Updates from: 08/19/2022 01:13:51
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-domain-services Concepts Migration Benefits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-migration-benefits.md
Previously updated : 05/26/2020 Last updated : 08/17/2022
active-directory-domain-services Concepts Replica Sets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-replica-sets.md
Previously updated : 03/30/2021 Last updated : 08/17/2022
active-directory-domain-services Create Gmsa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-gmsa.md
Previously updated : 07/06/2020 Last updated : 08/17/2022
active-directory-domain-services Create Ou https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-ou.md
Previously updated : 07/06/2020 Last updated : 08/17/2022
active-directory-domain-services Deploy Azure App Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-azure-app-proxy.md
Previously updated : 03/07/2022 Last updated : 08/17/2022
active-directory-domain-services Deploy Kcd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-kcd.md
Previously updated : 07/06/2020 Last updated : 08/17/2022
active-directory-domain-services Deploy Sp Profile Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-sp-profile-sync.md
Previously updated : 10/05/2021 Last updated : 08/17/2022
active-directory-domain-services Manage Dns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/manage-dns.md
Previously updated : 09/16/2021 Last updated : 08/17/2022
active-directory-domain-services Manage Group Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/manage-group-policy.md
Previously updated : 07/26/2021 Last updated : 08/17/2022
active-directory-domain-services Mismatched Tenant Error https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/mismatched-tenant-error.md
Previously updated : 07/09/2020 Last updated : 08/17/2022
active-directory-domain-services Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/notifications.md
Previously updated : 07/06/2020 Last updated : 08/17/2022
active-directory-domain-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/overview.md
Previously updated : 06/15/2022 Last updated : 08/17/2022
active-directory-domain-services Password Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/password-policy.md
Previously updated : 08/11/2021 Last updated : 08/17/2022
active-directory-domain-services Powershell Create Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-create-instance.md
Previously updated : 06/17/2022 Last updated : 08/17/2022
active-directory-domain-services Powershell Scoped Synchronization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-scoped-synchronization.md
Previously updated : 03/07/2022 Last updated : 08/17/2022
active-directory-domain-services Secure Remote Vm Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-remote-vm-access.md
Previously updated : 07/09/2020 Last updated : 08/17/2022
active-directory-domain-services Secure Your Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-your-domain.md
Previously updated : 07/21/2021 Last updated : 08/17/2022
active-directory-domain-services Security Audit Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/security-audit-events.md
Previously updated : 07/06/2020 Last updated : 08/07/2022
active-directory-domain-services Suspension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/suspension.md
Previously updated : 07/09/2020 Last updated : 08/17/2022
active-directory-domain-services Template Create Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/template-create-instance.md
Previously updated : 03/04/2022 Last updated : 08/17/2022
active-directory-domain-services Troubleshoot Account Lockout https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot-account-lockout.md
Previously updated : 12/15/2021 Last updated : 08/17/2022 #Customer intent: As a directory administrator, I want to troubleshoot why user accounts are locked out in an Azure Active Directory Domain Services managed domain.
active-directory-domain-services Troubleshoot Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot-alerts.md
Previously updated : 06/07/2021 Last updated : 08/17/2022
active-directory-domain-services Troubleshoot Domain Join https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot-domain-join.md
Previously updated : 07/06/2020 Last updated : 08/07/2022 #Customer intent: As a directory administrator, I want to troubleshoot why VMs can't join an Azure Active Directory Domain Services managed domain.
active-directory-domain-services Troubleshoot Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot-sign-in.md
Previously updated : 07/06/2020 Last updated : 08/07/2022 #Customer intent: As a directory administrator, I want to troubleshoot user account sign in problems in an Azure Active Directory Domain Services managed domain.
active-directory-domain-services Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot.md
Previously updated : 07/06/2020 Last updated : 08/17/2022
active-directory-domain-services Tshoot Ldaps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tshoot-ldaps.md
Previously updated : 07/09/2020 Last updated : 08/17/2022
active-directory Accidental Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/accidental-deletions.md
Title: Enable accidental deletions prevention in Application Provisioning in Azu
description: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory.
active-directory Application Provisioning Config Problem No Users Provisioned https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md
Title: Users are not being provisioned in my application
description: How to troubleshoot common issues faced when you don't see users appearing in an Azure AD Gallery Application you have configured for user provisioning with Azure AD
active-directory Application Provisioning Config Problem Scim Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Title: Known issues with System for Cross-Domain Identity Management (SCIM) 2.0
description: How to solve common protocol compatibility issues faced when adding a non-gallery application that supports SCIM 2.0 to Azure AD
active-directory Application Provisioning Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem.md
Title: Problem configuring user provisioning to an Azure Active Directory Galler
description: How to troubleshoot common issues faced when configuring user provisioning to an application already listed in the Azure Active Directory Application Gallery
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
Title: Configure provisioning using Microsoft Graph APIs
description: Learn how to save time by using the Microsoft Graph APIs to automate the configuration of automatic provisioning.
active-directory Application Provisioning Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md
Title: Understand how Provisioning integrates with Azure Monitor logs in Azure A
description: Understand how Provisioning integrates with Azure Monitor logs in Azure Active Directory.
active-directory Application Provisioning Quarantine Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md
Title: Quarantine status in Azure Active Directory Application Provisioning
description: When you've configured an application for automatic user provisioning, learn what a provisioning status of Quarantine means and how to clear it.
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
Title: Find out when a specific user will be able to access an app in Azure Acti
description: How to find out when a critically important user will be able to access an application you have configured for user provisioning with Azure Active Directory
active-directory Check Status User Account Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/check-status-user-account-provisioning.md
Title: Report automatic user account provisioning from Azure Active Directory to
description: 'Learn how to check the status of automatic user account provisioning jobs, and how to troubleshoot the provisioning of individual users.'
active-directory Configure Automatic User Provisioning Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Title: User provisioning management for enterprise apps in Azure Active Director
description: Learn how to manage user account provisioning for enterprise apps using the Azure Active Directory.
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md
Title: Tutorial - Customize Azure Active Directory attribute mappings in Applica
description: Learn what attribute mappings for Software as a Service (SaaS) apps in Azure Active Directory Application Provisioning are and how you can modify them to address your business needs.
active-directory Define Conditional Rules For Provisioning User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md
Title: Use scoping filters in Azure Active Directory Application Provisioning
description: Learn how to use scoping filters to prevent objects in apps that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements in Azure Active Directory Application Provisioning.
active-directory Export Import Provisioning Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/export-import-provisioning-configuration.md
Title: Export Application Provisioning configuration and roll back to a known go
description: Learn how to export your Application Provisioning configuration and roll back to a known good state for disaster recovery in Azure Active Directory.
active-directory Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/expression-builder.md
Title: Understand how expression builder works with Application Provisioning in
description: Understand how expression builder works with Application Provisioning in Azure Active Directory.
active-directory Functions For Customizing Application Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
Title: Reference for writing expressions for attribute mappings in Azure Active Directory Application Provisioning
description: Learn how to use expression mappings to transform attribute values into an acceptable format during automated provisioning of SaaS app objects in Azure Active Directory. Includes a reference list of functions.
active-directory How Provisioning Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/how-provisioning-works.md
Title: Understand how Application Provisioning in Azure Active Directory
description: Understand how Application Provisioning works in Azure Active Directory.
active-directory Hr Attribute Retrieval Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-attribute-retrieval-issues.md
Title: Troubleshoot attribute retrieval issues with HR provisioning
description: Learn how to troubleshoot attribute retrieval issues with HR provisioning
active-directory Hr Manager Update Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-manager-update-issues.md
Title: Troubleshoot manager update issues with HR provisioning
description: Learn how to troubleshoot manager update issues with HR provisioning
active-directory Hr User Creation Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-user-creation-issues.md
Title: Troubleshoot user creation issues with HR provisioning
description: Learn how to troubleshoot user creation issues with HR provisioning
active-directory Hr User Update Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-user-update-issues.md
Title: Troubleshoot user update issues with HR provisioning
description: Learn how to troubleshoot user update issues with HR provisioning
active-directory Hr Writeback Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-writeback-issues.md
Title: Troubleshoot write back issues with HR provisioning
description: Learn how to troubleshoot write back issues with HR provisioning
active-directory Isv Automatic Provisioning Multi Tenant Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps.md
Title: Enable automatic user provisioning for multi-tenant applications in Azure
description: A guide for independent software vendors for enabling automated provisioning in Azure Active Directory
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/known-issues.md
Title: Known issues for application provisioning in Azure Active Directory
description: Learn about known issues when you work with automated application provisioning in Azure Active Directory.
active-directory On Premises Application Provisioning Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Title: 'Azure AD on-premises application provisioning architecture | Microsoft D
description: Presents an overview of on-premises application provisioning architecture.
active-directory On Premises Ecma Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
Title: 'Troubleshooting issues with provisioning to on-premises applications'
description: Describes how to troubleshoot various issues you might encounter when you install and use the ECMA Connector Host.
active-directory On Premises Ldap Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ldap-connector-configure.md
Title: Azure AD Provisioning to LDAP directories (preview)
description: This document describes how to configure Azure AD to provision users into an LDAP directory.
active-directory On Premises Migrate Microsoft Identity Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Title: 'Export a Microsoft Identity Manager connector for use with the Azure AD
description: Describes how to create and export a connector from MIM Sync to be used with the Azure AD ECMA Connector Host.
active-directory On Premises Scim Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Title: Azure AD on-premises app provisioning to SCIM-enabled apps
description: This article describes how to use the Azure AD provisioning service to provision users into an on-premises app that's SCIM enabled.
active-directory On Premises Sql Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-sql-connector-configure.md
Title: Provisioning users into SQL based applications using the ECMA Connector h
description: Provisioning users into SQL based applications using the ECMA Connector host
active-directory Partner Driven Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/partner-driven-integrations.md
Title: 'Use partner driven integrations to provision accounts into all your appl
description: Use partner driven integrations to provision accounts into all your applications.
active-directory Plan Auto User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md
Title: Plan an automatic user provisioning deployment for Azure Active Directory
description: Guidance for planning and executing automatic user provisioning in Azure Active Directory
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Title: Plan cloud HR application to Azure Active Directory user provisioning
description: This article describes the deployment process of integrating cloud HR systems, such as Workday and SuccessFactors, with Azure Active Directory. Integrating Azure AD with your cloud HR system results in a complete identity lifecycle management system.
active-directory Provision On Demand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md
Title: Provision a user or group on demand using the Azure Active Directory prov
description: Learn how to provision users on demand in Azure Active Directory.
active-directory Provisioning Agent Release Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provisioning-agent-release-version-history.md
Title: Azure Active Directory Connect Provisioning Agent - Version release histo
description: This article lists all releases of Azure Active Directory Connect Provisioning Agent and describes new features and fixed issues.
active-directory Sap Successfactors Attribute Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-attribute-reference.md
Title: SAP SuccessFactors attribute reference for Azure Active Directory
description: Learn which attributes from SuccessFactors are supported by SuccessFactors-HR driven provisioning in Azure Active Directory.
active-directory Sap Successfactors Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md
Title: Azure Active Directory and SAP SuccessFactors integration reference
description: Technical deep dive into SAP SuccessFactors-HR driven provisioning for Azure Active Directory.
active-directory Scim Graph Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/scim-graph-scenarios.md
Title: Use SCIM, Microsoft Graph, and Azure Active Directory to provision users
description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs in Azure Active Directory.
active-directory Tutorial Ecma Sql Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/tutorial-ecma-sql-connector.md
Title: Azure AD Provisioning to SQL applications (preview)
description: This tutorial describes how to provision users from Azure AD into a SQL database.
active-directory Use Scim To Build Users And Groups Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-build-users-and-groups-endpoints.md
Title: Build a SCIM endpoint for user provisioning to apps from Azure Active Dir
description: Learn to develop a SCIM endpoint, integrate your SCIM API with Azure Active Directory, and automatically provision users and groups into your cloud applications.
Previously updated : 05/11/2021 Last updated : 08/18/2022
# Tutorial: Develop a sample SCIM endpoint in Azure Active Directory
-No one wants to build a new endpoint from scratch, so we created some [reference code](https://aka.ms/scimreferencecode) for you to get started with [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview). You can get your SCIM endpoint up and running with no code in just five minutes.
-
-This tutorial describes how to deploy the SCIM reference code in Azure and test it by using Postman or by integrating with the Azure Active Directory (Azure AD) SCIM client. This tutorial is intended for developers who want to get started with SCIM, or anyone interested in testing a SCIM endpoint.
+This tutorial describes how to deploy the SCIM [reference code](https://aka.ms/scimreferencecode) with [Azure App Service](../../app-service/index.yml). Then, test the code by using Postman or by integrating with the Azure Active Directory (Azure AD) Provisioning Service. The tutorial is intended for developers who want to get started with SCIM, or anyone interested in testing a [SCIM endpoint](./use-scim-to-provision-users-and-groups.md).
In this tutorial, you learn how to:
In this tutorial, you learn how to:
## Deploy your SCIM endpoint in Azure
-The steps here deploy the SCIM endpoint to a service by using [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) and [Azure App Service](../../app-service/index.yml). The SCIM reference code can also be run locally, hosted by an on-premises server, or deployed to another external service.
-1. Go to the [reference code](https://github.com/AzureAD/SCIMReferenceCode) from GitHub and select **Clone or download**.
+The steps here deploy the SCIM endpoint to a service by using [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) and [Visual Studio Code](https://code.visualstudio.com/) with [Azure App Service](../../app-service/index.yml). The SCIM reference code can run locally, hosted by an on-premises server, or deployed to another external service.
+
+### Get and deploy the sample app
+
+Go to the [reference code](https://github.com/AzureAD/SCIMReferenceCode) from GitHub and select **Clone or download**. Select **Open in Desktop**, or copy the link, open Visual Studio, and select **Clone or check out code** to enter the copied link and make a local copy. Save the files into a folder where the total length of the path is 260 or fewer characters.
-1. Select **Open in Desktop**, or copy the link, open Visual Studio, and select **Clone or check out code** to enter the copied link and make a local copy.
+# [Visual Studio](#tab/visual-studio)
1. In Visual Studio, make sure to sign in to the account that has access to your hosting resources.
The steps here deploy the SCIM endpoint to a service by using [Visual Studio 201
![Screenshot that shows publishing a new app service.](media/use-scim-to-build-users-and-groups-endpoints/cloud-publish-4.png)
-1. Go to the application in **Azure App Service** > **Configuration** and select **New application setting** to add the *Token__TokenIssuer* setting with the value `https://sts.windows.net/<tenant_id>/`. Replace `<tenant_id>` with your Azure AD tenant ID. If you want to test the SCIM endpoint by using [Postman](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint), add an *ASPNETCORE_ENVIRONMENT* setting with the value `Development`.
- ![Screenshot that shows the Application settings window.](media/use-scim-to-build-users-and-groups-endpoints/app-service-settings.png)
+# [Visual Studio Code](#tab/visual-studio-code)
+
+1. In Visual Studio Code, make sure to sign in to the account that has access to your hosting resources.
+
+1. In Visual Studio Code, open the folder that contains the *Microsoft.SCIM.sln* file.
+
+1. Open the Visual Studio Code integrated [terminal](https://code.visualstudio.com/docs/terminal/basics) and run the [dotnet restore](/nuget/consume-packages/install-use-packages-dotnet-cli#restore-packages) command. This command restores the packages listed in the project files.
+
+1. In the terminal, change the directory using the `cd Microsoft.SCIM.WebHostSample` command
+
+1. To run your app locally, in the terminal, run the .NET CLI command below. The [dotnet run](/dotnet/core/tools/dotnet-run) runs the Microsoft.SCIM.WebHostSample project using the [development environment](/aspnet/core/fundamentals/environments#set-environment-on-the-command-line).
+
+ ```dotnetcli
+ dotnet run --environment Development
+ ```
+
+1. If not installed, add [Azure App Service for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureappservice) extension.
+
+1. To deploy the Microsoft.SCIM.WebHostSample app to Azure App Services, [create a new App Services](/azure/app-service/tutorial-dotnetcore-sqldb-app#2create-the-app-service).
+
+1. In the Visual Studio Code terminal, run the .NET CLI command below. This command generates a deployable publish folder for the app in the bin/debug/publish directory.
+
+ ```dotnetcli
+ dotnet publish -c Debug
+ ```
+
+1. In the Visual Studio Code explorer, right-click on the generated **publish** folder, and select Deploy to Web App.
+1. A new workflow will open in the command palette at the top of the screen. Select the **Subscription** you would like to publish your app to.
+1. Select the **App Service** web app you created earlier.
+1. If Visual Studio Code prompts you to confirm, select **Deploy**. The deployment process may take a few moments. When the process completes, a notification should appear in the bottom right corner prompting you to browse to the deployed app.
+++
+### Configure the App Service
+
+Go to the application in **Azure App Service** > **Configuration** and select **New application setting** to add the *Token__TokenIssuer* setting with the value `https://sts.windows.net/<tenant_id>/`. Replace `<tenant_id>` with your Azure AD tenant ID. If you want to test the SCIM endpoint by using [Postman](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint), add an *ASPNETCORE_ENVIRONMENT* setting with the value `Development`.
+
+![Screenshot that shows the Application settings window.](media/use-scim-to-build-users-and-groups-endpoints/app-service-settings.png)
- When you test your endpoint with an enterprise application in the [Azure portal](use-scim-to-provision-users-and-groups.md#integrate-your-scim-endpoint-with-the-azure-ad-scim-client), you have two options. You can keep the environment in `Development` and provide the testing token from the `/scim/token` endpoint, or you can change the environment to `Production` and leave the token field empty.
+When you test your endpoint with an enterprise application in the [Azure portal](use-scim-to-provision-users-and-groups.md#integrate-your-scim-endpoint-with-the-azure-ad-provisioning-service), you have two options. You can keep the environment in `Development` and provide the testing token from the `/scim/token` endpoint, or you can change the environment to `Production` and leave the token field empty.
That's it! Your SCIM endpoint is now published, and you can use the Azure App Service URL to test the SCIM endpoint.
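Review bot: in the new "Configure the App Service" section, the *ASPNETCORE_ENVIRONMENT* = `Development` setting is introduced only as what Postman testing needs, yet the following paragraph shows it is also what makes the `/scim/token` testing-token endpoint available on the published App Service URL; suggest stating explicitly that `Development` is for testing only and that the setting should be changed to `Production` (with the portal's token field left empty, as that paragraph describes) before the endpoint is used with real tenant data, so a reader who follows the Postman path does not leave a test-token endpoint enabled on a public host. Smaller points in the same hunk: the `cd Microsoft.SCIM.WebHostSample` step is missing its trailing period, and `dotnet publish -c Debug` produces a Debug build for the deployed app, which the text should either justify for this sample or replace with `-c Release`.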
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Title: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Azu
description: System for Cross-domain Identity Management (SCIM) standardizes automatic user provisioning. In this tutorial, you learn to develop a SCIM endpoint, integrate your SCIM API with Azure Active Directory, and start automating provisioning users and groups into your cloud applications.
Previously updated : 05/25/2022 Last updated : 08/17/2022
# Tutorial: Develop and plan provisioning for a SCIM endpoint in Azure Active Directory
-As an application developer, you can use the System for Cross-Domain Identity Management (SCIM) user management API to enable automatic provisioning of users and groups between your application and Azure AD. This article describes how to build a SCIM endpoint and integrate with the Azure AD provisioning service. The SCIM specification provides a common user schema for provisioning. When used in conjunction with federation standards like SAML or OpenID Connect, SCIM gives administrators an end-to-end, standards-based solution for access management.
+As an application developer, you can use the System for Cross-Domain Identity Management (SCIM) user management API to enable automatic provisioning of users and groups between your application and Azure Active Directory (Azure AD). This article describes how to build a SCIM endpoint and integrate with the Azure AD provisioning service. The SCIM specification provides a common user schema for provisioning. When used with federation standards like SAML or OpenID Connect, SCIM gives administrators an end-to-end, standards-based solution for access management.
![Provisioning from Azure AD to an app with SCIM](media/use-scim-to-provision-users-and-groups/scim-provisioning-overview.png)
-SCIM is a standardized definition of two endpoints: a `/Users` endpoint and a `/Groups` endpoint. It uses common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username, first name, last name and email. Apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API. For example, any compliant SCIM client knows how to make an HTTP POST of a JSON object to the `/Users` endpoint to create a new user entry. Instead of needing a slightly different API for the same basic actions, apps that conform to the SCIM standard can instantly take advantage of pre-existing clients, tools, and code.
+SCIM 2.0 is a standardized definition of two endpoints: a `/Users` endpoint and a `/Groups` endpoint. It uses common REST API endpoints to create, update, and delete objects. The SCIM consists of a pre-defined schema for common attributes like group name, username, first name, last name and email.
-The standard user object schema and rest APIs for management defined in SCIM 2.0 (RFC [7642](https://tools.ietf.org/html/rfc7642), [7643](https://tools.ietf.org/html/rfc7643), [7644](https://tools.ietf.org/html/rfc7644)) allow identity providers and apps to more easily integrate with each other. Application developers that build a SCIM endpoint can integrate with any SCIM-compliant client without having to do custom work.
+Apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API. For example, any compliant SCIM client knows how to make an HTTP POST of a JSON object to the `/Users` endpoint to create a new user entry. Instead of needing a slightly different API for the same basic actions, apps that conform to the SCIM standard can instantly take advantage of pre-existing clients, tools, and code.
-To automate provisioning to an application will require building and integrating a SCIM endpoint with the Azure AD SCIM client. Use the following steps to start provisioning users and groups into your application.
-
-1. Design your user and group schema
+The standard user object schema and rest APIs for management defined in SCIM 2.0 (RFC [7642](https://tools.ietf.org/html/rfc7642), [7643](https://tools.ietf.org/html/rfc7643), [7644](https://tools.ietf.org/html/rfc7644)) allow identity providers and apps to more easily integrate with each other. Application developers that build a SCIM endpoint can integrate with any SCIM-compliant client without having to do custom work.
- Identify the application's objects and attributes to determine how they map to the user and group schema supported by the Azure AD SCIM implementation.
+To automate provisioning to an application, it requires building and integrating a SCIM endpoint that is access by the Azure AD Provisioning Service. Use the following steps to start provisioning users and groups into your application.
-1. Understand the Azure AD SCIM implementation
- Understand how the Azure AD SCIM client is implemented to model your SCIM protocol request handling and responses.
+1. [Design your user and group schema](#design-your-user-and-group-schema) - Identify the application's objects and attributes to determine how they map to the user and group schema supported by the Azure AD SCIM implementation.
-1. Build a SCIM endpoint
+1. [Understand the Azure AD SCIM implementation](#understand-the-azure-ad-scim-implementation) - Understand how the Azure AD Provisioning Service is implemented to model your SCIM protocol request handling and responses.
- An endpoint must be SCIM 2.0-compatible to integrate with the Azure AD provisioning service. As an option, use Microsoft Common Language Infrastructure (CLI) libraries and code samples to build your endpoint. These samples are for reference and testing only; we recommend against using them as dependencies in your production app.
+1. [Build a SCIM endpoint](#build-a-scim-endpoint) - An endpoint must be SCIM 2.0-compatible to integrate with the Azure AD provisioning service. As an option, use Microsoft Common Language Infrastructure (CLI) libraries and code samples to build your endpoint. These samples are for reference and testing only; we recommend against using them as dependencies in your production app.
-1. Integrate your SCIM endpoint with the Azure AD SCIM client
- If your organization uses a third-party application to implement a profile of SCIM 2.0 that Azure AD supports, you can quickly automate both provisioning and deprovisioning of users and groups.
+1. [Integrate your SCIM endpoint](#integrate-your-scim-endpoint-with-the-azure-ad-provisioning-service) with the Azure AD Provisioning Service. If your organization uses a third-party application to implement a profile of SCIM 2.0 that Azure AD supports, you can quickly automate both provisioning and deprovisioning of users and groups.
-1. Publish your application to the Azure AD application gallery
- Make it easy for customers to discover your application and easily configure provisioning.
+1. [Optional] [Publish your application to the Azure AD application gallery](#publish-your-application-to-the-azure-ad-application-gallery) - Make it easy for customers to discover your application and easily configure provisioning.
-![Steps for integrating a SCIM endpoint with Azure AD](media/use-scim-to-provision-users-and-groups/process.png)
+![Diagram that shows the required steps for integrating a SCIM endpoint with Azure AD.](media/use-scim-to-provision-users-and-groups/process.png)
## Design your user and group schema
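Review bot: the new wording in `+SCIM 2.0 is a standardized definition of two endpoints ... It uses common REST API endpoints to create, update, and delete objects.` replaces "common REST verbs" with "common REST API endpoints", which loses the point the removed line made: the two endpoints are driven by the standard HTTP methods (POST to create, GET to read, PATCH or PUT to update, DELETE to delete). Keep the verbs, and change "The SCIM consists of a pre-defined schema" to "SCIM also defines a pre-defined schema". Further down, `+To automate provisioning to an application, it requires building and integrating a SCIM endpoint that is access by the Azure AD Provisioning Service.` has a typo ("is access" should be "is accessed") and reads better as "To automate provisioning to an application, you need to build a SCIM endpoint and integrate it with the Azure AD Provisioning Service." The step `+1. [Build a SCIM endpoint](#build-a-scim-endpoint) ...` still says "Microsoft Common Language Infrastructure (CLI) libraries and code samples"; since the page later points at the .NET Core reference code, say "the .NET reference code and libraries" so readers do not mistake this for a command-line tool.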
For example, if your application requires both a user's email and userΓÇÖs manag
To design your schema, follow these steps:
-1. List the attributes your application requires, then categorize as attributes needed for authentication (e.g. loginName and email), attributes needed to manage the user lifecycle (e.g. status / active), and all other attributes needed for the application to work (e.g. manager, tag).
+1. List the attributes your application requires, then categorize as attributes needed for authentication (for example, loginName and email). Attributes are needed to manage the user lifecycle (for example, status / active), and all other attributes needed for the application to work (for example, manager, tag).
1. Check if the attributes are already defined in the **core** user schema or **enterprise** user schema. If not, you must define an extension to the user schema that covers the missing attributes. See example below for an extension to the user to allow provisioning a user `tag`.
-1. Map SCIM attributes to the user attributes in Azure AD. If one of the attributes you have defined in your SCIM endpoint does not have a clear counterpart on the Azure AD user schema, guide the tenant administrator to extend their schema or use an extension attribute as shown below for the `tags` property.
+1. Map SCIM attributes to the user attributes in Azure AD. If one of the attributes you've defined in your SCIM endpoint doesn't have a clear counterpart on the Azure AD user schema, guide the tenant administrator to extend their schema, or use an extension attribute as shown below for the `tags` property.
+
+The following table lists an example of required attributes:
|Required app attribute|Mapped SCIM attribute|Mapped Azure AD attribute| |--|--|--|
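Review bot: the rewritten first step `+1. List the attributes your application requires, then categorize as attributes needed for authentication (for example, loginName and email). Attributes are needed to manage the user lifecycle ...` splits one three-way classification into two sentences, and the second sentence no longer says what it is classifying. The removed line had the right structure; only its "e.g." needed expanding. Suggest: "List the attributes your application requires, then categorize them as attributes needed for authentication (for example, loginName and email), attributes needed to manage the user lifecycle (for example, status / active), and all other attributes needed for the application to work (for example, manager, tag)."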
To design your schema, follow these steps:
|tag|urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag|extensionAttribute1| |status|active|isSoftDeleted (computed value not stored on user)|
-**Example list of required attributes**
+The following JSON payload shows an example SCIM schema:
```json {
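Review bot: `+The following JSON payload shows an example SCIM schema:` mislabels the payload. What follows is an example user resource (it carries `id`, `externalId` and `meta`, as the note after it says), not a schema definition; the removed caption "Example schema defined by a JSON payload" had the same problem. Suggest "The following JSON payload shows an example user resource that includes the `tag` extension attribute:".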
To design your schema, follow these steps:
} } ```
-**Example schema defined by a JSON payload**
+ > [!NOTE] > In addition to the attributes required for the application, the JSON representation also includes the required `id`, `externalId`, and `meta` attributes.
To design your schema, follow these steps:
It helps to categorize between `/User` and `/Group` to map any default user attributes in Azure AD to the SCIM RFC, see [how customize attributes are mapped between Azure AD and your SCIM endpoint](customize-application-attributes.md).
-| Azure Active Directory user | "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" |
+The following table lists an example of user attributes:
+
+| Azure AD user | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |
| | | | IsSoftDeleted |active |
-|department|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|
+|department| `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department`|
| displayName |displayName |
-|employeeId|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|
+|employeeId|`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber`|
| Facsimile-TelephoneNumber |phoneNumbers[type eq "fax"].value | | givenName |name.givenName | | jobTitle |title | | mail |emails[type eq "work"].value | | mailNickname |externalId |
-| manager |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager |
+| manager |`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager` |
| mobile |phoneNumbers[type eq "mobile"].value | | postalCode |addresses[type eq "work"].postalCode | | proxy-Addresses |emails[type eq "other"].Value |
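Review bot: the header row `+| Azure AD user | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |` labels the whole right-hand column as the enterprise extension, but most rows in this table (active, displayName, name.givenName, emails[type eq "work"].value, userName) are core `urn:ietf:params:scim:schemas:core:2.0:User` attributes; only the three rows this hunk wraps in backticks carry the enterprise URN. Since the header is being edited anyway, name the column "SCIM attribute" and let the fully qualified URNs in those three rows speak for themselves. The group table below is fine as is, because every row there is a core Group attribute.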
It helps to categorize between `/User` and `/Group` to map any default user attr
| telephone-Number |phoneNumbers[type eq "work"].value | | user-PrincipalName |userName |
-**Example list of user and group attributes**
+The following table lists an example of group attributes:
-| Azure Active Directory group | urn:ietf:params:scim:schemas:core:2.0:Group |
+| Azure AD group | urn:ietf:params:scim:schemas:core:2.0:Group |
| | | | displayName |displayName | | members |members | | objectId |externalId |
-**Example list of group attributes**
> [!NOTE] > You are not required to support both users and groups, or all the attributes shown here, it's only a reference on how attributes in Azure AD are often mapped to properties in the SCIM protocol.
-There are several endpoints defined in the SCIM RFC. You can start with the `/User` endpoint and then expand from there.
+There are several endpoints defined in the SCIM RFC. You can start with the `/User` endpoint and then expand from there. The following table lists some of the SCIM endpoints:
|Endpoint|Description| |--|--| |/User|Perform CRUD operations on a user object.| |/Group|Perform CRUD operations on a group object.| |/Schemas|The set of attributes supported by each client and service provider can vary. One service provider might include `name`, `title`, and `emails`, while another service provider uses `name`, `title`, and `phoneNumbers`. The schemas endpoint allows for discovery of the attributes supported.|
-|/Bulk|Bulk operations allow you to perform operations on a large collection of resource objects in a single operation (e.g. update memberships for a large group).|
-|/ServiceProviderConfig|Provides details about the features of the SCIM standard that are supported, for example the resources that are supported and the authentication method.|
+|/Bulk|Bulk operations allow you to perform operations on a large collection of resource objects in a single operation (for example, update memberships for a large group).|
+|/ServiceProviderConfig|Provides details about the features of the SCIM standard that are supported, for example, the resources that are supported and the authentication method.|
|/ResourceTypes|Specifies metadata about each resource.|
-**Example list of endpoints**
- > [!NOTE] > Use the `/Schemas` endpoint to support custom attributes or if your schema changes frequently as it enables a client to retrieve the most up-to-date schema automatically. Use the `/Bulk` endpoint to support groups. ## Understand the Azure AD SCIM implementation
-To support a SCIM 2.0 user management API, this section describes how the Azure AD SCIM client is implemented and shows how to model your SCIM protocol request handling and responses.
+To support a SCIM 2.0 user management API, this section describes how the Azure AD Provisioning Service is implemented and shows how to model your SCIM protocol request handling and responses.
> [!IMPORTANT] > The behavior of the Azure AD SCIM implementation was last updated on December 18, 2018. For information on what changed, see [SCIM 2.0 protocol compliance of the Azure AD User Provisioning service](application-provisioning-config-problem-scim-compatibility.md).
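Review bot: `+There are several endpoints defined in the SCIM RFC. You can start with the `/User` endpoint and then expand from there. The following table lists some of the SCIM endpoints:` and the table rows `/User` and `/Group` use singular paths, while the page's own introduction uses `/Users` and `/Groups`, the sample requests later on are `GET /Users/...` and `GET /Groups/...`, and RFC 7644 defines the plural forms. Use the plural consistently; an endpoint that exposes `/User` will not be found by a client that follows the specification.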
To support a SCIM 2.0 user management API, this section describes how the Azure
Within the [SCIM 2.0 protocol specification](http://www.simplecloud.info/#Specification), your application must support these requirements: |Requirement|Reference notes (SCIM protocol)|
-|-|-|
-|Create users, and optionally also groups|[section 3.3](https://tools.ietf.org/html/rfc7644#section-3.3)|
-|Modify users or groups with PATCH requests|[section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Supporting ensures that groups and users are provisioned in a performant manner.|
-|Retrieve a known resource for a user or group created earlier|[section 3.4.1](https://tools.ietf.org/html/rfc7644#section-3.4.1)|
-|Query users or groups|[section 3.4.2](https://tools.ietf.org/html/rfc7644#section-3.4.2). By default, users are retrieved by their `id` and queried by their `username` and `externalId`, and groups are queried by `displayName`.|
-|The filter [excludedAttributes=members](#get-group) when querying the group resource|section 3.4.2.5|
+|||
+|Create users, and optionally also groups|[Section 3.3](https://tools.ietf.org/html/rfc7644#section-3.3)|
+|Modify users or groups with PATCH requests|[Section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Supporting ensures that groups and users are provisioned in a performant manner.|
+|Retrieve a known resource for a user or group created earlier|[Section 3.4.1](https://tools.ietf.org/html/rfc7644#section-3.4.1)|
+|Query users or groups|[Section 3.4.2](https://tools.ietf.org/html/rfc7644#section-3.4.2). By default, users are retrieved by their `id` and queried by their `username` and `externalId`, and groups are queried by `displayName`.|
+|The filter [excludedAttributes=members](#get-group) when querying the group resource|Section [3.4.2.2](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2)|
+|Support listing users and paginating|[Section 3.4.2.4](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.4).|
+|Soft-deleting a user `active=false` and restoring the user `active=true`|The user object should be returned in a request whether or not the user is active. The only time the user shouldn't be returned is when it's hard deleted from the application.|
+|Support the /Schemas endpoint|[Section 7](https://tools.ietf.org/html/rfc7643#page-30) The schema discovery endpoint will be used to discover more attributes.|
|Accept a single bearer token for authentication and authorization of Azure AD to your application.||
-|Soft-deleting a user `active=false` and restoring the user `active=true`|The user object should be returned in a request whether or not the user is active. The only time the user should not be returned is when it is hard deleted from the application.|
-|Support the /Schemas endpoint|[section 7](https://tools.ietf.org/html/rfc7643#page-30) The schema discovery endpoint will be used to discover additional attributes.|
-|Support listing users and paginating|[section 3.4.2.4](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.4).|
Use the general guidelines when implementing a SCIM endpoint to ensure compatibility with Azure AD:
-##### General:
-* `id` is a required property for all resources. Every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero members.
-* Values sent should be stored in the same format as what they were sent in. Invalid values should be rejected with a descriptive, actionable error message. Transformations of data should not happen between data being sent by Azure AD and data being stored in the SCIM application. (e.g. A phone number sent as 55555555555 should not be saved/returned as +5 (555) 555-5555)
+### General:
+
+* `id` is a required property for all resources. Every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero elements.
+* Values sent should be stored in the same format as what they were sent in. Invalid values should be rejected with a descriptive, actionable error message. Transformations of data shouldn't happen between data being sent by Azure AD and data being stored in the SCIM application. (for example. A phone number sent as 55555555555 shouldn't be saved/returned as +5 (555) 555-5555)
* It isn't necessary to include the entire resource in the **PATCH** response. * Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Azure AD emits the values of `op` as **Add**, **Replace**, and **Remove**. * Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow in the [Azure portal](https://portal.azure.com). * Support HTTPS on your SCIM endpoint.
-* Custom complex and multivalued attributes are supported but Azure AD does not have many complex data structures to pull data from in these cases. Simple paired name/value type complex attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes are not well supported at this time.
-* The "type" sub-attribute values of multivalued complex attributes must be unique. For example, there cannot be two different email addresses with the "work" sub-type.
+* Custom complex and multivalued attributes are supported but Azure AD doesn't have many complex data structures to pull data from in these cases. Simple paired name/value type complex attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes aren't well supported at this time.
+* The "type" subattribute values of multivalued complex attributes must be unique. For example, there can't be two different email addresses with the "work" subtype.
+
+### Retrieving Resources:
-##### Retrieving Resources:
* Response to a query/filter request should always be a `ListResponse`. * Microsoft Azure AD only uses the following operators: `eq`, `and` * The attribute that the resources can be queried on should be set as a matching attribute on the application in the [Azure portal](https://portal.azure.com), see [Customizing User Provisioning Attribute Mappings](customize-application-attributes.md).
-##### /Users:
-* The entitlements attribute is not supported.
-* Any attributes that are considered for user uniqueness must be usable as part of a filtered query. (e.g. if user uniqueness is evaluated for both userName and emails[type eq "work"], a GET to /Users with a filter must allow for both _userName eq "user@contoso.com"_ and _emails[type eq "work"].value eq "user@contoso.com"_ queries.
+### /Users:
+
+* The entitlements attribute isn't supported.
+* Any attributes that are considered for user uniqueness must be usable as part of a filtered query. (for example, if user uniqueness is evaluated for both userName and emails[type eq "work"], a GET to /Users with a filter must allow for both _userName eq "user@contoso.com"_ and _emails[type eq "work"].value eq "user@contoso.com"_ queries.
+
+### /Groups:
-##### /Groups:
* Groups are optional, but only supported if the SCIM implementation supports **PATCH** requests.
-* Groups must have uniqueness on the 'displayName' value for the purpose of matching between Azure Active Directory and the SCIM application. This is not a requirement of the SCIM protocol, but is a requirement for integrating a SCIM service with Azure Active Directory.
+* Groups must have uniqueness on the 'displayName' value to match with Azure AD and the SCIM application. The uniqueness isn't a requirement of the SCIM protocol, but is a requirement for integrating a SCIM endpoint with Azure AD.
-##### /Schemas (Schema discovery):
+### /Schemas (Schema discovery):
* [Sample request/response](#schema-discovery)
-* Schema discovery is not currently supported on the custom non-gallery SCIM application, but it is being used on certain gallery applications. Going forward, schema discovery will be used as the sole method to add additional attributes to the schema of an existing gallery SCIM application.
-* If a value is not present, do not send null values.
-* Property values should be camel cased (e.g. readWrite).
+* Schema discovery isn't currently supported on the custom non-gallery SCIM application, but it's being used on certain gallery applications. Going forward, schema discovery will be used as the sole method to add more attributes to the schema of an existing gallery SCIM application.
+* If a value isn't present, don't send null values.
+* Property values should be camel cased (for example, readWrite).
* Must return a list response.
-* The /schemas request will be made by the Azure AD SCIM client every time someone saves the provisioning configuration in the Azure portal or every time a user lands on the edit provisioning page in the Azure portal. Any additional attributes discovered will be surfaced to customers in the attribute mappings under the target attribute list. Schema discovery only leads to additional target attributes being added. It will not result in attributes being removed.
+* The /schemas request will be made by the Azure AD Provisioning Service every time someone saves the provisioning configuration in the Azure portal or every time a user lands on the edit provisioning page in the Azure portal. Other attributes discovered will be surfaced to customers in the attribute mappings under the target attribute list. Schema discovery only leads to more target attributes being added. It will not result in attributes being removed.
-
### User provisioning and deprovisioning
-The following illustration shows the messages that Azure AD sends to a SCIM service to manage the lifecycle of a user in your application's identity store.
+The following diagram shows the messages that Azure AD sends to a SCIM endpoint to manage the lifecycle of a user in your application's identity store.
-![Shows the user provisioning and deprovisioning sequence](media/use-scim-to-provision-users-and-groups/scim-figure-4.png)<br/>
-*User provisioning and deprovisioning sequence*
+[![Diagram that shows the user deprovisioning sequence.](media/use-scim-to-provision-users-and-groups/scim-figure-4.png)](media/use-scim-to-provision-users-and-groups/scim-figure-4.png#lightbox)
### Group provisioning and deprovisioning
-Group provisioning and deprovisioning are optional. When implemented and enabled, the following illustration shows the messages that Azure AD sends to a SCIM service to manage the lifecycle of a group in your application's identity store. Those messages differ from the messages about users in two ways:
+Group provisioning and deprovisioning are optional. When implemented and enabled, the following illustration shows the messages that Azure AD sends to a SCIM endpoint to manage the lifecycle of a group in your application's identity store. Those messages differ from the messages about users in two ways:
* Requests to retrieve groups specify that the members attribute is to be excluded from any resource provided in response to the request. * Requests to determine whether a reference attribute has a certain value are requests about the members attribute.
-![Shows the group provisioning and deprovisioning sequence](media/use-scim-to-provision-users-and-groups/scim-figure-5.png)<br/>
-*Group provisioning and deprovisioning sequence*
+The following diagram shows the group deprovisioning sequence:
+
+[![Diagram that shows the group deprovisioning sequence.](media/use-scim-to-provision-users-and-groups/scim-figure-5.png)](media/use-scim-to-provision-users-and-groups/scim-figure-5.png#lightbox)
### SCIM protocol requests and responses
-This section provides example SCIM requests emitted by the Azure AD SCIM client and example expected responses. For best results, you should code your app to handle these requests in this format and emit the expected responses.
+
+This article provides example SCIM requests emitted by the Azure Active Directory (Azure AD) Provisioning Service and example expected responses. For best results, you should code your app to handle these requests in this format and emit the expected responses.
> [!IMPORTANT] > To understand how and when the Azure AD user provisioning service emits the operations described below, see the section [Provisioning cycles: Initial and incremental](how-provisioning-works.md#provisioning-cycles-initial-and-incremental) in [How provisioning works](how-provisioning-works.md). [User Operations](#user-operations)
- - [Create User](#create-user) ([Request](#request) / [Response](#response))
- - [Get User](#get-user) ([Request](#request-1) / [Response](#response-1))
- - [Get User by query](#get-user-by-query) ([Request](#request-2) / [Response](#response-2))
- - [Get User by query - Zero results](#get-user-by-queryzero-results) ([Request](#request-3) / [Response](#response-3))
- - [Update User [Multi-valued properties]](#update-user-multi-valued-properties) ([Request](#request-4) / [Response](#response-4))
- - [Update User [Single-valued properties]](#update-user-single-valued-properties) ([Request](#request-5) / [Response](#response-5))
- - [Disable User](#disable-user) ([Request](#request-14) / [Response](#response-14))
- - [Delete User](#delete-user) ([Request](#request-6) / [Response](#response-6))
+
+- [Create User](#create-user) ([Request](#request) / [Response](#response))
+- [Get User](#get-user) ([Request](#request-1) / [Response](#response-1))
+- [Get User by query](#get-user-by-query) ([Request](#request-2) / [Response](#response-2))
+- [Get User by query - Zero results](#get-user-by-queryzero-results) ([Request](#request-3) / [Response](#response-3))
+- [Update User [Multi-valued properties]](#update-user-multi-valued-properties) ([Request](#request-4) / [Response](#response-4))
+- [Update User [Single-valued properties]](#update-user-single-valued-properties) ([Request](#request-5) / [Response](#response-5))
+- [Disable User](#disable-user) ([Request](#request-14) / [Response](#response-14))
+- [Delete User](#delete-user) ([Request](#request-6) / [Response](#response-6))
[Group Operations](#group-operations)
- - [Create Group](#create-group) ([Request](#request-7) / [Response](#response-7))
- - [Get Group](#get-group) ([Request](#request-8) / [Response](#response-8))
- - [Get Group by displayName](#get-group-by-displayname) ([Request](#request-9) / [Response](#response-9))
- - [Update Group [Non-member attributes]](#update-group-non-member-attributes) ([Request](#request-10) / [Response](#response-10))
- - [Update Group [Add Members]](#update-group-add-members) ([Request](#request-11) / [Response](#response-11))
- - [Update Group [Remove Members]](#update-group-remove-members) ([Request](#request-12) / [Response](#response-12))
- - [Delete Group](#delete-group) ([Request](#request-13) / [Response](#response-13))
+
+- [Create Group](#create-group) ([Request](#request-7) / [Response](#response-7))
+- [Get Group](#get-group) ([Request](#request-8) / [Response](#response-8))
+- [Get Group by displayName](#get-group-by-displayname) ([Request](#request-9) / [Response](#response-9))
+- [Update Group [Non-member attributes]](#update-group-non-member-attributes) ([Request](#request-10) / [Response](#response-10))
+- [Update Group [Add Members]](#update-group-add-members) ([Request](#request-11) / [Response](#response-11))
+- [Update Group [Remove Members]](#update-group-remove-members) ([Request](#request-12) / [Response](#response-12))
+- [Delete Group](#delete-group) ([Request](#request-13) / [Response](#response-13))
[Schema discovery](#schema-discovery)
- - [Discover schema](#discover-schema) ([Request](#request-15) / [Response](#response-15))
+
+- [Discover schema](#discover-schema) ([Request](#request-15) / [Response](#response-15))
### User Operations
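Review bot: `+|||` replaces the delimiter row `|-|-|` under `|Requirement|Reference notes (SCIM protocol)|` with a row of empty cells; Markdown needs at least one dash in each delimiter cell, so the requirements table will stop rendering as a table. Restore `|-|-|` (or `|--|--|`, the style the other tables on this page use). Second, `+|The filter [excludedAttributes=members](#get-group) when querying the group resource|Section [3.4.2.2](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2)|` changes the section number from the removed line's 3.4.2.5 to 3.4.2.2; in RFC 7644, 3.4.2.2 is "Filtering", and the `attributes` and `excludedAttributes` query parameters are defined in 3.4.2.5 "Attributes", so keep 3.4.2.5 and link that anchor instead. Third, `+[![Diagram that shows the user deprovisioning sequence.]...` and `+The following diagram shows the group deprovisioning sequence:` drop "provisioning and" from the removed captions even though both figures, and the paragraphs that introduce them, cover the full lifecycle; keep "provisioning and deprovisioning" in the alt text and lead-in. Smaller: `(for example. A phone number sent as 55555555555 ...` should read `(for example, a phone number sent as 55555555555 ...`, and the `/Users` bullet `(for example, if user uniqueness is evaluated ...` still lacks its closing parenthesis.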
This section provides example SCIM requests emitted by the Azure AD SCIM client
``` ###### Request+ *GET /Users/5171a35d82074e068ce2*
-###### Response (User not found. Note that the detail is not required, only status.)
+###### Response (User not found. The detail isn't required, only status.)
```json {
This section provides example SCIM requests emitted by the Azure AD SCIM client
##### <a name="request-14"></a>Request *PATCH /Users/5171a35d82074e068ce2 HTTP/1.1*+ ```json { "Operations": [
This section provides example SCIM requests emitted by the Azure AD SCIM client
} } ```+ #### Delete User ##### <a name="request-6"></a>Request
This section provides example SCIM requests emitted by the Azure AD SCIM client
*GET /Groups/40734ae655284ad3abcc?excludedAttributes=members HTTP/1.1* ##### <a name="response-8"></a>Response+ *HTTP/1.1 200 OK*+ ```json { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
This section provides example SCIM requests emitted by the Azure AD SCIM client
#### Get Group by displayName ##### <a name="request-9"></a>Request+ *GET /Groups?excludedAttributes=members&filter=displayName eq "displayName" HTTP/1.1* ##### <a name="response-9"></a>Response *HTTP/1.1 200 OK*+ ```json { "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
This section provides example SCIM requests emitted by the Azure AD SCIM client
##### <a name="request-10"></a>Request *PATCH /Groups/fa2ce26709934589afc5 HTTP/1.1*+ ```json { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
This section provides example SCIM requests emitted by the Azure AD SCIM client
##### <a name="request-11"></a>Request *PATCH /Groups/a99962b9f99d4c4fac67 HTTP/1.1*+ ```json { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
This section provides example SCIM requests emitted by the Azure AD SCIM client
*HTTP/1.1 204 No Content* ### Schema discovery+ #### Discover schema ##### <a name="request-15"></a>Request+ *GET /Schemas* + ##### <a name="response-15"></a>Response+ *HTTP/1.1 200 OK*+ ```json { "schemas": [
organization.",
} ``` + ### Security requirements+ **TLS Protocol Versions** The only acceptable TLS protocol versions are TLS 1.2 and TLS 1.3. No other versions of TLS are permitted. No version of SSL is permitted. + - RSA keys must be at least 2,048 bits. - ECC keys must be at least 256 bits, generated using an approved elliptic curve
All services must use X.509 certificates generated using cryptographic keys of s
**Cipher Suites**
-All services must be configured to use the following cipher suites, in the exact order specified below. Note that if you only have an RSA certificate, installed the ECDSA cipher suites do not have any effect. </br>
+All services must be configured to use the following cipher suites, in the exact order specified below. If you only have an RSA certificate, installed the ECDSA cipher suites don't have any effect. </br>
TLS 1.2 Cipher Suites minimum bar:
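Review bot: `+All services must be configured to use the following cipher suites, in the exact order specified below. If you only have an RSA certificate, installed the ECDSA cipher suites don't have any effect. </br>` carries over the misplaced comma from the removed line, so the sentence still parses as "installed the ECDSA cipher suites"; it should read "If you only have an RSA certificate installed, the ECDSA cipher suites don't have any effect." Also `</br>` is not a valid tag; drop it or use `<br/>`.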
TLS 1.2 Cipher Suites minimum bar:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ### IP Ranges
-The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. Note that you will need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).
+
+The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. You'll need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).
Azure AD also supports an agent based solution to provide connectivity to applications in private networks (on-premises, hosted in Azure, hosted in AWS, etc.). Customers can deploy a lightweight agent, which provides connectivity to Azure AD without opening any inbound ports, on a server in their private network. Learn more [here](./on-premises-scim-provisioning.md). ## Build a SCIM endpoint
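Review bot: The rewritten IP-range paragraph above should state that allowing the AzureActiveDirectory ranges is a network-layer restriction that complements, not replaces, validating the bearer token described under "Handling endpoint authentication"; a prefix such as '40.126.0.0/18' admits far more source addresses than the provisioning service alone. It would also help to recommend the service-tag API linked in the paragraph over the static download for any allow list that must stay current, since the downloaded file goes stale.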
-Now that you have designed your schema and understood the Azure AD SCIM implementation, you can get started developing your SCIM endpoint. Rather than starting from scratch and building the implementation completely on your own, you can rely on a number of open source SCIM libraries published by the SCIM community.
+Now that you've designed your schema and understood the Azure AD SCIM implementation, you can get started developing your SCIM endpoint. Rather than starting from scratch and building the implementation completely on your own, you can rely on many open source SCIM libraries published by the SCIM community.
For guidance on how to build a SCIM endpoint including examples, see [Develop a sample SCIM endpoint](use-scim-to-build-users-and-groups-endpoints.md).
-The open source .NET Core [reference code example](https://aka.ms/SCIMReferenceCode) published by the Azure AD provisioning team is one such resource that can jump start your development. Once you have built your SCIM endpoint, you will want to test it out. You can use the collection of [postman tests](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint) provided as part of the reference code or run through the sample requests / responses provided [above](#user-operations).
+The open source .NET Core [reference code example](https://aka.ms/SCIMReferenceCode) published by the Azure AD provisioning team is one such resource that can jump start your development. Once you have built your SCIM endpoint, you'll want to test it out. You can use the collection of [Postman tests](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint) provided as part of the reference code or run through the sample requests / responses provided [above](#user-operations).
> [!Note] > The reference code is intended to help you get started building your SCIM endpoint and is provided "AS IS." Contributions from the community are welcome to help build and maintain the code.
The _Microsoft.SCIM_ project is the library that defines the components of the w
![Breakdown: A request translated into calls to the provider's methods](media/use-scim-to-provision-users-and-groups/scim-figure-3.png)
-The _Microsoft.SCIM.WebHostSample_ project is a Visual Studio ASP.NET Core Web Application, based on the _Empty_ template. This allows the sample code to be deployed as standalone, hosted in containers or within Internet Information Services. It also implements the _Microsoft.SCIM.IProvider_ interface keeping classes in memory as a sample identity store.
+The _Microsoft.SCIM.WebHostSample_ project is an ASP.NET Core Web Application, based on the _Empty_ template. It allows the sample code to be deployed as standalone, hosted in containers or within Internet Information Services. It also implements the _Microsoft.SCIM.IProvider_ interface keeping classes in memory as a sample identity store.
```csharp
- public class Startup
- {
- ...
- public IMonitor MonitoringBehavior { get; set; }
- public IProvider ProviderBehavior { get; set; }
+public class Startup
+{
+ ...
+ public IMonitor MonitoringBehavior { get; set; }
+ public IProvider ProviderBehavior { get; set; }
- public Startup(IWebHostEnvironment env, IConfiguration configuration)
- {
- ...
- this.MonitoringBehavior = new ConsoleMonitor();
- this.ProviderBehavior = new InMemoryProvider();
- }
+ public Startup(IWebHostEnvironment env, IConfiguration configuration)
+ {
...
+ this.MonitoringBehavior = new ConsoleMonitor();
+ this.ProviderBehavior = new InMemoryProvider();
+ }
+ ...
``` ### Building a custom SCIM endpoint
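Review bot: The rewritten `Startup` snippet above ends with `+ ...` after the constructor but never closes the class that `public class Startup` / `{` opens; either add the closing `}` or drop the trailing `...` so the elision matches the removed version, which ended at the constructor's closing brace.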
-The SCIM service must have an HTTP address and server authentication certificate of which the root certification authority is one of the following names:
+The SCIM endpoint must have an HTTP address and server authentication certificate of which the root certification authority is one of the following names:
* CNNIC * Comodo
The SCIM service must have an HTTP address and server authentication certificate
The .NET Core SDK includes an HTTPS development certificate that can be used during development, the certificate is installed as part of the first-run experience. Depending on how you run the ASP.NET Core Web Application it will listen to a different port:
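Review bot: "HTTP address" in the rewritten sentence above should be "HTTPS address": the same sentence requires a server authentication certificate chained to one of the listed roots, and the Security requirements section permits only TLS 1.2 and 1.3. "of which the root certification authority is one of the following names" would read better as "whose root certification authority is one of the following".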
-* Microsoft.SCIM.WebHostSample: https://localhost:5001
-* IIS Express: https://localhost:44359/
+* Microsoft.SCIM.WebHostSample: <https://localhost:5001>
+* IIS Express: <https://localhost:44359/>
For more information on HTTPS in ASP.NET Core use the following link: [Enforce HTTPS in ASP.NET Core](/aspnet/core/security/enforcing-ssl) ### Handling endpoint authentication
-Requests from Azure Active Directory include an OAuth 2.0 bearer token. Any service receiving the request should authenticate the issuer as being Azure Active Directory for the expected Azure Active Directory tenant.
+Requests from Azure AD Provisioning Service include an OAuth 2.0 bearer token. The bearer token is a security token that's issued by an authorization server, such as Azure AD and is trusted by your application. You can configure the Azure AD provisions service to use one of the following tokens:
-In the token, the issuer is identified by an iss claim, like `"iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/"`. In this example, the base address of the claim value, `https://sts.windows.net`, identifies Azure Active Directory as the issuer, while the relative address segment, _cbb1a5ac-f33b-45fa-9bf5-f37db0fed422_, is a unique identifier of the Azure Active Directory tenant for which the token was issued.
+- A long-lived bearer token. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. In a development environment, you can use the testing token from the `/scim/token` endpoint. Test tokens shouldn't be used in production environments.
-The audience for the token will be the application template ID for the application in the gallery, each of the applications registered in a single tenant may receive the same `iss` claim with SCIM requests. The application template ID for all custom apps is _8adf8e6e-67b2-4cf2-a259-e3dc5476c621_. The token generated by the Azure AD provisioning service should only be used for testing. It should not be used in production environments.
+- Azure AD bearer token. If **Secret Token** field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token.
-In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using the bearer token issued by Azure Active Directory for a specified tenant:
+ - The application that receives requests should validate the token issuer as being Azure AD for an expected Azure AD tenant.
+ - In the token, the issuer is identified by an `iss` claim. For example, `"iss":"https://sts.windows.net/12345678-0000-0000-0000-000000000000/"`. In this example, the base address of the claim value, `https://sts.windows.net` identifies Azure AD as the issuer, while the relative address segment, _12345678-0000-0000-0000-000000000000_, is a unique identifier of the Azure AD tenant for which the token was issued.
+ - The audience for a token is the **Application ID** for the application in the gallery. Applications registered in a single tenant receive the same `iss` claim with SCIM requests. The application ID for all custom apps is _8adf8e6e-67b2-4cf2-a259-e3dc5476c621_. The token generated by the Azure AD provisioning service should only be used for testing. It shouldn't be used in production environments.
+++
+In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using the bearer token issued by Azure AD for a specified tenant:
```csharp
- public void ConfigureServices(IServiceCollection services)
+public void ConfigureServices(IServiceCollection services)
+{
+ if (_env.IsDevelopment())
+ {
+ ...
+ }
+ else
+ {
+ services.AddAuthentication(options =>
{
- if (_env.IsDevelopment())
+ options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+ options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+ })
+ .AddJwtBearer(options =>
{
+ options.Authority = " https://sts.windows.net/12345678-0000-0000-0000-000000000000/";
+ options.Audience = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621";
...
- }
- else
- {
- services.AddAuthentication(options =>
- {
- options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
- })
- .AddJwtBearer(options =>
- {
- options.Authority = " https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/";
- options.Audience = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621";
- ...
- });
- }
- ...
- }
+ });
+ }
+ ...
+}
- public void Configure(IApplicationBuilder app)
- {
- ...
- app.UseAuthentication();
- app.UseAuthorization();
- ...
- }
+public void Configure(IApplicationBuilder app)
+{
+ ...
+ app.UseAuthentication();
+ app.UseAuthorization();
+ ...
+}
```
-A bearer token is also required to use of the provided [postman tests](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint) and perform local debugging using localhost. The sample code uses ASP.NET Core environments to change the authentication options during development stage and enable the use a self-signed token.
+A bearer token is also required to use of the provided [Postman tests](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint) and perform local debugging using localhost. The sample code uses ASP.NET Core environments to change the authentication options during development stage and enable the use a self-signed token.
For more information on multiple environments in ASP.NET Core, see [Use multiple environments in ASP.NET Core](/aspnet/core/fundamentals/environments).
private string GenerateJSONWebToken()
***Example 1. Query the service for a matching user***
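Review bot: In the `AddJwtBearer` block above, `options.Authority = " https://sts.windows.net/12345678-0000-0000-0000-000000000000/";` keeps a leading space inside the string (carried over from the removed line); the space is almost certainly unintended and should be removed so the authority matches the `iss` value the prose tells readers to validate. In the prose, "Azure AD provisions service" should be "Azure AD provisioning service", and renaming "application template ID" to "**Application ID**" while keeping the value `8adf8e6e-67b2-4cf2-a259-e3dc5476c621` invites confusion with an app registration's own Application (client) ID; say explicitly which identifier the `aud` claim carries. The apostrophe in "serviceΓÇÖs" is mojibake in the added line, "required to use of the provided Postman tests" should be "required to use the provided Postman tests", and "enable the use a self-signed token" should be "enable the use of a self-signed token". The `+++` lines add three blank lines where one would do.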
-Azure Active Directory queries the service for a user with an `externalId` attribute value matching the mailNickname attribute value of a user in Azure AD. The query is expressed as a Hypertext Transfer Protocol (HTTP) request such as this example, wherein jyoung is a sample of a mailNickname of a user in Azure Active Directory.
+Azure AD queries the service for a user with an `externalId` attribute value matching the mailNickname attribute value of a user in Azure AD. The query is expressed as a Hypertext Transfer Protocol (HTTP) request such as this example, wherein jyoung is a sample of a mailNickname of a user in Azure AD.
>[!NOTE] > This is an example only. Not all users will have a mailNickname attribute, and the value a user has may not be unique in the directory. Also, the attribute used for matching (which in this case is `externalId`) is configurable in the [Azure AD attribute mappings](customize-application-attributes.md).
GET https://.../scim/Users?filter=externalId eq jyoung HTTP/1.1
Authorization: Bearer ... ```
-In the sample code the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. Here is the signature of that method:
+In the sample code, the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. Here's the signature of that method:
```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll.
In the sample query, for a user with a given value for the `externalId` attribut
***Example 2. Provision a user***
-If the response to a query to the web service for a user with an `externalId` attribute value that matches the mailNickname attribute value of a user doesn't return any users, then Azure AD requests that the service provision a user corresponding to the one in Azure AD. Here is an example of such a request:
+If the response to a query to the SCIM endpoint for a user with an `externalId` attribute value that matches the mailNickname attribute value of a user doesn't return any users, then Azure AD requests that the service provision a user corresponding to the one in Azure AD. Here's an example of such a request:
-```
+```http
POST https://.../scim/Users HTTP/1.1 Authorization: Bearer ... Content-type: application/scim+json
Content-type: application/scim+json
"manager":null} ```
-In the sample code the request is translated into a call to the CreateAsync method of the serviceΓÇÖs provider. Here is the signature of that method:
+In the sample code, the request is translated into a call to the CreateAsync method of the serviceΓÇÖs provider. Here's the signature of that method:
```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll.
In the sample code the request is translated into a call to the CreateAsync meth
Task<Resource> CreateAsync(IRequest<Resource> request); ```
-In a request to provision a user, the value of the resource argument is an instance of the Microsoft.SCIM.Core2EnterpriseUser class, defined in the Microsoft.SCIM.Schemas library. If the request to provision the user succeeds, then the implementation of the method is expected to return an instance of the Microsoft.SCIM.Core2EnterpriseUser class, with the value of the Identifier property set to the unique identifier of the newly provisioned user.
+In a request to a user provisioning, the value of the resource argument is an instance of the Microsoft.SCIM.Core2EnterpriseUser class, defined in the Microsoft.SCIM.Schemas library. If the request to provision the user succeeds, then the implementation of the method is expected to return an instance of the Microsoft.SCIM.Core2EnterpriseUser class, with the value of the Identifier property set to the unique identifier of the newly provisioned user.
***Example 3. Query the current state of a user***
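Review bot: "In a request to a user provisioning" in the rewritten Example 2 paragraph above is ungrammatical; the removed wording "In a request to provision a user" was correct and should be restored. In the Example 1 request, the filter value is unquoted (`externalId eq jyoung`); SCIM 2.0 filters (RFC 7644) compare against a JSON string, so `externalId eq "jyoung"` is the form a conforming endpoint expects. The `Content-type: application/scim+json` header also appears twice in the Example 2 request; keep one.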
-To update a user known to exist in an identity store fronted by an SCIM, Azure Active Directory proceeds by requesting the current state of that user from the service with a request such as:
+To update a user known to exist in an identity store fronted by an SCIM, Azure AD proceeds by requesting the current state of that user from the service with a request such as:
``` GET ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1 Authorization: Bearer ... ```
-In the sample code the request is translated into a call to the RetrieveAsync method of the serviceΓÇÖs provider. Here is the signature of that method:
+In the sample code, the request is translated into a call to the RetrieveAsync method of the serviceΓÇÖs provider. Here's the signature of that method:
```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll.
Task<Resource> RetrieveAsync(IRequest<IResourceRetrievalParameters> request);
In the example of a request to retrieve the current state of a user, the values of the properties of the object provided as the value of the parameters argument are as follows: * Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
-* SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+* SchemaIdentifier: `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`
***Example 4. Query the value of a reference attribute to be updated***
-If a reference attribute is to be updated, then Azure Active Directory queries the service to determine whether the current value of the reference attribute in the identity store fronted by the service already matches the value of that attribute in Azure Active Directory. For users, the only attribute of which the current value is queried in this way is the manager attribute. Here is an example of a request to determine whether the manager attribute of a user object currently has a certain value:
-In the sample code the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. The value of the properties of the object provided as the value of the parameters argument are as follows:
+If a reference attribute is to be updated, then Azure AD queries the service to determine whether the current value of the reference attribute in the identity store fronted by the service already matches the value of that attribute in Azure AD. For users, the only attribute of which the current value is queried in this way is the manager attribute. Here's an example of a request to determine whether the manager attribute of a user object currently has a certain value:
+In the sample code, the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. The value of the properties of the object provided as the value of the parameters argument are as follows:
* parameters.AlternateFilters.Count: 2 * parameters.AlternateFilters.ElementAt(x).AttributePath: "ID"
In the sample code the request is translated into a call to the QueryAsync metho
* parameters.AlternateFilters.ElementAt(y).ComparisonOperator: ComparisonOperator.Equals * parameters.AlternateFilter.ElementAt(y).ComparisonValue: "2819c223-7f76-453a-919d-413861904646" * parameters.RequestedAttributePaths.ElementAt(0): "ID"
-* parameters.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+* parameters.SchemaIdentifier: `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`
-Here, the value of the index x can be 0 and the value of the index y can be 1, or the value of x can be 1 and the value of y can be 0, depending on the order of the expressions of the filter query parameter.
+The value of the index x can be `0` and the value of the index y can be `1`. Or the value of x can be `1` and the value of y can be `0`. It depends on the order of the expressions of the filter query parameter.
-***Example 5. Request from Azure AD to an SCIM service to update a user***
+***Example 5. Request from Azure AD to an SCIM endpoint to update a user***
-Here is an example of a request from Azure Active Directory to an SCIM service to update a user:
+Here's an example of a request from Azure AD to an SCIM endpoint to update a user:
-```
+```http
PATCH ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1 Authorization: Bearer ... Content-type: application/scim+json
Content-type: application/scim+json
"value":"2819c223-7f76-453a-919d-413861904646"}]}]} ```
-In the sample code the request is translated into a call to the UpdateAsync method of the serviceΓÇÖs provider. Here is the signature of that method:
+In the sample code, the request is translated into a call to the UpdateAsync method of the serviceΓÇÖs provider. Here's the signature of that method:
```csharp // System.Threading.Tasks.Tasks and
In the example of a request to update a user, the object provided as the value o
|Argument|Value| |-|-|
-|ResourceIdentifier.Identifier|"54D382A4-2050-4C03-94D1-E769F1D15682"|
-|ResourceIdentifier.SchemaIdentifier|"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"|
-|(PatchRequest as PatchRequest2).Operations.Count|1|
-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).OperationName|OperationName.Add|
-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Path.AttributePath|"manager"|
-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.Count|1|
-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Reference|http://.../scim/Users/2819c223-7f76-453a-919d-413861904646|
-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Value| 2819c223-7f76-453a-919d-413861904646|
+|`ResourceIdentifier.Identifier`|"54D382A4-2050-4C03-94D1-E769F1D15682"|
+|`ResourceIdentifier.SchemaIdentifier`| `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`|
+|`(PatchRequest as PatchRequest2).Operations.Count`|1|
+|`(PatchRequest as PatchRequest2).Operations.ElementAt(0).OperationName`| `OperationName.Add`|
+|`(PatchRequest as PatchRequest2).Operations.ElementAt(0).Path.AttributePath`| Manager|
+|`(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.Count`|1|
+|`(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Reference`|`http://.../scim/Users/2819c223-7f76-453a-919d-413861904646`|
+|`(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Value`| 2819c223-7f76-453a-919d-413861904646|
***Example 6. Deprovision a user***
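Review bot: In the Example 5 table above, the `Path.AttributePath` row changed from `"manager"` to `Manager`, dropping the quotes and capitalizing; the PATCH body and the neighbouring rows give values as sent on the wire, so keep `"manager"`. The `Reference` row uses `http://.../scim/Users/...` while the endpoint is required to be served over TLS; `https://` would be consistent. In Example 4, `parameters.AlternateFilter.ElementAt(y).ComparisonValue` is missing the `s` of `AlternateFilters` used on the other lines.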
-To deprovision a user from an identity store fronted by an SCIM service, Azure AD sends a request such as:
+To deprovision a user from an identity store fronted by an SCIM endpoint, Azure AD sends a request such as:
-```
+```http
DELETE ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1 Authorization: Bearer ... ```
-In the sample code the request is translated into a call to the DeleteAsync method of the serviceΓÇÖs provider. Here is the signature of that method:
+In the sample code, the request is translated into a call to the DeleteAsync method of the serviceΓÇÖs provider. Here's the signature of that method:
```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll.
Task DeleteAsync(IRequest<IResourceIdentifier> request);
The object provided as the value of the resourceIdentifier argument has these property values in the example of a request to deprovision a user: * ResourceIdentifier.Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
-* ResourceIdentifier.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+* ResourceIdentifier.SchemaIdentifier: `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`
-## Integrate your SCIM endpoint with the Azure AD SCIM client
+## Integrate your SCIM endpoint with the Azure AD Provisioning Service
Azure AD can be configured to automatically provision assigned users and groups to applications that implement a specific profile of the [SCIM 2.0 protocol](https://tools.ietf.org/html/rfc7644). The specifics of the profile are documented in [Understand the Azure AD SCIM implementation](#understand-the-azure-ad-scim-implementation). Check with your application provider, or your application provider's documentation for statements of compatibility with these requirements. > [!IMPORTANT]
-> The Azure AD SCIM implementation is built on top of the Azure AD user provisioning service, which is designed to constantly keep users in sync between Azure AD and the target application, and implements a very specific set of standard operations. It's important to understand these behaviors to understand the behavior of the Azure AD SCIM client. For more information, see the section [Provisioning cycles: Initial and incremental](how-provisioning-works.md#provisioning-cycles-initial-and-incremental) in [How provisioning works](how-provisioning-works.md).
+> The Azure AD SCIM implementation is built on top of the Azure AD user provisioning service, which is designed to constantly keep users in sync between Azure AD and the target application, and implements a very specific set of standard operations. It's important to understand these behaviors to understand the behavior of the Azure AD Provisioning Service. For more information, see the section [Provisioning cycles: Initial and incremental](how-provisioning-works.md#provisioning-cycles-initial-and-incremental) in [How provisioning works](how-provisioning-works.md).
### Getting started
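Review bot: Renaming the heading "Integrate your SCIM endpoint with the Azure AD SCIM client" to "... with the Azure AD Provisioning Service" changes the generated anchor; any links to `#integrate-your-scim-endpoint-with-the-azure-ad-scim-client` elsewhere in the docs will break and should be updated in the same change. The IMPORTANT note below the heading still says the implementation is "built on top of the Azure AD user provisioning service" and then refers to "the Azure AD Provisioning Service"; pick one name and capitalization.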
-Applications that support the SCIM profile described in this article can be connected to Azure Active Directory using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 40 minutes where it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.
+Applications that support the SCIM profile described in this article can be connected to Azure AD using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 40 minutes where it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.
**To connect an application that supports SCIM:**
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com). Note that you can get access a free trial for Azure Active Directory with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/office/dev-program)
+1. Sign in to the [Azure AD portal](https://aad.portal.azure.com). You can get access a free trial for Azure AD with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/office/dev-program)
1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery. 1. Select **+ New application** > **+ Create your own application**. 1. Enter a name for your application, choose the option "*integrate any other application you don't find in the gallery*" and select **Add** to create an app object. The new app is added to the list of enterprise applications and opens to its app management screen.
+
+ The following screenshot shows the Azure AD application gallery:
- ![Screenshot shows the Azure AD application gallery](media/use-scim-to-provision-users-and-groups/scim-figure-2b-1.png)
- *Azure AD application gallery*
+ ![Screenshot shows the Azure AD application gallery.](media/use-scim-to-provision-users-and-groups/scim-figure-2b-1.png)
+
> [!NOTE] > If you are using the old app gallery experience, follow the screen guide below.
+ The following screenshot shows the Azure AD old app gallery experience:
+ ![Screenshot shows the Azure AD old app gallery experience](media/use-scim-to-provision-users-and-groups/scim-figure-2a.png)
- *Azure AD old app gallery experience*
+
1. In the app management screen, select **Provisioning** in the left panel. 1. In the **Provisioning Mode** menu, select **Automatic**.
+
+ The following screenshot shows the configuring provisioning settings in the Azure portal:
- ![Example: An app's Provisioning page in the Azure portal](media/use-scim-to-provision-users-and-groups/scim-figure-2b.png)<br/>
- *Configuring provisioning in the Azure portal*
+ ![Screenshot of app provisioning page in the Azure portal.](media/use-scim-to-provision-users-and-groups/scim-figure-2b.png)
1. In the **Tenant URL** field, enter the URL of the application's SCIM endpoint. Example: `https://api.contoso.com/scim/` 1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. If this field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token. > [!NOTE] > It's ***not*** recommended to leave this field blank and rely on a token generated by Azure AD. This option is primarily available for testing purposes.
-1. Select **Test Connection** to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.
+1. Select **Test Connection** to have Azure AD attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.
> [!NOTE] > **Test Connection** queries the SCIM endpoint for a user that doesn't exist, using a random GUID as the matching property selected in the Azure AD configuration. The expected correct response is HTTP 200 OK with an empty SCIM ListResponse message. 1. If the attempts to connect to the application succeed, then select **Save** to save the admin credentials.
-1. In the **Mappings** section, there are two selectable sets of [attribute mappings](customize-application-attributes.md): one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure Active Directory to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes.
+1. In the **Mappings** section, there are two selectable sets of [attribute mappings](customize-application-attributes.md): one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure AD to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes.
> [!NOTE] > You can optionally disable syncing of group objects by disabling the "groups" mapping.
Applications that support the SCIM profile described in this article can be conn
1. Under **Settings**, the **Scope** field defines which users and groups are synchronized. Select **Sync only assigned users and groups** (recommended) to only sync users and groups assigned in the **Users and groups** tab. 1. Once your configuration is complete, set the **Provisioning Status** to **On**. 1. Select **Save** to start the Azure AD provisioning service.
-1. If syncing only assigned users and groups (recommended), be sure to select the **Users and groups** tab and assign the users or groups you want to sync.
+1. If syncing only assigned users and groups (recommended), select the **Users and groups** tab. Then, assign the users or groups you want to sync.
Once the initial cycle has started, you can select **Provisioning logs** in the left panel to monitor progress, which shows all actions done by the provisioning service on your app. For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](check-status-user-account-provisioning.md).
Once the initial cycle has started, you can select **Provisioning logs** in the
## Publish your application to the Azure AD application gallery
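Review bot: Step 1 in the list above keeps "You can get access a free trial" from the removed line; it should read "You can get access to a free trial". The screenshot lead-in "The following screenshot shows the configuring provisioning settings in the Azure portal" should be "The following screenshot shows the provisioning settings being configured in the Azure portal". The **Secret Token** step's note that leaving the field blank is not recommended matches the testing-only caveat in the authentication section; consider cross-linking the two so readers who start from the portal steps see the reason.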
-If you're building an application that will be used by more than one tenant, you can make it available in the Azure AD application gallery. This will make it easy for organizations to discover the application and configure provisioning. Publishing your app in the Azure AD gallery and making provisioning available to others is easy. Check out the steps [here](../manage-apps/v2-howto-app-gallery-listing.md). Microsoft will work with you to integrate your application into our gallery, test your endpoint, and release onboarding [documentation](../saas-apps/tutorial-list.md) for customers to use.
+If you're building an application that will be used by more than one tenant, you can make it available in the Azure AD application gallery. It's easy for organizations to discover the application and configure provisioning. Publishing your app in the Azure AD gallery and making provisioning available to others is easy. Check out the steps [here](../manage-apps/v2-howto-app-gallery-listing.md). Microsoft will work with you to integrate your application into our gallery, test your endpoint, and release onboarding [documentation](../saas-apps/tutorial-list.md) for customers to use.
### Gallery onboarding checklist Use the checklist to onboard your application quickly and customers have a smooth deployment experience. The information will be gathered from you when onboarding to the gallery.
The SCIM spec doesn't define a SCIM-specific scheme for authentication and autho
|Authorization method|Pros|Cons|Support| |--|--|--|--| |Username and password (not recommended or supported by Azure AD)|Easy to implement|Insecure - [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984)|Not supported for new gallery or non-gallery apps.|
-|Long-lived bearer token|Long-lived tokens do not require a user to be present. They are easy for admins to use when setting up provisioning.|Long-lived tokens can be hard to share with an admin without using insecure methods such as email. |Supported for gallery and non-gallery apps. |
-|OAuth authorization code grant|Access tokens are much shorter-lived than passwords, and have an automated refresh mechanism that long-lived bearer tokens do not have. A real user must be present during initial authorization, adding a level of accountability. |Requires a user to be present. If the user leaves the organization, the token is invalid and authorization will need to be completed again.|Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth code grant on non-gallery is in our backlog, in addition to support for configurable auth / token URLs on the gallery app.|
-|OAuth client credentials grant|Access tokens are much shorter-lived than passwords, and have an automated refresh mechanism that long-lived bearer tokens do not have. Both the authorization code grant and the client credentials grant create the same type of access token, so moving between these methods is transparent to the API. Provisioning can be completely automated, and new tokens can be silently requested without user interaction. ||Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth client credentials grant on non-gallery is in our backlog.|
+|Long-lived bearer token|Long-lived tokens don't require a user to be present. They're easy for admins to use when setting up provisioning.|Long-lived tokens can be hard to share with an admin without using insecure methods such as email. |Supported for gallery and non-gallery apps. |
+|OAuth authorization code grant|Access tokens are much shorter-lived than passwords, and have an automated refresh mechanism that long-lived bearer tokens don't have. A real user must be present during initial authorization, adding a level of accountability. |Requires a user to be present. If the user leaves the organization, the token is invalid, and authorization will need to be completed again.|Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth code grant on non-gallery is in our backlog, in addition to support for configurable auth / token URLs on the gallery app.|
+|OAuth client credentials grant|Access tokens are much shorter-lived than passwords, and have an automated refresh mechanism that long-lived bearer tokens don't have. Both the authorization code grant and the client credentials grant create the same type of access token, so moving between these methods is transparent to the API. Provisioning can be automated, and new tokens can be silently requested without user interaction. ||Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth client credentials grant on non-gallery is in our backlog.|
> [!NOTE]
> It's not recommended to leave the token field blank in the Azure AD provisioning configuration custom app UI. The token generated is primarily available for testing purposes.
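Review bot: the Cons cell of the OAuth client credentials grant row is still empty (`||`) on the `+` line, so that row renders with a blank column; either state the drawback or mark the cell explicitly rather than leaving it blank. In the same rows, "short term testing purposes" should be hyphenated as "short-term testing purposes".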
The provisioning service supports the [authorization code grant](https://tools.i
- **Token exchange URL**, a URL by the client to exchange an authorization grant for an access token, typically with client authentication. -- **Client ID**, the authorization server issues the registered client a client identifier, which is a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and **must not** be used alone for client authentication.
+- **Client ID**, the authorization server issues the registered client a client identifier, which is a unique string representing the registration information provided by the client. The client identifier isn't a secret; it's exposed to the resource owner and **must not** be used alone for client authentication.
- **Client secret**, a secret generated by the authorization server that should be a unique value known only to the authorization server.
Best practices (recommended, but not required):
* Support multiple redirect URLs. Administrators can configure provisioning from both "portal.azure.com" and "aad.portal.azure.com". Supporting multiple redirect URLs will ensure that users can authorize access from either portal.
* Support multiple secrets for easy renewal, without downtime.
-#### How to setup OAuth code grant flow
+#### How to set up OAuth code grant flow
1. Sign in to the Azure portal, go to **Enterprise applications** > **Application** > **Provisioning** and select **Authorize**.
1. Third party app redirects user back to Azure portal and provides the grant code
- 1. Azure AD provisioning services calls the token URL and provides the grant code. The third party application responds with the access token, refresh token, and expiry date
+ 1. Azure AD Provisioning Service calls the token URL and provides the grant code. The third party application responds with the access token, refresh token, and expiry date
1. When the provisioning cycle begins, the service checks if the current access token is valid and exchanges it for a new token if needed. The access token is provided in each request made to the app and the validity of the request is checked before each request.
> [!NOTE]
-> While it's not possible to setup OAuth on the non-gallery applications, you can manually generate an access token from your authorization server and input it as the secret token to a non-gallery application. This allows you to verify compatibility of your SCIM server with the Azure AD SCIM client before onboarding to the app gallery, which does support the OAuth code grant.
+> While it's not possible to setup OAuth on the non-gallery applications, you can manually generate an access token from your authorization server and input it as the secret token to a non-gallery application. This allows you to verify compatibility of your SCIM server with the Azure AD Provisioning Service before onboarding to the app gallery, which does support the OAuth code grant.
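Review bot: "setup" is still used as a verb on the `+` line ("it's not possible to setup OAuth") while this same change corrects "setup" to "set up" in the heading and in the long-lived token paragraph; change it to "set up" here as well for consistency.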
-**Long-lived OAuth bearer tokens:** If your application doesn't support the OAuth authorization code grant flow, instead generate a long lived OAuth bearer token that an administrator can use to setup the provisioning integration. The token should be perpetual, or else the provisioning job will be [quarantined](application-provisioning-quarantine-status.md) when the token expires.
+**Long-lived OAuth bearer tokens:** If your application doesn't support the OAuth authorization code grant flow, instead generate a long lived OAuth bearer token that an administrator can use to set up the provisioning integration. The token should be perpetual, or else the provisioning job will be [quarantined](application-provisioning-quarantine-status.md) when the token expires.
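Review bot: "generate a long lived OAuth bearer token" on the `+` line is unhyphenated while the bold label at the start of the same sentence reads "Long-lived"; use "long-lived" consistently.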
-For additional authentication and authorization methods, let us know on [UserVoice](https://aka.ms/appprovisioningfeaturerequest).
+For more authentication and authorization methods, let us know on [UserVoice](https://aka.ms/appprovisioningfeaturerequest).
### Gallery go-to-market launch check list
-To help drive awareness and demand of our joint integration, we recommend you update your existing documentation and amplify the integration in your marketing channels. The below is a set of checklist activities we recommend you complete to support the launch
+To help drive awareness and demand of our joint integration, we recommend you update your existing documentation and amplify the integration in your marketing channels. We recommend you to complete the following checklist to support the launch:
> [!div class="checklist"]
> * Ensure your sales and customer support teams are aware, ready, and can speak to the integration capabilities. Brief your teams, provide them with FAQs and include the integration into your sales materials.
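Review bot: "We recommend you to complete the following checklist to support the launch:" on the `+` line is ungrammatical; use "We recommend that you complete the following checklist to support the launch:" (or simply "Complete the following checklist to support the launch:").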
-> * Craft a blog post or press release that describes the joint integration, the benefits and how to get started. [Example: Imprivata and Azure Active Directory Press Release](https://www.imprivata.com/company/press/imprivata-introduces-iam-cloud-platform-healthcare-supported-microsoft)
+> * Craft a blog post or press release that describes the joint integration, the benefits and how to get started. [Example: Imprivata and Azure AD Press Release](https://www.imprivata.com/company/press/imprivata-introduces-iam-cloud-platform-healthcare-supported-microsoft)
> * Leverage your social media like Twitter, Facebook or LinkedIn to promote the integration to your customers. Be sure to include @AzureAD so we can retweet your post. [Example: Imprivata Twitter Post](https://twitter.com/azuread/status/1123964502909779968)
> * Create or update your marketing pages/website (e.g. integration page, partner page, pricing page, etc.) to include the availability of the joint integration. [Example: Pingboard integration Page](https://pingboard.com/org-chart-for), [Smartsheet integration page](https://www.smartsheet.com/marketplace/apps/microsoft-azure-ad), [Monday.com pricing page](https://monday.com/pricing/)
-> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure Active Directory integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/
+> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/
) > * Alert customers of the new integration through your customer communication (monthly newsletters, email campaigns, product release notes).
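Review bot: the link on the `+` line is broken across lines: `[Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/` has its closing `)` at the start of the following line, so markdown will not parse it as a link. Move the `)` onto the same line as the URL, and move the period out of the link text so the bullet ends with a normal sentence.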
active-directory User Provisioning Sync Attributes For Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md
Title: Synchronize attributes to Azure Active Directory for mapping
description: When configuring user provisioning with Azure Active Directory and SaaS apps, use the directory extension feature to add source attributes that aren't synchronized by default. -+
active-directory User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning.md
Title: What is automated app user provisioning in Azure Active Directory description: An introduction to how you can use Azure Active Directory to automatically provision, de-provision, and continuously update user accounts across multiple third-party applications. -+
active-directory What Is Hr Driven Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/what-is-hr-driven-provisioning.md
Title: 'What is HR driven provisioning with Azure Active Directory? | Microsoft
description: Describes overview of HR driven provisioning. -+
active-directory Workday Attribute Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-attribute-reference.md
Title: Workday attribute reference for Azure Active Directory
description: Learn which attributes you can fetch from Workday using XPATH queries in Azure Active Directory. -+
active-directory Workday Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-integration-reference.md
Title: Azure Active Directory and Workday integration reference
description: Technical deep dive into Workday-HR driven provisioning in Azure Active Directory -+
active-directory Workday Retrieve Pronoun Information https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-retrieve-pronoun-information.md
Title: Retrieve pronoun information from Workday
description: Learn how to retrieve pronoun information from Workday -+
active-directory Active Directory App Proxy Protect Ndes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/active-directory-app-proxy-protect-ndes.md
Title: Integrate with Azure Active Directory Application Proxy on an NDES server
description: Guidance on deploying an Azure Active Directory Application Proxy to protect your NDES server. -+
active-directory Application Proxy Add On Premises Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md
Title: Tutorial - Add an on-premises app - Application Proxy in Azure Active Dir
description: Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. This tutorial shows you how to prepare your environment for use with Application Proxy. Then, it uses the Azure portal to add an on-premises application to your Azure AD tenant. -+
active-directory Application Proxy Application Gateway Waf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-application-gateway-waf.md
To ensure the connector VMs send requests to the Application Gateway, an [Azure
### Test the application
-After [adding a user for testing](/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application.
+After [adding a user for testing](./application-proxy-add-on-premises-application.md#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application.
![Screenshot of authentication step.](./media/application-proxy-waf/sign-in-2.png)
![Screenshot of server response.](./media/application-proxy-waf/application-gateway-response.png)
The Application Gateway [Firewall logs][waf-logs] provide more details about the
## Next steps
-To prevent false positives, learn how to [Customize Web Application Firewall rules](/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal), configure [Web Application Firewall exclusion lists](/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal), or [Web Application Firewall custom rules](/azure/web-application-firewall/ag/create-custom-waf-rules).
-
-[waf-overview]: /azure/web-application-firewall/ag/ag-overview
-[appgw_quick]: /azure/application-gateway/quick-create-portal
-[appproxy-add-app]: /azure/active-directory/app-proxy/application-proxy-add-on-premises-application
-[appproxy-optimize]: /azure/active-directory/app-proxy/application-proxy-network-topology
-[appproxy-custom-domain]: /azure/active-directory/app-proxy/application-proxy-configure-custom-domain
-[private-dns]: /azure/dns/private-dns-getstarted-portal
-[waf-logs]: /azure/application-gateway/application-gateway-diagnostics#firewall-log
+To prevent false positives, learn how to [Customize Web Application Firewall rules](../../web-application-firewall/ag/application-gateway-customize-waf-rules-portal.md), configure [Web Application Firewall exclusion lists](../../web-application-firewall/ag/application-gateway-waf-configuration.md?tabs=portal), or [Web Application Firewall custom rules](../../web-application-firewall/ag/create-custom-waf-rules.md).
+[waf-overview]: ../../web-application-firewall/ag/ag-overview.md
+[appgw_quick]: ../../application-gateway/quick-create-portal.md
+[appproxy-add-app]: ./application-proxy-add-on-premises-application.md
+[appproxy-optimize]: ./application-proxy-network-topology.md
+[appproxy-custom-domain]: ./application-proxy-configure-custom-domain.md
+[private-dns]: ../../dns/private-dns-getstarted-portal.md
+[waf-logs]: ../../application-gateway/application-gateway-diagnostics.md#firewall-log
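Review bot: the blank line that separated the "To prevent false positives" paragraph from the link reference definitions was removed (the `-` blank line has no `+` counterpart). In CommonMark a link reference definition cannot interrupt a paragraph, so `[waf-overview]: ...` through `[waf-logs]: ...` would be parsed as continuation text of that paragraph, and references such as `[Firewall logs][waf-logs]` earlier in the article would no longer resolve. Restore the blank line before `+[waf-overview]`.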
active-directory Application Proxy Back End Kerberos Constrained Delegation How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md
Title: Troubleshoot Kerberos constrained delegation - App Proxy
description: Troubleshoot Kerberos Constrained Delegation configurations for Application Proxy -+
active-directory Application Proxy Config How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-how-to.md
Title: How to configure an Azure Active Directory Application Proxy application
description: Learn how to create and configure an Azure Active Directory Application Proxy application in a few simple steps -+
active-directory Application Proxy Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-problem.md
Title: Problem creating an Azure Active Directory Application Proxy application
description: How to troubleshoot issues creating Application Proxy applications in the Azure Active Directory Admin portal -+
active-directory Application Proxy Config Sso How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-sso-how-to.md
Title: Understand single sign-on with an on-premises app using Application Proxy
description: Understand single sign-on with an on-premises app using Application Proxy. -+
active-directory Application Proxy Configure Complex Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-complex-application.md
Title: Complex applications for Azure Active Directory Application Proxy
description: Provides an understanding of complex application in Azure Active Directory Application Proxy, and how to configure one. -+
active-directory Application Proxy Configure Connectors With Proxy Servers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-connectors-with-proxy-servers.md
Title: Work with existing on-premises proxy servers and Azure Active Directory
description: Covers how to work with existing on-premises proxy servers with Azure Active Directory. -+
active-directory Application Proxy Configure Cookie Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md
Title: Application Proxy cookie settings - Azure Active Directory
description: Azure Active Directory (Azure AD) has access and session cookies for accessing on-premises applications through Application Proxy. In this article, you'll find out how to use and configure the cookie settings. -+
active-directory Application Proxy Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
Title: Custom domains in Azure Active Directory Application Proxy
description: Configure and manage custom domains in Azure Active Directory Application Proxy. -+
active-directory Application Proxy Configure Custom Home Page https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md
Title: Custom home page for published apps - Azure Active Directory Application
description: Covers the basics about Azure Active Directory Application Proxy connectors -+
active-directory Application Proxy Configure For Claims Aware Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-for-claims-aware-applications.md
Title: Claims-aware apps - Azure Active Directory Application Proxy
description: How to publish on-premises ASP.NET applications that accept AD FS claims for secure remote access by your users. -+
active-directory Application Proxy Configure Hard Coded Link Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-hard-coded-link-translation.md
Title: Translate links and URLs Azure Active Directory Application Proxy
description: Learn how to redirect hard-coded links for apps published with Azure Active Directory Application Proxy. -+
active-directory Application Proxy Configure Native Client Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-native-client-application.md
Title: Publish native client apps - Azure Active Directory
description: Covers how to enable native client apps to communicate with Azure Active Directory Application Proxy Connector to provide secure remote access to your on-premises apps. -+
active-directory Application Proxy Configure Single Sign On On Premises Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md
Title: SAML single sign-on for on-premises apps with Azure Active Directory Appl
description: Learn how to provide single sign-on for on-premises applications that are secured with SAML authentication. Provide remote access to on-premises apps with Application Proxy. -+
active-directory Application Proxy Configure Single Sign On Password Vaulting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md
Title: Single sign-on to apps with Azure Active Directory Application Proxy
description: Turn on single sign-on for your published on-premises applications with Azure Active Directory Application Proxy in the Azure portal. -+
active-directory Application Proxy Configure Single Sign On With Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md
Title: Header-based single sign-on for on-premises apps with Azure AD App Proxy
description: Learn how to provide single sign-on for on-premises applications that are secured with header-based authentication. -+
active-directory Application Proxy Configure Single Sign On With Kcd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.md
Title: Kerberos-based single sign-on (SSO) in Azure Active Directory with Applic
description: Covers how to provide single sign-on using Azure Active Directory Application Proxy. -+
active-directory Application Proxy Connectivity No Working Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectivity-no-working-connector.md
Title: No working connector group found for an Azure Active Directory Applicatio
description: Address problems you might encounter when there is no working Connector in a Connector Group for your application with the Azure Active Directory Application Proxy -+
active-directory Application Proxy Connector Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-groups.md
Title: Publish apps on separate networks via connector groups - Azure Active Dir
description: Covers how to create and manage groups of connectors in Azure Active Directory Application Proxy. -+
active-directory Application Proxy Connector Installation Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-installation-problem.md
Title: Problem installing the Azure Active Directory Application Proxy Agent Con
description: How to troubleshoot issues you might face when installing the Application Proxy Agent Connector for Azure Active Directory. -+
active-directory Application Proxy Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectors.md
Title: Understand Azure Active Directory Application Proxy connectors
description: Learn about the Azure Active Directory Application Proxy connectors. -+
active-directory Application Proxy Debug Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-debug-apps.md
Title: Debug Application Proxy applications - Azure Active Directory
description: Debug issues with Azure Active Directory (Azure AD) Application Proxy applications. -+
active-directory Application Proxy Debug Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-debug-connectors.md
Title: Debug Application Proxy connectors - Azure Active Directory
description: Debug issues with Azure Active Directory (Azure AD) Application Proxy connectors. -+
active-directory Application Proxy Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-deployment-plan.md
Title: Plan an Azure Active Directory Application Proxy Deployment
description: An end-to-end guide for planning the deployment of Application proxy within your organization -+
active-directory Application Proxy High Availability Load Balancing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-high-availability-load-balancing.md
Title: High availability and load balancing - Azure Active Directory Application
description: How traffic distribution works with your Application Proxy deployment. Includes tips for how to optimize connector performance and use load balancing for back-end servers. -+
active-directory Application Proxy Integrate With Microsoft Cloud Application Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security.md
Title: Use Application Proxy to integrate on-premises apps with Defender for Cloud Apps - Azure Active Directory description: Configure an on-premises application in Azure Active Directory to work with Microsoft Defender for Cloud Apps. Use the Defender for Cloud Apps Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Azure Active Directory (Azure AD). -+
active-directory Application Proxy Integrate With Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-power-bi.md
Title: Enable remote access to Power BI with Azure Active Directory Application
description: Covers the basics about how to integrate an on-premises Power BI with Azure Active Directory Application Proxy. -+
active-directory Application Proxy Integrate With Remote Desktop Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services.md
Title: Publish Remote Desktop with Azure Active Directory Application Proxy
description: Covers how to configure App Proxy with Remote Desktop Services (RDS) -+
active-directory Application Proxy Integrate With Sharepoint Server Saml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server-saml.md
Title: Publish an on-premises SharePoint farm with Azure Active Directory Applic
description: Covers the basics about how to integrate an on-premises SharePoint farm with Azure Active Directory Application Proxy for SAML. -+
active-directory Application Proxy Integrate With Sharepoint Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server.md
Title: Enable remote access to SharePoint - Azure Active Directory Application P
description: Covers the basics about how to integrate on-premises SharePoint Server with Azure Active Directory Application Proxy. -+
active-directory Application Proxy Integrate With Tableau https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-tableau.md
Title: Azure Active Directory Application Proxy and Tableau
description: Learn how to use Azure Active Directory (Azure AD) Application Proxy to provide remote access for your Tableau deployment. -+
active-directory Application Proxy Integrate With Teams https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-teams.md
Title: Access Azure Active Directory Application Proxy apps in Teams
description: Use Azure Active Directory Application Proxy to access your on-premises application through Microsoft Teams. -+
active-directory Application Proxy Network Topology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-network-topology.md
Title: Network topology considerations for Azure Active Directory Application Pr
description: Covers network topology considerations when using Azure Active Directory Application Proxy. -+
active-directory Application Proxy Page Appearance Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-appearance-broken-problem.md
Title: App page doesn't display correctly for Application Proxy app
description: Guidance when the page isn't displaying correctly in an Application Proxy Application you have integrated with Azure Active Directory -+
active-directory Application Proxy Page Links Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-links-broken-problem.md
Title: Links on the page don't work for an Azure Active Directory Application Pr
description: How to troubleshoot issues with broken links on Application Proxy applications you have integrated with Azure Active Directory -+
active-directory Application Proxy Page Load Speed Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-load-speed-problem.md
Title: An Azure Active Directory Application Proxy application takes too long to
description: Troubleshoot page load performance issues with Azure Active Directory Application Proxy -+
active-directory Application Proxy Ping Access Publishing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md
Title: Header-based authentication with PingAccess for Azure Active Directory Ap
description: Publish applications with PingAccess and App Proxy to support header-based authentication. -+
active-directory Application Proxy Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-powershell-samples.md
Title: PowerShell samples for Azure Active Directory Application Proxy
description: Use these PowerShell samples for Azure Active Directory Application Proxy to get information about Application Proxy apps and connectors in your directory, assign users and groups to apps, and get certificate information. -+
active-directory Application Proxy Qlik https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-qlik.md
Title: Azure Active Directory Application Proxy and Qlik Sense
description: Integrate Azure Active Directory Application Proxy with Qlik Sense. -+
active-directory Application Proxy Register Connector Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-register-connector-powershell.md
Title: Silent install Azure Active Directory Application Proxy connector
description: Covers how to perform an unattended installation of Azure Active Directory Application Proxy Connector to provide secure remote access to your on-premises apps. -+
active-directory Application Proxy Release Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-release-version-history.md
Title: 'Azure Active Directory Application Proxy: Version release history'
description: This article lists all releases of Azure Active Directory Application Proxy and describes new features and fixed issues. -+
active-directory Application Proxy Remove Personal Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-remove-personal-data.md
Title: Remove personal data - Azure Active Directory Application Proxy
description: Remove personal data from connectors installed on devices for Azure Active Directory Application Proxy. -+
active-directory Application Proxy Secure Api Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-secure-api-access.md
Title: Access on-premises APIs with Azure Active Directory Application Proxy
description: Azure Active Directory's Application Proxy lets native apps securely access APIs and business logic you host on-premises or on cloud VMs. -+
active-directory Application Proxy Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-security.md
Title: Security considerations for Azure Active Directory Application Proxy
description: Covers security considerations for using Azure AD Application Proxy -+
active-directory Application Proxy Sign In Bad Gateway Timeout Error https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-sign-in-bad-gateway-timeout-error.md
Title: Can't access this Corporate Application error with Azure Active Directory
description: How to resolve common access issues with Azure Active Directory Application Proxy applications. -+
active-directory Application Proxy Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-troubleshoot.md
Title: Troubleshoot Azure Active Directory Application Proxy
description: Covers how to troubleshoot errors in Azure Active Directory Application Proxy. -+
active-directory Application Proxy Understand Cors Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-understand-cors-issues.md
Title: Understand and solve Azure Active Directory Application Proxy CORS issues
description: Provides an understanding of CORS in Azure Active Directory Application Proxy, and how to identify and solve CORS issues. -+
active-directory Application Proxy Wildcard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-wildcard.md
Title: Wildcard applications in Azure Active Directory Application Proxy
description: Learn how to use Wildcard applications in Azure Active Directory Application Proxy. -+
active-directory Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy.md
Title: Remote access to on-premises apps - Azure AD Application Proxy
description: Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications. -+
active-directory Application Sign In Problem On Premises Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-sign-in-problem-on-premises-application-proxy.md
Title: Problem signing in to on-premises app using Azure Active Directory Applic
description: Troubleshooting common issues faced when you are unable to sign in to an on-premises application integrated using the Azure Active Directory Application Proxy -+
active-directory Powershell Assign Group To App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-group-to-app.md
Title: PowerShell sample - Assign group to an Azure Active Directory Application
description: PowerShell example that assigns a group to an Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Assign User To App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-user-to-app.md
Title: PowerShell sample - Assign user to an Azure Active Directory Application
description: PowerShell example that assigns a user to an Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Display Users Group Of App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-display-users-group-of-app.md
Title: PowerShell sample - List users & groups for an Azure Active Directory App
description: PowerShell example that lists all the users and groups assigned to a specific Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Get All App Proxy Apps Basic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-basic.md
Title: PowerShell sample - List basic info for Application Proxy apps
description: PowerShell example that lists Azure Active Directory (Azure AD) Application Proxy applications along with the application ID (AppId), name (DisplayName), and object ID (ObjId). -+
active-directory Powershell Get All App Proxy Apps By Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md
Title: List Azure Active Directory Application Proxy connector groups for apps
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy Connector groups with the assigned applications. -+
active-directory Powershell Get All App Proxy Apps Extended https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended.md
Title: PowerShell sample - List extended info for Azure Active Directory Applica
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications along with the application ID (AppId), name (DisplayName), external URL (ExternalUrl), internal URL (InternalUrl), and authentication type (ExternalAuthenticationType). -+
active-directory Powershell Get All App Proxy Apps With Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md
Title: PowerShell sample - List all Azure Active Directory Application Proxy app
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications in your directory that have a lifetime token policy. -+
active-directory Powershell Get All Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-connectors.md
Title: PowerShell sample - List all Azure Active Directory Application Proxy con
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy connector groups and connectors in your directory. -+
active-directory Powershell Get All Custom Domain No Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domain-no-cert.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps with no
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using custom domains but do not have a valid TLS/SSL certificate uploaded. -+
active-directory Powershell Get All Custom Domains And Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domains-and-certs.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps using c
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using custom domains and certificate information. -+
active-directory Powershell Get All Default Domain Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-default-domain-apps.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps using d
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using default domains (.msappproxy.net). -+
active-directory Powershell Get All Wildcard Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-wildcard-apps.md
Title: PowerShell sample - List Azure Active Directory Application Proxy apps us
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using wildcards. -+
active-directory Powershell Get Custom Domain Identical Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-identical-cert.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps with id
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are published with the identical certificate. -+
active-directory Powershell Get Custom Domain Replace Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-replace-cert.md
Title: PowerShell sample - Replace certificate in Azure Active Directory Applica
description: PowerShell example that bulk replaces a certificate across Azure Active Directory (Azure AD) Application Proxy applications. -+
active-directory Powershell Move All Apps To Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-move-all-apps-to-connector-group.md
Title: PowerShell sample - Move Azure Active Directory Application Proxy apps to
description: Azure Active Directory (Azure AD) Application Proxy PowerShell example used to move all applications currently assigned to a connector group to a different connector group. -+
active-directory What Is Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/what-is-application-proxy.md
Title: Publish on-premises apps with Azure Active Directory Application Proxy
description: Understand why to use Application Proxy to publish on-premises web applications externally to remote users. Learn about Application Proxy architecture, connectors, authentication methods, and security benefits. -+
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/whats-new-docs.md
-+ # Azure Active Directory application proxy: What's new
active-directory Concept Authentication Methods https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-methods.md
Previously updated : 07/01/2021 Last updated : 08/17/2022
active-directory Concept Resilient Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-resilient-controls.md
Previously updated : 05/04/2022 Last updated : 08/17/2022
active-directory Concept Sspr Howitworks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-howitworks.md
Previously updated : 06/14/2021 Last updated : 08/17/2022
active-directory Howto Mfa Userdevicesettings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md
Previously updated : 11/04/2020 Last updated : 08/17/2022
active-directory Howto Mfa Userstates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userstates.md
Previously updated : 06/01/2022 Last updated : 08/17/2022
active-directory Howto Password Ban Bad On Premises Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md
Previously updated : 03/05/2020 Last updated : 08/17/2022
active-directory Troubleshoot Sspr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-sspr.md
Previously updated : 06/28/2021 Last updated : 08/17/2022
active-directory Msal Net Token Cache Serialization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-token-cache-serialization.md
Here are examples of possible distributed caches:
services.Configure<MsalDistributedTokenCacheAdapterOptions>(options => { // Optional: Disable the L1 cache in apps that don't use session affinity
- // by setting DisableL1Cache to 'false'.
+ // by setting DisableL1Cache to 'true'.
options.DisableL1Cache = false; // Or limit the memory (by default, this is 500 MB)
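Review bot: the corrected comment now says the L1 cache is disabled "by setting DisableL1Cache to 'true'", but the line that follows still reads `options.DisableL1Cache = false;`, so the snippet as shown keeps the L1 cache on and the reader is left to reconcile a comment that says 'true' with code that sets 'false'. If the assignment is meant to show the default, say so in the comment (for example `// default: false, L1 cache enabled`); if it is meant to show the opt-out for apps without session affinity, the assignment should be `true`.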
active-directory Single Page App Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-quickstart.md
Title: "Quickstart: Sign in users in single-page apps (SPA) with auth code"
+ Title: "Quickstart: Sign in users in single-page apps (SPA) with authorization code"
description: In this quickstart, learn how a JavaScript single-page application (SPA) can sign in users of personal accounts, work accounts, and school accounts by using the authorization code flow.
Previously updated : 12/06/2021 Last updated : 08/17/2022 zone_pivot_groups: single-page-app-quickstart #Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my single-page app can sign in users of personal accounts, work accounts, and school accounts.
-# Quickstart: Sign in users in single-page apps (SPA) via the auth code flow
+# Quickstart: Sign in users in single-page apps (SPA) via the authorization code flow
::: zone pivot="devlang-angular" [!INCLUDE [angular](./includes/single-page-app/quickstart-angular.md)]
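Review bot: the title and H1 are renamed here from "auth code" to "authorization code", which matches the description and customer-intent lines, but the portal-rendered quickstart files added in the same update (Angular, React and JavaScript) keep "auth code" in their titles and H1s; use the same term across all four files, or state once that "auth code" is the intended short form.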
active-directory Spa Quickstart Portal Javascript Auth Code Angular https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/spa-quickstart-portal-javascript-auth-code-angular.md
+
+ Title: "Quickstart: Sign in users in JavaScript Angular single-page apps (SPA) with auth code and call Microsoft Graph"
+description: In this quickstart, learn how a JavaScript Angular single-page application (SPA) can sign in users of personal accounts, work accounts, and school accounts by using the authorization code flow and call Microsoft Graph.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my JavaScript Angular app can sign in users of personal accounts, work accounts, and school accounts.
++
+# Quickstart: Sign in and get an access token in an Angular SPA using the auth code flow
++
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: Angular single-page app with user sign-in](single-page-app-quickstart.md?pivots=devlang-angular)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Sign in and get an access token in an Angular SPA using the auth code flow
+>
+> In this quickstart, you download and run a code sample that demonstrates how a JavaScript Angular single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow. The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.
+>
+> See [How the sample works](#how-the-sample-works) for an illustration.
+>
+> This quickstart uses MSAL Angular v2 with the authorization code flow.
+>
+> ## Prerequisites
+>
+> * Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)
+> * [Node.js](https://nodejs.org/en/download/)
+> * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+>
+> #### Step 1: Configure your application in the Azure portal
+> For the code sample in this quickstart to work, add a **Redirect URI** of `http://localhost:4200/`.
+>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-javascript/green-check.png) Your application is configured with these attributes.
+>
+> #### Step 2: Download the project
+>
+> Run the project with a web server by using Node.js
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> > [!div class="sxs-lookup"]
+> > > [!NOTE]
+> > > `Enter_the_Supported_Account_Info_Here`
+>
+>
+> #### Step 3: Your app is configured and ready to run
+>
+> We have configured your project with values of your app's properties.
+>
+> #### Step 4: Run the project
+>
+> Run the project with a web server by using Node.js:
+>
+> 1. To start the server, run the following commands from within the project directory:
+> ```console
+> npm install
+> npm start
+> ```
+> 1. Browse to `http://localhost:4200/`.
+>
+> 1. Select **Login** to start the sign-in process and then call the Microsoft Graph API.
+>
+> The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, click the **Profile** button to display your user information on the page.
+>
+> ## More information
+>
+> ### How the sample works
+>
+> ![Diagram showing the authorization code flow for a single-page application.](media/quickstart-v2-javascript-auth-code/diagram-01-auth-code-flow.png)
+>
+> ### msal.js
+>
+> The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.
+>
+> If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):
+>
+> ```console
+> npm install @azure/msal-browser @azure/msal-angular@2
+> ```
+>
+> ## Next steps
+>
+> For a detailed step-by-step guide on building the auth code flow application using vanilla JavaScript, see the following tutorial:
+>
+> > [!div class="nextstepaction"]
+> > [Tutorial: Sign in users and call Microsoft Graph](./tutorial-v2-javascript-auth-code.md)
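Review bot: the Next steps section of this Angular quickstart points to the vanilla JavaScript tutorial (`./tutorial-v2-javascript-auth-code.md`) and says so in its lead-in; a reader who has just run an MSAL Angular v2 sample will expect the Angular follow-on, so either link an Angular tutorial or explain why the vanilla JavaScript one is the next step. Two smaller points in the same hunk: "Step 2: Download the project" carries the sentence "Run the project with a web server by using Node.js", which belongs to Step 4 where it is repeated, and the headings jump from `## Prerequisites` to `#### Step 1`, skipping a level, whereas the JavaScript file uses `###` for its steps.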
active-directory Spa Quickstart Portal Javascript Auth Code React https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/spa-quickstart-portal-javascript-auth-code-react.md
+
+ Title: "Quickstart: Sign in users in JavaScript React single-page apps (SPA) with auth code and call Microsoft Graph"
+description: In this quickstart, learn how a JavaScript React single-page application (SPA) can sign in users of personal accounts, work accounts, and school accounts by using the authorization code flow and call Microsoft Graph.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an app developer, I want to learn how to login, logout, conditionally render components to authenticated users, and acquire an access token for a protected resource such as Microsoft Graph by using the Microsoft identity platform so that my JavaScript React app can sign in users of personal accounts, work accounts, and school accounts.
+
+> # Quickstart: Sign in and get an access token in a React SPA using the auth code flow
++
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: React single-page app with user sign-in](single-page-app-quickstart.md?pivots=devlang-react)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Sign in and get an access token in a React SPA using the auth code flow
+> In this quickstart, you download and run a code sample that demonstrates how a JavaScript React single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow. The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.
+>
+> See [How the sample works](#how-the-sample-works) for an illustration.
+>
+> ## Prerequisites
+>
+> * Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)
+> * [Node.js](https://nodejs.org/en/download/)
+> * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+>
+> #### Step 1: Configure your application in the Azure portal
+>
+> This code samples requires a **Redirect URI** of `http://localhost:3000/`.
+>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-javascript/green-check.png) Your application is configured with these attributes.
+>
+> #### Step 2: Download the project
+>
+> Run the project with a web server by using Node.js
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> > [!div class="sxs-lookup"]
+> > > [!NOTE]
+> > > `Enter_the_Supported_Account_Info_Here`
+>
+>
+> #### Step 3: Your app is configured and ready to run
+> We have configured your project with values of your app's properties.
+>
+> #### Step 4: Run the project
+>
+> Run the project with a web server by using Node.js:
+>
+> 1. To start the server, run the following commands from within the project directory:
+> ```console
+> npm install
+> npm start
+> ```
+> 1. Browse to `http://localhost:3000/`.
+>
+> 1. Select **Sign In** to start the sign-in process and then call the Microsoft Graph API.
+>
+> The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, click on the **Request Profile Information** to display your profile information on the page.
+>
+> ## More information
+>
+> ### How the sample works
+>
+> ![Diagram showing the authorization code flow for a single-page application.](media/quickstart-v2-javascript-auth-code/diagram-01-auth-code-flow.png)
+>
+> ### msal.js
+>
+> The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.
+>
+> If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):
+>
+> ```console
+> npm install @azure/msal-browser @azure/msal-react
+> ```
+>
+> ## Next steps
+>
+> Next, try a step-by-step tutorial to learn how to build a React SPA from scratch that signs in users and calls the > Microsoft Graph API to get user profile data:
+>
+> > [!div class="nextstepaction"]
+> > [Tutorial: Sign in users and call Microsoft Graph from a React single-page app](tutorial-v2-react.md)
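Review bot: the first H1 (`+> # Quickstart: Sign in and get an access token in a React SPA using the auth code flow`) sits inside a bare blockquote with no `[!div renderon=...]` directive, unlike the Angular and JavaScript files where the same H1 is unquoted, so it will render as a quoted heading on both docs and portal; drop the leading `>`. Also, "This code samples requires a **Redirect URI**" should read "This code sample requires", the "Run the project with a web server by using Node.js" sentence under Step 2 duplicates Step 4, and the Next steps sentence has a stray `>` in the middle ("calls the > Microsoft Graph API").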
active-directory Spa Quickstart Portal Javascript Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/spa-quickstart-portal-javascript-auth-code.md
+
+ Title: "Quickstart: Sign in users in JavaScript single-page apps (SPA) with auth code"
+description: In this quickstart, learn how a JavaScript single-page application (SPA) can sign in users of personal accounts, work accounts, and school accounts by using the authorization code flow.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
++
+# Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow with PKCE
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: JavaScript single-page app with user sign-in](single-page-app-quickstart.md?pivots=devlang-javascript)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow with PKCE
+>
+> In this quickstart, you download and run a code sample that demonstrates how a JavaScript single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow with Proof Key for Code Exchange (PKCE). The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.
+>
+> See [How the sample works](#how-the-sample-works) for an illustration.
+>
+> ## Prerequisites
+>
+> * Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)
+> * [Node.js](https://nodejs.org/en/download/)
+> * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+>
+>
+> ### Step 1: Configure your application in the Azure portal
+> For the code sample in this quickstart to work, add a **Redirect URI** of `http://localhost:3000/`.
+>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-javascript/green-check.png) Your application is configured with these attributes.
+>
+> ### Step 2: Download the project
+>
+> Run the project with a web server by using Node.js
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> > [!div class="sxs-lookup"]
+> > > [!NOTE]
+> > > `Enter_the_Supported_Account_Info_Here`
+>
+> #### Step 3: Your app is configured and ready to run
+>
+> We have configured your project with values of your app's properties.
+>
+> Run the project with a web server by using Node.js.
+>
+> 1. To start the server, run the following commands from within the project directory:
+>
+> ```console
+> npm install
+> npm start
+> ```
+>
+> 1. Go to `http://localhost:3000/`.
+>
+> 1. Select **Sign In** to start the sign-in process and then call the Microsoft Graph API.
+>
+> The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, your user profile information is displayed on the page.
+>
+> ## More information
+>
+> ### How the sample works
+>
+> ![Diagram showing the authorization code flow for a single-page application.](media/quickstart-v2-javascript-auth-code/diagram-01-auth-code-flow.png)
+>
+> ### MSAL.js
+>
+> The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by Microsoft > identity platform. The sample's *https://docsupdatetracker.net/index.html* file contains a reference to the library:
+>
+> ```html
+> <script type="text/javascript" src="https://alcdn.msauth.net/browser/2.0.0-beta.0/js/msal-browser.js" integrity=
+> "sha384-r7Qxfs6PYHyfoBR6zG62DGzptfLBxnREThAlcJyEfzJ4dq5rqExc1Xj3TPFE/9TH" crossorigin="anonymous"></script>
+> ```
+>
+> If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):
+>
+> ```console
+> npm install @azure/msal-browser
+> ```
+>
+> ## Next steps
+>
+> For a more detailed step-by-step guide on building the application used in this quickstart, see the following tutorial:
+>
+> > [!div class="nextstepaction"]
+> > [Tutorial: Sign in users and call Microsoft Graph](./tutorial-v2-javascript-auth-code.md)
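Review bot: in the MSAL.js section the sentence "protected by Microsoft > identity platform" has a stray `>`, and the file reference reads `*https://docsupdatetracker.net/index.html*` where the sample's own `index.html` is meant; both need fixing. The `<script>` snippet also pins `msal-browser` at `2.0.0-beta.0` from the CDN with an SRI `integrity` hash while the next paragraph tells the reader to install "the latest version" via npm; if the snippet is moved to a released version, the `integrity` value must be regenerated for that exact file, because a stale hash makes the browser refuse to load the script. Heading levels are mixed as well: Steps 1 and 2 are `###` but Step 3 is `####`.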
active-directory Web Api Quickstart Portal Aspnet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-quickstart-portal-aspnet-core.md
+
+ Title: "Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform"
+description: In this quickstart, you download and modify a code sample that demonstrates how to protect an ASP.NET Core web API by using the Microsoft identity platform for authorization.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an application developer, I want to know how to write an ASP.NET Core web API that uses the Microsoft identity platform to authorize API requests from clients.
++
+# Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart:Protect an ASP.NET Core web API](web-api-quickstart.md?pivots=devlang-aspnet-core)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform
+>
+> In this quickstart, you download an ASP.NET Core web API code sample and review the way it restricts resource access to authorized accounts only. The sample supports authorization of personal Microsoft accounts and accounts in any Azure Active Directory (Azure AD) organization.
+>
+> ## Prerequisites
+>
+> - Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+> - [Azure Active Directory tenant](quickstart-create-new-tenant.md)
+> - [.NET Core SDK 3.1+](https://dotnet.microsoft.com/)
+> - [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)
+>
+> ## Step 1: Register the application
+>
+> First, register the web API in your Azure AD tenant and add a scope by following these steps:
+>
+> 1. Sign in to the [Azure portal](https://portal.azure.com/).
+> 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+> 1. Search for and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. For **Name**, enter a name for your application. For example, enter **AspNetCoreWebApi-Quickstart**. Users of your app will see this name, and you can change it later.
+> 1. Select **Register**.
+> 1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, accept the default by selecting **Save and continue**, and then enter the following details:
+> - **Scope name**: `access_as_user`
+> - **Who can consent?**: **Admins and users**
+> - **Admin consent display name**: `Access AspNetCoreWebApi-Quickstart`
+> - **Admin consent description**: `Allows the app to access AspNetCoreWebApi-Quickstart as the signed-in user.`
+> - **User consent display name**: `Access AspNetCoreWebApi-Quickstart`
+> - **User consent description**: `Allow the application to access AspNetCoreWebApi-Quickstart on your behalf.`
+> - **State**: **Enabled**
+> 1. Select **Add scope** to complete the scope addition.
+>
+> ## Step 2: Download the ASP.NET Core project
+>
+> [Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/archive/aspnetcore3-1.zip) from GitHub.
+>
+> [!INCLUDE [active-directory-develop-path-length-tip](../../../includes/active-directory-develop-path-length-tip.md)]
+>
+> ## Step 3: Configure the ASP.NET Core project
+>
+> In this step, configure the sample code to work with the app registration that you created earlier.
+>
+> 1. Extract the .zip archive into a folder near the root of your drive. For example, extract into *C:\Azure-Samples*.
+>
+> We recommend extracting the archive into a directory near the root of your drive to avoid errors caused by path length limitations on Windows.
+>
+> 1. Open the solution in the *webapi* folder in your code editor.
+> 1. Open the *appsettings.json* file and modify the following code:
+>
+> ```json
+> "ClientId": "Enter_the_Application_Id_here",
+> "TenantId": "Enter_the_Tenant_Info_Here"
+> ```
+>
+> - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered in the Azure portal. You can find the application (client) ID on the app's **Overview** page.
+> - Replace `Enter_the_Tenant_Info_Here` with one of the following:
+> - If your application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or tenant name (for example, `contoso.onmicrosoft.com`). You can find the directory (tenant) ID on the app's **Overview** page.
+> - If your application supports **Accounts in any organizational directory**, replace this value with `organizations`.
+> - If your application supports **All Microsoft account users**, leave this value as `common`.
+>
+> For this quickstart, don't change any other values in the *appsettings.json* file.
+>
+> ## How the sample works
+>
+> The web API receives a token from a client application, and the code in the web API validates the token. This scenario is explained in more detail in [Scenario: Protected web API](scenario-protected-web-api-overview.md).
+>
+> ### Startup class
+>
+> The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that's executed when the hosting process starts. In its `ConfigureServices` method, the `AddMicrosoftIdentityWebApi` extension method provided by *Microsoft.Identity.Web* is called.
+>
+> ```csharp
+> public void ConfigureServices(IServiceCollection services)
+> {
+> services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+> .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
+> }
+> ```
+>
+> The `AddAuthentication()` method configures the service to add JwtBearer-based authentication.
+>
+> The line that contains `.AddMicrosoftIdentityWebApi` adds the Microsoft identity platform authorization to your web API. It's then configured to validate access tokens issued by the Microsoft identity platform based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
+>
+> | *appsettings.json* key | Description |
+> ||-|
+> | `ClientId` | Application (client) ID of the application registered in the Azure portal. |
+> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
+> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |
+>
+> The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality:
+>
+> ```csharp
+> // The runtime calls this method. Use this method to configure the HTTP request pipeline.
+> public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+> {
+> // more code
+> app.UseAuthentication();
+> app.UseAuthorization();
+> // more code
+> }
+> ```
+>
+> ### Protecting a controller, a controller's method, or a Razor page
+>
+> You can protect a controller or controller methods by using the `[Authorize]` attribute. This attribute restricts access to the controller or methods by allowing only authenticated users. An authentication challenge can be started to access the controller if the user isn't authenticated.
+>
+> ```csharp
+> namespace webapi.Controllers
+> {
+> [Authorize]
+> [ApiController]
+> [Route("[controller]")]
+> public class WeatherForecastController : ControllerBase
+> ```
+>
+> ### Validation of scope in the controller
+>
+> The code in the API verifies that the required scopes are in the token by using `HttpContext.VerifyUserHasAnyAcceptedScope> (scopeRequiredByApi);`:
+>
+> ```csharp
+> namespace webapi.Controllers
+> {
+> [Authorize]
+> [ApiController]
+> [Route("[controller]")]
+> public class WeatherForecastController : ControllerBase
+> {
+> // The web API will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
+> static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };
+>
+> [HttpGet]
+> public IEnumerable<WeatherForecast> Get()
+> {
+> HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+>
+> // some code here
+> }
+> }
+> }
+> ```
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+>
+> The GitHub repository that contains this ASP.NET Core web API code sample includes instructions and more code samples that show you how to:
+>
+> - Add authentication to a new ASP.NET Core web API.
+> - Call the web API from a desktop application.
+> - Call downstream APIs like Microsoft Graph and other Microsoft APIs.
+>
+> > [!div class="nextstepaction"]
+> > [ASP.NET Core web API tutorials on GitHub](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2)
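Review bot: Step 3's `TenantId` guidance is internally inconsistent: the appsettings.json snippet shows the placeholder `"TenantId": "Enter_the_Tenant_Info_Here"`, yet the third bullet says "If your application supports **All Microsoft account users**, leave this value as `common`", which the reader cannot do because the value is not `common` to begin with; it should read "replace this value with `common`". Two smaller items in the same region: the inline code in "verifies that the required scopes are in the token by using `HttpContext.VerifyUserHasAnyAcceptedScope> (scopeRequiredByApi);`" has a stray `> ` inside the method call and should match the fenced sample below it, `HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);`; and the prose refers to the `AzureAD` section of appsettings.json while the code calls `.AddMicrosoftIdentityWebApi(Configuration, "AzureAd")`, so the two spellings should be aligned. Finally, "An authentication challenge can be started to access the controller if the user isn't authenticated" is web-app wording carried into a bearer-token API: with the JwtBearer scheme registered in `ConfigureServices`, an unauthenticated request receives a 401 response rather than an interactive sign-in, which is what a reader of a web API quickstart needs to be told.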
active-directory Web Api Quickstart Portal Dotnet Native Aspnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-quickstart-portal-dotnet-native-aspnet.md
+
+ Title: "Quickstart: Call an ASP.NET web API that is protected by the Microsoft identity platform"
+description: In this quickstart, learn how to call an ASP.NET web API that's protected by the Microsoft identity platform from a Windows Desktop (WPF) application.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an application developer, I want to know how to set up OpenId Connect authentication in a web application that's built by using Node.js with Express.
++
+# Quickstart: Call an ASP.NET web API that's protected by Microsoft identity platform
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: Call a protected ASP.NET web API](web-api-quickstart.md?pivots=devlang-aspnet)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Call an ASP.NET web API that's protected by Microsoft identity platform
+>
+> In this quickstart, you download and run a code sample that demonstrates how to protect an ASP.NET web API by restricting access to its resources to authorized accounts only. The sample supports authorization of personal Microsoft accounts and accounts in any Azure Active Directory (Azure AD) organization.
+>
+> The article also uses a Windows Presentation Foundation (WPF) app to demonstrate how you can request an access token to access a web API.
+>
+> ## Prerequisites
+>
+> * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+> * Visual Studio 2017 or 2019. Download [Visual Studio for free](https://www.visualstudio.com/downloads/).
+>
+> ## Clone or download the sample
+>
+> You can obtain the sample in either of two ways:
+>
+> * Clone it from your shell or command line:
+>
+> ```console
+> git clone https://github.com/AzureADQuickStarts/AppModelv2-NativeClient-DotNet.git
+> ```
+>
+> * [Download it as a ZIP file](https://github.com/AzureADQuickStarts/AppModelv2-NativeClient-DotNet/archive/complete.zip).
+>
+> [!INCLUDE [active-directory-develop-path-length-tip](../../../includes/active-directory-develop-path-length-tip.md)]
+>
+> ## Register the web API (TodoListService)
+>
+> Register your web API in **App registrations** in the Azure portal.
+>
+> 1. Sign in to the [Azure portal](https://portal.azure.com/).
+> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
+> 1. Find and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Enter a **Name** for your application, for example `AppModelv2-NativeClient-DotNet-TodoListService`. Users of your app might see this name, and you can change it later.
+> 1. For **Supported account types**, select **Accounts in any organizational directory**.
+> 1. Select **Register** to create the application.
+> 1. On the app **Overview** page, look for the **Application (client) ID** value, and then record it for later use. You'll need it to configure the Visual Studio configuration file for this project (that is, `ClientId` in the *TodoListService\Web.config* file).
+> 1. Under **Manage**, select **Expose an API** > **Add a scope**. Accept the proposed Application ID URI (`api://{clientId}> `) by selecting **Save and continue**, and then enter the following information:
+>
+> 1. For **Scope name**, enter `access_as_user`.
+> 1. For **Who can consent**, ensure that the **Admins and users** option is selected.
+> 1. In the **Admin consent display name** box, enter `Access TodoListService as a user`.
+> 1. In the **Admin consent description** box, enter `Accesses the TodoListService web API as a user`.
+> 1. In the **User consent display name** box, enter `Access TodoListService as a user`.
+> 1. In the **User consent description** box, enter `Accesses the TodoListService web API as a user`.
+> 1. For **State**, keep **Enabled**.
+> 1. Select **Add scope**.
+>
+> ### Configure the service project
+>
+> Configure the service project to match the registered web API.
+>
+> 1. Open the solution in Visual Studio, and then open the *Web.config* file under the root of the TodoListService project.
+>
+> 1. Replace the value of the `ida:ClientId` parameter with the Client ID (Application ID) value from the application you registered in the **App registrations** portal.
+>
+> ### Add the new scope to the app.config file
+>
+> To add the new scope to the TodoListClient *app.config* file, follow these steps:
+>
+> 1. In the TodoListClient project root folder, open the *app.config* file.
+>
+> 1. Paste the Application ID from the application that you registered for your TodoListService project in the `TodoListServiceScope` parameter, replacing the `{Enter the Application ID of your TodoListService from the app registration portal}` string.
+>
+> > [!NOTE]
+> > Make sure that the Application ID uses the following format: `api://{TodoListService-Application-ID}/access_as_user` (where `{TodoListService-Application-ID}` is the GUID representing the Application ID for your TodoListService app).
+>
+> ## Register the web app (TodoListClient)
+>
+> Register your TodoListClient app in **App registrations** in the Azure portal, and then configure the code in the TodoListClient project. If the client and server are considered the same application, you can reuse the application that's registered in step 2. Use the same application if you want users to sign in with a personal Microsoft account.
+>
+> ### Register the app
+>
+> To register the TodoListClient app, follow these steps:
+>
+> 1. Go to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
+> 1. Select **New registration**.
+> 1. When the **Register an application page** opens, enter your application's registration information:
+>
+> 1. In the **Name** section, enter a meaningful application name that will be displayed to users of the app (for example, **NativeClient-DotNet-TodoListClient**).
+> 1. For **Supported account types**, select **Accounts in any organizational directory**.
+> 1. Select **Register** to create the application.
+>
+> > [!NOTE]
+> > In the TodoListClient project *app.config* file, the default value of `ida:Tenant` is set to `common`. The possible values are:
+> >
+> > - `common`: You can sign in by using a work or school account or a personal Microsoft account (because you selected **Accounts in any organizational directory** in a previous step).
+> > - `organizations`: You can sign in by using a work or school account.
+> > - `consumers`: You can sign in only by using a Microsoft personal account.
+>
+> 1. On the app **Overview** page, select **Authentication**, and then complete these steps to add a platform:
+>
+> 1. Under **Platform configurations**, select the **Add a platform** button.
+> 1. For **Mobile and desktop applications**, select **Mobile and desktop applications**.
+> 1. For **Redirect URIs**, select the `https://login.microsoftonline.com/common/oauth2/nativeclient` check box.
+> 1. Select **Configure**.
+>
+> 1. Select **API permissions**, and then complete these steps to add permissions:
+>
+> 1. Select the **Add a permission** button.
+> 1. Select the **My APIs** tab.
+> 1. In the list of APIs, select **AppModelv2-NativeClient-DotNet-TodoListService API** or the name you entered for the web API.
+> 1. Select the **access_as_user** permission check box if it's not already selected. Use the Search box if necessary.
+> 1. Select the **Add permissions** button.
+>
+> ### Configure your project
+>
+> Configure your TodoListClient project by adding the Application ID to the *app.config* file.
+>
+> 1. In the **App registrations** portal, on the **Overview** page, copy the value of the **Application (client) ID**.
+>
+> 1. From the TodoListClient project root folder, open the *app.config* file, and then paste the Application ID value in the `ida:ClientId` parameter.
+>
+> ## Run your projects
+>
+> Start both projects. If you are using Visual Studio:
+>
+> 1. Right click on the Visual Studio solution and select **Properties**
+>
+> 1. In the **Common Properties** select **Startup Project** and then **Multiple startup projects**.
+>
+> 1. For both projects choose **Start** as the action
+>
+> 1. Ensure the TodoListService service starts first by moving it to the fist position in the list, using the up arrow.
+>
+> Sign in to run your TodoListClient project.
+>
+> 1. Press F5 to start the projects. The service page opens, as well as the desktop application.
+>
+> 1. In the TodoListClient, at the upper right, select **Sign in**, and then sign in with the same credentials you used to register your application, or sign in as a user in the same directory.
+>
+> If you're signing in for the first time, you might be prompted to consent to the TodoListService web API.
+>
+> To help you access the TodoListService web API and manipulate the *To-Do* list, the sign-in also requests an access token to the *access_as_user* scope.
+>
+> ## Pre-authorize your client application
+>
+> You can allow users from other directories to access your web API by pre-authorizing the client application to access your web API. You do this by adding the Application ID from the client app to the list of pre-authorized applications for your web API. By adding a pre-authorized client, you're allowing users to access your web API without having to provide consent.
+>
+> 1. In the **App registrations** portal, open the properties of your TodoListService app.
+> 1. In the **Expose an API** section, under **Authorized client applications**, select **Add a client application**.
+> 1. In the **Client ID** box, paste the Application ID of the TodoListClient app.
+> 1. In the **Authorized scopes** section, select the scope for the `api://<Application ID>/access_as_user` web API.
+> 1. Select **Add application**.
+>
+> ### Run your project
+>
+> 1. Press <kbd>F5</kbd> to run your project. Your TodoListClient app opens.
+> 1. At the upper right, select **Sign in**, and then sign in by using a personal Microsoft account, such as a *live.com* or *hotmail.com* account, or a work or school account.
+>
+> ## Optional: Limit sign-in access to certain users
+>
+> By default, any personal accounts, such as *outlook.com* or *live.com* accounts, or work or school accounts from organizations that are integrated with Azure AD can request tokens and access your web API.
+>
+> To specify who can sign in to your application, use one of the following options:
+>
+> ### Option 1: Limit access to a single organization (single tenant)
+>
+> You can limit sign-in access to your application to user accounts that are in a single Azure AD tenant, including guest accounts of that tenant. This scenario is common for line-of-business applications.
+>
+> 1. Open the *App_Start\Startup.Auth* file, and then change the value of the metadata endpoint that's passed into the `OpenIdConnectSecurityTokenProvider` to `https://login.microsoftonline.com/{Tenant ID}/v2.0/.well-known/openid-configuration`. You can also use the tenant name, such as `contoso.onmicrosoft.com`.
+> 1. In the same file, set the `ValidIssuer` property on the `TokenValidationParameters` to `https://sts.windows.net/{Tenant ID}/`, and set the `ValidateIssuer` argument to `true`.
+>
+> ### Option 2: Use a custom method to validate issuers
+>
+> You can implement a custom method to validate issuers by using the `IssuerValidator` parameter. For more information about this parameter, see [TokenValidationParameters class](/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters).
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+>
+> Learn more about the protected web API scenario that the Microsoft identity platform supports.
+> > [!div class="nextstepaction"]
+> > [Protected web API scenario](scenario-protected-web-api-overview.md)
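Review bot: The supported-account-type guidance contradicts itself in a way that affects who can call the API. Both registrations instruct "For **Supported account types**, select **Accounts in any organizational directory**", which excludes personal Microsoft accounts, yet the intro says the sample "supports authorization of personal Microsoft accounts", the `ida:Tenant` note says `common` lets users sign in with "a personal Microsoft account (because you selected **Accounts in any organizational directory** in a previous step)", and the last run step tells the reader to sign in with a live.com or hotmail.com account. Either the registrations should select the option that includes personal accounts, or the `common` explanation and the personal-account sign-in instructions should be changed to match `organizations`. Other items: the `#Customer intent` line ("set up OpenId Connect authentication in a web application that's built by using Node.js with Express") was copied from a different article and does not describe this WPF-plus-ASP.NET quickstart; "Accept the proposed Application ID URI (`api://{clientId}> `)" has a stray `> ` inside the code span; "you can reuse the application that's registered in step 2" points at a step number this article's named sections do not have; and "moving it to the fist position" should be "first". In "Option 1", it would help to state why `ValidIssuer` is `https://sts.windows.net/{Tenant ID}/` while the metadata endpoint is the `v2.0` discovery document, because readers comparing the two URLs will otherwise assume one of them is a typo.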
active-directory Web App Quickstart Portal Aspnet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-aspnet-core.md
+
+ Title: "Quickstart: Add sign-in with Microsoft Identity to an ASP.NET Core web app"
+description: In this quickstart, you learn how an app implements Microsoft sign-in on an ASP.NET Core web app by using OpenID Connect
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an application developer, I want to know how to write an ASP.NET Core web app that can sign in personal accounts, as well as work and school accounts, from any Azure Active Directory instance.
++
+# Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app
++
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: ASP.NET Core web app with user sign-in](web-app-quickstart.md?pivots=devlang-aspnet-core)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app
+>
+> In this quickstart, you download and run a code sample that demonstrates how an ASP.NET Core web app can sign in users from any Azure Active Directory (Azure AD) organization.
+>
+> ### Step 1: Configure your application in the Azure portal
+> For the code sample in this quickstart to work:
+> - For **Redirect URI**, enter **https://localhost:44321/** and **https://localhost:44321/signin-oidc**.
+> - For **Front-channel logout URL**, enter **https://localhost:44321/signout-oidc**.
+>
+> The authorization endpoint will issue request ID tokens.
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-aspnet-webapp/green-check.png) Your application is configured with these attributes.
+>
+> ### Step 2: Download the ASP.NET Core project
+>
+> Run the project.
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> [!INCLUDE [active-directory-develop-path-length-tip](../../../includes/active-directory-develop-path-length-tip.md)]
+>
+>
+> #### Step 3: Your app is configured and ready to run
+> We've configured your project with values of your app's properties, and it's ready to run.
+>
+> > [!NOTE]
+> > `Enter_the_Supported_Account_Info_Here`
+>
+> ## More information
+>
+> This section gives an overview of the code required to sign in users. This overview can be useful to understand how the code works, what the main arguments are, and how to add sign-in to an existing ASP.NET Core application.
+>
+> > [!div class="sxs-lookup"]
+> > ### How the sample works
+> >
+> > ![Diagram of the interaction between the web browser, the web app, and the Microsoft identity platform in the sample app.](media/quickstart-v2-aspnet-core-webapp/aspnetcorewebapp-intro.svg)
+>
+> ### Startup class
+>
+> The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that's run when the hosting process starts:
+>
+> ```csharp
+> public void ConfigureServices(IServiceCollection services)
+> {
+> services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+> .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
+>
+> services.AddControllersWithViews(options =>
+> {
+> var policy = new AuthorizationPolicyBuilder()
+> .RequireAuthenticatedUser()
+> .Build();
+> options.Filters.Add(new AuthorizeFilter(policy));
+> });
+> services.AddRazorPages()
+> .AddMicrosoftIdentityUI();
+> }
+> ```
+>
+> The `AddAuthentication()` method configures the service to add cookie-based authentication. This authentication is used in browser scenarios and to set the challenge to OpenID Connect.
+>
+> The line that contains `.AddMicrosoftIdentityWebApp` adds Microsoft identity platform authentication to your application. The application is then configured to sign in users based on the following information in the `AzureAD` section of the *appsettings.json* configuration file:
+>
+> | *appsettings.json* key | Description |
+> ||-|
+> | `ClientId` | Application (client) ID of the application registered in the Azure portal. |
+> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
+> | `TenantId` | Name of your tenant or the tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |
+>
+> The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality. Also in the `Configure()` method, you must register Microsoft Identity Web routes with at least one call to `endpoints.MapControllerRoute()` or a call to `endpoints.MapControllers()`:
+>
+> ```csharp
+> app.UseAuthentication();
+> app.UseAuthorization();
+>
+> app.UseEndpoints(endpoints =>
+> {
+> endpoints.MapControllerRoute(
+> name: "default",
+> pattern: "{controller=Home}/{action=Index}/{id?}");
+> endpoints.MapRazorPages();
+> });
+> ```
+>
+> ### Attribute for protecting a controller or methods
+>
+> You can protect a controller or controller methods by using the `[Authorize]` attribute. This attribute restricts access to the controller or methods by allowing only authenticated users. An authentication challenge can then be started to access the controller if the user isn't authenticated.
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+>
+> The GitHub repo that contains this ASP.NET Core tutorial includes instructions and more code samples that show you how to:
+>
+> - Add authentication to a new ASP.NET Core web application.
+> - Call Microsoft Graph, other Microsoft APIs, or your own web APIs.
+> - Add authorization.
+> - Sign in users in national clouds or with social identities.
+>
+> > [!div class="nextstepaction"]
+> > [ASP.NET Core web app tutorials on GitHub](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/)
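Review bot: The "Attribute for protecting a controller or methods" section tells the reader to protect controllers with `[Authorize]`, but the `ConfigureServices` code above it already installs a global policy (`new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()` added through `options.Filters.Add(new AuthorizeFilter(policy))`), so every controller action in the sample is authenticated-only by default and a bare `[Authorize]` on a controller is redundant; the section should say so, and should name `[AllowAnonymous]` as the attribute needed to expose a public action. Also: "The authorization endpoint will issue request ID tokens." is garbled (either "will issue ID tokens" or "will be used to request ID tokens"); the text says `AddAuthentication()` "configures the service to add cookie-based authentication" while the code passes `OpenIdConnectDefaults.AuthenticationScheme`, so a sentence noting that `AddMicrosoftIdentityWebApp` registers the cookie scheme alongside OpenID Connect would reconcile the two; and the prose names the `AzureAD` section while the code reads `Configuration.GetSection("AzureAd")`.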
active-directory Web App Quickstart Portal Aspnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-aspnet.md
+
+ Title: "Quickstart: ASP.NET web app that signs in users"
+description: Download and run a code sample that shows how an ASP.NET web app can sign in Azure AD users.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an application developer, I want to see a sample ASP.NET web app that can sign in Azure AD users.
++
+# Quickstart: ASP.NET web app that signs in Azure AD users
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: ASP.NET web app that signs in users](web-app-quickstart.md?pivots=devlang-aspnet)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: ASP.NET web app that signs in Azure AD users
+>
+> In this quickstart, you download and run a code sample that demonstrates an ASP.NET web application that can sign in users with Azure Active Directory (Azure AD) accounts.
+>
+> #### Step 1: Configure your application in the Azure portal
+> For the code sample in this quickstart to work, enter **https://localhost:44368/** for **Redirect URI**.
+>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-aspnet-webapp/green-check.png) Your application is configured with this attribute.
+>
+> #### Step 2: Download the project
+>
+> Run the project by using Visual Studio 2019.
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> [!INCLUDE [active-directory-develop-path-length-tip](../../../includes/active-directory-develop-path-length-tip.md)]
+>
+>
+> #### Step 3: Your app is configured and ready to run
+> We've configured your project with values of your app's properties.
+>
+> 1. Extract the .zip file to a local folder that's close to the root folder. For example, extract to *C:\Azure-Samples*.
+>
+> We recommend extracting the archive into a directory near the root of your drive to avoid errors caused by path length limitations on Windows.
+> 2. Open the solution in Visual Studio (*AppModelv2-WebApp-OpenIDConnect-DotNet.sln*).
+> 3. Depending on the version of Visual Studio, you might need to right-click the project > **AppModelv2-WebApp-OpenIDConnect-DotNet** and then select **Restore NuGet packages**.
+> 4. Open the Package Manager Console by selecting **View** > **Other Windows** > **Package Manager Console**. Then run `Update-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform -r`.
+>
+> > [!NOTE]
+> > `Enter_the_Supported_Account_Info_Here`
+>
+> ## More information
+>
+> This section gives an overview of the code required to sign in users. This overview can be useful to understand how the code works, what the main arguments are, and how to add sign-in to an existing ASP.NET application.
+>
+>
+> ### How the sample works
+>
+> ![Diagram of the interaction between the web browser, the web app, and the Microsoft identity platform in the sample app.](media/quickstart-v2-aspnet-webapp/aspnetwebapp-intro.svg)
+>
+> ### OWIN middleware NuGet packages
+>
+> You can set up the authentication pipeline with cookie-based authentication by using OpenID Connect in ASP.NET with OWIN middleware packages. You can install these packages by running the following commands in Package Manager Console within Visual Studio:
+>
+> ```powershell
+> Install-Package Microsoft.Owin.Security.OpenIdConnect
+> Install-Package Microsoft.Owin.Security.Cookies
+> Install-Package Microsoft.Owin.Host.SystemWeb
+> ```
+>
+> ### OWIN startup class
+>
+> The OWIN middleware uses a *startup class* that runs when the hosting process starts. In this quickstart, the *startup.cs* file is in the root folder. The following code shows the parameters that this quickstart uses:
+>
+> ```csharp
+> public void Configuration(IAppBuilder app)
+> {
+> app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
+>
+> app.UseCookieAuthentication(new CookieAuthenticationOptions());
+> app.UseOpenIdConnectAuthentication(
+> new OpenIdConnectAuthenticationOptions
+> {
+> // Sets the client ID, authority, and redirect URI as obtained from Web.config
+> ClientId = clientId,
+> Authority = authority,
+> RedirectUri = redirectUri,
+> // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it's using the home page
+> PostLogoutRedirectUri = redirectUri,
+> Scope = OpenIdConnectScope.OpenIdProfile,
+> // ResponseType is set to request the code id_token, which contains basic information about the signed-in user
+> ResponseType = OpenIdConnectResponseType.CodeIdToken,
+> // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
+> // To only allow users from a single organization, set ValidateIssuer to true and the 'tenant' setting in Web.> config to the tenant name
+> // To allow users from only a list of specific organizations, set ValidateIssuer to true and use the ValidIssuers parameter
+> TokenValidationParameters = new TokenValidationParameters()
+> {
+> ValidateIssuer = false // Simplification (see note below)
+> },
+> // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to > the OnAuthenticationFailed method
+> Notifications = new OpenIdConnectAuthenticationNotifications
+> {
+> AuthenticationFailed = OnAuthenticationFailed
+> }
+> }
+> );
+> }
+> ```
+>
+> > |Where | Description |
+> > |||
+> > | `ClientId` | The application ID from the application registered in the Azure portal. |
+> > | `Authority` | The security token service (STS) endpoint for the user to authenticate. It's usually `https://login.microsoftonline.com/{tenant}/v2.0` for the public cloud. In that URL, *{tenant}* is the name of your tenant, your tenant ID, or `common` for a reference to the common endpoint. (The common endpoint is used for multitenant applications.) |
+> > | `RedirectUri` | The URL where users are sent after authentication against the Microsoft identity platform. |
+> > | `PostLogoutRedirectUri` | The URL where users are sent after signing off. |
+> > | `Scope` | The list of scopes being requested, separated by spaces. |
+> > | `ResponseType` | The request that the response from authentication contains an authorization code and an ID token. |
+> > | `TokenValidationParameters` | A list of parameters for token validation. In this case, `ValidateIssuer` is set to `false` to indicate that it can accept sign-ins from any personal, work, or school account type. |
+> > | `Notifications` | A list of delegates that can be run on `OpenIdConnect` messages. |
+>
+>
+> > [!NOTE]
+> > Setting `ValidateIssuer = false` is a simplification for this quickstart. In real applications, validate the issuer. See the samples to understand how to do that.
+>
+> ### Authentication challenge
+>
+> You can force a user to sign in by requesting an authentication challenge in your controller:
+>
+> ```csharp
+> public void SignIn()
+> {
+> if (!Request.IsAuthenticated)
+> {
+> HttpContext.GetOwinContext().Authentication.Challenge(
+> new AuthenticationProperties{ RedirectUri = "/" },
+> OpenIdConnectAuthenticationDefaults.AuthenticationType);
+> }
+> }
+> ```
+>
+> > [!TIP]
+> > Requesting an authentication challenge by using this method is optional. You'd normally use it when you want a view to be accessible from both authenticated and unauthenticated users. Alternatively, you can protect controllers by using the method described in the next section.
+>
+> ### Attribute for protecting a controller or a controller actions
+>
+> You can protect a controller or controller actions by using the `[Authorize]` attribute. This attribute restricts access to the controller or actions by allowing only authenticated users to access the actions in the controller. An authentication challenge will then happen automatically when an unauthenticated user tries to access one of the actions or controllers decorated by the `[Authorize]` attribute.
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+>
+> For a complete step-by-step guide on building applications and new features, including a full explanation of this quickstart, try out the ASP.NET tutorial.
+>
+> > [!div class="nextstepaction"]
+> > [Add sign-in to an ASP.NET web app](tutorial-v2-asp-webapp.md)
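Review bot: The parameter table under the startup code has a broken separator row, `|||`, which Markdown will not render as a header divider; it should be `|---|---|`. Two comment lines inside the `Configuration` block carry a stray `> ` from line wrapping (`Web.> config` and `to > the OnAuthenticationFailed method`), so the quoted code no longer matches the sample's source; join them back into `Web.config` and `to the OnAuthenticationFailed method`. On the security point, `ValidateIssuer = false` is only called out as a simplification in the note after the table, while the block above it is what readers copy into `Startup.cs`; consider stating the production expectation directly in the comment at `ValidateIssuer = false // Simplification (see note below)`, namely `ValidateIssuer = true` with the tenant, or `ValidIssuers` for a list, both of which the comments just above already describe. Minor: the heading `Attribute for protecting a controller or a controller actions` should read `controller actions` without the article.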
active-directory Web App Quickstart Portal Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-java.md
+
+ Title: "Quickstart: Add sign-in with Microsoft to a Java web app"
+description: In this quickstart, you'll learn how to add sign-in with Microsoft to a Java web application by using OpenID Connect.
+++++++ Last updated : 08/16/2022++++
+# Quickstart: Add sign-in with Microsoft to a Java web app
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: Java web app with user sign-in](web-app-quickstart.md?pivots=devlang-java)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> > [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Add sign-in with Microsoft to a Java web app
+>
+> In this quickstart, you download and run a code sample that demonstrates how a Java web application can sign in users and call the Microsoft Graph API. Users from any Azure Active Directory (Azure AD) organization can sign in to the application.
+>
+> For an overview, see the [diagram of how the sample works](#how-the-sample-works).
+>
+> ## Prerequisites
+>
+> To run this sample, you need:
+>
+> - [Java Development Kit (JDK)](https://openjdk.java.net/) 8 or later.
+> - [Maven](https://maven.apache.org/).
+>
+>
+> #### Step 1: Configure your application in the Azure portal
+>
+> To use the code sample in this quickstart:
+>
+> 1. Add reply URLs `https://localhost:8443/msal4jsample/secure/aad` and `https://localhost:8443/msal4jsample/graph/me`.
+> 1. Create a client secret.
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-aspnet-webapp/green-check.png) Your application is configured with these attributes.
+>
+> #### Step 2: Download the code sample
+>
+> Download the project and extract the .zip file into a folder near the root of your drive. For example, *C:\Azure-Samples*.
+>
+> To use HTTPS with localhost, provide the `server.ssl.key` properties. To generate a self-signed certificate, use the keytool utility (included in JRE).
+>
+> Here's an example:
+> ```
+> keytool -genkeypair -alias testCert -keyalg RSA -storetype PKCS12 -keystore keystore.p12 -storepass password
+>
+> server.ssl.key-store-type=PKCS12
+> server.ssl.key-store=classpath:keystore.p12
+> server.ssl.key-store-password=password
+> server.ssl.key-alias=testCert
+> ```
+> Put the generated keystore file in the *resources* folder.
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> > [!div class="sxs-lookup"]
+> > > [!NOTE]
+> > > `Enter_the_Supported_Account_Info_Here`
+>
+> > [!div class="sxs-lookup"]
+>
+> #### Step 3: Run the code sample
+>
+> To run the project, take one of these steps:
+>
+> - Run it directly from your IDE by using the embedded Spring Boot server.
+> - Package it to a WAR file by using [Maven](https://maven.apache.org/plugins/maven-war-plugin/usage.html), and then deploy it to a J2EE container solution like [Apache Tomcat](http://tomcat.apache.org/).
+>
+> ##### Running the project from an IDE
+>
+> To run the web application from an IDE, select run, and then go to the home page of the project. For this sample, the standard home page URL is https://localhost:8443.
+>
+> 1. On the front page, select the **Login** button to redirect users to Azure Active Directory and prompt them for credentials.
+>
+> 1. After users are authenticated, they're redirected to `https://localhost:8443/msal4jsample/secure/aad`. They're now signed in, and the page will show information about the user account. The sample UI has these buttons:
+> - **Sign Out**: Signs the current user out of the application and redirects that user to the home page.
+> - **Show User Info**: Acquires a token for Microsoft Graph and calls Microsoft Graph with a request that contains the token, which returns basic information about the signed-in user.
+>
+> ##### Running the project from Tomcat
+>
+> If you want to deploy the web sample to Tomcat, make a couple changes to the source code.
+>
+> 1. Open *ms-identity-java-webapp/src/main/java/com.microsoft.azure.msalwebsample/MsalWebSampleApplication*.
+>
+> - Delete all source code and replace it with this code:
+>
+> ```Java
+> package com.microsoft.azure.msalwebsample;
+>
+> import org.springframework.boot.SpringApplication;
+> import org.springframework.boot.autoconfigure.SpringBootApplication;
+> import org.springframework.boot.builder.SpringApplicationBuilder;
+> import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
+>
+> @SpringBootApplication
+> public class MsalWebSampleApplication extends SpringBootServletInitializer {
+>
+> public static void main(String[] args) {
+> SpringApplication.run(MsalWebSampleApplication.class, args);
+> }
+>
+> @Override
+> protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
+> return builder.sources(MsalWebSampleApplication.class);
+> }
+> }
+> ```
+>
+> 2. Tomcat's default HTTP port is 8080, but you need an HTTPS connection over port 8443. To configure this setting:
+> - Go to *tomcat/conf/server.xml*.
+> - Search for the `<connector>` tag, and replace the existing connector with this connector:
+>
+> ```xml
+> <Connector
+> protocol="org.apache.coyote.http11.Http11NioProtocol"
+> port="8443" maxThreads="200"
+> scheme="https" secure="true" SSLEnabled="true"
+> keystoreFile="C:/Path/To/Keystore/File/keystore.p12" keystorePass="KeystorePassword"
+> clientAuth="false" sslProtocol="TLS"/>
+> ```
+>
+> 3. Open a Command Prompt window. Go to the root folder of this sample (where the pom.xml file is located), and run `mvn > package` to build the project.
+> - This command will generate a *msal-web-sample-0.1.0.war* file in your */targets* directory.
+> - Rename this file to *msal4jsample.war*.
+> - Deploy the WAR file by using Tomcat or any other J2EE container solution.
+> - To deploy the msal4jsample.war file, copy it to the */webapps/* directory in your Tomcat installation, and then start the Tomcat server.
+>
+> 4. After the file is deployed, go to https://localhost:8443/msal4jsample by using a browser.
+>
+> > [!IMPORTANT]
+> > This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons we recommend that you use a certificate instead of a client secret before using the application in a production environment. For more information on how to use a certificate, see [Certificate credentials for application authentication](./active-directory-certificate-credentials.md).
+>
+> ## More information
+>
+> ### How the sample works
+> ![Diagram that shows how the sample app generated by this quickstart works.](media/quickstart-v2-java-webapp/java-quickstart.svg)
+>
+> ### Get MSAL
+>
+> MSAL for Java (MSAL4J) is the Java library used to sign in users and request tokens that are used to access an API that's protected by the Microsoft identity platform.
+>
+> Add MSAL4J to your application by using Maven or Gradle to manage your dependencies by making the following changes to the > application's pom.xml (Maven) or build.gradle (Gradle) file.
+>
+> In pom.xml:
+>
+> ```xml
+> <dependency>
+> <groupId>com.microsoft.azure</groupId>
+> <artifactId>msal4j</artifactId>
+> <version>1.0.0</version>
+> </dependency>
+> ```
+>
+> In build.gradle:
+>
+> ```$xslt
+> compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.0.0'
+> ```
+>
+> ### Initialize MSAL
+>
+> Add a reference to MSAL for Java by adding the following code at the start of the file where you'll be using MSAL4J:
+>
+> ```Java
+> import com.microsoft.aad.msal4j.*;
+> ```
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+>
+> For a more in-depth discussion of building web apps that sign in users on the Microsoft identity platform, see the multipart scenario series:
+>
+> > [!div class="nextstepaction"]
+> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java)
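Review bot: The build command in step 3 is corrupted by a wrapped quote marker, ``run `mvn > package` ``; as written it redirects `mvn` output into a file named `package` instead of running the `package` goal, so it must read `mvn package`. The same artifact appears in `making the following changes to the > application's pom.xml`. The Gradle snippet is fenced as ```$xslt, which is not a language tag; use ```groovy or leave the fence untagged. The HTTPS setup places the keystore password in two checked-in files, `server.ssl.key-store-password=password` in the Spring properties and `keystorePass="KeystorePassword"` in Tomcat's `server.xml`; the page already warns that the client secret should not live in plain text in project files, and the same guidance applies to the keystore, so the `[!IMPORTANT]` note should cover it or the properties should be supplied via an environment property rather than committed with the keystore in the *resources* folder. The heading hierarchy also skips a level (`## Prerequisites` is followed by `#### Step 1`).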
active-directory Web App Quickstart Portal Node Js Passport https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-node-js-passport.md
+
+ Title: "Quickstart: Add user sign-in to a Node.js web app"
+description: In this quickstart, you learn how to implement authentication in a Node.js web application using OpenID Connect.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an application developer, I want to know how to set up OpenID Connect authentication in a web application built using Node.js with Express.
++
+# Quickstart: Add sign in using OpenID Connect to a Node.js web app
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: Add user sign-in to a Node.js web app built with the Express framework](web-app-quickstart.md?pivots=devlang-nodejs-passport)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Add sign in using OpenID Connect to a Node.js web app
+>
+> In this quickstart, you download and run a code sample that demonstrates how to set up OpenID Connect authentication in a web application built using Node.js with Express. The sample is designed to run on any platform.
+>
+> ## Prerequisites
+>
+> - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+> - [Node.js](https://nodejs.org/en/download/).
+>
+> ## Register your application
+>
+> 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+> 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+> 1. Search for and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Enter a **Name** for your application, for example `MyWebApp`. Users of your app might see this name, and you can change it later.
+> 1. In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**.
+>
+> If there are more than one redirect URIs, add these from the **Authentication** tab later after the app has been successfully created.
+>
+> 1. Select **Register** to create the app.
+> 1. On the app's **Overview** page, find the **Application (client) ID** value and record it for later. You'll need this > value to configure the application later in this project.
+> 1. Under **Manage**, select **Authentication**.
+> 1. Select **Add a platform** > **Web**.
+> 1. In the **Redirect URIs** section, enter `http://localhost:3000/auth/openid/return`.
+> 1. Enter a **Front-channel logout URL** `https://localhost:3000`.
+> 1. In the **Implicit grant and hybrid flows** section, select **ID tokens** as this sample requires the [Implicit grant flow](./v2-oauth2-implicit-grant-flow.md) to be enabled to sign-in the user.
+> 1. Select **Configure**.
+> 1. Under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.
+> 1. Enter a key description (for instance app secret).
+> 1. Select a key duration of either **In 1 year, In 2 years,** or **Never Expires**.
+> 1. Select **Add**. The key value will be displayed. Copy the key value and save it in a safe location for later use.
+>
+>
+> ## Download the sample application and modules
+>
+> Next, clone the sample repo and install the NPM modules.
+>
+> From your shell or command line:
+>
+> `$ git clone git@github.com:AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-nodejs.git`
+>
+> or
+>
+> `$ git clone https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-nodejs.git`
+>
+> From the project root directory, run the command:
+>
+> `$ npm install`
+>
+> ## Configure the application
+>
+> Provide the parameters in `exports.creds` in config.js as instructed.
+>
+> * Update `<tenant_name>` in `exports.identityMetadata` with the Azure AD tenant name of the format \*.onmicrosoft.com.
+> * Update `exports.clientID` with the Application ID noted from app registration.
+> * Update `exports.clientSecret` with the Application secret noted from app registration.
+> * Update `exports.redirectUrl` with the Redirect URI noted from app registration.
+>
+> **Optional configuration for production apps:**
+>
+> * Update `exports.destroySessionUrl` in config.js, if you want to use a different `post_logout_redirect_uri`.
+>
+> * Set `exports.useMongoDBSessionStore` in config.js to true, if you want to use [mongoDB](https://www.mongodb.com) or other [compatible session stores](https://github.com/expressjs/session#compatible-session-stores).
+> The default session store in this sample is `express-session`. The default session store is not suitable for production.
+>
+> * Update `exports.databaseUri`, if you want to use mongoDB session store and a different database URI.
+>
+> * Update `exports.mongoDBSessionMaxAge`. Here you can specify how long you want to keep a session in mongoDB. The unit is second(s).
+>
+> ## Build and run the application
+>
+> Start mongoDB service. If you are using mongoDB session store in this app, you have to [install mongoDB](http://www.mongodb.org/) and start the service first. If you are using the default session store, you can skip this step.
+>
+> Run the app using the following command from your command line.
+>
+> ```
+> $ node app.js
+> ```
+>
+> **Is the server output hard to understand?:** We use `bunyan` for logging in this sample. The console won't make much sense to you unless you also install bunyan and run the server like above but pipe it through the bunyan binary:
+>
+> ```
+> $ npm install -g bunyan
+>
+> $ node app.js | bunyan
+> ```
+>
+> ### You're done!
+>
+> You will have a server successfully running on `http://localhost:3000`.
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+> Learn more about the web app scenario that the Microsoft identity platform supports:
+> > [!div class="nextstepaction"]
+> > [Web app that signs in users scenario](scenario-web-app-sign-user-overview.md)
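Review bot: The registration steps mix schemes for the same app: the redirect URI is `http://localhost:3000/auth/openid/return`, the front-channel logout URL is `https://localhost:3000`, and the final section says the server runs on `http://localhost:3000`, so the logout URL points at a scheme the sample never serves; align it to `http://localhost:3000` or say that a TLS listener is required. In the app overview step, `You'll need this > value to configure` carries a stray wrap marker. The `#Customer intent:` line has escaped the front-matter block (the `+++++++` run above it is the collapsed metadata) and will render as loose text. Grammar: `If there are more than one redirect URIs` should read `If there is more than one redirect URI`. The production note would be clearer saying that the in-memory default store of `express-session` is unsuitable for production, since the MongoDB option it links to (`compatible-session-stores`) is itself an `express-session` store.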
active-directory Web App Quickstart Portal Node Js https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-node-js.md
+
+ Title: "Quickstart: Add authentication to a Node.js web app with MSAL Node"
+description: In this quickstart, you learn how to implement authentication with a Node.js web app and the Microsoft Authentication Library (MSAL) for Node.js.
+++++++ Last updated : 08/16/2022+++
+#Customer intent: As an application developer, I want to know how to set up authentication in a web application built using Node.js and MSAL Node.
+
+# Quickstart: Sign in users and get an access token in a Node.js web app using the authorization code flow
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: Node.js web app that signs in users with MSAL Node](web-app-quickstart.md?pivots=devlang-nodejs-msal)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Sign in users and get an access token in a Node.js web app using the authorization code flow
+>
+> In this quickstart, you download and run a code sample that demonstrates how a Node.js web app can sign in users by using the authorization code flow. The code sample also demonstrates how to get an access token to call Microsoft Graph API.
+>
+> See [How the sample works](#how-the-sample-works) for an illustration.
+>
+> This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node) with the authorization code flow.
+>
+> ## Prerequisites
+>
+> * An Azure subscription. [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+> * [Node.js](https://nodejs.org/en/download/)
+> * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+>
+> #### Step 1: Configure the application in Azure portal
+> For the code sample for this quickstart to work, you need to create a client secret and add the following reply URL: `http:/> /localhost:3000/redirect`.
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-windows-desktop/green-check.png) Your application is configured with these > attributes.
+>
+> #### Step 2: Download the project
+>
+> Run the project with a web server by using Node.js.
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> #### Step 3: Your app is configured and ready to run
+>
+> Run the project by using Node.js.
+>
+> 1. To start the server, run the following commands from within the project directory:
+>
+> ```console
+> npm install
+> npm start
+> ```
+>
+> 1. Go to `http://localhost:3000/`.
+>
+> 1. Select **Sign In** to start the sign-in process.
+>
+> The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, you will see a log message in the command line.
+>
+> ## More information
+>
+> ### How the sample works
+>
+> The sample hosts a web server on localhost, port 3000. When a web browser accesses this site, the sample immediately redirects the user to a Microsoft authentication page. Because of this, the sample does not contain any HTML or display elements. Authentication success displays the message "OK".
+>
+> ### MSAL Node
+>
+> The MSAL Node library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform. You can download the latest version by using the Node.js Package Manager (npm):
+>
+> ```console
+> npm install @azure/msal-node
+> ```
+>
+> ## Next steps
+>
+> > [!div class="nextstepaction"]
+> > [Adding Auth to an existing web app - GitHub code sample >](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/auth-code)
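Review bot: The reply URL in step 1 is broken by a wrap marker, `http:/> /localhost:3000/redirect`, so the value a reader copies into the app registration is wrong; it should be `http://localhost:3000/redirect`. The same artifact appears in `configured with these > attributes`. Step 1 also asks the reader to create a client secret but, unlike the Java and Python quickstarts in this same change, this page carries no `[!IMPORTANT]` note that the secret is stored in plain text in the project and that a certificate is recommended before production; add the same note here for consistency. Heading levels jump from `## Prerequisites` to `#### Step 1`.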
active-directory Web App Quickstart Portal Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-python.md
+
+ Title: "Quickstart: Add sign-in with Microsoft to a Python web app"
+description: In this quickstart, learn how a Python web app can sign in users, get an access token from the Microsoft identity platform, and call the Microsoft Graph API.
+++++++ Last updated : 08/16/2022++++
+# Quickstart: Add sign-in with Microsoft to a Python web app
+
+> [!div renderon="docs"]
+> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
+>
+> > [Quickstart: Python web app with user sign-in](web-app-quickstart.md?pivots=devlang-python)
+>
+> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
+
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
+> # Quickstart: Add sign-in with Microsoft to a Python web app
+>
+> In this quickstart, you download and run a code sample that demonstrates how a Python web application can sign in users and get an access token to call the Microsoft Graph API. Users with a personal Microsoft Account or an account in any Azure Active Directory (Azure AD) organization can sign into the application.
+>
+> See [How the sample works](#how-the-sample-works) for an illustration.
+>
+> ## Prerequisites
+>
+> - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+> - [Python 2.7+](https://www.python.org/downloads/release/python-2713) or [Python 3+](https://www.python.org/downloads/release/python-364/)
+> - [Flask](http://flask.pocoo.org/), [Flask-Session](https://pypi.org/project/Flask-Session/), [requests](https://github.com/psf/requests/graphs/contributors)
+> - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python)
+>
+> #### Step 1: Configure your application in Azure portal
+>
+> For the code sample in this quickstart to work:
+>
+> 1. Add a reply URL as `http://localhost:5000/getAToken`.
+> 1. Create a Client Secret.
+> 1. Add Microsoft Graph API's User.ReadBasic.All delegated permission.
+>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](./media/quickstart-v2-aspnet-webapp/green-check.png) Your application is configured with this attribute
+>
+> #### Step 2: Download your project
+>
+> Download the project and extract the zip file to a local folder closer to the root folder - for example, **C:\Azure-Samples**
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
+>
+> > [!NOTE]
+> > `Enter_the_Supported_Account_Info_Here`
+>
+> #### Step 3: Run the code sample
+>
+> 1. You will need to install MSAL Python library, Flask framework, Flask-Sessions for server-side session management and requests using pip as follows:
+>
+> ```shell
+> pip install -r requirements.txt
+> ```
+>
+> 2. Run `app.py` from shell or command line:
+>
+> ```shell
+> python app.py
+> ```
+>
+> > [!IMPORTANT]
+> > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](./active-directory-certificate-credentials.md).
+>
+> ## More information
+>
+> ### How the sample works
+> ![Shows how the sample app generated by this quickstart works](media/quickstart-v2-python-webapp/python-quickstart.svg)
+>
+> ### Getting MSAL
+> MSAL is the library used to sign in users and request tokens used to access an API protected by the Microsoft identity Platform.
+> You can add MSAL Python to your application using Pip.
+>
+> ```Shell
+> pip install msal
+> ```
+>
+> ### MSAL initialization
+> You can add the reference to MSAL Python by adding the following code to the top of the file where you will be using MSAL:
+>
+> ```Python
+> import msal
+> ```
+>
+> [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+>
+> ## Next steps
+>
+> Learn more about web apps that sign in users in our multi-part scenario series.
+>
+> > [!div class="nextstepaction"]
+> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md)
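Review bot: The prerequisites name `Flask-Session` but step 3 says `Flask-Sessions`; use the package name that matches the PyPI link, `Flask-Session`. The `requests` prerequisite links to `https://github.com/psf/requests/graphs/contributors`, the contributors graph, rather than the project page. The confirmation banner says `configured with this attribute` while step 1 lists three changes (reply URL, client secret, `User.ReadBasic.All` permission); use `these attributes` as the other quickstarts do. Fence tags are inconsistently capitalized (```shell in step 3, then ```Shell and ```Python); lowercase them. In the `[!IMPORTANT]` note, `added as a plain-text` should read `added as plain text`, and `as production application` needs an article.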
active-directory Directory Delegated Administration Primer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delegated-administration-primer.md
Title: Delegated administration in Azure Active Directory
description: The relationship between older delegated admin permissions and new granular delegated admin permissions in Azure Active Directory keywords: -+ Last updated 06/23/2022
active-directory Directory Delete Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md
description: Explains how to prepare an Azure AD tenant for deletion, including
documentationcenter: '' -+
active-directory Directory Overview User Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-overview-user-model.md
Title: Users, groups, licensing, and roles in Azure Active Directory
description: The relationship between users and licenses assigned, administrator roles, group membership in Azure Active Directory keywords: -+ Last updated 06/23/2022
active-directory Directory Self Service Signup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-self-service-signup.md
description: Use self-service sign-up in an Azure Active Directory (Azure AD) or
documentationcenter: '' -+ editor: ''
active-directory Directory Service Limits Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-service-limits-restrictions.md
description: Usage constraints and other service limits for the Azure Active Dir
documentationcenter: '' -+ editor: ''
active-directory Domains Admin Takeover https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-admin-takeover.md
description: How to take over a DNS domain name in an unmanaged Azure AD organiz
documentationcenter: '' -+
active-directory Domains Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-manage.md
description: Management concepts and how-tos for managing a domain name in Azure
documentationcenter: '' -+
active-directory Domains Verify Custom Subdomain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md
description: Change default subdomain authentication settings inherited from roo
documentationcenter: '' -+
active-directory Groups Assign Sensitivity Labels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md
description: Learn how to assign sensitivity labels to groups. See troubleshooti
documentationcenter: '' -+
active-directory Groups Bulk Download Members https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-download-members.md
description: Add users in bulk in the Azure admin center.
-+ Last updated 06/23/2022
active-directory Groups Bulk Download https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-download.md
description: Download group properties in bulk in the Azure admin center in Azur
-+ Last updated 03/24/2022
active-directory Groups Bulk Import Members https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-import-members.md
description: Add group members in bulk in the Azure Active Directory admin cente
-+ Last updated 06/24/2022
active-directory Groups Bulk Remove Members https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-remove-members.md
description: Remove group members in bulk operations in the Azure admin center.
-+ Last updated 09/22/2021
active-directory Groups Change Type https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-change-type.md
description: Learn how to convert existing groups from static to dynamic members
documentationcenter: '' -+
active-directory Groups Create Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-create-rule.md
description: How to create or update a group membership rule in the Azure portal
documentationcenter: '' -+
active-directory Groups Dynamic Membership https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-membership.md
description: How to create membership rules to automatically populate groups, an
documentationcenter: '' -+ Previously updated : 06/23/2022 Last updated : 08/18/2022
The following device attributes can be used.
accountEnabled | true false | device.accountEnabled -eq true deviceCategory | a valid device category name | device.deviceCategory -eq "BYOD" deviceId | a valid Azure AD device ID | device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d"
- deviceManagementAppId | a valid MDM application ID in Azure AD | device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000" for Intune MDM app ID
+ deviceManagementAppId | a valid MDM application ID in Azure AD | device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000" for Microsoft Intune managed or "54b943f8-d761-4f8d-951e-9cea1846db5a" for System Center Configuration Manager Co-managed devices
deviceManufacturer | any string value | device.deviceManufacturer -eq "Samsung" deviceModel | any string value | device.deviceModel -eq "iPad Air" displayName | any string value | device.displayName -eq "Rob iPhone"
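Review bot: The updated deviceManagementAppId row packs two GUIDs and their meanings into the example cell as running prose ("... for Microsoft Intune managed or "54b943f8-..." for System Center Configuration Manager Co-managed devices"), which a reader copying the rule can mistake for part of the expression. Split the cell into two standalone expressions, `device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000"` (Microsoft Intune) and `device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a"` (Configuration Manager co-managed), with the label outside the quoted rule syntax, matching how the neighbouring rows keep one expression per cell.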
active-directory Groups Dynamic Rule More Efficient https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-rule-more-efficient.md
description: How to optimize your membership rules to automatically populate gro
documentationcenter: '' -+
active-directory Groups Dynamic Rule Validation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-rule-validation.md
description: How to test members against a membership rule for a dynamic group i
documentationcenter: '' -+
active-directory Groups Dynamic Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-tutorial.md
description: In this tutorial, you use groups with user membership rules to add
documentationcenter: '' -+
active-directory Groups Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-lifecycle.md
description: How to set up expiration for Microsoft 365 groups in Azure Active D
documentationcenter: '' -+ editor: ''
active-directory Groups Members Owners Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-members-owners-search.md
description: Search and filter groups members and owners in the Azure portal.
documentationcenter: '' -+
active-directory Groups Naming Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-naming-policy.md
description: How to set up naming policy for Microsoft 365 groups in Azure Activ
documentationcenter: '' -+
active-directory Groups Quickstart Expiration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-quickstart-expiration.md
description: Expiration for Microsoft 365 groups - Azure Active Directory
documentationcenter: '' -+
active-directory Groups Quickstart Naming Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-quickstart-naming-policy.md
description: Explains how to add new users or delete existing users in Azure Act
documentationcenter: '' -+
active-directory Groups Restore Deleted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-restore-deleted.md
Title: Restore a deleted Microsoft 365 group - Azure AD | Microsoft Docs
description: How to restore a deleted group, view restorable groups, and permanently delete a group in Azure Active Directory -+
active-directory Groups Saasapps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-saasapps.md
description: How to use groups in Azure Active Directory to assign access to Saa
documentationcenter: '' -+
active-directory Groups Self Service Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md
description: Create and manage security groups or Microsoft 365 groups in Azure
documentationcenter: '' -+ editor: ''
active-directory Groups Settings Cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-cmdlets.md
description: How manage the settings for groups using Azure Active Directory cmd
documentationcenter: '' -+
active-directory Groups Settings V2 Cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-v2-cmdlets.md
description: This page provides PowerShell examples to help you manage your grou
keywords: Azure AD, Azure Active Directory, PowerShell, Groups, Group management -+
active-directory Groups Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-troubleshooting.md
Title: Fix problems with dynamic group memberships - Azure AD | Microsoft Docs
description: Troubleshooting tips for dynamic group membership in Azure Active Directory -+
active-directory Groups Write Back Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-write-back-portal.md
Title: Group writeback portal operations (preview) in Azure Active Directory
description: The access points for group writeback to on-premises Active Directory in the Azure Active Directory admin center. keywords: -+ Previously updated : 07/21/2022 Last updated : 08/18/2022
active-directory Licensing Directory Independence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-directory-independence.md
description: Understanding the data independence of your Azure Active Directory
documentationcenter: '' -+
active-directory Licensing Group Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-group-advanced.md
keywords: Azure AD licensing documentationcenter: '' -+
active-directory Licensing Groups Assign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-assign.md
keywords: Azure AD licensing documentationcenter: '' -+
active-directory Licensing Groups Change Licenses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-change-licenses.md
keywords: Azure AD licensing documentationcenter: '' -+ editor: ''
active-directory Licensing Groups Migrate Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-migrate-users.md
keywords: Azure AD licensing documentationcenter: '' -+ editor: ''
active-directory Licensing Groups Resolve Problems https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md
keywords: Azure AD licensing documentationcenter: '' -+
active-directory Licensing Ps Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-ps-examples.md
keywords: Azure AD licensing documentationcenter: '' -+
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
keywords: Azure Active Directory licensing service plans documentationcenter: '' -+ editor: ''
active-directory Linkedin Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-integration.md
Title: Admin consent for LinkedIn account connections - Azure AD | Microsoft Doc
description: Explains how to enable or disable LinkedIn integration account connections in Microsoft apps in Azure Active Directory -+
active-directory Linkedin User Consent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-user-consent.md
Title: LinkedIn data sharing and consent - Azure Active Directory | Microsoft Do
description: Explains how LinkedIn integration shares data via Microsoft apps in Azure Active Directory -+
active-directory Signin Account Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/signin-account-support.md
Title: Does my Azure AD sign-in page accept Microsoft accounts | Microsoft Docs
description: How on-screen messaging reflects username lookup during sign-in -+
active-directory Signin Realm Discovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/signin-realm-discovery.md
Title: Username lookup during sign-in - Azure Active Directory | Microsoft Docs
description: How on-screen messaging reflects username lookup during sign-in in Azure Active Directory -+
active-directory Users Bulk Add https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-add.md
description: Add users in bulk in the Azure AD admin center in Azure Active Dire
-+ Last updated 06/24/2022
active-directory Users Bulk Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-delete.md
description: Delete users in bulk in the Azure admin center in Azure Active Dire
-+ Last updated 06/24/2022
active-directory Users Bulk Download https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-download.md
description: Download user records in bulk in the Azure admin center in Azure Ac
-+ Last updated 06/24/2022
active-directory Users Bulk Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-restore.md
description: Restore deleted users in bulk in the Azure AD admin center in Azure
-+ Last updated 06/24/2022
active-directory Users Close Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-close-account.md
Title: Close a work or school account in an unmanaged Azure AD organization
description: How to close your work or school account in an unmanaged Azure Active Directory. -+
active-directory Users Restrict Guest Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-restrict-guest-permissions.md
description: Restrict guest user access permissions using the Azure portal, Powe
-+ Last updated 06/24/2022
active-directory Users Revoke Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-revoke-access.md
-+ Last updated 06/24/2022
active-directory Users Search Enhanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-search-enhanced.md
description: Describes how Azure Active Directory enables user search, filtering
documentationcenter: '' -+ editor: ''
active-directory Users Sharing Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-sharing-accounts.md
description: Describes how Azure Active Directory enables organizations to secur
documentationcenter: '' -+ editor: ''
active-directory Cross Tenant Access Settings B2b Collaboration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md
With outbound settings, you select which of your users and groups will be able t
- When you're done selecting the users and groups you want to add, choose **Select**. > [!NOTE]
- > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
+ > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](../authentication/howto-authentication-sms-signin.md). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
1. Select the **External applications** tab.
When you remove an organization from your Organizational settings, the default c
## Next steps - See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.-- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)
+- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)
active-directory External Collaboration Settings Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-collaboration-settings-configure.md
Previously updated : 05/05/2022 Last updated : 08/22/2022
For B2B collaboration with other Azure AD organizations, you should also review
- **Guest users have limited access to properties and memberships of directory objects**: (Default) This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups. [Learn more about default guest permissions](../fundamentals/users-default-permissions.md#member-and-guest-users).
- - **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**: With this setting, guests can access only their own profiles. Guests are not allowed to see other users' profiles, groups, or group memberships.
+ - **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**: With this setting, guests can access only their own profiles. Guests aren't allowed to see other users' profiles, groups, or group memberships.
1. Under **Guest invite settings**, choose the appropriate settings: ![Screenshot showing Guest invite settings.](./media/external-collaboration-settings-configure/guest-invite-settings.png)
- - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests in the organization to invite other guests including those who are not members of an organization, select this radio button.
+ - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests in the organization to invite other guests including those who aren't members of an organization, select this radio button.
- **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**: To allow member users and users who have specific administrator roles to invite guests, select this radio button. - **Only users assigned to specific admin roles can invite guest users**: To allow only those users with administrator roles to invite guests, select this radio button. The administrator roles include [Global Administrator](../roles/permissions-reference.md#global-administrator), [User Administrator](../roles/permissions-reference.md#user-administrator), and [Guest Inviter](../roles/permissions-reference.md#guest-inviter). - **No one in the organization can invite guest users including admins (most restrictive)**: To deny everyone in the organization from inviting guests, select this radio button.
For B2B collaboration with other Azure AD organizations, you should also review
![Screenshot showing Self-service sign up via user flows setting.](./media/external-collaboration-settings-configure/self-service-sign-up-setting.png)
+1. Under **External user leave settings**, you can control whether external users can remove themselves from your organization. If you set this option to **No**, external users will need to contact your admin or privacy contact to be removed.
+
+ - **Yes**: Users can leave the organization themselves without approval from your admin or privacy contact.
+ - **No**: Users can't leave your organization themselves. They'll see a message guiding them to contact your admin or privacy contact to request removal from your organization.
+
+ > [!IMPORTANT]
+ > You can configure **External user leave settings** only if you have [added your privacy information](../fundamentals/active-directory-properties-area.md) to your Azure AD tenant. Otherwise, this setting will be unavailable.
+
+ ![Screenshot showing External user leave settings in the portal.](media/external-collaboration-settings-configure/external-user-leave-settings.png)
+ 1. Under **Collaboration restrictions**, you can choose whether to allow or deny invitations to the domains you specify and enter specific domain names in the text boxes. For multiple domains, enter each domain on a new line. For more information, see [Allow or block invitations to B2B users from specific organizations](allow-deny-list.md). ![Screenshot showing Collaboration restrictions settings.](./media/external-collaboration-settings-configure/collaboration-restrictions.png)
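Review bot: The new screenshot reference `media/external-collaboration-settings-configure/external-user-leave-settings.png` drops the `./media/...` prefix that the other images in this article use (see the Guest invite settings and Collaboration restrictions screenshots in the surrounding context); use the same form. Also, the IMPORTANT callout says the setting is unavailable until privacy information is added, but the step text does not say which behaviour applies while it is unavailable; stating that explicitly would save admins from assuming external users are blocked from leaving when the control has simply not been enabled.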
active-directory Leave The Organization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/leave-the-organization.md
Previously updated : 06/30/2022 Last updated : 08/22/2022
adobe-target: true
# Leave an organization as an external user
-An Azure Active Directory (Azure AD) B2B collaboration or B2B direct connect user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association.
+As an Azure Active Directory (Azure AD) B2B collaboration or B2B direct connect user, you can decide to leave an organization at any time if you no longer need to use apps from that organization or maintain any association.
-B2B collaboration and B2B direct connect users can usually leave an organization on their own without having to contact an administrator. This option won't be available if it's not allowed by the organization, or if the user's account has been disabled. The user will need to contact the tenant admin, who can delete the account.
+You can usually leave an organization on your own without having to contact an administrator. However, in some cases this option won't be available and you'll need to contact your tenant admin, who can delete your account in the external organization.
[!INCLUDE [GDPR-related guidance](../../../includes/gdpr-dsr-and-stp-note.md)]
-## Leave an organization
+## What organizations do I belong to?
-In your My Account portal, on the Organizations page, you can view and manage the organizations you have access to:
--- **Home organization**: Your home organization is listed first. This is the organization that owns your work or school account. Because your account is managed by your administrator, you're not allowed to leave your home organization. (If you don't have an assigned home organization, you'll just see a single heading that says Organizations with the list of your associated organizations.)
-
-- **Other organizations you collaborate with**: You'll also see the other organizations that you've signed in to previously using your work or school account. You can leave any of these organizations at any time.-
-To leave an organization, follow these steps.
-
-1. Go to your **My Account** page by doing one of the following:
+1. To view the organizations you belong to, first open your **My Account** page by doing one of the following:
- If you're using a work or school account, go to https://myaccount.microsoft.com and sign in. - If you're using a personal account, go to https://myapps.microsoft.com and sign in, and then select your account icon in the upper right and select **View account**. Or, use a My Account URL that includes your tenant information to go directly to your My Account page (examples are shown in the following note). + > [!NOTE] > If you use the email one-time passcode feature when signing in, you'll need to use a My Account URL that includes your tenant name or tenant ID, for example: `https://myaccount.microsoft.com?tenantId=wingtiptoys.onmicrosoft.com` or `https://myaccount.microsoft.com?tenantId=ab123456-cd12-ef12-gh12-ijk123456789`. 1. Select **Organizations** from the left navigation pane or select the **Manage organizations** link from the **Organizations** block.
-1. Under **Other organizations you collaborate with**, find the organization that you want to leave, and select **Leave**.
+1. The **Organizations** page appears, where you can view and manage the organizations you belong to.
+
+ ![Screenshot showing the list of organizations you belong to.](media/leave-the-organization/organization-list.png)
+
+ - **Home organization**: Your home organization is listed first. This is the organization that owns your work or school account. Because your account is managed by your administrator, you're not allowed to leave your home organization (you'll see there's no option to **Leave**). If you don't have an assigned home organization, you'll just see a single heading that says **Organizations** with the list of your associated organizations.
+
+ - **Other organizations you collaborate with**: You'll also see the other organizations that you've signed in to previously using your work or school account. You can decide to leave any of these organizations at any time.
+
+## How to leave an organization
+
+If your organization allows users to remove themselves from external organizations, you can follow these steps to leave an organization.
+
+1. Open your **Organizations** page. (Follow the steps in [What organizations do I belong to](#what-organizations-do-i-belong-to), above.)
+
+1. Under **Other organizations you collaborate with** (or **Organizations** if you don't have a home organization), find the organization that you want to leave, and then select **Leave**.
![Screenshot showing Leave organization option in the user interface.](media/leave-the-organization/leave-org.png)+ 1. When asked to confirm, select **Leave**.
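Review bot: The intro to "How to leave an organization" ("If your organization allows users to remove themselves from external organizations") points at the wrong tenant: the later "Why can't I leave an organization?" section in this same change says leaving is blocked when "the organization you want to leave doesn't allow users to leave by themselves", and the admin section describes the setting as the external organization's own **External user leave settings**. Reword to "If the organization you want to leave allows external users to remove themselves, you can follow these steps ..." so the reader does not look for the setting in their home tenant.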
+1. If you select **Leave** for an organization but you see the following message, it means youΓÇÖll need to contact the organization's admin or privacy contact and ask them to remove you from their organization.
+
+ ![Screenshot showing the message when you need permission to leave an organization.](media/leave-the-organization/need-permission-leave.png)
+
+## Why canΓÇÖt I leave an organization?
+
+In the **Home organization** section, there's no option to **Leave** your organization. Only an administrator can remove your account from your home organization.
-## Account removal
+For the external organizations listed under **Other organizations you collaborate with**, you might not be able to leave on your own, for example when:
-When a B2B collaboration user leaves an organization, the user's account is "soft deleted" in the directory. By default, the user object moves to the **Deleted users** area in Azure AD, but permanent deletion doesn't start for 30 days. This soft deletion enables the administrator to restore the user account, including groups and permissions, if the user makes a request to restore the account before it's permanently deleted.
+
+- the organization you want to leave doesnΓÇÖt allow users to leave by themselves
+- your account has been disabled
+
+In these cases, you can select **Leave**, but then you'll see a message saying you need to contact the admin or privacy contact for that organization to ask them to remove you.
+
+## More information for administrators
+
+Administrators can use the **External user leave settings** to control whether external users can remove themselves from their organization. If you disallow the ability for external users to remove themselves from your organization, external users will need to contact your admin or privacy contact to be removed.
+
+> [!IMPORTANT]
+> You can configure **External user leave settings** only if you have [added your privacy information](../fundamentals/active-directory-properties-area.md) to your Azure AD tenant. Otherwise, this setting will be unavailable. We recommend adding your privacy information to allow external users to review your policies and email your privacy contact when necessary.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account and open the Azure Active Directory service.
+
+1. Select **External Identities** > **External collaboration settings**.
+
+1. Under **External user leave** settings, choose whether to allow external users to leave your organization themselves:
+
+ - **Yes**: Users can leave the organization themselves without approval from your admin or privacy contact.
+ - **No**: Users can't leave your organization themselves. They'll see a message guiding them to contact your admin or privacy contact to request removal from your organization.
+
+ ![Screenshot showing External user leave settings in the portal.](media/leave-the-organization/external-user-leave-settings.png)
+
+### Account removal
+
+When a B2B collaboration user leaves an organization, the user's account is "soft deleted" in the directory. By default, the user object moves to the **Deleted users** area in Azure AD, but permanent deletion doesn't start for 30 days. This soft deletion enables the administrator to restore the user account, including groups and permissions, if the user makes a request to restore the account before it's permanently deleted.
If desired, a tenant administrator can permanently delete the account at any time during the soft-delete period with the following steps. This action is irrevocable. 1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**.
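Review bot: The added text in "youΓÇÖll need to contact", the heading "Why canΓÇÖt I leave an organization?" and "doesnΓÇÖt allow users to leave" uses a typographic apostrophe (rendered here as ΓÇÖ) while the rest of the article uses straight apostrophes ("can't", "you'll", "there's"); normalize to the straight form so the file has one convention. In the admin steps, "Under **External user leave** settings" bolds a different span than the "**External user leave settings**" used two paragraphs earlier and in the IMPORTANT callout; bold the full setting name in both places so it matches the portal label.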
-2. Under **Manage**, select **Users**.
-3. Select **Deleted users**.
-4. Select the check box next to a deleted user, and then select **Delete permanently**.
+
+1. Under **Manage**, select **Users**.
+
+1. Select **Deleted users**.
+
+1. Select the check box next to a deleted user, and then select **Delete permanently**.
Once permanent deletion begins, whether it's initiated by the admin or the end of the soft deletion period, it can take up to an additional 30 days for data removal ([learn more](/compliance/regulatory/gdpr-dsr-azure#step-5-delete)).
active-directory 5 Secure Access B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/5-secure-access-b2b.md
Some organizations use a list of known 'bad actor' domains provided by their
You can control both inbound and outbound access using Cross Tenant Access Settings. In addition, you can trust MFA, Compliant device, and hybrid Azure Active Directory joined device (HAADJ) claims from all or a subset of external Azure AD tenants. When you configure an organization specific policy, it applies to the entire Azure AD tenant and will cover all users from that tenant regardless of the user's domain suffix.
-You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](/azure/active-directory/external-identities/cross-cloud-settings).
+You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](../external-identities/cross-cloud-settings.md).
If you wish to allow inbound access to only specific tenants (allowlist), you can set the default policy to block access and then create organization policies to granularly allow access on a per user, group, and application basis.
See the following articles on securing external access to resources. We recommen
8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
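Review bot: The removed and added lines for step 9 are identical as rendered, so this hunk changes only trailing whitespace or line endings; if that is not intended, drop it from the change so the diff contains only the link-path fix above.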
active-directory Active Directory Access Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md
Title: Quickstart - Access & create new tenant - Azure AD
description: Instructions about how to find Azure Active Directory and how to create a new tenant for your organization. -+ Previously updated : 12/22/2021 Last updated : 08/17/2022
If you're not going to continue to use this application, you can delete the tena
- Ensure that you're signed in to the directory that you want to delete through the **Directory + subscription** filter in the Azure portal. Switch to the target directory if needed. - Select **Azure Active Directory**, and then on the **Contoso - Overview** page, select **Delete directory**.
- The tenant and its associated information is deleted.
+ The tenant and its associated information are deleted.
![Overview page, with highlighted Delete directory button](media/active-directory-access-create-new-tenant/azure-ad-delete-new-tenant.png) ## Next steps -- Change or add additional domain names, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md)
+- Change or add other domain names, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md)
- Add users, see [Add or delete a new user](add-users-azure-active-directory.md)
active-directory Active Directory Accessmanagement Managing Group Owners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners.md
Title: Add or remove group owners - Azure Active Directory | Microsoft Docs
description: Instructions about how to add or remove group owners using Azure Active Directory. -+ Previously updated : 09/11/2018 Last updated : 08/17/2022 # Add or remove group owners in Azure Active Directory+ Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners can be users or service principals, and are able to manage the group including membership. Only existing group owners or group-managing administrators can assign group owners. Group owners aren't required to be members of the group.
-When a group has no owner, group-managing administrators are still able to manage the group. It is recommended for every group to have at least one owner. Once owners are assigned to a group, the last owner of the group cannot be removed. Please make sure to select another owner before removing the last owner from the group.
+When a group has no owner, group-managing administrators are still able to manage the group. It is recommended for every group to have at least one owner. Once owners are assigned to a group, the last owner of the group can't be removed. Make sure to select another owner before removing the last owner from the group.
## Add an owner to a group Below are instructions for adding a user as an owner to a group using the Azure AD portal. To add a service principal as an owner of a group, follow the instructions to do so using [PowerShell](/powershell/module/Azuread/Add-AzureADGroupOwner).
Remove an owner from a group using Azure AD.
![User's information page with Remove option highlighted](media/active-directory-accessmanagement-managing-group-owners/remove-owner-info-blade.png)
- After you remove the owner, you can return to the **Owners** page and see the name has been removed from the list of owners.
+ After you remove the owner, you can return to the **Owners** page, and see the name has been removed from the list of owners.
## Next steps - [Managing access to resources with Azure Active Directory groups](active-directory-manage-groups.md)
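Review bot: the only change in this hunk inserts a comma in "return to the **Owners** page, and see the name has been removed"; the two verbs share one subject ("you"), so the comma is unnecessary and the removed line had the better punctuation. Either drop the comma or make the second half a full clause, for example "and then confirm that the name has been removed from the list of owners."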
active-directory Active Directory Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-architecture.md
Title: Architecture overview - Azure Active Directory | Microsoft Docs
description: Learn what an Azure Active Directory tenant is and how to manage Azure using Azure Active Directory. -+ Previously updated : 07/08/2022 Last updated : 08/17/2022
All directory *reads* are serviced from *secondary replicas*, which are at datac
Scalability is the ability of a service to expand to meet increasing performance demands. Write scalability is achieved by partitioning the data. Read scalability is achieved by replicating data from one partition to multiple secondary replicas distributed throughout the world.
-Requests from directory applications are routed to the datacenter that they are physically closest to. Writes are transparently redirected to the primary replica to provide read-write consistency. Secondary replicas significantly extend the scale of partitions because the directories are typically serving reads most of the time.
+Requests from directory applications are routed to the closest datacenter. Writes are transparently redirected to the primary replica to provide read-write consistency. Secondary replicas significantly extend the scale of partitions because the directories are typically serving reads most of the time.
Directory applications connect to the nearest datacenters. This connection improves performance, and therefore scaling out is possible. Since a directory partition can have many secondary replicas, secondary replicas can be placed closer to the directory clients. Only internal directory service components that are write-intensive target the active primary replica directly.
Azure ADΓÇÖs partition design is simplified compared to the enterprise AD design
#### Fault tolerance
-A system is more available if it is tolerant to hardware, network, and software failures. For each partition on the directory, a highly available master replica exists: The primary replica. Only writes to the partition are performed at this replica. This replica is being continuously and closely monitored, and writes can be immediately shifted to another replica (which becomes the new primary) if a failure is detected. During failover, there could be a loss of write availability typically of 1-2 minutes. Read availability is not affected during this time.
+A system is more available if it is tolerant to hardware, network, and software failures. For each partition on the directory, a highly available master replica exists: The primary replica. Only writes to the partition are performed at this replica. This replica is being continuously and closely monitored, and writes can be immediately shifted to another replica (which becomes the new primary) if a failure is detected. During failover, there could be a loss of write availability typically of 1-2 minutes. Read availability isn't affected during this time.
Read operations (which outnumber writes by many orders of magnitude) only go to secondary replicas. Since secondary replicas are idempotent, loss of any one replica in a given partition is easily compensated by directing the reads to another replica, usually in the same datacenter. #### Data durability
-A write is durably committed to at least two datacenters prior to it being acknowledged. This happens by first committing the write on the primary, and then immediately replicating the write to at least one other datacenter. This write action ensures that a potential catastrophic loss of the datacenter hosting the primary does not result in data loss.
+A write is durably committed to at least two datacenters prior to it being acknowledged. This happens by first committing the write on the primary, and then immediately replicating the write to at least one other datacenter. This write action ensures that a potential catastrophic loss of the datacenter hosting the primary doesn't result in data loss.
Azure AD maintains a zero [Recovery Time Objective (RTO)](https://en.wikipedia.org/wiki/Recovery_time_objective) to not lose data on failovers. This includes:
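Review bot: terminology is now inconsistent within this file: the Fault tolerance + line still says "a highly available master replica exists: The primary replica", while the writes bullet later in this same change drops "(master)" in favor of "the primary replica". Suggest "a highly available primary replica exists" here as well, with lowercase "the" after the colon. The contraction pass is also partial in the same line: "is not" became "isn't" but "if it is tolerant" remains.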
Azure ADΓÇÖs replicas are stored in datacenters located throughout the world. Fo
Azure AD operates across datacenters with the following characteristics: * Authentication, Graph, and other AD services reside behind the Gateway service. The Gateway manages load balancing of these services. It will fail over automatically if any unhealthy servers are detected using transactional health probes. Based on these health probes, the Gateway dynamically routes traffic to healthy datacenters.
-* For *reads*, the directory has secondary replicas and corresponding front-end services in an active-active configuration operating in multiple datacenters. In case of a failure of an entire datacenter, traffic will be automatically routed to a different datacenter.
-* For *writes*, the directory will fail over primary (master) replica across datacenters via planned (new primary is synchronized to old primary) or emergency failover procedures. Data durability is achieved by replicating any commit to at least two datacenters.
+* For *reads*, the directory has secondary replicas and corresponding front-end services in an active-active configuration operating in multiple datacenters. If a datacenter fails, traffic is automatically routed to a different datacenter.
+* For *writes*, the directory will fail over the primary replica across datacenters via planned (new primary is synchronized to old primary) or emergency failover procedures. Data durability is achieved by replicating any commit to at least two datacenters.
#### Data consistency
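Review bot: tense is mixed between the two rewritten bullets: the reads bullet now says "traffic is automatically routed" (present), but the writes bullet keeps "the directory will fail over the primary replica" (future). Use "fails over" so both bullets read the same way.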
The directory model is one of eventual consistencies. One typical problem with d
Azure AD provides read-write consistency for applications targeting a secondary replica by routing its writes to the primary replica, and synchronously pulling the writes back to the secondary replica.
-Application writes using the Microsoft Graph API of Azure AD are abstracted from maintaining affinity to a directory replica for read-write consistency. The Microsoft Graph API service maintains a logical session, which has affinity to a secondary replica used for reads; affinity is captured in a ΓÇ£replica tokenΓÇ¥ that the service caches using a distributed cache in the secondary replica datacenter. This token is then used for subsequent operations in the same logical session. To continue using the same logical session, subsequent requests must be routed to the same Azure AD datacenter. It is not possible to continue a logical session if the directory client requests are being routed to multiple Azure AD datacenters; if this happens then the client has multiple logical sessions which have independent read-write consistencies.
+Application writes using the Microsoft Graph API of Azure AD are abstracted from maintaining affinity to a directory replica for read-write consistency. The Microsoft Graph API service maintains a logical session, which has affinity to a secondary replica used for reads; affinity is captured in a ΓÇ£replica tokenΓÇ¥ that the service caches using a distributed cache in the secondary replica datacenter. This token is then used for subsequent operations in the same logical session. To continue using the same logical session, subsequent requests must be routed to the same Azure AD datacenter. It isn't possible to continue a logical session if the directory client requests are being routed to multiple Azure AD datacenters; if this happens then the client has multiple logical sessions that have independent read-write consistencies.
>[!NOTE] >Writes are immediately replicated to the secondary replica to which the logical session's reads were issued. #### Service-level backup
-Azure AD implements daily backup of directory data and can use these backups to restore data in case of any service-wide issue.
+Azure AD implements daily backup of directory data and can use these backups to restore data if there is any service-wide issue.
The directory also implements soft deletes instead of hard deletes for selected object types. The tenant administrator can undo any accidental deletions of these objects within 30 days. For more information, see the [API to restore deleted objects](/graph/api/directory-deleteditems-restore).
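Review bot: the quotation marks around replica token render as mojibake ("ΓÇ£replica tokenΓÇ¥") in both the removed and the added line of the logical-session paragraph; since that sentence is being edited anyway, replace them with straight ASCII quotes so the rendered text does not depend on the file's encoding. Minor, same hunk: "if there is any service-wide issue" in the backup paragraph could follow the contraction style applied elsewhere in this change ("if there's").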
The directory also implements soft deletes instead of hard deletes for selected
Running a high availability service requires world-class metrics and monitoring capabilities. Azure AD continually analyzes and reports key service health metrics and success criteria for each of its services. There is also continuous development and tuning of metrics and monitoring and alerting for each scenario, within each Azure AD service and across all services.
-If any Azure AD service is not working as expected, action is immediately taken to restore functionality as quickly as possible. The most important metric Azure AD tracks is how quickly live site issues can be detected and mitigated for customers. We invest heavily in monitoring and alerts to minimize time to detect (TTD Target: <5 minutes) and operational readiness to minimize time to mitigate (TTM Target: <30 minutes).
+If any Azure AD service isn't working as expected, action is immediately taken to restore functionality as quickly as possible. The most important metric Azure AD tracks is how quickly live site issues can be detected and mitigated for customers. We invest heavily in monitoring and alerts to minimize time to detect (TTD Target: <5 minutes) and operational readiness to minimize time to mitigate (TTM Target: <30 minutes).
#### Secure operations
-Using operational controls such as multi-factor authentication (MFA) for any operation, as well as auditing of all operations. In addition, using a just-in-time elevation system to grant necessary temporary access for any operational task-on-demand on an ongoing basis. For more information, see [The Trusted Cloud](https://azure.microsoft.com/support/trust-center).
+Using operational controls such as multi-factor authentication (MFA) for any operation, and auditing of all operations. In addition, using a just-in-time elevation system to grant necessary temporary access for any operational task-on-demand on an ongoing basis. For more information, see [The Trusted Cloud](https://azure.microsoft.com/support/trust-center).
## Next steps
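Review bot: both sentences of the Secure operations paragraph are still fragments with no subject or main verb ("Using operational controls such as ...", "In addition, using a just-in-time elevation system ..."); swapping "as well as" for "and" does not fix that. Suggest "Azure AD uses operational controls such as multi-factor authentication (MFA) for any operation, and audits all operations. It also uses a just-in-time elevation system to grant temporary access for operational tasks on demand."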
active-directory Active Directory Compare Azure Ad To Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md
Previously updated : 12/23/2021 Last updated : 08/17/2022
active-directory Active Directory Data Storage Australia Newzealand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-australia-newzealand.md
Title: Customer data storage for Australian and New Zealand customers - Azure AD
description: Learn about where Azure Active Directory stores customer-related data for its Australian and New Zealand customers. -+ Previously updated : 01/12/2022 Last updated : 08/17/2022 # Customer Data storage for Australian and New Zealand customers in Azure Active Directory
-Azure Active Directory (Azure AD) stores its Customer Data in a geographical location based on the country you provided when you signed up for a Microsoft Online service. Microsoft Online services include Microsoft 365 and Azure.
+Azure AD stores identity data in a location chosen based on the address provided by your organization when subscribing to a Microsoft service like Microsoft 365 or Azure. Microsoft Online services include Microsoft 365 and Azure.
For information about where Azure AD and other Microsoft services' data is located, see the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center. From February 26, 2020, Microsoft began storing Azure ADΓÇÖs Customer Data for new tenants with an Australian or New Zealand billing address within the Australian datacenters.
-Additionally, certain Azure AD features do not yet support storage of Customer Data in Australia. Please go to the [Azure AD data map](https://msit.powerbi.com/view?r=eyJrIjoiYzEyZTc5OTgtNTdlZS00ZTVkLWExN2ItOTM0OWU4NjljOGVjIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9), for specific feature information. For example, Microsoft Azure AD Multi-Factor Authentication stores Customer Data in the US and processes it globally. See [Data residency and customer data for Azure AD Multi-Factor Authentication](../authentication/concept-mfa-data-residency.md).
+Additionally, certain Azure AD features don't yet support storage of Customer Data in Australia. Go to the [Azure AD data map](https://msit.powerbi.com/view?r=eyJrIjoiYzEyZTc5OTgtNTdlZS00ZTVkLWExN2ItOTM0OWU4NjljOGVjIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9), for specific feature information. For example, Microsoft Azure AD Multi-Factor Authentication stores Customer Data in the US and processes it globally. See [Data residency and customer data for Azure AD Multi-Factor Authentication](../authentication/concept-mfa-data-residency.md).
> [!NOTE] > Microsoft products, services, and third-party applications that integrate with Azure AD have access to Customer Data. Evaluate each product, service, and application you use to determine how Customer Data is processed by that specific product, service, and application, and whether they meet your company's data storage requirements. For more information about Microsoft services' data residency, see the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.
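Review bot: the rewritten opening sentence already names "Microsoft 365 or Azure", so the retained sentence "Microsoft Online services include Microsoft 365 and Azure." is now redundant, and its subject "Microsoft Online services" is no longer introduced anywhere; drop it. The rewrite also switches from the defined term "Customer Data" to "identity data" while the next two paragraphs and the note keep "Customer Data"; use one term throughout the article. Minor: stray comma in "Go to the [Azure AD data map](...), for specific feature information".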
active-directory Active Directory Data Storage Australia https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-australia.md
Title: Identity data storage for Australian and New Zealand customers - Azure AD
description: Learn about where Azure Active Directory stores identity-related data for its Australian and New Zealand customers. -+ Previously updated : 12/13/2019 Last updated : 08/17/2022 # Identity data storage for Australian and New Zealand customers in Azure Active Directory
-Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when subscribing for a Microsoft Online service such as Microsoft 365 and Azure. For information on where your Identity Customer Data is stored, you can use the [Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located) section of the Microsoft Trust Center.
+Azure AD stores identity data in a location chosen based on the address provided by your organization when subscribing to a Microsoft service like Microsoft 365 or Azure. For information on where your Identity Customer Data is stored, you can use the [Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located) section of the Microsoft Trust Center.
> [!NOTE] > Services and applications that integrate with Azure AD have access to Identity Customer Data. Evaluate each service and application you use to determine how Identity Customer Data is processed by that specific service and application, and whether they meet your company's data storage requirements. For more information about Microsoft services' data residency, see the Where is your data located? section of the Microsoft Trust Center.
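Review bot: the new first sentence says "identity data" while the sentence right after it and the note keep "Identity Customer Data"; use one term. The Trust Center link here (trustcenter/privacy/where-your-data-is-located, "Where is your data located?") also differs from the one used in the Australia/New Zealand and EU articles in this same change (trust-center/privacy/data-location, "Where your data is located"); point all three at the same current URL.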
All other Azure AD services store customer data in global datacenters. To locate
## Microsoft Azure AD Multi-Factor Authentication (MFA)
-MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Azure AD MFA and Azure MFA Server, see [Azure Multi-Factor Authentication user data collection](../authentication/concept-mfa-data-residency.md).
+MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Azure AD MFA and Azure AD Multi-Factor Authentication Server, see [Azure Active Directory Multi-Factor Authentication user data collection](../authentication/concept-mfa-data-residency.md).
## Next steps+ For more information about any of the features and functionality described above, see these articles: - [What is Multi-Factor Authentication?](../authentication/concept-mfa-howitworks.md)
active-directory Active Directory Data Storage Eu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-eu.md
Title: Identity data storage for European customers - Azure AD
description: Learn about where Azure Active Directory stores identity-related data for its European customers. -+ Previously updated : 07/20/2022 Last updated : 08/17/2022 # Identity data storage for European customers in Azure Active Directory
-Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when it subscribed for a Microsoft Online service such as Microsoft 365 and Azure. For information on where your identity data is stored, you can use the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.
+Azure AD stores identity data in a location chosen based on the address provided by your organization when subscribing to a Microsoft service like Microsoft 365 or Azure. For information on where your identity data is stored, you can use the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.
For customers who provided an address in Europe, Azure AD keeps most of the identity data within European datacenters. This document provides information on any data that is stored outside of Europe by Azure AD services.
For cloud-based Azure AD Multi-Factor Authentication, authentication is complete
* Device vendor-specific services, such as Apple Push Notifications, may be outside Europe. * Multi-factor authentication requests using OATH codes that originate from EU datacenters are validated in the EU.
-For more information about what user information is collected by Azure Multi-Factor Authentication Server (MFA Server) and cloud-based Azure AD MFA, see [Azure Multi-Factor Authentication user data collection](../authentication/howto-mfa-reporting-datacollection.md).
+For more information about what user information is collected by Azure Active Directory Multi-Factor Authentication Server (MFA Server) and cloud-based Azure AD MFA, see [Azure Active Directory Multi-Factor Authentication user data collection](../authentication/howto-mfa-reporting-datacollection.md).
## Microsoft Azure Active Directory B2B (Azure AD B2B)
For more info about federation in Microsoft Exchange server, see the [Federation
## Other considerations
-Services and applications that integrate with Azure AD have access to identity data. Evaluate each service and application you use to determine how identity data is processed by that specific service and application, and whether they meet your company's data storage requirements.
+Services and applications that integrate with Azure AD have access to identity data. Review how each service and application processes identity data, and verify that they meet your company's data storage requirements.
For more information about Microsoft services' data residency, see the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center. ## Next steps+ For more information about any of the features and functionality described above, see these articles:+ - [What is Multi-Factor Authentication?](../authentication/concept-mfa-howitworks.md) - [Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md)
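Review bot: after the restructure, "verify that they meet your company's data storage requirements" has no plural antecedent, since "each service and application" is singular; suggest "verify that each meets your company's data storage requirements".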
active-directory Active Directory Get Started Premium https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-get-started-premium.md
Title: Sign up for premium editions - Azure Active Directory| Microsoft Docs
description: Instructions about how to sign up for Azure Active Directory Premium editions. -+ Previously updated : 09/07/2017 Last updated : 08/17/2022
# Sign up for Azure Active Directory Premium editions+ You can purchase and associate Azure Active Directory (Azure AD) Premium editions with your Azure subscription. If you need to create a new Azure subscription, you'll also need to activate your licensing plan and Azure AD service access. Before you sign up for Active Directory Premium 1 or Premium 2, you must first determine which of your existing subscription or plan to use:
Before you sign up for Active Directory Premium 1 or Premium 2, you must first d
Signing up using your Azure subscription with previously purchased and activated Azure AD licenses, automatically activates the licenses in the same directory. If that's not the case, you must still activate your license plan and your Azure AD access. For more information about activating your license plan, see [Activate your new license plan](#activate-your-new-license-plan). For more information about activating your Azure AD access, see [Activate your Azure AD access](#activate-your-azure-ad-access). ## Sign up using your existing Azure or Microsoft 365 subscription+ As an Azure or Microsoft 365 subscriber, you can purchase the Azure Active Directory Premium editions online. For detailed steps, see [Buy or remove licenses](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide&preserve-view=true). ## Sign up using your Enterprise Mobility + Security licensing plan+ Enterprise Mobility + Security is a suite, comprised of Azure AD Premium, Azure Information Protection, and Microsoft Intune. If you already have an EMS license, you can get started with Azure AD, using one of these licensing options: For more information about EMS, see [Enterprise Mobility + Security web site](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
For more information about EMS, see [Enterprise Mobility + Security web site](ht
- Purchase [Enterprise Mobility + Security E3 licenses](https://signup.microsoft.com/Signup?OfferId=4BBA281F-95E8-4136-8B0F-037D6062F54C&ali=1) ## Sign up using your Microsoft Volume Licensing plan+ Through your Microsoft Volume Licensing plan, you can sign up for Azure AD Premium using one of these two programs, based on the number of licenses you want to get: - **For 250 or more licenses.** [Microsoft Enterprise Agreement](https://www.microsoft.com/en-us/licensing/licensing-programs/enterprise.aspx)
Through your Microsoft Volume Licensing plan, you can sign up for Azure AD Premi
For more information about volume licensing purchase options, see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/licensing/how-to-buy/how-to-buy.aspx). ## Activate your new license plan+ If you signed up using a new Azure AD license plan, you must activate it for your organization, using the confirmation email sent after purchase. ### To activate your license plan-- Open the confirmation email you received from Microsoft after you signed up, and then click either **Sign In** or **Sign Up**.+
+- Open the confirmation email you received from Microsoft after you signed up, and then select either **Sign In** or **Sign Up**.
![Confirmation email with sign in and sign up links](media/active-directory-get-started-premium/MOLSEmail.png)
If you signed up using a new Azure AD license plan, you must activate it for you
![Create account profile page, with sample information](media/active-directory-get-started-premium/MOLSAccountProfile.png)
-When you're done, you will see a confirmation box thanking you for activating the license plan for your tenant.
+When you're done, you'll see a confirmation box thanking you for activating the license plan for your tenant.
![Confirmation box with thank you](media/active-directory-get-started-premium/MOLSThankYou.png)
After your purchased licenses are provisioned in your directory, you'll receive
### To activate your Azure AD access
-1. Open the **Welcome email**, and then click **Sign In**.
+1. Open the **Welcome email**, and then select **Sign In**.
![Welcome email, with highlighted sign in link](media/active-directory-get-started-premium/AADEmail.png)
active-directory Active Directory Groups Create Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-create-azure-portal.md
Title: Create a basic group and add members - Azure Active Directory | Microsoft
description: Instructions about how to create a basic group using Azure Active Directory. -+ Previously updated : 06/05/2020 Last updated : 08/17/2022
# Create a basic group and add members using Azure Active Directory+ You can create a basic group using the Azure Active Directory (Azure AD) portal. For the purposes of this article, a basic group is added to a single resource by the resource owner (administrator) and includes specific members (employees) that need to access that resource. For more complex scenarios, including dynamic memberships and rule creation, see the [Azure Active Directory user management documentation](../enterprise-users/index.yml). ## Group and membership types+ There are several group and membership types. The following information explains each group and membership type and why they are used, to help you decide which options to use when you create a group. ### Group types:
There are several group and membership types. The following information explains
- **Microsoft 365**. Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. A Microsoft 365 group can have only users as its members. Both users and service principals can be owners of a Microsoft 365 group. For more info about Microsoft 365 Groups, see [Learn about Microsoft 365 Groups](https://support.office.com/article/learn-about-office-365-groups-b565caa1-5c40-40ef-9915-60fdb2d97fa2). ### Membership types:+ - **Assigned.** Lets you add specific users to be members of this group and to have unique permissions. For the purposes of this article, we're using this option.-- **Dynamic user.** Lets you use dynamic membership rules to automatically add and remove members. If a member's attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added) or no longer meets the rules requirements (is removed).
+- **Dynamic user.** Lets you use dynamic membership rules to automatically add and remove members. If a member's attributes change, the system looks at your directory's dynamic group rules to see if the member meets the rule requirements (is added) or no longer meets the rules requirements (is removed).
- **Dynamic device.** Lets you use dynamic group rules to automatically add and remove devices. If a device's attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added) or no longer meets the rules requirements (is removed). > [!IMPORTANT]
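Review bot: the "Dynamic user" bullet was reworded to "looks at your directory's dynamic group rules", but the parallel "Dynamic device" bullet directly below still reads "looks at your dynamic group rules for the directory"; apply the same edit so the two bullets stay parallel. In both bullets, "no longer meets the rules requirements" should be "rule requirements" to match the earlier "meets the rule requirements".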
You can create a basic group and add your members at the same time. To create a
## Turn off group welcome email
-When any new Microsoft 365 group is created, whether with dynamic or static membership, a welcome notification is sent to all users who are added to the group. When any attributes of a user or device change, all dynamic group rules in the organization are processed for potential membership changes. Users who are added then also receive the welcome notification. You can turn this behavior off in [Exchange PowerShell](/powershell/module/exchange/users-and-groups/Set-UnifiedGroup).
+When any new Microsoft 365 group is created, whether with dynamic or static membership, a welcome notification is sent to all users who are added to the group. When any user or device attributes change, all dynamic group rules in the organization are processed for potential membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in [Exchange PowerShell](/powershell/module/exchange/users-and-groups/Set-UnifiedGroup).
## Next steps
active-directory Active Directory Groups Delete Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-delete-group.md
Title: Delete a group - Azure Active Directory | Microsoft Docs
description: Instructions about how to delete a group using Azure Active Directory. -+ Previously updated : 08/29/2018 Last updated : 08/17/2022
# Delete a group using Azure Active Directory+ You can delete an Azure Active Directory (Azure AD) group for any number of reasons, but typically it will be because you: - Incorrectly set the **Group type** to the wrong option.
You can delete an Azure Active Directory (Azure AD) group for any number of reas
- No longer need the group. ## To delete a group+ 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory. 2. Select **Azure Active Directory**, and then select **Groups**.
active-directory Active Directory Groups Members Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-members-azure-portal.md
Title: Add or remove group members - Azure Active Directory | Microsoft Docs
description: Instructions about how to add or remove members from a group using Azure Active Directory. -+ Previously updated : 08/23/2018 Last updated : 08/17/2022
active-directory Active Directory Groups Membership Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-membership-azure-portal.md
Title: Add or remove a group from another group - Azure AD
description: Instructions about how to add or remove a group from another group using Azure Active Directory. -+ Previously updated : 10/19/2018 Last updated : 08/17/2022
# Add or remove a group from another group using Azure Active Directory+ This article helps you to add and remove a group from another group using Azure Active Directory. >[!Note] >If you're trying to delete the parent group, see [How to update or delete a group and its members](active-directory-groups-delete-group.md). ## Add a group to another group+ You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time.
->[!Important]
+>[!IMPORTANT]
>We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Microsoft 365 groups.</li><li>Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li><li>Adding distribution groups in nesting scenarios.</li><li>Adding security groups as members of mail-enabled security groups</li><li> Adding groups as members of a role-assignable group.</li></ul> ### To add a group as a member of another group
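Review bot: the casing fix to [!IMPORTANT] matches the [!NOTE] and [!IMPORTANT] alerts used elsewhere in these files, but the list inside the alert is inconsistently punctuated: "Adding security groups as members of mail-enabled security groups" is the only item without a terminal period, and the last item has a leading space ("<li> Adding groups"). Tidy both while the block is being touched.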
You can add an existing Security group to another existing Security group (also
3. On the **Groups - All groups** page, search for and select the group that's to become a member of another group. For this exercise, we're using the **MDM policy - West** group.
- >[!Note]
+ >[!NOTE]
>You can add your group as a member to only one group at a time. Additionally, the **Select Group** box filters the display based on matching your entry to any part of a user or device name. However, wildcard characters aren't supported. ![Groups - All groups page with MDM policy - West group selected](media/active-directory-groups-membership-azure-portal/group-all-groups-screen.png)
You can add an existing Security group to another existing Security group (also
6. For a more detailed view of the group and member relationship, select the group name (**MDM policy - All org**) and take a look at the **MDM policy - West** page details. ## Remove a group from another group+ You can remove an existing Security group from another Security group. However, removing the group also removes any inherited attributes and properties for its members. ### To remove a member group from another group+ 1. On the **Groups - All groups** page, search for and select the group that's to be removed as a member of another group. For this exercise, we're again using the **MDM policy - West** group. 2. On the **MDM policy - West overview** page, select **Group memberships**.
You can remove an existing Security group from another Security group. However,
![Group membership page showing both the member and the group details](media/active-directory-groups-membership-azure-portal/group-membership-remove.png) ## Additional information+ These articles provide additional information on Azure Active Directory. - [View your groups and members](active-directory-groups-view-azure-portal.md)
active-directory Active Directory Groups Settings Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-settings-azure-portal.md
Title: Edit your group information - Azure Active Directory | Microsoft Docs
description: Instructions about how to edit your group's information using Azure Active Directory. -+ Previously updated : 08/27/2018 Last updated : 08/17/2022
Using Azure Active Directory (Azure AD), you can edit a group's settings, including updating its name, description, or membership type. ## To edit your group settings+ 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory. 2. Select **Azure Active Directory**, and then select **Groups**.
Using Azure Active Directory (Azure AD), you can edit a group's settings, includ
- **Object ID.** You can't change the Object ID, but you can copy it to use in your PowerShell commands for the group. For more info about using PowerShell cmdlets, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-v2-cmdlets.md). ## Next steps+ These articles provide additional information on Azure Active Directory. - [View your groups and members](active-directory-groups-view-azure-portal.md)
active-directory Active Directory Groups View Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-view-azure-portal.md
Title: Quickstart - View groups & members - Azure AD
description: Instructions about how to search for and view your organization's groups and their assigned members. -+ Previously updated : 09/24/2018 Last updated : 08/17/2022
# Quickstart: View your organization's groups and members in Azure Active Directory+ You can view your organization's existing groups and group members using the Azure portal. Groups are used to manage users (members) that all need the same access and permissions for potentially restricted apps and services. In this quickstart, you’ll view all of your organization's existing groups and view the assigned members.
In this quickstart, you’ll view all of your organization's existing groups and
If you don’t have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. ## Prerequisites+ Before you begin, you’ll need to: - Create an Azure Active Directory tenant. For more information, see [Access the Azure Active Directory portal and create a new tenant](active-directory-access-create-new-tenant.md). ## Sign in to the Azure portal+ You must sign in to the [Azure portal](https://portal.azure.com/) using a Global administrator account for the directory. ## Create a new group + Create a new group, named _MDM policy - West_. For more information about creating a group, see [How to create a basic group and add members](active-directory-groups-create-azure-portal.md). 1. Select **Azure Active Directory**, **Groups**, and then select **New group**.
Create a new user, named _Alain Charon_. A user must exist before being added as
3. Copy the auto-generated password provided in the **Password** box, and then select **Create**. ## Add a group member+ Now that you have a group and a user, you can add _Alain Charon_ as a member to the _MDM policy - West_ group. For more information about adding group members, see [How to add or remove group members](active-directory-groups-members-azure-portal.md). 1. Select **Azure Active Directory** > **Groups**.
active-directory Active Directory How Subscriptions Associated Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
Title: Add an existing Azure subscription to your tenant - Azure AD
description: Instructions about how to add an existing Azure subscription to your Azure Active Directory (Azure AD) tenant. -+ Previously updated : 03/05/2021 Last updated : 08/17/2022
Before you can associate or add your subscription, do the following tasks:
- Users that have been assigned roles using Azure RBAC will lose their access. - Service Administrator and Co-Administrators will lose access.
- - If you have any key vaults, they'll be inaccessible and you'll have to fix them after association.
+ - If you have any key vaults, they'll be inaccessible, and you'll have to fix them after association.
- If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the association. - If you have a registered Azure Stack, you'll have to re-register it after association. - For more information, see [Transfer an Azure subscription to a different Azure AD directory](../../role-based-access-control/transfer-subscription.md).
To associate an existing subscription to your Azure AD directory, follow these s
:::image type="content" source="media/active-directory-how-subscriptions-associated-directory/edit-directory-ui.png" alt-text="Screenshot that shows the Change the directory page with a sample directory and the Change button highlighted.":::
- After the directory is changed for the subscription, you will get a success message.
+ After the directory is changed for the subscription, you'll get a success message.
1. Select **Switch directories** on the subscription page to go to your new directory.
active-directory Active Directory How To Find Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-how-to-find-tenant.md
Title: How to find your tenant ID - Azure Active Directory
description: Instructions about how to find and Azure Active Directory tenant ID to an existing Azure subscription. -+ Previously updated : 10/30/2020 Last updated : 08/17/2022
For Microsoft 365 CLI, use the cmdlet **tenant id** as shown in the following ex
m365 tenant id get ```
-For more information, see the Microsoft 365 [tenant id get](https://pnp.github.io/cli-microsoft365/cmd/tenant/id/id-get/) command reference.
+For more information, see the Microsoft 365 [tenant ID get](https://pnp.github.io/cli-microsoft365/cmd/tenant/id/id-get/) command reference.
## Next steps
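Review bot: capitalizing the link text to "tenant ID get" breaks the correspondence with the actual command, which is `m365 tenant id get` as shown in the code block above and in the linked reference path cmd/tenant/id/id-get; keep the command name lowercase ("tenant id get") in the link text and reserve "tenant ID" for ordinary prose.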
active-directory Active Directory Licensing Whatis Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal.md
description: Learn about Azure Active Directory group-based licensing, including
keywords: Azure AD licensing -+ Previously updated : 10/29/2018 Last updated : 08/17/2022
Here are the main features of group-based licensing:
- A user can be a member of multiple groups with license policies specified. A user can also have some licenses that were directly assigned, outside of any groups. The resulting user state is a combination of all assigned product and service licenses. If a user is assigned same license from multiple sources, the license will be consumed only once. -- In some cases, licenses cannot be assigned to a user. For example, there might not be enough available licenses in the tenant, or conflicting services might have been assigned at the same time. Administrators have access to information about users for whom Azure AD could not fully process group licenses. They can then take corrective action based on that information.
+- In some cases, licenses can't be assigned to a user. For example, there might not be enough available licenses in the tenant, or conflicting services might have been assigned at the same time. Administrators have access to information about users for whom Azure AD couldn't fully process group licenses. They can then take corrective action based on that information.
## Your feedback is welcome!
active-directory Active Directory Manage Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-manage-groups.md
Title: Manage app & resource access using groups - Azure AD
description: Learn about how to manage access to your organization's cloud-based apps, on-premises apps, and resources using Azure Active Directory groups. -+ Previously updated : 01/08/2020 Last updated : 08/17/2022
There are four ways to assign resource access rights to your users:
## Can users join groups without being assigned? The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join or to require approval.
-After a user requests to join a group, the request is forwarded to the group owner. If it's required, the owner can approve the request and the user is notified of the group membership. However, if you have multiple owners and one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions about how to let your users request to join groups, see [Set up Azure AD so users can request to join groups](../enterprise-users/groups-self-service-management.md)
+After a user requests to join a group, the request is forwarded to the group owner. If it's required, the owner can approve the request, and the user is notified of the group membership. However, if you have multiple owners and one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions about how to let your users request to join groups, see [Set up Azure AD so users can request to join groups](../enterprise-users/groups-self-service-management.md)
## Next steps Now that you have a bit of an introduction to access management using groups, you start to manage your resources and apps.
active-directory Active Directory Ops Guide Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-auth.md
Previously updated : 10/31/2019 Last updated : 08/17/2022
active-directory Active Directory Ops Guide Govern https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-govern.md
Previously updated : 10/31/2019 Last updated : 08/17/2022
There are eight aspects to a secure Identity governance. This list will help you
## Next steps
-Get started with the [Azure AD operational checks and actions](active-directory-ops-guide-ops.md).
+Get started with the [Azure AD operational checks and actions](active-directory-ops-guide-ops.md).
active-directory Active Directory Ops Guide Iam https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-iam.md
Previously updated : 10/31/2019 Last updated : 08/17/2022
There are five aspects to a secure Identity infrastructure. This list will help
## Next steps
-Get started with the [Authentication management checks and actions](active-directory-ops-guide-auth.md).
+Get started with the [Authentication management checks and actions](active-directory-ops-guide-auth.md).
active-directory Active Directory Ops Guide Intro https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-intro.md
Previously updated : 10/31/2019 Last updated : 08/17/2022
active-directory Active Directory Ops Guide Ops https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-ops.md
Previously updated : 10/31/2019 Last updated : 08/17/2022
There are seven aspects to a secure Identity infrastructure. This list will help
## Next steps
-Refer to the [Azure AD deployment plans](active-directory-deployment-plans.md) for implementation details on any capabilities you haven't deployed.
+Refer to the [Azure AD deployment plans](active-directory-deployment-plans.md) for implementation details on any capabilities you haven't deployed.
active-directory Active Directory Properties Area https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-properties-area.md
Title: Add your organization's privacy info - Azure Active Directory | Microsoft
description: Instructions about how to add your organization's privacy info to the Azure Active Directory Properties area. -+ Previously updated : 04/17/2018 Last updated : 08/17/2022
You add your organization's privacy information in the **Properties** area of Az
- **Technical contact.** Type the email address for the person to contact for technical support within your organization.
- - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services . If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications please see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions)
+ - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services. If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications, see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions)
- **Privacy statement URL.** Type the link to your organization's document that describes how your organization handles both internal and external guest's data privacy.
active-directory Active Directory Troubleshooting Support Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-troubleshooting-support-howto.md
Title: Find help and open a support ticket - Azure Active Directory | Microsoft
description: Instructions about how to get help and open a support ticket for Azure Active Directory. -+ Previously updated : 08/28/2017 Last updated : 08/17/2022
active-directory Active Directory Users Assign Role Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md
Title: Assign Azure AD roles to users - Azure Active Directory | Microsoft Docs
description: Instructions about how to assign administrator and non-administrator roles to users with Azure Active Directory. -+ Previously updated : 08/31/2020 Last updated : 08/17/2022
active-directory Active Directory Users Profile Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md
Title: Add or update user profile information - Azure AD
description: Instructions about how to add information to a user's profile in Azure Active Directory, including a picture and job details. -+ Previously updated : 06/10/2021 Last updated : 08/17/2022
active-directory Active Directory Users Reset Password Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md
Title: Reset a user's password - Azure Active Directory | Microsoft Docs
description: Instructions about how to reset a user's password using Azure Active Directory. -+ ms.assetid: fad5624b-2f13-4abc-b3d4-b347903a8f16 Previously updated : 06/07/2022 Last updated : 08/17/2022
active-directory Active Directory Users Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-restore.md
Title: Restore or permanently remove recently deleted user - Azure AD
description: How to view restorable users, restore a deleted user, or permanently delete a user with Azure Active Directory. -+ Previously updated : 10/23/2020 Last updated : 08/17/2022
# Restore or remove a recently deleted user using Azure Active Directory+ After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started. You can view your restorable users, restore a deleted user, or permanently delete a user using Azure Active Directory (Azure AD) in the Azure portal.
You can view your restorable users, restore a deleted user, or permanently delet
>Neither you nor Microsoft customer support can restore a permanently deleted user. ## Required permissions+ You must have one of the following roles to restore and permanently delete users. - Global administrator
You must have one of the following roles to restore and permanently delete users
- User administrator ## View your restorable users+ You can see all the users that were deleted less than 30 days ago. These users can be restored. ### To view your restorable users+ 1. Sign in to the [Azure portal](https://portal.azure.com/) using a Global administrator account for the organization. 2. Select **Azure Active Directory**, select **Users**, and then select **Deleted users**.
You can see all the users that were deleted less than 30 days ago. These users c
## Restore a recently deleted user
-When a user account is deleted from the organization, the account is in a suspended state and all the related organization information is preserved. When you restore a user, this organization information is also restored.
+When a user account is deleted from the organization, the account is in a suspended state. All of the account's organization information is preserved. When you restore a user, this organization information is also restored.
-> [!Note]
+> [!NOTE]
> Once a user is restored, licenses that were assigned to the user at the time of deletion are also restored even if there are no seats available for those licenses. If you are then consuming more licenses more than you purchased, your organization could be temporarily out of compliance for license usage. ### To restore a user
active-directory Active Directory Whatis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-whatis.md
Title: What is Azure Active Directory?
description: Learn about Azure Active Directory, including terminology, available licenses, and a list of associated features. -+ Previously updated : 01/27/2022 Last updated : 08/17/2022
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md
Title: Add your custom domain - Azure Active Directory | Microsoft Docs
description: Instructions about how to add a custom domain using Azure Active Directory. -+ Previously updated : 10/25/2019 Last updated : 08/17/2022
active-directory Add Users Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users-azure-active-directory.md
Previously updated : 02/16/2022 Last updated : 08/17/2022
active-directory Azure Active Directory Parallel Identity Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/azure-active-directory-parallel-identity-options.md
na Previously updated : 11/18/2021 Last updated : 08/17/2022
active-directory Concept Fundamentals Mfa Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-mfa-get-started.md
Last updated 03/18/2020
-+
active-directory Customize Branding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/customize-branding.md
Title: Add branding to your organization's sign-in page - Azure AD
description: Instructions about how to add your organization's branding to the Azure Active Directory sign-in page. -+ Previously updated : 07/03/2021 Last updated : 08/17/2022
# Add branding to your organization's Azure Active Directory sign-in page+ Use your organization's logo and custom color schemes to provide a consistent look-and-feel on your Azure Active Directory (Azure AD) sign-in pages. Your sign-in pages appear when users sign in to your organization's web-based apps, such as Microsoft 365, which uses Azure AD as your identity provider. >[!NOTE] >Adding custom branding requires you to have either Azure Active Directory Premium 1, Premium 2, or Office 365 (for Office 365 apps) licenses. For more information about licensing and editions, see [Sign up for Azure AD Premium](active-directory-get-started-premium.md).<br><br>Azure AD Premium editions are available for customers in China using the worldwide instance of Azure Active Directory. Azure AD Premium editions aren't currently supported in the Azure service operated by 21Vianet in China. For more information, talk to us using the [Azure Active Directory Forum](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789). ## Customize your Azure AD sign-in page+ You can customize your Azure AD sign-in pages, which appear when users sign in to your organization's tenant-specific apps, such as `https://outlook.com/contoso.com`, or when passing a domain variable, such as `https://passwordreset.microsoftonline.com/?whr=contoso.com`.
-Your custom branding won't immediately appear when your users go to sites such as, www\.office.com. Instead, the user has to sign-in before your customized branding appears. After the user has signed in, the branding may take 15 minutes or longer to appear.
+Your custom branding won't immediately appear when your users go to sites such as, www\.office.com. Instead, the user has to sign-in before your customized branding appears. After the user has signed in, the branding may take 15 minutes, or longer to appear.
> [!NOTE] > **All branding elements are optional and will remain default when unchanged.** For example, if you specify a banner logo with no background image, the sign-in page will show your logo with a default background image from the destination site such as Microsoft 365.<br><br>Additionally, sign-in page branding doesn't carry over to personal Microsoft accounts. If your users or business guests sign in using a personal Microsoft account, the sign-in page won't reflect the branding of your organization. ### To configure your branding for the first time+ 1. Sign in to the [Azure portal](https://portal.azure.com/) using a Global administrator account for the directory. 2. Select **Azure Active Directory**, and then select **Company branding**, and then select **Configure**.
Your custom branding won't immediately appear when your users go to sites such a
- **Sign-in page background image.** Select a .png or .jpg image file to appear as the background for your sign-in pages. The image will be anchored to the center of the browser, and will scale to the size of the viewable space. You can't select an image larger than 1920x1080 pixels in size or that has a file size more than 300,000 bytes.
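Review bot: the comma introduced in "15 minutes, or longer to appear" splits the verb from its complement and should be dropped ("may take 15 minutes or longer to appear"); while this sentence is being edited, also remove the stray comma in "such as, www\.office.com" and use the verb form "sign in" rather than the noun "sign-in" in "the user has to sign-in".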
- It's recommended to use images without a strong subject focus, e.g., an opaque white box appears in the center of the screen, and could cover any part of the image depending on the dimensions of the viewable space.
+ It's recommended to use images without a strong subject focus, for example, an opaque white box appears in the center of the screen, and could cover any part of the image depending on the dimensions of the viewable space.
- **Banner logo.** Select a .png or .jpg version of your logo to appear on the sign-in page after the user enters a username and on the **My Apps** portal page.
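Review bot: swapping "e.g." for "for example" leaves the sentence reading as if the opaque white box were an example of a strong subject focus, when the relation is causal; suggest "It's recommended to use images without a strong subject focus, because an opaque white box appears in the center of the screen and could cover any part of the image depending on the dimensions of the viewable space."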
- The image can't be taller than 60 pixels or wider than 280 pixels, and the file shouldnΓÇÖt be larger than 10KB. We recommend using a transparent image since the background might not match your logo background. We also recommend not adding padding around the image or it might make your logo look small.
+ The image can't be taller than 60 pixels or wider than 280 pixels, and the file shouldnΓÇÖt be larger than 10 KB. We recommend using a transparent image since the background might not match your logo background. We also recommend not adding padding around the image or it might make your logo look small.
- **Username hint.** Type the hint text that appears to users if they forget their username. This text must be Unicode, without links or code, and can't exceed 64 characters. If guests sign in to your app, we suggest not adding this hint.
You can't change your original configuration's language from your default langua
![Contoso - Company branding page, with the new language configuration shown](media/customize-branding/company-branding-french-config.png) ## Add your custom branding to pages
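Review bot: the apostrophe in "shouldnΓÇÖt" on the changed Banner logo line appears as a mis-encoded byte sequence here; since the line is already being touched for "10 KB", replace the typographic apostrophe with a plain ASCII "shouldn't" so it renders consistently with "can't" earlier in the same sentence.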
-Add your custom branding to pages by modifying the end of the URL with the text, `?whr=yourdomainname`. This specific modification works on different types of pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service Password Reset (SSPR) setup page, and the sign in page.
+Add your custom branding to pages by modifying the end of the URL with the text, `?whr=yourdomainname`. This specific modification works on different types of pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service Password Reset (SSPR) setup page, and the sign-in page.
Whether an application supports customized URLs for branding or not depends on the specific application, and should be checked before attempting to add a custom branding to a page.
active-directory License Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md
Title: Assign or remove licenses - Azure Active Directory | Microsoft Docs
description: Instructions about how to assign or remove Azure Active Directory licenses from your users or groups. --+ ms.assetid: f8b932bc-8b4f-42b5-a2d3-f2c076234a78 Previously updated : 12/14/2020 Last updated : 08/17/2022
# Assign or remove licenses in the Azure Active Directory portal
-Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other tenants.
+Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and don't transfer to other tenants.
## Available license plans
There are several license plans available for the Azure AD service, including:
For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Azure AD premium license plans see [here](./active-directory-get-started-premium.md).
-Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
+Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. Any user whose usage location isn't specified inherits the location of the Azure AD organization.
## View license plans and plan details
active-directory Road To The Cloud Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/road-to-the-cloud-migrate.md
This project has two primary initiatives. The first is to plan and implement a V
For more information, see:
-* [Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure](/azure/virtual-desktop/deploy-azure-ad-joined-vm)
+* [Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure](../../virtual-desktop/deploy-azure-ad-joined-vm.md)
* [Windows 365 planning guide](/windows-365/enterprise/planning-guide)
Azure AD Domain Services allows you to migrate application servers to the cloud
[Establish an Azure AD footprint](road-to-the-cloud-establish.md)
-[Implement a cloud-first approach](road-to-the-cloud-implement.md)
+[Implement a cloud-first approach](road-to-the-cloud-implement.md)
active-directory Secure With Azure Ad Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-best-practices.md
When designing isolated environments, it's important to consider the following p
* **Use only modern authentication** - Applications deployed in isolated environments must use claims-based modern authentication (for example, SAML, * Auth, OAuth2, and OpenID Connect) to use capabilities such as federation, Azure AD B2B collaboration, delegation, and the consent framework. This way, legacy applications that have dependency on legacy authentication methods such as NT LAN Manager (NTLM) won't carry forward in isolated environments.
-* **Enforce strong authentication** - Strong authentication must always be used when accessing the isolated environment services and infrastructure. Whenever possible, [passwordless authentication](/azure/active-directory/authentication/concept-authentication-passwordless) such as [Windows for Business Hello](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)) should be used.
+* **Enforce strong authentication** - Strong authentication must always be used when accessing the isolated environment services and infrastructure. Whenever possible, [passwordless authentication](../authentication/concept-authentication-passwordless.md) such as [Windows for Business Hello](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security keys](../authentication/howto-authentication-passwordless-security-key.md)) should be used.
* **Deploy secure workstations** - [Secure workstations](/security/compass/privileged-access-devices) provide the mechanism to ensure that the platform and the identity that platform represents is properly attested and secured against exploitation. Two other approaches to consider are:
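Review bot: the `+` line fixes the two link targets but keeps the text defects around them: the FIDO2 link ends with a doubled closing parenthesis (`...howto-authentication-passwordless-security-key.md))`), the article and noun disagree ("a FIDO2 security keys"), and the product is named "Windows Hello for Business", not "Windows for Business Hello". Since the line is already being touched, suggest `[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security key](../authentication/howto-authentication-passwordless-security-key.md) should be used.`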
Provision [emergency access accounts](../roles/security-emergency-access.md) for
Use [Azure managed identities](../managed-identities-azure-resources/overview.md) for Azure resources that require a service identity. Check the [list of services that support managed identities](../managed-identities-azure-resources/managed-identities-status.md) when designing your Azure solutions.
-If managed identities aren't supported or not possible, consider [provisioning service principal objects](/azure/active-directory/develop/app-objects-and-service-principals).
+If managed identities aren't supported or not possible, consider [provisioning service principal objects](../develop/app-objects-and-service-principals.md).
### Hybrid service accounts
Below are some specific recommendations for Azure solutions. For general guidanc
* Define Conditional Access policies for [security information registration](../conditional-access/howto-conditional-access-policy-registration.md) that reflects a secure root of trust process on-premises (for example, for workstations in physical locations, identifiable by IP addresses, that employees must visit in person for verification).
-* Consider managing Conditional Access policies at scale with automation using [MS Graph CA API](/azure/active-directory/conditional-access/howto-conditional-access-apis)). For example, you can use the API to configure, manage, and monitor CA policies consistently across tenants.
+* Consider managing Conditional Access policies at scale with automation using [MS Graph CA API](../conditional-access/howto-conditional-access-apis.md)). For example, you can use the API to configure, manage, and monitor CA policies consistently across tenants.
* Consider using Conditional Access to restrict workload identities. Create a policy to limit or better control access based on location or other relevant circumstances.
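Review bot: the `+` line carries over a doubled closing parenthesis after the MS Graph CA API link (`howto-conditional-access-apis.md))`), which renders as a stray `)` in the middle of the sentence. Suggest `...using [MS Graph CA API](../conditional-access/howto-conditional-access-apis.md). For example, ...`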
Below are some considerations when designing a governed subscription lifecycle p
## Operations
-The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), [Azure Security Benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](/azure/active-directory/fundamentals/active-directory-ops-guide-ops) for detailed guidance to operate individual environments.
+The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), [Azure Security Benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](./active-directory-ops-guide-ops.md) for detailed guidance to operate individual environments.
### Cross-environment roles and responsibilities
The following scenarios must be explicitly monitored and investigated:
* Assignment to Azure resources using dedicated accounts for MCA billing tasks.
-* **Privileged role activity** - Configure and review security [alerts generated by Azure AD PIM](/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts). If locking down direct RBAC assignments isn't fully enforceable with technical controls (for example, Owner role has to be granted to product teams to do their job), then monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly to access the subscription with Azure RBAC.
+* **Privileged role activity** - Configure and review security [alerts generated by Azure AD PIM](../privileged-identity-management/pim-how-to-configure-security-alerts.md). If locking down direct RBAC assignments isn't fully enforceable with technical controls (for example, Owner role has to be granted to product teams to do their job), then monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly to access the subscription with Azure RBAC.
* **Classic role assignments** - Organizations should use the modern Azure RBAC role infrastructure instead of the classic roles. As a result, the following events should be monitored:
Similarly, Azure Monitor can be integrated with ITSM systems through the [IT Ser
* [Resource isolation in a single tenant](secure-with-azure-ad-single-tenant.md)
-* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)
+* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)
active-directory Secure With Azure Ad Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-fundamentals.md
Non-production environments are commonly referred to as sandbox environments.
* Devices
-**Human identities** are user objects that generally represent people in an organization. These identities are either created and managed directly in Azure AD or are synchronized from an on-premises Active Directory to Azure AD for a given organization. These types of identities are referred to as **local identities**. There can also be user objects invited from a partner organization or a social identity provider using [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). In this content, we refer to these types of identity as **external identities**.
+**Human identities** are user objects that generally represent people in an organization. These identities are either created and managed directly in Azure AD or are synchronized from an on-premises Active Directory to Azure AD for a given organization. These types of identities are referred to as **local identities**. There can also be user objects invited from a partner organization or a social identity provider using [Azure AD B2B collaboration](../external-identities/what-is-b2b.md). In this content, we refer to these types of identity as **external identities**.
-**Non-human identities** include any identity not associated with a human. This type of identity is an object such as an application that requires an identity to run. In this content, we refer to this type of identity as a **workload identity**. Various terms are used to describe this type of identity, including [application objects and service principals](/azure/marketplace/manage-aad-apps).
+**Non-human identities** include any identity not associated with a human. This type of identity is an object such as an application that requires an identity to run. In this content, we refer to this type of identity as a **workload identity**. Various terms are used to describe this type of identity, including [application objects and service principals](../../marketplace/manage-aad-apps.md).
* **Application object**. An Azure AD application is defined by its one and only application object. The object resides in the Azure AD tenant where the application registered. The tenant is known as the application's "home" tenant.
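Review bot: in the second `+` line of this hunk the link text "application objects and service principals" still resolves to the Marketplace article `../../marketplace/manage-aad-apps.md`, while the same batch links the same concept to `../develop/app-objects-and-service-principals.md` in `secure-with-azure-ad-best-practices.md`. This paragraph defines workload identities in general rather than Marketplace publishing, so the develop article is the more accurate target; the Marketplace article is reused for "exceptions" further down in this file, where it fits better.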
Non-production environments are commonly referred to as sandbox environments.
* **Multi-tenant** applications allow identities from any Azure AD tenant to authenticate.
-* **Service principal object**. Although there are [exceptions](/azure/marketplace/manage-aad-apps), application objects can be considered the *definition* of an application. Service principal objects can be considered an instance of an application. Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories.
+* **Service principal object**. Although there are [exceptions](../../marketplace/manage-aad-apps.md), application objects can be considered the *definition* of an application. Service principal objects can be considered an instance of an application. Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories.
**Service principal objects** are also directory identities that can perform tasks independently from human intervention. The service principal defines the access policy and permissions for a user or application in the Azure AD tenant. This mechanism enables core features such as authentication of the user or application during sign-in and authorization during resource access.
-Azure AD allows application and service principal objects to authenticate with a password (also known as an application secret), or with a certificate. The use of passwords for service principals is discouraged and [we recommend using a certificate](/azure/active-directory/develop/howto-create-service-principal-portal) whenever possible.
+Azure AD allows application and service principal objects to authenticate with a password (also known as an application secret), or with a certificate. The use of passwords for service principals is discouraged and [we recommend using a certificate](../develop/howto-create-service-principal-portal.md) whenever possible.
-* **Managed identities for Azure resources**. Managed identities are special service principals in Azure AD. This type of service principal can be used to authenticate against services that support Azure AD authentication without needing to store credentials in your code or handle secrets management. For more information, see [What are managed identities for Azure resources?](/azure/active-directory/managed-identities-azure-resources/overview)
+* **Managed identities for Azure resources**. Managed identities are special service principals in Azure AD. This type of service principal can be used to authenticate against services that support Azure AD authentication without needing to store credentials in your code or handle secrets management. For more information, see [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)
* **Device identity**: A device identity is an identity that verifies that the device being used in the authentication flow has undergone a process to attest that the device is legitimate and meets the technical requirements specified by the organization. Once the device has successfully completed this process, the associated identity can be used to further control access to an organization's resources. With Azure AD, devices can authenticate with a certificate. Some legacy scenarios required a human identity to be used in *non-human* scenarios. For example, when service accounts being used in on-premises applications such as scripts or batch jobs require access to Azure AD. This pattern isn't recommended and we recommend you use [certificates](../authentication/concept-certificate-based-authentication-technical-deep-dive.md). However, if you do use a human identity with password for authentication, protect your Azure AD accounts with [Azure Active Directory Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md).
-**Hybrid identity**. A hybrid identity is an identity that spans on-premises and cloud environments. This provides the benefit of being able to use the same identity to access on-premises and cloud resources. The source of authority in this scenario is typically an on-premises directory, and the identity lifecycle around provisioning, de-provisioning and resource assignment is also driven from on-premises. For more information, see [Hybrid identity documentation](/azure/active-directory/hybrid/).
+**Hybrid identity**. A hybrid identity is an identity that spans on-premises and cloud environments. This provides the benefit of being able to use the same identity to access on-premises and cloud resources. The source of authority in this scenario is typically an on-premises directory, and the identity lifecycle around provisioning, de-provisioning and resource assignment is also driven from on-premises. For more information, see [Hybrid identity documentation](../hybrid/index.yml).
**Directory objects**. An Azure AD tenant contains the following common objects:
Azure AD provides industry-leading strong authentication options that organizati
**Application access policies**. Azure AD provides capabilities to further control and secure access to your organization's applications.
-**Conditional Access**. Azure AD Conditional Access policies are tools to bring user and device context into the authorization flow when accessing Azure AD resources. Organizations should explore use of Conditional Access policies to allow, deny, or enhance authentication based on user, risk, device, and network context. For more information, see the [Azure AD Conditional Access documentation](/azure/active-directory/conditional-access/).
+**Conditional Access**. Azure AD Conditional Access policies are tools to bring user and device context into the authorization flow when accessing Azure AD resources. Organizations should explore use of Conditional Access policies to allow, deny, or enhance authentication based on user, risk, device, and network context. For more information, see the [Azure AD Conditional Access documentation](../conditional-access/index.yml).
**Azure AD Identity Protection**. This feature enables organizations to automate the detection and remediation of identity-based risks, investigate risks, and export risk detection data to third-party utilities for further analysis. For more information, see [overview on Azure AD Identity Protection](../identity-protection/overview-identity-protection.md).
Azure AD provides industry-leading strong authentication options that organizati
Azure AD also provides a portal and the Microsoft Graph API to allow organizations to manage identities or integrate Azure AD identity management into existing workflows or automation. To learn more about Microsoft Graph, see [Use the Microsoft Graph API](/graph/use-the-api).
-**Device management**. Azure AD is used to manage the lifecycle and integration with cloud and on-premises device management infrastructures. It also is used to define policies to control access from cloud or on-premises devices to your organizational data. Azure AD provides the lifecycle services of devices in the directory and the credential provisioning to enable authentication. It also manages a key attribute of a device in the system that is the level of trust. This detail is important when designing a resource access policy. For more information, see [Azure AD Device Management documentation](/azure/active-directory/devices/).
+**Device management**. Azure AD is used to manage the lifecycle and integration with cloud and on-premises device management infrastructures. It also is used to define policies to control access from cloud or on-premises devices to your organizational data. Azure AD provides the lifecycle services of devices in the directory and the credential provisioning to enable authentication. It also manages a key attribute of a device in the system that is the level of trust. This detail is important when designing a resource access policy. For more information, see [Azure AD Device Management documentation](../devices/index.yml).
**Configuration management**. Azure AD has service elements that need to be configured and managed to ensure the service is configured to an organization's requirements. These elements include domain management, SSO configuration, and application management to name but a few. Azure AD provides a portal and the Microsoft Graph API to allow organizations to manage these elements or integrate into existing processes. To learn more about Microsoft Graph, see [Use the Microsoft Graph API](/graph/use-the-api).
Azure AD also provides a portal and the Microsoft Graph API to allow organizatio
* Applications used to access
-Azure AD also provides information on the actions that are being performed within Azure AD, and reports on security risks. For more information, see [Azure Active Directory reports and monitoring](/azure/active-directory/reports-monitoring/).
+Azure AD also provides information on the actions that are being performed within Azure AD, and reports on security risks. For more information, see [Azure Active Directory reports and monitoring](../reports-monitoring/index.yml).
**Auditing**. Auditing provides traceability through logs for all changes done by specific features within Azure AD. Examples of activities found in audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles, and policies. Reporting in Azure AD enables you to audit sign-in activities, risky sign-ins, and users flagged for risk. For more information, see [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md).
Azure AD also provides information on the actions that are being performed withi
* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)
-* [Best practices](secure-with-azure-ad-best-practices.md)
+* [Best practices](secure-with-azure-ad-best-practices.md)
active-directory Secure With Azure Ad Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-introduction.md
Having a set of directory objects in the Azure AD tenant boundary engenders the
## Administrative units for role management
-Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference) role to regional support specialists, so they can manage users only in the region that they support. An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only:
+Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the [Helpdesk Administrator](../roles/permissions-reference.md) role to regional support specialists, so they can manage users only in the region that they support. An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only:
* Users
In the following diagram, administrative units are used to segment the Azure AD
![Diagram that shows Azure AD Administrative units.](media/secure-with-azure-ad-introduction/administrative-units.png)
-For more information on administrative units, see [Administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units).
+For more information on administrative units, see [Administrative units in Azure Active Directory](../roles/administrative-units.md).
### Common reasons for resource isolation
Configuration settings in Azure AD can impact any resource in the Azure AD tenan
* Bypass security requirements >[!NOTE]
->Using [Named Locations](/azure/active-directory/conditional-access/location-condition) can present some challenges to your [zero-trust journey](https://www.microsoft.com/security/business/zero-trust). Verify that using Named Locations fits into your security strategy and principles.
+>Using [Named Locations](../conditional-access/location-condition.md) can present some challenges to your [zero-trust journey](https://www.microsoft.com/security/business/zero-trust). Verify that using Named Locations fits into your security strategy and principles.
Allowed authentication methods: Global administrators set the authentication methods allowed for the tenant. * **Self-service options**. Global Administrators set self-service options such as self-service-password reset and create Microsoft 365 groups at the tenant level.
Who should have the ability to administer the environment and its resources? The
Given the interdependence between an Azure AD tenant and its resources, it's critical to understand the security and operational risks of compromise or error. If you're operating in a federated environment with synchronized accounts, an on-premises compromise can lead to an Azure AD compromise.
-* **Identity compromise** - Within the boundary of a tenant, any identity can be assigned any role, given the one providing access has sufficient privileges. While the impact of compromised non-privileged identities is largely contained, compromised administrators can have broad impact. For example, if an Azure AD global administrator account is compromised, Azure resources can become compromised. To mitigate risk of identity compromise, or bad actors, implement [tiered administration](/security/compass/privileged-access-access-model) and ensure that you follow principles of least privilege for [Azure AD Administrator Roles](/azure/active-directory/roles/delegate-by-task). Similarly, ensure that you create CA policies that specifically exclude test accounts and test service principals from accessing resources outside of the test applications. For more information on privileged access strategy, see [Privileged access: Strategy](/security/compass/privileged-access-strategy).
+* **Identity compromise** - Within the boundary of a tenant, any identity can be assigned any role, given the one providing access has sufficient privileges. While the impact of compromised non-privileged identities is largely contained, compromised administrators can have broad impact. For example, if an Azure AD global administrator account is compromised, Azure resources can become compromised. To mitigate risk of identity compromise, or bad actors, implement [tiered administration](/security/compass/privileged-access-access-model) and ensure that you follow principles of least privilege for [Azure AD Administrator Roles](../roles/delegate-by-task.md). Similarly, ensure that you create CA policies that specifically exclude test accounts and test service principals from accessing resources outside of the test applications. For more information on privileged access strategy, see [Privileged access: Strategy](/security/compass/privileged-access-strategy).
* **Federated environment compromise**
Incorporating zero-trust principles into your Azure AD design strategy can help
* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)
-* [Best practices](secure-with-azure-ad-best-practices.md)
+* [Best practices](secure-with-azure-ad-best-practices.md)
active-directory Secure With Azure Ad Multiple Tenants https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-multiple-tenants.md
Another approach could have been to utilize the capabilities of Azure AD Connect
## Multi-tenant resource isolation
-A new tenant provides the ability to have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). Similarly, organizations can implement [Azure Lighthouse](/azure/lighthouse/overview) for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.
+A new tenant provides the ability to have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](../external-identities/what-is-b2b.md). Similarly, organizations can implement [Azure Lighthouse](../../lighthouse/overview.md) for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.
This will allow users to continue to use their corporate credentials, while achieving the benefits of separation as described above.
Devices: This tenant contains a reduced number of devices; only those that are n
* [Resource isolation in a single tenant](secure-with-azure-ad-single-tenant.md)
-* [Best practices](secure-with-azure-ad-best-practices.md)
+* [Best practices](secure-with-azure-ad-best-practices.md)
active-directory Secure With Azure Ad Resource Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-resource-management.md
Before any resource management request can be executed by Resource Manager, a se
* **Valid user check** - The user requesting to manage the resource must have an account in the Azure AD tenant associated with the subscription of the managed resource.
-* **User permission check** - Permissions are assigned to users using [role-based access control (RBAC)](/azure/role-based-access-control/overview). An RBAC role specifies a set of permissions a user may take on a specific resource. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
+* **User permission check** - Permissions are assigned to users using [role-based access control (RBAC)](../../role-based-access-control/overview.md). An RBAC role specifies a set of permissions a user may take on a specific resource. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
* **Azure policy check** - [Azure policies](../../governance/policy/overview.md) specify the operations allowed or explicitly denied for a specific resource. For example, a policy can specify that users are only allowed (or not allowed) to deploy a specific type of virtual machine.
Conditional Access: A key benefit of using Azure AD for signing into Azure virtu
**Challenges**: The list below highlights key challenges with using this option for identity isolation.
-* No central management or configuration of servers. For example, there's no Group Policy that can be applied to a group of servers. Organizations should consider deploying [Update Management in Azure](/azure/automation/update-management/overview) to manage patching and updates of these servers.
+* No central management or configuration of servers. For example, there's no Group Policy that can be applied to a group of servers. Organizations should consider deploying [Update Management in Azure](../../automation/update-management/overview.md) to manage patching and updates of these servers.
* Not suitable for multi-tiered applications that have requirements to authenticate with on-premises mechanisms such as Windows Integrated Authentication across these servers or services. If this is a requirement for the organization, then it's recommended that you explore the Standalone Active Directory Domain Services, or the Azure Active Directory Domain Services scenarios described in this section.
For this isolated model, it's assumed that there's no connectivity to the VNet t
* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)
-* [Best practices](secure-with-azure-ad-best-practices.md)
+* [Best practices](secure-with-azure-ad-best-practices.md)
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
For more information about how to better secure your organization by using autom
In September 2021, we have added following 44 new applications in our App gallery with Federation support
-[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [iAuditor](../saas-apps/iauditor-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Facebook Work Accounts](../saas-apps/facebook-work-accounts-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://app.visult.io/), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim 
iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), [Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webフロー](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/us/sign-up/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md)
+[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [iAuditor](../saas-apps/iauditor-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Facebook Work Accounts](../saas-apps/facebook-work-accounts-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://visult.app), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim 
iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), [Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webフロー](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/us/sign-up/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md)
You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
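Review bot: the Inova entry in the added line links straight to the Azure AD `/oauth2/v2.0/authorize` endpoint with a fixed `code_challenge` value and a fixed `redirect_uri` baked into the URL. A static PKCE challenge published in documentation gives none of the protection PKCE is meant to provide, and an authorize URL started from a docs page cannot complete a sign-in, so the entry should point at the vendor's landing page or a tutorial under `../saas-apps/`, like the neighbouring entries do.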
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md
For more information, see:[Customize app SAML token claims - Microsoft Entra | M
You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to the on-premises virtual network on which you have installed Azure AD Domain Services. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.
-To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](/azure/active-directory-domain-services/concepts-forest-trust).
+To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](../../active-directory-domain-services/concepts-forest-trust.md).
Note that end users are encouraged to enable the optional telemetry setting in t
Previously, to set up and administer your AAD-DS instance you needed the top-level permissions of Azure Contributor and Azure AD Global Admin. Now, for both initial creation and ongoing administration, you can use more fine-grained permissions for enhanced security and control. The prerequisites now minimally require:
- You need [Application Administrator](../roles/permissions-reference.md#application-administrator) and [Groups Administrator](../roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.
-- You need [Domain Services Contributor](/azure/role-based-access-control/built-in-roles#domain-services-contributor) Azure role to create the required Azure AD DS resources.
+- You need [Domain Services Contributor](../../role-based-access-control/built-in-roles.md#domain-services-contributor) Azure role to create the required Azure AD DS resources.
Check out these resources to learn more:
-- [Tutorial - Create an Azure Active Directory Domain Services managed domain | Microsoft Docs](/azure/active-directory-domain-services/tutorial-create-instance#prerequisites)
+- [Tutorial - Create an Azure Active Directory Domain Services managed domain | Microsoft Docs](../../active-directory-domain-services/tutorial-create-instance.md#prerequisites)
- [Least privileged roles by task - Azure Active Directory | Microsoft Docs](../roles/delegate-by-task.md#domain-services)
-- [Azure built-in roles - Azure RBAC | Microsoft Docs](/azure/role-based-access-control/built-in-roles#domain-services-contributor)
+- [Azure built-in roles - Azure RBAC | Microsoft Docs](../../role-based-access-control/built-in-roles.md#domain-services-contributor)
We've improved the Privileged Identity management (PIM) time to role activation
-
------
active-directory Four Steps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/four-steps.md
Previously updated : 06/20/2019 Last updated : 08/17/2022
active-directory How To Connect Group Writeback V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-group-writeback-v2.md
You can view the existing writeback settings on Microsoft 365 groups in the port
[![Screenshot of Microsoft 365 group properties.](media/how-to-connect-group-writeback/group-2.png)](media/how-to-connect-group-writeback/group-2.png#lightbox)
-You can also view the writeback state via MS Graph: [Get group](https://docs.microsoft.com/graph/api/group-get?view=graph-rest-beta&tabs=http)
+You can also view the writeback state via MS Graph: [Get group](/graph/api/group-get?tabs=http&view=graph-rest-beta)
Example: `GET https://graph.microsoft.com/beta/groups?$filter=groupTypes/any(c:c eq 'Unified')&$select=id,displayName,writebackConfiguration`
Finally, you can also view the writeback state via PowerShell using the [Micros
For groups that haven't been created yet, you can view whether or not they're going to be automatically written back.
-To see the default behavior in your environment for newly created groups use MS Graph: [directorySetting](https://docs.microsoft.com/graph/api/resources/directorysetting?view=graph-rest-beta)
+To see the default behavior in your environment for newly created groups use MS Graph: [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta)
Example: `GET https://graph.microsoft.com/beta/Settings`
If a `directorySetting` named **Group.Unified** exists with a `NewUnifiedGroupWritebackDefault` value of **false**, Microsoft 365 groups **won't automatically** be enabled for write-back when they're created. If the value is not specified or it is set to true, newly created Microsoft 365 groups **will automatically** be written back.
-You can also use the PowerShell cmdlet [AzureADDirectorySetting](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-settings-cmdlets)
+You can also use the PowerShell cmdlet [AzureADDirectorySetting](../enterprise-users/groups-settings-cmdlets.md)
Example: `(Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"} | FL *).values`
If a `directorySetting` is returned with a `NewUnifiedGroupWritebackDefault` value of **false**, Microsoft 365 groups **won't automatically** be enabled for write-back when they're created. If the value is not specified or it is set to **true**, newly created Microsoft 365 groups **will automatically** be written back.

### Discover if AD has been prepared for Exchange
-To verify if Active Directory has been prepared for Exchange, see [Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange Server Active Directory, Exchange 2019 Active Directory](https://docs.microsoft.com/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019#how-do-you-know-this-worked)
+To verify if Active Directory has been prepared for Exchange, see [Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange Server Active Directory, Exchange 2019 Active Directory](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019#how-do-you-know-this-worked)
## Public preview prerequisites

The following are prerequisites for group writeback.
- Azure AD Connect version 2.0.89.0 or later
- **Optional**: Exchange Server 2016 CU15 or later - Only needed for configuring cloud groups with Exchange Hybrid.
- - See [Configure Microsoft 365 Groups with on-premises Exchange hybrid](https://docs.microsoft.com/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites) for more information.
- - If you haven't [prepared AD for Exchange](https://docs.microsoft.com/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019), mail related attributes of groups won't be written back.
+ - See [Configure Microsoft 365 Groups with on-premises Exchange hybrid](/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites) for more information.
+ - If you haven't [prepared AD for Exchange](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019), mail related attributes of groups won't be written back.
## Choosing the right approach

Choosing the right deployment approach for your organization will depend on the current state of group writeback in your environment and the desired writeback behavior.
If you plan to make changes to the default behavior, we recommend that you do so
While this release has undergone extensive testing, you may still encounter issues. One of the goals of this public preview release is to find and fix any such issues before moving to General Availability. While support is provided for this public preview release, Microsoft may not always be able to fix all issues you may encounter immediately. For this reason, it's recommended that you use your best judgment before deploying this release in your production environment.

Limitations and known issues specific to Group writeback:
-- Cloud [distribution list groups](https://docs.microsoft.com/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) created in Exchange Online cannot be written back to AD, only Microsoft 365 and Azure AD security groups are supported.
+- Cloud [distribution list groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) created in Exchange Online cannot be written back to AD, only Microsoft 365 and Azure AD security groups are supported.
- To be backwards compatible with the current version of group writeback, when you enable group writeback, all existing Microsoft 365 groups are written back and created as distribution groups, by default. This behavior can be modified by following the steps detailed in [Modifying group writeback](how-to-connect-modify-group-writeback.md).
- When you disable writeback for a group, the group won't automatically be removed from your on-premises Active Directory, until hard deleted in Azure AD. This behavior can be modified by following the steps detailed in [Modifying group writeback](how-to-connect-modify-group-writeback.md).
- Group Writeback does not support writeback of nested group members that have a scope of 'Domain local' in AD, since Azure AD security groups are written back with scope 'Universal'. If you have a nested group like this, you'll see an export error in Azure AD Connect with the message "A universal group cannot have a local group as a member." The resolution is to remove the member with scope 'Domain local' from the Azure AD group or update the nested group member scope in AD to 'Global' or 'Universal' group.
- [Modify Azure AD Connect group writeback default behavior](how-to-connect-modify-group-writeback.md)
- [Enable Azure AD Connect group writeback](how-to-connect-group-writeback-enable.md)
-- [Disable Azure AD Connect group writeback](how-to-connect-group-writeback-disable.md)
+- [Disable Azure AD Connect group writeback](how-to-connect-group-writeback-disable.md)
active-directory How To Connect Install Automatic Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-install-automatic-upgrade.md
Azure AD Connect automatic upgrade is a feature that regularly checks for newer
Note that for security reasons the agent that performs the automatic upgrade validates the new build of Azure AD Connect based on the digital signature of the downloaded version.

>[!NOTE]
-> Azure Active Directory (AD) Connect follows the [Modern Lifecycle Policy](https://docs.microsoft.com/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service.
+> Azure Active Directory (AD) Connect follows the [Modern Lifecycle Policy](/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service.
>
-> Product governed by the Modern Policy follow a [continuous support and servicing model](https://docs.microsoft.com/lifecycle/overview/product-end-of-support-overview). Customers must take the latest update to remain supported.
+> Product governed by the Modern Policy follow a [continuous support and servicing model](/lifecycle/overview/product-end-of-support-overview). Customers must take the latest update to remain supported.
>
> For products and services governed by the Modern Lifecycle Policy, Microsoft's policy is to provide a minimum 30 days' notification when customers are required to take action in order to avoid significant degradation to the normal use of the product or service.
Here is a list of the most common messages you find. It does not list all, but t
|UpgradeNotSupportedAADHealthUploadDisabled|Health data uploads have been disabled from the portal|

## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
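Review bot: the removed and added lines of this hunk are textually identical, so the change is whitespace-only (most likely a trailing space or line-ending fix); harmless, but confirm it is intentional rather than editor churn so the commit's link-migration purpose stays clear.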
active-directory How To Connect Modify Group Writeback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-modify-group-writeback.md
If the original version of group writeback is already enabled and in use in your
### Disable automatic writeback of all Microsoft 365 groups

1. To configure directory settings to disable automatic writeback of newly created Microsoft 365 groups, update the `NewUnifiedGroupWritebackDefault` setting to false.
- 2. To do this via PowerShell, use the: [New-AzureADDirectorySetting](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-settings-cmdlets) cmdlet.
+ 2. To do this via PowerShell, use the: [New-AzureADDirectorySetting](../enterprise-users/groups-settings-cmdlets.md) cmdlet.
Example:
```PowerShell
$TemplateId = (Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq "Group.Unified" }).Id
# Create a settings object from the Group.Unified template before assigning values to it
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
$Setting["NewUnifiedGroupWritebackDefault"] = "False"
New-AzureADDirectorySetting -DirectorySetting $Setting
```
- 3. Via MS Graph: [directorySetting](https://docs.microsoft.com/graph/api/resources/directorysetting?view=graph-rest-beta)
+ 3. Via MS Graph: [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta)
### Disable writeback for each existing Microsoft 365 group.
-- Portal: [Entra admin portal](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-write-back-portal)
+- Portal: [Entra admin portal](../enterprise-users/groups-write-back-portal.md)
- PowerShell: [Microsoft Identity Tools PowerShell Module](https://www.powershellgallery.com/packages/MSIdentityTools/2.0.16) Example: `Get-mggroup -filter "groupTypes/any(c:c eq 'Unified')" | Update-MsIdGroupWritebackConfiguration -WriteBackEnabled $false`
-- MS Graph: [Update group](https://docs.microsoft.com/graph/api/group-update?view=graph-rest-beta&tabs=http)
+- MS Graph: [Update group](/graph/api/group-update?tabs=http&view=graph-rest-beta)
> After deletion in AD, written back groups are not automatically restored from the AD recycle bin, if they're re-enabled for writeback or restored from soft delete state. New groups will be created. Deleted groups restored from the AD recycle bin, prior to being re-enabled for writeback or restored from soft delete state in Azure AD, will be joined to their respective Azure AD group.

1. On your Azure AD Connect server, open a PowerShell prompt as administrator.
- 2. Disable [Azure AD Connect sync scheduler](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler)
+ 2. Disable [Azure AD Connect sync scheduler](./how-to-connect-sync-feature-scheduler.md)
```PowerShell
Set-ADSyncScheduler -SyncCycleEnabled $false
```
Since the default sync rule, that limits the group size, is created when group writeback is enabled, the following steps must be completed after group writeback is enabled.

1. On your Azure AD Connect server, open a PowerShell prompt as administrator.
-2. Disable [Azure AD Connect sync scheduler](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler)
+2. Disable [Azure AD Connect sync scheduler](./how-to-connect-sync-feature-scheduler.md)
```PowerShell
Set-ADSyncScheduler -SyncCycleEnabled $false
```
-3. Open the [synchronization rule editor](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-create-custom-sync-rule)
+3. Open the [synchronization rule editor](./how-to-connect-create-custom-sync-rule.md)
4. Set the Direction to Outbound
5. Locate and disable the 'Out to AD – Group Writeback Member Limit' synchronization rule
6. Enable Azure AD Connect sync scheduler
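Review bot: step 6 re-enables the sync scheduler but shows no command, while step 2 shows `Set-ADSyncScheduler -SyncCycleEnabled $false`; add the matching `Set-ADSyncScheduler -SyncCycleEnabled $true` so readers who paste the commands don't leave the sync cycle disabled after editing the rule.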
## Restoring from AD Recycle Bin
-If you're updating the default behavior to delete groups when disabled for writeback or soft deleted, we recommend that you enable the [Active Directory Recycle Bin](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-recycle-bin) feature for your on-premises instances of Active Directory. This feature will allow you to manually restore previously deleted AD groups, so that they can be rejoined to their respective Azure AD groups, if they were accidentally disabled for writeback or soft deleted.
+If you're updating the default behavior to delete groups when disabled for writeback or soft deleted, we recommend that you enable the [Active Directory Recycle Bin](./how-to-connect-sync-recycle-bin.md) feature for your on-premises instances of Active Directory. This feature will allow you to manually restore previously deleted AD groups, so that they can be rejoined to their respective Azure AD groups, if they were accidentally disabled for writeback or soft deleted.
Prior to re-enabling for writeback, or restoring from soft delete in Azure AD, the group will first need to be restored in AD.
- [Azure AD Connect group writeback](how-to-connect-group-writeback-v2.md)
- [Enable Azure AD Connect group writeback](how-to-connect-group-writeback-enable.md)
- -- [Disable Azure AD Connect group writeback](how-to-connect-group-writeback-disable.md)
+- [Disable Azure AD Connect group writeback](how-to-connect-group-writeback-disable.md)
active-directory Create Service Principal Cross Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/create-service-principal-cross-tenant.md
From the Microsoft Graph explorer window:
## Next steps
-- [Add RBAC role to the enterprise application](/azure/role-based-access-control/role-assignments-portal)
+- [Add RBAC role to the enterprise application](../../role-based-access-control/role-assignments-portal.md)
- [Assign users to your application](add-application-portal-assign-users.md)
active-directory Datawiza Azure Ad Sso Oracle Jde https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-azure-ad-sso-oracle-jde.md
This tutorial shows how to enable Azure Active Directory (Azure AD) single sign-
Benefits of integrating applications with Azure AD using DAB include:
-- [Proactive security with Zero Trust](https://www.microsoft.com/security/business/zero-trust) through [Azure AD SSO](https://azure.microsoft.com/solutions/active-directory-sso/OCID=AIDcmm5edswduu_SEM_e13a1a1787ce1700761a78c235ae5906:G:s&ef_id=e13a1a1787ce1700761a78c235ae5906:G:s&msclkid=e13a1a1787ce1700761a78c235ae5906#features), [Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks) and
- [Conditional Access](/azure/active-directory/conditional-access/overview).
+- [Proactive security with Zero Trust](https://www.microsoft.com/security/business/zero-trust) through [Azure AD SSO](https://azure.microsoft.com/solutions/active-directory-sso/OCID=AIDcmm5edswduu_SEM_e13a1a1787ce1700761a78c235ae5906:G:s&ef_id=e13a1a1787ce1700761a78c235ae5906:G:s&msclkid=e13a1a1787ce1700761a78c235ae5906#features), [Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md) and
+ [Conditional Access](../conditional-access/overview.md).
- [Easy authentication and authorization in Azure AD with no-code Datawiza](https://www.microsoft.com/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/). Use of web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Siebel, Oracle PeopleSoft, and home-grown apps.
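Review bot: the Azure AD SSO link kept in the added line still carries campaign tracking parameters (`OCID=...`, `ef_id=...`, `msclkid=...`) ahead of the `#features` anchor; since this commit is already normalising links, reduce it to the plain `https://azure.microsoft.com/solutions/active-directory-sso/#features` so the docs don't ship tracking identifiers that stop resolving when the campaign ends.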
The scenario solution has the following components:
- **Datawiza Cloud Management Console (DCMC)**: A centralized console to manage DAB. DCMC has UI and RESTful APIs for administrators to configure Datawiza Access Broker and access control policies. Understand the SP initiated flow by following the steps mentioned in [Datawiza and Azure AD authentication
-architecture](/azure/active-directory/manage-apps/datawiza-with-azure-ad#datawiza-with-azure-ad-authentication-architecture).
+architecture](./datawiza-with-azure-ad.md#datawiza-with-azure-ad-authentication-architecture).
## Prerequisites
Ensure the following prerequisites are met.
- An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free)
- An Azure AD tenant linked to the Azure subscription.
- - See, [Quickstart: Create a new tenant in Azure Active Directory.](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant)
+ - See, [Quickstart: Create a new tenant in Azure Active Directory.](../fundamentals/active-directory-access-create-new-tenant.md)
- Docker and Docker Compose
- User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory.
- - See, [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+ - See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md).
- An account with Azure AD and the Application administrator role
- - See, [Azure AD built-in roles, all roles](/azure/active-directory/roles/permissions-reference#all-roles).
+ - See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles).
- An Oracle JDE environment
For the Oracle JDE application to recognize the user correctly, there's another
## Enable Azure AD Multi-Factor Authentication
-To provide an extra level of security for sign-ins, enforce multifactor authentication (MFA) for user sign-in. One way to achieve this is to [enable MFA on the Azure portal](/azure/active-directory/authentication/tutorial-enable-azure-mfa).
+To provide an extra level of security for sign-ins, enforce multifactor authentication (MFA) for user sign-in. One way to achieve this is to [enable MFA on the Azure portal](../authentication/tutorial-enable-azure-mfa.md).
1. Sign in to the Azure portal as a **Global Administrator**.
To confirm Oracle JDE application access occurs correctly, a prompt appears to u
- [Watch the video - Enable SSO/MFA for Oracle JDE with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90).
-- [Configure Datawiza and Azure AD for secure hybrid access](/azure/active-directory/manage-apps/datawiza-with-azure-ad)
+- [Configure Datawiza and Azure AD for secure hybrid access](./datawiza-with-azure-ad.md)
-- [Configure Datawiza with Azure AD B2C](/azure/active-directory-b2c/partner-datawiza)
+- [Configure Datawiza with Azure AD B2C](../../active-directory-b2c/partner-datawiza.md)
-- [Datawiza documentation](https://docs.datawiza.com/)
+- [Datawiza documentation](https://docs.datawiza.com/)
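Review bot: this last hunk removes and re-adds an identical `[Datawiza documentation](https://docs.datawiza.com/)` bullet, so the only difference is invisible whitespace or a line ending; drop it from the commit if it isn't deliberate, otherwise the diff review is cluttered with a no-op.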
active-directory How Manage User Assigned Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md
Title: Manage user-assigned managed identities - Azure AD
description: Create user-assigned managed identities. -+ editor:
active-directory How Managed Identities Work Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md
description: Description of managed identities for Azure resources work with Azu
documentationcenter: -+ editor: ms.assetid: 0232041d-b8f5-4bd2-8d11-27999ad69370
active-directory How To Managed Identity Regional Move https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-managed-identity-regional-move.md
Title: Move managed identities to another region - Azure AD
description: Steps involved in getting a managed identity recreated in another region -+
active-directory How To Use Vm Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sdk.md
description: Code samples for using Azure SDKs with an Azure VM that has managed
documentationcenter: -+ editor:
active-directory How To Use Vm Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md
description: Step-by-step instructions and examples for using an Azure VM-manage
documentationcenter: -+ editor:
active-directory How To Use Vm Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md
description: Step-by-step instructions and examples for using managed identities
documentationcenter: -+ editor:
active-directory How To View Managed Identity Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-activity.md
description: Step-by-step instructions for viewing the activities made to manage
documentationcenter: '' -+ editor: ''
active-directory How To View Managed Identity Service Principal Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-cli.md
description: Step-by-step instructions for viewing the service principal of a ma
documentationcenter: '' -+ editor: ''
active-directory How To View Managed Identity Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-portal.md
description: Step-by-step instructions for viewing the service principal of a ma
documentationcenter: '' -+ editor: ''
active-directory How To View Managed Identity Service Principal Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-powershell.md
description: Step-by-step instructions for viewing the service principal of a ma
documentationcenter: '' -+ editor: ''
active-directory Howto Assign Access Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/howto-assign-access-cli.md
description: Step-by-step instructions for assigning a managed identity on one r
documentationcenter: -+ editor:
active-directory Howto Assign Access Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/howto-assign-access-portal.md
description: Step-by-step instructions for assigning a managed identity on one r
documentationcenter: -+ editor:
active-directory Howto Assign Access Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/howto-assign-access-powershell.md
description: Step-by-step instructions for assigning a managed identity on one r
documentationcenter: -+ editor:
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/known-issues.md
description: Known issues with managed identities for Azure resources.
documentationcenter: -+ editor: ms.assetid: 2097381a-a7ec-4e3b-b4ff-5d2fb17403b6
active-directory Managed Identities Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-faq.md
description: Frequently asked questions about managed identities
documentationcenter: -+ editor:
active-directory Managed Identities Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-status.md
Last updated 01/10/2022
-+
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
description: Recommendations on when to use user-assigned versus system-assigned
documentationcenter: -+ editor:
active-directory Msi Tutorial Linux Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/msi-tutorial-linux-vm-access-arm.md
description: A tutorial that walks you through the process of using a user-assig
documentationcenter: '' -+ editor: daveba
active-directory Overview For Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview-for-developers.md
description: An overview how developers can use managed identities for Azure res
documentationcenter: -+ editor: ms.assetid: 0232041d-b8f5-4bd2-8d11-27999ad69370
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview.md
description: An overview of the managed identities for Azure resources.
documentationcenter: -+ editor: ms.assetid: 0232041d-b8f5-4bd2-8d11-27999ad69370
active-directory Qs Configure Cli Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md
Title: Configure managed identities on Azure VM using Azure CLI - Azure AD description: Step-by-step instructions for configuring system and user-assigned managed identities on an Azure VM using Azure CLI. -+
active-directory Qs Configure Cli Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vmss.md
description: Step-by-step instructions for configuring system and user-assigned
documentationcenter: -+ editor:
active-directory Qs Configure Portal Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md
description: Step-by-step instructions for configuring managed identities for Az
documentationcenter: '' -+ editor: ''
active-directory Qs Configure Portal Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss.md
description: Step-by-step instructions for configuring managed identities for Az
documentationcenter: '' -+ editor: ''
active-directory Qs Configure Powershell Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md
Title: Configure managed identities on an Azure VM using PowerShell - Azure AD
description: Step-by-step instructions for configuring managed identities for Azure resources on an Azure VM using PowerShell. -+
active-directory Qs Configure Powershell Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vmss.md
description: Step-by-step instructions for configuring a system and user-assigne
documentationcenter: -+ editor:
active-directory Qs Configure Rest Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vm.md
description: Step-by-step instructions for configuring a system and user-assigne
documentationcenter: -+ editor:
active-directory Qs Configure Rest Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md
description: Step-by-step instructions for configuring a system and user-assigne
documentationcenter: -+ editor:
active-directory Qs Configure Sdk Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-sdk-windows-vm.md
description: Step-by-step instructions for configuring and using managed identit
documentationcenter: '' -+ editor: ''
active-directory Qs Configure Template Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md
description: Step-by-step instructions for configuring managed identities for Az
documentationcenter: '' -+ editor: ''
active-directory Qs Configure Template Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md
description: Step-by-step instructions for configuring managed identities for Az
documentationcenter: '' -+ editor: ''
active-directory Services Azure Active Directory Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md
Last updated 02/01/2022
-+ # Azure services that support Azure AD authentication
active-directory Tutorial Linux Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm.md
description: A quickstart that walks you through the process of using a Linux VM
documentationcenter: '' -+ editor: bryanla
active-directory Tutorial Linux Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md
description: A tutorial that walks you through the process of using a Linux VM s
documentationcenter: -+ editor:
active-directory Tutorial Linux Vm Access Datalake https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-datalake.md
description: A tutorial that shows you how to use a Linux VM system-assigned man
documentationcenter: -+ editor:
active-directory Tutorial Linux Vm Access Nonaad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad.md
description: A tutorial that walks you through the process of using a Linux VM s
documentationcenter: '' -+ editor: daveba
active-directory Tutorial Linux Vm Access Storage Access Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-access-key.md
description: A tutorial that walks you through the process of using a Linux VM s
documentationcenter: '' -+ editor: daveba
active-directory Tutorial Linux Vm Access Storage Sas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md
description: Tutorial showing how to use a Linux VM system-assigned managed iden
documentationcenter: '' -+
active-directory Tutorial Linux Vm Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage.md
description: A tutorial that walks you through the process of using a Linux VM s
documentationcenter: -+ editor:
active-directory Tutorial Vm Managed Identities Cosmos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos.md
Title: Use managed identities from a virtual machine to access Cosmos DB description: Learn how to use managed identities with Windows VMs using the Azure portal, CLI, PowerShell, Azure Resource Manager template -+
active-directory Tutorial Vm Windows Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-vm-windows-access-storage.md
description: A tutorial that walks you through the process of using a Windows VM
documentationcenter: '' -+ editor: daveba
active-directory Tutorial Windows Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm.md
description: A tutorial that walks you through the process of using a Windows VM
documentationcenter: '' -+ editor: daveba
active-directory Tutorial Windows Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md
description: A tutorial that walks you through the process of using a system-ass
documentationcenter: '' -+ editor:
active-directory Tutorial Windows Vm Access Datalake https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-datalake.md
description: A tutorial that shows you how to use a Windows VM system-assigned m
documentationcenter: -+ editor:
active-directory Tutorial Windows Vm Access Nonaad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad.md
description: A tutorial that walks you through the process of using a Windows VM
documentationcenter: '' -+ editor: daveba
active-directory Tutorial Windows Vm Access Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md
description: A tutorial that walks you through the process of using a Windows VM
documentationcenter: '' -+
active-directory Tutorial Windows Vm Access Storage Sas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-storage-sas.md
description: A tutorial that shows you how to use a Windows VM system-assigned m
documentationcenter: '' -+ editor: daveba
active-directory Tutorial Windows Vm Ua Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm.md
description: A tutorial that walks you through the process of using a user-assig
documentationcenter: '' -+ editor:
active-directory Amazon Web Service Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/amazon-web-service-tutorial.md
To configure the integration of AWS Single-Account Access into Azure AD, you nee
1. In the **Add from the gallery** section, type **AWS Single-Account Access** in the search box. 1. Select **AWS Single-Account Access** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for AWS Single-Account Access Configure and test Azure AD SSO with AWS Single-Account Access using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AWS Single-Account Access.
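Review bot: the added wizard paragraph reads "assign roles, as well as walk through the SSO configuration as well", doubling "as well"; suggest "assign roles, and walk through the SSO configuration". The identical paragraph is pasted into the Atlassian Cloud, AWS IAM Identity Center, Cisco AnyConnect, DocuSign, FortiGate SSL VPN, Google Cloud / G Suite Connector, Azure AD SAML Toolkit, ServiceNow and Slack tutorials further down this digest, so fix the shared snippet once. Note also that the Salesforce version of the same sentence links with the site-relative `/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide` form while these use the absolute `https://docs.microsoft.com/...` form; pick one for consistency.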
active-directory Atlassian Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/atlassian-cloud-tutorial.md
To configure the integration of Atlassian Cloud into Azure AD, you need to add A
1. In the **Add from the gallery** section, type **Atlassian Cloud** in the search box. 1. Select **Atlassian Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO Configure and test Azure AD SSO with Atlassian Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Atlassian Cloud.
active-directory Aws Single Sign On Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aws-single-sign-on-tutorial.md
To configure the integration of AWS IAM Identity Center into Azure AD, you need
1. In the **Add from the gallery** section, type **AWS IAM Identity Center** in the search box. 1. Select **AWS IAM Identity Center** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for AWS IAM Identity Center Configure and test Azure AD SSO with AWS IAM Identity Center using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AWS IAM Identity Center.
active-directory Cisco Anyconnect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cisco-anyconnect.md
To configure the integration of Cisco AnyConnect into Azure AD, you need to add
1. In the **Add from the gallery** section, type **Cisco AnyConnect** in the search box. 1. Select **Cisco AnyConnect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for Cisco AnyConnect Configure and test Azure AD SSO with Cisco AnyConnect using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cisco AnyConnect.
active-directory Docusign Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/docusign-tutorial.md
To configure the integration of DocuSign into Azure AD, you must add DocuSign fr
1. In the **Add from the gallery** section, type **DocuSign** in the search box. 1. Select **DocuSign** from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for DocuSign Configure and test Azure AD SSO with DocuSign by using a test user named **B.Simon**. For SSO to work, you must establish a link relationship between an Azure AD user and the corresponding user in DocuSign.
active-directory Fortigate Ssl Vpn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md
To configure the integration of FortiGate SSL VPN into Azure AD, you need to add
1. In the **Add from the gallery** section, enter **FortiGate SSL VPN** in the search box. 1. Select **FortiGate SSL VPN** in the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for FortiGate SSL VPN You'll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding SAML SSO user group in FortiGate SSL VPN.
active-directory Google Apps Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/google-apps-tutorial.md
To configure the integration of Google Cloud / G Suite Connector by Microsoft in
1. In the **Add from the gallery** section, type **Google Cloud / G Suite Connector by Microsoft** in the search box. 1. Select **Google Cloud / G Suite Connector by Microsoft** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD single sign-on for Google Cloud / G Suite Connector by Microsoft Configure and test Azure AD SSO with Google Cloud / G Suite Connector by Microsoft using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Google Cloud / G Suite Connector by Microsoft.
active-directory Lms And Education Management System Leaf Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/lms-and-education-management-system-leaf-tutorial.md
Previously updated : 06/27/2022 Last updated : 08/16/2022
For more information, see [Azure built-in roles](../roles/permissions-reference.
In this tutorial, you configure and test Azure AD SSO in a test environment. * LMS and Education Management System Leaf supports **SP** initiated SSO.
-* LMS and Education Management System Leaf supports **Just In Time** user provisioning.
## Add LMS and Education Management System Leaf from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<SUBDOMAIN>.leaf-hrm.jp/loginusers/acs` c. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.leaf-hrm.jp/`
+ `https://<SUBDOMAIN>.leaf-hrm.jp/loginusers/sso/1`
> [!Note] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [LMS and Education Management System Leaf support team](mailto:leaf-jimukyoku@insource.co.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+1. Your LMS and Education Management System Leaf application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but LMS and Education Management System Leaf expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
+ 1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
To configure single sign-on on **LMS and Education Management System Leaf** side
### Create LMS and Education Management System Leaf test user
-In this section, a user called B.Simon is created in LMS and Education Management System Leaf. LMS and Education Management System Leaf supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in LMS and Education Management System Leaf, a new one is created after authentication.
+1. Log in as the Leaf system administrator user. From the **User tab** of **Master Maintenance**, create a user with a login ID of `leaftest`.
+2. From the User tab of Master Maintenance, click the **SSO Information Bulk Registration** button.
+3. Click the **Registration CSV** button to download the registration CSV.
+4. Open the downloaded CSV, enter (Leaf) login ID, nameID format, authentication server, and save.
+
+ ![Screenshot for Registration CSV.](./media/lms-and-education-management-system-leaf-tutorial/create-test-user.png)
+
+ ![Screenshot for Name ID.](./media/lms-and-education-management-system-leaf-tutorial/name-identifier.png)
+
+ a. Please enter `leaftest` in the **(Leaf) Login ID** column.
+
+ b. In the Authentication Server column, enter the value corresponding to the Authentication Server in the above figure.
+
+ c. In the NameID format column, enter the value corresponding to **NameID format**.
+
+ d.Enter **leaftest@company。.extension** in the [NameID] column.
+
+5. Click the **Select File** button and select the CSV you edited earlier.
+6. Click the **Upload** button.
+
+> [!NOTE]
+> As a way to associate with Leaf, the login ID (user) on which Leaf is linked with the NameID (user)
+and NameID format (format) on which IdP (authentication server) is specified.
+ ## Test SSO
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure LMS and Education Management System Leaf you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure LMS and Education Management System Leaf you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
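Review bot: step 4d's NameID example `leaftest@company。.extension` contains an ideographic full stop (U+3002) before `.extension`, which a reader following the steps would copy verbatim; presumably a plain `.` was intended, and `d.Enter` needs a space after the marker to match items a to c. The closing `[!NOTE]` ("As a way to associate with Leaf, the login ID (user) on which Leaf is linked with the NameID (user) and NameID format (format) on which IdP (authentication server) is specified.") is not a complete sentence; suggest stating plainly that each CSV row maps a Leaf login ID to the NameID and NameID format issued by the IdP listed in the Authentication Server column. Finally, the `-`/`+` pair under "Next steps" renders identically here, so the actual change is not visible (the `ΓÇÖ` sequence points to an apostrophe encoding difference); worth confirming it is intentional.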
active-directory Salesforce Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/salesforce-tutorial.md
To configure the integration of Salesforce into Azure AD, you need to add Salesf
1. In the **Add from the gallery** section, type **Salesforce** in the search box. 1. Select **Salesforce** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide)
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide)
## Configure and test Azure AD SSO for Salesforce
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-After you configure Salesforce, you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+After you configure Salesforce, you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
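Review bot: the rewritten wizard sentence still ends without a period after the final `[here](...)` link (every other tutorial in this digest closes it with one) and keeps the doubled "as well ... as well" wording. The "Next steps" `-`/`+` lines render identically, so the change is not visible in this hunk; confirm it is intentional rather than a stray whitespace or encoding edit.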
active-directory Saml Toolkit Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/saml-toolkit-tutorial.md
To configure the integration of Azure AD SAML Toolkit into Azure AD, you need to
1. In the **Add from the gallery** section, type **Azure AD SAML Toolkit** in the search box. 1. Select **Azure AD SAML Toolkit** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for Azure AD SAML Toolkit Configure and test Azure AD SSO with Azure AD SAML Toolkit using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Azure AD SAML Toolkit.
active-directory Servicenow Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/servicenow-tutorial.md
To configure the integration of ServiceNow into Azure AD, you need to add Servic
1. In the **Add from the gallery** section, enter **ServiceNow** in the search box. 1. Select **ServiceNow** from results panel, and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for ServiceNow Configure and test Azure AD SSO with ServiceNow by using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ServiceNow.
active-directory Slack Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/slack-tutorial.md
To configure the integration of Slack into Azure AD, you need to add Slack from
1. In the **Add from the gallery** section, type **Slack** in the search box. 1. Select **Slack** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).
+ ## Configure and test Azure AD SSO for Slack Configure and test Azure AD SSO with Slack using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Slack.
active-directory Verifiable Credentials Configure Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
The following diagram illustrates the Verified ID architecture and the component
[Azure Key Vault](../../key-vault/general/basic-concepts.md) is a cloud service that enables the secure storage and access of secrets and keys. The Verified ID service stores public and private keys in Azure Key Vault. These keys are used to sign and verify credentials.
-If you don't have an Azure Key Vault instance available, follow [these steps](/azure/key-vault/general/quick-create-portal) to create a key vault using the Azure portal.
+If you don't have an Azure Key Vault instance available, follow [these steps](../../key-vault/general/quick-create-portal.md) to create a key vault using the Azure portal.
>[!NOTE] >By default, the account that creates a vault is the only one with access. The Verified ID service needs access to the key vault. You must configure your key vault with access policies allowing the account used during configuration to create and delete keys. The account used during configuration also requires permissions to sign so that it can create the domain binding for Verified ID. If you use the same account while testing, modify the default policy to grant the account sign permission, in addition to the default permissions granted to vault creators.
Once that you have successfully completed the verification steps, you are ready
## Next steps - [Learn how to issue Microsoft Entra Verified ID credentials from a web application](verifiable-credentials-configure-issuer.md).-- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).
+- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).
aks Command Invoke https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/command-invoke.md
az aks command invoke \
The above example runs three `helm` commands on the *myAKSCluster* cluster in *myResourceGroup*.
-## Use `command invoke` to run commands an with attached file or directory
+## Use `command invoke` to run commands with an attached file or directory
Use `az aks command invoke --command` to run commands on your cluster and `--file` to attach a file or directory for use by those commands. For example:
aks Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-security.md
Nightly updates apply security updates to the OS on the node, but the node image
For Windows Server nodes, Windows Update doesn't automatically run and apply the latest updates. Schedule Windows Server node pool upgrades in your AKS cluster around the regular Windows Update release cycle and your own validation process. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the older nodes. For more information on this process, see [Upgrade a node pool in AKS][nodepool-upgrade].
+### Node authorization
+Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets to protect against East-West attacks. Node authorization is enabled by default on AKS 1.24 + clusters.
+ ### Node deployment Nodes are deployed into a private virtual network subnet, with no public IP addresses assigned. For troubleshooting and management purposes, SSH is enabled by default and only accessible using the internal IP address.
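Review bot: `AKS 1.24 + clusters` should read `AKS 1.24+ clusters`. "East-West attacks" is left undefined for the reader; a one-line gloss would help, for example that the Node authorizer limits each kubelet to the Secrets, ConfigMaps and other objects belonging to pods scheduled on its own node, so a compromised node cannot read other nodes' workload data through the API server. Also, the new `### Node deployment` heading has been merged onto the same line as its first paragraph and needs a line break before "Nodes are deployed".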
api-management Devops Api Development Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/devops-api-development-templates.md
Title: CI/CD for Azure API Management using ARM templates
-description: Introduction to API DevOps with Azure API Management, using Azure Resource Manager templates to manage API deployments in a CI/CD pipeline
+ Title: Use DevOps and CI/CD to publish APIs
+description: Introduction to API DevOps with Azure API Management
-+ Previously updated : 10/09/2020- Last updated : 08/15/2022+
-# CI/CD for API Management using Azure Resource Manager templates
+# Use DevOps and CI/CD to publish APIs
-This article shows you how to use API DevOps with Azure API Management, through Azure Resource Manager templates. With the strategic value of APIs, a continuous integration and continuous deployment (CI/CD) pipeline has become an important aspect of API development. It allows organizations to automate deployment of API changes without error-prone manual steps, detect issues earlier, and ultimately deliver value to users faster.
+With the strategic value of APIs in the enterprise, adopting DevOps continuous integration (CI) and deployment (CD) techniques has become an important aspect of API development. This article discusses the decisions you'll need to make to adopt DevOps principles for the management of APIs.
-For details, tools, and code samples to implement the DevOps approach described in this article, see the open-source [Azure API Management DevOps Resource Kit](https://github.com/Azure/azure-api-management-devops-resource-kit) in GitHub. Because customers bring a wide range of engineering cultures and existing automation solutions, the approach isn't a one-size-fits-all solution.
+API DevOps consists of three parts:
-For architectural guidance, see:
-* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
+Each part of the API DevOps pipeline is discussed below.
-## The problem
+## API definition
-Organizations today normally have multiple deployment environments (such as development, testing, and production) and use separate API Management instances for each environment. Some instances are shared by multiple development teams, who are responsible for different APIs with different release cadences.
+An API developer writes an API definition by providing a specification, settings (such as logging, diagnostics, and backend settings), and policies to be applied to the API. The API definition provides the information required to provision the API on an Azure API Management service. The specification may be based on a standards-based API specification (such as [WSDL][1], [OpenAPI][2], or [GraphQL][3]), or it may be defined using the Azure Resource Manager (ARM) APIs (for example, an ARM template describing the API and operations). The API definition will change over time and should be considered "source code". Ensure that the API definition is stored under source code control and has appropriate review before adoption.
-As a result, customers face the following challenges:
+There are several tools to assist producing the API definition:
-* How to automate deployment of APIs into API Management
-* How to migrate configurations from one environment to another
-* How to avoid interference between different development teams that share the same API Management instance
+* The [Azure API Management DevOps Resource Toolkit][4] includes two tools that provide an Azure Resource Manager (ARM) template. The _extractor_ creates an ARM template by extracting an API definition from an API Management service. The _creator_ produces the ARM template from a YAML specification. The DevOps Resource Toolkit supports SOAP, REST, and GraphQL APIs.
+* The [Azure API Ops Toolkit][5] provides a workflow built on top of a [git][21] source code control system (such as [GitHub][22] or [Azure Repos][23]). It uses an _extractor_ similar to the DevOps Resource Toolkit to produce an API definition that is then applied to a target API Management service. API Ops supports REST only at this time.
+* The [dotnet-apim][6] tool converts a well-formed YAML definition into an ARM template for later deployment. The tool is focused on REST APIs.
+* [Terraform][7] is an alternative to Azure Resource Manager to configure resources in Azure. You can create a Terraform configuration (together with policies) to implement the API in the same way that an ARM template is created.
-## Manage configurations in Resource Manager templates
+You can also use IDE-based tools for editors such as [Visual Studio Code][8] to produce the artifacts necessary to define the API. For instance, there are [over 30 plugins for editing OpenAPI specification files][9] on the Visual Studio Code Marketplace. You can also use code generators to create the artifacts. The [CADL language][10] lets you easily create high-level building blocks and then compile them into a standard API definition format such as OpenAPI.
-The following image illustrates the proposed approach.
+## API approval
+Once the API definition has been produced, the developer will submit the API definition for review and approval. If using a git-based source code control system (such as [GitHub][22] or [Azure Repos][23]), the submission can be done via [Pull Request][11]. A pull request informs others of changes that have been proposed to the API definition. Once the approval gates have been confirmed, an approver will merge the pull request into the main repository to signify that the API definition can be deployed to production. The pull request process empowers the developer to remediate any issues found during the approval process.
-In this example, there are two deployment environments: *Development* and *Production*. Each has its own API Management instance.
+Both GitHub and Azure Repos allow approval pipelines to be configured that run when a pull request is submitted. You can configure the approval pipelines to run tools such as:
-* API developers have access to the Development instance and can use it for developing and testing their APIs.
-* A designated team called the *API publishers* manages the Production instance.
+* API specification linters such as [Spectral][12] to ensure that the definition meets API standards required by the organization.
+* Breaking change detection using tools such as [openapi-diff][13].
+* Security audit and assessment tools. [OWASP maintains a list of tools][14] for security scanning.
+* Automated API test frameworks such as [Newman][15], a test runner for [Postman collections][16].
-The key in this proposed approach is to keep all API Management configurations in [Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). The organization should keep these templates in a source control system such as Git. As illustrated in the image, a Publisher repository contains all configurations of the Production API Management instance in a collection of templates:
+> [!NOTE]
+> Azure APIs must conform to a [strict set of guidelines][26] that you can use as a starting point for your own API guidelines. There is a [Spectral configuration][27] for enforcing the guidelines.
-|Template |Description |
-|||
-|Service template | Service-level configurations of the API Management instance, such as pricing tier and custom domains. |
-|Shared templates | Shared resources throughout an API Management instance, such as groups, products, and loggers. |
-|API templates | Configurations of APIs and their subresources: operations, policies, diagnostic settings. |
-|Master (main) template | Ties everything together by [linking](../azure-resource-manager/templates/linked-templates.md) to all templates and deploying them in order. To deploy all configurations to an API Management instance, deploy the main template. You can also deploy each template individually. |
+Once the automated tools have been run, the API definition is reviewed by the human eye. Tools won't catch all problems. A human reviewer ensures that the API definition meets the organizational criteria for APIs, including adherence to security, privacy, and consistency guidelines.
-API developers will fork the Publisher repository to a Developer repository and work on the changes for their APIs. In most cases, they focus on the API templates for their APIs and don't need to change the shared or service templates.
+## API publication
-## Migrate configurations to templates
-API developers face challenges when working with Resource Manager templates:
+The API definition will be published to an API Management service through a release pipeline. The tools used to publish the API definition depend on the tool used to produce the API definition:
-* API developers often work with the [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) and might not be familiar with Resource Manager schemas. Authoring templates manually might be error-prone.
+* If using the [Azure API Management DevOps Resource Toolkit][4] or [dotnet-apim][6], the API definition is represented as an ARM template. Tasks are available for [Azure Pipelines][17] and [GitHub Actions][18] to deploy an ARM template.
+* If using the [Azure API Ops Toolkit][5], the toolkit includes a publisher that writes the API definition to the service.
+* If using [Terraform][7], CLI tools will deploy the API definition on your service. There are tasks available for [Azure Pipelines][19] and [GitHub Actions][20]
- A tool called [Creator](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#creator) in the resource kit can help automate the creation of API templates based on an Open API Specification file. Additionally, developers can supply API Management policies for an API in XML format.
+> **Can I use other source code control and CI/CD systems?**
+>
+> Yes. The process described works with any source code control system (although API Ops does require that the source code control system is [git][21] based). Similarly, you can use any CI/CD platform as long as it can be triggered by a check-in and run command line tools that communicate with Azure.
-* For customers who are already using API Management, another challenge is to extract existing configurations into Resource Manager templates. For those customers, a tool called [Extractor](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#Extractor) in the resource kit can help generate templates by extracting configurations from their API Management instances.
+## Best practices
-## Workflow
+There's no industry standard for setting up a DevOps pipeline for publishing APIs, and none of the tools mentioned will work in all situations. However, we see that most situations are covered by using a combination of the following tools and
-* After API developers have finished developing and testing an API, and have generated the API templates, they can submit a pull request to merge the changes to the publisher repository.
+* [Azure Repos][23] stores the API definitions in a [git][21] repository.
+* [Azure Pipelines][17] runs the automated API approval and API publication processes.
+* [Azure API Ops Toolkit][5] provides tools and workflows for publishing APIs.
-* API publishers can validate the pull request and make sure the changes are safe and compliant. For example, they can check if only HTTPS is allowed to communicate with the API. Most validations can be automated as a step in the CI/CD pipeline.
+We've seen the greatest success in customer deployments, and recommend the following practices:
-* Once the changes are approved and merged successfully, API publishers can choose to deploy them to the Production instance either on schedule or on demand. The deployment of the templates can be automated using [GitHub Actions](https://docs.github.com/en/actions), [Azure Pipelines](/azure/devops/pipelines), [Azure PowerShell](../azure-resource-manager/templates/deploy-powershell.md), [Azure CLI](../azure-resource-manager/templates/deploy-cli.md), or other tools.
+* Set up either [GitHub][22] or [Azure Repos][23] for your source code control system. This choice will determine your choice of pipeline runner as well. GitHub can use [Azure Pipelines][17] or [GitHub Actions][18], whereas Azure Repos must use Azure Pipelines.
+* Set up an Azure API Management service for each API developer so that they can develop API definitions along with the API service. Use the consumption or developer SKU when creating the service.
+* Use [policy fragments][24] to reduce the new policy that developers need to write for each API.
+* Use the [Azure API Ops Toolkit][5] to extract a working API definition from the developer service.
+* Set up an API approval process that runs on each pull request. The API approval process should include breaking change detection, linting, and automated API testing.
+* Use the [Azure API Ops Toolkit][5] publisher to publish the API to your production API Management service.
+Review [Automated API deployments with API Ops][28] in the Azure Architecture Center for more details on how to configure and run a CI/CD deployment pipeline with API Ops.
-With this approach, an organization can automate the deployment of API changes into API Management instances, and it's easy to promote changes from one environment to another. Because different API development teams will be working on different sets of API templates and files, it prevents interference between different teams.
+## References
-## Video
+* [Azure DevOps Services][25] includes [Azure Repos][23] and [Azure Pipelines][17].
+* [Azure API Ops Toolkit][5] provides a workflow for API Management DevOps.
+* [Spectral][12] provides a linter for OpenAPI specifications.
+* [openapi-diff][13] provides a breaking change detector for OpenAPI v3 definitions.
+* [Newman][15] provides an automated test runner for Postman collections.
-> [!VIDEO https://www.youtube.com/embed/4Sp2Qvmg6j8]
-
-## Next steps
--- See the open-source [Azure API Management DevOps Resource Kit](https://github.com/Azure/azure-api-management-devops-resource-kit) for additional information, tools, and sample templates.
+<!-- Links -->
+[1]: https://www.w3.org/TR/wsdl20/
+[2]: https://www.openapis.org/
+[3]: https://graphql.org/learn/schema/
+[4]: https://github.com/Azure/azure-api-management-devops-resource-kit
+[5]: https://github.com/Azure/APIOps
+[6]: https://github.com/mirsaeedi/dotnet-apim
+[7]: https://www.terraform.io/
+[8]: https://code.visualstudio.com/
+[9]: https://marketplace.visualstudio.com/search?term=OpenAPI&target=VSCode&category=All%20categories&sortBy=Relevance
+[10]: https://github.com/microsoft/cadl
+[11]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests
+[12]: https://stoplight.io/open-source/spectral
+[13]: https://github.com/Azure/openapi-diff
+[14]: https://owasp.org/www-community/api_security_tools
+[15]: https://github.com/postmanlabs/newman
+[16]: https://learning.postman.com/docs/getting-started/creating-the-first-collection/
+[17]: /azure/azure-resource-manager/templates/deployment-tutorial-pipeline
+[18]: https://github.com/marketplace/actions/deploy-azure-resource-manager-arm-template
+[19]: https://marketplace.visualstudio.com/items?itemName=charleszipp.azure-pipelines-tasks-terraform
+[20]: https://learn.hashicorp.com/tutorials/terraform/github-actions
+[21]: https://git-scm.com/
+[22]: https://github.com/
+[23]: /azure/devops/repos/get-started/what-is-repos
+[24]: ./policy-fragments.md
+[25]: https://azure.microsoft.com/services/devops/
+[26]: https://github.com/microsoft/api-guidelines/blob/vNext/azure/Guidelines.md
+[27]: https://github.com/Azure/azure-api-style-guide
+[28]: /azure/architecture/example-scenario/devops/automated-api-deployments-apiops
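Review bot: the sentence that introduces the Best practices tool list is cut off mid-phrase at `+There's no industry standard for setting up a DevOps pipeline for publishing APIs, ... most situations are covered by using a combination of the following tools and`; finish it (for example `tools and services:`). Two smaller issues in the same region: the Terraform publication bullet `+* If using [Terraform][7], CLI tools will deploy the API definition on your service. There are tasks available for [Azure Pipelines][19] and [GitHub Actions][20]` has no terminating period, and link `[17]` resolves to an ARM-template pipeline tutorial (`/azure/azure-resource-manager/templates/deployment-tutorial-pipeline`) yet is reused wherever the text names Azure Pipelines as a product (the Best practices and References bullets), where a link to the Azure Pipelines overview would fit better. On the approval section: because merging the pull request is defined as the signal that "the API definition can be deployed to production", recommend adding that branch protection on the main branch should require the approval plus the passing lint, breaking-change and security checks, so the gate cannot be bypassed by a direct push, and that the identity the release pipeline uses to publish to the production API Management service should be scoped to that service only.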
app-service Configure Authentication Provider Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-provider-aad.md
At present, this allows _any_ client application in your Azure AD tenant to requ
You have now configured a daemon client application that can access your App Service app using its own identity. > [!NOTE]
-> The access tokens provided to your app via EasyAuth do not have scopes for other APIs, such as Graph, even if your application has permissions to access those APIs. To use these APIs, you will need to use Azure Resource Manager to configure the token returned so it can be used to authenticate to other services. For more information, see [Tutorial: Access Microsoft Graph from a secured .NET app as the user](/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer) .
+> The access tokens provided to your app via EasyAuth do not have scopes for other APIs, such as Graph, even if your application has permissions to access those APIs. To use these APIs, you will need to use Azure Resource Manager to configure the token returned so it can be used to authenticate to other services. For more information, see [Tutorial: Access Microsoft Graph from a secured .NET app as the user](./scenario-secure-app-access-microsoft-graph-as-user.md?tabs=azure-resource-explorer) .
## Best practices
Regardless of the configuration you use to set up authentication, the following
* [Tutorial: Authenticate and authorize users end-to-end in Azure App Service](tutorial-auth-aad.md) <!-- URLs. -->
-[Azure portal]: https://portal.azure.com/
+[Azure portal]: https://portal.azure.com/
app-service Configure Connect To Azure Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-connect-to-azure-storage.md
The following features are supported for Linux containers:
- Mapping `/mounts`, `mounts/foo/bar`, `/`, and `/mounts/foo.bar/` to custom-mounted storage is not supported (you can only use /mounts/pathname for mounting custom storage to your web app.) - Storage mounts cannot be used together with clone settings option during [deployment slot](deploy-staging-slots.md) creation. - Storage mounts are not backed up when you [back up your app](manage-backup.md). Be sure to follow best practices to back up the Azure Storage accounts. -- Only Azure Files [SMB](/azure/storage/files/files-smb-protocol) are supported. Azure Files [NFS](/azure/storage/files/files-nfs-protocol) is not currently supported for Linux App Services.
+- Only Azure Files [SMB](../storage/files/files-smb-protocol.md) are supported. Azure Files [NFS](../storage/files/files-nfs-protocol.md) is not currently supported for Linux App Services.
::: zone-end
To validate that the Azure Storage is mounted successfully for the app:
- [Configure a custom container](configure-custom-container.md?pivots=platform-linux). - [Video: How to mount Azure Storage as a local share](https://www.youtube.com/watch?v=OJkvpWYr57Y).
app-service Configure Language Php https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-php.md
az webapp config show --resource-group <resource-group-name> --name <app-name> -
To show all supported PHP versions, run the following command in the [Cloud Shell](https://shell.azure.com): ```azurecli-interactive
-az webapp list-runtimes --os windows | grep php
+az webapp list-runtimes --os windows | grep PHP
``` ::: zone-end
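Review bot: replacing `grep php` with `grep PHP` makes the filter depend on the letter case that `az webapp list-runtimes` happens to print today; `grep -i php` matches either and will not silently return an empty list if the output casing changes again.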
app-service Configure Language Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-python.md
App Service ignores any errors that occur when processing a custom startup comma
gunicorn --bind=0.0.0.0 --timeout 600 --workers=4 --chdir <module_path> <module>.wsgi ```
- For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). If you are using scale rules to scale your web app up and down, you can dynamically set the number of workers using the `NUM_CORES` environment variable in our startup command, for example: `--workers $((($NUM_CORES*2)+1))`. For more information on setting the recommended number of gunicorn workers, see [the Gunicorn FAQ](https://docs.gunicorn.org/en/stable/design.html#how-many-workers)
+ For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). If you are using auto-scale rules to scale your web app up and down, you should also dynamically set the number of gunicorn workers using the `NUM_CORES` environment variable in your startup command, for example: `--workers $((($NUM_CORES*2)+1))`. For more information on setting the recommended number of gunicorn workers, see [the Gunicorn FAQ](https://docs.gunicorn.org/en/stable/design.html#how-many-workers)
- **Enable production logging for Django**: Add the `--access-logfile '-'` and `--error-logfile '-'` arguments to the command line:
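Review bot: the worker formula `--workers $((($NUM_CORES*2)+1))` breaks when `NUM_CORES` is unset, because the empty expansion leaves `$(((*2)+1))`, which the shell rejects as an arithmetic syntax error, and the paragraph above notes that errors in a custom startup command are ignored, so the failure would be silent. Use a default, `--workers $(((${NUM_CORES:-1}*2)+1))`, and since the sentence now says readers "should" set this when auto-scaling, say where App Service populates `NUM_CORES` so they can confirm it is present on their plan.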
app-service Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/overview.md
App Service Environment v3 is available in the following regions:
### Azure Public:
-| Region | Normal and dedicated host | Availability zone support |
-| -- | :-: | :-: |
-| Australia East | x | x |
-| Australia Southeast | x | |
-| Brazil South | x | x |
-| Canada Central | x | x |
-| Canada East | x | |
-| Central India | x | x |
-| Central US | x | x |
-| East Asia | x | x |
-| East US | x | x |
-| East US 2 | x | x |
-| France Central | x | x |
-| Germany West Central | x | x |
-| Japan East | x | x |
-| Korea Central | x | x |
-| North Central US | x | |
-| North Europe | x | x |
-| Norway East | x | x |
-| South Africa North | x | x |
-| South Central US | x | x |
-| Southeast Asia | x | x |
-| Sweden Central | x | x |
-| Switzerland North | x | x |
-| UAE North | x | |
-| UK South | x | x |
-| UK West | x | |
-| West Central US | x | |
-| West Europe | x | x |
-| West US | x | |
-| West US 2 | x | x |
-| West US 3 | x | x |
+| Region | Normal and dedicated host | Availability zone support |
+| -- | :--: | :-: |
+| Australia East | ✅ | ✅ |
+| Australia Southeast | ✅ | |
+| Brazil South | ✅ | ✅ |
+| Canada Central | ✅ | ✅ |
+| Canada East | ✅ | |
+| Central India | ✅ | ✅ |
+| Central US | ✅ | ✅ |
+| East Asia | ✅ | ✅ |
+| East US | ✅ | ✅ |
+| East US 2 | ✅ | ✅ |
+| France Central | ✅ | ✅ |
+| Germany West Central | ✅ | ✅ |
+| Japan East | ✅ | ✅ |
+| Korea Central | ✅ | ✅ |
+| North Central US | ✅ | |
+| North Europe | ✅ | ✅ |
+| Norway East | ✅ | ✅ |
+| South Africa North | ✅ | ✅ |
+| South Central US | ✅ | ✅ |
+| Southeast Asia | ✅ | ✅ |
+| Sweden Central | ✅ | ✅ |
+| Switzerland North | ✅ | ✅ |
+| UAE North | ✅ | |
+| UK South | ✅ | ✅ |
+| UK West | ✅ | |
+| West Central US | ✅ | |
+| West Europe | ✅ | ✅ |
+| West US | ✅ | |
+| West US 2 | ✅ | ✅ |
+| West US 3 | ✅ | ✅ |
### Azure Government: | Region | Normal and dedicated host | Availability zone support | | -- | :-: | :-: |
-| US Gov Texas | x | |
-| US Gov Arizona | x | |
-| US Gov Virginia | x | |
+| US Gov Texas | ✅ | |
+| US Gov Arizona | ✅ | |
+| US Gov Virginia | ✅ | |
## App Service Environment v2
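Review bot: the two tables in this hunk use different alignment markers after the change (`| -- | :--: | :-: |` for Azure Public versus `| -- | :-: | :-: |` for Azure Government); use one form. Also, with `x` replaced by ✅, a blank cell is now the only indication that availability zones are not supported in a region; an explicit marker in those cells (for example ❌ or "No") reads unambiguously, both visually and to assistive technology, where an empty cell does not.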
app-service Quickstart Wordpress https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-wordpress.md
When no longer needed, you can delete the resource group, App service, and all r
:::image type="content" source="./media/quickstart-wordpress/delete-resource-group.png" alt-text="Delete resource group."::: ## Change MySQL password
-The WordPress configuration is modified to use [Application Settings](reference-app-settings.md#wordpress) to connect to the MySQL database. To change the MySQL database password, see [update admin password](/azure/mysql/single-server/how-to-create-manage-server-portal#update-admin-password). Whenever the MySQL database credentials are changed, the [Application Settings](reference-app-settings.md#wordpress) also need to be updated. The [Application Settings for MySQL database](reference-app-settings.md#wordpress) begin with the **`DATABASE_`** prefix. For more information on updating MySQL passwords, see [WordPress on App Service](https://azure.github.io/AppService/2022/02/23/WordPress-on-App-Service-Public-Preview.html#known-limitations).
+The WordPress configuration is modified to use [Application Settings](reference-app-settings.md#wordpress) to connect to the MySQL database. To change the MySQL database password, see [update admin password](../mysql/single-server/how-to-create-manage-server-portal.md#update-admin-password). Whenever the MySQL database credentials are changed, the [Application Settings](reference-app-settings.md#wordpress) also need to be updated. The [Application Settings for MySQL database](reference-app-settings.md#wordpress) begin with the **`DATABASE_`** prefix. For more information on updating MySQL passwords, see [WordPress on App Service](https://azure.github.io/AppService/2022/02/23/WordPress-on-App-Service-Public-Preview.html#known-limitations).
## Change WordPress admin password
Congratulations, you've successfully completed this quickstart!
> [Tutorial: PHP app with MySQL](tutorial-php-mysql-app.md) > [!div class="nextstepaction"]
-> [Configure PHP app](configure-language-php.md)
+> [Configure PHP app](configure-language-php.md)
app-service Reference App Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/reference-app-settings.md
APACHE_RUN_GROUP | RUN sed -i 's!User ${APACHE_RUN_GROUP}!Group www-data!g' /etc
> |DATABASE_HOST|Database|-|-|Database host used to connect to WordPress.| > |DATABASE_NAME|Database|-|-|Database name used to connect to WordPress.| > |DATABASE_USERNAME|Database|-|-|Database username used to connect to WordPress.|
-> |DATABASE_PASSWORD|Database|-|-|Database password used to connect to the MySQL database. To change the MySQL database password, see [update admin password](/azure/mysql/single-server/how-to-create-manage-server-portal#update-admin-password). Whenever the MySQL database password is changed, the Application Settings also need to be updated. |
+> |DATABASE_PASSWORD|Database|-|-|Database password used to connect to the MySQL database. To change the MySQL database password, see [update admin password](../mysql/single-server/how-to-create-manage-server-portal.md#update-admin-password). Whenever the MySQL database password is changed, the Application Settings also need to be updated. |
> |WORDPRESS_ADMIN_EMAIL|Deployment only|-|-|WordPress admin email.| > |WORDPRESS_ADMIN_PASSWORD|Deployment only|-|-|WordPress admin password. This is only for deployment purposes. Modifying this value has no effect on the WordPress installation. To change the WordPress admin password, see [resetting your password](https://wordpress.org/support/article/resetting-your-password/#to-change-your-password).| > |WORDPRESS_ADMIN_USER|Deployment only|-|-|WordPress admin username|
HTTPSCALE_FORWARD_REQUEST
IS_VALID_STAMP_TOKEN NEEDS_SITE_RESTRICTED_TOKEN HTTP_X_MS_PRIVATELINK_ID
- -->
+ -->
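Review bot: the `WORDPRESS_ADMIN_PASSWORD` row states that the value is for deployment only and that modifying it has no effect on the installation, which means the initial admin password stays readable in Application Settings indefinitely after deployment; recommend adding that it should be removed from the app settings (after changing the password in WordPress) once the first sign-in has succeeded. The `DATABASE_PASSWORD` change is a link fix only, but that row is also the place to say that the MySQL password reset and the app-setting update need to be done together, since the site cannot reach the database in between.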
app-service Tutorial Java Quarkus Postgresql App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-quarkus-postgresql-app.md
# Tutorial: Build a Quarkus web app with Azure App Service on Linux and PostgreSQL This tutorial walks you through the process of building, configuring, deploying, and scaling Java web apps on Azure.
-When you are finished, you will have a [Quarkus](https://quarkus.io) application storing data in [PostgreSQL](/azure/postgresql) database running on [Azure App Service on Linux](overview.md).
+When you are finished, you will have a [Quarkus](https://quarkus.io) application storing data in [PostgreSQL](../postgresql/index.yml) database running on [Azure App Service on Linux](overview.md).
![Screenshot of Quarkus application storing data in PostgreSQL.](./media/tutorial-java-quarkus-postgresql/quarkus-crud-running-locally.png)
In this tutorial, you learn how to:
## Clone the sample app and prepare the repo
-This tutorial uses a sample Fruits list app with a web UI that calls a Quarkus REST API backed by [Azure Database for PostgreSQL](/azure/postgresql). The code for the app is available [on GitHub](https://github.com/quarkusio/quarkus-quickstarts/tree/main/hibernate-orm-panache-quickstart). To learn more about writing Java apps using Quarkus and PostgreSQL, see the [Quarkus Hibernate ORM with Panache Guide](https://quarkus.io/guides/hibernate-orm-panache) and the [Quarkus Datasource Guide](https://quarkus.io/guides/datasource).
+This tutorial uses a sample Fruits list app with a web UI that calls a Quarkus REST API backed by [Azure Database for PostgreSQL](../postgresql/index.yml). The code for the app is available [on GitHub](https://github.com/quarkusio/quarkus-quickstarts/tree/main/hibernate-orm-panache-quickstart). To learn more about writing Java apps using Quarkus and PostgreSQL, see the [Quarkus Hibernate ORM with Panache Guide](https://quarkus.io/guides/hibernate-orm-panache) and the [Quarkus Datasource Guide](https://quarkus.io/guides/datasource).
Run the following commands in your terminal to clone the sample repo and set up the sample app environment.
and
Learn more about running Java apps on App Service on Linux in the developer guide. > [!div class="nextstepaction"]
-> [Java in App Service Linux dev guide](configure-language-java.md?pivots=platform-linux)
+> [Java in App Service Linux dev guide](configure-language-java.md?pivots=platform-linux)
application-gateway Configuration Http Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/configuration-http-settings.md
This feature is useful when you want to keep a user session on the same server a
> Some vulnerability scans may flag the Application Gateway affinity cookie because the Secure or HttpOnly flags are not set. These scans do not take into account that the data in the cookie is generated using a one-way hash. The cookie does not contain any user information and is used purely for routing.
-The [Chromium browser](https://www.chromium.org/Home) [v80 update](https://chromiumdash.appspot.com/schedule) brought a mandate where HTTP cookies without [SameSite](https://tools.ietf.org/id/draft-ietf-httpbis-rfc6265bis-03.html#rfc.section.5.3.7) attribute have to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use *SameSite=None; Secure* attributes and it should be sent over HTTPS only. Otherwise, in an HTTP only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.
+The [Chromium browser](https://www.chromium.org/Home) [v80 update](https://chromiumdash.appspot.com/schedule) brought a mandate where HTTP cookies without [SameSite](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#rfc.section.5.3.7) attribute have to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use *SameSite=None; Secure* attributes and it should be sent over HTTPS only. Otherwise, in an HTTP only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.
To support this change, starting February 17 2020, Application Gateway (all the SKU types) will inject another cookie called *ApplicationGatewayAffinityCORS* in addition to the existing *ApplicationGatewayAffinity* cookie. The *ApplicationGatewayAffinityCORS* cookie has two more attributes added to it (*"SameSite=None; Secure"*) so that sticky sessions are maintained even for cross-origin requests.
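Review bot: the updated link still targets revision `-03` of `draft-ietf-httpbis-rfc6265bis`, an expired draft snapshot; point at the draft's current revision (the datatracker page without the `-03` suffix) so the SameSite definition referenced stays the one browsers implement. Separately, the note above argues that missing `Secure` and `HttpOnly` on the affinity cookie is harmless because the value is a one-way hash; that addresses what the value reveals, not what the missing flags permit, so the text should state plainly that `ApplicationGatewayAffinity` is also sent on plain HTTP listeners and is readable by page scripts, and that only the `ApplicationGatewayAffinityCORS` variant carries `Secure`.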
automation Add User Assigned Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/add-user-assigned-identity.md
If you don't have an Azure subscription, create a [free account](https://azure.m
- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the user-assigned managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Azure AD tenant. -- To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles#owner).
+- To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../role-based-access-control/built-in-roles.md#owner).
## Add user-assigned managed identity for Azure Automation account
print(response.text)
- If you need to disable a managed identity, see [Disable your Azure Automation account managed identity](disable-managed-identity-for-automation.md). -- For an overview of Azure Automation account security, see [Automation account authentication overview](automation-security-overview.md).
+- For an overview of Azure Automation account security, see [Automation account authentication overview](automation-security-overview.md).
automation Automation Create Standalone Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-create-standalone-account.md
The following table describes the fields on the **Basics** tab.
The following image shows a standard configuration for a new Automation account. ### Advanced
You can chose to enable managed identities later, and the Automation account is
The following image shows a standard configuration for a new Automation account.
-### Tags tab
+### Networking
+
+On the **Networking** tab, you can configure connectivity to Automation Account - either publicly via public IP addresses or privately using a [Azure Automation Private Link](./how-to/private-link-security.md). Azure Automation Private Link connects one or more private endpoints (and therefore the virtual networks they are contained in) to your Automation Account resource.
+
+The following image shows a standard configuration for a new Automation account.
++
+### Tags
On the **Tags** tab, you can specify Resource Manager tags to help organize your Azure resources. For more information, see [Tag resources, resource groups, and subscriptions for logical organization](../azure-resource-manager/management/tag-resources.md).
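Review bot: in the new Networking paragraph "privately using a [Azure Automation Private Link]" needs "an", and "Automation Account" is capitalized differently from "Automation account" elsewhere in this article. The line following "The following image shows a standard configuration for a new Automation account." appears in this diff only as `++`, so the image reference for the Networking tab may have been dropped; please verify it renders. In the unchanged context just above, "You can chose to enable managed identities later" should read "choose".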
-### Review + create tab
+### Review + create
When you navigate to the **Review + create** tab, Azure runs validation on the Automation account settings that you have chosen. If validation passes, you can proceed to create the Automation account.
automation Automation Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-security-overview.md
For details on using managed identities, see [Enable managed identity for Azure
## Run As accounts Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. There are two types of Run As accounts in Azure Automation:
+- Azure Run As Account
+- Azure Classic Run As Account
To create or renew a Run As account, permissions are needed at three levels:
For runbooks that use Hybrid Runbook Workers on Azure VMs, you can use [runbook
* To create an Automation account from the Azure portal, see [Create a standalone Azure Automation account](automation-create-standalone-account.md). * If you prefer to create your account using a template, see [Create an Automation account using an Azure Resource Manager template](quickstart-create-automation-account-template.md). * For authentication using Amazon Web Services, see [Authenticate runbooks with Amazon Web Services](automation-config-aws-account.md).
-* For a list of Azure services that support the managed identities for Azure resources feature, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
+* For a list of Azure services that support the managed identities for Azure resources feature, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
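Review bot: the removed and added lines in this hunk are identical in visible content, so the change is presumably only trailing whitespace or a line ending. If that is intentional it is fine, but confirm it is not an accidental no-op; the same pattern appears in several other hunks on this page (for example the "Access App Configuration using managed identity" and "Disable public access" next-step lines).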
automation Automation Solution Vm Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-solution-vm-management.md
The Start/Stop VMs during off-hours feature start or stops enabled Azure VMs. It starts or stops machines on user-defined schedules, provides insights through Azure Monitor logs, and sends optional emails by using [action groups](../azure-monitor/alerts/action-groups.md). The feature can be enabled on both Azure Resource Manager and classic VMs for most scenarios. > [!NOTE]
-> Before you install this version (v1), we would like you to know about the [next version](../azure-functions/start-stop-vms/overview.md), which is in preview right now. This new version (v2) offers all the same functionality as this one, but is designed to take advantage of newer technology in Azure. It adds some of the commonly requested features from customers, such as multi-subscription support from a single Start/Stop instance.
->
-> Start/Stop VMs during off-hours (v1) will be deprecated soon and the date will be announced once V2 moves to general availability (GA).
+> Before you install version 1, we recommend you to learn about the [version 2](../azure-functions/start-stop-vms/overview.md), which is now generally available. The newer version offers all existing capabilities along with the support to use it with Azure. This also provides new capabilities, such as multi-subscription support from a single Start/Stop instance.
+
+> Start/Stop VMs during off-hours (v1) will be deprecated soon.
This feature uses [Start-AzVm](/powershell/module/az.compute/start-azvm) cmdlet to start VMs. It uses [Stop-AzVM](/powershell/module/az.compute/stop-azvm) for stopping VMs.
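Review bot: the blank `+` line inserted between the two `>` blocks splits the `[!NOTE]` callout into two separate blockquotes, so "Start/Stop VMs during off-hours (v1) will be deprecated soon." renders outside the note; keep a `>` continuation line as the removed text had. Grammar in the first added line: "we recommend you to learn about the [version 2]" should be "we recommend that you learn about [version 2]". "along with the support to use it with Azure" is unclear; the removed sentence said v2 is designed to take advantage of newer technology in Azure, which is the meaning worth keeping. In the unchanged context above, "The Start/Stop VMs during off-hours feature start or stops enabled Azure VMs" should read "starts or stops".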
automation Extension Based Hybrid Runbook Worker Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/extension-based-hybrid-runbook-worker-install.md
To install and use Hybrid Worker extension using REST API, follow these steps. T
```
-1. Follow the steps [here](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.
+1. Follow the steps [here](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.
1. Get the automation account details using this API call.
Using [VM insights](../azure-monitor/vm/vminsights-overview.md), you can monitor
- To learn about Azure VM extensions, see [Azure VM extensions and features for Windows](../virtual-machines/extensions/features-windows.md) and [Azure VM extensions and features for Linux](../virtual-machines/extensions/features-linux.md). -- To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](../azure-arc/servers/manage-vm-extensions.md).
+- To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](../azure-arc/servers/manage-vm-extensions.md).
automation Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/managed-identity.md
This issue occurs when you don't have the following permissions for the user-ass
> The above permissions are granted by default to Managed Identity Operator and Managed Identity Contributor. ### Resolution
-Ensure that you have [Identity Operator role permission](/azure/role-based-access-control/built-in-roles#managed-identity-operator) to add the user-assigned managed identity to your Automation account.
+Ensure that you have [Identity Operator role permission](../../role-based-access-control/built-in-roles.md#managed-identity-operator) to add the user-assigned managed identity to your Automation account.
## Scenario: Runbook fails with "this.Client.SubscriptionId cannot be null." error message
availability-zones Migrate App Gateway V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/availability-zones/migrate-app-gateway-v2.md
# Migrate Application Gateway and WAF deployments to availability zone support
-[Application Gateway Standard v2](/azure/application-gateway/overview-v2) and Application Gateway with [WAF v2](/azure/web-application-firewall/ag/ag-overview) supports zonal and zone redundant deployments. For more information about zone redundancy, see [Regions and availability zones](az-overview.md).
+[Application Gateway Standard v2](../application-gateway/overview-v2.md) and Application Gateway with [WAF v2](../web-application-firewall/ag/ag-overview.md) supports zonal and zone redundant deployments. For more information about zone redundancy, see [Regions and availability zones](az-overview.md).
If you previously deployed **Azure Application Gateway Standard v2** or **Azure Application Gateway Standard v2 + WAF v2** without zonal support, you must redeploy these services to enable zone redundancy. Two migration options to redeploy these services are described in this article.
Use this option to:
To create a separate Application Gateway, WAF (optional) and IP address: 1. Go to the [Azure portal](https://portal.azure.com).
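Review bot: subject-verb agreement in the updated opening sentence: "Application Gateway Standard v2 and Application Gateway with WAF v2 supports zonal and zone redundant deployments" has a compound subject, so it should read "support zonal and zone-redundant deployments".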
-2. Follow the steps in [Create an application gateway](../application-gateway/quick-create-portal.md#create-an-application-gateway) or [Create an application gateway with a Web Application Firewall](/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal) to create a new Application Gateway v2 or Application Gateway v2 + WAF v2, respectively. You can reuse your existing Virtual Network or create a new one, but you must create a new frontend Public IP address.
+2. Follow the steps in [Create an application gateway](../application-gateway/quick-create-portal.md#create-an-application-gateway) or [Create an application gateway with a Web Application Firewall](../web-application-firewall/ag/application-gateway-web-application-firewall-portal.md) to create a new Application Gateway v2 or Application Gateway v2 + WAF v2, respectively. You can reuse your existing Virtual Network or create a new one, but you must create a new frontend Public IP address.
3. Verify that the application gateway and WAF are working as intended. 4. Migrate your DNS configuration to the new public IP address. 5. Delete the old Application gateway and WAF resources.
To delete the Application Gateway and WAF and redeploy:
1. Go to the [Azure portal](https://portal.azure.com). 2. Select **All resources**, and then select the resource group that contains the Application Gateway. 3. Select the Application Gateway resource and then select **Delete**. Type **yes** to confirm deletion, and then click **Delete**.
-4. Follow the steps in [Create an application gateway](../application-gateway/quick-create-portal.md#create-an-application-gateway) or [Create an application gateway with a Web Application Firewall](/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal) to create a new Application Gateway v2 or Application Gateway v2 + WAF v2, respectively, using the same Virtual Network, subnets, and Public IP address that you used previously.
+4. Follow the steps in [Create an application gateway](../application-gateway/quick-create-portal.md#create-an-application-gateway) or [Create an application gateway with a Web Application Firewall](../web-application-firewall/ag/application-gateway-web-application-firewall-portal.md) to create a new Application Gateway v2 or Application Gateway v2 + WAF v2, respectively, using the same Virtual Network, subnets, and Public IP address that you used previously.
## Next steps
availability-zones Migrate Search Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/availability-zones/migrate-search-service.md
++
+ Title: Migrate Azure Cognitive Search to availability zone support
+description: Learn how to migrate Azure Cognitive Search to availability zone support.
+++ Last updated : 08/01/2022++++++
+# Migrate Azure Cognitive Search to availability zone support
+
+This guide describes how to migrate Azure Cognitive Search from non-availability zone support to availability support.
+
+Azure Cognitive Search services can take advantage of availability support [in regions that support availability zones](../search/search-performance-optimization.md#availability-zones). Services with [two or more replicas](../search/search-capacity-planning.md) in these regions created after availability support was enabled can automatically utilize availability zones. Each replica will be placed in a different availability zone within the region. If you have more replicas than availability zones, the replicas will be distributed across availability zones as evenly as possible.
+
+If a search service was created before availability zone support was enabled in its region, the search service must be recreated to take advantage of availability zone support.
+
+## Prerequisites
+
+The following are the current requirements/limitations for enabling availability zone support:
+
+- The search service must be in [a region that supports availability zones](../search/search-performance-optimization.md#availability-zones)
+- The search service must be created after availability zone support was enabled in its region.
+- The search service must have [at least two replicas](../search/search-performance-optimization.md#high-availability)
+
+## Downtime requirements
+
+Downtime will be dependent on how you decide to carry out the migration. Migration will consist of a side-by-side deployment where you'll create a new search service. Downtime will depend on how you choose to redirect traffic from your old search service to your new availability zone enabled search service. For example, if you're using [Azure Front Door](../frontdoor/front-door-overview.md), downtime will be dependent on the time it takes to update Azure Front Door with your new search service's information. Alternatively, you can route traffic to multiple search services at the same time using [Azure Traffic Manager](../traffic-manager/traffic-manager-overview.md).
+
+## Migration guidance: Recreate your search service
+
+### When to recreate your search service
+
+If you created your search service in a region that supports availability zones before this support was enabled, you'll need to recreate the search service.
+
+### How to recreate your search service
+
+1. [Create a new search service](../search/search-create-service-portal.md) in the same region as the old search service. This region should [support availability zones on or after the current date](../search/search-performance-optimization.md#availability-zones).
+
+ >[!IMPORTANT]
+ >The [free and basic tiers do not support availability zones](../search/search-sku-tier.md#feature-availability-by-tier), and so they should not be used.
+1. Add at [least two replicas to your new search service](../search/search-capacity-planning.md#add-or-reduce-replicas-and-partitions). Once the search service has at least two replicas, it automatically takes advantage of availability zone support.
+1. Migrate your data from your old search service to your new search service by rebuilding of all your search indexes from your old service.
+
+To rebuild all of your search indexes, choose one of the following two options:
+ - [Move individual indexes from your old search service to your new one](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/master/index-backup-restore)
+ - Rebuild indexes from an external data source if one is available.
+1. Redirect traffic from your old search service to your new search service. This may require updates to your application that uses the old search service.
+>[!TIP]
+>Services such as [Azure Front Door](../frontdoor/front-door-overview.md) and [Azure Traffic Manager](../traffic-manager/traffic-manager-overview.md) help simplify this process.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to create and deploy ARM templates](../azure-resource-manager/templates/quickstart-create-templates-use-visual-studio-code.md)
+
+> [!div class="nextstepaction"]
+> [ARM Quickstart Templates](https://azure.microsoft.com/resources/templates/)
+
+> [!div class="nextstepaction"]
+> [Learn about high availability in Azure Cognitive Search](../search/search-performance-optimization.md)
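Review bot: several sentences in the new article say "availability support" where "availability zone support" is meant ("from non-availability zone support to availability support" in the intro, and twice in the paragraph that follows), which makes the first paragraph read as if it were about availability in general. In the "How to recreate your search service" procedure, the paragraph "To rebuild all of your search indexes, choose one of the following two options:" and its two sub-bullets are not indented under step 3, so the numbered list is broken and "Redirect traffic from your old search service" restarts at 1; indent them under step 3, and add a blank line before `>[!TIP]`, which otherwise attaches to the last list item. Smaller points: "by rebuilding of all your search indexes" should be "by rebuilding all of your search indexes"; "This region should support availability zones on or after the current date" is unclear, and the prerequisites already state the actual condition (the service must be created after zone support was enabled in the region); the prerequisites list mixes items with and without terminal periods; and the Downtime section makes the same point (downtime depends on how you cut over traffic) three times in slightly different words. The front-matter line shows up here as `+++ Last updated : 08/01/2022++++++`, which looks like an artifact of this view, but confirm the YAML header (title, description, ms.date) is intact in the committed file.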
azure-app-configuration Enable Dynamic Configuration Azure Functions Csharp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/enable-dynamic-configuration-azure-functions-csharp.md
In this tutorial, you learn how to:
## Reload data from App Configuration
-Azure Functions support running [in-process](/azure/azure-functions/functions-dotnet-class-library) or [isolated-process](/azure/azure-functions/dotnet-isolated-process-guide). The main difference in App Configuration usage between the two modes is how the configuration is refreshed. In the in-process mode, you must make a call in each function to refresh the configuration. In the isolated-process mode, there is support for middleware. The App Configuration middleware, `Microsoft.Azure.AppConfiguration.Functions.Worker`, enables the call to refresh configuration automatically before each function is executed.
+Azure Functions support running [in-process](../azure-functions/functions-dotnet-class-library.md) or [isolated-process](../azure-functions/dotnet-isolated-process-guide.md). The main difference in App Configuration usage between the two modes is how the configuration is refreshed. In the in-process mode, you must make a call in each function to refresh the configuration. In the isolated-process mode, there is support for middleware. The App Configuration middleware, `Microsoft.Azure.AppConfiguration.Functions.Worker`, enables the call to refresh configuration automatically before each function is executed.
1. Update the code that connects to App Configuration and add the data refreshing conditions.
Azure Functions support running [in-process](/azure/azure-functions/functions-do
In this tutorial, you enabled your Azure Functions app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial. > [!div class="nextstepaction"]
-> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)
+> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)
azure-app-configuration Howto Set Up Private Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-set-up-private-access.md
# Set up private access in Azure App Configuration
-In this article, you'll learn how to set up private access for your Azure App Configuration store, by creating a [private endpoint](/azure/private-link/private-endpoint-overview) with Azure Private Link. Private endpoints allow access to your App Configuration store using a private IP address from a virtual network.
+In this article, you'll learn how to set up private access for your Azure App Configuration store, by creating a [private endpoint](../private-link/private-endpoint-overview.md) with Azure Private Link. Private endpoints allow access to your App Configuration store using a private IP address from a virtual network.
## Prerequisites
This command will prompt your web browser to launch and load an Azure sign-in pa
1. Leave the box **Enable network policies for all private endpoints in this subnet** checked.
- 1. Under **Private IP configuration**, select the option to allocate IP addresses dynamically. For more information, refer to [Private IP addresses](/azure/virtual-network/ip-services/private-ip-addresses#allocation-method).
+ 1. Under **Private IP configuration**, select the option to allocate IP addresses dynamically. For more information, refer to [Private IP addresses](../virtual-network/ip-services/private-ip-addresses.md#allocation-method).
1. Optionally, you can select or create an **Application security group**. Application security groups allow you to group virtual machines and define network security policies based on those groups.
Once deployment is complete, you'll get a notification that your endpoint has be
Go to **Networking** > **Private Access** in your App Configuration store to access the private endpoints linked to your App Configuration store.
-1. Check the connection state of your private link connection. When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](/azure/private-link/rbac-permissions), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request. For more information about the connection approval models, go to [Manage Azure Private Endpoints](/azure/private-link/manage-private-endpoint#private-endpoint-connections).
+1. Check the connection state of your private link connection. When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](../private-link/rbac-permissions.md), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request. For more information about the connection approval models, go to [Manage Azure Private Endpoints](../private-link/manage-private-endpoint.md#private-endpoint-connections).
1. To manually approve, reject or remove a connection, select the checkbox next to the endpoint you want to edit and select an action item from the top menu.
az network private-endpoint-connection show --resource-group <resource-group> --
#### Get connection approval
-When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](/azure/private-link/rbac-permissions), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request.
+When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](../private-link/rbac-permissions.md), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request.
To approve a private endpoint connection, use the [az network private-endpoint-connection approve](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-approve) command. Replace the placeholder texts `resource-group`, `private-endpoint`, and `<app-config-store-name>` with the name of the resource group, the name of the private endpoint and the name of the store.
To approve a private endpoint connection, use the [az network private-endpoint-c
az network private-endpoint-connection approve --resource-group <resource-group> --name <private-endpoint> --type Microsoft.AppConfiguration/configurationStores --resource-name <app-config-store-name> ```
-For more information about the connection approval models, go to [Manage Azure Private Endpoints](/azure/private-link/manage-private-endpoint#private-endpoint-connections).
+For more information about the connection approval models, go to [Manage Azure Private Endpoints](../private-link/manage-private-endpoint.md#private-endpoint-connections).
#### Delete a private endpoint connection
For more CLI commands, go to [az network private-endpoint-connection](/cli/azure
-If you have issues with a private endpoint, check the following guide: [Troubleshoot Azure Private Endpoint connectivity problems](/azure/private-link/troubleshoot-private-endpoint-connectivity).
+If you have issues with a private endpoint, check the following guide: [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
## Next steps
If you have issues with a private endpoint, check the following guide: [Troubles
>[Use private endpoints for Azure App Configuration](concept-private-endpoint.md) > [!div class="nextstepaction"]
->[Disable public access in Azure App Configuration](howto-disable-public-access.md)
+>[Disable public access in Azure App Configuration](howto-disable-public-access.md)
azure-app-configuration Quickstart Azure Functions Csharp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-azure-functions-csharp.md
In this quickstart, you incorporate the Azure App Configuration service into an
[!INCLUDE [Create a project using the Azure Functions template](../../includes/functions-vstools-create.md)] ## Connect to an App Configuration store
-This project will use [dependency injection in .NET Azure Functions](/azure/azure-functions/functions-dotnet-dependency-injection) and add Azure App Configuration as an extra configuration source. Azure Functions support running [in-process](/azure/azure-functions/functions-dotnet-class-library) or [isolated-process](/azure/azure-functions/dotnet-isolated-process-guide). Pick the one that matches your requirements.
+This project will use [dependency injection in .NET Azure Functions](../azure-functions/functions-dotnet-dependency-injection.md) and add Azure App Configuration as an extra configuration source. Azure Functions support running [in-process](../azure-functions/functions-dotnet-class-library.md) or [isolated-process](../azure-functions/dotnet-isolated-process-guide.md). Pick the one that matches your requirements.
1. Right-click your project, and select **Manage NuGet Packages**. On the **Browse** tab, search for and add following NuGet packages to your project. ### [In-process](#tab/in-process)
In this quickstart, you created a new App Configuration store and used it with a
To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial. > [!div class="nextstepaction"]
-> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)
+> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)
azure-arc Deploy Active Directory Connector Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/deploy-active-directory-connector-cli.md
Previously updated : 05/05/2022 Last updated : 08/16/2022
To know further details about how to set up OU and AD account, go to [Deploy Azu
#### Create an AD connector instance > [!NOTE]
-> Make sure the password of provided domain service AD account here doesn't contain `!` as special characters.
+> Make sure to wrap your password for the domain service AD account with single quote `'` to avoid the expansion of special characters such as `!`.
> To view available options for create command for AD connector instance, use the following command:
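Review bot: the new wording is correct for bash and other POSIX shells, where an unquoted or double-quoted `!` can trigger history expansion and other characters are subject to expansion, but the note should say which shell it means, since readers of this article also use PowerShell; single quotes suppress expansion there as well, so "in bash or PowerShell, wrap the password in single quotes" would cover both. Wording: "Make sure to wrap your password for the domain service AD account with single quote `'` to avoid the expansion of special characters such as `!`" reads better as "Wrap the password for the domain service AD account in single quotes (`'`) so the shell does not expand special characters such as `!`."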
az arcdata ad-connector create
--k8s-namespace < Kubernetes namespace > --realm < AD Domain name > --nameserver-addresses < DNS server IP addresses >account-provisioning < account provisioning mode : manual or auto >
+--account-provisioning < account provisioning mode : manual or automatic >
--prefer-k8s-dns < whether Kubernetes DNS or AD DNS Server for IP address lookup > --use-k8s ```
az arcdata ad-connector create
--use-k8s ```
+```azurecli
+# Setting environment variables needed for automatic account provisioning
+DOMAIN_SERVICE_ACCOUNT_USERNAME='sqlmi'
+DOMAIN_SERVICE_ACCOUNT_PASSWORD='arc@123!!'
+
+# Deploying active directory connector with automatic account provisioning
+az arcdata ad-connector create
+--name arcadc
+--k8s-namespace arc
+--realm CONTOSO.LOCAL
+--nameserver-addresses 10.10.10.11
+--account-provisioning automatic
+--prefer-k8s-dns false
+--use-k8s
+```
+ ##### Directly connected mode ```azurecli
az arcdata ad-connector create
--dns-domain-name < The DNS name of AD domain > --realm < AD Domain name > --nameserver-addresses < DNS server IP addresses >account-provisioning < account provisioning mode : manual or auto >
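Review bot: in the indirectly connected example, `DOMAIN_SERVICE_ACCOUNT_USERNAME='sqlmi'` and `DOMAIN_SERVICE_ACCOUNT_PASSWORD='arc@123!!'` are plain shell variables, not environment variables, so `az` will not see them unless they are exported (`export DOMAIN_SERVICE_ACCOUNT_USERNAME='sqlmi'`), which the comment "Setting environment variables needed for automatic account provisioning" implies is the intent. The multi-line command also has no line continuation as shown in this diff, so bash would run `az arcdata ad-connector create` on its own and then try to execute `--name` as a command; add a trailing `\` to every line except the last (if the backslashes exist in the file and were lost in this view, ignore this part). Finally, an inline password assignment lands in the shell history; for anything beyond a demo, suggest reading it from a prompt (`read -s DOMAIN_SERVICE_ACCOUNT_PASSWORD`) or a secret store rather than typing it into the script.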
+--account-provisioning < account provisioning mode : manual or automatic >
--prefer-k8s-dns < whether Kubernetes DNS or AD DNS Server for IP address lookup > --data-controller-name < Arc Data Controller Name > --resource-group < resource-group >
az arcdata ad-connector create
--resource-group arc-rg ```
+```azurecli
+# Setting environment variables needed for automatic account provisioning
+DOMAIN_SERVICE_ACCOUNT_USERNAME='sqlmi'
+DOMAIN_SERVICE_ACCOUNT_PASSWORD='arc@123!!'
+
+# Deploying active directory connector with automatic account provisioning
+az arcdata ad-connector create
+--name arcadc
+--realm CONTOSO.LOCAL
+--dns-domain-name contoso.local
+--nameserver-addresses 10.10.10.11
+--account-provisioning automatic
+--prefer-k8s-dns false
+--data-controller-name arcdc
+--resource-group arc-rg
+```
+ ### Update an AD connector instance To view available options for update command for AD connector instance, use the following command:
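Review bot: the directly connected example needs the same two fixes as the indirectly connected one: the `DOMAIN_SERVICE_ACCOUNT_*` assignments must be `export`ed to reach `az`, and each line of the multi-line command needs a trailing `\` continuation. Specific to this hunk: the example passes both `--realm CONTOSO.LOCAL` and `--dns-domain-name contoso.local`, and without a sentence explaining that the realm is the Kerberos realm name (conventionally upper-case) while the DNS domain name is the lower-case DNS name of the same domain, the pair looks like a capitalization typo.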
azure-arc Agent Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/agent-upgrade.md
az connectedk8s upgrade -g AzureArcTest1 -n AzureArcTest --agent-version 1.1.0
## Version support policy
-When you [create support requests](/azure/azure-portal/supportability/how-to-create-azure-support-request) for Azure Arc-enabled Kubernetes, the following version support policy applies:
+When you [create support requests](../../azure-portal/supportability/how-to-create-azure-support-request.md) for Azure Arc-enabled Kubernetes, the following version support policy applies:
* Azure Arc-enabled Kubernetes agents have a support window of "N-2", where 'N' is the latest minor release of agents. * For example, if Azure Arc-enabled Kubernetes introduces 0.28.a today, versions 0.28.a, 0.28.b, 0.27.c, 0.27.d, 0.26.e, and 0.26.f are supported.
If you create a support request and are using a version that is outside of the s
* Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md). * Already have a Kubernetes cluster connected Azure Arc? [Create configurations on your Azure Arc-enabled Kubernetes cluster](./tutorial-use-gitops-connected-cluster.md).
-* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).
+* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).
azure-arc Agent Release Notes Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/agent-release-notes-archive.md
Title: Archive for What's new with Azure Arc-enabled servers agent description: The What's new release notes in the Overview section for Azure Arc-enabled servers agent contains six months of activity. Thereafter, the items are removed from the main article and put into this article. Previously updated : 07/06/2022 Last updated : 08/17/2022
The Azure Connected Machine agent receives improvements on an ongoing basis. Thi
- Known issues - Bug fixes
+## Version 1.16 - March 2022
+
+### Known issues
+
+- `azcmagent logs` doesn't collect Guest Configuration logs in this release. You can locate the log directories in the [agent installation details](deployment-options.md#agent-installation-details).
+
+### New features
+
+- You can now granularly control which extensions are allowed to be deployed to your server and whether or not Guest Configuration should be enabled. See [local agent controls to enable or disable capabilities](security-overview.md#local-agent-security-controls) for more information.
+
+### Fixed
+
+- The "Arc" proxy bypass keyword no longer includes Azure Active Directory endpoints on Linux. Azure Storage endpoints for extension downloads are now included with the "Arc" keyword.
+ ## Version 1.15 - February 2022 ### Known issues
azure-arc Agent Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/agent-release-notes.md
Title: What's new with Azure Arc-enabled servers agent description: This article has release notes for Azure Arc-enabled servers agent. For many of the summarized issues, there are links to more details. Previously updated : 07/26/2022 Last updated : 08/17/2022
The Azure Connected Machine agent receives improvements on an ongoing basis. To
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Arc-enabled servers agent](agent-release-notes-archive.md).
+## Version 1.21 - August 2022
+
+### New features
+
+- `azcmagent connect` usability improvements:
+ - The `--subscription-id (-s)` parameter now accepts friendly names in addition to subscription IDs
+ - Automatic registration of any missing resource providers for first-time users (additional user permissions required to register resource providers)
+ - A progress bar now appears while the resource is being created and connected
+ - The onboarding script now supports both the yum and dnf package managers on RPM-based Linux systems
+- You can now restrict which URLs can be used to download machine configuration (formerly Azure Policy guest configuration) packages by setting the `allowedGuestConfigPkgUrls` tag on the server resource and providing a comma-separated list of URL patterns to allow.
+
+### Fixed
+
+- Extension installation failures are now reported to Azure more reliably to prevent extensions from being stuck in the "creating" state
+- Metadata for Google Cloud Platform virtual machines can now be retrieved when the agent is configured to use a proxy server
+- Improved network connection retry logic and error handling
+ ## Version 1.20 - July 2022 ### Known issues
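Review bot: the `allowedGuestConfigPkgUrls` bullet says the tag takes "a comma-separated list of URL patterns to allow" without defining the pattern syntax (wildcards, scheme, host-only vs. path matching) or the behaviour when the tag is absent. Because this is a download-restriction control, the release note should either spell that out or link to a reference section that does. The resource-provider auto-registration bullet has the same gap: "additional user permissions required" should name the permissions so first-time users can check them before running `azcmagent connect`.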
This page is updated monthly, so revisit it regularly. If you're looking for ite
- `azcmagent logs` collects only the 2 most recent logs for each service to reduce ZIP file size. - `azcmagent logs` collects Guest Configuration logs again.
-## Version 1.16 - March 2022
-
-### Known issues
--- `azcmagent logs` doesn't collect Guest Configuration logs in this release. You can locate the log directories in the [agent installation details](deployment-options.md#agent-installation-details).-
-### New features
--- You can now granularly control which extensions are allowed to be deployed to your server and whether or not Guest Configuration should be enabled. See [local agent controls to enable or disable capabilities](security-overview.md#local-agent-security-controls) for more information.-
-### Fixed
--- The "Arc" proxy bypass keyword no longer includes Azure Active Directory endpoints on Linux. Azure Storage endpoints for extension downloads are now included with the "Arc" keyword.- ## Next steps - Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review [Connected Machine agent overview](agent-overview.md) to understand requirements, technical details about the agent, and deployment methods.
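Review bot: the removed 1.16 section matches, bullet for bullet, the block added to the archive article earlier in this change set, so the move is consistent. One thing to verify: the last removed "Fixed" bullet appears run together with the retained "## Next steps" heading in this hunk, so check that the blank line separating the 1.17 section from "Next steps" survives in the rendered article.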
azure-cache-for-redis Cache Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-configure.md
Select **Diagnose and solve problems** to be provided with common issues and str
Select **Events** to add event subscriptions to your cache. Use events to build reactive, event-driven apps with the fully managed event routing service that is built into Azure.
-The Event Grid helps you build automation into your cloud infrastructure, create serverless apps, and integrate across services and clouds. For more information, see [What is Azure Event Grid](/azure/event-grid/overview).
+The Event Grid helps you build automation into your cloud infrastructure, create serverless apps, and integrate across services and clouds. For more information, see [What is Azure Event Grid](../event-grid/overview.md).
## Redis console
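Review bot: the relative link fix is correct, but the added line keeps "The Event Grid helps you build ..."; the product name is normally used without the article ("Event Grid helps you build ..."). Since the line is being touched anyway, worth fixing in the same hunk.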
The **Virtual Network** section allows you to configure the virtual network sett
The **Private Endpoint** section allows you to configure the private endpoint settings for your cache. Private endpoint is supported on all cache tiers Basic, Standard, Premium, and Enterprise. We recommend using private endpoint instead of VNets. Private endpoints are easy to set up or remove, are supported on all tiers, and can connect your cache to multiple different VNets at once.
-For more information, see [Azure Cache for Redis with Azure Private Link](/azure/azure-cache-for-redis/cache-private-link).
+For more information, see [Azure Cache for Redis with Azure Private Link](./cache-private-link.md).
### Firewall
Azure Automation delivers a cloud-based automation, operating system updates, an
Select **Tasks** to help you manage Azure Cache for Redis resources more easily. These tasks vary in number and availability, based on the resource type. Presently, you can only use the **Send monthly cost for resource** template to create a task while in preview.
-For more information, see [Manage Azure resources and monitor costs by creating automation tasks](/azure/logic-apps/create-automation-tasks-azure-resources).
+For more information, see [Manage Azure resources and monitor costs by creating automation tasks](../logic-apps/create-automation-tasks-azure-resources.md).
### Export template
For more information about Redis commands, see [https://redis.io/commands](https
## Next steps - [How can I run Redis commands?](cache-development-faq.yml#how-can-i-run-redis-commands-)-- [Monitor Azure Cache for Redis](cache-how-to-monitor.md)
+- [Monitor Azure Cache for Redis](cache-how-to-monitor.md)
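Review bot: the removed "Monitor Azure Cache for Redis" bullet and the added one are identical as rendered, so this hunk is a whitespace or trailing-newline change only. No objection, but it should be labelled as such in the commit so nobody hunts for a content difference.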
azure-cache-for-redis Cache How To Premium Persistence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-premium-persistence.md
The following list contains answers to commonly asked questions about Azure Cach
- [Can I use the same storage account for persistence across two different caches?](#can-i-use-the-same-storage-account-for-persistence-across-two-different-caches) - [Will I be charged for the storage being used in Data Persistence](#will-i-be-charged-for-the-storage-being-used-in-data-persistence) - [How frequently does RDB and AOF persistence write to my blobs, and should I enable soft delete?](#how-frequently-does-rdb-and-aof-persistence-write-to-my-blobs-and-should-i-enable-soft-delete)-- [Will having firewall exceptions on the storage account affect persistence](#Will having firewall exceptions on the storage account affect persistence)
+- [Will having firewall exceptions on the storage account affect persistence](#will-having-firewall-exceptions-on-the-storage-account-affect-persistence)
### RDB persistence
When clustering is enabled, each shard in the cache has its own set of page blob
After a rewrite, two sets of AOF files exist in storage. Rewrites occur in the background and append to the first set of files. Set operations, sent to the cache during the rewrite, append to the second set. A backup is temporarily stored during rewrites if there's a failure. The backup is promptly deleted after a rewrite finishes. If soft delete is turned on for your storage account, the soft delete setting applies and existing backups continue to stay in the soft delete state. ### Will having firewall exceptions on the storage account affect persistence+ Using managed identity adds the cache instance to the [trusted services list](../storage/common/storage-network-security.md?tabs=azure-portal), making firewall exceptions easier to carry out. If you aren't using managed identity and instead authorizing to a storage account using a key, then having firewall exceptions on the storage account tends to break the persistence process. ## Next steps
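Review bot: the new FAQ answer says that authorizing with a storage account key while the account has firewall exceptions "tends to break the persistence process", but it never states the configuration that does work. Since the preceding sentence already explains that managed identity puts the cache on the trusted services list, the answer should say plainly that managed identity is the supported path when the storage firewall is enabled, rather than leaving the reader to infer it. The new heading is also the only one in this FAQ list rendered without a question mark while the sibling "Can I use the same storage account ..." entry has one; pick one convention.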
azure-cache-for-redis Cache Ml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-ml.md
Azure Cache for Redis is performant and scalable. When paired with an Azure Mach
> * `model` - The registered model that will be deployed. > * `inference_config` - The inference configuration for the model. >
-> For more information on setting these variables, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).
+> For more information on setting these variables, see [Deploy models with Azure Machine Learning](../machine-learning/how-to-deploy-managed-online-endpoints.md).
## Create an Azure Cache for Redis instance
def run(data):
return error ```
-For more information on entry script, see [Define scoring code.](/azure/machine-learning/how-to-deploy-managed-online-endpoints)
+For more information on entry script, see [Define scoring code.](../machine-learning/how-to-deploy-managed-online-endpoints.md)
* **Dependencies**, such as helper scripts or Python/Conda packages required to run the entry script or model
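Review bot: the link text "Define scoring code." in the added line carries its sentence-ending period inside the brackets; move the period outside the link. The link text also names a "Define scoring code" topic while the target is the general "how-to-deploy-managed-online-endpoints" article; either point at the specific section anchor in that article or reword the link text to match the target.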
These entities are encapsulated into an **inference configuration**. The inferen
For more information on environments, see [Create and manage environments for training and deployment](../machine-learning/how-to-use-environments.md).
-For more information on inference configuration, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).
+For more information on inference configuration, see [Deploy models with Azure Machine Learning](../machine-learning/how-to-deploy-managed-online-endpoints.md).
> [!IMPORTANT] > When deploying to Functions, you do not need to create a **deployment configuration**.
pip install azureml-contrib-functions
To create the Docker image that is deployed to Azure Functions, use [azureml.contrib.functions.package](/python/api/azureml-contrib-functions/azureml.contrib.functions) or the specific package function for the trigger you want to use. The following code snippet demonstrates how to create a new package with an HTTP trigger from the model and inference configuration: > [!NOTE]
-> The code snippet assumes that `model` contains a registered model, and that `inference_config` contains the configuration for the inference environment. For more information, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).
+> The code snippet assumes that `model` contains a registered model, and that `inference_config` contains the configuration for the inference environment. For more information, see [Deploy models with Azure Machine Learning](../machine-learning/how-to-deploy-managed-online-endpoints.md).
```python from azureml.contrib.functions import package
After a few moments, the resource group and all of its resources are deleted.
* Learn more about [Azure Cache for Redis](./cache-overview.md) * Learn to configure your function app in the [Functions](../azure-functions/functions-create-function-linux-custom-image.md) documentation. * [API Reference](/python/api/azureml-contrib-functions/azureml.contrib.functions)
-* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md)
+* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md)
azure-functions Functions Deployment Slots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-deployment-slots.md
Azure Functions deployment slots have the following considerations:
- The number of slots available to an app depends on the plan. The Consumption plan is only allowed one deployment slot. Additional slots are available for apps running under other plans. For details, see [Service limits](functions-scale.md#service-limits). - Swapping a slot resets keys for apps that have an `AzureWebJobsSecretStorageType` app setting equal to `files`. - When slots are enabled, your function app is set to read-only mode in the portal.
+- Use function app names shorter than 32 characters. Names longer than 32 characters are at risk of causing [host ID collisons](storage-considerations.md#host-id-considerations).
## Next steps
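Review bot: typo in the added bullet, "collisons" should read "collisions". The wording also leaves a gap: "shorter than 32 characters" and "longer than 32 characters" together say nothing about a name of exactly 32 characters. State one boundary unambiguously, for example "use names of 31 characters or fewer; names of 32 or more characters are at risk of ...".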
azure-functions Functions Infrastructure As Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-infrastructure-as-code.md
description: Learn how to build an Azure Resource Manager template that deploys
ms.assetid: d20743e3-aab6-442c-a836-9bcea09bfd32 Previously updated : 04/03/2019 Last updated : 08/18/2022
You can use an Azure Resource Manager template to deploy a function app. This ar
For more information about creating templates, see [Authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). For sample templates, see:+ - [ARM templates for function app deployment](https://github.com/Azure-Samples/function-app-arm-templates) - [Function app on Consumption plan] - [Function app on Azure App Service plan]
An Azure storage account is required for a function app. You need a general purp
```json {
- "type": "Microsoft.Storage/storageAccounts",
- "name": "[variables('storageAccountName')]",
- "apiVersion": "2019-06-01",
- "location": "[resourceGroup().location]",
- "kind": "StorageV2",
- "sku": {
- "name": "[parameters('storageAccountType')]"
- }
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2019-06-01",
+ "location": "[resourceGroup().location]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "[parameters('storageAccountType')]"
+ }
} ```
These properties are specified in the `appSettings` collection in the `siteConfi
```json "appSettings": [
- {
- "name": "AzureWebJobsStorage",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
- },
- {
- "name": "AzureWebJobsDashboard",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
- }
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
+ },
+ {
+ "name": "AzureWebJobsDashboard",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
+ }
] ```
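Review bot: this reindented snippet still carries the `AzureWebJobsDashboard` setting, while the "Function app" snippet further down in the same article omits it and the article recommends Application Insights for monitoring. Since the hunk is already touching these lines, either drop `AzureWebJobsDashboard` here too or add a sentence saying when it is still required, so the snippets agree. Both settings also inline the full storage account key through `listKeys(...)` into plain app settings; that is the pattern used throughout the article, but it deserves a one-line note on the trade-off near the first occurrence.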
These properties are specified in the `appSettings` collection in the `siteConfi
Application Insights is recommended for monitoring your function apps. The Application Insights resource is defined with the type **Microsoft.Insights/components** and the kind **web**: ```json
- {
- "apiVersion": "2015-05-01",
- "name": "[variables('appInsightsName')]",
- "type": "Microsoft.Insights/components",
- "kind": "web",
- "location": "[resourceGroup().location]",
- "tags": {
- "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', variables('functionAppName'))]": "Resource"
- },
- "properties": {
- "Application_Type": "web",
- "ApplicationId": "[variables('appInsightsName')]"
- }
- },
+{
+ "apiVersion": "2015-05-01",
+ "name": "[variables('appInsightsName')]",
+ "type": "Microsoft.Insights/components",
+ "kind": "web",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', variables('functionAppName'))]": "Resource"
+ },
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('appInsightsName')]"
+ }
+},
``` In addition, the instrumentation key needs to be provided to the function app using the `APPINSIGHTS_INSTRUMENTATIONKEY` application setting. This property is specified in the `appSettings` collection in the `siteConfig` object: ```json "appSettings": [
- {
- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
- "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"
- }
+ {
+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
+ "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"
+ }
] ``` ### Hosting plan The definition of the hosting plan varies, and can be one of the following:
-* [Consumption plan](#consumption) (default)
-* [Premium plan](#premium)
-* [App Service plan](#app-service-plan)
+
+- [Consumption plan](#consumption) (default)
+- [Premium plan](#premium)
+- [App Service plan](#app-service-plan)
### Function app
The function app resource is defined by using a resource of type **Microsoft.Web
```json {
- "apiVersion": "2015-08-01",
- "type": "Microsoft.Web/sites",
- "name": "[variables('functionAppName')]",
- "location": "[resourceGroup().location]",
- "kind": "functionapp",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
- "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
- ]
+ "apiVersion": "2015-08-01",
+ "type": "Microsoft.Web/sites",
+ "name": "[variables('functionAppName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "functionapp",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
+ ]
} ```
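Review bot: the `Microsoft.Web/sites` resource here uses `apiVersion` `2015-08-01`, while the custom-container snippet later in the article uses `2016-03-01` and the Kubernetes snippet uses `2018-11-01` for the same resource type. A reindent-only hunk is a good opportunity to align these, or at least to state why the older version is kept in the default example.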
These properties are specified in the `appSettings` collection in the `siteConfi
```json "properties": {
- "siteConfig": {
- "appSettings": [
- {
- "name": "AzureWebJobsStorage",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
- },
- {
- "name": "FUNCTIONS_WORKER_RUNTIME",
- "value": "node"
- },
- {
- "name": "WEBSITE_NODE_DEFAULT_VERSION",
- "value": "~14"
- },
- {
- "name": "FUNCTIONS_EXTENSION_VERSION",
- "value": "~4"
- }
- ]
- }
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
+ },
+ {
+ "name": "FUNCTIONS_WORKER_RUNTIME",
+ "value": "node"
+ },
+ {
+ "name": "WEBSITE_NODE_DEFAULT_VERSION",
+ "value": "~14"
+ },
+ {
+ "name": "FUNCTIONS_EXTENSION_VERSION",
+ "value": "~4"
+ }
+ ]
+ }
} ```
To run your app on Linux, you must also set the property `"reserved": true` for
} } ```+ ### Create a function app
For a sample Azure Resource Manager template, see [Azure Function App Hosted on
"properties": { "reserved": true, "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "siteConfig": {
+ "siteConfig": {
"linuxFxVersion": "node|14", "appSettings": [ {
For a sample Azure Resource Manager template, see [Azure Function App Hosted on
"name": "FUNCTIONS_WORKER_RUNTIME", "value": "node" }
- ]
+ ]
} } } ```+ <a name="premium"></a>
To run your app on Linux, you must also set property `"reserved": true` for the
"kind": "elastic" } ```+ ### Create a function app
The settings required by a function app running in Premium plan differ between W
} } ```+ > [!IMPORTANT] > You don't need to set the [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare) setting because it's generated for you when the site is first created.
The function app must have set `"kind": "functionapp,linux"`, and it must have s
} } ```+ <a name="app-service-plan"></a>
To run your app on Linux, you must also set property `"reserved": true` for the
} } ```+ ### Create a function app
The function app must have set `"kind": "functionapp,linux"`, and it must have s
} } ```+ ### Custom Container Image
If you are [deploying a custom container image](./functions-create-function-linu
```json {
- "apiVersion": "2016-03-01",
- "type": "Microsoft.Web/sites",
- "name": "[variables('functionAppName')]",
- "location": "[resourceGroup().location]",
- "kind": "functionapp",
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
- ],
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "siteConfig": {
- "appSettings": [
- {
- "name": "AzureWebJobsStorage",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
- },
- {
- "name": "FUNCTIONS_WORKER_RUNTIME",
- "value": "node"
- },
- {
- "name": "WEBSITE_NODE_DEFAULT_VERSION",
- "value": "~14"
- },
- {
- "name": "FUNCTIONS_EXTENSION_VERSION",
- "value": "~3"
- },
- {
- "name": "DOCKER_REGISTRY_SERVER_URL",
- "value": "[parameters('dockerRegistryUrl')]"
- },
- {
- "name": "DOCKER_REGISTRY_SERVER_USERNAME",
- "value": "[parameters('dockerRegistryUsername')]"
- },
- {
- "name": "DOCKER_REGISTRY_SERVER_PASSWORD",
- "value": "[parameters('dockerRegistryPassword')]"
- },
- {
- "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
- "value": "false"
- }
- ],
- "linuxFxVersion": "DOCKER|myacr.azurecr.io/myimage:mytag"
+ "apiVersion": "2016-03-01",
+ "type": "Microsoft.Web/sites",
+ "name": "[variables('functionAppName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "functionapp",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+ ],
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
+ },
+ {
+ "name": "FUNCTIONS_WORKER_RUNTIME",
+ "value": "node"
+ },
+ {
+ "name": "WEBSITE_NODE_DEFAULT_VERSION",
+ "value": "~14"
+ },
+ {
+ "name": "FUNCTIONS_EXTENSION_VERSION",
+ "value": "~3"
+ },
+ {
+ "name": "DOCKER_REGISTRY_SERVER_URL",
+ "value": "[parameters('dockerRegistryUrl')]"
+ },
+ {
+ "name": "DOCKER_REGISTRY_SERVER_USERNAME",
+ "value": "[parameters('dockerRegistryUsername')]"
+ },
+ {
+ "name": "DOCKER_REGISTRY_SERVER_PASSWORD",
+ "value": "[parameters('dockerRegistryPassword')]"
+ },
+ {
+ "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
+ "value": "false"
}
+ ],
+ "linuxFxVersion": "DOCKER|myacr.azurecr.io/myimage:mytag"
}
+ }
} ```
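Review bot: `parameters('dockerRegistryPassword')` is consumed as an ordinary parameter in the custom-container snippet. The parameter definition is not shown, but the article should state that it must be declared with type `securestring` so the registry credential is not echoed back in deployment history and logs; a plain `string` parameter would be. Separately, this snippet pins `FUNCTIONS_EXTENSION_VERSION` to `~3` while the earlier "Function app" snippet in the same article uses `~4` with the same `WEBSITE_NODE_DEFAULT_VERSION` of `~14`; since the hunk only reindents, consider bumping this one to `~4` as well, or note why it stays on `~3`.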
To create the app and plan resources, you must have already [created an App Serv
```json {
- "parameters": {
- "kubeEnvironmentId" : {
- "type": "string"
- },
- "customLocationId" : {
- "type": "string"
- }
+ "parameters": {
+ "kubeEnvironmentId" : {
+ "type": "string"
+ },
+ "customLocationId" : {
+ "type": "string"
}
+ }
} ```
Both sites and plans must reference the custom location through an `extendedLoca
```json {
- "extendedLocation": {
- "type": "customlocation",
- "name": "[parameters('customLocationId')]"
- },
+ "extendedLocation": {
+ "type": "customlocation",
+ "name": "[parameters('customLocationId')]"
+ },
} ```
The plan resource should use the Kubernetes (K1) SKU, and its `kind` field shoul
```json {
- "type": "Microsoft.Web/serverfarms",
+ "type": "Microsoft.Web/serverfarms",
+ "name": "[variables('hostingPlanName')]",
+ "location": "[parameters('location')]",
+ "apiVersion": "2020-12-01",
+ "kind": "linux,kubernetes",
+ "sku": {
+ "name": "K1",
+ "tier": "Kubernetes"
+ },
+ "extendedLocation": {
+ "type": "customlocation",
+ "name": "[parameters('customLocationId')]"
+ },
+ "properties": {
"name": "[variables('hostingPlanName')]", "location": "[parameters('location')]",
- "apiVersion": "2020-12-01",
- "kind": "linux,kubernetes",
- "sku": {
- "name": "K1",
- "tier": "Kubernetes"
- },
- "extendedLocation": {
- "type": "customlocation",
- "name": "[parameters('customLocationId')]"
+ "workerSizeId": "0",
+ "numberOfWorkers": "1",
+ "kubeEnvironmentProfile": {
+ "id": "[parameters('kubeEnvironmentId')]"
},
- "properties": {
- "name": "[variables('hostingPlanName')]",
- "location": "[parameters('location')]",
- "workerSizeId": "0",
- "numberOfWorkers": "1",
- "kubeEnvironmentProfile": {
- "id": "[parameters('kubeEnvironmentId')]"
- },
- "reserved": true
- }
+ "reserved": true
+ }
} ```
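Review bot: in the reordered `Microsoft.Web/serverfarms` snippet, `name` and `location` appear both at the top level of the resource and again inside `properties`. Confirm whether the duplicated `properties.name` and `properties.location` are still required for `apiVersion` `2020-12-01`; if they are not, drop them so readers do not copy redundant fields into their own templates.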
The function app resource should have its `kind` field set to "functionapp,linux
```json {
- "apiVersion": "2018-11-01",
- "type": "Microsoft.Web/sites",
- "name": "[variables('appName')]",
- "kind": "kubernetes,functionapp,linux,container",
- "location": "[parameters('location')]",
- "extendedLocation": {
- "type": "customlocation",
- "name": "[parameters('customLocationId')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
- "[variables('hostingPlanId')]"
- ],
- "properties": {
- "serverFarmId": "[variables('hostingPlanId')]",
- "siteConfig": {
- "linuxFxVersion": "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-appservice-quickstart",
- "appSettings": [
- {
- "name": "FUNCTIONS_EXTENSION_VERSION",
- "value": "~3"
- },
- {
- "name": "AzureWebJobsStorage",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
-
- },
- {
- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
- "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"
- }
- ],
- "alwaysOn": true
+ "apiVersion": "2018-11-01",
+ "type": "Microsoft.Web/sites",
+ "name": "[variables('appName')]",
+ "kind": "kubernetes,functionapp,linux,container",
+ "location": "[parameters('location')]",
+ "extendedLocation": {
+ "type": "customlocation",
+ "name": "[parameters('customLocationId')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[variables('hostingPlanId')]"
+ ],
+ "properties": {
+ "serverFarmId": "[variables('hostingPlanId')]",
+ "siteConfig": {
+ "linuxFxVersion": "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-appservice-quickstart",
+ "appSettings": [
+ {
+ "name": "FUNCTIONS_EXTENSION_VERSION",
+ "value": "~3"
+ },
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
+
+ },
+ {
+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
+ "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"
}
+ ],
+ "alwaysOn": true
}
+ }
} ```
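Review bot: the `AzureWebJobsStorage` value in the Kubernetes snippet uses `listKeys(variables('storageAccountid'),'2015-05-01-preview').key1`, whereas every other snippet in the article uses `listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value`. The preview API and `.key1` shape should be brought in line with the rest of the article. There is also a stray blank line inside that app-setting object, between the `value` entry and the closing brace, which survived the reindent.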
A function app has many child resources that you can use in your deployment, inc
} }, "resources": [
- {
- "apiVersion": "2015-08-01",
- "name": "appsettings",
- "type": "config",
- "dependsOn": [
- "[resourceId('Microsoft.Web/Sites', parameters('appName'))]",
- "[resourceId('Microsoft.Web/Sites/sourcecontrols', parameters('appName'), 'web')]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
- ],
- "properties": {
- "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",
- "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",
- "FUNCTIONS_EXTENSION_VERSION": "~3",
- "FUNCTIONS_WORKER_RUNTIME": "dotnet",
- "Project": "src"
- }
- },
- {
- "apiVersion": "2015-08-01",
- "name": "web",
- "type": "sourcecontrols",
- "dependsOn": [
- "[resourceId('Microsoft.Web/sites/', parameters('appName'))]"
- ],
- "properties": {
- "RepoUrl": "[parameters('sourceCodeRepositoryURL')]",
- "branch": "[parameters('sourceCodeBranch')]",
- "IsManualIntegration": "[parameters('sourceCodeManualIntegration')]"
- }
- }
+ {
+ "apiVersion": "2015-08-01",
+ "name": "appsettings",
+ "type": "config",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/Sites', parameters('appName'))]",
+ "[resourceId('Microsoft.Web/Sites/sourcecontrols', parameters('appName'), 'web')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+ ],
+ "properties": {
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",
+ "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",
+ "FUNCTIONS_EXTENSION_VERSION": "~3",
+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",
+ "Project": "src"
+ }
+ },
+ {
+ "apiVersion": "2015-08-01",
+ "name": "web",
+ "type": "sourcecontrols",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/sites/', parameters('appName'))]"
+ ],
+ "properties": {
+ "RepoUrl": "[parameters('sourceCodeRepositoryURL')]",
+ "branch": "[parameters('sourceCodeBranch')]",
+ "IsManualIntegration": "[parameters('sourceCodeManualIntegration')]"
+ }
+ }
] } ```+ > [!TIP] > This template uses the [Project](https://github.com/projectkudu/kudu/wiki/Customizing-deployments#using-app-settings-instead-of-a-deployment-file) app settings value, which sets the base directory in which the Functions deployment engine (Kudu) looks for deployable code. In our repository, our functions are in a subfolder of the **src** folder. So, in the preceding example, we set the app settings value to `src`. If your functions are in the root of your repository, or if you are not deploying from source control, you can remove this app settings value.
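Review bot: the `appsettings` config resource declares a `dependsOn` on `Microsoft.Web/Sites/sourcecontrols`, so the settings, including the `Project` value that the tip below says steers where Kudu looks for deployable code, are applied only after the source-control resource has been created and deployment has been triggered. Confirm this ordering is intended; if `Project` must be in place before the first deployment, the dependency should point the other way. Minor style point in the same hunk: `resourceId('Microsoft.Web/Sites', ...)` and `resourceId('Microsoft.Web/sites/', ...)` mix casing and a trailing slash for the same type; use one spelling.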
A function app has many child resources that you can use in your deployment, inc
You can use any of the following ways to deploy your template:
-* [PowerShell](../azure-resource-manager/templates/deploy-powershell.md)
-* [Azure CLI](../azure-resource-manager/templates/deploy-cli.md)
-* [Azure portal](../azure-resource-manager/templates/deploy-portal.md)
-* [REST API](../azure-resource-manager/templates/deploy-rest.md)
+- [PowerShell](../azure-resource-manager/templates/deploy-powershell.md)
+- [Azure CLI](../azure-resource-manager/templates/deploy-cli.md)
+- [Azure portal](../azure-resource-manager/templates/deploy-portal.md)
+- [REST API](../azure-resource-manager/templates/deploy-rest.md)
### Deploy to Azure button
To test out this deployment, you can use a [template like this one](https://raw.
Learn more about how to develop and configure Azure Functions.
-* [Azure Functions developer reference](functions-reference.md)
-* [How to configure Azure function app settings](functions-how-to-use-azure-function-app-settings.md)
-* [Create your first Azure function](./functions-get-started.md)
+- [Azure Functions developer reference](functions-reference.md)
+- [How to configure Azure function app settings](functions-how-to-use-azure-function-app-settings.md)
+- [Create your first Azure function](./functions-get-started.md)
<!-- LINKS -->
azure-functions Functions Recover Storage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-recover-storage-account.md
Your function app must be able to access the storage account. Common issues that
* The storage account firewall is enabled and not configured to allow traffic to and from functions. For more information, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md?toc=%2fazure%2fstorage%2ffiles%2ftoc.json).
-* Verify that the `allowSharedKeyAccess` setting is set to `true` which is its default value. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../storage/common/shared-key-authorization-prevent.md?tabs=portal#verify-that-shared-key-access-is-not-allowed).
+* Verify that the `allowSharedKeyAccess` setting is set to `true`, which is its default value. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../storage/common/shared-key-authorization-prevent.md?tabs=portal#verify-that-shared-key-access-is-not-allowed).
## Daily execution quota is full
You can also use the portal from a computer that's connected to the virtual netw
For more information about inbound rule configuration, see the "Network Security Groups" section of [Networking considerations for an App Service Environment](../app-service/environment/network-info.md#network-security-groups).
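Review bot: the added `allowSharedKeyAccess` bullet reads as an instruction to turn Shared Key authorization on, while the article it links to is about preventing it, and in a list headed "Common issues" it should describe the failure condition rather than give a command. Suggest: "Shared Key authorization is disabled on the storage account (`allowSharedKeyAccess` is `false`); the Functions host can't connect with a key-based `AzureWebJobsStorage` connection string in that case." Re-enabling shared keys widens the account's attack surface, so the text should also point the reader at configuring the host's storage connection without account keys where the hosting plan supports it, instead of presenting `true` as the only fix.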
-## Container image unavailable (Linux)
+## Container errors on Linux
-For Linux function apps that run from a container, the "Azure Functions runtime is unreachable" error can occur when the container image being referenced is unavailable or fails to start correctly.
-
-To confirm that the error is caused for this reason:
+For function apps that run on Linux in a container, the `Azure Functions runtime is unreachable` error can occur as a result of problems with the container. Use the following procedure to review the container logs for errors:
1. Navigate to the Kudu endpoint for the function app, which is located at `https://scm.<FUNCTION_APP>.azurewebsites.net`, where `<FUNCTION_APP>` is the name of your app.
-1. Download the Docker logs ZIP file and review them locally, or review the docker logs from within Kudu.
+1. Download the Docker logs .zip file and review the contents on your local computer.
+
+1. Check for any logged errors that indicate that the container is unable to start successfully.
+
+### Container image unavailable
+
+Errors can occur when the container image being referenced is unavailable or fails to start correctly. Check for any logged errors that indicate that the container is unable to start successfully.
+
+You need to correct any errors that prevent the container from starting for the function app run correctly.
+
+When the container image can't be found, you'll see a `manifest unknown` error in the Docker logs. In this case, you can use the Azure CLI commands documented at [How to target Azure Functions runtime versions](set-runtime-version.md?tabs=azurecli#manual-version-updates-on-linux) to change the container image being referenced. If you've deployed a [custom container image](functions-create-function-linux-custom-image.md), you need to fix the image and redeploy the updated version to the referenced registry.
+
+### App container has conflicting ports
+
+Your function app might be in an unresponsive state due to conflicting port assignment upon startup. This can happen in the following cases:
+
+* Your container has separate services running where one or more services are tying to bind to the same port as the function app.
+* You've added an Azure Hybrid Connection that shares the same port value as the function app.
-1. Check for any errors in the logs that would indicate that the container is unable to start successfully.
+By default, the container in which your function app runs uses port `:80`. When other services in the same container are also trying to using port `:80`, the function app can fail to start. If your logs show port conflicts, change the default ports.
-Any such error would need to be remedied for the function to work correctly.
+## Host ID collision
-When the container image can't be found, you should see a `manifest unknown` error in the Docker logs. In this case, you can use the Azure CLI commands documented at [How to target Azure Functions runtime versions](set-runtime-version.md?tabs=azurecli) to change the container image being reference. If you've deployed a custom container image, you need to fix the image and redeploy the updated version to the referenced registry.
+Starting with version 3.x of the Functions runtime, [host ID collision](storage-considerations.md#host-id-considerations) are detected and logged as a warning. In version 4.x, an error is logged and the host is stopped. If the runtime can't start for your function app, [review the logs](analyze-telemetry-data.md). If there's a warning or an error about host ID collisions, follow the mitigation steps in [Host ID considerations](storage-considerations.md#host-id-considerations).
## Next steps
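Review bot: the Kudu URL in the container-logs procedure is wrong: the SCM endpoint is `https://<FUNCTION_APP>.scm.azurewebsites.net`, not `https://scm.<FUNCTION_APP>.azurewebsites.net`. It is also worth saying that this endpoint is an administrative surface that requires publishing credentials or a signed-in Azure account, and that the downloaded Docker logs include the container's startup command line and the app's own output, so they should be handled as sensitive. Several added lines need copy fixes before merge: "tying to bind" (trying to bind), "trying to using port" (trying to use port), "that prevent the container from starting for the function app run correctly" (so that the function app can run correctly), "host ID collision are detected" (collisions are detected), and the port is written as `:80` where `80` is meant. The "conflicting ports" section ends with "change the default ports" without naming the setting that controls the container's listening port (for App Service custom containers that is `WEBSITES_PORT`); the reader needs that name to act on the advice.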
azure-functions Functions Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-versions.md
The following table indicates which programming languages are currently supporte
## <a name="creating-1x-apps"></a>Run on a specific version
-By default, function apps created in the Azure portal and by the Azure CLI are set to version 4.x. You can modify this version if needed. You can only downgrade the runtime version to 1.x after you create your function app but before you add any functions. Moving to a later version is allowed even with apps that have existing functions. When your app has existing functions, be aware of any breaking changes between versions before moving to a later runtime version. The following sections detail changes between versions:
+By default, function apps created in the Azure portal and by the Azure CLI are set to version 4.x. You can modify this version if needed. You can only downgrade the runtime version to 1.x after you create your function app but before you add any functions. Moving to a later version is allowed even with apps that have existing functions. When your app has existing functions, be aware of any breaking changes between versions before moving to a later runtime version. The following sections detail breaking changes between versions, including language-specific breaking changes.
+ [Between 3.x and 4.x](#breaking-changes-between-3x-and-4x) + [Between 2.x and 3.x](#breaking-changes-between-2x-and-3x) + [Between 1.x and later versions](#migrating-from-1x-to-later-versions)
+If you don't see your programming language, go select it from the [top of the page](#top).
+ Before making a change to the major version of the runtime, you should first test your existing code on the new runtime version. You can verify your app runs correctly after the upgrade by deploying to another function app running on the latest major version. You can also verify your code locally by using the runtime-specific version of the [Azure Functions Core Tools](functions-run-local.md), which includes the Functions runtime. Downgrades to v2.x aren't supported. When possible, you should always run your apps on the latest supported version of the Functions runtime.
To update your project to Azure Functions 4.x:
### Breaking changes between 3.x and 4.x
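Review bot: the sentence "If you don't see your programming language, go select it from the top of the page" is added three times in this article within a few paragraphs (after the version list, under "Breaking changes between 3.x and 4.x", and under "Breaking changes between 2.x and 3.x"); keep one occurrence. The three "Between ..." links were committed as `+` bullets on a single line, so they render as one run-on line rather than a list; put each on its own line. "Downgrades to v2.x aren't supported" sits next to "You can only downgrade the runtime version to 1.x ... before you add any functions" and is easy to misread as allowing other downgrades; one sentence stating that 1.x is the only supported downgrade, and only for an app with no functions, would remove the ambiguity.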
-The following are some changes to be aware of before upgrading a 3.x app to 4.x. For a full list, see Azure Functions GitHub issues labeled [*Breaking Change: Approved*](https://github.com/Azure/azure-functions/issues?q=is%3Aissue+label%3A%22Breaking+Change%3A+Approved%22+is%3A%22closed+OR+open%22). More changes are expected during the preview period. Subscribe to [App Service Announcements](https://github.com/Azure/app-service-announcements/issues) for updates.
+The following are key breaking changes to be aware of before upgrading a 3.x app to 4.x, including language-specific breaking changes. For a full list, see Azure Functions GitHub issues labeled [*Breaking Change: Approved*](https://github.com/Azure/azure-functions/issues?q=is%3Aissue+label%3A%22Breaking+Change%3A+Approved%22+is%3A%22closed+OR+open%22). More changes are expected during the preview period. Subscribe to [App Service Announcements](https://github.com/Azure/app-service-announcements/issues) for updates.
+
+If you don't see your programming language, go select it from the [top of the page](#top).
#### Runtime
Azure Functions version 3.x is highly backwards compatible to version 2.x. Many
### Breaking changes between 2.x and 3.x
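Review bot: "More changes are expected during the preview period" is carried over unchanged in the rewritten paragraph, but the same article now states that apps created in the portal and CLI default to version 4.x; a default runtime is not in preview, so the sentence is stale and should be dropped. The pointer to App Service Announcements can stand on its own ("Subscribe to ... for updates about future breaking changes").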
-The following are the language-specific changes to be aware of before upgrading a 2.x app to 3.x.
+The following are the language-specific changes to be aware of before upgrading a 2.x app to 3.x. If you don't see your programming language, go select it from the [top of the page](#top).
::: zone pivot="programming-language-csharp" The main differences between versions when running .NET class library functions is the .NET Core runtime. Functions version 2.x is designed to run on .NET Core 2.2 and version 3.x is designed to run on .NET Core 3.1.
azure-functions Storage Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/storage-considerations.md
Azure Functions requires an Azure Storage account when you create a function app
## Storage account requirements
-When creating a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. This is because Functions relies on Azure Storage for operations such as managing triggers and logging function executions. Some storage accounts don't support queues and tables. These accounts include blob-only storage accounts and Azure Premium Storage.
+When creating a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. This requirement exists because Functions relies on Azure Storage for operations such as managing triggers and logging function executions. Some storage accounts don't support queues and tables. These accounts include blob-only storage accounts and Azure Premium Storage.
To learn more about storage account types, see [Storage account overview](../storage/common/storage-account-overview.md).
-While you can use an existing storage account with your function app, you must make sure that it meets these requirements. Storage accounts created as part of the function app create flow in the Azure portal are guaranteed to meet these storage account requirements. In the portal, unsupported accounts are filtered out when choosing an existing storage account while creating a function app. In this flow, you are only allowed to choose existing storage accounts in the same region as the function app you're creating. To learn more, see [Storage account location](#storage-account-location).
+While you can use an existing storage account with your function app, you must make sure that it meets these requirements. Storage accounts created as part of the function app create flow in the Azure portal are guaranteed to meet these storage account requirements. In the portal, unsupported accounts are filtered out when choosing an existing storage account while creating a function app. In this flow, you're only allowed to choose existing storage accounts in the same region as the function app you're creating. To learn more, see [Storage account location](#storage-account-location).
<!-- JH: Does using a Premium Storage account improve perf? --> ## Storage account guidance
-Every function app requires a storage account to operate. If that account is deleted your function app won't run. To troubleshoot storage-related issues, see [How to troubleshoot storage-related issues](functions-recover-storage-account.md). The following additional considerations apply to the Storage account used by function apps.
+Every function app requires a storage account to operate. When that account is deleted, your function app won't run. To troubleshoot storage-related issues, see [How to troubleshoot storage-related issues](functions-recover-storage-account.md). The following other considerations apply to the Storage account used by function apps.
### Storage account location
-For best performance, your function app should use a storage account in the same region, which reduces latency. The Azure portal enforces this best practice. If, for some reason, you need to use a storage account in a region different than your function app, you must create your function app outside of the portal.
+For best performance, your function app should use a storage account in the same region, which reduces latency. The Azure portal enforces this best practice. If for some reason you need to use a storage account in a region different than your function app, you must create your function app outside of the portal.
### Storage account connection setting
You may need to use separate store accounts to [avoid host ID collisions](#avoid
### Lifecycle management policy considerations
-Functions uses Blob storage to persist important information, such as [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys). When you apply a [lifecycle management policy](../storage/blobs/lifecycle-management-overview.md) to your Blob Storage account, the policy may remove blobs needed by the Functions host. Because of this, you shouldn't apply such policies to the storage account used by Functions. If you do need to apply such a policy, remember to exclude containers used by Functions, which are usually prefixed with `azure-webjobs` or `scm`.
+Functions uses Blob storage to persist important information, such as [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys). When you apply a [lifecycle management policy](../storage/blobs/lifecycle-management-overview.md) to your Blob Storage account, the policy may remove blobs needed by the Functions host. Because of this fact, you shouldn't apply such policies to the storage account used by Functions. If you do need to apply such a policy, remember to exclude containers used by Functions, which are prefixed with `azure-webjobs` or `scm`.
### Optimize storage performance
When all customer data must remain within a single region, the storage account a
Other platform-managed customer data is only stored within the region when hosting in an internally load-balanced App Service Environment (ASE). To learn more, see [ASE zone redundancy](../app-service/environment/zone-redundancy.md#in-region-data-residency).
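Review bot: dropping "usually" makes "containers used by Functions, which are prefixed with `azure-webjobs` or `scm`" an absolute claim; if that is intended, fine, but the advice should also cover tier transitions, not only deletion: a rule that moves blobs to the archive tier takes them offline until rehydrated, which breaks the host just as removing them does, and the secrets this paragraph says are stored there (the function access keys) become unreadable. Lifecycle rules filter by `prefixMatch` (an include filter), there is no exclude filter, so "exclude containers used by Functions" in practice means scoping every rule's `prefixMatch` to the application's own containers; say that explicitly.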
-## Host ID considerations
+## Host ID considerations
Functions uses a host ID value as a way to uniquely identify a particular function app in stored artifacts. By default, this ID is auto-generated from the name of the function app, truncated to the first 32 characters. This ID is then used when storing per-app correlation and tracking information in the linked storage account. When you have function apps with names longer than 32 characters and when the first 32 characters are identical, this truncation can result in duplicate host ID values. When two function apps with identical host IDs use the same storage account, you get a host ID collision because stored data can't be uniquely linked to the correct function app.
+>[!NOTE]
+>This same collison can occur between a function app in a production slot and the same function app in a staging slot, when both slots use the same storage account.
+ Starting with version 3.x of the Functions runtime, host ID collision is detected and a warning is logged. In version 4.x, an error is logged and the host is stopped, resulting in a hard failure. More details about host ID collision can be found in [this issue](https://github.com/Azure/azure-functions-host/issues/2015). ### Avoiding host ID collisions You can use the following strategies to avoid host ID collisions:
-+ Use a separated storage account for each function app involved in the collision.
-+ Rename one of your function apps to a value less than 32 characters in length, which changes the computed host ID for the app and removes the collision.
++ Use a separated storage account for each function app or slot involved in the collision.++ Rename one of your function apps to a value fewer than 32 characters in length, which changes the computed host ID for the app and removes the collision. + Set an explicit host ID for one or more of the colliding apps. To learn more, see [Host ID override](#override-the-host-id). > [!IMPORTANT]
You can use the following strategies to avoid host ID collisions:
You can explicitly set a specific host ID for your function app in the application settings by using the `AzureFunctionsWebHost__hostid` setting. For more information, see [AzureFunctionsWebHost__hostid](functions-app-settings.md#azurefunctionswebhost__hostid).
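Review bot: the three "Avoiding host ID collisions" strategies and the following `> [!IMPORTANT]` opener were committed on one line, so the list and the callout are lost in rendering; split them back onto separate lines. Copy fixes in the added text: "collison" (collision) in the note, and "Use a separated storage account" (separate). The note about production and staging slots is a good addition; it would help to say in the same note that the symptom is the same as for two differently named apps (the host refuses to start on 4.x), since readers hitting the slot case search for the slot, not for the truncated name.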
-To learn how to create app settings, see [Work with application settings](functions-how-to-use-azure-function-app-settings.md#settings).
+When the collision occurs between slots, you may need to mark this setting as a slot setting. To learn how to create app settings, see [Work with application settings](functions-how-to-use-azure-function-app-settings.md#settings).
## Create an app without Azure Files
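Review bot: "you may need to mark this setting as a slot setting" leaves the reader to guess when. State the rule: app settings that are not slot settings move with the deployed content during a swap, so a non-sticky `AzureFunctionsWebHost__hostid` changes which slot carries which ID at every swap, and the per-app artifacts stored under that ID (including the function access keys mentioned above) move with it. If the intent is a stable ID per slot, the setting must be a slot setting; replace "may need" with that definite statement and the reason.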
-Azure Files is set up by default for Premium and non-Linux Consumption plans to serve as a shared file system in high-scale scenarios. The file system is used by the platform for some features such as log streaming, but it primarily ensures consistency of the deployed function payload. When an app is [deployed using an external package URL](./run-functions-from-deployment-package.md), the app content is served from a separate read-only file system, so Azure Files can be omitted if desired. In such cases, a writeable file system is provided, but it is not guaranteed to be shared with all function app instances.
+Azure Files is set up by default for Premium and non-Linux Consumption plans to serve as a shared file system in high-scale scenarios. The file system is used by the platform for some features such as log streaming, but it primarily ensures consistency of the deployed function payload. When an app is [deployed using an external package URL](./run-functions-from-deployment-package.md), the app content is served from a separate read-only file system. This means that you can create your function app without Azure Files. If you create your function app with Azure Files, a writeable file system is still provided. However, this file system may not be available for all function app instances.
-When Azure Files isn't used, you must account for the following:
+When Azure Files isn't used, you must meet the following requirements:
* You must deploy from an external package URL. * Your app can't rely on a shared writeable file system.
-* The app can't use Functions runtime v1.
+* The app can't use version 1.x of the Functions runtime.
* Log streaming experiences in clients such as the Azure portal default to file system logs. You should instead rely on Application Insights logs.
-If the above are properly accounted for, you may create the app without Azure Files. Create the function app without specifying the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE` application settings. You can do this by generating an ARM template for a standard deployment, removing these two settings, and then deploying the template.
+If the above are properly accounted for, you may create the app without Azure Files. Create the function app without specifying the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE` application settings. You can avoid these settings by generating an ARM template for a standard deployment, removing the two settings, and then deploying the template.
-Because Functions use Azure Files during parts of the the dynamic scale-out process, scaling could be limited when running without Azure Files on Consumption and Premium plans.
+Because Functions use Azure Files during parts of the dynamic scale-out process, scaling could be limited when running without Azure Files on Consumption and Premium plans.
## Mount file shares _This functionality is current only available when running on Linux._
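Review bot: the rewritten Azure Files paragraph inverts the original's meaning. The removed text said that an app deployed from an external package URL, without Azure Files, still gets a writable file system that is not guaranteed to be shared across instances; the added text attaches that statement to an app created with Azure Files and changes "not guaranteed to be shared" to "may not be available", which is a different claim. Suggest: "When you create the app without Azure Files, a writable file system is still provided, but it isn't shared between instances." The "can't rely on a shared writeable file system" requirement in the list below only makes sense with that reading.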
-You can mount existing Azure Files shares to your Linux function apps. By mounting a share to your Linux function app, you can leverage existing machine learning models or other data in your functions. You can use the following command to mount an existing share to your Linux function app.
+You can mount existing Azure Files shares to your Linux function apps. By mounting a share to your Linux function app, you can use existing machine learning models or other data in your functions. You can use the following command to mount an existing share to your Linux function app.
# [Azure CLI](#tab/azure-cli)
For a complete example, see the script in [Create a serverless Python function a
-Currently, only a `storage-type` of `AzureFiles` is supported. You can only mount five shares to a given function app. Mounting a file share may increase the cold start time by at least 200-300ms, or even more when the storage account is in a different region.
+Currently, only a `storage-type` of `AzureFiles` is supported. You can only mount five shares to a given function app. Mounting a file share may increase the cold start time by at least 200-300 ms, or even more when the storage account is in a different region.
The mounted share is available to your function code at the `mount-path` specified. For example, when `mount-path` is `/path/to/mount`, you can access the target directory by file system APIs, as in the following Python example:
azure-government Azure Secure Isolation Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/azure-secure-isolation-guidance.md
Storage accounts are encrypted regardless of their performance tier (standard or
Because data encryption is performed by the Storage service, server-side encryption with CMK enables you to use any operating system types and images for your VMs. For your Windows and Linux IaaS VMs, Azure also provides Azure Disk encryption that enables you to encrypt managed disks with CMK within the Guest VM, as described in the next section. Combining Azure Storage service encryption and Disk encryption effectively enables [double encryption of data at rest](../virtual-machines/disks-enable-double-encryption-at-rest-portal.md). #### Azure Disk encryption
-Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, you may optionally use [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to encrypt Azure [Windows](../virtual-machines/windows/disk-encryption-overview.md) and [Linux](../virtual-machines/linux/disk-encryption-overview.md) IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes [managed disks](../virtual-machines/managed-disks-overview.md), as described later in this section. Azure disk encryption uses the industry standard [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview) feature of Windows and the [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide OS-based volume encryption that is integrated with Azure Key Vault.
+Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, you may optionally use [Azure Disk encryption](../virtual-machines/disk-encryption-overview.md) to encrypt Azure [Windows](../virtual-machines/windows/disk-encryption-overview.md) and [Linux](../virtual-machines/linux/disk-encryption-overview.md) IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes [managed disks](../virtual-machines/managed-disks-overview.md), as described later in this section. Azure disk encryption uses the industry standard [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview) feature of Windows and the [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide OS-based volume encryption that is integrated with Azure Key Vault.
Drive encryption through BitLocker and DM-Crypt is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker and DM-Crypt provide the most protection when used with a Trusted Platform Module (TPM) version 1.2 or higher. The TPM is a microcontroller designed to secure hardware through integrated cryptographic keys ΓÇô it's commonly pre-installed on newer computers. BitLocker and DM-Crypt can use this technology to protect the keys used to encrypt disk volumes and provide integrity to computer boot process.
For [Windows VMs](../virtual-machines/windows/disk-encryption-faq.yml), Azure Di
Customer-managed keys (CMK) enable you to have [full control](../virtual-machines/disk-encryption.md#full-control-of-your-keys) over your encryption keys. You can grant access to managed disks in your Azure Key Vault so that your keys can be used for encrypting and decrypting the DEK. You can also disable your keys or revoke access to managed disks at any time. Finally, you have full audit control over key usage with Azure Key Vault monitoring to ensure that only managed disks or other authorized resources are accessing your encryption keys. ##### *Encryption at host*
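Review bot: the link retarget is fine, but the unchanged paragraph that follows ("BitLocker and DM-Crypt provide the most protection when used with a Trusted Platform Module") sits directly after the sentence about Key Vault integration and can be read as saying a TPM protects Azure Disk Encryption keys. On Azure VMs, Azure Disk Encryption keeps the BitLocker and dm-crypt secrets in Azure Key Vault (optionally wrapped by a key encryption key), not in a TPM; one qualifying sentence would prevent readers from assuming TPM-sealed keys where the control is actually Key Vault access policy and audit.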
-Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.
+Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../virtual-machines/disk-encryption-overview.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.
You're [always in control of your customer data](https://www.microsoft.com/trust-center/privacy/data-management) in Azure. You can access, extract, and delete your customer data stored in Azure at will. When you terminate your Azure subscription, Microsoft takes the necessary steps to ensure that you continue to own your customer data. A common concern upon data deletion or subscription termination is whether another customer or Azure administrator can access your deleted data. The following sections explain how data deletion, retention, and destruction work in Azure.
azure-monitor Agent Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agent-manage.md
Title: Managing the Azure Log Analytics agent
+ Title: Manage the Azure Log Analytics agent
description: This article describes the different management tasks that you will typically perform during the lifecycle of the Log Analytics Windows or Linux agent deployed on a machine. --++ Last updated 04/06/2022
-# Managing and maintaining the Log Analytics agent for Windows and Linux
+# Manage and maintain the Log Analytics agent for Windows and Linux
After initial deployment of the Log Analytics Windows or Linux agent in Azure Monitor, you may need to reconfigure the agent, upgrade it, or remove it from the computer if it has reached the retirement stage in its lifecycle. You can easily manage these routine maintenance tasks manually or through automation, which reduces both operational error and expenses. [!INCLUDE [Log Analytics agent deprecation](../../../includes/log-analytics-agent-deprecation.md)]
-## Upgrading agent
+## Upgrade the agent
-The Log Analytics agent for Windows and Linux can be upgraded to the latest release manually or automatically depending on the deployment scenario and environment the VM is running in. The following methods can be used to upgrade the agent.
+Upgrade to the latest release of the Log Analytics agent for Windows and Linux manually or automatically based on your deployment scenario and the environment the VM is running in:
-| Environment | Installation Method | Upgrade method |
+| Environment | Installation method | Upgrade method |
|--|-|-| | Azure VM | Log Analytics agent VM extension for Windows/Linux | Agent is automatically upgraded [after the VM model changes](../../virtual-machines/extensions/features-linux.md#how-agents-and-extensions-are-updated), unless you configured your Azure Resource Manager template to opt out by setting the property _autoUpgradeMinorVersion_ to **false**. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. Major version upgrade is always manual. See [VirtualMachineExtensionInner.AutoUpgradeMinorVersion Property](https://docs.azure.cn/dotnet/api/microsoft.azure.management.compute.fluent.models.virtualmachineextensioninner.autoupgrademinorversion?view=azure-dotnet). | | Custom Azure VM images | Manual install of Log Analytics agent for Windows/Linux | Updating VMs to the newest version of the agent needs to be performed from the command line running the Windows installer package or Linux self-extracting and installable shell script bundle.|
You can download the latest version of the Windows agent from your Log Analytics
5. From the **Windows Servers** page, select the appropriate **Download Windows Agent** version to download depending on the processor architecture of the Windows operating system. >[!NOTE]
->During the upgrade of the Log Analytics agent for Windows, it does not support configuring or reconfiguring a workspace to report to. To configure the agent, you need to follow one of the supported methods listed under [Adding or removing a workspace](#adding-or-removing-a-workspace).
+>During the upgrade of the Log Analytics agent for Windows, it does not support configuring or reconfiguring a workspace to report to. To configure the agent, you need to follow one of the supported methods listed under [Add or remove a workspace](#add-or-remove-a-workspace).
> #### To upgrade using the Setup Wizard
Run the following command to upgrade the agent.
### Enable Auto-Update for the Linux Agent
-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature, using the following PowerShell commands.
+We recommend enabling [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) using these commands to update the agent automatically:
+ # [Powershell](#tab/PowerShellLinux) ```powershell Set-AzVMExtension \
az vm extension set \
--version latestVersion \ --enable-auto-upgrade true ```+
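Review bot: the added PowerShell sample uses `\` at the end of the line (`Set-AzVMExtension \`) as a line continuation, which is Bash syntax and a parse error in PowerShell; the continuation character there is the backtick, or the parameters can be passed via splatting. The heading says "Linux Agent" but `Set-AzVMExtension` and `az vm extension set` behave the same for the Windows extension, so the section could say which extension name and publisher are expected for each OS rather than implying the procedure is Linux-only.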
-## Adding or removing a workspace
+## Add or remove a workspace
### Windows agent The steps in this section are necessary when you want to not only reconfigure the Windows agent to report to a different workspace or to remove a workspace from its configuration, but also when you want to configure the agent to report to more than one workspace (commonly referred to as multi-homing). Configuring the Windows agent to report to multiple workspaces can only be performed after initial setup of the agent and using the methods described below.
azure-monitor Agent Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agent-windows.md
Title: Install Log Analytics agent on Windows computers
description: This article describes how to connect Windows computers hosted in other clouds or on-premises to Azure Monitor with the Log Analytics agent for Windows. Last updated 03/31/2022++
Regardless of the installation method used, you'll require the workspace ID and
[![Screenshot that shows workspace details.](media/log-analytics-agent/workspace-details.png)](media/log-analytics-agent/workspace-details.png#lightbox) > [!NOTE]
-> You can't configure the agent to report to more than one workspace during initial setup. [Add or remove a workspace](agent-manage.md#adding-or-removing-a-workspace) after installation by updating the settings from Control Panel or PowerShell.
+> You can't configure the agent to report to more than one workspace during initial setup. [Add or remove a workspace](agent-manage.md#add-or-remove-a-workspace) after installation by updating the settings from Control Panel or PowerShell.
## Install the agent
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agents-overview.md
description: Overview of the Azure Monitor Agent, which collects monitoring data
Previously updated : 7/21/2022 Last updated : 8/17/2022
Azure Monitor Agent uses [data collection rules](../essentials/data-collection-r
| Data source | Destinations | Description | |:|:|:| | Performance | Azure Monitor Metrics (Public preview)<sup>1</sup> - Insights.virtualmachine namespace<br>Log Analytics workspace - [Perf](/azure/azure-monitor/reference/tables/perf) table | Numerical values measuring performance of different aspects of operating system and workloads |
- | Windows event logs | Log Analytics workspace - [Event](/azure/azure-monitor/reference/tables/Event) table | Information sent to the Windows event logging system |
+ | Windows event logs (including sysmon events) | Log Analytics workspace - [Event](/azure/azure-monitor/reference/tables/Event) table | Information sent to the Windows event logging system |
| Syslog | Log Analytics workspace - [Syslog](/azure/azure-monitor/reference/tables/syslog)<sup>2</sup> table | Information sent to the Linux event logging system | | Text logs | Log Analytics workspace - custom table | Events sent to log file on agent machine |
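Review bot: "sysmon" in the `+` Windows event logs row should be capitalized as the product name, "Sysmon"; the row otherwise reads correctly since Sysmon writes to a Windows event log channel and therefore lands in the Event table like any other Windows event.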
Azure Monitor Agent uses [data collection rules](../essentials/data-collection-r
## Supported services and features
-Azure Monitor Agent currently supports these Azure Monitor features:
+In addition to the generally available data collection listed above, Azure Monitor Agent also supports these Azure Monitor features in preview:
| Azure Monitor feature | Current support | Other extensions installed | More information | | : | : | : | : | | Text logs and Windows IIS logs | Public preview | None | [Collect text logs with Azure Monitor Agent (Public preview)](data-collection-text-log.md) | | Windows client installer | Public preview | None | [Set up Azure Monitor Agent on Windows client devices](azure-monitor-agent-windows-client.md) |
-| [VM insights](../vm/vminsights-overview.md) | Preview | Dependency Agent extension, if youΓÇÖre using the Map Services feature | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |
+| [VM insights](../vm/vminsights-overview.md) | Public preview | Dependency Agent extension, if youΓÇÖre using the Map Services feature | [Enable VM Insights overview](../vm/vminsights-enable-overview.md) |
-Azure Monitor Agent currently supports these Azure
+In addition to the generally available data collection listed above, Azure Monitor Agent also supports these Azure services in preview:
| Azure service | Current support | Other extensions installed | More information | | : | : | : | : | | [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md) | Preview | <ul><li>Azure Security Agent extension</li><li>SQL Advanced Threat Protection extension</li><li>SQL Vulnerability Assessment extension</li></ul> | [Sign-up link](https://aka.ms/AMAgent) | | [Microsoft Sentinel](../../sentinel/overview.md) | <ul><li>Windows DNS logs: Preview</li><li>Linux Syslog CEF: Preview</li><li>Windows Forwarding Event (WEF): [Public preview](../../sentinel/data-connectors-reference.md#windows-forwarded-events-preview)</li><li>Windows Security Events: [Generally available](../../sentinel/connect-windows-security-events.md?tabs=AMA)</li></ul> | Sentinel DNS extension, if youΓÇÖre collecting DNS logs. For all other data types, you just need the Azure Monitor Agent extension. | <ul><li>[Sign-up link for Windows DNS logs](https://aka.ms/AMAgent)</li><li>[Sign-up link for Linux Syslog CEF](https://aka.ms/AMAgent)</li><li>No sign-up needed for Windows Forwarding Event (WEF) and Windows Security Events</li></ul> | | [Change Tracking](../../automation/change-tracking/overview.md) (part of Defender) | Supported as File Integrity Monitoring in the Microsoft Defender for Cloud: Preview. | Change Tracking extension | [Sign-up link](https://aka.ms/AMAgent) |
-| [Update Management](../../automation/update-management/overview.md) (available without Azure Monitor Agent) | Use Update Management v2 - Public preview | None | [Update management center (Public preview) documentation](/azure/update-center/) |
+| [Update Management](../../automation/update-management/overview.md) (available without Azure Monitor Agent) | Use Update Management v2 - Public preview | None | [Update management center (Public preview) documentation](../../update-center/index.yml) |
| [Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md) | Connection Monitor: Preview | Azure NetworkWatcher extension | [Sign-up link](https://aka.ms/amadcr-privatepreviews) | ## Supported regions
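Review bot: the `+` VM insights row carries a mis-encoded apostrophe ("youΓÇÖre"), which should read "you're"; the same artifact appears twice in the unchanged Microsoft Sentinel row and should be fixed while this table is being edited. The new intro line calls everything in the table "in preview", but the Sentinel cell lists "Windows Security Events: Generally available", so either the intro wording or that cell needs adjusting so readers can judge the support level from one place.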
azure-monitor Azure Monitor Agent Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-manage.md
description: Options for managing the Azure Monitor agent (AMA) on Azure virtual
Previously updated : 06/21/2022 Last updated : 08/18/2022
The following prerequisites must be met prior to installing the Azure Monitor ag
We recommend using `mi_res_id` as the `identifier-name`. The sample commands below only show usage with `mi_res_id` for the sake of brevity. For more details on `mi_res_id`, `object_id`, and `client_id`, see the [managed identity documentation](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md#get-a-token-using-http). - **System-assigned**: This is suited for initial testing or small deployments. When used at scale (for example, for all VMs in a subscription) it results in substantial number of identities created (and deleted) in Azure AD (Azure Active Directory). To avoid this churn of identities, it is recommended to use user-assigned managed identities instead. **For Arc-enabled servers, system-assigned managed identity is enabled automatically** (as soon as you install the Arc agent) as it's the only supported type for Arc-enabled servers. - This is not required for Azure Arc-enabled servers. The system identity will be enabled automatically if the agent is installed via [creating and assigning a data collection rule using the Azure portal](data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association).-- **Networking**: The [AzureResourceManager service tag](../../virtual-network/service-tags-overview.md) must be enabled on the virtual network for the virtual machine. Additionally, the virtual machine must have access to the following HTTPS endpoints:
+- **Networking**: If using network firewalls, the [AzureResourceManager service tag](../../virtual-network/service-tags-overview.md) must be enabled on the virtual network for the virtual machine. Additionally, the virtual machine must have access to the following HTTPS endpoints:
- global.handler.control.monitor.azure.com - `<virtual-machine-region-name>`.handler.control.monitor.azure.com (example: westus.handler.control.azure.com) - `<log-analytics-workspace-id>`.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opsinsights.azure.com)
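Review bot: the example hostnames in the endpoint list do not match the patterns beside them: "westus.handler.control.azure.com" omits the "monitor" label that the pattern `<virtual-machine-region-name>`.handler.control.monitor.azure.com requires, and "ods.opsinsights.azure.com" misspells the "opinsights" in `<log-analytics-workspace-id>`.ods.opinsights.azure.com. Since this is the list readers copy into firewall allowlists, and the `+` wording now scopes it to "If using network firewalls", the examples should be corrected to `westus.handler.control.monitor.azure.com` and `...ods.opinsights.azure.com` so that an allowlist built from them actually matches the agent's traffic.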
azure-monitor Azure Monitor Agent Migration Tools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-migration-tools.md
Previously updated : 6/22/2022 Last updated : 8/18/2022 # Customer intent: As an Azure account administrator, I want to use the available Azure Monitor tools to migrate from Log Analytics Agent to Azure Monitor Agent and track the status of the migration in my account.
You can access the workbook [here](https://portal.azure.com/#view/AppInsightsExt
## Installing and using DCR Config Generator (preview) Azure Monitor Agent relies only on [data collection rules (DCRs)](../essentials/data-collection-rule-overview.md) for configuration, whereas Log Analytics Agent inherits its configuration from Log Analytics workspaces.
-Use the DCR Config Generator tool to parse Log Analytics Agent configuration from your workspaces and generate corresponding data collection rules automatically. You can then associate the rules to machines running the new agent using built-in association policies.
+Use the DCR Config Generator tool to parse Log Analytics Agent configuration from your workspaces and generate/deploy corresponding data collection rules automatically. You can then associate the rules to machines running the new agent using built-in association policies.
> [!NOTE] > DCR Config Generator does not currently support additional configuration for [Azure solutions or services](./azure-monitor-agent-overview.md#supported-services-and-features) dependent on Log Analytics Agent.
To install DCR Config Generator:
1. Run the script:
- Option 1:
+ Option 1: Outputs **ready-to-deploy ARM template files** only that will create the generated DCR in the specified subscription and resource group, when deployed.
```powershell .\WorkspaceConfigToDCRMigrationTool.ps1 -SubscriptionId $subId -ResourceGroupName $rgName -WorkspaceName $workspaceName -DCRName $dcrName -Location $location -FolderPath $folderPath ```
- Option 2 (if you just want the DCR payload JSON file):
+ Option 2: Outputs **ready-to-deploy ARM template files** and **the DCR JSON files** separately for you to deploy via other means. You need to set the `GetDcrPayload` parameter.
```powershell
- $dcrJson = Get-DCRJson -ResourceGroupName $rgName -WorkspaceName $workspaceName -PlatformType $platformType $dcrJson | ConvertTo-Json -Depth 10 | Out-File "<filepath>\OutputFiles\dcr_output.json"
+ .\WorkspaceConfigToDCRMigrationTool.ps1 -SubscriptionId $subId -ResourceGroupName $rgName -WorkspaceName $workspaceName -DCRName $dcrName -Location $location -FolderPath $folderPath -GetDcrPayload
``` **Parameters**
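Review bot: the removed Option 2 called `Get-DCRJson` with `-PlatformType`, but the replacement `-GetDcrPayload` invocation has no platform argument; the text should say whether the JSON payload is emitted for both Windows and Linux (as the ARM templates are) or how a platform is selected. Also, the `+` intro says the tool will "generate/deploy" data collection rules, while Option 1 in the same hunk says the output is template files "only ... when deployed"; the tool generates and the operator deploys, so "generate" alone is accurate.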
To install DCR Config Generator:
| `WorkspaceName` | Yes | Name of the target workspace. | | `DCRName` | Yes | Name of the new DCR. | | `Location` | Yes | Region location for the new DCR. |
- | `FolderPath` | No | Path in which to save the new data collection rules. By default, Azure Monitor uses the current directory. |
+ | `GetDcrPayload` | No | When set, it generates additional DCR JSON files
+ | `FolderPath` | No | Path in which to save the ARM template files and JSON files (optional). By default, Azure Monitor uses the current directory. |
-1. Review the output data collection rules. The script can produce two types of ARM template files, depending on the agent configuration in the target workspace:
+1. Review the output ARM template files. The script can produce two types of ARM template files, depending on the agent configuration in the target workspace:
- Windows ARM template and parameter files - if the target workspace contains Windows performance counters or Windows events. - Linux ARM template and parameter files - if the target workspace contains Linux performance counters or Linux Syslog events.
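Review bot: the `+` table row for `GetDcrPayload` is unterminated (no closing `|` and no trailing period), which will break rendering of the parameter table; suggest `| \`GetDcrPayload\` | No | When set, also generates the DCR JSON payload files. |`. The `FolderPath` description's "(optional)" duplicates the "No" already in the required column and can be dropped.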
azure-monitor Data Collection Rule Azure Monitor Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-rule-azure-monitor-agent.md
To send data to Log Analytics, create the data collection rule in the **same reg
[ ![Screenshot showing the Resources tab of the Data Collection Rules screen.](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png) ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox) + 1. On the **Collect and deliver** tab, select **Add data source** to add a data source and set a destination. 1. Select a **Data source type**. 1. Select which data you want to collect. For performance counters, you can select from a predefined set of objects and their sampling rate. For events, you can select from a set of logs and severity levels.
azure-monitor Alerts Manage Alert Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-manage-alert-rules.md
Manage your alert rules in the Azure portal, or using the CLI or PowerShell.
1. From the top command bar, select **Alert rules**. You'll see all of your alert rules across subscriptions. You can filter the list of rules using the available filters: **Resource group**, **Resource type**, **Resource** and **Signal type**. 1. Select the alert rule that you want to edit. You can select multiple alert rules and enable or disable them. Multi-selecting rules can be useful when you want to perform maintenance on specific resources. 1. Edit any of the fields in the following sections. You can't edit the **Alert Rule Name**, **Scope**, or **Signal type** of an existing alert rule.
- - **Condition**. Learn more about conditions for [metric alert rules](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric#tabpanel_1_metric), [log alert rules](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=log#tabpanel_1_log), and [activity log alert rules](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=activity-log#tabpanel_1_activity-log)
+ - **Condition**. Learn more about conditions for [metric alert rules](./alerts-create-new-alert-rule.md?tabs=metric#tabpanel_1_metric), [log alert rules](./alerts-create-new-alert-rule.md?tabs=log#tabpanel_1_log), and [activity log alert rules](./alerts-create-new-alert-rule.md?tabs=activity-log#tabpanel_1_activity-log)
- **Actions** - **Alert rule details** 1. Select **Save** on the top command bar.
azure-monitor Auto Collect Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/auto-collect-dependencies.md
Below is the currently supported list of dependency calls that are automatically
| |-| | [HTTP](https://nodejs.org/api/http.html), [HTTPS](https://nodejs.org/api/https.html) | 0.10+ | | <b>Storage clients</b> | |
-| [Redis](https://www.npmjs.com/package/redis) | 2.x |
+| [Redis](https://www.npmjs.com/package/redis) | 2.x - 3.x |
| [MongoDb](https://www.npmjs.com/package/mongodb); [MongoDb Core](https://www.npmjs.com/package/mongodb-core) | 2.x - 3.x |
-| [MySQL](https://www.npmjs.com/package/mysql) | 2.0.0 - 2.16.x |
-| [PostgreSql](https://www.npmjs.com/package/pg); | 6.x - 7.x |
+| [MySQL](https://www.npmjs.com/package/mysql) | 2.x |
+| [PostgreSql](https://www.npmjs.com/package/pg); | 6.x - 8.x |
| [pg-pool](https://www.npmjs.com/package/pg-pool) | 1.x - 2.x | | <b>Logging libraries</b> | | | [console](https://nodejs.org/api/console.html) | 0.10+ |
azure-monitor Export Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/export-telemetry.md
To migrate to diagnostic settings export:
2. [Migrate application to workspace-based](convert-classic-resource.md). 3. [Enable diagnostic settings export](create-workspace-resource.md#export-telemetry). Select **Diagnostic settings > add diagnostic setting** from within your Application Insights resource.
+> [!CAUTION]
+> If you want to store diagnostic logs in a Log Analytics workspace, there are two things to consider to avoid seeing duplicate data in Application Insights:
+> * The destination can't be the same Log Analytics workspace that your Application Insights resource is based on.
+> * The Application Insights user can't have access to both the Application Insights resource and the workspace created for diagnostic logs. This can be done with [Azure role-based access control (Azure RBAC)](./resources-roles-access-control.md).
+ <!--Link references--> [exportasa]: ../../stream-analytics/app-insights-export-sql-stream-analytics.md
-[roles]: ./resources-roles-access-control.md
+[roles]: ./resources-roles-access-control.md
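Review bot: in the `+` CAUTION, "The Application Insights user can't have access to both the Application Insights resource and the workspace" reads as a platform restriction, but the next sentence says it is enforced with Azure RBAC, so it is a deployment recommendation: "shouldn't have access to both" states the intent more accurately, and a clause saying that a user who can read both sources will see the same telemetry twice explains why the role separation is recommended. The `-`/`+` pair for `[roles]:` is identical as shown, which suggests a whitespace-only change (probably the trailing newline); worth confirming nothing else was intended there.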
azure-monitor Autoscale Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-overview.md
This article describes Microsoft Azure autoscale and its benefits.
Azure autoscale supports many resource types. For more information about supported resources, see [autoscale supported resources](#supported-services-for-autoscale). > [!NOTE]
-> [Availability sets](/archive/blogs/kaevans/autoscaling-azurevirtual-machines) are an older scaling feature for virtual machines with limited support. We recommend migrating to [virtual machine scale sets](/azure/virtual-machine-scale-sets/overview) for faster and more reliable autoscale support.
+> [Availability sets](/archive/blogs/kaevans/autoscaling-azurevirtual-machines) are an older scaling feature for virtual machines with limited support. We recommend migrating to [virtual machine scale sets](../../virtual-machine-scale-sets/overview.md) for faster and more reliable autoscale support.
## What is autoscale
In contrast, scaling up and down, or vertical scaling, keeps the number of resou
### Predictive autoscale (preview)
-[Predictive autoscale](/azure/azure-monitor/autoscale/autoscale-predictive) uses machine learning to help manage and scale Azure virtual machine scale sets with cyclical workload patterns. It forecasts the overall CPU load on your virtual machine scale set, based on historical CPU usage patterns. The scale set can then be scaled out in time to meet the predicted demand.
+[Predictive autoscale](./autoscale-predictive.md) uses machine learning to help manage and scale Azure virtual machine scale sets with cyclical workload patterns. It forecasts the overall CPU load on your virtual machine scale set, based on historical CPU usage patterns. The scale set can then be scaled out in time to meet the predicted demand.
## Autoscale setup
Some commonly used metrics include CPU usage, memory usage, thread counts, queue
### Custom metrics
-Use your own custom metrics that your application generates. Configure your application to send metrics to [Application Insights](/azure/azure-monitor/app/app-insights-overview) so you can use those metrics decide when to scale.
+Use your own custom metrics that your application generates. Configure your application to send metrics to [Application Insights](../app/app-insights-overview.md) so you can use those metrics decide when to scale.
### Time
Rules can trigger one or more actions. Actions include:
+ Scale - Scale resources in or out. + Email - Send an email to the subscription admins, co-admins, and/or any other email address. + Webhooks - Call webhooks to trigger multiple complex actions inside or outside Azure. In Azure, you can:
- + Start an [Azure Automation runbook](/azure/automation/overview).
- + Call an [Azure Function](/azure/azure-functions/functions-overview).
- + Trigger an [Azure Logic App](/azure/logic-apps/logic-apps-overview).
+ + Start an [Azure Automation runbook](../../automation/overview.md).
+ + Call an [Azure Function](../../azure-functions/functions-overview.md).
+ + Trigger an [Azure Logic App](../../logic-apps/logic-apps-overview.md).
## Autoscale settings
The following services are supported by autoscale:
| Service | Schema & Documentation | | | |
-| Azure Virtual machines scale sets |[Overview of autoscale with Azure virtual machine scale sets](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview) |
+| Azure Virtual machines scale sets |[Overview of autoscale with Azure virtual machine scale sets](../../virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview.md) |
| Web apps |[Scaling Web Apps](autoscale-get-started.md) | | Azure API Management service|[Automatically scale an Azure API Management instance](../../api-management/api-management-howto-autoscale.md) | Azure Data Explorer Clusters|[Manage Azure Data Explorer clusters scaling to accommodate changing demand](/azure/data-explorer/manage-cluster-horizontal-scaling)|
The following services are supported by autoscale:
To learn more about autoscale, see the following resources: + [Azure Monitor autoscale common metrics](autoscale-common-metrics.md)
-+ [Scale virtual machine scale sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell?toc=/azure/azure-monitor/toc.json)
-+ [Autoscale using Resource Manager templates for virtual machine scale sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell?toc=/azure/azure-monitor/toc.json)
++ [Scale virtual machine scale sets](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md?toc=%2fazure%2fazure-monitor%2ftoc.json)++ [Autoscale using Resource Manager templates for virtual machine scale sets](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md?toc=%2fazure%2fazure-monitor%2ftoc.json) + [Best practices for Azure Monitor autoscale](autoscale-best-practices.md) + [Use autoscale actions to send email and webhook alert notifications](autoscale-webhook-email.md) + [Autoscale REST API](/rest/api/monitor/autoscalesettings) + [Troubleshooting virtual machine scale sets and autoscale](../../virtual-machine-scale-sets/virtual-machine-scale-sets-troubleshoot.md)
-+ [Troubleshooting Azure Monitor autoscale](/azure/azure-monitor/autoscale/autoscale-troubleshoot)
++ [Troubleshooting Azure Monitor autoscale](./autoscale-troubleshoot.md)
azure-monitor Tutorial Outages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/tutorial-outages.md
In this tutorial, you will:
## Pre-requisites - Install [.NET 5.0 or above](https://dotnet.microsoft.com/download). -- Install [the Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
+- Install [the Azure CLI](/cli/azure/install-azure-cli).
## Set up the test application
Now that you've discovered the web app in-guest change and understand next steps
## Next steps
-Learn more about [Change Analysis](./change-analysis.md).
+Learn more about [Change Analysis](./change-analysis.md).
azure-monitor Data Collection Transformations Structure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-transformations-structure.md
ms.reviwer: nikeist
# Structure of transformation in Azure Monitor (preview)
-[Transformations in Azure Monitor](/azure/azure-monitor/essentials/data-collection-transformations) allow you to filter or modify incoming data before it's stored in a Log Analytics workspace. They are implemented as a Kusto Query Language (KQL) statement in a [data collection rule (DCR)](data-collection-rule-overview.md). This article provides details on how this query is structured and limitations on the KQL language allowed.
+[Transformations in Azure Monitor](./data-collection-transformations.md) allow you to filter or modify incoming data before it's stored in a Log Analytics workspace. They are implemented as a Kusto Query Language (KQL) statement in a [data collection rule (DCR)](data-collection-rule-overview.md). This article provides details on how this query is structured and limitations on the KQL language allowed.
## Transformation structure
Use [Identifier quoting](/azure/data-explorer/kusto/query/schema-entities/entity
## Next steps -- [Create a data collection rule](../agents/data-collection-rule-azure-monitor-agent.md) and an association to it from a virtual machine using the Azure Monitor agent.
+- [Create a data collection rule](../agents/data-collection-rule-azure-monitor-agent.md) and an association to it from a virtual machine using the Azure Monitor agent.
azure-monitor Migrate To Azure Storage Lifecycle Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy.md
Last updated 07/10/2022
# Migrate from diagnostic settings storage retention to Azure Storage lifecycle management
-This guide walks you through migrating from using Azure diagnostic settings storage retention to using [Azure Storage lifecycle management](/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal) for retention.
+This guide walks you through migrating from using Azure diagnostic settings storage retention to using [Azure Storage lifecycle management](../../storage/blobs/lifecycle-management-policy-configure.md?tabs=azure-portal) for retention.
## Prerequisites
To set the rule for a specific subscription, resource group, and function app na
## Next steps
-[Configure a lifecycle management policy](/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal).
+[Configure a lifecycle management policy](../../storage/blobs/lifecycle-management-policy-configure.md?tabs=azure-portal).
azure-monitor Azure Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/insights/azure-sql.md
While Azure SQL Analytics (preview) is free to use, consumption of diagnostics t
- [Create your own dashboards](../visualize/tutorial-logs-dashboards.md) showing Azure SQL data. - [Create alerts](../alerts/alerts-overview.md) when specific Azure SQL events occur. - [Monitor Azure SQL Database with Azure Monitor](/azure/azure-sql/database/monitoring-sql-database-azure-monitor)-- [Monitor Azure SQL Managed Instance with Azure Monitor](/azure/azure-sql/database/monitoring-sql-managed-instance-azure-monitor)
+- [Monitor Azure SQL Managed Instance with Azure Monitor](/azure/azure-sql/managed-instance/monitoring-sql-managed-instance-azure-monitor)
azure-monitor Analyze Usage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/analyze-usage.md
find where TimeGenerated > ago(24h) project _BilledSize, _IsBillable, Computer,
**Count of billable events by computer** ```kusto
-find where TimeGenerated > ago(24h) project _IsBillable, Computer
+find where TimeGenerated > ago(24h) project _IsBillable, Computer, Type
| where _IsBillable == true and Type != "Usage" | extend computerName = tolower(tostring(split(Computer, '.')[0])) | summarize eventCount = count() by computerName
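Review bot: adding `Type` to the `project` list is required, because the following `| where _IsBillable == true and Type != "Usage"` references a column that the previous `project` had already dropped, so the old query would fail. Confirm that the query immediately above this one, whose `project` list is cut off here, either includes `Type` or does not filter on it.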
azure-monitor Search Jobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/search-jobs.md
Last updated 01/27/2022
Search jobs are asynchronous queries that fetch records into a new search table within your workspace for further analytics. The search job uses parallel processing and can run for hours across extremely large datasets. This article describes how to create a search job and how to query its resulting data. > [!NOTE]
-> The search job feature is currently in public preview and is not supported in workspaces with [customer-managed keys](customer-managed-keys.md).
+> The search job feature is currently in public preview and isn't supported in:
+> - Workspaces with [customer-managed keys](customer-managed-keys.md).
+> - The China East 2 region.
## When to use search jobs
azure-monitor Workbooks View Designer Conversion Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-view-designer-conversion-overview.md
This is a workbook with a data types over time tab:
## Replicate the View Designer overview tile
-In View Designer, you can use the overview tile to represent and summarize the overall state. These are presented in seven tiles, ranging from numbers to charts. In workbooks, you can create similar visualizations and pin them to your [Azure portal Dashboard](/azure/azure-portal/azure-portal-dashboards). Just like the overview tiles in the Workspace summary, pinned workbook items will link directly to the workbook view.
+In View Designer, you can use the overview tile to represent and summarize the overall state. These are presented in seven tiles, ranging from numbers to charts. In workbooks, you can create similar visualizations and pin them to your [Azure portal Dashboard](../../azure-portal/azure-portal-dashboards.md). Just like the overview tiles in the Workspace summary, pinned workbook items will link directly to the workbook view.
You can also take advantage of the high level of customization features provided with Azure Dashboard, which allows auto refresh, moving, sizing, and more filtering for your pinned items and visualizations.
With workbooks, you can choose to query one or both sections of the view. Formul
## Next steps -- [Sample conversions](workbooks-view-designer-conversions.md)
+- [Sample conversions](workbooks-view-designer-conversions.md)
azure-monitor Vminsights Dependency Agent Maintenance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-dependency-agent-maintenance.md
The Dependency Agent collects data about processes running on the virtual machin
- The Dependency Agent requires the Log Analytics Agent to be installed on the same machine. - On both the Windows and Linux versions, the Dependency Agent collects data using a user-space service and a kernel driver.
- - Dependency Agent supports the same [Windows versions Log Analytics Agent supports](/azure/azure-monitor/agents/agents-overview#supported-operating-systems), except Windows Server 2008 SP2 and Azure Stack HCI.
+ - Dependency Agent supports the same [Windows versions Log Analytics Agent supports](../agents/agents-overview.md#supported-operating-systems), except Windows Server 2008 SP2 and Azure Stack HCI.
- For Linux, see [Dependency Agent Linux support](#dependency-agent-linux-support). ## Upgrade Dependency Agent
Since the Dependency agent works at the kernel level, support is also dependent
## Next steps
-If you want to stop monitoring your VMs for a while or remove VM insights entirely, see [Disable monitoring of your VMs in VM insights](../vm/vminsights-optout.md).
+If you want to stop monitoring your VMs for a while or remove VM insights entirely, see [Disable monitoring of your VMs in VM insights](../vm/vminsights-optout.md).
azure-netapp-files Azacsnap Cmd Ref Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-configure.md
When adding a *SAP HANA database* to the configuration, the following values are
### Backint coexistence
-[Azure Backup](/azure/backup/) service provides an alternate backup tool for SAP HANA, where database and log backups are streamed into the
+[Azure Backup](../backup/index.yml) service provides an alternate backup tool for SAP HANA, where database and log backups are streamed into the
Azure Backup Service. Some customers would like to combine the streaming backint-based backups with regular snapshot-based backups. However, backint-based backups block other methods of backup, such as using a files-based backup or a storage snapshot-based backup (for example, AzAcSnap). Guidance is provided on
-the Azure Backup site on how to [Run SAP HANA native client backup to local disk on a database with Azure Backup enabled](/azure/backup/sap-hana-db-manage#run-sap-hana-native-client-backup-to-local-disk-on-a-database-with-azure-backup-enabled).
+the Azure Backup site on how to [Run SAP HANA native client backup to local disk on a database with Azure Backup enabled](../backup/sap-hana-db-manage.md).
The process described in the Azure Backup documentation has been implemented with AzAcSnap to automatically do the following steps:
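Review bot: the `+` link drops the `#run-sap-hana-native-client-backup-to-local-disk-on-a-database-with-azure-backup-enabled` fragment while the link text still names that specific section, so readers now land at the top of the Azure Backup page instead of the procedure being referenced; keep the fragment on the relative link if the target heading still exists.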
azure-netapp-files Azacsnap Cmd Ref Runbefore Runafter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-runbefore-runafter.md
The following list of environment variables is generated by `azacsnap` and passe
### Example usage An example usage for this new feature is to upload a snapshot to Azure Blob for archival purposes using the azcopy tool
-([Copy or move data to Azure Storage by using AzCopy](/azure/storage/common/storage-use-azcopy-v10)).
+([Copy or move data to Azure Storage by using AzCopy](../storage/common/storage-use-azcopy-v10.md)).
The following crontab entry is a single line and runs `azacsnap` at five past midnight. Note the call to `snapshot-to-blob.sh` passing the snapshot name and snapshot prefix:
PORTAL_GENERATED_SAS="https://<targetstorageaccount>.blob.core.windows.net/<blob
## Next steps - [Take a backup](azacsnap-cmd-ref-backup.md)-- [Get snapshot details](azacsnap-cmd-ref-details.md)
+- [Get snapshot details](azacsnap-cmd-ref-details.md)
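Review bot: the crontab example passes a portal-generated SAS URL (`PORTAL_GENERATED_SAS=...`) into `snapshot-to-blob.sh`; a SAS URL is a bearer credential, so the text around this example should tell readers to keep the script and crontab readable only by the azacsnap user and to scope the SAS to write-only permissions on the target container with a short expiry. The link rewrite to `../storage/common/storage-use-azcopy-v10.md` is fine.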
azure-netapp-files Azacsnap Preview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-preview.md
Return to this document for details on using the preview features.
> This section's content supplements [Configure Azure Application Consistent Snapshot tool](azacsnap-cmd-ref-configure.md) website page. Microsoft provides many storage options for deploying databases such as SAP HANA. Many of these options are detailed on the
-[Azure Storage types for SAP workload](/azure/virtual-machines/workloads/sap/planning-guide-storage) web page. Additionally there's a
-[Cost conscious solution with Azure premium storage](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#cost-conscious-solution-with-azure-premium-storage).
+[Azure Storage types for SAP workload](../virtual-machines/workloads/sap/planning-guide-storage.md) web page. Additionally there's a
+[Cost conscious solution with Azure premium storage](../virtual-machines/workloads/sap/hana-vm-operations-storage.md#cost-conscious-solution-with-azure-premium-storage).
AzAcSnap is able to take application consistent database snapshots when deployed on this type of architecture (that is, a VM with Managed Disks). However, the set up for this platform is slightly more complicated as in this scenario we need to block I/O to the mountpoint (using `xfs_freeze`) before taking a snapshot of the Managed
The steps to follow to set up Azure Key Vault and store the Service Principal in
- [Get started](azacsnap-get-started.md) - [Test AzAcSnap](azacsnap-cmd-ref-test.md)-- [Back up using AzAcSnap](azacsnap-cmd-ref-backup.md)
+- [Back up using AzAcSnap](azacsnap-cmd-ref-backup.md)
azure-percept Azure Percept For Deepstream Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-percept/deepstream/azure-percept-for-deepstream-overview.md
+
+ Title: Azure Percept for DeepStream overview
+description: A description of Azure Percept for DeepStream developer tools that provide a custom developer experience.
+++++ Last updated : 08/10/2022++
+# Azure Percept for DeepStream overview
+
+Azure Percept for DeepStream includes developer tools that provide a custom developer experience. It enables you to create NVIDIA DeepStream containers using Microsoft-based images and guidance, supported models from NVIDIA out of the box, and/or bring your own models.
+
+DeepStream is NVIDIAΓÇÖs toolkit to develop and deploy Vision AI applications and services. It provides multi-platform, scalable, Transport Layer Security (TLS)-encrypted security that can be deployed on-premises, on the edge, and in the cloud.
+
+## Azure Percept for DeepStream offers:
+
+- **Simplifying your development process**
+
+ Auto selection of AI model execution and inference provider: One of several execution providers, such as ORT, CUDA, and TENSORT, are automatically selected to simplify your development process.
+
+- **Customizing Region of Interest (ROI) to enable your business scenario**
+
+ Region of Interest (ROI) configuration widget: Percept Player, a web app widget, is included for customizing ROIs to enable event detection for your business scenario.
+
+- **Simplifying the configuration for pre/post processing**
+
+ You can add a Python-based model and parser using a configuration file, instead of hardcoding it into the pipeline.
+
+- **Offering a broad Pre-built AI model framework**
+
+ This solution supports many of the most common CV models in use today, for example NVIDIA TAO, ONNX, CAFFE, UFF (TensorFlow), and Triton.
+
+- **Supporting bring your own model**
+
+ Support for model and container customization, USB or RTSP camera and pre-recorded video streams, event-based video snippet storage in Azure Storage and Alerts, and AI model deployment via Azure IoT Module Twin update.
+
+## Azure Percept for DeepStream key components
+
+The following table provides a list of Azure Percept for DeepStreamΓÇÖs key components and a description of each one.
+
+| Components | Details |
+|-||
+| **Edge devices** | Azure Percept for DeepStream is available on the following devices:<br> - [Azure Stack HCI](/azure-stack/hci/overview): Requires a NVIDIA GPU (T4 or A2)<br> - [NVIDIA Jetson Orin](https://www.nvidia.com/autonomous-machines/embedded-systems/jetson-orin/)<br> - [NVIDIA Jetson Xavier](https://www.nvidia.com/autonomous-machines/embedded-systems/jetson-agx-xavier/)<br><br>**Note**<br>You can use any of the listed devices with any of the development paths. Some implementation steps may differ depending on the architecture of your device. Azure Stack HCI uses AMD64. Jetson devices use ARM64.<br><br> |
+| **Computer vision models** | Azure Percept for DeepStream can work with many different computer vision (CV) models as outlined:<br><br> - **NVIDIA Models** <br>For example: Body Pose Estimation and License Plate Recognition. License Plate Recognition includes three models: traffic cam net, license plate detection, and license plate reading and other Nivida Models.<br><br> - **ONNX Models** <br>For example: SSD-MobileNetV1, YOLOv4, Tiny YOLOv3, EfficentNet-Lite.<br><br> |
+| **Development Paths** | Azure Percept for DeepStream offers three development paths:<br><br> - **Getting started path** <br>This path uses pre-trained models and pre-recorded videos of simulated manufacturing environment to demonstrate the steps required to create an Edge AI solution using Azure Percept for DeepStream.<br>If you're just getting started on your computer vision (CV) app journey or simply want to learn more about Azure Percept for DeepStream, we recommend this path.<br><br> - **Pre-built model path** <br>This path provides pre-built parsers in Python for the CV models outlined earlier. You can easily deploy one of these models and integrate your own video stream.<br>If you're familiar with Azure IoT Edge solutions and want to leverage one of the supported models with an existing video stream, we recommend this path. <br><br> - **Bring your own model (BYOM) path**<br>This path provides you with steps of how to integrate your own custom model and parser into your Azure Percept for DeepStream Edge AI solution.<br>If you're an experienced developer who is familiar with cloud-based CV solutions and want a simplified deployment experience Azure Percept for DeepStream, we recommend this path.<br><br> |
+
+## Next steps
+
+Text to come.
+
+<!-- You're now ready to start using Azure Percept for DeepStream to create, manage, and deploy custom Edge AI solutions. We recommend the following resources to get started:
+
+- [Getting started checklist for Azure Percept for DeepStream](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/EeWQwQ8T-LVDmTMqC62Gss0Bo_1Fbjj9I8mDSLYwlICd_Q?e=f9FajM)
+
+- [Tutorial: Deploy a supported model to your Azure Percept for DeepStream solution ](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/EQ9Wux4CkO5Iss8s82lcZj4B9XCwagaVoUEKyK0q2y-A1w?e=YfOaWn) -->
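Review bot: the key components table's separator row is `|-||`, which has one dash cell for a two-column table and will not render as a table in all Markdown engines; use `|---|---|`. Other points in this file: "NVIDIAΓÇÖs" and "DeepStreamΓÇÖs" are mis-encoded apostrophes (the file appears to have been saved as UTF-8 and re-read with a legacy code page), so replace them with plain `'`; "TENSORT" in the execution-provider list looks like it should be TensorRT; "Nivida Models" and "EfficentNet-Lite" are misspellings; and the Next steps section ships as "Text to come." with the real links commented out and pointing at microsoft.sharepoint-df.com, which is not reachable by public readers, so either publish the targets on docs and link them, or drop the section until they exist.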
azure-percept Azure Percept On Azure Stack Hci Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-percept/hci/azure-percept-on-azure-stack-hci-overview.md
+
+ Title: Azure Percept on Azure Stack HCI overview
+description: A description of Azure Percept on Azure Stack HCI.
+++++ Last updated : 08/15/2022 ++
+# Azure Percept on Azure Stack HCI overview
+Azure Percept on Azure Stack HCI is a virtualized workload that enables you to extend the capabilities of your existing [Azure Stack HCI](https://azure.microsoft.com/products/azure-stack/hci/) deployments quickly and easily by adding sophisticated AI solutions at the Edge. It is available as a preconfigured virtual hard disk (VHDX) that functions as an Azure IoT Edge device with AI capabilities.
+
+## Azure Percept on Azure Stack HCI enables you:
+
+### Maximize your investments easily
+Maximize your existing investments in the Azure Stack HCI computer infrastructure when you run Azure Percept on Azure Stack HCI. You can leverage [Windows Admin Center (WAC)](https://www.microsoft.com/windows-server/windows-admin-center) management expertise with Azure Percept for Azure Stack HCI extension to ingest and analyze data streams from your existing IP camera infrastructure. Using WAC also enables you to easily deploy, manage, scale, and secure your Azure Percept virtual machine (VM).
+
+### Bring data to storage and compute
+Use Azure Stack HCIΓÇÖs robust storage and compute options to pre-process raw data at the Edge before sending it to Azure for further processing and training. Since artificial intelligence/machine learning (AI/ML) solutions at the edge generate and process a significant amount of data, using Azure Stack HCI reduces the amount of data transfer or bandwidth consumed into Azure.
+
+### Maintain device security
+Azure Percept on Azure Stack HCI provides multiple layers of security. Leverage security mechanisms and processes built into the solution, including virtual trusted platform module (TPM), secure boot, secure provisioning, trusted software, secure update, and [Microsoft Defender for IoT](https://www.microsoft.com/security/blog/2021/11/02/how-microsoft-defender-for-iot-can-secure-your-iot-devices/#:~:text=Microsoft%20Defender%20for%20IoT%20is%20an%20open%20platform,to%20enrich%20the%20information%20coming%20from%20multiple%20sources).
+
+## Key components of Azure Percept on Azure Stack HCI
+Azure Percept on Azure Stack HCI integrates with Azure Percept Studio, Azure IoT Edge, IoT Hub, and Spatial Analysis from Azure Cognitive Services to create an end-to-end intelligent solution that leverages your existing IP camera devices.
+
+The following diagram provides a high-level view of the Azure Percept on Azure Stack HCI architecture.
+
+![Architecture diagram for Azure Percept on Azure Stack HCI.](./media/azure-percept-component-diagram.png)
+
+**Azure Percept on Azure Stack HCI includes the following key components:**
+
+### Azure Stack HCI
+[Azure Stack HCI](https://azure.microsoft.com/products/azure-stack/hci/) is a hyperconverged infrastructure (HCI) cluster solution that hosts virtualized Windows and Linux workloads and their storage in a hybrid environment that combines on-premises infrastructure with Azure cloud services. It requires a minimum of two clustered compute nodes, scales to as many as 16 clustered nodes, and enables data pre-processing at the edge by providing robust storage and compute options. Azure Percept on Azure Stack HCI runs as a pre-configured VM on Azure Stack HCI and has failover capability to ensure continuous operation. For information about customizable solutions that you can configure to meet your needs, see [certified Azure Stack HCI systems](https://azurestackhcisolutions.azure.microsoft.com/#/catalog).
+
+### Azure Percept virtual machine (VM)
+The Azure Percept VM leverages a virtual hard disk (VHDX) that runs on the Azure Stack HCI device. It enables you to host your own AI models, communicate with the cloud via IoT Hub, and update the Azure Percept virtual machine (VM) so you can update containers, download models, and manage devices remotely.
+
+The Percept VM leverages Azure IoT Edge to communicate with [Azure IoT Hub](https://www.bing.com/aclk?ld=e8d3D-tqxgHU7f2fug-xNf9TVUCUyRhu5fu58-tWHmwhmAtKIzkXCQETOv1QnKdXCr1kFm6NQ4SA4K5mukLPrpKC5z7nTlhrXnaiTqPPGu2a47SnDq-aKylUzhYQLxKs1yyOtnDuD1DDg4q04CZdFUFwPani9jnp6DLiQPMoYBkhhEJ3FV6SFro1VVB67p_n_4De1B7A&u=aHR0cHMlM2ElMmYlMmZhenVyZS5taWNyb3NvZnQuY29tJTJmZW4tdXMlMmZmcmVlJTJmaW90JTJmJTNmT0NJRCUzZEFJRDIyMDAyNzdfU0VNX2VhM2NkYWExN2Y5MzFkNDE2NTkwYjgyMjdlMjk0ZjdmJTNhRyUzYXMlMjZlZl9pZCUzZGVhM2NkYWExN2Y5MzFkNDE2NTkwYjgyMjdlMjk0ZjdmJTNhRyUzYXMlMjZtc2Nsa2lkJTNkZWEzY2RhYTE3ZjkzMWQ0MTY1OTBiODIyN2UyOTRmN2Y&rlid=ea3cdaa17f931d416590b8227e294f7f&ntb=1). It runs locally and securely, performs AI inferencing at the Edge, and communicates with Azure services for security and updates. It includes [Defender for IoT](https://www.bing.com/ck/a?!&&p=4b4f5983a77f5d870170a12cd507a8d967bd32e10eab125544ac7aad1691be23JmltdHM9MTY1Mjc1MzE3OCZpZ3VpZD1mZmQyZGJiNi1iOWFlLTRiYjgtOTQ1MC1iM2FlNmQ1ZTBlNmUmaW5zaWQ9NTQ1Mg&ptn=3&fclid=f087fcb3-d585-11ec-b34a-9f80cb12a098&u=a1aHR0cHM6Ly9henVyZS5taWNyb3NvZnQuY29tL2VuLXVzL3NlcnZpY2VzL2lvdC1kZWZlbmRlci8&ntb=1) to provide a lightweight security agent that proactively monitors for security threats like botnets, brute force attempts, crypto miners, malware, and chatbots, that you can also integrate into your Azure Monitor infrastructure.
+
+### Azure Percept Windows Admin Center Extension (WAC)
+[Windows Admin Center (WAC)](https://www.microsoft.com/windows-server/windows-admin-center) is a locally deployed application accessed via your browser for managing Azure Stack HCI clusters, Windows Server, and more. Azure Percept on Azure Stack HCI is installed through a WAC extension that guides the user through configuring and deploying the Percept VM and related services. It creates a secure and performant AI video inferencing solution usable from the edge to the cloud.
+
+### Azure Percept Solution Development Paths
+Whether you're a beginner, an expert, or anywhere in between, from zero to low code, to creating or bringing your own models, Azure Percept has a solution development path for you to build your Edge artificial intelligence (AI) solution. Azure Percept has three solution development paths that you can use to build Edge AI solutions: Azure Percept Studio, Azure Percept for DeepStream, and Azure Percept Open-Source Project. You aren't limited to one path; you can choose any or all of them depending on your business needs. For more information about the solution development paths, visit [Azure Percept solution development paths overview](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/EU92ZnNynDBGuVn3P5Xr5gcBFKS5HQguZm7O5sEENPUvPA?e=33T6Vi).
+
+#### *Azure Percept Studio*
+[Azure Percept Studio](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/EeyEj0dBcplEs9LSFaz95DsBApnmxRMdjZ9I3QinSgO0yA?e=cbIJkI) is a user-friendly portal for creating, deploying, and operating Edge artificial intelligence (AI) solutions. Using a low-code to no-code approach, you can discover and complete guided workflows and create an end-to-end Edge AI solution. This solution integrates Azure IoT and Azure AI cloud services like Azure IoT Hub, IoT Edge, Azure Storage, Log Analytics, and Spatial Analysis from Azure Cognitive Services.
+
+#### *Azure Percept for DeepStream*
+[Azure Percept for DeepStream](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/ETDSdi6ruptBkwMqvLPRL90Bzv3ORhpmAZ1YLeGt1LvtVA?e=lY2Q4f&CID=DDDB383F-4BFE-4C97-86A7-70766B16EB93&wdLOR=cDA23C19C-5685-46EC-BA28-7C9DEC460A5B&isSPOFile=1&clickparams=eyJBcHBOYW1lIjoiVGVhbXMtRGVza3RvcCIsIkFwcFZlcnNpb24iOiIyNy8yMjA3MzEwMTAwNSIsIkhhc0ZlZGVyYXRlZFVzZXIiOmZhbHNlfQ%3D%3D) includes developer tools that provide a custom developer experience. It enables you to create NVIDIA DeepStream containers using Microsoft-based images and guidance, supported models from NVIDIA out of the box, and/or bring your own models (BYOM). DeepStream is NVIDIAΓÇÖs toolkit to develop and deploy Vision AI applications and services. It provides multi-platform, scalable, Transport Layer Security (TLS)-encrypted security that can be deployed on-premises, on the edge, and in the cloud.
+
+#### *Azure Percept Open-Source Project*
+[Azure Percept Open-Source Project](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/Eeoh0pZk5g1MqwJZUAZFEvEBMYmfAqdibII6Znm-PnnDIQ?e=4ZDfUT) is a framework for creating, deploying, and operating Edge artificial intelligence (AI) solutions at scale with the control and flexibility of open-source natively on your environment. Azure Percept Open-Source Project is fully open-sourced and leverages the open-source software (OSS) community to deliver enhanced experiences. It's a self-managed solution where you host the environment in your own cluster.
+
+## Next steps
+
+Text to come.
+
+<!-- Before you start setting up your Azure Percept virtual machine (VM), we recommend the following articles:
+- [Getting started checklist for Azure Percept on Azure Stack HCI](https://github.com/microsoft/santa-cruz-workload/blob/main/articles/getting-started-checklist-for-azure-percept.md)
+- [Azure Percept solution development paths overview](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/EU92ZnNynDBGuVn3P5Xr5gcBFKS5HQguZm7O5sEENPUvPA?e=DKZtr6)
+
+If youΓÇÖre ready to start setting up your Azure Percept virtual machine (VM), we recommend the following tutorial:
+- [Tutorial: Setting up Azure Percept on Azure Stack HCI using WAC extension (Cluster server)](https://github.com/microsoft/santa-cruz-workload/blob/main/articles/tutorial-setting-up-azure-percept-using-wac-extension-cluster.md) -->
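Review bot: the Azure IoT Hub and Defender for IoT links in the Azure Percept VM paragraph are Bing ad click-tracking URLs (`bing.com/aclk?...` and `bing.com/ck/a?...`) that carry tracking identifiers and can expire; link directly to the product pages instead. Likewise the four microsoft.sharepoint-df.com links (solution development paths overview, Azure Percept Studio, Azure Percept for DeepStream, Azure Percept Open-Source Project) are internal and will fail for public readers, and the Next steps section is a "Text to come." placeholder with its links commented out. Minor: "HCIΓÇÖs", "NVIDIAΓÇÖs" and "youΓÇÖre" are mis-encoded apostrophes, and the Defender for IoT link in the device security section relies on a `#:~:text=` text fragment, which only some browsers honor; a plain product URL is more robust.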
azure-percept Azure Percept Open Source Project Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-percept/open-source/azure-percept-open-source-project-overview.md
+
+ Title: Azure Percept Open-Source Project overview
+description: An overview of the Azure Percept Open-Source project
+++++ Last updated : 08/17/2022 ++
+# Azure Percept Open-Source Project overview
+
+Azure Percept Open-Source Project is a framework for creating, deploying, and operating Edge artificial intelligence (AI) solutions at scale with the control and flexibility of open-source natively on your environment. It's fully open-sourced and leverages the open-source software (OSS) community to deliver enhanced experiences. And, as a self-managed solution, you can host the experience on your own Kubernetes clusters.
+
+Azure Percept Open-Source Project has a no- to low-code portal experience as well as APIs that can be used to build custom Edge AI applications. It supports running Edge AI apps by utilizing cameras and Edge devices with different Edge runtimes and accelerators across multiple locations at scale. Since it's designed with machine learning operations (MLOps) in mind, it provides support for active learning, continuous training, and data gathering using your machine learning (ML) models running at the edge.
+
+## Azure Percept Open-Source Project offers
+
+- **An integrated developer experience**
+
+ You can easily build camera-based Edge AI apps using first- and third-party ML models. In one seamless flow, you can leverage pre-built models from our partnerΓÇÖs Model Zoo and create your own ML models with Azure Custom Vision.
+
+- **Solution deployment and management experience at scale**
+
+ Azure Percept Open-Source Project is Kubernetes native, so you can run the experience wherever Kubernetes runs; on-premises, hybrid, cloud, or multicloud environments. You can manage your experience using Kubernetes native tools such as Kubectl, our unique command line interface (CLI), and/or our no- to low-code native web portal. Edge AI apps and assets you create are projected and managed as Kubernetes objects, which allows you to rely on the Kubernetes control plane to manage the state of your Edge AI assets across many environments at scale.
+
+- **Standard-based**
+
+ Azure Percept Open-Source Project is built on and supports popular industrial standards, protocols, and frameworks like Open Platform Communications Unified Architecture (OPC-UA), Open Network Video Interface Forum (ONVIF), OpenTelemetry, CloudEvents, Distributed Application Runtime (Dapr), Message Queuing Telemetry Transport (MQTT), Open Neural Network Exchange (ONNX), Akri, Kubectl, Helm, and many others.
+
+- **Zero-friction adoption**
+
+ Even without any Edge hardware, you can get started with a few commands, then seamlessly transit from prototype/pilot to production at scale. Azure Percept Open-Source Project has an easy-to-use no- to low-code portal experience that allows developers to create and manage Edge AI solutions in minutes instead of days or months.
+
+- **Azure powered and platform agnostic**
+
+ Azure Percept Open-Source Project natively uses and supports Azure Edge and AI Services like Azure IoT Hub, Azure IoT Edge, Azure Cognitive Services, Azure Storage Server, Azure ML, and so on. At the same time, it also allows you to modify the experience for use cases that require the use of other services (Azure or non-Azure) or other Open-Source Software (OSS) tools.
+
+## Next steps
+
+Text to come.
+
+<!-- You're now ready to start using Azure Percept Open-Source Project. We recommend the following resources to get started.
+
+ - TBD (getting started) How to get started and setup Azure Percept Open-Source Project
+
+- [Introduction to Azure Percept for Open-Source Project core concepts](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/EQwRE6w96T1OiO_kstWw1lMBs1yZFUow_ik3kx3rV12EVg?e=bactOi)
+
+- [Tutorial: Create an Edge AI solution with Azure Percept for Open-Source Project](https://microsoft.sharepoint-df.com/:w:/t/AzurePerceptHCIDocumentation/ERF8mxgtOqhIt2YJWFafuZoBC6kZ6hC-iRAMuCJeyZjD-w?e=BS4cN5)
+-->
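Review bot: the Next steps section is published as "Text to come." and the commented-out block still contains a "TBD (getting started)" item plus two microsoft.sharepoint-df.com links that public readers cannot open; either add the real targets or omit the section until they are ready. Also: "partnerΓÇÖs" is a mis-encoded apostrophe; "Standard-based" should read "Standards-based"; "seamlessly transit from prototype/pilot to production" should be "transition"; and "Azure Storage Server" in the Azure-powered bullet looks like it should be "Azure Storage", matching the services list in the other Percept articles.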
azure-percept Overview Azure Percept Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-percept/overview-azure-percept-studio.md
Title: Azure Percept Studio overview
+ Title: Azure Percept Studio overview v1
description: Learn more about Azure Percept Studio
Last updated 03/23/2021
-# Azure Percept Studio overview
+# Azure Percept Studio overview v1
[Azure Percept Studio](https://go.microsoft.com/fwlink/?linkid=2135819) is the single launch point for creating edge AI models and solutions. Azure Percept Studio allows you to discover and complete guided workflows that make it easy to integrate edge AI-capable hardware and powerful Azure AI and IoT cloud services.
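Review bot: only the Title and H1 gain the "v1" suffix; the description ("Learn more about Azure Percept Studio") and the 03/23/2021 date are unchanged, so this page and the new studio overview will surface with near-identical descriptions in search. Suggest updating the description to say it covers the original Azure Percept Studio experience and, if the two are meant to coexist, adding a cross-link so readers land on the intended version.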
azure-percept Azure Percept Studio Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-percept/studio/azure-percept-studio-overview.md
+
+ Title: Azure Percept Studio overview
+description: Description of Azure Percept Studio.
+++++ Last updated : 08/08/2022++
+# Azure Percept Studio overview
+
+Azure Percept Studio is a user-friendly portal for creating, deploying, and operating Edge artificial intelligence (AI) solutions. Using a low-code to no-code approach, you can discover and complete guided workflows and create an end-to-end Edge AI solution. This solution integrates Azure IoT and Azure AI cloud services like Azure IoT Hub, IoT Edge, Azure Storage, Log Analytics, and Spatial Analysis from Azure Cognitive Services.
+
+With Azure Percept Studio, you can connect your Edge AI compute devices and cameras and then configure and apply the pre-built AI skills included with Azure Precept Studio to automate and transform your operations at the edge. For example, you can use your cameras to count people in an area, detect when people cross a line, or when people enter/exit a restricted or secured area. You can then use AI skills to help you analyze this data in real-time so you can manage queues, space utilization, and occupancy, like a store entrance or exit, a curbside pickup area, or intruders on secure premises.
+
+## Azure Percept Studio offers:
+
+- **No code, low code integrated flows**
+
+ Whether you're a beginner or an advanced developer working on a pilot solution, Azure Percept Studio offers access to well-integrated workflows that you can use to reduce friction around building Edge AI solutions. You can create a pilot Edge AI solution in 10 minutes.
+
+- **People understanding AI skills**
+
+ Azure Spatial Analysis is fully integrated in Azure Percept. Spatial Analysis detects the presence and movements of people in real time video feed from IP cameras. There are three skills available around people understanding: people counting in an area, detecting when people cross a line, and detecting when people enter/ exit and area.
+
+- **Gain insights and act**
+
+ Once your solution is created, you can operate your devices and solutions remotely, monitor multiple video streams, and create live inference telemetry. To optimize your operations at the Edge, you can then aggregate inference data over time and derive insights and trends that you can use in real time to create alerts that help you be proactive instead of reactive.
+
+## Next steps
+
+Text to come.
+
+<!-- If you havenΓÇÖt set up your Azure Percept on Azure Stack HCI, we recommend the following tutorial to start setting up your VM using Azure Percept Windows Admin Center Extension (WAC):
+
+- [Set up Azure Percept on Azure Stack HCI using WAC extensions](set-up-azure-percept-using-wac-extension-cluster.md)
+
+If you have already set up your Azure Percept on Azure Stack HCI and are ready to start building your edge AI solution, we recommend the following tutorial:
+
+- [Create a no-code Edge AI solution using Azure Percept Studio](AzP%20Studio%20Guide.md).-->
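Review bot: "Azure Precept Studio" in the second paragraph is a misspelling of "Azure Percept Studio", and "detecting when people enter/ exit and area" in the People understanding bullet should read "enter/exit an area". The Next steps section ships as "Text to come." with its links commented out; the second commented link points at `AzP%20Studio%20Guide.md`, which does not follow the repository's file naming, and "havenΓÇÖt" is a mis-encoded apostrophe, so clean these up before uncommenting.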
azure-resource-manager Deploy Service Catalog Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-service-catalog-quickstart.md
Title: Use Azure portal to deploy service catalog app
-description: Shows consumers of Managed Applications how to deploy a service catalog app through the Azure portal.
+ Title: Use Azure portal to deploy service catalog managed application
+description: Shows consumers of Azure Managed Applications how to deploy a service catalog managed application from the Azure portal.
-- Previously updated : 10/04/2018 + Last updated : 08/17/2022
-# Quickstart: Deploy service catalog app through Azure portal
-In the [preceding quickstart](publish-service-catalog-app.md), you published a managed application definition. In this quickstart, you create a service catalog app from that definition.
+# Quickstart: Deploy service catalog managed application from Azure portal
+
+In the quickstart article to [publish the definition](publish-service-catalog-app.md), you published an Azure managed application definition. In this quickstart, you use that definition to deploy a service catalog managed application. The deployment creates two resource groups. One resource group contains the managed application and the other is a managed resource group for the deployed resource. In this article, the managed application definition deploys a managed storage account.
+
+## Prerequisites
-## Create service catalog app
+To complete this quickstart, you need an Azure account with an active subscription. If you completed the quickstart to publish a definition, you should already have an account. Otherwise, [create a free account](https://azure.microsoft.com/free/) before you begin.
+
+## Create service catalog managed application
In the Azure portal, use the following steps:
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Create a resource**.
- ![Create a resource](./media/deploy-service-catalog-quickstart/create-new.png)
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/create-resource.png" alt-text="Create a resource":::
+
+1. Search for _Service Catalog Managed Application_ and select it from the available options.
-1. Search for **Service Catalog Managed Application** and select it from the available options.
+1. **Service Catalog Managed Application** is displayed. Select **Create**.
- ![Search for service catalog application](./media/deploy-service-catalog-quickstart/select-service-catalog.png)
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/create-service-catalog-managed-application.png" alt-text="Select create":::
-1. You see a description of the Managed Application service. Select **Create**.
+1. The portal shows the managed application definitions that you can access. From the available definitions, select the one you want to deploy. In this quickstart, use the **Managed Storage Account** definition that you created in the preceding quickstart. Select **Create**.
- ![Select create](./media/deploy-service-catalog-quickstart/create-service-catalog.png)
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/select-service-catalog-managed-application.png" alt-text="Screenshot that shows managed application definitions that you can select and deploy.":::
-1. The portal shows the managed application definitions that you have access to. From the available definitions, select the one you wish to deploy. In this quickstart, use the **Managed Storage Account** definition that you created in the preceding quickstart. Select **Create**.
+1. Provide values for the **Basics** tab and select **Next: Storage settings**.
- ![Select definition to deploy](./media/deploy-service-catalog-quickstart/select-definition.png)
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/basics-info.png" alt-text="Screenshot that highlights the information needed on the basics tab.":::
-1. Provide values for the **Basics** tab. Select the Azure subscription to deploy your service catalog app to. Create a new resource group named **applicationGroup**. Select a location for your app. When finished, select **OK**.
+ - **Subscription**: Select the subscription where you want to deploy the managed application.
+ - **Resource group**: Select the resource group. For this example, create a resource group named _applicationGroup_.
+ - **Region**: Select the location where you want to deploy the resource.
+ - **Application Name**: Enter a name for your application. For this example, use _demoManagedApplication_.
+ - **Managed Resource Group**: Uses a default name in the format `mrg-{definitionName}-{dateTime}` like the example _mrg-ManagedStorage-20220817085240_. You can change the name.
- ![Provide values for basic](./media/deploy-service-catalog-quickstart/provide-basics.png)
+1. Enter a prefix for the storage account name and select the storage account type. Select **Next: Review + create**.
-1. Provide a prefix for the storage account name. Select the type of storage account to create. When finished, select **OK**.
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/storage-info.png" alt-text="Screenshot that shows the information needed to create a storage account.":::
- ![Provide values for storage](./media/deploy-service-catalog-quickstart/provide-storage.png)
+ - **Storage account name prefix**: Use only lowercase letters and numbers and a maximum of 11 characters. During deployment, the prefix is concatenated with a unique string to create the storage account name.
+ - **Storage account type**: Select **Change type** to choose a storage account type. The default is Standard LRS.
-1. Review the summary. After validation succeeds, select **OK** to begin deployment.
+1. Review the summary of the values you selected and verify **Validation Passed** is displayed. Select **Create** to begin the deployment.
- ![View summary](./media/deploy-service-catalog-quickstart/view-summary.png)
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/summary-validation.png" alt-text="Screenshot that summarizes the values you selected and shows the validation status.":::
## View results
-After the service catalog app has been deployed, you have two new resource groups. One resource group holds the service catalog app. The other resource group holds the resources for the service catalog app.
+After the service catalog managed application is deployed, you have two new resource groups. One resource group contains the managed application. The other resource group contains the managed resource that was deployed. In this example, a managed storage account.
+
+### Managed application
+
+Go to the resource group named **applicationGroup**. The resource group contains your managed application named _demoManagedApplication_.
+
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/view-application-group.png" alt-text="Screenshot that shows the resource group that contains the managed application.":::
+
+### Managed resource
+
+Go to the managed resource group with the name prefix **mrg-ManagedStorage** to see the resource that was deployed. The resource group contains the managed storage account that uses the prefix you specified. In this example, the storage account prefix is _demoappstg_.
+
+ :::image type="content" source="./media/deploy-service-catalog-quickstart/view-managed-resource-group.png" alt-text="Screenshot that shows the managed resource group that contains the resource deployed by the managed application.":::
+
+The storage account that's created by the managed application has a role assignment. In the [publish the definition](publish-service-catalog-app.md#create-an-azure-active-directory-user-group-or-application) article, you created an Azure Active Directory group. That group was used in the managed application definition. When you deployed the managed application, a role assignment for that group was added to the managed storage account.
+
+To see the role assignment from the Azure portal:
+
+1. Go to the **mrg-ManagedStorage** resource group.
+1. Select **Access Control (IAM)** > **Role assignments**.
+
+ You can also view the resource's **Deny assignments**.
+
+The role assignment gives the application's publisher access to manage the storage account. In this example, the publisher might be your IT department. The _Deny assignments_ prevents customers from making changes to a managed resource's configuration. Managed apps are designed so that customers don't need to maintain the resources. The _Deny assignment_ excludes the Azure Active Directory group that was assigned in **Role assignments**.
+
+## Clean up resources
-1. View the resource group named **applicationGroup** to see the service catalog app.
+When your finished with the managed application, you can delete the resource groups and that will remove all the resources you created. For example, in this quickstart you created the resource groups _applicationGroup_ and a managed resource group with the prefix _mrg-ManagedStorage_.
- ![View application](./media/deploy-service-catalog-quickstart/view-managed-application.png)
+1. From Azure portal **Home**, in the search field, enter _resource groups_.
+1. Select **Resource groups**.
+1. Select **applicationGroup** and **Delete resource group**.
+1. To confirm the deletion, enter the resource group name and select **Delete**.
-1. View the resource group named **applicationGroup{hash-characters}** to see the resources for the service catalog app.
+When the resource group that contains the managed application is deleted, the managed resource group is also deleted. In this example, when _applicationGroup_ is deleted the _mrg-ManagedStorage_ resource group is also deleted.
- ![View resources](./media/deploy-service-catalog-quickstart/view-resources.png)
+If you want to delete the managed application definition, you can delete the resource groups you created in the quickstart to [publish the definition](publish-service-catalog-app.md).
## Next steps
-* To learn how to create the definition files for a managed application, see [Create and publish a managed application definition](publish-service-catalog-app.md).
-* For Azure CLI, see [Deploy service catalog app with Azure CLI](./scripts/managed-application-cli-sample-create-application.md).
-* For PowerShell, see [Deploy service catalog app with PowerShell](./scripts/managed-application-poweshell-sample-create-application.md).
+- To learn how to create the definition files for a managed application, see [Quickstart: Create and publish an Azure Managed Application definition](publish-service-catalog-app.md).
+- For Azure CLI, see [Deploy managed application with Azure CLI](./scripts/managed-application-cli-sample-create-application.md).
+- For PowerShell, see [Deploy managed application with PowerShell](./scripts/managed-application-poweshell-sample-create-application.md).
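Review bot: typo in the clean-up intro at the `+When your finished with the managed application` line: it should read `When you're finished`. Two smaller wording points in the same hunk: the fragment `In this example, a managed storage account.` after `+After the service catalog managed application is deployed` reads better folded into the preceding sentence (`... the managed resource that was deployed, in this example a managed storage account.`), and `The _Deny assignments_ prevents customers` needs `The _Deny assignment_ prevents` to agree with the singular used two sentences later. Also worth a check: both the removed and the added PowerShell bullet link to `managed-application-poweshell-sample-create-application.md`; if the file on disk is spelled `powershell`, the link is broken in both versions.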
azure-resource-manager Publish Service Catalog App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-app.md
To publish a managed application to your service catalog, do the following tasks
To complete this quickstart, you need the following items: -- If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+- An Azure account with an active subscription. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.
- [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). - Install the latest version of [Azure PowerShell](/powershell/azure/install-az-ps) or [Azure CLI](/cli/azure/install-azure-cli).
azure-resource-manager Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/best-practices.md
The following information can be helpful when you work with [resources](./syntax
] ```
- For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata).
+ For more details about comments and metadata see [Understand the structure and syntax of ARM templates](./syntax.md#comments-and-metadata).
* If you use a *public endpoint* in your template (such as an Azure Blob storage public endpoint), *don't hard-code* the namespace. Use the `reference` function to dynamically retrieve the namespace. You can use this approach to deploy the template to different public namespace environments without manually changing the endpoint in the template. Set the API version to the same version that you're using for the storage account in your template.
The following information can be helpful when you work with [resources](./syntax
## Comments
-In addition to the `comments` property, comments using the `//` syntax are supported. For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata). You may choose to save JSON files that contain `//` comments using the `.jsonc` file extension, to indicate the JSON file contains comments. The ARM service will also accept comments in any JSON file including parameters files.
+In addition to the `comments` property, comments using the `//` syntax are supported. For more details about comments and metadata see [Understand the structure and syntax of ARM templates](./syntax.md#comments-and-metadata). You may choose to save JSON files that contain `//` comments using the `.jsonc` file extension, to indicate the JSON file contains comments. The ARM service will also accept comments in any JSON file including parameters files.
## Visual Studio Code ARM Tools
After you've completed your template, run the test toolkit to see if there are w
## Next steps * For information about the structure of the template file, see [Understand the structure and syntax of ARM templates](./syntax.md).
-* For recommendations about how to build templates that work in all Azure cloud environments, see [Develop ARM templates for cloud consistency](./template-cloud-consistency.md).
+* For recommendations about how to build templates that work in all Azure cloud environments, see [Develop ARM templates for cloud consistency](./template-cloud-consistency.md).
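Review bot: the `-`/`+` pair at `* For recommendations about how to build templates that work in all Azure cloud environments` is textually identical, so it is presumably a trailing-whitespace or line-ending change; confirm it is intended rather than an editor artifact, since it adds noise to an otherwise link-only change. Minor style point on the two retargeted sentences `For more details about comments and metadata see [Understand the structure and syntax of ARM templates]`: a comma after `metadata` would help, and since the line is being touched anyway it is a cheap fix.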
azure-resource-manager Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deploy-cli.md
az deployment group create \
--parameters storageAccountType=Standard_GRS ```
-The value of the `--template-file` parameter must be a Bicep file or a `.json` or `.jsonc` file. The `.jsonc` file extension indicates the file can contain `//` style comments. The ARM system accepts `//` comments in `.json` files. It does not care about the file extension. For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata).
+The value of the `--template-file` parameter must be a Bicep file or a `.json` or `.jsonc` file. The `.jsonc` file extension indicates the file can contain `//` style comments. The ARM system accepts `//` comments in `.json` files. It does not care about the file extension. For more details about comments and metadata see [Understand the structure and syntax of ARM templates](./syntax.md#comments-and-metadata).
The Azure deployment template can take a few minutes to complete. When it finishes, you see a message that includes the result:
az deployment group create \
--template-file storage.json \ --parameters '@storage.parameters.jsonc' ```
-For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata).
+For more details about comments and metadata see [Understand the structure and syntax of ARM templates](./syntax.md#comments-and-metadata).
If you are using Azure CLI with version 2.3.0 or older, you can deploy a template with multi-line strings or comments using the `--handle-extended-json-format` switch. For example:
If you are using Azure CLI with version 2.3.0 or older, you can deploy a templat
* To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](rollback-on-error.md). * To specify how to handle resources that exist in the resource group but aren't defined in the template, see [Azure Resource Manager deployment modes](deployment-modes.md). * To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](./syntax.md).
-* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](common-deployment-errors.md).
+* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](common-deployment-errors.md).
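Review bot: the final `-`/`+` pair at `* For tips on resolving common deployment errors` carries no visible text change, so it is a whitespace-only edit; either drop it from the change or note it in the commit description. On the retargeted paragraph at `The value of the `--template-file` parameter must be a Bicep file or a `.json` or `.jsonc` file`: the three short sentences `The ARM system accepts `//` comments in `.json` files. It does not care about the file extension.` would read more clearly as one (`Azure Resource Manager accepts `//` comments in `.json` files as well; the extension does not matter.`), and a comma after `metadata` in `For more details about comments and metadata see` is still missing in both occurrences.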
azure-resource-manager Template Tutorial Export Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-export-template.md
Title: Tutorial - Export template from the Azure portal description: Learn how to use an exported template to complete your template development. Previously updated : 09/09/2020 Last updated : 08/17/2022
# Tutorial: Use exported template from the Azure portal
-In this tutorial series, you've created a template to deploy an Azure storage account. In the next two tutorials, you add an *App Service plan* and a *website*. Instead of creating templates from scratch, you learn how to export templates from the Azure portal and how to use sample templates from the [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/). You customize those templates for your use. This tutorial focuses on exporting templates, and customizing the result for your template. It takes about **14 minutes** to complete.
+In this tutorial series, you create a template to deploy an Azure storage account. In the next two tutorials, you add an **App Service plan** and a **website**. Instead of creating templates from scratch, you learn how to export templates from the Azure portal and how to use sample templates from the [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/). You customize those templates for your use. This tutorial focuses on exporting templates and customizing the result for your template. This instruction takes **14 minutes** to complete.
## Prerequisites We recommend that you complete the [tutorial about outputs](template-tutorial-add-outputs.md), but it's not required.
-You must have Visual Studio Code with the Resource Manager Tools extension, and either Azure PowerShell or Azure CLI. For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).
+You need to have Visual Studio Code with the Resource Manager Tools extension and either Azure PowerShell or Azure Command-Line Interface (CLI). For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).
## Review template
-At the end of the previous tutorial, your template had the following JSON:
+At the end of the previous tutorial, your template had the following JSON file:
:::code language="json" source="~/resourcemanager-templates/get-started-with-templates/add-outputs/azuredeploy.json":::
This template works well for deploying storage accounts, but you might want to a
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select **Create a resource**.
-1. In **Search the Marketplace**, enter **App Service plan**, and then select **App Service plan**. Don't select **App Service plan (classic)**
+1. In **Search services and Marketplace**, enter **App Service Plan**, and then select **App Service Plan**.
1. Select **Create**.
-1. Enter:
+1. On the **Create App Service Plan** page, enter the following:
- - **Subscription**: select your Azure subscription.
- - **Resource Group**: Select **Create new** and then specify a name. Provide a different resource group name than the one you have been using in this tutorial series.
- - **Name**: enter a name for the App service plan.
- - **Operating System**: select **Linux**.
- - **Region**: select an Azure location. For example, **Central US**.
- - **Pricing tier**: to save costs, change the SKU to **Basic B1** (under Dev/Test).
+ - **Subscription**: Select your Azure subscription from the drop-down menu.
+ - **Resource Group**: Select **Create new** and then specify a name. Provide a different resource group name than the one you've been using in this tutorial series.
+ - **Name**: enter a name for the App Service Plan.
+ - **Operating System**: Select **Linux**.
+ - **Region**: Select an Azure location from the drop-down menu, such as **Central US**.
+ - **Pricing Tier**: To save costs, select **Change size** to change the **SKU and size** to **first Basic (B1)**, under **Dev / Test** for less demanding workloads.
![Resource Manager template export template portal](./media/template-tutorial-export-template/resource-manager-template-export.png) 1. Select **Review and create**.
This template works well for deploying storage accounts, but you might want to a
![Go to resource](./media/template-tutorial-export-template/resource-manager-template-export-go-to-resource.png)
-1. Select **Export template**.
+1. From the left menu, under **Automation**, select **Export template**.
![Resource Manager template export template](./media/template-tutorial-export-template/resource-manager-template-export-template.png)
This template works well for deploying storage accounts, but you might want to a
![Resource Manager template export template exported template](./media/template-tutorial-export-template/resource-manager-template-exported-template.png) > [!IMPORTANT]
-> Typically, the exported template is more verbose than you might want when creating a template. For example, the SKU object in the exported template has five properties. This template works, but you could just use the `name` property. You can start with the exported template, and then modify it as you like to fit your requirements.
+> Typically, the exported template is more verbose than you might want when creating a template. The SKU object, for example, in the exported template has five properties. This template works, but you could just use the `name` property. You can start with the exported template and then modify it as you like to fit your requirements.
## Revise existing template
-The exported template gives you most of the JSON you need, but you need to customize it for your template. Pay particular attention to differences in parameters and variables between your template and the exported template. Obviously, the export process doesn't know the parameters and variables that you've already defined in your template.
+The exported template gives you most of the JSON you need, but you have to customize it for your template. Pay particular attention to differences in parameters and variables between your template and the exported template. Obviously, the export process doesn't know the parameters and variables that you've already defined in your template.
The following example highlights the additions to your template. It contains the exported code plus some changes. First, it changes the name of the parameter to match your naming convention. Second, it uses your location parameter for the location of the app service plan. Third, it removes some of the properties where the default value is fine.
New-AzResourceGroupDeployment `
# [Azure CLI](#tab/azure-cli)
-To run this deployment command, you must have the [latest version](/cli/azure/install-azure-cli) of Azure CLI.
+To run this deployment command, you need to have the [latest version](/cli/azure/install-azure-cli) of Azure CLI.
```azurecli az deployment group create \
az deployment group create \
> [!NOTE]
-> If the deployment failed, use the `verbose` switch to get information about the resources being created. Use the `debug` switch to get more information for debugging.
+> If the deployment fails, use the `verbose` switch to get information about the resources you're creating. Use the `debug` switch to get more information for debugging.
## Verify deployment
You can verify the deployment by exploring the resource group from the Azure por
1. Sign in to the [Azure portal](https://portal.azure.com). 1. From the left menu, select **Resource groups**. 1. Select the resource group you deployed to.
-1. The resource group contains a storage account and an App Service plan.
+1. The resource group contains a storage account and an App Service Plan.
## Clean up resources If you're moving on to the next tutorial, you don't need to delete the resource group.
-If you're stopping now, you might want to clean up the resources you deployed by deleting the resource group.
+If you're stopping now, you might want to delete the resource group.
-1. From the Azure portal, select **Resource group** from the left menu.
-2. Enter the resource group name in the **Filter by name** field.
-3. Select the resource group name.
+1. From the Azure portal, select **Resource groups** from the left menu.
+2. Type the resource group name in the **Filter for any field...** text field.
+3. Check the box next to **myResourceGroup** and select **myResourceGroup** or your resource group name.
4. Select **Delete resource group** from the top menu. ## Next steps
-You learned how to export a template from the Azure portal, and how to use the exported template for your template development. You can also use the Azure Quickstart templates to simplify template development.
+You learned how to export a template from the Azure portal and how to use the exported template for your template development. You can also use the Azure Quickstart Templates to simplify template development.
> [!div class="nextstepaction"]
-> [Use Azure Quickstart templates](template-tutorial-quickstart-template.md)
+> [Use Azure Quickstart Templates](template-tutorial-quickstart-template.md)
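Review bot: the rewritten intro at `+In this tutorial series, you create a template to deploy an Azure storage account` drops the hedge in `This instruction takes **14 minutes** to complete`; the original `It takes about **14 minutes**` was the honest figure, and `This instruction` should be `This tutorial` to match the rest of the page. Further points in this hunk: `had the following JSON file:` is followed by an inline code include, not a file, so the original `the following JSON:` was correct; the removed warning `Don't select **App Service plan (classic)**` should only go if that option no longer appears in the portal search results; the bullet `- **Name**: enter a name for the App Service Plan.` keeps lowercase `enter` while its sibling bullets were changed to a capitalized verb; `to **first Basic (B1)**` reads oddly and probably means `to **Basic (B1)**`; and the clean-up step `Check the box next to **myResourceGroup**` introduces a resource group name that appears nowhere earlier in the tutorial (the App Service plan step only says to `specify a name`), so readers will not find `myResourceGroup` and the step should refer to the name they chose.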
azure-video-analyzer Detect Motion Record Video Edge Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-analyzer/video-analyzer-docs/edge/detect-motion-record-video-edge-devices.md
To play the MP4 clip:
1. Sign in by using the credentials that were generated when you set up your Azure resources. 1. At the command prompt, go to the relevant directory. The default location is /var/media. You should see the MP4 files in the directory.
-1. Use [Secure Copy (SCP)](../../../virtual-machines/linux/copy-files-to-linux-vm-using-scp.md) to copy the files to your local machine.
+1. Use [Secure Copy (SCP)](../../../virtual-machines/copy-files-to-vm-using-scp.md) to copy the files to your local machine.
1. Play the files by using [VLC media player](https://www.videolan.org/vlc/) or any other MP4 player. ## Clean up resources
azure-video-indexer Create Account Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/create-account-portal.md
Last updated 06/10/2022
[!INCLUDE [Gate notice](./includes/face-limited-access.md)] --
-This tutorial walks you through the steps of creating an Azure Video Indexer account and its accompanying resources by using the Azure portal. The account created is an Azure Resource Manager (ARM) based account which is enabled with all Video Indexer features and capabilities. For information about different Azure Video Indexer account types, see the [Overview of account types](accounts-overview.md) topic.
+This tutorial walks you through the steps of creating an Azure Video Indexer account and its accompanying resources by using the Azure portal. The created account is an Azure Resource Manager (ARM) based account. For information about different Azure Video Indexer account types, see the [Overview of account types](accounts-overview.md) topic.
## Prerequisites
azure-vmware Azure Vmware Solution Platform Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-vmware-solution-platform-updates.md
HCX cloud manager in Azure VMware solutions can now be accessible over a public
HCX with public IP is especially useful in cases where On-premises sites are not connected to Azure via Express Route or VPN. HCX service mesh appliances can be configured with public IPs to avoid lower tunnel MTUs due to double encapsulation if a VPN is used for on-premises to cloud connections.
-For more information, please see [Enable HCX over the internet](/azure/azure-vmware/enable-hcx-access-over-internet)
+For more information, please see [Enable HCX over the internet](./enable-hcx-access-over-internet.md)
## July 7, 2022
For more information on this vCenter version, see [VMware vCenter Server 6.7 Upd
>This is non-disruptive and should not impact Azure VMware Services or workloads. During maintenance, various VMware alerts, such as _Lost network connectivity on DVPorts_ and _Lost uplink redundancy on DVPorts_, appear in vCenter Server and clear automatically as the maintenance progresses. ## Post update
-Once complete, newer versions of VMware components appear. If you notice any issues or have any questions, contact our support team by opening a support ticket.
+Once complete, newer versions of VMware components appear. If you notice any issues or have any questions, contact our support team by opening a support ticket.
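Review bot: the `-`/`+` pair at `Once complete, newer versions of VMware components appear.` has no visible text difference, so it is a whitespace-only change; confirm it is intended. On the retargeted link at `For more information, please see [Enable HCX over the internet]`: this section describes making HCX cloud manager and service mesh appliances reachable over public IPs, and the linked article is the reader's only pointer for how access to that public endpoint is restricted, so consider either a one-sentence summary here of what limits reach that endpoint or an explicit statement that the linked article covers it. Style: drop `please` to match the rest of the page.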
azure-vmware Disaster Recovery Using Vmware Site Recovery Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager.md
While Microsoft aims to simplify VMware SRM and vSphere Replication installation
## Scale limitations
-To learn about the limits for the VMware Site Recovery Manager Add-On with the Azure VMware Soltuion, check the [Azure subscription and service limits, quotas, and constraints.](/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-vmware-solution-limits)
+To learn about the limits for the VMware Site Recovery Manager Add-On with the Azure VMware Soltuion, check the [Azure subscription and service limits, quotas, and constraints.](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-vmware-solution-limits)
## SRM licenses
VMware and Microsoft support teams will engage each other as needed to troublesh
- [vSphere Replication administration](https://docs.vmware.com/en/vSphere-Replication/8.2/com.vmware.vsphere.replication-admin.doc/GUID-35C0A355-C57B-430B-876E-9D2E6BE4DDBA.html) - [Pre-requisites and Best Practices for SRM installation](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/com.vmware.srm.install_config.doc/GUID-BB0C03E4-72BE-4C74-96C3-97AC6911B6B8.html) - [Network ports for SRM](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/com.vmware.srm.install_config.doc/GUID-499D3C83-B8FD-4D4C-AE3D-19F518A13C98.html)-- [Network ports for vSphere Replication](https://kb.vmware.com/s/article/2087769)
+- [Network ports for vSphere Replication](https://kb.vmware.com/s/article/2087769)
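Review bot: the typo `Azure VMware Soltuion` survives in the `+` line at `To learn about the limits for the VMware Site Recovery Manager Add-On`; since the line is being touched anyway, fix it to `Azure VMware Solution`. The same link keeps its trailing period inside the brackets (`constraints.]`), which renders the period as part of the link text; move it outside. The final `-`/`+` pair for `[Network ports for vSphere Replication](https://kb.vmware.com/s/article/2087769)` is content-identical and so a whitespace-only change.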
azure-vmware Enable Managed Snat For Workloads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-managed-snat-for-workloads.md
With this capability, you:
- Are unable to view connection logs. - Have a limit of 128 000 concurrent connections.
-## Prerequisites
-- Azure Solution VMware private cloud-- DNS Server configured on the NSX-T Datacenter- ## Reference architecture
-The architecture shows Internet access to and from your Azure VMware Solution private cloud using a Public IP directly to the NSX Edge.
+The architecture shows Internet access outbound from your Azure VMware Solution private cloud using an Azure VMware Solution Managed SNAT Service.
:::image type="content" source="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip-snat.png" alt-text="Diagram that shows architecture of Internet access to and from your Azure VMware Solution Private Cloud using a Public IP directly to the SNAT Edge." border="false" lightbox="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip-snat-expanded.png":::
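Review bot: the image alt text at `:::image type="content" source="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip-snat.png"` still says `using a Public IP directly to the SNAT Edge`, while the rewritten paragraph directly above now describes outbound access `using an Azure VMware Solution Managed SNAT Service`; update the alt text to match, and confirm that a diagram stored under the `public-ip-nsx-edge` media folder is the right one for the managed SNAT article. Also, the `## Prerequisites` section (private cloud and a DNS server on the NSX-T Datacenter) is removed from this article outright rather than corrected; if the managed SNAT capability still depends on those prerequisites, keep the section here too, with the word order fixed to `Azure VMware Solution private cloud` as in the copy added to the public IP article.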
azure-vmware Enable Public Ip Nsx Edge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-public-ip-nsx-edge.md
With this capability, you have the following features:
- DDoS Security protection against network traffic in and out of the Internet. - HCX Migration support over the Public Internet.
-## Reference architecture
+## Prerequisites
+- Azure VMware Solution private cloud
+- DNS Server configured on the NSX-T Datacenter
+
+## Reference architecture
The architecture shows Internet access to and from your Azure VMware Solution private cloud using a Public IP directly to the NSX Edge. :::image type="content" source="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip.png" alt-text="Diagram that shows architecture of Internet access to and from your Azure VMware Solution Private Cloud using a Public IP directly to the NSX Edge." border="false" lightbox="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip-expanded.png":::
backup Azure Backup Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-backup-glossary.md
Refer to [Azure Resource Manager documentation](../azure-resource-manager/manage
## Azure Disk Encryption (ADE)
-Refer to [Azure Disk Encryption documentation](../security/fundamentals/azure-disk-encryption-vms-vmss.md).
+Refer to [Azure Disk Encryption documentation](../virtual-machines/disk-encryption-overview.md).
## Backend storage / Cloud storage / Backup storage
backup Backup Azure Vms Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-encryption.md
Azure Backup can back up and restore Azure VMs using ADE with and without the Az
**Unmanaged** | Yes | Yes **Managed** | Yes | Yes -- Learn more about [ADE](../security/fundamentals/azure-disk-encryption-vms-vmss.md), [Key Vault](../key-vault/general/overview.md), and [KEKs](../virtual-machine-scale-sets/disk-encryption-key-vault.md#set-up-a-key-encryption-key-kek).-- Read the [FAQ](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for Azure VM disk encryption.
+- Learn more about [ADE](../virtual-machines/disk-encryption-overview.md), [Key Vault](../key-vault/general/overview.md), and [KEKs](../virtual-machine-scale-sets/disk-encryption-key-vault.md#set-up-a-key-encryption-key-kek).
+- Read the [FAQ](../virtual-machines/disk-encryption-overview.md) for Azure VM disk encryption.
### Limitations
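Review bot: after retargeting, the two bullets `Learn more about [ADE](../virtual-machines/disk-encryption-overview.md)` and `Read the [FAQ](../virtual-machines/disk-encryption-overview.md) for Azure VM disk encryption` link to the same page under different labels; either point the FAQ bullet at the actual FAQ section or page, or merge the two bullets so readers are not sent to one destination twice. Splitting the run-together `-- Learn more ... -- Read the` line into two list items is the right fix.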
backup Encryption At Rest With Cmk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/encryption-at-rest-with-cmk.md
This article discusses about how to:
- This feature currently **doesn't support backup using MARS agent**, and you may not be able to use a CMK-encrypted vault for the same. The MARS agent uses a user passphrase-based encryption. This feature also doesn't support backup of classic VMs. -- This feature isn't related to [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md), which uses guest-based encryption of a VM's disk using BitLocker (for Windows) and DM-Crypt (for Linux).
+- This feature isn't related to [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md), which uses guest-based encryption of a VM's disk using BitLocker (for Windows) and DM-Crypt (for Linux).
- The Recovery Services vault can be encrypted only with keys stored in Azure Key Vault, located in the **same region**. Also, keys must be **RSA keys** only and should be in **enabled** state.
bastion Bastion Connect Vm Ssh Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/bastion-connect-vm-ssh-linux.md
Title: 'Connect to a Linux VM using SSH' description: Learn how to use Azure Bastion to connect to Linux VM using SSH.- Previously updated : 10/12/2021 Last updated : 08/18/2022
This article shows you how to securely and seamlessly create an SSH connection to your Linux VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Linux VM using RDP. For information, see [Create an RDP connection to a Linux VM](bastion-connect-vm-rdp-linux.md).
-Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the [What is Azure Bastion?](bastion-overview.md).
+Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the [What is Azure Bastion?](bastion-overview.md) overview article.
-When connecting to a Linux virtual machine using SSH, you can use both username/password and SSH keys for authentication. You can connect to your VM with SSH keys by using either:
-
-* A private key that you manually enter
-* A file that contains the private key information
+When connecting to a Linux virtual machine using SSH, you can use both username/password and SSH keys for authentication.
The SSH private key must be in a format that begins with `"--BEGIN RSA PRIVATE KEY--"` and ends with `"--END RSA PRIVATE KEY--"`.
In order to make a connection, the following roles are required:
In order to connect to the Linux VM via SSH, you must have the following ports open on your VM: * Inbound port: SSH (22) ***or***
-* Inbound port: Custom value (you will then need to specify this custom port when you connect to the VM via Azure Bastion)
+* Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)
> [!NOTE] > If you want to specify a custom port value, Azure Bastion must be configured using the Standard SKU. The Basic SKU does not allow you to specify custom ports. >
-## <a name="username"></a>Connect: Using username and password
+## Bastion connection page
-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.
+1. In the [Azure portal](https://portal.azure.com), go to the virtual machine that you want to connect to. On the **Overview** page, select **Connect**, then select **Bastion** from the dropdown to open the Bastion connection page. You can also select **Bastion** from the left pane.
:::image type="content" source="./media/bastion-connect-vm-ssh-linux/connect.png" alt-text="Screenshot shows the overview for a virtual machine in Azure portal with Connect selected" lightbox="./media/bastion-connect-vm-ssh-linux/connect.png":::
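Review bot: Replacing `## <a name="username"></a>Connect: Using username and password` with `## Bastion connection page` drops the explicit `username` anchor, so any existing links to this article's `#username` fragment will stop resolving. Keep `<a name="username"></a>` on the new "Username and password" heading (or add a redirect) so inbound links keep working.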
-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).
-1. On the **Connect using Azure Bastion** page, enter the **Username** and **Password**.
+1. On the **Bastion** connection page, click the **Connection Settings** arrow to expand all the available settings. If you are using a Bastion **Standard** SKU, you have more available settings than a Basic SKU.
+
+ :::image type="content" source="./media/bastion-connect-vm-ssh-linux/connection-settings.png" alt-text="Screenshot shows connection settings.":::
+
+1. Authenticate and connect using one of the methods in the following sections.
+
+ * [Username and password](#username-and-password)
+ * [Private key from local file](#private-key-from-local-file)
+ * [Password - Azure Key Vault](#passwordazure-key-vault)
+ * [Private key - Azure Key Vault](#private-keyazure-key-vault)
+
+## Username and password
+
+Use the following steps to authenticate using username and password.
++
+1. To authenticate using a username and password, configure the following settings:
+
+ * **Protocol**: Select SSH.
+ * **Port**: Input the port number. Custom port co
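Review bot: The line that reads `++` just before "1. To authenticate using a username and password" is an added line whose content is a literal `+`, which will render as a stray plus sign; it should be a plain blank line. Also, the in-page links `#passwordazure-key-vault` and `#private-keyazure-key-vault` assume a particular slug for headings containing " - ", while the other two links use the plain hyphenated form; confirm these resolve to the rendered heading ids for "Password - Azure Key Vault" and "Private key - Azure Key Vault", and for consistency with the "it's"/"you'll" contractions introduced elsewhere in this change, "If you are using a Bastion **Standard** SKU" could read "If you're using".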