Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Api Connectors Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/api-connectors-overview.md | See the following articles for examples of using a RESTful technical profile: ::: zone-end -- Learn how to build resilience when [Interfacing with external processes](../active-directory/fundamentals/resilient-external-processes.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json)-- Learn how to build [Resilience through developer best practices](../active-directory/fundamentals/resilience-b2c-developer-best-practices.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json).+- Learn how to build resilience when [Interfacing with external processes](../active-directory/architecture/resilient-external-processes.md?bc=/azure/active-directory-b2c/bread/toc.json&toc=/azure/active-directory-b2c/TOC.json) +- Learn how to build [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md?bc=/azure/active-directory-b2c/bread/toc.json&toc=/azure/active-directory-b2c/TOC.json). |
active-directory-b2c | App Registrations Training Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/app-registrations-training-guide.md | The new experience shows all Azure AD B2C app registrations and Azure AD app reg You can reach the new experience by navigating to **App registrations** in an Azure AD B2C tenant from both the **Azure AD B2C** or the **Azure Active Directory** services in the Azure portal. -The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) for any Azure AD tenant, but is tailored for Azure AD B2C tenants. +The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://devblogs.microsoft.com/microsoft365dev/new-app-registrations-experience-is-now-generally-available/) for any Azure AD tenant, but is tailored for Azure AD B2C tenants. ## What's not changing? - Your applications and related configurations can be found as-is in the new experience. You do not need to register the applications again and users of your applications will not need to sign-in again. You might not see all Microsoft Graph permissions, because many of these permiss The **openid** scope is necessary so that Azure AD B2C can sign users in to an app. The **offline_access** scope is needed to issue refresh tokens for a user. These scopes were previously added and given admin consent by default. Now, you can easily add permissions for these scopes during the creation process by ensuring the **Grant admin consent to openid and offline_access permissions** option is selected. Else, the Microsoft Graph permissions can be added with admin consent in the **API permissions** settings for an existing app. -Learn more about [permissions and consent](../active-directory/develop/v2-permissions-and-consent.md). +Learn more about [permissions and consent](../active-directory/develop/permissions-consent-overview.md). ## Platforms/Authentication: Reply URLs/redirect URIs In the legacy experience, the various platform types were managed under **Properties** as reply URLs for web apps/APIs and Redirect URI for Native clients. "Native clients" are also known as "Public clients" and include apps for iOS, macOS, Android, and other mobile and desktop application types. |
active-directory-b2c | Azure Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/azure-monitor.md | Watch this video to learn how to configure monitoring for Azure AD B2C using Azu ## Deployment overview -Azure AD B2C uses [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). Unlike Azure AD tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs. +Azure AD B2C uses [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring-health.md). Unlike Azure AD tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs. To enable _Diagnostic settings_ in Azure Active Directory within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/overview.md) to [delegate a resource](../lighthouse/concepts/architecture.md), which allows your Azure AD B2C (the **Service Provider**) to manage an Azure AD (the **Customer**) resource. > [!TIP] Now select an Azure AD B2C group or user to which you want to give permission to To make management easier, we recommend using Azure AD user _groups_ for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. In this walkthrough, we'll add a security group. > [!IMPORTANT]-> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/how-to-manage-groups.md). -1. With **Azure Active Directory** still selected in your **Azure AD B2C** directory, select **Groups**, and then select a group. If you don't have an existing group, create a **Security** group, then add members. For more information, follow the procedure [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +1. With **Azure Active Directory** still selected in your **Azure AD B2C** directory, select **Groups**, and then select a group. If you don't have an existing group, create a **Security** group, then add members. For more information, follow the procedure [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/how-to-manage-groups.md). 1. Select **Overview**, and record the group's **Object ID**. ### 3.3 Create an Azure Resource Manager template In this example, we use the Log Analytics workspace to create a dashboard. ### 5.1 Create diagnostic settings -You're ready to [create diagnostic settings](../active-directory/reports-monitoring/overview-monitoring.md) in the Azure portal. +You're ready to [create diagnostic settings](../active-directory/reports-monitoring/overview-monitoring-health.md) in the Azure portal. To configure monitoring settings for Azure AD B2C activity logs: To configure monitoring settings for Azure AD B2C activity logs: 1. Select **Save**. > [!NOTE]-> It can take up to 15 minutes after an event is emitted for it to [appear in a Log Analytics workspace](../azure-monitor/logs/data-ingestion-time.md). Also, learn more about [Active Directory reporting latencies](../active-directory/reports-monitoring/reference-reports-latencies.md), which can impact the staleness of data and play an important role in reporting. +> It can take up to 15 minutes after an event is emitted for it to [appear in a Log Analytics workspace](../azure-monitor/logs/data-ingestion-time.md). Also, learn more about [Active Directory reporting latencies](../active-directory/reports-monitoring/reference-azure-ad-sla-performance.md), which can impact the staleness of data and play an important role in reporting. If you see the error message, _To set up Diagnostic settings to use Azure Monitor for your Azure AD B2C directory, you need to set up delegated resource management_, make sure you sign in with a user who is a member of the [security group](#32-select-a-security-group) and [select your subscription](#4-select-your-subscription). The workbook will display reports in the form of a dashboard. ## Create alerts -Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events occur. You can also create alerts on absence of an event, or when a number of events occur within a particular time window. For example, alerts can be used to notify you when average number of sign-ins exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/alerts-log.md). +Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events occur. You can also create alerts on absence of an event, or when a number of events occur within a particular time window. For example, alerts can be used to notify you when average number of sign-ins exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/alerts-create-new-alert-rule.md). Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/alerts/action-groups.md) whenever there's a 25% drop in the **Total Requests** compared to previous period. Alert will run every 5 minutes and look for the drop in the last hour compared to the hour before it. The alerts are created using Kusto query language. |
active-directory-b2c | B2c Global Identity Proof Of Concept Funnel | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-proof-of-concept-funnel.md | Write users region to global lookup table. - [Azure AD B2C global identity solutions](b2c-global-identity-solutions.md) -- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)--- [Build a global identity solution with region-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)+- [Build a global identity solution with funnel-based approach](./b2c-global-identity-funnel-based-design.md) +- [Build a global identity solution with region-based approach](./b2c-global-identity-funnel-based-design.md) |
active-directory-b2c | B2c Global Identity Region Based Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-region-based-design.md | This scenario demonstrates how users will be able to perform account linking wh - [Azure AD B2C global identity solutions](b2c-global-identity-solutions.md) -- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)+- [Build a global identity solution with funnel-based approach](./b2c-global-identity-funnel-based-design.md) - [Azure AD B2C global identity proof of concept regional-based configuration](b2c-global-identity-proof-of-concept-regional.md) |
active-directory-b2c | B2c Global Identity Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-solutions.md | -Azure Active Directory B2C (Azure AD B2C) is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). It's built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allows self-service sign-up to applications. +Azure Active Directory B2C (Azure AD B2C) is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/whatis.md). It's built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allows self-service sign-up to applications. Azure AD B2C is a globally distributed service made up of several components: |
active-directory-b2c | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/best-practices.md | During the implementation phase, consider the following recommendations. | Best practice | Description | |--|--| | Edit custom policies with the Azure AD B2C extension for Visual Studio Code | Download Visual Studio Code and this community-built [extension from the Visual Studio Code Marketplace](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c). While not an official Microsoft product, the Azure AD B2C extension for Visual Studio Code includes several features that help make working with custom policies easier. |-| Learn how to troubleshoot Azure AD B2C | Learn how to [troubleshoot custom policies](./troubleshoot-custom-policies.md?tabs=applications) during development. Learn what a normal authentication flow looks like and use tools for discovering anomalies and errors. For example, use [Application Insights](troubleshoot-with-application-insights.md) to review output logs of user journeys. | +| Learn how to troubleshoot Azure AD B2C | Learn how to [troubleshoot custom policies](./troubleshoot.md?tabs=applications) during development. Learn what a normal authentication flow looks like and use tools for discovering anomalies and errors. For example, use [Application Insights](troubleshoot-with-application-insights.md) to review output logs of user journeys. | | Leverage our library of proven custom policy patterns | Find [samples](https://github.com/azure-ad-b2c/samples) for enhanced Azure AD B2C customer identity and access management (CIAM) user journeys. | ## Testing Test and automate your Azure AD B2C implementation. | Functional and UI testing | Test the user flows end-to-end. Add synthetic tests every few minutes using Selenium, VS Web Test, etc. | | Pen-testing | Before going live with your solution, perform penetration testing exercises to verify all components are secure, including any third-party dependencies. Verify you've secured your APIs with access tokens and used the right authentication protocol for your application scenario. Learn more about [Penetration testing](../security/fundamentals/pen-testing.md) and the [Microsoft Cloud Unified Penetration Testing Rules of Engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1). | | A/B Testing | Flight your new features with a small, random set of users before rolling out to your entire population. With JavaScript enabled in Azure AD B2C, you can integrate with A/B testing tools like Optimizely, Clarity, and others. |-| Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. Load-test your APIs and CDN. Learn more about [Resilience through developer best practices](../active-directory/fundamentals/resilience-b2c-developer-best-practices.md).| +| Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. Load-test your APIs and CDN. Learn more about [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md).| | Throttling | Azure AD B2C throttles traffic if too many requests are sent from the same source in a short period of time. Use several traffic sources while load testing, and handle the `AADB2C90229` error code gracefully in your applications. | | Automation | Use continuous integration and delivery (CI/CD) pipelines to automate testing and deployments, for example, [Azure DevOps](deploy-custom-policies-devops.md). | Stay up to date with the state of the service and find support options. | [Service updates](https://azure.microsoft.com/updates/?product=active-directory-b2c) | Stay up to date with Azure AD B2C product updates and announcements. | | [Microsoft Support](find-help-open-support-ticket.md) | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost. | | [Azure status](https://azure.status.microsoft/status) | View the current health status of all Azure services. |- |
active-directory-b2c | Configure Authentication Sample Android App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-sample-android-app.md | The apps registration and application architecture are illustrated in the follow A computer that's running: -- [Java Development Kit (JDK) 8 or later](https://openjdk.java.net/)+- [Java Development Kit (JDK) 8 or later](https://openjdk.org/) - [Apache Maven](https://maven.apache.org/)-- [Android API level 16 or later](https://developer.android.com/studio/releases/platforms)+- [Android API level 16 or later](https://developer.android.com/tools/releases/platforms) - [Android Studio](https://developer.android.com/studio) or another code editor |
active-directory-b2c | Configure Authentication Sample Angular Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-sample-angular-spa-app.md | The following diagram describes the app registrations and the app architecture. Before you follow the procedures in this article, make sure that your computer is running: * [Visual Studio Code](https://code.visualstudio.com/) or any other code editor.-* [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). +* [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm/). * [Angular CLI](https://angular.io/cli). ## Step 1: Configure your user flow You can add and modify redirect URIs in your registered applications at any time * [Learn more about the code sample](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/) * [Enable authentication in your own Angular application](enable-authentication-angular-spa-app.md) * [Configure authentication options in your Angular application](enable-authentication-angular-spa-app-options.md)-* [Enable authentication in your own web API](enable-authentication-web-api.md) +* [Enable authentication in your own web API](enable-authentication-web-api.md) |
active-directory-b2c | Configure Authentication Sample React Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-sample-react-spa-app.md | The following diagram describes the app registrations and the app architecture. Before you follow the procedures in this article, make sure that your computer is running: * [Visual Studio Code](https://code.visualstudio.com/) or another code editor.-* [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). To test that you have Node.js and npm correctly installed on your machine, you can type `node --version` and `npm --version` in a terminal or command prompt. +* [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm/). To test that you have Node.js and npm correctly installed on your machine, you can type `node --version` and `npm --version` in a terminal or command prompt. ## Step 1: Configure your user flow |
active-directory-b2c | Configure Authentication Sample Wpf Desktop App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-sample-wpf-desktop-app.md | -This article uses a sample [Windows Presentation Foundation (WPF) desktop](/visualstudio/designers/getting-started-with-wpf) application to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your desktop apps. +This article uses a sample [Windows Presentation Foundation (WPF) desktop](/visualstudio/get-started/csharp/tutorial-wpf) application to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your desktop apps. ## Overview The application registration and architecture are illustrated in the following d ## Prerequisites -A computer that's running [Visual Studio 2019](https://www.visualstudio.com/downloads/) with .NET desktop development. +A computer that's running [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) with .NET desktop development. ## Step 1: Configure your user flow This sample acquires an access token with the relevant scopes that the desktop a ## Step 4: Get the WPF desktop app sample -1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop.git), or clone the sample web application from the [GitHub repo](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop.git). +1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop), or clone the sample web application from the [GitHub repo](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop). ```bash git clone https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop.git |
active-directory-b2c | Configure Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-tokens.md | When using the [OAuth 2.0 authorization code flow](authorization-code-flow.md), ## Next steps - Learn more about how to [request access tokens](access-tokens.md).-- Learn how to build [Resilience through developer best practices](../active-directory/fundamentals/resilience-b2c-developer-best-practices.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json).+- Learn how to build [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md?bc=/azure/active-directory-b2c/bread/toc.json&toc=/azure/active-directory-b2c/TOC.json). |
active-directory-b2c | Cookie Definitions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/cookie-definitions.md | The following sections provide information about the cookies used in Azure Activ The Microsoft Azure AD B2C service is compatible with SameSite browser configurations, including support for `SameSite=None` with the `Secure` attribute. -To safeguard access to sites, web browsers will introduce a new secure-by-default model that assumes all cookies should be protected from external access unless otherwise specified. The Chrome browser is the first to implement this change, starting with [Chrome 80 in February 2020](https://www.chromium.org/updates/same-site). For more information about preparing for the change in Chrome, see [Developers: Get Ready for New SameSite=None; Secure Cookie Settings](https://blog.chromium.org/2019/10/developers-get-ready-for-new.html) on the Chromium Blog. +To safeguard access to sites, web browsers will introduce a new secure-by-default model that assumes all cookies should be protected from external access unless otherwise specified. The Chrome browser is the first to implement this change, starting with [Chrome 80 in February 2020](https://www.chromium.org/updates/same-site/). For more information about preparing for the change in Chrome, see [Developers: Get Ready for New SameSite=None; Secure Cookie Settings](https://blog.chromium.org/2019/10/developers-get-ready-for-new.html) on the Chromium Blog. Developers must use the new cookie setting, `SameSite=None`, to designate cookies for cross-site access. When the `SameSite=None` attribute is present, an additional `Secure` attribute must be used so cross-site cookies can only be accessed over HTTPS connections. Validate and test all your applications, including those applications that use Azure AD B2C. |
active-directory-b2c | Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-domain.md | Every new Azure AD B2C tenant comes with an initial domain name, <domainname& Follow these steps to add a custom domain to your Azure AD B2C tenant: -1. [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name-to-azure-ad). +1. [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name). > [!IMPORTANT] > For these steps, be sure to sign in to your **Azure AD B2C** tenant and select the **Azure Active Directory** service. https://<domain-name>/11111111-1111-1111-1111-111111111111/v2.0/ After you add the custom domain and configure your application, users will still be able to access the <tenant-name>.b2clogin.com domain. To prevent access, you can configure the policy to check the authorization request "host name" against an allowed list of domains. The host name is the domain name that appears in the URL. The host name is available through `{Context:HostName}` [claim resolvers](claim-resolver-overview.md). Then you can present a custom error message. -1. Get the example of a conditional access policy that checks the host name from [GitHub](https://github.com/azure-ad-b2c/samples/blob/master/policies/check-host-name). +1. Get the example of a conditional access policy that checks the host name from [GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/check-host-name). 1. In each file, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is *contosob2c*, all instances of `yourtenant.onmicrosoft.com` become `contosob2c.onmicrosoft.com`. 1. Upload the policy files in the following order: `B2C_1A_TrustFrameworkExtensions_HostName.xml` and then `B2C_1A_signup_signin_HostName.xml`. |
active-directory-b2c | Custom Email Mailjet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-email-mailjet.md | Use custom email in Azure Active Directory B2C (Azure AD B2C) to send customized ::: zone pivot="b2c-custom-policy" -Custom email verification requires the use of a third-party email provider like [Mailjet](https://Mailjet.com), [SendGrid](./custom-email-sendgrid.md), or [SparkPost](https://sparkpost.com), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses Mailjet. +Custom email verification requires the use of a third-party email provider like [Mailjet](https://www.mailjet.com/), [SendGrid](./custom-email-sendgrid.md), or [SparkPost](https://messagebird.com/email/cloud-sending?sp=true), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses Mailjet. ## Create a Mailjet account Next, store the Mailjet API key in an Azure AD B2C policy key for your policies ## Create a Mailjet template -With a Mailjet account created and the Mailjet API key stored in an Azure AD B2C policy key, create a Mailjet [dynamic transactional template](https://sendgrid.com/docs/ui/sending-email/how-to-send-an-email-with-dynamic-transactional-templates/). +With a Mailjet account created and the Mailjet API key stored in an Azure AD B2C policy key, create a Mailjet [dynamic transactional template](https://docs.sendgrid.com/ui/sending-email/how-to-send-an-email-with-dynamic-templates). 1. On the Mailjet site, open the [transactional templates](https://app.mailjet.com/templates/transactional) page and select **Create a new template**. 1. Select **By coding it in HTML**, and then select **Code from scratch**. |
active-directory-b2c | Custom Email Sendgrid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-email-sendgrid.md | Use custom email in Azure Active Directory B2C (Azure AD B2C) to send customized ::: zone pivot="b2c-custom-policy" -Custom email verification requires the use of a third-party email provider like [SendGrid](https://sendgrid.com), [Mailjet](https://Mailjet.com), or [SparkPost](https://sparkpost.com), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses SendGrid. +Custom email verification requires the use of a third-party email provider like [SendGrid](https://sendgrid.com), [Mailjet](https://www.mailjet.com/), or [SparkPost](https://messagebird.com/email/cloud-sending?sp=true), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses SendGrid. ## Create a SendGrid account If you don't already have one, start by setting up a SendGrid account. For setup Be sure to complete the section in which you [create a SendGrid API key](https://docs.sendgrid.com/for-developers/partners/microsoft-azure-2021#to-find-your-sendgrid-api-key). Record the API key for use in a later step. > [!IMPORTANT]-> SendGrid offers customers the ability to send emails from shared IP and [dedicated IP addresses](https://sendgrid.com/docs/ui/account-and-settings/dedicated-ip-addresses/). When using dedicated IP addresses, you need to build your own reputation properly with an IP address warm-up. For more information, see [Warming Up An Ip Address](https://sendgrid.com/docs/ui/sending-email/warming-up-an-ip-address/). +> SendGrid offers customers the ability to send emails from shared IP and [dedicated IP addresses](https://docs.sendgrid.com/ui/account-and-settings/dedicated-ip-addresses). When using dedicated IP addresses, you need to build your own reputation properly with an IP address warm-up. For more information, see [Warming Up An Ip Address](https://docs.sendgrid.com/ui/sending-email/warming-up-an-ip-address). ## Create Azure AD B2C policy key Next, store the SendGrid API key in an Azure AD B2C policy key for your policies ## Create SendGrid template -With a SendGrid account created and SendGrid API key stored in an Azure AD B2C policy key, create a SendGrid [dynamic transactional template](https://sendgrid.com/docs/ui/sending-email/how-to-send-an-email-with-dynamic-transactional-templates/). +With a SendGrid account created and SendGrid API key stored in an Azure AD B2C policy key, create a SendGrid [dynamic transactional template](https://docs.sendgrid.com/ui/sending-email/how-to-send-an-email-with-dynamic-templates). 1. On the SendGrid site, open the [transactional templates](https://sendgrid.com/dynamic_templates) page and select **Create a Dynamic Template**. 1. Enter a unique template name like `Verification email` and then select **Create**. |
active-directory-b2c | Custom Policy Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-overview.md | When developing with Azure AD B2C policies, you may run into errors or exception - Integrate Application Insights with Azure AD B2C to [diagnose exceptions](troubleshoot-with-application-insights.md). - The [Azure AD B2C extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) can help you access and [visualize the logs](https://github.com/azure-ad-b2c/vscode-extension/blob/master/src/help/app-insights.md) based on a policy name and time.-- The most common error in setting up custom policies is improperly formatted XML. Use [XML schema validation](troubleshoot-custom-policies.md) to identify errors before you upload your XML file.+- The most common error in setting up custom policies is improperly formatted XML. Use [XML schema validation](./troubleshoot.md) to identify errors before you upload your XML file. ## Continuous integration |
active-directory-b2c | Customize Ui | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui.md | Example of the Classic template rendered on sign up sign in page: ### Company branding -You can customize your Azure AD B2C pages with a banner logo, background image, and background color by using Azure Active Directory [Company branding](../active-directory/fundamentals/customize-branding.md). The company branding includes signing up, signing in, profile editing, and password resetting. +You can customize your Azure AD B2C pages with a banner logo, background image, and background color by using Azure Active Directory [Company branding](../active-directory/fundamentals/how-to-customize-branding.md). The company branding includes signing up, signing in, profile editing, and password resetting. The following example shows a *Sign up and sign in* page with a custom logo, background image, using Ocean Blue template: Start by setting the banner logo, background image, and background color within 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the Azure portal, search for and select **Azure AD B2C**. 1. Under **Manage**, select **Company branding**.-1. Follow the steps in [Add branding to your organization's Azure Active Directory sign-in page](../active-directory/fundamentals/customize-branding.md). +1. Follow the steps in [Add branding to your organization's Azure Active Directory sign-in page](../active-directory/fundamentals/how-to-customize-branding.md). Keep these things in mind when you configure company branding in Azure AD B2C: |
active-directory-b2c | Deploy Custom Policies Devops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/deploy-custom-policies-devops.md | -> Managing Azure AD B2C custom policies with Azure Pipelines currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=.%2fref%2ftoc.json&view=graph-rest-beta&preserve-view=true). +> Managing Azure AD B2C custom policies with Azure Pipelines currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=./ref/toc.json&view=graph-rest-beta&preserve-view=true). ## Prerequisites You should see a notification banner that says that a release has been queued. T Learn more about: * [Service-to-service calls using client credentials](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md)-* [Azure DevOps Services](/azure/devops/user-guide/) +* [Azure DevOps Services](/azure/devops/get-started/) <!-- LINKS - External --> [devops]: /azure/devops/ [devops-create-project]: /azure/devops/organizations/projects/create-project-[devops-pipelines]: /azure/devops/pipelines +[devops-pipelines]: /azure/devops/pipelines/ |
active-directory-b2c | Deploy Custom Policies Github Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/deploy-custom-policies-github-action.md | To automate the custom policy deployment process, use the [GitHub Action for dep This action deploys Azure AD B2C custom policies into your Azure AD B2C tenant using the [Microsoft Graph API](/graph/api/resources/trustframeworkpolicy?view=graph-rest-beta&preserve-view=true). If the policy does not yet exist in your tenant, it will be created. Otherwise, it will be replaced. > [!IMPORTANT]-> Managing Azure AD B2C custom policies with Azure Pipelines currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=.%2fref%2ftoc.json&view=graph-rest-beta&preserve-view=true). +> Managing Azure AD B2C custom policies with Azure Pipelines currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=./ref/toc.json&view=graph-rest-beta&preserve-view=true). ## Prerequisites For the GitHub Action to access data in Microsoft Graph, grant the registered ap GitHub secrets are encrypted environment variables that you create in an organization, repository, or repository environment. In this step, you store the application secret for the application you registered earlier in the [Register an MS Graph application](#register-a-microsoft-graph-application) step. -The GitHub Action for deploying Azure AD B2C custom policies uses the secret to acquire an access token that is used to interact with the Microsoft Graph API. 
For more information, see [Creating encrypted secrets for a repository](https://docs.github.com/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). +The GitHub Action for deploying Azure AD B2C custom policies uses the secret to acquire an access token that is used to interact with the Microsoft Graph API. For more information, see [Creating encrypted secrets for a repository](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository). To create a GitHub secret, follow these steps: To test the workflow you created, **Push** the changes of your custom policy. On ## Optional: Schedule your workflow -The workflow you created is triggered by the [push](https://docs.github.com/actions/reference/events-that-trigger-workflows#push) event. If you prefer, you can choose another event to trigger the workflow, for example a [pull request](https://docs.github.com/actions/reference/events-that-trigger-workflows#pull_request). +The workflow you created is triggered by the [push](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push) event. If you prefer, you can choose another event to trigger the workflow, for example a [pull request](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request). -You can also schedule a workflow to run at specific UTC times using [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). The schedule event allows you to trigger a workflow at a scheduled time. For more information, see [Scheduled events](https://docs.github.com/actions/reference/events-that-trigger-workflows#scheduled-events). +You can also schedule a workflow to run at specific UTC times using [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). 
The schedule event allows you to trigger a workflow at a scheduled time. For more information, see [Scheduled events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#scheduled-events). The following example triggers the workflow every day at 5:30 and 17:30 UTC: To edit your workflow: ## Next steps -- Learn how to configure [Events that trigger workflows](https://docs.github.com/actions/reference/events-that-trigger-workflows)--+- Learn how to configure [Events that trigger workflows](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) |
active-directory-b2c | Enable Authentication Angular Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-angular-spa-app.md | The sample code consists of the following components: |||| | auth-config.ts| Constants | This configuration file contains information about your Azure AD B2C identity provider and the web API service. The Angular app uses this information to establish a trust relationship with Azure AD B2C, sign in and sign out the user, acquire tokens, and validate the tokens. | | app.module.ts| [Angular module](https://angular.io/guide/architecture-modules)| This component describes how the application parts fit together. This is the root module that's used to bootstrap and open the application. In this walkthrough, you add some components to the *app.module.ts* module, and you start the MSAL library with the MSAL configuration object. |-| app-routing.module.ts | [Angular routing module](https://angular.io/tutorial/toh-pt5) | This component enables navigation by interpreting a browser URL and loading the corresponding component. In this walkthrough, you add some components to the routing module, and you protect components with [MSAL Guard](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/msal-guard.md). Only authorized users can access the protected components. | +| app-routing.module.ts | [Angular routing module](https://angular.io/tutorial/tour-of-heroes/toh-pt5) | This component enables navigation by interpreting a browser URL and loading the corresponding component. In this walkthrough, you add some components to the routing module, and you protect components with [MSAL Guard](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/msal-guard.md). Only authorized users can access the protected components. 
| | app.component.* | [Angular component](https://angular.io/guide/architecture-components) | The `ng new` command created an Angular project with a root component. In this walkthrough, you change the *app* component to host the top navigation bar. The navigation bar contains various buttons, including sign-in and sign-out buttons. The `app.component.ts` class handles the sign-in and sign-out events. | | home.component.* | [Angular component](https://angular.io/guide/architecture-components)|In this walkthrough, you add the *home* component to render the home page for anonymous access. This component demonstrates how to check whether a user has signed in. | | profile.component.* | [Angular component](https://angular.io/guide/architecture-components) | In this walkthrough, you add the *profile* component to learn how to read the ID token claims. | The *webapi.component* file demonstrates how to call a web API. In the *src/app/ The code: -1. Uses the Angular [HttpClient](https://angular.io/guide/http) class to call the web API. +1. Uses the Angular [HttpClient](https://angular.io/guide/understanding-communicating-with-http) class to call the web API. 1. Reads the `auth-config` class's `protectedResources.todoListApi.endpoint` element. This element specifies the web API URI. Based on the web API URI, the MSAL interceptor acquires an access token with the corresponding scopes. 1. Gets the profile from the web API and sets the `profile` class variable. |
active-directory-b2c | Enable Authentication React Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-react-spa-app.md | Review the prerequisites and integration steps in the [Configure authentication ## Step 1: Create a React app project -You can use an existing React app, or [create a new React App](https://reactjs.org/docs/create-a-new-react-app.html). To create a new project, run the following commands in your command shell: +You can use an existing React app, or [create a new React App](https://react.dev/learn/start-a-new-react-project). To create a new project, run the following commands in your command shell: ``` npm i bootstrap react-bootstrap The sample code is made up of the following components. Add these components from the sample React app to your own app: -- [public/index.html](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/3-Authorization-II/2-call-api-b2c/SPA/public/index.html)- The [bundling process](https://reactjs.org/docs/code-splitting.html) uses this file as a template and injects the React components into the `<div id="root">` element. If you open it directly in the browser, you'll see an empty page. +- [public/index.html](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/3-Authorization-II/2-call-api-b2c/SPA/public/index.html)- The [bundling process](https://legacy.reactjs.org/docs/code-splitting.html) uses this file as a template and injects the React components into the `<div id="root">` element. If you open it directly in the browser, you'll see an empty page. 
- [src/authConfig.js](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/3-Authorization-II/2-call-api-b2c/SPA/src/authConfig.js) - A configuration file that contains information about your Azure AD B2C identity provider and the web API service. The React app uses this information to establish a trust relationship with Azure AD B2C, sign in and sign out the user, acquire tokens, and validate the tokens. |
active-directory-b2c | Find Help Open Support Ticket | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/find-help-open-support-ticket.md | Before creating a support ticket, check out the following resources for answers * For content such as how-to information or code samples for IT professionals and developers, see the [technical documentation for Azure AD B2C](../active-directory-b2c/index.yml). -* The [Microsoft Technical Community](https://techcommunity.microsoft.com/) is the place for our IT pro partners and customers to collaborate, share, and learn. The [Microsoft Technical Community Info Center](https://techcommunity.microsoft.com/t5/Community-Info-Center/ct-p/Community-Info-Center) is used for announcements, blog posts, ask-me-anything (AMA) interactions with experts, and more. You can also [join the community to submit your ideas](https://techcommunity.microsoft.com/t5/Communities/ct-p/communities). +* The [Microsoft Technical Community](https://techcommunity.microsoft.com/) is the place for our IT pro partners and customers to collaborate, share, and learn. The [Microsoft Technical Community Info Center](https://techcommunity.microsoft.com/t5/community-lounge/ct-p/Community-Info-Center) is used for announcements, blog posts, ask-me-anything (AMA) interactions with experts, and more. You can also [join the community to submit your ideas](https://techcommunity.microsoft.com/t5/Communities/ct-p/communities). ## Open a support ticket |
active-directory-b2c | Identity Provider Adfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-adfs.md | zone_pivot_groups: b2c-policy-type ## Create an AD FS application -To enable sign-in for users with an AD FS account in Azure Active Directory B2C (Azure AD B2C), create an Application Group in your AD FS. For more information, see [Build a web application using OpenID Connect with AD FS 2016 and later](/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs) +To enable sign-in for users with an AD FS account in Azure Active Directory B2C (Azure AD B2C), create an Application Group in your AD FS. For more information, see [Build a web application using OpenID Connect with AD FS 2016 and later](../active-directory/develop/msal-migration.md) To create an Application Group, follow these steps: |
active-directory-b2c | Identity Provider Apple Id | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-apple-id.md | If the sign-in process is successful, your browser is redirected to `https://jwt ## Customize your user interface -Follow the guidelines how to [offer Sign in with Apple](https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple/overview/introduction/). Apple provides several **Sign in with Apple** buttons you can use to let people set up an account and sign in. If necessary, create a custom button to offer Sign in with Apple. Learn how to [display a Sign in with Apple button](https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple/overview/buttons/). +Follow the guidelines how to [offer Sign in with Apple](https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple). Apple provides several **Sign in with Apple** buttons you can use to let people set up an account and sign in. If necessary, create a custom button to offer Sign in with Apple. Learn how to [display a Sign in with Apple button](https://developer.apple.com/design/human-interface-guidelines/buttons). To align with the Apple user interface guidelines: - [Customize the user interface with HTML templates](customize-ui-with-html.md) - [Localize](language-customization.md) the identity provider name.- |
active-directory-b2c | Identity Provider Azure Ad Multi Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md | To enable sign-in for users with an Azure AD account in Azure Active Directory B ### Configuring optional claims -If you want to get the `family_name`, and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md). +If you want to get the `family_name`, and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/optional-claims.md). 1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**. 1. From the **Manage** section, select **App registrations**. |
active-directory-b2c | Identity Provider Azure Ad Single Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md | If the sign-in process is successful, your browser is redirected to `https://jwt ### [Optional] Configuring optional claims -If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md). +If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/optional-claims.md). 1. Sign in to the [Azure portal](https://portal.azure.com) using your organizational Azure AD tenant. Or if you're already signed in, make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso): 1. Select the **Directories + subscriptions** icon in the portal toolbar. |
active-directory-b2c | Identity Provider Ebay | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-ebay.md | zone_pivot_groups: b2c-policy-type ## Create an eBay application -To enable sign-in for users with an eBay account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [eBay developer console](https://developer.ebay.com). For more information, see [Creating a developer account](https://developer.ebay.com/api-docs/static/creating-edp-account.html). If you don't already have an eBay developer account, sign up at [https://developer.ebay.com/signin](https://developer.ebay.com/signin?tab=register). +To enable sign-in for users with an eBay account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [eBay developer console](https://developer.ebay.com). For more information, see [Creating a developer account](https://developer.ebay.com/api-docs/static/gs_join-the-ebay-developers-program.html). If you don't already have an eBay developer account, sign up at [https://developer.ebay.com/signin](https://developer.ebay.com/signin?tab=register). To create an eBay application, follow these steps: |
active-directory-b2c | Identity Provider Github | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-github.md | zone_pivot_groups: b2c-policy-type ## Create a GitHub OAuth application -To enable sign-in with a GitHub account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [GitHub Developer](https://github.com/settings/developers) portal. For more information, see [Creating an OAuth App](https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-an-oauth-app). If you don't already have a GitHub account, you can sign up at [https://www.github.com/](https://www.github.com/). +To enable sign-in with a GitHub account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [GitHub Developer](https://github.com/settings/developers) portal. For more information, see [Creating an OAuth App](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app). If you don't already have a GitHub account, you can sign up at [https://www.github.com/](https://github.com/). 1. Sign in to the [GitHub Developer](https://github.com/settings/developers) with your GitHub credentials. 1. Select **OAuth Apps** and then select **New OAuth App**. |
active-directory-b2c | Identity Provider Linkedin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-linkedin.md | zone_pivot_groups: b2c-policy-type ## Create a LinkedIn application -To enable sign-in for users with a LinkedIn account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [LinkedIn Developers website](https://www.developer.linkedin.com/). For more information, see [Authorization Code Flow](/linkedin/shared/authentication/authorization-code-flow). If you don't already have a LinkedIn account, you can sign up at [https://www.linkedin.com/](https://www.linkedin.com/). +To enable sign-in for users with a LinkedIn account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [LinkedIn Developers website](https://developer.linkedin.com/). For more information, see [Authorization Code Flow](/linkedin/shared/authentication/authorization-code-flow). If you don't already have a LinkedIn account, you can sign up at [https://www.linkedin.com/](https://www.linkedin.com/). -1. Sign in to the [LinkedIn Developers website](https://www.developer.linkedin.com/) with your LinkedIn account credentials. +1. Sign in to the [LinkedIn Developers website](https://developer.linkedin.com/) with your LinkedIn account credentials. 1. Select **My Apps**, and then click **Create app**. 1. Enter **App name**, **LinkedIn Page**, **Privacy policy URL**, and **App logo**. 1. Agree to the LinkedIn **API Terms of Use** and click **Create app**. For a full sample of a policy that uses the LinkedIn identity provider, see the LinkedIn recently [updated their APIs from v1.0 to v2.0](https://engineering.linkedin.com/blog/2018/12/developer-program-updates). As part of the migration, Azure AD B2C is only able to obtain the full name of the LinkedIn user during the sign-up. 
If an email address is one of the attributes that is collected during sign-up, the user must manually enter the email address and validate it. |
active-directory-b2c | Identity Provider Microsoft Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-microsoft-account.md | If the sign-in process is successful, your browser is redirected to `https://jwt ## Configuring optional claims -If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md). +If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/optional-claims.md). 1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**. 1. From the **Manage** section, select **App registrations**. |
active-directory-b2c | Identity Provider Salesforce Saml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-salesforce-saml.md | This article shows you how to enable sign-in for users from a Salesforce organiz ## Prerequisites [!INCLUDE [active-directory-b2c-customization-prerequisites-custom-policy](../../includes/active-directory-b2c-customization-prerequisites-custom-policy.md)]-- If you haven't already done so, sign up for a [free Developer Edition account](https://developer.salesforce.com/signup). This article uses the [Salesforce Lightning Experience](https://developer.salesforce.com/page/Lightning_Experience_FAQ).-- [Set up a My Domain](https://help.salesforce.com/articleView?id=domain_name_setup.htm&language=en_US&type=0) for your Salesforce organization.+- If you haven't already done so, sign up for a [free Developer Edition account](https://developer.salesforce.com/signup). This article uses the [Salesforce Lightning Experience](https://trailhead.salesforce.com/content/learn/trails/lex_admin_implementation). +- [Set up a My Domain](https://help.salesforce.com/s/articleView?id=domain_name_setup.htm&language=en_US&type=0) for your Salesforce organization. ## Set up Salesforce as an identity provider You can define a Salesforce account as a claims provider by adding it to the **C If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C. |
active-directory-b2c | Identity Provider Salesforce | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-salesforce.md | zone_pivot_groups: b2c-policy-type ## Create a Salesforce application -To enable sign-in for users with a Salesforce account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in your Salesforce [App Manager](https://login.salesforce.com/). For more information, see [Configure Basic Connected App Settings](https://help.salesforce.com/articleView?id=connected_app_create_basics.htm), and [Enable OAuth Settings for API Integration](https://help.salesforce.com/articleView?id=connected_app_create_api_integration.htm) +To enable sign-in for users with a Salesforce account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in your Salesforce [App Manager](https://login.salesforce.com/). For more information, see [Configure Basic Connected App Settings](https://help.salesforce.com/s/articleView?id=connected_app_create_basics.htm&language=en_US), and [Enable OAuth Settings for API Integration](https://help.salesforce.com/s/articleView?id=connected_app_create_api_integration.htm&language=en_US) 1. [Sign in to Salesforce](https://login.salesforce.com/). 1. From the menu, select **Setup**. To enable sign-in for users with a Salesforce account in Azure Active Directory 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**. 1. Select **Identity providers**, and then select **New OpenID Connect provider**. 1. Enter a **Name**. For example, enter *Salesforce*.-1. For **Metadata url**, enter the URL of the [Salesforce OpenID Connect Configuration document](https://help.salesforce.com/articleView?id=remoteaccess_using_openid_discovery_endpoint.htm). For a sandbox, login.salesforce.com is replaced with test.salesforce.com. 
For a community, login.salesforce.com is replaced with the community URL, such as username.force.com/.well-known/openid-configuration. The URL must be HTTPS. +1. For **Metadata url**, enter the URL of the [Salesforce OpenID Connect Configuration document](https://help.salesforce.com/s/articleView?id=remoteaccess_using_openid_discovery_endpoint.htm&language=en_US). For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as username.force.com/.well-known/openid-configuration. The URL must be HTTPS. ``` https://login.salesforce.com/.well-known/openid-configuration You can define a Salesforce account as a claims provider by adding it to the **C </ClaimsProvider> ``` -4. The **METADATA** is set to the URL of the [Salesforce OpenID Connect Configuration document](https://help.salesforce.com/articleView?id=remoteaccess_using_openid_discovery_endpoint.htm). For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as username.force.com/.well-known/openid-configuration. The URL must be HTTPS. +4. The **METADATA** is set to the URL of the [Salesforce OpenID Connect Configuration document](https://help.salesforce.com/s/articleView?id=remoteaccess_using_openid_discovery_endpoint.htm&language=en_US). For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as username.force.com/.well-known/openid-configuration. The URL must be HTTPS. 5. Set **client_id** to the application ID from the application registration. 6. Save the file. |
active-directory-b2c | Manage Custom Policies Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-custom-policies-powershell.md | Message: Validation failed: 1 validation error(s) found in policy "B2C_1A_SIGNUP ... ``` -For information about troubleshooting custom policies, see [Troubleshoot Azure AD B2C custom policies and Identity Experience Framework](./troubleshoot-custom-policies.md). +For information about troubleshooting custom policies, see [Troubleshoot Azure AD B2C custom policies and Identity Experience Framework](./troubleshoot.md). ## Next steps |
active-directory-b2c | Manage Users Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-users-portal.md | As described in [Overview of user accounts in Azure AD B2C](user-overview.md), t * Guest * Consumer -This article focuses on working with **consumer accounts** in the Azure portal. For information about creating and deleting Work and Guest accounts, see [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md). +This article focuses on working with **consumer accounts** in the Azure portal. For information about creating and deleting Work and Guest accounts, see [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users.md). ## Create a consumer user To reset a user's password: 1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. -For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md). +For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/users-restore.md). ## Export consumer users Currently, Azure AD B2C doesn't support user session revocation from the Azure p ## Next steps -For automated user management scenarios, for example migrating users from another identity provider to your Azure AD B2C directory, see [Azure AD B2C: User migration](user-migration.md). +For automated user management scenarios, for example migrating users from another identity provider to your Azure AD B2C directory, see [Azure AD B2C: User migration](user-migration.md). |
active-directory-b2c | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/overview.md | Azure Active Directory B2C provides business-to-customer identity as a service. Azure AD B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks. -Azure AD B2C is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign-up and into those applications with no restrictions on user account. +Azure AD B2C is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/whatis.md). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign-up and into those applications with no restrictions on user account. ## Who uses Azure AD B2C? Any business or individual who wishes to authenticate end users to their web/mobile applications using a white-label authentication solution. Apart from authentication, Azure AD B2C service is used for authorization such as access to API resources by authenticated users. Azure AD B2C is designed to be used by **IT administrators** and **developers**. Now that you have an idea of what Azure AD B2C is and some of the scenarios it c > [!div class="nextstepaction"] > [Azure AD B2C technical overview >](technical-overview.md)-- |
active-directory-b2c | Partner Akamai Secure Hybrid Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-akamai-secure-hybrid-access.md | To get started, you'll need: - An application that uses headers for authentication. In this sample, we'll use an application that displays headers [docker header-demo-app](https://hub.docker.com/r/mistermik/header-demo-app). -- **OR** an OpenID Connect (OIDC) application. In this sample, we'll use an [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.+- **OR** an OpenID Connect (OIDC) application. In this sample, we'll use an [ASP.NET MVC web app](../active-directory/develop/web-app-tutorial-01-register-application.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform. ## Scenario description Once the Application is deployed in a private environment and a connector is cap #### Option 2: OpenID Connect -In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform. +In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/web-app-tutorial-01-register-application.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform. 1. Configure the OIDC to SAML bridging in the **AZURE AD B2C SAML IdP** created with the previous steps. In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/tu [ ![Screenshot shows the akamai oidc app claim settings.](./media/partner-akamai-secure-hybrid-access/akamai-oidc-claims-settings.png)](./media/partner-akamai-secure-hybrid-access/akamai-oidc-claims-settings.png#lightbox) -7. Replace startup class with the following code in the [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md). +7. Replace startup class with the following code in the [ASP.NET MVC web app](../active-directory/develop/web-app-tutorial-01-register-application.md). These few changes configure the Authorization code flow grant, the authorization code will be redeemed for tokens at the token endpoint for the application, and it introduces the Metadata Address to set the discovery endpoint for obtaining metadata from Akamai. |
active-directory-b2c | Partner Akamai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-akamai.md | To learn more, go to techdocs.akamai.com for [What is a Property?](https://techd 4. For **Property hostnames**, add a property hostname, your custom domain. For example, `login.domain.com`. > [!IMPORTANT]- > Create or modify certificates with correct custom domain name settings. </br> Go to techdocs.akamai.com for [Configure HTTPS hostnames](https://learn.akamai.com/en-us/webhelp/property-manager/https-delivery-with-property-manager/GUID-9EE0EB6A-E62B-4F5F-9340-60CBD093A429.html). + > Create or modify certificates with correct custom domain name settings. </br> Go to techdocs.akamai.com for [Configure HTTPS hostnames](https://techdocs.akamai.com/property-mgr/docs/serve-content-over-https). #### Origin server property configuration settings To ensure traffic to Azure AD B2C goes through the custom domain: * [Enable custom domains for Azure Active Directory B2C](./custom-domain.md?pivots=b2c-user-flow) * [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)- |
active-directory-b2c | Partner Arkose Labs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-arkose-labs.md | To get started, you'll need: - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - [An Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription - An Arkose Labs account- - Go to arkoselabs.com to [request a demo](https://www.arkoselabs.com/book-a-demo/) + - Go to arkoselabs.com to [request a demo](https://www.arkoselabs.com/bot-management-demo/) ## Scenario description The following diagram illustrates how the Arkose Labs platform integrates with A ## Request a demo from Arkose Labs -1. Go to arkoselabs.com to [book a demo](https://www.arkoselabs.com/book-a-demo/). +1. Go to arkoselabs.com to [book a demo](https://www.arkoselabs.com/bot-management-demo/). 2. Create an account.-3. Navigate to the [Arkose Portal](https://dashboard.arkoselabs.com/login) sign-in page. +3. Navigate to the [Arkose Portal](https://portal.arkoselabs.com/) sign-in page. 4. In the dashboard, navigate to site settings. 5. Locate your public key and private key. You'll use this information later. The user flow is for sign-up and sign-in, or sign-up. The Arkose Labs user flow 3. In Azure-Samples, modify [selfAsserted.html](https://github.com/Azure-Samples/active-directory-b2c-node-sign-up-user-flow-arkose/blob/main/Assets/selfAsserted.html) file so `<ARKOSE_PUBLIC_KEY>` matches the value you generated for the client-side validation. 4. Host the HTML page on a Cross-Origin Resource Sharing (CORS) enabled web endpoint. -5. [Create a storage account](../storage/common/storage-account-create.md?tabs=azure-portal&toc=%2fazure%2fstorage%2fblobs%2ftoc.json). +5. [Create a storage account](../storage/common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json). 6. [CORS support for Azure Storage](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services). >[!NOTE] |
active-directory-b2c | Partner Asignio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-asignio.md | zone_pivot_groups: b2c-policy-type # Configure Asignio with Azure Active Directory B2C for multifactor authentication -Learn to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication. +Learn to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.web.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication. ## Before you begin |
active-directory-b2c | Partner Bindid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-bindid.md | zone_pivot_groups: b2c-policy-type # Configure Transmit Security with Azure Active Directory B2C for passwordless authentication -In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Transmit Security](https://www.transmitsecurity.com/bindid) BindID, a passwordless authentication solution. BindID uses strong Fast Identity Online (FIDO2) biometric authentication for reliable omni-channel authentication. The solution ensures a smooth sign in experience for customers across devices and channels, while reducing fraud, phishing, and credential reuse. +In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Transmit Security](https://transmitsecurity.com/solutions/password-mfa-replacement) BindID, a passwordless authentication solution. BindID uses strong Fast Identity Online (FIDO2) biometric authentication for reliable omni-channel authentication. The solution ensures a smooth sign in experience for customers across devices and channels, while reducing fraud, phishing, and credential reuse. ## Scenario description To get started, you need: * An Azure AD B2C tenant linked to the Azure subscription * See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md) * A BindID tenant- * Go to transmitsecurity.com to [get started](https://www.transmitsecurity.com/developer?utm_signup=dev_hub#try) + * Go to transmitsecurity.com to [get started](https://developer.transmitsecurity.com/#try?utm_signup=dev_hub) * Register a web application in the Azure portal * [Tutorial: Register a web application in Azure Active Directory B2C](./tutorial-register-applications.md) * Azure AD B2C custom policies |
active-directory-b2c | Partner Cloudflare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-cloudflare.md | -In this tutorial, you can learn how to configure the [Cloudflare Web Application Firewall (WAF)](https://www.cloudflare.com/waf/) solution for Azure Active Directory B2C (Azure AD B2C) tenant with custom domain. Use Cloudflare WAF to help protect organizations from malicious attacks that can exploit vulnerabilities such as SQL Injection, and cross-site scripting (XSS). +In this tutorial, you can learn how to configure the [Cloudflare Web Application Firewall (WAF)](https://www.cloudflare.com/application-services/products/waf/) solution for Azure Active Directory B2C (Azure AD B2C) tenant with custom domain. Use Cloudflare WAF to help protect organizations from malicious attacks that can exploit vulnerabilities such as SQL Injection, and cross-site scripting (XSS). ## Prerequisites After a custom domain for Azure AD B2C is configured using Azure Front Door, [te ## Create a Cloudflare account -On cloudflare.com, you can [create an account](https://dash.cloudflare.com/sign-up). To enable WAF, on [Application Services]([https://www.cloudflare.com/plans/](https://www.cloudflare.com/plans/#price-matrix) select **Pro**, which is required. +On cloudflare.com, you can [create an account](https://dash.cloudflare.com/sign-up). To enable WAF, on [Application Services](https://www.cloudflare.com/plans/#price-matrix), select **Pro**, which is required. ### Configure DNS The settings appear in the following image. ### Configure the Web Application Firewall -Go to your Cloudflare settings, and use the Cloudflare content to [configure the WAF](https://www.cloudflare.com/waf/) and learn about other security tools. +Go to your Cloudflare settings, and use the Cloudflare content to [configure the WAF](https://www.cloudflare.com/application-services/products/waf/) and learn about other security tools. ### Configure firewall rule |
active-directory-b2c | Partner Experian | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-experian.md | -Learn more about [Experian](https://www.experian.com/decision-analytics/account-opening-fraud/microsoft-integration) solutions, services, etc. +Learn more about [Experian](https://www.experian.com/business/products/crosscore) solutions, services, etc. In this tutorial, you can use the following attributes in CrossCore risk analysis: The following architecture diagram shows the implementation. ## Onboard with Experian -1. Create an Experian account. To get started, go to [Experian](https://www.experian.com/decision-analytics/account-opening-fraud/microsoft-integration) and scroll to the bottom for the contact form. +1. Create an Experian account. To get started, go to [Experian](https://www.experian.com/business/products/crosscore) and scroll to the bottom for the contact form. 2. When an account is created, you receive information for API configuration. The following sections continue the process. ## Configure Azure AD B2C with Experian |
active-directory-b2c | Partner F5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-f5.md | Learn to integrate Azure Active Directory B2C (Azure AD B2C) with F5 BIG-IP Acce Deploy F5 BIG-IP Application Delivery Controller (ADC) as a secure gateway between private networks and the internet. There are features for application-level inspection and customizable access controls. If deployed as a reverse proxy, use the BIG-IP to enable secure hybrid access to business applications, with a federated identity access layer managed by APM. -Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Azure AD](https://www.f5.com/services/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory) +Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Azure AD](https://www.f5.com/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory) ## Prerequisites To get started, you need: * F5 BIG-IP® Best bundle * F5 BIG-IP Access Policy Manager™ standalone license * F5 BIG-IP Access Policy Manager™ add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php) + * 90-day BIG-IP full feature [trial license](https://www.f5.com/trials) * A header-based web application or an IIS app for testing * See, [Set up an IIS app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) * SSL certificate to publish services over HTTPS, or use default while testing For BIG-IP configuration use Guided Configuration v.7/8. The workflow framework 2. Go to **Access** > **Guided Configuration**. 3. The version appears in the top right-hand corner. -To upgrade the Guided Configuration, go to my.f5.com for [K85454683: Upgrade F5 BIG-IP Guided Configuration on the BIG-IP system](https://support.f5.com/csp/article/K85454683). +To upgrade the Guided Configuration, go to my.f5.com for [K85454683: Upgrade F5 BIG-IP Guided Configuration on the BIG-IP system](https://my.f5.com/manage/s/article/K85454683). ### SSL profiles To achieve SLO, enable your application sign out function to call the Azure AD B An alternative SLO process is to enable the BIG-IP to listen for the request, when selecting the applications **Sign out** button. Upon detecting the request, it calls to the Azure AD B2C sign out endpoint. This approach precludes making changes to the application. -To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145). +To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://my.f5.com/manage/s/article/K42052145). > [!NOTE] > Regardless of approach, ensure the Azure AD B2C tenant knows the APM sign-out endpoint. The same access log provides detail. 10. Select **Apply**. For more information, go to techdocs.f5.com for [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)- |
active-directory-b2c | Partner Grit Editor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-grit-editor.md | -[Grit Software Systems Visual Identity Experience Framework (IEF) Editor](https://www.gritiam.com/iefeditor), is a tool that saves time during Azure Active Directory B2C (Azure AD B2C) authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys. +[Grit Software Systems Visual Identity Experience Framework (IEF) Editor](https://www.gritiam.com/iefeditor.html), is a tool that saves time during Azure Active Directory B2C (Azure AD B2C) authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys. Use the Visual IEF Editor to: After the IEF is modified, download, and upload the files to Azure AD B2C to see For additional information, review the following articles: -- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](custom-policy-get-started.md?tabs=applications)+- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications) - [IEF Editor](https://app.archbee.com/doc/uwPRnuvZNjyEaJ8odNOEC/WmcXf6fTZjAHpx7-rAlac) documentation - [Grit IAM B2B2C](partner-grit-iam.md)- |
active-directory-b2c | Partner Grit Iam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-grit-iam.md | Check the authentication [scenarios](#scenario-description) in your applications - [Azure AD B2C custom policy overview](custom-policy-overview.md) -- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](custom-policy-get-started.md?tabs=applications)+- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications) - [SAAS Platform - Organization Application Onboarding Portal](https://app.archbee.com/doc/G_YZFq_VwvgMlmX-_efmX/8m90WVb2M6Yi0gCe7yor2) |
active-directory-b2c | Partner Hypr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-hypr.md | -In this tutorial, learn to configure Azure Active Directory B2C (Azure AD B2C) with [HYPR](https://get.hypr.com). When Azure AD B2C is the identity provider (IdP), you can integrate HYPR with customer applications for passwordless authentication. HYPR replaces passwords with public key encryptions that help prevent fraud, phishing, and credential reuse. +In this tutorial, learn to configure Azure Active Directory B2C (Azure AD B2C) with [HYPR](https://www.hypr.com/). When Azure AD B2C is the identity provider (IdP), you can integrate HYPR with customer applications for passwordless authentication. HYPR replaces passwords with public key encryptions that help prevent fraud, phishing, and credential reuse. ## Prerequisites To get started, you'll need: - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - A HYPR cloud tenant- - Request a HYPR [custom demo](https://get.hypr.com/free-trial) + - Request a HYPR [custom demo](https://get.hypr.com/get-a-demo) - A user mobile device registered using the HYPR REST APIs, or the HYPR Device Manager in your HYPR tenant- - For example, see [HYPR SDK for Java Web](https://docs.hypr.com/integratinghypr/docs/hypr-java-web-sdk) + - For example, see [HYPR SDK for Java Web](https://docs.hypr.com/integratinghypr/docs/sdk-java-web) ## Scenario description |
active-directory-b2c | Partner Idology | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-idology.md | The following architecture diagram shows the implementation. ### Part 1 - Deploy the API -Deploy the provided [API code](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/IDology/Api) to an Azure service. The code can be published from Visual Studio, following these [instructions](/visualstudio/deployment/quickstart-deploy-to-azure). +Deploy the provided [API code](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/IDology/Api) to an Azure service. The code can be published from Visual Studio, following these [instructions](/visualstudio/deployment/quickstart-deploy-aspnet-web-app). You'll need the URL of the deployed service to configure Azure AD with the required settings. |
active-directory-b2c | Partner Itsme | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-itsme.md | Please clarify step 1 in the description below - we don't have steps in this tut 1. After activation of your itsme partner account, you'll receive an email with a one-time link to the **client secret**. -1. Follow the instructions at [itsme](https://business.itsme.be/en) to complete the configuration. +1. Follow the instructions at [itsme](https://www.itsme-id.com/en-BE/business) to complete the configuration. ## Integrate with Azure AD B2C |
active-directory-b2c | Partner Keyless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-keyless.md | To get started, you'll need: * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to the Azure subscription * A Keyless cloud tenant- * Go to keyless.io to [Request a demo](https://keyless.io/go) + * Go to keyless.io to [Request a demo](https://keyless.io/demo-request) * The Keyless Authenticator app installed on a user device ## Scenario description |
active-directory-b2c | Partner Ping Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-ping-identity.md | -In this tutorial, learn how to extend the capabilities of Azure Active Directory B2C (Azure AD B2C) with [PingAccess](https://www.pingidentity.com/en/software/pingaccess.html) and [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html). PingAccess provides access to applications and APIs, and a policy engine for authorized user access. PingFederate is an enterprise federation server for user authentication and single sign-on, an authority that permits customers, employees, and partners to access applications from devices. Use them together to enable secure hybrid access (SHA). +In this tutorial, learn how to extend the capabilities of Azure Active Directory B2C (Azure AD B2C) with [PingAccess](https://www.pingidentity.com/en/platform/capabilities/web-api-access/pingaccess.html) and [PingFederate](https://www.pingidentity.com/en/platform/capabilities/authentication-authority/pingfederate.html). PingAccess provides access to applications and APIs, and a policy engine for authorized user access. PingFederate is an enterprise federation server for user authentication and single sign-on, an authority that permits customers, employees, and partners to access applications from devices. Use them together to enable secure hybrid access (SHA). Many e-commerce sites and web applications exposed to the internet are deployed behind proxy systems, or a reverse-proxy system. These proxy systems pre-authenticate, enforce policy, and route traffic. Typical scenarios include protecting web applications from inbound web traffic and providing a uniform session management across distributed server deployments. If you want to modernize an identity platform in such configurations, there migh - Drive the end-user experience consistency - Provide a single sign-in experience across applications -In answer to these concerns, the approach in this tutorial is an Azure AD B2C, [PingAccess](https://www.pingidentity.com/en/software/pingaccess.html), and [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) integration. +In answer to these concerns, the approach in this tutorial is an Azure AD B2C, [PingAccess](https://www.pingidentity.com/en/platform/capabilities/web-api-access/pingaccess.html), and [PingFederate](https://www.pingidentity.com/en/platform/capabilities/authentication-authority/pingfederate.html) integration. ## Shared environment |
active-directory-b2c | Partner Saviynt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-saviynt.md | Learn more: [Application and service principal objects in Azure AD](../active-di 1. Install the latest version of Microsoft Graph PowerShell Module on a Windows workstation or server. -For more information, see [Microsoft Graph PowerShell documentation](/powershell/microsoftgraph). +For more information, see [Microsoft Graph PowerShell documentation](/powershell/microsoftgraph/). 2. Connect to the PowerShell module and execute the following commands: |
active-directory-b2c | Partner Strata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-strata.md | -In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) with Strata [Maverics Identity Orchestrator](https://www.strata.io/maverics-identity-orchestrator/), which helps protect on-premises applications. It connects to identity systems, migrates users and credentials, synchronizes policies and configurations, and abstracts authentication and session management. Use Strata to transition from legacy, to Azure AD B2C, without rewriting applications. +In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) with Strata [Maverics Identity Orchestrator](https://www.strata.io/), which helps protect on-premises applications. It connects to identity systems, migrates users and credentials, synchronizes policies and configurations, and abstracts authentication and session management. Use Strata to transition from legacy, to Azure AD B2C, without rewriting applications. The solution has the following benefits: To get started, you'll need: - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - An instance of [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) to store secrets used by Maverics Identity Orchestrator. Connect to Azure AD B2C or other attribute providers such as a Lightweight Directory Access Protocol (LDAP) directory or database.-- An instance of [Maverics Identity Orchestrator](https://www.strata.io/maverics-identity-orchestrator/) running in an Azure virtual machine (VM), or an on-premises server. To get software and documentation, go to strata.io [Contact Strata Identity](https://www.strata.io/contact/).+- An instance of [Maverics Identity Orchestrator](https://www.strata.io/) running in an Azure virtual machine (VM), or an on-premises server. To get software and documentation, go to strata.io [Contact Strata Identity](https://www.strata.io/company/contact/). - An on-premises application to transition to Azure AD B2C ## Scenario description The following architecture diagram shows the implementation. ## Maverics Identity Orchestrator -To get software and documentation, go to strata.io [Contact Strata Identity](https://www.strata.io/contact/). Determine Orchestrator prerequisites. Install and configure. +To get software and documentation, go to strata.io [Contact Strata Identity](https://www.strata.io/company/contact/). Determine Orchestrator prerequisites. Install and configure. ## Configure your Azure AD B2C tenant You can run your Orchestrator instance on any server, whether on-premises or in ### Install Maverics Identity Orchestrator 1. Obtain the latest Maverics RPM package. -2. Place the package on the system you'd like to install Maverics. If you're copying to a remote host, use SSH [scp](https://www.ssh.com/ssh/scp/). +2. Place the package on the system you'd like to install Maverics. If you're copying to a remote host, use SSH [scp](https://www.ssh.com/academy/ssh/scp). 3. Run the following command. Use your filename to replace `maverics.rpm`. `sudo rpm -Uvf maverics.rpm` |
active-directory-b2c | Partner Whoiam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-whoiam.md | -Learn more: [WhoIAM, Products and Services, Branded Identity Management System](https://www.whoiam.ai/brims/) +Learn more: [WhoIAM, Products and Services, Branded Identity Management System](https://www.whoiam.ai/product/branded-identity-management/) ## Prerequisites The following diagram shows the implementation architecture. 3. Deploy the BRIMS API and the BRIMS administration portal in your Azure environment. 4. Follow the documentation to configure your app. Use BRIMS for user identity verification. Azure AD B2C custom policy samples are in the BRIMS sign-up documentation. -For more information about WhoIAM BRIMS, request documentation on [WhoIAM, Contact Us](https://www.whoiam.ai/brims/). +For more information about WhoIAM BRIMS, request documentation on [WhoIAM, Contact Us](https://www.whoiam.ai/product/branded-identity-management/). ## Test the user flow |
active-directory-b2c | Quickstart Native App Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/quickstart-native-app-desktop.md | Azure Active Directory B2C (Azure AD B2C) provides cloud identity management to ## Prerequisites -- [Visual Studio 2019](https://www.visualstudio.com/downloads/) with the **ASP.NET and web development** workload.+- [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) with the **ASP.NET and web development** workload. - A social account from either Facebook, Google, or Microsoft. - [Download a zip file](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop/archive/msalv3.zip) or clone the [Azure-Samples/active-directory-b2c-dotnet-desktop](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop) repository from GitHub. |
active-directory-b2c | Quickstart Web App Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/quickstart-web-app-dotnet.md | In this quickstart, you use an ASP.NET application to sign in using a social ide ## Prerequisites -- [Visual Studio 2022](https://www.visualstudio.com/downloads/) with the **ASP.NET and web development** workload.+- [Visual Studio 2022](https://visualstudio.microsoft.com/downloads/) with the **ASP.NET and web development** workload. - A social account from Facebook, Google, or Microsoft. - [Download a zip file](https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/archive/master.zip) or clone the sample web application from GitHub. |
active-directory-b2c | Saml Service Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/saml-service-provider.md | The following SAML application scenarios are supported via your own metadata end - Get the SAML test web app from the [Azure AD B2C GitHub community repo](https://github.com/azure-ad-b2c/saml-sp-tester). - See the [options for registering a SAML application in Azure AD B2C](saml-service-provider-options.md).-- Learn how to build [Resilience through developer best practices](../active-directory/fundamentals/resilience-b2c-developer-best-practices.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json).+- Learn how to build [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md?bc=/azure/active-directory-b2c/bread/toc.json&toc=/azure/active-directory-b2c/TOC.json). <!-- LINKS - External --> [samltest]: https://aka.ms/samltestapp |
active-directory-b2c | Secure Api Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/secure-api-management.md | Before you begin, make sure that you have the following resources in place: * An [application that's registered in your tenant](tutorial-register-applications.md) * [User flows that are created in your tenant](tutorial-create-user-flows.md) * A [published API](../api-management/import-and-publish.md) in Azure API Management-* (Optional) A [Postman platform](https://www.getpostman.com/) to test secured access +* (Optional) A [Postman platform](https://www.postman.com/) to test secured access ## Get Azure AD B2C application ID You're now ready to add the inbound policy in Azure API Management that validate ## Validate secure API access -To ensure that only authenticated callers can access your API, you can validate your Azure API Management configuration by calling the API with [Postman](https://www.getpostman.com/). +To ensure that only authenticated callers can access your API, you can validate your Azure API Management configuration by calling the API with [Postman](https://www.postman.com/). To call the API, you need both an access token that's issued by Azure AD B2C and an Azure API Management subscription key. A client application (in this case, Postman) that calls a published API must inc With the access token and Azure API Management subscription key recorded, you're now ready to test whether you've correctly configured secure access to the API. -1. Create a new `GET` request in [Postman](https://www.getpostman.com/). For the request URL, specify the speakers list endpoint of the API you published as one of the prerequisites. For example: +1. Create a new `GET` request in [Postman](https://www.postman.com/). For the request URL, specify the speakers list endpoint of the API you published as one of the prerequisites. For example: `https://contosoapim.azure-api.net/conference/speakers` |
active-directory-b2c | Security Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/security-architecture.md | Your identity solution uses multiple components to provide a smooth sign in expe |Component |Endpoint|Why|How to protect| |-|-|-|-| |Azure AD B2C authentication endpoints|`/authorize`, `/token`, `/.well-known/openid-configuration`, `/discovery/v2.0/keys`|Prevent resource exhaustion|[Web Application Firewall (WAF)](./partner-web-application-firewall.md) and [Azure Front Door (AFD)](https://azure.microsoft.com/products/frontdoor/?ef_id=_k_53b0ace78faa14e3c3b1c8b385bf944d_k_&OCID=AIDcmm5edswduu_SEM__k_53b0ace78faa14e3c3b1c8b385bf944d_k_&msclkid=53b0ace78faa14e3c3b1c8b385bf944d)|-|Sign-in|NA|Malicious sign-in's may try to brute force accounts or use leaked credentials|[Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection)| +|Sign-in|NA|Malicious sign-in's may try to brute force accounts or use leaked credentials|[Identity Protection](../active-directory/identity-protection/overview-identity-protection.md)| |Sign-up|NA|Fraudulent sign-up's that may try to exhaust resources.|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500)<br> Fraud prevention technologies, such as [Dynamics Fraud Protection](./partner-dynamics-365-fraud-protection.md)|-|Email OTP|NA|Fraudulent attempts to brute force or exhaust resources|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500) and [Authenticator 
App](/azure/active-directory/authentication/concept-authentication-authenticator-app)| -|Multifactor authentication controls|NA|Unsolicited phone calls or SMS messages or resource exhaustion.|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500) and [Authenticator App](/azure/active-directory/authentication/concept-authentication-authenticator-app)| +|Email OTP|NA|Fraudulent attempts to brute force or exhaust resources|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500) and [Authenticator App](../active-directory/authentication/concept-authentication-authenticator-app.md)| +|Multifactor authentication controls|NA|Unsolicited phone calls or SMS messages or resource exhaustion.|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500) and [Authenticator App](../active-directory/authentication/concept-authentication-authenticator-app.md)| |External REST APIs|Your REST API endpoints|Malicious usage of user flows or custom policies can lead to resource exhaustion at your API endpoints.|[WAF](./partner-web-application-firewall.md) and [AFD](https://azure.microsoft.com/products/frontdoor/?ef_id=_k_921daffd3bd81af80dd9cba9348858c4_k_&OCID=AIDcmm5edswduu_SEM__k_921daffd3bd81af80dd9cba9348858c4_k_&msclkid=921daffd3bd81af80dd9cba9348858c4)| ### Protection mechanisms |
active-directory-b2c | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/service-limits.md | The number of users able to authenticate through an Azure AD B2C tenant is gated ## Endpoint request usage -Azure AD B2C is compliant with [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749), [OpenID Connect (OIDC)](https://openid.net/certification), and [SAML](http://saml.xml.org/saml-specifications) protocols. It provides user authentication and single sign-on (SSO) functionality, with the endpoints listed in the following table. +Azure AD B2C is compliant with [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749), [OpenID Connect (OIDC)](https://openid.net/certification/), and [SAML](http://saml.xml.org/saml-specifications) protocols. It provides user authentication and single sign-on (SSO) functionality, with the endpoints listed in the following table. The frequency of requests made to Azure AD B2C endpoints determines the overall token issuance capability. Azure AD B2C exposes endpoints, which consume a different number of requests. Review the [Authentication Protocols](./protocols-overview.md) article for more information on which endpoints are consumed by your application. The following table lists the administrative configuration limits in the Azure A - Learn about [Microsoft Graph's throttling guidance](/graph/throttling) - Learn about the [validation differences for Azure AD B2C applications](../active-directory/develop/supported-accounts-validation.md)-- Learn about [Resilience through developer best practices](../active-directory/fundamentals/resilience-b2c-developer-best-practices.md)+- Learn about [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md) |
active-directory-b2c | Supported Azure Ad Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/supported-azure-ad-features.md | An Azure Active Directory B2C (Azure AD B2C) tenant is different than an Azure A |Feature |Azure AD | Azure AD B2C | ||||-| [Groups](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) | Groups can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. You can't perform [group-based assignment of enterprise applications](../active-directory/manage-apps/assign-user-or-group-access-portal.md).| +| [Groups](../active-directory/fundamentals/how-to-manage-groups.md) | Groups can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. You can't perform [group-based assignment of enterprise applications](../active-directory/manage-apps/assign-user-or-group-access-portal.md).| | [Inviting External Identities guests](../active-directory//external-identities/add-users-administrator.md)| You can invite guest users and configure External Identities features such as federation and sign-in with Facebook and Google accounts. | You can invite only a Microsoft account or an Azure AD user as a guest to your Azure AD tenant for accessing applications or managing tenants. For [consumer accounts](user-overview.md#consumer-user), you use Azure AD B2C user flows and custom policies to manage users and sign-up or sign-in with external identity providers, such as Google or Facebook. |-| [Roles and administrators](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md)| Fully supported for administrative and user accounts. | Roles are not supported with [consumer accounts](user-overview.md#consumer-user). 
Consumer accounts don't have access to any Azure resources.| +| [Roles and administrators](../active-directory/fundamentals/how-subscriptions-associated-directory.md)| Fully supported for administrative and user accounts. | Roles are not supported with [consumer accounts](user-overview.md#consumer-user). Consumer accounts don't have access to any Azure resources.| | [Custom domain names](../active-directory/fundamentals/add-custom-domain.md) | You can use Azure AD custom domains for administrative accounts only. | [Consumer accounts](user-overview.md#consumer-user) can sign in with a username, phone number, or any email address. You can use [custom domains](custom-domain.md) in your redirect URLs.| | [Conditional Access](../active-directory/conditional-access/overview.md) | Fully supported for administrative and user accounts. | A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user) Learn how to configure Azure AD B2C [conditional access](conditional-access-user-flow.md).| | [Premium P1](https://azure.microsoft.com/pricing/details/active-directory) | Fully supported for Azure AD premium P1 features. For example, [Password Protection](../active-directory/authentication/concept-password-ban-bad.md), [Hybrid Identities](../active-directory/hybrid/whatis-hybrid-identity.md), [Conditional Access](../active-directory/roles/permissions-reference.md#), [Dynamic groups](../active-directory/enterprise-users/groups-create-rule.md), and more. | Azure AD B2C uses [Azure AD B2C Premium P1 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Azure AD premium P1. A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md).| |
active-directory-b2c | Tenant Management Manage Administrator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-manage-administrator.md | To delete an existing user, you must have a *Global administrator* role assignme 1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. -The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md). +The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/users-restore.md). ## Protect administrative accounts It's recommended that you protect all administrator accounts with multifactor au ![Authentication methods in use at the sign in screenshot](./media/tenant-management/sing-in-with-multi-factor-authentication.png) -If you're not using [Conditional Access](conditional-access-user-flow.md), you can enable [Azure AD security defaults](../active-directory/fundamentals/concept-fundamentals-security-defaults.md) to force all administrative accounts to use MFA. +If you're not using [Conditional Access](conditional-access-user-flow.md), you can enable [Azure AD security defaults](../active-directory/fundamentals/security-defaults.md) to force all administrative accounts to use MFA. ## Next steps |
active-directory-b2c | Tutorial Create Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tutorial-create-tenant.md | Before you create your Azure AD B2C tenant, you need to take the following consi :::image type="content" source="media/tutorial-create-tenant/review-and-create-tenant.png" alt-text="Screenshot of create tenant form in with example values in Azure portal."::: 1. Select **Review + create**.-1. Review your directory settings. Then select **Create**. Learn more about [troubleshooting deployment errors](../azure-resource-manager/templates/common-deployment-errors.md). +1. Review your directory settings. Then select **Create**. Learn more about [troubleshooting deployment errors](../azure-resource-manager/troubleshooting/common-deployment-errors.md). You can link multiple Azure AD B2C tenants to a single Azure subscription for billing purposes. To link a tenant, you must be an admin in the Azure AD B2C tenant and be assigned at least a Contributor role within the Azure subscription. See [Link an Azure AD B2C tenant to a subscription](billing.md#link-an-azure-ad-b2c-tenant-to-a-subscription). |
active-directory-b2c | User Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-overview.md | The following types of accounts are available: ## Work account -A work account is created the same way for all tenants based on Azure AD. To create a work account, you can use the information in [Quickstart: Add new users to Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md). A work account is created using the **New user** choice in the Azure portal. +A work account is created the same way for all tenants based on Azure AD. To create a work account, you can use the information in [Quickstart: Add new users to Azure Active Directory](../active-directory/fundamentals/add-users.md). A work account is created using the **New user** choice in the Azure portal. When you add a new work account, you need to consider the following configuration settings: - **Name** and **User name** - The **Name** property contains the given and surname of the user. The **User name** is the identifier that the user enters to sign in. The user name includes the full domain. The domain name portion of the user name must either be the initial default domain name *your-domain.onmicrosoft.com*, or a verified, non-federated [custom domain](../active-directory/fundamentals/add-custom-domain.md) name such as *contoso.com*. - **Email** - The new user can also sign in using an email address. We do not support special characters or multibyte characters in email, for example Japanese characters. - **Profile** - The account is set up with a profile of user data. You have the opportunity to enter a first name, last name, job title, and department name. You can edit the profile after the account is created.-- **Groups** - Use groups to perform management tasks such as assigning licenses or permissions to many users, or devices at once. 
You can put the new account into an existing [group](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) in your tenant.+- **Groups** - Use groups to perform management tasks such as assigning licenses or permissions to many users, or devices at once. You can put the new account into an existing [group](../active-directory/fundamentals/how-to-manage-groups.md) in your tenant. - **Directory role** - You need to specify the level of access that the user account has to resources in your tenant. The following permission levels are available: - **User** - Users can access assigned resources but cannot manage most tenant resources. When you add a new work account, you need to consider the following configuratio You can use the following information to create a new work account: -- [Azure portal](../active-directory/fundamentals/add-users-azure-active-directory.md)+- [Azure portal](../active-directory/fundamentals/add-users.md) - [Microsoft Graph](/graph/api/user-post-users) ### Update a user profile You can use the following information to update the profile of a user: -- [Azure portal](../active-directory/fundamentals/active-directory-users-profile-azure-portal.md)+- [Azure portal](../active-directory/fundamentals/how-to-manage-user-profile-info.md) - [Microsoft Graph](/graph/api/user-update) ### Reset a password for a user You can use the following information to reset the password of a user: -- [Azure portal](../active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md)+- [Azure portal](../active-directory/fundamentals/users-reset-password-azure-portal.md) - [Microsoft Graph](/graph/api/user-update) ## Guest user |
active-directory-b2c | View Audit Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/view-audit-logs.md | To download the list of activity events in a comma-separated values (CSV) file, ## Get audit logs with the Azure AD reporting API -Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/concept-reporting-api.md). +Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md). ### Enable reporting API access |
active-directory-b2c | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md | Welcome to what's new in Azure Active Directory B2C documentation. This article - [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) - [Azure AD B2C] Azure AD B2C Go-Local opt-in feature - [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](configure-security-analytics-sentinel.md) - Removing product name from filename and links. - [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-web-application-firewall.md) - Removing product name from filename and links. -- [Title not found in: #240919](azure-ad-external-identities-videos.md) - Delete azure-ad-external-identities-videos.md+- [Title not found in: #240919](./external-identities-videos.md) - Delete azure-ad-external-identities-videos.md - [Build a global identity solution with funnel-based approach](b2c-global-identity-funnel-based-design.md) - Removing product name from filename and links. - [Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md) - Removing product name from filename and links. - [Azure Active Directory B2C global identity framework proof of concept for region-based configuration](b2c-global-identity-proof-of-concept-regional.md) - Removing product name from filename and links. Welcome to what's new in Azure Active Directory B2C documentation. 
This article - [Configure Asignio with Azure Active Directory B2C for multifactor authentication](partner-asignio.md) - [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md) - [Configure WhoIAM Rampart with Azure Active Directory B2C](partner-whoiam-rampart.md)-- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)+- [Build a global identity solution with funnel-based approach](./b2c-global-identity-funnel-based-design.md) - [Use the Azure portal to create and delete consumer users in Azure AD B2C](manage-users-portal.md)- |
active-directory-domain-services | Ad Auth No Join Linux Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/ad-auth-no-join-linux-vm.md | Now you are ready to use AD authentication on your Linux VM. <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md |
active-directory-domain-services | Administration Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/administration-concepts.md | To get started, [create an Azure AD DS managed domain][create-instance]. [password-policy]: password-policy.md [hybrid-phs]: tutorial-configure-password-hash-sync.md#enable-synchronization-of-password-hashes [secure-domain]: secure-your-domain.md-[azure-ad-password-sync]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services +[azure-ad-password-sync]: ../active-directory/hybrid/connect/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services [create-instance]: tutorial-create-instance.md [tutorial-create-instance-advanced]: tutorial-create-instance-advanced.md-[concepts-forest]: concepts-resource-forest.md +[concepts-forest]: ./concepts-forest-trust.md [concepts-trust]: concepts-forest-trust.md <!-- EXTERNAL LINKS --> |
active-directory-domain-services | Alert Ldaps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-ldaps.md | Create a replacement secure LDAP certificate by following the steps to [create a If you still have issues, [open an Azure support request][azure-support] for additional troubleshooting assistance. <!-- INTERNAL LINKS -->-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md +[azure-support]: ../active-directory/fundamentals/how-to-get-support.md |
active-directory-domain-services | Alert Nsg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-nsg.md | It takes a few moments for the security rule to be added and show in the list. If you still have issues, [open an Azure support request][azure-support] for additional troubleshooting assistance. <!-- INTERNAL LINKS -->-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md +[azure-support]: ../active-directory/fundamentals/how-to-get-support.md [configure-ldaps]: tutorial-configure-ldaps.md |
active-directory-domain-services | Alert Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-service-principal.md | After you delete both applications, the Azure platform automatically recreates t If you still have issues, [open an Azure support request][azure-support] for additional troubleshooting assistance. <!-- INTERNAL LINKS -->-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md +[azure-support]: ../active-directory/fundamentals/how-to-get-support.md <!-- EXTERNAL LINKS -->-[New-AzureAdServicePrincipal]: /powershell/module/AzureAD/New-AzureADServicePrincipal +[New-AzureAdServicePrincipal]: /powershell/module/azuread/new-azureadserviceprincipal |
active-directory-domain-services | Change Sku | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/change-sku.md | If you have a resource forest and want to create additional trusts after the SKU <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md [concepts-sku]: administration-concepts.md#azure-ad-ds-skus [create-trust]: tutorial-create-forest-trust.md |
active-directory-domain-services | Check Health | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/check-health.md | Health status alerts are categorized into the following levels of severity: For more information on alerts that are shown in the health status page, see [Resolve alerts on your managed domain][troubleshoot-alerts] <!-- INTERNAL LINKS -->-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md +[azure-support]: ../active-directory/fundamentals/how-to-get-support.md [troubleshoot-alerts]: troubleshoot-alerts.md |
active-directory-domain-services | Compare Identity Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/compare-identity-solutions.md | You can also learn more about [manage-gpos]: manage-group-policy.md [tutorial-ldaps]: tutorial-configure-ldaps.md [tutorial-create]: tutorial-create-instance.md-[whatis-azuread]: ../active-directory/fundamentals/active-directory-whatis.md +[whatis-azuread]: ../active-directory/fundamentals/whatis.md [overview-adds]: /windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview [create-forest-trust]: tutorial-create-forest-trust.md [administration-concepts]: administration-concepts.md |
active-directory-domain-services | Concepts Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-custom-attributes.md | Select **+ Add** to choose which custom attributes to synchronize. The list show If you don't see the directory extension you are looking for, enter the extensionΓÇÖs associated application appId and click **Search** to load only that applicationΓÇÖs defined extension properties. This search helps when multiple applications define many extensions in your tenant. >[!NOTE]->If you would like to see directory extensions synchronized by Azure AD Connect, click **Enterprise App** and look for the Application ID of the **Tenant Schema Extension App**. For more information, see [Azure AD Connect sync: Directory extensions](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard). +>If you would like to see directory extensions synchronized by Azure AD Connect, click **Enterprise App** and look for the Application ID of the **Tenant Schema Extension App**. For more information, see [Azure AD Connect sync: Directory extensions](../active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard). Click **Select**, and then **Save** to confirm the change. To check the backfilling status, click **Azure AD DS Health** and verify the **S To configure onPremisesExtensionAttributes or directory extensions for cloud-only users in Azure AD, see [Custom data options in Microsoft Graph](/graph/extensibility-overview?tabs=http#custom-data-options-in-microsoft-graph). -To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md). 
+To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). |
active-directory-domain-services | Create Forest Trust Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-forest-trust-powershell.md | For more conceptual information about forest types in Azure AD DS, see [How do f <!-- INTERNAL LINKS --> [concepts-trust]: concepts-forest-trust.md [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance-advanced]: tutorial-create-instance-advanced.md-[Connect-AzAccount]: /powershell/module/Az.Accounts/Connect-AzAccount -[Connect-AzureAD]: /powershell/module/AzureAD/Connect-AzureAD -[New-AzResourceGroup]: /powershell/module/Az.Resources/New-AzResourceGroup +[Connect-AzAccount]: /powershell/module/az.accounts/connect-azaccount +[Connect-AzureAD]: /powershell/module/azuread/connect-azuread +[New-AzResourceGroup]: /powershell/module/az.resources/new-azresourcegroup [network-peering]: ../virtual-network/virtual-network-peering-overview.md [New-AzureADServicePrincipal]: /powershell/module/AzureAD/New-AzureADServicePrincipal-[Get-AzureRMSubscription]: /powershell/module/AzureRM.Profile/Get-AzureRmSubscription +[Get-AzureRMSubscription]: /powershell/module/azurerm.profile/get-azurermsubscription [Install-Script]: /powershell/module/powershellget/install-script <!-- EXTERNAL LINKS --> |
active-directory-domain-services | Create Gmsa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-gmsa.md | For more information about gMSAs, see [Getting started with group managed servic <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md [tutorial-create-management-vm]: tutorial-create-management-vm.md [create-custom-ou]: create-ou.md <!-- EXTERNAL LINKS --> [New-ADOrganizationalUnit]: /powershell/module/activedirectory/new-adorganizationalunit-[New-ADServiceAccount]: /powershell/module/activedirectory/New-AdServiceAccount +[New-ADServiceAccount]: /powershell/module/activedirectory/new-adserviceaccount [gmsa-overview]: /windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview [gmsa-start]: /windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts |
active-directory-domain-services | Create Ou | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-ou.md | For more information on using the administrative tools or creating and using ser <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md [tutorial-create-management-vm]: tutorial-create-management-vm.md-[connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm +[connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm |
active-directory-domain-services | Deploy Azure App Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-azure-app-proxy.md | With the Azure AD Application Proxy integrated with Azure AD DS, publish applica <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md [create-join-windows-vm]: join-windows-vm.md [azure-bastion]: ../bastion/tutorial-create-host-portal.md [Get-ADComputer]: /powershell/module/activedirectory/get-adcomputer-[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer +[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer |
active-directory-domain-services | Deploy Kcd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-kcd.md | To learn more about how delegation works in Active Directory Domain Services, se <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md [create-join-windows-vm]: join-windows-vm.md [tutorial-create-management-vm]: tutorial-create-management-vm.md |
active-directory | Insufficient Access Rights Error Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/insufficient-access-rights-error-troubleshooting.md | Reference articles that explain the reason in detail: If option 1 is not feasible and doesn't work as expected, then ask Cx to check with their AD admin and security administrators, if they are allowed to modify the default permissions of the ```AdminSDHolder``` container. This [article](https://go.microsoft.com/fwlink/?linkid=2240198) that explains the importance of the ```AdminSDHolder``` container. Once Cx gets internal approval to update the ```AdminSDHolder``` container permissions, there are two ways to update the permissions. -* Using ```ADSIEdit``` as described in this [article](https://petri.com/active-directory-security-understanding-adminsdholder-object ). +* Using ```ADSIEdit``` as described in this [article](https://petri.com/active-directory-security-understanding-adminsdholder-object). * Using ```DSACLS``` command-line script. Here's an example script that could be used as a starting point and Cx can tweak it as per their requirements. ```powershell |
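Review bot: the paragraph this URL fix touches still says "ask Cx to check with their AD admin and security administrators" and "This [article](...) that explains the importance of the AdminSDHolder container"; "Cx" is support-desk shorthand for "customer" and should be spelled out in public documentation, and the second sentence has no main verb (change to "This article explains the importance of ..."). Since the hunk already edits this paragraph, fix both in the same change rather than leaving a trailing-space-only fix.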
active-directory | On Premises Migrate Microsoft Identity Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md | ->[!IMPORTANT] ->Currently, only the generic SQL and LDAP connectors are supported for use with the Azure AD ECMA Connector Host. ## Create a connector configuration in MIM Sync This section is included for illustrative purposes, if you wish to set up MIM Sync with a connector. If you already have MIM Sync with your ECMA connector configured, skip to the next section. |
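Review bot: deleting the IMPORTANT note ("Currently, only the generic SQL and LDAP connectors are supported for use with the Azure AD ECMA Connector Host") removes the only statement of connector support without replacing it, so a reader who reaches "Create a connector configuration in MIM Sync" can no longer tell whether their connector applies. If the restriction no longer holds, add a sentence or link pointing to the current list of supported connectors instead of just dropping the note.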
active-directory | Use Scim To Provision Users And Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md | The **core** user schema only requires three attributes (all other attributes ar - `userName`, a unique identifier for the user (generally maps to the Azure AD user principal name) - `meta`, *read-only* metadata maintained by the service provider -In addition to the **core** user schema, the SCIM standard defines an **enterprise** user extension with a model for extending the user schema to meet your applicationΓÇÖs needs. +In addition to the **core** user schema, the SCIM standard defines an **enterprise** user extension with a model for extending the user schema to meet your application's needs. -For example, if your application requires both a user's email and userΓÇÖs manager, use the **core** schema to collect the userΓÇÖs email and the **enterprise** user schema to collect the userΓÇÖs manager. +For example, if your application requires both a user's email and user's manager, use the **core** schema to collect the user's email and the **enterprise** user schema to collect the user's manager. To design your schema, follow these steps: The following table lists an example of required attributes: |loginName|userName|userPrincipalName| |firstName|name.givenName|givenName| |lastName|name.familyName|surName|-|workMail|emails[type eq ΓÇ£workΓÇ¥].value|Mail| +|workMail|emails[type eq "work"].value|Mail| |manager|manager|manager| |tag|`urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag`|extensionAttribute1| |status|active|isSoftDeleted (computed value not stored on user)| This article provides example SCIM requests emitted by the Azure Active Director ###### Response (User not found. The detail isn't required, only status.) 
+*HTTP/1.1 404 Not Found* + ```json { "schemas": [ The open source .NET Core [reference code example](https://aka.ms/SCIMReferenceC The solution is composed of two projects, _Microsoft.SCIM_ and _Microsoft.SCIM.WebHostSample_. -The _Microsoft.SCIM_ project is the library that defines the components of the web service that conforms to the SCIM specification. It declares the interface _Microsoft.SCIM.IProvider_, requests are translated into calls to the providerΓÇÖs methods, which would be programmed to operate on an identity store. +The _Microsoft.SCIM_ project is the library that defines the components of the web service that conforms to the SCIM specification. It declares the interface _Microsoft.SCIM.IProvider_, requests are translated into calls to the provider's methods, which would be programmed to operate on an identity store. ![Breakdown: A request translated into calls to the provider's methods](media/use-scim-to-provision-users-and-groups/scim-figure-3.png) Requests from Azure AD Provisioning Service include an OAuth 2.0 bearer token. A -In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using the bearer token issued by Azure AD for a specified tenant: +In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the service's endpoints are authenticated using the bearer token issued by Azure AD for a specified tenant: ```csharp public void ConfigureServices(IServiceCollection services) A bearer token is also required to use of the provided [Postman tests](https://g For more information on multiple environments in ASP.NET Core, see [Use multiple environments in ASP.NET Core](/aspnet/core/fundamentals/environments). 
-The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using a bearer token signed with a custom key: +The following code enforces that requests to any of the service's endpoints are authenticated using a bearer token signed with a custom key: ```csharp public void ConfigureServices(IServiceCollection services) GET https://.../scim/Users?filter=externalId eq jyoung HTTP/1.1 Authorization: Bearer ... ``` -In the sample code, the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. Here's the signature of that method: +In the sample code, the request is translated into a call to the QueryAsync method of the service's provider. Here's the signature of that method: ```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll. Content-type: application/scim+json "manager":null} ``` -In the sample code, the request is translated into a call to the CreateAsync method of the serviceΓÇÖs provider. Here's the signature of that method: +In the sample code, the request is translated into a call to the CreateAsync method of the service's provider. Here's the signature of that method: ```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll. GET ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1 Authorization: Bearer ... ``` -In the sample code, the request is translated into a call to the RetrieveAsync method of the serviceΓÇÖs provider. Here's the signature of that method: +In the sample code, the request is translated into a call to the RetrieveAsync method of the service's provider. Here's the signature of that method: ```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll. In the example of a request, to retrieve the current state of a user, the values ***Example 4. Query the value of a reference attribute to be updated*** Azure AD checks the current attribute value in the identity store before updating it. 
However, only the manager attribute is the checked first for users. Here's an example of a request to determine whether the manager attribute of a user object currently has a certain value: -In the sample code, the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. The value of the properties of the object provided as the value of the parameters argument are as follows: +In the sample code, the request is translated into a call to the QueryAsync method of the service's provider. The value of the properties of the object provided as the value of the parameters argument are as follows: * parameters.AlternateFilters.Count: 2 * parameters.AlternateFilters.ElementAt(x).AttributePath: "ID" Content-type: application/scim+json "value":"2819c223-7f76-453a-919d-413861904646"}]}]} ``` -In the sample code, the request is translated into a call to the UpdateAsync method of the serviceΓÇÖs provider. Here's the signature of that method: +In the sample code, the request is translated into a call to the UpdateAsync method of the service's provider. Here's the signature of that method: ```csharp // System.Threading.Tasks.Tasks and DELETE ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1 Authorization: Bearer ... ``` -In the sample code, the request is translated into a call to the DeleteAsync method of the serviceΓÇÖs provider. Here's the signature of that method: +In the sample code, the request is translated into a call to the DeleteAsync method of the service's provider. Here's the signature of that method: ```csharp // System.Threading.Tasks.Tasks is defined in mscorlib.dll. To help drive awareness and demand of our joint integration, we recommend you up > * Craft a blog post or press release that describes the joint integration, the benefits and how to get started. 
[Example: Imprivata and Azure AD Press Release](https://www.imprivata.com/company/press/imprivata-introduces-iam-cloud-platform-healthcare-supported-microsoft) > * Leverage your social media like Twitter, Facebook or LinkedIn to promote the integration to your customers. Be sure to include @AzureAD so we can retweet your post. [Example: Imprivata Twitter Post](https://twitter.com/azuread/status/1123964502909779968) > * Create or update your marketing pages/website (e.g. integration page, partner page, pricing page, etc.) to include the availability of the joint integration. [Example: Pingboard integration Page](https://pingboard.com/org-chart-for), [Smartsheet integration page](https://www.smartsheet.com/marketplace/apps/microsoft-azure-ad), [Monday.com pricing page](https://monday.com/pricing/) -> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/ -) +> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/) > * Alert customers of the new integration through your customer communication (monthly newsletters, email campaigns, product release notes). ## Next steps |
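Review bot: the hunks in this file only replace mis-encoded apostrophes and quotes, but two context lines they sit next to still need wording fixes: "It declares the interface _Microsoft.SCIM.IProvider_, requests are translated into calls to the provider's methods" is a comma splice (split into two sentences or use "through which"), and "only the manager attribute is the checked first for users" has a stray "the". Both are within the lines being touched, so fold them into this change.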
active-directory | 2 Secure Access Current State | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/2-secure-access-current-state.md | Investigate access to your sensitive apps for awareness about external access. S If your email and network plans are enabled, you can investigate content sharing through email or unauthorized software as a service (SaaS) apps. * Identify, prevent, and monitor accidental sharing- * [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide&preserve-view=true ) + * [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide&preserve-view=true) * Identify unauthorized apps * [Microsoft Defender for Cloud Apps overview](/defender-cloud-apps/what-is-defender-for-cloud-apps) |
active-directory | 6 Secure Access Entitlement Managment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/6-secure-access-entitlement-managment.md | Learn more: [Plan a Microsoft Entra access reviews deployment](../governance/dep ## Using entitlement management automation -* [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview?view=graph-rest-1.0&preserve-view=true ) -* [accessPackage resource type](/graph/api/resources/accesspackage?view=graph-rest-1.0&preserve-view=true ) -* [Azure AD access reviews](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true ) -* [connectedOrganization resource type](/graph/api/resources/connectedorganization?view=graph-rest-1.0&preserve-view=true ) -* [entitlementManagementSettings resource type](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-1.0&preserve-view=true ) +* [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview?view=graph-rest-1.0&preserve-view=true) +* [accessPackage resource type](/graph/api/resources/accesspackage?view=graph-rest-1.0&preserve-view=true) +* [Azure AD access reviews](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true) +* [connectedOrganization resource type](/graph/api/resources/connectedorganization?view=graph-rest-1.0&preserve-view=true) +* [entitlementManagementSettings resource type](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-1.0&preserve-view=true) ## External access governance recommendations |
active-directory | Automate Provisioning To Applications Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/automate-provisioning-to-applications-solutions.md | In addition to the pre-integrated gallery applications, Azure AD supports provis [Learn more about provisioning to SCIM enabled applications](../app-provisioning/use-scim-to-provision-users-and-groups.md) -### Automate provisioning to SQL and LDAP based applications +### Automate provisioning to on-premises applications - Many applications don't support the SCIM standard, and customers have historically used connectors developed for MIM to connect to them. The Azure AD provisioning service supports reusing connectors developed for MIM and provisioning users into applications that rely on an LDAP user store or a SQL database. +Many applications don't support the SCIM standard, and customers have historically used connectors developed for MIM to connect to them. The Azure AD provisioning service supports reusing connectors built for MIM, without needing a MIM sync deployment. This opens up connectivity to a wide range of on-premises and SaaS applications. ++|Protocol |Connector| +|--|--| +| LDAP | [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md)| +| SQL | [SQL](../app-provisioning/tutorial-ecma-sql-connector.md) | +| REST | [Web Services](../app-provisioning/on-premises-web-services-connector.md)| +| SOAP | [Web Services](../app-provisioning/on-premises-web-services-connector.md)| +| Flat-file| [PowerShell](../app-provisioning/on-premises-powershell-connector.md) | +| Custom | [Custom ECMA connectors](../app-provisioning/on-premises-custom-connector.md) | [Learn more about on-premises application provisioning](../app-provisioning/user-provisioning.md) ### Use integrations developed by partners -Many applications may not yet support SCIM or rely on SQL / LDAP databases. 
Microsoft partners have developed SCIM gateways that allow you to synchronize users between Azure AD and various systems such as mainframes, HR systems, and legacy databases. In the image below, the SCIM Gateways are built and managed by partners. +Microsoft partners have developed SCIM gateways that allow you to synchronize users between Azure AD and various systems such as mainframes, HR systems, and legacy databases. In the image below, the SCIM Gateways are built and managed by partners. ![Agent with SCIM gateway](media/automate-user-provisioning-to-applications-solutions/provisioning-agent-with-scim-gateway.png) |
active-directory | Concept Mfa Regional Opt In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-regional-opt-in.md | For Voice verification, the following region codes require an opt-in. ## Next steps +* [Understanding telephony fraud](concept-mfa-telephony-fraud.md) * [Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md) |
active-directory | Concept Mfa Telephony Fraud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-telephony-fraud.md | + + Title: Understanding telephony fraud risk for Azure AD Multi-Factor Authentication (MFA) | Azure Active Directory +description: Understanding International Revenue Share Fraud (IRSF) is crucial for implementing preventive measures for Azure AD Multi-Factor Authentication (MFA) telephony verification. +++++ Last updated : 09/11/2023+++++++++++# Understanding telephony fraud ++In today's digital landscape, telecommunication services have seamlessly integrated into our daily lives. But technological progress also brings the risk of fraudulent activities like International Revenue Share Fraud (IRSF), which poses financial consequences and service disruptions. IRSF involves exploiting telecommunication billing systems by unauthorized actors. They divert telephony traffic and generate profits through a technique called *traffic pumping*. Traffic pumping targets multifactor authentication (MFA) systems, and causes inflated charges, service unreliability, and system errors. ++To counter this risk, a thorough understanding of IRSF is crucial for implementing preventive measures like regional restrictions and phone number verification, while our system aims to minimize disruptions and safeguard both our business, users, and your business we prioritize your security and as such we may sometimes take proactive measures. ++## How we help fight telephony fraud ++To protect our customers and vigilantly defend against bad actors who attempt fraud, we may engage in proactive remediation in the event of a fraud attack. Telephony fraud is a very dynamic space where even seconds can result in massive financial impact. To limit that impact, we may proactively engage temporary throttling when we detect excessive authentication requests from a particular region, phone, or user. 
These throttles normally clear after a few hours to a few days. ++## How you can help fight telephony fraud ++To help fight telephony fraud, B2C customers can take steps to improve security of authentication activities such as sign-in, MFA, password reset, and forgot username: ++- Use the recommended versions of user flows +- Remove region codes that aren't relevant to your organization +- Use CAPTCHA to help distinguish between human users and automated bots +- Review your telecom usage to make sure it matches the expected behavior from your users ++For more information, see [Securing phone-based MFA in B2C](/azure/active-directory-b2c/phone-based-mfa). ++In addition, you may sometimes encounter throttles because you're requesting traffic from a region that requires an opt-in. For more information, see [Regions that need to opt in for MFA telephony verification](concept-mfa-regional-opt-in.md). ++## Next steps ++* [Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md) +* [Securing phone-based MFA in B2C](/azure/active-directory-b2c/phone-based-mfa) +* [Regions that need to opt in for MFA telephony verification](concept-mfa-regional-opt-in.md) |
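Review bot: the scope of "How you can help fight telephony fraud" is narrower than the rest of this new article; it lists only B2C controls (user flow versions, CAPTCHA, the B2C phone-based MFA link) while the title, description and "How we help fight telephony fraud" are written for Azure AD MFA generally. Either state in the introduction that the guidance is for B2C tenants or add the equivalent steps for Azure AD tenants (at minimum the regional opt-in article that the same section already links). Separately, the sentence starting "To counter this risk, a thorough understanding of IRSF is crucial ... we prioritize your security and as such we may sometimes take proactive measures" is a run-on and should be split into two sentences.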
active-directory | How To Migrate Mfa Server To Mfa With Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md | This section covers final steps before migrating user MFA settings. ### Set federatedIdpMfaBehavior to enforceMfaByFederatedIdp -For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true ). +For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true). >[!NOTE] > The **federatedIdpMfaBehavior** setting is a new version of the **SupportsMfa** property of the [New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration) cmdlet. |
active-directory | Quickstart V2 Aspnet Core Webapp Calls Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp-calls-graph.md | -> ![Shows how the sample app generated by this quickstart works](./configure-app-multi-instancing.md aspnetcorewebapp-intro.svg) +> :::image type="content" source="media/quickstart-v2-aspnet-core-webapp/aspnetcorewebapp-intro.svg" alt-text="Diagram that how the sample app generated by this quickstart works."::: > > ### Startup class > |
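Review bot: the replacement image reference fixes the broken source path, but the new alt-text "Diagram that how the sample app generated by this quickstart works." is missing its verb; use "Diagram that shows how the sample app generated by this quickstart works."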
active-directory | Signin Account Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/signin-account-support.md | You can tell if the sign-in page your organization uses supports Microsoft accou ![Difference between account sign-in pages](./media/signin-account-support/ui-prompt.png) -[Additional sign-in options work only for personal Microsoft accounts](https://azure.microsoft.com/updates/microsoft-account-signin-options/ ) but can't be used for signing in to work or school account resources. +[Additional sign-in options work only for personal Microsoft accounts](https://azure.microsoft.com/updates/microsoft-account-signin-options/) but can't be used for signing in to work or school account resources. ## Next steps |
active-directory | Users Custom Security Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-custom-security-attributes.md | To assign or remove custom security attributes for a user in your Azure AD tenan [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator). -+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). 1. Make sure that you have defined custom security attributes. For more information, see [Add or deactivate custom security attribute definitions in Azure AD](../fundamentals/custom-security-attributes-add.md). -1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Find and select the user you want to assign custom security attributes to. -1. In the Manage section, select **Custom security attributes (preview)**. +1. In the Manage section, select **Custom security attributes**. 1. Select **Add assignment**. To assign or remove custom security attributes for a user in your Azure AD tenan ## Update custom security attribute assignment values for a user -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). -1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**. +1. Browse to **Identity** > **Users** > **All users**. 1. 
Find and select the user that has a custom security attribute assignment value you want to update. -1. In the Manage section, select **Custom security attributes (preview)**. +1. In the Manage section, select **Custom security attributes**. 1. Find the custom security attribute assignment value you want to update. To assign or remove custom security attributes for a user in your Azure AD tenan You can filter the list of custom security attributes assigned to users on the All users page. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader). -1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Select **Add filter** to open the Add filter pane. You can filter the list of custom security attributes assigned to users on the A ## Remove custom security attribute assignments from a user -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). -1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Find and select the user that has the custom security attribute assignments you want to remove. -1. In the Manage section, select **Custom security attributes (preview)**. +1. In the Manage section, select **Custom security attributes**. 1. Add check marks next to all the custom security attribute assignments you want to remove. 
None **Where are custom security attribute assignments for users supported?** -Custom security attribute assignments for users are supported in Azure portal, PowerShell, and Microsoft Graph APIs. Custom security attribute assignments are not supported in My Apps or Microsoft 365 admin center. +Custom security attribute assignments for users are supported in Microsoft Entra admin center, PowerShell, and Microsoft Graph APIs. Custom security attribute assignments are not supported in My Apps or Microsoft 365 admin center. **Who can view the custom security attributes assigned to a user?** |
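Review bot: in the first procedure the hunk drops the blank line between "1. Sign in to the Microsoft Entra admin center ..." and "1. Make sure that you have defined custom security attributes", while every other list in the file keeps a blank line between numbered steps; restore it for consistency. The role change from Global Administrator to Attribute Assignment Administrator (and Attribute Assignment Reader for the filter procedure) is the right least-privilege guidance and should stay. In the FAQ line, "supported in Microsoft Entra admin center" reads better as "supported in the Microsoft Entra admin center".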
active-directory | How To Google Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-google-federation-customers.md | To configure Google federation by using PowerShell, follow these steps: At this point, the Google identity provider has been set up in your Azure AD, but it's not yet available in any of the sign-in pages. To add the Google identity provider to a user flow: 1. In your customer tenant, browse to **Identity** > **External Identities** > **User flows**.-1. Select the user flow where you want to add the Facebook identity provider. -1. Under Settings, select **Identity providers** +1. Select the user flow where you want to add the Google identity provider. ++1. Under Settings, select **Identity providers.** + 1. Under **Other Identity Providers**, select **Google**. <!-- ![Screenshot that shows how to add Google identity provider a user flow.](./media/sign-in-with-google/add-google-idp-to-user-flow.png)--> At this point, the Google identity provider has been set up in your Azure AD, bu - [Add Facebook as an identity provider](how-to-facebook-federation-customers.md) - [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md)++ |
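Review bot: the hunk puts the period inside the bold UI label ("select **Identity providers.**"); it should be "select **Identity providers**." to match the neighbouring steps. The "++" at the end of the file also adds two trailing blank lines, which should be removed. The Facebook-to-Google correction in the step text is right.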
active-directory | Direct Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation.md | To remove a configuration for an IdP in the Microsoft Entra admin center: 1. Select **OK** to confirm deletion. -You can also remove federation using the Microsoft Graph API [samlOrWsFedExternalDomainFederation](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta&preserve-view=true ) resource type. +You can also remove federation using the Microsoft Graph API [samlOrWsFedExternalDomainFederation](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta&preserve-view=true) resource type. ## Next steps |
active-directory | Tenant Restrictions V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tenant-restrictions-v2.md | Although these alternatives provide protection, certain scenarios can only be co After you create a tenant restrictions v2 policy, you can enforce the policy on each Windows 10, Windows 11, and Windows Server 2022 device by adding your tenant ID and the policy ID to the device's **Tenant Restrictions** configuration. When tenant restrictions are enabled on a Windows device, corporate proxies aren't required for policy enforcement. Devices don't need to be Azure AD managed to enforce tenant restrictions v2; domain-joined devices that are managed with Group Policy are also supported. +> [!NOTE] +> Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in Global Secure Access (preview). + #### Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2) and Group policy settings You can use Group Policy to deploy the tenant restrictions configuration to Windows devices. Refer to these resources: |
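Review bot: the new NOTE says the Windows enforcement does not protect the .NET stack, Chrome, or Firefox, but the paragraph directly above it still states "When tenant restrictions are enabled on a Windows device, corporate proxies aren't required for policy enforcement". Qualify that sentence (proxy-based enforcement is still needed for the clients the Windows solution does not cover) or move the note ahead of it, so readers do not remove proxy enforcement for browsers that are not covered. Also use "tenant restrictions v2" rather than "Tenant restrictions V2" to match the rest of the article.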
active-directory | Add Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md | Title: Add your custom domain -description: Instructions about how to add a custom domain using Azure Active Directory. +description: Instructions about how to add your custom domain name to your tenant. +# Add your custom domain name to your tenant -# Add your custom domain name using the Azure portal --Azure Active Directory (Azure AD) tenants come with an initial domain name, *\<domainname>.onmicrosoft.com*. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as *alain\@contoso.com*. +Azure Active Directory (Azure AD) tenants come with an initial domain name like, `domainname.onmicrosoft.com`. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as `alain@contoso.com`. ## Before you begin Before you can add a custom domain name, create your domain name with a domain registrar. For an accredited domain registrar, see [ICANN-Accredited Registrars](https://www.icann.org/registrar-reports/accredited-list.html). -## Create your directory in Azure AD +## Create your directory [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -After you get your domain name, you can create your first Azure AD directory. Sign in to the [Azure portal](https://portal.azure.com) for your directory, using an account with the **Owner** role for the subscription. +After you get your domain name, you can create your first directory. Sign in to the [Azure portal](https://portal.azure.com) for your directory, using an account with the [Owner](/azure/role-based-access-control/built-in-roles#owner) role for the subscription. 
Create your new directory by following the steps in [Create a new tenant for your organization](./create-new-tenant.md#create-a-new-tenant-for-your-organization). ->[!IMPORTANT] ->The person who creates the tenant is automatically the Global administrator for that tenant. The Global administrator can add additional administrators to the tenant. +> [!IMPORTANT] +> The person who creates the tenant is automatically granted [Global Administrator](../roles/permissions-reference.md#global-administrator) privileges. The Global Administrator role is highly privileged and can add additional administrators to the tenant. For more information about subscription roles, see [Azure roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles). ->[!TIP] -> If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Azure AD Connect tool to synchronize your directories. +> [!TIP] +> If you plan to federate on-premises Windows Server Active Directory with Azure AD, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Azure AD Connect tool to synchronize your directories. >-> You also need to register the same domain name you select for federating with your on-premises directory in the **Azure AD Domain** step in the wizard. To see what that setup looks like, see [Verify the Azure AD domain selected for federation](../hybrid/connect/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Azure AD Connect tool, you can [download it here](https://go.microsoft.com/fwlink/?LinkId=615771). +> You also need to register the same domain name you select for federating with your on-premises directory in the **Azure AD Domain** step in the wizard. 
To see what that setup looks like, see [Verify the domain selected for federation](../hybrid/connect/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Azure AD Connect tool, you can [download it here](https://go.microsoft.com/fwlink/?LinkId=615771). -## Add your custom domain name to Azure AD +## Add your custom domain name After you create your directory, you can add your custom domain name. -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Domain Name Administrator](../roles/permissions-reference.md#domain-name-administrator). -1. Search for and select *Azure Active Directory* from any page. Then select **Custom domain names** > **Add custom domain**. +1. Browse to **Identity** > **Settings** > **Domain names** > **Add custom domain**. ![Custom domain names page, with Add custom domain shown](media/add-custom-domain/add-custom-domain.png) -1. In **Custom domain name**, enter your organization's new name, in this example, *contoso.com*. Select **Add domain**. +1. In **Custom domain name**, enter your organization's domain, in this example, *contoso.com*. Select **Add domain**. ![Custom domain names page, with Add custom domain page](media/add-custom-domain/add-custom-domain-blade.png) - >[!IMPORTANT] - >You must include *.com*, *.net*, or any other top-level extension for this to work. When adding a custom domain, the Password Policy values will be inherited from the initial domain. + > [!IMPORTANT] + > You must include *.com*, *.net*, or any other top-level extension for this to work. When adding a custom domain, the Password Policy values will be inherited from the initial domain. - The unverified domain is added. The **contoso.com** page appears showing your DNS information. Save this information. 
You need it later to create a TXT record to configure DNS. +1. The unverified domain is added. The **contoso.com** page appears showing the DNS information needed to validate your domain ownership. Save this information. ![Contoso page with DNS entry information](media/add-custom-domain/contoso-blade-with-dns-info.png) ## Add your DNS information to the domain registrar -After you add your custom domain name to Azure AD, you must return to your domain registrar and add the Azure AD DNS information from your copied TXT file. Creating this TXT record for your domain verifies ownership of your domain name. +After you add your custom domain name, you must return to your domain registrar and add the DNS information from your copied from the previous step. Creating this TXT or MX record for your domain verifies ownership of your domain name. -Go back to your domain registrar and create a new TXT record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record. +Go back to your domain registrar and create a new TXT or MX record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record. ->[!IMPORTANT] ->You can register as many domain names as you want. However, each domain gets its own TXT record from Azure AD. Be careful when you enter the TXT file information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again. +> [!IMPORTANT] +> You can register as many domain names as you want. However, each domain gets its own TXT or MX record. Be careful when you enter the information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again. 
## Verify your custom domain name -After you register your custom domain name, make sure it's valid in Azure AD. The propagation from your domain registrar to Azure AD can be instantaneous or it can take a few days, depending on your domain registrar. +After you register your custom domain name, make sure it's valid in Microsoft Entra. The propagation time can be instantaneous or it can take a few days, depending on your domain registrar. To verify your custom domain name, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Domain Name Administrator](../roles/permissions-reference.md#domain-name-administrator). -1. Search for and select *Azure Active Directory* from any page, then select **Custom domain names**. +1. Browse to **Identity** > **Settings** > **Domain names**. 1. In **Custom domain names**, select the custom domain name. In this example, select **contoso.com**. ![Fabrikam - Custom domain names page, with contoso highlighted](media/add-custom-domain/custom-blade-with-contoso-highlighted.png) -1. On the **contoso.com** page, select **Verify** to make sure your custom domain is properly registered and is valid for Azure AD. +1. On the **contoso.com** page, select **Verify** to make sure your custom domain is properly registered and is valid. ![Contoso page with DNS entry information and the Verify button](media/add-custom-domain/contoso-blade-with-dns-info-verify.png) -After you've verified your custom domain name, you can delete your verification TXT or MX file. - ## Common verification issues -If Azure AD can't verify a custom domain name, try the following suggestions: +If you can't verify a custom domain name, try the following suggestions: -- **Wait at least an hour and try again.** DNS records must propagate before Azure AD can verify the domain. 
This process can take an hour or more.+- **Wait at least an hour and try again.** DNS records must propagate before you can verify the domain. This process can take an hour or more. - **If you are trying to verify a child domain, verify the parent domain first.** Make sure the parent domain is created and verified first before you try to verify a child domain. -- **Make sure the DNS record is correct.** Go back to the domain name registrar site. Make sure the entry is there, and that it matches the DNS entry information provided by Azure AD.+- **Make sure the DNS record is correct.** Go back to the domain name registrar site. Make sure the entry is there, and that it matches the DNS entry information provided in the Microsoft Entra admin center. - If you can't update the record on the registrar site, share the entry with someone who has permissions to add the entry and verify it's correct. + - If you can't update the record on the registrar site, share the entry with someone who has permissions to add the entry and verify it's correct. - **Make sure the domain name isn't already in use in another directory.** A domain name can only be verified in one directory. If your domain name is currently verified in another directory, it can't also be verified in the new directory. To fix this duplication problem, you must delete the domain name from the old directory. For more information about deleting domain names, see [Manage custom domain names](../enterprise-users/domains-manage.md). -- **Make sure you don't have any unmanaged Power BI tenants.** If your users have activated Power BI through self-service sign-up and created an unmanaged tenant for your organization, you must take over management as an internal or external admin, using PowerShell. 
For more information, see [Take over an unmanaged directory as administrator in Azure Active Directory](../enterprise-users/domains-admin-takeover.md).+- **Make sure you don't have any unmanaged Power BI tenants.** If your users have activated Power BI through self-service sign-up and created an unmanaged tenant for your organization, you must take over management as an internal or external admin, using PowerShell. For more information, see [Take over an unmanaged directory](../enterprise-users/domains-admin-takeover.md). ## Next steps -- Add another Global administrator to your directory. For more information, see [How to assign roles and administrators](./how-subscriptions-associated-directory.md).+- Add another Global Administrator to your directory. For more information, see [How to assign roles and administrators](./how-subscriptions-associated-directory.md). - Add users to your domain. For more information, see [How to add or delete users](./add-users.md). |
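Review bot: Grammar error in the rewritten "Add your DNS information to the domain registrar" paragraph: "+After you add your custom domain name, you must return to your domain registrar and add the DNS information from your copied from the previous step." reads "from your copied from". Suggest "add the DNS information you copied in the previous step."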
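Review bot: Misplaced comma in the rewritten introduction: "+Azure Active Directory (Azure AD) tenants come with an initial domain name like, `domainname.onmicrosoft.com`." Suggest "come with an initial domain name like `domainname.onmicrosoft.com`."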
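Review bot: The verify section removes "-After you've verified your custom domain name, you can delete your verification TXT or MX file." without replacing it, so the page no longer says whether the verification record may be removed or must be kept. Either restore the sentence (with "record" rather than "file", matching the "TXT or MX record" wording introduced in the same change) or state explicitly that the record should be retained, so that administrators neither leave stale records behind nor delete one that is still needed.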
active-directory | Add Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users.md | +# Add or delete users -# Add or delete users using Azure Active Directory --Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator. +Add new users or delete existing users from your tenant. To add or delete users, you must be a User Administrator or Global Administrator. [!INCLUDE [GDPR-related guidance](../../../includes/gdpr-hybrid-note.md)] Add new users or delete existing users from your Azure Active Directory (Azure A You can create a new user for your organization or invite an external user from the same starting point. -1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). -1. Navigate to **Azure Active Directory** > **Users**. +1. Browse to **Identity** > **Users** > **All users**. -1. Select either **Create new user** or **Invite external user** from the menu. You can change this setting on the next screen. +1. Select **New user** > **Create new user** or **Invite external user**. ![Screenshot of adding a new user from the All users page.](media/add-users-azure-active-directory/create-new-user-menu.png) 1. On the **New User** page, provide the new user's information: - - **Identity:** Add a user name and display name for the user. **User name** and **Name** are required and can't contain accent characters. You can also add a first and last name. -- The domain part of the user name must use either the initial default domain name, *\<yourdomainname>.onmicrosoft.com*, or a custom domain name, such as *contoso.com*. 
For more information about how to create a custom domain name, see [Add your custom domain name using the Azure portal](add-custom-domain.md). + - **Basics:** Add a user principal name and display name for the user. **User principal name** and **Display name** are required and can't contain accent characters. You can also add a first and last name. - - **Groups and roles:** Optional. Add the user to one or more existing groups. Group membership can be set at any time. For more information about adding users to groups, see the [manage groups article](how-to-manage-groups.md). + The domain part of the user name must use either the initial default domain name like, yourdomainname.onmicrosoft.com, or a custom domain name, such as contoso.com. For more information about how to create a custom domain name, see [Add your custom domain name](add-custom-domain.md). - - **Settings:** Optional. Toggle the option to block sign-in for the user or set the user's default location. + - **Assignments** Optionally add the user to one or more existing groups, administrative units, or roles. - - **Job info**: Optional. Add the user's job title, department, company name, and manager. These details can be updated at any time. For more information about adding other user info, see [How to manage user profile information](./how-to-manage-user-profile-info.md). + - **Properties**: Add information like the user's usage location, job title, department, company name, and manager. These details can be updated at any time. For more information about adding other user info, see [How to manage user profile information](./how-to-manage-user-profile-info.md). 1. Copy the autogenerated password provided in the **Password** box. You need to give this password to the user to sign in for the first time. -1. Select **Create**. --The user is created and added to your Azure AD organization. +1. Select **Review + create** > **Create**. 
## Add a new guest user -You can also invite new guest user to collaborate with your organization by selecting **Invite user** from the **New user** page. If your organization's external collaboration settings are configured to allow guests, the user will be emailed an invitation they must accept in order to begin collaborating. For more information about inviting B2B collaboration users, see [Invite B2B users to Azure Active Directory](../external-identities/add-users-administrator.md). +You can also invite new guest user to collaborate with your organization by selecting **Invite external user** from the **New user** page. If your organization's external collaboration settings are configured to allow guests, the user will be emailed an invitation they must accept in order to begin collaborating. For more information about inviting B2B collaboration users, see [Invite B2B users to Azure Active Directory](../external-identities/add-users-administrator.md). The process for inviting a guest is the same as [adding a new user](./add-users.md#add-a-new-user), with two exceptions. The email address won't follow the same domain rules as users from your organization. You can also include a personal message. If you have an environment with both Azure Active Directory (cloud) and Windows ## Delete a user -You can delete an existing user using Azure portal. +You can delete an existing user using Microsoft Entra admin center. - You must have a Global Administrator, Privileged Authentication Administrator or User Administrator role assignment to delete users in your organization. - Global Admins and Privileged Authentication Admins can delete any users including other admins. 
- User Administrators can delete any non-admin users, Helpdesk Administrators and other User Administrators.-- For more information, see [Administrator role permissions in Azure AD](../roles/permissions-reference.md).+- For more information, see [Administrator role permissions](../roles/permissions-reference.md). To delete a user, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles listed above. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). -1. Go to **Azure Active Directory** > **Users**. +1. Browse to **Identity** > **Users** > **All users**. -1. Search for and select the user you want to delete from your Azure AD tenant. +1. Search for and select the user you want to delete. -1. Select **Delete user**. +1. Select **Delete**. ![Screenshot of the All users page with a user selected and the Delete button highlighted.](media/add-users-azure-active-directory/delete-existing-user.png) -The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md). +The user is deleted and no longer appears on the **All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user](./users-restore.md). When a user is deleted, any licenses consumed by the user are made available for other users. ->[!Note] ->To update the identity, contact information, or job information for users whose source of authority is Windows Server Active Directory, you must use Windows Server Active Directory. 
After you complete the update, you must wait for the next synchronization cycle to complete before you'll see the changes. +> [!NOTE] +> To update the identity, contact information, or job information for users whose source of authority is Windows Server Active Directory, you must use Windows Server Active Directory. After you complete the update, you must wait for the next synchronization cycle to complete before you'll see the changes. ## Next steps |
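Review bot: The role list in the rewritten introduction is inconsistent with the Delete section further down: "+Add new users or delete existing users from your tenant. To add or delete users, you must be a User Administrator or Global Administrator." while the unchanged context under "## Delete a user" says "You must have a Global Administrator, Privileged Authentication Administrator or User Administrator role assignment to delete users in your organization." Suggest either adding Privileged Authentication Administrator to the introduction or having the introduction defer to the per-section role requirements.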
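Review bot: Small wording and formatting issues in the rewritten steps: "+You can delete an existing user using Microsoft Entra admin center." is missing "the" before "Microsoft Entra admin center"; "+ - **Assignments** Optionally add the user to one or more existing groups, administrative units, or roles." lacks the colon that the sibling "**Properties**:" item uses; and "the initial default domain name like, yourdomainname.onmicrosoft.com" has a misplaced comma (suggest "like `yourdomainname.onmicrosoft.com`", in code font as the add-custom-domain change on this page does).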
active-directory | Create New Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/create-new-tenant.md | After you sign in to the [Azure portal](https://portal.azure.com), you can creat 1. From the Azure portal menu, select **Azure Active Directory**. -1. On the overview page, select **Manage tenants** +1. On the overview page, select **Manage tenants** 1. Select **Create**. - ![Azure Active Directory - Overview page - Create a tenant](media/create-new-tenant/portal.png) + ![Azure Active Directory - Overview page - Create a tenant](media/create-new-tenant/portal.png) 1. On the Basics tab, select the type of tenant you want to create, either **Azure Active Directory** or **Azure Active Directory (B2C)**. 1. Select **Next: Configuration** to move on to the Configuration tab. -1. On the Configuration tab, enter the following information: +1. On the Configuration tab, enter the following information: - ![Azure Active Directory - Create a tenant page - configuration tab ](media/create-new-tenant/create-new-tenant.png) + ![Azure Active Directory - Create a tenant page - configuration tab ](media/create-new-tenant/create-new-tenant.png) - - Type your desired Organization name (for example _Contoso Organization_) into the **Organization name** box. -- - Type your desired Initial domain name (for example _Contosoorg_) into the **Initial domain name** box. -- - Select your desired Country/Region or leave the _United States_ option in the **Country or region** box. + - Type your desired Organization name (for example _Contoso Organization_) into the **Organization name** box. + - Type your desired Initial domain name (for example _Contosoorg_) into the **Initial domain name** box. + - Select your desired Country/Region or leave the _United States_ option in the **Country or region** box. 1. Select **Next: Review + Create**. Review the information you entered and if the information is correct, select **create**. 
When you create a new Azure AD tenant, you become the first user of that tenant. By default, you're also listed as the [technical contact](/microsoft-365/admin/manage/change-address-contact-and-more#what-do-these-fields-mean) for the tenant. Technical contact information is something you can change in [**Properties**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties). > [!WARNING]-> Ensure your directory has at least two accounts with global administrator privileges assigned to them. This will help in the case that one global administrator is locked out. For more detail see the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md). +> Ensure your directory has at least two accounts with Global Administrator privileges assigned to them. This will help in the case that one Global Administrator is locked out. For more detail see the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md). ## Clean up resources |
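Review bot: This change only reflows whitespace and capitalizes "Global Administrator", but the steps it touches still begin "After you sign in to the [Azure portal](https://portal.azure.com)" and "1. From the Azure portal menu, select **Azure Active Directory**.", while every other change on this page moves sign-in and navigation to the Microsoft Entra admin center. Consider updating these steps in the same pass so the create-tenant and add-custom-domain articles agree on the entry point. Also, "select **create**" in the final step is lowercase while the UI labels elsewhere in the same steps are capitalized (**Create**, **Next: Configuration**).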
active-directory | Custom Security Attributes Add | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-add.md | To add or deactivate custom security attributes definitions, you must have: An attribute set is a collection of related attributes. All custom security attributes must be part of an attribute set. Attribute sets cannot be renamed or deleted. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator). -1. Click **Azure Active Directory** > **Custom security attributes (Preview)**. +1. Browse to **Protection** > **Custom security attributes**. 1. Click **Add attribute set** to add a new attribute set. An attribute set is a collection of related attributes. All custom security attr ## Add a custom security attribute definition -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator). -1. Click **Azure Active Directory** > **Custom security attributes (Preview)**. +1. Browse to **Protection** > **Custom security attributes**. 1. On the Custom security attributes page, find an existing attribute set or click **Add attribute set** to add a new attribute set. An attribute set is a collection of related attributes. All custom security attr ![Screenshot of New attribute pane with Add predefined value pane in Azure portal.](./media/custom-security-attributes-add/attribute-new-value-add.png) - 1. When finished, click **Save**. The new custom security attribute appears in the list of custom security attributes. An attribute set is a collection of related attributes. 
All custom security attr Once you add a new custom security attribute definition, you can later edit some of the properties. Some properties are immutable and cannot be changed. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator). -1. Click **Azure Active Directory** > **Custom security attributes (Preview)**. +1. Browse to **Protection** > **Custom security attributes**. 1. Click the attribute set that includes the custom security attribute you want to edit. Once you add a new custom security attribute definition, you can later edit some Once you add a custom security attribute definition, you can't delete it. However, you can deactivate a custom security attribute definition. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator). -1. Click **Azure Active Directory** > **Custom security attributes (Preview)**. +1. Browse to **Protection** > **Custom security attributes**. 1. Click the attribute set that includes the custom security attribute you want to deactivate. |
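Review bot: Wrong indefinite article in each of the four rewritten sign-in steps: "+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator)." should read "as an Attribute Definition Administrator". Since the same sentence is repeated in every section, consider stating the role once under the prerequisites and using "as at least a ..." phrasing consistent with the add-custom-domain and add-users changes on this page.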
active-directory | Custom Security Attributes Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-manage.md | To grant access to the appropriate people, follow these steps to assign one of t The following examples show how to assign a custom security attribute role to a principal at an attribute set scope named Engineering. -# [Portal](#tab/azure-portal) +# [Admin center](#tab/admin-center) -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). -1. Click **Azure Active Directory**. --1. In the left navigation menu, click **Custom security attributes (Preview)**. +1. Browse to **Protection** > **Custom security attributes**. 1. Click the attribute set you want grant access to. $roleAssignment = New-AzureADMSRoleAssignment -RoleDefinitionId $roleDefinitionI The following examples show how to assign a custom security attribute role to a principal at tenant scope. -# [Portal](#tab/azure-portal) --1. Sign in to the [Azure portal](https://portal.azure.com). +# [Admin center](#tab/admin-center) -1. Click **Azure Active Directory**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). -1. In the left navigation menu, click **Roles and administrators**. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ![Screenshot of assigning attribute roles at tenant scope.](./media/custom-security-attributes-manage/manage-tenant.png) |
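Review bot: Wrong indefinite article in both rewritten sign-in steps: "+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator)." should read "as an Attribute Assignment Administrator". Also confirm that the renamed tab anchor "# [Admin center](#tab/admin-center)" is applied to every tab group in the article, since the visible hunks update only the two occurrences shown and a leftover "#tab/azure-portal" would break tab switching.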
active-directory | Get Started Premium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/get-started-premium.md | If you signed up using a new Azure AD license plan, you must activate it for you ![Confirmation email with sign in and sign up links](media/get-started-premium/MOLSEmail.png) - - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a global administrator on the tenant where the licenses are being activated. + - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a Global Administrator on the tenant where the licenses are being activated. - **Sign up.** Choose this link if you want to open the **Create Account Profile** page and create a new Azure AD tenant for your licensing plan. |
active-directory | Groups View Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/groups-view-azure-portal.md | -#Customer intent: As a brand-new Azure AD administrator, I need to view my organizationΓÇÖs groups along with the assigned members, so I can manage permissions to apps and services for people in my organization. +# Quickstart: Create a group with members and view all groups and members -# Quickstart: Create a group with members and view all groups and members in Azure Active Directory -You can view your organization's existing groups and group members using the Azure portal. Groups are used to manage users that all need the same access and permissions for potentially restricted apps and services. +You can view your organization's existing groups and group members using the Microsoft Entra Admin Center. Groups are used to manage users that all need the same access and permissions for potentially restricted apps and services. -In this quickstart, youΓÇÖll set up a new group and assign members to the group. Then you'll view your organization's group and assigned members. Throughout this guide, you'll create a user and group that you can use in other Azure AD Fundamentals quickstarts and tutorials. +In this quickstart, youΓÇÖll set up a new group and assign members to the group. Then you'll view your organization's group and assigned members. Throughout this guide, you'll create a user and group that you can use in other quickstarts and tutorials. If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. Before you begin, youΓÇÖll need to: - Create an Azure Active Directory tenant. For more information, see [Access the Azure portal and create a new tenant](./create-new-tenant.md). 
-<a name='sign-in-to-the-azure-portal'></a> --## Sign in to the [Azure portal](https://portal.azure.com) ---You must sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory. - ## Create a new group Create a new group, named _MDM policy - West_. For more information about creating a group, see [How to create a basic group and add members](./how-to-manage-groups.md). -1. Go to **Azure Active Directory** > **Groups**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Groups** > **All groups**. 1. Select **New group**.- 1. Complete the **Group** page: - **Group type:** Select **Security**- - **Group name:** Type _MDM policy - West_- - **Membership type:** Select **Assigned**. 1. Select **Create**. ## Create a new user-A user must exist before being added as a group member, so you'll need to create a new user. For this quickstart, we've added a user named _Alain Charon_. Check the "Custom domain names" tab first to get the verified domain name in which to create users. For more information about creating a user, see [How to add or delete users](./add-users.md). --1. Go to **Azure Active Directory** > **Users**. -1. Select **New user**. +A user must exist before being added as a group member, so you'll need to create a new user. For this quickstart, we've added a user named _Alain Charon_. Check the "Custom domain names" tab first to get the verified domain name in which to create users. For more information about creating a user, see [How to add or delete users](./add-users.md). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**. 1. Complete the **User** page: - - **Name:** Type _Alain Charon_. -- - **User name:** Type *alain\@contoso.com*. + - **User principal name:** Type *alain\@contoso.com*. 
+ - **Display name:** Type _Alain Charon_. 1. Copy the auto-generated password provided in the **Password** box and select **Create**. ## Add a group member-Now that you have a group and a user, you can add _Alain Charon_ as a member to the _MDM policy - West_ group. For more information about adding group members, see the [Manage groups](how-to-manage-groups.md) article. --1. Go to **Azure Active Directory** > **Groups**. -2. From the **Groups - All groups** page, search for and select the **MDM policy - West** group. --3. From the **MDM policy - West Overview** page, select **Members** from the **Manage** area. --4. Select **Add members**, and then search and select **Alain Charon**. +Now that you have a group and a user, you can add _Alain Charon_ as a member to the _MDM policy - West_ group. For more information about adding group members, see the [Manage groups](how-to-manage-groups.md) article. -5. Choose **Select**. +1. Browse to **Identity** > **Groups** > **All groups**. +1. Select the **MDM policy - West** group created earlier. +1. From the **MDM policy - West Overview** page, select **Members**. +1. Select **Add members**, and then search and select **Alain Charon**. +1. Choose **Select**. ## View all groups-You can see all the groups for your organization in the **Groups - All groups** page of the Azure portal. -- Go to **Azure Active Directory** > **Groups**.+You can see all the groups for your organization in the **Groups - All groups** page. - The **Groups - All groups** page appears, showing all your active groups. +- Browse to **Identity** > **Groups** > **All groups**. ++ The **All groups** page appears, showing all your active groups. ![Screenshot of the 'Groups-All groups' page, showing all existing groups.](media/groups-view-azure-portal/groups-search.png) ## Search for a group-Search the **Groups ΓÇô All groups** page to find the **MDM policy ΓÇô West** group. -1. From the **Groups - All groups** page, type _MDM_ into the **Search** box. 
+Search the **All groups** page to find the **MDM policy ΓÇô West** group. ++1. Browse to **Identity** > **Groups** > **All groups**. +1. From the **All groups** page, type _MDM_ into the **Search** box. The search results appear under the **Search** box, including the _MDM policy - West_ group. ![Screenshot of the 'Groups' search page showing matching search results.](media/groups-view-azure-portal/groups-search-group-name.png) 1. Select the group **MDM policy ΓÇô West**.- 1. View the group info on the **MDM policy - West Overview** page, including the number of members of that group. ![Screenshot of MDM policy ΓÇô West Overview page with member info.](media/groups-view-azure-portal/groups-overview.png) ## View group members+ Now that youΓÇÖve found the group, you can view all the assigned members. Select **Members** from the **Manage** area, and then review the complete list of member names assigned to that specific group, including _Alain Charon_. Select **Members** from the **Manage** area, and then review the complete list o ![Screenshot of the list of members assigned to the MDM policy ΓÇô West group.](media/groups-view-azure-portal/groups-all-members.png) ## Clean up resources-The group you just created is used in other articles in the Azure AD Fundamentals documentation. If you'd rather not use this group, you can delete it and its assigned members using the following steps: -1. On the **Groups - All groups** page, search for the **MDM policy - West** group. +The group you just created is used in other articles in this documentation. If you'd rather not use this group, you can delete it and its assigned members using the following steps: +1. Browse to **Identity** > **Groups** > **All groups**. +1. On the **All groups** page, search for the **MDM policy - West** group. 1. Select the **MDM policy - West** group. - The **MDM policy - West Overview** page appears. + The **MDM policy - West Overview** page appears. 1. Select **Delete**. 
- The group and its associated members are deleted. + The group and its associated members are deleted. - ![Screenshot of the MDM policy ΓÇô West Overview page with Delete link highlighted.](media/groups-view-azure-portal/groups-delete.png) + ![Screenshot of the MDM policy ΓÇô West Overview page with Delete link highlighted.](media/groups-view-azure-portal/groups-delete.png) - >[!Important] - >This doesn't delete the user Alain Charon, just his membership in the deleted group. + > [!IMPORTANT] + > This doesn't delete the user Alain Charon, just his membership in the deleted group. + > + > To delete your test user: Browse to **Identity** > **Users** > **All users** select your test user and choose **Delete**. ## Next steps-Advance to the next article to learn how to associate a subscription to your Azure AD directory. ++Advance to the next article to learn how to associate a subscription to your directory. > [!div class="nextstepaction"] > [Associate an Azure subscription](./how-subscriptions-associated-directory.md) |
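Review bot: the "View group members" section still tells the reader to "Select **Members** from the **Manage** area" while the updated "Add a group member" step ("+1. From the **MDM policy - West Overview** page, select **Members**.") dropped the portal-specific "Manage area" wording; update the "View group members" sentence to match. The new Important note is also missing a comma: "Browse to **Identity** > **Users** > **All users**, select your test user and choose **Delete**".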
active-directory | How Subscriptions Associated Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-subscriptions-associated-directory.md | -All Azure subscriptions have a trust relationship with an Azure Active Directory (Azure AD) instance. Subscriptions rely on their trusted Azure AD to authenticate and authorize security principals and devices. When a subscription expires, the trusted instance of the Azure AD service remains, but the security principals lose access to Azure resources. Subscriptions can only trust a single directory while one Azure AD may be trusted by multiple subscriptions. +All Azure subscriptions have a trust relationship with an Azure Active Directory (Azure AD) tenant. Subscriptions rely on this tenant (directory) to authenticate and authorize security principals and devices. When a subscription expires, the trusted instance remains, but the security principals lose access to Azure resources. Subscriptions can only trust a single directory while one Azure AD tenant may be trusted by multiple subscriptions. -When a user signs up for a Microsoft cloud service, a new Azure AD tenant is created and the user is made a member of the Global Administrator role. However, when an owner of a subscription joins their subscription to an existing tenant, the owner isn't assigned to the Global Administrator role. +When a user signs up for a Microsoft cloud service, a new Azure AD tenant is created and the user is made a Global Administrator. However, when an owner of a subscription joins their subscription to an existing tenant, the owner isn't assigned to the Global Administrator role. While users may only have a single authentication *home* directory, users may participate as guests in multiple directories. You can see both the home and guest directories for each user in Azure AD. 
:::image type="content" source="media/how-subscriptions-associated-directory/trust-relationship.png" alt-text="Screenshot that shows the trust relationship between Azure subscriptions and Azure active directories."::: -> [!Important] +> [!IMPORTANT] > When a subscription is associated with a different directory, users who have roles assigned using [Azure role-based access control](../../role-based-access-control/role-assignments-portal.md) lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access. > > Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principal's rights. For more information about AKS, see [Azure Kubernetes Service (AKS)](../../aks/index.yml). Before you can associate or add your subscription, do the following steps: To associate an existing subscription with your Azure AD, follow these steps: -1. Sign in and select the subscription you want to use from the [Subscriptions page in Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade). +1. Sign to the [Azure portal](https://portal.azure.com) with the [Owner](../../role-based-access-control/built-in-roles.md#owner) role assignment for the subscription. ++1. Browse to **Subscriptions**. ++1. Select the name of the subscription you want to use. 1. Select **Change directory**. |
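Review bot: typo in the new first step of the association procedure, "+1. Sign to the [Azure portal](https://portal.azure.com) with the [Owner]..." should read "Sign in to the [Azure portal]...".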
active-directory | How To Approve Support Access Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-approve-support-access-requests.md | -Microsoft Support access requests (preview) enable you to [give Microsoft Support engineers access to diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft. You can use the Microsoft Entra admin center and the Azure Active Directory (Azure AD) portal to manage Microsoft Support access requests (preview). +Microsoft Support access requests (preview) enable you to [give Microsoft Support engineers access to diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft. You can use the Microsoft Entra admin center and the Azure portal to manage Microsoft Support access requests (preview). This article describes how the process works and how to approve Microsoft Support access requests. ## Prerequisites -Only authorized users in your tenant can view and manage Microsoft Support access requests. To view, approve, and reject Microsoft Support access requests, a role must have the permission `microsoft.azure.supportTickets/allEntities/allTasks`. To see which Azure AD roles have this permission, search the [Azure AD built-in roles](../roles/permissions-reference.md) for the required permission. +Only authorized users in your tenant can view and manage Microsoft Support access requests. To view, approve, and reject Microsoft Support access requests, a role must have the permission `microsoft.azure.supportTickets/allEntities/allTasks`. To see which roles have this permission, search the [Azure AD built-in roles](../roles/permissions-reference.md) for the required permission. 
## Scenarios and workflow This cross-tenant scenario is the primary scenario where a support access reques When you have a pending support access request, you can view and approve that request from a couple places. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Service Support Administrator](../roles/permissions-reference.md#service-support-administrator). ++1. Browse to **Learn & support** > **Diagnose and solve problems**. 1. Select the link from the banner message at the top of the page. |
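Review bot: the new step "+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Service Support Administrator]..." names a concrete least-privileged role, but the Prerequisites hunk still only says "a role must have the permission `microsoft.azure.supportTickets/allEntities/allTasks`" and sends the reader to search the roles reference; state the Service Support Administrator role in Prerequisites as well so the two sections agree.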
active-directory | How To Create Delete Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-create-delete-users.md | +# How to create, invite, and delete users -# How to create, invite, and delete users (preview) --This article explains how to create a new user, invite an external guest, and delete a user in your Azure Active Directory (Azure AD) tenant. --The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). +This article explains how to create a new user, invite an external guest, and delete a user in your tenant. Instructions for the legacy create user process can be found in the [Add or delete users](./add-users.md) article. The required role of least privilege varies based on the type of user you're add [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. --1. Navigate to **Azure Active Directory** > **Users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). -1. Select **Create new user** from the menu. +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**. ![Screenshot of the create new user menu.](media/how-to-create-delete-users/create-new-user-menu.png) The required role of least privilege varies based on the type of user you're add The **Basics** tab contains the core fields required to create a new user. 
- **User principal name**: Enter a unique username and select a domain from the menu after the @ symbol. Select **Domain not listed** if you need to create a new domain. For more information, see [Add your custom domain name](add-custom-domain.md)- - **Mail nickname**: If you need to enter an email nickname that is different from the user principal name you entered, uncheck the **Derive from user principal name** option, then enter the mail nickname.- - **Display name**: Enter the user's name, such as Chris Green or Chris A. Green- - **Password**: Provide a password for the user to use during their initial sign-in. Uncheck the **Auto-generate password** option to enter a different password.- - **Account enabled**: This option is checked by default. Uncheck to prevent the new user from being able to sign-in. You can change this setting after the user is created. This setting was called **Block sign in** in the legacy create user process. Either select the **Review + create** button to create the new user or **Next: Properties** to complete the next section. Either select the **Review + create** button to create the new user or **Next: P ### Properties -There are six categories of user properties you can provide. These properties can be added or updated after the user is created. To manage these details, go to **Azure AD** > **Users** and select a user to update. +There are six categories of user properties you can provide. These properties can be added or updated after the user is created. To manage these details, go to **Identity** > **Users** > **All users** and select a user to update. - **Identity:** Enter the user's first and last name. Set the User type as either Member or Guest. 
- - **Job information:** Add any job-related information, such as the user's job title, department, or manager.- - **Contact information:** Add any relevant contact information for the user.- - **Parental controls:** For organizations like K-12 school districts, the user's age group may need to be provided. *Minors* are 12 and under, *Not adult* are 13-18 years old, and *Adults* are 18 and over. The combination of age group and consent provided by parent options determine the Legal age group classification. The Legal age group classification may limit the user's access and authority.- - **Settings:** Specify the user's global location. Either select the **Review + create** button to create the new user or **Next: Assignments** to complete the next section. The final tab captures several key details from the user creation process. Revie The overall process for inviting an external guest user is similar, except for a few details on the **Basics** tab and the email invitation process. You can't assign external users to administrative units. -1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. A role with Guest Inviter privileges can also invite external users. --1. Navigate to **Azure Active Directory** > **Users**. --1. Select **Invite external user** from the menu. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Invite external user**. ![Screenshot of the invite external user menu option.](media/how-to-create-delete-users/invite-external-user-menu.png) The overall process for inviting an external guest user is similar, except for a In this section, you're inviting the guest to your tenant using *their email address*. 
If you need to create a guest user with a domain account, use the [create new user process](#create-a-new-user) but change the **User type** to **Guest**. - **Email**: Enter the email address for the guest user you're inviting.- - **Display name**: Provide the display name.- - **Invitation message**: Select the **Send invite message** checkbox to customize a brief message to the guest. Provide a Cc recipient, if necessary. ![Screenshot of the invite external user Basics tab.](media/how-to-create-delete-users/invite-external-user-basics-tab.png) In this section, you're inviting the guest to your tenant using *their email add When you invite an external guest user by sending an email invitation, you can check the status of the invitation from the user's details. -1. Go to **Azure AD** > **Users** and select the invited guest user. +1. Browse to **Identity** > **Users** > **All users**. +1. Select the invited guest user. 1. In the **My Feed** section, locate the **B2B collaboration** tile. - If the invitation state is **PendingAcceptance**, select the **Resend invitation** link to send another email. - You can also select the **Properties** for the user and view the **Invitation state**. You can delete an existing user using Azure portal. To delete a user, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles. --1. Go to **Azure Active Directory** > **Users**. --1. Search for and select the user you want to delete from your Azure AD tenant. -+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Search for and select the user you want to delete. 1. Select **Delete user**. 
![Screenshot of the All users page with a user selected and the Delete button highlighted.](media/how-to-create-delete-users/delete-existing-user.png) -The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md). +The user is deleted and no longer appears on the **All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md). When a user is deleted, any licenses consumed by the user are made available for other users. ->[!Note] ->To update the identity, contact information, or job information for users whose source of authority is Windows Server Active Directory, you must use Windows Server Active Directory. After you complete the update, you must wait for the next synchronization cycle to complete before you'll see the changes. +> [!NOTE] +> To update the identity, contact information, or job information for users whose source of authority is Windows Server Active Directory, you must use Windows Server Active Directory. After you complete the update, you must wait for the next synchronization cycle to complete before you'll see the changes. + ## Next steps * [Learn about B2B collaboration users](../external-identities/add-users-administrator.md) |
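Review bot: the replacement sign-in step for inviting an external user drops the least-privilege information carried by the removed line "A role with Guest Inviter privileges can also invite external users."; "as at least a [User Administrator]" overstates what an invitation requires, so keep the Guest Inviter mention. Separately, the "Delete a user" section keeps the unchanged lead-in "You can delete an existing user using Azure portal." above steps that now begin with "+1. Sign in to the [Microsoft Entra admin center]...", so that sentence should be updated too.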
active-directory | How To Customize Branding | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-customize-branding.md | In the following example, the company branding for Woodgrove Groceries appears o [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator for the directory. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). -2. Browse to **Azure Active Directory** > **Company branding** > **Customize**. +1. Browse to **Identity** > **User experiences** > **Company branding**. - If you currently have a customized sign-in experience, the **Edit** button is available. ![Custom branding landing page with 'Company branding' highlighted in the side menu and 'Configure' button highlighted in the center of the page](media/how-to-customize-branding/customize-branding-getting-started.png) Once your default sign-in experience is created, select the **Edit** button to m You can create a personalized sign-in experience for users who sign in using a specific browser language by customizing the branding elements for that browser language. This customization overrides any configurations made to the default branding. If you don't make any changes to the elements, the default elements are displayed. -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). ++1. Browse to **Identity** > **User experiences** > **Company branding**. -2. Go to **Azure Active Directory** > **Company branding** > **Add browser language**. +1. Select **Add browser language**. 
The process for customizing the experience is the same as the [default sign-in experience](#basics) process, except you must select a language from the dropdown list in the **Basics** section. We recommend adding custom text in the same areas as your default sign-in experience. |
active-directory | How To Find Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-find-tenant.md | +## Find tenant ID through the Microsoft Entra admin center ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). + +1. Browse to **Identity** > **Overview** > **Properties**. ++1. Scroll down to the **Tenant ID** section and you can find your tenant ID in the box. + ## Find tenant ID through the Azure portal [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] 1. Sign in to the [Azure portal](https://portal.azure.com). -1. Select **Azure Active Directory**. --1. Select **Properties**. +1. Browse to **Azure Active Directory** > **Properties**. 1. Scroll down to the **Tenant ID** section and you can find your tenant ID in the box. |
active-directory | How To Get Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-get-support.md | Microsoft Q&A is Azure's recommended source for community support. We recommend | [Microsoft Graph API](https://developer.microsoft.com/graph/) | [[azure-ad-graph]](/answers/topics/azure-ad-graph.html) | | All other authentication and authorization areas | [[azure-active-directory]](/answers/topics/azure-active-directory.html) | -## Open a support request in Azure Active Directory +## Open a support request If you're unable to find answers by using self-help resources, you can open an online support request. You should open a support request for only a single problem, so that we can connect you to the support engineers who are subject matter experts for your problem. Azure AD engineering teams prioritize their work based on incidents that are generated from support, so you're often contributing to service improvements. Explore the range of [Azure support options and choose the plan](https://azure.m > [!NOTE] > If you're using Azure AD B2C, open a support ticket by first switching to an Azure AD tenant that has an Azure subscription associated with it. Typically, this is your employee tenant or the default tenant created for you when you signed up for an Azure subscription. To learn more, see [how an Azure subscription is related to Azure AD](./how-subscriptions-associated-directory.md). -1. Sign in to the [Azure portal](https://portal.azure.com) and open **Azure Active Directory**. - -1. Scroll down to **Troubleshooting + Support** and select **New support request**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Service Support Administrator](../roles/permissions-reference.md#service-support-administrator). ++1. Browse to **Learn & support** > **New support request**. 1. Follow the prompts to provide us with information about the problem you're having. |
active-directory | How To Manage Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-groups.md | Before adding groups and members, [learn about groups and membership types](conc [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -You can create a basic group and add your members at the same time using the Azure Active Directory (Azure AD) portal. Azure AD roles that can manage groups include **Groups Administrator**, **User Administrator**, **Privileged Role Administrator**, or **Global Administrator**. Review the [appropriate Azure AD roles for managing groups](../roles/delegate-by-task.md#groups) +You can create a basic group and add your members at the same time using the Microsoft Entra admin center. Azure AD roles that can manage groups include **Groups Administrator**, **User Administrator**, **Privileged Role Administrator**, or **Global Administrator**. Review the [appropriate Azure AD roles for managing groups](../roles/delegate-by-task.md#groups) To create a basic group and add members: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). -1. Go to **Azure Active Directory** > **Groups** > **New group**. +1. Browse to **Identity** > **Groups** > **All groups**. + +1. Select **New group**. ![Screenshot of the 'Azure AD Groups' page with 'New group' option highlighted.](media/how-to-manage-groups/new-group.png) To create a basic group and add members: 1. **Group description.** Add an optional description to your group. 1. Switch the **Azure AD roles can be assigned to the group** setting to yes to use this group to assign Azure AD roles to members.- - This option is only available with Premium P1 or P2 licenses. + - This option is only available with P1 or P2 licenses. 
- You must have the **Privileged Role Administrator** or **Global Administrator** role. - Enabling this option automatically selects **Assigned** as the Membership type. - The ability to add roles while creating the group is added to the process. To create a basic group and add members: A welcome notification is sent to all users when they're added to a new Microsoft 365 group, regardless of the membership type. When an attribute of a user or device changes, all dynamic group rules in the organization are processed for potential membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in [Exchange PowerShell](/powershell/module/exchange/users-and-groups/Set-UnifiedGroup). ## Add or remove members and owners-Members and owners can be added to and removed from existing Azure AD groups. The process is the same for members and owners. You'll need the **Groups Administrator** or **User Administrator** role to add and remove members and owners. ++Members and owners can be added to and removed from existing groups. The process is the same for members and owners. You'll need the **Groups Administrator** or **User Administrator** role to add and remove members and owners. Need to add multiple members at one time? Learn about the [add members in bulk](../enterprise-users/groups-bulk-import-members.md) option. ### Add members or owners of a group -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). -1. Go to **Azure Active Directory** > **Groups**. +1. Browse to **Identity** > **Groups** > **All groups**. 1. Select the group you need to manage. Need to add multiple members at one time? Learn about the [add members in bulk]( ### Remove members or owners of a group -1. Go to **Azure Active Directory** > **Groups**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). ++1. Browse to **Identity** > **Groups** > **All groups**. 1. Select the group you need to manage. Need to add multiple members at one time? Learn about the [add members in bulk]( ## Edit group settings -Using Azure AD, you can edit a group's name, description, or membership type. You'll need the **Groups Administrator** or **User Administrator** role to edit a group's settings. +You can edit a group's name, description, or membership type. You'll need the **Groups Administrator** or **User Administrator** role to edit a group's settings. To edit your group settings: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). -1. Go to **Azure Active Directory** > **Groups**. The **Groups - All groups** page appears, showing all of your active groups. +1. Browse to **Identity** > **Groups** > **All groups**. 1. Scroll through the list or enter a group name in the search box. Select the group you need to manage. To edit your group settings: - **Object ID.** You can't change the Object ID, but you can copy it to use in your PowerShell commands for the group. For more info about using PowerShell cmdlets, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-v2-cmdlets.md). ## Add or remove a group from another group+ You can add an existing Security group to another Security group (also known as nested groups). Depending on the group types, you can add a group as a member of another group, just like a user, which applies settings like roles and access to the nested groups. You'll need the **Groups Administrator** or **User Administrator** role to edit group membership. 
We currently don't support: We currently don't support: ### Add a group to another group -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). -1. Go to **Azure Active Directory** > **Groups**. +1. Browse to **Identity** > **Groups** > **All groups**. -1. On the **Groups - All groups** page, search for and select the group you want to become a member of another group. +1. On the **All groups** page, search for and select the group you want to become a member of another group. >[!Note] >You only can add your group as a member to one other group at a time. Wildcard characters aren't supported in the **Select Group** search box. For a more detailed view of the group and member relationship, select the parent ### Remove a group from another group You can remove an existing Security group from another Security group; however, removing the group also removes any inherited access for its members. -1. On the **Groups - All groups** page, search for and select the group you need to remove as a member of another group. +1. On the **All groups** page, search for and select the group you need to remove as a member of another group. 1. On the group Overview page, select **Group memberships**. You can remove an existing Security group from another Security group; however, ## Delete a group -You can delete an Azure AD group for any number of reasons, but typically it will be because you: +You can delete a group for any number of reasons, but typically it will be because you: - Chose the incorrect **Group type** option.- - Created a duplicate group by mistake. - - No longer need the group. -To delete a group, you'll need the **Groups Administrator** or **User Administrator** role. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Browse to **Identity** > **Groups** > **All groups**. -2. Go to **Azure Active Directory** > **Groups**. +1. Search for and select the group you want to delete. -3. Search for and select the group you want to delete. --4. Select **Delete**. -- The group is deleted from your Azure Active Directory tenant. +1. Select **Delete**. ## Next steps - [Learn about groups and assigning access rights to groups](concept-learn-about-groups.md)- - [Manage groups using PowerShell commands](../enterprise-users/groups-settings-v2-cmdlets.md)- - [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md)- - [Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory](../enterprise-users/licensing-group-advanced.md#limitations-and-known-issues)- - [Associate or add an Azure subscription to Azure Active Directory](./how-subscriptions-associated-directory.md) |
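Review bot: the "Delete a group" hunk drops the role sentence `-To delete a group, you'll need the **Groups Administrator** or **User Administrator** role.` and replaces it with a sign-in step that names only Groups Administrator, while the "Edit group settings" and nested-group sections in the same article still say either Groups Administrator or User Administrator suffices. Either keep the User Administrator alternative in the new sign-in step or drop it from the other sections so the minimum role is stated the same way throughout. The removed outcome line `- The group is deleted from your Azure Active Directory tenant.` was also the only sentence telling the reader what **Delete** does; a one-line outcome after step 4 is worth keeping.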
active-directory | How To Manage Stay Signed In Prompt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-stay-signed-in-prompt.md | You must have the **Global Administrator** role to enable the 'Stay signed in?' [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -The KMSI setting is managed in the **User settings** of Azure Active Directory (Azure AD). +The KMSI setting is managed in **User settings**. -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Go to **Azure Active Directory** > **Users** > **User settings**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Browse to **Identity** > **Users** > **User settings**. 1. Set the **Show keep user signed in** toggle to **Yes**. ![Screenshot of the Show keep user signed in prompt.](media/how-to-manage-stay-signed-in-prompt/show-keep-user-signed-in.png) If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in ![Sample 'Stay signed in?' prompt](media/how-to-manage-stay-signed-in-prompt/kmsi-stay-signed-in-prompt.png) -Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the following details in the **Basic info** section. +Details about the sign-in error are found in the **Sign-in logs**. Select the impacted user from the list and locate the following details in the **Basic info** section. * **Sign in error code**: 50140 * **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in. -You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory. 
+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your directory. -You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory. +You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the Global Administrators) without affecting sign-in behavior for everyone else in the directory. To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios: |
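Review bot: the control is named two different ways in the same article: step 3 says set the **Show keep user signed in** toggle to **Yes**, while the later paragraph (`+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No**`) uses a different label for what is evidently the same setting. Use the one label the portal shows so an admin disabling the prompt finds the same control the enable step points at. The Conditional Access sentence's example group "(such as the Global Administrators)" is the right example, since the persistent browser session control it describes is what keeps privileged accounts from persisting sessions; consider saying that is why it is the example rather than leaving it as an arbitrary group.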
active-directory | How To Manage Support Access Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-support-access-requests.md | -You can use the Microsoft Entra admin center and the Azure Active Directory (Azure AD) portal to manage Microsoft Support access requests (preview). Microsoft Support access requests enable you to [give Microsoft Support engineers access to identity diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft. +You can use the Microsoft Entra admin center and the Azure portal to manage Microsoft Support access requests (preview). Microsoft Support access requests enable you to [give Microsoft Support engineers access to identity diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft. ## Prerequisites Only certain Azure AD roles are authorized to manage Microsoft Support access re ## View support access requests -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Service Support Administrator](../roles/permissions-reference.md#service-support-administrator). ++1. Browse to **Learn & support** > **Diagnose and solve problems**. 1. Scroll to the bottom of the page and select **Approved access** from the **Microsoft Support Access Requests** section. |
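Review bot: the new step 1 states **Service Support Administrator** as the minimum role, but the prerequisite sentence in context only says "Only certain Azure AD roles are authorized to manage Microsoft Support access requests" without listing them, and the page's own description is that these requests give Microsoft Support engineers access to identity diagnostic data. Confirm that Service Support Administrator is the lowest role that can both view **Approved access** and approve a request, and list the authorized roles under Prerequisites so the "at least" claim is checkable; if viewing and approving need different roles, say which step needs which.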
active-directory | How To Manage User Profile Info | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-user-profile-info.md | -This article covers how to add user profile information, such as a profile picture and job-specific information. You can also choose to allow users to connect their LinkedIn accounts or restrict access to the Azure AD administration portal. Some settings may be managed in more than one area of Azure AD. For more information about adding new users, see [How to add or delete users in Azure Active Directory](./add-users.md). +This article covers how to add user profile information, such as a profile picture and job-specific information. You can also choose to allow users to connect their LinkedIn accounts or restrict access to the Microsoft Entra ID administration portal. Some settings may be managed in more than one area. For more information about adding new users, see [How to add or delete users in Azure Active Directory](./add-users.md). ## Add or change profile information [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -When new users are created, only some details are added to their user profile. If your organization needs more details, they can be added after the user is created. +When new users are created, only a few details are added to their user profile. If your organization needs more details, they can be added after the user is created. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). -1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization. +1. Browse to **Identity** > **Users** > **All users**. -1. Go to **Azure Active Directory** > **Users** and select a user. +1. Select a user. 1. There are two ways to edit user profile details. 
Either select **Edit properties** from the top of the page or select **Properties**. If you selected the **Properties tab option**: ![Screenshot the Properties tab, with the edit options highlighted.](media/how-to-manage-user-profile-info/user-profile-properties-single-page-view.png) ### Profile categories+ There are six categories of profile details you may be able to edit. - **Identity:** Add or update other identity values for the user, such as a married last name. You can set this name independently from the values of First name and Last name. For example, you could use it to include initials, a company name, or to change the sequence of names shown. If you have two users with the same name, such as ΓÇÿChris Green,ΓÇÖ you could use the Identity string to set their names to 'Chris B. Green' and 'Chris R. Green.' There are six categories of profile details you may be able to edit. - **On-premises:** Accounts synced from Windows Server Active Directory include other values not applicable to Azure AD accounts. -> [!Note] +> [!NOTE] > You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the changes. ### Add or edit the profile picture On the user's overview page, select the camera icon in the lower-right corner of All your changes are saved for the user. -> [!Note] +> [!NOTE] > If you're having issues updating a user's profile picture, please ensure that your Office 365 Exchange Online Enterprise App is Enabled for users to sign in. ## Manage settings for all users-In the **User settings** area of Azure AD, you can adjust several settings that affect all users. Some settings are managed in a separate area of Azure AD and linked from this page. These settings require the Global Administrator role. -Go to **Azure AD** > **User settings**. 
+In the **User settings** area, you can adjust several settings that affect all users. Some settings are managed in a separate area linked from this page. These settings require the Global Administrator role. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Browse to **Identity** > **Users** > **User settings**. [ ![Screenshot of the Azure AD user settings options.](media/how-to-manage-user-profile-info/user-settings.png) ](media/how-to-manage-user-profile-info/user-settings.png#lightbox) -The following settings can be managed from Azure AD **User settings**. +The following settings can be managed from **User settings**. - Allow users to register their own applications - Prevent non-admins from creating their own tenants The following settings can be managed from Azure AD **User settings**. - Guest users have the same access as members (most inclusive) - Guest users have limited access to properties and memberships of directory objects - Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)-- Restrict access to the Azure AD administration portal+- Restrict access to the Microsoft Entra ID administration portal - [Allow users to connect their work or school account with LinkedIn](../enterprise-users/linkedin-user-consent.md) - [Enable the "Stay signed in?" prompt](how-to-manage-stay-signed-in-prompt.md) - Manage external collaboration settings |
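Review bot: the renamed setting `+- Restrict access to the Microsoft Entra ID administration portal` (and the same phrase in the intro sentence) does not match the label the linked users-default-permissions article uses for the same switch, **Restrict access to Azure AD administration portal** (see that article's row in this same change set), so a reader following the link will look for a different name. Use the label the portal actually shows in both articles. Separately, the intro still links to "How to add or delete users in Azure Active Directory" while the rest of the sentence was de-branded; the link text should follow the same rename.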
active-directory | How To View Support Access Request Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-view-support-access-request-logs.md | To access the audit logs for a tenant, you must have one of the following roles: You can access a filtered view of audit logs for your tenant from the Microsoft Support access requests area. Select **Audit logs** from the side menu to view the audit logs with the category pre-selected. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Service Support Administrator](../roles/permissions-reference.md#service-support-administrator). ++1. Browse to **Learn & support** > **Diagnose and solve problems**. 1. Scroll to the bottom of the page and select **Manage pending requests** from the **Microsoft Support Access Requests** section. Activity logs for Microsoft Support access requests fall into two categories: us ### User-initiated activities -There are three user-initiated activities that you can see in your Azure AD audit logs. These are actions requested by administrators of your tenant. +There are three user-initiated activities that you can see in your audit logs. These are actions requested by administrators of your tenant. - Approval of a Microsoft Support access request - Rejection of a Microsoft Support access request |
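Review bot: the context line says "you must have one of the following roles" (a list) but the new step 1 names a single minimum, **Service Support Administrator**. If that role is not in the list, the step is wrong; if it is, say "or one of the roles listed above" so a reader who already holds one of the listed read-only roles is not sent to obtain a support-admin role for a read-only task of viewing audit logs.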
active-directory | Identity Secure Score | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/identity-secure-score.md | -#Customer intent: As an IT admin, I want understand the identity secure score, so that I can maximize the security posture of my tenant. -- # What is identity secure score? By following the improvement actions, you can: ## How do I get my secure score? -Identity secure score is available to free and paid customers. Organizations can access their identity secure score in the [Microsoft Entra admin center](https://entra.microsoft.com/) under **Protection** > **Identity Secure Score**. +Identity secure score is available to free and paid customers. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Protection** > **Identity Secure Score**. ## How does it work? -Every 48 hours, Azure looks at your security configuration and compares your settings with the recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your directory. ItΓÇÖs possible that your security configuration isnΓÇÖt fully aligned with the best practice guidance and the improvement actions are only partially met. In these scenarios, you're awarded a portion of the max score available for the control. +Every 48 hours, we look at your security configuration and compare your settings with the recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your directory. ItΓÇÖs possible that your security configuration isnΓÇÖt fully aligned with the best practice guidance and the improvement actions are only partially met. In these scenarios, you're awarded a portion of the max score available for the control. -Each recommendation is measured based on your Azure AD configuration. 
If you're using third-party products to enable a best practice recommendation, you can indicate this configuration in the settings of an improvement action. You may set recommendations to be ignored if they don't apply to your environment. An ignored recommendation doesn't contribute to the calculation of your score. +Each recommendation is measured based on your configuration. If you're using third-party products to enable a best practice recommendation, you can indicate this configuration in the settings of an improvement action. You may set recommendations to be ignored if they don't apply to your environment. An ignored recommendation doesn't contribute to the calculation of your score. ![Ignore or mark action as covered by third party](./media/identity-secure-score/identity-secure-score-ignore-or-third-party-reccomendations.png) With read-only access, you aren't able to edit status for an improvement action. * Helpdesk Administrator * User Administrator-* Service support Administrator +* Service Support Administrator * Security Reader * Security Operator * Global Reader |
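Review bot: step 1 names **Global Reader** as the minimum role, but the roles section below says "With read-only access, you aren't able to edit status for an improvement action", and the paragraph just before it tells the reader to mark actions as covered by a third-party product or to ignore them, which is an edit. State next to that paragraph which roles can change improvement-action status; otherwise a Global Reader follows the procedure and cannot complete it. Minor: `-Every 48 hours, Azure looks at` -> `+Every 48 hours, we look at` introduces an unnamed "we"; "Microsoft Entra evaluates" or similar avoids the ambiguity. The `-#Customer intent:` removal deletes the only statement of the article's audience; confirm that is intended.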
active-directory | License Users Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md | There are several Azure AD license plans: For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Azure AD premium license plans see [here](./get-started-premium.md). -Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory > Users >** select a user **> Properties > Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization. +Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in **Identity** > **Users** > **All users** > *select a user* > **Properties**. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant. ## View license plans and plan details You can view your available service plans, including the individual licenses, ch [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Directory Reader](../roles/permissions-reference.md#directory-readers). -1. 
Select **Azure Active Directory**, and then select **Licenses**. +1. Browse to **Identity** > **Billing** > **Licenses**. 1. Select **All products** to view the All Products page and to see the **Total**, **Assigned**, **Available**, and **Expiring soon** numbers for your license plans. Anyone who has a business need to use a licensed Azure AD service must have the ### To assign a license to a user -1. On the **Products** page, select the name of the license plan you want to assign to the user. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [License Administrator](../roles/permissions-reference.md#license-administrator). ++1. Browse to **Identity** > **Billing** > **Licenses**. ++1. Select the name of the license plan you want to assign to the user. 1. After you select the license plan, select **Assign**. Anyone who has a business need to use a licensed Azure AD service must have the The **Assign license** page updates to show that a user is selected and that the assignments are configured. > [!NOTE]- > Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in the **Azure Active Directory > Users > Profile > Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization. + > Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in **Identity** > **Users** > **All users** > *select a user* > **Properties**. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant. 1. 
Select **Assign**. Anyone who has a business need to use a licensed Azure AD service must have the ### To assign a license to a group -1. On the **Products** page, select the name of the license plan you want to assign to the user. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [License Administrator](../roles/permissions-reference.md#license-administrator). ++1. Browse to **Identity** > **Billing** > **Licenses**. ++1. Select the name of the license plan you want to assign to the group. ![Products blade, with highlighted product license plan](media/license-users-groups/license-products-blade-with-product-highlight.png) -1. On the **Azure Active Directory Premium Plan 2** page, select **Assign**. +1. On the **Product** page, select **Assign**. ![Products page, with highlighted Assign option](media/license-users-groups/license-products-blade-with-assign-option-highlight.png) You can remove a license from a user's Azure AD user page, from the group overvi ### To remove a license from a user -1. On the **Licensed users** page for the service plan, select the user that should no longer have the license. For example, _Alain Charon_. +1. On the **Licensed users** page for the service plan, select the user that should no longer have the license. For example, *Alain Charon*. 1. Select **Remove license**. |
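Review bot: the viewing procedure lowers the stated role from `-... using a License administrator account` to `+... as at least a [Directory Reader]`, while the assign procedures use **License Administrator**. Lowering is correct for least privilege only if Directory Readers can actually open **Identity** > **Billing** > **Licenses** and see the **Total**, **Assigned**, **Available** and **Expiring soon** counts; confirm that before publishing, since a reader holding only Directory Readers will otherwise hit an authorization error at step 2. The **Usage location** note is now repeated verbatim in the group section and in the per-user **Assign license** note; one copy with a cross-reference is easier to keep in sync.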
active-directory | Properties Area | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/properties-area.md | Title: Add your organization's privacy info -description: Instructions about how to add your organization's privacy info to the Azure Active Directory Properties area. +description: Add your organization's privacy info, privacy contact, and technical contact to your directory. +# Add your organization's privacy info to Microsoft Entra -# Add your organization's privacy info using Azure Active Directory -This article explains how a tenant admin can add privacy-related info to an organization's Azure Active Directory (Azure AD) tenant, through the Azure portal. +This article explains how an administrator can add privacy-related info to an organization's directory, through the Microsoft Entra admin center. We strongly recommend you add both your global privacy contact and your organization's privacy statement, so your internal employees and external guests can review your policies. Because privacy statements are uniquely created and tailored for each business, we strongly recommend you contact a lawyer for assistance. [!INCLUDE [GDPR-related guidance](../../../includes/gdpr-dsr-and-stp-note.md)] -## Add your privacy info on Azure AD -You add your organization's privacy information in the **Properties** area of Azure AD. +## Add your privacy info -### To access the Properties area and add your privacy information +Your privacy and technical information is located in the **Properties** area. +### To access the properties area and add your privacy information -1. Sign in to the [Azure portal](https://portal.azure.com) as a tenant administrator. -2. On the left navbar, select **Azure Active Directory**, and then select **Properties**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 
- The **Properties** area appears. +1. Browse to **Identity** > **Properties**. - :::image type="content" source="media/properties-area/properties-area.png" alt-text="Screenshot showing the properties area highlighting the privacy info area."::: + :::image type="content" source="media/properties-area/properties-area.png" alt-text="Screenshot showing the properties area highlighting the privacy info area."::: -3. Add your privacy info for your employees: +1. Add your privacy info for your users: - - **Technical contact.** Type the email address for the person to contact for technical support within your organization. + - **Technical contact.** Type the email address for the person to contact for technical support within your organization. - - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services. If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications, see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions) + - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services. If there's no person listed here, Microsoft contacts your Global Administrators. For Microsoft 365 related privacy incident notifications, see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions) - - **Privacy statement URL.** Type the link to your organization's document that describes how your organization handles both internal and external guest's data privacy. 
+ - **Privacy statement URL.** Type the link to your organization's document that describes how your organization handles both internal and external guest's data privacy. - >[!Important] - >If you don't include either your own privacy statement or your privacy contact, your external guests will see text in the **Review Permissions** box that says, **<_your org name_> has not provided links to their terms for you to review**. For example, a guest user will see this message when they receive an invitation to access an organization through B2B collaboration. + > [!IMPORTANT] + > If you don't include either your own privacy statement or your privacy contact, your external guests will see text in the **Review Permissions** box that says, **<_your org name_> has not provided links to their terms for you to review**. For example, a guest user will see this message when they receive an invitation to access an organization through B2B collaboration. - :::image type="content" source="media/properties-area/no-privacy-statement-or-contact.png" alt-text="Screenshot showing the B2B Collaboration Review Permissions box with message."::: + :::image type="content" source="media/properties-area/no-privacy-statement-or-contact.png" alt-text="Screenshot showing the B2B Collaboration Review Permissions box with message."::: -4. Select **Save**. +1. Select **Save**. ## Next steps - [Azure Active Directory B2B collaboration invitation redemption](../external-identities/redemption-experience.md) |
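Review bot: the rename is incomplete inside the same hunk: the title becomes "Add your organization's privacy info to Microsoft Entra" but the **Global privacy contact** bullet still reads "if there's a data breach related to Azure Active Directory services". That bullet is also the security-relevant one: it is the address Microsoft uses for breach notification, and the fallback is "Microsoft contacts your Global Administrators". Suggest adding that this contact should be a monitored, role-based mailbox rather than one person's address, and that the fallback to Global Administrators is a reason not to leave it blank; as written the bullet reads as optional metadata rather than an incident-notification channel.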
active-directory | Security Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-defaults.md | To configure security defaults in your directory, you must be assigned at least To enable security defaults: -1. Sign in to theΓÇ»[Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse toΓÇ»**Identity**ΓÇ»> **Overview** > **Properties**. 1. Select **Manage security defaults**. 1. Set **Security defaults** to **Enabled**. Organizations that choose to implement Conditional Access policies that replace To disable security defaults in your directory: -1. Sign in to theΓÇ»[Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse toΓÇ»**Identity**ΓÇ»>ΓÇ»**Overview** > **Properties**. 1. Select **Manage security defaults**. 1. Set **Security defaults** to **Disabled (not recommended)**. |
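Review bot: both sign-in steps now say "as a [Global Administrator]" while the unchanged sentence just above them says "To configure security defaults in your directory, you must be assigned at least" a role (cut off here). If that minimum is a lesser role, the steps overstate the privilege needed and push admins toward using Global Administrator for routine work; make the step say "as at least a <that role>" so it matches the prerequisite. The disable path is also where a reader expects a reminder that replacement Conditional Access policies must already be in place; the context line "Organizations that choose to implement Conditional Access policies that replace" suggests the article covers this, so a short pointer from the **Disabled (not recommended)** step would help.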
active-directory | Users Assign Role Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-assign-role-azure-portal.md | -The ability to manage Azure resources is granted by assigning roles that provide the required permissions. Roles can be assigned to individual users or groups. To align with the [Zero Trust guiding principles](../../security/fundamentals/zero-trust.md), use Just-In-Time and Just-Enough-Access policies when assigning roles. +The ability to manage resources is granted by assigning roles that provide the required permissions. Roles can be assigned to individual users or groups. To align with the [Zero Trust guiding principles](../../security/fundamentals/zero-trust.md), use Just-In-Time and Just-Enough-Access policies when assigning roles. Before assigning roles to users, review the following Microsoft Learn articles: There are two main steps to the role assignment process. First you'll select the [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com) using the Privileged Role Administrator role for the directory. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Go to **Azure Active Directory** > **Users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Search for and select the user getting the role assignment. You can assign roles as either _eligible_ or _active_. Eligible roles are assign You can change the settings of a role assignment, for example to change an active role to eligible. -1. Go to **Azure Active Directory** > **Users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Search for and select the user getting their role updated. 
You can change the settings of a role assignment, for example to change an activ You can remove role assignments from the **Administrative roles** page for a selected user. -1. Go to **Azure Active Directory** > **Users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Search for and select the user getting the role assignment removed. |
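Review bot: `-The ability to manage Azure resources is granted...` -> `+The ability to manage resources is granted...` removes the one word that said which kind of role this article assigns, and the replacement is ambiguous in the other direction. The procedure goes through **Users** and the **Administrative roles** page and distinguishes _eligible_ from _active_ assignments, so it is about Microsoft Entra directory roles, not Azure RBAC on subscriptions and resources; say "directory roles" explicitly, since confusing the two is a common source of over-privileged assignments. The Zero Trust sentence (Just-In-Time, Just-Enough-Access) is the only motivation given for eligible assignments before the steps; consider tying the **eligible** vs **active** note back to it.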
active-directory | Users Default Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-default-permissions.md | You can restrict default permissions for member users in the following ways: | - | | | **Register applications** | Setting this option to **No** prevents users from creating application registrations. You can then grant the ability back to specific individuals, by adding them to the application developer role. | | **Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md). |-| **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). | -| **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). | +| **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global Administrators and User Administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). | +| **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. 
Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global Administrators and User Administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). | | **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It doesn't restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It doesn't restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this option to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management that blocks non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management targets access to all Azure management. | | **Restrict non-admin users from creating tenants** | Users can create tenants in the Azure AD and Entra administration portal under Manage tenant. 
The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations. </p><p></p><p>**What does this switch do?** <br> Setting this option to **Yes** restricts creation of Azure AD tenants to the Global Administrator or tenant creator roles. Setting this option to **No** allows non-admin users to create Azure AD tenants. Tenant create will continue to be recorded in the Audit log. </p><p></p><p>**How do I grant only a specific non-administrator users the ability to create new tenants?** <br> Set this option to Yes, then assign them the tenant creator role.|-| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Azure AD and Entral portal in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). | +| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Azure AD and Entra portal in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). | | **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. 
This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. | The **Restrict non-admin users from creating tenants** option is shown [below](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/UserSettings) Permission | Setting explanation When a user registers an application, they're automatically added as an owner for the application. As an owner, they can manage the metadata of the application, such as the name and permissions that the app requests. They can also manage the tenant-specific configuration of the application, such as the single sign-on (SSO) configuration and user assignments. -An owner can also add or remove other owners. Unlike global administrators, owners can manage only the applications that they own. +An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the applications that they own. ### Enterprise application owner permissions When a user adds a new enterprise application, they're automatically added as an owner. As an owner, they can manage the tenant-specific configuration of the application, such as the SSO configuration, provisioning, and user assignments. -An owner can also add or remove other owners. Unlike global administrators, owners can manage only the applications that they own. +An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the applications that they own. ### Group owner permissions When a user creates a group, they're automatically added as an owner for that group. As an owner, they can manage properties of the group (such as the name) and manage group membership. -An owner can also add or remove other owners. Unlike global administrators and user administrators, owners can manage only the groups that they own. +An owner can also add or remove other owners. 
Unlike Global Administrators and User Administrators, owners can manage only the groups that they own. To assign a group owner, see [Managing owners for a group](./how-to-manage-groups.md). Users can perform the following actions on owned devices: Users can perform the following actions on owned groups. > [!NOTE]-> Owners of dynamic groups must have a global administrator, group administrator, Intune administrator, or user administrator role to edit group membership rules. For more information, see [Create or update a dynamic group in Azure Active Directory](../enterprise-users/groups-create-rule.md). +> Owners of dynamic groups must have a Global Administrator, Group Administrator, Intune Administrator, or User Administrator role to edit group membership rules. For more information, see [Create or update a dynamic group in Azure Active Directory](../enterprise-users/groups-create-rule.md). | **Action** | **Description** | | | | |
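Review bot: the role-name capitalization in this hunk is applied inconsistently. `Global Administrators and User Administrators` is recased, but `assign them a role like global reader` and `the tenant creator role` in the same table stay lowercase. Apply the same casing (`Global Reader`, `Tenant Creator`) so the table matches the permissions-reference naming this sweep is aligning to. While here, `How do I grant only a specific non-administrator users` (it appears twice) should read `specific non-administrator users`, and `Tenant create will continue to be recorded in the Audit log` should read `Tenant creation will continue to be recorded`.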
active-directory | Users Reset Password Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-reset-password-azure-portal.md | -# Reset a user's password using Azure Active Directory +# Reset a user's password -Azure Active Directory (Azure AD) administrators can reset a user's password if the password is forgotten, if the user gets locked out of a device, or if the user never received a password. +Administrators can reset a user's password if the password is forgotten, if the user gets locked out of a device, or if the user never received a password. ->[!Note] ->Unless your Azure AD tenant is the home directory for a user, you won't be able reset their password. This means that if your user is signing in to your organization using an account from another organization, a Microsoft account, or a Google account, you won't be able to reset their password. +> [!NOTE] +> If you're not an administrator and you need instructions on how to reset your own work or school password, see [Reset your work or school password](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e). >->If your user has a source of authority as Windows Server Active Directory, you'll only be able to reset the password if you've turned on password writeback and the user domain is managed. Changing the user password from Azure Active Directory for federated domains is not supported. In this case, you should change the user password in the on-premises Active Directory.<br><br>If your user has a source of authority as External Azure AD, you won't be able to reset the password. Only the user, or an administrator in External Azure AD, can reset the password. 
-->[!Note] ->If you're not an administrator and you need instructions on how to reset your own work or school password, see [Reset your work or school password](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e). +> Unless your tenant is the home directory for a user, you won't be able reset their password. This means that if your user is signing in to your organization using an account from another organization, a Microsoft account, or a Google account, you won't be able to reset their password. +> +> If your user has a source of authority as Windows Server Active Directory, you'll only be able to reset the password if you've turned on password writeback and the user domain is managed. Changing the user password for federated domains is not supported. In this case, you should change the user password in the on-premises Active Directory. +> +> If your user has a source of authority as External Azure AD, you won't be able to reset the password. Only the user, or an administrator in that tenant, can reset the password. ## To reset a password [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator, or password administrator. For more information about the available roles, see [Azure AD built-in roles](../roles/permissions-reference.md) +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Password Administrator](../roles/permissions-reference.md#password-administrator). ++1. Browse to **Identity** > **Users** > **All users**. -2. Select **Azure Active Directory**, select **Users**, search for and select the user that needs the reset, and then select **Reset Password**. +1. Select the user that needs the reset, then select **Reset Password**. The **Alain Charon - Profile** page appears with the **Reset password** option. 
![User's profile page, with Reset password option highlighted](media/users-reset-password-azure-portal/user-profile-reset-password-link.png) -3. In the **Reset password** page, select **Reset password**. +1. In the **Reset password** page, select **Reset password**. - > [!Note] + > [!NOTE] > When using Azure Active Directory, a temporary password is auto-generated for the user. When using Active Directory on-premises, you create the password for the user. -4. Copy the password and give it to the user. The user will be required to change the password during the next sign-in process. +1. Copy the password and give it to the user. The user will be required to change the password during the next sign-in process. - >[!Note] - >The temporary password never expires. The next time the user signs in, the password will still work, regardless how much time has passed since the temporary password was generated. + > [!NOTE] + > The temporary password never expires. The next time the user signs in, the password will still work, regardless how much time has passed since the temporary password was generated. > [!IMPORTANT] > If an administrator is unable to reset the user's password, and the Application Event Logs on the Azure AD Connect server has error code hr=80231367, review the user's attributes in Active Directory. If the attribute **AdminCount** is set to 1, this will prevent an administrator from resetting the user's password. The attribute **AdminCount** must be set to 0, in order for an administrators to reset the user's password. - ## Next steps After you've reset your user's password, you can perform the following basic processes: |
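Review bot: the relocated note carries the original typo forward: `> Unless your tenant is the home directory for a user, you won't be able reset their password.` is missing "to" ("be able to reset"); fix it in the `+` line since the sentence is being rewritten anyway. The new step 1 (`as at least a [Password Administrator]`) also drops the previous pointer to the roles reference; the old text listed User Administrator as an alternative, and because the roles differ in whose passwords they may reset, keep a link to the roles list so an operator can check the scope before being surprised by a failed reset. The unchanged IMPORTANT block reads `in order for an administrators to reset`, which should be `an administrator`.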
active-directory | Users Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-restore.md | -# Restore or remove a recently deleted user using Azure Active Directory +# Restore or remove a recently deleted user After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped. During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios. -You can view your restorable users, restore a deleted user, or permanently delete a user using Azure Active Directory (Azure AD) in the Azure portal. +You can view your restorable users, restore a deleted user, or permanently delete a user using the Microsoft Entra admin center. ->[!Important] ->Neither you nor Microsoft customer support can restore a permanently deleted user. +> [!IMPORTANT] +> Neither you nor Microsoft customer support can restore a permanently deleted user. ## Required permissions You must have one of the following roles to restore and permanently delete users. -- Global administrator-+- Global Administrator - Partner Tier1 Support- - Partner Tier2 Support--- User administrator+- User Administrator ## View your restorable users You can see all the users that were deleted less than 30 days ago. These users c [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the organization. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). -2. 
Select **Azure Active Directory**, select **Users**, and then select **Deleted users**. +1. Browse to **Identity** > **Users** > **Deleted users**. Review the list of users that are available to restore. When a user account is deleted from the organization, the account is in a suspen ### To restore a user -1. On the **Users - Deleted users** page, search for and select one of the available users. For example, _Mary Parker_. +1. On the **Deleted users** page, search for and select one of the available users. For example, _Mary Parker_. 2. Select **Restore user**. You can permanently delete a user from your organization without waiting the 30 ### To permanently delete a user -1. On the **Users - Deleted users** page, search for and select one of the available users. For example, _Rae Huff_. +1. On the **Deleted users** page, search for and select one of the available users. For example, _Rae Huff_. 2. Select **Delete permanently**. |
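Review bot: the sign-in step now says `as at least a [User Administrator]`, but the **Required permissions** list directly above it names four roles (Global Administrator, Partner Tier1 Support, Partner Tier2 Support, User Administrator) with no ordering, so "at least" is ambiguous. Either state that User Administrator is the least-privileged role that can restore and permanently delete users, or reword to "as one of the roles listed under Required permissions". Separately, the unchanged sentence `During this time, the management of soft-deleted users is blocked` has an unclear antecedent; say explicitly that it refers to the permanent-deletion window after the 30 days, since that is the point at which an operator can no longer intervene.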
active-directory | Whatis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whatis.md | To better understand Azure AD and its documentation, we recommend reviewing the |Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).| |Service Administrator|This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).| |Owner|This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|-|Azure AD Global administrator|This administrator role is automatically assigned to whomever created the Azure AD tenant. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. For more information about the various administrator roles, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).| +|Azure AD Global Administrator|This administrator role is automatically assigned to whomever created the Azure AD tenant. 
You can have multiple Global Administrators, but only Global Administrators can assign administrator roles (including assigning other Global Administrators) to users. For more information about the various administrator roles, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).| |Azure subscription| Used to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card.| |Azure tenant| A dedicated and trusted instance of Azure AD. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.| |Single tenant| Azure tenants that access other services in a dedicated environment are considered single tenant.| |
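Review bot: the `+` row only recases the sentence `only Global Administrators can assign administrator roles (including assigning other Global Administrators)` and keeps the claim. That claim is contradicted elsewhere in this same batch, where the Whats New Archive entry refers to elevating to "Global Administrator or Privileged Role Administrator"; Privileged Role Administrator can assign directory roles. Since the sentence is being edited, correct it to name Privileged Role Administrator as well (or point to the roles reference) rather than reinforcing an inaccurate statement that hides a privileged role from anyone auditing who can grant admin rights.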
active-directory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md | When setting up federation with a partner's IdP, new guest users from that domai -Groups Administrators assigned over the scope of an administrative unit can now create groups within the administrative unit. This enables scoped group administrators to create groups that they can manage directly, without needing to elevate to Global Administrator or Privileged Role Administrator. For more information, see: [Administrative units in Azure Active Directory](../roles/administrative-units.md). +Groups Administrators assigned over the scope of an administrative unit can now create groups within the administrative unit. This enables scoped Group Administrators to create groups that they can manage directly, without needing to elevate to Global Administrator or Privileged Role Administrator. For more information, see: [Administrative units in Azure Active Directory](../roles/administrative-units.md). |
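Review bot: the `+` line is internally inconsistent: it opens with `Groups Administrators assigned over the scope` and later says `scoped Group Administrators`. The built-in role is named "Groups Administrator" in the roles reference this sweep is aligning to, so use that form in both places.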
active-directory | Entitlement Management Ticketed Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-ticketed-provisioning.md | Prerequisite roles: Global administrator, Identity Governance administrator, or To add a Logic App workflow to an existing catalog, you use an ARM template for the Logic App creation here: -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Figaelmprodportalhosting.blob.core.windows.net%2Farm-deployment-template%2FLogicAppServiceNowIntegration.json ). +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Figaelmprodportalhosting.blob.core.windows.net%2Farm-deployment-template%2FLogicAppServiceNowIntegration.json). :::image type="content" source="media/entitlement-management-servicenow-integration/logic-app-arm-template.png" alt-text="Screenshot of Logic App ARM template." lightbox="media/entitlement-management-servicenow-integration/logic-app-arm-template.png"::: |
active-directory | How To Lifecycle Workflow Sync Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md | To ensure timing accuracy of scheduled workflows itΓÇÖs crucial to consider: ## Create a custom sync rule in Azure AD Connect cloud sync for EmployeeHireDate The following steps will guide you through creating a synchronization rule using cloud sync.- 1. In the Azure portal, select **Azure Active Directory**. - 2. Select **Azure AD Connect**. - 3. Select **Manage cloud sync**. - 4. Under **Configuration**, select your configuration. - 5. Select **Click to edit mappings**. This link opens the **Attribute mappings** screen. - 6. Select **Add attribute**. - 7. Fill in the following information: + 1. In the Microsoft Entra admin center, browse to > **Hybrid management** > **Azure AD Connect**. + 2. Select **Manage Azure AD cloud sync**. + 3. Under **Configuration**, select your configuration. + 4. Select **Click to edit mappings**. This link opens the **Attribute mappings** screen. + 5. Select **Add attribute**. + 6. Fill in the following information: - Mapping Type: Direct - Source attribute: extensionAttribute1 - Default value: Leave blank - Target attribute: employeeHireDate - Apply this mapping: Always- 8. Select **Apply**. - 9. Back on the **Attribute mappings** screen, you should see your new attribute mapping. - 10. Select **Save schema**. + 7. Select **Apply**. + 8. Back on the **Attribute mappings** screen, you should see your new attribute mapping. + 9. Select **Save schema**. For more information on attributes, see [Attribute mapping in Azure AD Connect cloud sync.](../hybrid/cloud-sync/how-to-attribute-mapping.md) |
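Review bot: the new step 1 reads `browse to > **Hybrid management** > **Azure AD Connect**`, with a stray `>` and no first segment. The other pages in this batch use the form `Browse to **Identity** > ...`, so this should be `browse to **Identity** > **Hybrid management** > **Azure AD Connect**`. The renumbering of the remaining steps after merging the old steps 1 and 2 is fine.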
active-directory | How To Connect Adconnectivitytools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-adconnectivitytools.md | The ADConnectivity tool is a PowerShell module that is used in one of the follow - During installation, when a network connectivity problem prevents the successful validation of the Active Directory credentials. - Post installation by a user who calls the functions from a PowerShell session. -The tool is located in: **C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ ADConnectivityTool.psm1** +The tool is located in: **C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ADConnectivityTool.psm1**. ## ADConnectivityTool during installation |
active-directory | How To Connect Modify Group Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-modify-group-writeback.md | If the original version of group writeback is already enabled and in use in your To configure directory settings to disable automatic writeback of newly created Microsoft 365 groups, use one of these methods: -- PowerShell: Use the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). For example: +- PowerShell: Use the [Microsoft Graph Beta PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). For example: ```PowerShell - # Import Module - Import-Module Microsoft.Graph.Identity.DirectoryManagement -- #Connect to MgGraph with necessary scope and select the Beta API Version - Connect-MgGraph -Scopes Directory.ReadWrite.All - Select-MgProfile -Name beta -- # Verify if "Group.Unified" directory settings exist - $DirectorySetting = Get-MgDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"} -- # If "Group.Unified" directory settings exist, update the value for new unified group writeback default - if ($DirectorySetting) { - $DirectorySetting.Values | ForEach-Object { - if ($_.Name -eq "NewUnifiedGroupWritebackDefault") { - $_.Value = "false" - } - } - Update-MgDirectorySetting -DirectorySettingId $DirectorySetting.Id -BodyParameter $DirectorySetting - } - else - { - # In case the directory setting doesn't exist, create a new "Group.Unified" directory setting - # Import "Group.Unified" template values to a hashtable - $Template = Get-MgDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"} - $TemplateValues = @{} - $Template.Values | ForEach-Object { - $TemplateValues.Add($_.Name, $_.DefaultValue) + # Import Module + Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement + + #Connect to MgGraph with necessary scope 
+ Connect-MgGraph -Scopes Directory.ReadWrite.All + + + # Verify if "Group.Unified" directory settings exist + $DirectorySetting = Get-MgBetaDirectorySetting| Where-Object {$_.DisplayName -eq "Group.Unified"} + + # If "Group.Unified" directory settings exist, update the value for new unified group writeback default + if ($DirectorySetting) + { + $params = @{ + Values = @( + @{ + Name = "NewUnifiedGroupWritebackDefault" + Value = $false + } + ) + } + Update-MgBetaDirectorySetting -DirectorySettingId $DirectorySetting.Id -BodyParameter $params }-- # Update the value for new unified group writeback default - $TemplateValues["NewUnifiedGroupWritebackDefault"] = "false" + else + { + # In case the directory setting doesn't exist, create a new "Group.Unified" directory setting + # Import "Group.Unified" template values to a hashtable + $Template = Get-MgBetaDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"} + $TemplateValues = @{} + $Template.Values | ForEach-Object { + $TemplateValues.Add($_.Name, $_.DefaultValue) + } - # Create a directory setting using the Template values hashtable including the updated value - $params = @{} - $params.Add("TemplateId", $Template.Id) - $params.Add("Values", @()) - $TemplateValues.Keys | ForEach-Object { - $params.Values += @(@{Name = $_; Value = $TemplateValues[$_]}) + # Update the value for new unified group writeback default + $TemplateValues["NewUnifiedGroupWritebackDefault"] = $false + + # Create a directory setting using the Template values hashtable including the updated value + $params = @{} + $params.Add("TemplateId", $Template.Id) + $params.Add("Values", @()) + $TemplateValues.Keys | ForEach-Object { + $params.Values += @(@{Name = $_; Value = $TemplateValues[$_]}) + } + New-MgBetaDirectorySetting -BodyParameter $params }- New-MgDirectorySetting -BodyParameter $params - } ``` > [!NOTE] To configure directory settings to disable automatic writeback of newly created To disable writeback of all Microsoft 
365 groups that were created before these modifications, use one of the following methods: - Portal: Use the [Microsoft Entra admin portal](../../enterprise-users/groups-write-back-portal.md).-- PowerShell: Use the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). For example: +- PowerShell: Use the [Microsoft Graph Beta PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). For example: ```PowerShell #Import-module- Import-module Microsoft.Graph -- #Connect to MgGraph with necessary scope and select the Beta API Version + Import-Module Microsoft.Graph.Beta + + #Connect to MgGraph with necessary scope Connect-MgGraph -Scopes Group.ReadWrite.All- Select-MgProfile -Name beta -+ #List all Microsoft 365 Groups- $Groups = Get-MgGroup -All | Where-Object {$_.GroupTypes -like "*unified*"} -+ $Groups = Get-MgBetaGroup -All | Where-Object {$_.GroupTypes -like "*unified*"} + #Disable Microsoft 365 Groups Foreach ($group in $Groups) {- Update-MgGroup -GroupId $group.id -WritebackConfiguration @{isEnabled=$false} + Update-MgBetaGroup -GroupId $group.id -WritebackConfiguration @{isEnabled=$false} } ``` |
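Review bot: in the first script, `Value = $false` and `$TemplateValues["NewUnifiedGroupWritebackDefault"] = $false` replace the string `"false"` used by the original with a PowerShell boolean. The values loaded from the template into `$TemplateValues` are strings, so this mixes a boolean into the same value set sent through `Update-MgBetaDirectorySetting` / `New-MgBetaDirectorySetting`; keep `"false"` as a string unless the boolean form has been verified against the beta endpoint, otherwise a type mismatch on the request is likely. Two smaller points: the update branch now sends only the single changed entry in `Values`, which is a partial update and deserves a comment so readers do not expect the rest of the settings to be rewritten from the template; and in the second script `Import-Module Microsoft.Graph.Beta` loads the entire beta module set when `Microsoft.Graph.Beta.Groups` is all the loop needs, while the `Foreach ($group in $Groups)` loop disables writeback for every unified group in the tenant with no confirmation, so suggest a dry run that only lists `$Groups` (or a narrowed filter) before the live pass.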
active-directory | How To Connect Staged Rollout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-staged-rollout.md | For an overview of the feature, view this "Azure Active Directory: What is Stage For both options, we recommend enabling single sign-on (SSO) to achieve a silent sign-in experience. For Windows 7 or 8.1 domain-joined devices, we recommend using seamless SSO. For more information, see [What is seamless SSO](how-to-connect-sso.md). - For Windows 10, Windows Server 2016 and later versions, itΓÇÖs recommended to use SSO via [Primary Refresh Token (PRT)](../../devices/concept-primary-refresh-token.md) with [Azure AD joined devices](../../devices/concept-directory-join.md), [hybrid Azure AD joined devices](../../devices/concept-hybrid-join.md) or [personal registered devices](../../devices/concept-device-registration.md) via Add Work or School Account. + For Windows 10, Windows Server 2016 and later versions, it's recommended to use SSO via [Primary Refresh Token (PRT)](../../devices/concept-primary-refresh-token.md) with [Azure AD joined devices](../../devices/concept-directory-join.md), [hybrid Azure AD joined devices](../../devices/concept-hybrid-join.md) or [personal registered devices](../../devices/concept-device-registration.md) via Add Work or School Account. - You have configured all the appropriate tenant-branding and Conditional Access policies you need for users who are being migrated to cloud authentication. The following scenarios are supported for Staged Rollout. The feature works only - Group size is currently limited to 50,000 users. If you have groups that are larger than 50,000 users, it is recommended to split this group over multiple groups for Staged Rollout. 
-- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition without line-of-sight to the federation server for Windows 10 version 1903 and newer, when userΓÇÖs UPN is routable and domain suffix is verified in Azure AD.+- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition without line-of-sight to the federation server for Windows 10 version 1903 and newer, when user's UPN is routable and domain suffix is verified in Azure AD. - Autopilot enrollment is supported in Staged Rollout with Windows 10 version 1909 or later. The following scenarios are not supported for Staged Rollout: - Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for Windows 10 version older than 1903. This scenario will fall back to the WS-Trust endpoint of the federation server, even if the user signing in is in scope of Staged Rollout. -- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for all versions, when userΓÇÖs on-premises UPN is not routable. This scenario will fall back to the WS-Trust endpoint while in Staged Rollout mode, but will stop working when staged migration is complete and user sign-on is no longer relying on federation server.+- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for all versions, when user's on-premises UPN is not routable. This scenario will fall back to the WS-Trust endpoint while in Staged Rollout mode, but will stop working when staged migration is complete and user sign-on is no longer relying on federation server. - If you have a non-persistent VDI setup with Windows 10, version 1903 or later, you must remain on a federated domain. Moving to a managed domain isn't supported on non-persistent VDI. For more information, see [Device identity and desktop virtualization](../../devices/howto-device-identity-virtual-desktop-infrastructure.md). A: No, this feature is designed for testing cloud authentication. After successf A: Yes. 
To learn how to use PowerShell to perform Staged Rollout, see [Azure AD Preview](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#staged_rollout). ## Next steps-- [Azure AD 2.0 preview](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#staged_rollout )+- [Azure AD 2.0 preview](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#staged_rollout) - [Change the sign-in method to password hash synchronization](./migrate-from-federation-to-cloud-authentication.md) - [Change sign-in method to pass-through authentication](./migrate-from-federation-to-cloud-authentication.md) - [Staged Rollout interactive guide](https://mslearn.cloudguides.com/en-us/guides/Test%20migration%20to%20cloud%20authentication%20using%20staged%20rollout%20in%20Azure%20AD) |
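Review bot: the mojibake fix (`ΓÇÖ` to `'`) is correct; only three occurrences are in this hunk, so check the rest of the page for the same sequence. In the unchanged **Next steps** list, `Change the sign-in method to password hash synchronization` and `Change sign-in method to pass-through authentication` both link to `./migrate-from-federation-to-cloud-authentication.md` with no anchor, so the two entries are indistinguishable; either add section anchors or merge them into one entry.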
active-directory | Custom Security Attributes Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/custom-security-attributes-apps.md | Learn how to work with custom attributes for applications in Azure AD. Undertake the following steps to assign custom security attributes through the Microsoft Entra admin center. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Find and select the application you want to add a custom security attribute to. Undertake the following steps to assign custom security attributes through the M ### Update custom security attribute assignment values for an application -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Find and select the application that has a custom security attribute assignment value you want to update. Undertake the following steps to assign custom security attributes through the M You can filter the list of custom security attributes assigned to applications on the **All applications** page. -1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader). 1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Select **Add filters** to open the Pick a field pane. |
active-directory | Datawiza Sso Mfa Oracle Ebs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-mfa-oracle-ebs.md | To complete the steps in this article, you need: * An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/). * An Azure AD tenant linked to the Azure subscription.-* An account with Azure AD Application Administrator permissions. For more information, see [Azure AD built-in roles](../roles/permissions-reference.md). +* A [Global Administrator](../roles/permissions-reference.md#global-administrator) role. * Docker and Docker Compose, to run DAP. For more information, see [Get Docker](https://docs.docker.com/get-docker/) and [Docker Compose Overview](https://docs.docker.com/compose/install/). * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory. For more information, see [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md). * An Oracle EBS environment. Configuration on the management console is complete. You're prompted to deploy D [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To provide more security for sign-ins, you can enable Multi-Factor Authentication in the Azure portal: --1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator. -2. Select **Azure Active Directory** > **Manage** > **Properties**. -3. Under **Properties**, select **Manage security defaults**. -- [![Screenshot of selections for managing security defaults.](./media/datawiza-sso-mfa-oracle-ebs/manage-security-defaults.png)](./media/datawiza-sso-mfa-oracle-ebs/manage-security-defaults.png#lightbox) --4. Under **Enable security defaults**, select **Yes**. 
-- [![Screenshot of selections for enabling security defaults.](./media/datawiza-sso-mfa-oracle-ebs/enable-security-defaults.png)](./media/datawiza-sso-mfa-oracle-ebs/enable-security-defaults.png#lightbox) +To provide more security for sign-ins, you can enable Multi-Factor Authentication in the Microsoft Entra admin center: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +2. Browse to **Identity** > **Overview** > **Properties** tab. +3. Under **Security defaults**, select **Manage security defaults**. +4. On the **Security defaults** pane, toggle the dropdown menu to select **Enabled**. 5. Select **Save**. ## Next steps |
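Review bot: the prerequisite hunk raises the required role from Application Administrator to Global Administrator for the whole article, yet the only step visible in this diff that actually calls for Global Administrator is the security-defaults change in the MFA section, which the hunk already labels with `as a [Global Administrator](../roles/permissions-reference.md#global-administrator)`; consider keeping the lower role as the base prerequisite and naming Global Administrator only on that step, so the article does not steer readers toward an over-privileged account for the Datawiza integration itself.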
active-directory | Datawiza Sso Oracle Jde | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-oracle-jde.md | Ensure the following prerequisites are met. * Go to docs.docker.com to [Get Docker](https://docs.docker.com/get-docker) and [Install Docker Compose](https://docs.docker.com/compose/install) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)-* An account with Azure AD and the Application administrator role - * See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles) +* An account with Azure AD and a global administrator role. See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles) * An Oracle JDE environment-* (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing. +* (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing ## Getting started with DAB To provide more security for sign-ins, you can enforce MFA for user sign-in. See, [Tutorial: Secure user sign-in events with Azure AD MFA](../authentication/tutorial-enable-azure-mfa.md). -1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator. -2. Select **Azure Active Directory** > **Manage** > **Properties**. -3. Under **Properties**, select **Manage security defaults**. -4. Under **Enable Security defaults**, select **Yes**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +2. Browse to **Identity** > **Overview** > **Properties** tab. +3. 
Under **Security defaults**, select **Manage security defaults**. +4. On the **Security defaults** pane, toggle the dropdown menu to select **Enabled**. 5. Select **Save**. ## Enable SSO in the Oracle JDE EnterpriseOne Console |
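Review bot: the new prerequisite `+* An account with Azure AD and a global administrator role.` writes the role in lowercase and without a link, while the sign-in step in the same change uses the linked form `[Global Administrator](../roles/permissions-reference.md#global-administrator)`; use the linked, capitalized role name in both places. As in the companion Oracle EBS article in this change set, the requirement is also raised from Application administrator to Global Administrator for the whole article although the only Global Administrator step visible here is the security-defaults change; state the least-privileged role for the integration steps and Global Administrator only where that step needs it.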
active-directory | F5 Big Ip Ldap Header Easybutton | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md | In this article, you can learn to secure header and LDAP-based applications usin * Improved governance: See, [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) and learn more about Azure AD pre-authentication * See also, [What is Conditional Access?](../conditional-access/overview.md) to learn about how it helps enforce organizational policies * Full single sign-on (SSO) between Azure AD and BIG-IP published services-* Manage identities and access from one control plane, the [Azure portal](https://portal.azure.com) +* Manage identities and access from one control plane, the [Microsoft Entra admin center](https://entra.microsoft.com) To learn about more benefits, see [F5 BIG-IP and Azure AD integration](./f5-integration.md). Prior BIG-IP experience isn't necessary, but you need: - F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) - 90-day BIG-IP product [Free Trial](https://www.f5.com/trial/big-ip-trial.php) - User identities [synchronized](../hybrid/connect/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD-- An account with Azure AD Application Admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)+- One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator. 
- An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certificates while testing - A header-based application or [set up a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing - A user directory that supports LDAP, such as Windows Active Directory Lightweight Directory Services (AD LDS), OpenLDAP etc. Before a client or service can access Microsoft Graph, it must be trusted by the This first step creates a tenant app registration to authorize the **Easy Button** access to Graph. With these permissions, the BIG-IP can push the configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP. -1. Sign in to the [Azure portal](https://portal.azure.com) using an account with Application Administrative rights. -2. From the left navigation pane, select the **Azure Active Directory** service. -3. Under Manage, select **App registrations > New registration**. -4. Enter a display name for your application. For example, F5 BIG-IP Easy Button. -5. Specify who can use the application > **Accounts in this organizational directory only**. -6. Select **Register**. -7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +2. Browse to **Identity** > **Applications** > **App registrations** > **New registration**. +3. Enter a display name for your application. For example, F5 BIG-IP Easy Button. +4. Specify who can use the application > **Accounts in this organizational directory only**. +5. Select **Register**. +6. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: * Application.Read.All * Application.ReadWrite.All |
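Review bot: the new prerequisite `+- One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.` leads with the most privileged role and links none of them, while the registration step in the same change says `as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)`; list the minimum role first (or reuse the "at least a Cloud Application Administrator" wording with its link) so the prerequisite and the procedure agree on the least-privileged role.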
active-directory | F5 Big Ip Oracle Enterprise Business Suite Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md | Learn to secure Oracle E-Business Suite (EBS) using Azure Active Directory (Azur * See, [Zero Trust security](../../security/fundamentals/zero-trust.md) * Full SSO between Azure AD and BIG-IP published services * Managed identities and access from one control plane- * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal) + * See, the [Microsoft Entra admin center](https://entra.microsoft.com) Learn more: You need the following components: * An Azure subscription * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)-* For the account, have Azure AD Application Administrator permissions +* Global Administrator, Cloud Application Administrator, or Application Administrator. * A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md) * Any of the following F5 BIG-IP license SKUs:- * F5 BIG-IP┬« Best bundle - * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license - * F5 BIG-IP Access Policy ManagerΓäó (APM) add-on license on a BIG-IP F5 BIG-IP┬« Local Traffic ManagerΓäó (LTM) + * F5 BIG-IP® Best bundle + * F5 BIG-IP Access Policy Manager™ (APM) standalone license + * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature┬átrial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php). 
* User identities synchronized from an on-premises directory to Azure AD * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) Learn more: [Quickstart: Register an application with the Microsoft identity pla Create a tenant app registration to authorize the Easy Button access to Graph. The BIG-IP pushes configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP. -1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions. -2. In the left navigation pane, select the **Azure Active Directory** service. -3. Under **Manage**, select **App registrations > New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +2. Browse to **Identity** > **Applications** > **App registrations** > **New registration**. 4. Enter an application **Name**. For example, F5 BIG-IP Easy Button. 5. Specify who can use the application > **Accounts in this organizational directory only**. 6. Select **Register**. Use Service Provider settings for the properties of the SAML SP instance of the ![Screenshot for Service Provider input and options.](./media/f5-big-ip-oracle/service-provider-settings.png) -3. (Optional) In **Security Settings**, select or clear the **Enable Encrypted Assertion** option. Encrypting assertions between Azure AD and the BIG-IP APM means the content tokens canΓÇÖt be intercepted, nor personal or corporate data compromised. +3. (Optional) In **Security Settings**, select or clear the **Enable Encrypted Assertion** option. Encrypting assertions between Azure AD and the BIG-IP APM means the content tokens can't be intercepted, nor personal or corporate data compromised. 4. 
From the **Assertion Decryption Private Key** list, select **Create New** ![Screenshot of Create New options in the Assertion Decryption Private Key dropdown.](./media/f5-big-ip-oracle/configure-security-create-new.png) Learn more: * [PeopleSoft SLO Logout](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout) * Go to support.f5.com for: - * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145 + * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145) * [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056) ## Deploy Learn more: 1. From a browser, connect to the Oracle EBS application external URL, or select the application icon in the [My Apps](https://myapps.microsoft.com/). 2. Authenticate to Azure AD.-3. YouΓÇÖre redirected to the BIG-IP virtual server for the application and signed in by SSO. +3. You're redirected to the BIG-IP virtual server for the application and signed in by SSO. For increased security, block direct application access, thereby enforcing a path through the BIG-IP. For increased security, block direct application access, thereby enforcing a pat Sometimes, the Guided Configuration templates lack flexibility for requirements. -Learn more: [Tutorial: Configure F5 BIG-IPΓÇÖs Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md). +Learn more: [Tutorial: Configure F5 BIG-IP's Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md). ### Manually change configurations |
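Review bot: the app-registration list in this hunk skips from step 2 to step 4: three removed steps are replaced by two, but `4. Enter an application **Name**.`, `5. Specify who can use the application ...` and `6. Select **Register**.` keep their old numbers; renumber them 3, 4 and 5, as the equivalent hunks in the other Easy Button articles in this change set do. The prerequisite line `+* Global Administrator, Cloud Application Administrator, or Application Administrator.` also drops the "For the account" lead-in of the line it replaces, so it reads as a bare fragment among noun-phrase items, and it links none of the roles while the sign-in step links Cloud Application Administrator; lead with the minimum role and link it.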
active-directory | F5 Big Ip Oracle Jde Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-jde-easy-button.md | Integrate BIG-IP with Azure AD for many benefits: * See, [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) * See, [What is Conditional Access?](../conditional-access/overview.md) * Single sign-on (SSO) between Azure AD and BIG-IP published services-* Manage identities and access from the [Azure portal](https://portal.azure.com) +* Manage identities and access from the [Microsoft Entra admin center](https://entra.microsoft.com) Learn more: In this tutorial SHA supports SP- and IdP-initiated flows. The following diagram * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to the on-premises directory * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)-* An account with Azure AD Application Admin permissions - * See, [Azure AD built-in roles](../roles/permissions-reference.md) +* One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator * An SSL Web certificate to publish services over HTTPS, or use default BIG-IP certs for testing * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md) * An Oracle JDE environment Learn more: [Quickstart: Register an application with the Microsoft identity pla The following instructions help you create a tenant app registration to authorize Easy Button access to Graph. With these permissions, the BIG-IP pushes the configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP. -1. 
Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions. -2. From the left navigation pane, select the **Azure Active Directory** service. -3. Under **Manage**, select **App registrations > New registration**. -4. Enter an application **Name**. -5. For **Accounts in this organizational directory only**, specify who uses the application. -6. Select **Register**. -7. Navigate to **API permissions**. -8. Authorize the following Microsoft Graph **Application permissions**: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +2. Browse to **Identity** > **Applications** > **App registrations** > **New registration**. +3. Enter an application **Name**. +4. For **Accounts in this organizational directory only**, specify who uses the application. +5. Select **Register**. +6. Navigate to **API permissions**. +7. Authorize the following Microsoft Graph **Application permissions**: * Application.ReadWrite.All * Application.ReadWrite.OwnedBy |
active-directory | F5 Big Ip Sap Erp Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-sap-erp-easy-button.md | In this article, learn to secure SAP ERP using Azure Active Directory (Azure AD) * [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) * [What is Conditional Access?](../conditional-access/overview.md) * Single sign-on (SSO) between Azure AD and BIG-IP published services-* Manage identities and access from the [Azure portal](https://portal.azure.com) +* Manage identities and access from the [Microsoft Entra admin center](https://entra.microsoft.com) Learn more: SHA supports SP and IdP initiated flows. The following image illustrates the SP- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to the on-premises directory * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)-* An account with Azure AD Application Admin permissions - * See, [Azure AD built-in roles](../roles/permissions-reference.md) +* One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator. * An SSL Web certificate to publish services over HTTPS, or use default BIG-IP certs for testing * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md) * An SAP ERP environment configured for Kerberos authentication See, [Quickstart: Register an application with the Microsoft identity platform]( Register the Easy Button client in Azure AD, then it's allowed to establish a trust between SAML SP instances of a BIG-IP published application, and Azure AD as the SAML IdP. -1. 
Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions. -2. In the left navigation pane, select the **Azure Active Directory** service. -3. Under Manage, select **App registrations > New registration**. -4. Enter a **Name**. -5. In **Accounts in this organizational directory only**, specify who can use the application. -6. Select **Register**. -7. Navigate to **API permissions**. -8. Authorize the following Microsoft Graph Application permissions: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +2. Browse to **Identity** > **Applications** > **App registrations** > **New registration**. +3. Enter a **Name** for the new application. +4. In **Accounts in this organizational directory only**, specify who can use the application. +5. Select **Register**. +6. Navigate to **API permissions**. +7. Authorize the following Microsoft Graph Application permissions: * Application.Read.All * Application.ReadWrite.All |
active-directory | Cross Tenant Synchronization Configure Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure-graph.md | -This article describes the key steps to configure cross-tenant synchronization using Microsoft Graph PowerShell or Microsoft Graph API. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For detailed steps using the Azure portal, see [Configure cross-tenant synchronization](cross-tenant-synchronization-configure.md). +This article describes the key steps to configure cross-tenant synchronization using Microsoft Graph PowerShell or Microsoft Graph API. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For detailed steps using the Microsoft Entra admin center, see [Configure cross-tenant synchronization](cross-tenant-synchronization-configure.md). :::image type="content" source="./media/common/configure-diagram.png" alt-text="Diagram that shows cross-tenant synchronization between source tenant and target tenant." lightbox="./media/common/configure-diagram.png"::: |
active-directory | Cross Tenant Synchronization Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md | Title: Configure cross-tenant synchronization -description: Learn how to configure cross-tenant synchronization in Azure Active Directory using the Azure portal. +description: Learn how to configure cross-tenant synchronization in Azure Active Directory using the Microsoft Entra admin center. -This article describes the steps to configure cross-tenant synchronization using the Azure portal. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +This article describes the steps to configure cross-tenant synchronization using the Microsoft Entra admin center. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). :::image type="content" source="./media/common/configure-diagram.png" alt-text="Diagram that shows cross-tenant synchronization between source tenant and target tenant." lightbox="./media/common/configure-diagram.png"::: By the end of this article, you'll be able to: ![Icon for the target tenant.](./media/common/icon-tenant-target.png)<br/>**Target tenant** -1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator in the target tenant. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) of the target tenant. -1. 
Select **Azure Active Directory** > **External Identities**. --1. Select **Cross-tenant access settings**. +1. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**. 1. On the **Organization settings** tab, select **Add organization**. In this step, you automatically redeem invitations so users from the source tena In this step, you automatically redeem invitations in the source tenant. -1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator of the source tenant. --1. Select **Azure Active Directory** > **External Identities**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) of the source tenant. -1. Select **Cross-tenant access settings**. +1. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**. 1. On the **Organization settings** tab, select **Add organization**. In this step, you automatically redeem invitations in the source tenant. ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant** -1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**. -- :::image type="content" source="./media/cross-tenant-synchronization-configure/azure-ad-overview.png" alt-text="Screenshot that shows the Azure Active Directory Overview page." lightbox="./media/cross-tenant-synchronization-configure/azure-ad-overview.png"::: +1. In the source tenant, browse to **Identity** > **External Identities** > **Cross-tenant synchronization**. 1. Select **Configurations**. Attribute mappings allow you to define how data should flow between the source t Now that you have a configuration, you can test on-demand provisioning with one of your users. -1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**. +1. In the source tenant, browse to **Identity** > **External Identities** > **Cross-tenant synchronization**. 1. 
Select **Configurations** and then select your configuration. Now that you have a configuration, you can test on-demand provisioning with one The provisioning job starts the initial synchronization cycle of all users defined in **Scope** of the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. -1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**. +1. In the source tenant, browse to **Identity** > **External Identities** > **Cross-tenant synchronization**. 1. Select **Configurations** and then select your configuration. Once you've started a provisioning job, you can monitor the status. Even though users are being provisioned in the target tenant, they still might be able to remove themselves. If users remove themselves and they are in scope, they'll be provisioned again during the next provisioning cycle. If you want to disallow the ability for users to remove themselves from your organization, you must configure the **External user leave settings**. -1. In the target tenant, select **Azure Active Directory**. --1. Select **External Identities** > **External collaboration settings**. +1. In the target tenant, browse to **Identity** > **External Identities** > **External collaboration settings**. 1. Under **External user leave settings**, choose whether to allow external users to leave your organization themselves. This setting also applies to B2B collaboration and B2B direct connect, so if you Follows these steps to delete a configuration on the **Configurations** page. -1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**. +1. In the source tenant, browse to **Identity** > **External Identities** > **Cross-tenant synchronization**. 1. On the **Configurations** page, add a check mark next to the configuration you want to delete. |
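Review bot: the two rewritten sign-in steps drop the role requirement: `-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator in the target tenant.` becomes `+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) of the target tenant.` (and likewise for the source tenant), so the reader no longer learns which role is needed to configure cross-tenant access settings and synchronization; state the least-privileged role with a link into permissions-reference.md, in the "as at least a ..." form the other sign-in steps in this change set use.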
active-directory | Cross Tenant Synchronization Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.md | To configure this setting using Microsoft Graph, see the [Update crossTenantAcce #### How do users know what tenants they belong to? -For cross-tenant synchronization, users don't receive an email or have to accept a consent prompt. If users want to see what tenants they belong to, they can open their [My Account](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd) page and select **Organizations**. In the Azure portal, users can open their [Azure portal settings](../../azure-portal/set-preferences.md), view their **Directories + subscriptions**, and switch directories. +For cross-tenant synchronization, users don't receive an email or have to accept a consent prompt. If users want to see what tenants they belong to, they can open their [My Account](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd) page and select **Organizations**. In the Microsoft Entra admin center, users can open their [Portal settings](../../azure-portal/set-preferences.md), view their **Directories + subscriptions**, and switch directories. For more information, including privacy information, see [Leave an organization as an external user](../external-identities/leave-the-organization.md). |
active-directory | Multi Tenant Organization Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/multi-tenant-organization-known-issues.md | The experiences and issues described in this article have the following scope. - Microsoft 365 admin center / Azure AD: If you're using Azure AD cross-tenant synchronization to provision your users, rather than the Microsoft 365 admin center share users functionality, Microsoft 365 admin center indicates an **Outbound sync status** of **Not configured**. This is expected preview behavior. Currently, Microsoft 365 admin center only shows the status of Azure AD cross-tenant synchronization jobs created and managed by Microsoft 365 admin center and doesn't display Azure AD cross-tenant synchronizations created and managed in Azure AD. -- Microsoft 365 admin center / Azure AD: If you view Azure AD cross-tenant synchronization in Azure portal, after adding tenants to or after joining a multi-tenant organization in Microsoft 365 admin center, you'll see a cross-tenant synchronization configuration with the name MTO_Sync_<TenantID>. Refrain from editing or changing the name if you want Microsoft 365 admin center to recognize the configuration as created and managed by Microsoft 365 admin center.+- Microsoft 365 admin center / Azure AD: If you view Azure AD cross-tenant synchronization in Microsoft Entra admin center, after adding tenants to or after joining a multi-tenant organization in Microsoft 365 admin center, you'll see a cross-tenant synchronization configuration with the name MTO_Sync_<TenantID>. Refrain from editing or changing the name if you want Microsoft 365 admin center to recognize the configuration as created and managed by Microsoft 365 admin center. 
- Microsoft 365 admin center / Azure AD: There's no established or supported pattern for Microsoft 365 admin center to take control of pre-existing Azure AD cross-tenant synchronization configurations and jobs. |
active-directory | Multi Tenant Organization Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/multi-tenant-organization-overview.md | Your multi-tenant organization is formed. Depending on your use case, you may want to synchronize users using one of the following methods: - [Synchronize users in multi-tenant organizations in Microsoft 365 (Preview)](/microsoft-365/enterprise/sync-users-multi-tenant-orgs)-- [Configure cross-tenant synchronization using the Azure portal](cross-tenant-synchronization-configure.md)-- [Configure cross-tenant synchronization using Microsoft Graph API](cross-tenant-synchronization-configure-graph.md)+- [Configure cross-tenant synchronization](cross-tenant-synchronization-configure.md) +- [Configure cross-tenant synchronization using PowerShell or Microsoft Graph API](cross-tenant-synchronization-configure-graph.md) - Your alternative bulk provisioning engine ## Limits |
active-directory | Admin Units Assign Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-assign-roles.md | It is not currently possible to assign directory read permissions scoped to an a ## Assign a role with an administrative unit scope -You can assign an Azure AD role with an administrative unit scope by using the Azure portal, PowerShell, or Microsoft Graph. +You can assign an Azure AD role with an administrative unit scope by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph. -### Azure portal +### Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit that you want to assign a user role scope to. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. ++1. Select the administrative unit that you want to assign a user role scope to. 1. On the left pane, select **Roles and administrators** to list all the available roles. Body ## List role assignments with administrative unit scope -You can view a list of Azure AD role assignments with administrative unit scope by using the Azure portal, PowerShell, or Microsoft Graph. +You can view a list of Azure AD role assignments with administrative unit scope by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph. ++### Microsoft Entra admin center -### Azure portal +You can view all the role assignments created with an administrative unit scope in the **Admin units** section of the Microsoft Entra admin center. 
-You can view all the role assignments created with an administrative unit scope in the [Administrative units section of Azure AD](https://portal.azure.com/?microsoft_aad_iam_adminunitprivatepreview=trueµsoft_aad_iam_rbacv2=true#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AdminUnit). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit for the list of role assignments you want to view. +1. Select the administrative unit for the list of role assignments you want to view. 1. Select **Roles and administrators**, and then open a role to view the assignments in the administrative unit. |
active-directory | Admin Units Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-manage.md | For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr ## Create an administrative unit -You can create a new administrative unit by using either the Azure portal, PowerShell or Microsoft Graph. +You can create a new administrative unit by using either the Microsoft Entra admin center, PowerShell or Microsoft Graph. -### Azure portal +### Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Administrative units**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. ![Screenshot of the Administrative units page in Azure AD.](./media/admin-units-manage/nav-to-admin-units.png) Body In Azure AD, you can delete an administrative unit that you no longer need as a unit of scope for administrative roles. Before you delete the administrative unit, you should remove any role assignments with that administrative unit scope. -### Azure portal +### Microsoft Entra admin center -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit you want to delete. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. ++1. Select the administrative unit you want to delete. 1. 
Select **Roles and administrators**, and then open a role to view the role assignments. 1. Remove all the role assignments with the administrative unit scope. -1. Select **Azure Active Directory** > **Administrative units**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. 1. Add a check mark next to the administrative unit you want to delete. |
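Review bot: The + line "You can create a new administrative unit by using either the Microsoft Entra admin center, PowerShell or Microsoft Graph." uses "either" with three options and drops the serial comma; since the sentence is being rewritten anyway, suggest "by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph.", which matches the wording used in the Admin Units Assign Roles row of this same change.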
active-directory | Admin Units Members Add | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-add.md | This article describes how to add users, groups, or devices to administrative un For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center -You can add users, groups, or devices to administrative units using the Azure portal. You can also add users in a bulk operation or create a new group in an administrative unit. +You can add users, groups, or devices to administrative units using the Microsoft Entra admin center. You can also add users in a bulk operation or create a new group in an administrative unit. ### Add a single user, group, or device to administrative units [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity**. -1. Select one of the following: +1. Browse to one of the following: - - **Users** - - **Groups** + - **Users** > **All users** + - **Groups** > **All groups** - **Devices** > **All devices** 1. Select the user, group, or device you want to add to administrative units. You can add users, groups, or devices to administrative units using the Azure po ### Add users, groups, or devices to a single administrative unit -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. 
Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Administrative units** and then select the administrative unit you want to add users, groups, or devices to. +1. Select the administrative unit you want to add users, groups, or devices to. 1. Select one of the following: You can add users, groups, or devices to administrative units using the Azure po ### Add users to an administrative unit in a bulk operation -1. Sign in to the [Azure portal](https://portal.azure.com). --1. Select **Azure Active Directory**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Administrative units** and then select the administrative unit you want to add users to. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select the administrative unit to which you want to add users. +1. Select the administrative unit you want to add users to. 1. Select **Users** > **Bulk operations** > **Bulk add members**. You can add users, groups, or devices to administrative units using the Azure po ### Create a new group in an administrative unit -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Administrative units** and then select the administrative unit you want to create a new group in. +1. Select the administrative unit you want to create a new group in. 1. Select **Groups**. |
active-directory | Admin Units Members Dynamic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-dynamic.md | -You can add or remove users or devices for administrative units manually. With this preview, you can add or remove users or devices for administrative units dynamically using rules. This article describes how to create administrative units with dynamic membership rules using the Azure portal, PowerShell, or Microsoft Graph API. +You can add or remove users or devices for administrative units manually. With this preview, you can add or remove users or devices for administrative units dynamically using rules. This article describes how to create administrative units with dynamic membership rules using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. > [!NOTE] > Dynamic membership rules for administrative units can be created using the same attributes available for dynamic groups. For more information about the specific attributes available and examples on how to use them, see [Dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md). For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr Follow these steps to create administrative units with dynamic membership rules for users or devices. -### Azure portal +### Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. --1. Select **Administrative units** and then select the administrative unit that you want to add users or devices to. +1. Select the administrative unit that you want to add users or devices to. 
1. Select **Properties**. For steps on how to edit your rule, see the following [Edit dynamic membership r When an administrative unit has been configured for dynamic membership, the usual commands to add or remove members for the administrative unit are disabled as the dynamic membership engine retains the sole ownership of adding or removing members. To make changes to the membership, you can edit the dynamic membership rules. -### Azure portal +### Microsoft Entra admin center -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Administrative units** and then select the administrative unit that has the dynamic membership rules you want to edit. +1. Select the administrative unit that has the dynamic membership rules you want to edit. 1. Select **Membership rules** to edit the dynamic membership rules using the rule builder. Body Follow these steps to change an administrative unit with dynamic membership rules to an administrative unit where members are manually assigned. -### Azure portal +### Microsoft Entra admin center -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Administrative units** and then select the administrative unit that you want to change to assigned. +1. Select the administrative unit that you want to change to assigned. 1. Select **Properties**. |
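Review bot: In the first "Microsoft Entra admin center" section of this row (creating an administrative unit with dynamic membership rules) the hunk removes both "Select **Azure Active Directory**." and "Select **Administrative units** and then select the administrative unit..." but only adds "Select the administrative unit that you want to add users or devices to.", so the reader is never told how to reach the administrative units list; the two later sections in the same file insert "1. Browse to **Identity** > **Roles & admins** > **Admin units**." before that step, and this section needs the same line.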
active-directory | Admin Units Members List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-list.md | In Azure Active Directory (Azure AD), you can list the users, groups, or devices For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center -You can list the users, groups, or devices in administrative units using the Azure portal. +You can list the users, groups, or devices in administrative units using the Microsoft Entra admin center. ### List the administrative units for a single user, group, or device [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory**. +1. Browse to **Identity**. -1. Select one of the following: +1. Browse to one of the following: - - **Users** - - **Groups** + - **Users** > **All users** + - **Groups** > **All groups** - **Devices** > **All devices** 1. Select the user, group, or device you want to list their administrative units. You can list the users, groups, or devices in administrative units using the Azu ### List the users, groups, or devices for a single administrative unit -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Administrative units** and then select the administrative unit that you want to list the users, groups, or devices for. +1. Select the administrative unit that you want to list the users, groups, or devices for. 1. 
Select one of the following: You can list the users, groups, or devices in administrative units using the Azu ### List the devices for an administrative unit by using the All devices page -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory**. --1. Select **Devices** > **All devices**. +1. Browse to **Identity** > **Devices** > **All devices**. 1. Select the filter for administrative unit. You can list the users, groups, or devices in administrative units using the Azu ### List the restricted management administrative units for a single user or group -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). ++1. Browse to **Identity**. ++1. Browse to one of the following: -1. Select **Azure Active Directory**. + - **Users** > **All users** + - **Groups** > **All groups** -1. Select **Users** or **Groups** and then select the user or group you want to list their restricted management administrative units. +1. Select the user or group you want to list their restricted management administrative units. 1. Select **Administrative units** to list all the administrative units where the user or group is a member. |
active-directory | Admin Units Members Remove | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-remove.md | When users, groups, or devices in an administrative unit no longer need access, For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center -You can remove users, groups, or devices from administrative units individually using the Azure portal. You can also remove users in a bulk operation. +You can remove users, groups, or devices from administrative units individually using the Microsoft Entra admin center. You can also remove users in a bulk operation. ### Remove a single user, group, or device from administrative units [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity**. -1. Select one of the following: +1. Browse to one of the following: - - **Users** - - **Groups** + - **Users** > **All users** + - **Groups** > **All groups** - **Devices** > **All devices** 1. Select the user, group, or device you want to remove from an administrative unit. You can remove users, groups, or devices from administrative units individually ### Remove users, groups, or devices from a single administrative unit -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. 
Select **Administrative units** and then select the administrative unit that you want to remove users, groups, or devices from. +1. Select the administrative unit that you want to remove users, groups, or devices from. 1. Select one of the following: You can remove users, groups, or devices from administrative units individually ### Remove users from an administrative unit in a bulk operation -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory**. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. -1. Select **Administrative units** and then select the administrative unit that you want to remove users from. +1. Select the administrative unit that you want to remove users from. 1. Select **Users** > **Bulk operations** > **Bulk remove members**. |
active-directory | Administrative Units | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/administrative-units.md | Using administrative units requires an Azure AD Premium P1 license for each admi ## Manage administrative units -You can manage administrative units by using the Azure portal, PowerShell cmdlets and scripts, or Microsoft Graph API. For more information, see: +You can manage administrative units by using the Microsoft Entra admin center, PowerShell cmdlets and scripts, or Microsoft Graph API. For more information, see: - [Create or delete administrative units](admin-units-manage.md) - [Add users, groups, or devices to an administrative unit](admin-units-members-add.md) You can expect the creation of administrative units in the organization to go th ## Currently supported scenarios -As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to: +As a Global Administrator or a Privileged Role Administrator, you can use the Microsoft Entra admin center to: - Create administrative units - Add users, groups, or devices as members of administrative units As a Global Administrator or a Privileged Role Administrator, you can use the Az Administrative unit-scoped admins can use the Microsoft 365 admin center for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin centers. -Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their [default user permissions](../fundamentals/users-default-permissions.md) to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services. 
+Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their [default user permissions](../fundamentals/users-default-permissions.md) to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Microsoft Entra admin center, PowerShell, and other Microsoft services. >[!Note] >Only the features described in this section are available in the Microsoft 365 admin center. No organization-level features are available for an Azure AD role with administrative unit scope. The following sections describe current support for administrative unit scenario ### Administrative unit management -| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center | +| Permissions | Microsoft Graph/PowerShell | Microsoft Entra admin center | Microsoft 365 admin center | | | :: | :: | :: | | Create or delete administrative units | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Add or remove members | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The following sections describe current support for administrative unit scenario ### User management -| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center | +| Permissions | Microsoft Graph/PowerShell | Microsoft Entra admin center | Microsoft 365 admin center | | | :: | :: | :: | | Administrative unit-scoped management of user properties, passwords | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Administrative unit-scoped management of user licenses | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The following sections describe current support for administrative unit scenario ### Group management -| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center | +| Permissions 
| Microsoft Graph/PowerShell | Microsoft Entra admin center | Microsoft 365 admin center | | | :: | :: | :: | | Administrative unit-scoped creation and deletion of groups | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Administrative unit-scoped management of group properties and membership for Microsoft 365 groups | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The following sections describe current support for administrative unit scenario ### Device management -| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center | +| Permissions | Microsoft Graph/PowerShell | Microsoft Entra admin center | Microsoft 365 admin center | | | :: | :: | :: | | Enable, disable, or delete devices | :heavy_check_mark: | :heavy_check_mark: | :x: | | Read BitLocker recovery keys | :heavy_check_mark: | :heavy_check_mark: | :x: | |
active-directory | Assign Roles Different Scopes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/assign-roles-different-scopes.md | For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr This section describes how to assign roles at the tenant scope. -### Azure portal +### Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ![Roles and administrators page in Azure Active Directory.](./media/common/roles-and-administrators.png) Follow these instructions to assign a role using the Microsoft Graph API in [Gra This section describes how to assign roles at an [administrative unit](administrative-units.md) scope. -### Azure portal +### Microsoft Entra admin center -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory > Administrative units** to see the list of all administrative units. +1. Browse to **Identity** > **Roles & admins** > **Admin units**. 1. Select an administrative unit. Follow these instructions to assign a role at administrative unit scope using th This section describes how to assign roles at an application registration scope. -### Azure portal +### Microsoft Entra admin center -1. Sign in to the [Azure portal](https://portal.azure.com). +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory > App registrations** to see the list of all app registrations. +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select an application. You can use search box to find the desired app. |
active-directory | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/best-practices.md | When planning your access control strategy, it's a best practice to manage to le Follow these steps to help you find the right role. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory** > **Roles and administrators** to see the list of Azure AD roles. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. 1. Use the **Service** filter to narrow down the list of roles. |
active-directory | Concept Understand Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/concept-understand-roles.md | When we say separate role-based access control system. it means there is a diffe ## Why some Azure AD roles are for other services -Microsoft 365 has a number of role-based access control systems that developed independently over time, each with its own service portal. To make it convenient for you to manage identity across Microsoft 365 from the Azure portal, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft 365 service. An example of this addition is the Exchange Administrator role in Azure AD. This role is equivalent to the [Organization Management role group](/exchange/organization-management-exchange-2013-help) in the Exchange role-based access control system, and can manage all aspects of Exchange. Similarly, we added the Intune Administrator role, Teams Administrator, SharePoint Administrator, and so on. Service-specific roles is one category of Azure AD built-in roles in the following section. +Microsoft 365 has a number of role-based access control systems that developed independently over time, each with its own service portal. To make it convenient for you to manage identity across Microsoft 365 from the Microsoft Entra admin center, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft 365 service. An example of this addition is the Exchange Administrator role in Azure AD. This role is equivalent to the [Organization Management role group](/exchange/organization-management-exchange-2013-help) in the Exchange role-based access control system, and can manage all aspects of Exchange. Similarly, we added the Intune Administrator role, Teams Administrator, SharePoint Administrator, and so on. Service-specific roles is one category of Azure AD built-in roles in the following section. 
## Categories of Azure AD roles Service-specific roles | Azure DevOps Administrator<br>Azure Information Protect ## Next steps - [Overview of Azure AD role-based access control](custom-overview.md)-- Create role assignments using [the Azure portal, Azure AD PowerShell, and Microsoft Graph API](custom-create.md)+- [Create and assign a custom role in Azure Active Directory](custom-create.md) - [List role assignments](view-assignments.md) |
active-directory | Custom Assign Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-assign-powershell.md | -This article describes how to create a role assignment at organization-wide scope in Azure Active Directory (Azure AD). Assigning a role at organization-wide scope grants access across the Azure AD organization. To create a role assignment with a scope of a single Azure AD resource, see [How to create a custom role and assign it at resource scope](custom-create.md). This article uses the [Azure Active Directory PowerShell Version 2](/powershell/module/azuread/#directory_roles) module. +This article describes how to create a role assignment at organization-wide scope in Azure Active Directory (Azure AD). Assigning a role at organization-wide scope grants access across the Azure AD organization. To create a role assignment with a scope of a single Azure AD resource, see [Create and assign a custom role in Azure Active Directory](custom-create.md). This article uses the [Azure Active Directory PowerShell Version 2](/powershell/module/azuread/#directory_roles) module. For more information about Azure AD roles, see [Azure AD built-in roles](permissions-reference.md). |
active-directory | Custom Available Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-available-permissions.md | Grants the same permissions as microsoft.directory/applications/permissions/upda ## Next steps -- Create custom roles using [the Azure portal, Azure AD PowerShell, and Microsoft Graph API](custom-create.md)+- [Create and assign a custom role in Azure Active Directory](custom-create.md) - [List role assignments](view-assignments.md) |
active-directory | Custom Consent Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-consent-permissions.md | Title: App consent permissions for custom roles in Azure Active Directory -description: Preview app consent permissions for custom Azure AD roles in the Azure portal, PowerShell, or Graph API. +description: Preview app consent permissions for custom Azure AD roles in the Microsoft Entra admin center, PowerShell, or Graph API. This article contains the currently available app consent permissions for custom Use the permissions listed in this article to manage app consent policies, as well as the permission to grant consent to apps. > [!NOTE]-> The Azure portal does not yet support adding the permissions listed in this article to a custom directory role definition. You must [use Azure AD PowerShell to create a custom directory role](custom-create.md#create-a-role-using-powershell) with the permissions listed in this article. +> The Microsoft Entra admin center does not yet support adding the permissions listed in this article to a custom directory role definition. You must [use Azure AD PowerShell to create a custom directory role](custom-create.md#create-a-role-using-powershell) with the permissions listed in this article. #### Granting delegated permissions to apps on behalf of self (user consent) To delegate the creation, update and deletion of [app consent policies](../manag ## Next steps -- [Create custom roles using the Azure portal, Azure AD PowerShell, and Microsoft Graph API](custom-create.md)+- [Create and assign a custom role in Azure Active Directory](custom-create.md) - [View the assignments for a custom role](../roles/view-assignments.md) |
active-directory | Custom Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-create.md | -Custom roles can be created in the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) tab on the Azure AD overview page. +Custom roles can be created in the **Roles and administrators** page of the Microsoft Entra admin center. ## Prerequisites Custom roles can be created in the [Roles and administrators](https://portal.azu For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Create a role in the Azure portal +## Create a role in the Microsoft Entra admin center ### Create a new custom role to grant access to manage app registrations [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** > **New custom role**. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ++1. Select **New custom role**. ![Create or edit roles from the Roles and administrators page](./media/custom-create/new-custom-role.png) $roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId Like built-in roles, custom roles are assigned by default at the default organization-wide scope to grant access permissions over all app registrations in your organization. Additionally, custom roles and some relevant built-in roles (depending on the type of Azure AD resource) can also be assigned at the scope of a single Azure AD resource. 
This allows you to give the user the permission to update credentials and basic properties of a single app without having to create a second custom role. -1. Sign in to the [Azure portal](https://portal.azure.com) with Application Developer permissions. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Developer](../roles/permissions-reference.md#application-developer). -1. Select **Azure Active Directory** > **App registrations**. +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select the app registration to which you are granting access to manage. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization. |
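Review bot: the added sign-in step for the single-app-registration scope reads "as at least a [Application Developer]"; the article should be "an [Application Developer]", so the line wants `+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer).`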
active-directory | Custom Device Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-device-permissions.md | Title: Device management permissions for Azure AD custom roles -description: Device management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API. +description: Device management permissions for Azure AD custom roles in the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. Device management permissions can be used in custom role definitions in Azure Ac - Read device registration policies - Update device registration policies -This article lists the permissions you can use in your custom roles for different device management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md). +This article lists the permissions you can use in your custom roles for different device management scenarios. For information about how to create custom roles, see [Create and assign a custom role in Azure Active Directory](custom-create.md). ## Enable or disable devices The following permission is available to read tenant-wide device registration se - microsoft.directory/deviceRegistrationPolicy/standard/read -You can read device settings in the Azure portal. +You can read device settings in the Microsoft Entra admin center. ![Screenshot showing Device settings page in Azure portal.](./media/custom-device-permissions/device-settings.png) |
active-directory | Custom Enterprise App Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-enterprise-app-permissions.md | Title: App permissions for custom roles in Azure Active Directory -description: Preview enterprise app permissions for custom Azure AD roles in the Azure portal, PowerShell, or Graph API. +description: Preview enterprise app permissions for custom Azure AD roles in the Microsoft Entra admin center, PowerShell, or Graph API. To delegate create, read, update, and delete (CRUD) permissions for updating the ## Next steps -- [Create custom roles using the Azure portal, Azure AD PowerShell, and Microsoft Graph API](custom-create.md)+- [Create and assign a custom role in Azure Active Directory](custom-create.md) - [List role assignments](view-assignments.md) |
active-directory | Custom Enterprise Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-enterprise-apps.md | Granting the update permission is done in two steps: 1. Create a custom role with permission `microsoft.directory/servicePrincipals/appRoleAssignedTo/update` 1. Grant users or groups permissions to manage user and group assignments to enterprise apps. This is when you can set the scope to the organization-wide level or to a single application. -## Azure portal +## Microsoft Entra admin center ### Create a new custom role Granting the update permission is done in two steps: >[!NOTE] > Custom roles are created and managed at an organization-wide level and are available only from the organization's Overview page. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** and then select **New custom role**. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ++1. Select **New custom role**. ![Add a new custom role from the roles list in Azure AD](./media/custom-enterprise-apps/new-custom-role.png) Granting the update permission is done in two steps: ![Now you can create the custom role](./media/custom-enterprise-apps/role-custom-create.png) -### Assign the role to a user using the Azure portal +### Assign the role to a user using the Microsoft Entra admin center -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators**. +1. 
Browse to **Identity** > **Roles & admins** > **Roles & admins**. -1. Select the **Grant permissions to manage user and group assignments** role. +1. Select the **Manage user and group assignments** role. ![Open Roles and Administrators and search for the custom role](./media/custom-enterprise-apps/select-custom-role.png) Granting the update permission is done in two steps: ## PowerShell -For more detail, see [Create and assign a custom role](custom-create.md) and [Assign custom roles with resource scope using PowerShell](custom-assign-powershell.md). +For more detail, see [Create and assign a custom role in Azure Active Directory](custom-create.md) and [Assign custom roles with resource scope using PowerShell](custom-assign-powershell.md). ### Create a custom role $roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -Rol ## Microsoft Graph API -Use the [Create unifiedRoleDefinition](/graph/api/rbacapplication-post-roledefinitions) API to create a custom role. For more information, see [Create and assign a custom role](custom-create.md) and [Assign custom admin roles using the Microsoft Graph API](custom-assign-graph.md). +Use the [Create unifiedRoleDefinition](/graph/api/rbacapplication-post-roledefinitions) API to create a custom role. For more information, see [Create and assign a custom role in Azure Active Directory](custom-create.md) and [Assign custom admin roles using the Microsoft Graph API](custom-assign-graph.md). ```http POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions |
active-directory | Custom Group Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-group-permissions.md | Title: Group management permissions for Azure AD custom roles -description: Group management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API. +description: Group management permissions for Azure AD custom roles in the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. Group management permissions can be used in custom role definitions in Azure Act - Read audit logs - Manage a specific type of group -This article lists the permissions you can use in your custom roles for different group management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md). +This article lists the permissions you can use in your custom roles for different group management scenarios. For information about how to create custom roles, see [Create and assign a custom role in Azure Active Directory](custom-create.md). ## License requirements |
active-directory | Custom Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-overview.md | A role assignment is an Azure AD resource that attaches a *role definition* to a - Role definition - A collection of permissions. - Scope - A way to constrain where those permissions are applicable. -You can [create role assignments](manage-roles-portal.md) and [list the role assignments](view-assignments.md) using the Azure portal, Azure AD PowerShell, or Microsoft Graph API. Azure CLI is not supported for Azure AD role assignments. +You can [create role assignments](manage-roles-portal.md) and [list the role assignments](view-assignments.md) using the Microsoft Entra admin center, Azure AD PowerShell, or Microsoft Graph API. Azure CLI is not supported for Azure AD role assignments. The following diagram shows an example of a role assignment. In this example, Chris has been assigned the App Registration Administrator custom role at the scope of the Contoso Widget Builder app registration. The assignment grants Chris the permissions of the App Registration Administrator role for only this specific app registration. Using built-in roles in Azure AD is free. Using custom roles require an Azure AD - [Understand Azure AD roles](concept-understand-roles.md) - [Assign Azure AD roles to users](manage-roles-portal.md)-- [Create and assign a custom role](custom-create.md)+- [Create and assign a custom role in Azure Active Directory](custom-create.md) |
active-directory | Custom User Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-user-permissions.md | Title: User management permissions for Azure AD custom roles -description: User management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API. +description: User management permissions for Azure AD custom roles in the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. User management permissions can be used in custom role definitions in Azure Acti - Update password policies of users - Read assignments and memberships of users -This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md). +This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see [Create and assign a custom role in Azure Active Directory](custom-create.md). ## License requirements |
active-directory | Delegate App Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/delegate-app-roles.md | By default in Azure AD, all users can register applications and manage all aspec ### To disable the default ability to create application registrations or consent to applications -1. Sign in to your Azure AD organization with an account that eligible for the Global Administrator role in your Azure AD organization. -1. Set one or both of the following: +To disable the default ability to create application registrations or consent to applications, follow these steps to set one or both of these settings for your organization. - - On the [User settings page for your organization](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings), set the **Users can register applications** setting to No. This will disable the default ability for users to create application registrations. - - On the [user settings for enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/), set the **Users can consent to applications accessing company data on their behalf** setting to No. This will disable the default ability for users to consent to applications accessing company data on their behalf. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). ++1. Browse to **Identity** > **Users** > **User settings**. ++1. Set the **Users can register applications** setting to **No**. ++ This will disable the default ability for users to create application registrations. ++1. Browse to **Identity** > **Enterprise applications** > **Consent and permissions**. ++1. Select the **Do not allow user consent** option. ++ This will disable the default ability for users to consent to applications accessing company data on their behalf. 
### Grant individual permissions to create and consent to applications when the default ability is disabled Creating custom roles and assigning custom roles are separate steps: This separation allows you to create a single role definition and then assign it many times at different *scopes*. A custom role can be assigned at organization-wide scope, or it can be assigned at the scope if a single Azure AD object. An example of an object scope is a single app registration. Using different scopes, the same role definition can be assigned to Sally over all app registrations in the organization and then to Naveen over only the Contoso Expense Reports app registration. Tips when creating and using custom roles for delegating application management:-- Custom roles only grant access in the most current app registration blades of the Azure portal. They do not grant access in the legacy app registrations blades.-- Custom roles do not grant access to the Azure portal when the “[Restrict access to Azure AD administration portal](../fundamentals/users-default-permissions.md)” user setting is set to Yes.+- Custom roles only grant access in the most current app registration blades of the Microsoft Entra admin center. They do not grant access in the legacy app registrations blades. +- Custom roles do not grant access to the Microsoft Entra admin center when the [Restrict access to Azure AD administration portal](../fundamentals/users-default-permissions.md) user setting is set to **Yes**. - App registrations the user has access to using role assignments only show up in the ‘All applications’ tab on the App registration page. They do not show up in the ‘Owned applications’ tab. For more information on the basics of custom roles, see the [custom roles overview](custom-overview.md), as well as how to [create a custom role](custom-create.md) and how to [assign a role](custom-assign-powershell.md). |
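Review bot: the rewritten tip "Custom roles only grant access in the most current app registration blades of the Microsoft Entra admin center. They do not grant access in the legacy app registrations blades." swaps the portal name but keeps "blades", which is Azure portal terminology rather than admin center wording; suggest "pages" (or dropping the word) so the sentence is consistent with the other replaced lines in this change.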
active-directory | Delegate By Task | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/delegate-by-task.md | -You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see [Assign Azure AD roles at different scopes](assign-roles-different-scopes.md) or [Create and assign a custom role](custom-create.md). +You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see [Assign Azure AD roles at different scopes](assign-roles-different-scopes.md) or [Create and assign a custom role in Azure Active Directory](custom-create.md). ## Application proxy |
active-directory | Groups Assign Role | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-assign-role.md | Title: Assign Azure AD roles to groups -description: Assign Azure AD roles to role-assignable groups in the Azure portal, PowerShell, or Microsoft Graph API. +description: Assign Azure AD roles to role-assignable groups in the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. -To simplify role management, you can assign Azure AD roles to a group instead of individuals. This article describes how to assign Azure AD roles to [role-assignable groups](groups-concept.md) using the Azure portal, PowerShell, or Microsoft Graph API. +To simplify role management, you can assign Azure AD roles to a group instead of individuals. This article describes how to assign Azure AD roles to [role-assignable groups](groups-concept.md) using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. ## Prerequisites To simplify role management, you can assign Azure AD roles to a group instead of For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] Assigning an Azure AD role to a group is similar to assigning users and service > [!TIP] > These steps apply to customers that have an Azure AD Premium P1 license. If you have an Azure AD Premium P2 license in your tenant, you should instead follow steps in [Assign Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-add-role-to-user.md). -1. Sign in to the [Azure portal](https://portal.azure.com) or [Microsoft Entra admin center](https://entra.microsoft.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. 
Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. :::image type="content" source="media/common/roles-and-administrators.png" alt-text="Screenshot of Roles and administrators page in Azure Active Directory." lightbox="media/common/roles-and-administrators.png"::: |
active-directory | Groups Concept | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-concept.md | Consider the example where the Contoso company has hired people across geographi ## How role assignments to groups work -To assign a role to a group, you must create a new security or Microsoft 365 group with the `isAssignableToRole` property set to `true`. In the Azure portal, you set the **Azure AD roles can be assigned to the group** option to **Yes**. Either way, you can then assign one or more Azure AD roles to the group in the same way as you assign roles to users. +To assign a role to a group, you must create a new security or Microsoft 365 group with the `isAssignableToRole` property set to `true`. In the Microsoft Entra admin center, you set the **Azure AD roles can be assigned to the group** option to **Yes**. Either way, you can then assign one or more Azure AD roles to the group in the same way as you assign roles to users. ![Screenshot of the Roles and administrators page](./media/groups-concept/role-assignable-group.png) The following scenarios aren't supported: The following are known issues with role-assignable groups: -- *Azure AD P2 licensed customers only*: Even after deleting the group, it is still shown an eligible member of the role in PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal. +- *Azure AD P2 licensed customers only*: Even after deleting the group, it is still shown an eligible member of the role in PIM UI. Functionally there's no problem; it's just a cache issue in the Microsoft Entra admin center. - Use the new [Exchange admin center](/exchange/exchange-admin-center) for role assignments via group membership. The old Exchange admin center doesn't support this feature. If accessing the old Exchange admin center is required, assign the eligible role directly to the user (not via role-assignable groups). Exchange PowerShell cmdlets work as expected. 
- If an administrator role is assigned to a role-assignable group instead of individual users, members of the group will not be able to access Rules, Organization, or Public Folders in the new [Exchange admin center](/exchange/exchange-admin-center). The workaround is to assign the role directly to users instead of the group. - Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You can [migrate to the unified sensitivity labeling platform](/azure/information-protection/configure-policy-migrate-labels) and then use the Microsoft Purview compliance portal to use group assignments to manage roles. |
active-directory | Groups Create Eligible | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-create-eligible.md | Title: Create a role-assignable group in Azure Active Directory -description: Learn how to a role-assignable group in Azure Active Directory using the Azure portal, PowerShell, or Microsoft Graph API. +description: Learn how to a role-assignable group in Azure Active Directory using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. -This article describes how to create a role-assignable group using the Azure portal, PowerShell, or Microsoft Graph API. +This article describes how to create a role-assignable group using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. ## Prerequisites This article describes how to create a role-assignable group using the Azure por For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**. +1. Browse to **Identity** > **Groups** > **All groups**. -1. On the **New Group** tab, provide group type, name and description. +1. Select **New group**. ++1. On the **New Group** page, provide group type, name and description. 1. Set **Azure AD roles can be assigned to the group** to **Yes**. |
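Review bot: the updated description line is still missing its verb: "Learn how to a role-assignable group in Azure Active Directory using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API." should be "Learn how to create a role-assignable group ...". The defect was already present in the removed line, so this change is the right place to fix it.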
active-directory | Groups Remove Assignment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-remove-assignment.md | Title: Remove role assignments from a group in Azure Active Directory -description: Remove role assignments from a group in Azure Active Directory using the Azure portal, PowerShell, or Microsoft Graph API. +description: Remove role assignments from a group in Azure Active Directory using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. -This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Azure portal, you can now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership, remove the user from the group to remove the role assignment. +This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Microsoft Entra admin center, you can now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership, remove the user from the group to remove the role assignment. ## Prerequisites This article describes how an IT admin can remove Azure AD roles assigned to gro For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** > *role name*. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ++1. Select a *role name*. 1. Select the group from which you want to remove the role assignment and select **Remove assignment**. |
active-directory | Groups View Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-view-assignments.md | Title: View roles assigned to a group in Azure Active Directory -description: Learn how the roles assigned to a group can be viewed using the Azure portal. Viewing groups and assigned roles are default user permissions. +description: Learn how the roles assigned to a group can be viewed using the Microsoft Entra admin center. Viewing groups and assigned roles are default user permissions. -This section describes how the roles assigned to a group can be viewed using the Azure portal. Viewing groups and assigned roles are default user permissions. +This section describes how the roles assigned to a group can be viewed using the Microsoft Entra admin center. Viewing groups and assigned roles are default user permissions. ## Prerequisites This section describes how the roles assigned to a group can be viewed using the For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory** > **Groups**. +1. Browse to **Identity** > **Groups** > **All groups**. 1. Select a role-assignable group that you are interested in. |
active-directory | List Role Assignments Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/list-role-assignments-users.md | A role can be assigned to a user directly or transitively via a group. This arti For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -Follow these steps to list Azure AD roles for a user using the Azure portal. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled. +Follow these steps to list Azure AD roles for a user using the Microsoft Entra admin center. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -2. Select **Azure Active Directory** > **Users** > *user name* > **Assigned roles**. +1. Browse to **Identity** > **Users** > **All users**. ++1. Select *user name* > **Assigned roles**. You can see the list of roles assigned to the user at different scopes. Additionally, you can see whether the role has been assigned directly or via group. |
active-directory | Manage Roles Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/manage-roles-portal.md | -To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles. A role is a collection of permissions. This article describes how to assign Azure AD roles using the Azure portal and PowerShell. +To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles. A role is a collection of permissions. This article describes how to assign Azure AD roles using the Microsoft Entra admin center and PowerShell. ## Prerequisites To grant access to users in Azure Active Directory (Azure AD), you assign Azure For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center -Follow these steps to assign Azure AD roles using the Azure portal. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled. +Follow these steps to assign Azure AD roles using the Microsoft Entra admin center. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled. ### Assign a role [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ![Screenshot of Roles and administrators page in Azure Active Directory.](./media/common/roles-and-administrators.png) Follow these steps to assign Azure AD roles using the Azure portal. Your experie ### Assign a role using PIM -If you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled, you have additional role assignment capabilities. For example, you can make a user eligible for a role or set the duration. When PIM is enabled, there are two ways that you can assign roles using the Azure portal. You can use the Roles and administrators page or the PIM experience. Either way uses the same PIM service. +If you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled, you have additional role assignment capabilities. For example, you can make a user eligible for a role or set the duration. When PIM is enabled, there are two ways that you can assign roles using the Microsoft Entra admin center. You can use the Roles and administrators page or the PIM experience. Either way uses the same PIM service. -Follow these steps to assign roles using the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) page. If you want to assign roles using the [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart) page, see [Assign Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-add-role-to-user.md). +Follow these steps to assign roles using the **Roles and administrators** page. If you want to assign roles using Privileged Identity Management, see [Assign Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-add-role-to-user.md). -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ![Screenshot of Roles and administrators page in Azure Active Directory when PIM enabled.](./media/common/roles-and-administrators.png) If PIM is enabled, you have additional capabilities, such as making a user eligi } ``` -1. Use [New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest](/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleeligibilityschedulerequest?view=graph-powershell-1.0&preserve-view=true) to assign the role as eligible. Once the role has been assigned, it will reflect on the Azure portal under **Privileged Identity Management -> Azure AD Roles -> Assignments -> Eligible Assignments** section. +1. Use [New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest](/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleeligibilityschedulerequest?view=graph-powershell-1.0&preserve-view=true) to assign the role as eligible. Once the role has been assigned, it will reflect in the Microsoft Entra admin center under **Identity governance** > **Privileged Identity Management** > **Azure AD Roles** > **Assignments** > **Eligible Assignments** section. ```powershell New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params | Format-List Id, Status, Action, AppScopeId, DirectoryScopeId, RoleDefinitionId, IsValidationOnly, Justification, PrincipalId, CompletedDateTime, CreatedDateTime |
active-directory | My Staff Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/my-staff-configure.md | To complete this article, you need the following resources and privileges: Once you have configured administrative units, you can apply this scope to your users who access My Staff. Only users who are assigned an administrative role can access My Staff. To enable My Staff, complete the following steps: -1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator, User Administrator, or Group Administrator. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). -1. Select **Azure Active Directory** > **User settings** > **User feature** > **Manage user feature settings**. +1. Browse to **Identity** > **Users** > **User settings**. ++1. Under **User feature**, select **Manage user feature settings**. 1. Under **Administrators can access My Staff**, you can choose to enable for all users, selected users, or no user access. You can search for administrative units and users in your organization using the ## Audit logs -You can view audit logs for actions taken in My Staff in the Azure portal. If an audit log was generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event. +You can view audit logs for actions taken in My Staff in the Microsoft Entra admin center. If an audit log was generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event. ## Next steps |
active-directory | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/prerequisites.md | To use AzureADPreview, follow these steps to make sure it is imported into the c To manage Azure AD roles using the [Microsoft Graph API](/graph/overview) and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview), you must do the following: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory** > **Enterprise applications**. +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. In the applications list, find and select **Graph explorer**. |
active-directory | Protected Actions Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/protected-actions-overview.md | Here's the initial set of permissions: If an application or service attempts to perform a protection action, it must be able to handle the required Conditional Access policy. In some cases, a user might need to intervene and satisfy the policy. For example, they may be required to complete multi-factor authentication. The following applications support step-up authentication for protected actions: -- Azure Active Directory administrator experiences for the actions in the [Entra admin center](https://entra.microsoft.com) or the [Azure portal](https://portal.azure.com)+- Azure Active Directory administrator experiences for the actions in the [Microsoft Entra admin center](https://entra.microsoft.com) - [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview?branch=main) - [Microsoft Graph Explorer](/graph/graph-explorer/graph-explorer-overview?branch=main) There are some known and expected limitations. The following applications will f - [Azure PowerShell](/powershell/azure/what-is-azure-powershell?branch=main) - [Azure AD PowerShell](/powershell/azure/active-directory/overview?branch=main)-- Creating a new [terms of use](../conditional-access/terms-of-use.md) page or [custom control](../conditional-access/controls.md) in the Entra admin center or Azure portal. New terms of use pages or custom controls are registered with Conditional Access so are subject to Conditional Access create, update, and delete protected actions. Temporarily removing the policy requirement from the Conditional Access create, update, and delete actions will allow the creation of a new terms of use page or custom control.+- Creating a new [terms of use](../conditional-access/terms-of-use.md) page or [custom control](../conditional-access/controls.md) in the Microsoft Entra admin center. New terms of use pages or custom controls are registered with Conditional Access so are subject to Conditional Access create, update, and delete protected actions. Temporarily removing the policy requirement from the Conditional Access create, update, and delete actions will allow the creation of a new terms of use page or custom control. If your organization has developed an application that calls the Microsoft Graph API to perform a protected action, you should review the code sample for how to handle a claims challenge using step-up authentication. For more information, see [Developer guide to Conditional Access authentication context](../develop/developer-guide-conditional-access-authentication-context.md). |
active-directory | Quickstart App Registration Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/quickstart-app-registration-limits.md | -In this quick start guide, you will create a custom role with permission to create an unlimited number of app registrations, and then assign that role to a user. The assigned user can then use the Azure portal, Azure AD PowerShell, or Microsoft Graph API to create application registrations. Unlike the built-in Application Developer role, this custom role grants the ability to create an unlimited number of application registrations. The Application Developer role grants the ability, but the total number of created objects is limited to 250 to prevent hitting [the directory-wide object quota](../enterprise-users/directory-service-limits-restrictions.md). The least privileged role required to create and assign Azure AD custom roles is the Privileged Role Administrator. +In this quick start guide, you will create a custom role with permission to create an unlimited number of app registrations, and then assign that role to a user. The assigned user can then use the Microsoft Entra admin center, Azure AD PowerShell, or Microsoft Graph API to create application registrations. Unlike the built-in Application Developer role, this custom role grants the ability to create an unlimited number of application registrations. The Application Developer role grants the ability, but the total number of created objects is limited to 250 to prevent hitting [the directory-wide object quota](../enterprise-users/directory-service-limits-restrictions.md). The least privileged role required to create and assign Azure AD custom roles is the Privileged Role Administrator. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. If you don't have an Azure subscription, [create a free account](https://azure.m For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center ### Create a custom role [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators** and then select **New custom role**. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ++1. Select **New custom role**. ![Create or edit roles from the Roles and administrators page](./media/quickstart-app-registration-limits/new-custom-role.png) For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr ### Assign the role -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). -1. Select **Azure Active Directory** > **Roles and administrators**. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. 1. Select the Application Registration Creator role and select **Add assignment**. For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr Done! In this quickstart, you successfully created a custom role with permission to create an unlimited number of app registrations, and then assign that role to a user. > [!TIP]-> To assign the role to an application using the Azure portal, enter the name of the application into the search box of the assignment page. Applications are not shown in the list by default, but are returned in search results. +> To assign the role to an application using the Microsoft Entra admin center, enter the name of the application into the search box of the assignment page. Applications are not shown in the list by default, but are returned in search results. ### App registration permissions |
active-directory | Role Definitions List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/role-definitions-list.md | This article describes how to list the Azure AD built-in and custom roles along For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ![list of roles in Azure portal](./media/role-definitions-list/view-roles-in-azure-active-directory.png) |
active-directory | Security Emergency Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-emergency-access.md | Create two or more emergency access accounts. These accounts should be cloud-onl ### How to create an emergency access account -1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). -1. Select **Azure Active Directory** > **Users**. +1. Browse to **Identity** > **Users** > **All users**. 1. Select **New user**. Organizations should monitor sign-in and audit log activity from the emergency a ### Obtain Object IDs of the break glass accounts -1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the User Administrator role. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). ++1. Browse to **Identity** > **Users** > **All users**. -1. Select **Azure Active Directory** > **Users**. 1. Search for the break-glass account and select the userΓÇÖs name.+ 1. Copy and save the Object ID attribute so that you can use it later.+ 1. Repeat previous steps for second break-glass account. ### Create an alert rule -1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the Monitoring Contributor role in Azure Monitor. -1. Select **All services**", enter "log analytics" in Search and then select **Log Analytics workspaces**. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor). ++1. Browse to **Monitor** > **Log Analytics workspaces**. + 1. Select a workspace.+ 1. In your workspace, select **Alerts** > **New alert rule**.+ 1. Under **Resource**, verify that the subscription is the one with which you want to associate the alert rule. 1. Under **Condition**, select **Add**. 1. Select **Custom log search** under **Signal name**. Organizations should monitor sign-in and audit log activity from the emergency a ![alert logic](./media/security-emergency-access/alert-image2.png) 1. Select **Done**. You may now view the estimated monthly cost of this alert.+ 1. Select an action group of users to be notified by the alert. If you want to create one, see [Create an action group](#create-an-action-group).+ 1. To customize the email notification sent to the members of the action group, select actions under **Customize Actions**.+ 1. Under **Alert Details**, specify the alert rule name and add an optional description.+ 1. Set the **Severity level** of the event. We recommend that you set it to **Critical(Sev 0)**.+ 1. Under **Enable rule upon creation**, leave it set as **yes**.+ 1. To turn off alerts for a while, select the **Suppress Alerts** check box and enter the wait duration before alerting again, and then select **Save**.+ 1. Click **Create alert rule**. ### Create an action group Organizations should monitor sign-in and audit log activity from the emergency a ![create an action group for notification actions](./media/security-emergency-access/action-group-image3.png) 1. Enter the action group name and a short name.+ 1. Verify the subscription and resource group.+ 1. Under action type, select **Email/SMS/Push/Voice**.+ 1. Enter an action name such as **Notify Global Administrator**.+ 1. Select the **Action Type** as **Email/SMS/Push/Voice**.+ 1. Select **Edit details** to select the notification methods you want to configure and enter the required contact information, and then select **Ok** to save the details.+ 1. Add any additional actions you want to trigger.+ 1. Select **OK**. ## Validate accounts regularly |
active-directory | Security Planning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-planning.md | Azure AD Privileged Identity Management is included in Azure AD Premium P2 or EM After you start using Azure AD Privileged Identity Management: -1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that is a Global Administrator of your Azure AD production organization. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). -2. To select the Azure AD organization where you want to use Privileged Identity Management, select your user name in the upper right-hand corner of the Azure portal. +1. To switch directories where you want to use Privileged Identity Management, select your user name in the upper right corner of the Microsoft Entra admin center. -3. On the Azure portal menu, select **All services** and filter the list for **Azure AD Privileged Identity Management**. +1. Browse to **Identity governance** > **Privileged Identity Management**. -4. Open Privileged Identity Management from the **All services** list and pin it to your dashboard. --Make sure the first person to use PIM in your organization is assigned to the **Security Administrator** and **Privileged Role Administrator** roles. Only Privileged Role Administrators can manage the Azure AD directory role assignments of users. The PIM security wizard walks you through the initial discovery and assignment experience. You can exit the wizard without making any additional changes at this time. +Make sure the first person to use PIM in your organization is assigned to the [Security Administrator](../roles/permissions-reference.md#security-administrator) and [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator) roles. Only Privileged Role Administrators can manage the Azure AD directory role assignments of users. The PIM security wizard walks you through the initial discovery and assignment experience. You can exit the wizard without making any additional changes at this time. #### Identify and categorize accounts that are in highly privileged roles After starting to use Azure AD Privileged Identity Management, view the users wh * Exchange Administrator * SharePoint Administrator -If you don't have Azure AD Privileged Identity Management in your organization, you can use the [PowerShell API](/powershell/module/azuread/get-azureaddirectoryrolemember). Start with the Global Administrator role because a Global Administrator has the same permissions across all cloud services for which your organization has subscribed. These permissions are granted no matter where they were assigned: in the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for Microsoft PowerShell. +If you don't have Azure AD Privileged Identity Management in your organization, you can use the [PowerShell API](/powershell/module/azuread/get-azureaddirectoryrolemember). Start with the Global Administrator role because a Global Administrator has the same permissions across all cloud services for which your organization has subscribed. These permissions are granted no matter where they were assigned: in the Microsoft 365 admin center, the Microsoft Entra admin center, or by the Azure AD module for Microsoft PowerShell. Remove any accounts that are no longer needed in those roles. Then, categorize the remaining accounts that are assigned to administrator roles: For more information, see [How to configure hybrid Azure Active Directory joined #### Review members of [built-in Microsoft 365 admin roles](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d) Skip this step if you're not using Microsoft 365.-ΓÇÄ + #### Validate incident response plan To improve upon your plan, Microsoft recommends you regularly validate that your plan operates as expected: To improve upon your plan, Microsoft recommends you regularly validate that your ### Additional steps for organizations managing access to Azure Determine if you need to [transfer ownership of an Azure subscription to another account](../../cost-management-billing/manage/billing-subscription-transfer.md).-ΓÇÄ ## "Break glass": what to do in an emergency |
active-directory | View Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/view-assignments.md | Title: List Azure AD role assignments -description: You can now see and manage members of an Azure Active Directory administrator role in the Azure portal. +description: You can now see and manage members of an Azure Active Directory administrator role in the Microsoft Entra admin center. This article describes how to list roles you have assigned in Azure Active Direc For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md). -## Azure portal +## Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] This procedure describes how to list role assignments with organization-wide scope. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Select **Azure Active Directory** > **Roles and administrators** and then select a role to open it and view its properties. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. ++1. Select a role to open it and view its properties. 1. Select **Assignments** to list the role assignments. To download all assignments for a specific role, follow these steps. This section describes how to list role assignments with single-application scope. This feature is currently in public preview. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). ++1. Browse to **Identity** > **Applications** > **App registrations**. -1. Select **Azure Active Directory** > **App registrations**, and then select the app registration to view its properties. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization. +1. Select the app registration to view its properties. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization. ![Create or edit app registrations from the App registrations page](./media/view-assignments/app-reg-all-apps.png) |
active-directory | Brivo Onair Identity Connector Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/brivo-onair-identity-connector-provisioning-tutorial.md | This section guides you through the steps to configure the Azure AD provisioning 8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Brivo Onair Identity Connector**. - ![Brivo Onair Identity Connector User Mappings](media/brivo-onair-identity-connector-provisioning-tutorial/user-mappings.png ) + ![Brivo Onair Identity Connector User Mappings](media/brivo-onair-identity-connector-provisioning-tutorial/user-mappings.png) 9. Review the user attributes that are synchronized from Azure AD to Brivo Onair Identity Connector in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Brivo Onair Identity Connector for update operations. Select the **Save** button to commit any changes. |
active-directory | Cisco Umbrella User Management Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md | When using Microsoft Azure AD Connect, the ObjectGUID attribute of users is not ## Step 3. Configure Cisco Umbrella User Management to support provisioning with Azure AD -1. Log in to [Cisco Umbrella dashboard](https://login.umbrella.com ). Navigate to **Deployments** > **Core Identities** > **Users and Groups**. +1. Log in to [Cisco Umbrella dashboard](https://login.umbrella.com). Navigate to **Deployments** > **Core Identities** > **Users and Groups**. 1. Expand the Azure Active Directory card and click on the **API Keys page**. |
active-directory | Hornbill Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hornbill-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 2. On the Home page, click the **Configuration** settings icon at the bottom left of the page. - ![Screenshot shows the Hornbill system.](./media/hornbill-tutorial/settings.png "Hornbill system") + ![Screenshot shows the Hornbill system.](./media/hornbill-tutorial/settings.png "Hornbill system") 3. Navigate to **Platform Configuration**. |
active-directory | Kerbf5 Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kerbf5-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ![Screenshot that shows the "Pool Properties" page with the "IP Address/Node Name" and "Port" text boxes highlighted and the "Save & Next" button selected.](./media/kerbf5-tutorial/configure08.png) -1. On the Single Sign-On Settings screen, select **Enable Single Sign-On**. Under **Selected Single Sign-On Type** choose **Kerberos**. Replace **session.saml.last.Identity** with **session.saml.last.attr.name.Identity** under **Username Source** ( this variable it set using claims mapping in the Azure AD ). Select **Show Advanced Setting**. Under **Kerberos Realm** type the Domain Name. Under **Account Name/ Account Password** Specify the APM Delegation Account and Password. Specify the Domain Controller IP in the **KDC** Field. Click **Save & Next**. +1. On the Single Sign-On Settings screen, select **Enable Single Sign-On**. Under **Selected Single Sign-On Type** choose **Kerberos**. Replace **session.saml.last.Identity** with **session.saml.last.attr.name.Identity** under **Username Source** (this variable it set using claims mapping in the Azure AD). Select **Show Advanced Setting**. Under **Kerberos Realm** type the Domain Name. Under **Account Name/ Account Password** Specify the APM Delegation Account and Password. Specify the Domain Controller IP in the **KDC** Field. Click **Save & Next**. ![Screenshot that shows the "Single Sign-On Settings" with text boxes highlighted and the "Save & Next" button selected.](./media/kerbf5-tutorial/configure09.png) |
active-directory | Sansan Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sansan-tutorial.md | Follow these steps to enable Azure AD SSO in the Azure portal. 1. In the **Reply URL** text box, type a URL using one of the following patterns: - | Environment | URL | + | Environment | URL | |: |: | | PC |`https://ap.sansan.com/v/saml2/<COMPANY_NAME>/acs` | | Smartphone App |`https://internal.api.sansan.com/saml2/<COMPANY_NAME>/acs` | Follow these steps to enable Azure AD SSO in the Azure portal. 1. In the **Sign-on URL** text box, type the URL: `https://ap.sansan.com/` - > [!NOTE] - > These values are not real. Check the actual Identifier and Reply URL values on the **Sansan admin settings**. + > [!NOTE] + > These values are not real. Check the actual Identifier and Reply URL values on the **Sansan admin settings**. 1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. In this section, you'll enable Britta Simon to use Azure single sign-on by grant To perform the **Single Sign-On settings** on the **Sansan** side, please follow the below steps according to your requirement. - * [Japanese](https://jp-help.sansan.com/hc/ja/articles/900001551383 ) version. + * [Japanese](https://jp-help.sansan.com/hc/ja/articles/900001551383) version. - * [English](https://jp-help.sansan.com/hc/en-us/articles/900001551383 ) version. + * [English](https://jp-help.sansan.com/hc/en-us/articles/900001551383) version. ### Create Sansan test user In this section, you test your Azure AD single sign-on configuration with follow ## Next steps -Once you configure Sansan you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad). +Once you configure Sansan you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad). |
active-directory | Shopify Plus Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/shopify-plus-provisioning-tutorial.md | The scenario outlined in this tutorial assumes that you already have the followi ## Step 2. Configure Shopify Plus to support provisioning with Azure AD -1. Login to [Shopify Plus organization admin](https://shopify.plus ). Navigate to **Users > Security**. +1. Login to [Shopify Plus organization admin](https://shopify.plus). Navigate to **Users > Security**. 2. Navigate to the **SCIM Integration** section, click **Generate API token**. |
active-directory | Admin Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/admin-api.md | You are able to [search](how-to-issuer-revoke.md) for verifiable credentials wit ```csharp string claimvalue = "Bowen";- string contractid = "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDM"; + string contractid = "<...your-contract-id-value...>"; string output; using (var sha256 = SHA256.Create()) You are able to [search](how-to-issuer-revoke.md) for verifiable credentials wit var input = contractid + claimvalue; byte[] inputasbytes = Encoding.UTF8.GetBytes(input); hashedsearchclaimvalue = Convert.ToBase64String(sha256.ComputeHash(inputasbytes));+ output = System.Net.WebUtility.UrlEncode( hashedsearchclaimvalue ); } ``` |
active-directory | Partner Gallery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/partner-gallery.md | -To be considered into Entra Verified ID partner documentation, submit your application [request](https://aka.ms/isvconnectvc) - ## Partner list | IDV partner | Description | Integration walkthroughs | |
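Review bot: this hunk deletes the only "submit your application" link on the IDV partner gallery page, and the replacement added in services-partners.md in this same batch is scoped to "Services or solution Partner", so IDV partners no longer have an application path from this page. If that is intended, fine; otherwise keep a pointer here. Separately, the removed sentence's "considered into Entra Verified ID partner documentation" wording is carried over into the new page and should read "considered for inclusion in the Entra Verified ID partner documentation".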
active-directory | Services Partners | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/services-partners.md | -Our Services partner network extends and accelerates Microsoft Entra Verified ID adoption. Service partners offer advisory, implementation, integration and managed service capabilities that can help you build seamless end-user experiences using Verified ID. +Our Services and solutions partner network extends and accelerates Microsoft Entra Verified ID adoption. Service partners offer advisory, implementation, integration and managed service capabilities that can help you build seamless end-user experiences using Verified ID. ## Services and solution partner list -You could select a partner from the list and build seamless end-user experiences for onboarding, secure access to critical services, self-service and custom business application scenarios. +You could select a partner from the list and build seamless end-user experiences for onboarding, secure access to critical services, self-service and custom business application scenarios. If you're a Services or solution Partner and would like to be considered into Entra Verified ID partner documentation, submit your application [request](https://forms.microsoft.com/r/AGVsXmf4EZ) | Services and solution partner | Website | |
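Review bot: "would like to be considered into Entra Verified ID partner documentation" is ungrammatical; use "considered for inclusion in the Entra Verified ID partner documentation". The appended sentence also lacks a terminating period, and "Services and solutions partner network" versus "Services or solution Partner" capitalize and pluralize inconsistently within the same hunk; pick "services and solutions partner" throughout. The new `forms.microsoft.com` link replaces the `aka.ms/isvconnectvc` short link removed from partner-gallery.md; if that short link is still published anywhere, redirect it to the new form rather than letting it dangle.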
ai-services | App Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/app-architecture.md | + + Title: When to choose conversational language understanding or orchestration workflow ++description: Learn when to choose conversational language understanding or orchestration workflow ++++++ Last updated : 08/15/2023+++++# When to use conversational language understanding or orchestration workflow apps ++When you create large applications, you should consider whether your use-case would be best served by a single conversational app (flat architecture), or multiple apps that are orchestrated. +++## Orchestration overview ++Orchestration workflow is a feature that allows you to connect different projects from [LUIS](../../../LUIS/what-is-luis.md) [conversational language understanding](../overview.md), and [custom question answering](../../question-answering/overview.md) in one project. You can then use this project for predictions using one endpoint. The orchestration project makes a prediction on which child project should be called, automatically routes the request, and returns with its response. ++The key point is that orchestration involves two steps: ++1. Predicting which child project to call. <!--The model that performs this classification can be trained either with a standard or an advanced recipe. (Please see footnotes on instructions for training with advanced recipe).--> +2. Routing the utterance to the destination child app, and returning the child app's response. ++### Advantages ++* Clear decomposition and faster development: + * If your overall schema has a substantial number of domains, the orchestration approach can help decompose your application into several child apps (each serving a specific domain). For example, an automotive conversational app might have a *navigation domain*, a *media domain*, and so on. 
+ * Developing each domain app in parallel is easier. People and teams with specific domain expertise can work on individual apps collaboratively and in parallel. + * Since each domain app is smaller, the development cycle becomes faster. Smaller sized domain apps take much less time to train than a single large app. +* More flexible [confidence score thresholds](/legal/cognitive-services/clu/clu-characteristics-and-limitations?context=/azure/ai-services/language-service/context/context#understand-confidence-scores): + * Since there are separate child apps serving each domain, it's easy to set separate thresholds for different child apps. +* AI quality improvements where appropriate: + * Some applications require that certain entities are domain restricted. Orchestration makes this easy to achieve. Once the orchestration project has predicted which child app should be called, the other child apps won't be called. ++ For example, if your app contains a `Person.Name` prebuilt entity, consider the utterance *"How do I use a jack?"*, in the context of a vehicle question. In this context, *jack* is an automotive tool, and shouldnΓÇÖt be recognized as a person's name. Using orchestration, this utterance can be redirected to a child app created to answer such questions, which doesnΓÇÖt have a `Person.Name` entity. ++### Disadvantages ++* Redundant entities in child apps: + * If you need a particular prebuilt entity being returned in all utterances irrespective of the domain, for example `Quantity.Number` or `Geography.Location`, there is no way of adding an entity to the Orchestration app (it is an intent-only model). You would need to add it to all individual child apps. +* Efficiency: + * Orchestration apps take two model inferences. One for predicting which child app to call, another for the prediction in the child app. Inference times will typically be slower than single apps with a flat architecture. 
+* Train/test split for orchestrator: + * Training an orchestration app does not allow you to granularly split data between the testing and training sets. For example, you cannot train a 90-10 split for child app A, and then an 80-20 split for child app B. This may be a minor point, but worth keeping in mind. ++## Flat architecture overview ++Flat architecture is the other method of developing conversational apps. Instead of using an orchestration app to send utterances to one of multiple child apps, you develop a singular (or flat) app to handle utterances. ++### Advantages ++* Simplicity: + * For small sized apps or domains, the orchestrator approach can be overly complex. + * Since all intents and entities are at the same app level, it might be easier to make changes to all of them together. +* It's easier to add entities that should always be returned: + * If you want certain prebuilt or list entities to be returned for all utterances, you only need to add it alongside other entities in a single app. If you use orchestration, as mentioned above, you would need to add it to every child app. ++### Disadvantages ++* Unwieldy for large apps: + * For large apps (say > 50 intents or entities) it can become difficult to keep track of evolving schemas and datasets. This is particularly evident in cases where the app has to serve several domains. For example an automotive conversational app might have a *navigation domain*, a *media domain*, and so on. +* Limited control over entity matches: + * In a flat architecture, there is no way to restrict entities to be returned only in certain cases. You can accomplish this using orchestration by assigning those specific entities to particular child apps. ++## Next steps +* [Orchestration workflow overview](../../orchestration-workflow/overview.md) +* [Conversational language understanding overview](../overview.md) |
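Review bot: in the Orchestration overview, `connect different projects from [LUIS](...) [conversational language understanding](...), and [custom question answering](...)` is missing the comma after the LUIS link, so the three project types read as two. The HTML comment `<!--The model that performs this classification can be trained either with a standard or an advanced recipe...-->` ships in the new file and promises footnotes that do not exist; publish them or delete the comment. The new text also uses curly apostrophes (`shouldnΓÇÖt`, `doesnΓÇÖt` in this view), which other commits in this batch are replacing with ASCII `'`; use ASCII here as well. Minor: "say > 50 intents or entities" names two different counts; state which one the threshold applies to.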
ai-services | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md | Schema is the definition of your intents and entities. There are different appro You can typically think of actions and queries as _intents_, while the information required to fulfill those queries as _entities_. -For example, assume you want your customers to cancel subscriptions for various products that you offer through your chatbot. You can create a _Cancel_ intent with various examples like _"Cancel the Contoso service"_, or _"stop charging me for the Fabrikam subscription"_. The user's intent here is to _cancel_, the _Contoso service_ or _Fabrikam subscription_ are the subscriptions they would like to cancel. Therefore, you can create an entity for _subscriptions_. You can then model your entire project to capture actions as intents and use entities to fill in those actions. This allows you to cancel anything you define as an entity, such as other products. You can then have intents for signing up, renewing, upgrading, etc. that all make use of the _subscriptions_ and other entities. +For example, assume you want your customers to cancel subscriptions for various products that you offer through your chatbot. You can create a _Cancel_ intent with various examples like _"Cancel the Contoso service,"_ or _"stop charging me for the Fabrikam subscription."_ The user's intent here is to _cancel,_ the _Contoso service_ or _Fabrikam subscription_ are the subscriptions they would like to cancel. Therefore, you can create an entity for _subscriptions_. You can then model your entire project to capture actions as intents and use entities to fill in those actions. This allows you to cancel anything you define as an entity, such as other products. You can then have intents for signing up, renewing, upgrading, etc. that all make use of the _subscriptions_ and other entities. 
The above schema design makes it easy for you to extend existing capabilities (canceling, upgrading, signing up) to new targets by creating a new entity. -Another approach is to model the _information_ as intents and _actions_ as entities. Let's take the same example, allowing your customers to cancel subscriptions through your chatbot. You can create an intent for each subscription available, such as _Contoso_ with utterances like _"cancel Contoso"_, _"stop charging me for contoso services"_, _"Cancel the Contoso subscription"_. You would then create an entity to capture the action, _cancel_. You can define different entities for each action or consolidate actions as one entity with a list component to differentiate between actions with different keys. +Another approach is to model the _information_ as intents and _actions_ as entities. Let's take the same example, allowing your customers to cancel subscriptions through your chatbot. You can create an intent for each subscription available, such as _Contoso_ with utterances like _"cancel Contoso,"_ _"stop charging me for contoso services,"_ _"Cancel the Contoso subscription."_ You would then create an entity to capture the action, _cancel._ You can define different entities for each action or consolidate actions as one entity with a list component to differentiate between actions with different keys. This schema design makes it easy for you to extend new actions to existing targets by adding new action entities or entity components. Make sure to avoid trying to funnel all the concepts into just intents, for exam You also want to avoid mixing different schema designs. Do not build half of your application with actions as intents and the other half with information as intents. Ensure it is consistent to get the possible results. 
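Review bot: moving punctuation inside the emphasis markers (`_cancel,_`, `_"Cancel the Contoso service,"_`) italicizes the comma and the closing quote; keep commas outside both the quotes and the underscores so the rendered sentence reads normally. The unchanged context line `Ensure it is consistent to get the possible results` is missing a word (presumably "best") and is worth fixing in the same pass.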
+## Use standard training before advanced training +[Standard training](../how-to/train-model.md#training-modes) is free and faster than Advanced training, making it useful to quickly understand the effect of changing your training set or schema while building the model. Once you are satisfied with the schema, consider using advanced training to get the best AIQ out of your model. +## Use the evaluation feature + +When you build an app, it's often helpful to catch errors early. ItΓÇÖs usually a good practice to add a test set when building the app, as training and evaluation results are very useful in identifying errors or issues in your schema. +## Machine-learning components and composition +See [Component types](./entity-components.md#component-types). +## Using the "none" score Threshold ++If you see too many false positives, such as out-of-context utterances being marked as valid intents, See [confidence threshold](./none-intent.md) for information on how it affects inference. ++* Non machine-learned entity components like lists and regex are by definition not contextual. If you see list or regex entities in unintended places, try labeling the list synonyms as the machine-learned component. ++* For entities, you can use learned component as the ΓÇÿRequiredΓÇÖ component, to restrict when a composed entity should fire. ++For example, suppose you have an entity called "*ticket quantity*" that attempts to extract the number of tickets you want to reserve for booking flights, for utterances such as "*Book two tickets tomorrow to Cairo.*" +++Typically, you would add a prebuilt component for `Quantity.Number` that already extracts all numbers in utterances. 
However if your entity was only defined with the prebuilt component, it would also extract other numbers as part of the *ticket quantity* entity, such as "*Book two tickets tomorrow to Cairo at 3 PM.*" ++To resolve this, you would label a learned component in your training data for all the numbers that are meant to be a *ticket quantity*. The entity now has two components: +* The prebuilt component that can interpret all numbers, and +* The learned component that predicts where the *ticket quantity* is in a sentence. ++If you require the learned component, make sure that *ticket quantity* is only returned when the learned component predicts it in the right context. If you also require the prebuilt component, you can then guarantee that the returned *ticket quantity* entity is both a number and in the correct position. +++## Addressing casing inconsistencies ++If you have poor AI quality and determine the casing used in your training data is dissimilar to the testing data, you can use the `normalizeCasing` project setting. This normalizes the casing of utterances when training and testing the model. If you've migrated from LUIS, you might recognize that LUIS did this by default. ++```json +{ + "projectFileVersion": "2022-10-01-preview", + ... + "settings": { + "confidenceThreshold": 0.5, + "normalizeCasing": true + } +... +``` ++## Addressing model overconfidence ++Customers can use the LoraNorm recipe version in case the model is being incorrectly overconfident. An example of this can be like the below (note that the model predicts the incorrect intent with 100% confidence). This makes the confidence threshold project setting unusable. ++| Text | Predicted intent | Confidence score | +|-|-|-| +| "*Who built the Eiffel Tower?*" | `Sports` | 1.00 | +| "*Do I look good to you today?*" | `QueryWeather` | 1.00 | +| "*I hope you have a good evening.*" | `Alarm` | 1.00 | ++To address this, use the `2023-04-15` configuration version that normalizes confidence scores. 
The confidence threshold project setting can then be adjusted to achieve the desired result. ++```console +curl --location 'https://<your-resource>.cognitiveservices.azure.com/language/authoring/analyze-conversations/projects/<your-project>/:train?api-version=2022-10-01-preview' \ +--header 'Ocp-Apim-Subscription-Key: <your subscription key>' \ +--header 'Content-Type: application/json' \ +--data '{ +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"modelLabel": "<modelLabel>", +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"trainingMode": "advanced", +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"trainingConfigVersion": "2023-04-15", +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"evaluationOptions": { +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"kind": "percentage", +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"testingSplitPercentage": 0, +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé"trainingSplitPercentage": 100 +ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé} +} +``` ++Once the request is sent, you can track the progress of the training job in Language Studio as usual. ++> [!NOTE] +> You have to retrain your model after updating the `confidenceThreshold` project setting. Afterwards, you'll need to republish the app for the new threshold to take effect. ++## Debugging composed entities ++Entities are functions that emit spans in your input with an associated type. The function is defined by one or more components. You can mark components as needed, and you can decide whether to enable the *combine components* setting. When you combine components, all spans that overlap will be merged into a single span. If the setting isn't used, each individual component span will be emitted. + +To better understand how individual components are performing, you can disable the setting and set each component to "not required". This lets you inspect the individual spans that are emitted, and experiment with removing components so that only problematic components are generated. ++## Evaluate a model using multiple test sets ++Data in a conversational language understanding project can have two data sets. A "testing" set, and a "training" set. 
If you want to use multiple test sets to evaluate your model, you can: ++* Give your test sets different names (for example, "test1" and "test2"). +* Export your project to get a JSON file with its parameters and configuration. +* Use the JSON to import a new project, and rename your second desired test set to "test". +* Train the model to run the evaluation using your second test set. ++## Custom parameters for target apps and child apps ++If you are using [orchestrated apps](./app-architecture.md), you may want to send custom parameter overrides for various child apps. The `targetProjectParameters` field allows users to send a dictionary representing the parameters for each target project. For example, consider an orchestrator app named `Orchestrator` orchestrating between a conversational language understanding app named `CLU1` and a custom question answering app named `CQA1`. If you want to send a parameter named "top" to the question answering app, you can use the above parameter. ++```console +curl --request POST \ + --url 'https://<your-language-resource>.cognitiveservices.azure.com/language/:analyze-conversations?api-version=2022-10-01-preview' \ + --header 'ocp-apim-subscription-key: <your subscription key>' \ + --data '{ + "kind": "Conversation", + "analysisInput": { + "conversationItem": { + "id": "1", + "text": "Turn down the volume", + "modality": "text", + "language": "en-us", + "participantId": "1" + } + }, + "parameters": { + "projectName": "Orchestrator", + "verbose": true, + "deploymentName": "std", + "stringIndexType": "TextElement_V8", +"targetProjectParameters": { + "CQA1": { + "targetProjectKind": "QuestionAnswering", + "callingOptions": { + "top": 1 + } + } + } + } + }' +``` |
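Review bot: the `:train` request in "Addressing model overconfidence" is not valid shell or JSON as written: the `--data '{` string is never closed (the block ends with `}` and then the fence, no `'`), and the indentation consists of non-ASCII space characters (rendered as `ΓÇéΓÇé` here), which a strict JSON parser rejects as whitespace; replace them with ordinary spaces and end the body with `}'`. The same section first calls the fix "the LoraNorm recipe version" and then "the `2023-04-15` configuration version"; use one name, matching the `trainingConfigVersion` field in the request. In the `targetProjectParameters` request, `"targetProjectParameters": {` sits flush-left inside an indented object, and "you can use the above parameter" should name the field. "AIQ" is undefined jargon (spell out AI quality), the heading "Using the "none" score Threshold" has stray capitalization, and "Machine-learning components and composition" is a heading with only a link under it.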
ai-services | Tag Utterances | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/tag-utterances.md | As you add utterances and label them, keep in mind: * **Label consistently**: The same entity should have the same label across all the utterances. * **Label completely**: Provide varied utterances for every intent. Label all the instances of the entity in all your utterances. + * For [Multilingual projects](../language-support.md#multi-lingual-option), adding utterances in other languages increases the model's performance in these languages, but avoid duplicating your data across all the languages you would like to support. For example, to improve a calender bot's performance with users, a developer might add examples mostly in English, and a few in Spanish or French as well. They might add utterances such as: * "_Set a meeting with **Matt** and **Kevin** **tomorrow** at **12 PM**._" (English) |
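Review bot: the new bullet about multilingual projects is nested under **Label completely**, but it is about which languages to add utterances in, not about labeling every entity instance; promote it to a top-level bullet alongside the other two. In the neighbouring example, `calender bot's` should be `calendar bot's`.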
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/train-model.md | Model evaluation is triggered automatically after training is completed successf <!--See the [project development lifecycle](../overview.md#project-development-lifecycle) for more information.--> +++ ## Data splitting Before you start the training process, labeled utterances in your project are divided into a training set and a testing set. Each one of them serves a different function. |
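Review bot: this hunk only adds three blank lines between an HTML comment and `## Data splitting`; it changes nothing rendered and can be dropped to keep the history clean.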
ai-services | Understand Embeddings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/understand-embeddings.md | -An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating-point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar. +An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating-point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar. Embeddings power vector similarity search in Azure Databases such as [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md). ## Embedding models An alternative method of identifying similar documents is to count the number of ## Next steps -Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md). +* Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md). +* Store your embeddings and perform vector (similarity) search using [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md) or [Azure Cosmos DB for NoSQL](../../../cosmos-db/rag-data-openai.md) + |
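Review bot: appending "Embeddings power vector similarity search in Azure Databases such as [Azure Cosmos DB for MongoDB vCore](...)" to the definition paragraph puts a product pointer inside the concept explanation, and the same link is added again under Next steps; keep it in Next steps only. In the new Next steps bullet, the text "Azure Cosmos DB for NoSQL" links to `../../../cosmos-db/rag-data-openai.md`, whose name suggests a RAG walkthrough rather than a NoSQL vector search reference; confirm the target, and add the missing period at the end of the bullet.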
ai-services | Embeddings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/embeddings.md | keywords: # Learn how to generate embeddings with Azure OpenAI -An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar. +An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar. Embeddings power vector similarity search in Azure Databases such as [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md). + ## How to get embeddings Our embedding models may be unreliable or pose social risks in certain cases, an * Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md). * Learn more about the [underlying models that power Azure OpenAI](../concepts/models.md).+* Store your embeddings and perform vector (similarity) search using [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md) or [Azure Cosmos DB for NoSQL](../../../cosmos-db/rag-data-openai.md) + |
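Review bot: same two issues as the concepts article in this batch: the Cosmos DB sentence is inserted into the definition paragraph and repeated in Next steps, and the "Azure Cosmos DB for NoSQL" bullet links to `rag-data-openai.md` and has no terminating period. Keep the pointer in Next steps and verify the link target.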
ai-services | Embeddings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/tutorials/embeddings.md | len(decode) 1466 ``` -Now that we understand more about how tokenization works we can move on to embedding. It is important to note, that we haven't actually tokenized the documents yet. The `n_tokens` column is simply a way of making sure none of the data we pass to the model for tokenization and embedding exceeds the input token limit of 8,192. When we pass the documents to the embeddings model, it will break the documents into tokens similar (though not necessarily identical) to the examples above and then convert the tokens to a series of floating point numbers that will be accessible via vector search. These embeddings can be stored locally or in an Azure Database. As a result, each bill will have its own corresponding embedding vector in the new `ada_v2` column on the right side of the DataFrame. +Now that we understand more about how tokenization works we can move on to embedding. It is important to note, that we haven't actually tokenized the documents yet. The `n_tokens` column is simply a way of making sure none of the data we pass to the model for tokenization and embedding exceeds the input token limit of 8,192. When we pass the documents to the embeddings model, it will break the documents into tokens similar (though not necessarily identical) to the examples above and then convert the tokens to a series of floating point numbers that will be accessible via vector search. These embeddings can be stored locally or in an [Azure Database to support Vector Search](../../../cosmos-db/mongodb/vcore/vector-search.md). As a result, each bill will have its own corresponding embedding vector in the new `ada_v2` column on the right side of the DataFrame. 
```python df_bills['ada_v2'] = df_bills["text"].apply(lambda x : get_embedding(x, engine = 'text-embedding-ada-002')) # engine should be set to the deployment name you chose when you deployed the text-embedding-ada-002 (Version 2) model If you created an OpenAI resource solely for completing this tutorial and want t Learn more about Azure OpenAI's models: > [!div class="nextstepaction"] > [Azure OpenAI Service models](../concepts/models.md)+* Store your embeddings and perform vector (similarity) search using [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md) or [Azure Cosmos DB for NoSQL](../../../cosmos-db/rag-data-openai.md) |
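Review bot: "stored locally or in an [Azure Database to support Vector Search](...)" uses a description as link text and a capitalized singular "Azure Database"; write "stored locally or in an Azure database that supports vector search, such as [Azure Cosmos DB for MongoDB vCore](...)". The new Next steps bullet is appended directly after the `> [!div class="nextstepaction"]` button line with no blank line, so a bullet list follows a call-to-action button; add a blank line and keep one style for that section.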
ai-services | Releasenotes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/releasenotes.md | Azure AI Speech is updated on an ongoing basis. To stay up-to-date with recent d ## Recent highlights -* Speech SDK 1.31.0 was released in August 2023. - * Real-time diarization is in public preview. +* Speech SDK 1.32.1 was released in September 2023. * Speech to text and text to speech container versions were updated in March 2023. * Some Speech Studio [scenarios](speech-studio-overview.md#speech-studio-scenarios) are available to try without an Azure subscription. * Custom Speech to text container disconnected mode was released in January 2023. |
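Review bot: replacing the 1.31.0 line drops its sub-bullet "Real-time diarization is in public preview" along with the version bump; the new 1.32.1 line has no sub-bullet, so that highlight disappears from the page. If diarization is still in preview, keep the sub-bullet under the new version; if it went GA, say so instead.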
ai-services | Speech Container Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-overview.md | The following table lists the Speech containers available in the Microsoft Conta |--|--|--| | [Speech to text](speech-container-stt.md) | Transcribes continuous real-time speech or batch audio recordings with intermediate results. | Latest: 4.1.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/speech-to-text/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/speech-to-text/tags/list).| | [Custom speech to text](speech-container-cstt.md) | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | Latest: 4.1.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/custom-speech-to-text/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/speech-to-text/tags/list). |-| [Speech language identification](speech-container-lid.md)<sup>1, 2</sup> | Detects the language spoken in audio files. | Latest: 1.11.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/language-detection/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/language-detection/tags/list). | +| [Speech language identification](speech-container-lid.md)<sup>1, 2</sup> | Detects the language spoken in audio files. 
| Latest: 1.12.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/language-detection/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/language-detection/tags/list). | | [Neural text to speech](speech-container-ntts.md) | Converts text to natural-sounding speech by using deep neural network technology, which allows for more natural synthesized speech. | Latest: 2.15.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/neural-text-to-speech/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/neural-text-to-speech/tags/list). | <sup>1</sup> The container is available in public preview. Containers in preview are still under development and don't meet Microsoft's stability and support requirements. |
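Review bot: the bump to 1.12.0 is fine, but in the unchanged "Custom speech to text" row the JSON tags link points at `.../speechservices/speech-to-text/tags/list` while its MCR link points at `custom-speech-to-text`; the tags link should be `.../speechservices/custom-speech-to-text/tags/list`, otherwise readers see the wrong image's tag list.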
aks | Azure Files Csi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-files-csi.md | Title: Use Container Storage Interface (CSI) driver for Azure Files on Azure Kub description: Learn how to use the Container Storage Interface (CSI) driver for Azure Files in an Azure Kubernetes Service (AKS) cluster. Previously updated : 04/19/2023 Last updated : 09/12/2023 # Use Azure Files Container Storage Interface (CSI) driver in Azure Kubernetes Service (AKS) This option is optimized for random access workloads with in-place data updates > [!NOTE] > You can use a private endpoint instead of allowing access to the selected VNet. +### Optimizing read and write size options ++This section provides information about how to approach performance tuning NFS with the Azure Files CSI driver with the *rsize* and *wsize* options. The rsize and wsize options set the maximum transfer size of an NFS operation. If rsize or wsize are not specified on mount, the client and server negotiate the largest size supported by the two. Currently, both Azure NetApp Files and modern Linux distributions support read and write sizes as large as 1,048,576 Bytes (1 MiB). ++Optimal performance is based on efficient client-server communication. Increasing or decreasing the **mount** read and write option size values can improve NFS performance. The default size of the read/write packets transferred between client and server are 8 KB for NFS version 2, and 32 KB for NFS version 3 and 4. These defaults may be too large or too small. Reducing the rsize and wsize might improve NFS performance in a congested network by sending smaller packets for each NFS-read reply and write request. However, this can increase the number of packets needed to send data across the network, increasing total network traffic and CPU utilization on the client and server. 
++It's important that you perform testing to find an rsize and wsize that sustains efficent packet transfer, where it doesn't decrease throughput and increase latency. ++For more information on optimizing rsize and wsize, see [Linux NFS mount options best practices for Azure NetApp Files][azure-netapp-files-mount-options-best-practices]. ++For example, to configure a maximum *rsize* and *wsize* of 256-KiB, configure the `mountOptions` in the storage class as follows: ++```yml +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: azurefile-csi-nfs +provisioner: file.csi.azure.com +allowVolumeExpansion: true +parameters: + protocol: nfs +mountOptions: + - nconnect=4 + - rsize=262144 + - wsize=262144 +``` + ### Create NFS file share storage class Create a file named `nfs-sc.yaml` and copy the manifest below. The output of the commands resembles the following example: [tag-resources]: ../azure-resource-manager/management/tag-resources.md [statically-provision-a-volume]: azure-csi-files-storage-provision.md#statically-provision-a-volume [azure-private-endpoint-dns]: ../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration+[azure-netapp-files-mount-options-best-practices]: ../azure-netapp-files/performance-linux-mount-options.md#rsize-and-wsize |
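Review bot: the new "Optimizing read and write size options" section contradicts itself and reads as if it was lifted from the Azure NetApp Files article rather than written for the Azure Files NFS share this article covers. The first paragraph says that when rsize/wsize are omitted "the client and server negotiate the largest size supported by the two" (up to 1 MiB); the second says the defaults are 8 KB for NFS v2 and 32 KB for v3 and v4 and "may be too large or too small". Only one of these can describe an unmodified mount, and NFS v2/v3 are not relevant here. The sentence "both Azure NetApp Files and modern Linux distributions support read and write sizes as large as 1,048,576 Bytes" should name Azure Files or be dropped. Smaller points: "efficent" should be "efficient", "256-KiB" should be "256 KiB", and the example StorageClass adds `- nconnect=4`, which the section never mentions; either explain nconnect next to rsize/wsize or leave it out so the example shows only what the text discusses.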
aks | Csi Secrets Store Identity Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md | Before you begin, you must have the following prerequisites: metadata: annotations: azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}- labels: - azure.workload.identity/use: "true" name: ${SERVICE_ACCOUNT_NAME} namespace: ${SERVICE_ACCOUNT_NAMESPACE} EOF Before you begin, you must have the following prerequisites: apiVersion: v1 metadata: name: busybox-secrets-store-inline-wi+ labels: + azure.workload.identity/use: "true" spec: serviceAccountName: "workload-identity-sa" containers: |
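Review bot: the hunk moves `azure.workload.identity/use: "true"` from the ServiceAccount `labels` to the Pod `labels` but adds no text explaining the change, so readers who built manifests from the earlier version of the article are left with the label on an object where it presumably no longer has any effect and with no error pointing at the cause. Suggest one sentence after the pod manifest stating that the label must be set on every pod (or pod template) that reads from the secrets store, and that the service account only carries the `azure.workload.identity/client-id` annotation.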
aks | Intro Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md | To secure your AKS clusters, see [Integrate Azure AD with AKS][aks-aad]. Container Insights has native integration with AKS, like collecting critical metrics and logs, alerting on identified issues, and providing visualization with workbooks or integration with Grafana. It can also collect Prometheus metrics and send them to [Azure Monitor managed service for Prometheus][azure-monitor-managed-prometheus], and all together deliver end-to-end observability. -Logs from the AKS control plane components are collected separately in Azure as resource logs and sent to different locations, such as [Azure Monitor Logs][azure-monitor-logs]. For more information, see [Collect control plane logs][monitor-aks.md#collect-control-plane-logs]. +Logs from the AKS control plane components are collected separately in Azure as resource logs and sent to different locations, such as [Azure Monitor Logs][azure-monitor-logs]. For more information, see [Resource logs](monitor-aks-reference.md#resource-logs). ## Clusters and nodes |
app-service | Deploy Staging Slots | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-staging-slots.md | When you swap two slots (usually from a staging slot into the production slot), Any of these cases trigger all instances in the source slot to restart. During [swap with preview](#Multi-Phase), this marks the end of the first phase. The swap operation is paused, and you can validate that the source slot works correctly with the target slot's settings. -1. Wait for every instance in the source slot to complete its restart. If any instance fails to restart, the swap operation reverts all changes to the source slot and stops the operation. +1. Wait for every instance in the target slot to complete its restart. If any instance fails to restart, the swap operation reverts all changes to the source slot and stops the operation. 1. If [local cache](overview-local-cache.md) is enabled, trigger local cache initialization by making an HTTP request to the application root ("/") on each instance of the source slot. Wait until each instance returns any HTTP response. Local cache initialization causes another restart on each instance. |
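Review bot: changing "source slot" to "target slot" in "Wait for every instance in the ... slot to complete its restart" leaves the step inconsistent with its neighbours. The sentence just before it says the settings change "trigger[s] all instances in the source slot to restart", and the same step's failure clause still says the swap "reverts all changes to the source slot". If the restart being awaited is the one just described, the line should stay "source slot"; if target-slot instances also restart at this point, the earlier sentence needs to say so, otherwise the reader cannot tell which slot is actually unavailable during this phase.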
app-service | Monitor App Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/monitor-app-service.md | See [Create diagnostic setting to collect platform logs and metrics in Azure](.. The metrics and logs you can collect are discussed in the following sections. ++ ## Analyzing metrics You can analyze metrics for *App Service* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool. |
app-service | Tutorial Java Spring Cosmosdb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-spring-cosmosdb.md | Username: xxxxxxxxx [INFO] ``` -The output contains the URL to your deployed application (in this example, `https://spring-todo-app.azurewebsites.net` ). You can copy this URL into your web browser or run the following command in your Terminal window to load your app. +The output contains the URL to your deployed application (in this example, `https://spring-todo-app.azurewebsites.net`). You can copy this URL into your web browser or run the following command in your Terminal window to load your app. ```bash explorer https://spring-todo-app.azurewebsites.net |
automation | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/whats-new.md | Users can now restore an Automation account deleted within 30 days. Read [here]( **Type:** New feature -New scripts are added to the Azure Automation [GitHub repository](https://github.com/azureautomation) to address one of Azure Automation's key scenarios of VM management based on Azure Monitor alert. For more information, see [Trigger runbook from Azure alert](./automation-create-alert-triggered-runbook.md#common-azure-vm-management-operations). +New scripts are added to the Azure Automation [GitHub organisation](https://github.com/azureautomation) to address one of Azure Automation's key scenarios of VM management based on Azure Monitor alert. For more information, see [Trigger runbook from Azure alert](./automation-create-alert-triggered-runbook.md#common-azure-vm-management-operations). -- Stop-Azure-VM-On-Alert-- Restart-Azure-VM-On-Alert-- Delete-Azure-VM-On-Alert-- ScaleDown-Azure-VM-On-Alert-- ScaleUp-Azure-VM-On-Alert+- [Stop-Azure-VM-On-Alert](https://github.com/azureautomation/Stop-Azure-VM-On-Alert) +- [Restart-Azure-VM-On-Alert](https://github.com/azureautomation/Restart-Azure-VM-On-Alert) +- [Delete-Azure-VM-On-Alert](https://github.com/azureautomation/Delete-Azure-VM-On-Alert) +- [ScaleDown-Azure-VM-On-Alert](https://github.com/azureautomation/ScaleDown-Azure-VM-On-Alert) +- [ScaleUp-Azure-VM-On-Alert](https://github.com/azureautomation/ScaleUp-Azure-VM-On-Alert) ## November 2021 Azure Automation now supports [system-assigned managed identities](./automation- ## Next steps -If you'd like to contribute to Azure Automation documentation, see our [contributor guide](/contribute/). +If you'd like to contribute to Azure Automation documentation, see our [contributor guide](/contribute/). |
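Review bot: "GitHub organisation" uses British spelling; Azure docs use American spelling, so this should be "organization". Otherwise linking each runbook name to its own repository is an improvement, since readers can inspect the exact script they are about to import into an Automation account instead of searching the org for it.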
azure-app-configuration | Howto Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-best-practices.md | Title: Azure App Configuration best practices | Microsoft Docs description: Learn best practices while using Azure App Configuration. Topics covered include key groupings, key-value compositions, App Configuration bootstrap, and more. documentationcenter: ''-+ editor: '' ms.assetid: Previously updated : 09/21/2022- Last updated : 09/08/2023+ Excessive requests to App Configuration can result in throttling or overage char * Use Azure Event Grid to receive notifications when configuration changes, rather than constantly polling for any changes. For more information, see [Use Event Grid for App Configuration data change notifications](./howto-app-configuration-event.md). -* Spread your requests across multiple App Configuration stores. For example, use a different store from each geographic region for a globally deployed application. Each App Configuration store has its own request quota. This setup gives you a model for scalability and avoids the single point of failure. +* [Enable geo-replication](./howto-geo-replication.md) of your App Configuration store and spread your requests across multiple replicas. For example, use a different replica from each geographic region for a globally deployed application. Each App Configuration replica has its separate request quota. This setup gives you a model for scalability and enhanced resiliency against transient and regional outages. ## Importing configuration data into App Configuration App Configuration offers the option to bulk [import](./howto-import-export-data. ## Multi-region deployment in App Configuration -App Configuration is regional service. For applications with different configurations per region, storing these configurations in one instance can create a single point of failure. 
Deploying one App Configuration instances per region across multiple regions may be a better option. It can help with regional disaster recovery, performance, and security siloing. Configuring by region also improves latency and uses separated throttling quotas, since throttling is per instance. To apply disaster recovery mitigation, you can use [multiple configuration stores](./concept-disaster-recovery.md). +If your application is deployed in multiple regions, we recommend that you [enable geo-replication](./howto-geo-replication.md) of your App Configuration store. You can let your application primarily connect to the replica matching the region where instances of your application are deployed and allow them to fail over to replicas in other regions. This setup minimizes the latency between your application and App Configuration, spreads the load as each replica has separate throttling quotas, and enhances your application's resiliency against transient and regional outages. See [Resiliency and Disaster Recovery](./concept-disaster-recovery.md) for more information. ## Client applications in App Configuration |
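Review bot: the replacement paragraph in "Multi-region deployment in App Configuration" drops a point the removed text made without addressing it. The old text gave "security siloing" as one reason to run a separate instance per region; the new text covers latency, per-replica throttling quotas and resiliency, but says nothing about isolation, so readers who kept separate stores so that one region's configuration (and its access) is not visible from another get no guidance on whether geo-replication satisfies that or whether separate stores are still the answer. Keep one sentence on when multiple stores, rather than replicas of one store, are still the right choice.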
azure-arc | Managed Instance Disaster Recovery Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/managed-instance-disaster-recovery-portal.md | To set the synchronization mode: 1. Under **Edit configuration**, select your desired mode, and select **Apply**. +## Monitor failover group status in the portal ++After you use the portal to change a failover group, the portal automatically reports the status as the change is applied. Changes that the portal reports include: ++- Add failover group +- Edit failover group configuration +- Start failover +- Delete failover group ++After you initiate the change, the portal automatically refreshes the status every two minutes. The portal automatically refreshes for two minutes. + ## Delete failover group 1. From Failover Groups**, select **Delete Failover Group**. |
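Review bot: the closing paragraph of the new "Monitor failover group status in the portal" section is contradictory: "refreshes the status every two minutes" states an interval, "refreshes for two minutes" states a duration, and the second sentence otherwise repeats the first. State each value once (how often the status is polled, and how long auto-refresh continues before the user must refresh manually), and make sure the numbers agree with the release notes entry that links to this section.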
azure-arc | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/release-notes.md | +## September 12, 2023 ++### Image tag ++`v1.23.0_2023-09-12` ++For complete release version information, review [Version log](version-log.md#september-12-2023). ++### Release notes ++- Portal automatically refreshes status of failover group every 2 seconds. [Monitor failover group status in the portal](managed-instance-disaster-recovery-portal.md#monitor-failover-group-status-in-the-portal). + ## August 8, 2023 ### Image tag |
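Review bot: the September 12, 2023 release note says the portal "automatically refreshes status of failover group every 2 seconds", but the article it links to (managed-instance-disaster-recovery-portal.md, "Monitor failover group status in the portal") says "every two minutes". One of the two is wrong; fix whichever is incorrect and use the same wording in both places so the two pages do not drift.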
azure-arc | Version Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/version-log.md | +## September 12, 2023 ++|Component|Value| +|--|--| +|Container images tag |`v1.23.0_2023-09-12`| +|**CRD names and version:**| | +|`activedirectoryconnectors.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2| +|`datacontrollers.arcdata.microsoft.com`| v1beta1, v1 through v5| +|`exporttasks.tasks.arcdata.microsoft.com`| v1beta1, v1, v2| +|`failovergroups.sql.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2| +|`kafkas.arcdata.microsoft.com`| v1beta1 through v1beta4| +|`monitors.arcdata.microsoft.com`| v1beta1, v1, v3| +|`postgresqls.arcdata.microsoft.com`| v1beta1 through v1beta6| +|`postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com`| v1beta1| +|`sqlmanagedinstances.sql.arcdata.microsoft.com`| v1beta1, v1 through v13| +|`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`| v1beta1, v1beta2| +|`sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com`| v1beta1| +|`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`| v1beta1, v1| +|`telemetrycollectors.arcdata.microsoft.com`| v1beta1 through v1beta5| +|`telemetryrouters.arcdata.microsoft.com`| v1beta1 through v1beta5| +|Azure Resource Manager (ARM) API version|2023-01-15-preview| +|`arcdata` Azure CLI extension version|1.5.5 ([Download](https://aka.ms/az-cli-arcdata-ext))| +|Arc-enabled Kubernetes helm chart extension version|1.23.0| +|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.8.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.8.0 ([Download](https://aka.ms/ads-azcli-ext))| +|SQL Database version | 957 | + ## August 8, 2023 |Component|Value| |
azure-arc | Tutorial Gitops Ci Cd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-gitops-ci-cd.md | The CD pipeline uses the security token of the running build to authenticate to 1. For the `<Project Name> Build Service (<Organization Name>)`, allow `Contribute`, `Contribute to pull requests`, and `Create branch`. For more information, see:-- [Grant VC Permissions to the Build Service](/azure/devops/pipelines/scripts/git-commands?preserve-view=true&tabs=yaml&view=azure-devops#version-control )+- [Grant VC Permissions to the Build Service](/azure/devops/pipelines/scripts/git-commands?preserve-view=true&tabs=yaml&view=azure-devops#version-control) - [Manage Build Service Account Permissions](/azure/devops/pipelines/process/access-tokens?preserve-view=true&tabs=yaml&view=azure-devops#manage-build-service-account-permissions) |
azure-arc | Tutorial Gitops Flux2 Ci Cd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-gitops-flux2-ci-cd.md | The CD pipeline uses the security token of the running build to authenticate to For more information, see: -* [Grant VC Permissions to the Build Service](/azure/devops/pipelines/scripts/git-commands?preserve-view=true&tabs=yaml&view=azure-devops#version-control ) +* [Grant VC Permissions to the Build Service](/azure/devops/pipelines/scripts/git-commands?preserve-view=true&tabs=yaml&view=azure-devops#version-control) * [Manage Build Service Account Permissions](/azure/devops/pipelines/process/access-tokens?preserve-view=true&tabs=yaml&view=azure-devops#manage-build-service-account-permissions) ### Deploy the dev environment for the first time |
azure-arc | Tutorial Use Gitops Flux2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-use-gitops-flux2.md | To deploy applications using GitOps with Flux v2, you need: > [!IMPORTANT] > Ensure that the AKS cluster is created with MSI (not SPN), because the `microsoft.flux` extension won't work with SPN-based AKS clusters.- > For new AKS clusters created with `az aks create`, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI, run `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity`ΓÇ¥`. For more information, see [Use a managed identity in AKS](../../aks/use-managed-identity.md). + > For new AKS clusters created with `az aks create`, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI, run `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity`. For more information, see [Use a managed identity in AKS](../../aks/use-managed-identity.md). * Read and write permissions on the `Microsoft.ContainerService/managedClusters` resource type. If using [AKS hybrid clusters provisioned from Azure (preview)](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview), read and write permissions on the `Microsoft.ContainerService/provisionedClusters` resource type). False whl k8s-extension C:\Users\somename\.azure\c > [!IMPORTANT] > Ensure that the AKS cluster is created with MSI (not SPN), because the `microsoft.flux` extension won't work with SPN-based AKS clusters.- > For new AKS clusters created with `az aks create`, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI, run `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity`ΓÇ¥`. For more information, see [Use a managed identity in AKS](../../aks/use-managed-identity.md). 
+ > For new AKS clusters created with `az aks create`, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI, run `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity`. For more information, see [Use a managed identity in AKS](../../aks/use-managed-identity.md). * Read and write permissions on the `Microsoft.ContainerService/managedClusters` resource type. If using [AKS hybrid clusters provisioned from Azure (preview)](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview), read and write permissions on the `Microsoft.ContainerService/provisionedClusters` resource type). When you use this annotation, the deployed HelmRelease is patched with the refer ### Helm drift detection -[Drift detection for Helm releases](https://fluxcd.io/flux/components/helm/helmreleases/#drift-detection ) isn't enabled by default. Starting with [`microsoft.flux` v1.7.5](extensions-release.md#flux-gitops), you can enable Helm drift detection by running the following command: +[Drift detection for Helm releases](https://fluxcd.io/flux/components/helm/helmreleases/#drift-detection) isn't enabled by default. Starting with [`microsoft.flux` v1.7.5](extensions-release.md#flux-gitops), you can enable Helm drift detection by running the following command: ```azurecli az k8s-extension update --resource-group <resource-group> --cluster-name <cluster-name> --name flux --cluster-type <cluster-type> --config helm-controller.detectDrift=true |
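Review bot: the same IMPORTANT note (MSI-only clusters, with the `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity` command) is corrected in two identical hunks, which means the text exists twice in the article; the stray `ΓÇ¥` had to be removed twice because of it. Consider keeping one copy and referencing it from the other location (or using an include) so the next fix does not have to be applied in two places. The corrected command and the drift-detection link are fine.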
azure-edge-hardware-center | Azure Edge Hardware Center Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-edge-hardware-center/azure-edge-hardware-center-overview.md | Azure Edge Hardware Center is a new Azure service that lets you order a variety Edge Hardware Center offers the following benefits: - **Place bulk orders of hardware** - You can order multiple units of a particular type of device or hardware at once by putting a quantity while placing your order.-- **Ship multiple devices or hardware to different locations at the same time** - You can now ship hardware to multiple locations (within one country/region) through just one order. Add multiple addresses in the ΓÇ£Shipping + QuantityΓÇ¥ tab to achieve this.+- **Ship multiple devices or hardware to different locations at the same time** - You can now ship hardware to multiple locations (within one country/region) through just one order. Add multiple addresses in the "Shipping + Quantity" tab to achieve this. - **Save addresses for future orders** - You can save your frequently used addresses while placing an order. For subsequent orders, you can then select a shipping address from your address book. - **Stay updated with your order status** - You can view the order status updates for each of the order items. You can also choose to get notified through email when your order moves to next stage. You can add one or more people in the notification list. For more information, see [Create an Azure Stack Edge resource after you place t You can track the status of your order by going to the order item resource within Edge Hardware Center. For more information, see [Track the Edge Hardware Center order](azure-edge-hardware-center-manage-order.md#track-order). -You can also [Cancel the order](azure-edge-hardware-center-manage-order.md#cancel-order) or [Return hardware](azure-edge-hardware-center-manage-order.md#return-hardware ) once you are done. 
+You can also [Cancel the order](azure-edge-hardware-center-manage-order.md#cancel-order) or [Return hardware](azure-edge-hardware-center-manage-order.md#return-hardware) once you are done. You can also enable alerts to receive email notifications if the order status changes. The email notifications are enabled when the order is placed. |
azure-functions | Functions Bindings Storage Blob Trigger | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-storage-blob-trigger.md | Title: Azure Blob storage trigger for Azure Functions description: Learn how to run an Azure Function as Azure Blob storage data changes. Previously updated : 04/16/2023 Last updated : 09/08/2023 ms.devlang: csharp, java, javascript, powershell, python zone_pivot_groups: programming-languages-set-functions The attribute's constructor takes the following parameters: |**BlobPath** | The path to the blob.| |**Connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](#connections).| |**Access** | Indicates whether you will be reading or writing.|+|**Source** | Sets the source of the triggering event. Use `BlobTriggerSource.EventGrid` for an [Event Grid-based blob trigger](functions-event-grid-blob-trigger.md), which provides much lower latency. The default is `BlobTriggerSource.LogsAndContainerScan`, which uses the standard polling mechanism to detect changes in the container. | # [In-process](#tab/in-process) For Python v2 functions defined using decorators, the following properties on th |`arg_name` | Declares the parameter name in the function signature. When the function is triggered, this parameter's value has the contents of the queue message. | |`path` | The [container](../storage/blobs/storage-blobs-introduction.md#blob-storage-resources) to monitor. May be a [blob name pattern](#blob-name-patterns). | |`connection` | The storage account connection string. |+|`source` | Sets the source of the triggering event. Use `EventGrid` for an [Event Grid-based blob trigger](functions-event-grid-blob-trigger.md), which provides much lower latency. The default is `LogsAndContainerScan`, which uses the standard polling mechanism to detect changes in the container. 
| For Python functions defined by using *function.json*, see the [Configuration](#configuration) section. ::: zone-end ::: zone pivot="programming-language-java" ## Annotations -The `@BlobTrigger` attribute is used to give you access to the blob that triggered the function. Refer to the [trigger example](#example) for details. +The `@BlobTrigger` attribute is used to give you access to the blob that triggered the function. Refer to the [trigger example](#example) for details. Use the `source` property to set the source of the triggering event. Use `EventGrid` for an [Event Grid-based blob trigger](functions-event-grid-blob-trigger.md), which provides much lower latency. The default is `LogsAndContainerScan`, which uses the standard polling mechanism to detect changes in the container. | ::: zone-end ::: zone pivot="programming-language-javascript,programming-language-typescript,programming-language-powershell,programming-language-python" ## Configuration The following table explains the properties that you can set on the `options` ob ||-| |**path** | The [container](../storage/blobs/storage-blobs-introduction.md#blob-storage-resources) to monitor. May be a [blob name pattern](#blob-name-patterns). | |**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](#connections).|+|**source** | Sets the source of the triggering event. Use `EventGrid` for an [Event Grid-based blob trigger](functions-event-grid-blob-trigger.md), which provides much lower latency. The default is `LogsAndContainerScan`, which uses the standard polling mechanism to detect changes in the container. | # [Model v3](#tab/nodejs-v3) The following table explains the binding configuration properties that you set i |**name** | The name of the variable that represents the blob in function code. | |**path** | The [container](../storage/blobs/storage-blobs-introduction.md#blob-storage-resources) to monitor. 
May be a [blob name pattern](#blob-name-patterns). | |**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](#connections).|+|**source** | Sets the source of the triggering event. Use `EventGrid` for an [Event Grid-based blob trigger](functions-event-grid-blob-trigger.md), which provides much lower latency. The default is `LogsAndContainerScan`, which uses the standard polling mechanism to detect changes in the container. | The following table explains the binding configuration properties that you set i |**name** | The name of the variable that represents the blob in function code. | |**path** | The [container](../storage/blobs/storage-blobs-introduction.md#blob-storage-resources) to monitor. May be a [blob name pattern](#blob-name-patterns). | |**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](#connections).|+|**source** | Sets the source of the triggering event. Use `EventGrid` for an [Event Grid-based blob trigger](functions-event-grid-blob-trigger.md), which provides much lower latency. The default is `LogsAndContainerScan`, which uses the standard polling mechanism to detect changes in the container. | ::: zone-end |
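Review bot: the Java "Annotations" paragraph now ends with a stray ` |` ("...detect changes in the container. |"), left over from pasting the table-cell text into prose; remove it. The same description of `source` is added verbatim five times (attribute table, Python decorator table, Java paragraph, Node v4 options table, function.json table); a shared sentence or include would keep the default value and the Event Grid link in sync when either changes. While in this area, the Python v2 `arg_name` row visible in context says the value "has the contents of the queue message" in a blob-trigger article; that should say blob.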
azure-functions | Functions Deploy Container Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-deploy-container-apps.md | Title: Create your first containerized Azure Functions on Azure Container Apps description: Get started with Azure Functions on Azure Container Apps by deploying your first function app from a Linux image in a container registry. Previously updated : 05/25/2023 Last updated : 09/12/2023 zone_pivot_groups: programming-languages-set-functions az group delete --name AzureFunctionsContainers-rg ## Next steps > [!div class="nextstepaction"] -> [Azure Container Apps hosting of Azure Functions](./functions-container-apps-hosting.md) +> [Azure Container Apps hosting of Azure Functions](./functions-container-apps-hosting.md) > [!div class="nextstepaction"] > [Working with containers and Azure Functions](./functions-how-to-custom-container.md) +> [!div class="nextstepaction"] +> [Help make the experience better](https://microsoft.qualtrics.com/jfe/form/SV_byFGULLJlKPh9Xw) |
azure-functions | Functions Event Grid Blob Trigger | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-event-grid-blob-trigger.md | -zone_pivot_groups: programming-languages-set-functions-lang-workers +zone_pivot_groups: programming-languages-set-functions #Customer intent: As an Azure Functions developer, I want learn how to create an Event Grid-based trigger on a Blob Storage container so that I can get a more rapid response to changes in the container. This article shows how to create a function that runs based on events raised whe > * Debug locally using ngrok by uploading files. > * Deploy to Azure and create a filtered event subscription. + ## Prerequisites ::: zone pivot="programming-language-csharp" [!INCLUDE [functions-requirements-visual-studio-code-csharp](../../includes/functions-requirements-visual-studio-code-csharp.md)] ::: zone-end [!INCLUDE [functions-requirements-visual-studio-code-node](../../includes/functions-requirements-visual-studio-code-node.md)] ::: zone-end ::: zone pivot="programming-language-powershell" When you create a Blob Storage-triggered function using Visual Studio Code, you |**Select setting from "local.settings.json"**| Select `Create new local app setting`. | |**Select a storage account**| Select the storage account you created from the list. | |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |- |**Select how you would like to open your project**| Select `Add to workspace`. | + |**Select how you would like to open your project**| Select `Open in current window`. | ::: zone-end ::: zone pivot="programming-language-python" |Prompt|Action| When you create a Blob Storage-triggered function using Visual Studio Code, you |**Select setting from "local.settings.json"**| Select `Create new local app setting`. | |**Select a storage account**| Select the storage account you created from the list. 
| |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |- |**Select how you would like to open your project**| Select `Add to workspace`. | + |**Select how you would like to open your project**| Select `Open in current window`. | ::: zone-end ::: zone pivot="programming-language-java" |Prompt|Action| When you create a Blob Storage-triggered function using Visual Studio Code, you | **Provide a package name** | Select `com.function`. | | **Provide an app name** | Accept the generated name starting with `BlobTriggerEventGrid`. | | **Select the build tool for Java project** | Select `Maven`. |- |**Select how you would like to open your project**| Select `Add to workspace`. | + |**Select how you would like to open your project**| Select `Open in current window`. | + ::: zone-end + ::: zone pivot="programming-language-typescript" + |Prompt|Action| + |--|--| + |**Select a language for your function project**| Select `TypeScript`. | + |**Select a TypeScript programming model**| Select `Model V4`. | + |**Select a template for your project's first function**| Select `Azure Blob Storage trigger`. | + |**Provide a function name**| Enter `BlobTriggerEventGrid`. | + |**Select setting from "local.settings.json"**| Select `Create new local app setting`. | + |**Select a storage account**| Select the storage account you created. | + |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. | + |**Select how you would like to open your project**| Select `Open in current window`. | ::: zone-end ::: zone pivot="programming-language-javascript" |Prompt|Action| |--|--| |**Select a language for your function project**| Select `JavaScript`. |+ |**Select a JavaScript programming model**| Select `Model V4`. | |**Select a template for your project's first function**| Select `Azure Blob Storage trigger`. 
| |**Provide a function name**| Enter `BlobTriggerEventGrid`. | |**Select setting from "local.settings.json"**| Select `Create new local app setting`. | |**Select a storage account**| Select the storage account you created. | |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |- |**Select how you would like to open your project**| Select `Add to workspace`. | + |**Select how you would like to open your project**| Select `Open in current window`. | ::: zone-end ::: zone pivot="programming-language-powershell" |Prompt|Action| When you create a Blob Storage-triggered function using Visual Studio Code, you |**Select setting from "local.settings.json"**| Select `Create new local app setting`. | |**Select a storage account**| Select the storage account you created. | |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |- |**Select how you would like to open your project**| Select `Add to workspace`. | + |**Select how you would like to open your project**| Select `Open in current window`. | ::: zone-end 1. After the prompt appears, select **Select storage account** > **Add to workspace**. dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage --version 5.1.3 ::: zone-end 1. Open the host.json project file, and inspect the `extensionBundle` element. After you create the function, in the function.json configuration file, add `"so ``` 1. Remove the associated unit test file, which no longer applies to the new trigger type. 
::: zone-end++# [Model v4](#tab/nodejs-v4) ++After you create the function, add `source: "EventGrid"` to the `options` object in your TypeScript file, for example: +++# [Model v3](#tab/nodejs-v3) ++After you create the function, in the function.json configuration file, add `"source": "EventGrid"` to the `myBlob` binding, for example: ++```json +{ + "bindings": [ + { + "name": "myblob", + "type": "blobTrigger", + "direction": "in", + "path": "samples-workitems/{name}", + "source": "EventGrid", + "connection": "<NAMED_STORAGE_CONNECTION>" + } + ] +} +``` +++++# [Model v4](#tab/nodejs-v4) ++After you create the function, add `source: "EventGrid"` to the `options` object in your JavaScript file, for example: +++# [Model v3](#tab/nodejs-v3) ++After you create the function, in the function.json configuration file, add `"source": "EventGrid"` to the `myBlob` binding, for example: ++```json +{ + "bindings": [ + { + "name": "myblob", + "type": "blobTrigger", + "direction": "in", + "path": "samples-workitems/{name}", + "source": "EventGrid", + "connection": "<NAMED_STORAGE_CONNECTION>" + } + ] +} +``` +++ After you create the function, in the function.json configuration file, add `"source": "EventGrid"` to the `myBlob` binding, for example: ```json http://localhost:7071/runtime/webhooks/blobs?functionName=BlobTriggerEventGrid ::: zone-end ```http http://localhost:7071/runtime/webhooks/blobs?functionName=Host.Functions.BlobTriggerEventGrid ``` The following screenshot shows an example of how the final endpoint URL should l ::: zone-end ![Endpoint selection](./media/functions-event-grid-blob-trigger/functions-event-grid-local-dev-event-subscription-endpoint-selection-qualified.png) ::: zone-end With ngrok already running, start your local project as follows: mvn azure-functions:run ``` ::: zone-end - ::: zone pivot="programming-language-javascript,programming-language-powershell,programming-language-python,programming-language-csharp" + ::: zone 
pivot="programming-language-javascript,programming-language-typescript,programming-language-powershell,programming-language-python,programming-language-csharp" Press **F5** to start a debugging session. ::: zone-end https://<FUNCTION_APP_NAME>.azurewebsites.net/runtime/webhooks/blobs?functionNam ::: zone-end ```http https://<FUNCTION_APP_NAME>.azurewebsites.net/runtime/webhooks/blobs?functionName=Host.Functions.BlobTriggerEventGrid&code=<BLOB_EXTENSION_KEY> ``` |
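Review bot: in both new `# [Model v4](#tab/nodejs-v4)` tabs, the sentence "add `source: "EventGrid"` to the `options` object in your TypeScript file, for example:" (and its JavaScript twin) is followed only by blank added lines, so the v4 example never appears, while the Model v3 tabs do carry their function.json snippet; add the v4 snippet showing the `options` object with `source: "EventGrid"`. In the v3 tabs the prose refers to "the `myBlob` binding" but the JSON declares `"name": "myblob"`; align the casing so readers can match the two.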
azure-functions | Migrate Dotnet To Isolated Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-dotnet-to-isolated-model.md | Use one of the following procedures to update this XML file to run in the isolat [!INCLUDE [functions-dotnet-migrate-project-v4-isolated-net-framework](../../includes/functions-dotnet-migrate-project-v4-isolated-net-framework.md)] +# [.NET 8 (Preview)](#tab/net8) ++ ### Package and namespace changes When migrating to run in an isolated worker process, you must add the following :::code language="csharp" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/Program.cs" range="2-20"::: +# [.NET 8 (Preview)](#tab/net8) ++ ### local.settings.json file public IActionResult Run( :::code language="csharp" source="~/functions-quickstart-templates/Functions.Templates/Templates/HttpTrigger-CSharp-Isolated/HttpTriggerCSharp.cs"::: ++# [.NET 8 (Preview)](#tab/net8) +++You can also leverage [ASP.NET Core integration] to instead have the function look more like the following example: ++```csharp +[Function("HttpFunction")] +public IActionResult Run( + [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req) +{ + return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!"); +} +``` + ## Upgrade your function app in Azure |
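Review bot: the `# [.NET 8 (Preview)](#tab/net8)` tabs inserted before "Package and namespace changes" and before "local.settings.json file" have no body, only blank added lines, so they will render as empty tab panels; either add the .NET 8 content (or reuse the include the .NET 7 tab shows) or hold the tab until it has content. The added sentence uses the reference-style link `[ASP.NET Core integration]`, but no `[ASP.NET Core integration]: ...` definition appears in this hunk; confirm the article defines it, as the version 1.x and 3.x migration articles in this batch do. The tab label here is ".NET 8 (Preview)" while the sibling migration articles use ".NET 8 Preview (isolated)"; pick one.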
azure-functions | Migrate Version 1 Version 4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-version-1-version-4.md | Use one of the following procedures to update this XML file to run in Functions [!INCLUDE [functions-dotnet-migrate-project-v4-isolated-net-framework](../../includes/functions-dotnet-migrate-project-v4-isolated-net-framework.md)] +# [.NET 8 Preview (isolated)](#tab/net8) ++ ### Package and namespace changes Based on the model you are migrating to, you may need to upgrade or change the p [!INCLUDE [functions-dotnet-migrate-packages-v4-isolated](../../includes/functions-dotnet-migrate-packages-v4-isolated.md)] +# [.NET 8 Preview (isolated)](#tab/net8) ++ +The [Notification Hubs](./functions-bindings-notification-hubs.md) and [Mobile Apps](./functions-bindings-mobile-apps.md) bindings are supported only in version 1.x of the runtime. When upgrading to version 4.x of the runtime, you need to remove these bindings in favor of working with these services directly using their SDKs. + ### Program.cs file In most cases, migrating requires you to add the following program.cs file to your project: A program.cs file isn't required when running in-process. :::code language="csharp" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/Program.cs" range="2-20"::: +# [.NET 8 Preview (isolated)](#tab/net8) ++ ### host.json file To run on version 4.x, you must add `"version": "2.0"` to the host.json file. Yo :::code language="json" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/host.json"::: +# [.NET 8 Preview (isolated)](#tab/net8) ++ ### local.settings.json file When you upgrade to version 4.x, make sure that your local.settings.json file ha > [!NOTE] > When migrating from running in-process to running in an isolated worker process, you need to change the `FUNCTIONS_WORKER_RUNTIME` value to "dotnet-isolated". 
+# [.NET 8 Preview (isolated)](#tab/net8) +++> [!NOTE] +> When migrating from running in-process to running in an isolated worker process, you need to change the `FUNCTIONS_WORKER_RUNTIME` value to "dotnet-isolated". + ### Class name changes Some key classes changed names between version 1.x and version 4.x. These change | `HttpRequestMessage` | `HttpRequestData` | | `HttpResponseMessage` | `HttpResponseData` | +# [.NET 8 Preview (isolated)](#tab/net8) ++| Version 1.x | .NET 7 | +| | | +| `FunctionName` (attribute) | `Function` (attribute) | +| `TraceWriter` | `ILogger<T>`, `ILogger` | +| `HttpRequestMessage` | `HttpRequestData`, `HttpRequest` (using [ASP.NET Core integration])| +| `HttpResponseMessage` | `HttpResponseData`, `IActionResult` (using [ASP.NET Core integration])| + [ASP.NET Core integration]: ./dotnet-isolated-process-guide.md#aspnet-core-integration In version 4.x, the HTTP trigger template looks like the following example: :::code language="csharp" source="~/functions-quickstart-templates/Functions.Templates/Templates/HttpTrigger-CSharp-Isolated/HttpTriggerCSharp.cs"::: +# [.NET 8 Preview (isolated)](#tab/net8) ++ ::: zone-end |
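Review bot: the class-name table added under the `# [.NET 8 Preview (isolated)](#tab/net8)` tab is headed `| Version 1.x | .NET 7 |`, so the .NET 8 tab presents its right-hand column as .NET 7; label the column for the tab it sits in (or state that the .NET 7 and .NET 8 mappings are identical). The same tab is added with an empty body before "Package and namespace changes", "Program.cs file", "host.json file" and the closing HTTP trigger example, which will render as empty panels, and the local.settings.json `> [!NOTE]` block is duplicated verbatim rather than shared; fill the empty tabs or defer them, and consider one note outside the tab set.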
azure-functions | Migrate Version 3 Version 4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-version-3-version-4.md | Use one of the following procedures to update this XML file to run in Functions [!INCLUDE [functions-dotnet-migrate-project-v4-isolated-net-framework](../../includes/functions-dotnet-migrate-project-v4-isolated-net-framework.md)] +# [.NET 8 Preview (isolated)](#tab/net8) ++ ### Package and namespace changes Based on the model you are migrating to, you may need to upgrade or change the p [!INCLUDE [functions-dotnet-migrate-packages-v4-isolated](../../includes/functions-dotnet-migrate-packages-v4-isolated.md)] +# [.NET 8 Preview (isolated)](#tab/net8) ++ ### Program.cs file A program.cs file isn't required when running in-process. :::code language="csharp" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/Program.cs" range="2-20"::: +# [.NET 8 Preview (isolated)](#tab/net8) ++ ### local.settings.json file When you upgrade to version 4.x, make sure that your local.settings.json file ha > [!NOTE] > When migrating from running in-process to running in an isolated worker process, you need to change the `FUNCTIONS_WORKER_RUNTIME` value to "dotnet-isolated". +# [.NET 8 Preview (isolated)](#tab/net8) +++> [!NOTE] +> When migrating from running in-process to running in an isolated worker process, you need to change the `FUNCTIONS_WORKER_RUNTIME` value to "dotnet-isolated". + ### Class name changes Some key classes changed names between versions. 
These changes are a result eith | `IActionResult` | `HttpResponseData` | `HttpResponseData`| | `FunctionsStartup` (attribute) | Uses [`Program.cs`](#programcs-file) instead | Uses [`Program.cs`](#programcs-file) instead | +# [.NET 8 Preview (isolated)](#tab/net8) ++| .NET Core 3.1 | .NET 5 | .NET 7 | +| | | | +| `FunctionName` (attribute) | `Function` (attribute) | `Function` (attribute) | +| `ILogger` | `ILogger` | `ILogger`, `ILogger<T>` | +| `HttpRequest` | `HttpRequestData` | `HttpRequestData`, `HttpRequest` (using [ASP.NET Core integration])| +| `IActionResult` | `HttpResponseData` | `HttpResponseData`, `IActionResult` (using [ASP.NET Core integration])| +| `FunctionsStartup` (attribute) | Uses [`Program.cs`](#programcs-file) instead | Uses [`Program.cs`](#programcs-file) instead | ++ [ASP.NET Core integration]: ./dotnet-isolated-process-guide.md#aspnet-core-integration Sames as version 3.x (in-process). :::code language="csharp" source="~/functions-quickstart-templates/Functions.Templates/Templates/HttpTrigger-CSharp-Isolated/HttpTriggerCSharp.cs"::: +# [.NET 8 Preview (isolated)](#tab/net8) ++ ::: zone-end |
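Review bot: as in the version 1.x article, the table added under the `# [.NET 8 Preview (isolated)](#tab/net8)` tab keeps the header `| .NET Core 3.1 | .NET 5 | .NET 7 |`, so the .NET 8 tab never mentions .NET 8; relabel the last column for the tab it belongs to. The `.NET 8 Preview (isolated)` tabs before "Package and namespace changes", "Program.cs file", "local.settings.json file" and the final HTTP trigger example are empty, and the nearby context line "Sames as version 3.x (in-process)." has a typo ("Same as") worth fixing while in this file.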
azure-monitor | Alerts Create New Alert Rule | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-create-new-alert-rule.md | To edit an existing alert rule: ||| |Number of violations|The number of violations that trigger the alert.| |Evaluation period|The time period within which the number of violations occur. |- |Override query time range| If you want the alert evaluation period to be different than the query time range, enter a time range here.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to two days of data.<br> If the query requires more data than the alert evaluation, and there's no **ago** command in the query, you can change the time range manually.| + |Override query time range| If you want the alert evaluation period to be different than the query time range, enter a time range here.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to two days of data.<br> If the query requires more data than the alert evaluation you can change the time range manually. +If the query contains **ago** command in the query, it will be cahnged automatically to 2 days (48 hours).| > [!NOTE] > If you or your administrator assigned the Azure Policy **Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys**, you must select **Check workspace linked storage**. If you don't, the rule creation will fail because it won't meet the policy requirements. |
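Review bot: the new `Override query time range` row is broken in two: the sentence "+If the query contains **ago** command in the query, it will be cahnged automatically to 2 days (48 hours).|" starts on its own line inside a table cell, so the row terminates early and the second line renders as stray text outside the table; keep the whole cell on one line (the existing cells use `<br>` for breaks). While fixing it, correct "cahnged" to "changed", drop the duplicated "in the query", and add the article: "If the query contains an **ago** command, it is changed automatically to 2 days (48 hours)."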
azure-monitor | Alerts Manage Alert Instances | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-manage-alert-instances.md | Last updated 07/11/2023 # Manage your alert instances-The **Alerts** page summarizes all alert instances in all your Azure resources generated in the last 30 days. You can search for a specific alert and manage alert instances. +The **Alerts** page summarizes all alert instances in all your Azure resources generated in the last 30 days. Alerts are stored for 30 days and are deleted after the 30-day retention period. +For stateful alerts, while the alert itself is deleted after 30 days, and is not viewable on the alerts page, the alert condition is stored until the alert is resolved, to prevent firing another alert, and so that notifications can be sent when the alert is resolved. For more information, see [Alerts and state](alerts-overview.md#alerts-and-state). You can get to the **Alerts** page in a few ways: |
azure-monitor | Alerts Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-overview.md | description: Learn about Azure Monitor alerts, alert rules, action processing ru Previously updated : 07/19/2022 Last updated : 09/12/2023 This diagram shows you how alerts work. :::image type="content" source="media/alerts-overview/alerts.png" alt-text="Diagram that explains Azure Monitor alerts." lightbox="media/alerts-overview/alerts.png"::: -An *alert rule* monitors your data and captures a signal that indicates something is happening on the specified resource. The alert rule captures the signal and checks to see if the signal meets the criteria of the condition. If the conditions are met, an alert is triggered, which initiates the associated action group and updates the state of the alert. +An **alert rule** monitors your data and captures a signal that indicates something is happening on the specified resource. The alert rule captures the signal and checks to see if the signal meets the criteria of the condition. An alert rule combines: - The resources to be monitored. - The signal or data from the resource. - Conditions. -If you're monitoring more than one resource, the condition is evaluated separately for each of the resources. Alerts are fired for each resource separately. +An **alert** is triggered if the conditions of the alert rule are met. The alert initiates the associated action group and updates the state of the alert. If you're monitoring more than one resource, the alert rule condition is evaluated separately for each of the resources, and alerts are fired for each resource separately. +Alerts are stored for 30 days and are deleted after the 30-day retention period. You can see all alert instances for all of your Azure resources on the [Alerts page](alerts-manage-alert-instances.md) in the Azure portal. 
++Alerts consist of: - **Action groups**: These groups can trigger notifications or an automated workflow to let users know that an alert has been triggered. Action groups can include: - Notification methods, such as email, SMS, and push notifications. - Automation runbooks. If you're monitoring more than one resource, the condition is evaluated separate - Secure webhooks. - Webhooks. - Event hubs.-- **Alert conditions**: These conditions are set by the system. When an alert fires, the alert's monitor condition is set to **fired**. After the underlying condition that caused the alert to fire clears, the monitor condition is set to **resolved**.+- **Alert conditions**: These conditions are set by the system. When an alert fires, the alert condition is set to **fired**. After the underlying condition that caused the alert to fire clears, the alert condition is set to **resolved**. - **User response**: The response is set by the user and doesn't change until the user changes it. - **Alert processing rules**: You can use alert processing rules to make modifications to triggered alerts as they're being fired. You can use alert processing rules to add or suppress action groups, apply filters, or have the rule processed on a predefined schedule.--You can see all alert instances in all your Azure resources generated in the last 30 days on the [Alerts page](alerts-page.md) in the Azure portal. ## Types of alerts This table provides a brief description of each alert type. For more information about each alert type and how to choose which alert type best suits your needs, see [Types of Azure Monitor alerts](alerts-types.md). This table provides a brief description of each alert type. For more information |[Smart detection alerts](alerts-types.md#smart-detection-alerts)|Smart detection on an Application Insights resource automatically warns you of potential performance problems and failure anomalies in your web application. 
You can migrate smart detection on your Application Insights resource to create alert rules for the different smart detection modules.| |[Prometheus alerts](alerts-types.md#prometheus-alerts)|Prometheus alerts are used for alerting on Prometheus metrics stored in [Azure Monitor managed services for Prometheus](../essentials/prometheus-metrics-overview.md). The alert rules are based on the PromQL open-source query language.| +## Alerts and state ++Alerts can be stateful or stateless. +- Stateless alerts fire each time the condition is met, even if fired previously. +- Stateful alerts fire when the rule conditions are met, and will not fire again or trigger any more actions until the conditions are resolved. ++Alerts are stored for 30 days and are deleted after the 30-day retention period. ++### Stateless alerts +Stateless alerts fire each time the condition is met. The alert condition for all stateless alerts is always `fired`. ++- All activity log alerts are stateless. +- The frequency of notifications for stateless metric alerts differs based on the alert rule's configured frequency: + - **Alert frequency of less than 5 minutes**: While the condition continues to be met, a notification is sent sometime between one and six minutes. + - **Alert frequency of more than 5 minutes**: While the condition continues to be met, a notification is sent between the configured frequency and double the frequency. For example, for an alert rule with a frequency of 15 minutes, a notification is sent sometime between 15 to 30 minutes. ++### Stateful alerts +Stateful alerts fire when the rule conditions are met, and will not fire again or trigger any more actions until the conditions are resolved. +The alert condition for stateful alerts is `fired`, until it is considered resolved. When an alert is considered resolved, the alert rule sends out a resolved notification by using webhooks or email, and the alert condition is set to `resolved`. 
++For stateful alerts, while the alert itself is deleted after 30 days, the alert condition is stored until the alert is resolved, to prevent firing another alert, and so that notifications can be sent when the alert is resolved. ++This table describes when a stateful alert is considered resolved: ++|Alert type |The alert is resolved when | +||| +|Metric alerts|The alert condition isn't met for three consecutive checks.| +|Log alerts| The alert condition isn't met for a specific time range. The time range differs based on the frequency of the alert:<ul> <li>**1 minute**: The alert condition isn't met for 10 minutes.</li> <li>**5 to 15 minutes**: The alert condition isn't met for three frequency periods.</li> <li>**15 minutes to 11 hours**: The alert condition isn't met for two frequency periods.</li> <li>**11 to 12 hours**: The alert condition isn't met for one frequency period.</li></ul>| + ## Recommended alert rules If you don't have alert rules defined for the selected resource, you can [enable recommended out-of-the-box alert rules in the Azure portal](alerts-manage-alert-rules.md#enable-recommended-alert-rules-in-the-azure-portal). These built-in Azure roles, supported at all Azure Resource Manager scopes, have If the target action group or rule location is in a different scope than the two built-in roles, create a user with the appropriate permissions. -## Alerts and state --You can configure whether log or metric alerts are stateful or stateless. Activity log alerts are stateless. -- Stateless alerts fire each time the condition is met, even if fired previously.-- The frequency of notifications for stateless metric alerts differs based on the alert rule's configured frequency: - - **Alert frequency of less than 5 minutes**: While the condition continues to be met, a notification is sent sometime between one and six minutes. 
- - **Alert frequency of more than 5 minutes**: While the condition continues to be met, a notification is sent between the configured frequency and double the frequency. For example, for an alert rule with a frequency of 15 minutes, a notification is sent sometime between 15 to 30 minutes. --- Stateful alerts fire when the condition is met. They don't fire again or trigger any more actions until the conditions are resolved, as described in this table:-- |Alert type |The alert is resolved when | - ||| - |Metric alerts|The alert condition isn't met for three consecutive checks.| - |Log alerts| The alert condition isn't met for a specific time range. The time range differs based on the frequency of the alert:<ul> <li>**1 minute**: The alert condition isn't met for 10 minutes.</li> <li>**5 to 15 minutes**: The alert condition isn't met for three frequency periods.</li> <li>**15 minutes to 11 hours**: The alert condition isn't met for two frequency periods.</li> <li>**11 to 12 hours**: The alert condition isn't met for one frequency period.</li></ul>| --When an alert is considered resolved, the alert rule sends out a resolved notification by using webhooks or email. The monitor state in the Azure portal is set to **resolved**. ## Pricing For information about pricing, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). |
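Review bot: the sentence "Alerts are stored for 30 days and are deleted after the 30-day retention period." is added twice, once in the intro after the alert definition and again at the top of the new "## Alerts and state" section; keep one, or make the second a short back-reference. The moved stateful/stateless material otherwise matches the removed "## Alerts and state" block line for line (same notification windows, same resolution table), so the change is a relocation plus the stateful-condition retention sentence; call that out in the commit message so reviewers don't diff the tables by hand.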
azure-monitor | Alerts Troubleshoot Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-troubleshoot-log.md | When you create a log alert rule with system-assigned managed identity, the iden You can use the current ScheduledQueryRules API to set **Aggregate On** in [Metric measurement](alerts-unified-log.md#calculation-of-a-value) rules, which work as expected. To learn more about switching to the current ScheduledQueryRules API, see [Upgrade to the current Log Alerts API from legacy Log Analytics Alert API](./alerts-log-api-switch.md). +### Override query time range +As a part of the configuration of the alert, in the section of the "Advance Options", there is an option to configure "Override query time range" parameter. +If you want the alert evaluation period to be different than the query time range, enter a time range here. +The alert time range is limited to a maximum of two days. Even if the query contains an ago command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains ago(7d), the query only scans up to two days of data. +If the query requires more data than the alert evaluation, you can change the time range manually. +If there's ago command in the query, it will be changed automatically to be 2 days (48 hours). + ## Log alert fired unnecessarily A configured [log alert rule in Azure Monitor](./alerts-log.md) might be triggered unexpectedly. The following sections describe some common reasons. |
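Review bot: the added "### Override query time range" section has "Advance Options" for what the portal labels "Advanced options", and "If there's ago command in the query" needs an article and code formatting ("If there's an `ago` command in the query, it's changed automatically to 2 days (48 hours)."); `ago(7d)` on the previous line should likewise be in code font. The section largely restates the `Override query time range` row in alerts-create-new-alert-rule.md; a one-sentence summary plus a link to that row would keep the two from drifting, as they already differ on whether the manual change applies only when no `ago` is present.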
azure-monitor | Java Standalone Telemetry Processors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors.md | To configure this option, under `exclude`, specify the `matchType` one or more ` | `GC Total Time` | custom metrics | Sum of time across all GC MXBeans (diff since last reported). See [GarbageCollectorMXBean.getCollectionTime()](https://docs.oracle.com/javase/7/docs/api/java/lang/management/GarbageCollectorMXBean.html).| yes | | `Heap Memory Used (MB)` | custom metrics | See [MemoryMXBean.getHeapMemoryUsage().getUsed()](https://docs.oracle.com/javase/8/docs/api/java/lang/management/MemoryMXBean.html#getHeapMemoryUsage--). | yes | | `% Of Max Heap Memory Used` | custom metrics | java.lang:type=Memory / maximum amount of memory in bytes. See [MemoryUsage](https://docs.oracle.com/javase/7/docs/api/java/lang/management/MemoryUsage.html)| yes |-| `\Processor(_Total)\% Processor Time` | default metrics | Difference in [system wide CPU load tick counters](https://oshi.github.io/oshi/oshi-core/apidocs/oshi/hardware/CentralProcessor.html#getProcessorCpuLoadTicks())(Only User and System) divided by the number of [logical processors count](https://oshi.github.io/oshi/oshi-core/apidocs/oshi/hardware/CentralProcessor.html#getLogicalProcessorsΓÇö) in a given interval of time | no | +| `\Processor(_Total)\% Processor Time` | default metrics | Difference in [system wide CPU load tick counters](https://www.oshi.ooo/oshi-core/apidocs/oshi/hardware/CentralProcessor.html#getProcessorCpuLoadTicks()) (Only User and System) divided by the number of [logical processors count](https://www.oshi.ooo/oshi-core/apidocs/oshi/hardware/CentralProcessor.html#getLogicalProcessors()) in a given interval of time | no | | `\Process(??APP_WIN32_PROC??)\% Processor Time` | default metrics | See 
[OperatingSystemMXBean.getProcessCpuTime()](https://docs.oracle.com/javase/8/docs/jre/api/management/extension/com/sun/management/OperatingSystemMXBean.html#getProcessCpuTime--) (diff since last reported, normalized by time and number of CPUs). | no | | `\Process(??APP_WIN32_PROC??)\Private Bytes` | default metrics | Sum of [MemoryMXBean.getHeapMemoryUsage()](https://docs.oracle.com/javase/8/docs/api/java/lang/management/MemoryMXBean.html#getHeapMemoryUsage--) and [MemoryMXBean.getNonHeapMemoryUsage()](https://docs.oracle.com/javase/8/docs/api/java/lang/management/MemoryMXBean.html#getNonHeapMemoryUsage--). | no | | `\Process(??APP_WIN32_PROC??)\IO Data Bytes/sec` | default metrics | `/proc/[pid]/io` Sum of bytes read and written by the process (diff since last reported). See [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). | no | |
azure-monitor | Container Insights Log Query | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-log-query.md | Perf ``` ### Container memory+This query uses `memoryRssBytes` which is only available for Linux nodes. ```kusto Perf The output will show results similar to the following example. ![Screenshot that shows log query results of data ingestion volume.](./media/container-insights-log-query/log-query-example-usage-02.png) + ## Configuration or scraping errors To investigate any configuration or scraping errors, the following example query returns informational events from the `KubeMonAgentEvents` table. The output shows results similar to the following example: ## Next steps Container insights doesn't include a predefined set of alerts. To learn how to create recommended alerts for high CPU and memory utilization to support your DevOps or operational processes and procedures, see [Create performance alerts with Container insights](./container-insights-log-alerts.md).+ |
azure-monitor | Prometheus Api Promql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-api-promql.md | Example: GET 'https://k8s02-workspace-abcd.eastus.prometheus.monitor.azure.com/api/v1/label/__name__/values' ``` -For the full specification of OSS prom APIs, see [Prometheus HTTP API](https://prometheus.io/docs/prometheus/latest/querying/api/#http-api ) +For the full specification of OSS prom APIs, see [Prometheus HTTP API](https://prometheus.io/docs/prometheus/latest/querying/api/#http-api). ## API limitations The following limitations are in addition to those detailed in the Prometheus specification. |
azure-netapp-files | Azure Netapp Files Quickstart Set Up Account Create Volumes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md | When you are done and if you want to, you can delete the resource group. The act 4. Enter the name of the resource group (myRG1) to confirm that you want to permanently delete the resource group and all resources in it, and then select **Delete**. - ![Screenshot showing confirmation of deleting resource group.](../media/azure-netapp-files/azure-netapp-files-azure-confirm-resource-group-deletion.png ) + ![Screenshot showing confirmation of deleting resource group.](../media/azure-netapp-files/azure-netapp-files-azure-confirm-resource-group-deletion.png) # [PowerShell](#tab/azure-powershell) |
azure-netapp-files | Faq Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-performance.md | You can change the service level of an existing volume by moving the volume to a Azure NetApp Files provides volume performance metrics. You can also use Azure Monitor for monitoring usage metrics for Azure NetApp Files. See [Metrics for Azure NetApp Files](azure-netapp-files-metrics.md) for the list of performance metrics for Azure NetApp Files. -## WhatΓÇÖs the performance impact of Kerberos on NFSv4.1? +## What's the performance impact of Kerberos on NFSv4.1? See [Performance impact of Kerberos on NFSv4.1 volumes](performance-impact-kerberos.md) for information about security options for NFSv4.1, the performance vectors tested, and the expected performance impact. Jumbo frames are not supported with Azure virtual machines. ## Next steps - [Performance impact of Kerberos on NFSv4.1 volumes](performance-impact-kerberos.md)-- [Performance considerations for Azure NetApp Files](azure-netapp-files-performance-considerations.md )+- [Performance considerations for Azure NetApp Files](azure-netapp-files-performance-considerations.md) - [Performance benchmark test recommendations for Azure NetApp Files](azure-netapp-files-performance-metrics-volumes.md) - [Performance benchmarks for Linux](performance-benchmarks-linux.md) - [Performance impact of Kerberos on NFSv4.1 volumes](performance-impact-kerberos.md) |
azure-netapp-files | Faq Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-smb.md | The Azure NetApp Files service has a policy that automatically updates the passw To see when the password was last updated on the Azure NetApp Files SMB computer account, check the `pwdLastSet` property on the computer account using the [Attribute Editor](create-volumes-dual-protocol.md#access-active-directory-attribute-editor) in the **Active Directory Users and Computers** utility: -![Screenshot that shows the Active Directory Users and Computers utility](../media/azure-netapp-files/active-directory-users-computers-utility.png ) +![Screenshot that shows the Active Directory Users and Computers utility](../media/azure-netapp-files/active-directory-users-computers-utility.png) >[!NOTE] > Due to an interoperability issue with the [April 2022 Monthly Windows Update]( |
azure-netapp-files | Performance Azure Vmware Solution Datastore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-azure-vmware-solution-datastore.md | The results in this article were achieved using the following environment config * One volume group per physical volume * One logical partition per volume group * One XFS file system per logical partition-* AVS to Azure NetApp Files protocol: [NFS version 3](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md?tabs=azure-portal#faqs ) +* AVS to Azure NetApp Files protocol: [NFS version 3](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md?tabs=azure-portal#faqs) * Workload generator: `fio` version 3.16 * Fio scripts: [`fio-parser`](https://github.com/mchad1/fio-parser) ΓÇâ To understand how well a single AVS VM scales as more virtual disks are added, t ### Single-host scaling ΓÇô Single datastore -It scales poorly to increase the number of VMs driving IO to a single datastore from a single host. This fact is due to the single network flow. When maximum performance is reached for a given workload, it's often the result of a single queue used along the way to the hostΓÇÖs single NFS datastore over a single TCP connection. Using an 8-KB block size, total IOPS increased between 3% and 16% when scaling from one VM with a single VMDK to four VMs with 16 total VMDKs (four per VM, all on a single datastore). +It scales poorly to increase the number of VMs driving IO to a single datastore from a single host. This fact is due to the single network flow. When maximum performance is reached for a given workload, it's often the result of a single queue used along the way to the host's single NFS datastore over a single TCP connection. Using an 8-KB block size, total IOPS increased between 3% and 16% when scaling from one VM with a single VMDK to four VMs with 16 total VMDKs (four per VM, all on a single datastore). 
Increasing the block size (to 64 KB) for large block workloads had comparable results, reaching a peak of 2148 MiB/s (single VM, single VMDK) and 2138 MiB/s (4 VMs, 16 VMDKs). Four Azure NetApp Files datastores provide up of 10 GBps of usable bandwidth for For granular performance tuning, both Windows and Linux guest operating systems allow for striping across multiple disks. As such, you should stripe file systems across multiple VMDKs spread across multiple datastores. However, if application snapshot consistency is an issue and can't be overcome with LVM or storage spaces, consider mounting Azure NetApp Files from the guest operating system or investigate application-level scaling, of which Azure has many great options. -If you stripe volumes across multiple disks, ensure the backup software or disaster recovery software supports backing up multiple virtual disks simultaneously. As individual writes are striped across multiple disks, the file system needs to ensure disks are ΓÇ£frozenΓÇ¥ during the snapshot or backup operations. Most modern file systems include a freeze or snapshot operation such as xfs (xfs_freeze) and NTFS (volume shadow copies), which backup software can take advantage of. +If you stripe volumes across multiple disks, ensure the backup software or disaster recovery software supports backing up multiple virtual disks simultaneously. As individual writes are striped across multiple disks, the file system needs to ensure disks are "frozen" during the snapshot or backup operations. Most modern file systems include a freeze or snapshot operation such as xfs (xfs_freeze) and NTFS (volume shadow copies), which backup software can take advantage of. Because Azure NetApp Files bills for provisioned capacity at the capacity pool rather than allocated capacity (datastores), you will, for example, pay the same for 4x20TB datastores or 20x4TB datastores. 
If you need to, you can tweak capacity and performance of datastores on-demand, [dynamically via the Azure API/console](dynamic-change-volume-service-level.md). -For example, as you approach the end of a fiscal year you find that you need more storage performance on Standard datastore. You can increase the datastoresΓÇÖ service level for a month to enable all VMs on those datastores to have more performance available to them, while maintaining other datastores at a lower service level. You not only save cost but gain more performance by having workloads spread among more TCP connections between each datastore to each AVS host. +For example, as you approach the end of a fiscal year you find that you need more storage performance on Standard datastore. You can increase the datastores' service level for a month to enable all VMs on those datastores to have more performance available to them, while maintaining other datastores at a lower service level. You not only save cost but gain more performance by having workloads spread among more TCP connections between each datastore to each AVS host. -You can monitor your datastore metrics through vCenter or through the Azure API/Console. From vCenter, you can monitor a datastoreΓÇÖs aggregate average IOPS in the [Performance/Advanced Charts](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-B3D99B36-E856-41A5-84DB-9B7C8FABCF83.html) , as long as you enable Storage IO Control Metrics collection on the datastore. The Azure [API](monitor-volume-capacity.md#using-rest-api) and [console](monitor-azure-netapp-files.md) present metrics for `WriteIops`, `ReadIops`, `ReadThroughput`, and `WriteThroughput`, among others, to measure your workloads at the datastore level. With Azure metrics, you can set alert rules with actions to automatically resize a datastore via an Azure function, a webhook, or other actions. +You can monitor your datastore metrics through vCenter or through the Azure API/Console. 
From vCenter, you can monitor a datastore's aggregate average IOPS in the [Performance/Advanced Charts](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-B3D99B36-E856-41A5-84DB-9B7C8FABCF83.html) , as long as you enable Storage IO Control Metrics collection on the datastore. The Azure [API](monitor-volume-capacity.md#using-rest-api) and [console](monitor-azure-netapp-files.md) present metrics for `WriteIops`, `ReadIops`, `ReadThroughput`, and `WriteThroughput`, among others, to measure your workloads at the datastore level. With Azure metrics, you can set alert rules with actions to automatically resize a datastore via an Azure function, a webhook, or other actions. ## Next steps |
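Review bot: The unchanged context sentence "Four Azure NetApp Files datastores provide up of 10 GBps of usable bandwidth" has a typo ("up of" should be "up to") and mixes units with the MiB/s figures quoted just before it; since this commit already touches the surrounding paragraphs to normalize quote characters, fix both here. The re-flowed sentence about alert rules that resize a datastore via an Azure function or webhook would also benefit from a pointer to which identity and permissions that automation runs under, because a service-level change is a write against the volume and should not be driven by an over-privileged function identity.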
azure-resource-manager | Bicep Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-cli.md | For more information about using this command, see [Decompiling ARM template JSO The `decompile-params` command decompile a JSON parameters file to a _.bicepparam_ parameters file. ```azurecli-az bicep decompile-params -- file azuredeploy.parameters.json --bicep-file ./dir/main.bicep +az bicep decompile-params --file azuredeploy.parameters.json --bicep-file ./dir/main.bicep ``` -This command decompiles a _azuredeploy.parameters.json_ parameters file into a _azuredeploy.parameters.bicepparam_ file. `-bicep-file` specifies the path to the Bicep file (relative to the .bicepparam file) that is referenced in the `using` declaration. +This command decompiles a _azuredeploy.parameters.json_ parameters file into a _azuredeploy.parameters.bicepparam_ file. `--bicep-file` specifies the path to the Bicep file (relative to the .bicepparam file) that is referenced in the `using` declaration. ## generate-params |
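Review bot: The `--file` and `--bicep-file` corrections are right, but the unchanged sentence above the fence still reads "The `decompile-params` command decompile a JSON parameters file" (should be "decompiles"), and both occurrences of "a _azuredeploy.parameters..." should be "an"; fix them in the same commit since the paragraph is already being edited.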
azure-resource-manager | Bicep Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-config.md | Title: Bicep config file description: Describes the configuration file for your Bicep deployments Previously updated : 08/30/2023 Last updated : 09/11/2023 # Configure your Bicep environment The preceding sample enables 'userDefineTypes' and 'extensibility`. The availabl - **resourceTypedParamsAndOutputs**: Enables the type for a parameter or output to be of type resource to make it easier to pass resource references between modules. This feature is only partially implemented. See [Simplifying resource referencing](https://github.com/azure/bicep/issues/2245). - **symbolicNameCodegen**: Allows the ARM template layer to use a new schema to represent resources as an object dictionary rather than an array of objects. This feature improves the semantic equivalent of the Bicep and ARM templates, resulting in more reliable code generation. Enabling this feature has no effect on the Bicep layer's functionality. - **userDefinedFunctions**: Allows you to define your own custom functions. See [User-defined functions in Bicep](./user-defined-functions.md).-- **userDefinedTypes**: Allows you to define your own custom types for parameters. See [User-defined types in Bicep](https://aka.ms/bicepCustomTypes). ## Next steps |
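Review bot: Removing `userDefinedTypes` from the experimental-feature list leaves the sentence "The preceding sample enables 'userDefineTypes' and 'extensibility`" stale: it still names the flag (misspelled, and with mismatched quote characters), which suggests the sample `bicepconfig.json` above it still sets `"userDefinedTypes": true`. Update the sample and that sentence together, otherwise readers keep enabling a flag that no longer appears in the documented list.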
azure-resource-manager | Data Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/data-types.md | Last updated 07/07/2023 # Data types in Bicep -This article describes the data types supported in [Bicep](./overview.md). [User-defined data types](./user-defined-data-types.md) are currently in preview. +This article describes the data types supported in [Bicep](./overview.md). To define custom data types, see [User-defined data types](./user-defined-data-types.md). ## Supported types |
azure-resource-manager | File | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/file.md | Title: Bicep file structure and syntax description: Describes the structure and properties of a Bicep file using declarative syntax. Previously updated : 08/30/2023 Last updated : 09/11/2023 # Understand the structure and syntax of Bicep files metadata <metadata-name> = ANY targetScope = '<scope>' +type <user-defined-data-type-name> = <type-expression> + func <user-defined-function-name> (<argument-name> <data-type>, <argument-name> <data-type>, ...) <function-data-type> => <expression> @<decorator>(<argument>) The allowed values are: In a module, you can specify a scope that is different than the scope for the rest of the Bicep file. For more information, see [Configure module scope](modules.md#set-module-scope) +## Types ++You can use the `type` statement to define user-defined data types. ++```bicep +param location string = resourceGroup().location ++type storageAccountSkuType = 'Standard_LRS' | 'Standard_GRS' ++type storageAccountConfigType = { + name: string + sku: storageAccountSkuType +} ++param storageAccountConfig storageAccountConfigType = { + name: 'storage${uniqueString(resourceGroup().id)}' + sku: 'Standard_LRS' +} ++resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { + name: storageAccountConfig.name + location: location + sku: { + name: storageAccountConfig.sku + } + kind: 'StorageV2' +} +``` ++For more information, see [User-defined data types](./user-defined-data-types.md). + ## Functions (Preview) > [!NOTE] |
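Review bot: The new Types section shows the `type` statement but does not say which Bicep version it needs, while the sibling Functions section is still marked (Preview); add the minimum version, or a one-line note that the feature is generally available, so a reader on an older Bicep CLI is not left guessing why `type` is rejected. The sample's `storageAccountSkuType = 'Standard_LRS' | 'Standard_GRS'` also deserves a sentence pointing out that a union of literals restricts what a caller can pass for the SKU, the same validation `@allowed` gives a single parameter but now applied to a nested property of an object parameter.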
azure-resource-manager | User Defined Data Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/user-defined-data-types.md | Title: User-defined types in Bicep description: Describes how to define and use user-defined data types in Bicep. Previously updated : 08/29/2023 Last updated : 09/11/2023 -# User-defined data types in Bicep (Preview) +# User-defined data types in Bicep Learn how to use user-defined data types in Bicep. [Bicep version 0.12.1 or newer](./install.md) is required to use this feature. -## Enable the preview feature --To enable this preview, modify your project's [bicepconfig.json](./bicep-config.md) file to include the following JSON: --```json -{ - "experimentalFeaturesEnabled": { - "userDefinedTypes": true - } -} -``` - ## User-defined data type syntax You can use the `type` statement to define user-defined data types. In addition, you can also use type expressions in some places to define custom types. |
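Review bot: With the "Enable the preview feature" section deleted, the remaining line "[Bicep version 0.12.1 or newer] is required to use this feature" is suspect: at 0.12.1 the now-removed `userDefinedTypes` flag was still required (that is what the deleted section documented), so a reader on that version following the page as rewritten would still get an error unless they set the flag. Bump the stated minimum to the first version that accepts `type` without the experimental flag.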
azure-resource-manager | Azure Services Resource Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-services-resource-providers.md | The resources providers that are marked with **- registered** are registered by | Microsoft.DigitalTwins | [Azure Digital Twins](../../digital-twins/overview.md) | | Microsoft.DocumentDB | [Azure Cosmos DB](../../cosmos-db/index.yml) | | Microsoft.DomainRegistration | [App Service](../../app-service/index.yml) |-| Microsoft.DynamicsLcs | [Lifecycle Services](https://lcs.dynamics.com/Logon/Index ) | +| Microsoft.DynamicsLcs | [Lifecycle Services](https://lcs.dynamics.com/Logon/Index) | | Microsoft.ElasticSan | [Elastic SAN Preview](../../storage/elastic-san/index.yml) | | Microsoft.EnterpriseKnowledgeGraph | Enterprise Knowledge Graph | | Microsoft.EventGrid | [Event Grid](../../event-grid/index.yml) | |
azure-signalr | Howto Enable Geo Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/howto-enable-geo-replication.md | Companies seeking local presence or requiring a robust failover system often cho ## Example use case Contoso is a social media company with its customer base spread across the US and Canada. To serve those customers and let them communicate with each other, Contoso runs its services in Central US. Azure SignalR Service is used to handle user connections and facilitate communication among users. Contoso's end users are mostly phone users. Due to the long geographical distances, end-users in Canada might experience high latency and poor network quality. -![Diagram of using one Azure SignalR instance to handle traffic from two countries. ](./media/howto-enable-geo-replication/signalr-single.png "Single SignalR Example") +![Diagram of using one Azure SignalR instance to handle traffic from two countries. ](./media/howto-enable-geo-replication/signalr-single.png "Single SignalR Example") Before the advent of the geo-replication feature, Contoso could set up another Azure SignalR Service in Canada Central to serve its Canadian users. By setting up a geographically closer Azure SignalR Service, end users now have better network quality and lower latency. However, managing multiple Azure SignalR Services brings some challenges: 2. The development team would need to manage two separate Azure SignalR Services, each with distinct domain and connection string. 3. If a regional outage happens, the traffic needs to be switched to another region. -![Diagram of using two Azure SignalR instances to handle traffic from two countries. ](./media/howto-enable-geo-replication/signalr-multiple.png "Mutiple SignalR Example") +![Diagram of using two Azure SignalR instances to handle traffic from two countries. 
](./media/howto-enable-geo-replication/signalr-multiple.png "Mutiple SignalR Example") ## Harnessing geo-replication With the new geo-replication feature, Contoso can now establish a replica in Canada Central, effectively overcoming the above-mentioned hurdles. -![Diagram of using one Azure SignalR instance with replica to handle traffic from two countries.](./media/howto-enable-geo-replication/signalr-replica.png "Replica Example") +![Diagram of using one Azure SignalR instance with replica to handle traffic from two countries.](./media/howto-enable-geo-replication/signalr-replica.png "Replica Example") ## Create a SignalR replica To create a replica, Navigate to the SignalR **Replicas** blade on the Azure portal and click **Add** to create a replica. It will be automatically enabled upon creation. -![Screenshot of creating replica for Azure SignalR on Portal.](./media/howto-enable-geo-replication/signalr-replica-create.png "Replica create") +![Screenshot of creating replica for Azure SignalR on Portal.](./media/howto-enable-geo-replication/signalr-replica-create.png "Replica create") > [!NOTE] > * Geo-replication is a feature available in premium tier. To create a replica, Navigate to the SignalR **Replicas** blade on the Azure por After creation, you would be able to view/edit your replica on the portal by clicking the replica name. -![Screenshot of overview blade of Azure SignalR replica resource. ](./media/howto-enable-geo-replication/signalr-replica-overview.png "Replica Overview") +![Screenshot of overview blade of Azure SignalR replica resource. ](./media/howto-enable-geo-replication/signalr-replica-overview.png "Replica Overview") ## Pricing and resource unit Each replica has its **own** `unit` and `autoscale settings`. To delete a replica in the Azure portal: The diagram below provides a brief illustration of the SignalR Replicas' functionality: -![Diagram of the arch of Azure SignalR replica. 
](./media/howto-enable-geo-replication/signalr-replica-arch.png "Replica Arch") +![Diagram of the arch of Azure SignalR replica. ](./media/howto-enable-geo-replication/signalr-replica-arch.png "Replica Arch") 1. The client negotiates with the app server and receives a redirection to the Azure SignalR service. It then resolves the SignalR service's Fully Qualified Domain Name (FQDN) ΓÇö `contoso.service.signalr.net`. This FQDN points to a Traffic Manager, which returns the Canonical Name (CNAME) of the nearest regional SignalR instance. 2. With this CNAME, the client establishes a connection to the regional instance (Replica). Azure SignalR Service utilizes a traffic manager for health checks and DNS resol In the event of a **regional outage** in eastus (illustrated below), the traffic manager will detect the health check failure for that region. Then, this faulty replica's DNS will be excluded from the traffic manager's DNS resolution results. After a DNS Time-to-Live (TTL) duration, which is set to 90 seconds, clients in `eastus` will be redirected to connect with the replica in `westus`. -![Diagram of Azure SignalR replica failover. ](./media/howto-enable-geo-replication/signalr-replica-failover.png "Replica Failover") +![Diagram of Azure SignalR replica failover. ](./media/howto-enable-geo-replication/signalr-replica-failover.png "Replica Failover") Once the issue in `eastus` is resolved and the region is back online, the health check will succeed. Clients in `eastus` will then, once again, be directed to the replica in their region. This transition is smooth as the connected clients will not be impacted until those existing connections are closed. -![Diagram of Azure SignalR replica failover recovery. ](./media/howto-enable-geo-replication/signalr-replica-failover-recovery.png "Replica Failover Recover") +![Diagram of Azure SignalR replica failover recovery. 
](./media/howto-enable-geo-replication/signalr-replica-failover-recovery.png "Replica Failover Recover") This failover and recovery process is **automatic** and requires no manual intervention. |
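Review bot: The image hunks here change only whitespace inside the alt text, but the title attribute "Mutiple SignalR Example" on the same line is misspelled ("Multiple"); fix it while the line is being touched. The failover paragraph gives the 90-second DNS TTL but only the recovery paragraph says that already-connected clients are left alone until their connections close; state that in the failover paragraph too, so operators understand the effective switch-over window is the TTL plus the lifetime of existing connections to the failed region.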
azure-signalr | Signalr Concept Messages And Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-concept-messages-and-connections.md | The service and the application server keep syncing connection status and making ## Related resources -* [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicesignalr ) +* [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicesignalr) * [ASP.NET Core SignalR configuration](/aspnet/core/signalr/configuration) * [JSON](https://www.json.org/) * [MessagePack](/aspnet/core/signalr/messagepackhubprotocol) |
azure-signalr | Signalr Concept Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-concept-performance.md | This article describes: You can easily monitor your service in the Azure portal. From the **Metrics** page of your SignalR instance, you can select the **Server Load** metrics to see the "pressure" of your service. -<kbd>![Screenshot of the Server Load metric of Azure SignalR on Portal. The metrics shows Server Load is at about 8 percent usage. ](./media/signalr-concept-performance/server-load.png "Server Load")</kbd> +<kbd>![Screenshot of the Server Load metric of Azure SignalR on Portal. The metrics shows Server Load is at about 8 percent usage. ](./media/signalr-concept-performance/server-load.png "Server Load")</kbd> The chart shows the computing pressure of your SignalR service. You can test your scenario and check this metric to decide whether to scale up. The latency inside SignalR service remains low if the Server Load is below 70%. |
azure-web-pubsub | Concept Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-metrics.md | Learn more about [multi-dimensional metrics](../azure-monitor/essentials/data-pl ## Related resources -- [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicewebpubsub )+- [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicewebpubsub) |
azure-web-pubsub | Concept Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-performance.md | In this guide, we'll introduce the factors that affect Web PubSub upstream appli ## Quick evaluation using metrics Before going through the factors that impact the performance, let's first introduce an easy way to monitor the pressure of your service. There's a metrics called **Server Load** on the Portal. - <kbd>![Screenshot of the Server Load metric of Azure Web PubSub on Portal. The metrics shows Server Load is at about 8 percent usage. ](./media/concept-performance/server-load.png "Server Load")</kbd> + <kbd>![Screenshot of the Server Load metric of Azure Web PubSub on Portal. The metrics shows Server Load is at about 8 percent usage. ](./media/concept-performance/server-load.png "Server Load")</kbd> It shows the computing pressure of your Azure Web PubSub service. You could test on your own scenario and check this metrics to decide whether to scale up. The latency inside Azure Web PubSub service would remain low if the Server Load is below 70%. |
azure-web-pubsub | Howto Enable Geo Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-enable-geo-replication.md | Mission critical apps often need to have a robust failover system and serve user ### Contoso, a social media company Contoso is a social media company with its customer base spread across the US and Canada. Contoso provides a mobile and web app to its users so that they can connect with each other. Contoso application is deployed in Central US. As part of Contoso's architecture, Web PubSub is used to establish persistent WebSocket connections between client apps and the application server. Contoso **likes** that they can offload managing WebSocket connections to Web PubSub, but **doesn't** like reading reports of users in Canada experiencing higher latency. Furthermore, Contoso's development team wants to insure the app against regional outage so that the users can access the app with no interruptions. -![Diagram of using one Azure WebPubSub instance to handle traffic from two countries. ](./media/howto-enable-geo-replication/web-pubsub-single.png "Single WebPubSub Example") +![Diagram of using one Azure WebPubSub instance to handle traffic from two countries. ](./media/howto-enable-geo-replication/web-pubsub-single.png "Single WebPubSub Example") Contoso **could** set up another Web PubSub resource in Canada Central which is geographically closer to its users in Canada. However, managing multiple Web PubSub resources brings some challenges: 1. A cross-region communication mechanism would need to be implemented so that users in Canada and US can interact with each other. Contoso **could** set up another Web PubSub resource in Canada Central which is All of the above takes engineering resources away from focusing on product innovation. -![Diagram of using two Azure Web PubSub instances to handle traffic from two countries. 
](./media/howto-enable-geo-replication/web-pubsub-multiple.png "Mutiple Web PubSub Example") +![Diagram of using two Azure Web PubSub instances to handle traffic from two countries. ](./media/howto-enable-geo-replication/web-pubsub-multiple.png "Mutiple Web PubSub Example") ### Harnessing the geo-replication feature With the geo-replication feature, Contoso can now establish a replica in Canada Central, effectively overcoming the above-mentioned challenges. The developer team is glad to find out that they don't need to make any code changes. It's as easy as clicking a few buttons on Azure portal. The developer team is also happy to share with the stakeholders that as Contoso plans to enter the European market, they simply need to add another replica in Europe. -![Diagram of using one Azure Web PubSub instance with replica to handle traffic from two countries.](./media/howto-enable-geo-replication/web-pubsub-replica.png "Replica Example") +![Diagram of using one Azure Web PubSub instance with replica to handle traffic from two countries.](./media/howto-enable-geo-replication/web-pubsub-replica.png "Replica Example") ## How to enable geo-replication in a Web PubSub resource To create a replica in an Azure region, go to your Web PubSub resource and find the **Replicas** blade on the Azure portal and click **Add** to create a replica. It will be automatically enabled upon creation. -![Screenshot of creating replica for Azure Web PubSub on Portal.](./media/howto-enable-geo-replication/web-pubsub-replica-create.png "Replica create") +![Screenshot of creating replica for Azure Web PubSub on Portal.](./media/howto-enable-geo-replication/web-pubsub-replica-create.png "Replica create") After creation, you would be able to view/edit your replica on the portal by clicking the replica name. -![Screenshot of overview blade of Azure Web PubSub replica resource. 
](./media/howto-enable-geo-replication/web-pubsub-replica-overview.svg "Replica Overview") +![Screenshot of overview blade of Azure Web PubSub replica resource. ](./media/howto-enable-geo-replication/web-pubsub-replica-overview.svg "Replica Overview") > [!NOTE] > * Geo-replication is a feature available in premium tier. To delete a replica in the Azure portal: ## Understand how the geo-replication feature works -![Diagram of the arch of Azure Web PubSub replica. ](./media/howto-enable-geo-replication/web-pubsub-replica-arch.png "Replica Arch") +![Diagram of the arch of Azure Web PubSub replica. ](./media/howto-enable-geo-replication/web-pubsub-replica-arch.png "Replica Arch") 1. The client resolves the Fully Qualified Domain Name (FQDN) `contoso.webpubsub.azure.com` of the Web PubSub service. This FQDN points to a Traffic Manager, which returns the Canonical Name (CNAME) of the nearest regional Web PubSub instance. 2. With this CNAME, the client establishes a websocket connection to the regional instance (replica). Azure Web PubSub Service utilizes a traffic manager for health checks and DNS re In the event of a **regional outage** in eastus (illustrated below), the traffic manager will detect the health check failure for that region. Then, this faulty replica's DNS will be excluded from the traffic manager's DNS resolution results. After a DNS Time-to-Live (TTL) duration, which is set to 90 seconds, clients in `eastus` will be redirected to connect with the replica in `westus`. -![Diagram of Azure Web PubSub replica failover. ](./media/howto-enable-geo-replication/web-pubsub-replica-failover.png "Replica Failover") +![Diagram of Azure Web PubSub replica failover. ](./media/howto-enable-geo-replication/web-pubsub-replica-failover.png "Replica Failover") Once the issue in `eastus` is resolved and the region is back online, the health check will succeed. Clients in `eastus` will then, once again, be directed to the replica in their region. 
This transition is smooth as the connected clients will not be impacted until those existing connections are closed. -![Diagram of Azure Web PubSub replica failover recovery. ](./media/howto-enable-geo-replication/web-pubsub-replica-failover-recovery.png "Replica Failover Recover") +![Diagram of Azure Web PubSub replica failover recovery. ](./media/howto-enable-geo-replication/web-pubsub-replica-failover-recovery.png "Replica Failover Recover") This failover and recovery process is **automatic** and requires no manual intervention. |
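Review bot: Same as the SignalR counterpart: the image hunks change only whitespace in the alt text, and the title attribute "Mutiple Web PubSub Example" is misspelled ("Multiple"); fix it in this commit.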
backup | Azure Kubernetes Service Cluster Backup Using Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-kubernetes-service-cluster-backup-using-powershell.md | Once the vault and policy creation are complete, you need to perform the followi Backup Extension is mandatory to be installed in the AKS cluster to perform any backup and restore operations. The Backup Extension creates a namespace `dataprotection-microsoft` in the cluster and uses the same to deploy its resources. The extension requires the storage account and blob container as inputs for installation. Learn about the [extension installation commands](./azure-kubernetes-service-cluster-manage-backups.md#install-backup-extension). - As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the **Storage Account Contributor** role. To assign the required role, [run these command](azure-kubernetes-service-cluster-manage-backups.md#grant-permission-on-storage-account ) + As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the **Storage Account Contributor** role. To assign the required role, [run these command](azure-kubernetes-service-cluster-manage-backups.md#grant-permission-on-storage-account) -3. **Enable Trusted Access** +3. **Enable Trusted Access** For the Backup vault to connect with the AKS cluster, you must enable Trusted Access as it allows the Backup vault to have a direct line of sight to the AKS cluster. Learn [how to enable Trusted Access]](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations). |
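Review bot: The link-target fix is fine, but the unchanged sentence "Learn [how to enable Trusted Access]](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations)" has a doubled `]]`, which breaks the Markdown link, and "run these command" should be "run this command"; both sit in the step block this commit edits, so fix them here. Since the step grants the extension's user identity Storage Account Contributor, it is also worth saying that the assignment should be scoped to the single backup storage account named as the extension input rather than to the resource group.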
batch | Jobs And Tasks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/jobs-and-tasks.md | For a detailed discussion on running MPI jobs in Batch by using the Batch .NET l [Task dependencies](batch-task-dependencies.md), as the name implies, allow you to specify that a task depends on the completion of other tasks before its execution. This feature provides support for situations in which a "downstream" task consumes the output of an "upstream" task, or when an upstream task performs some initialization that is required by a downstream task. -To use this feature, you must first [enable task dependencies](batch-task-dependencies.md#enable-task-dependencies -) on your Batch job. Then, for each task that depends on another (or many others), you specify the tasks which that task depends on. +To use this feature, you must first [enable task dependencies](batch-task-dependencies.md#enable-task-dependencies) on your Batch job. Then, for each task that depends on another (or many others), you specify the tasks which that task depends on. With task dependencies, you can configure scenarios like the following: |
batch | Large Number Tasks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/large-number-tasks.md | BatchClientParallelOptions parallelOptions = new BatchClientParallelOptions() ... ``` -Add a task collection to the job using the appropriate overload of the [AddTaskAsync](/dotnet/api/microsoft.azure.batch.cloudjob.addtaskasync) or [AddTask](/dotnet/api/microsoft.azure.batch.cloudjob.addtask -) method. For example: +Add a task collection to the job using the appropriate overload of the [AddTaskAsync](/dotnet/api/microsoft.azure.batch.cloudjob.addtaskasync) or [AddTask](/dotnet/api/microsoft.azure.batch.cloudjob.addtask) method. For example: ```csharp // Add a list of tasks as a collection |
cloud-services | Cloud Services Guestos Msrc Releases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-msrc-releases.md | description: This article lists the Microsoft Security Response Center updates a documentationcenter: na-+ editor: '' ms.assetid: d0a272a9-ed01-4f4c-a0b3-bd5e841bdd77 na Previously updated : 8/21/2023- Last updated : 9/12/2023+ # Azure Guest OS The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in. +## September 2023 Guest OS ++>[!NOTE] ++>The September Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the September Guest OS. This list is subject to change. 
++| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | +| | | | | | +| Rel 23-09 | [5030214] | Latest Cumulative Update(LCU) | 6.62 | Sep 12, 2023 | +| Rel 23-09 | [5030216] | Latest Cumulative Update(LCU) | 7.31 | Sep 12, 2023 | +| Rel 23-09 | [5030213] | Latest Cumulative Update(LCU) | 5.86 | Sep 12, 2023 | +| Rel 23-09 | [5029938] | .NET Framework 3.5 Security and Quality Rollup | 2.142 | Sep 12, 2023 | +| Rel 23-09 | [5029933] | .NET Framework 4.7.2 Security and Quality Rollup | 2.142 | Sep 12, 2023 | +| Rel 23-09 | [5029915] | .NET Framework 3.5 Security and Quality Rollup LKG | 4.122 | Sep 12, 2023 | +| Rel 23-09 | [5029916] | .NET Framework 4.7.2 Cumulative Update LKG | 4.122 | Sep 12, 2023 | +| Rel 23-09 | [5030160] | .NET Framework 3.5 Security and Quality Rollup LKG | 3.130 | Sep 12, 2023 | +| Rel 23-09 | [5029932] | .NET Framework 4.7.2 Cumulative Update LKG | 3.130 | Sep 12, 2023 | +| Rel 23-09 | [5029931] | .NET Framework DotNet | 6.62 | Sep 12, 2023 | +| Rel 23-09 | [5029928] | .NET Framework 4.8 Security and Quality Rollup LKG | 7.31 | Sep 12, 2023 | +| Rel 23-09 | [5030265] | Monthly Rollup | 2.142 | Sep 12, 2023 | +| Rel 23-09 | [5030278] | Monthly Rollup | 3.130 | Sep 12, 2023 | +| Rel 23-09 | [5030269] | Monthly Rollup | 4.122 | Sep 12, 2023 | +| Rel 23-09 | [5030330] | Servicing Stack Update | 3.130 | Sep 12, 2023 | +| Rel 23-09 | [5030329] | Servicing Stack Update LKG | 4.122 | Sep 12, 2023 | +| Rel 23-09 | [5030504] | Servicing Stack Update LKG | 5.86 | Sep 12, 2023 | +| Rel 23-09 | [5028264] | Servicing Stack Update LKG | 2.142 | Jul 11, 2023 | +| Rel 23-09 | 5030369 | Servicing Stack Update | 7.31 | | +| Rel 23-09 | 5030505 | Servicing Stack Update | 6.62 | | ++[5030214]: https://support.microsoft.com/kb/5030214 +[5030216]: https://support.microsoft.com/kb/5030216 +[5030213]: https://support.microsoft.com/kb/5030213 +[5029938]: https://support.microsoft.com/kb/5029938 +[5029933]: 
https://support.microsoft.com/kb/5029933 +[5029915]: https://support.microsoft.com/kb/5029915 +[5029916]: https://support.microsoft.com/kb/5029916 +[5030160]: https://support.microsoft.com/kb/5030160 +[5029932]: https://support.microsoft.com/kb/5029932 +[5029931]: https://support.microsoft.com/kb/5029931 +[5029928]: https://support.microsoft.com/kb/5029928 +[5030265]: https://support.microsoft.com/kb/5030265 +[5030278]: https://support.microsoft.com/kb/5030278 +[5030269]: https://support.microsoft.com/kb/5030269 +[5030330]: https://support.microsoft.com/kb/5030330 +[5030329]: https://support.microsoft.com/kb/5030329 +[5030504]: https://support.microsoft.com/kb/5030504 +[5028264]: https://support.microsoft.com/kb/5028264 +[5030505]: https://support.microsoft.com/kb/5030505 +++ ## August 2023 Guest OS |
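Review bot: the last two rows of the September table (`| Rel 23-09 | 5030369 | Servicing Stack Update | 7.31 | |` and the `5030505` row) drop the bracketed KB link and leave the Date First Introduced column empty, unlike every other row; `[5030505]` has a reference definition below that nothing uses, and `5030369` has no definition at all. Suggest `[5030369]` and `[5030505]` in the KB column with matching reference lines, and fill in the introduction date before publishing.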
communication-services | Call Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/call-automation.md | Whether your application has answered a one-to-one or group call, or placed an o **Cancel media operations** Based on business logic your application may need to cancel ongoing and queued media operations. Depending on the media operation canceled and the ones in queue, you'll receive a webhook event indicating that the action has been canceled. +### Query scenarios ++**List participants** +Returns a list of all the participants in a call. Recording and transcription bots are omitted from this list. + ## Events The following table outlines the current events emitted by Azure Communication Services. The following two tables describe the events emitted by Event Grid and from the Call Automation as webhook events. |
communication-services | Phone Number Management For Canada | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-canada.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |General Availability | General Availability | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-| Alphanumeric Sender ID\** | Public Preview | - | - | - | +| Alphanumeric Sender ID\** | General Availability | - | - | - | \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Denmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-denmark.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free | - | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-| Alphanumeric Sender ID\** | Public Preview | - | - | - | +| Alphanumeric Sender ID\** | General Availability | - | - | - | \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. \** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service. |
communication-services | Phone Number Management For Estonia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-estonia.md | Use the below tables to find all the relevant information on number availability | Number Type | Send SMS | Receive SMS | Make Calls | Receive Calls | | :- | :- | :- | :- | : |-| Alphanumeric Sender ID\* | Public Preview | - | - | - | +| Alphanumeric Sender ID\* | General Availability | - | - | - | \* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service. |
communication-services | Phone Number Management For France | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-france.md | Use the below tables to find all the relevant information on number availability | Number Type | Send SMS | Receive SMS | Make Calls | Receive Calls | | :- | :- | :- | :- | : | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Germany | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-germany.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Italy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-italy.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free*** |- | - | General Availability | General Availability\* | | Local*** | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Latvia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-latvia.md | Use the below tables to find all the relevant information on number availability | Number Type | Send SMS | Receive SMS | Make Calls | Receive Calls | | :- | :- | :- | :- | : |-| Alphanumeric Sender ID\* | Public Preview | - | - | - | +| Alphanumeric Sender ID\* | General Availability | - | - | - | \* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service. |
communication-services | Phone Number Management For Lithuania | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-lithuania.md | Use the below tables to find all the relevant information on number availability | Number Type | Send SMS | Receive SMS | Make Calls | Receive Calls | | :- | :- | :- | :- | : |-| Alphanumeric Sender ID\* | Public Preview\* | - | - | - | +| Alphanumeric Sender ID\* | General Availability \* | - | - | - | \* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service. |
communication-services | Phone Number Management For Netherlands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-netherlands.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Norway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-norway.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Poland | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-poland.md | Use the below tables to find all the relevant information on number availability | Number Type | Send SMS | Receive SMS | Make Calls | Receive Calls | | :- | :- | :- | :- | : | | Toll-Free | - | - | - | Public Preview\* |-| Alphanumeric Sender ID\** | Public Preview | - | - | - | +| Alphanumeric Sender ID\** | General Availability | - | - | - | \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Portugal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-portugal.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Spain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-spain.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Sweden | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-sweden.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For Switzerland | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-switzerland.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free |- | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Phone Number Management For United Kingdom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-united-kingdom.md | Use the below tables to find all the relevant information on number availability | :- | :- | :- | :- | : | | Toll-Free | - | - | General Availability | General Availability\* | | Local | - | - | General Availability | General Availability\* |-|Alphanumeric Sender ID\**|Public Preview|-|-|-| +|Alphanumeric Sender ID\**|General Availability |-|-|-| \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communications-gateway | Connect Operator Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/connect-operator-connect.md | To enable the application, add the Application ID of the system-assigned managed Microsoft Teams only sends traffic to domains that you've confirmed that you own. Your Azure Communications Gateway deployment automatically receives an autogenerated fully qualified domain name (FQDN). You need to add this domain name to your Active Directory tenant as a custom domain name, share the details with your onboarding team and then verify the domain name. This process confirms that you own the domain. 1. Navigate to the **Overview** of your Azure Communications Gateway resource and select **Properties**. Find the field named **Domain**. This name is your deployment's domain name.-1. Complete the following procedure: [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name-to-azure-ad). +1. Complete the following procedure: [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name). 1. Share your DNS TXT record information with your onboarding team. Wait for your onboarding team to confirm that the DNS TXT record has been configured correctly. 1. Complete the following procedure: [Verify your custom domain name](../active-directory/fundamentals/add-custom-domain.md#verify-your-custom-domain-name). |
confidential-computing | Virtual Machine Solutions Sgx | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions-sgx.md | Under **properties**, you also have to specify an image under **storageProfile** "publisher": "MicrosoftWindowsServer", "sku": "2019-datacenter-gensecond", "version": "latest"- }, - "18_04-lts-gen2": { - "offer": "UbuntuServer", - "publisher": "Canonical", - "sku": "18_04-lts-gen2", - "version": "latest" }, "20_04-lts-gen2": { "offer": "UbuntuServer", Under **properties**, you also have to specify an image under **storageProfile** "sku": "20_04-lts-gen2", "version": "latest" }+ "22_04-lts-gen2": { + "offer": "UbuntuServer", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + }, ``` ## Next step |
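Review bot: the new `22_04-lts-gen2` image entry is inserted directly after the `20_04-lts-gen2` closing brace (`"version": "latest" }`), which carries no trailing comma, while the new block itself ends with `},`; as written the `storageProfile` object is not valid JSON. Move the separator so it sits between the two entries: `},` after `20_04-lts-gen2` and a plain `}` closing the new entry (keep `},` only if another entry follows it).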
confidential-ledger | Verify Node Quotes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/verify-node-quotes.md | An Azure confidential ledger node executes on top of a Trusted Execution Environ ## Prerequisites -- Install [CCF](https://microsoft.github.io/CCF/main/build_apps/install_bin.html) or the [CCF Python package](https://pypi.org/project/ccf/).-- An Azure confidential ledger instance.+- Ubuntu 20.04-LTS 64-bit +- Install [CCF](https://microsoft.github.io/CCF/main/build_apps/install_bin.html) or the [CCF Python package](https://pypi.org/project/ccf/) +- Install the [Open Enclave Host-verify SDK](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/install_host_verify_Ubuntu_20.04.md) +- Install [jq](https://jqlang.github.io/jq/download/) ## Verify node quote +### Download the service identity ++The service identity can be downloaded from https://identity.confidential-ledger.core.azure.com/ledgerIdentity. It is used to verify the identity of the node that the client is connected to and establish a secure communication channel with it. The following command downloads the service identity, formats it and saves it to service_cert.pem. ++```bash +curl https://identity.confidential-ledger.core.azure.com/ledgerIdentity/<ledgername> --silent | jq '.ledgerTlsCertificate' | xargs echo -e > service_cert.pem +``` ++### Verify quote + The node quote can be downloaded from `https://<ledgername>.confidential-ledger.azure.com` and verified by using the `oeverify` tool that ships with the [Open Enclave SDK](https://github.com/openenclave/openenclave/blob/master/tools/oeverify/README.md) or with the `verify_quote.sh` script. It is installed with the CCF installation or the CCF Python package. For complete details about the script and the supported parameters, refer to [verify_quote.sh](https://microsoft.github.io/CCF/main/use_apps/verify_quote.html). 
```bash-verify_quote.sh https://<ledgername>.confidential-ledger.azure.com:443 +/opt/ccf_virtual/bin/verify_quote.sh https://<ledgername>.confidential-ledger.azure.com:443 --cacert service_cert.pem ``` The script checks if the cryptographic hash of the node's identity public key (DER encoded) matches the SGX report data and that the MRENCLAVE value present in the quote is trusted. A list of trusted MRENCLAVE values in the network can be downloaded from the `https://<ledgername>.confidential-ledger.azure.com/node/code` endpoint. An optional `mrenclave` parameter can be supplied to check if the node is running the trusted code. If supplied, the mreclave value in the quote must match it exactly. |
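Review bot: in the service-identity step, `jq '.ledgerTlsCertificate' | xargs echo -e` relies on xargs stripping the JSON quoting and on `echo -e` expanding the `\n` escapes, which is not POSIX (`/bin/sh` on Debian and Ubuntu prints a literal `-e`); `jq -r '.ledgerTlsCertificate' > service_cert.pem` writes the PEM directly. The `curl --silent` call also has no `--fail`, so an HTTP error body would be saved as `service_cert.pem`; since that file is the trust anchor passed as `--cacert` to `verify_quote.sh`, a failed download should abort the step rather than silently produce a bogus certificate. Minor: the unchanged context line spells `mreclave` for `mrenclave`.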
container-apps | Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/samples.md | Refer to the following samples to learn how to use Azure Container Apps in diffe | [gRPC with ASP.NET Core on Azure Container Apps](https://github.com/Azure-Samples/dotNET-Workers-with-gRPC-messaging-on-Azure-Container-Apps) | This repository contains a simple scenario built to demonstrate how ASP.NET Core 6.0 can be used to build a cloud-native application hosted in Azure Container Apps that uses gRPC request/response transmission from Worker microservices. The gRPC service simultaneously streams sensor data to a Blazor server frontend, so you can watch the data be charted in real-time. | | [Deploy an Orleans Cluster to Container Apps](https://github.com/Azure-Samples/Orleans-Cluster-on-Azure-Container-Apps) | An end-to-end sample and tutorial for getting a Microsoft Orleans cluster running on Azure Container Apps. Worker microservices rapidly transmit data to a back-end Orleans cluster for monitoring and storage, emulating thousands of physical devices in the field. | | [Deploy a shopping cart Orleans app to Container Apps](https://github.com/Azure-Samples/orleans-blazor-server-shopping-cart-on-container-apps) | An end-to-end example shopping cart app built in ASP.NET Core Blazor Server with Orleans deployed to Azure Container Apps. |-| [ASP.NET Core front-end with two back-end APIs on Azure Container Apps](https://github.com/Azure-Samples/dotNET-FrontEnd-to-BackEnd-on-Azure-Container-Apps )<br /> | This sample demonstrates ASP.NET Core 6.0 can be used to build a cloud-native application hosted in Azure Container Apps. | -| [ASP.NET Core front-end with two back-end APIs on Azure Container Apps (with Dapr)](https://github.com/Azure-Samples/dotNET-FrontEnd-to-BackEnd-with-DAPR-on-Azure-Container-Apps )<br /> | Demonstrates how ASP.NET Core 6.0 is used to build a cloud-native application hosted in Azure Container Apps using Dapr. 
| +| [ASP.NET Core front-end with two back-end APIs on Azure Container Apps](https://github.com/Azure-Samples/dotNET-FrontEnd-to-BackEnd-on-Azure-Container-Apps)<br /> | This sample demonstrates ASP.NET Core 6.0 can be used to build a cloud-native application hosted in Azure Container Apps. | +| [ASP.NET Core front-end with two back-end APIs on Azure Container Apps (with Dapr)](https://github.com/Azure-Samples/dotNET-FrontEnd-to-BackEnd-with-DAPR-on-Azure-Container-Apps)<br /> | Demonstrates how ASP.NET Core 6.0 is used to build a cloud-native application hosted in Azure Container Apps using Dapr. | | [Deploy Drupal on Azure Container Apps](https://github.com/Azure-Samples/drupal-on-azure-container-apps) | Demonstrates how to deploy a Drupal site to Azure Container Apps, with Azure Database for MariaDB, and Azure Files to store static assets. | |
container-instances | Container Instances Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-vnet.md | The log output should show that `wget` was able to connect and download the inde ### Example - YAML -You can also deploy a container group to an existing virtual network by using a YAML file, a [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet -), or another programmatic method such as with the Python SDK. +You can also deploy a container group to an existing virtual network by using a YAML file, a [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet), or another programmatic method such as with the Python SDK. For example, when using a YAML file, you can deploy to a virtual network with a subnet delegated to Azure Container Instances. Specify the following properties: |
cosmos-db | Emulator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/emulator.md | Every request made against the emulator must be authenticated using a key over T | | | | **Endpoint** | `localhost:8081` | | **Key** | `C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==` |-| **Connection string** | `` | +| **Connection string** | `AccountEndpoint=https://localhost:8081/;AccountKey=C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==;` | > [!TIP] > With the Windows (local) emulator, you can also customize the key used by the emulator. For more information, see [Windows emulator arguments](emulator-command-line-parameters.md#manage-the-emulator-with-command-line-syntax). |
cosmos-db | Hierarchical Partition Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/hierarchical-partition-keys.md | Find the latest preview version of each supported SDK: | | | | | .NET SDK v3 | >= 3.33.0 | <https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.33.0/> | | Java SDK v4 | >= 4.42.0 | <https://github.com/Azure/azure-sdk-for-jav#4420-2023-03-17/> |-| JavaScript SDK v3 | 3.17.4-beta.1 | <https://www.npmjs.com/package/@azure/cosmos/v/3.17.4-beta.1/> | +| JavaScript SDK v4 | 4.0.0 | <https://www.npmjs.com/package/@azure/cosmos/> | ## Create a container by using hierarchical partition keys Mono<CosmosItemResponse<UserSession>> readResponse = container.readItem(id, part +##### [JavaScript SDK v4](#tab/javascript-v4) ++```javascript +// Store the unique identifier +String id = "f7da01b0-090b-41d2-8416-dacae09fbb4a"; ++// Build the full partition key path +PartitionKey partitionKey = new PartitionKeyBuilder() + .add("Microsoft") //TenantId + .add("8411f20f-be3e-416a-a3e7-dcd5a3c1f28b") //UserId + .add("0000-11-0000-1111") //SessionId + .build(); + +// Perform a point read +Mono<CosmosItemResponse<UserSession>> readResponse = container.readItem(id, partitionKey, UserSession.class); +``` +++ ### Run a query The SDK code that you use to run a query on a subpartitioned container is identical to running a query on a non-subpartitioned container. |
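Review bot: the added `##### [JavaScript SDK v4](#tab/javascript-v4)` tab contains the Java snippet (`String id = ...`, `PartitionKeyBuilder`, `Mono<CosmosItemResponse<UserSession>>`) inside a ```javascript fence; it is a copy of the Java tab above and will not run as JavaScript. Replace it with the JavaScript SDK's point read (`container.item(id, partitionKey).read()`, with the three-level key supplied as the SDK expects) or drop the tab until a real sample exists. The table row change (`JavaScript SDK v4 | 4.0.0`) is fine.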
cosmos-db | Choose Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/choose-model.md | Azure Cosmos DB is a fully managed NoSQL and relational database for modern app Both, the Request Unit (RU) and vCore-based Azure Cosmos DB for MongoDB offering make it easy to use Azure Cosmos DB as if it were a MongoDB database. Both options work without the overhead of complex management and scaling approaches. You can use your existing MongoDB skills and continue to use your favorite MongoDB drivers, SDKs, and tools by pointing your application to the connection string for your account using the API for MongoDB. Additionally, both are cloud-native offerings that can be integrated seamlessly with other Azure services to build enterprise-grade modern applications. -## Choosing between RU-based and vCore-based options +## Choose between RU-based and vCore-based -Here are a few key factors to help you decide which is the right architecture for you: +Here are a few key factors to help you decide which is the right option for you. -| Factor | RU-based | vCore-based | -| -- | -- | -| -| What do you want to do | • Works well if you're trying to build new cloud-native MongoDB apps or refactor existing apps for all the benefits of a cloud-native offering | • Works well if you're trying to lift and shift existing MongoDB apps and run them as-is on a fully supported managed service. | -| What are your availability needs | • Offers upto [99.999%](../high-availability.md#slas) of availability with multi-region deployments | • Offers competitive SLA (once generally available) | -| How do you want to scale | • Offers limitless horizontal scalability, instantaneous scale up and granular throughput control. | • Offers high-capacity vertical and horizontal scaling with familiar vCore-based cluster tier options to choose from. 
| -| What are your top read & query patterns | • Works well for workloads with more point reads *(fetching a single item by its ID and shard key value)* and lesser long running queries and complex aggregation pipeline operations. | • Works irrespective of the operation types in your workload. Operations may include workloads with long-running queries, complex aggregation pipelines, distributed transactions, joins, etc. | +### Choose RU-based if ++- You're building new cloud-native MongoDB apps or refactoring existing apps for cloud-native benefits. +- Your workload has more point reads (fetching a single item by its _id and shard key value) and few long-running queries and complex aggregation pipeline operations. +- You want limitless horizontal scalability, instantaneous scale up, and granular throughput control. +- You're running mission-critical applications requiring industry-leading 99.999% availability. ++[**Get started with Azure Cosmos DB for MongoDB RU**](./quickstart-python.md) ++### Choose vCore-based if ++- You're migrating (lift & shift) an existing MongoDB workload or building a new MongoDB application. +- Your workload has more point reads (fetching a single item by its ID and shard key value) and few long-running queries and complex aggregation pipeline operations. +- You prefer high-capacity vertical and horizontal scaling with familiar vCore-based cluster tiers such as M30, M40, M50 and more. +- You're running applications requiring 99.995% availability. ++[**Get started with Azure Cosmos DB for MongoDB vCore**](./vcore/quickstart-portal.md) ++> [!TIP] +> Want to try the Azure Cosmos DB for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../try-free.md) for free. 
## Resource and billing differences between the options -There are differences between the offerings in the way the resources are assigned and billed on the platform: +The RU and vCore services have different architectures with important billing differences. ++### RU-based resources and billing ++- You'd like a multi-tenant service that instantly allocates resources to your workload, aligning with storage and throughput requirements. ++> [!NOTE] +> Throughput is based on [Request Units (RUs)](../request-units.md). ++- You prefer to pay fixed (standard provisioned throughput) or variable (autoscale) fees corresponding to Request Units (RUs) and consumed storage. ++> [!NOTE] +> RU charges depend on the selected model: provisioned throughput (standard or autoscale) or serverless. ++[**Get started with Azure Cosmos DB for MongoDB RU**](./quickstart-python.md) ++### vCore-based resources and billing ++- You'd like dedicated instances that utilize preset CPU, memory, and storage resources, which can dynamically scale to suit your needs. +- You prefer to pay a consistent flat fee based on compute (CPU, memory, and the number of nodes) and storage. -| Resource details | RU-based | vCore-based | -| -- | -- | -| -| How are the resources assigned | • This option is a multi-tenant service that instantly assigns resources to the workload to meet its storage and throughput needs. <br/>• Throughput uses the concept of [Request Units (RUs)](../request-units.md). | • This option provides dedicated instances using preset CPU, memory and storage resources that scale to meet your needs. | -| How are the resources billed | • You pay variable fees for the RUs and consumed storage. <br/>• RU charges are based on the choice of the model: provisioned throughput (standard or autoscale) or serverless. | • You pay consistent flat fee based on the compute (CPU, memory and the number of nodes) and storage. 
| +[**Get started with Azure Cosmos DB for MongoDB vCore**](./vcore/quickstart-portal.md) ## Next steps -- [Create a Go app](quickstart-go.md) using Azure Cosmos DB for MongoDB.-- Deploy Azure Cosmos DB for MongoDB vCore [using a Bicep template](vcore/quickstart-bicep.md).+> [!div class="nextstepaction"] +> [Try Azure Cosmos DB for free](../try-free.md) |
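Review bot: in `### Choose vCore-based if`, the second bullet (`Your workload has more point reads ... and few long-running queries and complex aggregation pipeline operations`) duplicates the RU-based bullet and contradicts the removed table cell it replaces, which said vCore-based `Works irrespective of the operation types in your workload` (long-running queries, complex aggregation pipelines, distributed transactions, joins); restore that meaning in the vCore bullet. Under `### RU-based resources and billing`, the bullets are written as selection criteria (`You'd like a multi-tenant service ...`, `You prefer to pay ...`) beneath a heading that describes how resources are assigned and billed; rephrase them as statements, as the removed table did.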
cosmos-db | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/introduction.md | - Title: Introduction/Overview- -description: Use Azure Cosmos DB for MongoDB to store and query massive amounts of data using popular open-source drivers. ----- Previously updated : 02/28/2023----# What is Azure Cosmos DB for MongoDB? ---[Azure Cosmos DB](../introduction.md) is a fully managed NoSQL and relational database for modern app development. --Azure Cosmos DB for MongoDB makes it easy to use Azure Cosmos DB as if it were a MongoDB database. You can use your existing MongoDB skills and continue to use your favorite MongoDB drivers, SDKs, and tools by pointing your application to the connection string for your account using the API for MongoDB. --> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWXr4T] --> [!TIP] -> Want to try the Azure Cosmos DB for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../try-free.md) for free. --## Cosmos DB for MongoDB benefits --Cosmos DB for MongoDB has numerous benefits compared to other MongoDB service offerings such as MongoDB Atlas: --- **Instantaneous scalability**: With the [Autoscale](../provision-throughput-autoscale.md) feature, your database scales instantaneously with zero warmup period. Other MongoDB offerings such as MongoDB Atlas can take hours to scale up and up to days to scale down. --- **Automatic and transparent sharding**: The API for MongoDB manages all of the infrastructure for you. This management includes sharding and optimizing the number of shards. Other MongoDB offerings such as MongoDB Atlas, require you to specify and manage sharding to horizontally scale. This automation gives you more time to focus on developing applications for your users.--- **Five 9's of availability**: [99.999% availability](../high-availability.md) is easily configurable to ensure your data is always there for you. 
--- **Active-active database**: Unlike MongoDB Atlas, Cosmos DB for MongoDB supports active-active across multiple regions. Databases can span multiple regions, with no single point of failure for **writes and reads for the same data**. MongoDB Atlas global clusters only support active-passive deployments for writes for the same data. -- **Cost efficient, granular, unlimited scalability**: Sharded collections can scale to any size, unlike other MongoDB service offerings. The Azure Cosmos DB platform can scale in increments as small as 1/100th of a VM due to its architecture. This means that you can scale your database to the exact size you need, without paying for unused resources.--- **Real time analytics (HTAP) at any scale**: Run analytics workloads against your transactional MongoDB data in real time with no effect on your database. This analysis is fast and inexpensive, due to the cloud native analytical columnar store being utilized, with no ETL pipelines. Easily create Power BI dashboards, integrate with Azure Machine Learning and Azure AI services, and bring all of your data from your MongoDB workloads into a single data warehousing solution. Learn more about the [Azure Synapse Link](../synapse-link.md).--- **Serverless deployments**: Cosmos DB for MongoDB offers a [serverless capacity mode](../serverless.md). With [Serverless](../serverless.md), you're only charged per operation, and don't pay for the database when you don't use it.--- **Free Tier**: With Azure Cosmos DB free tier, you get the first 1000 RU/s and 25 GB of storage in your account for free forever, applied at the account level. Free tier accounts are automatically [sandboxed](../limit-total-account-throughput.md) so you never pay for usage.--- **Free 7 day Continuous Backups**: Azure Cosmos DB for MongoDB offers free 7 day continuous backups for any amount of data. This means that you can restore your database to any point in time within the last 7 days. 
--- **Upgrades take seconds**: All API versions are contained within one codebase, making version changes as simple as [flipping a switch](upgrade-version.md), with zero downtime.--- **Role Based Access Control**: With Azure Cosmos DB for MongoDB, you can assign granular roles and permissions to users to control access to your data and audit user actions- all using native Azure tooling.--- **In-depth monitoring capabilities**: Cosmos DB for MongoDB integrates natively with [Azure Monitor](../../azure-monitor/overview.md) to provide in-depth monitoring capabilities.--## How Cosmos DB for MongoDB works --Cosmos DB for MongoDB implements the wire protocol for MongoDB. This implementation allows transparent compatibility with MongoDB client SDKs, drivers, and tools. Azure Cosmos DB doesn't host the MongoDB database engine. Any MongoDB client driver compatible with the API version you're using should be able to connect, with no special configuration. --> [!IMPORTANT] -> This article describes a feature of Azure Cosmos DB that provides wire protocol compatibility with MongoDB databases. Microsoft does not run MongoDB databases to provide this service. Azure Cosmos DB is not affiliated with MongoDB, Inc. --### MongoDB feature compatibility --Cosmos DB for MongoDB is compatible with the following MongoDB server versions: --- [Version 5.0 (vCore preview)](./vcore/quickstart-portal.md)-- [Version 4.2](feature-support-42.md)-- [Version 4.0](feature-support-40.md)-- [Version 3.6](feature-support-36.md)-- [Version 3.2](feature-support-32.md)--### Choosing a server version --All versions run on the same codebase, making upgrades a simple task that can be completed in seconds with zero downtime. Azure Cosmos DB simply flips a few feature flags to go from one version to another. The feature flags also enable continued support for older API versions such as 3.2 and 3.6. You can choose the server version that works best for you. --Not sure if your workload is ready? 
[Reach out to us](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR9aWEKTdeoxPpcB2ORTA2_1UQk44OEhBRjlIWjJMTUxLTzhJVVpPU0M4My4u) to leverage automated tooling to determine if you're ready to migrate to Cosmos DB for MongoDB. --## What you need to know to get started --- You aren't billed for virtual machines in a cluster. [Pricing](../how-pricing-works.md) is based on throughput in request units (RUs) configured on a per database or per collection basis. The first 1000 RUs per second are free with [Free Tier](../free-tier.md).--- There are three ways to deploy the Cosmos DB for MongoDB:-- - [Provisioned throughput](../set-throughput.md): Set a RU/sec number and change it manually. This model best fits consistent workloads. -- - [Autoscale](../provision-throughput-autoscale.md): Set an upper bound on the throughput you need. Throughput instantly scales to match your needs. This model best fits workloads that change frequently and optimizes their costs. -- - [Serverless](../serverless.md): Only pay for the throughput you use, period. This model best fits dev/test workloads. --- Sharded cluster performance is dependent on the shard key you choose when creating a collection. Choose a shard key carefully to ensure that your data is evenly distributed across shards.--## Frequently asked questions --1. Does Cosmos DB for MongoDB support my data residency requirements? -- Yes, data residency is governed at the database account level which is associated with one or more regions. Customers typically create a database account for each residency requirement. For example, if you have a requirement to store data in the US and EU, you would create two database accounts, one in the US and one in the EU. --2. Does Cosmos DB for MongoDB support documents larger than 2 MB? -- Yes, documents as large as 16 MB are fully supported. --3. Does Cosmos DB for MongoDB support multi-field sort? -- Yes, multi-field sort is supported. 
A compound index is required for the fields in the sort to ensure the operation is efficient and scalable. --4. Does Cosmos DB for MongoDB scale linearly? -- In many cases, Cosmos DB's costs scale better than linear. For example, if you read a 1KB document, this equates to 1 Request Unit (RU). But if you read a 10KB document, this still equates to roughly 1RU. The [Cosmos DB capacity calculator](https://cosmos.azure.com/capacitycalculator/) can help you estimate your throughput needs. --4. How can I encrypt data and manage access at the field level? -- Cosmos DB for MongoDB supports Field Level Encryption. --5. How do I pay for Request Units (RUs)? -- Cosmos DB for MongoDB offers three capacity modes: provisioned throughput, autoscale, and serverless. **None require an upfront commitment**. Autoscale instantaneously scales to meet your needs, and serverless only charges for the throughput you use. --6. Which features are supported in Cosmos DB for MongoDB? -- Cosmos DB for MongoDB supports a rich set of MongoDB features backed by Cosmos DB's limitless scale architecture. These features include: Aggregation pipelines, Change streams, Indexes, Geospatial queries, and more. See the [feature support matrix](feature-support-42.md) for more details. Not sure if your workload is ready? [Reach out to us](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR9aWEKTdeoxPpcB2ORTA2_1UQk44OEhBRjlIWjJMTUxLTzhJVVpPU0M4My4u) to leverage automated tooling to determine if you're ready to migrate to Cosmos DB for MongoDB. --4. Does Cosmos DB for MongoDB run on-premises? -- Cosmos DB for MongoDB is a cloud-native multi-tenant service and is not available on-premises. Cosmos DB offers an [emulator for local development and testing](../local-emulator.md). 
---## Next steps --- Follow the [Connect a MongoDB application to Azure Cosmos DB](connect-account.md) tutorial to learn how to get your account connection string information.-- Follow the [Use Studio 3T with Azure Cosmos DB](connect-using-mongochef.md) tutorial to learn how to create a connection between your Azure Cosmos DB database and MongoDB app in Studio 3T.-- Follow the [Import MongoDB data into Azure Cosmos DB](../../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%253ftoc%253d%2fazure%2fcosmos-db%2ftoc.json) tutorial to import your data to an Azure Cosmos DB database. |
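Review bot: the whole of articles/cosmos-db/mongodb/introduction.md is deleted here while the new articles/cosmos-db/mongodb/overview.md in the following row takes over its title and description, so a redirect from introduction.md to overview.md should land in the same change or every bookmark and inbound link to the old page will break. Two pieces of content in the removed file have no counterpart in the replacement: the "### MongoDB feature compatibility" list (Version 5.0 vCore preview, 4.2, 4.0, 3.6, 3.2 with their feature-support pages) and the "## Frequently asked questions" block (data residency, 16 MB documents, multi-field sort, field level encryption, on-premises); confirm these are reachable from the new "Read the [FAQ](faq.yml)" link or the ru/introduction.md article before the deletion merges.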
cosmos-db | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/overview.md | + + Title: Introduction/Overview ++description: Use Azure Cosmos DB for MongoDB to store and query massive amounts of data using popular open-source drivers. +++++ Last updated : 09/12/2023+++# What is Azure Cosmos DB for MongoDB? +++[Azure Cosmos DB](../introduction.md) is a fully managed NoSQL and relational database for modern app development. ++Azure Cosmos DB for MongoDB makes it easy to use Azure Cosmos DB as if it were a MongoDB database. You can use your existing MongoDB skills and continue to use your favorite MongoDB drivers, SDKs, and tools by pointing your application to the connection string for your account using the API for MongoDB. ++> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWXr4T] ++## Cosmos DB for MongoDB benefits ++Cosmos DB for MongoDB has numerous benefits compared to other MongoDB service offerings such as MongoDB Atlas: ++### Request Unit (RU) architecture ++A fully managed MongoDB-compatible service with flexible scaling using [Request Units (RUs)](../request-units.md). Designed for cloud-native applications. ++- **Instantaneous scalability**: With the [Autoscale](../provision-throughput-autoscale.md) feature, your database scales instantaneously with zero warmup period. Other MongoDB offerings such as MongoDB Atlas can take hours to scale up and up to days to scale down. ++- **Automatic and transparent sharding**: The API for MongoDB manages all of the infrastructure for you. This management includes sharding and optimizing the number of shards. Other MongoDB offerings such as MongoDB Atlas, require you to specify and manage sharding to horizontally scale. This automation gives you more time to focus on developing applications for your users. ++- **Five 9's of availability**: [99.999% availability](../high-availability.md) is easily configurable to ensure your data is always there for you. 
++- **Active-active database**: Unlike MongoDB Atlas, Cosmos DB for MongoDB supports active-active across multiple regions. Databases can span multiple regions, with no single point of failure for **writes and reads for the same data**. MongoDB Atlas global clusters only support active-passive deployments for writes for the same data. +- **Cost efficient, granular, unlimited scalability**: Sharded collections can scale to any size, unlike other MongoDB service offerings. The Azure Cosmos DB platform can scale in increments as small as 1/100th of a VM due to its architecture. This scalability means that you can scale your database to the exact size you need, without paying for unused resources. ++- **Real time analytics (HTAP) at any scale**: Run analytics workloads against your transactional MongoDB data in real time with no effect on your database. This analysis is fast and inexpensive, due to the cloud native analytical columnar store being utilized, with no ETL pipelines. Easily create Power BI dashboards, integrate with Azure Machine Learning and Azure AI services, and bring all of your data from your MongoDB workloads into a single data warehousing solution. Learn more about the [Azure Synapse Link](../synapse-link.md). ++- **Serverless deployments**: Cosmos DB for MongoDB offers a [serverless capacity mode](../serverless.md). With [Serverless](../serverless.md), you're only charged per operation, and don't pay for the database when you don't use it. ++### vCore Architecture ++A fully managed MongoDB-compatible service with dedicated instances for new and existing MongoDB apps. This architecture offers a familiar vCore architecture for MongoDB users, efficient scaling, and seamless integration with Azure services. ++- **Native Vector Search**: Seamlessly integrate your AI-based applications with your data that's stored in Azure Cosmos DB for MongoDB vCore. 
This integration is an all-in-one solution, unlike other vector search solutions that send your data between service integrations. ++- **Flat pricing with Low total cost of ownership**: Enjoy a familiar pricing model for Azure Cosmos DB for MongoDB vCore, based on compute (vCores & RAM) and storage (disks). ++- **Elevate querying with Text Indexes**: Enhance your data querying efficiency with our text indexing feature. Seamlessly navigate full-text searches across MongoDB collections, simplifying the process of extracting valuable insights from your documents. ++- **Scale with no shard key required**: Simplify your development process with high-capacity vertical scaling, all without the need for a shard key. Sharding and scaling horizontally is simple once collections are into the TBs. ++- **Free 35 day Backups with point in time restore (PITR)**: Azure Cosmos DB for MongoDB vCore offers free 35 day backups for any amount of data. ++> [!TIP] +> Visit [Choose your model](./choose-model.md) for an in-depth comparison of each architecture to help you choose which one is right for you. ++## How Azure Cosmos DB for MongoDB works ++Cosmos DB for MongoDB implements the wire protocol for MongoDB. This implementation allows transparent compatibility with MongoDB client SDKs, drivers, and tools. Azure Cosmos DB doesn't host the MongoDB database engine. Any MongoDB client driver compatible with the API version you're using should be able to connect, with no special configuration. ++> [!IMPORTANT] +> This article describes a feature of Azure Cosmos DB that provides wire protocol compatibility with MongoDB databases. Microsoft does not run MongoDB databases to provide this service. Azure Cosmos DB is not affiliated with MongoDB, Inc. ++## Next steps ++- Read the [FAQ](faq.yml) +- [Connect an existing MongoDB application to Azure Cosmos DB for MongoDB RU](connect-account.md) |
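Review bot: the vCore bullets need a wording pass before this new overview merges. "Free 35 day Backups" should be "Free 35-day backups", and "Flat pricing with Low total cost of ownership" should not capitalise "Low". The "Scale with no shard key required" bullet first says no shard key is needed and then adds "Sharding and scaling horizontally is simple once collections are into the TBs", which reads as a contradiction; clarify that vertical scaling needs no shard key and that horizontal sharding remains available for very large collections, and replace "into the TBs" with "reach terabytes in size". The `> [!TIP]` pointing to `choose-model.md` is the only place the RU and vCore sections are contrasted, so consider moving it directly under "## Cosmos DB for MongoDB benefits" so readers see it before either list.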
cosmos-db | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/ru/introduction.md | + + Title: Introduction/Overview ++description: Learn about Azure Cosmos DB for MongoDB RU, a fully managed MongoDB-compatible database with Instantaneous scalability. +++++ Last updated : 09/12/2023++++# What is Azure Cosmos DB for MongoDB RU? +++[Azure Cosmos DB](../../introduction.md) is a fully managed NoSQL and relational database for modern app development. ++Azure Cosmos DB for MongoDB RU (Request Unit architecture) makes it easy to use Azure Cosmos DB as if it were a MongoDB database. You can use your existing MongoDB skills and continue to use your favorite MongoDB drivers, SDKs, and tools. Azure Cosmos DB for MongoDB RU is built on top of the Cosmos DB platform. This service takes advantage of Azure Cosmos DB's global distribution, elastic scale, and enterprise-grade security. ++> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWXr4T] ++> [!TIP] +> Want to try the Azure Cosmos DB for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../../try-free.md) for free. ++## Cosmos DB for MongoDB RU benefits ++Cosmos DB for MongoDB RU has numerous benefits compared to other MongoDB service offerings such as MongoDB Atlas: ++- **Instantaneous scalability**: With the [Autoscale](../../provision-throughput-autoscale.md) feature, your database scales instantaneously with zero warmup period. Other MongoDB offerings such as MongoDB Atlas can take hours to scale up and up to days to scale down. ++- **Automatic and transparent sharding**: The API for MongoDB manages all of the infrastructure for you. This management includes sharding and optimizing the number of shards. Other MongoDB offerings such as MongoDB Atlas, require you to specify and manage sharding to horizontally scale. This automation gives you more time to focus on developing applications for your users. 
++- **Five 9's of availability**: [99.999% availability](../../high-availability.md) is easily configurable to ensure your data is always there for you. ++- **Active-active database**: Unlike MongoDB Atlas, Cosmos DB for MongoDB RU supports active-active across multiple regions. Databases can span multiple regions, with no single point of failure for **writes and reads for the same data**. MongoDB Atlas global clusters only support active-passive deployments for writes for the same data. +- **Cost efficient, granular, unlimited scalability**: Sharded collections can scale to any size, unlike other MongoDB service offerings. The Azure Cosmos DB platform can scale in increments as small as 1/100th of a VM due to its architecture. This support means that you can scale your database to the exact size you need, without paying for unused resources. ++- **Real time analytics (HTAP) at any scale**: Run analytics workloads against your transactional MongoDB data in real time with no effect on your database. This analysis is fast and inexpensive, due to the cloud native analytical columnar store being utilized, with no ETL pipelines. Easily create Power BI dashboards, integrate with Azure Machine Learning and Azure AI services, and bring all of your data from your MongoDB workloads into a single data warehousing solution. Learn more about the [Azure Synapse Link](../../synapse-link.md). ++- **Serverless deployments**: Cosmos DB for MongoDB RU offers a [serverless capacity mode](../../serverless.md). With [Serverless](../../serverless.md), you're only charged per operation, and don't pay for the database when you don't use it. ++- **Free Tier**: With Azure Cosmos DB free tier, you get the first 1000 RU/s and 25 GB of storage in your account for free forever, applied at the account level. Free tier accounts are automatically [sandboxed](../../limit-total-account-throughput.md) so you never pay for usage. 
++- **Free 7 day Continuous Backups**: Azure Cosmos DB for MongoDB RU offers free seven day continuous backups for any amount of data. This retention means that you can restore your database to any point in time within the last seven days. ++- **Upgrades take seconds**: All API versions are contained within one codebase, making version changes as simple as [flipping a switch](../upgrade-version.md), with zero downtime. ++- **Role Based Access Control**: With Azure Cosmos DB for MongoDB RU, you can assign granular roles and permissions to users to control access to your data and audit user actions- all using native Azure tooling. ++- **In-depth monitoring capabilities**: Cosmos DB for MongoDB RU integrates natively with [Azure Monitor](../../../azure-monitor/overview.md) to provide in-depth monitoring capabilities. ++## How Cosmos DB for MongoDB works ++Cosmos DB for MongoDB RU implements the wire protocol for MongoDB. This implementation allows transparent compatibility with MongoDB client SDKs, drivers, and tools. Azure Cosmos DB doesn't host the MongoDB database engine. Any MongoDB client driver compatible with the API version you're using can connect with no special configuration. ++> [!IMPORTANT] +> This article describes a feature of Azure Cosmos DB that provides wire protocol compatibility with MongoDB databases. Microsoft does not run MongoDB databases to provide this service. Azure Cosmos DB is not affiliated with MongoDB, Inc. ++### Choosing a server version ++All versions run on the same codebase, making upgrades a simple task that can be completed in seconds with zero downtime. Azure Cosmos DB simply flips a few feature flags to go from one version to another. The feature flags also enable continued support for old API versions such as 4.0 and 3.6. You can choose the server version that works best for you. ++Not sure if your workload is ready? 
Use the automatic [premigration assessment](../pre-migration-steps.md) to determine if you're ready to migrate to Cosmos DB for MongoDB RU or vCore. ++## What you need to know to get started ++With the RU model, you aren't billed for virtual machines in a cluster. [Pricing](../../how-pricing-works.md) is based on throughput in request units (RUs) configured on a per database or per collection basis. The first 1000 RUs per second are free with [Free Tier](../../free-tier.md). ++There are three ways to deploy the Cosmos DB for MongoDB: ++- [Provisioned throughput](../../set-throughput.md): Set a RU/sec number and change it manually. This model best fits consistent workloads. ++- [Autoscale](../../provision-throughput-autoscale.md): Set an upper bound on the throughput you need. Throughput instantly scales to match your needs. This model best fits workloads that change frequently and optimizes their costs. ++- [Serverless](../../serverless.md): Only pay for the throughput you use, period. This model best fits dev/test workloads. ++Sharded cluster performance is dependent on the shard key you choose when creating a collection. Choose a shard key carefully to ensure that your data is evenly distributed across shards. ++## Next steps ++- Follow the [Use Studio 3T with Azure Cosmos DB](../connect-using-mongochef.md) tutorial to learn how to create a connection between your Azure Cosmos DB database and MongoDB app in Studio 3T. +- Follow the [Import MongoDB data into Azure Cosmos DB](../../../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%253ftoc%253d%2fazure%2fcosmos-db%2ftoc.json) tutorial to import your data to an Azure Cosmos DB database. |
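Review bot: the "### Choosing a server version" subsection tells readers to pick "the server version that works best for you" and mentions "old API versions such as 4.0 and 3.6", but the supported-versions list that the deleted mongodb/introduction.md carried (with links to the feature-support pages) is not carried over, so this new RU article gives no way to see which versions exist; add the list back here or link to the feature support matrix. Two naming points: the H2 "## How Cosmos DB for MongoDB works" should read "How Cosmos DB for MongoDB RU works" to match the rest of the article, and "Use the automatic [premigration assessment](../pre-migration-steps.md)" replaces the forms.office.com link with a relative path that should be verified to exist under mongodb/ before merge.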
cosmos-db | Migration Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/migration-options.md | -This document describes the various options to lift and shift your MongoDB workloads to Azure Cosmos DB for MongoDB vCore-based offering. +This document describes the various options to lift and shift your MongoDB workloads to Azure Cosmos DB for MongoDB vCore offering. ## Premigration assessment The [Azure Cosmos DB Migration for MongoDB extension](/sql/azure-data-studio/ext ## Native MongoDB tools (Offline) -You can use the native MongoDB tools such as *mongodump/mongorestore*, *mongoexport/mongoimport* to migrate datasets offline (without replicating live changes) to Azure Cosmos DB for MongoDB vCore-based offering. +You can use the native MongoDB tools such as *mongodump/mongorestore*, *mongoexport/mongoimport* to migrate datasets offline (without replicating live changes) to Azure Cosmos DB for MongoDB vCore offering. | Scenario | MongoDB native tool | | | | |
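Review bot: both replacement lines drop "-based" but leave the sentence without an article, so "to Azure Cosmos DB for MongoDB vCore offering" now reads worse than before; use "to the Azure Cosmos DB for MongoDB vCore offering" or simply "to Azure Cosmos DB for MongoDB vCore" in the intro sentence and in the "## Native MongoDB tools (Offline)" paragraph. Since this is a product-name cleanup, grep the rest of the vcore/ folder for remaining "vCore-based" occurrences so the rename is consistent across the doc set.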
cosmos-db | Vector Search | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/vector-search.md | Use vector search in Azure Cosmos DB for MongoDB vCore to seamlessly integrate y ## What is vector search? -Vector search is a method that helps you find similar items based on their data characteristics rather than by exact matches on a property field. This technique is useful in applications such as searching for similar text, finding related images, making recommendations, or even detecting anomalies. It works by taking the vector representations (lists of numbers) of your data that you created by using a machine learning model by using or an embeddings API. Examples of embeddings APIs are [Azure OpenAI Embeddings](/azure/ai-services/openai/how-to/embeddings) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/). It then measures the distance between the data vectors and your query vector. The data vectors that are closest to your query vector are the ones that are found to be most similar semantically. +Vector search is a method that helps you find similar items based on their data characteristics rather than by exact matches on a property field. This technique is useful in applications such as searching for similar text, finding related images, making recommendations, or even detecting anomalies. It works by taking the [vector representations](../../../ai-services/openai/concepts/understand-embeddings.md) (lists of numbers) of your data that you created by using a machine learning model by using or an embeddings API. Examples of embeddings APIs are [Azure OpenAI Embeddings](/azure/ai-services/openai/how-to/embeddings) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/). It then measures the distance between the data vectors and your query vector. 
The data vectors that are closest to your query vector are the ones that are found to be most similar semantically. -By integrating vector search capabilities natively, you can unlock the full potential of your data in applications that are built on top of the OpenAI API. You can also create custom-built solutions that use vector embeddings. +By integrating vector search capabilities natively, you can unlock the full potential of your data in applications that are built on top of the [OpenAI API](../../../ai-services/openai/concepts/understand-embeddings.md). You can also create custom-built solutions that use vector embeddings. ## Use the createIndexes template to create a vector index This command creates a `vector-ivf` index against the `vectorContent` property i ### Add vectors to your database -To add vectors to your database's collection, you first need to create the embeddings by using your own model, [Azure OpenAI Embeddings](../../../cognitive-services/openai/tutorials/embeddings.md), or another API (such as [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/)). In this example, new documents are added through sample embeddings: +To add vectors to your database's collection, you first need to create the [embeddings](../../../ai-services/openai/concepts/understand-embeddings.md) by using your own model, [Azure OpenAI Embeddings](../../../cognitive-services/openai/tutorials/embeddings.md), or another API (such as [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/)). In this example, new documents are added through sample embeddings: ```javascript db.exampleCollection.insertMany([ In this example, `vectorIndex` is returned with all the `cosmosSearch` parameter ## Next steps -This guide demonstrates how to create a vector index, add documents that have vector data, perform a similarity search, and retrieve the index definition. 
By using vector search, you can efficiently store, index, and query high-dimensional vector data directly in Azure Cosmos DB for MongoDB vCore. Vector search enables you to unlock the full potential of your data via vector embeddings, and it empowers you to build more accurate, efficient, and powerful applications. +This guide demonstrates how to create a vector index, add documents that have vector data, perform a similarity search, and retrieve the index definition. By using vector search, you can efficiently store, index, and query high-dimensional vector data directly in Azure Cosmos DB for MongoDB vCore. Vector search enables you to unlock the full potential of your data via [vector embeddings](../../../ai-services/openai/concepts/understand-embeddings.md), and it empowers you to build more accurate, efficient, and powerful applications. > [!div class="nextstepaction"] > [Build AI apps with Azure Cosmos DB for MongoDB vCore vector search](vector-search-ai.md)+* Learn more about [Azure OpenAI embeddings](../../../ai-services/openai/concepts/understand-embeddings.md) +* Learn how to [generate embeddings using Azure OpenAI](../../../ai-services/openai/tutorials/embeddings.md) |
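Review bot: the first `+` line in the "## What is vector search?" section keeps the garbled phrase "that you created by using a machine learning model by using or an embeddings API"; since the line is being touched anyway, fix it to "that you created by using a machine learning model or an embeddings API". The same change also links the embeddings tutorial under two different relative paths, `../../../cognitive-services/openai/tutorials/embeddings.md` in "### Add vectors to your database" and `../../../ai-services/openai/tutorials/embeddings.md` in the new "Next steps" bullet; use the ai-services path in both places, matching the other links this change adds. Finally, `understand-embeddings.md` is now linked four times in one article (intro, "OpenAI API", "vector embeddings", and the new bullet); linking the first mention and the Next steps bullet is enough.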
cosmos-db | Best Practices Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/best-practices-javascript.md | + + Title: Best practices for JavaScript SDK ++description: Review a list of best practices for using the Azure Cosmos DB JavaScript SDK in a performant manner. ++++++ Last updated : 09/11/2023+++# Best practices for JavaScript SDK in Azure Cosmos DB for NoSQL +++This guide includes best practices for solutions built using the latest version of the JavaScript SDK for Azure Cosmos DB for NoSQL. The best practices included here helps improve latency, improve availability, and boost overall performance for your solutions. ++## Account configuration ++- Make sure to run your application in the same [Azure region](../distribute-data-globally.md) as your Azure Cosmos DB account, whenever possible to reduce latency. Enable 2-4 regions and replicate your accounts in multiple regions for [best availability](../distribute-data-globally.md). For production workloads, enable [service-managed failover](../how-to-manage-database-account.md#configure-multiple-write-regions). In the absence of this configuration, the account experiences loss of write availability for all the duration of the write region outage, as manual failover can't succeed due to lack of region connectivity. For more information on how to add multiple regions using the JavaScript SDK, see the [global distribution tutorial](tutorial-global-distribution.md). ++## SDK usage ++- Always using the [latest version](sdk-nodejs.md) of the Azure Cosmos DB SDK available for optimal performance. +- Use a [single instance](/javascript/api/@azure/cosmos/cosmosclient?view=azure-node-latest&preserve-view=true) of `CosmosClient` for the lifetime of your application for better performance. 
+- Set the [preferredRegions](/javascript/api/@azure/cosmos/connectionpolicy?view=azure-node-latest#@azure-cosmos-connectionpolicy-preferredlocations&preserve-view=true) in the SDK using [ConnectionPolicy](./tutorial-global-distribution.md). During failovers, write operations are sent to the current write region and all reads are sent to the first region within your preferred regions list. For more information about regional failover mechanics, see [availability troubleshooting](troubleshoot-sdk-availability.md). +- A transient error is an error that has an underlying cause that soon resolves itself. Applications that connect to your database should be built to expect these transient errors. To handle them, implement retry logic in your code instead of surfacing them to users as application errors. The SDK has built-in logic to handle these transient failures on retryable requests like read or query operations. The SDK can't retry on writes for transient failures as writes aren't idempotent. The SDK does allow users to configure retry logic for throttles. For details on which errors to retry on [visit here](conceptual-resilient-sdk-applications.md#should-my-application-retry-on-errors). +- Use SDK logging to capture extra diagnostic information and troubleshoot latency issues. ++## Data design ++- The request charge of a specified operation correlates directly to the size of the document. We recommend reducing the size of your documents as operations on large documents cost more than operations on smaller documents. +- Some characters are restricted and can't be used in some identifiers: '/', '\\', '?', '#'. The general recommendation is to not use any special characters in identifiers like database name, collection name, item ID, or partition key to avoid any unexpected behavior. 
+- The Azure Cosmos DB indexing policy also allows you to specify which document paths to include or exclude from indexing by using indexing paths `IndexingPolicy#getIncludedPaths()` and `IndexingPolicy#getExcludedPaths()`. Ensure that you exclude unused paths from indexing for faster writes. For more information, see [creating indexes using the SDK sample](performance-tips-java-sdk-v4.md#indexing-policy). ++## Host characteristics ++- You may run into connectivity/availability issues due to lack of resources on your client machine. Monitor your CPU utilization on nodes running the Azure Cosmos DB client, and scale up/out if usage is high. Also, consider running your workload using the [cluster](https://nodejs.org/api/cluster.html) module. +- For most common cases of production workloads, we highly recommend using at least 4-cores and 8-GB memory VMs whenever possible. +- If using a virtual machine to run your application, enable [Accelerated Networking](../../virtual-network/create-vm-accelerated-networking-powershell.md) on your VM to help with bottlenecks due to high traffic and reduce latency or CPU jitter. You might also want to consider using a higher end Virtual Machine where the max CPU usage is under 70%. +- By default, query results are returned in chunks of 100 items or 4 MB, whichever limit is hit first. If a query returns more than 100 items, increase the page size to reduce the number of round trips required. Memory consumption increases as page size increases. ++## Next steps ++> [!div class="nextstepaction"] +> [Partitioning and scaling in Azure Cosmos DB](../partitioning-overview.md). |
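Review bot: the "## Data design" bullet on indexing paths is copied from the Java guide: it names `IndexingPolicy#getIncludedPaths()` / `IndexingPolicy#getExcludedPaths()` and links to `performance-tips-java-sdk-v4.md#indexing-policy`, neither of which applies to the JavaScript SDK this article is about; reword it around the JavaScript SDK's `IndexingPolicy` object (its `includedPaths` and `excludedPaths` properties) and link to a JavaScript or general indexing-policy page. In "## SDK usage", the bullet calls the setting `preferredRegions` while its own link anchor is `#@azure-cosmos-connectionpolicy-preferredlocations`; the `ConnectionPolicy` property is `preferredLocations`, so the text should use that name. Grammar nits while touching the file: "Always using the latest version" should be "Always use the latest version", and "The best practices included here helps improve" should be "help improve".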
cosmos-db | Change Feed Design Patterns | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/change-feed-design-patterns.md | For example, the change feed helps you perform the following tasks efficiently: - Implement an application-level data tiering and archival. For example, you can store "hot data" in Azure Cosmos DB and age out "cold data" to other storage systems such as [Azure Blob Storage](../../storage/common/storage-introduction.md). -When you have to [denormalize data across partitions and containers](model-partition-example.md#v2-introducing-denormalization-to-optimize-read-queries -), you can read from your container's change feed as a source for this data replication. Real-time data replication with the change feed can guarantee only eventual consistency. You can [monitor how far the change feed processor lags behind](how-to-use-change-feed-estimator.md) in processing changes in your Azure Cosmos DB container. +When you have to [denormalize data across partitions and containers](model-partition-example.md#v2-introducing-denormalization-to-optimize-read-queries), you can read from your container's change feed as a source for this data replication. Real-time data replication with the change feed can guarantee only eventual consistency. You can [monitor how far the change feed processor lags behind](how-to-use-change-feed-estimator.md) in processing changes in your Azure Cosmos DB container. ## Event sourcing |
cosmos-db | Change Feed Pull Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/change-feed-pull-model.md | Machine 2: [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeedpull/SampleChangeFeedPullModel.java?name=Machine2)] +### [JavaScript](#tab/JavaScript) ++To process the change feed by using the pull model, create an instance of `ChangeFeedPullModelIterator`. When you initially create `ChangeFeedPullModelIterator`, you must specify a required `changeFeedStartFrom` value inside the `ChangeFeedIteratorOptions` which consists of both the starting position for reading changes and the resource(a partition key or a FeedRange) for which changes are to be fetched. +> [!NOTE] +> If no `changeFeedStartFrom` value is specified, then changefeed will be fetched for an entire container from Now(). +> Currently, only [latest version](change-feed-modes.md#latest-version-change-feed-mode) is supported by JS SDK and is selected by default. ++You can optionally use `maxItemCount` in `ChangeFeedIteratorOptions` to set the maximum number of items received per page. +Here's an example of how to obtain the iterator in latest version mode that returns entity objects: ++```js +const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning() +}; ++const iterator = container.items.getChangeFeedIterator(options); +``` ++### Consume the changes for an entire container ++If you don't supply a `FeedRange` or `PartitionKey` parameter inside `ChangeFeedStartFrom`, you can process an entire container's change feed at your own pace. 
Here's an example, which starts reading all changes, starting at the current time: ++```js +async function waitFor(milliseconds: number): Promise<void> { + return new Promise((resolve) => setTimeout(resolve, milliseconds)); +} ++const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning() +}; ++const iterator = container.items.getChangeFeedIterator(options); ++let timeout = 0; ++while(iterator.hasMoreResults) { + const response = await iterator.readNext(); + if (response.statusCode === StatusCodes.NotModified) { + timeout = 5000; + } + else { + console.log("Result found", response.result); + timeout = 0; + } + await waitFor(timeout); +} +``` ++Because the change feed is effectively an infinite list of items that encompass all future writes and updates, the value of `hasMoreResults` is always `true`. When you try to read the change feed and there are no new changes available, you receive a response with `NotModified` status. In the preceding example, it's handled by waiting five seconds before rechecking for changes. ++### Consume the changes for a partition key ++In some cases, you might want to process only the changes for a specific partition key. You can obtain iterator for a specific partition key and process the changes the same way that you can for an entire container. 
++```js +async function waitFor(milliseconds: number): Promise<void> { + return new Promise((resolve) => setTimeout(resolve, milliseconds)); +} ++const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning("partitionKeyValue") +}; ++const iterator = container.items.getChangeFeedIterator(options); ++let timeout = 0; ++while(iterator.hasMoreResults) { + const response = await iterator.readNext(); + if (response.statusCode === StatusCodes.NotModified) { + timeout = 5000; + } + else { + console.log("Result found", response.result); + timeout = 0; + } + await waitFor(timeout); +} +``` ++### Use FeedRange for parallelization ++In the change feed pull model, you can use the `FeedRange` to parallelize the processing of the change feed. A `FeedRange` represents a range of partition key values. ++Here's an example that shows how to get a list of ranges for your container: ++```js +const ranges = await container.getFeedRanges(); +``` ++When you get a list of `FeedRange` values for your container, you get one `FeedRange` per [physical partition](../partitioning-overview.md#physical-partitions). ++By using a `FeedRange`, you can create iterator to parallelize the processing of the change feed across multiple machines or threads. Unlike the previous example that showed how to obtain a changefeed iterator for the entire container or a single partition key, you can use FeedRanges to obtain multiple iterators, which can process the change feed in parallel. 
++Here's a sample that shows how to read from the beginning of the container's change feed by using two hypothetical separate machines that read in parallel: ++Machine 1: ++```js +async function waitFor(milliseconds: number): Promise<void> { + return new Promise((resolve) => setTimeout(resolve, milliseconds)); +} ++const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning(ranges[0]) +}; ++const iterator = container.items.getChangeFeedIterator(options); ++let timeout = 0; ++while(iterator.hasMoreResults) { + const response = await iterator.readNext(); + if (response.statusCode === StatusCodes.NotModified) { + timeout = 5000; + } + else { + console.log("Result found", response.result); + timeout = 0; + } + await waitFor(timeout); +} +``` ++Machine 2: ++```js +async function waitFor(milliseconds: number): Promise<void> { + return new Promise((resolve) => setTimeout(resolve, milliseconds)); +} ++const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning(ranges[1]) +}; ++const iterator = container.items.getChangeFeedIterator(options); ++let timeout = 0; ++while(iterator.hasMoreResults) { + const response = await iterator.readNext(); + if (response.statusCode === StatusCodes.NotModified) { + timeout = 5000; + } + else { + console.log("Result found", response.result); + timeout = 0; + } + await waitFor(timeout); +} +``` ++### Save continuation tokens ++You can save the position of your iterator by obtaining the continuation token. A continuation token is a string value that keeps of track of your changefeed iterator last processed changes and allows the iterator to resume at this point later. The continuation token, if specified, takes precedence over the start time and start from beginning values. The following code reads through the change feed since container creation. After no more changes are available, it will persist a continuation token so that change feed consumption can be later resumed. 
++```js +const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning() +}; ++const iterator = container.items.getChangeFeedIterator(options); ++let timeout = 0; +let continuation = ""; +while(iterator.hasMoreResults) { + const response = await iterator.readNext(); + if (response.statusCode === StatusCodes.NotModified) { + continuation = response.continuationToken; + break; + } + else { + console.log("Result found", response.result); + } +} ++// For checking any new changes using the continuation token +const continuationOptions = { + changeFeedStartFrom: ChangeFeedStartFrom(continuation) +} +const newIterator = container.items.getChangeFeedIterator(continuationOptions); +``` +Continuation token never expires as long as the Azure Cosmos DB container still exists. ++### Use AsyncIterator ++You can use the JavaScript Async Iterator to fetch the changefeed. Here is an example to use Async Iterator. ++```js +async function waitFor(milliseconds: number): Promise<void> { + return new Promise((resolve) => setTimeout(resolve, milliseconds)); +} +const options = { + changeFeedStartFrom: ChangeFeedStartFrom.Beginning() +}; +let timeout = 0; ++for await(const result of container.items.getChangeFeedIterator(options).getAsyncIterator()) { + if (result.statusCode === StatusCodes.NotModified) { + timeout = 5000; + } + else { + console.log("Result found", result.result); + timeout = 0; + } + await waitFor(timeout); +} +``` ## Next steps |
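Review bot: in the "Save continuation tokens" sample, `changeFeedStartFrom: ChangeFeedStartFrom(continuation)` calls `ChangeFeedStartFrom` as a function, whereas every other sample in this tab goes through a static factory (`ChangeFeedStartFrom.Beginning(...)`); resume from a token with the continuation factory (`ChangeFeedStartFrom.Continuation(continuation)`), otherwise the snippet fails at runtime. Three further problems in the same added tab: the blocks are fenced as ```js but use TypeScript annotations (`milliseconds: number`, `Promise<void>`), so fence them as ts or strip the types; the Machine 1 and Machine 2 samples index into `ranges` without the `const ranges = await container.getFeedRanges();` line shown earlier, so each machine's sample should include it; and the "Consume the changes for an entire container" text says the example "starts reading all changes, starting at the current time" while the code uses `ChangeFeedStartFrom.Beginning()`, so either switch to `ChangeFeedStartFrom.Now()` (which the note above says is the default) or correct the sentence. The imports of `ChangeFeedStartFrom` and `StatusCodes` from `@azure/cosmos` are also never shown.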
cosmos-db | How To Java Change Feed | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-java-change-feed.md | cd azure-cosmos-java-sql-api-sample/src/main/java/com/azure/cosmos/examples/chan 1. Configure the [`ChangeFeedProcessorOptions`](/java/api/com.azure.cosmos.models.changefeedprocessoroptions) in a Java application using Azure Cosmos DB and Azure Cosmos DB Java SDK V4. The [`ChangeFeedProcessorOptions`](/java/api/com.azure.cosmos.models.changefeedprocessoroptions) provides essential settings to control the behavior of the Change Feed Processor during data processing. [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=ChangeFeedProcessorOptions)] -2. Initialize [`ChangeFeedProcessor`](/java/api/com.azure.cosmos.changefeedprocessor) with relevant configurations, including the host name, feed container, lease container, and data handling logic. The [`start()`](/java/api/com.azure.cosmos.changefeedprocessor#com-azure-cosmos-changefeedprocessor-start()) method initiates the data processing, enabling concurrent and real-time processing of incoming data changes from the feed container. +2. Initialize [ChangeFeedProcessor](/java/api/com.azure.cosmos.changefeedprocessor) with relevant configurations, including the host name, feed container, lease container, and data handling logic. The [start()](/java/api/com.azure.cosmos.changefeedprocessor#com-azure-cosmos-changefeedprocessor-start()) method initiates the data processing, enabling concurrent and real-time processing of incoming data changes from the feed container. [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=StartChangeFeedProcessor)] 3. Specify the delegate handles incoming data changes using the `handleChanges()` method. The method processes the received JsonNode documents from the Change Feed. 
As a developer you have two options for handling the JsonNode document provided to you by Change Feed. One option is to operate on the document in the form of a JsonNode. This is great especially if you don't have a single uniform data model for all documents. The second option - transform the JsonNode to a POJO having the same structure as the JsonNode. Then you can operate on the POJO. |
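Review bot: the change strips the code font from the link text for `ChangeFeedProcessor` and `start()` while step 3 keeps `handleChanges()` in backticks; pick one convention for API names in this list and apply it to all three.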
cosmos-db | Index Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/index-metrics.md | You can enable indexing metrics for a query by setting the `PopulateIndexMetrics return Flux.just(itemsResponse); }).blockLast(); ```++## [JavaScript SDK](#tab/javascript) +```javascript +const querySpec = { + query: "SELECT TOP 10 c.id FROM c WHERE c.Item = 'value1234' AND c.Price > 2", + }; +const { resources: resultsIndexMetrics, indexMetrics } = await container.items + .query(querySpec, { populateIndexMetrics: true }) + .fetchAll(); +console.log("IndexMetrics: ", indexMetrics); +``` ### Example output |
cosmos-db | Reference Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/reference-functions.md | If a new distributed table isn't related to other tables, it's best to specify `colocate_with => 'none'`. **shard\_count:** (Optional) the number of shards to create for the new-distributed table. When specifying `shard_count` you canΓÇÖt specify a value of +distributed table. When specifying `shard_count` you can't specify a value of `colocate_with` other than none. To change the shard count of an existing table-or colocation group, use the [alter_distributed_table](#alter_distributed_table -function. +or colocation group, use the [alter_distributed_table](#alter_distributed_table) function. Possible values for `shard_count` are between 1 and 64000. For guidance on choosing the optimal value, see [Shard Count](howto-shard-count.md). timestamptz. **older_than:** (timestamptz) change partitions whose upper range is less than or equal to older_than. -**new_access_method:** (name) either ΓÇÿheapΓÇÖ for row-based storage, or -ΓÇÿcolumnarΓÇÖ for columnar storage. +**new_access_method:** (name) either 'heap' for row-based storage, or +'columnar' for columnar storage. #### Return Value SELECT * from citus_remote_connection_stats(); ``` ```- hostname | port | database_name | connection_count_to_node + hostname | port | database_name | connection_count_to_node -+++-- citus_worker_1 | 5432 | postgres | 3 (1 row) |
cosmos-db | Rag Data Openai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/rag-data-openai.md | You can employ RAG by utilizing native vector search within Azure Cosmos DB for - [Vector search with Azure Cognitive Search](../search/vector-search-overview.md) - [Vector search with Azure Cosmos DB for MongoDB vCore](mongodb/vcore/vector-search.md) - [Vector search with Azure Cosmos DB PostgreSQL](postgresql/howto-use-pgvector.md)+- Learn more about [Azure OpenAI embeddings](../ai-services/openai/concepts/understand-embeddings.md) +- Learn how to [generate embeddings using Azure OpenAI](../ai-services/openai/tutorials/embeddings.md) |
data-factory | Security And Access Control Troubleshoot Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/security-and-access-control-troubleshoot-guide.md | If none of the preceding methods works, contact Microsoft for help. #### Symptoms -You created managed private endpoint from ADF and obtained an approved private endpoint. But, after deleting or rejecting the private endpoint later, the managed private endpoint in ADF still persists to exist and shows ΓÇ£ApprovedΓÇ¥. +You created managed private endpoint from ADF and obtained an approved private endpoint. But, after deleting or rejecting the private endpoint later, the managed private endpoint in ADF still persists to exist and shows "Approved". #### Cause To resolve the issue, do the following: You're unable to register the IR authentication key on the self-hosted VM because the private link is enabled. You receive the following error message: -"Failed to get service token from ADF service with key *************** and time cost is: 0.1250079 second, the error code is: InvalidGatewayKey, activityId is: XXXXXXX and detailed error message is Client IP address is not valid private ip Cause Data factory couldnΓÇÖt access the public network thereby not able to reach out to the cloud to make the successful connection." +"Failed to get service token from ADF service with key *************** and time cost is: 0.1250079 second, the error code is: InvalidGatewayKey, activityId is: XXXXXXX and detailed error message is Client IP address is not valid private ip Cause Data factory couldn't access the public network thereby not able to reach out to the cloud to make the successful connection." 
#### Cause Try to enable public network access on the user interface, as shown in the follo -### Service private DNS zone overrides Azure Resource Manager DNS resolution causing ΓÇÿNot foundΓÇÖ error +### Service private DNS zone overrides Azure Resource Manager DNS resolution causing 'Not found' error #### Cause-Both Azure Resource Manager and the service are using the same private zone creating a potential conflict on customerΓÇÖs private DNS with a scenario where the Azure Resource Manager records will not be found. +Both Azure Resource Manager and the service are using the same private zone creating a potential conflict on customer's private DNS with a scenario where the Azure Resource Manager records will not be found. #### Resolution 1. Find Private DNS zones **privatelink.azure.com** in Azure portal. :::image type="content" source="media/security-access-control-troubleshoot-guide/private-dns-zones.png" alt-text="Screenshot of finding Private DNS zones."::: 2. Check if there is an A record **adf**. :::image type="content" source="media/security-access-control-troubleshoot-guide/a-record.png" alt-text="Screenshot of A record.":::-3. Go to **Virtual network links**, delete all records. +3. Go to **Virtual network links**, delete all records. :::image type="content" source="media/security-access-control-troubleshoot-guide/virtual-network-link.png" alt-text="Screenshot of virtual network link.":::-4. Navigate to your service in Azure portal and recreate the private endpoint for the portal. +4. Navigate to your service in Azure portal and recreate the private endpoint for the portal. :::image type="content" source="media/security-access-control-troubleshoot-guide/create-private-endpoint.png" alt-text="Screenshot of recreating private endpoint.":::-5. Go back to Private DNS zones, and check if there is a new private DNS zone **privatelink.adf.azure.com**. +5. Go back to Private DNS zones, and check if there is a new private DNS zone **privatelink.adf.azure.com**. 
:::image type="content" source="media/security-access-control-troubleshoot-guide/check-dns-record.png" alt-text="Screenshot of new DNS record."::: ### Connection error in public endpoint You can reassign access to the following permissions: **Get, Unwrap Key, and Wra * Customer deleted Key Vault / CMK before deleting the service. CMK in the service should have "Soft Delete" enabled and "Purge Protect" enabled which has default retention policy of 90 days. You can restore the deleted key. -Please review [Recover deleted Key](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-soft-deleted-secrets-keys-and-certificates ) and [Deleted Key Value](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault) +Please review [Recover deleted Key](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-soft-deleted-secrets-keys-and-certificates) and [Deleted Key Value](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault) * User Assigned Managed Identity (UA-MI) was deleted before the service. You can recover from this by using REST API calls, you can do this in an http client of your choice in any programming language. If you have not anything already set up for REST API calls with Azure authentication, the easiest way to do this would be by using POSTMAN/Fiddler. Please follow following steps. |
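Review bot: resolution step 3 of the private DNS zone section, touched here only for trailing whitespace, says "Go to **Virtual network links**, delete all records"; records and virtual network links are different objects in a Private DNS zone, and removing every link on a shared `privatelink.azure.com` zone stops resolution for any other service whose private endpoint relies on that zone. Scope the step to the specific link or the `adf` A record identified in step 2, and state the blast radius. Separately, the re-encoded symptom sentence for the managed private endpoint still reads "still persists to exist"; "still exists" is enough.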
data-factory | Self Hosted Integration Runtime Troubleshoot Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-troubleshoot-guide.md | How to determine whether you're affected: :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/trusted-root-ca-check.png" alt-text="Screenshot showing the DigiCert Global Root G2 folder in the Trusted Root Certification Authorities directory."::: - If it isn't in the trusted root CA, [download it here](http://cacerts.digicert.com/DigiCertGlobalRootG2.crt ). + If it isn't in the trusted root CA, [download it here](http://cacerts.digicert.com/DigiCertGlobalRootG2.crt). ## Next steps |
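Review bot: the corrected link still downloads the DigiCert Global Root G2 certificate over plain `http://`, and the surrounding procedure has the reader import it into Trusted Root Certification Authorities; a root fetched over an unauthenticated channel can be substituted in transit. Use the `https://` form of the URL and add a step to compare the downloaded certificate's thumbprint with the value DigiCert publishes before trusting it.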
data-lake-analytics | Data Lake Analytics Data Lake Tools For Vscode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/data-lake-analytics-data-lake-tools-for-vscode.md | To sign out, enter the command **ADL: Logout**. Expand **AZURE DATALAKE**, select **Sign in to Azure**, and then follow step 3 and step 4 of [To connect to Azure by using a command](#sign-in-by-command). -!["Sign in to Azure" selection in the explorer](./media/data-lake-analytics-data-lake-tools-for-vscode/data-lake-tools-for-vscode-sign-in-from-explorer.png ) +!["Sign in to Azure" selection in the explorer](./media/data-lake-analytics-data-lake-tools-for-vscode/data-lake-tools-for-vscode-sign-in-from-explorer.png) You can't sign out from the explorer. To sign out, see [To connect to Azure by using a command](#sign-in-by-command). |
dev-box | Quickstart Create Dev Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-create-dev-box.md | To complete this quickstart, you need: |**Project**|Select a project from the dropdown list. | |**Dev box pool**|Select a pool from the dropdown list, which includes all the dev box pools for that project. | - :::image type="content" source="./media/quickstart-create-dev-box/add-dev-box.png" alt-text="Screenshot of the dialog for adding a dev box."::: + :::image type="content" source="./media/quickstart-create-dev-box/create-dev-box.png" alt-text="Screenshot of the dialog for adding a dev box."::: -4. Select **Add** to begin creating your dev box. + You may see the following information: + - How many dev boxes you can create in the project that you selected, if the project has limits configured. + - Whether hibernation is supported or not. + - A shutdown time if the pool where you're creating the dev box has a shutdown schedule. -5. Use the home page of the developer portal to track the progress of creation. +4. Select **Create** to begin creating your dev box. - :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-creating.png" alt-text="Screenshot of the developer portal that shows the dev box card with a status of Creating."::: +5. Use the dev box tile in the developer portal to track the progress of creation. ++ :::image type="content" source="./media/quickstart-create-dev-box/dev-box-tile-creating.png" alt-text="Screenshot of the developer portal that shows the dev box card with a status of Creating."::: [!INCLUDE [dev box runs on creation note](./includes/note-dev-box-runs-on-creation.md)] ## Connect to a dev box -After you provision a dev box, one way to access it quickly is through a browser: +After you create a dev box, one way to access it quickly is through a browser: 1. Sign in to the [developer portal](https://aka.ms/devbox-portal). 
When you no longer need your dev box, you can delete it: ## Next steps -In this quickstart, you created a dev box through the developer portal and connected to it by using a browser. To learn how to connect to a dev box by using a Remote Desktop app, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md). +In this quickstart, you created a dev box through the developer portal and connected to it by using a browser. ++To learn how to connect to a dev box by using a Remote Desktop app, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md). |
event-grid | Subscribe To Graph Api Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/subscribe-to-graph-api-events.md | Last updated 09/01/2022 This article describes steps to subscribe to events published by Microsoft Graph API. The following table lists the resources for which events are available through Graph API. For every resource, events for create, update and delete state changes are supported. > [!IMPORTANT]-> Microsoft Graph API's ability to send events to Azure Event Grid is currently in **private preview**. If you have questions or need support, please email us [mailto:ask-graph-and-grid@microsoft.com?subject=Support Request](<mailto:ask-graph-and-grid@microsoft.com?subject=Support Request>). +> Microsoft Graph API's ability to send events to Azure Event Grid is currently in **private preview**. If you have questions or need support, email us at [ask-graph-and-grid@microsoft.com](mailto:ask-graph-and-grid@microsoft.com?subject=Support%20Request). |Microsoft event source |Resource(s) | Available event types | |: | : | :-| |
event-hubs | Event Hubs Federation Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-federation-overview.md | example, you can: Azure Synapse Analytics, etc.) to perform batch analytics or train machine learning models based on very large, indexed pools of historical data. - Store projections (also called "materialized views") in databases ([SQL- Database](../stream-analytics/sql-database-output.md), [Azure Cosmos DB](../stream-analytics/azure-cosmos-db-output.md) ). + Database](../stream-analytics/sql-database-output.md), [Azure Cosmos DB](../stream-analytics/azure-cosmos-db-output.md)). ### Stateless replication applications in Azure Functions |
event-hubs | Schema Registry Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/schema-registry-concepts.md | You can use one of the following libraries to include an Avro serializer, which - [Java - azure-data-schemaregistry-avro](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/schemaregistry/azure-data-schemaregistry-apacheavro) - [Python - azure-schemaregistry-avroserializer](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/schemaregistry/azure-schemaregistry-avroencoder/) - [JavaScript - @azure/schema-registry-avro](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro)-- [Apache Kafka](https://github.com/Azure/azure-schema-registry-for-kafka/) - Run Kafka-integrated Apache Avro serializers and deserializers backed by Azure Schema Registry. The Java client's Apache Kafka client serializer for the Azure Schema Registry can be used in any Apache Kafka scenario and with any Apache Kafka┬« based deployment or cloud service. +- [Apache Kafka](https://github.com/Azure/azure-schema-registry-for-kafka/) - Run Kafka-integrated Apache Avro serializers and deserializers backed by Azure Schema Registry. The Java client's Apache Kafka client serializer for the Azure Schema Registry can be used in any Apache Kafka scenario and with any Apache Kafka® based deployment or cloud service. - **Azure CLI** - For an example of adding a schema to a schema group using CLI, see [Adding a schema to a schema group using CLI](https://github.com/Azure/azure-event-hubs/tree/master/samples/Management/CLI/AddschematoSchemaGroups). - **PowerShell** - For an example of adding a schema to a schema group using PowerShell, see [Adding a schema to a schema group using PowerShell](https://github.com/Azure/azure-event-hubs/tree/master/samples/Management/PowerShell/AddingSchematoSchemagroups). 
For instructions on creating registering an application using the Azure portal, - See the following **Schema Registry Avro client library** samples. - [.NET](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/schemaregistry/Microsoft.Azure.Data.SchemaRegistry.ApacheAvro/tests/Samples) - [Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/schemaregistry/azure-data-schemaregistry-apacheavro/src/samples)- - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro/samples ) + - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro/samples) - [Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/schemaregistry/azure-schemaregistry-avroencoder/samples) - [Kafka Avro Integration for Azure Schema Registry](https://github.com/Azure/azure-schema-registry-for-kafka/tree/master/csharp/avro/samples) |
event-hubs | Schema Registry Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/schema-registry-overview.md | Having schemas stored alongside the events and inside the eventing infrastructur - See the following **Schema Registry Avro client library** samples. - [.NET](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/schemaregistry/Microsoft.Azure.Data.SchemaRegistry.ApacheAvro/tests/Samples) - [Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/schemaregistry/azure-data-schemaregistry-apacheavro/src/samples)- - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro/samples ) + - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro/samples) - [Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/schemaregistry/azure-schemaregistry-avroencoder/samples) - [Kafka Avro Integration for Azure Schema Registry](https://github.com/Azure/azure-schema-registry-for-kafka/tree/master/csharp/avro/samples) |
expressroute | Cross Network Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/cross-network-connectivity.md | Let's configure Global VNet peering between the VNets in Contoso and Fabrikam Az The following picture shows the network architecture after configuring Global VNet peering. -![The Architecture after VNet-peering](./media/cross-network-connectivity/vnet-peering.png ) +![The Architecture after VNet-peering](./media/cross-network-connectivity/vnet-peering.png) The following table shows the routes known to the Contoso subscription VM. Pay attention to the last entry of the table. This entry is the result of cross connecting the virtual networks. |
expressroute | Expressroute Locations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations.md | If you're remote and don't have fiber connectivity, or you want to explore other | **[Tamares Telecom](http://www.tamarestelecom.com/our-services/#Connectivity)** | Equinix | London | | **[Tata Teleservices](https://www.tatatelebusiness.com/data-services/ez-cloud-connect/)** | Tata Communications | Chennai<br/>Mumbai | | **[TDC Erhverv](https://tdc.dk/Produkter/cloudaccessplus)** | Equinix | Amsterdam | -| **[Telecom Italia Sparkle](https://www.tisparkle.com/our-platform/corporate-platform/sparkle-cloud-connect#catalogue)**| Equinix | Amsterdam | +| **[Telecom Italia Sparkle](https://www.tisparkle.com/our-platform/corporate-platform/sparkle-cloud-connect)**| Equinix | Amsterdam | | **[Telekom Deutschland GmbH](https://cloud.telekom.de/de/infrastruktur/managed-it-services/managed-hybrid-infrastructure-mit-microsoft-azure)** | Interxion | Amsterdam<br/>Frankfurt | | **[Telia](https://www.telia.se/foretag/losningar/produkter-tjanster/datanet)** | Equinix | Amsterdam | | **[ThinkTel](https://www.thinktel.ca/services/agile-ix-data/expressroute/)** | Equinix | Toronto | If you're remote and don't have fiber connectivity, or you want to explore other | **[Digital Realty](https://www.digitalrealty.com/services/interconnection/service-exchange/)** | IX Reach<br/>Megaport PacketFabric | | **[EdgeConnex](https://www.edgeconnex.com/services/edge-data-centers-proximity-matters/)** | Megaport<br/>PacketFabric | | **[Flexential](https://www.flexential.com/connectivity/cloud-connect-microsoft-azure-expressroute)** | IX Reach<br/>Megaport<br/>PacketFabric |-| **[QTS Data Centers](https://www.qtsdatacenters.com/hybrid-solutions/connectivity/azure-cloud )** | Megaport<br/>PacketFabric | +| **[QTS Data Centers](https://www.qtsdatacenters.com/hybrid-solutions/connectivity/azure-cloud)** | Megaport<br/>PacketFabric | | **[Stream Data 
Centers](https://www.streamdatacenters.com/products-services/network-cloud/)** | Megaport | | **RagingWire Data Centers** | IX Reach<br/>Megaport<br/>PacketFabric | | **[T5 Datacenters](https://t5datacenters.com/)** | IX Reach | |
firewall-manager | Quick Secure Virtual Hub Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/quick-secure-virtual-hub-terraform.md | Multiple Azure resources are defined in the Terraform code. The following resour - [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) - [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) - [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)-- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association) - [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine) - [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) - [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) |
firewall | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/overview.md | To learn about Firewall Standard features, see [Azure Firewall Standard features ## Azure Firewall Premium - Azure Firewall Premium provides advanced capabilities include signature-based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic, or known malicious instruction sequences used by malware. There are more than 58,000 signatures in over 50 categories that are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks. + Azure Firewall Premium provides advanced capabilities include signature-based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic, or known malicious instruction sequences used by malware. There are more than 67,000 signatures in over 50 categories that are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks. ![Firewall Premium overview](media/overview/firewall-premium.png) |
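Review bot: the `+` line carries over the ungrammatical "provides advanced capabilities include signature-based IDPS" from the `-` line; rewrite it as "provides advanced capabilities, including signature-based IDPS," while the sentence is being touched. Separately, the signature count (58,000 raised to 67,000) is the kind of figure that goes stale between edits; consider qualifying it with "as of this writing" or dropping the exact number rather than bumping it on each revision.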
firewall | Premium Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/premium-features.md | IDPS signature rules have the following properties: |Signature ID |Internal ID for each signature. This ID is also presented in Azure Firewall Network Rules logs.| |Mode |Indicates if the signature is active or not, and whether firewall drops or alerts upon matched traffic. The below signature mode can override IDPS mode<br>- **Disabled**: The signature isn't enabled on your firewall.<br>- **Alert**: You receive alerts when suspicious traffic is detected.<br>- **Alert and Deny**: You receive alerts and suspicious traffic is blocked. Few signature categories are defined as ΓÇ£Alert OnlyΓÇ¥, therefore by default, traffic matching their signatures isn't blocked even though IDPS mode is set to ΓÇ£Alert and DenyΓÇ¥. Customers may override this by customizing these specific signatures to ΓÇ£Alert and DenyΓÇ¥ mode. <br><br>IDPS Signature mode is determined by one of the following reasons:<br><br> 1. Defined by Policy Mode ΓÇô Signature mode is derived from IDPS mode of the existing policy.<br>2. Defined by Parent Policy ΓÇô Signature mode is derived from IDPS mode of the parent policy.<br>3. Overridden ΓÇô You can override and customize the Signature mode.<br>4. Defined by System - Signature mode is set to *Alert Only* by the system due to its [category](idps-signature-categories.md). You may override this signature mode.<br><br>Note: IDPS alerts are available in the portal via network rule log query.| |Severity |Each signature has an associated severity level and assigned priority that indicates the probability that the signature is an actual attack.<br>- **Low (priority 3)**: An abnormal event is one that doesn't normally occur on a network or Informational events are logged. Probability of attack is low.<br>- **Medium (priority 2)**: The signature indicates an attack of a suspicious nature. 
The administrator should investigate further.<br>- **High (priority 1)**: The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.|-|Direction |The traffic direction for which the signature is applied.<br>- **Inbound**: Signature is applied only on traffic arriving from the Internet and destined to your [configured private IP address range](#idps-private-ip-ranges).<br>- **Outbound**: Signature is applied only on traffic sent from your [configured private IP address range](#idps-private-ip-ranges) to the Internet.<br>- **Bidirectional**: Signature is always applied on any traffic direction.| +|Direction |The traffic direction for which the signature is applied.<br><br>- **Inbound**: Signature is applied only on traffic arriving from the Internet and destined to your [configured private IP address range](#idps-private-ip-ranges).<br>- **Outbound**: Signature is applied only on traffic sent from your [configured private IP address range](#idps-private-ip-ranges) to the Internet.<br>- **Internal**: Signature is applied only on traffic sent from and destined to your [configured private IP address range](#idps-private-ip-ranges).<br>- **Any**: Signature is always applied on any traffic direction.| |Group |The group name that the signature belongs to.| |Description |Structured from the following three parts:<br>- **Category name**: The category name that the signature belongs to as described in [Azure Firewall IDPS signature rule categories](idps-signature-categories.md).<br>- High level description of the signature<br>- **CVE-ID** (optional) in the case where the signature is associated with a specific CVE.| |Protocol |The protocol associated with this signature.| |
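Review bot: the Mode cell in the unchanged context lines still contains mojibake (`ΓÇ£Alert OnlyΓÇ¥`, `ΓÇ£Alert and DenyΓÇ¥`, `Defined by Policy Mode ΓÇô`), which should be replaced with plain ASCII quotes and a hyphen in the same commit since this table is being edited anyway. In the `+` line, the Direction change replaces **Bidirectional** with **Any** and adds **Internal**; because Inbound, Outbound and Internal are all defined relative to the [configured private IP address range](#idps-private-ip-ranges), add one sentence noting that an Internal signature only matches traffic whose source and destination both fall inside that range, so readers understand that a private range which omits part of their address space silently removes east-west coverage.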
global-secure-access | How To Simulate Remote Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-simulate-remote-network.md | You need the public IP addresses of your virtual network gateway. These IP addre :::image type="content" source="media/how-to-simulate-remote-network/virtual-network-gateway-public-ip-addresses.png" alt-text="Screenshot showing how to find the public IP addresses of a virtual network gateway." lightbox="media/how-to-simulate-remote-network/virtual-network-gateway-public-ip-addresses.png"::: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](../active-directory/roles/permissions-reference.md#global-secure-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator). 1. Browse to **Global Secure Access Preview** > **Remote network** > **Create remote network**. 1. Provide a **Name** for your network, select an appropriate **Region**, then select **Next: Connectivity**. 1. On the **Connectivity** tab, select **Add a link**. |
governance | Gov Dod Impact Level 4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-dod-impact-level-4.md | initiative definition. ||||| |[\[Preview\]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2e94d99a-8a36-4563-bc77-810d8893b671) |Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/AB-CmkEncryption](../../../backup/encryption-at-rest-with-cmk.md). |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/AzBackupRSVault_CMKEnabled_Audit.json) | |[\[Preview\]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47031206-ce96-41f8-861b-6a915f3de284) |Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at [https://aka.ms/dps/CMK](../../../iot-dps/iot-dps-customer-managed-keys.md). 
|Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_CMKEncryptionEnabled_AuditDeny.json) |-|[Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a5ee18-2ae6-4810-86f7-18e39ce5629b) |Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/automation-cmk](../../../automation/automation-secure-asset-encryption.md#:~:text=Secure assets in Azure Automation include credentials, certificates, connections,,Using Microsoft-managed keys). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json) | +|[Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a5ee18-2ae6-4810-86f7-18e39ce5629b) |Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [Encryption of secure assets in Azure Automation](../../../automation/automation-secure-asset-encryption.md#microsoft-managed-keys). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json) | |[Azure Batch account should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F99e9ccd8-3db9-4592-b0d1-14b1715a4d8a) |Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/Batch-CMK](https://aka.ms/Batch-CMK). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_CustomerManagedKey_Audit.json) | |[Azure Container Instance container group should use customer-managed key for encryption](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0aa61e00-0a01-4a3c-9945-e93cffedf0e6) |Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. 
|Audit, Disabled, Deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Instance/ContainerInstance_CMK_Audit.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](../../../cosmos-db/how-to-setup-cmk.md). |disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) | |
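Review bot: in the `+` line the Azure Automation CMK row now links to `../../../automation/automation-secure-asset-encryption.md#microsoft-managed-keys`. That correctly drops the `#:~:text=` text fragment, which is a browser-only feature and not a valid anchor in a relative docs link, but the replacement anchor sends readers of a customer-managed-keys policy to the Microsoft-managed-keys section of the target page; point the link at that page's customer-managed-keys section (or the page top) instead, and verify the heading exists so the build does not emit a broken-anchor warning.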
governance | Gov Dod Impact Level 5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-dod-impact-level-5.md | initiative definition. ||||| |[\[Preview\]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2e94d99a-8a36-4563-bc77-810d8893b671) |Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/AB-CmkEncryption](../../../backup/encryption-at-rest-with-cmk.md). |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/AzBackupRSVault_CMKEnabled_Audit.json) | |[\[Preview\]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47031206-ce96-41f8-861b-6a915f3de284) |Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at [https://aka.ms/dps/CMK](../../../iot-dps/iot-dps-customer-managed-keys.md). 
|Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_CMKEncryptionEnabled_AuditDeny.json) |-|[Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a5ee18-2ae6-4810-86f7-18e39ce5629b) |Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/automation-cmk](../../../automation/automation-secure-asset-encryption.md#:~:text=Secure assets in Azure Automation include credentials, certificates, connections,,Using Microsoft-managed keys). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json) | +|[Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a5ee18-2ae6-4810-86f7-18e39ce5629b) |Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [Encryption of secure assets in Azure Automation](../../../automation/automation-secure-asset-encryption.md#microsoft-managed-keys). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json) | |[Azure Batch account should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F99e9ccd8-3db9-4592-b0d1-14b1715a4d8a) |Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/Batch-CMK](https://aka.ms/Batch-CMK). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_CustomerManagedKey_Audit.json) | |[Azure Container Instance container group should use customer-managed key for encryption](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0aa61e00-0a01-4a3c-9945-e93cffedf0e6) |Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. 
|Audit, Disabled, Deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Instance/ContainerInstance_CMK_Audit.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](../../../cosmos-db/how-to-setup-cmk.md). |disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) | |
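Review bot: the `+` line for the Azure Automation CMK row anchors to `#microsoft-managed-keys`, the section describing the default service-managed keys, even though the policy text in the same cell is about customer-managed keys; retarget the anchor to the customer-managed-keys section of `automation-secure-asset-encryption.md`, and keep this row identical to the corresponding row in the Impact Level 4 initiative page so the two compliance pages do not drift apart.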
governance | Guest Configuration Baseline Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/guest-configuration-baseline-linux.md | For more information, see [Azure Policy guest configuration](../concepts/guest-c |Ensure noexec option set on /dev/shm partition.<br /><sub>(1.1.16)</sub> |Description: Setting this option on a file system prevents users from executing programs from shared memory. This control deters users from introducing potentially malicious software on the system. |Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. For more information, see the fstab(5) manual pages. | |Disable automounting<br /><sub>(1.1.21)</sub> |Description: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lack permissions to mount it themselves. |Disable the autofs service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-autofs' | |Ensure mounting of USB storage devices is disabled<br /><sub>(1.1.21.1)</sub> |Description: Removing support for USB storage devices reduces the local attack surface of the server. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install usb-storage /bin/true` then unload the usb-storage module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |-|Ensure core dumps are restricted.<br /><sub>(1.5.1)</sub> |Description: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see `limits.conf(5)` ). In addition, setting the `fs.suid_dumpable` variable to 0 will prevent setuid programs from dumping core. 
|Add `hard core 0` to /etc/security/limits.conf or a file in the limits.d directory and set `fs.suid_dumpable = 0` in sysctl or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-core-dumps' | +|Ensure core dumps are restricted.<br /><sub>(1.5.1)</sub> |Description: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see `limits.conf(5)`). In addition, setting the `fs.suid_dumpable` variable to 0 will prevent setuid programs from dumping core. |Add `hard core 0` to /etc/security/limits.conf or a file in the limits.d directory and set `fs.suid_dumpable = 0` in sysctl or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-core-dumps' | |Ensure prelink is disabled.<br /><sub>(1.5.4)</sub> |Description: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc. |uninstall `prelink` using your package manager or run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-prelink' | |Ensure permissions on /etc/motd are configured.<br /><sub>(1.7.1.4)</sub> |Description: If the `/etc/motd` file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |Set the owner and group of /etc/motd to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' | |Ensure permissions on /etc/issue are configured.<br /><sub>(1.7.1.5)</sub> |Description: If the `/etc/issue` file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |Set the owner and group of /etc/issue to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' | |
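Review bot: the `+` line only removes a stray space inside `limits.conf(5)`, but the remediation cell it touches is incomplete in two ways worth fixing in the same edit. "Add `hard core 0` to /etc/security/limits.conf" omits the mandatory domain field; a limits.conf entry is `<domain> <type> <item> <value>`, so the line to add is `* hard core 0`. And "set `fs.suid_dumpable = 0` in sysctl" should say where to persist it (a file under `/etc/sysctl.d/`, then `sysctl -p`), otherwise a reader who runs `sysctl -w` alone loses the setting at the next reboot and the check fails again.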
hdinsight | Hbase Troubleshoot Pegged Cpu Region Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hbase/hbase-troubleshoot-pegged-cpu-region-server.md | Apache HBase region server process starts occupying close to 200% CPU, causing a ## Cause -If you are running HBase cluster v3.4, you might have been hit by a potential bug caused by upgrade of jdk to version 1.7.0_151. The symptom we see is region server process starts occupying close to 200% CPU (to verify this run the `top` command; if there is a process occupying close to 200% CPU get its pid and confirm it is region server process by running `ps -aux | grep` ). +If you are running HBase cluster v3.4, you might have been hit by a potential bug caused by upgrade of jdk to version 1.7.0_151. The symptom we see is region server process starts occupying close to 200% CPU. To verify this, run the `top` command; if there is a process occupying close to 200% CPU get its pid and confirm it is region server process by running `ps -aux | grep`. ## Resolution |
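Review bot: the `+` line still ends with a truncated command, `ps -aux | grep`, with no pattern after `grep`, so the verification step cannot be run as written; give the reader the full pipeline, for example `ps aux | grep HRegionServer` (HRegionServer being the region server's main class), and drop the dash from `ps -aux`, since `-aux` is the Unix-option form and is not guaranteed to be read as the BSD `aux` on every procps version.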
hdinsight | Hdinsight For Vscode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-for-vscode.md | For run a PySpark batch job, you can follow the normal steps to submit job to HD ## Apache Livy configuration -[Apache Livy](https://livy.incubator.apache.org/) configuration is supported. You can configure it in the **.VSCode\settings.json** file in the workspace folder. Currently, Livy configuration only supports Python script. For more information, see [Livy README](https://github.com/cloudera/livy/blob/master/README.rst ). +[Apache Livy](https://livy.incubator.apache.org/) configuration is supported. You can configure it in the **.VSCode\settings.json** file in the workspace folder. Currently, Livy configuration only supports Python script. For more information, see [Livy README](https://github.com/cloudera/livy/blob/master/README.rst). <a id="triggerlivyconf"></a>**How to trigger Livy configuration** |
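Review bot: the `+` line only removes a trailing space from the README URL, but it keeps pointing at the `cloudera/livy` repository even though the same sentence links the project under `livy.incubator.apache.org`; consider linking the README of the Apache repository instead so the two references agree. Also, `**.VSCode\settings.json**` should read `.vscode/settings.json`: the folder VS Code reads is lowercase, which matters on case-sensitive filesystems, and the backslash separator only applies on Windows while the extension is also used on Linux and macOS.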
iot-dps | How To Legacy Device Symm Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/how-to-legacy-device-symm-key.md | In this section, you'll prepare a development environment that's used to build t ``` >[!NOTE]- >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md). + >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/v3/migration_guide_provisioning.md). ::: zone-end |
iot-dps | Quick Create Simulated Device Symm Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/quick-create-simulated-device-symm-key.md | In this section, you prepare a development environment that's used to build the ``` >[!NOTE]- >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md). + >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. ::: zone-end |
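Review bot: the `+` line drops the pointer to the Python SDK migration guide entirely instead of repairing it, leaving readers on the v2 samples with no path to v3; the preceding row in this change set (how-to-legacy-device-symm-key.md) fixed the same note by retargeting the link to the `v3` branch, `https://github.com/Azure/azure-iot-sdk-python/blob/v3/migration_guide_provisioning.md`, and this page plus the two x509 rows that follow should do the same so all four notes stay consistent.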
iot-dps | Quick Create Simulated Device X509 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/quick-create-simulated-device-x509.md | git clone -b v2 https://github.com/Azure/azure-iot-sdk-python.git --recursive ``` >[!NOTE]->The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md). +>The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. ::: zone-end |
iot-dps | Tutorial Custom Hsm Enrollment Group X509 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/tutorial-custom-hsm-enrollment-group-x509.md | git clone -b v2 https://github.com/Azure/azure-iot-sdk-python.git --recursive ``` >[!NOTE]->The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md). +>The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. ::: zone-end |
iot-hub | Iot Hub Device Streams Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-device-streams-overview.md | -!["IoT Hub device streams overview"](./media/iot-hub-device-streams-overview/iot-hub-device-streams-overview.png ) +!["IoT Hub device streams overview"](./media/iot-hub-device-streams-overview/iot-hub-device-streams-overview.png) Using IoT Hub device streams, devices remain secure and will only need to open up outbound TCP connections to IoT hub's streaming endpoint over port 443. Once a stream is established, the service-side and device-side applications will each have programmatic access to a WebSocket client object to send and receive raw bytes to one another. The reliability and ordering guarantees provided by this tunnel is on par with TCP. |
load-balancer | Cross Region Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/cross-region-overview.md | Cross-region load balancer routes the traffic to the appropriate regional load b * Outbound rules aren't supported on Cross-region Load Balancer. For outbound connections, utilize [outbound rules](./outbound-rules.md) on the regional load balancer or [NAT gateway](../nat-gateway/nat-overview.md). ## Pricing and SLA-Cross-region load balancer shares the [SLA](https://azure.microsoft.com/support/legal/sla/load-balancer/v1_0/ ) of standard load balancer. +Cross-region load balancer shares the [SLA](https://azure.microsoft.com/support/legal/sla/load-balancer/v1_0/) of standard load balancer. ## Next steps |
machine-learning | Image Classification Multilabel | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/image-classification-multilabel.md | AutoML runs a number of trials (specified in `max_trials`) in parallel (`specifi 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. Visit this link for an [explanation on each primary metric for computer vision.](../how-to-auto-train-image-models.md#primary-metric) -1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms +1. (Optional) You are able to configure algorithm settings. Visit this link for a [list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#explanations) 1. (Optional) To configure job limits, visit [this link for more explanation.](../how-to-auto-train-image-models.md#job-limits) |
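Review bot: the `+` line fixes the broken `{list of ...](` markup and the missing `)`, but it also changes the anchor from `#supported-model-algorithms` to `#explanations`, which does not match the link text "list of supported algorithms for computer vision"; if the heading in how-to-auto-train-image-models.md was renamed, the anchor should name that heading, otherwise restore the original anchor. The same `#explanations` substitution appears in the image-classification and image-instance-segmentation rows below, so whichever anchor is correct should be applied to all three.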
machine-learning | Image Classification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/image-classification.md | AutoML runs a number of trials (specified in max_trials) in parallel (specified 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. Visit this link for an [explanation on each primary metric for computer vision.](../how-to-auto-train-image-models.md#primary-metric) -1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms +1. (Optional) You are able to configure algorithm settings. Visit this link for a [list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#explanations) 1. (Optional) To configure job limits, visit [this link for more explanation.](../how-to-auto-train-image-models.md#job-limits) |
machine-learning | Image Instance Segmentation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/image-instance-segmentation.md | AutoML runs a number of trials (specified in max_trials) in parallel (specified 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. Visit this link for an [explanation on each primary metric for computer vision.](../how-to-auto-train-image-models.md#primary-metric) -1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms +1. (Optional) You are able to configure algorithm settings. Visit this link for a [list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#explanations) 1. (Optional) To configure job limits, visit [this link for more explanation.](../how-to-auto-train-image-models.md#job-limits) |
machine-learning | Image Object Detection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/image-object-detection.md | AutoML runs a number of trials (specified in max_trials) in parallel (specified 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. Visit this link for an [explanation on each primary metric for computer vision.](../how-to-auto-train-image-models.md#primary-metric) -1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms +1. (Optional) You are able to configure algorithm settings. Visit this link for a [list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#explanations) 1. (Optional) To configure job limits, visit [this link for more explanation.](../how-to-auto-train-image-models.md#job-limits) |
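Review bot: The repaired link in the `(Optional) You are able to configure algorithm settings` step, here and in the three preceding image component rows (Image Classification Multilabel, Image Classification, Image Instance Segmentation), now points at an anchor that does not match its text: the link reads `list of supported algorithms for computer vision` but the new target is `../how-to-auto-train-image-models.md#explanations`, where the removed line used `#supported-model-algorithms`. Confirm that a heading with the `explanations` anchor exists in the target article and actually contains the algorithm list; if the list was merely renamed, point at that heading instead. While touching the line, move the period outside the link text (`[list of supported algorithms for computer vision](...).`).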
machine-learning | Text Classification Multilabel | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/text-classification-multilabel.md | This model requires a training and a validation dataset. The datasets must be in 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. -1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings +1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings) 1. (Optional) You are able to configure Hyperparameters. Visit this link for a [full list of configurable Hyperparameters](../how-to-auto-train-nlp-models.md#supported-hyperparameters) |
machine-learning | Text Classification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/text-classification.md | This model requires a training and a Validation dataset. The datasets must be in 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. -1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings +1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings) 1. (Optional) You are able to configure Hyperparameters. Visit this link for a [full list of configurable Hyperparameters](../how-to-auto-train-nlp-models.md#supported-hyperparameters) |
machine-learning | Text Ner | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference-v2/text-ner.md | This model requires a training and Validation dataset. The datasets must be in M 1. Specify the **Primary Metric** you want AutoML to use to measure your model's success. -1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings +1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings) 1. (Optional) You are able to configure Hyperparameters. Visit this link for a [full list of configurable Hyperparameters](../how-to-auto-train-nlp-models.md#supported-hyperparameters) |
machine-learning | Concept Automated Ml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-automated-ml.md | How-to articles provide additional detail into what functionality automated ML o ### Jupyter notebook samples -Review detailed code examples and use cases in the [GitHub notebook repository for automated machine learning samples](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/automl-standalone-jobs. +Review detailed code examples and use cases in the [GitHub notebook repository for automated machine learning samples](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/automl-standalone-jobs). ### Python SDK reference |
machine-learning | Concept Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-customer-managed-keys.md | +monikerRange: 'azureml-api-2 || azureml-api-1' # Customer-managed keys for Azure Machine Learning Azure Machine Learning is built on top of multiple Azure services. While the dat In addition to customer-managed keys, Azure Machine Learning also provides a [hbi_workspace flag](/python/api/azure-ai-ml/azure.ai.ml.entities.workspace). Enabling this flag reduces the amount of data Microsoft collects for diagnostic purposes and enables [extra encryption in Microsoft-managed environments](../security/fundamentals/encryption-atrest.md). This flag also enables the following behaviors: -* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster, provided you havenΓÇÖt created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters. +* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster, provided you haven't created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters. * Cleans up your local scratch disk between jobs. * Securely passes credentials for your storage account, container registry, and SSH account from the execution layer to your compute clusters using your key vault. In addition to customer-managed keys, Azure Machine Learning also provides a [hb ## Limitations -* The customer-managed key for resources the workspace depends on canΓÇÖt be updated after workspace creation. -* Resources managed by Microsoft in your subscription canΓÇÖt transfer ownership to you. +* The customer-managed key for resources the workspace depends on can't be updated after workspace creation. 
+* Resources managed by Microsoft in your subscription can't transfer ownership to you. * You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your workspace. ## How workspace metadata is stored The following resources store metadata for your workspace: -| Service | How itΓÇÖs used | +| Service | How it's used | | -- | -- | | Azure Cosmos DB | Stores job history data. | | Azure Cognitive Search | Stores indices that are used to help query your machine learning content. | These Microsoft-managed resources are located in a new Azure resource group is c Azure Machine Learning uses compute resources to train and deploy machine learning models. The following table describes the compute options and how data is encrypted by each one: | Compute | Encryption | | -- | -- | | Azure Container Instance | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Encrypt data with a customer-managed key](../container-instances/container-instances-encrypt-data.md). | | Azure Kubernetes Service | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Bring your own keys with Azure disks in Azure Kubernetes Services](../aks/azure-disk-customer-managed-keys.md). | | Azure Machine Learning compute instance | Local scratch disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. | | Azure Machine Learning compute cluster | OS disk encrypted in Azure Storage with Microsoft-managed keys. Temporary disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |+| Compute | Encryption | +| -- | -- | +| Azure Kubernetes Service | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Bring your own keys with Azure disks in Azure Kubernetes Services](../aks/azure-disk-customer-managed-keys.md). 
| +| Azure Machine Learning compute instance | Local scratch disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. | +| Azure Machine Learning compute cluster | OS disk encrypted in Azure Storage with Microsoft-managed keys. Temporary disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. | **Compute cluster** The OS disk for each compute node stored in Azure Storage is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. This compute target is ephemeral, and clusters are typically scaled down when no jobs are queued. The underlying virtual machine is de-provisioned, and the OS disk is deleted. Azure Disk Encryption isn't supported for the OS disk. The OS disk for compute instance is encrypted with Microsoft-managed keys in Azu ### HBI_workspace flag -* The `hbi_workspace` flag can only be set when a workspace is created. It canΓÇÖt be changed for an existing workspace. -* When this flag is set to True, it may increase the difficulty of troubleshooting issues because less telemetry data is sent to Microsoft. ThereΓÇÖs less visibility into success rates or problem types. Microsoft may not be able to react as proactively when this flag is True. +* The `hbi_workspace` flag can only be set when a workspace is created. It can't be changed for an existing workspace. +* When this flag is set to True, it may increase the difficulty of troubleshooting issues because less telemetry data is sent to Microsoft. There's less visibility into success rates or problem types. Microsoft may not be able to react as proactively when this flag is True. To enable the `hbi_workspace` flag when creating an Azure Machine Learning workspace, follow the steps in one of the following articles: |
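Review bot: The second `| Compute | Encryption |` table added by this change (the one without the Azure Container Instance row) follows the original table directly in the shown text (`...flag is enabled for the workspace. |+| Compute | Encryption |`), and no `::: moniker range` markers appear anywhere in the visible lines even though the front matter now declares `monikerRange: 'azureml-api-2 || azureml-api-1'`. If the zone directives are not in the omitted context, both tables render for every SDK version and the ACI row appears in one and not the other; confirm the zones are present before merging.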
machine-learning | How To Create Component Pipeline Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-create-component-pipeline-python.md | Now you've constructed the pipeline, you can submit to your workspace. To submit We'll use `DefaultAzureCredential` to get access to the workspace. `DefaultAzureCredential` should be capable of handling most Azure SDK authentication scenarios. -Reference for more available credentials if it doesn't work for you: [configure credential example](https://github.com/Azure/MachineLearningNotebooks/blob/master/configuration.ipynb), [azure-identity reference doc](/python/api/azure-identity/azure.identity?view=azure-python&preserve-view=true ). +Reference for more available credentials if it doesn't work for you: [configure credential example](https://github.com/Azure/MachineLearningNotebooks/blob/master/configuration.ipynb), [azure-identity reference doc](/python/api/azure-identity/azure.identity?view=azure-python&preserve-view=true). [!notebook-python[] (~/azureml-examples-main/sdk/python/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=credential)] |
machine-learning | How To Setup Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-setup-customer-managed-keys.md | +monikerRange: 'azureml-api-2 || azureml-api-1' # Use customer-managed keys with Azure Machine Learning In the [customer-managed keys concepts article](concept-customer-managed-keys.md | Resource provider | Why it's needed | | -- | -- | | Microsoft.MachineLearningServices | Creating the Azure Machine Learning workspace.- | Microsoft.Storage Azure | Storage Account is used as the default storage for the workspace. + | Microsoft.Storage Azure | Storage Account is used as the default storage for the workspace. | Microsoft.KeyVault |Azure Key Vault is used by the workspace to store secrets. | Microsoft.DocumentDB/databaseAccounts | Azure Cosmos DB instance that logs metadata for the workspace. | Microsoft.Search/searchServices | Azure Search provides indexing capabilities for the workspace. In the [customer-managed keys concepts article](concept-customer-managed-keys.md ## Limitations -* The customer-managed key for resources the workspace depends on canΓÇÖt be updated after workspace creation. -* Resources managed by Microsoft in your subscription canΓÇÖt transfer ownership to you. +* The customer-managed key for resources the workspace depends on can't be updated after workspace creation. +* Resources managed by Microsoft in your subscription can't transfer ownership to you. * You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your workspace. * The key vault that contains your customer-managed key must be in the same Azure subscription as the Azure Machine Learning workspace. * OS disk of machine learning compute can't be encrypted with customer-managed key, but can be encrypted with Microsoft-managed key if the workspace is created with `hbi_workspace` parameter set to `TRUE`. 
For more details, see [Data encryption](concept-data-encryption.md#machine-learning-compute). Once the workspace has been created, you'll notice that Azure resource group is For more information on customer-managed keys with Azure Cosmos DB, see [Configure customer-managed keys for your Azure Cosmos DB account](../cosmos-db/how-to-setup-cmk.md). ### Azure Container Instance > [!IMPORTANT] To use the key when deploying a model to Azure Container Instance, create a new For more information on creating and using a deployment configuration, see the following articles: -* [AciWebservice.deploy_configuration()](/python/api/azureml-core/azureml.core.webservice.aci.aciwebservice#deploy-configuration-cpu-cores-none--memory-gb-none--tags-none--properties-none--description-none--location-none--auth-enabled-none--ssl-enabled-none--enable-app-insights-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--ssl-cname-none--dns-name-label-none--primary-key-none--secondary-key-none--collect-model-data-none--cmk-vault-base-url-none--cmk-key-name-none--cmk-key-version-none-) reference -* [Where and how to deploy](how-to-deploy-online-endpoints.md) +* [AciWebservice.deploy_configuration()](/python/api/azureml-core/azureml.core.webservice.aci.aciwebservice#deploy-configuration-cpu-cores-none--memory-gb-none--tags-none--properties-none--description-none--location-none--auth-enabled-none--ssl-enabled-none--enable-app-insights-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--ssl-cname-none--dns-name-label-none--primary-key-none--secondary-key-none--collect-model-data-none--cmk-vault-base-url-none--cmk-key-name-none--cmk-key-version-none-) * [Deploy a model to Azure Container Instances (SDK/CLI v1)](v1/how-to-deploy-azure-container-instance.md) For more information on using a customer-managed key with ACI, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).- ### Azure Kubernetes Service You may encrypt a deployed Azure Kubernetes Service resource 
using customer-managed keys at any time. For more information, see [Bring your own keys with Azure Kubernetes Service](../aks/azure-disk-customer-managed-keys.md). |
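Review bot: In the resource provider table, the line `+ | Microsoft.Storage Azure | Storage Account is used as the default storage for the workspace.` only drops a stray `-` and keeps the misplaced column separator: the provider is `Microsoft.Storage` and `Azure` belongs to the description, so the row should read `| Microsoft.Storage | Azure Storage Account is used as the default storage for the workspace.` Separately, the Limitations bullet that says the compute OS disk `can be encrypted with Microsoft-managed key if the workspace is created with hbi_workspace parameter set to TRUE` disagrees with the compute table in the concept article row above, which states that the compute cluster OS disk is always encrypted with Microsoft-managed keys and that the flag governs the temporary (scratch) disk; align the two so readers do not conclude that the OS disk is unencrypted without the flag.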
machine-learning | How To Troubleshoot Online Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-troubleshoot-online-endpoints.md | Others: * [InvalidDeploymentSpec](#error-invaliddeploymentspec) * [PodUnschedulable](#error-podunschedulable) * [PodOutOfMemory](#error-podoutofmemory)-* [InferencingClientCallFailed](#error-inferencingclientcallfailed ) +* [InferencingClientCallFailed](#error-inferencingclientcallfailed) ### ERROR: ACRSecretError This is because extension cannot get principal credential from Azure because the This is because the Kubernetes cluster request AAD token failed or timeout, please check your network accessibility then try again. -* You can follow the [Configure required network traffic](../machine-learning/how-to-access-azureml-behind-firewall.md#scenario-use-kubernetes-compute ) to check the outbound proxy, make sure the cluster can connect to workspace. +* You can follow the [Configure required network traffic](../machine-learning/how-to-access-azureml-behind-firewall.md#scenario-use-kubernetes-compute) to check the outbound proxy, make sure the cluster can connect to workspace. * The workspace endpoint url can be found in online endpoint CRD in cluster. If your workspace is a private workspace which disabled public network access, the Kubernetes cluster should only communicate with that private workspace through the private link. This is a list of common model consumption errors resulting from the endpoint `i Managed online endpoints have bandwidth limits for each endpoint. You find the limit configuration in [Manage and increase quotas for resources with Azure Machine Learning](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints). If your bandwidth usage exceeds the limit, your request will be delayed. To monitor the bandwidth delay: -- Use metric ΓÇ£Network bytesΓÇ¥ to understand the current bandwidth usage. 
For more information, see [Monitor managed online endpoints](how-to-monitor-online-endpoints.md).+- Use metric "Network bytes" to understand the current bandwidth usage. For more information, see [Monitor managed online endpoints](how-to-monitor-online-endpoints.md). - There are two response trailers will be returned if the bandwidth limit enforced: - `ms-azureml-bandwidth-request-delay-ms`: delay time in milliseconds it took for the request stream transfer. - `ms-azureml-bandwidth-response-delay-ms`: delay time in milliseconds it took for the response stream transfer. |
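Review bot: The bullet right after the repaired `Network bytes` line still reads `There are two response trailers will be returned if the bandwidth limit enforced`; since this hunk already edits the list, fix the grammar in the same change, for example `Two response trailers are returned when the bandwidth limit is enforced:`. The earlier context line `the Kubernetes cluster request AAD token failed or timeout, please check your network accessibility` has the same problem (`the Kubernetes cluster's request for an AAD token failed or timed out; check network accessibility`).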
machine-learning | Monitor Resource Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/monitor-resource-reference.md | |
machine-learning | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/introduction.md | For more information on installing and using the different extensions, see the f For more information on installing and using the different SDK versions: -* `azureml-core` - [Install the Azure Machine Learning SDK (v1) for Python](/python/api/overview/azure/ml/install?view=azure-ml-py&preserve-view=true ) +* `azureml-core` - [Install the Azure Machine Learning SDK (v1) for Python](/python/api/overview/azure/ml/install?view=azure-ml-py&preserve-view=true) * `azure-ai-ml` - [Install the Azure Machine Learning SDK (v2) for Python](https://aka.ms/sdk-v2-install) |
managed-instance-apache-cassandra | Configure Hybrid Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/configure-hybrid-cluster.md | This quickstart demonstrates how to use the Azure CLI commands to configure a hy 1. Certs signed by a CA. This can be a self-signed CA or even a public one. In this case we need the root CA certificate (refer to instructions on [preparing SSL certificates for production](https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureSSLCertWithCA.html)), and all intermediaries (if applicable). - Optionally, if you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS) as well, you need to provide the certificates in the same format as when creating the hybrid cluster. See Azure CLI sample below - the certificates are provided in the `--client-certificates` parameter. This will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit cassandra.yaml settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options )). + Optionally, if you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS) as well, you need to provide the certificates in the same format as when creating the hybrid cluster. See Azure CLI sample below - the certificates are provided in the `--client-certificates` parameter. This will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit cassandra.yaml settings). 
Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options)). > [!NOTE] > The value of the `delegatedManagementSubnetId` variable you will supply below is exactly the same as the value of `--scope` that you supplied in the command above: |
managed-instance-apache-cassandra | Create Cluster Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-cluster-cli.md | Configuring client certificates is **optional**. A client application can connec - Self signed certs. This means a private and public (no CA) certificate for each node - in this case we need all public certificates. - Certs signed by a CA. This can be a self-signed CA or even a public one. In this case we need the root CA certificate (refer to [instructions on preparing SSL certificates](https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureSSLCertWithCA.html) for production), and all intermediaries (if applicable). -If you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS), you need to provide the certificates via Azure CLI. The below command will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit `cassandra.yaml` settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options )). +If you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS), you need to provide the certificates via Azure CLI. The below command will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit `cassandra.yaml` settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options)). 
```azurecli-interactive resourceGroupName='<Resource_Group_Name>' |
managed-instance-apache-cassandra | Create Cluster Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-cluster-portal.md | Configuring client certificates is **optional**. A client application can connec - Self signed certs. This means a private and public (no CA) certificate for each node - in this case we need all public certificates. - Certs signed by a CA. This can be a self-signed CA or even a public one. In this case we need the root CA certificate (refer to [instructions on preparing SSL certificates](https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureSSLCertWithCA.html) for production), and all intermediaries (if applicable). -If you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS), you need to provide the certificates via Azure CLI. The below command will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit `cassandra.yaml` settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options )). +If you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS), you need to provide the certificates via Azure CLI. The below command will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit `cassandra.yaml` settings). 
Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options)). ```azurecli-interactive resourceGroupName='<Resource_Group_Name>' |
migrate | Tutorial Migrate Vmware Agent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-migrate-vmware-agent.md | Select VMs for migration. 12. In **Cache storage account**, keep the default option to use the cache storage account that is automatically created for the project. Use the dropdown if you'd like to specify a different storage account to use as the cache storage account for replication. <br/> > [!NOTE] >- > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault ) + > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault) > - To replicate using ExpressRoute with private peering, create a private endpoint for the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1) 13. In **Availability options**, select: - Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Availability Zones. If you select this option, you'll need to specify the Availability Zone to use for each of the selected machine in the Compute tab. This option is only available if the target region selected for the migration supports Availability Zones |
networking | Load Balancer Linux Cli Load Balance Multiple Websites Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/scripts/load-balancer-linux-cli-load-balance-multiple-websites-vm.md | This script sample creates a virtual network with two virtual machines (VM) that ## Sample script -[!code-azurecli-interactive[main](../../../cli_scripts/load-balancer/load-balance-multiple-web-sites-vm/load-balance-multiple-web-sites-vm.sh "Load balance multiple web sites")] +[!code-azurecli-interactive [main](../../../cli_scripts/load-balancer/load-balance-multiple-web-sites-vm/load-balance-multiple-web-sites-vm.sh "Load balance multiple web sites")] ## Clean up deployment |
notification-hubs | Notification Hubs High Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-high-availability.md | Last updated 08/22/2023 Android, Windows, etc.) from any back-end (cloud or on-premises). This article describes the configuration options to achieve the availability characteristics required by your solution. For more information about our SLA, see the [Notification Hubs SLA][]. > [!NOTE]-> The following feature is available in preview: +> The following feature is now available in general availability (GA): > > - Availability zones >-> Availability zones support will incur an additional cost on top of existing tier pricing. You will not be charged to preview the feature. Once it becomes generally available, you are automatically billed. +> Availability zones support will incur an additional cost on top of existing tier pricing. Starting October 9th 2023, you are automatically billed. Notification Hubs offers two availability configurations: |
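Review bot: The replacement line `The following feature is now available in general availability (GA)` is redundant; `is now generally available (GA)` reads better. The removed sentence `You will not be charged to preview the feature` carried the billing consequence, and the new one, `Starting October 9th 2023, you are automatically billed`, should say what the automatic billing is tied to (having availability zones enabled, per the preceding sentence about the additional cost) so readers know which configuration incurs the charge.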
openshift | Azure Redhat Openshift Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/azure-redhat-openshift-release-notes.md | +## Update - September 2023 ++To create a private cluster without a public IP address, you can now add the parameter `--outbound-type UserDefinedRouting` to the `aro create` command. See [Create a private cluster without a public IP address](howto-create-private-cluster-4x.md#create-a-private-cluster-without-a-public-ip-address) for details. ++A cluster that is deployed with this feature and is running version 4.11 or higher can be scaled to 120 nodes and 30,000 pods. + ## Version 4.12 - August 2023 We're pleased to announce the launch of OpenShift 4.12 for Azure Red Hat OpenShift. This release enables [OpenShift Container Platform 4.12](https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html). |
postgresql | Concepts Azure Ad Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-azure-ad-authentication.md | The following table provides a list of high-level Azure AD features and capabili | Disable Password Authentication | Not Available | Available | | Service Principal can act as group member | No | Yes | | Audit Azure AD Logins | No | Yes |-| PG bouncer support | No | Yes (New Servers) | +| PG bouncer support | No | Yes | ## How Azure AD Works In Flexible Server |
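Review bot: Changing `Yes (New Servers)` to `Yes` in the `PG bouncer support` row widens the claim to every Flexible Server. If servers created before the change only gain Azure AD authentication through PgBouncer after an update or restart, keep the qualifier or add a footnote stating the condition; otherwise administrators of older servers will expect Azure AD logins through PgBouncer to work and will troubleshoot an authentication failure that is really an unsupported configuration.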
postgresql | Concepts Connection Pooling Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-connection-pooling-best-practices.md | + + Title: Connection pooling best practices - Azure Database for PostgreSQL - Flexible Server +description: This article describes the best practices for connection pooling in Azure Database for PostgreSQL - Flexible Server. +++++ Last updated : 08/30/2023+++# Connection pooling strategy for PostgreSQL Using PgBouncer +++Strategic guidance for selecting connection pooling mechanism for PostgreSQL. ++## Introduction ++When using PostgreSQL, establishing a connection to the database involves creating a communication channel between the client application and the server. This channel is responsible for managing data, executing queries, and initiating transactions. Once the connection is established, the client application can send commands to the server and receive responses. However, creating a new connection for each operation can cause performance issues for mission-critical applications. Every time a new connection is created, PostgreSQL spawns a new process using the postmaster process, which consumes more resources. ++To mitigate this issue, connection pooling is used to create a cache of connections that can be reused in PostgreSQL. When an application or client requests a connection, it's created from the connection pool. After the session or transaction is completed, the connection is returned to the pool for reuse. By reusing connections, resources usage is reduced, and performance is improved. +++Although there are different tools for connection pooling, in this section, we discuss different strategies to use connection pooling using **PgBouncer**. ++## What is PgBouncer? 
++**PgBouncer** is an efficient connection pooler designed for PostgreSQL, offering the advantage of reducing processing time and optimizing resource usage in managing multiple client connections to one or more databases. **PgBouncer** incorporates three distinct pooling mode for connection rotation: ++- **Session pooling:** This method assigns a server connection to the client application for the entire duration of the client's connection. Upon disconnection of the client application, PgBouncer promptly returns the server connection back to the pool. This pooling mechanism is the default setting. (Note: It isn't recommended in most of the cases and don't give any performance benefits over classic connections). +- **Transaction pooling:** With transaction pooling, a server connection is dedicated to the client application during a transaction. Once the transaction is successfully completed, **PgBouncer** intelligently releases the server connection, making it available again within the pool. Transaction pooling is the default mode in Flexible server, and it does not support prepared transactions. +- **Statement pooling:** In statement pooling, a server connection is allocated to the client application for each individual statement. Upon the statement's completion, the server connection is promptly returned to the connection pool. It's important to note that multi-statement transactions are not supported in this mode. ++The effective utilization of PgBouncer can be categorized into three distinct usage patterns. ++- **PgBouncer and Application Colocation deployment** +- **Application independent centralized PgBouncer deployments** +- **Inbuilt PgBouncer and Database deployment** +++Each of these patterns has its own advantages & disadvantages. ++## 1. PgBouncer and application colocation Deployment ++When utilizing this approach, PgBouncer is deployed on the same server where your application is hosted. 
The application & PgBouncer can be deployed either on traditional virtual machines or within a microservices-based architecture as highlighted: ++### I. PgBouncer deployed in Application VM ++If your application runs on an Azure VM, you can set up PgBouncer on the same VM. To install and configure PgBouncer as a connection pooling proxy with Azure Database for PostgreSQL, follow the instructions provided in the following [link](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/steps-to-install-and-setup-pgbouncer-connection-pooling-proxy/ba-p/730555). ++++Deploying PgBouncer in an application server can provide several advantages, especially when working with PostgreSQL databases. Some of the key benefits & limitations of this deployment method are: ++**Benefits:** ++- **Reduced Latency:** By deploying **PgBouncer** on the same Application VM, communication between the primary application and the connection pooler is efficient due to their proximity. deploying PgBouncer in Application VM minimizes latency and ensures smooth and swift interactions. +- **Improved security:** **PgBouncer** can act as a secure intermediary between the application and the database, providing an extra layer of security. It can enforce authentication and encryption, ensuring that only authorized clients can access the database. ++Overall, deploying PgBouncer in an application server provides a more efficient, secure, and scalable approach to managing connections to PostgreSQL databases, enhancing the performance and reliability of the application. ++**Limitations:** ++- **Single point of failure:** If PgBouncer is deployed as a single instance on the application server, it becomes a potential single point of failure. If the PgBouncer instance goes down, it can disrupt the entire database connection pool, causing downtime for the application. To mitigate Single point of failure, you can set up multiple PgBouncer instances behind a load balancer for high availability. 
+- **Limited scalability:** PgBouncer scalability depends on the capacity of the server where it's deployed. If the application server reaches its connection limit, PgBouncer may become a bottleneck, limiting the ability to scale the application. You may need to distribute the connection load across multiple PgBouncer instances or consider alternative solutions like connection pooling at the application level. +- **Configuration complexity:** Configuring and fine-tuning PgBouncer can be complex, especially when considering factors such as connection limits, pool sizing, and load balancing. Administrators need to carefully tune the PgBouncer configuration to match the application's requirements and ensure optimal performance and stability. ++It's important to weigh these limitations against the benefits and evaluate whether PgBouncer is the right choice for your specific application and database setup. ++### II. PgBouncer deployed as an AKS sidecar ++It's possible to utilize **PgBouncer** as a sidecar container if your application is containerized and running on [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/services/kubernetes-service/), [Azure Container Instance (ACI)](https://azure.microsoft.com/products/container-instances), [Azure Container Apps (ACA)](https://azure.microsoft.com/products/container-apps/), or [Azure Red Hat OpenShift (ARO)](https://azure.microsoft.com/products/openshift/). The Sidecar pattern draws its inspiration from the concept of a sidecar that attached to a motorcycle, where an auxiliary container, known as the sidecar container, is attached to a parent application. This pattern enriches the parent application by extending its functionalities and delivering supplementary support. ++The sidecar pattern is typically used with containers being coscheduled as an atomic container group. 
deploying PgBouncer in an AKS sidecar tightly couples the application and sidecar lifecycles and shares resources such as hostname and networking to make efficient use of resources. The PgBouncer sidecar operates alongside the application container within the same pod in Azure Kubernetes Service (AKS) with 1:1 mapping, serving as a connection pooling proxy for Azure Database for PostgreSQL. ++This sidecar pattern is typically used with containers being coscheduled as an atomic container group. sidecar pattern strongly binds the application and sidecar lifecycles and has shared resources such hostname and networking. By using this setup, PgBouncer optimizes connection management and facilitates efficient communication between the application and the Azure Database for PostgreSQL. ++Microsoft has published a [**PgBouncer** sidecar proxy image](https://hub.docker.com/_/microsoft-azure-oss-db-tools-pgbouncer-sidecar) in Microsoft container registry. ++Refer [this](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/steps-to-install-and-setup-pgbouncer-connection-pooling-on-azure/ba-p/3633043) for more details. +++Some of the key benefits & limitations of this deployment method are: ++**Benefits:** ++- **Reduced Latency:** By deploying **PgBouncer** as an AKS sidecar, communication between the primary application and the connection pooler is seamless and efficient due to their proximity. Deploying PgBouncer an AKS sidecar minimizes latency and ensures smooth and swift interactions. +- **Simplified Management and Deployment:** The tight coupling of **PgBouncer** with the application container simplifies the management and deployment process. Both components are tightly integrated, allowing for easier administration and seamless coordination. +- **High Availability and Connection Resiliency:** If an application container failure or restart, the **PgBouncer** sidecar container closely follows, ensuring high availability. 
This setup guarantees connection resiliency and maintains predictable performance even during failovers, contributing to a reliable and robust system. ++By considering PgBouncer as an AKS sidecar, you can use these advantages to enhance your application's performance, streamline management, and ensure continuous availability of the connection pooler. ++**Limitations:** ++- **Connection Performance Issues:** Largehund-scale applications that utilize thousands of pods, each running sidecar PgBouncer, may encounter potential challenges related to database connection exhaustion. This situation can result in performance degradation and service disruptions. Deploying a sidecar PgBouncer for each pod increases the number of concurrent connections to the database server, which can exceed its capacity. As a result, the database may struggle to handle the high volume of incoming connections, may lead to performance issues such as increased response times or even service outages. +- **Complex Deployment:** The utilization of the sidecar pattern introduces a level of complexity to the deployment process, as it involves running two containers within the same pod. This can potentially complicate troubleshooting and debugging activities, requiring extra effort to identify and resolve issues. +- **Scaling Challenges:** Moreover, it's important to note that the sidecar pattern may not be the ideal choice for applications that demand high scalability. The inclusion of a sidecar container can impose more resource requirements, potentially limiting the number of pods that can be effectively created and managed. ++While considering this sidecar pattern, it's crucial to carefully assess the trade-offs between deployment complexity and scalability requirements to determine the most appropriate approach for your specific application scenario. ++## 2. 
Application independent - centralized PgBouncer deployment ++When utilizing this approach, PgBouncer is deployed as a centralized service, independent of the application. The PgBouncer service can be deployed either on traditional virtual machines or within a microservices-based architecture as highlighted: ++### I. PgBouncer deployed in ubuntu VM ++**PgBouncer** connection proxy is set up between the application and database layer as shown in the image. Since Azure Database for PostgreSQL is a fully managed platform service, user won't be able to install any external services on DB server. In this case, if your application is running on an Azure VM, you can set up **PgBouncer** on the same VM. If the application is running on a managed service like Azure App Services or Azure Functions, you need to provision a separate Ubuntu VM to run **PgBouncer** proxy. ++Refer [link](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/steps-to-install-and-setup-pgbouncer-connection-pooling-proxy/ba-p/730555) to install and set up PgBouncer connection pooling proxy with Azure Database for PostgreSQL. ++++Some of the key benefits & limitations of this deployment method are: ++**Benefits:** ++- **Seamless Integration with Managed +- **Simplified Setup on Azure VM:** If you're already running your application on an Azure VM, setting up PgBouncer on the same VM is straightforward. deploying the PgBouncer in VM ensures that PgBouncer is deployed in close proximity to your application, minimizing network latency and maximizing performance. +- **Non-Intrusive Configuration:** By deploying PgBouncer on a VM, you can avoid modifying server parameters on Azure PostgreSQL. This is useful when you want to configure PgBouncer on a flexible server. For example, changing the SSLMODE parameter to "required" on Azure PostgreSQL might cause certain applications that rely on SSLMODE=FALSE to fail. 
Deploying PgBouncer on a separate VM allows you to maintain the default server configuration while still using PgBouncer's benefits. +++By considering these benefits, deploying PgBouncer on a VM offers a convenient and efficient solution for enhancing the performance and compatibility of your application running on Azure infrastructure. ++**Limitations:** ++- **Single point of failure:** As **PgBouncer** is configured on standalone VM, connection pooling might not work if the VM is unavailable. This may result in errors in application connectivity. +- **Management overhead:** As **PgBouncer** is installed in VM, there might be management overhead to manage multiple configuration files. This makes it difficult to cope up with version upgrades, new releases, and product updates. +- **Feature parity:** If you're migrating from traditional PostgreSQL to Azure PostgreSQL and using **PgBouncer**, there might be some features gaps. For example, lack of md5 support in Azure PostgreSQL. ++### II. Centralized PgBouncer deployed as a service within AKS ++If you're working with highly scalable and large containerized deployments on Azure Kubernetes Service (AKS), consisting of hundreds of pods, or in situations where multiple applications need to connect to a shared database, **PgBouncer** can be employed as a standalone service rather than a sidecar container. ++By utilizing **PgBouncer** as a separate service, you can efficiently manage and handle connection pooling for your applications on a broader scale. This approach allows for centralizing the connection pooling functionality, enabling multiple applications to connect to the same database resource while maintaining optimal performance and resource utilization. ++[**PgBouncer** sidecar proxy image](https://hub.docker.com/_/microsoft-azure-oss-db-tools-pgbouncer-sidecar) published in Microsoft container registry can be used to create and deploy a service. 
+++Some of the key benefits & limitations of this deployment method are: ++**Benefits:** ++- **Enhanced Reliability:** Deploying **PgBouncer** as a standalone service allows for configuration in a highly available manner. This improves the overall reliability of the connection pooling infrastructure, ensuring continuous availability even in the face of failures or disruptions. +- **Optimal Resource Utilization:** If your application or the database server has limited resources, opting for a separate machine dedicated to running the **PgBouncer** service can be advantageous. By deploying **PgBouncer** on a machine with ample resources, you can ensure optimal performance and prevent resource contention issues. +- **Centralized Connection Management:** When centralized management of database connections is a requirement, a standalone **PgBouncer** service provides a more streamlined approach. By consolidating connection management tasks into a centralized service, you can effectively monitor and control database connections across multiple applications, simplifying administration and ensuring consistency. ++By considering **PgBouncer** as a standalone service within AKS, you can use these benefits to achieve improved reliability, resource efficiency, and centralized management of database connections. ++**Limitations:** ++- **Increased N/W Latency:** When deploying **PgBouncer** as a standalone service, it's important to consider the potential introduction of more latency. This is due to the need for connections to be passed between the application and the PgBouncer service over the network. It's crucial to evaluate the latency requirements of your application and consider the trade-offs between centralized connection management and potential latency issues. 
++While **PgBouncer** running as a standalone service offers benefits such as centralized management and resource optimization, it's important to assess the impact of potential latency on your application's performance to ensure it aligns with your specific requirements. ++## 3. Inbuilt PgBouncer in Azure Database for PostgreSQL Flexible Server ++Azure Database for PostgreSQL ΓÇô Flexible Server offers [PgBouncer](https://github.com/pgbouncer/pgbouncer) as a built-in connection pooling solution. This is offered as an optional service that can be enabled on a per-database server basis. PgBouncer runs in the same virtual machine as the Postgres database server. As the number of connections increases beyond a few hundreds or thousand, Postgres may encounter resource limitations. In such cases, built-in PgBouncer can provide a significant advantage by improving the management of idle and short-lived connections at the database server. ++Refer link to enable and set up PgBouncer connection pooling in Azure DB for PostgreSQL Flexible server. ++Some of the key benefits & limitations of this deployment method are: ++**Benefits:** ++- **Seamless Configuration:** With the inbuilt **PgBouncer** in Flexible Server, there is no need for a separate installation or complex setup. It can be easily configured directly from the server parameters, ensuring a hassle-free experience. +- **Managed Service Convenience:** As a managed service, users can enjoy the advantages of other Azure managed services. This includes automatic updates, eliminating the need for manual maintenance and ensuring that **PgBouncer** stays up to date with the latest features and security patches. +- **Public and Private Connection Support:** The inbuilt **PgBouncer** in Flexible Server provides support for both public and private connections. This allows users to establish secure connections over private networks or connect externally, depending on their specific requirements. 
+- **High Availability (HA):** In the event of a failover, where a standby server is promoted to the primary role, **PgBouncer** seamlessly restarts on the newly promoted standby without any changes required to the application connection string. This ensures continuous availability and minimizes disruption to the application. +- **Cost Efficient:** It's cost efficient as the users donΓÇÖt need to pay for extra compute like VM or the containers. Though It does have some CPU impact as it's another process running on the same machine. ++With inbuilt PgBouncer in Flexible Server, users can enjoy the convenience of simplified configuration, the reliability of a managed service, support for various pooling modes, and seamless high availability during failover scenarios. ++**Limitations:** ++- **Not supported with Burstable:** **PgBouncer** is currently not supported with Burstable server compute tier. If you change the compute tier from General Purpose or Memory Optimized to Burstable tier, you lose the **PgBouncer** capability. +- **Re-establish connections after restarts:** Whenever the server is restarted during scale operations, HA failover, or a restart, the **PgBouncer** is also restarted along with the server virtual machine. Hence, existing connections must be re-established. 
++_We have discussed different ways of implementing PgBouncer and the table summarizes which deployment method to opt for:_ ++++|**Selection Criteria**|**PgBouncer on App VM**|**PgBouncer on VM using ALB***|**PgBouncer on AKS Sidecar**|**PgBouncer as a Service**|**Flexible Server Inbuilt PgBouncer**| +||:-:|:-:|:-:|:-:|:-:| +|Simplified Management|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/red.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/red.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::| +|HA|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::| +|Containerized Apps|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::| +|Reduced Network Overhead & Latency|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" 
source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::| +|Fine grain control on monitoring and debugging|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/red.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/red.png":::|:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::| ++++++|**Difficulty Level**|**Symbol**| +||:-:| +|Easy |:::image type="icon" source="./media/concepts-connection-pooling-best-practices/green.png":::| +|Medium| :::image type="icon" source="./media/concepts-connection-pooling-best-practices/yellow.png":::| +|Difficult |:::image type="icon" source="./media/concepts-connection-pooling-best-practices/red.png":::| +++*ALB: Azure Load Balancer. + |
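Review bot: The pooling-mode list under "What is PgBouncer?" contradicts itself: session pooling is described as "the default setting" while transaction pooling is "the default mode in Flexible server"; state explicitly that session mode is PgBouncer's own default and transaction mode is the default of the Flexible Server built-in pooler. Further points in the same article to fix before merge: the "**Seamless Integration with Managed" bullet under the Ubuntu VM benefits is cut off mid-heading; "Refer link to enable and set up PgBouncer connection pooling in Azure DB for PostgreSQL Flexible server" in section 3 contains no link; "Largehund-scale" in the sidecar limitations is a typo; the sentence "The sidecar pattern is typically used with containers being coscheduled as an atomic container group" appears twice in consecutive paragraphs; the Non-Intrusive Configuration bullet uses "SSLMODE=FALSE" and "required", but the PostgreSQL `sslmode` setting takes `disable` and `require`, so the example should use those values; and "ΓÇô" / "donΓÇÖt" are mis-encoded dash and apostrophe characters.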
quotas | Quotas Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/quotas/quotas-overview.md | -The concept of quotas is designed to help protect customers from things like inaccurately resourced deployments and mistaken consumption. For Azure, it helps minimize risks from deceptive or inappropriate consumption and unexpected demand. Quotas are set and enforced in the scope of the [subscription](/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings. +The concept of quotas is designed to help protect customers from things like inaccurately resourced deployments and mistaken consumption. For Azure, it helps minimize risks from deceptive or inappropriate consumption and unexpected demand. Quotas are set and enforced in the scope of the [subscription](/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings). ## Quotas or limits? |
reliability | Availability Zones Baseline | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/availability-zones-baseline.md | For specialized workloads on Azure as below examples, please refer to the respec - [Migrate Azure Kubernetes Service (AKS) and MySQL Flexible Server workloads to availability zone support](/azure/reliability/migrate-workload-aks-mysql) - Oracle - - [Oracle on Azure architecture design](/azure/architecture/solution-ideas/articles/oracle-on-azure-start-here ) + - [Oracle on Azure architecture design](/azure/architecture/solution-ideas/articles/oracle-on-azure-start-here) #### Do you want to achieve Business Continuity and Disaster Recovery in the same Azure region due to compliance, data residency, or governance requirements? |
sap | Remove Region | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/bash/remove-region.md | Licensed under the MIT license. ## Related links -[GitHub repository: SAP on Azure Deployment Automation Framework](https://github.com/Azure/sap-automation ) +[GitHub repository: SAP on Azure Deployment Automation Framework](https://github.com/Azure/sap-automation) |
sap | Quickstart Create High Availability Namecustom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/quickstart-create-high-availability-namecustom.md | az workloads sap-sizing-recommendation --app-location "eastus" --database-type " ## Create *json* configuration file with custom resource names -- Prepare a *json* file with the configuration (payload) to use for the deployment of SAP system infrastructure. You can make edits in this [sample payload]([https://github.com/Azure/Azure-Center-for-SAP-solutions-preview/blob/main/Payload_Samples/CreatePayloadDistributedNon-HA.json](https://github.com/Azure/Azure-Center-for-SAP-solutions-preview/blob/main/Payload_Samples/CreatePayload_withTransportDirectory_withHAAvSet_withCustomResourceName.json) or use the examples listed in the [Rest API documentation](/rest/api/workloads) for Azure Center for SAP solutions +- Prepare a *json* file with the configuration (payload) to use for the deployment of SAP system infrastructure. You can make edits in this [sample payload](https://github.com/Azure/Azure-Center-for-SAP-solutions-preview/blob/main/Payload_Samples/CreatePayload_withTransportDirectory_withHAAvSet_withCustomResourceName.json) or use the examples listed in the [Rest API documentation](/rest/api/workloads) for Azure Center for SAP solutions - In this json file, provide the custom resource names for the infrastructure that is deployed for your SAP system ## Deploy infrastructure for your SAP system |
search | Index Add Language Analyzers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/index-add-language-analyzers.md | For more information about creating an index and setting field properties, see [ | Urdu | ur.microsoft | | | Vietnamese | vi.microsoft | | - All analyzers with names annotated with **Lucene** are powered by [Apache Lucene's language analyzers](https://lucene.apache.org/core/6_6_1/core/overview-summary.html ). + All analyzers with names annotated with **Lucene** are powered by [Apache Lucene's language analyzers](https://lucene.apache.org/core/6_6_1/core/overview-summary.html). ## See also |
search | Resource Partners Knowledge Mining | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/resource-partners-knowledge-mining.md | Get expert help from Microsoft partners who build comprehensive solutions that i | Partner | Description | Product link | ||-|-|-| ![Agolo](media/resource-partners/agolo-logo.png "Agolo company logo") | [**Agolo**](https://www.agolo.com) is the leading summarization engine for enterprise use. AgoloΓÇÖs AI platform analyzes hundreds of thousands of media articles, research documents and proprietary information to give each customer a summary of key points specific to their areas of interest. </br></br>Our partnership with Microsoft combines the power and adaptability of the Azure Cognitive Search platform, integrated with Agolo summarization. Rather than typical search engine snippets, the results page displays contextually relevant Agolo summaries, instantly enabling the user to determine the relevance of that document to their specific needs. The impact of summarization-powered search is that users find more relevant content faster, enabling them to do their job more effectively and gaining a competitive advantage. | [Product page](https://www.agolo.com/microsoft-azure-cognitive-search ) | +| ![Agolo](media/resource-partners/agolo-logo.png "Agolo company logo") | [**Agolo**](https://www.agolo.com) is the leading summarization engine for enterprise use. Agolo's AI platform analyzes hundreds of thousands of media articles, research documents and proprietary information to give each customer a summary of key points specific to their areas of interest. </br></br>Our partnership with Microsoft combines the power and adaptability of the Azure Cognitive Search platform, integrated with Agolo summarization. Rather than typical search engine snippets, the results page displays contextually relevant Agolo summaries, instantly enabling the user to determine the relevance of that document to their specific needs. 
The impact of summarization-powered search is that users find more relevant content faster, enabling them to do their job more effectively and gaining a competitive advantage. | [Product page](https://www.agolo.com/microsoft-azure-cognitive-search) | | ![BA Insight](media/resource-partners/ba-insight-logo.png "BA Insights company logo") | [**BA Insight Search for Workplace**](https://www.bainsight.com/azure-search/) is a complete enterprise search solution powered by Azure Cognitive Search. It is the first of its kind solution, bringing the internet to enterprises for secure, "askable", powerful search to help organizations get a return on information. It delivers a web-like search experience, connects to 80+ enterprise systems and provides automated and intelligent meta tagging. | [Product page](https://www.bainsight.com/azure-search/) | | ![BlueGranite](media/resource-partners/blue-granite-full-color.png "Blue Granite company logo") | [**BlueGranite**](https://www.bluegranite.com/) offers 25 years of experience in Modern Business Intelligence, Data Platforms, and AI solutions across multiple industries. Their Knowledge Mining services enable organizations to obtain unique insights from structured and unstructured data sources. Modular AI capabilities perform searches on numerous file types to index data and associate that data with more traditional data sources. Analytics tools extract patterns and trends from the enriched data and showcase results to users at all levels. | [Product page](https://www.bluegranite.com/knowledge-mining) |-| ![Enlighten Designs](media/resource-partners/enlighten-ver2.png "Enlighten Designs company logo") | [**Enlighten Designs**](https://www.enlighten.co.nz) is an award-winning innovation studio that has been enabling client value and delivering digitally transformative experiences for over 22 years. 
We are pushing the boundaries of the Microsoft technology toolbox, harnessing Cognitive Search, application development, and advanced Azure services that have the potential to transform our world. As experts in Power BI and data visualization, we hold the titles for the most viewed, and the most downloaded Power BI visuals in the world and are MicrosoftΓÇÖs Data Journalism agency of record when it comes to data storytelling. | [Product page](https://www.enlighten.co.nz/Services/Data-Visualisation/Azure-Cognitive-Search) | +| ![Enlighten Designs](media/resource-partners/enlighten-ver2.png "Enlighten Designs company logo") | [**Enlighten Designs**](https://www.enlighten.co.nz) is an award-winning innovation studio that has been enabling client value and delivering digitally transformative experiences for over 22 years. We are pushing the boundaries of the Microsoft technology toolbox, harnessing Cognitive Search, application development, and advanced Azure services that have the potential to transform our world. As experts in Power BI and data visualization, we hold the titles for the most viewed, and the most downloaded Power BI visuals in the world and are Microsoft's Data Journalism agency of record when it comes to data storytelling. | [Product page](https://www.enlighten.co.nz/Services/Data-Visualisation/Azure-Cognitive-Search) | | ![Neudesic](media/resource-partners/neudesic-logo.png "Neudesic company logo") | [**Neudesic**](https://www.neudesic.com/) is the trusted technology partner in business innovation, delivering impactful business results to clients through digital modernization and evolution. Our consultants bring business and technology expertise together, offering a wide range of cloud and data-driven solutions, including custom application development, data and artificial intelligence, comprehensive managed services, and business software products. Founded in 2002, Neudesic is a privately held company headquartered in Irvine, California. 
| [Product page](https://www.neudesic.com/services/modern-workplace/document-intelligence-platform-schedule-demo/)| | ![OrangeNXT](media/resource-partners/orangenxt-beldmerk-boven-160px.png "OrangeNXT company logo") | [**OrangeNXT**](https://orangenxt.com/) offers expertise in data consolidation, data modeling, and building skillsets that include custom logic developed for specific use-cases.</br></br>digitalNXT Search is an OrangeNXT solution that combines AI, optical character recognition (OCR), and natural language processing in Azure Cognitive Search pipeline to help you extract search results from multiple structured and unstructured data sources. Integral to digitalNXT Search is advanced custom cognitive skills for interpreting and correlating selected data.</br></br>| [Product page](https://orangenxt.com/solutions/digitalnxt/digitalnxt-search/)| | ![Plain Concepts](media/resource-partners/plain-concepts-logo.png "Plain Concepts company logo") | [**Plain Concepts**](https://www.plainconcepts.com/contact/) is a Microsoft Partner with over 15 years of cloud, data, and AI expertise on Azure, and more than 12 Microsoft MVP awards. We specialize in the creation of new data relationships among heterogeneous information sources, which combined with our experience with Artificial Intelligence, Machine Learning, and Azure AI services, exponentially increases the productivity of both machines and human teams. We help customers to face the digital revolution with the AI-based solutions that best suits their company requirements.| [Product page](https://www.plainconcepts.com/artificial-intelligence/) | |
search | Search Howto Run Reset Indexers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-run-reset-indexers.md | GET /indexers/[indexer name]/status?api-version=[api-version] ### [**.NET SDK (C#)**](#tab/reset-indexer-csharp) -The following example (from [azure-search-dotnet-samples/multiple-data-sources/](https://github.com/Azure-Samples/azure-search-dotnet-samples/blob/master/multiple-data-sources/v11/src/Program.cs)) illustrates the [**ResetIndexers**](/dotnet/api/azure.search.documents.indexes.searchindexerclient.resetindexer) and [**RunIndexers**](/dotnet/api/azure.search.documents.indexes.searchindexerclient.runindexer) methods in the Azure .NET SDK. +The following example (from [azure-search-dotnet-samples/multiple-data-sources/](https://github.com/Azure-Samples/azure-search-dotnet-scale/blob/main/multiple-data-sources/v11/src/Program.cs)) illustrates the [**ResetIndexers**](/dotnet/api/azure.search.documents.indexes.searchindexerclient.resetindexer) and [**RunIndexers**](/dotnet/api/azure.search.documents.indexes.searchindexerclient.runindexer) methods in the Azure .NET SDK. ```csharp // Reset the indexer if it already exists |
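Review bot: the link text still reads `azure-search-dotnet-samples/multiple-data-sources/` while the new target is `https://github.com/Azure-Samples/azure-search-dotnet-scale/blob/main/multiple-data-sources/v11/src/Program.cs`, so the sentence names one repository and sends readers to another; update the link text to name the azure-search-dotnet-scale repository (or keep the old text only if Program.cs really still lives in azure-search-dotnet-samples).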
service-fabric | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/release-notes.md | Instead, you should enable Automatic OS upgrades through Virtual Machine Scale S | March 1, 2023 | Azure Service Fabric 9.1 Second Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU2.md) | | April 6, 2023 | Azure Service Fabric 9.1 Third Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU3.md) | | May 15, 2023 | Azure Service Fabric 9.1 Fourth Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU4.md) |+| June 19, 2023 | Azure Service Fabric 9.1 Fifth Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU5.md) | +| August 30, 2023 | Azure Service Fabric 9.1 Sixth Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU6.md) | ## Service Fabric 9.0 |
service-fabric | Service Fabric Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-get-started.md | For latest Runtime and SDK you can download from below: | Package |Version| | | |-|[Install Service Fabric Runtime for Windows](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.9.1.1833.9590.exe) | 9.1.1833 | -|[Install Service Fabric SDK](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.6.1.1833.msi) | 6.1.1833 | +|[Install Service Fabric Runtime for Windows](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.10.0.1816.9590.exe) | 10.0.1816.9590 | +|[Install Service Fabric SDK](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.7.0.1816.msi) | 7.0.1816 | You can find direct links to the installers for previous releases on [Service Fabric Releases](https://github.com/microsoft/service-fabric/tree/master/release_notes) |
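Review bot: the replaced Runtime row switches the version column from the short form used before (`9.1.1833`) to the full four-part `10.0.1816.9590`, while the SDK row keeps the short form `7.0.1816`; pick one format for both rows so the table is consistent with the Service Fabric Versions tables, which list the runtime as `10.0.1816.9590`.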
service-fabric | Service Fabric Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-versions.md | If you want to find a list of all the available Service Fabric runtime versions ### Current versions | Service Fabric runtime |Can upgrade directly from|Can downgrade to*|Compatible SDK or NuGet package version|Supported .NET runtimes** |OS Version |End of support | | | | | | | | |-| 9.1 CU5<br>9.1.1833.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 9.1 CU4<br>9.1.1799.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 9.1 CU3<br>9.1.1653.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 9.1 CU2<br>9.1.1583.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 9.1 CU1<br>9.1.1436.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 9.1 RTO<br>9.1.1390.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | +| 10.0 RTO<br>10.0.1816.9590 | 9.0 
CU10<br>9.0.1553.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | +| 9.1 CU6<br>9.1.1851.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU5<br>9.1.1833.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU4<br>9.1.1799.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU3<br>9.1.1653.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU2<br>9.1.1583.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU1<br>9.1.1436.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.1 RTO<br>9.1.1390.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | January 31, 2024 | +| 9.0 
CU11<br>9.0.1569.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 6.0 | .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | November 1, 2023 | | 9.0 CU10<br>9.0.1553.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 6.0 | .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | November 1, 2023 | | 9.0 CU9<br>9.0.1526.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 6.0 | .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | November 1, 2023 | | 9.0 CU8<br>9.0.1380.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 6.0 | .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | November 1, 2023 | Support for Service Fabric on a specific OS ends when support for the OS version ### Current versions | Service Fabric runtime | Can upgrade directly from |Can downgrade to*|Compatible SDK or NuGet package version | Supported .NET runtimes** | OS version | End of support | | | | | | | | |-| 9.1 CU5<br>9.1.1625.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 9.1 CU4<br>9.1.1592.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 9.1 CU3<br>9.1.1457.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 9.1 CU2<br>9.1.1388.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 9.1 CU1<br>9.1.1230.1 | 8.2 
CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 9.1 RTO<br>9.1.1206.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | +| 10.0 RTO<br>10.0.1728.1 | 9.0 CU10<br>9.0.1489.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | +| 9.1 CU6<br>9.1.1642.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU5<br>9.1.1625.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU4<br>9.1.1592.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU3<br>9.1.1457.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU2<br>9.1.1388.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.1 CU1<br>9.1.1230.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.1 RTO<br>9.1.1206.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | January 31, 2024 | +| 9.0 CU11<br>9.0.1503.1 | 8.0 CU3<br>8.0.527.1 | 8.2 CU 5.1<br>8.2.1483.1 | .NET 6 | N/A | [See supported OS 
version](#supported-linux-versions-and-support-end-date) | November 1, 2023 | | 9.0 CU10<br>9.0.1489.1 | 8.0 CU3<br>8.0.527.1 | 8.2 CU 5.1<br>8.2.1483.1 | .NET 6 | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | November 1, 2023 | | 9.0 CU9<br>9.0.1463.1 | 8.0 CU3<br>8.0.527.1 | 8.2 CU 5.1<br>8.2.1483.1 | .NET 6 | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | November 1, 2023 | | 9.0 CU8<br>9.0.1317.1 | 8.0 CU3<br>8.0.527.1 | 8.2 CU 5.1<br>8.2.1483.1 | .NET 6 | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | November 1, 2023 | The following table lists the version names of Service Fabric and their correspo | Version name | Windows version number | Linux version number | | | | |+| 10.0 RTO | 10.0.1816.9590 | 10.0.1728.1 | +| 9.1 CU6 | 9.1.1851.9590 | 9.1.1642.1 | | 9.1 CU5 | 9.1.1833.9590 | 9.1.1625.1 | | 9.1 CU4 | 9.1.1799.9590 | 9.1.1592.1 | | 9.1 CU3 | 9.1.1653.9590 | 9.1.1457.1 | | 9.1 CU2 | 9.1.1583.9590 | 9.1.1388.1 | | 9.1 CU1 | 9.1.1436.9590 | 9.1.1230.1 | | 9.1 RTO | 9.1.1390.9590 | 9.1.1206.1 |+| 9.0 CU11 | 9.0.1569.9590 | 9.0.1503.1 | | 9.0 CU10 | 9.0.1553.9590 | 9.0.1489.1 | | 9.0 CU9 | 9.0.1526.9590 | 9.0.1463.1 | | 9.0 CU8 | 9.0.1380.9590 | 9.0.1317.1 | |
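Review bot: the new Windows `10.0 RTO` row keeps `Less than or equal to version 6.0` in the "Compatible SDK or NuGet package version" column, but the Service Fabric Get Started change on this page pairs runtime 10.0.1816.9590 with SDK 7.0.1816, so one of the two values needs correcting. The new Linux rows also copy the existing column order (`.NET 7, .NET 6, All | N/A`), which puts the .NET runtimes under "Compatible SDK or NuGet package version" and N/A under "Supported .NET runtimes"; worth confirming the values are in the intended columns while these rows are being touched.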
service-fabric | Service Fabric Work With Reliable Collections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-work-with-reliable-collections.md | Internally, Reliable Collections serialize your objects using .NET's DataContrac Furthermore, service code is upgraded one upgrade domain at a time. So, during an upgrade, you have two different versions of your service code running simultaneously. You must avoid having the new version of your service code use the new schema as old versions of your service code might not be able to handle the new schema. When possible, you should design each version of your service to be forward compatible by one version. Specifically, this means that V1 of your service code should be able to ignore any schema elements it does not explicitly handle. However, it must be able to save any data it doesn't explicitly know about and write it back out when updating a dictionary key or value. > [!WARNING]-> While you can modify the schema of a key, you must ensure that your key's hash code and equals algorithms are stable. If you change how either of these algorithms operate, you will not be able to look up the key within the reliable dictionary ever again. +> While you can modify the schema of a key, you must ensure that your key's equality and comparison algorithms are stable. +> Behavior of reliable collections after a change in either of these algorithms is undefined and may lead to data corruption, loss and +> service crashes. > .NET Strings can be used as a key but use the string itself as the key--do not use the result of String.GetHashCode as the key. -Alternatively, you can perform what is typically referred to as a two upgrade. With a two-phase upgrade, you upgrade your service from V1 to V2: V2 contains the code that knows how to deal with the new schema change but this code doesn't execute. When the V2 code reads V1 data, it operates on it and writes V1 data. 
Then, after the upgrade is complete across all upgrade domains, you can somehow signal to the running V2 instances that the upgrade is complete. (One way to signal this is to roll out a configuration upgrade; this is what makes this a two-phase upgrade.) Now, the V2 instances can read V1 data, convert it to V2 data, operate on it, and write it out as V2 data. When other instances read V2 data, they do not need to convert it, they just operate on it, and write out V2 data. +Alternatively, you can perform a multi-phase upgrade. +1. Upgrade service to a new version that + - has both the original V1, and the new V2 version of the data contracts included in the service code package; + - registers custom V2 [state serializers](/azure/service-fabric/service-fabric-reliable-services-reliable-collections-serialization#custom-serialization), if needed; + - performs all operations on the original, V1 collection using the V1 data contracts. +2. Upgrade service to a new version that + - [creates a new, V2 collection](/dotnet/api/microsoft.servicefabric.data.ireliablestatemanager.getoraddasync); + - performs each add, update and delete operation on first V1 and then V2 collections in a single transaction; + - performs read operations on the V1 collection only. +3. Copy all data from the V1 collection to the V2 collection. + - This can be done in a background process by the service version deployed in step 2. + - [Retreieve all keys](/dotnet/api/microsoft.servicefabric.data.collections.ireliabledictionary2-2.createkeyenumerableasync) + from the V1 collection. Enumeration is performed with the + [IsolationLevel.Snapshot](/dotnet/api/microsoft.servicefabric.data.beta.isolationlevel) + by default to avoid locking the collection for the duration of the operation. + - For each key, use a separate transaction to + - [TryGetValueAsync](/dotnet/api/microsoft.servicefabric.data.collections.ireliabledictionary-2.trygetvalueasync) + from the V1 collection. 
+ - If the value has already been removed from the V1 collection since the copy process started, + the key should be skipped and not resurected in the V2 collection. + - [TryAddAsync](/dotnet/api/microsoft.servicefabric.data.collections.ireliabledictionary.tryaddasync) + the value to the V2 collection. + - If the value has already been added to the V2 collection since the copy process started, + the key should be skipped. + - The transaction should be committed only if the `TryAddAsync` returns `true`. + - Value access APIs use the [IsolationLevel.ReadRepeatable](/dotnet/api/microsoft.servicefabric.data.beta.isolationlevel) + by default and rely on locking to guarantee that the values aren't modified by another caller until the transaction is committed or aborted. +4. Upgrade service to a new version that + - performs read operations on the V2 collection only; + - still performs each add, update and delete operation on first V1 and then V2 collections to maintain the option of rolling back to V1. +5. Comprehensively test the service and confirm it is working as expected. + - If you missed any value access operation that wasn't updated to work on both V1 and V2 collection, you may notice missing data. + - If any data is missing roll back to Step 1, remove the V2 collection and repeat the process. +6. Upgrade service to a new version that + - performs all operations on the V2 collection only; + - going back to V1 is no longer possible with a service rollback and would require rolling forward with reversed steps 2-4. +7. Upgrade service a new version that + - [removes the V1 collection](/dotnet/api/microsoft.servicefabric.data.ireliablestatemanager.removeasync). +8. Wait for log truncation. + - By default, this happens every 50MB of writes (adds, updates, and removes) to reliable collections. +9. Upgrade service to a new version that + - no longer has the V1 data contracts included in the service code package. 
## Next steps To learn about creating forward compatible data contracts, see [Forward-Compatible Data Contracts](/dotnet/framework/wcf/feature-details/forward-compatible-data-contracts) To learn best practices on versioning data contracts, see [Data Contract Version To learn how to implement version tolerant data contracts, see [Version-Tolerant Serialization Callbacks](/dotnet/framework/wcf/feature-details/version-tolerant-serialization-callbacks) To learn how to provide a data structure that can interoperate across multiple versions, see [IExtensibleDataObject](/dotnet/api/system.runtime.serialization.iextensibledataobject)++To learn how to configure reliable collections, see [Replicator Configuration](/azure/service-fabric/service-fabric-reliable-services-configuration#replicator-configuration) |
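Review bot: step 8 gives the log truncation default (`every 50MB of writes`) without saying where it is configured; since this change also adds the Replicator Configuration link under Next steps, reference it from step 8 so readers know the threshold is a replicator setting and not a fixed constant. Spelling in the new steps: `Retreieve` should read `Retrieve`, `resurected` should read `resurrected`, and step 7 `Upgrade service a new version` is missing `to`.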
site-recovery | Azure To Azure Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-support-matrix.md | Title: Support matrix for Azure VM disaster recovery with Azure Site Recovery description: Summarizes support for Azure VMs disaster recovery to a secondary region with Azure Site Recovery. Previously updated : 08/07/2023 Last updated : 09/12/2023 Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 18.04 LTS |[9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0)| 4.15.0-196-generic <br> 4.15.0-1157-azure <br> 5.4.0-1098-azure <br> 4.15.0-1158-azure <br> 4.15.0-1159-azure <br> 4.15.0-201-generic <br> 4.15.0-202-generic <br> 5.4.0-1100-azure <br> 5.4.0-136-generic | 18.04 LTS | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |4.15.0-1151-azure </br> 4.15.0-193-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic</br>4.15.0-1153-azure </br>4.15.0-194-generic </br>5.4.0-1094-azure </br>5.4.0-128-generic </br>5.4.0-131-generic | |||-20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic | +20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 
5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure | 20.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-146-generic <br> 5.4.0-147-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-70-generic <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.4.0-1107-azure <br> 5.4.0-148-generic <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.15.0-73-generic <br> 5.15.0-1039-azure | 20.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.4.0-1101-azure <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.4.0-1103-azure <br> 5.4.0-139-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic <br> 5.4.0-1104-azure <br> 5.4.0-144-generic | 20.04 LTS | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | 5.4.0-1095-azure <br> 5.15.0-1023-azure <br> 5.4.0-1098-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.4.0-1100-azure <br> 5.4.0-136-generic <br> 5.4.0-137-generic | 20.04 LTS | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |5.13.0-1009-azure </br> 5.13.0-1012-azure </br> 5.13.0-1013-azure </br> 5.13.0-1014-azure </br> 5.13.0-1017-azure </br> 5.13.0-1021-azure </br> 5.13.0-1022-azure </br> 5.13.0-1023-azure </br> 5.13.0-1025-azure </br> 5.13.0-1028-azure </br> 5.13.0-1029-azure </br> 5.13.0-1031-azure </br> 5.13.0-21-generic </br> 
5.13.0-22-generic </br> 5.13.0-23-generic </br> 5.13.0-25-generic </br> 5.13.0-27-generic </br> 5.13.0-28-generic </br> 5.13.0-30-generic </br> 5.13.0-35-generic </br> 5.13.0-37-generic </br> 5.13.0-39-generic </br> 5.13.0-40-generic </br> 5.13.0-41-generic </br> 5.13.0-44-generic </br> 5.13.0-48-generic </br> 5.13.0-51-generic </br> 5.13.0-52-generic </br> 5.15.0-1007-azure </br> 5.15.0-1008-azure </br> 5.15.0-1013-azure </br> 5.15.0-1014-azure </br> 5.15.0-1017-azure </br> 5.15.0-1019-azure </br> 5.15.0-1020-azure </br> 5.15.0-33-generic </br> 5.15.0-51-generic </br> 5.15.0-43-generic </br> 5.15.0-46-generic </br> 5.15.0-48-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic </br> 5.15.0-1021-azure </br> 5.15.0-1022-azure </br> 5.15.0-50-generic </br> 5.15.0-52-generic </br> 5.4.0-1094-azure </br> 5.4.0-128-generic </br> 5.4.0-131-generic | |||-22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic | +22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 5.15.0-1042-azure | 22.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.15.0-70-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.15.0-73-generic <br> 5.15.0-1039-azure | 22.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.15.0-1003-azure <br> 5.15.0-1005-azure <br> 
5.15.0-1007-azure <br> 5.15.0-1008-azure <br> 5.15.0-1010-azure <br> 5.15.0-1012-azure <br> 5.15.0-1013-azure <br> 5.15.0-1014-azure <br> 5.15.0-1017-azure <br> 5.15.0-1019-azure <br> 5.15.0-1020-azure <br> 5.15.0-1021-azure <br> 5.15.0-1022-azure <br> 5.15.0-1023-azure <br> 5.15.0-1024-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-25-generic <br> 5.15.0-27-generic <br> 5.15.0-30-generic <br> 5.15.0-33-generic <br> 5.15.0-35-generic <br> 5.15.0-37-generic <br> 5.15.0-39-generic <br> 5.15.0-40-generic <br> 5.15.0-41-generic <br> 5.15.0-43-generic <br> 5.15.0-46-generic <br> 5.15.0-47-generic <br> 5.15.0-48-generic <br> 5.15.0-50-generic <br> 5.15.0-52-generic <br> 5.15.0-53-generic <br> 5.15.0-56-generic <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic | Debian 11 | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azur **Release** | **Mobility service version** | **Kernel version** | | | |-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 | +SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. 
</br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.130-azure:5 <br> 4.12.14-16.133-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.124-azure:5 <br> 4.12.14-16.127-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.115-azure:5 <br> 4.12.14-16.120-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.51](https://suppo **Release** | **Mobility service version** | **Kernel version** | | | |-SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 | +SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. 
</br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.40-azure:4 <br> 5.14.21-150400.14.43-azure:4 <br> 5.14.21-150400.14.46-azure:4 <br> 5.14.21-150400.14.49-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.31-azure:4 <br> 5.14.21-150400.14.34-azure:4 <br> 5.14.21-150400.14.37-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.12-azure:4 <br> 5.14.21-150400.14.10-azure:4 <br> 5.14.21-150400.14.13-azure:4 <br> 5.14.21-150400.14.16-azure:4 <br> 5.14.21-150400.14.7-azure:4 <br> 5.3.18-150300.38.83-azure:3 <br> 5.14.21-150400.14.21-azure:4 <br> 5.14.21-150400.14.28-azure:4 <br> 5.3.18-150300.38.88-azure:3 | |
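Review bot: the new SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) 9.55 row adds `4.12.14-16.139-azure:5` between two 5.14.21-150400 kernels; that is a SUSE 12 kernel (the same version is added to the SUSE 12 9.55 row in this change), so it looks like a copy error and should be dropped from the SUSE 15 row unless it is genuinely certified there.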
site-recovery | Vmware Azure Troubleshoot Configuration Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-troubleshoot-configuration-server.md | To update the configuration server, run the [unified setup](service-updates-how- ## Azure Active Directory application creation failure -You have insufficient permissions to create an application in Azure Active Directory (AAD) using the [Open Virtualization Application (OVA)](vmware-azure-deploy-configuration-server.md#deploy-a-configuration-server-through-an-ova-template -) template. +You have insufficient permissions to create an application in Azure Active Directory (Azure AD) using the [Open Virtualization Application (OVA)](vmware-azure-deploy-configuration-server.md#deploy-a-configuration-server-through-an-ova-template) template. To resolve the issue, sign in to the Azure portal and do one of the following: -- Request the Application Developer role in AAD. For more information on the Application Developer role, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md).-- Verify that the **User can create application** flag is set to *true* in AAD. For more information, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app).+- Request the Application Developer role in Azure AD. For more information on the Application Developer role, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md). +- Verify that the **User can create application** flag is set to *true* in Azure AD. 
For more information, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). ## Process server/Master Target are unable to communicate with the configuration server |
spring-apps | How To Config Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-config-server.md | The following table lists the configurable properties that you can use to set up | `host-key-algorithm` | No | The host key algorithm. Should be *ssh-dss*, *ssh-rsa*, *ecdsa-sha2-nistp256*, *ecdsa-sha2-nistp384*, or *ecdsa-sha2-nistp521*. Required only if `host-key` exists. | | `strict-host-key-checking` | No | Indicates whether the Config Server instance fails to start when using the private `host-key`. Should be *true* (default value) or *false*. | -> [!NOTE] -> Config Server uses RSA keys with SHA-1 signatures for now. If you're using GitHub, for RSA public keys added to GitHub before November 2, 2021, the corresponding private key is supported. For RSA public keys added to GitHub after November 2, 2021, the corresponding private key is not supported, and we suggest using basic authentication instead. - ### Private repository with basic authentication The following table lists the configurable properties that you can use to set up a private Git repository with basic authentication. |
spring-apps | How To Configure Enterprise Spring Cloud Gateway Filters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-enterprise-spring-cloud-gateway-filters.md | To integrate with API Portal for VMware Tanzu, VMware Spring Cloud Gateway autom ## Prerequisites - An already provisioned Azure Spring Apps Enterprise plan service instance with Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- > [!NOTE] - > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You cannot enable VMware Spring Cloud Gateway after provisioning. --- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later.+- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ## Use filters |
spring-apps | How To Configure Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-enterprise-spring-cloud-gateway.md | To integrate with API portal for VMware Tanzu, VMware Spring Cloud Gateway autom ## Prerequisites - An already provisioned Azure Spring Apps Enterprise plan service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- > [!NOTE] - > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You can't enable VMware Spring Cloud Gateway after provisioning. --- Azure CLI version 2.0.67 or later. For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).+- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ## Enable or disable VMware Spring Cloud Gateway |
spring-apps | How To Deploy In Azure Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-deploy-in-azure-virtual-network.md | For subnets, Azure reserves five IP addresses, and Azure Spring Apps requires at For a service runtime subnet, the minimum size is /28. +> [!NOTE] +> A small subnet range impacts the underlying resource you can use for system components like ingress controller. Azure Spring Apps uses an underlying ingress controller to handle application traffic management. The number of ingress controller instances automatically increases as application traffic increases. Reserve a larger virtual network subnet IP range if application traffic could increase in the future. You typically reserve one IP addresses for traffic of 10000 requests per second. + ## Bring your own route table Azure Spring Apps supports using existing subnets and route tables. |
spring-apps | How To Enterprise Application Configuration Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enterprise-application-configuration-service.md | -[Application Configuration Service for VMware Tanzu](https://docs.pivotal.io/tcs-k8s/0-1/) is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native `ConfigMap` resources that are populated from properties defined in one or more Git repositories. +[Application Configuration Service for VMware Tanzu](https://docs.vmware.com/en/Application-Configuration-Service-for-VMware-Tanzu/2.0/acs/GUID-overview.html) is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native `ConfigMap` resources that are populated from properties defined in one or more Git repositories. With Application Configuration Service for Tanzu, you have a central place to manage external properties for applications across all environments. To understand the differences from Spring Cloud Config Server in Basic/Standard, see the [Use Application Configuration Service for external configuration](./how-to-migrate-standard-tier-to-enterprise-tier.md#use-application-configuration-service-for-external-configuration) section of [Migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan](./how-to-migrate-standard-tier-to-enterprise-tier.md). |
spring-apps | How To Enterprise Service Registry | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enterprise-service-registry.md | with the Azure Spring Apps Enterprise plan, you don't have to create or start th ## Prerequisites - An already provisioned Azure Spring Apps Enterprise plan instance with Tanzu Service Registry enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- > [!NOTE] - > To use Tanzu Service Registry, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time. - - [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] ## Create applications that use Service Registry |
spring-apps | How To Troubleshoot Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-troubleshoot-enterprise-spring-cloud-gateway.md | This article shows you how to troubleshoot Spring Cloud Gateway for VMware Tanzu ## Prerequisites - An already provisioned Azure Spring Apps Enterprise plan service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- > [!NOTE] - > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You can't enable VMware Spring Cloud Gateway after provisioning. - - [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ## Check Gateway metrics |
spring-apps | How To Use Enterprise Api Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-enterprise-api-portal.md | This article shows you how to use API portal for VMware Tanzu® with the Azure S ## Prerequisites - An already provisioned Azure Spring Apps Enterprise plan instance with API portal enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- > [!NOTE] - > To use API portal, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time. - - [Spring Cloud Gateway for Tanzu](./how-to-use-enterprise-spring-cloud-gateway.md) is enabled during provisioning and the corresponding API metadata is configured. ## Configure API portal |
spring-apps | How To Use Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-enterprise-spring-cloud-gateway.md | To integrate with [API portal for VMware Tanzu®](./how-to-use-enterprise-api-po ## Prerequisites - An already provisioned Azure Spring Apps Enterprise plan service instance with Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- > [!NOTE] - > To use Spring Cloud Gateway, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time. --- [Azure CLI version 2.0.67 or later](/cli/azure/install-azure-cli).+- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ## Configure routes |
spring-apps | Quotas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quotas.md | The following table defines limits for the pricing plans in Azure Spring Apps. | Inbound Public Endpoints | per Azure Spring Apps service instance | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | | Outbound Public IPs | per Azure Spring Apps service instance | 1 <sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | | User-assigned managed identities | per app instance | 20 | 20 | 20 | Not available during preview | Not available during preview |+| Requests per second/Throughput | per Azure Spring Apps service instance | 5000 <sup>3</sup> | 10000 <sup>3</sup> | 20000 <sup>3</sup> | Not applicable | Not applicable | <sup>1</sup> You can increase this limit via support request to a maximum of 1 per app. <sup>2</sup> You can increase this limit via support request to a maximum of 10. +<sup>3</sup> This limit only applies to customers without an Enterprise Agreement subscription. You can increase this limit based on your workload size via raising a support ticket. For customers with an Enterprise Agreement subscription, Azure Spring Apps automatically adjusts underlying resource to support application traffic. + > [!TIP] > Limits listed apply for apps and deployments in any state, including apps in a stopped state. These limits include total app instances and per service instances. Be sure to delete apps and deployments that aren't being used. |
storage | Storage Blob Tags Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-tags-javascript.md | You can delete all tags by passing an empty JSON object into the setTags method. To get tags, create a [BlobClient](storage-blob-javascript-get-started.md#create-a-blobclient-object) then use the following method: -- [BlobClient.getTags](/javascript/api/@azure/storage-blob/blobclient#@azure-storage-blob-blobclient-gettags-) +- [BlobClient.getTags](/javascript/api/@azure/storage-blob/blobclient#@azure-storage-blob-blobclient-gettags) The following example shows how to get and iterate over the blob's tags. |
storage | Storage Blob Tags Typescript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-tags-typescript.md | You can delete all tags by passing an empty JSON object into the setTags method. To get tags, create a [BlobClient](storage-blob-typescript-get-started.md#create-a-blobclient-object) then use the following method: -- [BlobClient.getTags](/javascript/api/@azure/storage-blob/blobclient#@azure-storage-blob-blobclient-gettags-) +- [BlobClient.getTags](/javascript/api/@azure/storage-blob/blobclient#@azure-storage-blob-blobclient-gettags) The following example shows how to get and iterate over the blob's tags. |
storage | Container Storage Aks Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/container-storage/container-storage-aks-quickstart.md | description: Learn how to install Azure Container Storage Preview on an Azure Ku Previously updated : 09/07/2023 Last updated : 09/12/2023 - # Quickstart: Use Azure Container Storage Preview with Azure Kubernetes Service az k8s-extension list --cluster-name <cluster-name> --resource-group <resource-g Congratulations, you've successfully installed Azure Container Storage. You now have new storage classes that you can use for your Kubernetes workloads. -## Next steps +## Choose a data storage option -Now you can create a storage pool and persistent volume claim, and then deploy a pod and attach a persistent volume. Depending on the back-end storage type you want to use, follow the steps in the appropriate how-to article. +Next you'll need to choose a back-end storage option to create your storage pool. Choose one of the following three options and follow the link to create a storage pool and persistent volume claim. -- [Use Azure Container Storage Preview with Azure Elastic SAN Preview](use-container-storage-with-elastic-san.md)-- [Use Azure Container Storage Preview with Azure Disks](use-container-storage-with-managed-disks.md)-- [Use Azure Container Storage with Azure Ephemeral disk (NVMe)](use-container-storage-with-local-disk.md)+- **Azure Elastic SAN Preview**: Azure Elastic SAN preview is a good fit for general purpose databases, streaming and messaging services, CD/CI environments, and other tier 1/tier 2 workloads. Storage is provisioned on demand per created volume and volume snapshot. Multiple clusters can access a single SAN concurrently, however persistent volumes can only be attached by one consumer at a time. [Create a storage pool using Azure Elastic SAN Preview](use-container-storage-with-elastic-san.md#create-a-storage-pool). 
++- **Azure Disks**: Azure Disks are a good fit for databases such as MySQL, MongoDB, and PostgreSQL. Storage is provisioned per target container storage pool size and maximum volume size. [Create a storage pool using Azure Disks](use-container-storage-with-managed-disks.md#create-a-storage-pool). ++- **Ephemeral Disk**: This option uses local NVMe drives on the AKS nodes and is extremely latency sensitive (low sub-ms latency), so it's best for applications with no data durability requirement or with built-in data replication support such as Cassandra. AKS discovers the available ephemeral storage on AKS nodes and acquires the drives for volume deployment. [Create a storage pool using Ephemeral Disk](use-container-storage-with-local-disk.md#create-a-storage-pool). |
storage | Volume Snapshot Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/container-storage/volume-snapshot-restore.md | description: Take a point-in-time snapshot of a persistent volume and restore it Previously updated : 07/03/2023 Last updated : 09/12/2023 +- This article assumes you've already installed Azure Container Storage on your AKS cluster, and that you've created a storage pool and persistent volume claim (PVC) using either [Azure Disks](use-container-storage-with-managed-disks.md) or [ephemeral disk (local storage)](use-container-storage-with-local-disk.md). Azure Elastic SAN Preview doesn't support volume snapshots. ## Create a volume snapshot class Now you can create a new persistent volume claim that uses the volume snapshot a > [!TIP] > If you already created a restored persistent volume claim and want to apply the yaml file again to correct an error or make a change, you'll need to first delete the old persistent volume claim before applying the yaml file again: `kubectl delete pvc <pvc-name>`. -## Delete the original pod +## Delete the original pod (optional) -Before you create a new pod, you'll need to delete the original pod that you created the snapshot from. +Before you create a new pod, you might want to delete the original pod that you created the snapshot from. -1. Run `kubectl get pods` to list the pods. Make sure you're deleting the right one. +1. Run `kubectl get pods` to list the pods. Make sure you're deleting the right pod. 1. To delete the pod, run `kubectl delete pod <pod-name>`. ## Create a new pod using the restored snapshot -Once you've deleted the original pod, you can create a new pod using the restored persistent volume claim. Create the pod using [Fio](https://github.com/axboe/fio) (Flexible I/O Tester) for benchmarking and workload simulation, and specify a mount path for the persistent volume. +Next, create a new pod using the restored persistent volume claim. 
Create the pod using [Fio](https://github.com/axboe/fio) (Flexible I/O Tester) for benchmarking and workload simulation, and specify a mount path for the persistent volume. 1. Use your favorite text editor to create a YAML manifest file such as `code acstor-pod2.yaml`. |
storage | Elastic San Connect Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-connect-linux.md | description: Learn how to connect to an Azure Elastic SAN Preview volume from a Previously updated : 07/11/2023 Last updated : 09/12/2023 Before you can connect to a volume, you'll need to get **StorageTargetIQN**, **S Run the following command to get these values: ```azurecli+# Connect to Azure +az login ++# Get volume information az elastic-san volume show -e yourSanName -g yourResourceGroup -v yourVolumeGroupName -n yourVolumeName ``` |
storage | Elastic San Connect Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-connect-windows.md | description: Learn how to connect to an Azure Elastic SAN Preview volume from a Previously updated : 07/11/2023 Last updated : 09/12/2023 Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR Before you can connect to a volume, you'll need to get **StorageTargetIQN**, **StorageTargetPortalHostName**, and **StorageTargetPortalPort** from your Azure Elastic SAN volume. -Run the following commands to get these values: +Fill in the variables with your values, then run the following commands: ```azurepowershell+# Connect to Azure +Connect-AzAccount + # Get the target name and iSCSI portal name to connect a volume to a client -$connectVolume = Get-AzElasticSanVolume -ResourceGroupName $resourceGroupName -ElasticSanName $sanName -VolumeGroupName $searchedVolumeGroup -Name $searchedVolume +$resourceGroupName="yourRGName" +$sanName="yourSANName" +$volumeGroup="yourVolumeGroupName" +$volumeName="yourVolumeName" ++$connectVolume = Get-AzElasticSanVolume -ResourceGroupName $resourceGroupName -ElasticSanName $sanName -VolumeGroupName $volumeGroup -Name $volumeName $connectVolume.storagetargetiqn $connectVolume.storagetargetportalhostname $connectVolume.storagetargetportalport |
storage | Elastic San Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-create.md | description: Learn how to deploy an Azure Elastic SAN (preview) with the Azure p Previously updated : 08/30/2023 Last updated : 09/12/2023 $VolumeName = "<VolumeName>" $Location = "<Location>" $Zone = <Zone> +# Connect to Azure +Connect-AzAccount + # Create the SAN. New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -AvailabilityZone $Zone -Location $Location -BaseSizeTib 100 -ExtendedCapacitySizeTiB 20 -SkuName Premium_LRS ``` VolumeName="<VolumeName>" Location="<Location>" Zone=<Zone> +# Connect to Azure +az login ++# Create an Elastic SAN az elastic-san create -n $EsanName -g $RgName -l $Location --base-size-tib 100 --extended-capacity-size-tib 20 --sku "{name:Premium_LRS,tier:Premium}" --availability-zones $Zone ``` |
stream-analytics | Stream Analytics Get Started With Azure Stream Analytics To Process Data From Iot Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-get-started-with-azure-stream-analytics-to-process-data-from-iot-devices.md | For ease of use, this getting started guide provides a sample data file, which w ## Create an Azure Stream Analytics query After your job is created, write a query. You can test queries against sample data without connecting an input or output to your job. -1. Download the [HelloWorldASA-InputStream.json](https://github.com/Azure/azure-stream-analytics/blob/master/Samples/GettingStarted/HelloWorldASA-InputStream.json -) from GitHub. +1. Download the [HelloWorldASA-InputStream.json](https://github.com/Azure/azure-stream-analytics/blob/master/Samples/GettingStarted/HelloWorldASA-InputStream.json) from GitHub. 1. On the **Azure Stream Analytics job** page in the Azure portal, select **Query** under **Job topology** from the left menu. 1. Select **Upload sample input**, select the `HelloWorldASA-InputStream.json` file you downloaded, and select **OK**. |
virtual-desktop | Insights Costs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/insights-costs.md | Title: Estimate Azure Virtual Desktop Insights monitoring costs - Azure description: How to estimate costs and pricing for using Azure Virtual Desktop Insights. Previously updated : 06/14/2023 Last updated : 09/12/2023 To learn more about input delay performance counters, see [User Input Delay perf ## Estimating Windows Event Log ingestion -> [!IMPORTANT] -> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. --Windows Event Logs are data sources collected by either the Log Analytics Agent or the Azure Monitor Agent (preview) on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor. +Windows Event Logs are data sources collected by either the Azure Monitor Agent or the Log Analytics agent on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor. These are the default Windows Events for Azure Virtual Desktop Insights: |
virtual-desktop | Insights Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/insights-glossary.md | Title: Azure Virtual Desktop Insights glossary - Azure description: A glossary of terms and concepts related to Azure Virtual Desktop Insights.- -- Previously updated : 06/14/2022 Last updated : 09/12/2023 core. Knowing how many users are active will help you efficiently resource and s ## Windows Event Logs -> [!IMPORTANT] -> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. --Windows Event Logs are data sources collected by either the Log Analytics agents or the Azure Monitor Agent (preview) on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor. +Windows Event Logs are data sources collected by either the Azure Monitor Agent or the Log Analytics agent on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor. The following table lists the required Windows Event Logs for Azure Virtual Desktop Insights: |
virtual-desktop | Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/insights.md | Title: Use Azure Virtual Desktop Insights to monitor your deployment - Azure description: How to set up Azure Virtual Desktop Insights to monitor your Azure Virtual Desktop environments. Previously updated : 08/24/2023 Last updated : 09/12/2023 # Use Azure Virtual Desktop Insights to monitor your deployment -> [!IMPORTANT] -> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. This topic will walk you through how to set up Azure Virtual Desktop Insights to monitor your Azure Virtual Desktop environments. +>[!IMPORTANT] +>[The Log Analytics Agent is currently being deprecated](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you use the Log Analytics Agent, you'll eventually need to migrate to the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) by August 31, 2024. + ## Prerequisites Before you start using Azure Virtual Desktop Insights, you'll need to set up the following things: To set up workspace diagnostics using the resource diagnostic settings section i ### Session host data settings +You can use either the Azure Monitor Agent or the Log Analytics agent to collect information on your Azure Virtual Desktop session hosts. Select the relevant tab for your scenario. 
++# [Azure Monitor Agent](#tab/monitor) ++To collect information on your Azure Virtual Desktop session hosts, you must configure a [Data Collection Rule (DCR)](../azure-monitor/essentials/data-collection-rule-overview.md) to collect performance data and Windows Event Logs, associate the session hosts with the DCR, install the Azure Monitor Agent on all session hosts in host pools you're collecting data from, and ensure the session hosts are sending data to a Log Analytics workspace. ++The Log Analytics workspace you send session host data to doesn't have to be the same one you send diagnostic data to. ++To configure a DCR and select a Log Analytics workspace destination using the configuration workbook: ++1. Select the **Session host data settings** tab in the configuration workbook. +1. Select the **Log Analytics workspace** you want to send session host data to. +1. If you haven't already created a resource group for the DCR, select **Create a resource group** to create one. +1. If you haven't already configured a DCR, select **Create data collection rule** to automatically configure the DCR using the configuration workbook. ++#### Session hosts ++You need to install the Azure Monitor Agent on all session hosts in the host pool and send data from those hosts to your selected Log Analytics workspace. If the session hosts don't all meet the requirements, you'll see a **Session hosts** section at the top of **Session host data settings** with the message *Some hosts in the host pool are not sending data to the selected Log Analytics workspace.* ++>[!NOTE] +> If you don't see the **Session hosts** section or error message, all session hosts are set up correctly. Automated deployment is limited to 1000 session hosts or fewer. ++To set up your remaining session hosts using the configuration workbook: ++1. Select the DCR you're using for data collection. +1. Select **Deploy association** to create the DCR association. +1. 
Select **Add extension** to deploy the Azure Monitor Agent. +1. Select **Add system managed identity** to configure the required [managed identity](../azure-monitor/agents/azure-monitor-agent-manage.md#prerequisites). ++>[!NOTE] +>For larger host pools (over 1,000 session hosts) or if you encounter deployment issues, we recommend you [install the Azure Monitor Agent](../azure-monitor/agents/azure-monitor-agent-manage.md#install) when you create a session host by using an Azure Resource Manager template. + # [Log Analytics agent](#tab/analytics) To collect information on your Azure Virtual Desktop session hosts, you'll need to install the Log Analytics agent on all session hosts in the host pool, make sure the session hosts are sending to a Log Analytics workspace, and configure your Log Analytics agent settings to collect performance data and Windows Event Logs. To set up Windows Event Logs using the configuration workbook: >[!NOTE] >If automatic event deployment fails, select **Open agent configuration** in the configuration workbook to manually add any missing Windows Event Logs. -# [Azure Monitor Agent (preview)](#tab/monitor) --To collect information on your Azure Virtual Desktop session hosts, you must configure a [Data Collection Rule (DCR)](../azure-monitor/essentials/data-collection-rule-overview.md) to collect performance data and Windows Event Logs, associate the session hosts with the DCR, install the Azure Monitor Agent on all session hosts in host pools you're collecting data from, and ensure the session hosts are sending data to a Log Analytics workspace. --The Log Analytics workspace you send session host data to doesn't have to be the same one you send diagnostic data to. --To configure a DCR and select a Log Analytics workspace destination using the configuration workbook: --1. Select the **Session host data settings** tab in the configuration workbook. -1. Select the **Log Analytics workspace** you want to send session host data to. -1. 
If you haven't already created a resource group for the DCR, select **Create a resource group** to create one. -1. If you haven't already configured a DCR, select **Create data collection rule** to automatically configure the DCR using the configuration workbook. --#### Session hosts --You need to install the Azure Monitor Agent on all session hosts in the host pool and send data from those hosts to your selected Log Analytics workspace. If the session hosts don't all meet the requirements, you'll see a **Session hosts** section at the top of **Session host data settings** with the message *Some hosts in the host pool are not sending data to the selected Log Analytics workspace.* -->[!NOTE] -> If you don't see the **Session hosts** section or error message, all session hosts are set up correctly. Automated deployment is limited to 1000 session hosts or fewer. --To set up your remaining session hosts using the configuration workbook: --1. Select the DCR you're using for data collection. -1. Select **Deploy association** to create the DCR association. -1. Select **Add extension** to deploy the Azure Monitor Agent. -1. Select **Add system managed identity** to configure the required [managed identity](../azure-monitor/agents/azure-monitor-agent-manage.md#prerequisites). -->[!NOTE] ->For larger host pools (over 1,000 session hosts) or if you encounter deployment issues, we recommend you [install the Azure Monitor Agent](../azure-monitor/agents/azure-monitor-agent-manage.md#install) when you create a session host by using an Azure Resource Manager template. - ## Optional: configure alerts |
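Review bot: the two limits in the new Azure Monitor Agent tab state the same threshold in two forms: the note under *Session hosts* reads `Automated deployment is limited to 1000 session hosts or fewer.` while the note after the steps reads `For larger host pools (over 1,000 session hosts)`; write the number the same way in both so a reader does not wonder whether two different limits are meant. In the Log Analytics agent tab, `To set up Windows Event Logs using the configuration workbook:` is followed directly by the note about automatic event deployment failing, so the numbered steps the colon promises do not appear in this hunk; check that they survived the tab reorder. Since the reorder puts the Azure Monitor Agent first because the Log Analytics agent is being retired (the companion troubleshooting change carries the August 31, 2024 date), a one-line pointer to that retirement at the top of the Log Analytics agent tab would tell readers why the default moved.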
virtual-desktop | Troubleshoot Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-insights.md | Title: Troubleshoot Monitor Azure Virtual Desktop - Azure description: How to troubleshoot issues with Azure Virtual Desktop Insights. Previously updated : 06/14/2023 Last updated : 09/12/2023 # Troubleshoot Azure Virtual Desktop Insights -> [!IMPORTANT] -> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - This article presents known issues and solutions for common problems in Azure Virtual Desktop Insights. >[!IMPORTANT]->[The Log Analytics Agent is currently being deprecated](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). While Azure Virtual Desktop Insights currently uses the Log Analytics Agent for Azure Virtual Desktop support, you'll eventually need to migrate to the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) by August 31, 2024. +>[The Log Analytics Agent is currently being deprecated](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you use the Log Analytics Agent for Azure Virtual Desktop support, you'll eventually need to migrate to the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) by August 31, 2024. 
-# [Log Analytics agent](#tab/analytics) +# [Azure Monitor Agent](#tab/monitor) ## Issues with configuration and setup If the configuration workbook isn't working properly to automate setup, you can use these resources to set up your environment manually: - To manually enable diagnostics or access the Log Analytics workspace, see [Send Azure Virtual Desktop diagnostics to Log Analytics](diagnostics-log-analytics.md).-- To install the Log Analytics extension on a session host manually, see [Log Analytics virtual machine extension for Windows](../virtual-machines/extensions/oms-windows.md).+- To install the Azure Monitor Agent extension on a session host manually, see [Azure Monitor Agent virtual machine extension for Windows](../azure-monitor/agents/azure-monitor-agent-manage.md#install). - To set up a new Log Analytics workspace, see [Create a Log Analytics workspace in the Azure portal](../azure-monitor/logs/quick-create-workspace.md).-- To add, remove, or edit performance counters, see [Configuring performance counters](../azure-monitor/agents/data-sources-performance-counters.md).-- To configure Windows Event Logs for a Log Analytics workspace, see [Collect Windows event log data sources with Log Analytics agent](../azure-monitor/agents/data-sources-windows-events.md).+- To validate the Data Collection Rules in use, see [View data collection rules](../azure-monitor/essentials/data-collection-rule-overview.md#view-data-collection-rules). ## My data isn't displaying properly If your data isn't displaying properly, check the following common solutions: - First, make sure you've set up correctly with the configuration workbook as described in [Use Azure Virtual Desktop Insights to monitor your deployment](insights.md). If you're missing any counters or events, the data associated with them won't appear in the Azure portal.-- Check your access permissions and contact the resource owners to request missing permissions. 
Anyone monitoring Azure Virtual Desktop requires the following permissions:+- Check your access permissions & contact the resource owners to request missing permissions; anyone monitoring Azure Virtual Desktop requires the following permissions: - Read-access to the Azure resource groups that hold your Azure Virtual Desktop resources - Read-access to the subscription's resource groups that hold your Azure Virtual Desktop session hosts - Read-access to whichever Log Analytics workspaces you're using-- You may need to open outgoing ports in your server's firewall to allow Azure Monitor and Log Analytics to send data to the portal. To learn how to do this, see the following articles:- - [Azure Monitor Outgoing ports](../azure-monitor/app/ip-addresses.md) - - [Log Analytics Firewall Requirements](../azure-monitor/agents/log-analytics-agent.md#firewall-requirements). -- Not seeing data from recent activity? You may want to wait for 15 minutes and refresh the feed. Azure Monitor has a 15-minute latency period for populating log data. To learn more, see [Log data ingestion time in Azure Monitor](../azure-monitor/logs/data-ingestion-time.md).+- You may need to open outgoing ports in your server's firewall to allow Azure Monitor to send data to the portal. To learn how to do this, see [Firewall requirements](../azure-monitor/agents/azure-monitor-agent-data-collection-endpoint.md#firewall-requirements). +- If you're not seeing data from recent activity, you may need to wait for 15 minutes and refresh the feed. Azure Monitor has a 15-minute latency period for populating log data. To learn more, see [Log data ingestion time in Azure Monitor](../azure-monitor/logs/data-ingestion-time.md). If you're not missing any information but your data still isn't displaying properly, there may be an issue in the query or the data sources. For more information, see [known issues and limitations](#known-issues-and-limitations). 
-# [Azure Monitor Agent (preview)](#tab/monitor) +# [Log Analytics agent](#tab/analytics) ## Issues with configuration and setup If the configuration workbook isn't working properly to automate setup, you can use these resources to set up your environment manually: - To manually enable diagnostics or access the Log Analytics workspace, see [Send Azure Virtual Desktop diagnostics to Log Analytics](diagnostics-log-analytics.md).-- To install the Azure Monitor Agent extension on a session host manually, see [Azure Monitor Agent virtual machine extension for Windows](../azure-monitor/agents/azure-monitor-agent-manage.md#install).+- To install the Log Analytics extension on a session host manually, see [Log Analytics virtual machine extension for Windows](../virtual-machines/extensions/oms-windows.md). - To set up a new Log Analytics workspace, see [Create a Log Analytics workspace in the Azure portal](../azure-monitor/logs/quick-create-workspace.md).-- To validate the Data Collection Rules in use, see [View data collection rules](../azure-monitor/essentials/data-collection-rule-overview.md#view-data-collection-rules).+- To add, remove, or edit performance counters, see [Configuring performance counters](../azure-monitor/agents/data-sources-performance-counters.md). +- To configure Windows Event Logs for a Log Analytics workspace, see [Collect Windows event log data sources with Log Analytics agent](../azure-monitor/agents/data-sources-windows-events.md). ## My data isn't displaying properly If your data isn't displaying properly, check the following common solutions: - First, make sure you've set up correctly with the configuration workbook as described in [Use Azure Virtual Desktop Insights to monitor your deployment](insights.md). 
If you're missing any counters or events, the data associated with them won't appear in the Azure portal.-- Check your access permissions & contact the resource owners to request missing permissions; anyone monitoring Azure Virtual Desktop requires the following permissions:+- Check your access permissions and contact the resource owners to request missing permissions. Anyone monitoring Azure Virtual Desktop requires the following permissions: - Read-access to the Azure resource groups that hold your Azure Virtual Desktop resources - Read-access to the subscription's resource groups that hold your Azure Virtual Desktop session hosts - Read-access to whichever Log Analytics workspaces you're using-- You may need to open outgoing ports in your server's firewall to allow Azure Monitor to send data to the portal. To learn how to do this, see [Firewall requirements](../azure-monitor/agents/azure-monitor-agent-data-collection-endpoint.md#firewall-requirements).-- If you're not seeing data from recent activity, you may need to wait for 15 minutes and refresh the feed. Azure Monitor has a 15-minute latency period for populating log data. To learn more, see [Log data ingestion time in Azure Monitor](../azure-monitor/logs/data-ingestion-time.md).+- You may need to open outgoing ports in your server's firewall to allow Azure Monitor and Log Analytics to send data to the portal. To learn how to do this, see the following articles: + - [Azure Monitor Outgoing ports](../azure-monitor/app/ip-addresses.md) + - [Log Analytics Firewall Requirements](../azure-monitor/agents/log-analytics-agent.md#firewall-requirements). +- Not seeing data from recent activity? You may want to wait for 15 minutes and refresh the feed. Azure Monitor has a 15-minute latency period for populating log data. To learn more, see [Log data ingestion time in Azure Monitor](../azure-monitor/logs/data-ingestion-time.md). 
If you're not missing any information but your data still isn't displaying properly, there may be an issue in the query or the data sources. For more information, see [known issues and limitations](#known-issues-and-limitations). By design, custom Workbook templates will not automatically adopt updates from t Learn more about data terms at the [Azure Virtual Desktop Insights glossary](insights-glossary.md). -# [Log Analytics agent](#tab/analytics) +# [Azure Monitor Agent](#tab/monitor) ## The data I need isn't available -If you want to monitor more Performance counters or Windows Event Logs, you can enable them to send diagnostics info to your Log Analytics workspace and monitor them in **Host Diagnostics: Host browser**. --- To add performance counters, see [Configuring performance counters](../azure-monitor/agents/data-sources-performance-counters.md#configure-performance-counters)-- To add Windows Events, see [Configuring Windows Event Logs](../azure-monitor/agents/data-sources-windows-events.md#configure-windows-event-logs)--Can't find a data point to help diagnose an issue? Send us feedback! +If this article doesn't have the data point you need to resolve an issue, you can send us feedback at the following places: - To learn how to leave feedback, see [Troubleshooting overview, feedback, and support for Azure Virtual Desktop](troubleshoot-set-up-overview.md). - You can also leave feedback for Azure Virtual Desktop at the [Azure Virtual Desktop feedback hub](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
-# [Azure Monitor Agent (preview)](#tab/monitor) +# [Log Analytics agent](#tab/analytics) ## The data I need isn't available -If this article doesn't have the data point you need to resolve an issue, you can send us feedback at the following places: +If you want to monitor more Performance counters or Windows Event Logs, you can enable them to send diagnostics info to your Log Analytics workspace and monitor them in **Host Diagnostics: Host browser**. ++- To add performance counters, see [Configuring performance counters](../azure-monitor/agents/data-sources-performance-counters.md#configure-performance-counters) +- To add Windows Events, see [Configuring Windows Event Logs](../azure-monitor/agents/data-sources-windows-events.md#configure-windows-event-logs) ++Can't find a data point to help diagnose an issue? Send us feedback! - To learn how to leave feedback, see [Troubleshooting overview, feedback, and support for Azure Virtual Desktop](troubleshoot-set-up-overview.md). - You can also leave feedback for Azure Virtual Desktop at the [Azure Virtual Desktop feedback hub](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). |
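Review bot: in *The data I need isn't available*, the Azure Monitor Agent tab is reduced to `If this article doesn't have the data point you need to resolve an issue, you can send us feedback`, while the guidance on adding further performance counters and Windows Event Logs moves wholly into the Log Analytics agent tab; Azure Monitor Agent users have the same need and the mechanism is the Data Collection Rule that the same article already references (`To validate the Data Collection Rules in use, see [View data collection rules]`), so add a bullet in the AMA tab that points at editing the DCR's performance counter and Windows event log data sources before the feedback links. Style: the AMA tab keeps `Check your access permissions & contact the resource owners to request missing permissions; anyone monitoring` while the Log Analytics tab is changed to `Check your access permissions and contact the resource owners to request missing permissions. Anyone monitoring`; use the second form in both tabs. Dropping the PREVIEW important block at the top is consistent with the tab rename in the insights article.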
virtual-desktop | Whats New Multimedia Redirection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-multimedia-redirection.md | Title: What's new in multimedia redirection MMR? - Azure Virtual Desktop description: New features and product updates for multimedia redirection for Azure Virtual Desktop. Previously updated : 06/13/2023 Last updated : 09/12/2023 +## Updates for version 1.0.2309.7002 ++*Date published: September 12, 2023* ++In this release, we've made the following changes: ++- Added support for using the Preview version of the extension. +- Fixed a memory leak that caused the host to not close. +- Added support for providing Telemetry IDs to the extension for customer support purposes. +- Improved call connection reliability. + ## Updates for version 1.0.2304.12009 *Date published: June 13, 2023* |
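Review bot: `Added support for using the Preview version of the extension.` and `Added support for providing Telemetry IDs to the extension for customer support purposes.` do not say which extension is meant (the browser extension that multimedia redirection installs, presumably) or what a Telemetry ID identifies and where a user or admin can see it; because this release note introduces a new identifier that is handed to a component for support, name the component and state what the ID refers to (session, host or user) so readers can judge what is being shared. `Fixed a memory leak that caused the host to not close.` would also benefit from naming the host process affected.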
virtual-machines | Automatic Vm Guest Patching | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/automatic-vm-guest-patching.md | As a new rollout is triggered every month, a VM will receive at least one patch | microsoftcblmariner | cbl-mariner | cbl-mariner-2 | | microsoftcblmariner | cbl-mariner | cbl-mariner-2-gen2 | | Redhat | RHEL | 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7_9, 7-RAW, 7-LVM |-| Redhat | RHEL | 8, 8.1, 81gen2, 8.2, 82gen2, 8_3, 83-gen2, 8_4, 84-gen2, 8_5, 85-gen2, 8_6, 86-gen2, 8-lvm, 8-lvm-gen2 | +| Redhat | RHEL | 8, 8.1, 81gen2, 8.2, 82gen2, 8_3, 83-gen2, 8_4, 84-gen2, 8_5, 85-gen2, 8_6, 86-gen2, 8_7, 8-lvm, 8-lvm-gen2 | +| Redhat | RHEL | 9_0, 9_1, 9-lvm, 9-lvm-gen2 | | Redhat | RHEL-RAW | 8-raw, 8-raw-gen2 | | OpenLogic | CentOS | 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7_8, 7_9, 7_9-gen2 | | OpenLogic | centos-lvm | 7-lvm | |
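Review bot: `8_7` is added to the RHEL 8 row without a matching `87-gen2`, although every other minor version in that row is paired (`8_5, 85-gen2, 8_6, 86-gen2`), and the new row `| Redhat | RHEL | 9_0, 9_1, 9-lvm, 9-lvm-gen2 |` lists no `90-gen2` or `91-gen2`; confirm whether the Gen2 image SKUs for RHEL 8.7 and 9.x are unsupported or were left out, since this table is what readers use to decide which images receive automatic guest patching.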
virtual-machines | Basv2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/basv2.md | Last updated 06/20/2022 #Required; mm/dd/yyyy format. Date the article was created o -# Basv2-series (Public Preview) +# Basv2-series Basv2-series virtual machines run on the AMD's 3rd Generation EPYCTM 7763v processor in a multi-threaded configuration with up to 256 MB L3 cache configuration, providing low cost CPU burstable general purpose virtual machines. Basv2-series virtual machines utilize a CPU credit model to track how much CPU is consumed - the virtual machine accumulates CPU credits when a workload is operating below the base CPU performance threshold and, uses credits when running above the base CPU performance threshold, until all of its credits are consumed. Upon consuming all the CPU credits, a Basv2-series virtual machine is throttled back to its base CPU performance until it accumulates the credits to CPU burst again. |
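Review bot: dropping `(Public Preview)` from the H1 is a status change to general availability, but the frontmatter on the same line still reads `Last updated 06/20/2022` and still carries the template remnant `#Required; mm/dd/yyyy format. Date the article was created o`; bump the date and remove the template text in the same change. `EPYCTM` in the opening sentence is a lost trademark symbol (`EPYC™`).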
virtual-machines | Bsv2 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/bsv2-series.md | Last updated 06/20/2022 #Required; mm/dd/yyyy format. Date the article was created o -# Bsv2-series (Public Preview) +# Bsv2-series Bsv2-series virtual machines run on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor in a [hyper threaded](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) configuration, providing low cost CPU burstable general purpose virtual machines. Bsv2-series virtual machines utilize a CPU credit model to track how much CPU is consumed - the virtual machine accumulates CPU credits when a workload is operating below the base CPU performance threshold and, uses credits when running above the base CPU performance threshold until all of its credits are consumed. Upon consuming all the CPU credits, a Bsv2-series virtual machine is throttled back to its base CPU performance until it accumulates the credits to CPU burst again. |
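Review bot: same issue as the Basv2 change: the H1 loses `(Public Preview)` while `Last updated 06/20/2022` and the template comment `#Required; mm/dd/yyyy format. Date the article was created o` remain on the same line; update the date and drop the template remnant.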
virtual-machines | Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/custom-domain.md | In Azure there are multiple ways to connect a custom domain to your VM or resour ## Prerequisites - You need a VM with a web server running. You can use the [Quickstart](./linux/quick-create-cli.md) to create a VM and add NGINX. -- The VM must be accessible to the web (open port 80, or 443 ). For a more secure deployment place your VM behind a load balancer or Application Gateway first. For more information, see [Quickstart: Load Balancer](../load-balancer/quickstart-load-balancer-standard-public-portal.md?tabs=option-1-create-load-balancer-standard).+- The VM must be accessible to the web (open port 80, or 443). For a more secure deployment place your VM behind a load balancer or Application Gateway first. For more information, see [Quickstart: Load Balancer](../load-balancer/quickstart-load-balancer-standard-public-portal.md?tabs=option-1-create-load-balancer-standard). - Have an existing domain and access to DNS settings. For more information, see [Buy a custom domain for Azure App Service](../app-service/manage-custom-dns-buy-domain.md). |
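Review bot: the fix removes the space before `)`, but `open port 80, or 443` still has a stray comma, and the sentence as a whole gives no reason for its security advice; while touching it, say that 443 is the port to expose for a site served over HTTPS and 80 only if it redirects to HTTPS, and say what the recommended `load balancer or Application Gateway` buys the reader (the VM is no longer the directly reachable endpoint), otherwise `For a more secure deployment` is an unexplained assertion.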
virtual-wan | Cross Tenant Vnet Az Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/cross-tenant-vnet-az-cli.md | + + Title: 'Connect cross-tenant virtual networks to a hub: Azure CLI' ++description: This article helps you connect cross-tenant virtual networks to a virtual hub by using Azure CLI. ++++++ Last updated : 09/12/2023++++# Connect cross-tenant virtual networks to a Virtual WAN hub - with Azure CLI ++This article helps you use Azure Virtual WAN to connect a virtual network to a virtual hub in a different tenant. This architecture is useful if you have client workloads that must be connected to be the same network but are on different tenants. For example, as shown in the following diagram, you can connect a non-Contoso virtual network (the remote tenant) to a Contoso virtual hub (the parent tenant). +++In this article, you learn how to: ++* Add another tenant as a Contributor on your Azure subscription. +* Connect a cross-tenant virtual network to a virtual hub. ++The steps for this configuration use a combination of the Azure portal and Azure CLI. However, the feature itself is available in PowerShell and the Azure CLI only. ++>[!NOTE] +> You can manage cross-tenant virtual network connections only through PowerShell or the Azure CLI. You *cannot* manage cross-tenant virtual network connections in the Azure portal. ++## Before you begin ++### Prerequisites ++To use the steps in this article, you must have the following configuration already set up in your environment: ++* A virtual WAN and virtual hub in your parent subscription +* A virtual network configured in a subscription in a different (remote) tenant +* Virtual WAN CLI extension, version 0.3.0 or higher. For more details about extension, go to [Available Azure CLI extensions](/cli/azure/azure-cli-extensions-list). 
++Make sure that the virtual network address space in the remote tenant doesn't overlap with any other address space within any other virtual networks already connected to the parent virtual hub. ++### Working with Azure CLI ++This article uses Azure CLI commands. To run the commands, you can use Azure Cloud Shell. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. ++To open Cloud Shell, just select **Open Cloudshell** from the upper-right corner of a code block. You can also open Cloud Shell on a separate browser tab by going to [CloudShell](https://portal.azure.com/#cloudshell/). In the top left dropdown menu, select Bash instead of PowerShell. ++Select **Copy** to copy the blocks of code, paste them into Cloud Shell, and select the Enter key to run them. ++## <a name="rights"></a>Assign permissions ++1. In the subscription of the virtual network in the remote tenant, add the Contributor role assignment to the administrator (the user who administers the virtual hub). Contributor permissions will enable the administrator to modify and access the virtual networks in the remote tenant. ++ You can use either Azure CLI or the Azure portal to assign this role. See the following articles for steps: ++ * [Assign Azure roles using Azure CLI](../role-based-access-control/role-assignments-cli.md) + * [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md) ++1. Run the following command to add the remote tenant subscription and the parent tenant subscription to the current session of console. If you're signed in to the parent, you need to run the command for only the remote tenant. ++ ```azurecli-interactive + az login --tenant "[tenant ID]" + ``` ++1. Verify that the role assignment is successful. 
Sign in to Azure CLI (if not already) by using the parent credentials and run the following command: ++ ```azurecli-interactive + az account list -o table + ``` ++ If the permissions have successfully propagated to the parent and have been added to the session, the subscriptions owned by the parent and the remote tenant will both appear in the output of the command. ++## <a name="connect"></a>Connect a virtual network to a hub ++In the following steps, you'll be using Azure CLI commands to link a virtual hub to a virtual network in a subscription from a different tenant. Replace the example values to reflect your own environment. ++1. Make sure you're in the context of your virtual hub account: ++ ```azurecli-interactive + az account set --subscriptionId "[virtual hub subscription]" + ``` ++1. Connect the virtual network to the hub: ++ ```azurecli-interactive + az network vhub connection create --resource-group "[resource_group_name]" --name "[connection_name]" --vhub-name "[virtual_hub_name]" --remote-vnet "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/vnetName" + ``` ++You can view the new connection in either Azure CLI or the Azure portal: ++* In the console, the metadata from the newly formed connection appears if the connection was successfully formed. +* In the Azure portal, go to the virtual hub and select **Connectivity** > **Virtual Network Connections**. You can then view the pointer to the connection. To see the actual resource, you'll need the proper permissions. ++## <a name="troubleshoot"></a>Troubleshoot ++* Verify the virtual wan extension is 0.3.0 or higher using ```az --version```. +* Verify that the remote subscription access is available from the cli ```az account list -o table```. +* Make sure quotes are included around the names of resource groups or any other environment-specific variables (for example, `"VirtualHub1"` or `"VirtualNetwork1"`). 
++## Next steps ++- For more information about Virtual WAN, see the [FAQ](virtual-wan-faq.md). |
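Review bot: `az account set --subscriptionId "[virtual hub subscription]"` under *Connect a virtual network to a hub* uses a parameter `az account set` does not have; the option is `--subscription` (alias `-s`), so the step fails as written. Under *Assign permissions*, `In the subscription of the virtual network in the remote tenant, add the Contributor role assignment to the administrator` grants the parent-tenant administrator write access to every resource in the remote subscription, while the connection only needs rights on the remote virtual network; scope the assignment to that virtual network or its resource group and say explicitly that this is a cross-tenant grant the remote tenant's owner should review and remove when it is no longer needed. Smaller: `client workloads that must be connected to be the same network` should read `connected to the same network`, and `Replace the example values to reflect your own environment.` would be more useful if it said which placeholders (`[resource_group_name]`, `[connection_name]`, `[virtual_hub_name]` and the `--remote-vnet` resource ID) belong to the parent tenant and which to the remote one.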