);
- var twinsInRedmond43 = await query.GetNextAsTwinAsync();
- Console.WriteLine("Devices in Redmond43: {0}",
- string.Join(", ", twinsInRedmond43.Select(t => t.DeviceId)));
-
- query = registryManager.CreateQuery("SELECT * FROM devices WHERE tags.location.plant = 'Redmond43' AND properties.reported.connectivity.type = 'cellular'", 100);
- var twinsInRedmond43UsingCellular = await query.GetNextAsTwinAsync();
- Console.WriteLine("Devices in Redmond43 using cellular network: {0}",
- string.Join(", ", twinsInRedmond43UsingCellular.Select(t => t.DeviceId)));
- }
- ```
-
- The **RegistryManager** class exposes all the methods required to interact with device twins from the service. The previous code first initializes the **registryManager** object, then retrieves the device twin for **myDeviceId**, and finally updates its tags with the desired location information.
-
- After updating, it executes two queries: the first selects only the device twins of devices located in the **Redmond43** plant, and the second refines the query to select only the devices that are also connected through cellular network.
-
- The previous code, when it creates the **query** object, specifies a maximum number of returned documents. The **query** object contains a **HasMoreResults** boolean property that you can use to invoke the **GetNextAsTwinAsync** methods multiple times to retrieve all results. A method called **GetNextAsJson** is available for results that are not device twins, for example, results of aggregation queries.
-
-1. Finally, add the following lines to the **Main** method:
-
- ```csharp
- registryManager = RegistryManager.CreateFromConnectionString(connectionString);
- AddTagsAndQuery().Wait();
- Console.WriteLine("Press Enter to exit.");
- Console.ReadLine();
- ```
-
-1. Run this application by right-clicking on the **AddTagsAndQuery** project and selecting **Debug**, followed by **Start new instance**. You should see one device in the results for the query asking for all devices located in **Redmond43** and none for the query that restricts the results to devices that use a cellular network.
-
- ![Query results in window](./media/iot-hub-csharp-csharp-twin-getstarted/addtagapp.png)
-
-In the next section, you create a device app that reports connectivity information and changes the result of the query in the previous section.
-
-## Create the device app
+## Create a device app with a direct method
In this section, you create a .NET console app that connects to your hub as **myDeviceId**, and then updates its reported properties to confirm that it's connected using a cellular network.
-1. In Visual Studio, select **File** > **New** > **Project**. In **Create new project**, choose **Console App (.NET Framework)**, and then select **Next**.
+1. Open Visual Studio and select **Create new project**.
+
+1. Choose **Console App (.NET Framework)**, then select **Next**.
-1. In **Configure your new project**, name the project **ReportConnectivity**. For **Solution**, choose **Add to solution**, and then select **Create**.
+1. In **Configure your new project**, name the project **ReportConnectivity**, then select **Next**.
1. In Solution Explorer, right-click the **ReportConnectivity** project, and then select **Manage NuGet Packages**.
+1. Keep the default .NET Framework, then select **Create** to create the project.
+ 1. Select **Browse** and search for and choose **Microsoft.Azure.Devices.Client**. Select **Install**. This step downloads, installs, and adds a reference to the [Azure IoT device SDK](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client/) NuGet package and its dependencies.
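Review bot: the new heading `## Create a device app with a direct method` does not match the section it introduces, which connects as **myDeviceId** and updates device twin reported properties; no direct method appears in these steps. Keep a twin-oriented title such as the previous `## Create the device app`. Also, the added step `Keep the default .NET Framework, then select **Create**` lands after the unchanged step that right-clicks the **ReportConnectivity** project in Solution Explorer, so the procedure manages NuGet packages before the project is created; move the new step above it.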
In this section, you create a .NET console app that connects to your hub as **my
![Device connectivity reported successfully](./media/iot-hub-csharp-csharp-twin-getstarted/tagappsuccess.png)
+## Create a service app to trigger a reboot
+
+In this section, you create a .NET console app, using C#, that adds location metadata to the device twin associated with **myDeviceId**. The app queries IoT hub for devices located in the US and then queries devices that report a cellular network connection.
+
+1. In Visual Studio, select **File > New > Project**. In **Create a new project**, select **Console App (.NET Framework)**, and then select **Next**.
+
+1. In **Configure your new project**, name the project **AddTagsAndQuery**, the select **Next**.
+
+ :::image type="content" source="./media/iot-hub-csharp-csharp-twin-getstarted/config-addtagsandquery-app.png" alt-text="Screenshot of how to create a new Visual Studio project." lightbox="./media/iot-hub-csharp-csharp-twin-getstarted/config-addtagsandquery-app.png":::
+
+1. Accept the default version of the .NET Framework, then select **Create** to create the project.
+
+1. In Solution Explorer, right-click the **AddTagsAndQuery** project, and then select **Manage NuGet Packages**.
+
+1. Select **Browse** and search for and select **Microsoft.Azure.Devices**. Select **Install**.
+
+ ![NuGet Package Manager window](./media/iot-hub-csharp-csharp-twin-getstarted/nuget-package-addtagsandquery-app.png)
+
+ This step downloads, installs, and adds a reference to the [Azure IoT service SDK](https://www.nuget.org/packages/Microsoft.Azure.Devices/) NuGet package and its dependencies.
+
+1. Add the following `using` statements at the top of the **Program.cs** file:
+
+ ```csharp
+ using Microsoft.Azure.Devices;
+ ```
+
+1. Add the following fields to the **Program** class. Replace `{iot hub connection string}` with the IoT Hub connection string that you copied in [Get the IoT hub connection string](#get-the-iot-hub-connection-string).
+
+ ```csharp
+ static RegistryManager registryManager;
+ static string connectionString = "{iot hub connection string}";
+ ```
+
+1. Add the following method to the **Program** class:
+
+ ```csharp
+ public static async Task AddTagsAndQuery()
+ {
+ var twin = await registryManager.GetTwinAsync("myDeviceId");
+ var patch =
+ @"{
+ tags: {
+ location: {
+ region: 'US',
+ plant: 'Redmond43'
+ }
+ }
+ }";
+ await registryManager.UpdateTwinAsync(twin.DeviceId, patch, twin.ETag);
+
+ var query = registryManager.CreateQuery(
+ "SELECT * FROM devices WHERE tags.location.plant = 'Redmond43'", 100);
+ var twinsInRedmond43 = await query.GetNextAsTwinAsync();
+ Console.WriteLine("Devices in Redmond43: {0}",
+ string.Join(", ", twinsInRedmond43.Select(t => t.DeviceId)));
+
+ query = registryManager.CreateQuery("SELECT * FROM devices WHERE tags.location.plant = 'Redmond43' AND properties.reported.connectivity.type = 'cellular'", 100);
+ var twinsInRedmond43UsingCellular = await query.GetNextAsTwinAsync();
+ Console.WriteLine("Devices in Redmond43 using cellular network: {0}",
+ string.Join(", ", twinsInRedmond43UsingCellular.Select(t => t.DeviceId)));
+ }
+ ```
+
+ The **RegistryManager** class exposes all the methods required to interact with device twins from the service. The previous code first initializes the **registryManager** object, then retrieves the device twin for **myDeviceId**, and finally updates its tags with the desired location information.
+
+ After updating, it executes two queries: the first selects only the device twins of devices located in the **Redmond43** plant, and the second refines the query to select only the devices that are also connected through cellular network.
+
+ The previous code, when it creates the **query** object, specifies a maximum number of returned documents. The **query** object contains a **HasMoreResults** boolean property that you can use to invoke the **GetNextAsTwinAsync** methods multiple times to retrieve all results. A method called **GetNextAsJson** is available for results that are not device twins, for example, results of aggregation queries.
+
+1. Finally, add the following lines to the **Main** method:
+
+ ```csharp
+ registryManager = RegistryManager.CreateFromConnectionString(connectionString);
+ AddTagsAndQuery().Wait();
+ Console.WriteLine("Press Enter to exit.");
+ Console.ReadLine();
+ ```
+
+1. Run this application by right-clicking on the **AddTagsAndQuery** project and selecting **Debug**, followed by **Start new instance**. You should see one device in the results for the query asking for all devices located in **Redmond43** and none for the query that restricts the results to devices that use a cellular network.
+
+ ![Query results in window](./media/iot-hub-csharp-csharp-twin-getstarted/addtagapp.png)
+ In this article, you: * Configured a new IoT hub in the Azure portal
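Review bot: with the service app moved after the device app, the expected result in the last step (one device for the **Redmond43** query and none for the cellular query) no longer holds for a reader who has already run the device app, which reports a cellular connection; update the expected output or restore the original order. The heading `## Create a service app to trigger a reboot` also describes something the section does not do (it adds location tags and runs twin queries), and the moved text still carries the typo `the select **Next**`. Since the sample keeps the IoT hub connection string in a static field, consider adding a sentence that tells readers to load it from an environment variable or other configuration kept out of source control.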
iot-hub Iot Hub Java Java Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-java-java-twin-getstarted.md
In this article, you create two Java console apps:
[!INCLUDE [iot-hub-include-find-custom-connection-string](../../includes/iot-hub-include-find-custom-connection-string.md)]
-## Create the service app
+## Create a device app with a direct method
+
+In this section, you create a Java console app that connects to your hub as **myDeviceId**, and then updates its device twin's reported properties to confirm that it's connected using a cellular network.
+
+1. In the **iot-java-twin-getstarted** folder, create a Maven project named **simulated-device** using the following command at your command prompt:
+
+ ```cmd/sh
+ mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=simulated-device -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
+ ```
+
+2. At your command prompt, navigate to the **simulated-device** folder.
+
+3. Using a text editor, open the **pom.xml** file in the **simulated-device** folder and add the following dependencies to the **dependencies** node. This dependency enables you to use the **iot-device-client** package in your app to communicate with your IoT hub.
+
+ ```xml
+ <dependency>
+ <groupId>com.microsoft.azure.sdk.iot</groupId>
+ <artifactId>iot-device-client</artifactId>
+ <version>1.17.5</version>
+ </dependency>
+ ```
+
+ > [!NOTE]
+ > You can check for the latest version of **iot-device-client** using [Maven search](https://search.maven.org/#search%7Cga%7C1%7Ca%3A%22iot-device-client%22%20g%3A%22com.microsoft.azure.sdk.iot%22).
+
+4. Add the following dependency to the **dependencies** node. This dependency configures a NOP for the Apache [SLF4J](https://www.slf4j.org/) logging facade, which is used by the device client SDK to implement logging. This configuration is optional, but, if you omit it, you may see a warning in the console when you run the app. For more information about logging in the device client SDK, see [Logging](https://github.com/Azure/azure-iot-sdk-jav#logging) in the *Samples for the Azure IoT device SDK for Java* readme file.
+
+ ```xml
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-nop</artifactId>
+ <version>1.7.28</version>
+ </dependency>
+ ```
+
+5. Add the following **build** node after the **dependencies** node. This configuration instructs Maven to use Java 1.8 to build the app:
+
+ ```xml
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>3.3</version>
+ <configuration>
+ <source>1.8</source>
+ <target>1.8</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ ```
+
+6. Save and close the **pom.xml** file.
+
+7. Using a text editor, open the **simulated-device\src\main\java\com\mycompany\app\App.java** file.
+
+8. Add the following **import** statements to the file:
+
+ ```java
+ import com.microsoft.azure.sdk.iot.device.*;
+ import com.microsoft.azure.sdk.iot.device.DeviceTwin.*;
+
+ import java.io.IOException;
+ import java.net.URISyntaxException;
+ import java.util.Scanner;
+ ```
+
+9. Add the following class-level variables to the **App** class. Replace `{yourdeviceconnectionstring}` with the device connection string you saw when you registered a device in the IoT Hub:
+
+ ```java
+ private static String connString = "{yourdeviceconnectionstring}";
+ private static IotHubClientProtocol protocol = IotHubClientProtocol.MQTT;
+ private static String deviceId = "myDeviceId";
+ ```
+
+ This sample app uses the **protocol** variable when it instantiates a **DeviceClient** object.
+
+10. Add the following method to the **App** class to print information about twin updates:
+
+ ```java
+ protected static class DeviceTwinStatusCallBack implements IotHubEventCallback {
+ @Override
+ public void execute(IotHubStatusCode status, Object context) {
+ System.out.println("IoT Hub responded to device twin operation with status " + status.name());
+ }
+ }
+ ```
+
+11. Replace the code in the **main** method with the following code to:
+
+ * Create a device client to communicate with IoT Hub.
+
+ * Create a **Device** object to store the device twin properties.
+
+ ```java
+ DeviceClient client = new DeviceClient(connString, protocol);
+
+ // Create a Device object to store the device twin properties
+ Device dataCollector = new Device() {
+ // Print details when a property value changes
+ @Override
+ public void PropertyCall(String propertyKey, Object propertyValue, Object context) {
+ System.out.println(propertyKey + " changed to " + propertyValue);
+ }
+ };
+ ```
+
+12. Add the following code to the **main** method to create a **connectivityType** reported property and send it to IoT Hub:
+
+ ```java
+ try {
+ // Open the DeviceClient and start the device twin services.
+ client.open();
+ client.startDeviceTwin(new DeviceTwinStatusCallBack(), null, dataCollector, null);
+
+ // Create a reported property and send it to your IoT hub.
+ dataCollector.setReportedProp(new Property("connectivityType", "cellular"));
+ client.sendReportedProperties(dataCollector.getReportedProp());
+ }
+ catch (Exception e) {
+ System.out.println("On exception, shutting down \n" + " Cause: " + e.getCause() + " \n" + e.getMessage());
+ dataCollector.clean();
+ client.closeNow();
+ System.out.println("Shutting down...");
+ }
+ ```
+
+13. Add the following code to the end of the **main** method. Waiting for the **Enter** key allows time for IoT Hub to report the status of the device twin operations.
+
+ ```java
+ System.out.println("Press any key to exit...");
+
+ Scanner scanner = new Scanner(System.in);
+ scanner.nextLine();
+
+ dataCollector.clean();
+ client.close();
+ ```
+
+14. Modify the signature of the **main** method to include the exceptions as follows:
+
+ ```java
+ public static void main(String[] args) throws URISyntaxException, IOException
+ ```
+
+15. Save and close the **simulated-device\src\main\java\com\mycompany\app\App.java** file.
+
+16. Build the **simulated-device** app and correct any errors. At your command prompt, navigate to the **simulated-device** folder and run the following command:
+
+ ```cmd/sh
+ mvn clean package -DskipTests
+ ```
+
+## Create a service app to trigger a reboot
In this section, you create a Java app that adds location metadata as a tag to the device twin in IoT Hub associated with **myDeviceId**. The app queries IoT hub for devices located in the US and then queries devices that report a cellular network connection.
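Review bot: in step 12 the `catch` block calls `dataCollector.clean()` and `client.closeNow()` but does not return, so after a failure execution continues into step 13, waits for input, and then calls `dataCollector.clean()` and `client.close()` again on a client that was already closed; return from `main` in the handler or move the cleanup into a `finally`. The prompt `Press any key to exit...` does not match `scanner.nextLine()`, which waits for **Enter**, and the `deviceId` field is declared but unused in the visible steps. The Logging link `https://github.com/Azure/azure-iot-sdk-jav#logging` looks truncated and should be checked, and both new headings (`with a direct method`, `to trigger a reboot`) describe behavior that these twin sections do not contain.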
In this section, you create a Java app that adds location metadata as a tag to t
mvn clean package -DskipTests ```
-In the next section, you create a device app that reports connectivity information and changes the result of the query in the previous section.
-
-## Create the device app
-
-In this section, you create a Java console app that connects to your hub as **myDeviceId**, and then updates its device twin's reported properties to confirm that it's connected using a cellular network.
-
-1. In the **iot-java-twin-getstarted** folder, create a Maven project named **simulated-device** using the following command at your command prompt:
-
- ```cmd/sh
- mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=simulated-device -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
- ```
-
-2. At your command prompt, navigate to the **simulated-device** folder.
-
-3. Using a text editor, open the **pom.xml** file in the **simulated-device** folder and add the following dependencies to the **dependencies** node. This dependency enables you to use the **iot-device-client** package in your app to communicate with your IoT hub.
-
- ```xml
- <dependency>
- <groupId>com.microsoft.azure.sdk.iot</groupId>
- <artifactId>iot-device-client</artifactId>
- <version>1.17.5</version>
- </dependency>
- ```
-
- > [!NOTE]
- > You can check for the latest version of **iot-device-client** using [Maven search](https://search.maven.org/#search%7Cga%7C1%7Ca%3A%22iot-device-client%22%20g%3A%22com.microsoft.azure.sdk.iot%22).
-
-4. Add the following dependency to the **dependencies** node. This dependency configures a NOP for the Apache [SLF4J](https://www.slf4j.org/) logging facade, which is used by the device client SDK to implement logging. This configuration is optional, but, if you omit it, you may see a warning in the console when you run the app. For more information about logging in the device client SDK, see [Logging](https://github.com/Azure/azure-iot-sdk-jav#logging) in the *Samples for the Azure IoT device SDK for Java* readme file.
-
- ```xml
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-nop</artifactId>
- <version>1.7.28</version>
- </dependency>
- ```
-
-5. Add the following **build** node after the **dependencies** node. This configuration instructs Maven to use Java 1.8 to build the app:
-
- ```xml
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <version>3.3</version>
- <configuration>
- <source>1.8</source>
- <target>1.8</target>
- </configuration>
- </plugin>
- </plugins>
- </build>
- ```
-
-6. Save and close the **pom.xml** file.
-
-7. Using a text editor, open the **simulated-device\src\main\java\com\mycompany\app\App.java** file.
-
-8. Add the following **import** statements to the file:
-
- ```java
- import com.microsoft.azure.sdk.iot.device.*;
- import com.microsoft.azure.sdk.iot.device.DeviceTwin.*;
-
- import java.io.IOException;
- import java.net.URISyntaxException;
- import java.util.Scanner;
- ```
-
-9. Add the following class-level variables to the **App** class. Replace `{yourdeviceconnectionstring}` with the device connection string you saw when you registered a device in the IoT Hub:
-
- ```java
- private static String connString = "{yourdeviceconnectionstring}";
- private static IotHubClientProtocol protocol = IotHubClientProtocol.MQTT;
- private static String deviceId = "myDeviceId";
- ```
-
- This sample app uses the **protocol** variable when it instantiates a **DeviceClient** object.
-
-10. Add the following method to the **App** class to print information about twin updates:
-
- ```java
- protected static class DeviceTwinStatusCallBack implements IotHubEventCallback {
- @Override
- public void execute(IotHubStatusCode status, Object context) {
- System.out.println("IoT Hub responded to device twin operation with status " + status.name());
- }
- }
- ```
-
-11. Replace the code in the **main** method with the following code to:
-
- * Create a device client to communicate with IoT Hub.
-
- * Create a **Device** object to store the device twin properties.
-
- ```java
- DeviceClient client = new DeviceClient(connString, protocol);
-
- // Create a Device object to store the device twin properties
- Device dataCollector = new Device() {
- // Print details when a property value changes
- @Override
- public void PropertyCall(String propertyKey, Object propertyValue, Object context) {
- System.out.println(propertyKey + " changed to " + propertyValue);
- }
- };
- ```
-
-12. Add the following code to the **main** method to create a **connectivityType** reported property and send it to IoT Hub:
-
- ```java
- try {
- // Open the DeviceClient and start the device twin services.
- client.open();
- client.startDeviceTwin(new DeviceTwinStatusCallBack(), null, dataCollector, null);
-
- // Create a reported property and send it to your IoT hub.
- dataCollector.setReportedProp(new Property("connectivityType", "cellular"));
- client.sendReportedProperties(dataCollector.getReportedProp());
- }
- catch (Exception e) {
- System.out.println("On exception, shutting down \n" + " Cause: " + e.getCause() + " \n" + e.getMessage());
- dataCollector.clean();
- client.closeNow();
- System.out.println("Shutting down...");
- }
- ```
-
-13. Add the following code to the end of the **main** method. Waiting for the **Enter** key allows time for IoT Hub to report the status of the device twin operations.
-
- ```java
- System.out.println("Press any key to exit...");
-
- Scanner scanner = new Scanner(System.in);
- scanner.nextLine();
-
- dataCollector.clean();
- client.close();
- ```
-
-14. Modify the signature of the **main** method to include the exceptions as follows:
-
- ```java
- public static void main(String[] args) throws URISyntaxException, IOException
- ```
-
-15. Save and close the **simulated-device\src\main\java\com\mycompany\app\App.java** file.
-
-16. Build the **simulated-device** app and correct any errors. At your command prompt, navigate to the **simulated-device** folder and run the following command:
-
- ```cmd/sh
- mvn clean package -DskipTests
- ```
- ## Run the apps You are now ready to run the console apps.
iot-hub Iot Hub Node Node Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-node-node-twin-getstarted.md
To complete this article, you need:
[!INCLUDE [iot-hub-include-find-custom-connection-string](../../includes/iot-hub-include-find-custom-connection-string.md)]
-## Create the service app
+## Create a device app with a direct method
+
+In this section, you create a Node.js console app that connects to your hub as **myDeviceId**, and then updates its device twin's reported properties to confirm that it's connected using a cellular network.
+
+1. Create a new empty folder called **reportconnectivity**. In the **reportconnectivity** folder, create a new package.json file using the following command at your command prompt. The `--yes` parameter accepts all the defaults.
+
+ ```cmd/sh
+ npm init --yes
+ ```
+
+2. At your command prompt in the **reportconnectivity** folder, run the following command to install the **azure-iot-device**, and **azure-iot-device-mqtt** packages:
+
+ ```cmd/sh
+ npm install azure-iot-device azure-iot-device-mqtt --save
+ ```
+
+3. Using a text editor, create a new **ReportConnectivity.js** file in the **reportconnectivity** folder.
+
+4. Add the following code to the **ReportConnectivity.js** file. Replace `{device connection string}` with the device connection string you saw when you registered a device in the IoT Hub:
+
+ ```javascript
+ 'use strict';
+ var Client = require('azure-iot-device').Client;
+ var Protocol = require('azure-iot-device-mqtt').Mqtt;
+
+ var connectionString = '{device connection string}';
+ var client = Client.fromConnectionString(connectionString, Protocol);
+
+ client.open(function(err) {
+ if (err) {
+ console.error('could not open IotHub client');
+ } else {
+ console.log('client opened');
+
+ client.getTwin(function(err, twin) {
+ if (err) {
+ console.error('could not get twin');
+ } else {
+ var patch = {
+ connectivity: {
+ type: 'cellular'
+ }
+ };
+
+ twin.properties.reported.update(patch, function(err) {
+ if (err) {
+ console.error('could not update twin');
+ } else {
+ console.log('twin state reported');
+ process.exit();
+ }
+ });
+ }
+ });
+ }
+ });
+ ```
+
+ The **Client** object exposes all the methods you require to interact with device twins from the device. The previous code, after it initializes the **Client** object, retrieves the device twin for **myDeviceId** and updates its reported property with the connectivity information.
+
+5. Run the device app
+
+ ```cmd/sh
+ node ReportConnectivity.js
+ ```
+
+ You should see the message `twin state reported`.
+
+6. Now that the device reported its connectivity information, it should appear in both queries. Go back in the **addtagsandqueryapp** folder and run the queries again:
+
+ ```cmd/sh
+ node AddTagsAndQuery.js
+ ```
+
+ This time **myDeviceId** should appear in both query results.
+
+ ![Show myDeviceId in both query results](media/iot-hub-node-node-twin-getstarted/service2.png)
+
+## Create a service app to trigger a reboot
In this section, you create a Node.js console app that adds location metadata to the device twin associated with **myDeviceId**. The app queries IoT hub for devices located in the US and then queries devices that report a cellular network connection.
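Review bot: step 6 of the relocated device section tells readers to go back to the **addtagsandqueryapp** folder and rerun `node AddTagsAndQuery.js`, but after this reordering the service app that `AddTagsAndQuery.js` belongs to is introduced later in the article, so the step refers to something the reader has not built yet; move step 6 and its screenshot to the end of the service section or restore the original order. In `ReportConnectivity.js` the error branches log a fixed message and discard `err`, and only the success path calls `process.exit()`; log `err.message` and exit with a non-zero code so a failed `open` or `getTwin` can be diagnosed.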
In this section, you create a Node.js console app that adds location metadata to
![See the one device in the query results](media/iot-hub-node-node-twin-getstarted/service1.png)
-In the next section, you create a device app that reports connectivity information and changes the result of the query in the previous section.
-
-## Create the device app
-
-In this section, you create a Node.js console app that connects to your hub as **myDeviceId**, and then updates its device twin's reported properties to confirm that it's connected using a cellular network.
-
-1. Create a new empty folder called **reportconnectivity**. In the **reportconnectivity** folder, create a new package.json file using the following command at your command prompt. The `--yes` parameter accepts all the defaults.
-
- ```cmd/sh
- npm init --yes
- ```
-
-2. At your command prompt in the **reportconnectivity** folder, run the following command to install the **azure-iot-device**, and **azure-iot-device-mqtt** packages:
-
- ```cmd/sh
- npm install azure-iot-device azure-iot-device-mqtt --save
- ```
-
-3. Using a text editor, create a new **ReportConnectivity.js** file in the **reportconnectivity** folder.
-
-4. Add the following code to the **ReportConnectivity.js** file. Replace `{device connection string}` with the device connection string you saw when you registered a device in the IoT Hub:
-
- ```javascript
- 'use strict';
- var Client = require('azure-iot-device').Client;
- var Protocol = require('azure-iot-device-mqtt').Mqtt;
-
- var connectionString = '{device connection string}';
- var client = Client.fromConnectionString(connectionString, Protocol);
-
- client.open(function(err) {
- if (err) {
- console.error('could not open IotHub client');
- } else {
- console.log('client opened');
-
- client.getTwin(function(err, twin) {
- if (err) {
- console.error('could not get twin');
- } else {
- var patch = {
- connectivity: {
- type: 'cellular'
- }
- };
-
- twin.properties.reported.update(patch, function(err) {
- if (err) {
- console.error('could not update twin');
- } else {
- console.log('twin state reported');
- process.exit();
- }
- });
- }
- });
- }
- });
- ```
-
- The **Client** object exposes all the methods you require to interact with device twins from the device. The previous code, after it initializes the **Client** object, retrieves the device twin for **myDeviceId** and updates its reported property with the connectivity information.
-
-5. Run the device app
-
- ```cmd/sh
- node ReportConnectivity.js
- ```
-
- You should see the message `twin state reported`.
-
-6. Now that the device reported its connectivity information, it should appear in both queries. Go back in the **addtagsandqueryapp** folder and run the queries again:
-
- ```cmd/sh
- node AddTagsAndQuery.js
- ```
-
- This time **myDeviceId** should appear in both query results.
-
- ![Show myDeviceId in both query results](media/iot-hub-node-node-twin-getstarted/service2.png)
- In this article, you: * Configured a new IoT hub in the Azure portal
iot-hub Iot Hub Python Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-python-twin-getstarted.md
In this article, you create two Python console apps:
[!INCLUDE [iot-hub-include-find-custom-connection-string](../../includes/iot-hub-include-find-custom-connection-string.md)]
-## Create the service app
-
-In this section, you create a Python console app that adds location metadata to the device twin associated with your **{Device ID}**. The app queries IoT hub for devices located in the US and then queries devices that report a cellular network connection.
-
-1. In your working directory, open a command prompt and install the **Azure IoT Hub Service SDK for Python**.
-
- ```cmd/sh
- pip install azure-iot-hub
- ```
-
-2. Using a text editor, create a new **AddTagsAndQuery.py** file.
-
-3. Add the following code to import the required modules from the service SDK:
-
- ```python
- import sys
- from time import sleep
- from azure.iot.hub import IoTHubRegistryManager
- from azure.iot.hub.models import Twin, TwinProperties, QuerySpecification, QueryResult
- ```
-
-4. Add the following code. Replace `[IoTHub Connection String]` with the IoT hub connection string you copied in [Get the IoT hub connection string](#get-the-iot-hub-connection-string). Replace `[Device Id]` with the device ID (the name) from your registered device in the IoT Hub.
-
- ```python
- IOTHUB_CONNECTION_STRING = "[IoTHub Connection String]"
- DEVICE_ID = "[Device Id]"
- ```
-
-5. Add the following code to the **AddTagsAndQuery.py** file:
-
- ```python
- def iothub_service_sample_run():
- try:
- iothub_registry_manager = IoTHubRegistryManager(IOTHUB_CONNECTION_STRING)
-
- new_tags = {
- 'location' : {
- 'region' : 'US',
- 'plant' : 'Redmond43'
- }
- }
-
- twin = iothub_registry_manager.get_twin(DEVICE_ID)
- twin_patch = Twin(tags=new_tags, properties= TwinProperties(desired={'power_level' : 1}))
- twin = iothub_registry_manager.update_twin(DEVICE_ID, twin_patch, twin.etag)
-
- # Add a delay to account for any latency before executing the query
- sleep(1)
-
- query_spec = QuerySpecification(query="SELECT * FROM devices WHERE tags.location.plant = 'Redmond43'")
- query_result = iothub_registry_manager.query_iot_hub(query_spec, None, 100)
- print("Devices in Redmond43 plant: {}".format(', '.join([twin.device_id for twin in query_result.items])))
-
- print()
-
- query_spec = QuerySpecification(query="SELECT * FROM devices WHERE tags.location.plant = 'Redmond43' AND properties.reported.connectivity = 'cellular'")
- query_result = iothub_registry_manager.query_iot_hub(query_spec, None, 100)
- print("Devices in Redmond43 plant using cellular network: {}".format(', '.join([twin.device_id for twin in query_result.items])))
-
- except Exception as ex:
- print("Unexpected error {0}".format(ex))
- return
- except KeyboardInterrupt:
- print("IoT Hub Device Twin service sample stopped")
- ```
-
- The **IoTHubRegistryManager** object exposes all the methods required to interact with device twins from the service. The code first initializes the **IoTHubRegistryManager** object, then updates the device twin for **DEVICE_ID**, and finally runs two queries. The first selects only the device twins of devices located in the **Redmond43** plant, and the second refines the query to select only the devices that are also connected through a cellular network.
-
-6. Add the following code at the end of **AddTagsAndQuery.py** to implement the **iothub_service_sample_run** function:
-
- ```python
- if __name__ == '__main__':
- print("Starting the Python IoT Hub Device Twin service sample...")
- print()
-
- iothub_service_sample_run()
- ```
-
-7. Run the application with:
-
- ```cmd/sh
- python AddTagsAndQuery.py
- ```
-
- You should see one device in the results for the query asking for all devices located in **Redmond43** and none for the query that restricts the results to devices that use a cellular network.
-
- ![first query showing all devices in Redmond](./media/iot-hub-python-twin-getstarted/service-1.png)
-
-In the next section, you create a device app that reports connectivity information and changes the result of the query in the previous section.
-
-## Create the device app
+## Create a device app with a direct method
In this section, you create a Python console app that connects to your hub as your **{Device ID}** and then updates its device twin's reported properties to confirm that it's connected using a cellular network.
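Review bot: The replacement heading `## Create a device app with a direct method` does not match the section it introduces. The paragraph directly under it describes a console app that updates its device twin's reported properties to confirm a cellular connection, and no direct method appears. Keep `## Create the device app`, or use a twin-specific title such as `## Create a device app that updates reported properties`.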
In this section, you create a Python console app that connects to your hub as yo
![receive desired properties on device app](./media/iot-hub-python-twin-getstarted/device-2.png)
+## Create a service app to trigger a reboot
+
+In this section, you create a Python console app that adds location metadata to the device twin associated with your **{Device ID}**. The app queries IoT hub for devices located in the US and then queries devices that report a cellular network connection.
+
+1. In your working directory, open a command prompt and install the **Azure IoT Hub Service SDK for Python**.
+
+ ```cmd/sh
+ pip install azure-iot-hub
+ ```
+
+2. Using a text editor, create a new **AddTagsAndQuery.py** file.
+
+3. Add the following code to import the required modules from the service SDK:
+
+ ```python
+ import sys
+ from time import sleep
+ from azure.iot.hub import IoTHubRegistryManager
+ from azure.iot.hub.models import Twin, TwinProperties, QuerySpecification, QueryResult
+ ```
+
+4. Add the following code. Replace `[IoTHub Connection String]` with the IoT hub connection string you copied in [Get the IoT hub connection string](#get-the-iot-hub-connection-string). Replace `[Device Id]` with the device ID (the name) from your registered device in the IoT Hub.
+
+ ```python
+ IOTHUB_CONNECTION_STRING = "[IoTHub Connection String]"
+ DEVICE_ID = "[Device Id]"
+ ```
+
+5. Add the following code to the **AddTagsAndQuery.py** file:
+
+ ```python
+ def iothub_service_sample_run():
+ try:
+ iothub_registry_manager = IoTHubRegistryManager(IOTHUB_CONNECTION_STRING)
+
+ new_tags = {
+ 'location' : {
+ 'region' : 'US',
+ 'plant' : 'Redmond43'
+ }
+ }
+
+ twin = iothub_registry_manager.get_twin(DEVICE_ID)
+ twin_patch = Twin(tags=new_tags, properties= TwinProperties(desired={'power_level' : 1}))
+ twin = iothub_registry_manager.update_twin(DEVICE_ID, twin_patch, twin.etag)
+
+ # Add a delay to account for any latency before executing the query
+ sleep(1)
+
+ query_spec = QuerySpecification(query="SELECT * FROM devices WHERE tags.location.plant = 'Redmond43'")
+ query_result = iothub_registry_manager.query_iot_hub(query_spec, None, 100)
+ print("Devices in Redmond43 plant: {}".format(', '.join([twin.device_id for twin in query_result.items])))
+
+ print()
+
+ query_spec = QuerySpecification(query="SELECT * FROM devices WHERE tags.location.plant = 'Redmond43' AND properties.reported.connectivity = 'cellular'")
+ query_result = iothub_registry_manager.query_iot_hub(query_spec, None, 100)
+ print("Devices in Redmond43 plant using cellular network: {}".format(', '.join([twin.device_id for twin in query_result.items])))
+
+ except Exception as ex:
+ print("Unexpected error {0}".format(ex))
+ return
+ except KeyboardInterrupt:
+ print("IoT Hub Device Twin service sample stopped")
+ ```
+
+ The **IoTHubRegistryManager** object exposes all the methods required to interact with device twins from the service. The code first initializes the **IoTHubRegistryManager** object, then updates the device twin for **DEVICE_ID**, and finally runs two queries. The first selects only the device twins of devices located in the **Redmond43** plant, and the second refines the query to select only the devices that are also connected through a cellular network.
+
+6. Add the following code at the end of **AddTagsAndQuery.py** to implement the **iothub_service_sample_run** function:
+
+ ```python
+ if __name__ == '__main__':
+ print("Starting the Python IoT Hub Device Twin service sample...")
+ print()
+
+ iothub_service_sample_run()
+ ```
+
+7. Run the application with:
+
+ ```cmd/sh
+ python AddTagsAndQuery.py
+ ```
+
+ You should see one device in the results for the query asking for all devices located in **Redmond43** and none for the query that restricts the results to devices that use a cellular network.
+
+ ![first query showing all devices in Redmond](./media/iot-hub-python-twin-getstarted/service-1.png)
++ In this article, you: * Configured a new IoT hub in the Azure portal
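Review bot: The heading `## Create a service app to trigger a reboot` on the first added line is wrong for this section: the body adds location tags to the device twin and runs two twin queries, and nothing in it triggers a reboot. Rename it to match the content, for example `## Create a service app that updates desired properties and queries twins`. Smaller points while the section is being moved: the intro says the app queries for devices "located in the US", but both queries filter on `tags.location.plant = 'Redmond43'`; step 4 pastes the IoT hub connection string into `IOTHUB_CONNECTION_STRING` as a source literal, so consider reading it from an environment variable so the key does not end up in a committed file; and `import sys` and `QueryResult` are imported but never used in the code shown.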
lab-services Capacity Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/capacity-limits.md
These actions may be disabled if there no more cores that can be enabled for you
:::image type="content" source="./media/capacity-limits/warning-message.png" alt-text="Screenshot of core limit warning in Azure Lab Services.":::
+> [!NOTE]
+> Azure Lab Services capacity limits are set per subscription.
++ ## Request a limit increase If you reach the cores limit, you can request a limit increase to continue using Azure Lab Services. The request process is a checkpoint to ensure your subscription isn't involved in any cases of fraud or unintentional, sudden large-scale deployments.
logic-apps Logic Apps Securing A Logic App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-securing-a-logic-app.md
This list includes information about TLS/SSL self-signed certificates:
* For Consumption logic apps in the multi-tenant Azure Logic Apps environment, HTTP operations don't permit self-signed TLS/SSL certificates. If your logic app makes an HTTP call to a server and presents a TLS/SSL self-signed certificate, the HTTP call fails with a `TrustFailure` error.
-* For Standard logic apps in the single-tenant Azure Logic Apps environment, HTTP operations support self-signed TLS/SSL certificates. However, you have to complete a few extra steps for this authentication type. Otherwise, the call fails. For more information, review [TSL/SSL certificate authentication for single-tenant Azure Logic Apps](../connectors/connectors-native-http.md#tlsssl-certificate-authentication).
+* For Standard logic apps in the single-tenant Azure Logic Apps environment, HTTP operations support self-signed TLS/SSL certificates. However, you have to complete a few extra steps for this authentication type. Otherwise, the call fails. For more information, review [TLS/SSL certificate authentication for single-tenant Azure Logic Apps](../connectors/connectors-native-http.md#tlsssl-certificate-authentication).
If you want to use client certificate or Azure Active Directory Open Authentication (Azure AD OAuth) with the "Certificate" credential type instead, you still have to complete a few extra steps for this authentication type. Otherwise, the call fails. For more information, review [Client certificate or Azure Active Directory Open Authentication (Azure AD OAuth) with the "Certificate" credential type for single-tenant Azure Logic Apps](../connectors/connectors-native-http.md#client-certificate-authentication).
machine-learning How To Enable Preview Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-enable-preview-features.md
+
+ Title: Manage preview features
+
+description: Learn about, and enable, preview features available with Azure Machine Learning.
+++++++ Last updated : 07/25/2022+++
+# Enable preview features for Azure Machine Learning
+
+In Azure Machine Learning, new features and improvements are often first released as preview features before they're made generally available (GA). As new features are introduced, you can turn them on or off in the Azure Machine Learning studio at your convenience. That way, you get a chance to use the latest features, evaluate how they fit your work needs and provide feedback to shape the product. Your feedback is very valuable and it helps us constantly improve the product.
+
+Some preview features provide access to entire new functionality while others may reflect a change to the user interface, but little or no change in functionality.
+
+> [!NOTE]
+> The amount of time a feature remains in preview can vary based on user feedback, quality checks, and long-term road maps.
+
+> [!IMPORTANT]
+> The preview features are provided without a service-level agreement, and are not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+++
+## Prerequisites
+
+* An Azure Machine Learning workspace. For more information, see [Quickstart: Create workspace resources](quickstart-create-resources.md).
+
+## How do I enable preview features?
+
+You can enable or disable preview features anytime in [Azure Machine Learning studio](https://ml.azure.com/). Use the following steps to discover preview features:
+
+1. From the [Azure Machine Learning studio](https://ml.azure.com/), select the __megaphone icon__ from the top-right corner of the page. The __Preview Features__ panel will appear.
+
+ :::image type="content" source="./media/how-to-enable-preview-features/megaphone-icon.png" alt-text="Screenshot of the megaphone icon in Azure Machine Learning studio.":::
+
+1. Find the feature you would like to try out and select the toggle next to it to enable or disable the feature.
+
+ > [!TIP]
+ > When you disable a feature, a text box will appear that can be used to provide feedback on the feature. To learn how to provide feedback without disabling a feature, see [How do I provide feedback?](#how-do-i-provide-feedback).
+
+ :::image type="content" source="./media/how-to-enable-preview-features/enable-feature.png" alt-text="Screenshot of the preview features panel with toggle highlighted.":::
+
+## How do I provide feedback?
+
+Use the following steps to provide feedback on a feature.
+
+1. From the [Azure Machine Learning studio](https://ml.azure.com/), select the __megaphone icon__ from the top-right corner of the page. The __Preview Features__ panel will appear.
+2. Find the feature you would like to provide feedback on and select the __smile__ or __frown__. A text box will appear where you can provide more details.
+
+ :::image type="content" source="./media/how-to-enable-preview-features/provide-feature-feedback.png" alt-text="Screenshot of the preview features panel with feedback highlighted.":::
+
+ The text box will also appear when you disable a feature.
+
+## Next steps
+
+* [Feature availability across cloud regions](reference-machine-learning-cloud-parity.md)
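Review bot: The front matter title `Manage preview features` and the H1 `# Enable preview features for Azure Machine Learning` name the page differently; pick one so the TOC entry and the page heading agree. In "How do I enable preview features?" the lead-in says "Use the following steps to discover preview features" although the steps enable or disable them, and that list numbers its steps `1.`, `1.` while the feedback list uses `1.`, `2.`; use one numbering style in both.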
machine-learning How To Log View Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-log-view-metrics.md
Select the logged metrics to render charts on the right side.
:::image type="content" source="media/how-to-log-view-metrics/metrics-old.png" alt-text="Screenshot of the current metrics view.":::
+For a customizable view of your job metrics (preview), use the [preview panel](./how-to-enable-preview-features.md) to enable the feature. Once enabled, you can add/remove charts and customize them by applying smoothing, changing the color, or plotting multiple metrics on a single graph. You can also resize and rearrange the layout as you wish. Once you have created your desired view, you can save it for future use and share it with your teammates using a direct link.
++ ### View and download diagnostic logs Log files are an essential resource for debugging the Azure ML workloads. After submitting a training job, drill down to a specific run to view its logs and outputs:
machine-learning How To Train With Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-train-with-rest.md
To create a sweep job with the same LightGBM example, use the following commands
## Next steps
-Now that you have a trained model, learn [how to deploy your model](how-to-deploy-and-where.md).
+Now that you have a trained model, learn [how to deploy your model](how-to-deploy-managed-online-endpoints.md).
machine-learning Reference Yaml Component Command https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/reference-yaml-component-command.md
Previously updated : 03/31/2022 Last updated : 08/08/2022
The source JSON schema can be found at https://azuremlschemas.azureedge.net/late
| | - | -- | -- | - | | `$schema` | string | The YAML schema. If you use the Azure Machine Learning VS Code extension to author the YAML file, including `$schema` at the top of your file enables you to invoke schema and resource completions. | | | | `type` | const | The type of component. | `command` | `command` |
-| `name` | string | **Required.** Name of the component. | | |
+| `name` | string | **Required.** Name of the component. Must start with lowercase letter. Allowed characters are lowercase letters, numbers, and underscore(_). Maximum length is 255 characters.| | |
| `version` | string | Version of the component. If omitted, Azure ML will autogenerate a version. | | | | `display_name` | string | Display name of the component in the studio UI. Can be non-unique within the workspace. | | | | `description` | string | Description of the component. | | |
The source JSON schema can be found at https://azuremlschemas.azureedge.net/late
| Key | Type | Description | Allowed values | Default value | | | - | -- | -- | - |
-| `type` | string | **Required.** The type of component input. <br><br> Use `type: uri_file/uri_folder` if you want the runtime job input value to be a data URI or registered Azure ML data asset when the component is run. | `number`, `integer`, `boolean`, `string`, `uri_file`, `uri_folder` | |
+| `type` | string | **Required.** The type of component input. [Learn more about data access](concept-data.md) | `number`, `integer`, `boolean`, `string`, `uri_file`, `uri_folder`, `mltable`, `mlflow_model`| |
| `description` | string | Description of the input. | | | | `default` | number, integer, boolean, or string | The default value for the input. | | | | `optional` | boolean | Whether the input is required. | | `false` | | `min` | integer or number | The minimum accepted value for the input. This field can only be specified if `type` field is `number` or `integer`. | | | `max` | integer or number | The maximum accepted value for the input. This field can only be specified if `type` field is `number` or `integer`. | |
-| `enum` | array | The list of allowed values for the input. Not applicable if `type` field is `boolean`. | |
+| `enum` | array | The list of allowed values for the input. Only applicable if `type` field is `string`.| |
### Component output | Key | Type | Description | Allowed values | Default value | | | - | -- | -- | - |
-| `type` | string | **Required.** The type of component output. | `uri_folder` | |
+| `type` | string | **Required.** The type of component output. | `uri_file`, `uri_folder`, `mltable`, `mlflow_model` | |
| `description` | string | Description of the output. | | | ## Remarks
Command component examples are available in the examples GitHub repository. Sele
Examples are available in the [examples GitHub repository](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components). Several are shown below.
-## Hello world command component
+## YAML: Hello world command component
:::code language="yaml" source="~/azureml-examples-main/cli/jobs/pipelines-with-components/basics/2a_basic_component/component.yml":::
+## YAML: Component with different input types
++ ## Next steps - [Install and use the CLI (v2)](how-to-configure-cli.md)
+- [Create ML pipelines using components (CLI v2)](how-to-create-component-pipelines-cli.md)
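Review bot: The added heading `## YAML: Component with different input types` has no body in the lines shown: it is followed directly by `## Next steps`, while the "Hello world" heading above it carries a `:::code language="yaml"` include. Add the matching `:::code` include for the input-types example, or drop the heading until the sample is ready.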
machine-learning How To Auto Train Nlp Models V1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-auto-train-nlp-models-v1.md
https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-
* [Named entity recognition](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/automl-nlp-ner/automl-nlp-ner.ipynb) ## Next steps
-+ Learn more about [how and where to deploy a model](../how-to-deploy-and-where.md).
++ Learn more about [how and where to deploy a model](../how-to-deploy-managed-online-endpoints.md). + [Troubleshoot automated ML experiments](../how-to-troubleshoot-auto-ml.md).
marketplace Azure Vm Get Sas Uri https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/marketplace/azure-vm-get-sas-uri.md
Previously updated : 06/23/2021 Last updated : 08/15/2022 # Generate a SAS URI for a VM image
network-watcher Network Watcher Nsg Flow Logging Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md
Flow logs data is collected outside of the path of your network traffic, and the
To use a Storage account behind a firewall, you have to provide an exception for Trusted Microsoft Services to access your storage account: -- Navigate to the storage account by typing the storage account's name in the global search on the portal or from the [Storage Accounts page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts)-- Under the **SETTINGS** section, select **Firewalls and virtual networks**-- In **Allow access from**, select **Selected networks**. Then under **Exceptions**, tick the box next to ****Allow trusted Microsoft services to access this storage account****-- If it is already selected, no change is needed.-- Locate your target NSG on the [NSG Flow Logs overview page](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/flowLogs) and enable NSG Flow Logs with the above storage account selected.
+- Navigate to the Storage account by typing the Storage account's name in global search on the portal or from the [Storage accounts page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts)
+- Under the **Networking** section, select **Firewalls and virtual networks** at top of page.
+- Under the **Public network access**, select:
+ ☑️ **Enabled from selected virtual networks and IP addresses**
+- Under **Firewall** select:
+ ☑️ **Add your Client IP Address**
+
+ > [!Note]
+ > A client IP Address is provided here by default, verify this IP matches the machine you are using to access Storage Account using `ipconfig`. If the Client IP Address does not match your machine, you may receive Unauthorized when attempting to access the storage account to read NSG Flow Logs.
+
+- Under **Exceptions**, select:
+ ☑️ **Allow Azure service on the trusted services list to access this storage account.**
+- If the above items are already configured, no change is needed.
+- Locate your target NSG on the [NSG Flow Logs overview page](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/flowLogs) and enable NSG Flow Logs using the above configured storage account.
You can check the storage logs after a few minutes, you should see an updated TimeStamp or a new JSON file created.
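Review bot: The `[!Note]` under "Add your Client IP Address" tells readers to verify the address with `ipconfig`, which reports the adapter's local address; behind NAT or a proxy that is a private address and will not match the public address the storage account firewall evaluates, so a reader following the note can replace a correct entry with one that never matches. Tell readers to compare against their public egress IP instead, and reword the comma splice ("provided here by default, verify this IP") into two sentences.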
postgresql Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/overview.md
$$ New server deployments are temporarily blocked in these regions. Already prov
The service runs the community version of PostgreSQL. This allows full application compatibility and requires minimal refactoring cost to migrate an existing application developed on PostgreSQL engine to Flexible Server.
+- **Single Server to Flexible Server Migration tool (Preview)** - [This tool](../migrate/concepts-single-to-flexible.md) provides an easier migration capability from Single server to Flexible Server.
- **Dump and Restore** ΓÇô For offline migrations, where users can afford some downtime, dump and restore using community tools like pg_dump and pg_restore can provide fastest way to migrate. See [Migrate using dump and restore](../howto-migrate-using-dump-and-restore.md) for details. - **Azure Database Migration Service** ΓÇô For seamless and simplified migrations to flexible server with minimal downtime, Azure Database Migration Service can be leveraged. See [DMS via portal](../../dms/tutorial-postgresql-azure-postgresql-online-portal.md) and [DMS via CLI](../../dms/tutorial-postgresql-azure-postgresql-online.md). You can migrate from your Azure Database for PostgreSQL - Single Server to Flexible Server. See this [DMS article](../../dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal.md) for details. ## Frequently asked questions
- Will Flexible Server replace Single Server or Will Single Server be retired soon?
+**1. Will Flexible Server replace Single Server? Will Single Server be retired soon?**
We continue to support Single Server and encourage you to adopt Flexible Server which has richer capabilities such as zone resilient HA, predictable performance, maximum control, custom maintenance window, cost optimization controls and simplified developer experience suitable for your enterprise workloads. If we decide to retire any service, feature, API or SKU, you'll receive advance notice including a migration or transition path. Learn more about Microsoft Lifecycle policies [here](/lifecycle/faq/general-lifecycle). + ## Contacts For any questions or suggestions you might have on Azure Database for PostgreSQL flexible server, send an email to the Azure Database for PostgreSQL Team ([@Ask Azure DB for PostgreSQL](mailto:AskAzureDBforPostgreSQL@service.microsoft.com)). Please note that this email address isn't a technical support alias.
purview Register Scan Hdfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/register-scan-hdfs.md
This article outlines how to register Hadoop Distributed File System (HDFS), and
When scanning HDFS source, Microsoft Purview supports extracting technical metadata including HDFS: - Namenode-- Folder-- File-- Resource set
+- Folders
+- Files
+- Resource sets
When setting up scan, you can choose to scan the entire HDFS or selective folders. Learn about the supported file format [here](microsoft-purview-connector-overview.md#file-types-supported-for-scanning).
+The connector uses *webhdfs* protocol to connect to HDFS and retrieve metadata. MapR Hadoop distribution is not supported.
+ ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
search Search Synapseml Cognitive Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-synapseml-cognitive-services.md
Last updated 08/09/2022
In this Azure Cognitive Search article, learn how to add data exploration and full text search to a SynapseML solution.
-[SynapseML](/research/blog/synapseml-a-simple-multilingual-and-massively-parallel-machine-learning-library/) is an open source library that supports massively parallel machine learning over big data. One of the ways in which machine learning is exposed is through *transformers* that perform specialized tasks. Transformers tap into a wide range of AI capabilities, but in this article, we'll focus on just those that call Cognitive Services and Cognitive Search.
+[SynapseML](https://www.microsoft.com/research/blog/synapseml-a-simple-multilingual-and-massively-parallel-machine-learning-library/) is an open source library that supports massively parallel machine learning over big data. In SynapseML, one of the ways in which machine learning is exposed is through *transformers* that perform specialized tasks. Transformers tap into a wide range of AI capabilities. In this article, we'll focus on just those that call Cognitive Services and Cognitive Search.
In this walkthrough, you'll set up a workbook that does the following:
In this walkthrough, you'll set up a workbook that does the following:
> + Write the output to a search index in Azure Cognitive Search > + Explore and search over the content you created
-Although Azure Cognitive Search has native [AI enrichment](cognitive-search-concept-intro.md), this walkthrough shows you how to access AI capabilities outside of Cognitive Search. By using SynapseML instead of indexers or skills, you're not subject to data limits or any other constraint associated with those objects.
+Although Azure Cognitive Search has native [AI enrichment](cognitive-search-concept-intro.md), this walkthrough shows you how to access AI capabilities outside of Cognitive Search. By using SynapseML instead of indexers or skills, you're not subject to data limits or other constraints associated with those objects.
> [!TIP]
-> Watch a demo at [https://www.youtube.com/watch?v=iXnBLwp7f88](https://www.youtube.com/watch?v=iXnBLwp7f88). The demo expands on this walkthrough with more steps and visuals.
+> Watch a short video of this demo at [https://www.youtube.com/watch?v=iXnBLwp7f88](https://www.youtube.com/watch?v=iXnBLwp7f88). The video expands on this walkthrough with more steps and visuals.
## Prerequisites
display(analyzed_df)
Paste the following code into the fourth cell and run it. No modifications are required.
-This code loads [FormOntologyLearner](https://mmlspark.blob.windows.net/docs/0.10.0/pyspark/synapse.ml.cognitive.html?highlight=formontologylearner#module-synapse.ml.cognitive.FormOntologyLearner), a transformer that analyzes the output of Form Recognizer transformers and infers a tabular data structure. The output of AnalyzeInvoices is dynamic and varies based on the features detected in your content. Furthermore, the AnalyzeInvoices transformer consolidates output into a single column. Because the output is dynamic and consolidated, it's difficult to use in downstream transformations that require more structure.
+This code loads [FormOntologyLearner](https://mmlspark.blob.core.windows.net/docs/0.10.0/pyspark/synapse.ml.cognitive.html#module-synapse.ml.cognitive.FormOntologyTransformer), a transformer that analyzes the output of Form Recognizer transformers and infers a tabular data structure. The output of AnalyzeInvoices is dynamic and varies based on the features detected in your content. Furthermore, the AnalyzeInvoices transformer consolidates output into a single column. Because the output is dynamic and consolidated, it's difficult to use in downstream transformations that require more structure.
FormOntologyLearner extends the utility of the AnalyzeInvoices transformer by looking for patterns that can be used to create a tabular data structure. Organizing the output into multiple columns and rows makes the content consumable in other transformers, like AzureSearchWriter.
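Review bot: The updated link keeps the text `FormOntologyLearner`, but its new fragment is `#module-synapse.ml.cognitive.FormOntologyTransformer`, so the link targets a different class than the one the sentence describes. Point the fragment at the `FormOntologyLearner` entry, or confirm that the new fragment resolves to it on the `mmlspark.blob.core.windows.net` page before merging.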
In this walkthrough, you learned about the [AzureSearchWriter](https://microsoft
As a next step, review the other SynapseML tutorials that produce transformed content you might want to explore through Azure Cognitive Search: > [!div class="nextstepaction"]
-> [Tutorial: Text Analytics with Cognitive Service](/azure/synapse-analytics/machine-learning/tutorial-text-analytics-use-mmlspark)
+> [Tutorial: Text Analytics with Cognitive Services](/azure/synapse-analytics/machine-learning/tutorial-text-analytics-use-mmlspark)
storage Storage Use Azcopy V10 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-v10.md
The following table lists all AzCopy v10 commands. Each command links to a refer
|[azcopy jobs remove](storage-ref-azcopy-jobs-remove.md?toc=/azure/storage/blobs/toc.json)|Remove all files associated with the given job ID.| |[azcopy jobs resume](storage-ref-azcopy-jobs-resume.md?toc=/azure/storage/blobs/toc.json)|Resumes the existing job with the given job ID.| |[azcopy jobs show](storage-ref-azcopy-jobs-show.md?toc=/azure/storage/blobs/toc.json)|Shows detailed information for the given job ID.|
-|[azcopy jobs](storage-ref-azcopy-jobs.md?toc=/azure/storage/blobs/toc.json)|Subcommands related to managing jobs.|
|[azcopy list](storage-ref-azcopy-list.md?toc=/azure/storage/blobs/toc.json)|Lists the entities in a given resource.| |[azcopy login](storage-ref-azcopy-login.md?toc=/azure/storage/blobs/toc.json)|Logs in to Azure Active Directory to access Azure Storage resources.| |[azcopy login status](storage-ref-azcopy-login-status.md)|Lists the entities in a given resource.|
storage Storage Files Identity Ad Ds Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-enable.md
The cmdlets above should return the key value. Once you have the kerb1 key, crea
1. Set the SPN to **cifs/your-storage-account-name-here.file.core.windows.net** either in the AD GUI or by running the `Setspn` command from the Windows command line as administrator (remember to replace the example text with your storage account name): ```shell
- Setspn -S cifs/your-storage-account-name-here.file.core.windows.net
+ Setspn -S cifs/your-storage-account-name-here.file.core.windows.net <ADAccountName>
``` 2. Use PowerShell to set the AD account password to the value of the kerb1 key (you must have AD PowerShell cmdlets installed):
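Review bot: The added `<ADAccountName>` argument is not explained in the step text, which still only says to replace the example text with the storage account name. Add a clause stating that `<ADAccountName>` is the AD DS account created to represent the storage account, so readers do not register the SPN on the wrong account.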
Keep the SID of the newly created identity, you'll need it for the next step. Th
### Enable the feature on your storage account
-Modify the following command to include configuration details for the domain properties in the following command, then run it to enable the feature. The storage account SID required in the following command is the SID of the identity you created in your AD DS in [the previous section](#create-an-identity-representing-the-storage-account-in-your-ad-manually).
+Modify the following command to include configuration details for the domain properties in the following command, then run it to enable the feature. The storage account SID required in the following command is the SID of the identity you created in your AD DS in [the previous section](#create-an-identity-representing-the-storage-account-in-your-ad-manually). Make sure that you provide the **ActiveDirectorySamAccountName** property without the trailing '$' sign.
```PowerShell # Set the feature flag on the target storage account and provide the required AD domain information
storage Storage Files Planning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-planning.md
For more information about encryption in transit, see [requiring secure transfer
Azure Files has a multi-layered approach to ensuring your data is backed up, recoverable, and protected from security threats. ### Soft delete
-Soft delete for file shares is a storage-account level setting that allows you to recover your file share when it is accidentally deleted. When a file share is deleted, it transitions to a soft deleted state instead of being permanently erased. You can configure the amount of time soft deleted data is recoverable before it's permanently deleted, and undelete the share anytime during this retention period.
+Soft delete is a storage-account level setting for SMB file shares that allows you to recover your file share when it's accidentally deleted. When a file share is deleted, it transitions to a soft deleted state instead of being permanently erased. You can configure the amount of time soft deleted data is recoverable before it's permanently deleted, and undelete the share anytime during this retention period.
-We recommend turning on soft delete for most file shares. If you have a workflow where share deletion is common and expected, you may decide to have a short retention period or not have soft delete enabled at all.
+We recommend turning on soft delete for most SMB file shares. If you have a workflow where share deletion is common and expected, you may decide to have a short retention period or not have soft delete enabled at all. Soft delete doesn't work for NFS shares, even if it's enabled for the storage account.
For more information about soft delete, see [Prevent accidental data deletion](./storage-files-prevent-file-share-deletion.md).
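Review bot: the NFS limitation is appended as the last sentence of the recommendation paragraph, after the advice about short retention periods, where a reader scanning for data-protection guidance can miss it. Because the setting can be enabled on the storage account and still not protect NFS shares, move "Soft delete doesn't work for NFS shares, even if it's enabled for the storage account." next to the first sentence that defines soft delete, or put it in a note callout.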
storage Storage Files Prevent File Share Deletion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-prevent-file-share-deletion.md
# Prevent accidental deletion of Azure file shares
-Azure Files offers soft delete for file shares. Soft delete allows you to recover your file share when it is mistakenly deleted by an application or other storage account user.
+Azure Files offers soft delete for SMB file shares. Soft delete allows you to recover your file share when it is mistakenly deleted by an application or other storage account user.
## Applies to | File share type | SMB | NFS |
Azure Files offers soft delete for file shares. Soft delete allows you to recove
| Premium file shares (FileStorage), LRS/ZRS | ![Yes](../media/icons/yes-icon.png) | ![No](../media/icons/no-icon.png) | ## How soft delete works
-When soft delete for Azure file shares is enabled, if a file share is deleted, it transitions to a soft deleted state instead of being permanently erased. You can configure the amount of time soft deleted data is recoverable before it's permanently deleted, and undelete the share anytime during this retention period. After being undeleted, the share and all of contents, including snapshots, will be restored to the state it was in prior to deletion. Soft delete only works on a file share level - individual files that are deleted will still be permanently erased.
+When soft delete for Azure file shares is enabled on a storage account, if a file share is deleted, it transitions to a soft deleted state instead of being permanently erased. You can configure the amount of time soft deleted data is recoverable before it's permanently deleted, and undelete the share anytime during this retention period. After being undeleted, the share and all of contents, including snapshots, will be restored to the state it was in prior to deletion. Soft delete only works on a file share level - individual files that are deleted will still be permanently erased.
-Soft delete can be enabled on either new or existing file shares. Soft delete is also backwards compatible, so you don't have to make any changes to your applications to take advantage of the protections of soft delete.
+Soft delete can be enabled on either new or existing file shares. Soft delete is also backwards compatible, so you don't have to make any changes to your applications to take advantage of the protections of soft delete. Soft delete doesn't work for NFS shares, even if it's enabled for the storage account.
To permanently delete a file share in a soft delete state before its expiry time, you must undelete the share, disable soft delete, and then delete the share again. Then you should re-enable soft delete, since any other file shares in that storage account will be vulnerable to accidental deletion while soft delete is off.
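Review bot: the rewritten "How soft delete works" paragraph keeps the phrase "the share and all of contents", which should read "all of its contents"; fix it while the sentence is being touched. In the second paragraph, "Soft delete can be enabled on either new or existing file shares" is still unqualified and is now directly followed by the NFS exclusion, so say "SMB file shares" there to match the intro change. The unchanged closing paragraph tells readers to disable soft delete in order to purge a share; given the added storage-account wording, it would help to state explicitly that this exposes every share in the account for that window.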
stream-analytics Machine Learning Udf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/machine-learning-udf.md
You can implement machine learning models as a user-defined function (UDF) in yo
Complete the following steps before you add a machine learning model as a function to your Stream Analytics job:
-1. Use Azure Machine Learning to [deploy your model as a web service](../machine-learning/how-to-deploy-and-where.md).
+1. Use Azure Machine Learning to [deploy your model as a web service](../machine-learning/how-to-deploy-managed-online-endpoints.md).
2. Your machine learning endpoint must have an associated [swagger](../machine-learning/how-to-deploy-advanced-entry-script.md) that helps Stream Analytics understand the schema of the input and output. You can use this [sample swagger definition](https://github.com/Azure/azure-stream-analytics/blob/master/Samples/AzureML/asa-mlswagger.json) as a reference to ensure you have set it up correctly. 3. Make sure your web service accepts and returns JSON serialized data.
-4. Deploy your model on [Azure Kubernetes Service](../machine-learning/how-to-deploy-and-where.md#choose-a-compute-target) for high-scale production deployments. If the web service is not able to handle the number of requests coming from your job, the performance of your Stream Analytics job will be degraded, which impacts latency. Models deployed on Azure Container Instances are supported only when you use the Azure portal.
+4. Deploy your model on [Azure Kubernetes Service](../machine-learning/how-to-deploy-managed-online-endpoints.md#use-different-cpu-and-gpu-instance-types) for high-scale production deployments. If the web service is not able to handle the number of requests coming from your job, the performance of your Stream Analytics job will be degraded, which impacts latency. Models deployed on Azure Container Instances are supported only when you use the Azure portal.
## Add a machine learning model to your job
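Review bot: in step 4 the link text is still "Azure Kubernetes Service" but the new target is `how-to-deploy-managed-online-endpoints.md#use-different-cpu-and-gpu-instance-types`, an anchor about instance types rather than about choosing AKS as a compute target. Either point the link at content that actually covers AKS deployment or reword the step so that the text and the destination agree. Step 1 has the same mismatch in a milder form: "deploy your model as a web service" now leads to the managed online endpoints article, so check that the swagger requirement in step 2 still holds for that deployment path.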
virtual-desktop Autoscale Scaling Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/autoscale-scaling-plan.md
Title: Create an autoscale scaling plan for Azure Virtual Desktop
description: How to create an autoscale scaling plan to optimize deployment costs. Previously updated : 08/08/2022 Last updated : 08/15/2022
For best results, we recommend using autoscale with VMs you deployed with Azure
> - Central US > - East US > - East US 2
+> - Japan East
> - North Central US > - North Europe > - South Central US
+> - UK South
+> - UK West
> - West Central US > - West Europe > - West US > - West US 2
+> - West US 3
## Prerequisites
virtual-desktop Autoscale Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/autoscale-scenarios.md
Title: Autoscale scaling plans and example scenarios in Azure Virtual Desktop
description: Information about autoscale and a collection of four example scenarios that illustrate how various parts of autoscale for Azure Virtual Desktop work. Previously updated : 08/03/2022 Last updated : 08/15/2022
For best results, we recommend using autoscale with VMs you deployed with Azure
> - Central US > - East US > - East US 2
+> - Japan East
> - North Central US > - North Europe > - South Central US
+> - UK South
+> - UK West
> - West Central US > - West Europe > - West US > - West US 2
+> - West US 3
## How a scaling plan works
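Review bot: the region list in this hunk receives the same four hand-made additions (Japan East, UK South, UK West, West US 3) as the identical list in autoscale-scaling-plan.md, so the two copies can drift on the next update. Consider keeping the supported-region list in one shared place that both articles pull in. The alphabetical ordering is preserved by the additions, which is good.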
virtual-desktop Set Up Customize Master Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/set-up-customize-master-image.md
This article tells you how to prepare a master virtual hard disk (VHD) image for upload to Azure, including how to create virtual machines (VMs) and install software on them. These instructions are for a Azure Virtual Desktop-specific configuration that can be used with your organization's existing processes. >[!IMPORTANT]
->We recommend you use an image from the Azure Image Gallery. However, if you do need to use a customized image, make sure you don't already have the Azure Virtual Desktop Agent installed on your VM. Using a customized image with the Azure Virtual Desktop Agent can cause problems with the image, such as blocking registration and preventing user session connections.
+>We recommend you use an image from the Azure Image Gallery. However, if you do need to use a customized image, make sure you don't already have the Azure Virtual Desktop Agent installed on your VM. Using a customized image with the Azure Virtual Desktop Agent can cause problems with the image, such as blocking registration as the host pool registration token will have expired which will prevent user session connections.
## Create a VM
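Review bot: the rewritten last sentence of the IMPORTANT note is a run-on: "such as blocking registration as the host pool registration token will have expired which will prevent user session connections". Split it so that cause and effect are clear, for example: the agent in the image holds a host pool registration token that will have expired, so new session hosts can't register and users can't connect. The unchanged intro line also has "a Azure Virtual Desktop-specific", which should be "an Azure".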
virtual-desktop Set Up Golden Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/set-up-golden-image.md
Make sure you've done the following things before taking the final snapshot:
> 1. If your machine will include an antivirus app, it may cause issues when you start sysprep. To avoid this, disable all antivirus programs before running sysprep. > > 1. [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter) (UWF) is not supported for session hosts. Please ensure it is not enabled in your image.
+>
+> 1. Do not join your golden image VM to a host pool, by deploying the Azure Virtual Desktop Agent. If you do this when you create additional session hosts from this image at a later time, they will fail to join the host pool as the Registration token will have expired. The host pool deployment process will automatically join the session hosts to the required host pool during the provisioning process.
+ ### Take the final snapshot When you are done installing your applications to the image VM, take a final snapshot of the disk. If sysprep or capture fails, you will be able to create a new base VM with your applications already installed from this snapshot. ### Run sysprep
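Review bot: in the new list item, the comma in "Do not join your golden image VM to a host pool, by deploying the Azure Virtual Desktop Agent." makes the instruction ambiguous; write it as "Don't install the Azure Virtual Desktop Agent on, or join, your golden image VM to a host pool" or similar. "Registration token" is capitalized here but lowercase in the matching note added to set-up-customize-master-image.md, so pick one form. The sentence "If you do this when you create additional session hosts from this image at a later time" also needs a comma after "If you do this" to read correctly.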