Updates from: 09/14/2021 03:07:29
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-domain-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/policy-reference.md
Title: Built-in policy definitions for Azure Active Directory Domain Services description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
active-directory Concept Conditional Access Conditions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-conditions.md
Previously updated : 07/08/2021 Last updated : 09/13/2021
This setting works with all browsers. However, to satisfy a device policy, like
| OS | Browsers | | :-- | :-- |
-| Windows 10 | Microsoft Edge, Internet Explorer, Chrome |
+| Windows 10 | Microsoft Edge, Internet Explorer, Chrome, [Firefox 91+](https://support.mozilla.org/kb/windows-sso) |
| Windows 8 / 8.1 | Internet Explorer, Chrome | | Windows 7 | Internet Explorer, Chrome | | iOS | Microsoft Edge, Intune Managed Browser, Safari |
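Review bot: the new Windows 10 table entry "Firefox 91+" links to the Windows SSO article but omits the prerequisite that the require-managed-devices change in this same batch states for the same feature, Windows 10 version 1809 or above with Windows SSO configured; adding that caveat here (as a parenthetical or footnote, matching the table's existing style) would keep the two articles consistent, since a reader of this table alone will assume Firefox 91 satisfies the device policy on any Windows 10 build.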
active-directory Concept Continuous Access Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md
Previously updated : 04/27/2021 Last updated : 09/13/2021
# Continuous access evaluation
-Token expiration and refresh is a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, those access tokens are valid for one hour, when they expire, the client is redirected back to Azure AD to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example: we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory.
+Token expiration and refresh are a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, access tokens are valid for one hour, when they expire the client is redirected to Azure AD to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example: we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory.
-Customers have expressed concerns about the lag between when conditions change for the user, like network location or credential theft, and when policies can be enforced related to that change. We have experimented with the "blunt object" approach of reduced token lifetimes but found they can degrade user experiences and reliability without eliminating risks.
+Customers have expressed concerns about the lag between when conditions change for a user, and when policy changes are enforced. Azure AD has experimented with the "blunt object" approach of reduced token lifetimes but found they can degrade user experiences and reliability without eliminating risks.
-Timely response to policy violations or security issues really requires a "conversation" between the token issuer, like Azure AD, and the relying party, like Exchange Online. This two-way conversation gives us two important capabilities. The relying party can notice when things have changed, like a client coming from a new location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user due to account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE). The goal is for response to be near real time, but in some cases latency of up to 15 minutes may be observed due to event propagation time.
+Timely response to policy violations or security issues really requires a "conversation" between the token issuer (Azure AD), and the relying party (enlightened app). This two-way conversation gives us two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE). The goal is for response to be near real time, but latency of up to 15 minutes may be observed because of event propagation time.
The initial implementation of continuous access evaluation focuses on Exchange, Teams, and SharePoint Online.
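Review bot: the rewritten opening paragraph now carries a comma splice, "valid for one hour, when they expire the client is redirected"; split it into "By default, access tokens are valid for one hour. When they expire, the client is redirected to Azure AD to refresh them." In the third paragraph, replacing "the relying party, like Exchange Online" with "the relying party (enlightened app)" introduces a term the article never defines; keep the concrete example, for instance "the relying party (an enlightened app such as Exchange Online)". The second paragraph also drops "like network location or credential theft" as examples of changed conditions, which were the clearest motivation for the near-real-time goal stated a few sentences later; consider keeping at least one of them.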
There are two scenarios that make up continuous access evaluation, critical even
### Critical event evaluation
-Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical events in Azure AD so that those events can be evaluated and enforced near real time. Critical event evaluation does not rely on Conditional Access policies so is available in any tenant. The following events are currently evaluated:
+Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical Azure AD events. Those events can then be evaluated and enforced near real time. Critical event evaluation doesn't rely on Conditional Access policies so is available in any tenant. The following events are currently evaluated:
- User Account is deleted or disabled - Password for a user is changed or reset
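Review bot: "Critical event evaluation doesn't rely on Conditional Access policies so is available in any tenant" is missing its subject after "so"; write "so it is available in any tenant".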
Continuous access evaluation is implemented by enabling services, like Exchange
- Administrator explicitly revokes all refresh tokens for a user - High user risk detected by Azure AD Identity Protection
-This process enables the scenario where users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after one of these critical events.
+This process enables the scenario where users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event.
> [!NOTE]
-> Teams and SharePoint Online does not support user risk events yet.
+> Teams and SharePoint Online do not support user risk events.
### Conditional Access policy evaluation (preview)
-Exchange Online, SharePoint Online, Teams, and MS Graph are able to synchronize key Conditional Access policies so they can be evaluated within the service itself.
+Exchange Online, SharePoint Online, Teams, and MS Graph can synchronize key Conditional Access policies for evaluation within the service itself.
This process enables the scenario where users lose access to organizational files, email, calendar, or tasks from Microsoft 365 client apps or SharePoint Online immediately after network location changes.
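Review bot: the rewritten Conditional Access policy evaluation sentence abbreviates the service as "MS Graph" while the NOTE later in this same change links it as "Microsoft Graph"; use the full product name in both places. Dropping "yet" from the Teams and SharePoint Online note is fine, but the sentence now reads as a permanent limitation; if that isn't the intent, "do not currently support" preserves the original meaning.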
This process enables the scenario where users lose access to organizational file
| **SharePoint Online** | Supported | Supported | Supported | Supported | Supported | | **Exchange Online** | Supported | Supported | Supported | Supported | Supported |
+## Client Capabilities
+ ### Client-side claim challenge
-Before continuous access evaluation, clients would always try to replay the access token from its cache as long as it was not expired. With CAE, we are introducing a new case that a resource provider can reject a token even when it is not expired. In order to inform clients to bypass their cache even though the cached tokens have not expired, we introduce a mechanism called **claim challenge** to indicate that the token was rejected and a new access token need to be issued by Azure AD. CAE requires a client update to understand claim challenge. The latest version of the following applications below support claim challenge:
+Before continuous access evaluation, clients would replay the access token from its cache as long as it hadn't expired. With CAE, we introduce a new case where a resource provider can reject a token when it isn't expired. To inform clients to bypass their cache even though the cached tokens haven't expired, we introduce a mechanism called **claim challenge** to indicate that the token was rejected and a new access token need to be issued by Azure AD. CAE requires a client update to understand claim challenge. The latest version of the following applications below support claim challenge:
| | Web | Win32 | iOS | Android | Mac | | : | :: | :: | :: | :: | :: |
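Review bot: the new "## Client Capabilities" heading is title case while every other heading in the article uses sentence case ("Available options", "Supported location policies", "Push notifications"); use "## Client capabilities". The subheading line below it is also indented by one space (`+ ### Client-side claim challenge`), which renders but is inconsistent with the other headings. In the paragraph itself, "a new access token need to be issued" should be "needs to be issued", and "The latest version of the following applications below" is redundant; "The latest versions of the following applications support claim challenge:" reads cleaner.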
Before continuous access evaluation, clients would always try to replay the acce
### Token lifetime
-Because risk and policy are evaluated in real time, clients that negotiate continuous access evaluation aware sessions will rely on CAE instead of existing static access token lifetime policies, which means that configurable token lifetime policy will not be honored anymore for CAE-capable clients that negotiate CAE-aware sessions.
+Because risk and policy are evaluated in real time, clients that negotiate continuous access evaluation aware sessions no longer rely on static access token lifetime policies. This change means that the configurable token lifetime policy isn't honored for clients negotiating CAE-aware sessions.
-Token lifetime is increased to be long lived, up to 28 hours, in CAE sessions. Revocation is driven by critical events and policy evaluation, not just an arbitrary time period. This change increases the stability of applications without affecting security posture.
+Token lifetime is increased to long lived, up to 28 hours, in CAE sessions. Revocation is driven by critical events and policy evaluation, not just an arbitrary time period. This change increases the stability of applications without affecting security posture.
-If you are not using CAE-capable clients, your default access token lifetime will remain 1 hour unless you have configured your access token lifetime with the [Configurable Token Lifetime (CTL)](../develop/active-directory-configurable-token-lifetimes.md) preview feature.
+If you aren't using CAE-capable clients, your default access token lifetime will remain 1 hour. The default only changes if you configured your access token lifetime with the [Configurable Token Lifetime (CTL)](../develop/active-directory-configurable-token-lifetimes.md) preview feature.
-## Example flows
+## Example flow diagrams
-### User revocation event flow:
+### User revocation event flow
![User revocation event flow](./media/concept-continuous-access-evaluation/user-revocation-event-flow.png) 1. A CAE-capable client presents credentials or a refresh token to Azure AD asking for an access token for some resource. 1. An access token is returned along with other artifacts to the client. 1. An Administrator explicitly [revokes all refresh tokens for the user](/powershell/module/azuread/revoke-azureaduserallrefreshtoken). A revocation event will be sent to the resource provider from Azure AD.
-1. An access token is presented to the resource provider. The resource provider evaluates the validity of the token and checks whether there is any revocation event for the user. The resource provider uses this information to decide to grant access to the resource or not.
+1. An access token is presented to the resource provider. The resource provider evaluates the validity of the token and checks whether there's any revocation event for the user. The resource provider uses this information to decide to grant access to the resource or not.
1. In this case, the resource provider denies access, and sends a 401+ claim challenge back to the client. 1. The CAE-capable client understands the 401+ claim challenge. It bypasses the caches and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD will then reevaluate all the conditions and prompt the user to reauthenticate in this case.
-### User condition change flow (Preview):
+### User condition change flow (Preview)
In the following example, a Conditional Access administrator has configured a location based Conditional Access policy to only allow access from specific IP ranges:
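Review bot: "Token lifetime is increased to long lived, up to 28 hours, in CAE sessions" is ungrammatical after the edit; "In CAE sessions, token lifetime is increased to up to 28 hours" or "tokens become long lived, up to 28 hours" reads cleanly. The same paragraph keeps the claim that the longer lifetime comes "without affecting security posture", but the Limitations section added later in this change describes two cases (an IP mismatch between identity provider and resource provider, and sign-ins from MFA trusted IPs or country-based locations) where Azure AD falls back to a one-hour token with no location enforcement; a short pointer to those limitations here would keep the claim honest for readers who stop at this section.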
In the following example, a Conditional Access administrator has configured a lo
1. User moves out of an allowed IP range 1. The client presents an access token to the resource provider from outside of an allowed IP range. 1. The resource provider evaluates the validity of the token and checks the location policy synced from Azure AD.
-1. In this case, the resource provider denies access, and sends a 401+ claim challenge back to the client because it is not coming from allowed IP range.
+1. In this case, the resource provider denies access, and sends a 401+ claim challenge back to the client. The client is challenged because it isn't coming from an allowed IP range.
1. The CAE-capable client understands the 401+ claim challenge. It bypasses the caches and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD reevaluates all the conditions and will deny access in this case. ## Enable or disable CAE (Preview)
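Review bot: in the split step 4 sentence, "The client is challenged because it isn't coming from an allowed IP range" is clearer as "The client is challenged because the request originates outside the allowed IP ranges", which matches the wording of step 2 in the same flow; otherwise the split reads well.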
In the following example, a Conditional Access administrator has configured a lo
From this page, you can optionally limit the users and groups that will be subject to the preview.
-> [!WARNING]
-> To disable continuous access evaluation please select **Enable preview** then **Disable preview** and select **Save**.
- > [!NOTE]
->You can query the Microsoft Graph via [**continuousAccessEvaluationPolicy**](/graph/api/continuousaccessevaluationpolicy-get?view=graph-rest-beta&tabs=http#request-body) to verify the configuration of CAE in your tenant. An HTTP 200 response and associated response body indicate whether CAE is enabled or disabled in your tenant. CAE is not configured if Microsoft Graph returns an HTTP 404 response.
+> You can query the Microsoft Graph via [**continuousAccessEvaluationPolicy**](/graph/api/continuousaccessevaluationpolicy-get?view=graph-rest-beta&tabs=http#request-body) to verify the configuration of CAE in your tenant. An HTTP 200 response and associated response body indicate whether CAE is enabled or disabled in your tenant. CAE is not configured if Microsoft Graph returns an HTTP 404 response.
![Enabling the CAE preview in the Azure portal](./media/concept-continuous-access-evaluation/enable-cae-preview.png)
-## Troubleshooting
+### Available options
-### Supported location policies
+Organizations have options when it comes to enabling CAE.
-For CAE, we only have insights into named IP-based named locations. We have no insights into other location settings like [MFA trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips) or country-based locations. When user comes from an MFA trusted IP or trusted locations that include MFA Trusted IPs or country location, CAE will not be enforced after user move to a different location. In those cases, we will issue a 1-hour CAE token without instant IP enforcement check.
+1. Leaving the default selected **Auto Enable after general availability** enables the functionality when CAE is generally available.
+1. Customers who select **Enable preview** immediately benefit from the new functionality and won't have to make any changes at general availability.
+1. Customers who select **Disable preview** have time to adopt CAE at their organization's own pace. This setting will persist as **Disabled** at general availability.
-> [!IMPORTANT]
-> When configuring locations for continuous access evaluation, use only the [IP based Conditional Access location condition](../conditional-access/location-condition.md) and configure all IP addresses, **including both IPv4 and IPv6**, that can be seen by your identity provider and resources provider. Do not use country location conditions or the trusted ips feature that is available in Azure AD Multi-Factor Authentication's service settings page.
+## Limitations
+
+### Group membership and Policy update effective time
+
+Changes made to Conditional Access policies and group membership made by administrators could take up to one day to be effective. The delay is from replication between Azure AD and resource providers like Exchange Online and SharePoint Online. Some optimization has been done for policy updates, which reduce the delay to two hours. However, it doesn't cover all the scenarios yet.
+
+When Conditional Access policy or group membership changes need to be applied to certain users immediately, you have two options.
-### IP address configuration
+- Run the [revoke-azureaduserallrefreshtoken PowerShell command](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) to revoke all refresh tokens of a specified user.
+- Select "Revoke Session" on the user profile page in the Azure portal to revoke the user's session to ensure that the updated policies will be applied immediately.
-Your identity provider and resource providers may see different IP addresses. This mismatch may happen due to network proxy implementations in your organization or incorrect IPv4/IPv6 configurations between your identity provider and resource provider. For example:
+### IP address variation
+
+Your identity provider and resource providers may see different IP addresses. This mismatch may happen because of:
+
+- Network proxy implementations in your organization
+- Incorrect IPv4/IPv6 configurations between your identity provider and resource provider
+
+Examples:
- Your identity provider sees one IP address from the client. - Your resource provider sees a different IP address from the client after passing through a proxy.-- The IP address your identity provider sees is part of an allowed IP range in policy but the IP address from the resource provider is not.
+- The IP address your identity provider sees is part of an allowed IP range in policy but the IP address from the resource provider isn't.
-If this scenario exists in your environment to avoid infinite loops, Azure AD will issue a one hour CAE token and will not enforce client location change. Even in this case, security is improved compared to traditional one hour tokens since we are still evaluating the [other events](#critical-event-evaluation) besides client location change events.
+To avoid infinite loops because of these scenarios, Azure AD issues a one hour CAE token and won't enforce client location change. In this case, security is improved compared to traditional one hour tokens since we're still evaluating the [other events](#critical-event-evaluation) besides client location change events.
+
+### Supported location policies
+
+CAE only has insight into [IP-based named locations](../conditional-access/location-condition.md#ip-address-ranges). CAE doesn't have insight into other location conditions like [MFA trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips) or country-based locations. When a user comes from an MFA trusted IP, trusted location that includes MFA Trusted IPs, or country location, CAE won't be enforced after that user moves to a different location. In those cases, Azure AD will issue a one-hour access token without instant IP enforcement check.
+
+> [!IMPORTANT]
+> When configuring locations for continuous access evaluation, use only the [IP based Conditional Access location condition](../conditional-access/location-condition.md) and configure all IP addresses, **including both IPv4 and IPv6**, that can be seen by your identity provider and resources provider. Do not use country location conditions or the trusted ips feature that is available in Azure AD Multi-Factor Authentication's service settings page.
### Office and Web Account Manager settings | Office update channel | DisableADALatopWAMOverride | DisableAADWAM | | | | |
-| Semi-Annual Enterprise Channel | If set to enabled or 1, CAE is not be supported. | If set to enabled or 1, CAE is not be supported. |
-| Current Channel <br> or <br> Monthly Enterprise Channel | CAE is supported regardless of the setting | CAE is supported regardless of the setting |
+| Semi-Annual Enterprise Channel | If set to enabled or 1, CAE won't be supported. | If set to enabled or 1, CAE won't be supported. |
+| Current Channel <br> or <br> Monthly Enterprise Channel | CAE is supported whatever the setting | CAE is supported whatever the setting |
-For an explanation of the office update channels, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels). It is recommended that organizations do not disable Web Account Manager (WAM).
+For an explanation of the office update channels, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels). The recommendation is that organizations don't disable Web Account Manager (WAM).
-### Group membership and Policy update effective time
+### Coauthoring in Office apps
-Group membership and policy update made by administrators could take up to one day to be effective. Some optimization has been done for policy updates which reduce the delay to two hours. However, it does not cover all the scenarios yet.
+When multiple users are collaborating on a document at the same time, their access to the document may not be immediately revoked by CAE based on user revocation or policy change events. In this case, the user loses access completely after:
-If there is an emergency and you need to have your policies updated or group membership change to be applied to certain users immediately, you should use this [PowerShell command](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) or "Revoke Session" in the user profile page to revoke the users' session, which will make sure that the updated policies will be applied immediately.
+- Closing the document
+- Closing the Office app
+- After a period of 10 hours
-### Coauthoring in Office apps
+To reduce this time a SharePoint Administrator can reduce the maximum lifetime of coauthoring sessions for documents stored in SharePoint Online and OneDrive for Business, by [configuring a network location policy in SharePoint Online](/sharepoint/control-access-based-on-network-location). Once this configuration is changed, the maximum lifetime of coauthoring sessions will be reduced to 15 minutes, and can be adjusted further using the SharePoint Online PowerShell command "[Set-SPOTenant ΓÇôIPAddressWACTokenLifetime](/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps)".
-When multiple users are collaborating on the same document at the same time, the user's access to the document may not be immediately revoked by CAE based on user revocation or policy change events. In this case, the user loses access completely after, closing the document, closing Word, Excel, or PowerPoint, or after a period of 10 hours.
+### Enable after a user is disabled
-To reduce this time a SharePoint Administrator can optionally reduce the maximum lifetime of coauthoring sessions for documents stored in SharePoint Online and OneDrive for Business, by [configuring a network location policy in SharePoint Online](/sharepoint/control-access-based-on-network-location). Once this configuration is changed, the maximum lifetime of coauthoring sessions will be reduced to 15 minutes, and can be adjusted further using the SharePoint Online PowerShell command "Set-SPOTenant ΓÇôIPAddressWACTokenLifetime"
+If you enable a user right after disabling, there's some latency before the account is recognized as enabled in downstream Microsoft services.
-### Enable after a user is disabled
+- SharePoint Online and Teams typically have a 15-minute delay. 
+- Exchange Online typically has a 35-40 minute delay.
+
+### Push notifications
-If you enable a user right after it is disabled. There will be some latency before the account can be enabled. SPO and Teams will have 15-mins delay. The delay is 35-40 minutes for EXO.
+An IP address policy isn't evaluated before push notifications are released. This scenario exists because push notifications are outbound and don't have an associated IP address to be evaluated against. If a user clicks into that push notification, for example an email in Outlook, CAE IP address policies are still enforced before the email can display. Push notifications display a message preview, which isn't protected by an IP address policy. All other CAE checks are done before the push notification being sent. If a user or device has its access removed, enforcement occurs within the documented period.
## FAQs
Sign-in Frequency will be honored with or without CAE.
## Next steps -- [Announcing continuous access evaluation](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) - [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md) - [Claims challenges, claims requests, and client capabilities](../develop/claims-challenge.md)
+- [Monitor and troubleshoot continuous access evaluation](howto-continuous-access-evaluation-troubleshoot.md)
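Review bot: the SharePoint cmdlet at the end of the coauthoring section carries a mis-encoded dash, `Set-SPOTenant ΓÇôIPAddressWACTokenLifetime`; write it with an ASCII hyphen, `Set-SPOTenant -IPAddressWACTokenLifetime`, so the parameter copies cleanly into PowerShell. For the same reason, the group-membership bullet should use the cmdlet's documented casing, `Revoke-AzureADUserAllRefreshToken`, rather than `revoke-azureaduserallrefreshtoken`. The two fallback descriptions also disagree on terminology: "IP address variation" says Azure AD "issues a one hour CAE token", while "Supported location policies" says it "will issue a one-hour access token"; both describe the same behavior, and the text being replaced called both a CAE token, so pick one wording (hyphenated) and use it in both places. Wording nits in the added text: "Changes made to Conditional Access policies and group membership made by administrators" repeats "made"; "the user loses access completely after:" followed by the bullet "After a period of 10 hours" repeats "after"; "before the push notification being sent" should be "before the push notification is sent"; and the IMPORTANT callout still reads "resources provider" where "resource provider" is meant.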
active-directory Howto Continuous Access Evaluation Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot.md
+
+ Title: Monitor and troubleshoot sign-ins with continuous access evaluation in Azure AD
+description: Troubleshoot and respond to changes in user state faster with continuous access evaluation in Azure AD
+++++ Last updated : 09/13/2021++++++++
+# Monitor and troubleshoot continuous access evaluation
+
+Administrators can monitor and troubleshoot sign in events where [continuous access evaluation (CAE)](concept-continuous-access-evaluation.md) is applied in multiple ways.
+
+## Continuous access evaluation sign-in reporting
+
+Administrators will have the opportunity to monitor user sign-ins where CAE is applied. This pane can be located by via the following instructions:
+
+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Browse to **Azure Active Directory** > **Sign-ins**.
+1. Apply the **Is CAE Token** filter.
+
+[ ![Add a filter to the Sitn-ins log to see where CAE is being applied or not](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-sign-ins-log-apply-filter.png) ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-sign-ins-log-apply-filter.png#lightbox)
+
+From here, admins will be presented with information about their userΓÇÖs sign-in events. Select any sign-in to see details about the session, like which Conditional Access policies were applied and is CAE enabled.
+
+A given sign-in attempt may display on either the interactive or non-interactive tab. Administrators may need to check both tabs as they track their userΓÇÖs sign-ins.
+
+### Searching for specific sign-in attempts
+
+Use filters to narrow your search. For example, if a user signed in to Teams, use the Application filter and set it to Teams. Admins may need to check the sign-ins from both interactive and non-interactive tabs to locate the specific sign-in. To further narrow the search, admins may apply multiple filters.
+
+## Continuous access evaluation workbooks
+
+The continuous access evaluation insights workbook allows administrators to view and monitor CAE usage insights for their tenants. The first table displays authentication attempts with IP mismatches. The second table displays the support status of CAE across various applications. This workbook can be found as template under the Conditional Access category.
+
+### Accessing the CAE workbook template
+
+Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
+
+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Browse to **Azure Active Directory** > **Workbooks**.
+1. Under **Public Templates**, search for **Continuous access evaluation insights**.
+
+[ ![Find the CAE insights workbook in the gallery to continue monitoring](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-workbooks-continuous-access-evaluation.png) ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-workbooks-continuous-access-evaluation.png#lightbox)
+
+The **Continuous access evaluation insights** workbook contains two tables:
+
+### Table 1: Potential IP address mismatch between Azure AD and resource provider
+
+![Workbook table 1 showing potential IP address mismatches](./media/howto-continuous-access-evaluation-troubleshoot/continuous-access-evaluation-insights-workbook-table-1.png)
+
+The potential IP address mismatch between Azure AD & resource provider table allows admins to investigate sessions where the IP address detected by Azure AD doesn't match with the IP address detected by the Resource Provider.
+
+This workbook table sheds light on these scenarios by displaying the respective IP addresses and whether a CAE token was issued during the session.
+
+#### IP address configuration
+
+Your identity provider and resource providers may see different IP addresses. This mismatch may happen because of the following examples:
+
+- Your network implements split tunneling.
+- Your resource provider is using an IPv6 address and Azure AD is using an IPv4 address.
+- Because of network configurations, Azure AD sees one IP address from the client and your resource provider sees a different IP address from the client.
+
+If this scenario exists in your environment, to avoid infinite loops, Azure AD will issue a one-hour CAE token and won't enforce client location change during that one-hour period. Even in this case, security is improved compared to traditional one-hour tokens since we're still evaluating the other events besides client location change events.
+
+Admins can view records filtered by time range and application. Admins can compare the number of mismatched IPs detected with the total number of sign-ins during a specified time period.
+
+To unblock users, administrators can add specific IP addresses to a trusted named location.
+
+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations.
+
+> [!NOTE]
+> Before adding an IP address as a trusted named location, confirm that the IP address does in fact belong to the intended organization.
+
+For more information about named locations, see the article [Using the location condition](location-condition.md#named-locations)
+
+### Table 2: Continuous access evaluation support status
+
+![Workbook table 2 showing CAE supported apps and sign-in count](./media/howto-continuous-access-evaluation-troubleshoot/continuous-access-evaluation-insights-workbook-table-2.png)
+
+The continuous access evaluation support status table allows admins to differentiate between client applications that support CAE and those client applications that don't support CAE. The table displays the number of user sign-ins for each client application.
+
+You may notice that the same application may appear as both supported and not supported. This duplication is because of a concept called client capability. Not all clients are CAE supported and capable. For example, if a customer has some users using the latest version of Outlook and others still using an older unsupported version, that customer will see Outlook instances as supported and non supported. The older version of Outlook isn't CAE capable can't do continuous access evaluation. For users that are using the most recent version of Outlook, the admin will see supported CAE status.
+
+Based on analysis, admins may choose to turn on strict enforcement within a Conditional Access policy. When strict enforcement is turned on, any client that isn't CAE capable will be rejected entirely. Admins can view records filtered by time range, application, and resource.
+
+## Next steps
+
+- [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
+- [Using the location condition](location-condition.md#named-locations)
+- [Continuous access evaluation](concept-continuous-access-evaluation.md)
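Review bot: The sentence "The older version of Outlook isn't CAE capable can't do continuous access evaluation" in the client-capability paragraph is missing its conjunction; suggest "The older version of Outlook isn't CAE capable and can't do continuous access evaluation." In the same paragraph "supported and non supported" should read "supported and unsupported" to match "older unsupported version" earlier in the sentence, and the line "For more information about named locations, see the article [Using the location condition](location-condition.md#named-locations)" needs a terminal period.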
active-directory Require Managed Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/require-managed-devices.md
Previously updated : 10/16/2020 Last updated : 09/13/2021
Requiring managed devices for cloud app access ties **Azure AD Conditional Acces
- **[Conditional Access in Azure Active Directory](./overview.md)** - This article provides you with a conceptual overview of Conditional Access and the related terminology. - **[Introduction to device management in Azure Active Directory](../devices/overview.md)** - This article gives you an overview of the various options you have to get devices under organizational control. - For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji). This extension is required when a Conditional Access policy requires device-specific details.-- For Firefox support, starting **Firefox 91** in **Windows 10 version 1809 or above**, configure [Windows SSO](https://support.mozilla.org/en-US/kb/windows-sso).
+- For Firefox support, starting in **Firefox 91** in **Windows 10 version 1809 or above**, configure [Windows SSO](https://support.mozilla.org/kb/windows-sso).
>[!NOTE] > We recommend using Azure AD device based Conditional Access policy to get the best enforcement after initial device authentication. This includes closing sessions if the device falls out of compliance and device code flow.
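Review bot: The reworded Firefox bullet now reads "starting in **Firefox 91** in **Windows 10 version 1809 or above**", which stacks two "in" phrases; suggest "starting with **Firefox 91** on **Windows 10 version 1809 or above**". Dropping the `en-US` segment from the support.mozilla.org link is consistent with the same link change in the primary refresh token article in this set, so that part is fine.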
active-directory What If Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/what-if-tool.md
You can only select one user. This is the only required field.
The default for this setting is **All cloud apps**. The default setting performs an evaluation of all available policies in your environment. You can narrow down the scope to policies affecting specific cloud apps.
+> [!NOTE]
+> When using the What If tool, it does not test for [Conditional Access service dependencies](service-dependencies.md). For example, if you are using What If to test a Conditional Access policy for Microsoft Teams, the result will not take into consideration any policy that would apply to Office 365 Exchange Online, a Conditional Access service dependency for Microsoft Teams.
+ ### IP address The IP address is a single IPv4 address to mimic the [location condition](location-condition.md). The address represents Internet facing address of the device used by your user to sign in. You can verify the IP address of a device by, for example, navigating to [What is my IP address](https://whatismyipaddress.com).
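Review bot: The added note opens with a dangling modifier, "When using the What If tool, it does not test for [Conditional Access service dependencies]"; the subject should be the tool itself, e.g. "The What If tool does not test for [Conditional Access service dependencies](service-dependencies.md)." The Teams/Exchange Online example in the second sentence is clear and can stay as written.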
active-directory Msal Android Handling Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-android-handling-exceptions.md
Title: Errors and exceptions (MSAL Android) | Azure
description: Learn how to handle errors and exceptions, Conditional Access, and claims challenges in MSAL Android applications. -+
Last updated 08/07/2020-+
active-directory Msal Android Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-android-single-sign-on.md
Title: How to enable cross-app SSO on Android using MSAL | Azure
description: How to use the Microsoft Authentication Library (MSAL) for Android to enable single sign-on across your applications. -+
android
ms.devlang: java Last updated 10/15/2020-+
active-directory Msal Net Migration Android Broker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-migration-android-broker.md
Title: Migrate Xamarin Android apps using brokers to MSAL.NET description: Learn how to migrate Xamarin Android apps that use the Microsoft Authenticator or Intune Company Portal from ADAL.NET to MSAL.NET.-+
Last updated 08/31/2020-+ #Customer intent: As an application developer, I want to learn how to migrate my Xamarin Android applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET.
active-directory Quickstart V2 Angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-angular.md
Title: "Quickstart: Sign in users in Angular single-page apps - Azure"
description: In this quickstart, you learn how an Angular app can call an API that requires access tokens issued by the Microsoft identity platform. -+
Last updated 03/18/2020-++ #Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform so that my Angular app can sign in users of personal Microsoft accounts, work accounts, or school accounts.
active-directory Tutorial V2 Angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-angular.md
Title: "Tutorial: Create an Angular app that uses the Microsoft identity platfor
description: In this tutorial, you build an Angular single-page app (SPA) that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf. -+
Last updated 03/05/2020-+ + # Tutorial: Sign in users and call the Microsoft Graph API from an Angular single-page application
active-directory V2 Permissions And Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-permissions-and-consent.md
Some high-privilege permissions in Microsoft resources can be set to *admin-rest
* Write data to an organization's directory by using `Directory.ReadWrite.All` * Read all groups in an organization's directory by using `Groups.Read.All`
+> [!NOTE]
+>In requests to the authorization, token or consent endpoints for the Microsoft Identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, `scope=User.Read` is equivalent to `https://graph.microsoft.com/User.Read`.
+ Although a consumer user might grant an application access to this kind of data, organizational users can't grant access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. If your app requires scopes for admin-restricted permissions, an organization's administrator must consent to those scopes on behalf of the organization's users. To avoid displaying prompts to users that request consent for permissions they can't grant, your app can use the admin consent endpoint. The admin consent endpoint is covered in the next section.
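Review bot: The second line of the new note, ">In requests to the authorization, token or consent endpoints for the Microsoft Identity platform", is missing the space after ">" that the "> [!NOTE]" line above it uses, and "Microsoft Identity platform" should be "Microsoft identity platform" to match the lowercase form used in the Angular quickstart and tutorial descriptions elsewhere in this change set. The `scope=User.Read` / `https://graph.microsoft.com/User.Read` example is a useful concrete illustration of the default-resource rule and should stay.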
active-directory Concept Primary Refresh Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/concept-primary-refresh-token.md
Previously updated : 07/20/2020 Last updated : 09/13/2021
Once issued, a PRT is valid for 14 days and is continuously renewed as long as t
A PRT is used by two key components in Windows: * **Azure AD CloudAP plugin**: During Windows sign in, the Azure AD CloudAP plugin requests a PRT from Azure AD using the credentials provided by the user. It also caches the PRT to enable cached sign in when the user does not have access to an internet connection.
-* **Azure AD WAM plugin**: When users try to access applications, the Azure AD WAM plugin uses the PRT to enable SSO on Windows 10. Azure AD WAM plugin uses the PRT to request refresh and access tokens for applications that rely on WAM for token requests. It also enables SSO on browsers by injecting the PRT into browser requests. Browser SSO in Windows 10 is supported on Microsoft Edge (natively), Chrome (via the [Windows 10 Accounts](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en) or [Office Online](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb?hl=en) extensions) or Mozilla Firefox v91+ (via [Windows SSO setting](https://support.mozilla.org/en-US/kb/windows-sso))
+* **Azure AD WAM plugin**: When users try to access applications, the Azure AD WAM plugin uses the PRT to enable SSO on Windows 10. Azure AD WAM plugin uses the PRT to request refresh and access tokens for applications that rely on WAM for token requests. It also enables SSO on browsers by injecting the PRT into browser requests. Browser SSO in Windows 10 is supported on Microsoft Edge (natively), Chrome (via the [Windows 10 Accounts](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en) or [Office Online](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb?hl=en) extensions) or Mozilla Firefox v91+ (Firefox [Windows SSO setting](https://support.mozilla.org/kb/windows-sso))
## How is a PRT renewed?
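Review bot: The rewritten WAM plugin bullet still ends without a period after the closing parenthesis (inherited from the removed line), and "Azure AD WAM plugin uses the PRT to request refresh and access tokens" should start with "The". The new parenthetical "Mozilla Firefox v91+ (Firefox [Windows SSO setting](https://support.mozilla.org/kb/windows-sso))" repeats "Firefox"; suggest "(via the Firefox [Windows SSO setting](...))" so it mirrors "(via the ... extensions)" used for Chrome earlier in the same sentence.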
active-directory Entitlement Management Access Reviews Review Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-reviews-review-access.md
Azure AD entitlement management simplifies how enterprises manage access to grou
To review users' active access package assignments, the creator of a review must satisfy these prerequisites: - Azure AD Premium P2-- Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager
+- Global administrator, Identity Governance administrator, or User administrator
For more information, see [License requirements](entitlement-management-overview.md#license-requirements).
To review access for multiple users more quickly, you can use the system-generat
## Next steps -- [Self-review of access packages](entitlement-management-access-reviews-self-review.md)
+- [Self-review of access packages](entitlement-management-access-reviews-self-review.md)
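Review bot: The replacement prerequisites line drops "Catalog owner" and "Access package manager" from the roles that can create a review of active access package assignments, which narrows who the "creator of a review must satisfy these prerequisites" sentence applies to; a change of that kind should carry an explanation in the commit message so reviewers can confirm it reflects product behavior rather than an accidental trim. The re-added "- [Self-review of access packages]" bullet under Next steps is textually identical to the removed one, so that part of the change is presumably whitespace or line-ending only.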
active-directory Tshoot Connect Sync Errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/tshoot-connect-sync-errors.md
a. Ensure that the userPrincipalName attribute has supported characters and requ
#### Related Articles * [Prepare to provision users through directory synchronization to Microsoft 365](https://support.office.com/article/Prepare-to-provision-users-through-directory-synchronization-to-Office-365-01920974-9e6f-4331-a370-13aea4e82b3e)
+## Deletion access violation and Password access violation errors
+
+Azure Active Directory protects cloud only objects from being updated through Azure AD Connect. While it is not possible to update these objects through Azure AD Connect, calls can be made directly to the AADConnect cloud side backend to attempt to change cloud only objects. When doing so, the following errors can be returned:
+
+* Deleting a cloud only object is not supported. Please contact Microsoft Customer Support.
+* The password change request cannot be executed since it contains changes to one or more cloud only user objects, which is not supported. Please contact Microsoft Customer Support.
+ ## LargeObject ### Description When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema, the synchronization operation results in the **LargeObject** or **ExceededAllowedLength** sync error. Typically this error occurs for the following attributes
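Review bot: The new section mixes two product names for the same component, "Azure AD Connect" in the first sentence and "AADConnect cloud side backend" in the second; use "Azure AD Connect" throughout. "Cloud only objects" and "cloud only user objects" should be hyphenated ("cloud-only") when used attributively, as in the section title's subject. The two bullets quote the exact error strings returned by the service, so keep their wording verbatim; consider rendering them in code formatting so readers can search for them literally.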
active-directory Secure Hybrid Access Integrations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/secure-hybrid-access-integrations.md
- Title: Secure hybrid access with Azure AD partner integration
-description: Help customers discover and migrate SaaS applications into Azure AD and connect apps that use legacy authentication methods with Azure AD.
------- Previously updated : 04/20/2021----
-# Secure hybrid access with Azure Active Directory partner integrations
-
-Azure Active Directory (Azure AD) supports modern authentication protocols that keep applications secure in a highly connected, cloud-based world. However, many business applications were created to work in a protected corporate network, and some of these applications use legacy authentication methods. As companies look to build a Zero Trust strategy and support hybrid and cloud-first work environments, they need solutions that connect apps to Azure AD and provide modern authentication solutions for legacy applications.
-
-Azure AD natively supports modern protocols like SAML, WS-Fed, and OIDC. Azure AD's App Proxy supports Kerberos and header-based authentication. Other protocols like SSH, NTLM, LDAP, Cookies, aren't yet supported, but ISVs can create solutions to connect these applications with Azure AD to support customers on their journey to Zero Trust.
-
-ISVs have the opportunity to help customers discover and migrate SaaS applications into Azure AD. They can also connect apps that use legacy authentication methods with Azure AD. This will help customers consolidate onto a single platform (Azure AD) to simplify their app management and enable them to implement Zero Trust principles. Supporting apps using legacy authentication makes their users more secure. This solution can be a great stop-gap until the customer modernizes their apps to support modern authentication protocols.
-
-## Solution overview
-
-The solution you build can include the following parts:
-
-1. **App discovery**. Often, customers aren't aware of all the applications they're using. So as a first step you can build application discovery capabilities into your solution and surface discovered applications in the user interface. This enables the customer to prioritize how they want to approach integrating their applications with Azure AD.
-2. **App migration**. Next you can create an in-product workflow where the customer can directly integrate apps with Azure AD without having to go to the Azure AD portal. If you don't implement discovery capabilities in your solution you can start your solution here, integrating the applications customers do know about with Azure AD.
-3. **Legacy authentication support**. You can connect apps using legacy authentication methods to Azure AD so that they get the benefits of single sign-on (SSO) and other features.
-4. **Conditional access**. As an additional feature, you can enable customers to apply Azure AD [Conditional Access](/azure/active-directory/conditional-access/overview/) policies to the applications from within your solution without having to go the Azure AD portal.
-
-The rest of this guide explains the technical considerations and our recommendations for implementing a solution.
-
-## Publish your application to the Azure AD app gallery
-
-You can pre-integrate your application with Azure AD to support SSO and automated provisioning by following the process to [publish it in the Azure AD app gallery](/azure/active-directory/develop/v2-howto-app-gallery-listing/). The Azure AD app gallery is a trusted source of Azure AD compatible applications for IT admins. Applications listed there have been validated to be compatible with Azure AD. They support SSO, automate user provisioning, and can easily integrate into customer tenants with automated app registration.
-
-In addition, we recommend that you become a [verified publisher](/azure/active-directory/develop/publisher-verification-overview/) so that customers know you are the trusted publisher of the app.
-
-## Enable IT admin single sign-on
-
-You'll want to [choose either OIDC or SAML](/azure/active-directory/manage-apps/sso-options#choosing-a-single-sign-on-method/) to enable SSO for IT administrators to your solution.
-
-The best option is to use OIDC. Microsoft Graph uses [OIDC/OAuth](/azure/active-directory/develop/v2-protocols-oidc/). This means that if your solution uses OIDC with Azure AD for IT administrator SSO, then your customers will have a seamless end-to-end experience. They'll use OIDC to sign in to your solution and that same JSON Web Token (JWT) that was issued by Azure AD can then be used to interact with Microsoft Graph.
-
-If your solution is instead using [SAML](/azure/active-directory/manage-apps/configure-saml-single-sign-on/) for IT administrator SSO, the SAML token won't enable your solution to interact with Microsoft Graph. You can still use SAML for IT administrator SSO but your solution needs to support OIDC integration with Azure AD so it can get a JWT from Azure AD to properly interact with Microsoft Graph. You can use one of the following approaches:
-
-Recommended SAML Approach: Create a new registration in the Azure AD app gallery, which is [an OIDC app](/azure/active-directory/saas-apps/openidoauth-tutorial/). This provides the most seamless experience for your customer. They'll add both the SAML and OIDC apps to their tenant. If your application isn't in the Azure AD gallery today, you can start with a non-gallery [multi-tenant application](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant/).
-
-Alternate SAML Approach: Your customer can manually [create an OIDC application registration](/azure/active-directory/saas-apps/openidoauth-tutorial/) in their Azure AD tenant and ensure they set the right URI's, endpoints, and permissions specified later in this document.
-
-You'll would want to use the [client_credentials grant type](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token/), which will require that your solution allows the customer to input a client_ID and secret into your user interface, and that you store this information. Get a JWT from Azure AD, which you can then use to interact with Microsoft Graph.
-
-If you choose this route, you should have ready-made documentation for your customer about how to create this application registration within their Azure AD tenant including the endpoints, URI's, and permissions required.
-
-> [!NOTE]
-> Before any applications can be used for either IT administrator or end-user sign-on, the customer's IT administrator will need to [consent to the application in their tenant](/azure/active-directory/manage-apps/grant-admin-consent/).
-
-## Authentication flows
-
-The solution will include three key authentication flows that support the following scenarios:
-
-1. The customer's IT administrator signs in with SSO to administer your solution.
-
-2. The customer's IT administrator uses your solution to integrate applications with Azure AD via Microsoft Graph.
-
-3. End-users sign into legacy applications secured by your solution and Azure AD.
-
-### Your customer's IT administrator does single sign-on to your solution
-
-Your solution can use either SAML or OIDC for SSO when the customer's IT administrator signs in. Either way, its recommended that the IT administrator can sign in to your solution using their Azure AD credentials, which enables them a seamless experience and allows them to use the existing security controls they already have in place. Your solution should be integrated with Azure AD for SSO using either SAML or OIDC.
-
-![image diagram of the IT administrator being redirected by the solution to Azure AD to log in, and then being redirected by Azure AD back to the solution with a SAML token or JWT](./media/secure-hybrid-access-integrations/admin-flow.png)
-
-1. The IT administrator wants to sign-in to your solution with their Azure AD credentials.
-
-2. Your solution will redirect them to Azure AD either with a SAML or OIDC sign-in request.
-
-3. Azure AD will authenticate the IT administrator and then send them back to your solution with either a SAML token or JWT in tow to be authorized within your solution
-
-### The IT administrator integrates applications with Azure AD using your solution
-
-The second leg of the IT administrator journey will be to integrate applications with Azure AD by using your solution. To do this, your solution will use Microsoft Graph to create application registrations and Azure AD Conditional Access policies.
-
-Here is a diagram and summary of this user authentication flow:
-
-![image diagram of the IT administrator being redirected by the solution to Azure AD to log in, then being redirected by Azure AD back to the solution with a SAML token or JWT, and finally the solution making a call to Microsoft Graph with the JWT](./media/secure-hybrid-access-integrations/registration-flow.png)
--
-1. The IT administrator wants to sign-in to your solution with their Azure AD credentials.
-
-2. Your solution will redirect them to Azure AD either with a SAML or OIDC sign-in request.
-
-3. Azure AD will authenticate the IT administrator and then send them back to your solution with either a SAML token or JWT for authorization within your solution.
-
-4. When an IT administrator wants to integrate one of their applications with Azure AD, rather than having to go to the Azure AD portal, your solution will call the Microsoft Graph with their existing JWT to register those applications or apply Azure AD Conditional Access policies to them.
-
-### End-users sign-in to the applications secured by your solution and Azure AD
-
-When end users need to sign into individual applications secured with your solution and Azure AD, they use either OIDC or SAML. If the applications need to interact with Microsoft Graph or any Azure AD protected API for some reason, its recommended that the individual applications you register with Microsoft Graph be configured to use OIDC. This will ensure that the JWT that they get from Azure AD to authenticate them into the applications can also be applied for interacting with Microsoft Graph. If there is no need for the individual applications to interact with Microsoft Graph or any Azure AD protected API, then SAML will suffice.
-
-Here is a diagram and summary of this user authentication flow:
-
-![image diagram of the end user being redirected by the solution to Azure AD to log in, then being redirected by Azure AD back to the solution with a SAML token or JWT, and finally the solution making a call to another application using the application's preferred authentication type](./media/secure-hybrid-access-integrations/end-user-flow.png)
-
-1. The end user wants to sign-in to an application secured by your solution and Azure AD.
-2. Your solution will redirect them to Azure AD either with a SAML or OIDC sign-in request.
-3. Azure AD will authenticate the end user and then send them back to your solution with either a SAML token or JWT for authorization within your solution.
-4. Once authorized against your solution, your solution will then allow the original request to the application to go through using the preferred protocol of the application.
-
-## Summary of Microsoft Graph APIs you will use
-
-Your solution will need to use these APIs. Azure AD will allow you to configure either the delegated permissions or the application permissions. For this solution, you only need delegated permissions.
-
-[Application Templates API](/graph/application-saml-sso-configure-api#retrieve-the-gallery-application-template-identifier/): If you're interested in searching the Azure AD app gallery, you can use this API to find a matching application template. **Permission required** : Application.Read.All.
-
-[Application Registration API](/graph/api/application-post-applications): You'll use this API to create either OIDC or SAML application registrations so end users can sign-in to the applications that the customers have secured with your solution. Doing this will enable these applications to also be secured with Azure AD. **Permissions required** : Application.Read.All, Application.ReadWrite.All
-
-[Service Principal API](/graph/api/serviceprincipal-update): After doing the app registration, you'll need to update the Service Principal Object to set some SSO properties. **Permissions required** : Application.ReadWrite.All, Directory.AccessAsUser.All, AppRoleAssignment.ReadWrite.All (for assignment)
-
-[Conditional Access API](/graph/api/resources/conditionalaccesspolicy): If you want to also apply Azure AD Conditional Access policies to these end-user applications, you can use this API to do so. **Permissions required** : Policy.Read.All, Policy.ReadWrite.ConditionalAccess, and Application.Read.All
-
-## Example Graph API scenarios
-
-This section provides a reference example for using Microsoft Graph APIs to implement application registrations, connect legacy applications, and enable conditional access policies via your solution. In addition, there is guidance on automating admin consent, getting the token signing certificate, and assigning users and groups. This functionality may be useful in your solution.
-
-### Use the Graph API to register apps with Azure AD
-
-#### Apps in the Azure AD app gallery
-
-Some of the applications your customer is using will already be available in the [Azure AD Application Gallery](https://azuremarketplace.microsoft.com/marketplace/apps). You can create a solution that programmatically adds these applications to the customer's tenant. The following is an example of using the Microsoft Graph API to search the Azure AD app gallery for a matching template and then registering the application in the customer's Azure AD tenant.
-
-Search the Azure AD app gallery for a matching application. When using the application templates API, the display name is case-sensitive.
-
-```http
-Authorization: Required with a valid Bearer token
-Method: Get
-
-https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayname eq "Salesforce.com"
-```
-
-If a match is found from the prior API call, capture the ID and then make this API call while providing a user-friendly display name for the application in the JSON body:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: POST
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applicationTemplates/cd3ed3de-93ee-400b-8b19-b61ef44a0f29/instantiate
-{
- "displayname": "Salesforce.com"
-}
-```
-
-When you make the above API call, we'll also generate a Service Principal object, which might take a few seconds. From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
-
-Next, you'll want to PATCH the Service Principal Object with the saml protocol and the appropriate login URL:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: servicePrincipal/json
-
-https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
-{
- "preferredSingleSignOnMode":"saml",
- "loginURL": "https://www.salesforce.com"
-}
-```
-
-And lastly, you'll want to patch the Application Object with the appropriate redirecturis and the identifieruris:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applications/54c4806b-b260-4a12-873c-967116983792
-{
- "web": {
- "redirectUris":["https://www.salesforce.com"]},
- "identifierUris":["https://www.salesforce.com"]
-}
-```
-
-#### Applications not in the Azure AD app gallery
-
-If you can't find a match in the Azure AD app gallery or you just want to integrate a custom application, then you have the option of registering a custom application in Azure AD using this template ID:
-
-**8adf8e6e-67b2-4cf2-a259-e3dc5476c621**
-
-And then make this API call while providing a user-friendly display name of the application in the JSON body:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: POST
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
-{
- "displayname": "Custom SAML App"
-}
-```
-
-When you make the above API call, we'll also generate a Service Principal object, which might take a few seconds. From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
-
-Next, you'll want to PATCH the Service Principal Object with the saml protocol and the appropriate login URL:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: servicePrincipal/json
-
-https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
-{
- "preferredSingleSignOnMode":"saml",
- "loginURL": "https://www.samlapp.com"
-}
-```
-
-And lastly, you'll want to patch the Application Object with the appropriate redirecturis and the identifieruris:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applications/54c4806b-b260-4a12-873c-967116983792
-{
- "web": {
- "redirectUris":["https://www.samlapp.com"]},
- "identifierUris":["https://www.samlapp.com"]
-}
-```
-
-#### Cut over to Azure AD single sign-on
-
-Once you have these SaaS applications registered inside Azure AD, the applications still need to be cut over to start us Azure AD as their identity provider. There are two ways to do this:
-
-1. If the applications support one-click SSO, then Azure AD can cut over the application for the customer. They just need to go into the Azure AD portal and perform the one-click SSO with the administrative credentials for the supported SaaS application. You can read about this in [one-click, SSO configuration of your Azure Marketplace application](/azure/active-directory/manage-apps/one-click-sso-tutorial/).
-2. If the application doesn't support one-click SSO, then the customer will need to manually cutover the application to start using Azure AD. You can learn more in the [SaaS App Integration Tutorials for use with Azure AD](/azure/active-directory/saas-apps/tutorial-list/).
-
-### Connect apps using legacy authentication methods to Azure AD
-
-This is where your solution can sit in between Azure AD and the application and enable the customer to get the benefits of Single-Sign On and other Azure Active Directory features even for applications that are not supported. To do so, your application will call Azure AD to authenticate the user and apply Azure AD Conditional Access policies before they can access these applications with legacy protocols.
-
-You can enable customers to do this integration directly from your console so that the discovery and integration is a seamless end-to-end experience. This will involve your platform creating either a SAML or OIDC application registration between your platform and Azure AD.
-
-#### Create a SAML application registration
-
-Use the custom application template ID for this:
-
-**8adf8e6e-67b2-4cf2-a259-e3dc5476c621**
-
-And then make this API call while providing a user-friendly display name in the JSON body:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: POST
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
-{
- "displayname": "Custom SAML App"
-}
-```
-
-When you make the above API call, we'll also generate a Service Principal object, which might take a few seconds. From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
-
-Next, you'll want to PATCH the Service Principal Object with the saml protocol and the appropriate login URL:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: servicePrincipal/json
-
-https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
-{
- "preferredSingleSignOnMode":"saml",
- "loginURL": "https://www.samlapp.com"
-}
-```
-
-And lastly, you'll want to PATCH the Application Object with the appropriate redirecturis and the identifieruris:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applications/54c4806b-b260-4a12-873c-967116983792
-{
- "web": {
- "redirectUris":["https://www.samlapp.com"]},
- "identifierUris":["https://www.samlapp.com"]
-}
-```
-
-#### Create an OIDC application registration
-
-You should use the custom application template ID for this:
-
-**8adf8e6e-67b2-4cf2-a259-e3dc5476c621**
-
-And then make this API call while providing a user-friendly display name in the JSON body:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: POST
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
-{
- "displayname": "Custom OIDC App"
-}
-```
-
-From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/applications/{Application Object ID}
-{
- "web": {
- "redirectUris":["https://www.samlapp.com"]},
- "identifierUris":["[https://www.samlapp.com"],
- "requiredResourceAccess": [
- {
- "resourceAppId": "00000003-0000-0000-c000-000000000000",
- "resourceAccess": [
- {
- "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
- "type": "Scope"
- },
- {
- "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
- "type": "Scope"
- },
- {
- "id": "37f7f235-527c-4136-accd-4a02d197296e",
- "type": "Scope"
- }]
- }]
-}
-```
-
-> [!NOTE]
-> The API Permissions listed above within the resourceAccess node will grant the application access to OpenID, User.Read, and offline_access, which should be enough to get the user signed in to your solution. You can find more information on permissions on the [permissions reference page](/graph/permissions-reference/).
-
-### Apply conditional access policies
-
-We want to empower customers and partners to also use the Microsoft Graph API to create or apply Conditional Access policies to customer's applications. For partners, this can provide additional value so the customer can apply these policies directly from your solution without having to go to the Azure AD portal. You have two options when applying Azure AD Conditional Access Policies:
--- You can assign the application to an existing Conditional Access Policy-- You can create a new Conditional Access policy and assign the application to that new policy-
-#### An existing conditional access policy
-
-First, you'll want to query to get a list of all Conditional Access Policies and grab the Object ID of the policy you want to modify:
-
-```https
-Authorization: Required with a valid Bearer token
-Method:GET
-
-https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
-```
-
-Next, you'll want to Patch the policy by including the Application Object ID to be in scope of the includeApplications within the JSON body:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-
-https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyid}
-{
- "displayName":"Existing CA Policy",
- "state":"enabled",
- "conditions":
- {
- "applications":
- {
- "includeApplications":[
- "00000003-0000-0ff1-ce00-000000000000",
- "{Application Object ID}"
- ]
- },
- "users": {
- "includeUsers":[
- "All"
- ]
- }
- },
- "grantControls":
- {
- "operator":"OR",
- "builtInControls":[
- "mfa"
- ]
- }
-}
-```
-
-#### Create a new Azure AD conditional access policy
-
-You'll want to add the Application Object ID to be in scope of the includeApplications within the JSON body:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: POST
-
-https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/
-{
- "displayName":"New CA Policy",
- "state":"enabled",
- "conditions":
- {
- "applications": {
- "includeApplications":[
- "{Application Object ID}"
- ]
- },
- "users": {
- "includeUsers":[
- "All"
- ]
- }
- },
- "grantControls": {
- "operator":"OR",
- "builtInControls":[
- "mfa"
- ]
- }
-}
-```
-
-If you're interested in creating new Azure AD Conditional Access Policies, here are some additional templates that can help get you started using the [Conditional Access API](/azure/active-directory/conditional-access/howto-conditional-access-apis/).
-
-```https
-#Policy Template for Requiring Compliant Device
-
-{
- "displayName":"Enforce Compliant Device",
- "state":"enabled",
- "conditions": {
- "applications": {
- "includeApplications":[
- "{Application Object ID}"
- ]
- },
- "users": {
- "includeUsers":[
- "All"
- ]
- }
- },
- "grantControls": {
- "operator":"OR",
- "builtInControls":[
- "compliantDevice",
- "domainJoinedDevice"
- ]
- }
-}
-
-#Policy Template for Block
-
-{
- "displayName":"Block",
- "state":"enabled",
- "conditions": {
- "applications": {
- "includeApplications":[
- "{Application Object ID}"
- ]
- },
- "users": {
- "includeUsers":[
- "All"
- ]
- }
- },
- "grantControls": {
- "operator":"OR",
- "builtInControls":[
- "block"
- ]
- }
-}
-```
-
-### Automate admin consent
-
-If the customer is onboarding numerous applications from your platform to Azure AD, you'll likely want to automate admin consent for them so they don't have to manually consent to lots of applications. This can also be done via Microsoft Graph. You'll need both the Service Principal Object ID of the application you created in previous API calls and the Service Principal Object ID of Microsoft Graph from the customer's tenant.
-
-You can get the Service Principal Object ID of Microsoft Graph by making this API call:
-
-```https
-Authorization: Required with a valid Bearer token
-Method:GET
-
-https://graph.microsoft.com/v1.0/serviceprincipals/?$filter=appid eq '00000003-0000-0000-c000-000000000000'&$select=id,appDisplayName
-```
-
-Then when you're ready to automate admin consent, you can make this API call:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: POST
-Content-type: application/json
-
-https://graph.microsoft.com/v1.0/oauth2PermissionGrants
-{
- "clientId":"{Service Principal Object ID of Application}",
- "consentType":"AllPrincipals",
- "principalId":null,
- "resourceId":"{Service Principal Object ID Of MicrosofT Graph}",
- "scope":"openid user.read offline_access}"
-}
-```
-
-### Get the token signing certificate
-
-To get the public portion of the token signing certificate for all these applications, you can GET it from the Azure AD metadata endpoint for the application:
-
-```https
-Method:GET
-
-https://login.microsoftonline.com/{Tenant_ID}/federationmetadata/2007-06/federationmetadata.xml?appid={Application_ID}
-```
-
-### Assign users and groups
-
-Once you've published the applications to Azure AD, you can optionally assign it to users and groups to ensure it shows up on the [MyApplications](/azure/active-directory/user-help/my-applications-portal-workspaces/) portal. This assignment is stored on the Service Principal Object that was generated when you created the application:
-
-First you'll want to get any AppRoles that the application may have associated with it. It's common for SaaS applications to have various AppRoles associated with them. For custom applications, there is typically just the one default AppRole. Grab the ID of the AppRole you want to assign:
-
-```https
-Authorization: Required with a valid Bearer token
-Method:GET
-
-https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
-```
-
-Next, you'll want to get the Object ID of the user or group from Azure AD that you'll want to assign to the application. Also take the App Role ID from the previous API call and submit it as part of the PATCH body on the Service Principal:
-
-```https
-Authorization: Required with a valid Bearer token
-Method: PATCH
-Content-type: servicePrincipal/json
-
-https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
-{
- "principalId":"{Principal Object ID of User -or- Group}",
- "resourceId":"{Service Principal Object ID}",
- "appRoleId":"{App Role ID}"
-}
-```
-
-## Existing partners
-
-Microsoft has existing partnerships with these third-party providers to protect legacy applications while using existing networking and delivery controllers.
-
-| **ADC provider** | **Link** |
-| | |
-| Akamai Enterprise Application Access (EAA) | [https://docs.microsoft.com/azure/active-directory/saas-apps/akamai-tutorial](/azure/active-directory/saas-apps/akamai-tutorial) |
-| Citrix Application Delivery Controller (ADC) | [https://docs.microsoft.com/azure/active-directory/saas-apps/citrix-netscaler-tutorial](/azure/active-directory/saas-apps/citrix-netscaler-tutorial) |
-| F5 Big-IP APM | [https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-integration](/azure/active-directory/manage-apps/f5-aad-integration) |
-| Kemp | [https://docs.microsoft.com/azure/active-directory/saas-apps/kemp-tutorial](/azure/active-directory/saas-apps/kemp-tutorial) |
-| Pulse Secure Virtual Traffic Manager (VTM) | [https://docs.microsoft.com/azure/active-directory/saas-apps/pulse-secure-virtual-traffic-manager-tutorial](/azure/active-directory/saas-apps/pulse-secure-virtual-traffic-manager-tutorial) |
-
-The following VPN solution providers connect with Azure AD to enable modern authentication and authorization methods like SSO and multi-factor authentication.
-
-| **VPN vendor** | **Link** |
-| | |
-| Cisco AnyConnect | [https://docs.microsoft.com/azure/active-directory/saas-apps/cisco-anyconnect](/azure/active-directory/saas-apps/cisco-anyconnect) |
-| Fortinet | [https://docs.microsoft.com/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial](/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial) |
-| F5 Big-IP APM | [https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-password-less-vpn](/azure/active-directory/manage-apps/f5-aad-password-less-vpn) |
-| Palo Alto Networks Global Protect | [https://docs.microsoft.com/azure/active-directory/saas-apps/paloaltoadmin-tutorial](/azure/active-directory/saas-apps/paloaltoadmin-tutorial) |
-| Pulse Secure Pulse Connect Secure (PCS) | [https://docs.microsoft.com/azure/active-directory/saas-apps/pulse-secure-pcs-tutorial](/azure/active-directory/saas-apps/pulse-secure-pcs-tutorial) |
-
-The following SDP solution providers connect with Azure AD to enable modern authentication and authorization methods like SSO and multi-factor authentication.
-
-| **SDP vendor** | **Link** |
-| | |
-| Datawiza Access Broker | [https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso](/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso) |
-| Perimeter 81 | [https://docs.microsoft.com/azure/active-directory/saas-apps/perimeter-81-tutorial](/azure/active-directory/saas-apps/perimeter-81-tutorial) |
-| Silverfort Authentication Platform | [https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso](/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso) |
-| Strata | [https://docs.microsoft.com/azure/active-directory/saas-apps/maverics-identity-orchestrator-saml-connector-tutorial](/azure/active-directory/saas-apps/maverics-identity-orchestrator-saml-connector-tutorial) |
-| Zscaler Private Access (ZPA) | [https://docs.microsoft.com/azure/active-directory/saas-apps/zscalerprivateaccess-tutorial](/azure/active-directory/saas-apps/zscalerprivateaccess-tutorial) |
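Review bot: The removed region drops whole sections (Apply conditional access policies, Automate admin consent, Get the token signing certificate, Assign users and groups, Existing partners) that the added region visible below does not restore, so confirm they are re-added further down the new file. When they are, carry over fixes for defects visible in the old text: the stray brace in `"scope":"openid user.read offline_access}"` under "Automate admin consent" makes the grant request fail; the two options under "Apply conditional access policies" collapsed into one line (`-- You can assign the application to an existing Conditional Access Policy-- You can create ...`) and need to become a two-item list; and `Content-type: servicePrincipal/json` on the assign-users PATCH is not a registered media type (`application/json` is). In that same "Assign users and groups" step the body is an appRoleAssignment, so the text should point at the appRoleAssignment endpoint on the service principal (`POST /servicePrincipals/{id}/appRoleAssignedTo`) rather than a PATCH of the servicePrincipal object itself, which does not accept `principalId`/`appRoleId`.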
+
+ Title: Secure hybrid access with Azure AD partner integration
+description: Help customers discover and migrate SaaS applications into Azure AD and connect apps that use legacy authentication methods with Azure AD.
+++++++ Last updated : 04/20/2021++++
+# Secure hybrid access with Azure Active Directory partner integrations
+
+Azure Active Directory (Azure AD) supports modern authentication protocols that keep applications secure in a highly connected, cloud-based world. However, many business applications were created to work in a protected corporate network, and some of these applications use legacy authentication methods. As companies look to build a Zero Trust strategy and support hybrid and cloud-first work environments, they need solutions that connect apps to Azure AD and provide modern authentication solutions for legacy applications.
+
+Azure AD natively supports modern protocols like SAML, WS-Fed, and OIDC. Azure AD's App Proxy supports Kerberos and header-based authentication. Other protocols like SSH, NTLM, LDAP, Cookies, aren't yet supported, but ISVs can create solutions to connect these applications with Azure AD to support customers on their journey to Zero Trust.
+
+ISVs have the opportunity to help customers discover and migrate SaaS applications into Azure AD. They can also connect apps that use legacy authentication methods with Azure AD. This will help customers consolidate onto a single platform (Azure AD) to simplify their app management and enable them to implement Zero Trust principles. Supporting apps using legacy authentication makes their users more secure. This solution can be a great stop-gap until the customer modernizes their apps to support modern authentication protocols.
+
+## Solution overview
+
+The solution you build can include the following parts:
+
+1. **App discovery**. Often, customers aren't aware of all the applications they're using. So as a first step you can build application discovery capabilities into your solution and surface discovered applications in the user interface. This enables the customer to prioritize how they want to approach integrating their applications with Azure AD.
+2. **App migration**. Next you can create an in-product workflow where the customer can directly integrate apps with Azure AD without having to go to the Azure AD portal. If you don't implement discovery capabilities in your solution you can start your solution here, integrating the applications customers do know about with Azure AD.
+3. **Legacy authentication support**. You can connect apps using legacy authentication methods to Azure AD so that they get the benefits of single sign-on (SSO) and other features.
+4. **Conditional access**. As an additional feature, you can enable customers to apply Azure AD [Conditional Access](/azure/active-directory/conditional-access/overview/) policies to the applications from within your solution without having to go the Azure AD portal.
+
+The rest of this guide explains the technical considerations and our recommendations for implementing a solution.
+
+## Publish your application to the Azure AD app gallery
+
+You can pre-integrate your application with Azure AD to support SSO and automated provisioning by following the process to [publish it in the Azure AD app gallery](/azure/active-directory/develop/v2-howto-app-gallery-listing/). The Azure AD app gallery is a trusted source of Azure AD compatible applications for IT admins. Applications listed there have been validated to be compatible with Azure AD. They support SSO, automate user provisioning, and can easily integrate into customer tenants with automated app registration.
+
+In addition, we recommend that you become a [verified publisher](/azure/active-directory/develop/publisher-verification-overview/) so that customers know you are the trusted publisher of the app.
+
+## Enable IT admin single sign-on
+
+You'll want to [choose either OIDC or SAML](/azure/active-directory/manage-apps/sso-options#choosing-a-single-sign-on-method/) to enable SSO for IT administrators to your solution.
+
+The best option is to use OIDC. Microsoft Graph uses [OIDC/OAuth](/azure/active-directory/develop/v2-protocols-oidc/). This means that if your solution uses OIDC with Azure AD for IT administrator SSO, then your customers will have a seamless end-to-end experience. They'll use OIDC to sign in to your solution and that same JSON Web Token (JWT) that was issued by Azure AD can then be used to interact with Microsoft Graph.
+
+If your solution is instead using [SAML](/azure/active-directory/manage-apps/configure-saml-single-sign-on/) for IT administrator SSO, the SAML token won't enable your solution to interact with Microsoft Graph. You can still use SAML for IT administrator SSO but your solution needs to support OIDC integration with Azure AD so it can get a JWT from Azure AD to properly interact with Microsoft Graph. You can use one of the following approaches:
+
+Recommended SAML Approach: Create a new registration in the Azure AD app gallery, which is [an OIDC app](/azure/active-directory/saas-apps/openidoauth-tutorial/). This provides the most seamless experience for your customer. They'll add both the SAML and OIDC apps to their tenant. If your application isn't in the Azure AD gallery today, you can start with a non-gallery [multi-tenant application](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant/).
+
+Alternate SAML Approach: Your customer can manually [create an OIDC application registration](/azure/active-directory/saas-apps/openidoauth-tutorial/) in their Azure AD tenant and ensure they set the right URI's, endpoints, and permissions specified later in this document.
+
+You'll would want to use the [client_credentials grant type](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token/), which will require that your solution allows the customer to input a client_ID and secret into your user interface, and that you store this information. Get a JWT from Azure AD, which you can then use to interact with Microsoft Graph.
+
+If you choose this route, you should have ready-made documentation for your customer about how to create this application registration within their Azure AD tenant including the endpoints, URI's, and permissions required.
+
+> [!NOTE]
+> Before any applications can be used for either IT administrator or end-user sign-on, the customer's IT administrator will need to [consent to the application in their tenant](/azure/active-directory/manage-apps/grant-admin-consent/).
+
+## Authentication flows
+
+The solution will include three key authentication flows that support the following scenarios:
+
+1. The customer's IT administrator signs in with SSO to administer your solution.
+
+2. The customer's IT administrator uses your solution to integrate applications with Azure AD via Microsoft Graph.
+
+3. End-users sign into legacy applications secured by your solution and Azure AD.
+
+### Your customer's IT administrator does single sign-on to your solution
+
+Your solution can use either SAML or OIDC for SSO when the customer's IT administrator signs in. Either way, its recommended that the IT administrator can sign in to your solution using their Azure AD credentials, which enables them a seamless experience and allows them to use the existing security controls they already have in place. Your solution should be integrated with Azure AD for SSO using either SAML or OIDC.
+
+![image diagram of the IT administrator being redirected by the solution to Azure AD to log in, and then being redirected by Azure AD back to the solution with a SAML token or JWT](./media/secure-hybrid-access-integrations/admin-flow.png)
+
+1. The IT administrator wants to sign-in to your solution with their Azure AD credentials.
+
+2. Your solution will redirect them to Azure AD either with a SAML or OIDC sign-in request.
+
+3. Azure AD will authenticate the IT administrator and then send them back to your solution with either a SAML token or JWT in tow to be authorized within your solution
+
+### The IT administrator integrates applications with Azure AD using your solution
+
+The second leg of the IT administrator journey will be to integrate applications with Azure AD by using your solution. To do this, your solution will use Microsoft Graph to create application registrations and Azure AD Conditional Access policies.
+
+Here is a diagram and summary of this user authentication flow:
+
+![image diagram of the IT administrator being redirected by the solution to Azure AD to log in, then being redirected by Azure AD back to the solution with a SAML token or JWT, and finally the solution making a call to Microsoft Graph with the JWT](./media/secure-hybrid-access-integrations/registration-flow.png)
++
+1. The IT administrator wants to sign-in to your solution with their Azure AD credentials.
+
+2. Your solution will redirect them to Azure AD either with a SAML or OIDC sign-in request.
+
+3. Azure AD will authenticate the IT administrator and then send them back to your solution with either a SAML token or JWT for authorization within your solution.
+
+4. When an IT administrator wants to integrate one of their applications with Azure AD, rather than having to go to the Azure AD portal, your solution will call the Microsoft Graph with their existing JWT to register those applications or apply Azure AD Conditional Access policies to them.
+
+### End-users sign-in to the applications secured by your solution and Azure AD
+
+When end users need to sign into individual applications secured with your solution and Azure AD, they use either OIDC or SAML. If the applications need to interact with Microsoft Graph or any Azure AD protected API for some reason, its recommended that the individual applications you register with Microsoft Graph be configured to use OIDC. This will ensure that the JWT that they get from Azure AD to authenticate them into the applications can also be applied for interacting with Microsoft Graph. If there is no need for the individual applications to interact with Microsoft Graph or any Azure AD protected API, then SAML will suffice.
+
+Here is a diagram and summary of this user authentication flow:
+
+![image diagram of the end user being redirected by the solution to Azure AD to log in, then being redirected by Azure AD back to the solution with a SAML token or JWT, and finally the solution making a call to another application using the application's preferred authentication type](./media/secure-hybrid-access-integrations/end-user-flow.png)
+
+1. The end user wants to sign-in to an application secured by your solution and Azure AD.
+2. Your solution will redirect them to Azure AD either with a SAML or OIDC sign-in request.
+3. Azure AD will authenticate the end user and then send them back to your solution with either a SAML token or JWT for authorization within your solution.
+4. Once authorized against your solution, your solution will then allow the original request to the application to go through using the preferred protocol of the application.
+
+## Summary of Microsoft Graph APIs you will use
+
+Your solution will need to use these APIs. Azure AD will allow you to configure either the delegated permissions or the application permissions. For this solution, you only need delegated permissions.
+
+[Application Templates API](/graph/application-saml-sso-configure-api#retrieve-the-gallery-application-template-identifier/): If you're interested in searching the Azure AD app gallery, you can use this API to find a matching application template. **Permission required** : Application.Read.All.
+
+[Application Registration API](/graph/api/application-post-applications): You'll use this API to create either OIDC or SAML application registrations so end users can sign-in to the applications that the customers have secured with your solution. Doing this will enable these applications to also be secured with Azure AD. **Permissions required** : Application.Read.All, Application.ReadWrite.All
+
+[Service Principal API](/graph/api/serviceprincipal-update): After doing the app registration, you'll need to update the Service Principal Object to set some SSO properties. **Permissions required** : Application.ReadWrite.All, Directory.AccessAsUser.All, AppRoleAssignment.ReadWrite.All (for assignment)
+
+[Conditional Access API](/graph/api/resources/conditionalaccesspolicy): If you want to also apply Azure AD Conditional Access policies to these end-user applications, you can use this API to do so. **Permissions required** : Policy.Read.All, Policy.ReadWrite.ConditionalAccess, and Application.Read.All
+
+## Example Graph API scenarios
+
+This section provides a reference example for using Microsoft Graph APIs to implement application registrations, connect legacy applications, and enable conditional access policies via your solution. In addition, there is guidance on automating admin consent, getting the token signing certificate, and assigning users and groups. This functionality may be useful in your solution.
+
+### Use the Graph API to register apps with Azure AD
+
+#### Apps in the Azure AD app gallery
+
+Some of the applications your customer is using will already be available in the [Azure AD Application Gallery](https://azuremarketplace.microsoft.com/marketplace/apps). You can create a solution that programmatically adds these applications to the customer's tenant. The following is an example of using the Microsoft Graph API to search the Azure AD app gallery for a matching template and then registering the application in the customer's Azure AD tenant.
+
+Search the Azure AD app gallery for a matching application. When using the application templates API, the display name is case-sensitive.
+
+```http
+Authorization: Required with a valid Bearer token
+Method: Get
+
+https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayname eq "Salesforce.com"
+```
+
+If a match is found from the prior API call, capture the ID and then make this API call while providing a user-friendly display name for the application in the JSON body:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: POST
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applicationTemplates/cd3ed3de-93ee-400b-8b19-b61ef44a0f29/instantiate
+{
+ "displayname": "Salesforce.com"
+}
+```
+
+When you make the above API call, we'll also generate a Service Principal object, which might take a few seconds. From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
+
+Next, you'll want to PATCH the Service Principal Object with the saml protocol and the appropriate login URL:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: servicePrincipal/json
+
+https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
+{
+ "preferredSingleSignOnMode":"saml",
+ "loginURL": "https://www.salesforce.com"
+}
+```
+
+And lastly, you'll want to patch the Application Object with the appropriate redirecturis and the identifieruris:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applications/54c4806b-b260-4a12-873c-967116983792
+{
+ "web": {
+ "redirectUris":["https://www.salesforce.com"]},
+ "identifierUris":["https://www.salesforce.com"]
+}
+```
+
+#### Applications not in the Azure AD app gallery
+
+If you can't find a match in the Azure AD app gallery or you just want to integrate a custom application, then you have the option of registering a custom application in Azure AD using this template ID:
+
+**8adf8e6e-67b2-4cf2-a259-e3dc5476c621**
+
+And then make this API call while providing a user-friendly display name of the application in the JSON body:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: POST
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
+{
+ "displayname": "Custom SAML App"
+}
+```
+
+When you make the above API call, we'll also generate a Service Principal object, which might take a few seconds. From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
+
+Next, you'll want to PATCH the Service Principal Object with the saml protocol and the appropriate login URL:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: servicePrincipal/json
+
+https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
+{
+ "preferredSingleSignOnMode":"saml",
+ "loginURL": "https://www.samlapp.com"
+}
+```
+
+And lastly, you'll want to patch the Application Object with the appropriate redirecturis and the identifieruris:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applications/54c4806b-b260-4a12-873c-967116983792
+{
+ "web": {
+ "redirectUris":["https://www.samlapp.com"]},
+ "identifierUris":["https://www.samlapp.com"]
+}
+```
+
+#### Cut over to Azure AD single sign-on
+
+Once you have these SaaS applications registered inside Azure AD, the applications still need to be cut over to start us Azure AD as their identity provider. There are two ways to do this:
+
+1. If the applications support one-click SSO, then Azure AD can cut over the application for the customer. They just need to go into the Azure AD portal and perform the one-click SSO with the administrative credentials for the supported SaaS application. You can read about this in [one-click, SSO configuration of your Azure Marketplace application](/azure/active-directory/manage-apps/one-click-sso-tutorial/).
+2. If the application doesn't support one-click SSO, then the customer will need to manually cutover the application to start using Azure AD. You can learn more in the [SaaS App Integration Tutorials for use with Azure AD](/azure/active-directory/saas-apps/tutorial-list/).
+
+### Connect apps using legacy authentication methods to Azure AD
+
+This is where your solution can sit in between Azure AD and the application and enable the customer to get the benefits of Single-Sign On and other Azure Active Directory features even for applications that are not supported. To do so, your application will call Azure AD to authenticate the user and apply Azure AD Conditional Access policies before they can access these applications with legacy protocols.
+
+You can enable customers to do this integration directly from your console so that the discovery and integration is a seamless end-to-end experience. This will involve your platform creating either a SAML or OIDC application registration between your platform and Azure AD.
+
+#### Create a SAML application registration
+
+Use the custom application template ID for this:
+
+**8adf8e6e-67b2-4cf2-a259-e3dc5476c621**
+
+And then make this API call while providing a user-friendly display name in the JSON body:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: POST
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
+{
+ "displayname": "Custom SAML App"
+}
+```
+
+When you make the above API call, we'll also generate a Service Principal object, which might take a few seconds. From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
+
+Next, you'll want to PATCH the Service Principal Object with the saml protocol and the appropriate login URL:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: servicePrincipal/json
+
+https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
+{
+ "preferredSingleSignOnMode":"saml",
+ "loginURL": "https://www.samlapp.com"
+}
+```
+
+And lastly, you'll want to PATCH the Application Object with the appropriate redirecturis and the identifieruris:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applications/54c4806b-b260-4a12-873c-967116983792
+{
+ "web": {
+ "redirectUris":["https://www.samlapp.com"]},
+ "identifierUris":["https://www.samlapp.com"]
+}
+```
+
+#### Create an OIDC application registration
+
+You should use the custom application template ID for this:
+
+**8adf8e6e-67b2-4cf2-a259-e3dc5476c621**
+
+And then make this API call while providing a user-friendly display name in the JSON body:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: POST
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
+{
+ "displayname": "Custom OIDC App"
+}
+```
+
+From the previous API call, you'll want to capture the Application ID and the Service Principal ID, which you'll use in the next API calls.
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/applications/{Application Object ID}
+{
+ "web": {
+ "redirectUris":["https://www.samlapp.com"]},
+ "identifierUris":["[https://www.samlapp.com"],
+ "requiredResourceAccess": [
+ {
+ "resourceAppId": "00000003-0000-0000-c000-000000000000",
+ "resourceAccess": [
+ {
+ "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
+ "type": "Scope"
+ },
+ {
+ "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
+ "type": "Scope"
+ },
+ {
+ "id": "37f7f235-527c-4136-accd-4a02d197296e",
+ "type": "Scope"
+ }]
+ }]
+}
+```
+
+> [!NOTE]
+> The API Permissions listed above within the resourceAccess node will grant the application access to OpenID, User.Read, and offline_access, which should be enough to get the user signed in to your solution. You can find more information on permissions on the [permissions reference page](/graph/permissions-reference/).
+
+### Apply conditional access policies
+
+We want to empower customers and partners to also use the Microsoft Graph API to create or apply Conditional Access policies to customer's applications. For partners, this can provide additional value so the customer can apply these policies directly from your solution without having to go to the Azure AD portal. You have two options when applying Azure AD Conditional Access Policies:
+
+- You can assign the application to an existing Conditional Access Policy
+- You can create a new Conditional Access policy and assign the application to that new policy
+
+#### An existing conditional access policy
+
+First, you'll want to query to get a list of all Conditional Access Policies and grab the Object ID of the policy you want to modify:
+
+```https
+Authorization: Required with a valid Bearer token
+Method:GET
+
+https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
+```
+
+Next, you'll want to Patch the policy by including the Application Object ID to be in scope of the includeApplications within the JSON body:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+
+https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyid}
+{
+ "displayName":"Existing CA Policy",
+ "state":"enabled",
+ "conditions":
+ {
+ "applications":
+ {
+ "includeApplications":[
+ "00000003-0000-0ff1-ce00-000000000000",
+ "{Application Object ID}"
+ ]
+ },
+ "users": {
+ "includeUsers":[
+ "All"
+ ]
+ }
+ },
+ "grantControls":
+ {
+ "operator":"OR",
+ "builtInControls":[
+ "mfa"
+ ]
+ }
+}
+```
+
+#### Create a new Azure AD conditional access policy
+
+You'll want to add the Application Object ID to be in scope of the includeApplications within the JSON body:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: POST
+
+https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/
+{
+ "displayName":"New CA Policy",
+ "state":"enabled",
+ "conditions":
+ {
+ "applications": {
+ "includeApplications":[
+ "{Application Object ID}"
+ ]
+ },
+ "users": {
+ "includeUsers":[
+ "All"
+ ]
+ }
+ },
+ "grantControls": {
+ "operator":"OR",
+ "builtInControls":[
+ "mfa"
+ ]
+ }
+}
+```
+
+If you're interested in creating new Azure AD Conditional Access Policies, here are some additional templates that can help get you started using the [Conditional Access API](/azure/active-directory/conditional-access/howto-conditional-access-apis/).
+
+```https
+#Policy Template for Requiring Compliant Device
+
+{
+ "displayName":"Enforce Compliant Device",
+ "state":"enabled",
+ "conditions": {
+ "applications": {
+ "includeApplications":[
+ "{Application Object ID}"
+ ]
+ },
+ "users": {
+ "includeUsers":[
+ "All"
+ ]
+ }
+ },
+ "grantControls": {
+ "operator":"OR",
+ "builtInControls":[
+ "compliantDevice",
+ "domainJoinedDevice"
+ ]
+ }
+}
+
+#Policy Template for Block
+
+{
+ "displayName":"Block",
+ "state":"enabled",
+ "conditions": {
+ "applications": {
+ "includeApplications":[
+ "{Application Object ID}"
+ ]
+ },
+ "users": {
+ "includeUsers":[
+ "All"
+ ]
+ }
+ },
+ "grantControls": {
+ "operator":"OR",
+ "builtInControls":[
+ "block"
+ ]
+ }
+}
+```
+
+### Automate admin consent
+
+If the customer is onboarding numerous applications from your platform to Azure AD, you'll likely want to automate admin consent for them so they don't have to manually consent to lots of applications. This can also be done via Microsoft Graph. You'll need both the Service Principal Object ID of the application you created in previous API calls and the Service Principal Object ID of Microsoft Graph from the customer's tenant.
+
+You can get the Service Principal Object ID of Microsoft Graph by making this API call:
+
+```https
+Authorization: Required with a valid Bearer token
+Method:GET
+
+https://graph.microsoft.com/v1.0/serviceprincipals/?$filter=appid eq '00000003-0000-0000-c000-000000000000'&$select=id,appDisplayName
+```
+
+Then when you're ready to automate admin consent, you can make this API call:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: POST
+Content-type: application/json
+
+https://graph.microsoft.com/v1.0/oauth2PermissionGrants
+{
+ "clientId":"{Service Principal Object ID of Application}",
+ "consentType":"AllPrincipals",
+ "principalId":null,
+ "resourceId":"{Service Principal Object ID Of MicrosofT Graph}",
+ "scope":"openid user.read offline_access}"
+}
+```
+
+### Get the token signing certificate
+
+To get the public portion of the token signing certificate for all these applications, you can GET it from the Azure AD metadata endpoint for the application:
+
+```https
+Method:GET
+
+https://login.microsoftonline.com/{Tenant_ID}/federationmetadata/2007-06/federationmetadata.xml?appid={Application_ID}
+```
+
+### Assign users and groups
+
+Once you've published the applications to Azure AD, you can optionally assign it to users and groups to ensure it shows up on the [MyApplications](/azure/active-directory/user-help/my-applications-portal-workspaces/) portal. This assignment is stored on the Service Principal Object that was generated when you created the application:
+
+First you'll want to get any AppRoles that the application may have associated with it. It's common for SaaS applications to have various AppRoles associated with them. For custom applications, there is typically just the one default AppRole. Grab the ID of the AppRole you want to assign:
+
+```https
+Authorization: Required with a valid Bearer token
+Method:GET
+
+https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
+```
+
+Next, you'll want to get the Object ID of the user or group from Azure AD that you'll want to assign to the application. Also take the App Role ID from the previous API call and submit it as part of the PATCH body on the Service Principal:
+
+```https
+Authorization: Required with a valid Bearer token
+Method: PATCH
+Content-type: servicePrincipal/json
+
+https://graph.microsoft.com/v1.0/servicePrincipals/3161ab85-8f57-4ae0-82d3-7a1f71680b27
+{
+ "principalId":"{Principal Object ID of User -or- Group}",
+ "resourceId":"{Service Principal Object ID}",
+ "appRoleId":"{App Role ID}"
+}
+```
+
+## Existing partners
+
+Microsoft has existing partnerships with these third-party providers to protect legacy applications while using existing networking and delivery controllers.
+
+| **ADC provider** | **Link** |
+| | |
+| Akamai Enterprise Application Access (EAA) | [https://docs.microsoft.com/azure/active-directory/saas-apps/akamai-tutorial](/azure/active-directory/saas-apps/akamai-tutorial) |
+| Citrix Application Delivery Controller (ADC) | [https://docs.microsoft.com/azure/active-directory/saas-apps/citrix-netscaler-tutorial](/azure/active-directory/saas-apps/citrix-netscaler-tutorial) |
+| F5 Big-IP APM | [https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-integration](/azure/active-directory/manage-apps/f5-aad-integration) |
+| Kemp | [https://docs.microsoft.com/azure/active-directory/saas-apps/kemp-tutorial](/azure/active-directory/saas-apps/kemp-tutorial) |
+| Pulse Secure Virtual Traffic Manager (VTM) | [https://docs.microsoft.com/azure/active-directory/saas-apps/pulse-secure-virtual-traffic-manager-tutorial](/azure/active-directory/saas-apps/pulse-secure-virtual-traffic-manager-tutorial) |
+
+The following VPN solution providers connect with Azure AD to enable modern authentication and authorization methods like SSO and multi-factor authentication.
+
+| **VPN vendor** | **Link** |
+| | |
+| Cisco AnyConnect | [https://docs.microsoft.com/azure/active-directory/saas-apps/cisco-anyconnect](/azure/active-directory/saas-apps/cisco-anyconnect) |
+| Fortinet | [https://docs.microsoft.com/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial](/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial) |
+| F5 Big-IP APM | [https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-password-less-vpn](/azure/active-directory/manage-apps/f5-aad-password-less-vpn) |
+| Palo Alto Networks Global Protect | [https://docs.microsoft.com/azure/active-directory/saas-apps/paloaltoadmin-tutorial](/azure/active-directory/saas-apps/paloaltoadmin-tutorial) |
+| Pulse Secure Pulse Connect Secure (PCS) | [https://docs.microsoft.com/azure/active-directory/saas-apps/pulse-secure-pcs-tutorial](/azure/active-directory/saas-apps/pulse-secure-pcs-tutorial) |
+
+The following SDP solution providers connect with Azure AD to enable modern authentication and authorization methods like SSO and multi-factor authentication.
+
+| **SDP vendor** | **Link** |
+| | |
+| Datawiza Access Broker | [https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso](/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso) |
+| Perimeter 81 | [https://docs.microsoft.com/azure/active-directory/saas-apps/perimeter-81-tutorial](/azure/active-directory/saas-apps/perimeter-81-tutorial) |
+| Silverfort Authentication Platform | [https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso](/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso) |
+| Strata | [https://docs.microsoft.com/azure/active-directory/saas-apps/maverics-identity-orchestrator-saml-connector-tutorial](/azure/active-directory/saas-apps/maverics-identity-orchestrator-saml-connector-tutorial) |
+| Zscaler Private Access (ZPA) | [https://docs.microsoft.com/azure/active-directory/saas-apps/zscalerprivateaccess-tutorial](/azure/active-directory/saas-apps/zscalerprivateaccess-tutorial) |
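Review bot: the "Assign users and groups" step will not create an assignment as written: `principalId`, `resourceId` and `appRoleId` are the properties of an appRoleAssignment resource, which is created with `POST /servicePrincipals/{id}/appRoleAssignedTo`, not by PATCHing them onto the servicePrincipal object itself, so the text "submit it as part of the PATCH body on the Service Principal" and the `Method: PATCH` in that block should be corrected. Second logic point, in both Conditional Access sections: `conditions.applications.includeApplications` takes the application's appId (client ID), which is what the first entry `00000003-0000-0ff1-ce00-000000000000` already is, so the `{Application Object ID}` placeholder there should be `{Application (client) ID}`, and the "Create a SAML application registration" step should tell the reader to capture the appId as well as the object IDs. Also worth saying in the "An existing conditional access policy" step that a PATCH replaces the whole `includeApplications` array: the existing entries from the GET must be merged in, otherwise applications currently protected by that policy silently drop out of scope. Smaller fixes in the request bodies: `Content-type: servicePrincipal/json` (two occurrences) should be `application/json`; `"displayname"` should be `displayName` and `"loginURL"` should be `loginUrl` to match the Graph property names used elsewhere; `"identifierUris":["[https://www.samlapp.com"]` has a stray `[` inside the string; `"scope":"openid user.read offline_access}"` has a stray `}`; "MicrosofT Graph" is a typo. For consistency with the later sections, the hard-coded IDs `3161ab85-...` and `54c4806b-...` in the SAML section would read better as `{Service Principal Object ID}` / `{Application Object ID}` placeholders.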
active-directory Secure Hybrid Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/secure-hybrid-access.md
In addition to [Azure AD Application Proxy](../app-proxy/what-is-application-pro
![Image shows secure hybrid access with app proxy and partners](./media/secure-hybrid-access/secure-hybrid-access.png)
-The following partners offer pre-built solutions to support conditional access policies per application and provide detailed guidance for integrating with Azure AD.
+The following partners offer pre-built solutions to support **conditional access policies per application** and provide detailed guidance for integrating with Azure AD.
- [Akamai Enterprise Application Access](../saas-apps/akamai-tutorial.md) - [Citrix Application Delivery Controller (ADC)](../saas-apps/citrix-netscaler-tutorial.md) -- [Datawiza Access Broker](datawiza-with-azure-ad.md)
+- [Datawiza Access Broker](../manage-apps/datawiza-with-azure-ad.md)
- [F5 Big-IP APM ADC](../manage-apps/f5-aad-integration.md)
The following partners offer pre-built solutions to support conditional access p
- [Perimeter 81](../saas-apps/perimeter-81-tutorial.md) -- [Silverfort Authentication Platform](../manage-apps/add-application-portal-setup-oidc-sso.md)
+- [Silverfort Authentication Platform](../manage-apps/silverfort-azure-ad-integration.md)
+
+- [Strata](https://docs.microsoft.com/azure/active-directory/saas-apps/maverics-identity-orchestrator-saml-connector-tutorial)
+
+The following partners offer pre-built solutions and detailed guidance for integrating with Azure AD.
+
+- [Cisco AnyConnect](https://docs.microsoft.com/azure/active-directory/saas-apps/cisco-anyconnect)
+
+- [Fortinet](https://docs.microsoft.com/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial)
- [Palo Alto Networks Global Protect](../saas-apps/paloaltoadmin-tutorial.md)+ - [Pulse Secure Pulse Connect Secure (PCS)](../saas-apps/pulse-secure-pcs-tutorial.md) - [Pulse Secure Virtual Traffic Manager (VTM)](../saas-apps/pulse-secure-virtual-traffic-manager-tutorial.md)
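Review bot: the new Strata, Cisco AnyConnect and Fortinet entries use absolute `https://docs.microsoft.com/...` URLs while every other item in these lists uses a relative `../saas-apps/*.md` link, which is the convention in this repo; use `../saas-apps/maverics-identity-orchestrator-saml-connector-tutorial.md`, `../saas-apps/cisco-anyconnect.md` and `../saas-apps/fortigate-ssl-vpn-tutorial.md`. The blank lines added around those items also split what was a single bullet list into several lists; drop them so the list renders as one.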
active-directory Silverfort Azure Ad Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/silverfort-azure-ad-integration.md
+
+ Title: Secure hybrid access with Azure AD and Silverfort
+description: In this tutorial, learn how to integrate Silverfort with Azure AD for secure hybrid access
+++++++ Last updated : 9/08/2021++++
+# Tutorial: Configure Silverfort with Azure Active Directory for secure hybrid access
+
+In this tutorial, learn how to integrate Silverfort with Azure Active Directory (Azure AD). [Silverfort](https://www.silverfort.com/) uses innovative agent-less and proxy-less technology to connect all your assets on-premises and in the cloud to Azure AD. This solution enables organizations to apply identity protection, visibility, and user experience across all environments in Azure AD. It enables universal risk-based monitoring and assessment of authentication activity for on-premises and cloud environments, and proactively prevents threats.
+
+Silverfort can seamlessly connect any type of asset into Azure AD, as if it was a modern web application. For example:
+
+- Legacy and homegrown applications
+
+- Remote desktop and Secure Shell (SSH)
+
+- Command-line tools and other admin access
+
+- File shares and databases
+
+- Infrastructure and industrial systems
+
+These **bridged** assets appear as regular applications in Azure AD and can be protected with Conditional Access, single-sign-on (SSO), multifactor authentication, auditing and more.
+
+This solution combines all corporate assets and third party Identity and Access Management (IAM) platforms. For example, Active Directory, Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS) on Azure AD, including hybrid and multi-cloud environments.
+
+## Scenario description
+
+In this guide, you'll configure and test the Silverfort Azure AD bridge in your Azure AD tenant.
+
+Once configured, you can create Silverfort authentication policies that bridge authentication requests from various identity sources to Azure AD for SSO. Once an application is bridged, it can be managed in Azure AD.
+
+The following diagram shows the components included in the solution and sequence of authentication orchestrated by Silverfort.
+
+![image shows the architecture diagram](./media/silverfort-azure-ad-integration/silverfort-architecture-diagram.png)
+
+| Step | Description|
+|:|:|
+| 1. | User sends authentication request to the original Identity provider (IdP) through protocols such as Kerberos, SAML, NTLM, OIDC, and LDAP(s).|
+| 2. | The response is routed as-is to Silverfort for validation to check authentication state.|
+| 3. | Silverfort provides visibility, discovery, and bridging to Azure AD.|
+| 4. | If the application is configured as **bridged**, the authentication decision is passed on to Azure AD. Azure AD evaluates Conditional Access policies and validates authentication.|
+| 5. | The authentication state response is then released and sent as-is to the IdP by Silverfort. |
+| 6.| IdP grants or denies access to the resource.|
+| 7. | User is notified if access request is granted or denied. |
+
+## Prerequisites
+
+To set up SSO for an application that you added to your Azure AD tenant, you'll need:
+
+- An Azure account with an active subscription. You can create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+- One of the following roles in your Azure account - Global administrator, Cloud application administrator, Application administrator, or Owner of the service principal.
+
+- An application that supports SSO and that was already pre-configured and added to the Azure AD gallery. The Silverfort application in the Azure AD gallery is already pre-configured. You'll need to add it as an Enterprise application from the gallery.
+
+## Onboard with Silverfort
+
+To deploy Silverfort in your tenant or infrastructure, [contact Silverfort](https://www.silverfort.com/). Install Silverfort Desktop app on relevant workstations.
+
+## Configure Silverfort and create a policy
+
+1. From a browser, log in to the **Silverfort admin console**.
+
+2. In the main menu, navigate to **Settings**, and then scroll to
+ **Azure AD Bridge Connector** in the General section. Confirm your tenant ID, and then select **Authorize**.
+
+ ![image shows azure ad bridge connector](./media/silverfort-azure-ad-integration/azure-ad-bridge-connector.png)
+
+ ![image shows registration confirmation](./media/silverfort-azure-ad-integration/grant-permission.png)
+
+3. A registration confirmation is shown in a new tab. Close this tab.
+
+ ![image shows registration completed](./media/silverfort-azure-ad-integration/registration-completed.png)
+
+4. In the **Settings** page, select **Save changes**
+
+ ![image shows the azure ad adapter](./media/silverfort-azure-ad-integration/silverfort-azure-ad-adapter.png)
+
+ Log in to your Azure AD console. You'll see **Silverfort Azure AD Adapter** application registered as an Enterprise application.
+
+ ![image shows enterprise application](./media/silverfort-azure-ad-integration/enterprise-application.png)
+
+5. In the Silverfot admin console, navigate to the **Policies** page, and select **Create Policy**.
+
+6. The **New Policy** dialog will appear. Enter a **Policy Name**, that would indicate the application name that will be created in Azure. For example, if you're adding multiple servers or applications under this policy, name it to reflect the resources covered by the policy. In the example, we'll create a policy for the *SL-APP1* server.
+
+ ![image shows define policy](./media/silverfort-azure-ad-integration/define-policy.png)
+
+7. Select appropriate **Authentication** type, and **Protocol**.
+
+8. In the **Users and Groups** field, select the edit icon to configure users that will be affected by the policy. These users's authentication will be bridged to Azure AD.
+
+ ![image shows user and groups](./media/silverfort-azure-ad-integration/user-groups.png)
+
+9. Search and select users, groups, or Organization units (OUs).
+
+ ![image shows search users](./media/silverfort-azure-ad-integration/search-users.png)
+
+ Selected users will be listed in the SELECTED box.
+
+ ![image shows selected user](./media/silverfort-azure-ad-integration/select-user.png)
+
+10. Select the **Source** for which the policy will apply. In this example, *All Devices* are selected.
+
+ ![image shows source](./media/silverfort-azure-ad-integration/source.png)
+
+11. Set the **Destination** to *SL-App1*. You can select the edit button to change or add more resources or groups of resources (optional).
+
+ ![image shows destination](./media/silverfort-azure-ad-integration/destination.png)
+
+12. Select the Action to **AZURE AD BRIDGE**.
+
+ ![image shows save azure ad bridge](./media/silverfort-azure-ad-integration/save-azure-ad-bridge.png)
+
+13. Select **SAVE** to save the new policy. You'll be prompted to enable or activate it.
+
+ ![image shows change status](./media/silverfort-azure-ad-integration/change-status.png)
+
+ The policy will appear in the Policies page, in the Azure AD Bridge section:
+
+ ![image shows add policy](./media/silverfort-azure-ad-integration/add-policy.png)
+
+14. Return to the Azure AD console, and navigate to **Enterprise applications**. The new Silverfort application should now appear. This application can now be included in [CA policies](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json%23create-a-conditional-access-policy).
+
+## Next steps
+
+- [Silverfort Azure AD adapter](https://azuremarketplace.microsoft.com/marketplace/apps/aad.silverfortazureadadapter?tab=overview)
+
+- [Silverfort resources](https://www.silverfort.com/resources/)
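Review bot: two typos in the procedure: "Silverfot admin console" in step 5 and "These users's authentication" in step 8. In the introduction, "This solution combines all corporate assets and third party Identity and Access Management (IAM) platforms. For example, Active Directory, ..., and Remote Authentication Dial-In User Service (RADIUS) on Azure AD" does not parse; say directly that Silverfort bridges assets and third-party IAM platforms such as Active Directory, ADFS and RADIUS onto Azure AD. Step 14 links the words "CA policies" to the MFA tutorial through a long breadcrumb-encoded URL; a relative link to the Conditional Access documentation is simpler and will survive a move of either article. Step 4 should end with a period ("select **Save changes**").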
active-directory Askspoke Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/askspoke-tutorial.md
Previously updated : 08/20/2020 Last updated : 08/27/2021
In this tutorial, you'll learn how to integrate askSpoke with Azure Active Direc
* Enable your users to be automatically signed-in to askSpoke with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
## Prerequisites
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* askSpoke supports **SP and IDP** initiated SSO
-* askSpoke supports **Just In Time** user provisioning
-* Once you configure askSpoke you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* askSpoke supports **SP and IDP** initiated SSO.
+* askSpoke supports **Just In Time** user provisioning.
+* askSpoke supports [Automated user provisioning](askspoke-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding askSpoke from the gallery
+## Add askSpoke from the gallery
To configure the integration of askSpoke into Azure AD, you need to add askSpoke from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
To configure the integration of askSpoke into Azure AD, you need to add askSpoke
Configure and test Azure AD SSO with askSpoke using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in askSpoke.
-To configure and test Azure AD SSO with askSpoke, complete the following building blocks:
+To configure and test Azure AD SSO with askSpoke, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with askSpoke, complete the following buildin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **askSpoke** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **askSpoke** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **askSpoke**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure askSpoke SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Settings** tab from the left navigation pane.
- ![askSpoke settings tab](./media/askspoke-tutorial/configure1.png)
+ ![askSpoke settings tab](./media/askspoke-tutorial/configure-1.png)
1. Scroll down to **SSO** and click on **Connect**.
- ![askSpoke connect](./media/askspoke-tutorial/configure2.png)
+ ![askSpoke connect](./media/askspoke-tutorial/configure-2.png)
1. On the **Enable SAML & SCIM** section, perform the following steps:
- ![askSpoke Enable SAML & SCIM section](./media/askspoke-tutorial/configure3.png)
+ ![askSpoke Enable SAML & SCIM section](./media/askspoke-tutorial/configure-3.png)
1. In the **Sign-on URL** textbox, paste **Login URL** value, which you have copied from the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called B.Simon is created in askSpoke. askSpoke supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in askSpoke, a new one is created when you attempt to access askSpoke.
+askSpoke also supports automatic user provisioning, you can find more details [here](./askspoke-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to askspoke Sign on URL where you can initiate the login flow.
-When you click the askSpoke tile in the Access Panel, you should be automatically signed in to the askSpoke for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Go to askspoke Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the askspoke for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the askspoke tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the askspoke for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try askSpoke with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure askspoke you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
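Review bot: the added Test SSO and Next steps text spells the product "askspoke" (six occurrences) while the rest of the tutorial uses "askSpoke"; use one spelling. Also "with following options" should be "with the following options", "the My Apps" should be "My Apps", and "askSpoke also supports automatic user provisioning, you can find more details [here](./askspoke-provisioning-tutorial.md)" is a comma splice with a bare "here" link; rewrite as "askSpoke also supports automatic user provisioning; see [the askSpoke provisioning tutorial](./askspoke-provisioning-tutorial.md) for details."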
active-directory Auditboard Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/auditboard-tutorial.md
Previously updated : 05/10/2021 Last updated : 08/20/2021 # Tutorial: Azure Active Directory integration with AuditBoard
To configure Azure AD integration with AuditBoard, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment. * AuditBoard supports **SP and IDP** initiated SSO.
+* AuditBoard supports [Automated user provisioning](auditboard-provisioning-tutorial.md).
## Add AuditBoard from the gallery
To configure single sign-on on **AuditBoard** side, you need to send the **App F
In this section, you create a user called Britta Simon in AuditBoard. Work with [AuditBoard support team](mailto:support@auditboard.com) to add the users in the AuditBoard platform. Users must be created and activated before you use single sign-on.
+AuditBoard also supports automatic user provisioning, you can find more details [here](./auditboard-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
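Review bot: "AuditBoard also supports automatic user provisioning, you can find more details [here](./auditboard-provisioning-tutorial.md)" is a comma splice with a bare "here" link; rewrite as "AuditBoard also supports automatic user provisioning; see [the AuditBoard provisioning tutorial](./auditboard-provisioning-tutorial.md) for details." so the link text describes its target.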
active-directory Bitabiz Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bitabiz-tutorial.md
Previously updated : 02/06/2019 Last updated : 08/20/2021 # Tutorial: Azure Active Directory integration with BitaBIZ
-In this tutorial, you learn how to integrate BitaBIZ with Azure Active Directory (Azure AD).
-Integrating BitaBIZ with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate BitaBIZ with Azure Active Directory (Azure AD). When you integrate BitaBIZ with Azure AD, you can:
-* You can control in Azure AD who has access to BitaBIZ.
-* You can enable your users to be automatically signed-in to BitaBIZ (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to BitaBIZ.
+* Enable your users to be automatically signed-in to BitaBIZ with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with BitaBIZ, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* BitaBIZ single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* BitaBIZ single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* BitaBIZ supports **SP and IDP** initiated SSO
-
-## Adding BitaBIZ from the gallery
-
-To configure the integration of BitaBIZ into Azure AD, you need to add BitaBIZ from the gallery to your list of managed SaaS apps.
-
-**To add BitaBIZ from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **BitaBIZ**, select **BitaBIZ** from result panel then click **Add** button to add the application.
-
- ![BitaBIZ in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+* BitaBIZ supports **SP and IDP** initiated SSO.
+* BitaBIZ supports [Automated user provisioning](bitabiz-provisioning-tutorial.md).
-In this section, you configure and test Azure AD single sign-on with BitaBIZ based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in BitaBIZ needs to be established.
-To configure and test Azure AD single sign-on with BitaBIZ, you need to complete the following building blocks:
+## Add BitaBIZ from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure BitaBIZ Single Sign-On](#configure-bitabiz-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create BitaBIZ test user](#create-bitabiz-test-user)** - to have a counterpart of Britta Simon in BitaBIZ that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of BitaBIZ into Azure AD, you need to add BitaBIZ from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **BitaBIZ** in the search box.
+1. Select **BitaBIZ** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with BitaBIZ, perform the following steps:
+## Configure and test Azure AD SSO for BitaBIZ
-1. In the [Azure portal](https://portal.azure.com/), on the **BitaBIZ** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with BitaBIZ using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BitaBIZ.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with BitaBIZ, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure BitaBIZ SSO](#configure-bitabiz-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create BitaBIZ test user](#create-bitabiz-test-user)** - to have a counterpart of Britta Simon in BitaBIZ that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **BitaBIZ** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![BitaBIZ Domain and URLs single sign-on information](common/idp-identifier.png)
+4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP initiated** mode perform the following steps:
In the **Identifier** text box, type a URL using the following pattern:
- `https://www.bitabiz.com/<instanceId>`
+ `https://www.bitabiz.com/<INSTANCE_ID>`
> [!NOTE] > The value in the above URL is for demonstration only. Update the value with the actual identifier, which is explained later in the tutorial. 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![image](common/both-preintegrated-signon.png)
- In the **Sign-on URL** text box, type the URL: `https://www.bitabiz.com/dashboard`
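Review bot: the removed line "In the **Sign-on URL** text box, type the URL: `https://www.bitabiz.com/dashboard`" has no replacement in this hunk, yet the step above it still says "perform the following step if you wish to configure the application in **SP** initiated mode", and the new Test SSO section still tells the reader to go to the BitaBIZ Sign-on URL. If the line was only re-indented it should appear as an added line; if it was dropped, SP-initiated sign-on can no longer be configured from this page and the value needs to come back. Two smaller points in the same hunk: the new "perform the following steps" list introduces the test user as **B.Simon** but its three nested sub-steps say "Britta Simon", and its top-level numbering runs 1., 2., 1.; use B.Simon throughout, as the rest of the rewritten tutorial does. In the Configure Azure AD SSO steps, the Basic SAML Configuration item is numbered "4." after three items numbered "1.", and the unchanged next item is still "5."; renumber consistently.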
To configure Azure AD single sign-on with BitaBIZ, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
- b. Azure Ad Identifier
+### Create an Azure AD test user
- c. Logout URL
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
-### Configure BitaBIZ Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to BitaBIZ.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **BitaBIZ**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure BitaBIZ SSO
1. In a different web browser window, sign-on to your BitaBIZ tenant as an administrator. 2. Click on **SETUP ADMIN**.
- ![Screenshot shows part of a browser window with Setup Admin selected.](./media/bitabiz-tutorial/settings1.png)
+ ![Screenshot shows part of a browser window with Setup Admin selected.](./media/bitabiz-tutorial/setup-admin.png)
3. Click on **Microsoft integrations** under **Add value** section.
- ![Screenshot shows Add value with Microsoft integrations selected.](./media/bitabiz-tutorial/settings2.png)
+ ![Screenshot shows Add value with Microsoft integrations selected.](./media/bitabiz-tutorial/integrations.png)
4. Scroll down to the section **Microsoft Azure AD (Enable single sign on)** and perform following steps:
- ![Screenshot shows the Microsoft Azure A D section where you enter the information described in this step.](./media/bitabiz-tutorial/settings3.png)
+ ![Screenshot shows the Microsoft Azure A D section where you enter the information described in this step.](./media/bitabiz-tutorial/configuration.png)
a. Copy the value from the **Entity ID (ΓÇ¥IdentifierΓÇ¥ in Azure AD)** textbox and paste it into the **Identifier** textbox on the **Basic SAML Configuration** section in Azure portal.
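Review bot: removing "a. Login URL / b. Azure Ad Identifier / c. Logout URL" under the "Copy configuration URLs" screenshot leaves nothing that tells the reader which values to copy, while the BitaBIZ-side steps a. through g. under "Microsoft Azure AD (Enable single sign on)" still consume them; keep a one-line list of the three values, or name each one at the BitaBIZ step that uses it. In the new Assign the Azure AD test user section, "enable B.Simon to use Azure single sign-on by granting access to BitaBIZ" only restricts sign-in to assigned users when the app's Properties page has "User assignment required?" set to Yes; otherwise any user in the tenant who reaches the sign-on URL is issued a SAML assertion. A sentence pointing at that setting belongs here, since this is the only access-control step in the tutorial. Minor: the placeholder "username@companydomain.extension" in the Create user step should be fenced as code like the `B.Simon@contoso.com` example beside it.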
To configure Azure AD single sign-on with BitaBIZ, perform the following steps:
g. Click **Save Azure AD configuration** to save and activate the SSO configuration.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to BitaBIZ.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **BitaBIZ**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **BitaBIZ**.
-
- ![The BitaBIZ link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
### Create BitaBIZ test user
In the case of BitaBIZ, provisioning is a manual task.
2. Click on **SETUP ADMIN**.
- ![Screenshot shows part of your browser window with Setup Admin selected.](./media/bitabiz-tutorial/settings1.png)
+ ![Screenshot shows part of your browser window with Setup Admin selected.](./media/bitabiz-tutorial/setup-admin.png)
3. Click on **Add users** under **Organization** section.
- ![Screenshot shows the Organization section with Add users selected.](./media/bitabiz-tutorial/user1.png)
+ ![Screenshot shows the Organization section with Add users selected.](./media/bitabiz-tutorial/add-user.png)
4. Click **Add new employee**.
- ![Screenshot shows Add users with Add new employee selected.](./media/bitabiz-tutorial/user2.png)
+ ![Screenshot shows Add users with Add new employee selected.](./media/bitabiz-tutorial/new-employee.png)
5. On the **Add new employee** dialog page, perform the following steps:
- ![Screenshot shows the page where you enter the information described in this step.](./media/bitabiz-tutorial/user3.png)
+ ![Screenshot shows the page where you enter the information described in this step.](./media/bitabiz-tutorial/save-employee.png)
a. In the **First Name** textbox, type the first name of user like Britta.
In the case of BitaBIZ, provisioning is a manual task.
> [!NOTE] > The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active.
-### Test single sign-on
+> [!NOTE]
+>BitaBIZ also supports automatic user provisioning, you can find more details [here](./bitabiz-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to BitaBIZ Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to BitaBIZ Sign-on URL directly and initiate the login flow from there.
-When you click the BitaBIZ tile in the Access Panel, you should be automatically signed in to the BitaBIZ for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the BitaBIZ for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the BitaBIZ tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BitaBIZ for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure BitaBIZ you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
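Review bot: the new NOTE block is missing the space after ">" on its second line, is a comma splice with a bare "here" link (see the AuditBoard note above), and contradicts the unchanged sentence at the top of this section, "In the case of BitaBIZ, provisioning is a manual task"; reword that sentence to say provisioning can be done manually or through automatic provisioning, and give the link descriptive text. The Test SSO subsection headings jump from "##" straight to "####" and end in colons ("#### SP initiated:", "#### IDP initiated:"); use the next heading level down and drop the colons. The SP-initiated bullets also depend on the BitaBIZ Sign-on URL, which the Configure Azure AD SSO hunk removed without a visible replacement; if that removal stands, these bullets cannot be followed. Finally, the Next steps sentence has the same "protects exfiltration" wording flagged for askspoke; it should read "protects against exfiltration and infiltration".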
active-directory Bizagi Studio For Digital Process Automation Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-tutorial.md
Previously updated : 06/15/2021 Last updated : 08/27/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a Bizagi project using Automation services or server. * Bizagi for Digital Process Automation supports **SP** initiated SSO.
+* Bizagi for Digital Process Automation supports [Automated user provisioning](bizagi-studio-for-digital-process-automation-provisioning-tutorial.md).
## Add Bizagi for Digital Process Automation from the gallery
To configure single sign-on on **Bizagi for Digital Process Automation** side, y
In this section, you create a user called Britta Simon in Bizagi for Digital Process Automation. Work with [Bizagi for Digital Process Automation support team](mailto:jarvein.rivera@bizagi.com) to add the users in the Bizagi for Digital Process Automation platform. Users must be created and activated before you use single sign-on.
+Bizagi for Digital Process Automation also supports automatic user provisioning, you can find more details [here](./bizagi-studio-for-digital-process-automation-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
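Review bot: "Bizagi for Digital Process Automation also supports automatic user provisioning, you can find more details [here](...)" has the comma splice and bare "here" link already noted for AuditBoard, and this sentence links `./bizagi-studio-for-digital-process-automation-provisioning-tutorial.md` while the new scenario bullet links the same file without the `./`; use one form. While this section is being edited: the unchanged line above it names an individual's mailbox (jarvein.rivera@bizagi.com) as the vendor support contact, which goes stale as soon as that person changes role; confirm with Bizagi whether a support alias should be published instead.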
active-directory Blink Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blink-tutorial.md
Previously updated : 08/16/2019 Last updated : 08/27/2021
In this tutorial, you'll learn how to integrate Blink with Azure Active Director
* Enable your users to be automatically signed-in to Blink with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Blink supports **SP** initiated SSO
-* Blink supports **Just In Time** user provisioning
+* Blink supports **SP** initiated SSO.
+* Blink supports **Just In Time** user provisioning.
+* Blink supports [Automated user provisioning](blink-provisioning-tutorial.md).
## Adding Blink from the gallery To configure the integration of Blink into Azure AD, you need to add Blink from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Blink** in the search box. 1. Select **Blink** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Blink
+## Configure and test Azure AD SSO for Blink
Configure and test Azure AD SSO with Blink using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Blink.
-To configure and test Azure AD SSO with Blink, complete the following building blocks:
+To configure and test Azure AD SSO with Blink, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Blink, complete the following building b
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Blink** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Blink** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using one of the following pattern:
+ a. In the **Sign on URL** text box, type a URL using one of the following patterns:
- ```http
- https://app.joinblink.com
- https://<SUBDOMAIN>.joinblink.com
- ```
+ | Sign-on URL|
+ ||
+ | `https://app.joinblink.com` |
+ | `https://<SUBDOMAIN>.joinblink.com` |
+ |
+
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: `https://api.joinblink.com/saml/o-<TENANTID>`
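Review bot: the table that replaces the fenced block has "||" as its second row, which is not a valid delimiter row (a GFM table needs at least one hyphen per column, for example "|--|"), so the table will render as literal bars and text; and the trailing line consisting of a single "|" should be deleted. Converting the two URL patterns from a code fence to a table is fine, but the column heading "Sign-on URL" should match the field name used in the step that introduces it ("Sign on URL").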
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Blink**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Blink SSO
To configure single sign-on on **Blink** side, you need to send the downloaded *
In this section, a user called Britta Simon is created in Blink. Blink supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Blink, a new one is created after authentication.
-## Test SSO
+Blink also supports automatic user provisioning, you can find more details [here](./blink-provisioning-tutorial.md) on how to configure automatic user provisioning.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Blink tile in the Access Panel, you should be automatically signed in to the Blink for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on Test this application in Azure portal. This will redirect to Blink Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Blink Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Blink tile in the My Apps, this will redirect to Blink Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Slack with Azure AD](https://aad.portal.azure.com/)
+Once you configure Blink you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
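Review bot: in the Test SSO bullets, "Click on Test this application in Azure portal" lacks the bold on the button name that the equivalent BitaBIZ bullet in this same change uses (**Test this application**); make the two consistent. The added provisioning sentence has the comma splice and "here" link noted for AuditBoard, and the Next steps sentence has the "protects exfiltration" wording noted for askspoke. Dropping the stray "Try Slack with Azure AD" link from Additional resources is right; it never belonged in the Blink tutorial.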
active-directory Blogin Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blogin-tutorial.md
Previously updated : 06/09/2021 Last updated : 08/20/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* BlogIn supports **SP and IDP** initiated SSO. * BlogIn supports **Just In Time** user provisioning.
+* BlogIn supports [Automated user provisioning](blogin-provisioning-tutorial.md).
## Add BlogIn from the gallery
For a more detailed explanation of setting up SSO on BlogIn, see [How to set up
In this section, a user called B.Simon is created in BlogIn. BlogIn supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in BlogIn, a new one is created after authentication.
+BlogIn also supports automatic user provisioning, you can find more details [here](./blogin-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Bonus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bonus-tutorial.md
Previously updated : 06/15/2021 Last updated : 08/27/2021 # Tutorial: Azure Active Directory integration with Bonusly
To configure Azure AD integration with Bonusly, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment. * Bonusly supports **IDP** initiated SSO.
+* Bonusly supports [Automated user provisioning](bonusly-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In order to enable Azure AD users to sign in to Bonusly, they must be provisione
d. Click **Save**. > [!NOTE]
- > The Azure AD account holder receives an email that includes a link to confirm the account before it becomes active.
+ > The Azure AD account holder receives an email that includes a link to confirm the account before it becomes active.
+
+> [!NOTE]
+>Bonusly also supports automatic user provisioning, you can find more details [here](./bonusly-provisioning-tutorial.md) on how to configure automatic user provisioning.
## Test SSO
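Review bot: the first NOTE line is removed and re-added with identical visible text, so the pair differs only in whitespace that the rendered diff does not show; either leave that line out of the change or state that trailing whitespace is being cleaned up. The new NOTE block below it is missing the space after ">" on its second line and carries the same comma splice and bare "here" link as the AuditBoard provisioning sentence.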
active-directory Boxcryptor Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/boxcryptor-tutorial.md
Previously updated : 06/09/2021 Last updated : 08/27/2021 # Tutorial: Azure Active Directory integration with Boxcryptor
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Boxcryptor supports **SP** initiated SSO. * Boxcryptor supports **Just In Time** user provisioning.
+* Boxcryptor supports [Automated user provisioning](boxcryptor-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Boxcryptor** side, you need to send the downloa
In this section, a user called B.Simon is created in Boxcryptor. Boxcryptor supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Boxcryptor, a new one is created after authentication.
+Boxcryptor also supports automatic user provisioning, you can find more details [here](./boxcryptor-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Britive Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/britive-tutorial.md
Previously updated : 02/25/2020 Last updated : 08/20/2021
In this tutorial, you'll learn how to integrate Britive with Azure Active Direct
* Enable your users to be automatically signed-in to Britive with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Britive supports **SP** initiated SSO
-* Once you configure Britive you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Britive supports **SP** initiated SSO.
+* Britive supports [Automated user provisioning](britive-provisioning-tutorial.md).
## Adding Britive from the gallery To configure the integration of Britive into Azure AD, you need to add Britive from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Britive** in the search box. 1. Select **Britive** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Britive
+## Configure and test Azure AD SSO for Britive
Configure and test Azure AD SSO with Britive using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Britive.
-To configure and test Azure AD SSO with Britive, complete the following building blocks:
+To configure and test Azure AD SSO with Britive, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
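Review bot: the removed scenario bullet carried the session-control guidance and its link (/cloud-app-security/proxy-deployment-any-app), and this hunk adds no replacement. The Blink and BitaBIZ tutorials in the same change place that guidance in a Next steps section that links /cloud-app-security/proxy-deployment-aad instead. If Britive is getting the same Next steps section it is not visible here and should be part of this change; if not, the session-control guidance is lost for this app. The two link targets also differ (any-app versus aad), so confirm which deployment path applies to Britive before re-adding the sentence.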
To configure and test Azure AD SSO with Britive, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Britive** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Britive** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Britive**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Britive SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Admin Settings Icon** and select **Security**.
- ![Screenshot shows the Britive website with Settings and Security selected.](./media/britive-tutorial/configure1.png)
+ ![Screenshot shows the Britive website with Settings and Security selected.](./media/britive-tutorial/security.png)
1. Select **SSO Configuration** and perform the following steps:
- ![Screenshot shows S S O Configuration where you enter the information in this step.](./media/britive-tutorial/configure2.png)
+ ![Screenshot shows S S O Configuration where you enter the information in this step.](./media/britive-tutorial/configuration.png)
a. Copy **Audience/Entity ID** value and paste it into the **Identifier (Entity ID)** text box in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Admin Settings Icon** and select **User Administration**.
- ![Screenshot shows the Britive website with Settings and User Administration selected.](./media/britive-tutorial/user1.png)
+ ![Screenshot shows the Britive website with Settings and User Administration selected.](./media/britive-tutorial/user.png)
1. Click on **ADD USER**.
- ![Screenshot shows the ADD USER button.](./media/britive-tutorial/user2.png)
+ ![Screenshot shows the ADD USER button.](./media/britive-tutorial/add-user.png)
1. Fill all the necessary details of the user according your organization requirement and click **ADD USER**.
- ![Screenshot shows the Ad a User page where you enter user information.](./media/britive-tutorial/user3.png)
-
-## Test SSO
+ ![Screenshot shows the Ad a User page where you enter user information.](./media/britive-tutorial/user-fields.png)
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+> [!NOTE]
+>Britive also supports automatic user provisioning, you can find more details [here](./britive-provisioning-tutorial.md) on how to configure automatic user provisioning.
-When you click the Britive tile in the Access Panel, you should be automatically signed in to the Britive for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+## Test SSO
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Britive Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Britive Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Britive tile in the My Apps, this will redirect to Britive Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Britive with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Britive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
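Review bot: the Next steps link at the end of this hunk changes target from `/cloud-app-security/proxy-deployment-any-app` (the value in the removed scenario bullet) to `/cloud-app-security/proxy-deployment-aad`, while the Comeet Recruiting Software tutorial in this same batch keeps `proxy-deployment-any-app`; confirm the new target is intended and not carried over from another tutorial. In the added callout, `>Britive also supports automatic user provisioning, you can find more details [here](./britive-provisioning-tutorial.md) on how to configure automatic user provisioning.` is a comma splice with a bare "here" link; suggest two sentences with the tutorial as link text, for example `> Britive also supports automatic user provisioning. For details, see the [Britive provisioning tutorial](./britive-provisioning-tutorial.md).` Note also that the scenario bullet added earlier in this file already links the same tutorial, so keep the callout short.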
active-directory Browserstack Single Sign On Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/browserstack-single-sign-on-tutorial.md
Previously updated : 05/07/2021 Last updated : 08/27/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * BrowserStack Single Sign-on supports **SP and IDP** initiated SSO.
+* BrowserStack Single Sign-on supports [Automated user provisioning](browserstack-single-sign-on-provisioning-tutorial.md).
## Add BrowserStack Single Sign-on from the gallery
To configure single sign-on on **BrowserStack Single Sign-on** side, you need to
In this section, you create a user called B.Simon in BrowserStack Single Sign-on. Work with [BrowserStack Single Sign-on support team](mailto:support@browserstack.com) to add the users in the BrowserStack Single Sign-on platform. Users must be created and activated before you use single sign-on.
+BrowserStack Single Sign-on also supports automatic user provisioning, you can find more details [here](./browserstack-single-sign-on-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
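Review bot: the added provisioning sentence is a plain paragraph here, whereas the identical sentence in the Britive and CheckProof hunks of this batch is wrapped in a `> [!NOTE]` callout; pick one treatment across the tutorials. The sentence also has the same comma splice and bare "here" link text (`...also supports automatic user provisioning, you can find more details [here](...)`); suggest splitting it into two sentences and using the tutorial name as the link text.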
active-directory Checkproof Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/checkproof-tutorial.md
Previously updated : 08/06/2021 Last updated : 08/20/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * CheckProof supports **IDP** initiated SSO.
+* CheckProof supports [Automated user provisioning](checkproof-provisioning-tutorial.md).
## Add CheckProof from the gallery
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
![CheckProof create user page.](./media/checkproof-tutorial/user.png)
+> [!NOTE]
+>CheckProof also supports automatic user provisioning, you can find more details [here](./checkproof-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Citrix Gotomeeting Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/citrix-gotomeeting-tutorial.md
Previously updated : 06/16/2021 Last updated : 08/20/2021 # Tutorial: Azure Active Directory single sign-on (SSO) integration with GoToMeeting
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * GoToMeeting supports **IDP** initiated SSO.
+* GoToMeeting supports [Automated user provisioning](citrixgotomeeting-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
There is no action item for you in this section. If a user doesn't already exist
> [!NOTE] > If you need to create a user manually, Contact [GoToMeeting support team](https://support.logmeininc.com/gotomeeting).
+> [!NOTE]
+>GoToMeeting also supports automatic user provisioning, you can find more details [here](./citrixgotomeeting-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
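Review bot: the new `> [!NOTE]` block lands directly under the existing note about contacting the GoToMeeting support team, so the section ends with two stacked callouts; consider merging them into a single note (manual creation via support, or automatic provisioning via the linked tutorial), or adding the provisioning sentence as a plain paragraph as the BrowserStack and Clebex hunks in this batch do. The scenario bullet links `citrixgotomeeting-provisioning-tutorial.md` while the note links `./citrixgotomeeting-provisioning-tutorial.md`; both resolve to the same file, but align the form.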
active-directory Clebex Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clebex-tutorial.md
Previously updated : 04/22/2021 Last updated : 08/27/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Clebex supports **Just In Time** user provisioning.
+* Clebex supports [Automated user provisioning](clebex-provisioning-tutorial.md).
-## Adding Clebex from the gallery
+
+## Add Clebex from the gallery
To configure the integration of Clebex into Azure AD, you need to add Clebex from the gallery to your list of managed SaaS apps.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called Britta Simon is created in Clebex. Clebex supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Clebex, a new one is created after authentication.
+Clebex also supports automatic user provisioning, you can find more details [here](./clebex-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Cloud Academy Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloud-academy-sso-tutorial.md
Previously updated : 12/15/2020 Last updated : 08/27/2021
In this tutorial, you'll configure and test Azure AD SSO in a test environment.
* Cloud Academy - SSO supports **SP** initiated SSO * Cloud Academy - SSO supports **Just In Time** user provisioning
+* Cloud Academy - SSO supports [Automated user provisioning](cloud-academy-sso-provisioning-tutorial.md).
## Add Cloud Academy - SSO from the gallery
In this section, you'll enable B.Simon to use Azure single sign-on by granting t
In this section, a user called Britta Simon is created in Cloud Academy - SSO. Cloud Academy - SSO supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Cloud Academy - SSO, a new one is created after authentication.
+Cloud Academy - SSO also supports automatic user provisioning, you can find more details [here](./cloud-academy-sso-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Coda Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/coda-tutorial.md
Previously updated : 05/20/2021 Last updated : 08/20/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Coda supports **Just In Time** user provisioning.
+* Coda supports [Automated user provisioning](coda-provisioning-tutorial.md).
+ ## Add Coda from the gallery To configure the integration of Coda into Azure AD, you need to add Coda from the gallery to your list of managed SaaS apps.
This completes the work necessary for the SAML SSO connection setup.
In this section, a user called Britta Simon is created in Coda. Coda supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Coda, a new one is created after authentication.
+Coda also supports automatic user provisioning, you can find more details [here](./coda-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Comeetrecruitingsoftware Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/comeetrecruitingsoftware-tutorial.md
Previously updated : 01/22/2019 Last updated : 08/23/2021 # Tutorial: Azure Active Directory integration with Comeet Recruiting Software
-In this tutorial, you learn how to integrate Comeet Recruiting Software with Azure Active Directory (Azure AD).
-Integrating Comeet Recruiting Software with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Comeet Recruiting Software with Azure Active Directory (Azure AD). When you integrate Comeet Recruiting Software with Azure AD, you can:
-* You can control in Azure AD who has access to Comeet Recruiting Software.
-* You can enable your users to be automatically signed-in to Comeet Recruiting Software (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Comeet Recruiting Software.
+* Enable your users to be automatically signed-in to Comeet Recruiting Software with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Comeet Recruiting Software, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Comeet Recruiting Software single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Comeet Recruiting Software single sign-on (SSO) enabled subscription.
## Scenario description
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-
-* Comeet Recruiting Software supports **SP and IDP** initiated SSO
-
-## Adding Comeet Recruiting Software from the gallery
-
-To configure the integration of Comeet Recruiting Software into Azure AD, you need to add Comeet Recruiting Software from the gallery to your list of managed SaaS apps.
-
-**To add Comeet Recruiting Software from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+In this tutorial, you configure and test Azure AD SSO in a test environment.
-3. To add new application, click **New application** button on the top of dialog.
+* Comeet Recruiting Software supports **SP and IDP** initiated SSO.
+* Comeet Recruiting Software supports [Automated user provisioning](comeet-recruiting-software-provisioning-tutorial.md).
- ![The New application button](common/add-new-app.png)
-4. In the search box, type **Comeet Recruiting Software**, select **Comeet Recruiting Software** from result panel then click **Add** button to add the application.
+## Add Comeet Recruiting Software from the gallery
- ![Comeet Recruiting Software in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Comeet Recruiting Software based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Comeet Recruiting Software needs to be established.
-
-To configure and test Azure AD single sign-on with Comeet Recruiting Software, you need to complete the following building blocks:
+To configure the integration of Comeet Recruiting Software into Azure AD, you need to add Comeet Recruiting Software from the gallery to your list of managed SaaS apps.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Comeet Recruiting Software Single Sign-On](#configure-comeet-recruiting-software-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Comeet Recruiting Software test user](#create-comeet-recruiting-software-test-user)** - to have a counterpart of Britta Simon in Comeet Recruiting Software that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Comeet Recruiting Software** in the search box.
+1. Select **Comeet Recruiting Software** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Comeet Recruiting Software
-To configure Azure AD single sign-on with Comeet Recruiting Software, perform the following steps:
+Configure and test Azure AD SSO with Comeet Recruiting Software using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Comeet Recruiting Software.
-1. In the [Azure portal](https://portal.azure.com/), on the **Comeet Recruiting Software** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Comeet Recruiting Software, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure Comeet Recruiting Software SSO](#configure-comeet-recruiting-software-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create Comeet Recruiting Software test user](#create-comeet-recruiting-software-test-user)** - to have a counterpart of Britta Simon in Comeet Recruiting Software that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Comeet Recruiting Software** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that shows the "Basic S A M L Configuration" section with the "Save" action, "Identifier" field, and "Reply U R L" field highlighted.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://app.comeet.co/adfs_auth/acs/<UNIQUEID>/`
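Review bot: the test-user name is inconsistent in the rewritten step list: the intro (`...using a test user called **B.Simon**`) and the new Create/Assign sections use B.Simon, but the three indented sub-steps (`Create an Azure AD test user`, `Assign the Azure AD test user`, `Create Comeet Recruiting Software test user`) still say Britta Simon; change them to B.Simon. The retained steps that follow keep hard numbers (`4. On the **Basic SAML Configuration** section...`, `5. Click **Set additional URLs**...`) while the rewritten steps use `1.`; switch them to `1.` for a consistent list. Finally, the removed line `a. In the **Identifier** text box, type a URL using the following pattern: https://app.comeet.co/adfs_auth/acs/<UNIQUEID>/` has no replacement in this hunk; confirm the Identifier pattern is re-added in the retained text, otherwise the IDP-initiated configuration loses its required value.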
To configure Azure AD single sign-on with Comeet Recruiting Software, perform th
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Comeet Recruiting Software Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL: `https://app.comeet.co`
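Review bot: this hunk removes the SP-initiated Sign-on URL instruction (`In the **Sign-on URL** text box, type a URL: https://app.comeet.co`) along with its screenshot, which leaves the retained step `5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:` with no step to perform; keep the Sign-on URL instruction, or confirm it is re-added elsewhere in the file.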
To configure Azure AD single sign-on with Comeet Recruiting Software, perform th
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
+### Create an Azure AD test user
-### Configure Comeet Recruiting Software Single Sign-On
-
-To configure single sign-on on **Comeet Recruiting Software** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Comeet Recruiting Software support team](https://support.comeet.co/knowledgebase/adfs-single-sign-on/). They set this setting to have the SAML SSO connection set properly on both sides.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Comeet Recruiting Software.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Comeet Recruiting Software**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Comeet Recruiting Software.
-2. In the applications list, select **Comeet Recruiting Software**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Comeet Recruiting Software**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The Comeet Recruiting Software link in the Applications list](common/all-applications.png)
+## Configure Comeet Recruiting Software SSO
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
+To configure single sign-on on **Comeet Recruiting Software** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Comeet Recruiting Software support team](https://support.comeet.co/knowledgebase/adfs-single-sign-on/). They set this setting to have the SAML SSO connection set properly on both sides.
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+### Create Comeet Recruiting Software test user
- ![The Add Assignment pane](common/add-assign-user.png)
+In this section, you create a user called Britta Simon in Comeet Recruiting Software. Work with [Comeet Recruiting Software support team](mailto:support@comeet.co) to add the users in the Comeet Recruiting Software platform. Users must be created and activated before you use single sign-on.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+Comeet Recruiting Software also supports automatic user provisioning, you can find more details [here](./comeet-recruiting-software-provisioning-tutorial.md) on how to configure automatic user provisioning.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+### Test SSO
-7. In the **Add Assignment** dialog click the **Assign** button.
+In this section, you test your Azure AD single sign-on configuration with following options.
-### Create Comeet Recruiting Software test user
+SP initiated:
-In this section, you create a user called Britta Simon in Comeet Recruiting Software. Work with [Comeet Recruiting Software support team](mailto:support@comeet.co) to add the users in the Comeet Recruiting Software platform. Users must be created and activated before you use single sign-on.
+* Click on Test this application in Azure portal. This will redirect to Comeet Recruiting Software Sign on URL where you can initiate the login flow.
-### Test single sign-on
+* Go to Comeet Recruiting Software Sign-on URL directly and initiate the login flow from there.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+IDP initiated:
-When you click the Comeet Recruiting Software tile in the Access Panel, you should be automatically signed in to the Comeet Recruiting Software for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on Test this application in Azure portal and you should be automatically signed in to the Comeet Recruiting Software for which you set up the SSO
-## Additional Resources
+You can also use Microsoft My Apps to test the application in any mode. When you click the Comeet Recruiting Software tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Comeet Recruiting Software for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md) -- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Comeet Recruiting Software you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
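Review bot: `### Test SSO` is an H3, which nests the test section under `## Configure Comeet Recruiting Software SSO`; the Britive tutorial in this batch uses `## Test SSO`, and the step list earlier in this file links `#test-sso` as a top-level step, so promote it to `##`. The app-side test-user paragraph (`In this section, you create a user called Britta Simon in Comeet Recruiting Software.`) still says Britta Simon while the Azure AD test user is B.Simon; align to B.Simon. The IDP-initiated bullet (`...for which you set up the SSO`) lacks a terminal period, and the provisioning sentence (`...also supports automatic user provisioning, you can find more details [here](...)`) is a comma splice with a bare "here" link; suggest splitting it and using the tutorial title as the link text.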
active-directory Dynamicsignal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dynamicsignal-tutorial.md
Previously updated : 02/04/2019 Last updated : 08/24/2021 # Tutorial: Azure Active Directory integration with Dynamic Signal
-In this tutorial, you learn how to integrate Dynamic Signal with Azure Active Directory (Azure AD).
-Integrating Dynamic Signal with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Druva with Azure Active Directory (Azure AD). When you integrate Druva with Azure AD, you can:
-* You can control in Azure AD who has access to Dynamic Signal.
-* You can enable your users to be automatically signed-in to Dynamic Signal (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Druva.
+* Enable your users to be automatically signed-in to Druva with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Dynamic Signal, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Dynamic Signal single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Dynamic Signal single sign-on (SSO) enabled subscription.
## Scenario description
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-
-* Dynamic Signal supports **SP** initiated SSO
-
-* Dynamic Signal supports **Just In Time** user provisioning
-
-## Adding Dynamic Signal from the gallery
-
-To configure the integration of Dynamic Signal into Azure AD, you need to add Dynamic Signal from the gallery to your list of managed SaaS apps.
-
-**To add Dynamic Signal from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+In this tutorial, you configure and test Azure AD SSO in a test environment.
-3. To add new application, click **New application** button on the top of dialog.
+* Dynamic Signal supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+* Dynamic Signal supports **Just In Time** user provisioning.
-4. In the search box, type **Dynamic Signal**, select **Dynamic Signal** from result panel then click **Add** button to add the application.
+* Dynamic Signal supports [Automated user provisioning](dynamic-signal-provisioning-tutorial.md).
- ![Dynamic Signal in the results list](common/search-new-app.png)
+## Add Druva from the gallery
-## Configure and test Azure AD single sign-on
+To configure the integration of Druva into Azure AD, you need to add Druva from the gallery to your list of managed SaaS apps.
-In this section, you configure and test Azure AD single sign-on with Dynamic Signal based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Dynamic Signal needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Druva** in the search box.
+1. Select **Druva** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with Dynamic Signal, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for Druva
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Dynamic Signal Single Sign-On](#configure-dynamic-signal-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Dynamic Signal test user](#create-dynamic-signal-test-user)** - to have a counterpart of Britta Simon in Dynamic Signal that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with Druva using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Druva.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with Druva, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure Dynamic SSO](#configure-dynamic-signal-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create Dynamic Signal test user](#create-dynamic-signal-test-user)** - to have a counterpart of Britta Simon in Dynamic Signal that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with Dynamic Signal, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **Dynamic Signal** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Dynamic Signal** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
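Review bot: The "Add Druva from the gallery" heading, its intro paragraph, the search steps ("type **Druva** in the search box", "Select **Druva** from results panel") and the "Configure and test Azure AD SSO for Druva" heading and paragraph all name the wrong app, so a reader following them would add Druva to the tenant instead of Dynamic Signal; replace every "Druva" with "Dynamic Signal". Two smaller points in the same region: the step-list link `**[Configure Dynamic SSO](#configure-dynamic-signal-sso)**` should read "Configure Dynamic Signal SSO" to match the heading it points to, and the nested sub-steps still say "Britta Simon" although the test user is now introduced as **B.Simon**.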
- ![Dynamic Signal Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<subdomain>.voicestorm.com`
To configure Azure AD single sign-on with Dynamic Signal, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
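Review bot: Removing `a. In the **Sign-on URL** text box, type a URL using the following pattern: https://<subdomain>.voicestorm.com` leaves step 4 ("On the **Basic SAML Configuration** section, perform the following steps:") with no visible sub-steps and drops the only place this tutorial states the Sign-on URL pattern; either keep that line or confirm the replacement sub-steps exist in the part of the file not shown in this diff.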
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Dynamic Signal Single Sign-On
-
-To configure single sign-on on **Dynamic Signal** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Dynamic Signal support team](mailto:support@dynamicsignal.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
+### Create an Azure AD test user
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
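Review bot: Deleting the `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` items under the "Copy configuration URLs" screenshot leaves that image with nothing telling the reader which values to copy, yet the later "Configure Dynamic Signal SSO" section still asks them to send the "appropriate copied URLs" to the support team; replace the removed items with a sentence naming the URLs to copy from the SAML set-up page. Minor: "enter the username@companydomain.extension" reads better as "enter a user name in the form username@companydomain.extension".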
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Dynamic Signal.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Dynamic Signal**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Dynamic Signal.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Dynamic Signal**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Dynamic Signal**.
+## Configure Dynamic Signal SSO
- ![The Dynamic Signal link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Dynamic Signal** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Dynamic Signal support team](mailto:support@dynamicsignal.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Dynamic Signal test user In this section, a user called Britta Simon is created in Dynamic Signal. Dynamic Signal supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Dynamic Signal, a new one is created after authentication.
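Review bot: "enable B.Simon to use Azure single sign-on" should read "Azure AD single sign-on", as elsewhere in the file. The sentence moved under the new "## Configure Dynamic Signal SSO" heading, "They set this setting to have the SAML SSO connection set properly on both sides.", is hard to parse; since the section is being rewritten anyway, suggest "The support team uses these values to complete the SAML SSO configuration on the Dynamic Signal side."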
->[!Note]
->If you need to create a user manually, contact [Dynamic Signal support team](mailto:support@dynamicsignal.com).
+Dynamic Signal also supports automatic user provisioning, you can find more details [here](./dynamic-signal-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+### Test SSO
-### Test single sign-on
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on Test this application in Azure portal. This will redirect to Dynamic Signal Sign-on URL where you can initiate the login flow.
-When you click the Dynamic Signal tile in the Access Panel, you should be automatically signed in to the Dynamic Signal for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Go to Dynamic Signal Sign-on URL directly and initiate the login flow from there.
-## Additional Resources
+* You can use Microsoft My Apps. When you click the Dynamic Signal tile in the My Apps, this will redirect to Dynamic Signal Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md) -- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Dynamic Signal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
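Review bot: `+### Test SSO` is an h3, which nests the test step under "## Configure Dynamic Signal SSO" instead of making it the top-level step the step list (`**[Test SSO](#test-sso)**`) and the Flock tutorial in this same change present; make it `## Test SSO`. Also in this region: "Dynamic Signal also supports automatic user provisioning, you can find more details [here](...)" is a comma splice with "here" as link text, so split the sentence and use the target tutorial's title as the link text; "Test this application" should be bold to match the other tutorials; and the apostrophe in "organizationΓÇÖs" renders as mojibake in this view, so confirm the file is saved as UTF-8.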
active-directory Elium Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/elium-tutorial.md
Previously updated : 07/27/2021 Last updated : 08/27/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Elium supports **SP and IDP** initiated SSO. * Elium supports **Just In Time** user provisioning.
+* Elium supports [Automated user provisioning](elium-provisioning-tutorial.md).
## Add Elium from the gallery
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called B.Simon is created in Elium. Elium supports **just-in-time provisioning**, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Elium, a new one is created when you attempt to access Elium.
-> [!Note]
-> If you need to create a user manually, contact [Elium support team](mailto:support@elium.com).
+Elium also supports automatic user provisioning, you can find more details [here](./elium-provisioning-tutorial.md) on how to configure automatic user provisioning.
## Test SSO
In this section, you test your Azure AD single sign-on configuration with follow
You can also use Microsoft My Apps to test the application in any mode. When you click the Elium tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Elium for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
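Review bot: "Elium also supports automatic user provisioning, you can find more details [here](./elium-provisioning-tutorial.md)" is a comma splice with "here" as link text; split it and use the linked tutorial's title as the link text. This hunk also drops the note telling admins to contact the Elium support team to create a user manually; if manual creation is still the fallback when just-in-time provisioning does not apply, keep that note next to the new provisioning sentence rather than replacing it.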
-## Next Steps
+## Next steps
Once you configure Elium you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Envoy Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/envoy-tutorial.md
Previously updated : 06/25/2021 Last updated : 08/25/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Envoy supports **Just In Time** user provisioning.
+* Envoy supports [Automated user provisioning](envoy-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called Britta Simon is created in Envoy. Envoy supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Envoy, a new one is created after authentication.
+Envoy also supports automatic user provisioning, you can find more details [here](./envoy-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
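Review bot: The new sentence "Envoy also supports automatic user provisioning, you can find more details [here](./envoy-provisioning-tutorial.md)" has the same comma splice and non-descriptive "here" link as the other tutorials in this change; split it into two sentences and use the linked tutorial's title as the link text. The added `+ > [!NOTE]` line shows the existing note with a leading space in this view; check that the diff only inserts a blank line and does not indent the note, since indentation changes how the blockquote renders.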
active-directory Exium Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/exium-tutorial.md
Previously updated : 03/16/2021 Last updated : 08/26/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Exium supports **SP** initiated SSO.
+* Exium supports [Automated user provisioning](exium-provisioning-tutorial.md).
## Adding Exium from the gallery
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
![screenshot for create test user fields with save button](./media/exium-tutorial/add-user-2.png)
+> [!NOTE]
+>Exium also supports automatic user provisioning, you can find more details [here](./exium-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
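Review bot: The new note "Exium also supports automatic user provisioning, you can find more details [here](./exium-provisioning-tutorial.md)" is a comma splice with "here" as link text; split it and use the linked tutorial's title as the link text. The second line of the note is missing the space after `>` that the `> [!NOTE]` line above it has.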
active-directory Flock Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/flock-tutorial.md
Previously updated : 02/15/2019 Last updated : 08/28/2021 # Tutorial: Azure Active Directory integration with Flock
-In this tutorial, you learn how to integrate Flock with Azure Active Directory (Azure AD).
-Integrating Flock with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Flock with Azure Active Directory (Azure AD). When you integrate Flock with Azure AD, you can:
-* You can control in Azure AD who has access to Flock.
-* You can enable your users to be automatically signed-in to Flock (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
+* Control in Azure AD who has access to Flock.
+* Enable your users to be automatically signed-in to Flock with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
## Prerequisites
-To configure Azure AD integration with Flock, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Flock single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Flock single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Flock supports **SP** initiated SSO
+* Flock supports **SP** initiated SSO.
+* Flock supports [Automated user provisioning](flock-provisioning-tutorial.md).
## Adding Flock from the gallery To configure the integration of Flock into Azure AD, you need to add Flock from the gallery to your list of managed SaaS apps.
-**To add Flock from the gallery, perform the following steps:**
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Flock** in the search box.
+1. Select **Flock** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+## Configure and test Azure AD SSO for Flock
- ![The Azure Active Directory button](common/select-azuread.png)
+Configure and test Azure AD SSO with Flock using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Flock.
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+To configure and test Azure AD SSO with Flock, perform the following steps:
- ![The Enterprise applications blade](common/enterprise-applications.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure Flock SSO](#configure-flock-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create Flock test user](#create-flock-test-user)** - to have a counterpart of Britta Simon in Flock that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-3. To add new application, click **New application** button on the top of dialog.
+## Configure Azure AD SSO
- ![The New application button](common/add-new-app.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-4. In the search box, type **Flock**, select **Flock** from result panel then click **Add** button to add the application.
+1. In the Azure portal, on the **Flock** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Flock in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Flock based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Flock needs to be established.
-
-To configure and test Azure AD single sign-on with Flock, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Flock Single Sign-On](#configure-flock-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Flock test user](#create-flock-test-user)** - to have a counterpart of Britta Simon in Flock that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
-
-In this section, you enable Azure AD single sign-on in the Azure portal.
-
-To configure Azure AD single sign-on with Flock, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **Flock** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
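Review bot: The new step list introduces the test user as **B.Simon**, but its nested sub-steps ("to test Azure AD single sign-on with Britta Simon", "to enable Britta Simon to use Azure AD single sign-on", "a counterpart of Britta Simon in Flock") still say Britta Simon; use B.Simon throughout so the name matches the account the "Create an Azure AD test user" section actually creates.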
- ![Flock Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<subdomain>.flock.com/`
To configure Azure AD single sign-on with Flock, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
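Review bot: Removing `a. In the **Sign on URL** text box, type a URL using the following pattern: https://<subdomain>.flock.com/` leaves step 4 ("On the **Basic SAML Configuration** section, perform the following steps:") without any visible sub-step and drops the only statement of the Sign on URL pattern in this tutorial; keep the line or confirm the replacement sub-steps exist in the part of the file not shown here.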
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Flock.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Flock**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Flock Single Sign-On
+## Configure Flock SSO
1. In a different web browser window, log in to your Flock company site as an administrator. 2. Select **Authentication** tab from the left navigation panel and then select **SAML Authentication**.
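Review bot: Deleting the `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` items under the "Copy configuration URLs" screenshot leaves that image introducing nothing, while step 3a of "Configure Flock SSO" still says to "paste **Login URL** value which you have copied from the Azure portal"; replace the removed items with a sentence naming the URLs to copy from the SAML set-up page. Also, "enable B.Simon to use Azure single sign-on" should read "Azure AD single sign-on".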
- ![Screenshot that shows the "Authentication" tab with "S A M L Authentication" selected.](./media/flock-tutorial/configure1.png)
+ ![Screenshot that shows the "Authentication" tab with "S A M L Authentication" selected.](./media/flock-tutorial/authentication.png)
3. In the **SAML Authentication** section, perform the following steps:
- ![Flock Configuration](./media/flock-tutorial/configure2.png)
+ ![Flock Configuration](./media/flock-tutorial/saml-authentication.png)
a. In the **SAML 2.0 Endpoint(HTTP)** textbox, paste **Login URL** value which you have copied from the Azure portal.
To configure Azure AD single sign-on with Flock, perform the following steps:
d. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Flock.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Flock**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Flock**.
-
- ![The Flock link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Flock test user To enable Azure AD users to log in to Flock, they must be provisioned into Flock. In the case of Flock, provisioning is a manual task.
To enable Azure AD users to log in to Flock, they must be provisioned into Flock
2. Click **Manage Team** from the left navigation panel.
- ![Screenshot that shows "Manage Team" selected.](./media/flock-tutorial/user1.png)
+ ![Screenshot that shows "Manage Team" selected.](./media/flock-tutorial/user-1.png)
3. Click **Add Member** tab and then select **Team Members**.
- ![Screenshot that shows the "Add Member" tab and "Team Members" selected.](./media/flock-tutorial/user2.png)
+ ![Screenshot that shows the "Add Member" tab and "Team Members" selected.](./media/flock-tutorial/user-2.png)
4. Enter the email address of the user like **Brittasimon\@contoso.com** and then select **Add Users**.
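Review bot: The unchanged step "Enter the email address of the user like **Brittasimon\@contoso.com**" no longer matches the Azure AD test user, which this change renames to `B.Simon@contoso.com`. The tutorial states that SSO depends on a link relationship between the Azure AD user and the Flock user, so the address entered in Flock has to be the same user name; update this step to **B.Simon\@contoso.com**.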
- ![Add Employee](./media/flock-tutorial/user3.png)
+ ![Add Employee](./media/flock-tutorial/user-3.png)
+
+> [!NOTE]
+>Flock also supports automatic user provisioning, you can find more details [here](./flock-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
-### Test single sign-on
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to Flock Sign-on URL where you can initiate the login flow.
-When you click the Flock tile in the Access Panel, you should be automatically signed in to the Flock for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Go to Flock Sign-on URL directly and initiate the login flow from there.
-## Additional Resources
+* You can use Microsoft My Apps. When you click the Flock tile in the My Apps, this will redirect to Flock Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md) -- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Flock you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
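Review bot: "Flock also supports automatic user provisioning, you can find more details [here](./flock-provisioning-tutorial.md)" is a comma splice with "here" as link text; split it and use the linked tutorial's title as the link text, and add the space after `>` on that line to match the `> [!NOTE]` line above it. The apostrophe in "organizationΓÇÖs" renders as mojibake in this view, so confirm the file is saved as UTF-8.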
active-directory Foodee Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/foodee-tutorial.md
Previously updated : 10/03/2019 Last updated : 08/27/2021
In this tutorial, you'll learn how to integrate Foodee with Azure Active Directo
* Enable your users to be automatically signed-in to Foodee with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Foodee supports **SP and IDP** initiated SSO
-* Foodee supports **Just In Time** user provisioning
+* Foodee supports **SP and IDP** initiated SSO.
+* Foodee supports **Just In Time** user provisioning.
+* Foodee supports [Automated user provisioning](foodee-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this tutorial, you configure and test Azure AD SSO in a test environment.
To configure the integration of Foodee into Azure AD, you need to add Foodee from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Foodee** in the search box. 1. Select **Foodee** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Foodee
+## Configure and test Azure AD SSO for Foodee
Configure and test Azure AD SSO with Foodee using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Foodee.
-To configure and test Azure AD SSO with Foodee, complete the following building blocks:
+To configure and test Azure AD SSO with Foodee, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Foodee, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Foodee** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Foodee** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Foodee**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ### Configure Foodee SSO
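Review bot: the rewritten role step ("If you are expecting a role to be assigned to the users...") drops the point made by the removed line that the selected role is what appears as the role value in the SAML assertion; since that value is what the application consumes for authorization, keep a short clause such as "the selected role is sent to Foodee in the SAML assertion". Minor: `you see "Default Access" role selected` needs an article ("the "Default Access" role").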
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. Click on **profile logo** on the top right corner of the page then navigate to **Single Sign On** and perform the following steps:
- ![Foodee configuration](./media/foodee-tutorial/config01.png)
+ ![Foodee configuration](./media/foodee-tutorial/profile-logo.png)
1. In the **IDP NAME** text box, type the name like ex:Azure. 1. Open the Federation Metadata XML in Notepad, copy its content and paste it in the **IDP METADATA XML** text box.
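Review bot: the screenshot path changes from `config01.png` to `profile-logo.png` but the alt text stays "Foodee configuration"; confirm the renamed image is part of this commit (and the old file is removed), and consider alt text that says what the screenshot shows, such as the profile logo menu with the Single Sign On entry named in the step above.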
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called B.Simon is created in Foodee. Foodee supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Foodee, a new one is created when you attempt to access Foodee.
+Foodee also supports automatic user provisioning, you can find more details [here](./foodee-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+SP initiated:
+
+* Click on Test this application in Azure portal. This will redirect to Foodee Sign on URL where you can initiate the login flow.
+
+* Go to Foodee Sign-on URL directly and initiate the login flow from there.
-When you click the Foodee tile in the Access Panel, you should be automatically signed in to the Foodee for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+IDP initiated:
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Foodee for which you set up the SSO
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Foodee tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Foodee for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) -- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Foodee with Azure AD](https://aad.portal.azure.com/)
+Once you configure Foodee you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
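Review bot: the added Test SSO bullets spell the label inconsistently, "Foodee Sign on URL" in the first SP bullet and "Foodee Sign-on URL" in the second, and "Test this application" is plain text here while the Flock tutorial in this same change bolds it; align on one form. The IDP bullet is missing its closing period. The line "Foodee also supports automatic user provisioning, you can find more details [here](...)" is a comma splice with a bare "here" link, and it links `./foodee-provisioning-tutorial.md` while the bullet added earlier in this file links `foodee-provisioning-tutorial.md`; both resolve, but pick one. In Next steps, "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration", and "organizationΓÇÖs" carries a mis-encoded apostrophe.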
active-directory Fortes Change Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortes-change-cloud-tutorial.md
Previously updated : 03/18/2021 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Fortes Change Cloud supports **SP and IDP** initiated SSO.
+* Fortes Change Cloud supports [Automated user provisioning](fortes-change-cloud-provisioning-tutorial.md).
## Adding Fortes Change Cloud from the gallery
To configure single sign-on on **Fortes Change Cloud** side, you need to send th
In this section, you create a user called Britta Simon in Fortes Change Cloud. Work with [Fortes Change Cloud support team](mailto:support@fortes.nl) to add the users in the Fortes Change Cloud platform. Users must be created and activated before you use single sign-on.
+Fortes Change Cloud also supports automatic user provisioning, you can find more details [here](./fortes-change-cloud-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
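Review bot: the added sentence "Fortes Change Cloud also supports automatic user provisioning, you can find more details [here](...)" is a comma splice, and the link text should name its target rather than "here"; it also uses `./fortes-change-cloud-provisioning-tutorial.md` while the bullet added earlier in this file uses `fortes-change-cloud-provisioning-tutorial.md`. Suggest: "Fortes Change Cloud also supports automatic user provisioning; see the [Fortes Change Cloud provisioning tutorial](fortes-change-cloud-provisioning-tutorial.md)."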
active-directory Freshservice Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/freshservice-tutorial.md
Previously updated : 01/15/2021 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Freshservice supports **SP** initiated SSO
+* Freshservice supports **SP** initiated SSO.
+* Freshservice supports [Automated user provisioning](freshservice-provisioning-tutorial.md).
## Add Freshservice from the gallery
To enable Azure AD users to sign in to FreshService, they must be provisioned in
> [!NOTE] > You can use any other FreshService user account creation tools or APIs provided by FreshService to provision Azure AD user accounts.
+
+> [!NOTE]
+>Freshservice also supports automatic user provisioning, you can find more details [here](./freshservice-provisioning-tutorial.md) on how to configure automatic user provisioning.
## Test SSO
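Review bot: the new `> [!NOTE]` block lands directly under the existing note about FreshService account creation tools and APIs, giving two consecutive NOTE callouts on the same topic; fold the provisioning sentence into the existing note or make it a plain sentence. The added line `+>Freshservice also supports...` lacks the space after `>` that the `> [!NOTE]` line above it uses, spells the product "Freshservice" where the surrounding context says "FreshService", and has the same comma splice and bare "here" link as the other tutorials in this change.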
active-directory Fuze Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fuze-tutorial.md
Previously updated : 07/21/2021 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with Fuze
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Fuze supports **Just In Time** user provisioning.
+* Fuze supports [Automated user provisioning](fuze-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Fuze** side, you need to send the downloaded **
In this section, a user called B.Simon is created in Fuze. Fuze supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Fuze, a new one is created after authentication.
-## Test SSO
+Fuze also supports automatic user provisioning, you can find more details [here](./fuze-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
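Review bot: the hunk removes `## Test SSO` and re-adds it two lines later around the new paragraph; inserting the paragraph before the heading produces the same file with a smaller diff, which is easier to review and to blame later. The new sentence "Fuze also supports automatic user provisioning, you can find more details [here](...)" has a comma splice and a bare "here" link; the bullet added earlier in this file already links the same page as "[Automated user provisioning](fuze-provisioning-tutorial.md)", so reuse that wording and path form.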
active-directory Getabstract Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/getabstract-tutorial.md
Previously updated : 02/19/2019 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with Getabstract
-In this tutorial, you learn how to integrate Getabstract with Azure Active Directory (Azure AD).
-Integrating Getabstract with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Getabstract with Azure Active Directory (Azure AD). When you integrate Getabstract with Azure AD, you can:
-* You can control in Azure AD who has access to Getabstract.
-* You can enable your users to be automatically signed-in to Getabstract (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Getabstract.
+* Enable your users to be automatically signed-in to Getabstract with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Getabstract, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Getabstract single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Getabstract single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To configure Azure AD integration with Getabstract, you need the following items
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Getabstract supports **SP** and **IDP** initiated SSO
-
-* Getabstract supports **Just In Time** user provisioning
--
-## Adding Getabstract from the gallery
-
-To configure the integration of Getabstract into Azure AD, you need to add Getabstract from the gallery to your list of managed SaaS apps.
-
-**To add Getabstract from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+* Getabstract supports **SP and IDP** initiated SSO.
-3. To add new application, click **New application** button on the top of dialog.
+* Getabstract supports **Just In Time** user provisioning.
- ![The New application button](common/add-new-app.png)
+* Getabstract supports [Automated user provisioning](getabstract-provisioning-tutorial.md).
-4. In the search box, type **Getabstract**, select **Getabstract** from result panel then click **Add** button to add the application.
-
- ![Getabstract in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Getabstract based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Getabstract needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with Getabstract, you need to complete the following building blocks:
+## Add Getabstract from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Getabstract Single Sign-On](#configure-getabstract-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Getabstract test user](#create-getabstract-test-user)** - to have a counterpart of Britta Simon in Getabstract that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Getabstract into Azure AD, you need to add Getabstract from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Getabstract** in the search box.
+1. Select **Getabstract** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Getabstract
-To configure Azure AD single sign-on with Getabstract, perform the following steps:
+Configure and test Azure AD SSO with Getabstract using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Getabstract.
-1. In the [Azure portal](https://portal.azure.com/), on the **Getabstract** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Getabstract, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure Getabstract SSO](#configure-getabstract-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create Getabstract test user](#create-getabstract-test-user)** - to have a counterpart of Britta Simon in Getabstract that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set-up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Getabstract** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that shows the "Basic S A M L Configuration" section with the "Identifier" and "Reply URL" highlighted and the "Save" button selected.](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a URL:
+ a. In the **Identifier** text box, type the URL:
For Stage/pre_production: `https://int.getabstract.com` For Production: `https://www.getabstract.com`
- b. In the **Reply URL** textbox, type a URL:
+ b. In the **Reply URL** textbox, type the URL:
For Stage/pre_production: `https://int.getabstract.com/ACS.do` For Production: `https://www.getabstract.com/ACS.do` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:-
- ![Getabstract Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
In the **Sign-on URL** textbox, type a URL using the following pattern:
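Review bot: the new note "Identifier of this application is a fixed string value so only one instance can be configured in one tenant" sits in the same hunk as a Basic SAML Configuration step that gives two different Identifier values, `https://int.getabstract.com` for Stage/pre_production and `https://www.getabstract.com` for Production; with distinct identifiers a tenant can hold a stage and a production instance, so either qualify the note (one instance per environment) or drop it. The rewritten intro names the test user **B.Simon**, but the step list just below still says "Britta Simon" three times; pick one. That list also mixes `1.` and `2.` at the top level with nested `1.` items, so check the rendered numbering.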
To configure Azure AD single sign-on with Getabstract, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Getabstract Single Sign-On
-
-To configure single sign-on on **Getabstract** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Getabstract support team](https://www.getabstract.com/en/contact). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Getabstract.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Getabstract**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Getabstract.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Getabstract**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Getabstract**.
+## Configure Getabstract SSO
- ![The Getabstract link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+To configure single sign-on on **Getabstract** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Getabstract support team](https://www.getabstract.com/en/contact). They set this setting to have the SAML SSO connection set properly on both sides.
- ![The Add Assignment pane](common/add-assign-user.png)
+### Create Getabstract test user
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+In this section, a user called Britta Simon is created in Getabstract. Getabstract supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Getabstract, a new one is created after authentication.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog, select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+>[!Note]
+>Getabstract also supports automatic user provisioning, you can find more details [here](./getabstract-provisioning-tutorial.md) on how to configure automatic user provisioning.
-7. In the **Add Assignment** dialog, click the **Assign** button.
+### Test SSO
-### Create Getabstract test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, a user called Britta Simon is created in Getabstract. Getabstract supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Getabstract, a new one is created after authentication.
+#### SP initiated:
->[!Note]
->If you need to create a user manually, Contact [Getabstract support team](https://www.getabstract.com/en/contact)
+* Click on Test this application in Azure portal. This will redirect to Getabstract Sign on URL where you can initiate the login flow.
-### Test single sign-on
+* Go to Getabstract Sign-on URL directly and initiate the login flow from there.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+#### IDP initiated:
-When you click the Getabstract tile in the Access Panel, you should be automatically signed in to the Getabstract for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on Test this application in Azure portal and you should be automatically signed in to the Getabstract for which you set up the SSO
-## Additional Resources
+You can also use Microsoft My Apps to test the application in any mode. When you click the Getabstract tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Getabstract for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md) -- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Getabstract you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
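Review bot: the hunk deletes the "a. Login URL / b. Azure Ad Identifier / c. Logout URL" list but keeps the "Copy configuration URLs" screenshot and the later instruction to send the "appropriate copied URLs" to Getabstract support, so the reader no longer learns which URLs to copy; keep the list (with "Azure AD Identifier" capitalized) or name the three URLs in the Configure Getabstract SSO paragraph. `### Test SSO` is an H3 under `## Configure Getabstract SSO`, yet the step list links it as a top-level step and the sibling tutorials in this change use `## Test SSO`; promote it to H2 and adjust the `#### SP initiated:` and `#### IDP initiated:` headings to match. Further: the Create Getabstract test user paragraph says "Britta Simon" although the Azure AD user created above is `B.Simon`; the `>[!Note]` callout differs in casing and spacing from the `> [!NOTE]` used earlier in the file; the removed note on contacting support to create a user manually is not carried over; and the Next steps line has the mis-encoded apostrophe in "organizationΓÇÖs", the "protects exfiltration" wording, and a link target `/cloud-app-security/proxy-deployment-aad` that differs from `/cloud-app-security/proxy-deployment-any-app` used in the Flock and Foodee Next steps in this same change.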
active-directory Github Ae Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-ae-tutorial.md
Previously updated : 01/18/2021 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* GitHub AE supports **SP** and **IDP** initiated SSO
-* GitHub AE supports **Just In Time** user provisioning
+* GitHub AE supports **SP** and **IDP** initiated SSO.
+* GitHub AE supports **Just In Time** user provisioning.
+* GitHub AE supports [Automated user provisioning](github-ae-provisioning-tutorial.md).
## Adding GitHub AE from the gallery
To configure SSO on GitHub AE side, you need to follow the instructions mentione
In this section, a user called B.Simon is created in GitHub AE. GitHub AE supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in GitHub AE, a new one is created after authentication.
+GitHub AE also supports automatic user provisioning, you can find more details [here](./github-ae-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
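Review bot: "GitHub AE also supports automatic user provisioning, you can find more details [here](./github-ae-provisioning-tutorial.md)..." is a comma splice with a bare "here" link, and its `./` path form differs from the `github-ae-provisioning-tutorial.md` bullet added earlier in this file; since that bullet already links the same page, a shorter "See [Automated user provisioning](github-ae-provisioning-tutorial.md) to configure it" avoids the duplicate wording.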
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the GitHub AE for which you set up the SSO
-You can also use Microsoft Access Panel to test the application in any mode. When you click the GitHub AE tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub AE for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+You can also use Microsoft My Apps to test the application in any mode. When you click the GitHub AE tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub AE for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Golinks Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/golinks-tutorial.md
Previously updated : 03/24/2020 Last updated : 08/31/2021
In this tutorial, you'll learn how to integrate GoLinks with Azure Active Direct
* Enable your users to be automatically signed-in to GoLinks with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* GoLinks supports **SP and IDP** initiated SSO
-* GoLinks supports **Just In Time** user provisioning
-* Once you configure GoLinks you can enforce Session Control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session Control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+* GoLinks supports **SP and IDP** initiated SSO.
+* GoLinks supports **Just In Time** user provisioning.
+* GoLinks supports [Automated user provisioning](golinks-provisioning-tutorial.md).
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
## Adding GoLinks from the gallery To configure the integration of GoLinks into Azure AD, you need to add GoLinks from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
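Review bot: the removed line "- ## Prerequisites To get started, you need the following items:" sits beside the kept "To get started" sentence, so confirm the "## Prerequisites" heading itself survives in the file and only the duplicated sentence was dropped. The new "> [!NOTE]" block ("Identifier of this application is a fixed string value...") needs a blank line before it so the blockquote renders, and it should be followed by the "Adding GoLinks from the gallery" heading on its own line rather than run into the paragraph. Dropping the portal hyperlink from "Sign in to the Azure portal" matches the current template; the Session Control bullet removed from the scenario list is re-added under Next steps in the last hunk, so keep both halves of that move in one commit.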
To configure the integration of GoLinks into Azure AD, you need to add GoLinks f
1. Select **GoLinks** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for GoLinks
+## Configure and test Azure AD SSO for GoLinks
Configure and test Azure AD SSO with GoLinks using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in GoLinks.
-To configure and test Azure AD SSO with GoLinks, complete the following building blocks:
+To configure and test Azure AD SSO with GoLinks, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with GoLinks, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **GoLinks** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **GoLinks** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **GoLinks**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure GoLinks SSO
To configure single sign-on on **GoLinks** side, you need to send the downloaded
In this section, a user called Britta Simon is created in GoLinks. GoLinks supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in GoLinks, a new one is created after authentication.
+GoLinks also supports automatic user provisioning, you can find more details [here](./golinks-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the GoLinks tile in the Access Panel, you should be automatically signed in to the GoLinks for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to GoLinks Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to GoLinks Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the GoLinks for which you set up the SSO
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the GoLinks tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GoLinks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try GoLinks with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure GoLinks you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
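Review bot: the added sentence "GoLinks also supports automatic user provisioning, you can find more details here on how to configure automatic user provisioning" is a comma splice with "here" as link text; suggest "GoLinks also supports automatic user provisioning. For details, see [Configure GoLinks for automatic user provisioning](./golinks-provisioning-tutorial.md)." (the Scenario list already links the same page, so one pointer may be enough). Also in this hunk: "with following options" needs "the"; "Click on Test this application in Azure portal" needs "the Azure portal"; the IDP-initiated bullet ending "for which you set up the SSO" has no terminating period, which the HubSpot edit in this batch adds for the same sentence; the re-added Next steps paragraph changes the Cloud App Security link from "/cloud-app-security/proxy-deployment-aad" to "/cloud-app-security/proxy-deployment-any-app" while HubSpot keeps "proxy-deployment-aad", so confirm which target is intended; and "organizationΓÇÖs" shows a mis-encoded apostrophe, so check the file is saved as UTF-8 with a plain apostrophe.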
active-directory Harness Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/harness-tutorial.md
Previously updated : 05/18/2021 Last updated : 08/31/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Harness supports **SP and IDP** initiated SSO.
+* Harness supports [Automated user provisioning](harness-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To enable Azure AD users to sign in to Harness, they must be provisioned into Ha
c. Click **Submit**.
+Harness also supports automatic user provisioning, you can find more details [here](./harness-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
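Review bot: "Harness also supports automatic user provisioning, you can find more details here on how to configure automatic user provisioning" is a comma splice with a bare "here" link; suggest "Harness also supports automatic user provisioning. For details, see [Configure Harness for automatic user provisioning](./harness-provisioning-tutorial.md)." Note the Scenario bullet added in the first hunk already links the same page, so this second pointer is optional. The "+ ## Test SSO" line should be a heading on its own line with a blank line before it, not run into the "In this section" sentence.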
active-directory Hirevue Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hirevue-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with HireVue | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with HireVue'
description: Learn how to configure single sign-on between Azure Active Directory and HireVue.
Previously updated : 06/03/2021 Last updated : 09/13/2021
-# Tutorial: Azure Active Directory integration with HireVue
+# Tutorial: Azure AD SSO integration with HireVue
In this tutorial, you'll learn how to integrate HireVue with Azure Active Directory (Azure AD). When you integrate HireVue with Azure AD, you can:
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * HireVue single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
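Review bot: the added US Government Cloud note needs articles: "from the Azure AD US Government Cloud environment" and "as you do from the public cloud". The "+ ## Scenario description" line should be a heading on its own line with a blank line before it rather than run into the "In this tutorial" sentence. The title change from "Azure Active Directory integration with HireVue | Microsoft Docs" to "Azure AD SSO integration with HireVue" matches the H1 change below it, which is good.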
In this section, you test your Azure AD single sign-on configuration with follow
* Go to HireVue Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the HireVue tile in the My Apps, this will redirect to HireVue Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the HireVue tile in the My Apps, this will redirect to HireVue Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Hootsuite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hootsuite-tutorial.md
Previously updated : 05/31/2021 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Hootsuite supports **SP and IDP** initiated SSO.
+* Hootsuite supports [Automated user provisioning](hootsuite-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Hootsuite** side, you need to send the download
In this section, you create a user called Britta Simon in Hootsuite. Work with [Hootsuite support team](https://hootsuite.com/about/contact-us#) to add the users in the Hootsuite platform. Users must be created and activated before you use single sign-on.
+Hootsuite also supports automatic user provisioning, you can find more details [here](./hootsuite-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
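Review bot: "Hootsuite also supports automatic user provisioning, you can find more details here on how to configure automatic user provisioning" is a comma splice with "here" as link text; suggest "Hootsuite also supports automatic user provisioning. For details, see [Configure Hootsuite for automatic user provisioning](./hootsuite-provisioning-tutorial.md)." The first hunk's Scenario bullet already links the same page, so consider keeping only one. The "+ ## Test SSO" heading should sit on its own line with a blank line before it.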
active-directory Hoxhunt Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hoxhunt-tutorial.md
Previously updated : 09/15/2020 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Hoxhunt supports **SP** initiated SSO
+* Hoxhunt supports **SP** initiated SSO.
+* Hoxhunt supports [Automated user provisioning](hoxhunt-provisioning-tutorial.md).
## Adding Hoxhunt from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Hoxhunt** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Hoxhunt** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
To configure single sign-on on **Hoxhunt** side, you need to send the downloaded
In this section, you create a user called Britta Simon in Hoxhunt. Work with [Hoxhunt support team](mailto:support@hoxhunt.com) to add the users in the Hoxhunt platform. Users must be created and activated before you use single sign-on.
+Hoxhunt also supports automatic user provisioning, you can find more details [here](./hoxhunt-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal. This will redirect to Hoxhunt Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Hoxhunt Sign-on URL where you can initiate the login flow.
-2. Go to Hoxhunt Sign-on URL directly and initiate the login flow from there.
+* Go to Hoxhunt Sign-on URL directly and initiate the login flow from there.
-3. You can use Microsoft Access Panel. When you click the Hoxhunt tile in the Access Panel, this will redirect to Hoxhunt Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the Hoxhunt tile in the My Apps, this will redirect to Hoxhunt Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
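Review bot: "Hoxhunt also supports automatic user provisioning, you can find more details here on how to configure automatic user provisioning" is a comma splice with a bare "here" link; suggest "Hoxhunt also supports automatic user provisioning. For details, see [Configure Hoxhunt for automatic user provisioning](./hoxhunt-provisioning-tutorial.md)." Converting the Test SSO list from "1./2./3." to bullets is right, since the three items are alternative ways to test rather than ordered steps. "Click on Test this application in Azure portal" still needs "the Azure portal", and the Access Panel to My Apps rename plus the relative link "../user-help/my-apps-portal-end-user-access.md" should match what HubSpot in this batch uses (it still links the support.microsoft.com URL).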
active-directory Hubspot Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hubspot-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with HubSpot | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with HubSpot'
description: Learn how to configure single sign-on between Azure Active Directory and HubSpot.
Previously updated : 12/27/2020 Last updated : 09/07/2021
-# Tutorial: Azure Active Directory integration with HubSpot
+# Tutorial: Azure AD SSO integration with HubSpot
In this tutorial, you'll learn how to integrate HubSpot with Azure Active Directory (Azure AD). When you integrate HubSpot with Azure AD, you can:
In this tutorial, you configure and test Azure AD single sign-on in a test envir
HubSpot supports the following features:
-* **SP-initiated single sign-on**
-* **IDP-initiated single sign-on**
+* **SP-initiated single sign-on**.
+* **IDP-initiated single sign-on**.
-## Adding HubSpot from the gallery
+## Add HubSpot from the gallery
To configure the integration of HubSpot into Azure AD, you need to add HubSpot from the gallery to your list of managed SaaS apps.
To configure the integration of HubSpot into Azure AD, you need to add HubSpot f
## Configure and test Azure AD SSO for HubSpot
-In this section, you configure and test Azure AD single sign-on with HubSpot based on a test user named **Britta Simon**. For single sign-on to work, you must establish a linked relationship between an Azure AD user and the related user in HubSpot.
+Configure and test Azure AD SSO with HubSpot using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HubSpot.
-To configure and test Azure AD single sign-on with HubSpot, you must complete the following building blocks:
+To configure and test Azure AD SSO with HubSpot, perform the following steps:
-| Task | Description |
-| | |
-| **[Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on)** | Enables your users to use this feature. |
-| **[Configure HubSpot single sign-on](#configure-hubspot-single-sign-on)** | Configures the single sign-on settings in the application. |
-| **[Create an Azure AD test user](#create-an-azure-ad-test-user)** | Tests Azure AD single sign-on for a user named Britta Simon. |
-| **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** | Enables Britta Simon to use Azure AD single sign-on. |
-| **[Create a HubSpot test user](#create-a-hubspot-test-user)** | Creates a counterpart of Britta Simon in HubSpot that is linked to the Azure AD representation of the user. |
-| **[Test single sign-on](#test-single-sign-on)** | Verifies that the configuration works. |
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure HubSpot SSO](#configure-hubspot-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create HubSpot test user](#create-hubspot-test-user)** - to have a counterpart of B.Simon in HubSpot that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
1. In the Azure portal, on the **HubSpot** application integration page, find the **Manage** section and select **Single sign-on**. 1. On the **Select a Single sign-on method** page, select **SAML**.
To configure and test Azure AD single sign-on with HubSpot, you must complete th
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. In the **Basic SAML Configuration** pane, to configure *IDP-initiated mode*, complete the following steps:
+1. In the **Basic SAML Configuration** pane, to configure **IDP-initiated mode**, perform the following steps:
1. In the **Identifier** box, enter a URL that has the following pattern: https:\//api.hubspot.com/login-api/v1/saml/login?portalId=\<CUSTOMER ID\>. 1. In the **Reply URL** box, enter a URL that has the following pattern: https:\//api.hubspot.com/login-api/v1/saml/acs?portalId=\<CUSTOMER ID\>.
- ![HubSpot domain and URLs single sign-on information](common/idp-intiated.png)
- > [!NOTE] > To format the URLs, you can also refer to the patterns shown in the **Basic SAML Configuration** pane in the Azure portal.
To configure and test Azure AD single sign-on with HubSpot, you must complete th
1. In the **Sign on URL** box, enter **https:\//app.hubspot.com/login**.
- ![The Set additional URLs option](common/metadata-upload-additional-signon.png)
- 1. In the **Set up Single Sign-On with SAML** pane, in the **SAML Signing Certificate** section, select **Download** next to **Certificate (Base64)**. Select a download option based on your requirements. Save the certificate on your computer. ![The Certificate (Base64) download option](common/certificatebase64.png) 1. In the **Set up HubSpot** section, copy the following URLs based on your requirements:
- * Login URL
- * Azure AD Identifier
- * Logout URL
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure HubSpot single sign-on
-
-1. Open a new tab in your browser and sign in to your HubSpot administrator account.
-
-1. Select the **Settings** icon in the upper-right corner of the page.
-
- ![The Settings icon in HubSpot](./media/hubspot-tutorial/config1.png)
-
-1. Select **Account Defaults**.
-
- ![The Account Defaults option in HubSpot](./media/hubspot-tutorial/config2.png)
-
-1. Scroll down to the **Security** section, and then select **Set up**.
-
- ![The Set up option in HubSpot](./media/hubspot-tutorial/config3.png)
-
-1. In the **Set up single sign-on** section, complete the following steps:
-
- 1. In the **Audience URl (Service Provider Entity ID)** box, select **Copy** to copy the value. In the Azure portal, in the **Basic SAML Configuration** pane, paste the value in the **Identifier** box.
-
- 1. In the **Sign on URl, ACS, Recipient, or Redirect** box, select **Copy** to copy the value. In the Azure portal, in the **Basic SAML Configuration** pane, paste the value in the **Reply URL** box.
-
- 1. In HubSpot, in the **Identity Provider Identifier or Issuer URL** box, paste the value for **Azure AD Identifier** that you copied in the Azure portal.
-
- 1. In HubSpot, in the **Identity Provider Single Sign-On URL** box, paste the value for **Login URL** that you copied in the Azure portal.
-
- 1. In Windows Notepad, open the Certificate(Base64) file that you downloaded. Select and copy the contents of the file. Then, in HubSpot, paste it in the **X.509 Certificate** box.
-
- 1. Select **Verify**.
-
- ![The Set up single sign-on section in HubSpot](./media/hubspot-tutorial/config4.png)
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
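Review bot: removing the "Login URL / Azure AD Identifier / Logout URL" bullets and the "Copy configuration URLs" screenshot leaves the kept sentence "In the Set up HubSpot section, copy the following URLs based on your requirements:" pointing at nothing, while the moved HubSpot steps later in this patch still say "paste the value for Azure AD Identifier that you copied in the Azure portal" and "paste the value for Login URL that you copied". Either keep the three bullets (and the screenshot) or reword the sentence to "copy the appropriate URL(s) based on your requirement" as the Hoxhunt tutorial does. The "Configure HubSpot single sign-on" section removed here reappears after the Azure AD test-user section, which matches the template order; make sure the in-file anchor "#configure-hubspot-sso" used in the new step list resolves to the moved "## Configure HubSpot SSO" heading.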
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-### Create a HubSpot test user
+## Configure HubSpot SSO
+
+1. Open a new tab in your browser and sign in to your HubSpot administrator account.
+
+1. Select the **Settings** icon in the upper-right corner of the page.
+
+ ![The Settings icon in HubSpot](./media/hubspot-tutorial/icon.png)
+
+1. Select **Account Defaults**.
+
+ ![The Account Defaults option in HubSpot](./media/hubspot-tutorial/account.png)
+
+1. Scroll down to the **Security** section, and then select **Set up**.
+
+ ![The Set up option in HubSpot](./media/hubspot-tutorial/security.png)
+
+1. In the **Set up single sign-on** section, perform the following steps:
+
+ 1. In the **Audience URl (Service Provider Entity ID)** box, select **Copy** to copy the value. In the Azure portal, in the **Basic SAML Configuration** pane, paste the value in the **Identifier** box.
+
+ 1. In the **Sign on URL, ACS, Recipient, or Redirect** box, select **Copy** to copy the value. In the Azure portal, in the **Basic SAML Configuration** pane, paste the value in the **Reply URL** box.
+
+ 1. In HubSpot, in the **Identity Provider Identifier or Issuer URL** box, paste the value for **Azure AD Identifier** that you copied in the Azure portal.
+
+ 1. In HubSpot, in the **Identity Provider Single Sign-On URL** box, paste the value for **Login URL** that you copied in the Azure portal.
+
+ 1. In Windows Notepad, open the **Certificate(Base64)** file that you downloaded. Select and copy the contents of the file. Then, in HubSpot, paste it in the **X.509 Certificate** box.
+
+ 1. Select **Verify**.
+
+ ![The Set up single sign-on section in HubSpot](./media/hubspot-tutorial/certificate.png)
+
+### Create HubSpot test user
To enable Azure AD a user to sign in to HubSpot, the user must be provisioned in HubSpot. In HubSpot, provisioning is a manual task.
To provision a user account in HubSpot:
1. Select the **Settings** icon in the upper-right corner of the page.
- ![The Settings icon in HubSpot](./media/hubspot-tutorial/config1.png)
+ ![The Settings icon in HubSpot](./media/hubspot-tutorial/icon.png)
1. Select **Users & Teams**.
- ![The Users & Teams option in HubSpot](./media/hubspot-tutorial/user1.png)
+ ![The Users & Teams option in HubSpot](./media/hubspot-tutorial/users.png)
1. Select **Create user**.
- ![The Create user option in HubSpot](./media/hubspot-tutorial/user2.png)
+ ![The Create user option in HubSpot](./media/hubspot-tutorial/teams.png)
1. In the **Add email addess(es)** box, enter the email address of the user in the format brittasimon\@contoso.com, and then select **Next**.
- ![The Add email address(es) box in the Create users section in HubSpot](./media/hubspot-tutorial/user3.png)
+ ![The Add email address(es) box in the Create users section in HubSpot](./media/hubspot-tutorial/add-user.png)
1. In the **Create users** section, select each tab. On each tab, set the relevant options and permissions for the user. Then, select **Next**.
- ![Tabs in the Create users section in HubSpot](./media/hubspot-tutorial/user4.png)
+ ![Tabs in the Create users section in HubSpot](./media/hubspot-tutorial/create-user.png)
1. To send the invitation to the user, select **Send**.
- ![The Send option in HubSpot](./media/hubspot-tutorial/user5.png)
+ ![The Send option in HubSpot](./media/hubspot-tutorial/invitation.png)
> [!NOTE] > The user is activated after the user accepts the invitation.
-### Test single sign-on
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the HubSpot for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the HubSpot for which you set up the SSO.
You can also use Microsoft My Apps to test the application in any mode. When you click the HubSpot tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the HubSpot for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). - ## Next steps Once you configure HubSpot you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
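Review bot: "Audience URl (Service Provider Entity ID)" in the moved step keeps the "URl" typo even though the sibling "Sign on URL, ACS, Recipient, or Redirect" line was corrected; fix to "URL". The renamed screenshots look swapped: the "Users & Teams" option maps to "users.png" but the "Create user" option maps to "teams.png"; confirm the media files under ./media/hubspot-tutorial/ were renamed to match in this commit (icon.png, account.png, security.png, certificate.png, users.png, teams.png, add-user.png, create-user.png, invitation.png). Two kept lines carry typos worth fixing while here: "Add email addess(es)" should be "address(es)", and "To enable Azure AD a user to sign in" should be "To enable an Azure AD user to sign in". The unchanged Test SSO paragraph still links My Apps to the support.microsoft.com URL while GoLinks, HireVue and Hoxhunt in this batch switch to "../user-help/my-apps-portal-end-user-access.md", and the Next steps link here stays "/cloud-app-security/proxy-deployment-aad" while GoLinks moves to "proxy-deployment-any-app"; pick one target set across the batch. Finally, "link relationship" in the new intro replaces the grammatically better "linked relationship" from the removed line; it matches the shared template text, so change it there if at all.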
active-directory Insight4grc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/insight4grc-tutorial.md
Previously updated : 03/14/2019 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with Insight4GRC
-In this tutorial, you learn how to integrate Insight4GRC with Azure Active Directory (Azure AD).
-Integrating Insight4GRC with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Insight4GRC with Azure Active Directory (Azure AD). When you integrate Insight4GRC with Azure AD, you can:
-* You can control in Azure AD who has access to Insight4GRC.
-* You can enable your users to be automatically signed-in to Insight4GRC (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Insight4GRC.
+* Enable your users to be automatically signed-in to Insight4GRC with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Insight4GRC, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Insight4GRC single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Insight4GRC single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Insight4GRC supports **SP and IDP** initiated SSO
-* Insight4GRC supports **Just In Time** user provisioning
+* Insight4GRC supports **SP and IDP** initiated SSO.
+* Insight4GRC supports **Just In Time** user provisioning.
+* Insight4GRC supports [Automated user provisioning](insight4grc-provisioning-tutorial.md).
## Adding Insight4GRC from the gallery To configure the integration of Insight4GRC into Azure AD, you need to add Insight4GRC from the gallery to your list of managed SaaS apps.
-**To add Insight4GRC from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Insight4GRC**, select **Insight4GRC** from result panel then click **Add** button to add the application.
-
- ![Insight4GRC in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Insight4GRC** in the search box.
+1. Select **Insight4GRC** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Insight4GRC based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Insight4GRC needs to be established.
-To configure and test Azure AD single sign-on with Insight4GRC, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for Insight4GRC
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Insight4GRC Single Sign-On](#configure-insight4grc-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Insight4GRC test user](#create-insight4grc-test-user)** - to have a counterpart of Britta Simon in Insight4GRC that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with Insight4GRC using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Insight4GRC.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with Insight4GRC, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure Insight4GRC SSO](#configure-insight4grc-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create Insight4GRC test user](#create-insight4grc-test-user)** - to have a counterpart of Britta Simon in Insight4GRC that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with Insight4GRC, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **Insight4GRC** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Insight4GRC** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<subdomain>.Insight4GRC.com/SAML`
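Review bot: the restructured step list still names the old test user: the new sub-steps "+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon." and "+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on." should say B.Simon, because the new intro line ("using a test user called **B.Simon**") and the rewritten Create/Assign sections below use B.Simon. Separately, the removed line "- a. In the **Identifier** text box, type a URL using the following pattern: `https://<subdomain>.Insight4GRC.com/SAML`" has no visible replacement in this hunk, so the IDP-initiated step no longer tells the reader which Identifier pattern to enter; confirm the pattern is retained.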
To configure Azure AD single sign-on with Insight4GRC, perform the following ste
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<subdomain>.Insight4GRC.com/Public/Login.aspx`
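Review bot: removing "- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<subdomain>.Insight4GRC.com/Public/Login.aspx`" leaves the SP-initiated step ("Click **Set additional URLs** and perform the following step...") with no step to perform in this hunk; either keep the Sign-on URL pattern here or confirm it is re-added in the surrounding text.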
To configure Azure AD single sign-on with Insight4GRC, perform the following ste
![The Certificate download link](common/copy-metadataurl.png)
-### Configure Insight4GRC Single Sign-On
-
-To configure single sign-on on **Insight4GRC** side, you need to send the **App Federation Metadata Url** to [Insight4GRC support team](mailto:support.ss@rsmuk.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Insight4GRC.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Insight4GRC**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Insight4GRC**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Insight4GRC.
- ![The Insight4GRC link in the Applications list](common/all-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Insight4GRC**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-3. In the menu on the left, select **Users and groups**.
+## Configure Insight4GRC SSO
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Insight4GRC** side, you need to send the **App Federation Metadata Url** to [Insight4GRC support team](mailto:support.ss@rsmuk.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Insight4GRC test user In this section, a user called Britta Simon is created in Insight4GRC. Insight4GRC supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Insight4GRC, a new one is created after authentication. > [!Note]
-> If you need to create a user manually, contact [Insight4GRC Client support team](mailto:support.ss@rsmuk.com).
+> Insight4GRC also supports automatic user provisioning, you can find more details [here](./insight4grc-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Insight4GRC Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Insight4GRC Sign-on URL directly and initiate the login flow from there.
-When you click the Insight4GRC tile in the Access Panel, you should be automatically signed in to the Insight4GRC for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Insight4GRC for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Insight4GRC tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Insight4GRC for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Insight4GRC you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
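Review bot: the new note "> Insight4GRC also supports automatic user provisioning, you can find more details [here](./insight4grc-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice and uses "here" as the link text; suggest "Insight4GRC also supports automatic user provisioning. For details, see the [Insight4GRC provisioning tutorial](./insight4grc-provisioning-tutorial.md)." The removed line "> If you need to create a user manually, contact [Insight4GRC Client support team](mailto:support.ss@rsmuk.com)." was the only pointer for manual account creation in this section; consider keeping it alongside the provisioning note.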
active-directory Invision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/invision-tutorial.md
Previously updated : 12/24/2020 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* InVision supports **SP and IDP** initiated SSO
+* InVision supports **SP and IDP** initiated SSO.
+* InVision supports [Automated user provisioning](invision-provisioning-tutorial.md).
## Adding InVision from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **InVision** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
![Screenshot shows the Invite dialog where you can select Invite to proceed.](./media/invision-tutorial/user3.png)
+> [!NOTE]
+> InVision also supports automatic user provisioning, you can find more details [here](./invision-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
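Review bot: the added note "> InVision also supports automatic user provisioning, you can find more details [here](./invision-provisioning-tutorial.md) on how to configure automatic user provisioning." repeats the bullet added in the same change ("+* InVision supports [Automated user provisioning](invision-provisioning-tutorial.md).") and is a comma splice with "here" as link text; if the note is kept, split it into two sentences and give the link descriptive text such as "InVision provisioning tutorial".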
active-directory Ipasssmartconnect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ipasssmartconnect-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with iPass SmartConnect | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with iPass SmartConnect'
description: Learn how to configure single sign-on between Azure Active Directory and iPass SmartConnect.
Previously updated : 06/09/2021 Last updated : 09/01/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with iPass SmartConnect
+# Tutorial: Azure AD SSO integration with iPass SmartConnect
In this tutorial, you'll learn how to integrate iPass SmartConnect with Azure Active Directory (Azure AD). When you integrate iPass SmartConnect with Azure AD, you can:
In this tutorial, you'll learn how to integrate iPass SmartConnect with Azure Ac
* Enable your users to be automatically signed-in to iPass SmartConnect with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* iPass SmartConnect supports **SP and IDP** initiated SSO
-* iPass SmartConnect supports **Just In Time** user provisioning
+* iPass SmartConnect supports **SP and IDP** initiated SSO.
+* iPass SmartConnect supports **Just In Time** user provisioning.
+* iPass SmartConnect supports [Automated user provisioning](ipass-smartconnect-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this tutorial, you configure and test Azure AD SSO in a test environment.
To configure the integration of iPass SmartConnect into Azure AD, you need to add iPass SmartConnect from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **iPass SmartConnect** in the search box. 1. Select **iPass SmartConnect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for iPass SmartConnect
+## Configure and test Azure AD SSO for iPass SmartConnect
Configure and test Azure AD SSO with iPass SmartConnect using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iPass SmartConnect.
-To configure and test Azure AD SSO with iPass SmartConnect, complete the following building blocks:
+To configure and test Azure AD SSO with iPass SmartConnect, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure iPass SmartConnect SSO](#configure-ipass-smartconnect-sso)** - to configure the single sign-on settings on application side.
- * **[Create iPass SmartConnect test user](#create-ipass-smartconnect-test-user)** - to have a counterpart of B.Simon in iPass SmartConnect that is linked to the Azure AD representation of user.
+ 1. **[Create iPass SmartConnect test user](#create-ipass-smartconnect-test-user)** - to have a counterpart of B.Simon in iPass SmartConnect that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **iPass SmartConnect** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **iPass SmartConnect** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **iPass SmartConnect**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure iPass SmartConnect SSO
To configure single sign-on on **iPass SmartConnect** side, you need to send the
In this section, you create a user called Britta Simon in iPass SmartConnect. Work with [iPass SmartConnect support team](mailto:help@ipass.com) to add the users or the domain that must be added to an allow list for the iPass SmartConnect platform. If the domain is added by the team, users will get automatically provisioned to the iPass SmartConnect platform. Users must be created and activated before you use single sign-on.
-## Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to iPass SmartConnect Sign on URL where you can initiate the login flow.
-When you click the iPass SmartConnect tile in the Access Panel, you should be automatically signed in to the iPass SmartConnect for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Go to iPass SmartConnect Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the iPass SmartConnect for which you set up the SSO
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the iPass SmartConnect tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the iPass SmartConnect for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try iPass SmartConnect with Azure AD](https://aad.portal.azure.com/)
+Once you configure iPass SmartConnect you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
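Review bot: the bullet "+* Click on **Test this application** in Azure portal and you should be automatically signed in to the iPass SmartConnect for which you set up the SSO" is missing its terminating period, unlike the other bullets in this list; add it. The unchanged context line "In this section, you create a user called Britta Simon in iPass SmartConnect." still names Britta Simon although this tutorial's test user is B.Simon, so that line is worth updating in the same pass.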
active-directory Iprova Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iprova-tutorial.md
Previously updated : 06/08/2021 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Zenya supports **SP** initiated SSO.
+* Zenya supports [Automated user provisioning](iprova-provisioning-tutorial.md).
## Add Zenya from the gallery
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
10. Scroll down to the end of the page, and select **Finish**.
+> [!NOTE]
+> Zenya also supports automatic user provisioning, you can find more details [here](./iprova-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Iris Intranet Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iris-intranet-tutorial.md
Previously updated : 06/04/2021 Last updated : 09/01/2021 # Tutorial: Azure Active Directory integration with Iris Intranet
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Iris Intranet supports **just-in-time** user provisioning.
+* Iris Intranet supports [Automated user provisioning](iris-intranet-provisioning-tutorial.md).
+ ## Add Iris Intranet from the gallery To configure the integration of Iris Intranet into Azure AD, you need to add Iris Intranet from the gallery to your list of managed SaaS apps.
To configure single sign-on on **Iris Intranet** side, you need to send the **Ap
In this section, a user called Britta Simon is created in Iris Intranet. Iris Intranet supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Iris Intranet, a new one is created after authentication.
+Iris Intranet also supports automatic user provisioning, you can find more details [here](./iris-intranet-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Jira52microsoft Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jira52microsoft-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with JIRA SAML SSO by Microsoft (V5.2) | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with JIRA SAML SSO by Microsoft (V5.2)'
description: Learn how to configure single sign-on between Azure Active Directory and JIRA SAML SSO by Microsoft (V5.2).
Previously updated : 12/28/2020 Last updated : 09/08/2021
-# Tutorial: Azure Active Directory integration with JIRA SAML SSO by Microsoft (V5.2)
+# Tutorial: Azure AD SSO integration with JIRA SAML SSO by Microsoft (V5.2)
In this tutorial, you'll learn how to integrate JIRA SAML SSO by Microsoft (V5.2) with Azure Active Directory (Azure AD). When you integrate JIRA SAML SSO by Microsoft (V5.2) with Azure AD, you can:
Use your Microsoft Azure Active Directory account with Atlassian JIRA server to
To configure Azure AD integration with JIRA SAML SSO by Microsoft (V5.2), you need the following items: -- An Azure AD subscription-- JIRA Core and Software 5.2 should installed and configured on Windows 64-bit version-- JIRA server is HTTPS enabled
+- An Azure AD subscription.
+- JIRA Core and Software 5.2 should installed and configured on Windows 64-bit version.
+- JIRA server is HTTPS enabled.
- Note the supported versions for JIRA Plugin are mentioned in below section.-- JIRA server is reachable on internet particularly to Azure AD Login page for authentication and should able to receive the token from Azure AD-- Admin credentials are set up in JIRA-- WebSudo is disabled in JIRA-- Test user created in the JIRA server application
+- JIRA server is reachable on internet particularly to Azure AD Login page for authentication and should able to receive the token from Azure AD.
+- Admin credentials are set up in JIRA.
+- WebSudo is disabled in JIRA.
+- Test user created in the JIRA server application.
> [!NOTE] > To test the steps in this tutorial, we do not recommend using a production environment of JIRA. Test the integration first in development or staging environment of the application and then use the production environment.
To configure Azure AD integration with JIRA SAML SSO by Microsoft (V5.2), you ne
To test the steps in this tutorial, you should follow these recommendations: - Do not use your production environment, unless it is necessary.-- If you don't have an Azure AD trial environment, you can get a one-month trial here: [Trial offer](https://azure.microsoft.com/pricing/free-trial/).
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
## Supported versions of JIRA
-* JIRA Core and Software: 5.2
-* JIRA also supports 6.0 to 7.12. For more details, click [JIRA SAML SSO by Microsoft](jiramicrosoft-tutorial.md)
+* JIRA Core and Software: 5.2.
+* JIRA also supports 6.0 to 7.12. For more details, click [JIRA SAML SSO by Microsoft](jiramicrosoft-tutorial.md).
> [!NOTE] > Please note that our JIRA Plugin also works on Ubuntu Version 16.04.
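Review bot: the replacement bullet "+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/)." sits under "To test the steps in this tutorial, you should follow these recommendations:" and duplicates the "+- An Azure AD subscription." bullet already added to the prerequisites list above; either drop the duplicate or move the free-account sentence up next to the prerequisite bullet, leaving only the "Do not use your production environment" recommendation here.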
To test the steps in this tutorial, you should follow these recommendations:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* JIRA SAML SSO by Microsoft (V5.2) supports **SP** initiated SSO
+* JIRA SAML SSO by Microsoft (V5.2) supports **SP** initiated SSO.
## Adding JIRA SAML SSO by Microsoft (V5.2) from the gallery
To configure and test Azure AD single sign-on with JIRA SAML SSO by Microsoft (V
4. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<domain:port>/plugins/servlet/saml/auth`
-
- b. In the **Identifier** box, type a URL using the following pattern:
+ a. In the **Identifier** box, type a URL using the following pattern:
`https://<domain:port>/`
- c. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<domain:port>/plugins/servlet/saml/auth`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
`https://<domain:port>/plugins/servlet/saml/auth` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Port is optional in case itΓÇÖs a named URL. These values are received during the configuration of Jira plugin, which is explained later in the tutorial.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-On URL. Port is optional in case itΓÇÖs a named URL. These values are received during the configuration of Jira plugin, which is explained later in the tutorial.
5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. Hover on cog and click the **Add-ons**.
- ![Screenshot shows Add-ons selected from the Settings menu.](./media/jira52microsoft-tutorial/addon1.png)
+ ![Screenshot shows Add-ons selected from the Settings menu.](./media/jira52microsoft-tutorial/menu.png)
3. Under Add-ons tab section, click **Manage add-ons**.
- ![Screenshot shows Manage add-ons selected in the Add-ons tab.](./media/jira52microsoft-tutorial/addon7.png)
+ ![Screenshot shows Manage add-ons selected in the Add-ons tab.](./media/jira52microsoft-tutorial/dashboard.png)
4. Download the plugin from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56521). Manually upload the plugin provided by Microsoft using **Upload add-on** menu. The download of plugin is covered under [Microsoft Service Agreement](https://www.microsoft.com/servicesagreement/).
- ![Screenshot shows Manage add-ons with the Upload add-on link called out.](./media/jira52microsoft-tutorial/addon12.png)
+ ![Screenshot shows Manage add-ons with the Upload add-on link called out.](./media/jira52microsoft-tutorial/service.png)
5. Once the plugin is installed, it appears in **User Installed** add-ons section. Click **Configure** to configure the new plugin.
- ![Screenshot shows the Azure A D SAML Single Sign-on for Jira section with Configure selected.](./media/jira52microsoft-tutorial/addon13.png)
+ ![Screenshot shows the Azure A D SAML Single Sign-on for Jira section with Configure selected.](./media/jira52microsoft-tutorial/configure-plugin.png)
6. Perform following steps on configuration page:
- ![Screenshot shows the Microsoft Jira S S O Connector configuration page.](./media/jira52microsoft-tutorial/addon52.png)
+ ![Screenshot shows the Microsoft Jira S S O Connector configuration page.](./media/jira52microsoft-tutorial/configuration.png)
> [!TIP] > Ensure that there is only one certificate mapped against the app so that there is no error in resolving the metadata. If there are multiple certificates, upon resolving the metadata, admin gets an error.
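Review bot: this hunk changes five screenshot paths (addon1.png to menu.png, addon7.png to dashboard.png, addon12.png to service.png, addon13.png to configure-plugin.png, addon52.png to configuration.png) without touching the alt text; make sure the renamed files under ./media/jira52microsoft-tutorial/ are part of the same change and the old names are removed, otherwise the images break. Also, "service.png" for the screenshot whose alt text is "Manage add-ons with the Upload add-on link called out" is a misleading name; something like upload-add-on.png would match the alt text.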
To enable Azure AD users to sign in to JIRA on-premises server, they must be pro
2. Hover on cog and click the **User management**.
- ![Screenshot shows User management selected from the Settings menu.](./media/jira52microsoft-tutorial/user1.png)
+ ![Screenshot shows User management selected from the Settings menu.](./media/jira52microsoft-tutorial/user.png)
3. You are redirected to Administrator Access page to enter **Password** and click **Confirm** button.
- ![Screenshot shows Administrator Access page where you enter your credentials.](./media/jira52microsoft-tutorial/user2.png)
+ ![Screenshot shows Administrator Access page where you enter your credentials.](./media/jira52microsoft-tutorial/access.png)
4. Under **User management** tab section, click **create user**.
- ![Screenshot shows the User management tab where you can Create user.](./media/jira52microsoft-tutorial/user3.png)
+ ![Screenshot shows the User management tab where you can Create user.](./media/jira52microsoft-tutorial/create-user.png)
5. On the **ΓÇ£Create new userΓÇ¥** dialog page, perform the following steps:
- ![Screenshot shows the Create new user dialog box where you can enter the information in this step.](./media/jira52microsoft-tutorial/user4.png)
+ ![Screenshot shows the Create new user dialog box where you can enter the information in this step.](./media/jira52microsoft-tutorial/new-user.png)
a. In the **Email address** textbox, type the email address of user like Brittasimon@contoso.com.
In this section, you test your Azure AD single sign-on configuration with follow
* You can use Microsoft My Apps. When you click the JIRA SAML SSO by Microsoft (V5.2) tile in the My Apps, this will redirect to JIRA SAML SSO by Microsoft (V5.2) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). - ## Next steps Once you configure JIRA SAML SSO by Microsoft (V5.2) you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Jostle Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jostle-tutorial.md
Previously updated : 06/14/2021 Last updated : 09/01/2021 # Tutorial: Azure Active Directory integration with Jostle
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Jostle supports **SP** initiated SSO.
+* Jostle supports [Automated user provisioning](jostle-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Jostle** side, you need to send the downloaded
In this section, you create a user called Britta Simon in Jostle. Work with [Jostle support team](mailto:support@jostle.me) to add the users in the Jostle platform. Users must be created and activated before you use single sign-on.
+Jostle also supports automatic user provisioning, you can find more details [here](./jostle-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ > [!NOTE] > The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active.
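Review bot: the added sentence "Jostle also supports automatic user provisioning, you can find more details [here](./jostle-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice and uses "here" as link text, which screen readers announce without context; suggest `Jostle also supports automatic user provisioning. For configuration details, see the [Jostle provisioning tutorial](./jostle-provisioning-tutorial.md).` The same target is linked as `jostle-provisioning-tutorial.md` in the new scenario bullet and as `./jostle-provisioning-tutorial.md` here; pick one form.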
active-directory Juno Journey Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/juno-journey-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Juno Journey | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Juno Journey'
description: Learn how to configure single sign-on between Azure Active Directory and Juno Journey.
Previously updated : 10/04/2019 Last updated : 09/01/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Juno Journey
+# Tutorial: Azure AD SSO integration with Juno Journey
In this tutorial, you'll learn how to integrate Juno Journey with Azure Active Directory (Azure AD). When you integrate Juno Journey with Azure AD, you can:
In this tutorial, you'll learn how to integrate Juno Journey with Azure Active D
* Enable your users to be automatically signed-in to Juno Journey with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
## Prerequisites
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Juno Journey supports **SP and IDP** initiated SSO
-* Juno Journey supports **Just In Time** user provisioning
+* Juno Journey supports **SP and IDP** initiated SSO.
+* Juno Journey supports **Just In Time** user provisioning.
+* Juno Journey supports [Automated user provisioning](juno-journey-provisioning-tutorial.md).
## Adding Juno Journey from the gallery To configure the integration of Juno Journey into Azure AD, you need to add Juno Journey from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Juno Journey** in the search box. 1. Select **Juno Journey** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Juno Journey
+## Configure and test Azure AD SSO for Juno Journey
Configure and test Azure AD SSO with Juno Journey using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Juno Journey.
-To configure and test Azure AD SSO with Juno Journey, complete the following building blocks:
+To configure and test Azure AD SSO with Juno Journey, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Juno Journey, complete the following bui
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Juno Journey** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Juno Journey** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Juno Journey**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Juno Journey SSO
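Review bot: the rewritten role step ("If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown...") drops the reason the choice matters that the removed line stated: the selected role is emitted as a role value in the SAML assertion, so it is what the application receives and may use for authorization. Suggest keeping that link, e.g. `If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown; if no role has been set up for this app, the "Default Access" role is selected.`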
To configure single sign-on on **Juno Journey** side, you need to send the downl
In this section, a user called B.Simon is created in Juno Journey. Juno Journey supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Juno Journey, a new one is created after authentication.
-## Test SSO
+Juno Journey also supports automatic user provisioning, you can find more details [here](./juno-journey-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on Test this application in Azure portal. This will redirect to Juno Journey Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Juno Journey Sign-on URL directly and initiate the login flow from there.
-When you click the Juno Journey tile in the Access Panel, you should be automatically signed in to the Juno Journey for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+#### IDP initiated:
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Juno Journey for which you set up the SSO
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Juno Journey tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Juno Journey for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) -- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Juno Journey with Azure AD](https://aad.portal.azure.com/)
+Once you configure Juno Journey you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
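Review bot: the two new subsection headings `#### SP initiated:` and `#### IDP initiated:` sit directly under the `## Test SSO` h2, skipping the h3 level, and end with a colon; suggest `### SP initiated` and `### IDP initiated`. Also in this hunk: "Juno Journey also supports automatic user provisioning, you can find more details [here](...)" is a comma splice with "here" as link text (split it into two sentences and link the words "Juno Journey provisioning tutorial"); the IDP-initiated bullet "...for which you set up the SSO" lacks a terminal period; and "Once you configure Juno Journey you can enforce session control" needs a comma after "Juno Journey".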
active-directory Knowbe4 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/knowbe4-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with KnowBe4 Security Awareness Training | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with KnowBe4 Security Awareness Training'
description: Learn how to configure single sign-on between Azure Active Directory and KnowBe4 Security Awareness Training.
Previously updated : 10/22/2020 Last updated : 09/07/2021
-# Tutorial: Azure Active Directory integration with KnowBe4 Security Awareness Training
+# Tutorial: Azure AD SSO integration with KnowBe4 Security Awareness Training
-In this tutorial, you learn how to integrate KnowBe4 Security Awareness Training with Azure Active Directory (Azure AD).
-Integrating KnowBe4 Security Awareness Training with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate KnowBe4 Security Awareness Training with Azure Active Directory (Azure AD). When you integrate KnowBe4 Security Awareness Training with Azure AD, you can:
-* You can control in Azure AD who has access to KnowBe4 Security Awareness Training.
-* You can enable your users to be automatically signed-in to KnowBe4 Security Awareness Training (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
+* Control in Azure AD who has access to KnowBe4 Security Awareness Training.
+* Enable your users to be automatically signed-in to KnowBe4 Security Awareness Training with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with KnowBe4 Security Awareness Training, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* KnowBe4 Security Awareness Training single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* KnowBe4 Security Awareness Training single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* KnowBe4 Security Awareness Training supports **SP** initiated SSO
+* KnowBe4 Security Awareness Training supports **SP** initiated SSO.
-* KnowBe4 Security Awareness Training supports **Just In Time** user provisioning
+* KnowBe4 Security Awareness Training supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding KnowBe4 from the gallery
+## Add KnowBe4 from the gallery
To configure the integration of KnowBe4 into Azure AD, you need to add KnowBe4 from the gallery to your list of managed SaaS apps.
To configure the integration of KnowBe4 into Azure AD, you need to add KnowBe4 f
1. In the **Add from the gallery** section, type **KnowBe4** in the search box. 1. Select **KnowBe4** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for KnowBe4 Security Awareness Training
In this section, you configure and test Azure AD single sign-on with KnowBe4 based on a test user called **Britta Simon**. For single sign-on to work, a link relationship between an Azure AD user and the related user in KnowBe4 needs to be established.
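Review bot: the app is named inconsistently across the retitled headings: the new title and `## Configure and test Azure AD SSO for KnowBe4 Security Awareness Training` use the full product name, while `## Add KnowBe4 from the gallery`, its intro sentence, and this section's first sentence say "KnowBe4". Since the gallery search term really is "KnowBe4" (the "type **KnowBe4** in the search box" step), state that once in the gallery step and otherwise use the full product name, so readers do not wonder whether two different apps are meant.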
For single sign-on to work, a link relationship between an Azure AD user and the
To configure and test Azure AD single sign-on with KnowBe4, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD SSO with Britta Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD SSO.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD SSO with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD SSO.
2. **[Configure KnowBe4 Security Awareness Training SSO](#configure-knowbe4-security-awareness-training-sso)** - to configure the SSO settings on application side.
- * **[Create KnowBe4 Security Awareness Training test user](#create-knowbe4-security-awareness-training-test-user)** - to have a counterpart of Britta Simon in KnowBe4 Security Awareness Training that is linked to the Azure AD representation of user.
+ 1. **[Create KnowBe4 Security Awareness Training test user](#create-knowbe4-security-awareness-training-test-user)** - to have a counterpart of Britta Simon in KnowBe4 Security Awareness Training that is linked to the Azure AD representation of user.
3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal. 1. In the Azure portal, on the **KnowBe4** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign on URL** text box, type a URL using the following pattern: `https://<companyname>.KnowBe4.com/auth/saml/<instancename>`
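Review bot: promoting `### Configure Azure AD SSO` to `##` changes the heading hierarchy, and the "Configure and test" step list in the previous hunk links to its sibling sections (Create an Azure AD test user, Assign the Azure AD test user, Configure KnowBe4 Security Awareness Training SSO, Create KnowBe4 Security Awareness Training test user); only Test SSO is visibly promoted in this change, so confirm the other four headings get the same promotion or the table of contents nests unevenly. The wording change to "perform the following step:" with a single Sign on URL instruction is consistent with the NOTE that the identifier is a fixed string value, so no Identifier field is needed here.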
To configure single sign-on on **KnowBe4 Security Awareness Training** side, you
In this section, a user called Britta Simon is created in KnowBe4. KnowBe4 supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in KnowBe4, a new one is created after authentication.
-### Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal. This will redirect to KnowBe4 Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to KnowBe4 Security Awareness Training Sign-on URL where you can initiate the login flow.
-2. Go to KnowBe4 Sign-on URL directly and initiate the login flow from there.
+* Go to KnowBe4 Security Awareness Training Sign-on URL directly and initiate the login flow from there.
-3. You can use Microsoft Access Panel. When you click the KnowBe4 tile in the Access Panel, this will redirect to KnowBe4 Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the KnowBe4 Security Awareness Training tile in the My Apps, this will redirect to KnowBe4 Security Awareness Training Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure KnowBe4 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure KnowBe4 Security Awareness Training you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
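Review bot: "Once you configure KnowBe4 Security Awareness Training you can enforce session control" needs a comma after the product name. The switch of the Test SSO options from a numbered list to bullets is right, since they are alternatives rather than sequential steps, and the link target change to `/cloud-app-security/proxy-deployment-aad` matches the other tutorials in this change set.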
active-directory Kpifire Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kpifire-tutorial.md
Previously updated : 07/13/2020 Last updated : 09/01/2021
In this tutorial, you'll learn how to integrate kpifire with Azure Active Direct
* Enable your users to be automatically signed-in to kpifire with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
## Prerequisites
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* kpifire supports **IDP** initiated SSO
-
-* Once you configure kpifire you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* kpifire supports **IDP** initiated SSO.
+* kpifire supports [Automated user provisioning](kpifire-provisioning-tutorial.md).
## Adding kpifire from the gallery To configure the integration of kpifire into Azure AD, you need to add kpifire from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
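Review bot: the provisioning tutorial is linked as `kpifire-provisioning-tutorial.md` in the new scenario bullet but as `./kpifire-provisioning-tutorial.md` in the later test-user section of this same change; use one form. Separately, removing the session-control sentence from the Scenario description bullets, where it did not describe a scenario, and restating it under Next steps with "protects" and "extends" corrected is the right move.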
To configure the integration of kpifire into Azure AD, you need to add kpifire f
Configure and test Azure AD SSO with kpifire using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in kpifire.
-To configure and test Azure AD SSO with kpifire, complete the following building blocks:
+To configure and test Azure AD SSO with kpifire, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with kpifire, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **kpifire** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **kpifire** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **kpifire**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure kpifire SSO
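Review bot: as with the identical rewrite in the Juno Journey tutorial above, the new role step no longer says that the selected role is sent as a role value in the SAML assertion, which the removed line did; keep that point so readers understand the dropdown determines what the application receives, e.g. "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown".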
To configure single sign-on on **kpifire** side, you need to send the downloaded
In this section, you create a user called B.Simon in kpifire. Work with [kpifire support team](mailto:support@kpifire.com) to add the users in the kpifire platform. Users must be created and activated before you use single sign-on.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the kpifire tile in the Access Panel, you should be automatically signed in to the kpifire for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+kpifire also supports automatic user provisioning, you can find more details [here](./kpifire-provisioning-tutorial.md) on how to configure automatic user provisioning.
-## Additional resources
+## Test SSO
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the kpifire for which you set up the SSO
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the kpifire tile in the My Apps, you should be automatically signed in to the kpifire for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try kpifire with Azure AD](https://aad.portal.azure.com/) -- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect kpifire with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure kpifire you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
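Review bot: "kpifire also supports automatic user provisioning, you can find more details [here](./kpifire-provisioning-tutorial.md)..." is a comma splice with "here" as link text; suggest `kpifire also supports automatic user provisioning. For configuration details, see the [kpifire provisioning tutorial](./kpifire-provisioning-tutorial.md).` Also in this hunk: the bullet "Click on Test this application in Azure portal and you should be automatically signed in to the kpifire for which you set up the SSO" lacks a terminal period, and "Once you configure kpifire you can enforce session control" needs a comma after "kpifire".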
active-directory Leapsome Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/leapsome-tutorial.md
Previously updated : 07/22/2021 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Leapsome supports **SP and IDP** initiated SSO.
+* Leapsome supports [Automated user provisioning](leapsome-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Leapsome SSO
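Review bot: the rewritten role step ends without a period ("...you see "Default Access" role selected"), unlike the same sentence in the Juno Journey and kpifire tutorials in this change; add it. As in those files, consider keeping the removed line's point that the chosen role is emitted as a role value in the SAML assertion.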
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, you create a user called Britta Simon in Leapsome. Work with [Leapsome Client support team](mailto:support@leapsome.com) to add the users or the domain that must be added to an allow list for the Leapsome platform. If the domain is added by the team, users will get automatically provisioned to the Leapsome platform. Users must be created and activated before you use single sign-on.
+Leapsome also supports automatic user provisioning, you can find more details [here](./leapsome-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
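Review bot: "Leapsome also supports automatic user provisioning, you can find more details [here](./leapsome-provisioning-tutorial.md)..." is a comma splice with "here" as link text; suggest `Leapsome also supports automatic user provisioning. For configuration details, see the [Leapsome provisioning tutorial](./leapsome-provisioning-tutorial.md).` The same target is linked without the `./` prefix in the new scenario bullet; pick one form.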
active-directory Liquidfiles Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/liquidfiles-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with LiquidFiles | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with LiquidFiles'
description: Learn how to configure single sign-on between Azure Active Directory and LiquidFiles.
Previously updated : 06/02/2021 Last updated : 09/13/2021
-# Tutorial: Azure Active Directory integration with LiquidFiles
+# Tutorial: Azure AD SSO integration with LiquidFiles
In this tutorial, you'll learn how to integrate LiquidFiles with Azure Active Directory (Azure AD). When you integrate LiquidFiles with Azure AD, you can:
To configure Azure AD integration with LiquidFiles, you need the following items
* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/). * LiquidFiles single sign-on enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
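Review bot: the new NOTE is missing articles: "available to use from the Azure AD US Government Cloud environment" and "in the same way as you do from the public cloud".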
In this section, you test your Azure AD single sign-on configuration with follow
* Go to LiquidFiles Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the LiquidFiles tile in the My Apps, this will redirect to LiquidFiles Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the LiquidFiles tile in the My Apps, this will redirect to LiquidFiles Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Sap Hana Cloud Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sap-hana-cloud-platform-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with SAP Cloud Platform | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with SAP Cloud Platform'
description: Learn how to configure single sign-on between Azure Active Directory and SAP Cloud Platform.
Previously updated : 12/27/2020 Last updated : 09/08/2021
-# Tutorial: Azure Active Directory integration with SAP Cloud Platform
+# Tutorial: Azure AD SSO integration with SAP Cloud Platform
In this tutorial, you'll learn how to integrate SAP Cloud Platform with Azure Active Directory (Azure AD). When you integrate SAP Cloud Platform with Azure AD, you can:
In this tutorial, you'll learn how to integrate SAP Cloud Platform with Azure Ac
## Prerequisites
-To configure Azure AD integration with SAP Cloud Platform, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* SAP Cloud Platform single sign-on enabled subscription
-
-After completing this tutorial, the Azure AD users you have assigned to SAP Cloud Platform will be able to single sign into the application using the [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SAP Cloud Platform single sign-on (SSO) enabled subscription.
>[!IMPORTANT] >You need to deploy your own application or subscribe to an application on your SAP Cloud Platform account to test single sign on. In this tutorial, an application is deployed in the account.
After completing this tutorial, the Azure AD users you have assigned to SAP Clou
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SAP Cloud Platform supports **SP** initiated SSO
+* SAP Cloud Platform supports **SP** initiated SSO.
-## Adding SAP Cloud Platform from the gallery
+## Add SAP Cloud Platform from the gallery
To configure the integration of SAP Cloud Platform into Azure AD, you need to add SAP Cloud Platform from the gallery to your list of managed SaaS apps.
To configure and test Azure AD SSO with SAP Cloud Platform, perform the followin
1. **[Create SAP Cloud Platform test user](#create-sap-cloud-platform-test-user)** - to have a counterpart of Britta Simon in SAP Cloud Platform that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- ![SAP Cloud Platform Domain and URLs single sign-on information](common/sp-identifier-reply.png)
+ a. In the **Identifier** textbox you will provide your SAP Cloud Platform's type a URL using one of the following patterns:
+
+ | **Identifier** |
+ |--|
+ | `https://hanatrial.ondemand.com/<instancename>` |
+ | `https://hana.ondemand.com/<instancename>` |
+ | `https://us1.hana.ondemand.com/<instancename>` |
+ | `https://ap1.hana.ondemand.com/<instancename>` |
+
+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:
- a. In the **Sign On URL** textbox, type the URL used by your users to sign into your **SAP Cloud Platform** application. This is the account-specific URL of a protected resource in your SAP Cloud Platform application. The URL is based on the following pattern: `https://<applicationName><accountName>.<landscape host>.ondemand.com/<path_to_protected_resource>`
+ | **Reply URL** |
+ |-|
+ | `https://<subdomain>.hanatrial.ondemand.com/<instancename>` |
+ | `https://<subdomain>.hana.ondemand.com/<instancename>` |
+ | `https://<subdomain>.us1.hana.ondemand.com/<instancename>` |
+ | `https://<subdomain>.dispatcher.us1.hana.ondemand.com/<instancename>` |
+ | `https://<subdomain>.ap1.hana.ondemand.com/<instancename>` |
+ | `https://<subdomain>.dispatcher.ap1.hana.ondemand.com/<instancename>` |
+ | `https://<subdomain>.dispatcher.hana.ondemand.com/<instancename>` |
+
+ c. In the **Sign On URL** textbox, type the URL used by your users to sign into your **SAP Cloud Platform** application. This is the account-specific URL of a protected resource in your SAP Cloud Platform application. The URL is based on the following pattern: `https://<applicationName><accountName>.<landscape host>.ondemand.com/<path_to_protected_resource>`
>[!NOTE] >This is the URL in your SAP Cloud Platform application that requires the user to authenticate. >
- - `https://<subdomain>.hanatrial.ondemand.com/<instancename>`
- - `https://<subdomain>.hana.ondemand.com/<instancename>`
-
- b. In the **Identifier** textbox you will provide your SAP Cloud Platform's type a URL using one of the following patterns:
-
- - `https://hanatrial.ondemand.com/<instancename>`
- - `https://hana.ondemand.com/<instancename>`
- - `https://us1.hana.ondemand.com/<instancename>`
- - `https://ap1.hana.ondemand.com/<instancename>`
-
- c. In the **Reply URL** textbox, type a URL using the following pattern:
-
- - `https://<subdomain>.hanatrial.ondemand.com/<instancename>`
- - `https://<subdomain>.hana.ondemand.com/<instancename>`
- - `https://<subdomain>.us1.hana.ondemand.com/<instancename>`
- - `https://<subdomain>.dispatcher.us1.hana.ondemand.com/<instancename>`
- - `https://<subdomain>.ap1.hana.ondemand.com/<instancename>`
- - `https://<subdomain>.dispatcher.ap1.hana.ondemand.com/<instancename>`
- - `https://<subdomain>.dispatcher.hana.ondemand.com/<instancename>`
+ | **Sign On URL** |
+ ||
+ | `https://<subdomain>.hanatrial.ondemand.com/<instancename>` |
+ | `https://<subdomain>.hana.ondemand.com/<instancename>` |
> [!NOTE]
- > These values are not real. Update these values with the actual Sign-On URL, Identifier, and Reply URL. Contact [SAP Cloud Platform Client support team](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/5dd739823b824b539eee47b7860a00be.html) to get Sign-On URL and Identifier. Reply URL you can get from trust management section which is explained later in the tutorial.
+ > These values are not real. Update these values with the actual Identifier,Reply URL and Sign on URL. Contact [SAP Cloud Platform Client support team](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/5dd739823b824b539eee47b7860a00be.html) to get Sign-On URL and Identifier. Reply URL you can get from trust management section which is explained later in the tutorial.
> 4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
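Review bot: step c now gives two incompatible Sign On URL patterns. The sentence at `c.` says `https://<applicationName><accountName>.<landscape host>.ondemand.com/<path_to_protected_resource>`, while the Sign On URL table that follows it lists `https://<subdomain>.hanatrial.ondemand.com/<instancename>` and `https://<subdomain>.hana.ondemand.com/<instancename>`; keep one form (the protected-resource URL the NOTE under c. describes) or say when each applies. Three smaller issues in the same hunk: the Sign On URL table's delimiter row is `||`, which is not a valid table separator (the Identifier and Reply URL tables use `|--|` and `|-|`), so that table will not render; the sentence "In the **Identifier** textbox you will provide your SAP Cloud Platform's type a URL using one of the following patterns" is still ungrammatical after the move (read "In the **Identifier** textbox, type a URL using one of the following patterns"); and "Identifier,Reply URL" in the NOTE needs a space after the comma. Since the NOTE already says the Reply URL comes from the Trust Management section, it is worth stating that the Reply URL pasted here must be the assertion consumer URL from the downloaded SAP metadata rather than a value guessed from the patterns, because Azure AD will POST the signed assertion to whatever Reply URL is configured.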
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. Click the **Trust** tab.
- ![Trust](./media/sap-hana-cloud-platform-tutorial/ic790800.png "Trust")
+ ![Trust](./media/sap-hana-cloud-platform-tutorial/account.png "Trust")
3. In the Trust Management section, under **Local Service Provider**, perform the following steps:
- ![Screenshot that shows the "Trust Management" section with the "Local Service Provider" tab selected and all text boxes highlighted.](./media/sap-hana-cloud-platform-tutorial/ic793931.png "Trust Management")
+ ![Screenshot that shows the "Trust Management" section with the "Local Service Provider" tab selected and all text boxes highlighted.](./media/sap-hana-cloud-platform-tutorial/service.png "Trust Management")
a. Click **Edit**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. After saving the **Local Service Provider** settings, perform the following to obtain the Reply URL:
- ![Get Metadata](./media/sap-hana-cloud-platform-tutorial/ic793930.png "Get Metadata")
+ ![Get Metadata](./media/sap-hana-cloud-platform-tutorial/certificate.png "Get Metadata")
a. Download the SAP Cloud Platform metadata file by clicking **Get Metadata**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
5. Click the **Trusted Identity Provider** tab, and then click **Add Trusted Identity Provider**.
- ![Screenshot that shows the "Trust Management" page with the "Trusted Identity Provider" tab selected.](./media/sap-hana-cloud-platform-tutorial/ic790802.png "Trust Management")
+ ![Screenshot that shows the "Trust Management" page with the "Trusted Identity Provider" tab selected.](./media/sap-hana-cloud-platform-tutorial/add-service.png "Trust Management")
>[!NOTE] >To manage the list of trusted identity providers, you need to have chosen the Custom configuration type in the Local Service Provider section. For Default configuration type, you have a non-editable and implicit trust to the SAP ID Service. For None, you don't have any trust settings.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
6. Click the **General** tab, and then click **Browse** to upload the downloaded metadata file.
- ![Trust Management](./media/sap-hana-cloud-platform-tutorial/ic793932.png "Trust Management")
+ ![Trust Management](./media/sap-hana-cloud-platform-tutorial/general.png "Trust Management")
>[!NOTE] >After uploading the metadata file, the values for **Single Sign-on URL**, **Single Logout URL**, and **Signing Certificate** are populated automatically.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
8. On the **Attributes** tab, perform the following step:
- ![Attributes](./media/sap-hana-cloud-platform-tutorial/ic790804.png "Attributes")
+ ![Attributes](./media/sap-hana-cloud-platform-tutorial/principal-attribute.png "Attributes")
a. Click **Add Assertion-Based Attribute**, and then add the following assertion-based attributes:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` |lastname | | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` |email |
- >[!NOTE]
- >The configuration of the Attributes depends on how the application(s) on SCP are developed, that is, which attribute(s) they expect in the SAML response and under which name (Principal Attribute) they access this attribute in the code.
- >
+ >[!NOTE]
+ >The configuration of the Attributes depends on how the application(s) on SCP are developed, that is, which attribute(s) they expect in the SAML response and under which name (Principal Attribute) they access this attribute in the code.
+ >
b. The **Default Attribute** in the screenshot is just for illustration purposes. It is not required to make the scenario work.
In order to enable Azure AD users to log in to SAP Cloud Platform, you must assi
2. Perform the following:
- ![Authorizations](./media/sap-hana-cloud-platform-tutorial/ic790805.png "Authorizations")
+ ![Authorizations](./media/sap-hana-cloud-platform-tutorial/roles.png "Authorizations")
a. Click **Authorization**.
active-directory Sharefile Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sharefile-tutorial.md
Title: 'Tutorial: Azure AD SSO integration with Citrix ShareFile | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Citrix ShareFile'
description: Learn how to configure single sign-on between Azure Active Directory and Citrix ShareFile.
Previously updated : 09/08/2021 Last updated : 09/13/2021 # Tutorial: Azure AD SSO integration with Citrix ShareFile
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Citrix ShareFile single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. * Citrix ShareFile supports **SP** initiated SSO.
-## Adding Citrix ShareFile from the gallery
+## Add Citrix ShareFile from the gallery
To configure the integration of Citrix ShareFile into Azure AD, you need to add Citrix ShareFile from the gallery to your list of managed SaaS apps.
To configure and test Azure AD single sign-on with Citrix ShareFile, perform the
1. **[Create Citrix ShareFile test user](#create-citrix-sharefile-test-user)** - to have a counterpart of Britta Simon in Citrix ShareFile that is linked to the Azure AD representation of user. 3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Identifier (Entity ID)** textbox, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** textbox, type a URL using one of the following patterns:
| **Identifier** | |--|
Follow these steps to enable Azure AD SSO in the Azure portal.
| `https://<tenant-name>.sharefile1.eu/saml/info` | | `https://<tenant-name>.sharefile.eu/saml/info` |
- b. In the **Reply URL** textbox, type a URL using the following pattern:
+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:
| **Reply URL** | |-|
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Citrix ShareFile Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Citrix ShareFile tile in the My Apps, this will redirect to Citrix ShareFile Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the Citrix ShareFile tile in the My Apps, this will redirect to Citrix ShareFile Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
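Review bot: the relative link `../user-help/my-apps-portal-end-user-access.md` replaces the external support.microsoft.com URL; confirm that file exists under articles/active-directory/user-help before merging, since a relative path that does not resolve fails the docs build while the external URL did not.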
active-directory Snowflake Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/snowflake-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Snowflake | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Snowflake'
description: Learn how to configure single sign-on between Azure Active Directory and Snowflake.
Previously updated : 12/27/2020 Last updated : 09/13/2021
-# Tutorial: Azure Active Directory integration with Snowflake
+# Tutorial: Azure AD SSO integration with Snowflake
In this tutorial, you'll learn how to integrate Snowflake with Azure Active Directory (Azure AD). When you integrate Snowflake with Azure AD, you can:
In this tutorial, you'll learn how to integrate Snowflake with Azure Active Dire
To configure Azure AD integration with Snowflake, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Snowflake single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Snowflake single sign-on enabled subscription.
+
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
## Scenario description In this tutorial, you will configure and test Azure AD single sign-on in a test environment. -- Snowflake supports **SP and IDP** initiated SSO-- Snowflake supports [automated user provisioning and deprovisioning](snowflake-provisioning-tutorial.md) (recommended)
+* Snowflake supports **SP and IDP** initiated SSO.
+* Snowflake supports [automated user provisioning and deprovisioning](snowflake-provisioning-tutorial.md) (recommended).
-## Adding Snowflake from the gallery
+## Add Snowflake from the gallery
To configure the integration of Snowflake into Azure AD, you need to add Snowflake from the gallery to your list of managed SaaS apps.
To configure the integration of Snowflake into Azure AD, you need to add Snowfla
Configure and test Azure AD SSO with Snowflake using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Snowflake.
-To configure and test Azure AD SSO with Snowflake, complete the following building blocks:
+To configure and test Azure AD SSO with Snowflake, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Snowflake, complete the following buildi
1. **[Create Snowflake test user](#create-snowflake-test-user)** - to have a counterpart of B.Simon in Snowflake that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png) - ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
> [!NOTE] > This is separate from the context you have selected in the top-right corner under your User Name.
- ![The Snowflake admin](./media/snowflake-tutorial/tutorial_snowflake_accountadmin.png)
+ ![The Snowflake admin](./media/snowflake-tutorial/account.png)
1. Open the **downloaded Base 64 certificate** in notepad. Copy the value between ΓÇ£--BEGIN CERTIFICATE--ΓÇ¥ and ΓÇ£--END CERTIFICATE--" and paste this into the quotation marks next to **certificate** below. In the **ssoUrl**, paste **Login URL** value which you have copied from the Azure portal. Select the **All Queries** and click **Run**.
- ![Snowflake sql](./media/snowflake-tutorial/tutorial_snowflake_sql.png)
+ ![Snowflake sql](./media/snowflake-tutorial/certificate.png)
``` use role accountadmin;
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
alter account set sso_login_page = TRUE; ``` - ### Create Snowflake test user To enable Azure AD users to log in to Snowflake, they must be provisioned into Snowflake. In Snowflake, provisioning is a manual task.
To enable Azure AD users to log in to Snowflake, they must be provisioned into S
2. **Switch Role** to **ACCOUNTADMIN**, by clicking on **profile** on the top right side of page.
- ![The Snowflake admin](./media/snowflake-tutorial/tutorial_snowflake_accountadmin.png)
+ ![The Snowflake admin](./media/snowflake-tutorial/account.png)
3. Create the user by running the below SQL query, ensuring "Login name" is set to the Azure AD username on the worksheet as shown below.
- ![The Snowflake adminsql](./media/snowflake-tutorial/tutorial_snowflake_usersql.png)
+ ![The Snowflake adminsql](./media/snowflake-tutorial/user.png)
``` use role accountadmin; CREATE USER britta_simon PASSWORD = '' LOGIN_NAME = 'BrittaSimon@contoso.com' DISPLAY_NAME = 'Britta Simon'; ```
-### Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Snowflake for which you set up the SSO
-
-You can also use Microsoft My Apps to test the application in any mode. When you click the Snowflake tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Snowflake for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Snowflake for which you set up the SSO.
+You can also use Microsoft My Apps to test the application in any mode. When you click the Snowflake tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Snowflake for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
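Review bot: removing the blank line between the `* Click on **Test this application**...` bullet and the "You can also use Microsoft My Apps..." paragraph turns that paragraph into a lazy continuation of the list item, so it renders inside the bullet; keep the blank line before the paragraph. Also confirm that the new relative target `../user-help/my-apps-portal-end-user-access.md` exists in the repo, since it replaces an external URL and a missing relative file breaks the build.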
-Once you configure Snowflake you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure Snowflake you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
aks Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/policy-reference.md
Title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
aks Private Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/private-clusters.md
The API server endpoint has no public IP address. To manage the API server, you'
* Create a VM in the same Azure Virtual Network (VNet) as the AKS cluster. * Use a VM in a separate network and set up [Virtual network peering][virtual-network-peering]. See the section below for more information on this option. * Use an [Express Route or VPN][express-route-or-VPN] connection.
-* Use the [AKS Run Command feature](#aks-run-command-preview).
+* Use the [AKS Run Command feature](#aks-run-command).
Creating a VM in the same VNET as the AKS cluster is the easiest option. Express Route and VPNs add costs and require additional networking complexity. Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges.
-### AKS Run Command (Preview)
+### AKS Run Command
Today when you need to access a private cluster, you must do so within the cluster virtual network or a peered network or client machine. This usually requires your machine to be connected via VPN or Express Route to the cluster virtual network or a jumpbox to be created in the cluster virtual network. AKS run command allows you to remotely invoke commands in an AKS cluster through the AKS API. This feature provides an API that allows you to, for example, execute just-in-time commands from a remote laptop for a private cluster. This can greatly assist with quick just-in-time access to a private cluster when the client machine is not on the cluster private network while still retaining and enforcing the same RBAC controls and private API server.
-### Register the `RunCommandPreview` preview feature
+### Prerequisites
-To use the new Run Command API, you must enable the `RunCommandPreview` feature flag on your subscription.
-
-Register the `RunCommandPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "RunCommandPreview"
-```
-
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/RunCommandPreview')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
+* The Azure CLI version 2.24.0 or later
### Use AKS Run Command
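Review bot: the removed block was the only visible user of the `[az-feature-register]`, `[az-feature-list]` and `[az-provider-register]` reference-style links; if nothing else in the article uses them, remove their definitions at the bottom of the file too so they do not linger as dead references. The new Prerequisites list names only the CLI version (2.24.0 or later); since the note at the end of this section asks readers to restrict who may use Run Command, the Azure RBAC permission that gates `az aks command invoke` belongs in the prerequisites as well, so that readers know what to grant (or deny) before they try the commands.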
Perform a Helm install and pass the specific values manifest
```azurecli-interactive az aks command invoke -g <resourceGroup> -n <clusterName> -c "helm repo add bitnami https://charts.bitnami.com/bitnami && helm repo update && helm install my-release -f values.yaml bitnami/nginx" -f values.yaml ```
+> [!NOTE]
+> Secure access to the AKS Run Command by assigning the "AKS Run Command role" to specific users and/or groups in combination with Just-in-Time access or Conditional Access policies.
## Virtual network peering
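Review bot: the note says to assign the "AKS Run Command role" but does not name the permission, so a reader cannot build a scoped custom role from it; state the ARM action the feature is gated on (`Microsoft.ContainerService/managedClusters/runcommand/action`, plus read access on the command results) and link the built-in role definition. The security point also deserves a plainer statement: because the command is invoked through the AKS resource provider, this is a path into a private cluster's API server that needs no network access to the VNet at all, so whoever holds that permission in Azure RBAC effectively holds a jump host. Saying that explicitly motivates the Just-in-Time and Conditional Access advice, and it is worth adding that invocations are control-plane operations visible in the subscription Activity Log, which is where an incident responder would look for misuse.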
aks Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
aks Spot Node Pool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/spot-node-pool.md
By default, you create a node pool with a *priority* of *Regular* in your AKS cl
The command also enables the [cluster autoscaler][cluster-autoscaler], which is recommended to use with spot node pools. Based on the workloads running in your cluster, the cluster autoscaler scales up and scales down the number of nodes in the node pool. For spot node pools, the cluster autoscaler will scale up the number of nodes after an eviction if additional nodes are still needed. If you change the maximum number of nodes a node pool can have, you also need to adjust the `maxCount` value associated with the cluster autoscaler. If you do not use a cluster autoscaler, upon eviction, the spot pool will eventually decrease to zero and require a manual operation to receive any additional spot nodes. > [!Important]
-> Only schedule workloads on spot node pools that can handle interruptions, such as batch processing jobs and testing environments. It is recommended that you set up [taints and tolerations][taints-tolerations] on your spot node pool to ensure that only workloads that can handle node evictions are scheduled on a spot node pool. For example, the above command ny default adds a taint of *kubernetes.azure.com/scalesetpriority=spot:NoSchedule* so only pods with a corresponding toleration are scheduled on this node.
+> Only schedule workloads on spot node pools that can handle interruptions, such as batch processing jobs and testing environments. It is recommended that you set up [taints and tolerations][taints-tolerations] on your spot node pool to ensure that only workloads that can handle node evictions are scheduled on a spot node pool. For example, the above command by default adds a taint of *kubernetes.azure.com/scalesetpriority=spot:NoSchedule* so only pods with a corresponding toleration are scheduled on this node.
## Verify the spot node pool
In this article, you learned how to add a spot node pool to an AKS cluster. For
[spot-toleration]: #verify-the-spot-node-pool [taints-tolerations]: operator-best-practices-advanced-scheduler.md#provide-dedicated-nodes-using-taints-and-tolerations [use-multiple-node-pools]: use-multiple-node-pools.md
-[vmss-spot]: ../virtual-machine-scale-sets/use-spot.md
+[vmss-spot]: ../virtual-machine-scale-sets/use-spot.md
api-management Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/policy-reference.md
Title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
app-service App Service Web Restore Snapshots https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-restore-snapshots.md
up your app, see [Scale up an app in Azure](manage-scale-up.md).
## Limitations -- Currently available as public preview for Windows apps only. Linux apps and custom container apps are not supported. - Maximum supported size for snapshot restore is 30GB. Snapshot restore fails if your storage size is greater than 30GB. To reduce your storage size, consider moving files like logs, images, audios, and videos to [Azure Storage](../storage/index.yml), for example. - Any connected database that [standard backup](manage-backup.md#what-gets-backed-up) supports or [mounted Azure storage](configure-connect-to-azure-storage.md?pivots=container-windows) is *not* included in the snapshot. Consider using the native backup capabilities of the connected Azure service (for example, [SQL Database](../azure-sql/database/automated-backups-overview.md) and [Azure Files](../storage/files/storage-snapshots-files.md)). - App Service stops the target app or target slot while restoring a snapshot. To minimize downtime for the production app, restore the snapshot to a [staging slot](deploy-staging-slots.md) first, then swap into production.
up your app, see [Scale up an app in Azure](manage-scale-up.md).
![Screenshot that shows how to specify the restoration destination.](./media/app-service-web-restore-snapshots/3.png) > [!WARNING]
- > If you choose **Overwrite**, all existing data in your app's current file system is erased and overwritten. Before you click **OK**,
- > make sure that it is what you want to do.
+ > As a best practice we recommend restoring to a new slot then performing a swap. If you choose **Overwrite**, all existing data in your app's current file system is erased and overwritten. Before you click **OK**, make sure that it is what you want to do.
> >
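Review bot: the rewritten warning's recommendation ("restore to a new slot then perform a swap") duplicates the last limitation bullet above, which already says to restore to a staging slot first and then swap, and links to deploy-staging-slots.md; either drop the sentence from the warning or reuse the same wording and link so the two statements do not drift apart ("new slot" and "staging slot" read as different things).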
up your app, see [Scale up an app in Azure](manage-scale-up.md).
![Screenshot that shows how to restore site configuration.](./media/app-service-web-restore-snapshots/4.png)
-5. Click **OK**.
+5. Click **OK**.
app-service Configure Authentication File Based https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-authentication-file-based.md
With [App Service authentication](overview-authentication-authorization.md), the
1. Create a new JSON file for your configuration at the root of your project (deployed to D:\home\site\wwwroot in your web / function app). Fill in your desired configuration according to the [file-based configuration reference](#configuration-file-reference). If modifying an existing Azure Resource Manager configuration, make sure to translate the properties captured in the `authsettings` collection into your configuration file.
-2. Modify the existing configuration, which is captured in the [Azure Resource Manager](../azure-resource-manager/management/overview.md) APIs under `Microsoft.Web/sites/<siteName>/config/authsettingsV2`. To modify this, you can use an [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) or a tool like [Azure Resource Explorer](https://resources.azure.com/). Within the authsettingsV2 collection, you will need to set three properties (and may remove others):
+2. Modify the existing configuration, which is captured in the [Azure Resource Manager](../azure-resource-manager/management/overview.md) APIs under `Microsoft.Web/sites/<siteName>/config/authsettingsV2`. To modify this, you can use an [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) or a tool like [Azure Resource Explorer](https://resources.azure.com/). Within the authsettingsV2 collection, you will need to set two properties (and may remove others):
1. Set `platform.enabled` to "true" 2. Set `platform.configFilePath` to the name of the file (for example, "auth.json")
The following exhausts possible configuration options within the file:
## More resources - [Tutorial: Authenticate and authorize users end-to-end](tutorial-auth-aad.md)-- [Environment variables and app settings for authentication](reference-app-settings.md#authentication--authorization)
+- [Environment variables and app settings for authentication](reference-app-settings.md#authentication--authorization)
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-java.md
az webapp list-runtimes --linux | grep "JAVA\|TOMCAT\|JBOSSEAP"
## Deploying your app
-You can use [Azure Web App Plugin for Maven](https://github.com/microsoft/azure-maven-plugins/blob/develop/azure-webapp-maven-plugin/README.md) to deploy your .war or .jar files. Deployment with popular IDEs is also supported with the [Azure Toolkit for IntelliJ](/azure/developer/java/toolkit-for-intellij/) or [Azure Toolkit for Eclipse](/azure/developer/java/toolkit-for-eclipse).
+### Build Tools
-Otherwise, your deployment method will depend on your archive type:
+#### Maven
+With the [Maven Plugin for Azure Web Apps](https://github.com/microsoft/azure-maven-plugins/tree/develop/azure-webapp-maven-plugin), you can prepare your Maven Java project for Azure Web App easily with one command in your project root:
-### Java SE
+```shell
+mvn com.microsoft.azure:azure-webapp-maven-plugin:2.1.0:config
+```
+
+This command adds a `azure-webapp-maven-plugin` plugin and related configuration by prompting you to select an existing Azure Web App or create a new one. Then you can deploy your Java app to Azure using the following command:
+```shell
+mvn package azure-webapp:deploy
+```
+
+Here is a sample configuration in `pom/xml`:
+```xml
+<plugin>
+ <groupId>com.microsoft.azure</groupId>
+ <artifactId>azure-webapp-maven-plugin</artifactId>
+ <version>2.1.0</version>
+ <configuration>
+ <subscriptionId>111111-11111-11111-1111111</subscriptionId>
+ <resourceGroup>spring-boot-xxxxxxxxxx-rg</resourceGroup>
+ <appName>spring-boot-xxxxxxxxxx</appName>
+ <pricingTier>B2</pricingTier>
+ <region>westus</region>
+ <runtime>
+ <os>Linux</os>
+ <webContainer>Java SE</webContainer>
+ <javaVersion>Java 11</javaVersion>
+ </runtime>
+ <deployment>
+ <resources>
+ <resource>
+ <type>jar</type>
+ <directory>${project.basedir}/target</directory>
+ <includes>
+ <include>*.jar</include>
+ </includes>
+ </resource>
+ </resources>
+ </deployment>
+ </configuration>
+</plugin>
+```
+
+#### Gradle
+1. Setup the [Gradle Plugin for Azure Web Apps](https://github.com/microsoft/azure-gradle-plugins/tree/master/azure-webapp-gradle-plugin) by adding the plugin to your `build.gradle`:
+ ```groovy
+ plugins {
+ id "com.microsoft.azure.azurewebapp" version "1.1.0"
+ }
+ ```
+
+1. Configure your Web App details, corresponding Azure resources will be created if not exist.
+Here is a sample configuration, for details, please refer to this [document](https://github.com/microsoft/azure-gradle-plugins/wiki/Webapp-Configuration).
+ ```groovy
+ azurewebapp {
+ subscription = '<your subscription id>'
+ resourceGroup = '<your resource group>'
+ appName = '<your app name>'
+ pricingTier = '<price tier like 'P1v2'>'
+ region = '<region like 'westus'>'
+ runtime {
+ os = 'Linux'
+ webContainer = 'Tomcat 9.0' // or 'Java SE' if you want to run an executable jar
+ javaVersion = 'Java 8'
+ }
+ appSettings {
+ <key> = <value>
+ }
+ auth {
+ type = 'azure_cli' // support azure_cli, oauth2, device_code and service_principal
+ }
+ }
+ ```
+
+1. Deploy with one command.
+ ```shell
+ gradle azureWebAppDeploy
+ ```
+
+### IDEs
+Azure provids seamless Java App Service development experience in popular Java IDEs, including:
+- *VS Code*: [Java Web Apps with Visual Studio Code](https://code.visualstudio.com/docs/java/java-webapp#_deploy-web-apps-to-the-cloud)
+- *IntelliJ IDEA*:[Create a Hello World web app for Azure App Service using IntelliJ](/azure/developer/java/toolkit-for-intellij/create-hello-world-web-app)
+- *Eclipse*:[Create a Hello World web app for Azure App Service using Eclipse](/azure/developer/java/toolkit-for-eclipse/create-hello-world-web-app)
+
+### Kudu API
+#### Java SE
To deploy .jar files to Java SE, use the `/api/publish/` endpoint of the Kudu site. For more information on this API, please see [this documentation](./deploy-zip.md#deploy-warjarear-packages). > [!NOTE] > Your .jar application must be named `app.jar` for App Service to identify and run your application. The Maven Plugin (mentioned above) will automatically rename your application for you during deployment. If you do not wish to rename your JAR to *app.jar*, you can upload a shell script with the command to run your .jar app. Paste the absolute path to this script in the [Startup File](/azure/app-service/faq-app-service-linux#built-in-images) textbox in the Configuration section of the portal. The startup script does not run from the directory into which it is placed. Therefore, always use absolute paths to reference files in your startup script (for example: `java -jar /home/myapp/myapp.jar`).
-### Tomcat
+#### Tomcat
To deploy .war files to Tomcat, use the `/api/wardeploy/` endpoint to POST your archive file. For more information on this API, please see [this documentation](./deploy-zip.md#deploy-warjarear-packages). ::: zone pivot="platform-linux"
-### JBoss EAP
+#### JBoss EAP
To deploy .war files to JBoss, use the `/api/wardeploy/` endpoint to POST your archive file. For more information on this API, please see [this documentation](./deploy-zip.md#deploy-warjarear-packages).
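Review bot: the Gradle sample's `appSettings { <key> = <value> }` block is not valid Groovy and will fail to parse if a reader copies it; show a real pair (for example `WEBSITES_PORT = '8080'`) or replace the line with a comment saying what to put there. The `auth` comment lists `service_principal` as a supported type but the sample never says where those credentials are configured; link the plugin's auth documentation so readers do not end up placing secrets in `build.gradle`. Smaller fixes in the same hunk: `pom/xml` should be `pom.xml`; "Setup the Gradle Plugin" should be "Set up"; "provids" should be "provides"; "corresponding Azure resources will be created if not exist" should be "the corresponding Azure resources are created if they do not exist"; and the IntelliJ and Eclipse bullets are missing a space after the colon.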
app-service Manage Create Arc Environment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-create-arc-environment.md
While a [Log Analytic workspace](../azure-monitor/logs/quick-create-workspace.md
--workspace-name $workspaceName \ --query customerId \ --output tsv)
- logAnalyticsWorkspaceIdEnc=$(printf %s $logAnalyticsWorkspaceId | base64) # Needed for the next step
+ logAnalyticsWorkspaceIdEnc=$(printf %s $logAnalyticsWorkspaceId | base64 -w0) # Needed for the next step
logAnalyticsKey=$(az monitor log-analytics workspace get-shared-keys \ --resource-group $groupName \ --workspace-name $workspaceName \ --query primarySharedKey \ --output tsv)
- logAnalyticsKeyEncWithSpace=$(printf %s $logAnalyticsKey | base64)
- logAnalyticsKeyEnc=$(echo -n "${logAnalyticsKeyEncWithSpace//[[:space:]]/}") # Needed for the next step
+ logAnalyticsKeyEnc=$(printf %s $logAnalyticsKey | base64 -w0) # Needed for the next step
``` # [PowerShell](#tab/powershell)
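Review bot: `base64 -w0` is a GNU coreutils option, and the BSD `base64` shipped with macOS rejects `-w` with an illegal-option error, so the rewritten `logAnalyticsWorkspaceIdEnc` and `logAnalyticsKeyEnc` lines break for anyone running the Bash tab from a Mac, whereas the removed `${logAnalyticsKeyEncWithSpace//[[:space:]]/}` form was portable. A replacement that works on both and still avoids wrapped output is `$(printf %s "$logAnalyticsKey" | base64 | tr -d '\n')`; quoting the variable while you are there is also the safer habit for values that are fed into a credential.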
app-service Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/policy-reference.md
Title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
attestation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/policy-reference.md
Title: Built-in policy definitions for Azure Attestation description: Lists Azure Policy built-in policy definitions for Azure Attestation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
automation Automation Child Runbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-child-runbooks.md
Title: Create modular runbooks in Azure Automation
description: This article tells how to create a runbook that is called by another runbook. Previously updated : 01/17/2019- Last updated : 09/13/2021+
+#Customer intent: As a developer, I want create modular runbooks so that I can be more efficient.
-# Create modular runbooks
-It is a recommended practice in Azure Automation to write reusable, modular runbooks with a discrete function that is called by other runbooks. A parent runbook often calls one or more child runbooks to perform required functionality.
+# Create modular runbooks in Automation
-There are two ways to call a child runbook, and there are distinct differences that you should understand to be able to determine which is best for your scenarios. The following table summarizes the differences between the two ways to call one runbook from another.
+It's a recommended practice in Azure Automation to write reusable, modular runbooks with a discrete function that is called by other runbooks. A parent runbook often calls one or more child runbooks to perform required functionality.
+
+There are two ways to call a child runbook, and there are distinct differences that you should understand to determine which is best for your scenario(s). The following table summarizes the differences between the two ways to call one runbook from another.
| | Inline | Cmdlet | |: |: |: |
There are two ways to call a child runbook, and there are distinct differences t
| **Output** |Parent runbook can directly get output from child runbook. |Parent runbook must retrieve output from child runbook job *or* parent runbook can directly get output from child runbook. | | **Parameters** |Values for the child runbook parameters are specified separately and can use any data type. |Values for the child runbook parameters have to be combined into a single hashtable. This hashtable can only include simple, array, and object data types that use JSON serialization. | | **Automation Account** |Parent runbook can only use child runbook in the same Automation account. |Parent runbooks can use a child runbook from any Automation account, from the same Azure subscription, and even from a different subscription to which you have a connection. |
-| **Publishing** |Child runbook must be published before parent runbook is published. |Child runbook is published any time before parent runbook is started. |
+| **Publishing** |Child runbook must be published before parent runbook is published. |Child runbook is published anytime before parent runbook is started. |
## Invoke a child runbook using inline execution To invoke a runbook inline from another runbook, use the name of the runbook and provide values for its parameters, just like you would use an activity or a cmdlet. All runbooks in the same Automation account are available to all others to be used in this manner. The parent runbook waits for the child runbook to complete before moving to the next line, and any output returns directly to the parent.
-When you invoke a runbook inline, it runs in the same job as the parent runbook. There is no indication in the job history of the child runbook. Any exceptions and any stream outputs from the child runbook are associated with the parent. This behavior results in fewer jobs and makes them easier to track and to troubleshoot.
+When you invoke a runbook inline, it runs in the same job as the parent runbook. There's no indication in the job history of the child runbook. Any exceptions and any stream outputs from the child runbook are associated with the parent. This behavior results in fewer jobs and makes them easier to track and to troubleshoot.
-When a runbook is published, any child runbooks that it calls must already be published. The reason is that Azure Automation builds an association with any child runbooks when it compiles a runbook. If the child runbooks have not already been published, the parent runbook appears to publish properly but generates an exception when it is started. If this happens, you can republish the parent runbook to properly reference the child runbooks. You do not need to republish the parent runbook if any child runbook is changed because the association has already been created.
+When a runbook is published, any child runbooks that it calls must already be published. The reason is that Azure Automation builds an association with any child runbooks when it compiles a runbook. If the child runbooks haven't already been published, the parent runbook appears to publish properly but generates an exception when it's started. If this happens, you can republish the parent runbook to properly reference the child runbooks. You don't need to republish the parent runbook if any child runbook is changed because the association has already been created.
-The parameters of a child runbook called inline can be of any data type, including complex objects. There is no [JSON serialization](start-runbooks.md#work-with-runbook-parameters), as there is when you start the runbook using the Azure portal or with the [Start-AzAutomationRunbook](/powershell/module/Az.Automation/Start-AzAutomationRunbook) cmdlet.
+The parameters of a child runbook called inline can be of any data type, including complex objects. There's no [JSON serialization](start-runbooks.md#work-with-runbook-parameters), as there is when you start the runbook using the Azure portal or with the [Start-AzAutomationRunbook](/powershell/module/Az.Automation/Start-AzAutomationRunbook) cmdlet.
### Runbook types
When your runbook calls a graphical or PowerShell Workflow child runbook using i
The following example starts a test child runbook that accepts a complex object, an integer value, and a boolean value. The output of the child runbook is assigned to a variable. In this case, the child runbook is a PowerShell Workflow runbook.
-```azurepowershell-interactive
+```powershell
$vm = Get-AzVM -ResourceGroupName "LabRG" -Name "MyVM" $output = PSWF-ChildRunbook -VM $vm -RepeatCount 2 -Restart $true ```
-Here is the same example using a PowerShell runbook as the child.
+Here's the same example using a PowerShell runbook as the child.
-```azurepowershell-interactive
+```powershell
$vm = Get-AzVM -ResourceGroupName "LabRG" -Name "MyVM" $output = .\PS-ChildRunbook.ps1 -VM $vm -RepeatCount 2 -Restart $true ```
You can use `Start-AzAutomationRunbook` to start a runbook as described in [To s
The job from a child runbook started with a cmdlet runs separately from the parent runbook job. This behavior results in more jobs than starting the runbook inline, and makes the jobs more difficult to track. The parent can start more than one child runbook asynchronously without waiting for each to complete. For this parallel execution calling the child runbooks inline, the parent runbook must use the [parallel keyword](automation-powershell-workflow.md#use-parallel-processing).
-Child runbook output does not return to the parent runbook reliably because of timing. In addition, variables such as `$VerbosePreference`, `$WarningPreference`, and others might not be propagated to the child runbooks. To avoid these issues, you can start the child runbooks as separate Automation jobs using `Start-AzAutomationRunbook` with the `Wait` parameter. This technique blocks the parent runbook until the child runbook is complete.
+Child runbook output doesn't return to the parent runbook reliably because of timing. Also, variables such as `$VerbosePreference`, `$WarningPreference`, and others might not be propagated to the child runbooks. To avoid these issues, you can start the child runbooks as separate Automation jobs using `Start-AzAutomationRunbook` with the `Wait` parameter. This technique blocks the parent runbook until the child runbook is complete.
If you don't want the parent runbook to be blocked on waiting, you can start the child runbook using `Start-AzAutomationRunbook` without the `Wait` parameter. In this case, your runbook must use [Get-AzAutomationJob](/powershell/module/az.automation/get-azautomationjob) to wait for job completion. It must also use [Get-AzAutomationJobOutput](/powershell/module/az.automation/get-azautomationjoboutput) and [Get-AzAutomationJobOutputRecord](/powershell/module/az.automation/get-azautomationjoboutputrecord) to retrieve the results.
If jobs within the same Automation account work with more than one subscription,
The following example starts a child runbook with parameters and then waits for it to complete using the `Start-AzAutomationRunbook` cmdlet with the `Wait` parameter. Once completed, the example collects cmdlet output from the child runbook. To use `Start-AzAutomationRunbook`, the script must authenticate to your Azure subscription.
-```azurepowershell-interactive
+```powershell
# Ensure that the runbook does not inherit an AzContext Disable-AzContextAutosave -Scope Process
-# Connect to Azure with Run As account
-$ServicePrincipalConnection = Get-AzAutomationConnection -Name 'AzureRunAsConnection'
-
-Connect-AzAccount `
- -ServicePrincipal `
- -Tenant $ServicePrincipalConnection.TenantId `
- -ApplicationId $ServicePrincipalConnection.ApplicationId `
- -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
+# Connect to Azure with user-assigned managed identity
+Connect-AzAccount -Identity
+$identity = Get-AzUserAssignedIdentity -ResourceGroupName <ResourceGroupName> -Name <UserAssignedManagedIdentity>
+Connect-AzAccount -Identity -AccountId $identity.ClientId
-$AzureContext = Set-AzContext -SubscriptionId $ServicePrincipalConnection.SubscriptionID
+$AzureContext = Set-AzContext -SubscriptionId ($identity.id -split "/")[2]
$params = @{"VMName"="MyVM";"RepeatCount"=2;"Restart"=$true}
Start-AzAutomationRunbook `
## Next steps
-* To run run your runbook, see [Start a runbook in Azure Automation](start-runbooks.md).
+* To run your runbook, see [Start a runbook in Azure Automation](start-runbooks.md).
* For monitoring of runbook operation, see [Runbook output and messages in Azure Automation](automation-runbook-output-and-messages.md).
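Review bot: the rewritten sign-in block calls `Connect-AzAccount -Identity` twice, and the first call (no `-AccountId`) authenticates as the Automation account's system-assigned identity; that identity must therefore exist and be permitted to read the user-assigned identity resource for `Get-AzUserAssignedIdentity` to succeed, otherwise the script fails before the user-assigned identity is ever used. Either state that prerequisite or keep only the second call with the client ID supplied directly. `Get-AzUserAssignedIdentity` comes from the Az.ManagedServiceIdentity module, so the text should note that the module must be available in the Automation account. `<ResourceGroupName>` and `<UserAssignedManagedIdentity>` are angle-bracket placeholders that PowerShell refuses to parse (`<` is reserved), so mark them as values to replace. `($identity.id -split "/")[2]` does extract the subscription ID correctly, since index 0 is the empty string before the leading slash. Minor: the `#Customer intent` comment is missing "to" ("I want to create"), and "scenario(s)" reads better as "scenario".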
automation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/policy-reference.md
Title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
automation Runbook Input Parameters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/runbook-input-parameters.md
Title: Configure runbook input parameters in Azure Automation
description: This article tells how to configure runbook input parameters, which allow data to be passed to a runbook when it's started. Previously updated : 02/14/2019 Last updated : 09/13/2021
-# Configure runbook input parameters
+
+# Configure runbook input parameters in Automation
Runbook input parameters increase the flexibility of a runbook by allowing data to be passed to it when it's started. These parameters allow runbook actions to be targeted for specific scenarios and environments. This article describes the configuration and use of input parameters in your runbooks.
Type the following code in a text file, and save it as **test.json** somewhere o
### Create the runbook
-Create a new PowerShell runbook named **Test-Json** in Azure Automation. See [My first PowerShell runbook](./learn/powershell-runbook-managed-identity.md).
+Create a new PowerShell runbook named **Test-Json** in Azure Automation.
To accept the JSON data, the runbook must take an object as an input parameter. The runbook can then use the properties defined in the JSON file.
Param(
[object]$json )
-# Connect to Azure account
-$Conn = Get-AutomationConnection -Name AzureRunAsConnection
-Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID `
- -ApplicationID $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
+# Connect to Azure with user-assigned managed identity
+Connect-AzAccount -Identity
+$identity = Get-AzUserAssignedIdentity -ResourceGroupName <ResourceGroupName> -Name <UserAssignedManagedIdentity>
+Connect-AzAccount -Identity -AccountId $identity.ClientId
# Convert object to actual JSON $json = $json | ConvertFrom-Json
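Review bot: same problem as in automation-child-runbooks: the added block signs in with `Connect-AzAccount -Identity`, which uses the system-assigned identity, before looking up the user-assigned identity and signing in a second time, so the system-assigned identity must exist and be allowed to read that identity resource; document that or drop the first call and pass the client ID to `-AccountId` directly. The `<ResourceGroupName>` and `<UserAssignedManagedIdentity>` placeholders do not parse in PowerShell and need a "replace these" note. The removed link to "My first PowerShell runbook" was the only pointer to how the **Test-Json** runbook gets created; consider keeping a reference to the managed-identity version of that article.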
automation Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-app-configuration Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/policy-reference.md
Title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-app-configuration Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021 #
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-arc Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-cache-for-redis Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/policy-reference.md
Title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-cache-for-redis Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-functions Create First Function Vs Code Csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-vs-code-csharp.md
There's also a [CLI-based version](create-first-function-cli-csharp.md) of this
Before you get started, make sure you have the following requirements in place:
-# [In-process](#tab/in-process)
+# [In-process](#tab/in-process)
+++ [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) + [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 3.x.
Before you get started, make sure you have the following requirements in place:
+ [.NET 5.0 SDK](https://dotnet.microsoft.com/download) ++ [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download). Required by the build process.+ + [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 3.x. + [Visual Studio Code](https://code.visualstudio.com/) on one of the [supported platforms](https://code.visualstudio.com/docs/supporting/requirements#_platforms).
azure-government Documentation Government Get Started Connect With Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-get-started-connect-with-ps.md
When you start PowerShell, you have to tell Azure PowerShell to connect to Azure
| Connection type | Command | | | |
-| [Azure](/powershell/module/az.accounts/Connect-AzAccount) commands |`Connect-AzAccount -EnvironmentName AzureUSGovernment` |
+| [Azure](/powershell/module/az.accounts/Connect-AzAccount) commands |`Connect-AzAccount -Environment AzureUSGovernment` |
| [Azure Active Directory](/powershell/module/azuread/connect-azuread) commands |`Connect-AzureAD -AzureEnvironmentName AzureUSGovernment` | | [Azure (Classic deployment model)](/powershell/module/servicemanagement/azure.service/add-azureaccount) commands |`Add-AzureAccount -Environment AzureUSGovernment` | | [Azure Active Directory (Classic deployment model)](/previous-versions/azure/jj151815(v=azure.100)) commands |`Connect-MsolService -AzureEnvironment UsGovernment` |
Get-AzureLocation # For classic deployment model
This quickstart showed you how to use PowerShell to connect to Azure Government. Once you are connected to Azure Government, you may want to explore Azure services. Make sure you check out the variations, described in [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md). To learn more about Azure services, continue to the Azure documentation. > [!div class="nextstepaction"]
-> [Azure documentation](../index.yml)
+> [Azure documentation](../index.yml)
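Review bot: the rename to `-Environment` matches the documented parameter name of `Connect-AzAccount`, and `EnvironmentName` remains as an alias, so existing scripts keep working; the untouched rows (`-AzureEnvironmentName` for `Connect-AzureAD`, `-Environment` for `Add-AzureAccount`) are still correct for their modules. The `> [Azure documentation](../index.yml)` line is removed and re-added unchanged, a whitespace-only edit worth calling out in the commit message.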
azure-monitor Logicapp Flow Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logicapp-flow-connector.md
The Azure Monitor Logs connector has these limits:
* Max query timeout 110 second * Chart visualizations could be available in Logs page and missing in the connector since the connector and Logs page don't use the same charting libraries currently
-The connector may reach limits depending on the query you use and the size of the results. You can often avoid such cases by adjusting the flow recurrence to run more frequent on smaller time range, or aggregate data to reduce the results size. Frequent queries with lower intervals than 100 seconds arenΓÇÖt recommended due to caching.
+The connector may reach limits depending on the query you use and the size of the results. You can often avoid such cases by adjusting the flow recurrence to run more frequent on smaller time range, or aggregate data to reduce the results size. Frequent queries with lower intervals than 120 seconds arenΓÇÖt recommended due to caching.
## Actions The following table describes the actions included with the Azure Monitor Logs connector. Both allow you to run a log query against a Log Analytics workspace or Application Insights application. The difference is in the way the data is returned.
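Review bot: the added line carries over a mis-encoded apostrophe in `arenΓÇÖt` (should be `aren't`), and "run more frequent on smaller time range" should read "run more frequently over a smaller time range". The change from 100 to 120 seconds is the only substantive edit in this hunk, so the commit message should state it explicitly rather than leaving readers to diff the two long lines.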
azure-monitor Logs Data Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-data-export.md
Currently, there are no additional charges for the data export feature. Pricing
## Export destinations
+Data export destination must be created before creating the export rule in your workspace. The destination does not have to be in the same subscription as your workspace. When using Azure Lighthouse, it is also possible to have data sent to a destination in another Azure Active Directory tenant.
+ ### Storage account
-Data is sent to storage accounts as it reaches Azure Monitor and stored in hourly append blobs. The data export configuration creates a container for each table in the storage account with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to a container named *am-SecurityEvent*.
-Data is sent to storage accounts as it reaches Azure Monitor and stored in append blobs. The data export configuration creates a container for each table in the storage account a prefix *am-* followed by the name of the table. For example, *SecurityEvent* is exported to a container named *am-SecurityEvent*.
+You need to have 'write' permissions to both workspace and destination to configure data export rule. You shouldn't use an existing storage account that has other, non-monitoring data stored in it so that you can better control access to the data and prevent reaching storage ingestion rate limit and throttling.
-The storage account blob path is in hourly blob path. Starting 15-October 2021, the blob path is in 5 minutes granularity: *WorkspaceResourceId=/subscriptions/subscription-id/resourcegroups/\<resource-group\>/providers/microsoft.operationalinsights/workspaces/\<workspace\>/y=\<four-digit numeric year\>/m=\<two-digit numeric month\>/d=\<two-digit numeric day\>/h=\<two-digit 24-hour clock hour\>/m=\<two-digit 60-minute clock minute\>/PT05M.json*. Since append blobs are limited to 50K writes in storage, the number of exported blobs may extend if the number of appends is high. The naming pattern for blobs in such a case would be PT05M_#.json*, where # is the incremental blob count.
+To send data to immutable storage, set the immutable policy for the storage account as described in [Set and manage immutability policies for Blob storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this article including enabling protected append blobs writes.
-The storage account data format is [JSON lines](../essentials/resource-logs-blob-format.md). This means each record is delimited by a newline, with no outer records array and no commas between JSON records.
+The storage account must be StorageV1 or above and in the same region as your workspace. If you need to replicate your data to other storage accounts in other regions, you can use any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) including GRS and GZRS.
-[![Storage sample data](media/logs-data-export/storage-data.png)](media/logs-data-export/storage-data.png#lightbox)
+Data is sent to storage accounts as it reaches Azure Monitor and stored in hourly append blobs. The export rule setting creates a container for each table in the storage account with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to a container named *am-SecurityEvent*.
+
+Starting 15-October 2021, blobs are stored in 5 minutes folders in the following path structure: *WorkspaceResourceId=/subscriptions/subscription-id/resourcegroups/\<resource-group\>/providers/microsoft.operationalinsights/workspaces/\<workspace\>/y=\<four-digit numeric year\>/m=\<two-digit numeric month\>/d=\<two-digit numeric day\>/h=\<two-digit 24-hour clock hour\>/m=\<two-digit 60-minute clock minute\>/PT05M.json*. Since append blobs are limited to 50K writes in storage, the number of exported blobs may extend if the number of appends is high. The naming pattern for blobs in such case would be PT05M_#.json*, where # is the incremental blob count.
-Log Analytics data export can write append blobs to immutable storage accounts when time-based retention policies have the *allowProtectedAppendWrites* setting enabled. This allows writing new blocks to an append blob, while maintaining immutability protection and compliance. See [Allow protected append blobs writes](../../storage/blobs/immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).
+The storage account data format is in [JSON lines](../essentials/resource-logs-blob-format.md). This means that each record is delimited by a newline, with no outer records array and no commas between JSON records.
+
+[![Storage sample data](media/logs-data-export/storage-data.png)](media/logs-data-export/storage-data.png#lightbox)
### Event hub
-Data is sent to your event hub in near-real-time as it reaches Azure Monitor. An event hub is created for each data type that you export with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to an event hub named *am-SecurityEvent*. If you want the exported data to reach a specific event hub, or if you have a table with a name that exceeds the 47 character limit, you can provide your own event hub name and export all data for defined tables to it.
+
+You need to have 'write' permissions to both workspace and destination to configure data export rule. The shared access policy for the event hub namespace defines the permissions that the streaming mechanism has. Streaming to event hub requires Manage, Send, and Listen permissions. To update the export rule, you must have the ListKey permission on that Event Hubs authorization rule.
+
+The event hub namespace needs to be in the same region as your workspace.
+
+Data is sent to your event hub as it reaches Azure Monitor. An event hub is created for each data type that you export with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to an event hub named *am-SecurityEvent*. If you want the exported data to reach a specific event hub, or if you have a table with a name that exceeds the 47 character limit, you can provide your own event hub name and export all data for defined tables to it.
> [!IMPORTANT] > The [number of supported event hubs per 'Basic' and 'Standard' namespaces tiers is 10](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). If you export more than 10 tables, either split the tables between several export rules to different event hub namespaces, or provide event hub name in the export rule and export all tables to that event hub.
-Considerations:
-1. The 'Basic' event hub SKU supports a lower event size [limit](../../event-hubs/event-hubs-quotas.md#basic-vs-standard-vs-premium-vs-dedicated-tiers) and some logs in your workspace can exceed it and be dropped. We recommend using a 'Standard' or 'Dedicated' event hub as an export destination.
+Considerations for event hub namespace:
+1. The 'Basic' event hub SKU supports a lower event size [limit](../../event-hubs/event-hubs-quotas.md#basic-vs-standard-vs-premium-vs-dedicated-tiers) and some logs in your workspace might exceed it and be dropped. We recommend using a 'Standard' or 'Dedicated' event hub as an export destination.
2. The volume of exported data often increases over time, and the event hub scale needs to be increased to handle larger transfer rates and avoid throttling scenarios and data latency. You should use the auto-inflate feature of Event Hubs to automatically scale up and increase the number of throughput units to meet usage needs. See [Automatically scale up Azure Event Hubs throughput units](../../event-hubs/event-hubs-auto-inflate.md) for details.
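Review bot: the new permissions sentence (`Streaming to event hub requires Manage, Send, and Listen permissions`) hands the export a Manage-capable shared access policy without saying why; since the same section states that `An event hub is created for each data type that you export`, say explicitly that Manage is needed because the rule creates the `am-<table>` hubs in the namespace, so readers don't "least-privilege" the policy down to Send and then get a failing export. Also check the spelling of `ListKey permission` against the authorization-rule action name (the ARM action is listKeys), and the carried-over typo `would sent to an event hub` should be `would be sent to an event hub`.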
-## Prerequisites
-The following prerequisites must be completed before configuring Log Analytics data export:
--- Destinations must be created prior to the export rule configuration and should be in the same region as your Log Analytics workspace. If you need to replicate your data to other storage accounts, you can use any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) including GRS and GZRS.-- The storage account must be StorageV1 or above. Classic storage is not supported.-- If you have configured your storage account to allow access from selected networks, you need to add an exception in your storage account settings to allow Azure Monitor to write to your storage.
+> [!NOTE]
+> Azure Monitor data export can't access event hub resources when virtual networks are enabled. You have to enable the Allow trusted Microsoft services to bypass this firewall setting in Event Hub, so that Azure Monitor data export is granted access to your Event Hubs resources.
## Enable data export The following steps must be performed to enable Log Analytics data export. See the following sections for more details on each.
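Review bot: the removed prerequisites drop three storage-account requirements that the replacement NOTE does not carry over: the account must be `StorageV1 or above` (classic unsupported), destinations must be in the same region as the workspace (the new text states this only for the event hub namespace), and `If you have configured your storage account to allow access from selected networks, you need to add an exception in your storage account settings to allow Azure Monitor to write to your storage`. The new NOTE covers only the Event Hubs trusted-services bypass. If these moved to the storage account section, fine; otherwise restore them, because a storage firewall without that exception will block the export.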
azure-monitor Resource Manager Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/resource-manager-cluster.md
The following sample creates a new empty Log Analytics cluster.
{ "name": "[parameters('clusterName')]", "type": "Microsoft.OperationalInsights/clusters",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2021-06-01",
"location": "[resourceGroup().location]", "identity": { "type": "SystemAssigned"
The following sample updates a Log Analytics cluster to use customer-managed key
{ "name": "[parameters('clusterName')]", "type": "Microsoft.OperationalInsights/clusters",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2021-06-01",
"location": "[resourceGroup().location]", "identity": { "type": "SystemAssigned"
The following sample updates a Log Analytics cluster to use customer-managed key
* [Get other sample templates for Azure Monitor](../resource-manager-samples.md). * [Learn more about Log Analytics dedicated clusters](./logs-dedicated-clusters.md).
-* [Learn more about agent data sources](../agents/agent-data-sources.md).
+* [Learn more about agent data sources](../agents/agent-data-sources.md).
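Review bot: the `apiVersion` bump to `2021-06-01` is applied to both cluster samples, but the hunk shows no accompanying property changes; confirm that the `identity` block and the customer-managed-key properties in both samples are still valid under the newer version. The last pair of lines (`* [Learn more about agent data sources]...`) is identical in the visible text, so that change is presumably only trailing whitespace or a missing final newline.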
azure-monitor Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/policy-reference.md
Title: Built-in policy definitions for Azure Monitor description: Lists Azure Policy built-in policy definitions for Azure Monitor. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-monitor Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-netapp-files Azure Netapp Files Solution Architectures https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md
na ms.devlang: na Previously updated : 09/08/2021 Last updated : 09/13/2021 # Solution architectures using Azure NetApp Files
This section provides references to SAP on Azure solutions.
* [SAP HANA scale-out with standby node on Azure VMs with Azure NetApp Files on Red Hat Enterprise Linux](../virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-rhel.md) * [SAP HANA scale-out with HSR and Pacemaker on RHEL - Azure Virtual Machines](../virtual-machines/workloads/sap/sap-hana-high-availability-scale-out-hsr-rhel.md) * [Azure Application Consistent Snapshot tool (AzAcSnap)](azacsnap-introduction.md)
+* [SAP HANA Disaster Recovery with Azure NetApp Files](https://docs.netapp.com/us-en/netapp-solutions-sap/pdfs/sidebar/SAP_HANA_Disaster_Recovery_with_Azure_NetApp_Files.pdf)
### SAP AnyDB
azure-portal Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/policy-reference.md
Title: Built-in policy definitions for Azure portal description: Lists Azure Policy built-in policy definitions for Azure portal. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-resource-manager Bicep Functions Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/bicep-functions-files.md
Title: Bicep functions - files description: Describes the functions to use in a Bicep file to load content from a file. Previously updated : 09/09/2021 Last updated : 09/13/2021 # File functions for Bicep
This article describes the Bicep functions for loading content from external fil
`loadFileAsBase64(filePath)`
-Loads the content of the specified file as a base64 string.
+Loads the file as a base64 string.
### Parameters
Loads the content of the specified file as a base64 string.
### Remarks
-Use this function when you have base64 content that is stored in a separate file. Rather than duplicating the content into your Bicep file, load the content with this function. The file is loaded when the Bicep file is compiled to a JSON template. During deployment, the JSON template contains the contents of the file as a hard-coded string.
+Use this function when you have binary content you would like to include in deployment. Rather than manually encoding the file to a base64 string and adding it to your Bicep file, load the file with this function. The file is loaded when the Bicep file is compiled to a JSON template. During deployment, the JSON template contains the contents of the file as a hard-coded string.
This function requires **Bicep version 0.4.412 or later**.
The maximum allowed size of the file is **96 Kb**.
### Return value
-The contents of the file as a base64 string.
+The file as a base64 string.
## loadTextContent
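Review bot: the rewritten remark states the consequence without drawing it out: `During deployment, the JSON template contains the contents of the file as a hard-coded string` means anything passed to `loadFileAsBase64` ends up in the compiled template and therefore in the deployment history, so the remark should warn against loading files that hold secrets (certificates with private keys, connection strings). Two consistency nits: the Parameters description still reads `Loads the content of the specified file as a base64 string.` while the summary and Return value were shortened to `Loads the file as a base64 string.`; and `96 Kb` in the size limit should be `96 KB` (kilobytes, not kilobits).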
azure-resource-manager Child Resource Name Type https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/child-resource-name-type.md
description: Describes how to set the name and type for child resources in Bicep
Previously updated : 06/01/2021 Last updated : 09/13/2021 # Set name and type for child resources in Bicep Child resources are resources that exist only within the context of another resource. For example, a [virtual machine extension](/azure/templates/microsoft.compute/virtualmachines/extensions) can't exist without a [virtual machine](/azure/templates/microsoft.compute/virtualmachines). The extension resource is a child of the virtual machine.
-Each parent resource accepts only certain resource types as child resources. The resource type for the child resource includes the resource type for the parent resource. For example, `Microsoft.Web/sites/config` and `Microsoft.Web/sites/extensions` are both child resources of the `Microsoft.Web/sites`. The accepted resource types are specified in the [template schema](https://github.com/Azure/azure-resource-manager-schemas) of the parent resource.
+Each parent resource accepts only certain resource types as child resources. The hierarchy of resource types is available in the [Bicep resource reference](/azure/templates/).
-In Bicep, you can specify the child resource either within the parent resource or outside of the parent resource. The values you provide for the resource name and resource type vary based on whether the child resource is defined inside or outside of the parent resource.
+This article show different ways you can declare a child resource.
### Microsoft Learn To learn more about child resources, and for hands-on guidance, see [Deploy child and extension resources by using Bicep](/learn/modules/child-extension-bicep-templates) on **Microsoft Learn**.
+## Name and type pattern
+
+In Bicep, you can specify the child resource either within the parent resource or outside of the parent resource. The values you provide for the resource name and resource type vary based on how you declare the child resource. However, the full name and type always resolve to the same pattern.
+
+The **full name** of the child resource uses the pattern:
+
+```bicep
+{parent-resource-name}/{child-resource-name}
+```
+
+If you have more two levels in the hierarchy, keep repeating parent names:
+
+```bicep
+{parent-resource-name}/{child-level1-resource-name}/{child-level2-resource-name}
+```
+
+The **full type** of the child resource uses the pattern:
+
+```bicep
+{resource-provider-namespace}/{parent-resource-type}/{child-resource-type}
+```
+
+If you have more than two levels in the hierarchy, keep repeating parent resource types:
+
+```bicep
+{resource-provider-namespace}/{parent-resource-type}/{child-level1-resource-type}/{child-level2-resource-type}
+```
+
+If you count the segments between `/` characters, the number of segments in the type is always one more than the number of segments in the name.
+ ## Within parent resource The following example shows the child resource included within the resources property of the parent resource.
resource <parent-resource-symbolic-name> '<resource-type>@<api-version>' = {
A nested resource declaration must appear at the top level of syntax of the parent resource. Declarations may be nested arbitrarily deep, as long as each level is a child type of its parent resource.
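Review bot: two typos in the rewritten intro and the new Name and type pattern section: `This article show different ways you can declare a child resource.` should be `This article shows...`, and `If you have more two levels in the hierarchy` should be `If you have more than two levels in the hierarchy`, matching the parallel sentence for the type pattern.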
-When defined within the parent resource type, you format the type and name values as a single segment without slashes. The following example shows a storage account with a file service and file share. The file service's name is set to **default** and its type is set to **fileServices**. The file share's name is set **exampleshare** and its type is set to **shares**.
+When defined within the parent resource type, you format the type and name values as a single segment without slashes. The following example shows a storage account with a child resource for the file service, and the file service has a child resource for the file share. The file service's name is set to `default` and its type is set to `fileServices`. The file share's name is set `exampleshare` and its type is set to `shares`.
-```bicep
-resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = {
- name: 'examplestorage'
- location: resourceGroup().location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
-
- resource service 'fileServices' = {
- name: 'default'
-
- resource share 'shares' = {
- name: 'exampleshare'
- }
- }
-}
-```
The full resource types are still `Microsoft.Storage/storageAccounts/fileServices` and `Microsoft.Storage/storageAccounts/fileServices/shares`. You don't provide `Microsoft.Storage/storageAccounts/` because it's assumed from the parent resource type and version. The nested resource may optionally declare an API version using the syntax `<segment>@<version>`. If the nested resource omits the API version, the API version of the parent resource is used. If the nested resource specifies an API version, the API version specified is used.
-The child resource names are set to **default** and **exampleshare** but the full names include the parent names. You don't provide **examplestorage** or **default** because they're assumed from the parent resource.
+The child resource names are set to `default` and `exampleshare` but the full names include the parent names. You don't provide `examplestorage` or `default` because they're assumed from the parent resource.
A nested resource can access properties of its parent resource. Other resources declared inside the body of the same parent resource can reference each other by using the symbolic names. A parent resource may not access properties of the resources it contains, this attempt would cause a cyclic-dependency.
When defined outside of the parent resource, you format the type and with slashe
The following example shows a storage account, file service, and file share that are all defined at the root level.
-```bicep
-resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = {
- name: 'examplestorage'
- location: resourceGroup().location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
-}
-resource service 'Microsoft.Storage/storageAccounts/fileServices@2021-02-01' = {
- name: 'default'
- parent: storage
-}
+Referencing the child resource symbolic name works the same as referencing the parent.
-resource share 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-02-01' = {
- name: 'exampleshare'
- parent: service
-}
-```
+## Full resource name outside parent
-Referencing the child resource symbolic name works the same as referencing the parent.
+You can also use the full resource name and type when declaring the child resource outside the parent. You don't set the parent property on the child resource. Because the dependency can't be inferred, you must set it explicitly.
++
+> [!IMPORTANT]
+> Setting the full resource name and type isn't the recommended approach. It's not as type safe as using one of the other approaches.
## Next steps
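Review bot: both Bicep samples are deleted (the nested `resource storage 'Microsoft.Storage/storageAccounts@2021-02-01'` block and the root-level `resource service 'Microsoft.Storage/storageAccounts/fileServices@2021-02-01'` / `resource share ...` declarations) while the surrounding prose still says `The following example shows a storage account with a child resource for the file service...` and, later, that the three resources `are all defined at the root level`; unless an include now supplies them, those sentences point at nothing and the explanation of full names and API-version inheritance loses its referent. The new Full resource name outside parent section also says `you must set it explicitly` without naming `dependsOn`; a one-line sample there would match the other two sections.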
azure-resource-manager Parameters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/parameters.md
description: Describes how to define parameters in a Bicep file.
Previously updated : 09/02/2021 Last updated : 09/13/2021 # Parameters in Bicep
Each parameter must be set to one of the [data types](data-types.md).
To learn more about parameters, and for hands-on guidance, see [Build reusable Bicep templates by using parameters](/learn/modules/build-reusable-bicep-templates-parameters) on **Microsoft Learn**.
-## Minimal declaration
+## Declaration
Each parameter needs a name and type. A parameter can't have the same name as a variable, resource, output, or other parameter in the same scope.
param demoObject object
param demoArray array ```
-## Decorators
+## Default value
-Parameters use decorators for constraints or metadata. The decorators are in the format `@expression` and are placed above the parameter's declaration.
+You can specify a default value for a parameter. The default value is used when a value isn't provided during deployment.
```bicep
-@expression
-param stgAcctName string
+param demoParam string = 'Contoso'
```
-In the sections below, this article shows how to use the decorators that are available in a Bicep file.
+You can use expressions with the default value. Expressions aren't allowed with other parameter properties. You can't use the [reference](bicep-functions-resource.md#reference) function or any of the [list](bicep-functions-resource.md#list) functions in the parameters section. These functions get the resource's runtime state, and can't be executed before deployment when parameters are resolved.
+
+```bicep
+param location string = resourceGroup().location
+```
+
+You can use another parameter value to build a default value. The following template constructs a host plan name from the site name.
+ ## Secure parameters
+Parameters use decorators for constraints or metadata. The decorators are in the format `@expression` and are placed above the parameter's declaration.
+ You can mark string or object parameters as secure. The value of a secure parameter isn't saved to the deployment history and isn't logged. ```bicep
You can define allowed values for a parameter. You provide the allowed values in
param demoEnum string ```
-## Default value
-
-You can specify a default value for a parameter. The default value is used when a value isn't provided during deployment.
-
-```bicep
-param demoParam string = 'Contoso'
-```
-
-To specify a default value along with other properties for the parameter, use the following syntax.
-
-```bicep
-@allowed([
- 'Contoso'
- 'Fabrikam'
-])
-param demoParam string = 'Contoso'
-```
-
-You can use expressions with the default value. Expressions aren't allowed with other parameter properties. You can't use the [reference](bicep-functions-resource.md#reference) function or any of the [list](bicep-functions-resource.md#list) functions in the parameters section. These functions get the resource's runtime state, and can't be executed before deployment when parameters are resolved.
-
-```bicep
-param location string = resourceGroup().location
-```
-
-You can use another parameter value to build a default value. The following template constructs a host plan name from the site name.
-- ## Length constraints You can specify minimum and maximum lengths for string and array parameters. You can set one or both constraints. For strings, the length indicates the number of characters. For arrays, the length indicates the number of items in the array.
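Review bot: the restructure drops the snippet that showed a decorator and a default together (`@allowed([...])` above `param demoParam string = 'Contoso'`) without re-adding it under the new Default value section, yet that is the one example showing where the default goes relative to decorators; restore it. The general sentence `Parameters use decorators for constraints or metadata...` now lands after the `## Secure parameters` heading instead of before it, so that section opens with a generic intro rather than the secure-parameter text; check the ordering. Finally, since a default is a literal in the file, the Default value section should say not to give a `@secure()` parameter a default: that hard-codes the secret in source and defeats the point of keeping it out of the deployment history, and the Bicep linter's secure-parameter-default rule flags exactly this.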
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/custom-providers/policy-reference.md
Title: Built-in policy definitions for Azure Custom Resource Providers description: Lists Azure Policy built-in policy definitions for Azure Custom Resource Providers. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/policy-reference.md
Title: Built-in policy definitions for Azure Managed Applications description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/policy-reference.md
Title: Built-in policy definitions for Azure Resource Manager description: Lists Azure Policy built-in policy definitions for Azure Resource Manager. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-resource-manager Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-resource-manager Copy Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/copy-resources.md
The following examples show common scenarios for creating more than one instance
|[Copy storage](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/copystorage.json) |Deploys more than one storage account with an index number in the name. | |[Serial copy storage](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/serialcopystorage.json) |Deploys several storage accounts one at time. The name includes the index number. | |[Copy storage with array](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/copystoragewitharray.json) |Deploys several storage accounts. The name includes a value from an array. |
-| [Copy resource group](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/copyRG.json) | Deploys multiple resource groups. |
+| [Copy resource group](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/copyrg.json) | Deploys multiple resource groups. |
## Next steps
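Review bot: the link target changes only in case (`copyRG.json` to `copyrg.json`); GitHub paths are case-sensitive, so confirm the file in azure-docs-json-samples is actually lower-case now, otherwise this makes the link the broken one.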
azure-resource-manager Deploy What If https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-what-if.md
Before deploying an Azure Resource Manager template (ARM template), you can prev
You can use the what-if operation with Azure PowerShell, Azure CLI, or REST API operations. What-if is supported for resource group, subscription, management group, and tenant level deployments.
+### Microsoft Learn
+
+To learn more about what-if, and for hands-on guidance, see [Preview Azure deployment changes by using what-if](/learn/modules/arm-template-whatif) on **Microsoft Learn**.
+ ## Install Azure PowerShell module To use what-if in PowerShell, you must have version **4.2 or later of the Az module**.
azure-resource-manager Deployment Script Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-script-template.md
The deployment script resource is only available in the regions where Azure Cont
> [!NOTE] > Retry logic for Azure sign in is now built in to the wrapper script. If you grant permissions in the same template as your deployment scripts, the deployment script service retries sign in for 10 minutes with 10-second interval until the managed identity role assignment is replicated.
+### Microsoft Learn
+
+To learn more about the ARM template test toolkit, and for hands-on guidance, see [Extend ARM templates by using deployment scripts](/learn/modules/extend-resource-manager-template-deployment-scripts) on **Microsoft Learn**.
+ ## Configure the minimum permissions For deployment script API version 2020-10-01 or later, there are two principals involved in deployment script execution:
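Review bot: the new Microsoft Learn paragraph is a copy-paste from the test-toolkit article: `To learn more about the ARM template test toolkit, and for hands-on guidance, see [Extend ARM templates by using deployment scripts]` should read `To learn more about deployment scripts, and for hands-on guidance, see ...`.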
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/overview.md
If you're trying to decide between using ARM templates and one of the other infr
![Template deployment comparison](./media/overview/template-processing.png)
-* **Modular files**: You can break your templates into smaller, reusable components and link them together at deployment time. You can also nest one template inside another templates.
+* **Modular files**: You can break your templates into smaller, reusable components and link them together at deployment time. You can also nest one template inside another template.
* **Create any Azure resource**: You can immediately use new Azure services and features in templates. As soon as a resource provider introduces new resources, you can deploy those resources through templates. You don't have to wait for tools or modules to be updated before using the new services.
azure-resource-manager Quickstart Create Template Specs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/quickstart-create-template-specs.md
The template spec is a resource type named `Microsoft.Resources/templateSpecs`.
"resources": [ { "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-04-01",
+ "apiVersion": "2021-04-01",
"name": "[[variables('storageAccountName')]", "location": "[[parameters('location')]", "sku": {
To deploy a template spec, use the same deployment commands as you would use to
"resources": [ { "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
+ "apiVersion": "2021-04-01",
"name": "demo", "properties": { "templateLink": {
Rather than creating a new template spec for the revised template, add a new ver
"resources": [ { "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-04-01",
+ "apiVersion": "2021-04-01",
"name": "[[variables('storageAccountName')]", "location": "[[parameters('location')]", "sku": {
Rather than creating a new template spec for the revised template, add a new ver
"resources": [ { "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
+ "apiVersion": "2021-04-01",
"name": "demo", "properties": { "templateLink": {
azure-resource-manager Template Specs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-specs.md
To deploy the template spec, you use standard Azure tools like PowerShell, Azure
> [!NOTE] > To use template spec with Azure PowerShell, you must install [version 5.0.0 or later](/powershell/azure/install-az-ps). To use it with Azure CLI, use [version 2.14.2 or later](/cli/azure/install-azure-cli).
+### Microsoft Learn
+
+To learn more about template specs, and for hands-on guidance, see [Publish libraries of reusable infrastructure code by using template specs](/learn/modules/arm-template-specs) on **Microsoft Learn**.
+ ## Why use template specs? Template specs provide the following benefits:
azure-resource-manager Test Toolkit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/test-toolkit.md
The toolkit contains four sets of tests:
- [Test cases for createUiDefinition.json](createUiDefinition-test-cases.md) - [Test cases for all files](all-files-test-cases.md)
+### Microsoft Learn
+
+To learn more about the ARM template test toolkit, and for hands-on guidance, see [Validate Azure resources by using the ARM Template Test Toolkit](/learn/modules/arm-template-test) on **Microsoft Learn**.
+ ## Install on Windows 1. If you don't already have PowerShell, [install PowerShell on Windows](/powershell/scripting/install/installing-powershell-core-on-windows).
azure-signalr Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/policy-reference.md
Title: Built-in policy definitions for Azure SignalR description: Lists Azure Policy built-in policy definitions for Azure SignalR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-signalr Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SignalR description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-sql Connect Github Actions Sql Db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connect-github-actions-sql-db.md
You can create a [service principal](../../active-directory/develop/app-objects-
Replace the placeholders `server-name` with the name of your SQL server hosted on Azure. Replace the `subscription-id` and `resource-group` with the subscription ID and resource group connected to your SQL server. ```azurecli-interactive
- az ad sp create-for-rbac --name {server-name} --role contributor \
- --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
+ az ad sp create-for-rbac --name {server-name} --role contributor
+ --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}
--sdk-auth ```
When your Azure SQL database and repository are no longer needed, clean up the r
## Next steps > [!div class="nextstepaction"]
-> [Learn about Azure and GitHub integration](/azure/developer/github/)
+> [Learn about Azure and GitHub integration](/azure/developer/github/)
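Review bot: removing the trailing backslashes from the multi-line `az ad sp create-for-rbac` command breaks it in the interactive bash shell the `azurecli-interactive` fence targets: the first line `az ad sp create-for-rbac --name {server-name} --role contributor` now runs on its own with `--role` but no `--scopes`, so depending on CLI version it either errors or assigns Contributor at the subscription scope instead of the resource group, and the following `--scopes ...` and `--sdk-auth` lines fail as separate commands. Keep the `\` continuations (or join the three lines into one); the removed version was the correct one. The two `Next steps` lines are identical in the visible text, so that change is presumably only trailing whitespace.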
azure-sql Connectivity Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connectivity-architecture.md
Periodically, we will retire Gateways using old hardware and migrate the traffic
| China East 2 | 40.73.82.1 | 52.130.120.88/29 | | China North | 139.219.15.17 | 52.130.128.88/29 | | China North 2 | 40.73.50.0 | 52.130.40.64/29 |
-| East Asia | 52.175.33.150, 13.75.32.4, 13.75.32.14 | 13.75.32.192/29, 13.75.33.192/29 |
+| East Asia | 52.175.33.150, 13.75.32.4, 13.75.32.14, 20.205.77.200, 20.205.83.224 | 13.75.32.192/29, 13.75.33.192/29 |
| East US | 40.121.158.30, 40.79.153.12, 40.78.225.32 | 20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29 | | East US 2 | 40.79.84.180, 52.177.185.181, 52.167.104.0, 191.239.224.107, 104.208.150.3, 40.70.144.193 | 104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29 | | France Central | 40.79.137.0, 40.79.129.1, 40.79.137.8, 40.79.145.12 | 40.79.136.32/29, 40.79.144.32/29 |
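Review bot: the two gateway addresses added to the East Asia row (`20.205.77.200, 20.205.83.224`) fall outside both listed subnets (`13.75.32.192/29, 13.75.33.192/29`), so customers who allow-list outbound traffic by subnet rather than by individual gateway IP will still block them; either add the matching subnet entries to the third column, if they exist, or state that these addresses have no subnet entry and must be allowed individually.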
azure-sql Ledger Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-overview.md
Typical patterns for solving this problem involve replicating data from the bloc
Each transaction that the database receives is cryptographically hashed (SHA-256). The hash function uses the value of the transaction, along with the hash of the previous transaction, as input to the hash function. (The value includes hashes of the rows contained in the transaction.) The function cryptographically links all transactions together, like a blockchain.
-Cryptographically hashed ([database digests](#database-digests)) represent the state of the database. They're periodically generated and stored outside Azure SQL Database in a tamper-proof storage location. An example of a storage location is the [immutable storage feature of Azure Blob Storage](../../storage/blobs/immutable-storage-overview.md) or [Azure Confidential Ledger](../../confidential-ledger/index.yml). Database digests are later used to verify the integrity of the database by comparing the value of the hash in the digest against the calculated hashes in database.
+Cryptographically hashed [database digests](#database-digests) represent the state of the database. They're periodically generated and stored outside Azure SQL Database in a tamper-proof storage location. An example of a storage location is the [immutable storage feature of Azure Blob Storage](../../storage/blobs/immutable-storage-overview.md) or [Azure Confidential Ledger](../../confidential-ledger/index.yml). Database digests are later used to verify the integrity of the database by comparing the value of the hash in the digest against the calculated hashes in database.
Ledger functionality is introduced to tables in Azure SQL Database in two forms:
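Review bot: the `+` line still carries two wording problems the parenthesis fix did not touch: "calculated hashes in database" is missing an article ("in the database"), and "Cryptographically hashed [database digests] represent the state of the database" reads as if the digests are themselves being hashed. The paragraph before it says each transaction hash chains to the previous one, so "Database digests, which are cryptographic hashes of the transaction chain, represent the state of the database" would match that. The sentence about verification would also be clearer as "comparing the hash stored in the digest against hashes recomputed from the current ledger data", since the whole point of keeping the digest outside the database is that it is compared against a recomputed value, not a stored one.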
Ideally, users should run ledger verification only when the organization that's
- [Quickstart: Create a SQL database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md) - [Access the digests stored in Azure Confidential Ledger](ledger-how-to-access-acl-digest.md)-- [Verify a ledger table to detect tampering](ledger-verify-database.md)
+- [Verify a ledger table to detect tampering](ledger-verify-database.md)
azure-sql Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/policy-reference.md
Title: Built-in policy definitions for Azure SQL Database description: Lists Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-sql Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
azure-sql Restore Sample Database Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/restore-sample-database-quickstart.md
Previously updated : 12/14/2018 Last updated : 09/13/2021 # Quickstart: Restore a database to Azure SQL Managed Instance with SSMS [!INCLUDE[appliesto-sqlmi](../includes/appliesto-sqlmi.md)]
This quickstart:
> [!NOTE] > For more information on backing up and restoring a SQL Server database using Azure Blob storage and a [Shared Access Signature (SAS) key](../../storage/common/storage-sas-overview.md), see [SQL Server Backup to URL](/sql/relational-databases/backup-restore/sql-server-backup-to-url).
-## Restore from a backup file
+## Restore from a backup file using the restore wizard
+
+In SSMS, follow these steps to restore the Wide World Importers database to SQL Managed Instance by using the restore wizard. The database backup file is stored in a pre-configured Azure Blob Storage account.
+
+1. Open SSMS and connect to your managed instance.
+2. In **Object Explorer**, right-click the databases of your managed instance and select **Restore Database** to open the restore wizard.
+
+ ![Screenshot that shows opening the restore wizard.](./media/restore-sample-database-quickstart/restore-wizard-start.png)
+
+3. In the new restore wizard, select the ellipsis (**...**) to select the source of the backup file to use.
+
+ ![Screenshot that shows opening a new restore wizard window.](./media/restore-sample-database-quickstart/new-restore-wizard.png)
+
+4. In **Select backup devices**, select **Add**. In **Backup media type**, **URL** is the only option because it is the only source type supported. Select **OK**.
+
+ ![Screenshot that shows selecting the device.](./media/restore-sample-database-quickstart/restore-wizard-select-device.png)
+
+5. In **Select a Backup File Location**, you can choose from three options to provide information about backup files are located:
+ - Select a pre-registered storage container from the dropdown.
+ - Enter a new storage container and a shared access signature. (A new SQL credential will be registered for you.)
+ - Select **Add** to browse more storage containers from your Azure subscription.
+
+ ![Screenshot that shows selecting the backup file location.](./media/restore-sample-database-quickstart/restore-wizard-backup-file-location.png)
+
+ Complete the next steps if you select the **Add** button. If you use a different method to provide the backup file location, go to step 12.
+6. In **Connect to a Microsoft Subscription**, select **Sign in** to sign in to your Azure subscription:
+
+ ![Screenshot that shows Azure subscription sign-in.](./media/restore-sample-database-quickstart/restore-wizard-connect-subscription-sign-in.png)
+
+7. Sign in to your Microsoft Account to initiate the session in Azure:
+
+ ![Screenshot that shows signing in to the Azure session.](./media/restore-sample-database-quickstart/restore-wizard-sign-in-session.png)
+
+8. Select the subscription where the storage account with the backup files is located:
+
+ ![Screenshot that shows selecting the subscription.](./media/restore-sample-database-quickstart/restore-wizard-select-subscription.png)
+
+9. Select the storage account where the backup files are located:
+
+ ![Screenshot that shows the storage account.](./media/restore-sample-database-quickstart/restore-wizard-select-storage-account.png)
+
+10. Select the blob container where the backup files are located:
+
+ ![Select Blob container](./media/restore-sample-database-quickstart/restore-wizard-select-container.png)
+
+11. Specify the expiration date of the shared access policy and select **Create Credential**. A shared access signature with the correct permissions is created. Select **OK**.
+
+ ![Screenshot that shows generating the shared access signature.](./media/restore-sample-database-quickstart/restore-wizard-generate-shared-access-signature.png)
+
+12. In the left pane, expand the folder structure to show the folder where the backup files are located. Select all the backup files that are related to the backup set to be restored, and then select **OK**:
+
+ ![Screenshot that shows the backup file selection.](./media/restore-sample-database-quickstart/restore-wizard-backup-file-selection.png)
+
+ SSMS validates the backup set. The process takes up to a few seconds depending on the size of the backup set.
+
+13. If the backup is validated, specify the destination database name or leave the database name of the backup set, and then select **OK**:
+
+ ![Screenshot that shows starting the restore.](./media/restore-sample-database-quickstart/restore-wizard-start-restore.png)
+
+ The restore starts. The duration depends on the size of the backup set.
+
+ ![Screenshot that shows running the restore.](./media/restore-sample-database-quickstart/restore-wizard-running-restore.png)
+
+14. When the restore finishes, a dialog shows that it was successful. Select **OK**.
+
+ ![Screenshot that shows the finished restore.](./media/restore-sample-database-quickstart/restore-wizard-finish-restore.png)
+
+15. Check the restored database in Object Explorer:
+
+ ![Screenshot that shows the restored database.](./media/restore-sample-database-quickstart/restore-wizard-restored-database.png)
++
+## Restore from a backup file using T-SQL
In SQL Server Management Studio, follow these steps to restore the Wide World Importers database to SQL Managed Instance. The database backup file is stored in a pre-configured Azure Blob storage account.
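Review bot: step 11 tells the reader to "specify the expiration date of the shared access policy" and select "Create Credential" with no guidance on the value, while step 5 notes that a SQL credential holding the SAS is registered on the managed instance; recommend advising a short expiration, long enough for the restore only, because that credential keeps giving the instance read access to the storage container after the restore has finished. Two smaller points in the same section: step 5, "provide information about backup files are located", is missing "where"; and the step 10 image alt text, "Select Blob container", does not follow the "Screenshot that shows ..." pattern every other image in this procedure uses.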
azure-sql Sql Server To Sql Managed Instance Assessment Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-sql-managed-instance-assessment-rules.md
Last updated 12/15/2020 # Assessment rules for SQL Server to Azure SQL Managed Instance migration Migration tools validate your source SQL Server instance by running a number of assessment rules to identify issues that must be addressed before migrating your SQL Server database to Azure SQL Managed Instance.
azure-sql Performance Guidelines Best Practices Checklist https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist.md
For your SQL Server availability group or failover cluster instance, consider th
* If optimizing SQL Server VM performance does not resolve your unexpected failovers, consider [relaxing the monitoring](hadr-cluster-best-practices.md#relaxed-monitoring) for the availability group or failover cluster instance. However, doing so may not address the underlying source of the issue and could mask symptoms by reducing the likelihood of failure. You may still need to investigate and address the underlying root cause. For Windows Server 2012 or higher, use the following recommended values: - **Lease timeout**: Use this equation to calculate the maximum lease time out value: `Lease timeout < (2 * SameSubnetThreshold * SameSubnetDelay)`.
- Start with 40 seconds. If you're using the relaxed `SameSubnetThreshold` and `SameSubnetDelay` values recommended previously, do not exceed 80 seconds for the lease timeout value.
- - **Max failures in a specified period**: Set this value to 6.
+ Start with 40 seconds. If you're using the relaxed `SameSubnetThreshold` and `SameSubnetDelay` values recommended previously, do not exceed 80 seconds for the lease timeout value.
+ - **Max failures in a specified period**: You can set this value to 6.
+ - **Healthcheck timeout**: You can set this value to 60000 initially, adjust as necessary.
* When using the virtual network name (VNN) to connect to your HADR solution, specify `MultiSubnetFailover = true` in the connection string, even if your cluster only spans one subnet. - If the client does not support `MultiSubnetFailover = True` you may need to set `RegisterAllProvidersIP = 0` and `HostRecordTTL = 300` to cache client credentials for shorter durations. However, doing so may cause additional queries to the DNS server. - To connect to your HADR solution using the distributed network name (DNN), consider the following:
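Review bot: the added Healthcheck timeout value, 60000, has no unit; the cluster HealthCheckTimeout property is in milliseconds, so write "60000 milliseconds (60 seconds)" to avoid it being read alongside the lease timeout values, which the same list gives in seconds. "You can set this value to 60000 initially, adjust as necessary" is a comma splice ("initially and adjust as necessary"), and changing "Set this value to 6" to "You can set this value to 6" makes the max-failures entry sound optional while the introducing sentence still calls these "the following recommended values"; the original imperative was consistent with that. Consider also giving the property name in code font, as the list already does for `SameSubnetThreshold` and `SameSubnetDelay`.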
azure-vmware Concepts Run Command https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-run-command.md
Now that you've learned about the Run command concepts, you can use the Run comm
- [Configure external identity source for vCenter (Run command)](configure-identity-source-vcenter.md) - Configure Active Directory over LDAP or LDAPS for vCenter, which enables the use of an external identity source as an Active Directory. Then, you can add groups from the external identity source to the CloudAdmin role. -
azure-vmware Configure Dhcp Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-dhcp-azure-vmware-solution.md
Title: Configure DHCP for Azure VMware Solution
description: Learn how to configure DHCP by using either NSX-T Manager to host a DHCP server or use a third-party external DHCP server. Previously updated : 07/13/2021 Last updated : 09/13/2021 # Customer intent: As an Azure service administrator, I want to configure DHCP by using either NSX-T Manager to host a DHCP server or use a third-party external DHCP server.
Last updated 07/13/2021
[!INCLUDE [dhcp-dns-in-azure-vmware-solution-description](includes/dhcp-dns-in-azure-vmware-solution-description.md)]
-In this how-to article, you'll use NSX-T Manager to configure DHCP for Azure VMware Solution in one of the following two ways:
+In this how-to article, you'll use NSX-T Manager to configure DHCP for Azure VMware Solution in one of the following ways:
-- [NSX-T to host your DHCP server](#use-nsx-t-to-host-your-dhcp-server) -- [Third-party external DHCP server](#use-a-third-party-external-dhcp-server)
+- [Use the Azure portal to create a DHCP server or relay](#use-the-azure-portal-to-create-a-dhcp-server-or-relay)
+
+- [Use NSX-T to host your DHCP server](#use-nsx-t-to-host-your-dhcp-server)
+
+- [Use a third-party external DHCP server](#use-a-third-party-external-dhcp-server)
>[!TIP] >If you want to configure DHCP using a simplified view of NSX-T operations, see [Configure DHCP for Azure VMware Solution](configure-dhcp-azure-vmware-solution.md).
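Review bot: the TIP in the trailing context, "If you want to configure DHCP using a simplified view of NSX-T operations, see [Configure DHCP for Azure VMware Solution](configure-dhcp-azure-vmware-solution.md)", links to this same article (articles/azure-vmware/configure-dhcp-azure-vmware-solution.md). Now that the list above gains the "Use the Azure portal to create a DHCP server or relay" item, the tip should point at that section anchor (#use-the-azure-portal-to-create-a-dhcp-server-or-relay) or at the new configure-nsx-network-components-azure-portal.md article, or be removed.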
In this how-to article, you'll use NSX-T Manager to configure DHCP for Azure VMw
> >DHCP does not work for virtual machines (VMs) on the VMware HCX L2 stretch network when the DHCP server is in the on-premises datacenter. NSX, by default, blocks all DHCP requests from traversing the L2 stretch. For the solution, see the [Configure DHCP on L2 stretched VMware HCX networks](configure-l2-stretched-vmware-hcx-networks.md) procedure.
+## Use the Azure portal to create a DHCP server or relay
+
+You can create a DHCP server or relay directly from Azure VMware Solution in the Azure portal. The DHCP server or relay connects to the Tier-1 gateway created when you deployed Azure VMware Solution. All the segments where you gave DHCP ranges will be part of this DHCP. After you've created a DHCP server or DHCP relay, you must define a subnet or range on segment level to consume it.
+
+1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **DHCP** > **Add**.
+
+2. Select either **DHCP Server** or **DHCP Relay** and then provide a name for the server or relay and three IP addresses.
+
+ >[!NOTE]
+ >For DHCP relay, you only require one IP address for a successful configuration.
+
+ :::image type="content" source="media/networking/add-dhcp-server-relay.png" alt-text="Screenshot showing how to add a DHCP server or DHCP relay in Azure VMware Solutions.":::
+
+4. Complete the DHCP configuration by [providing DHCP ranges on the logical segments](tutorial-nsx-t-network-segment.md#use-azure-portal-to-add-an-nsx-t-segment) and then select **OK**.
++ ## Use NSX-T to host your DHCP server If you want to use NSX-T to host your DHCP server, you'll create a DHCP server and a relay service. Then you'll add a network segment and specify the DHCP IP address range.
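Review bot: the numbered steps in the new section go 1, 2, 4; there is no step 3, so either renumber step 4 or restore the missing step. "All the segments where you gave DHCP ranges will be part of this DHCP" is hard to follow; "The DHCP server or relay serves every segment on which you define a DHCP range" says the same thing and matches the paragraph's last sentence. Step 2 asks for "three IP addresses" for a DHCP server without saying what each one is for, while the NOTE says a relay needs only one; name the purpose of each address so the reader is not guessing which field gets which value.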
azure-vmware Configure Nsx Network Components Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-nsx-network-components-azure-portal.md
+
+ Title: Configure NSX network components using Azure VMware Solution
+description: Learn how to use the Azure VMware Solution to configure NSX-T network segments.
+ Last updated : 09/13/2021+
+# Customer intent: As an Azure service administrator, I want to configure NSX network components using a simplified view of NSX-T operations a VMware administrator needs daily. The simplified view is targeted at users unfamiliar with NSX-T Manager.
+++
+# Configure NSX network components using Azure VMware Solution
+
+An Azure VMware Solution private cloud comes with NSX-T by default. The private cloud comes pre-provisioned with an NSX-T Tier-0 gateway in **Active/Active** mode and a default NSX-T Tier-1 gateway in Active/Standby mode. These gateways let you connect the segments (logical switches) and provide East-West and North-South connectivity.
+
+After deploying Azure VMware Solution, you can configure the necessary NSX-T objects from the Azure portal. It presents a simplified view of NSX-T operations a VMware administrator needs daily and targeted at users not familiar with NSX-T Manager.
+
+You'll have four options to configure NSX-T components in the Azure VMware Solution console:
+
+- **Segments** - Create segments that display in NSX-T Manager and vCenter. For more information, see [Add an NSX-T segment using the Azure portal](tutorial-nsx-t-network-segment.md#use-azure-portal-to-add-an-nsx-t-segment).
+
+- **DHCP** - Create a DHCP server or DHCP relay if you plan to use DHCP. For more information, see [Use the Azure portal to create a DHCP server or relay](configure-dhcp-azure-vmware-solution.md#use-the-azure-portal-to-create-a-dhcp-server-or-relay).
+
+- **Port mirroring** ΓÇô Create port mirroring to help troubleshoot network issues. For more information, see [Configure port mirroring in the Azure portal](configure-port-mirroring-azure-vmware-solution.md).
+
+- **DNS** ΓÇô Create a DNS forwarder to send DNS requests to a designated DNS server for resolution. For more information, see [Configure a DNS forwarder in the Azure portal](configure-dns-azure-vmware-solution.md).
+
+>[!IMPORTANT]
+>You'll still have access to the NSX-T Manager console, where you can use the advanced settings mentioned and other NSX-T features.
+
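Review bot: the Port mirroring and DNS bullets use a mis-encoded dash ("ΓÇô", an en dash saved in the wrong encoding) where the Segments and DHCP bullets use a plain hyphen; make all four bullets consistent and fix the encoding before merge. "It presents a simplified view of NSX-T operations a VMware administrator needs daily and targeted at users not familiar with NSX-T Manager" does not parse; "that a VMware administrator needs daily, targeted at users who are not familiar with NSX-T Manager" does. In the IMPORTANT note, "the advanced settings mentioned" refers to nothing mentioned earlier in the article; name the settings or drop the phrase. Minor: "Active/Active" is bold in the first paragraph while "Active/Standby" is not.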
backup Archive Tier Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/archive-tier-support.md
Supported clients:
>To view recovery points for a different time range, modify the start and the end date accordingly. ## Use PowerShell
+### Check the archivable status of all the recovery points
+
+You can now check the archivable status of all the recovery points of a backup item using the following cmdlet:
+
+```azurepowershell
+$rp = Get-AzRecoveryServicesBackupRecoveryPoint -VaultId $vault.ID -Item $bckItm -StartDate $startdate.ToUniversalTime() -EndDate $enddate.ToUniversalTime()
+
+$rp | select RecoveryPointId, @{ Label="IsArchivable";Expression={$_.RecoveryPointMoveReadinessInfo["ArchivedRP"].IsReadyForMove}}, @{ Label="ArchivableInfo";Expression={$_.RecoveryPointMoveReadinessInfo["ArchivedRP"].AdditionalInfo}}
+```
+ ### Check archivable recovery points ```azurepowershell
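Review bot: the new cmdlet block uses $vault, $bckItm, $startdate and $enddate without defining them in this subsection; if they come from an earlier step, say so ("using the vault, item and date range from the previous steps"), otherwise readers who copy only this block call Get-AzRecoveryServicesBackupRecoveryPoint with an empty -VaultId and -Item. The new heading "Check the archivable status of all the recovery points" is immediately followed by the existing "Check archivable recovery points" heading; the two are nearly indistinguishable in the table of contents, so rename one to say how it differs (for example, that this one lists the readiness and AdditionalInfo for every recovery point rather than filtering to the archivable ones).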
To view the move and restore jobs, use the following PowerShell cmdlet:
Get-AzRecoveryServicesBackupJob -VaultId $vault.ID ```
+### Move recovery points to archive tier at scale
+
+You can now use sample scripts to perform at scale operations. [Learn more](https://github.com/hiag) about how to run the sample scripts. You can download the scripts from [here](https://github.com/hiaga/Az.RecoveryServices).
+
+You can perform the following operations using the sample scripts provided by Azure Backup:
+
+- Move all eligible recovery points for a particular database/all databases for a SQL server in Azure VM to the archive tier.
+- Move all recommended recovery points for a particular Azure Virtual Machine to the archive tier.
+
+You can also write a script as per your requirements or modify the above sample scripts to fetch the required backup items.
+ ## Use the portal ### Check archived recovery point
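Review bot: the two script links disagree: "Learn more" goes to https://github.com/hiag while the download link goes to https://github.com/hiaga/Az.RecoveryServices, so at least one is wrong. Both point at a personal GitHub account rather than an Azure organization repository, yet the text calls them "sample scripts provided by Azure Backup" and they perform bulk operations (moving every eligible recovery point for all databases of a SQL server, or all recommended points for a VM, to the archive tier). Official documentation should not send customers to run bulk data-movement scripts from an unaffiliated account: host them under an official Azure samples repository or the published module, and state who maintains them and that they are samples without support. Minor: "at scale operations" should be hyphenated, "at-scale operations".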
backup Monitoring And Alerts Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/monitoring-and-alerts-overview.md
+
+ Title: Monitoring and reporting solutions for Azure Backup
+description: Learn about different monitoring and reporting solutions provided by Azure Backup.
+ Last updated : 09/10/2021++
+# Monitoring and reporting solutions for Azure Backup
+
+This article provides an overview of different monitoring and reporting solutions provided by Azure Backup.
+
+Azure Backup offers integration with various Azure services, such as Azure Resource Graph, Azure Monitor Alerts, Azure Monitor Logs, and Azure Resource Health. Azure Backup also offers interfaces to various Azure clients, such as Azure portal, Azure PowerShell, Azure CLI, and Azure REST API. Depending on your monitoring and reporting requirements, you can use a combination of these integrations.
+
+## Monitoring and reporting scenarios
+
+The following table provides a summary of the different monitoring and reporting scenarios that commonly arise in enterprise backup deployments, and the different capabilities that Azure Backup provides today for each of these scenarios, along with the relevant document references.
+
+| Scenario | Solutions available |
+| | |
+| Monitor backup jobs and backup instances | <ul><li>**Built-in monitoring**: You can monitor backup jobs and backup instances in real time via the [Backup center](/azure/backup/backup-center-overview) dashboard.</li><li>**Customized monitoring dashboards**: Azure Backup allows you to use non-portal clients, such as [PowerShell](/azure/backup/backup-azure-vms-automation), [CLI](/azure/backup/create-manage-azure-services-using-azure-command-line-interface), and [REST API](/azure/backup/backup-azure-arm-userestapi-managejobs), to query backup monitoring data for use in your custom dashboards. <br><br> In addition, you can query your backups at scale (across vaults, subscriptions, regions, and Lighthouse tenants) using [Azure Resource Graph (ARG)](/azure/backup/query-backups-using-azure-resource-graph). <br><br> [Backup Explorer](/azure/backup/monitor-azure-backup-with-backup-explorer) is one sample monitoring workbook, which uses data in ARG that you can use as a reference to create your own dashboards. </li></ul> |
+| Monitor overall backup health | **Resource Health**: You can monitor the health of your recovery services vault and troubleshoot events causing the resource health issues. [Learn more](/azure/service-health/resource-health-overview). <br><br> You can view the health history and identify events affecting the health of your resource. You can also trigger alerts related to the resource health events. |
+| Get alerted to critical backup incidents | <ul><li>**Built-in alerts using Azure Monitor (preview)**: Azure Backup provides an [alerting solution based on Azure Monitor](/azure/backup/backup-azure-monitoring-built-in-monitor#azure-monitor-alerts-for-azure-backup-preview) for scenarios such as deletion of backup data, disabling of soft-delete, backup failures, and restore failures. <br><br> You can view these alerts and manage via Backup center. To [configure notifications](/azure/backup/backup-azure-monitoring-built-in-monitor#configuring-notifications-for-alerts) for these alerts (for example, emails), you can use Azure Monitor's [Action rules](/azure/azure-monitor/alerts/alerts-action-rules?tabs=portal) and [Action groups](/azure/azure-monitor/alerts/action-groups) to route alerts to a wide range of notification channels. </li><li>**Classic Alerts**: This is the older alerting solution [accessed using the Backup Alerts tab](/azure/backup/backup-azure-monitoring-built-in-monitor#backup-alerts-in-recovery-services-vault) in the Recovery Services vault blade. These alerts canΓÇÖt be viewed in Backup center. If youΓÇÖre using classic alerts, we recommend to start using the Azure Monitor based alert solution (described above) as itΓÇÖs the forward-looking solution for alerting. </li><li>**Custom alerts**: If you've scenarios where an alert needs to be generated based on custom logic, you can make use of [Log Analytics based alerts](/azure/backup/backup-azure-monitoring-use-azuremonitor#create-alerts-by-using-log-analytics) for such scenarios, provided youΓÇÖve configured your vaults to send diagnostics data to a Log Analytics (LA) workspace. 
Due to the current [frequency at which data in an LA workspace is updated](/azure/backup/backup-azure-monitoring-use-azuremonitor#diagnostic-data-update-frequency), this solution is typically used for scenarios where itΓÇÖs acceptable to have a small time lag between the occurrence of the actual incident and the generation of the alert. </li></ul> |
+| Analyze historical trends | <ul><li>**Built-in reports**: You can use [Backup Reports](/azure/backup/configure-reports) (based on Azure Monitor Logs) to analyze historical trends related to job success and backup usage, and discover optimization opportunities for your backups. You can also [configure periodic emails](/azure/backup/backup-reports-email) of these reports. </li><li>**Customized reporting dashboards**: You can also query the data in Azure Monitor Logs (LA) using the documented [system functions](/azure/backup/backup-reports-system-functions) to create your own dashboards to analyze historical information related to your backups.</li></ul> |
+| Audit user triggered actions on vaults | **Activity Logs**: You can use standard [Activity Logs](/azure/azure-monitor/essentials/activity-log) for your vaults to view information on various user-triggered actions, such as modification of backup policies, restoration of a backup item, and so on. You can also configure alerts on Activity Logs, or export these logs to a Log Analytics workspace for long-term retention.
+
+## Next steps
+
+- [Learn more](/azure/backup/backup-center-overview) about Backup center.
+- [Learn more](/azure/backup/backup-azure-monitoring-built-in-monitor#azure-monitor-alerts-for-azure-backup-preview) about Azure Monitor Alerts.
+- [Learn more](/azure/service-health/resource-health-overview) about Azure Resource Health.
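Review bot: the "Get alerted to critical backup incidents" row is broken by a line break inside its last cell: the cell ends on the source line "... send diagnostics data to a Log Analytics (LA) workspace." and continues on the next line with "Due to the current ...", and a newline inside a Markdown table cell terminates the row, so the continuation renders as stray text below the table. Join the two lines, using <br> if a visual break is wanted as the other cells do. Also verify the delimiter row is "| --- | --- |" rather than the "| | |" shown here, give the last row ("Audit user triggered actions on vaults") its closing "|", replace the mis-encoded apostrophes ("ΓÇÖ" in canΓÇÖt, youΓÇÖre, itΓÇÖs) with plain apostrophes, and change "we recommend to start using" to "we recommend that you start using".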
backup Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/policy-reference.md
Title: Built-in policy definitions for Azure Backup description: Lists Azure Policy built-in policy definitions for Azure Backup. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
backup Quick Backup Vm Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/quick-backup-vm-cli.md
az backup protection backup-now \
--vault-name myRecoveryServicesVault \ --container-name myVM \ --item-name myVM \
+ --backup-management-type AzureIaaSVM
--retain-until 18-10-2017 ```
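Review bot: the added "--backup-management-type AzureIaaSVM" line has no trailing backslash, but "--retain-until 18-10-2017" follows on the next line; without the line continuation the shell runs az backup protection backup-now without the retention argument and then tries to execute "--retain-until" as a separate command. Add " \" to the end of the new line, as the lines above it have. The retain-until date 18-10-2017 is also years in the past for an article updated in 2021; use a future date or say the value must be in the future.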
az backup protection disable \
--vault-name myRecoveryServicesVault \ --container-name myVM \ --item-name myVM \
+ --backup-management-type AzureIaaSVM
--delete-backup-data true az backup vault delete \ --resource-group myResourceGroup \
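Review bot: the added "--backup-management-type AzureIaaSVM" line in the az backup protection disable command lacks a trailing backslash, so "--delete-backup-data true" on the next line is no longer part of the command; the disable call would run without it (or fail on the unterminated invocation) and the backup data the step intends to remove would be left behind, which then blocks the az backup vault delete that follows. Add " \" to the end of the new line.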
backup Sap Hana Db Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/sap-hana-db-manage.md
These on-demand backups will also show up in the list of restore points for rest
Restores triggered from HANA native clients (using **Backint**) to restore to the same machine can be [monitored](#monitor-manual-backup-jobs-in-the-portal) from the **Backup jobs** page.
+#### Delete
+
+Delete operation from HANA native is **NOT** supported by Azure Backup since the backup policy determines the lifecycle of backups in Azure Recovery services vault.
+ ### Run SAP HANA native client backup to local disk on a database with Azure Backup enabled If you want to take a local backup (using HANA Studio / Cockpit) of a database that's being backed up with Azure Backup, do the following:
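Review bot: "Delete operation from HANA native is NOT supported by Azure Backup" does not say what the reader will observe: whether a delete issued through the HANA native client (Backint) fails with an error or is accepted by HANA while the recovery point stays in the vault. Spell that out, and rephrase as "Deleting backups through HANA native clients is not supported; retention is governed only by the Azure Backup policy", which also makes explicit the property readers care about from a resilience standpoint, namely that vault backups cannot be purged from the database host through native tooling. "Azure Recovery services vault" should be "Azure Recovery Services vault" to match the product name.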
backup Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
batch Batch Job Prep Release https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-job-prep-release.md
The job preparation task is executed only on nodes that are scheduled to run a t
> [!NOTE] > [JobPreparationTask](/dotnet/api/microsoft.azure.batch.cloudjob.jobpreparationtask) differs from [CloudPool.StartTask](/dotnet/api/microsoft.azure.batch.cloudpool.starttask) in that JobPreparationTask executes at the start of each job, whereas StartTask executes only when a compute node first joins a pool or restarts.
->## Job release task
+## Job release task
Once a job is marked as completed, the job release task runs on each node in the pool that executed at least one task. You mark a job as completed by issuing a terminate request. This request sets the job state to *terminating*, terminates any active or running tasks associated with the job, and runs the job release task. The job then moves to the *completed* state.
batch Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/policy-reference.md
Title: Built-in policy definitions for Azure Batch description: Lists Azure Policy built-in policy definitions for Azure Batch. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
batch Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 09/03/2021 Last updated : 09/13/2021
blockchain Configure Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/configure-aad.md
- Title: Configure Azure Active Directory access - Azure Blockchain Service
-description: How to configure Azure Blockchain Service with Azure Active Directory access
Previously updated : 05/11/2021--
-#Customer intent: As a node operator, I want to configure Azure Blockchain Service with Azure Active Directory access.
--
-# How to configure Azure Active Directory access for Azure Blockchain Service
-
-In this article, you learn how to grant access and connect to Azure Blockchain Service nodes using Azure Active Directory (Azure AD) user, group, or application IDs.
--
-Azure AD provides cloud-based identity management and allows you to use a single identity across an entire enterprise and access applications in Azure. Azure Blockchain Service is integrated with Azure AD and offers benefits such as ID federation, single sign-on and multi-factor authentication.
-
-## Prerequisites
-
-* [Create a blockchain member using the Azure portal](create-member.md)
-
-## Grant access
-
-You can grant access at both the member level and the node level. Granting access rights at the member level will in turn grant access to all nodes under the member.
-
-### Grant member level access
-
-To grant access permission at the member level.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Navigate to **Access control (IAM) > Add > Add role assignment**.
-1. Select the **Blockchain Member Node Access (Preview)** role and add the Azure AD ID object you wish to grant access to. Azure AD ID object can be:
-
- | Azure AD object | Example |
- |--||
- | Azure AD user | `kim@contoso.onmicrosoft.com` |
- | Azure AD group | `sales@contoso.onmicrosoft.com` |
- | Application ID | `13925ab1-4161-4534-8d18-812f5ca1ab1e` |
-
- ![Add role assignment](./media/configure-aad/add-role-assignment.png)
-
-1. Select **Save**.
-
-### Grant node level access
-
-You can grant access at the node level by navigating to node security and click on the node name that you wish to grant access.
-
-Select the Blockchain Member Node Access (Preview) role and add the Azure AD ID object you wish to grant access to.
-
-For more information, see [Configure Azure Blockchain Service transaction nodes](configure-transaction-nodes.md#azure-active-directory-access-control).
-
-## Connect using Azure Blockchain Connector
-
-Download or clone the [Azure Blockchain Connector from GitHub](https://github.com/Microsoft/azure-blockchain-connector/).
-
-```bash
-git clone https://github.com/Microsoft/azure-blockchain-connector.git
-```
-
-The follow the quickstart section in the **readme** to build the connector from the source code.
-
-### Connect using an Azure AD user account
-
-1. Run the following command to authenticate using an Azure AD user account. Replace \<myAADDirectory\> with an Azure AD domain. For example, `yourdomain.onmicrosoft.com`.
-
- ```
- connector.exe -remote <myMemberName>.blockchain.azure.com:3200 -method aadauthcode -tenant-id <myAADDirectory>
- ```
-
-1. Azure AD prompts for credentials.
-1. Sign in with your user name and password.
-1. Upon successful authentication, your local proxy connects to your blockchain node. You can now attach your Geth client with the local endpoint.
-
- ```bash
- geth attach http://127.0.0.1:3100
- ```
-
-### Connect using an application ID
-
-Many applications authenticate with Azure AD using an application ID instead of an Azure AD user account.
-
-To connect to your node using an application ID, replace **aadauthcode** with **aadclient**.
-
-```
-connector.exe -remote <myBlockchainEndpoint> -method aadclient -client-id <myClientID> -client-secret "<myClientSecret>" -tenant-id <myAADDirectory>
-```
-
-| Parameter | Description |
-|--|-|
-| tenant-id | Azure AD domain, For example, `yourdomain.onmicrosoft.com`
-| client-id | Client ID of the registered application in Azure AD
-| client-secret | Client secret of the registered application in Azure AD
-
-For more information on how to register an application in Azure AD, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md)
-
-### Connect a mobile device or text browser
-
-For a mobile device or text-based browser where the Azure AD authentication pop-up display is not possible, Azure AD generates a one-time passcode. You can copy the passcode and proceed with Azure AD authentication in another environment.
-
-To generate the passcode, replace **aadauthcode** with **aaddevice**. Replace \<myAADDirectory\> with an Azure AD domain. For example, `yourdomain.onmicrosoft.com`.
-
-```
-connector.exe -remote <myBlockchainEndpoint> -method aaddevice -tenant-id <myAADDirectory>
-```
-
-## Next steps
-
-For more information about data security in Azure Blockchain Service, see [Azure Blockchain Service security](data-security.md).
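Review bot: the Next steps link in this hunk, `[Azure Blockchain Service security](data-security.md)`, points at an article that is not removed anywhere in the visible diff, while the article being removed here is itself the target of `[connect to your node using AAD authentication](configure-aad.md)` in configure-transaction-nodes.md, which this same change also deletes. The configure-aad.md / configure-transaction-nodes.md pair is therefore consistent, but confirm data-security.md is deleted or redirected in the same change, and add a redirect entry for the removed configure-aad.md path so existing inbound links do not 404.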
blockchain Configure Transaction Nodes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/configure-transaction-nodes.md
- Title: Configure Azure Blockchain Service transaction nodes
-description: How to configure Azure Blockchain Service transaction nodes
Previously updated : 05/11/2021--
-#Customer intent: As a network operator, I want to use the Azure portal to create and configure transaction nodes.
--
-# Configure Azure Blockchain Service transaction nodes
-
-Transaction nodes are used to send blockchain transactions to Azure Blockchain Service through a public endpoint. The default transaction node contains the private key of the Ethereum account registered on the blockchain, and as such cannot be deleted.
--
-To view the default transaction node details:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Navigate to your Azure Blockchain Service member. Select **Transaction nodes**.
-
- ![Select default transaction node](./media/configure-transaction-nodes/nodes.png)
-
- Overview details include public endpoint addresses and public key.
-
-## Create transaction node
-
-You can add up to nine additional transaction nodes to your blockchain member, for a total of 10 transaction nodes. By adding transaction nodes, you can increase scalability or distribute load. For example, you could have a transaction node endpoint for different client applications.
-
-To add a transaction node:
-
-1. In the Azure portal, navigate to your Azure Blockchain Service member and select **Transaction nodes > Add**.
-1. Complete the settings for the new transaction node.
-
- ![Add transaction node](./media/configure-transaction-nodes/add-node.png)
-
- | Setting | Description |
- ||-|
- | Name | Transaction node name. The name is used to create the DNS address for the transaction node endpoint. For example, `newnode-myblockchainmember.blockchain.azure.com`. The node name cannot be changed once it is created. |
- | Password | Set a strong password. Use the password to access the transaction node endpoint with basic authentication.
-
-1. Select **Create**.
-
- Provisioning a new transaction node takes about 10 minutes. Additional transaction nodes incur cost. For more information on costs, see [Azure pricing](https://aka.ms/ABSPricing).
-
-## Endpoints
-
-Transaction nodes have a unique DNS name and public endpoints.
-
-To view a transaction node's endpoint details:
-
-1. In the Azure portal, navigate to one of your Azure Blockchain Service member transaction nodes and select **Overview**.
-
- ![Screen capture shows the overview for transaction nodes for a blockchain member.](./media/configure-transaction-nodes/endpoints.png)
-
-Transaction node endpoints are secure and require authentication. You can connect to a transaction endpoint using Azure AD authentication, HTTPS basic authentication, and using an access key over HTTPS or Websocket over TLS.
-
-### Azure Active Directory access control
-
-Azure Blockchain Service transaction node endpoints support Azure Active Directory (Azure AD) authentication. You can grant Azure AD user, group, and service principal access to your endpoint.
-
-To grant Azure AD access control to your endpoint:
-
-1. In the Azure portal, navigate to your Azure Blockchain Service member and select **Transaction nodes > Access control (IAM) > Add > Add role assignment**.
-1. Create a new role assignment for a user, group, or service principal (application roles).
-
- ![Add IAM role](./media/configure-transaction-nodes/add-role.png)
-
- | Setting | Action |
- ||-|
- | Role | Select **Owner**, **Contributor**, or **Reader**.
- | Assign access to | Select **Azure AD user, group, or service principal**.
- | Select | Search for the user, group, or service principal you want to add.
-
-1. Select **Save** to add the role assignment.
-
-For more information on Azure AD access control, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md)
-
-For details on how to connect using Azure AD authentication, see [connect to your node using AAD authentication](configure-aad.md).
-
-### Basic authentication
-
-For HTTPS basic authentication, user name and password credentials are passed in the HTTPS header of the request to the endpoint.
-
-You can view a transaction node's basic authentication endpoint details in the Azure portal. Navigate to one of your Azure Blockchain Service member transaction nodes and select **Basic Authentication** in settings.
-
-![Basic authentication](./media/configure-transaction-nodes/basic.png)
-
-The user name is the name of your node and cannot be changed.
-
-To use the URL, replace \<password\> with the password set when the node was provisioned. You can update the password by selecting **Reset password**.
-
-### Access keys
-
-For access key authentication, the access key is included in the endpoint URL. When the transaction node is provisioned, two access keys are generated. Either access key can be used for authentication. Two keys enable you to change and rotate keys.
-
-You can view a transaction node's access key details and copy endpoint addresses that include the access keys. Navigate to one of your Azure Blockchain Service member transaction nodes and select **Access Keys** in settings.
-
-### Firewall rules
-
-Firewall rules enable you to limit the IP addresses that can attempt to authenticate to your transaction node. If no firewall rules are configured for your transaction node, it cannot be accessed by any party.
-
-To view a transaction node's firewall rules, navigate to one of your Azure Blockchain Service member transaction nodes and select **Firewall rules** in settings.
-
-You can add firewall rules by entering a rule name, starting IP address, and an ending IP address in the **Firewall rules** grid.
-
-![Firewall rules](./media/configure-transaction-nodes/firewall-rules.png)
-
-To enable:
-
-* **Single IP address:** Configure the same IP address for the starting and ending IP addresses.
-* **IP address range:** Configure the starting and ending IP address range. For example, a range starting at 10.221.34.0 and ending at 10.221.34.255 would enable the entire 10.221.34.xxx subnet.
-* **Allow all IP addresses:** Configure the starting IP address to 0.0.0.0 and the ending IP address to 255.255.255.255.
-
-## Connection strings
-
-Connection string syntax for your transaction node is provided for basic authentication or using access keys. Connection strings including access keys over HTTPS and WebSockets are provided.
-
-You can view a transaction node's connection strings and copy endpoint addresses. Navigate to one of your Azure Blockchain Service member transaction nodes and select **Connection strings** in settings.
-
-![Connection strings](./media/configure-transaction-nodes/connection-strings.png)
-
-## Sample code
-
-Sample code is provided to quickly enable connecting to your transaction node via Web3, Nethereum, Web3js, and Truffle.
-
-You can view a transaction node's sample connection code and copy it to use with popular developer tools. Go to one of your Azure Blockchain Service member transaction nodes and select **Sample Code** in settings.
-
-Choose the Web3, Nethereum, Truffle, or Web3j tab to view the code sample you want to use.
-
-![Sample code](./media/configure-transaction-nodes/sample-code.png)
-
-## Next steps
-
-> [!div class="nextstepaction"]
-> [Configure transaction nodes using Azure CLI](manage-cli.md)
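Review bot: the image references in this hunk (`./media/configure-transaction-nodes/nodes.png`, `add-node.png`, `endpoints.png`, `add-role.png`, `basic.png`, `firewall-rules.png`, `connection-strings.png`, `sample-code.png`) have no matching removals in the visible diff, and the same holds for `./media/configure-aad/add-role-assignment.png` in the preceding hunk; the media directories should be deleted together with the articles, otherwise the binaries stay orphaned in the repo. The Next steps target `[Configure transaction nodes using Azure CLI](manage-cli.md)` is also not removed here; confirm manage-cli.md is deleted in the same change or that it no longer links back to this article.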
blockchain Connect Geth https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/connect-geth.md
- Title: Use Geth to attach to Azure Blockchain Service
-description: Attach to a Geth instance on Azure Blockchain Service transaction node
Previously updated : 05/26/2020--
-#Customer intent: As a developer, I want to connect to my blockchain member transaction node so that I can perform actions on a blockchain.
--
-# Quickstart: Use Geth to attach to an Azure Blockchain Service transaction node
-
-In this quickstart, you use the Geth client to attach to a Geth instance on an Azure Blockchain Service transaction node. Once attached, you use the Geth console to call an Ethereum JavaScript API.
---
-## Prerequisites
-
-* Install [Geth](https://github.com/ethereum/go-ethereum/wiki/geth)
-* Complete [Quickstart: Create a blockchain member using the Azure portal](create-member.md) or [Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI](create-member-cli.md)
-
-## Get Geth connection string
-
-You can get the Geth connection string for an Azure Blockchain Service transaction node in the Azure portal.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Go to your Azure Blockchain Service member. Select **Transaction nodes** and the default transaction node link.
-
- ![Select default transaction node](./media/connect-geth/transaction-nodes.png)
-
-1. Select **Connection strings**.
-1. Copy the connection string from **HTTPS (Access key 1)**. You need the string for the next section.
-
- ![Connection string](./media/connect-geth/connection-string.png)
-
-## Connect to Geth
-
-1. Open a command prompt or shell.
-1. Use the Geth attach subcommand to attach to the running Geth instance on your transaction node. Paste the connection string as an argument for the attach subcommand. For example:
-
- ``` bash
- geth attach <connection string>
- ```
-
-1. Once connected to the transaction node's Ethereum console, you can use the Ethereum JavaScript API.
-
- For example, use the following API to find out the chainId.
-
- ``` bash
- admin.nodeInfo.protocols.istanbul.config.chainId
- ```
-
- In this example, the chainId is 661.
-
- ![Azure Blockchain Service option](./media/connect-geth/geth-attach.png)
-
-1. To disconnect from the console, type `exit`.
-
-## Next steps
-
-In this quickstart, you used the Geth client to attach to a Geth instance on an Azure Blockchain Service transaction node. Try the next tutorial to use Azure Blockchain Development Kit for Ethereum to create, build, deploy, and execute a smart contract function via a transaction.
-
-> [!div class="nextstepaction"]
-> [Create, build, and deploy smart contracts on Azure Blockchain Service](send-transaction.md)
blockchain Connect Metamask https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/connect-metamask.md
- Title: Connect MetaMask to an Azure Blockchain Service network
-description: Connect to an Azure Blockchain Service network using MetaMask and deploy a smart contract.
Previously updated : 09/12/2019--
-#Customer intent: As a developer, I want to connect to my blockchain member node so that I can perform actions on a blockchain.
--
-# Quickstart: Use MetaMask to connect and deploy a smart contract
-
-In this quickstart you'll use MetaMask to connect to an Azure Blockchain Service network and use Remix to deploy a smart contract. Metamask is a browser extension to manage an Ether wallet and perform smart contract actions.
---
-## Prerequisites
-
-* Complete [Quickstart: Create a blockchain member using the Azure portal](create-member.md) or [Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI](create-member-cli.md)
-* Install [MetaMask browser extension](https://metamask.io)
-* Generate a MetaMask [wallet](https://metamask.zendesk.com/hc/en-us/articles/360015488971-New-to-MetaMask-Learn-How-to-Setup-MetaMask-the-First-Time)
-
-## Get endpoint address
-
-You need the Azure Blockchain Service endpoint address to connect to the blockchain network. The endpoint address and access keys are in the Azure portal.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Navigate to your Azure Blockchain Service member.
-1. Select **Transaction nodes** and the default transaction node link.
-
- ![Select default transaction node](./media/connect-metamask/transaction-nodes.png)
-
-1. Select **Connection strings > Access keys**.
-1. Copy the endpoint address from **HTTPS (Access key 1)**.
-
- ![Connection string](./media/connect-metamask/connection-string.png)
-
-## Connect MetaMask
-
-1. Open MetaMask browser extension and sign in.
-1. In the network dropdown, select **Custom RPC**.
-
- ![Custom RPC](./media/connect-metamask/custom-rpc.png)
-
-1. In **New Network > New RPC URL**, paste the endpoint address you copied above.
-1. Select **Save**.
-
- If connection was successful, the private network displays in the network drop-down.
-
- ![New network](./media/connect-metamask/new-network.png)
-
-## Deploy smart contract
-
-Remix is a browser-based Solidity development environment. Using MetaMask and Remix together, you can deploy and take actions on smart contracts.
-
-1. In your browser, navigate to `https://remix.ethereum.org`.
-1. Select **New file** in the **Home** tab under **File**.
-
- Name the new file `simple.sol`.
-
- ![Create file](./media/connect-metamask/create-file.png)
-
- Select **OK**.
-1. In the Remix editor, paste in the following **simple smart contract** code.
-
- ```solidity
- pragma solidity ^0.5.0;
-
- contract simple {
- uint balance;
-
- constructor() public{
- balance = 0;
- }
-
- function add(uint _num) public {
- balance += _num;
- }
-
- function get() public view returns (uint){
- return balance;
- }
- }
- ```
-
- The **simple contract** declares a state variable named **balance**. There are two functions defined. The **add** function adds a number to **balance**. The **get** function returns the value of **balance**.
-1. To compile the contract, first select the Solidity compiler pane then select the **Compile simple.sol**.
-
- ![Screen capture shows a contract being compiled.](./media/connect-metamask/compile.png)
-
-1. Select the **Deploy & Run** pane then set the **Environment** to **Injected Web3** to connect through MetaMask to your blockchain member.
-
- ![Run tab](./media/connect-metamask/injected-web3.png)
-
-1. Select the **simple** contract, then **Deploy**.
-
- ![Screen capture shows deploy and run transactions with a contract selected and Deploy selected.](./media/connect-metamask/deploy.png)
--
-1. A MetaMask notification alerts you of insufficient funds to perform the transaction.
-
- For a public blockchain network, you would need Ether to pay for the transaction cost. Since this is a private network in a consortium, you can set gas price to zero.
-
-1. Select **Gas Fee > Edit > Advanced**, set the **Gas Price** to 0.
-
- ![Gas price](./media/connect-metamask/gas-price.png)
-
- Select **Save**.
-
-1. Select **Confirm** to deploy the smart contract to the blockchain.
-1. In the **Deployed Contracts** section, expand the **simple** contract.
-
- ![Deployed contract](./media/connect-metamask/deployed-contract.png)
-
- Two actions, **add** and **get**, map to the functions defined in the contract.
-
-1. To perform an **add** transaction on the blockchain, enter a number to add, then select **add**. You may get a gas estimation failure message from Remix: "You are sending the transaction to a private blockchain that does not require gas." Select **Send Transaction** to force the transaction.
-1. Similar to when you deployed the contract, a MetaMask notification alerts you of insufficient funds to perform the transaction.
-
- Since this is a private network in a consortium, we can set gas price to zero.
-
-1. Select **Gas Fee > Edit > Advanced**, set the **Gas Price** to 0, and select **Save**.
-1. Select **Confirm** to send the transaction to the blockchain.
-1. Select **get** action. This is a call to query node data. A transaction isn't needed.
-
-The debug pane of Remix shows details about the transactions on the blockchain:
-
-![Debug history](./media/connect-metamask/debug.png)
-
-You can see the **simple** contract creation, transaction for **simple.add**, and call to **simple.get**.
-
-To see transaction history in MetaMask, open the MetaMask browser extension and look in the **History** section for a log of the deployed contract and transactions.
-
-## Next steps
-
-In this quickstart, you used the MetaMask browser extension to connect to an Azure Blockchain Service transaction node, deploy a smart contract, and send a transaction to the blockchain. Try the next tutorial to use Azure Blockchain Development Kit for Ethereum and Truffle to create, build, deploy, and execute a smart contract function via a transaction.
-
-> [!div class="nextstepaction"]
-> [Create, build, and deploy smart contracts on Azure Blockchain Service](send-transaction.md)
blockchain Connect Vscode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/connect-vscode.md
- Title: Use Visual Studio Code to connect to Azure Blockchain Service
-description: Connect to an Azure Blockchain Service consortium network using the Azure Blockchain Development Kit for Ethereum extension in Visual Studio Code
Previously updated : 12/04/2020--
-#Customer intent: As a developer, I want to connect to my blockchain consortium so that I can perform actions on a blockchain.
--
-# Quickstart: Use Visual Studio Code to connect to an Azure Blockchain Service consortium network
-
-In this quickstart, you install and use the Azure Blockchain Development Kit for Ethereum Visual Studio Code (VS Code) extension to attach to a consortium on Azure Blockchain Service. The Azure Blockchain Development Kit simplifies how you create, connect, build, and deploy smart contracts on Ethereum blockchain ledgers.
---
-## Prerequisites
-
-* Complete [Quickstart: Create a blockchain member using the Azure portal](create-member.md) or [Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI](create-member-cli.md)
-* [Visual Studio Code](https://code.visualstudio.com/Download)
-* [Azure Blockchain Development Kit for Ethereum extension](https://marketplace.visualstudio.com/items?itemName=AzBlockchain.azure-blockchain)
-* [Node.js 10.15.x or higher](https://nodejs.org)
-* [Git 2.10.x or higher](https://git-scm.com)
-* [Truffle 5.0.0](https://www.trufflesuite.com/docs/truffle/getting-started/installation)
-* [Ganache CLI 6.0.0](https://github.com/trufflesuite/ganache-cli)
-
-On Windows, an installed C++ compiler is required for the node-gyp module. You can use the MSBuild tools:
-
-* If Visual Studio 2017 is installed, configure npm to use the MSBuild tools with the command `npm config set msvs_version 2017 -g`
-* If Visual Studio 2019 is installed, set the MS build tools path for npm. For example, `npm config set msbuild_path "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"`
-* Otherwise, install the stand-alone VS Build tools using `npm install --global windows-build-tools` in an elevated *Run as administrator* command shell.
-
-For more information about node-gyp, see the [node-gyp repository on GitHub](https://github.com/nodejs/node-gyp).
-
-### Verify Azure Blockchain Development Kit environment
-
-Azure Blockchain Development Kit verifies your development environment prerequisites have been met. To verify your development environment:
-
-From the VS Code command palette, choose **Blockchain: Show Welcome Page**.
-
-Azure Blockchain Development Kit runs a validation script that takes about a minute to complete. You can view the output by selecting **Terminal > New Terminal**. In the terminal menu bar, select the **Output** tab and **Azure Blockchain** in the dropdown. Successful validation looks like the following image:
-
-![Valid development environment](./media/connect-vscode/valid-environment.png)
-
- If you are missing a required tool, a new tab named **Azure Blockchain Development Kit - Preview** lists the required tools with download links.
-
-![Dev kit required apps](./media/connect-vscode/required-apps.png)
-
-Install any missing prerequisites before continuing with the quickstart.
-
-## Connect to consortium member
-
-You can connect to consortium members using the Azure Blockchain Development Kit VS Code extension. Once connected to a consortium, you can compile, build, and deploy smart contracts to an Azure Blockchain Service consortium member.
-
-If you don't have access to an Azure Blockchain Service consortium member, complete the prerequisite [Quickstart: Create a blockchain member using the Azure portal](create-member.md) or [Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI](create-member-cli.md).
-
-1. In the VS Code explorer pane, expand the **Azure Blockchain** extension.
-1. Select **Connect to network**.
-
- ![Connect to network](./media/connect-vscode/connect-consortium.png)
-
- If prompted for Azure authentication, follow the prompts to authenticate using a browser.
-1. Choose **Azure Blockchain Service** in the command palette dropdown.
-1. Choose the subscription and resource group associated with your Azure Blockchain Service consortium member.
-1. Choose your consortium from the list.
-
-The consortium and blockchain members are listed in the VS Code explorer side bar.
-
-![Consortium displayed in explorer](./media/connect-vscode/consortium-node.png)
-
-## Next steps
-
-In this quickstart, you used Azure Blockchain Development Kit for Ethereum VS Code extension to attach to a consortium on Azure Blockchain Service. Try the next tutorial to use Azure Blockchain Development Kit for Ethereum to create, build, deploy, and execute a smart contract function via a transaction.
-
-> [!div class="nextstepaction"]
-> [Create, build, and deploy smart contracts on Azure Blockchain Service](send-transaction.md)
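Review bot: connect-geth.md, connect-metamask.md and connect-vscode.md (the three preceding hunks) all list `[Quickstart: Create a blockchain member using the Azure portal](create-member.md)` and `create-member-cli.md` as prerequisites and all end with `[Create, build, and deploy smart contracts on Azure Blockchain Service](send-transaction.md)`; create-member-cli.md is deleted later in this diff, but neither create-member.md nor send-transaction.md appears as a removal in the visible diff. If either survives and links back to these quickstarts, those links now dangle; confirm both are deleted (or redirected) in the same change rather than leaving the three quickstarts as half-removed pairs.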
blockchain Consortium https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/consortium.md
- Title: Azure Blockchain Service consortium
-description: Overview of how Azure Blockchain service implements consortium blockchain networks.
Previously updated : 11/21/2019--
-#Customer intent: As a network operator, I want to understand how a consortium works in Azure Blockchain Service so I can manage participants in the consortium.
--
-# Azure Blockchain Service consortium
-
-Using Azure Blockchain Service, you can create private consortium blockchain networks where each blockchain network can be limited to specific participants in the network. Only participants in the private consortium blockchain network can view and interact with the blockchain. Consortium networks in Azure Blockchain Service can contain two types of member participant roles:
-
-* **Administrator** - Privileged participants who can take consortium management actions and can participate in blockchain transactions.
-
-* **User** - Participants who cannot take any consortium management action but can participate in blockchain transactions.
-
-Consortium networks can be a mix of participant roles and can have an arbitrary number of each role type. There must be at least one administrator.
-
-The following diagram shows a consortium network with multiple participants:
-
-![Private consortium network diagram](./media/consortium/network-diagram.png)
-
-With consortium management in Azure Blockchain Service, you can manage participants in the consortium network. Management of the consortium is based on the consensus model of the network. In the current preview release, Azure Blockchain Service provides a centralized consensus model for consortium management. Any privileged participant with an administer role can take consortium management actions, such as adding or removing participants from a network.
-
-## Roles
-
-Participants in a consortium can be individuals or organizations and can be assigned a user role or an administrator role. The following table lists the high-level differences between the two roles:
-
-| Action | User role | Administrator role
-|--|:-:|::|
-| Create new member | Yes | Yes |
-| Invite new members | No | Yes |
-| Set or change member participant role | No | Yes |
-| Change member display name | Only for own member | Only for own member |
-| Remove members | Only for own member | Yes |
-| Participate in blockchain transactions | Yes | Yes |
-
-### User role
-
-Users are consortium participants with no administrator capabilities. They cannot participate in managing members related to the consortium. Users can change their member display name and can remove themselves from a consortium.
-
-### Administrator
-
-An administrator can manage members within the consortium. An administrator can invite members, remove members, or update members roles within the consortium.
-There must always be at least one administrator within a consortium. The last administrator must specify another participant as an administrator role before leaving a consortium.
-
-## Managing members
-
-Only administrators can invite other participants to the consortium. Administrators invite participants using their Azure subscription ID.
-
-Once invited, participants can join the blockchain consortium by deploying a new member in Azure Blockchain Service. To view and join the invited consortium, you must specify the same Azure subscription ID used in the invite by the network administrator.
-
-Administrators can remove any participant from the consortium, including other administrators. Members can only remove themselves from a consortium.
-
-## Consortium management smart contract
-
-Consortium management in Azure Blockchain Service is done via consortium management smart contracts. The smart contracts are automatically deployed to your nodes when you deploy a new blockchain member.
-
-The address of the root consortium management smart contract can be viewed in the Azure portal. The **RootContract address** is in blockchain member's overview section.
-
-![RootContract address](./media/consortium/rootcontract-address.png)
-
-You can interact with the consortium management smart contract using the consortium management [PowerShell module](manage-consortium-powershell.md), Azure portal, or directly through the smart contract using the Azure Blockchain Service generated Ethereum account.
-
-## Ethereum account
-
-When a member is created, an Ethereum account key is created. Azure Blockchain Service uses the key to create transactions related to consortium management. The Ethereum account key is managed by Azure Blockchain Service automatically.
-
-The member account can be viewed in the Azure portal. The member account is in blockchain member's overview section.
-
-![Member account](./media/consortium/member-account.png)
-
-You can reset your Ethereum account by clicking on your member account and entering a new password. Both the Ethereum account address and the password will be reset.
-
-## Next steps
-
-Consortium management actions can be accessed through PowerShell. For more information, see [Manage consortium members in Azure Blockchain Service using PowerShell](manage-consortium-powershell.md).
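Review bot: the removed consortium.md is still linked twice from the create-member-cli.md hunk that follows (`[Azure Blockchain Service consortium](consortium.md)` in the member description and again in the `consortium` parameter row), which is consistent only because that article is deleted in the same diff; the Next steps target here, `[Manage consortium members in Azure Blockchain Service using PowerShell](manage-consortium-powershell.md)`, which this article also references from the "Consortium management smart contract" section, has no corresponding removal in the visible diff. Confirm manage-consortium-powershell.md is deleted or redirected in the same change so the PowerShell article does not remain published while the consortium roles and Ethereum account concepts it depends on are gone.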
blockchain Create Member Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-cli.md
- Title: Create an Azure Blockchain Service member - Azure CLI
-description: Create an Azure Blockchain Service member for a blockchain consortium using the Azure CLI.
Previously updated : 07/23/2020---
-#Customer intent: As a network operator, I want use Azure Blockchain Service so that I can create a blockchain member on Azure
--
-# Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI
-
-In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using Azure CLI.
---
-## Prerequisites
-
-None.
-
-## Launch Azure Cloud Shell
-
-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
-
-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.
-
-If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.51 or later. Run `az --version` to find the version. If you need to install or upgrade, see [install Azure CLI](/cli/azure/install-azure-cli).
-
-## Prepare your environment
-
-1. Sign in.
-
- Sign in using the [az login](/cli/azure/reference-index#az_login) command if you're using a local install of the CLI.
-
- ```azurecli
- az login
- ```
-
- Follow the steps displayed in your terminal to complete the authentication process.
-
-1. Install the Azure CLI extension.
-
- When working with extension references for the Azure CLI, you must first install the extension. Azure CLI extensions give you access to experimental and pre-release commands that have not yet shipped as part of the core CLI. To learn more about extensions including updating and uninstalling, see [Use extensions with Azure CLI](/cli/azure/azure-cli-extensions-overview).
-
- Install the [extension for Azure Blockchain Service](/cli/azure/blockchain) by running the following command:
-
- ```azurecli-interactive
- az extension add --name blockchain
- ```
-
-1. Create a resource group.
-
- Azure Blockchain Service, like all Azure resources, must be deployed into a resource group. Resource groups allow you to organize and manage related Azure resources.
-
- For this quickstart, create a resource group named _myResourceGroup_ in the _eastus_ location with the following [az group create](/cli/azure/group#az_group_create) command:
-
- ```azurecli-interactive
- az group create \
- --name "myResourceGroup" \
- --location "eastus"
- ```
-
-## Create a blockchain member
-
-An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network. When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
-
-There are several parameters and properties you need to pass. Replace the example parameters with your values.
-
-```azurecli-interactive
-az blockchain member create \
- --resource-group "MyResourceGroup" \
- --name "myblockchainmember" \
- --location "eastus" \
- --password "strongMemberAccountPassword@1" \
- --protocol "Quorum" \
- --consortium "myconsortium" \
- --consortium-management-account-password "strongConsortiumManagementPassword@1" \
- --sku "Basic"
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources are created. Use the resource group you created in the previous section.
-| **name** | A unique name that identifies your Azure Blockchain Service blockchain member. The name is used for the public endpoint address. For example, `myblockchainmember.blockchain.azure.com`.
-| **location** | Azure region where the blockchain member is created. For example, `westus2`. Choose the location that is closest to your users or your other Azure applications. Features may not be available in some regions. Azure Blockchain Data Manager is available in the following Azure regions: East US and West Europe.
-| **password** | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint.
-| **protocol** | Blockchain protocol. Currently, *Quorum* protocol is supported.
-| **consortium** | Name of the consortium to join or create. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
-| **consortium-management-account-password** | The consortium account password is also known as the member account password. The member account password is used to encrypt the private key for the Ethereum account that is created for your member. You use the member account and member account password for consortium management.
-| **sku** | Tier type. *Standard* or *Basic*. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. Also use the *Standard* tier if you are using Blockchain Data Manager or sending a high volume of private transactions. Changing the pricing tier between basic and standard after member creation is not supported.
-
-It takes about 10 minutes to create the blockchain member and supporting resources.
-
-## Clean up resources
-
-You can use the blockchain member you created for the next quickstart or tutorial. When no longer needed, you can delete the resources by deleting the `myResourceGroup` resource group you created for the quickstart.
-
-Run the following command to remove the resource group and all related resources.
-
-```azurecli-interactive
-az group delete \
- --name myResourceGroup \
- --yes
-```
-
-## Next steps
-
-In this quickstart, you deployed an Azure Blockchain Service member and a new consortium. Try the next quickstart to use Azure Blockchain Development Kit for Ethereum to attach to an Azure Blockchain Service member.
-
-> [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
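Review bot: the removed CLI quickstart's member-create example passes both secrets as command-line literals (`--password "strongMemberAccountPassword@1"` and `--consortium-management-account-password "strongConsortiumManagementPassword@1"`), which puts them in shell history and process listings; the PowerShell quickstart removed in this same change prompts for them with `Read-Host -AsSecureString`, and that pattern is the one to carry forward if any of this content is kept or re-homed. The example also creates the group as `"myResourceGroup"` but references it as `"MyResourceGroup"` in `az blockchain member create`, and its outgoing links to consortium.md and connect-vscode.md should be confirmed retired or redirected in the same commit so the deletion leaves no dangling cross-links.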
blockchain Create Member Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-powershell.md
- Title: Create an Azure Blockchain Service member - Azure PowerShell
-description: Create an Azure Blockchain Service member for a blockchain consortium using Azure PowerShell.
- Previously updated : 9/22/2020--
- - references_regions
- - devx-track-azurepowershell
- - mode-api
-#Customer intent: As a network operator, I want use Azure Blockchain Service so that I can create a blockchain member on Azure
--
-# Quickstart: Create an Azure Blockchain Service blockchain member using Azure PowerShell
-
-In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using Azure PowerShell.
--
-## Prerequisites
-
-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account
-before you begin.
-
-If you choose to use PowerShell locally, this article requires that you install the Az PowerShell
-module and connect to your Azure account using the
-[Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount)
-cmdlet. For more information about installing the Az PowerShell module, see
-[Install Azure PowerShell](/powershell/azure/install-az-ps).
-
-> [!IMPORTANT]
-> While the **Az.Blockchain** PowerShell module is in preview, you must install it separately from from
-> the Az PowerShell module using the `Install-Module` cmdlet. Once this PowerShell module becomes
-> generally available, it becomes part of future Az PowerShell module releases and available
-> natively from within Azure Cloud Shell.
-
-```azurepowershell-interactive
-Install-Module -Name Az.Blockchain
-```
--
-## Register resource provider
-
-If this is your first time using the Azure Blockchain service, you must register the
-**Microsoft.Blockchain** resource provider.
-
-```azurepowershell-interactive
-Register-AzResourceProvider -ProviderNamespace Microsoft.Blockchain
-```
-
-## Choose a specific Azure subscription
-
-If you have multiple Azure subscriptions, choose the appropriate subscription in which the resources
-should be billed. Select a specific subscription using the
-[Set-AzContext](/powershell/module/az.accounts/set-azcontext) cmdlet.
-
-```azurepowershell-interactive
-Set-AzContext -SubscriptionId 00000000-0000-0000-0000-000000000000
-```
-
-## Define variables
-
-You'll be using several pieces of information repeatedly. Create variables to store the information.
-
-```azurepowershell-interactive
-# Name of resource group used throughout this article
-$resourceGroupName = 'myResourceGroup'
-
-# Azure region
-$location = 'eastus'
-```
-
-## Create a resource group
-
-Create an [Azure resource group](../../azure-resource-manager/management/overview.md)
-using the [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup)
-cmdlet. A resource group is a logical container in which Azure resources are deployed and managed as
-a group.
-
-The following example creates a resource group based on the name in the `$resourceGroupName`
-variable in the region specified in the `$location` variable.
-
-```azurepowershell-interactive
-New-AzResourceGroup -Name $resourceGroupName -Location $location
-```
-
-## Create a blockchain member
-
-An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network.
-When provisioning a member, you can create or join a consortium network. You need at least one
-member for a consortium network. The number of blockchain members needed by participants depends on
-your scenario. Consortium participants may have one or more blockchain members or they may share
-members with other participants. For more information on consortia, see
-[Azure Blockchain Service consortium](consortium.md).
-
-There are several parameters and properties you need to pass. Replace the example parameters with
-your values.
-
-```azurepowershell-interactive
-$passwd = Read-Host -Prompt 'Enter the members default transaction node password' -AsSecureString
-$csPasswd = Read-Host -Prompt 'Enter the consortium account password' -AsSecureString
-
-$memberParams = @{
- Name = 'myblockchainmember'
- ResourceGroupName = $resourceGroupName
- Consortium = 'myconsortium'
- ConsortiumManagementAccountPassword = $csPasswd
- Location = $location
- Password = $passwd
- Protocol = 'Quorum'
- Sku = 'S0'
-}
-New-AzBlockchainMember @memberParams
-```
-
-| Parameter | Description |
-||-|
-| **ResourceGroupName** | Resource group name where Azure Blockchain Service resources are created. Use the resource group you created in the previous section.
-| **Name** | A unique name that identifies your Azure Blockchain Service blockchain member. The name is used for the public endpoint address. For example, `myblockchainmember.blockchain.azure.com`.
-| **Location** | Azure region where the blockchain member is created. For example, `westus2`. Choose the location that is closest to your users or your other Azure applications. Features may not be available in some regions. Azure Blockchain Data Manager is available in the following Azure regions: East US and West Europe.
-| **Password** | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint.
-| **Protocol** | Blockchain protocol. Currently, _Quorum_ protocol is supported.
-| **Consortium** | Name of the consortium to join or create. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
-| **ConsortiumManagementAccountPassword** | The consortium account password is also known as the member account password. The member account password is used to encrypt the private key for the Ethereum account that is created for your member. You use the member account and member account password for consortium management.
-| **Sku** | Tier type. **S0** for standard or **B0** for basic. Use the _Basic_ tier for development, testing, and proof of concepts. Use the _Standard_ tier for production grade deployments. You should also use the _Standard_ tier if you are using Blockchain Data Manager or sending a high volume of private transactions. Changing the pricing tier between basic and standard after member creation is not supported.
-
-It takes about 10 minutes to create the blockchain member and supporting resources.
-
-## Clean up resources
-
-You can use the blockchain member you created for the next quickstart or tutorial. When no longer
-needed, you can delete the resources by deleting the `myResourceGroup` resource group you created
-for the quickstart.
-
-> [!CAUTION]
-> The following example deletes the specified resource group and all resources contained within it.
-> If resources outside the scope of this article exist in the specified resource group, they will
-> also be deleted.
-
-```azurepowershell-interactive
-Remove-AzResourceGroup -Name $resourceGroupName
-```
-
-## Next steps
-
-In this quickstart, you deployed an Azure Blockchain Service member and a new consortium. Try the
-next quickstart to use Azure Blockchain Development Kit for Ethereum to attach to an Azure
-Blockchain Service member.
-
-> [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
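Review bot: the removed PowerShell quickstart handles secrets correctly by reading `$passwd` and `$csPasswd` with `Read-Host -AsSecureString` and splatting them into `New-AzBlockchainMember`, and it carries a `[!CAUTION]` that `Remove-AzResourceGroup` deletes everything in the group; if the article is archived or its steps migrated anywhere, keep both. Two smaller points in the removed text: the `[!IMPORTANT]` block has a duplicated word ("separately from from"), and the example sets `Sku = 'S0'` (the Standard tier the table reserves for production) rather than the `B0` basic tier it recommends for development and testing, so a reader following it verbatim provisions the more expensive tier. The Next steps link to connect-vscode.md and the consortium.md references should be covered by the same redirect or removal.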
blockchain Create Member Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-template.md
- Title: Create an Azure Blockchain Service member by using Azure Resource Manager template
-description: Learn how to create an Azure Blockchain Service member by using Azure Resource Manager template.
- Previously updated : 05/11/2021---
- - subject-armqs
- - references_regions
- - mode-arm
--
-# Quickstart: Create an Azure Blockchain Service member using an ARM template
-
-In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using an Azure Resource Manager template (ARM template).
--
-An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network. When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
--
-If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-
-[![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.blockchain%2Fblockchain-asaservice%2Fazuredeploy.json)
-
-## Prerequisites
-
-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account before you begin.
-
-## Review the template
-
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/blockchain-asaservice/).
--
-Azure resources defined in the template:
-
-* [**Microsoft.Blockchain/blockchainMembers**](/azure/templates/microsoft.blockchain/blockchainmembers)
-
-## Deploy the template
-
-1. Select the following link to sign in to Azure and open a template.
-
- [![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.blockchain%2Fblockchain-asaservice%2Fazuredeploy.json)
-
-1. Specify the settings for the Azure Blockchain Service member.
-
- Setting | Description
- --|
- Subscription | Select the Azure subscription that you want to use for your service. If you have multiple subscriptions, choose the subscription in which you get billed for the resource.
- Resource group | Create a new resource group name or choose an existing one from your subscription.
- Region | Choose a region to create the resource group. All members of the consortium must be in the same location. Available locations for the deployment are *westeurope, eastus, southeastasia, westeurope, northeurope, westus2*, and *japaneast*. Features may not be available in some regions. Azure Blockchain Data Manager is available in the following Azure regions: East US and West Europe.
- Bc Member name | Choose a unique name for the Azure Blockchain Service member. The blockchain member name can only contain lowercase letters and numbers. The first character must be a letter. The value must be between 2 and 20 characters long.
- Consortium name | Enter a unique name. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
- Member password | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint.
- Consortium Management Account Password | The consortium account password is used to encrypt the private key for the Ethereum account that is created for your member. It is used for consortium management.
- Sku tier | The pricing tier for your new service. Choose between **Standard** and **Basic** tiers. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. Also use the *Standard* tier if you are using Blockchain Data Manager or sending a high volume of private transactions. Changing the pricing tier between basic and standard after member creation is not supported.
- Sku name | The node configuration and cost for your new service. Use **B0** for Basic and **S0** for Standard.
- Location | Choose a location to create the member. By default, the resource group location is used `[resourceGroup().location]`. All members of the consortium must be in the same location. Available locations for the deployment are *westeurope, eastus, southeastasia, westeurope, northeurope, westus2*, and *japaneast*. Features may not be available in some regions. Azure Blockchain Data Manager is available in the following Azure regions: East US and West Europe.
-
-1. Select **Review + Create** to verify and deploy the template.
-
- The Azure portal is used here to deploy the template. You can also use the Azure PowerShell, Azure CLI, and REST API. To learn other deployment methods, see [Deploy templates](../../azure-resource-manager/templates/deploy-powershell.md).
-
-## Review deployed resources
-
-You can use the Azure portal to view details of the deployed Azure Blockchain Service member. In the portal, go to the resource group containing your Azure Blockchain Service member. Select the blockchain member you created.
-
-![Deployed Azure Blockchain Member overview details in the Azure portal](./media/create-member-template/deployed-member.png)
-
-## Clean up resources
-
-You can use the blockchain member you created for the next quickstart or tutorial. When no longer needed, you can delete the resources by deleting the resource group you created for the quickstart.
-
-To delete the resource group:
-
-1. In the Azure portal, navigate to **Resource group** in the left navigation pane and select the resource group you want to delete.
-2. Select **Delete resource group**. Verify deletion by entering the resource group name and select **Delete**.
-
-## Next steps
-
-In this quickstart, you deployed an Azure Blockchain Service member and a new consortium. Try the next quickstart to use Azure Blockchain Development Kit for Ethereum to attach to an Azure Blockchain Service member.
-
-> [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
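Review bot: the removed ARM-template quickstart lists *westeurope* twice in the available-locations list, in both the Region and Location rows of the settings table; not relevant once deleted, but worth noting if the table is reused. The deployed template takes Member password and Consortium Management Account Password as portal inputs, and the only place those values are defined is the linked azuredeploy.json in azure-quickstart-templates, so retiring this page does not retire the public template; confirm the deploy-to-Azure links (two copies of the same portal URL in this hunk) are meant to stay live or are removed alongside it. The consortium.md and connect-vscode.md links need the same redirect handling as the sibling quickstarts.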
blockchain Create Member https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member.md
- Title: Create an Azure Blockchain Service member - Azure portal
-description: Create an Azure Blockchain Service member for a blockchain consortium using the Azure portal.
- Previously updated : 07/16/2020--
- - references_regions
- - mode-portal
-#Customer intent: As a network operator, I want use Azure Blockchain Service so that I can create a managed ledger on Azure.
--
-# Quickstart: Create an Azure Blockchain Service blockchain member using the Azure portal
-
-In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using the Azure portal.
---
-## Prerequisites
-
-None.
-
-## Create a blockchain member
-
-An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network.
-
-When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select **Create a resource** in the upper left-hand corner of the Azure portal.
-1. Select **Blockchain** > **Azure Blockchain Service (preview)**.
-
- ![Create Service](./media/create-member/create-member.png)
-
- Setting | Description
- --|
- Subscription | Select the Azure subscription that you want to use for your service. If you have multiple subscriptions, choose the subscription in which you get billed for the resource.
- Resource group | Create a new resource group name or choose an existing one from your subscription.
- Region | Choose a region to create the member. All members of the consortium must be in the same location. Features may not be available in some regions. Azure Blockchain Data Manager is available in the following Azure regions: East US and West Europe.
- Protocol | Currently, Azure Blockchain Service Preview supports the Quorum protocol.
- Consortium | For a new consortium, enter a unique name. If joining a consortium through an invite, choose the consortium you are joining. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
- Name | Choose a unique name for the Azure Blockchain Service member. The blockchain member name can only contain lowercase letters and numbers. The first character must be a letter. The value must be between 2 and 20 characters long.
- Member account password | The member account password is used to encrypt the private key for the Ethereum account that is created for your member. You use the member account and member account password for consortium management.
- Pricing | The node configuration and cost for your new service. Select the **Change** link to choose between **Standard** and **Basic** tiers. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. Also use the *Standard* tier if you are using Blockchain Data Manager or sending a high volume of private transactions. Changing the pricing tier between basic and standard after member creation is not supported.
- Node password | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint.
-
-1. Select **Review + create** to validate your settings. Select **Create** to provision the service. Provisioning takes about 10 minutes.
-1. Select **Notifications** on the toolbar to monitor the deployment process.
-1. After deployment, navigate to your blockchain member.
-
-Select **Overview**, you can view the basic information about your service including the RootContract address and member account.
-
-![Blockchain member overview](./media/create-member/overview.png)
-
-## Clean up resources
-
-You can use the member you created for the next quickstart or tutorial. When no longer needed, you can delete the resources by deleting the `myResourceGroup` resource group you created for the quickstart.
-
-To delete the resource group:
-
-1. In the Azure portal, navigate to **Resource group** in the left navigation pane and select the resource group you want to delete.
-2. Select **Delete resource group**. Verify deletion by entering the resource group name and select **Delete**.
-
-## Next steps
-
-In this quickstart, you deployed an Azure Blockchain Service member and a new consortium. Try the next quickstart to use Azure Blockchain Development Kit for Ethereum to attach to an Azure Blockchain Service member.
-
-> [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
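Review bot: the removed portal quickstart's Clean up section tells the reader to delete the `myResourceGroup` resource group "you created for the quickstart", but nothing earlier in this article creates a group by that name (the Resource group setting says to create a new name or pick an existing one), so that sentence was copied from the CLI and PowerShell variants; the same applies to "Prerequisites: None." followed by steps that require an Azure subscription. Also, "Select **Overview**, you can view the basic information..." is a comma splice. The article notes that the Overview blade exposes the RootContract address and member account, and, as with the other variants, its consortium.md and connect-vscode.md links should be retired or redirected in the same commit.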
blockchain Data Manager Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager-cli.md
- Title: Configure Blockchain Data Manager using Azure CLI - Azure Blockchain Service
-description: Create and manage a Blockchain Data Manager for Azure Blockchain Service using Azure CLI
Previously updated : 03/30/2020--
-#Customer intent: As a network operator, I want to use Azure CLI to configure Blockchain Data Manager.
-
-# Configure Blockchain Data Manager using Azure CLI
-
-Configure Blockchain Data Manager for Azure Blockchain Service to capture blockchain data send it to an Azure Event Grid Topic.
--
-To configure a Blockchain Data Manager instance, you:
-
-* Create a Blockchain Manager instance
-* Create an input to an Azure Blockchain Service transaction node
-* Create an output to an Azure Event Grid Topic
-* Add a blockchain application
-* Start an instance
-
-## Prerequisites
-
-* Install the latest [Azure CLI](/cli/azure/install-azure-cli) and signed in using `az login`.
-* Complete [Quickstart: Use Visual Studio Code to connect to a Azure Blockchain Service consortium network](connect-vscode.md). Azure Blockchain Service *Standard* tier is recommended when using Blockchain Data Manager.
-* Create an [Event Grid Topic](../../event-grid/custom-event-quickstart-portal.md#create-a-custom-topic)
-* Learn about [Event handlers in Azure Event Grid](../../event-grid/event-handlers.md)
-
-## Launch Azure Cloud Shell
-
-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
-
-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.
-
-If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.51 or later. Run `az --version` to find the version. If you need to install or upgrade, see [install Azure CLI](/cli/azure/install-azure-cli).
-
-## Create a resource group
-
-Create a resource group with the [az group create](/cli/azure/group) command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named *myResourceGroup* in the *eastus* location:
-
-```azurecli-interactive
-az group create --name myRG --location eastus
-```
-
-## Create instance
-
-A Blockchain Data Manager instance monitors an Azure Blockchain Service transaction node. An instance captures all raw block and raw transaction data from the transaction node. Blockchain Data Manager publishes a **RawBlockAndTransactionMsg** message which is a superset of information returned from web3.eth [getBlock](https://web3js.readthedocs.io/en/v1.2.0/web3-eth.html#getblock) and [getTransaction](https://web3js.readthedocs.io/en/v1.2.0/web3-eth.html#gettransaction) queries.
-
-``` azurecli
-az resource create \
- --resource-group <Resource group> \
- --name <Blockchain Data Manager instance name> \
- --resource-type Microsoft.blockchain/watchers \
- --is-full-object \
- --properties <watcher resource properties>
-```
-
-| Parameter | Description |
-|--|-|
-| resource-group | Resource group name where to create the Blockchain Data Manager instance. |
-| name | Name of the Blockchain Data Manager instance. |
-| resource-type | The resource type for a Blockchain Data Manager instance is **Microsoft.blockchain/watchers**. |
-| is-full-object | Indicates properties contain options for the watcher resource. |
-| properties | JSON-formatted string containing properties for the watcher resource. Can be passed as a string or a file. |
-
-### Create instance examples
-
-JSON configuration example to create a Blockchain Manager instance in the **East US** region.
-
-``` json
-{
- "location": "eastus",
- "properties": {
- }
-}
-```
-
-| Element | Description |
-||-|
-| location | Region where to create the watcher resource |
-| properties | Properties to set when creating the watcher resource |
-
-Create a Blockchain Data Manager instance named *mywatcher* using a JSON string for configuration.
-
-``` azurecli-interactive
-az resource create \
- --resource-group myRG \
- --name mywatcher \
- --resource-type Microsoft.blockchain/watchers \
- --is-full-object \
- --properties '{"location":"eastus"}'
-```
-
-Create a Blockchain Data Manager instance named *mywatcher* using a JSON configuration file.
-
-``` azurecli
-az resource create \
- --resource-group myRG \
- --name mywatcher \
- --resource-type Microsoft.blockchain/watchers \
- --is-full-object \
- --properties @watcher.json
-```
-
-## Create input
-
-An input connects Blockchain Data Manager to an Azure Blockchain Service transaction node. Only users with access to the transaction node can create a connection.
-
-``` azurecli
-az resource create \
- --resource-group <Resource group> \
- --name <Input name> \
- --namespace Microsoft.Blockchain \
- --resource-type inputs \
- --parent watchers/<Watcher name> \
- --is-full-object \
- --properties <input resource properties>
-```
-
-| Parameter | Description |
-|--|-|
-| resource-group | Resource group name where to create the input resource. |
-| name | Name of the input. |
-| namespace | Use the **Microsoft.Blockchain** provider namespace. |
-| resource-type | The resource type for a Blockchain Data Manager input is **inputs**. |
-| parent | The path to the watcher to which the input is associated. For example, **watchers/mywatcher**. |
-| is-full-object | Indicates properties contain options for the input resource. |
-| properties | JSON-formatted string containing properties for the input resource. Can be passed as a string or a file. |
-
-### Input examples
-
-Configuration JSON example to create an input resource in the *East US* region that is connected to \<Blockchain member\>.
-
-``` json
-{
- "location": "eastus",
- "properties": {
- "inputType": "Ethereum",
- "dataSource": {
- "resourceId": "/subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.Blockchain/blockchainMembers/<Blockchain member>/transactionNodes/transaction-node"
- }
- }
-}
-```
-
-| Element | Description |
-||-|
-| location | Region where to create the input resource. |
-| inputType | Ledger type of the Azure Blockchain Service member. Currently, **Ethereum** is supported. |
-| resourceId | Transaction node to which the input is connected. Replace \<Subscription ID\>, \<Resource group\>, and \<Blockchain member\> with the values for the transaction node resource. The input connects to the default transaction node for the Azure Blockchain Service member. |
-
-Create an input named *myInput* for *mywatcher* using a JSON string for configuration.
-
-``` azurecli-interactive
-az resource create \
- --resource-group myRG \
- --name myInput \
- --namespace Microsoft.Blockchain \
- --resource-type inputs \
- --parent watchers/mywatcher \
- --is-full-object \
- --properties '{"location":"eastus", "properties":{"inputType":"Ethereum","dataSource":{"resourceId":"/subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.Blockchain/BlockchainMembers/<Blockchain member>/transactionNodes/transaction-node"}}}'
-```
-
-Create an input named *myInput* for *mywatcher* using a JSON configuration file.
-
-``` azurecli
-az resource create \
- --resource-group myRG \
- --name input \
- --namespace Microsoft.Blockchain \ --resource-type inputs \
- --parent watchers/mywatcher \
- --is-full-object \
- --properties @input.json
-```
-
-## Create output
-
-An outbound connection sends blockchain data to Azure Event Grid. You can send blockchain data to a single destination or send blockchain data to multiple destinations. Blockchain Data Manager supports multiple Event Grid Topic outbound connections for any given Blockchain Data Manager instance.
-
-``` azurecli
-az resource create \
- --resource-group <Resource group> \
- --name <Output name> \
- --namespace Microsoft.Blockchain \
- --resource-type outputs \
- --parent watchers/<Watcher name> \
- --is-full-object \
- --properties <output resource properties>
-```
-
-| Parameter | Description |
-|--|-|
-| resource-group | Resource group name where to create the output resource. |
-| name | Name of the output. |
-| namespace | Use the **Microsoft.Blockchain** provider namespace. |
-| resource-type | The resource type for a Blockchain Data Manager output is **outputs**. |
-| parent | The path to the watcher to which the output is associated. For example, **watchers/mywatcher**. |
-| is-full-object | Indicates properties contain options for the output resource. |
-| properties | JSON-formatted string containing properties for the output resource. Can be passed as a string or a file. |
-
-### Output examples
-
-Configuration JSON example to create an output resource in the *East US* region that is connected to an event grid topic named \<event grid topic\>.
-
-``` json
-{
- "location": "eastus",
- "properties": {
- "outputType": "EventGrid",
- "dataSource": {
- "resourceId": "/subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.EventGrid/topics/<event grid topic>"
- }
- }
-}
-```
-
-| Element | Description |
-||-|
-| location | Region where to create the output resource. |
-| outputType | Type of output. Currently, **EventGrid** is supported. |
-| resourceId | Resource to which the output is connected. Replace \<Subscription ID\>, \<Resource group\>, and \<Blockchain member\> with the values for the event grid resource. |
-
-Create an output named *myoutput* for *mywatcher* that connects to an event grid topic using a JSON configuration string.
-
-``` azurecli-interactive
-az resource create \
- --resource-group myRG \
- --name myoutput \
- --namespace Microsoft.Blockchain \
- --resource-type outputs \
- --parent watchers/mywatcher \
- --is-full-object \
- --properties '{"location":"eastus","properties":{"outputType":"EventGrid","dataSource":{"resourceId":"/subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.EventGrid/topics/<event grid topic>"}}}'
-```
-
-Create an output named *myoutput* for *mywatcher* that connects to an event grid topic using a JSON configuration file.
-
-``` azurecli
-az resource create \
- --resource-group myRG \
- --name myoutput \
- --namespace Microsoft.Blockchain \
- --resource-type outputs \
- --parent watchers/mywatcher \
- --is-full-object \
- --properties @output.json
-```
-
-## Add blockchain application
-
-If you add a blockchain application, Blockchain Data Manager decodes event and property state for the application. Otherwise, only raw block and raw transaction data is sent. Blockchain Data Manager also discovers contract addresses when the contract is deployed. You can add multiple blockchain applications to a Blockchain Data Manager instance.
--
-> [!IMPORTANT]
-> Currently, blockchain applications that declare Solidity [array types](https://solidity.readthedocs.io/en/v0.5.12/types.html#arrays) or [mapping types](https://solidity.readthedocs.io/en/v0.5.12/types.html#mapping-types) are not fully supported. Properties declared as array or mapping types will not be decoded in *ContractPropertiesMsg* or *DecodedContractEventsMsg* messages.
-
-``` azurecli
-az resource create \
- --resource-group <Resource group> \
- --name <Application name> \
- --namespace Microsoft.Blockchain \
- --resource-type artifacts \
- --parent watchers/<Watcher name> \
- --is-full-object \
- --properties <Application resource properties>
-```
-
-| Parameter | Description |
-|--|-|
-| resource-group | Resource group name where to create the application resource. |
-| name | Name of the application. |
-| namespace | Use the **Microsoft.Blockchain** provider namespace. |
-| resource-type | The resource type for a Blockchain Data Manager application is **artifacts**. |
-| parent | The path to the watcher to which the application is associated. For example, **watchers/mywatcher**. |
-| is-full-object | Indicates properties contain options for the application resource. |
-| properties | JSON-formatted string containing properties for the application resource. Can be passed as a string or a file. |
-
-### Blockchain application examples
-
-Configuration JSON example to create an application resource in the *East US* region that monitors a smart contract defined by the contract ABI and bytecode.
-
-``` json
-{
- "location": "eastus",
- "properties": {
- "artifactType": "EthereumSmartContract",
- "content": {
- "abiFileUrl": "<ABI URL>",
- "bytecodeFileUrl": "<Bytecode URL>",
- "queryTargetTypes": [
- "ContractProperties",
- "ContractEvents"
- ]
- }
- }
-}
-```
-
-| Element | Description |
-||-|
-| location | Region where to create the application resource. |
-| artifactType | Type of application. Currently, **EthereumSmartContract** is supported. |
-| abiFileUrl | URL for smart contract ABI JSON file. For more information on obtaining contract ABI and creating a URL, see [Get Contract ABI and bytecode](data-manager-portal.md#get-contract-abi-and-bytecode) and [Create contract ABI and bytecode URL](data-manager-portal.md#create-contract-abi-and-bytecode-url). |
-| bytecodeFileUrl | URL for smart contract deployed bytecode JSON file. For more information on obtaining the smart contract deployed bytecode and creating a URL, see [Get Contract ABI and bytecode](data-manager-portal.md#get-contract-abi-and-bytecode) and [Create contract ABI and bytecode URL](data-manager-portal.md#create-contract-abi-and-bytecode-url). Note: Blockchain Data Manager requires the **deployed bytecode**. |
-| queryTargetTypes | Published message types. Specifying **ContractProperties** publishes *ContractPropertiesMsg* message type. Specifying **ContractEvents** publishes *DecodedContractEventsMsg* message type. Note: *RawBlockAndTransactionMsg* and *RawTransactionContractCreationMsg* message types are always published. |
-
-Create an application named *myApplication* for *mywatcher* that monitors a smart contract defined by a JSON string.
-
-``` azurecli-interactive
-az resource create \
- --resource-group myRG \
- --name myApplication \
- --namespace Microsoft.Blockchain \
- --resource-type artifacts \
- --parent watchers/mywatcher \
- --is-full-object \
- --properties '{"location":"eastus","properties":{"artifactType":"EthereumSmartContract","content":{"abiFileUrl":"<ABI URL>","bytecodeFileUrl":"<Bytecode URL>","queryTargetTypes":["ContractProperties","ContractEvents"]}}}'
-```
-
-Create an application named *myApplication* for *mywatcher* that watches a smart contract defined using a JSON configuration file.
-
-``` azurecli
-az resource create \
- --resource-group myRG \
- --name myApplication \
- --namespace Microsoft.Blockchain \
- --resource-type artifacts \
- --parent watchers/mywatcher \
- --is-full-object \
- --properties @artifact.json
-```
-
-## Start instance
-
-When running, a Blockchain Manager instance monitors blockchain events from the defined inputs and sends data to the defined outputs.
-
-``` azurecli
-az resource invoke-action \
- --action start \
- --ids /subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.Blockchain/watchers/<Watcher name>
-```
-
-| Parameter | Description |
-|--|-|
-| action | Use **start** to run the watcher. |
-| ids | Watcher resource ID. Replace \<Subscription ID\>, \<Resource group\>, and \<Watcher name\> with the values for the watcher resource.|
-
-### Start instance example
-
-Start a Blockchain Data Manager instance named *mywatcher*.
-
-``` azurecli-interactive
-az resource invoke-action \
- --action start \
- --ids /subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.Blockchain/watchers/mywatcher
-```
-
-## Stop instance
-
-Stop a Blockchain Data Manager instance.
-
-``` azurecli
-az resource invoke-action \
- --action stop \
- --ids /subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.Blockchain/watchers/<Watcher name>
-```
-
-| Parameter | Description |
-|--|-|
-| action | Use **stop** to stop the watcher. |
-| ids | Name of the watcher. Replace \<Subscription ID\>, \<Resource group\>, and \<Watcher name\> with the values for the watcher resource. |
-
-### Stop watcher example
-
-Stop an instance named *mywatcher*.
-
-``` azurecli-interactive
-az resource invoke-action \
- --action stop \
- --ids /subscriptions/<Subscription ID>/resourceGroups/<Resource group>/providers/Microsoft.Blockchain/watchers/mywatcher
-```
-
-## Delete instance
-
-Delete a Blockchain Data Manager instance.
-
-``` azurecli
-az resource delete \
- --resource-group <Resource group> \
- --name <Watcher name> \
- --resource-type Microsoft.Blockchain/watchers
-```
-
-| Parameter | Description |
-|--|-|
-| resource-group | Resource group name of the watcher to delete. |
-| name | Name of the watcher to delete. |
-| resource-type | The resource type for a Blockchain Data Manager watcher is **Microsoft.blockchain/watchers**. |
-
-### Delete instance example
-
-Delete an instance named *mywatcher* in the *myRG* resource group.
-
-``` azurecli-interactive
-az resource delete \
- --resource-group myRG \
- --name mywatcher \
- --resource-type Microsoft.blockchain/watchers
-```
-
-## Next steps
-
-Try the next tutorial creating a blockchain transaction message explorer using Blockchain Data Manager and Azure Cosmos DB.
-
-> [!div class="nextstepaction"]
-> [Use Blockchain Data Manager to send data to Azure Cosmos DB](data-manager-cosmosdb.md)
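Review bot: The cross-references in this hunk all point at pages that the same change removes, so nothing inside the set dangles, but each deleted path still needs a redirect before this merges. The abiFileUrl and bytecodeFileUrl rows link to data-manager-portal.md#get-contract-abi-and-bytecode and data-manager-portal.md#create-contract-abi-and-bytecode-url, and the Next steps link on the last line targets data-manager-cosmosdb.md; both of those files are deleted in the hunks that follow. Any page outside this diff that still links to this CLI page or to those two anchors will break once the change lands, so add (or confirm) redirects for all three removed paths rather than relying on the in-set consistency.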
blockchain Data Manager Cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager-cosmosdb.md
- Title: Use Blockchain Data Manager to update Azure Cosmos DB - Azure Blockchain Service
-description: Use Blockchain Data Manager for Azure Blockchain Service to send blockchain data to Azure Cosmos DB
Previously updated : 03/08/2020--
-#Customer intent: As a developer, I want to use Blockchain Data Manager to send blockchain data to Azure Cosmos DB
-
-# Tutorial: Use Blockchain Data Manager to send data to Azure Cosmos DB
-
-In this tutorial, you use Blockchain Data Manager for Azure Blockchain Service to record blockchain transaction data in Azure Cosmos DB.
--
-Blockchain Data Manager captures, transforms, and delivers blockchain ledger data to Azure Event Grid Topics. From Azure Event Grid, you use an Azure Logic App connector to create documents in an Azure Cosmos DB database. When finished with tutorial, you can explore blockchain transaction data in Azure Cosmos DB Data Explorer.
-
-[![Screenshot shows blockchain transaction details.](./media/data-manager-cosmosdb/raw-msg.png)](./media/data-manager-cosmosdb/raw-msg.png#lightbox)
-
-In this tutorial, you:
-
-> [!div class="checklist"]
-> * Create a Blockchain Data Manager instance
-> * Add a blockchain application to decode transaction properties and events
-> * Create an Azure Cosmos DB account and database to store transaction data
-> * Create an Azure Logic App to connect an Azure Event Grid Topic to Azure Cosmos DB
-> * Send a transaction to a blockchain ledger
-> * View the decoded transaction data in Azure Cosmos DB
--
-## Prerequisites
-
-* Complete [Quickstart: Create a blockchain member using the Azure portal](create-member.md) or [Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI](create-member-cli.md)
-* Complete [Quickstart: Use Visual Studio Code to connect to an Azure Blockchain Service consortium network](connect-vscode.md). The quickstart guides you though installing [Azure Blockchain Development Kit for Ethereum](https://marketplace.visualstudio.com/items?itemName=AzBlockchain.azure-blockchain) and setting up your blockchain development environment.
-* Complete [Tutorial: Use Visual Studio Code to create, build, and deploy smart contracts](send-transaction.md). The tutorial walks through creating a sample smart contract.
-* Create an [Event Grid Topic](../../event-grid/custom-event-quickstart-portal.md#create-a-custom-topic)
-* Learn about [Event handlers in Azure Event Grid](../../event-grid/event-handlers.md)
-
-## Create instance
-
-A Blockchain Data Manager instance connects and monitors an Azure Blockchain Service transaction node. An instance captures all raw block and raw transaction data from the transaction node. An outbound connection sends blockchain data to Azure Event Grid. You configure a single outbound connection when you create the instance.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Go to the Azure Blockchain Service member you created in the prerequisite [Quickstart: Create a blockchain member using the Azure portal](create-member.md). Select **Blockchain Data Manager**.
-1. Select **Add**.
-
- ![Add Blockchain Data Manager](./media/data-manager-cosmosdb/add-instance.png)
-
- Enter the following details:
-
- Setting | Example | Description
- --||
- Name | mywatcher | Enter a unique name for a connected Blockchain Data Manager.
- Transaction node | myblockchainmember | Choose the default transaction node of the Azure Blockchain Service member you created in the prerequisite.
- Connection name | cosmosdb | Enter a unique name of the outbound connection where blockchain transaction data is sent.
- Event grid endpoint | myTopic | Choose an event grid topic you created in the prerequisite. Note: The Blockchain Data Manager instance and the event grid topic must be in the same subscription.
-
-1. Select **OK**.
-
- It takes less than a minute to create a Blockchain Data Manager instance. After the instance is deployed, it is automatically started. A running Blockchain Data Manager instance captures blockchain events from the transaction node and sends data to event grid.
-
-## Add application
-
-Add the **helloblockchain** blockchain application so that Blockchain Data Manager decodes event and property state. Blockchain Data Manager requires the smart contract ABI and bytecode file to add the application.
-
-### Get contract ABI and bytecode
-
-The contract ABI defines the smart contract interfaces. It describes how to interact with the smart contract. You can use the [Azure Blockchain Development Kit for Ethereum extension](https://marketplace.visualstudio.com/items?itemName=AzBlockchain.azure-blockchain) to copy the contract ABI to the clipboard.
-
-1. In the Visual Studio Code explorer pane, expand the **build/contracts** folder of the **helloblockchain** Solidity project you created in the prerequisite [Tutorial: Use Visual Studio Code to create, build, and deploy smart contracts](send-transaction.md).
-1. Right-click the contract metadata JSON file. The file name is the smart contract name followed by the **.json** extension.
-1. Select **Copy Contract ABI**.
-
- ![Visual Studio Code pane with the Copy Contract ABI selection](./media/data-manager-cosmosdb/abi-devkit.png)
-
- The contract ABI is copied to the clipboard.
-
-1. Save the **abi** array as a JSON file. For example, *abi.json*. You use the file in a later step.
-
-Blockchain Data Manager requires the deployed bytecode for the smart contract. The deployed bytecode is different than the smart contract bytecode. You use the Azure blockchain development kit extension to copy the bytecode to the clipboard.
-
-1. In the Visual Studio Code explorer pane, expand the **build/contracts** folder of your Solidity project.
-1. Right-click the contract metadata JSON file. The file name is the smart contract name followed by the **.json** extension.
-1. Select **Copy Transaction Bytecode**.
-
- ![Visual Studio Code pane with the Copy Transaction Bytecode selection](./media/data-manager-cosmosdb/bytecode-devkit.png)
-
- The bytecode is copied to the clipboard.
-
-1. Save the **bytecode** value as a JSON file. For example, *bytecode.json*. You use the file in a later step.
-
-The following example shows *abi.json* and *bytecode.json* files open in the VS Code editor. Your files should look similar.
-
-![Example of abi.json and bytecode.json files](./media/data-manager-cosmosdb/contract-files.png)
-
-### Create contract ABI and bytecode URL
-
-Blockchain Data Manager requires the contract ABI and bytecode files to be accessible by a URL when adding an application. You can use an Azure Storage account to provide a privately accessible URL.
-
-#### Create storage account
--
-#### Upload contract files
-
-1. Create a new container for the storage account. Select **Containers > Container**.
-
- ![Create a storage account container](./media/data-manager-cosmosdb/create-container.png)
-
- | Setting | Description |
- ||-|
- | Name | Name the container. For example, *smartcontract* |
- | Public access level | Choose *Private (no anonymous access)* |
-
-1. Select **OK** to create the container.
-1. Select the container then select **Upload**.
-1. Choose both JSON files you created in the [Get Contract ABI and bytecode](#get-contract-abi-and-bytecode) section.
-
- ![Upload blob](./media/data-manager-cosmosdb/upload-blobs.png)
-
- Select **Upload**.
-
-#### Generate URL
-
-For each blob, generate a shared access signature.
-
-1. Select the ABI JSON blob.
-1. Select **Generate SAS**
-1. Set desired access signature expiration then select **Generate blob SAS token and URL**.
-
- ![Generate SAS token](./media/data-manager-cosmosdb/generate-sas.png)
-
-1. Copy the **Blob SAS URL** and save it for the next section.
-1. Repeat the [Generate URL](#generate-url) steps for the bytecode JSON blob.
-
-### Add helloblockchain application to instance
-
-1. Select your Blockchain Data Manager instance from the instance list.
-1. Select **Blockchain applications**.
-1. Select **Add**.
-
- ![Add a blockchain application](./media/data-manager-cosmosdb/add-application.png)
-
- Enter the name of the blockchain application and the smart contract ABI and bytecode URLs.
-
- Setting | Description
- --|
- Name | Enter a unique name for the blockchain application to track.
- Contract ABI | URL path to the Contract ABI file. For more information, see [Create contract ABI and bytecode URL](#create-contract-abi-and-bytecode-url).
- Contract Bytecode | URL path to bytecode file. For more information, see [Create contract ABI and bytecode URL](#create-contract-abi-and-bytecode-url).
-
-1. Select **OK**.
-
- Once the application is created, the application appears in the list of blockchain applications.
-
- ![Blockchain application list](./media/data-manager-cosmosdb/artifact-list.png)
-
-You can delete the Azure Storage account or use it to configure more blockchain applications. If you wish to delete the Azure Storage account, you can delete the resource group. Deleting the resource group also deletes the associated storage account, and any other resources associated with the resource group.
-
-## Create Azure Cosmos DB
--
-### Add a database and container
-
-You can use the Data Explorer in the Azure portal to create a database and container.
-
-1. Select **Data Explorer** from the left navigation on your Azure Cosmos DB account page, and then select **New Container**.
-1. In the **Add container** pane, enter the settings for the new container.
-
- ![Add container settings](./media/data-manager-cosmosdb/add-container.png)
-
- | Setting | Description
- ||-|
- | Database ID | Enter **blockchain-data** as the name for the new database. |
- | Throughput | Leave the throughput at **400** request units per second (RU/s). If you want to reduce latency, you can scale up the throughput later.|
- | Container ID | Enter **Messages** as the name for your new container. |
- | Partition key | Use **/MessageType** as the partition key. |
-
-1. Select **OK**. The Data Explorer displays the new database and the container that you created.
-
-## Create Logic App
-
-Azure Logic Apps helps you schedule and automate business processes and workflows when you need to integrate systems and services. You can use a logic app to connect Event Grid to Azure Cosmos DB.
-
-1. In the [Azure portal](https://portal.azure.com), select **Create a resource** > **Integration** > **Logic App**.
-1. Provide details on where to create your logic app. After you're done, select **Create**.
-
- For more information on creating logic apps, see [Create automated workflows with Azure Logic Apps](../../logic-apps/quickstart-create-first-logic-app-workflow.md).
-
-1. After Azure deploys your app, select your logic app resource.
-1. In the Logic Apps Designer, under **Templates**, select **Blank Logic App**.
-
-### Add Event Grid trigger
-
-Every logic app must start with a trigger, which fires when a specific event happens or when a specific condition is met. Each time the trigger fires, the Logic Apps engine creates a logic app instance that starts and runs your workflow. Use an Azure Event Grid trigger to sends blockchain transaction data from Event Grid to Cosmos DB.
-
-1. In the Logic Apps Designer, search for and select the **Azure Event Grid** connector.
-1. From the **Triggers** tab, select **When a resource event occurs**.
-1. Create an API connection to your Event Grid Topic.
-
- ![Event grid trigger settings](./media/data-manager-cosmosdb/event-grid-trigger.png)
-
- | Setting | Description
- ||-|
- | Subscription | Choose the subscription that contains the Event Grid Topic. |
- | Resource Type | Choose **Microsoft.EventGrid.Topics**. |
- | Resource Name | Choose the name of the Event Grid Topic where Blockchain Data Manager is sending transaction data messages. |
-
-### Add Cosmos DB action
-
-Add an action to create a document in Cosmos DB for each transaction. Use the transaction message type as the partition key to categorize the messages.
-
-1. Select **New step**.
-1. On **Choose an action**, search for **Azure Cosmos DB**.
-1. Choose **Azure Cosmos DB > Actions > Create or update document**.
-1. Create an API connection to your Cosmos DB database.
-
- ![Cosmos DB connection settings](./media/data-manager-cosmosdb/cosmosdb-connection.png)
-
- | Setting | Description
- ||-|
- | Connection Name | Choose the subscription that contains the Event Grid Topic. |
- | DocumentDB Account | Choose the DocumentDB account you created in the [Create Azure Cosmos DB account](#create-azure-cosmos-db) section. |
-
-1. Enter the **Database ID** and **Collection ID** for your Azure Cosmos DB that you created previously in the [Add a database and container](#add-a-database-and-container) section.
-
-1. Select the **Document** setting. In the *Add dynamic content* pop-out, select **Expression** and copy and paste the following expression:
-
- ```
- addProperty(triggerBody()?['data'], 'id', utcNow())
- ```
-
- The expression gets the data portion of the message and sets the ID to a timestamp value.
-
-1. Select **Add new parameter** and choose **Partition key value**.
-1. Set the **Partition key value** to `"@{triggerBody()['data']['MessageType']}"`. The value must be surrounded by double quotes.
-
- ![Logic Apps Designer with Cosmos DB settings](./media/data-manager-cosmosdb/create-action.png)
-
- The value sets the partition key to the transaction message type.
-
-1. Select **Save**.
-
-The logic app monitors the Event Grid Topic. When a new transaction message is sent from Blockchain Data Manager, the logic app creates a document in Cosmos DB.
-
-## Send a transaction
-
-Next, send a transaction to the blockchain ledger to test what you created. Use the **HelloBlockchain** contract's **SendRequest** function you created in the prerequisite [Tutorial: Use Visual Studio Code to create, build, and deploy smart contracts](send-transaction.md).
-
-1. Use the Azure Blockchain Development Kit smart contract interaction page to call the **SendRequest** function. Right-click **HelloBlockchain.sol** and choose **Show Smart Contract Interaction Page** from the menu.
-
- ![Choose Show Smart Contract Interaction Page from menu](./media/data-manager-cosmosdb/contract-interaction.png)
-
-1. Choose **SendRequest** contract action and enter **Hello, Blockchain!** for the **requestMessage** parameter. Select **Execute** to call the **SendRequest** function via a transaction.
-
- ![Execute SendRequest action](./media/data-manager-cosmosdb/sendrequest-action.png)
-
-The SendRequest function sets the **RequestMessage** and **State** fields. The current state for **RequestMessage** is the argument you passed **Hello, Blockchain**. The **State** field value remains **Request**.
-
-## View transaction data
-
-Now that you have connected your Blockchain Data Manager to Azure Cosmos DB, you can view the blockchain transaction messages in Cosmos DB Data Explorer.
-
-1. Go to the Cosmos DB Data Explorer view. For example, **cosmosdb-blockchain > Data Explorer > blockchain-data > Messages > Items**.
-
- ![Cosmos DB Data Explorer](./media/data-manager-cosmosdb/data-explorer.png)
-
- Data Explorer lists the blockchain data messages that were created in the Cosmos DB database.
-
-1. Browse through the messages by selecting item ID and find the message with the matching transaction hash.
-
- [![Screenshot shows the blockchain transaction details of a selected item.](./media/data-manager-cosmosdb/raw-msg.png)](./media/data-manager-cosmosdb/raw-msg.png#lightbox)
-
- The raw transaction message contains detail about the transaction. However, the property information is encrypted.
-
- Since you added the HelloBlockchain smart contract to the Blockchain Data Manager instance, a **ContractProperties** message type is also sent that contains decoded property information.
-
-1. Find the **ContractProperties** message for the transaction. It should be the next message in the list.
-
- [![Blockchain transaction detail](./media/data-manager-cosmosdb/properties-msg.png)](./media/data-manager-cosmosdb/properties-msg.png#lightbox)
-
- The **DecodedProperties** array contains the properties of the transaction.
-
-Congratulations! You have successfully created a transaction message explorer using Blockchain Data Manager and Azure Cosmos DB.
-
-## Clean up resources
-
-When no longer needed, you can delete the resources and resource groups you used for this tutorial. To delete a resource group:
-
-1. In the Azure portal, navigate to **Resource group** in the left navigation pane and select the resource group you want to delete.
-1. Select **Delete resource group**. Verify deletion by entering the resource group name and select **Delete**.
-
-## Next steps
-
-Learn more about integrating with blockchain ledgers.
-
-> [!div class="nextstepaction"]
-> [Using the Ethereum Blockchain connector with Azure Logic Apps](ethereum-logic-app.md)
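Review bot: The outbound links from this tutorial to pages not touched by this change need a follow-up: Prerequisites link to create-member.md, create-member-cli.md, connect-vscode.md and send-transaction.md, and the Next steps link on the last line targets ethereum-logic-app.md. If those pages remain, their back-references to this tutorial and to the Blockchain Data Manager flow should come out in the same change, or a redirect for data-manager-cosmosdb.md should be added; if they are being removed as well, they are not in this diff and the removal is incomplete as submitted. Separately, the Clean up resources section and the storage-account paragraph after "Add helloblockchain application to instance" are where readers are told to delete the storage account holding the SAS-exposed ABI and bytecode blobs, the Cosmos DB account and the Logic App together with the instance; wherever readers of this page are sent next should carry that clean-up guidance forward so existing deployments are not left running with a live SAS URL and an open Logic App trigger.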
blockchain Data Manager Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager-portal.md
- Title: Configure Blockchain Data Manager using Azure portal - Azure Blockchain Service
-description: Create and manage Blockchain Data Manager for Azure Blockchain Service using the Azure portal.
Previously updated : 03/30/2020--
-#Customer intent: As a network operator, I want to use the Azure portal to configure Blockchain Data Manager.
-
-# Configure Blockchain Data Manager using the Azure portal
-
-Configure Blockchain Data Manager for Azure Blockchain Service to capture blockchain data and send it to an Azure Event Grid Topic.
--
-To configure a Blockchain Data Manager instance, you:
-
-* Create a Blockchain Data Manager instance for an Azure Blockchain Service transaction node
-* Add your blockchain applications
-
-## Prerequisites
-
-* Complete [Quickstart: Create a blockchain member using the Azure portal](create-member.md) or [Quickstart: Create an Azure Blockchain Service blockchain member using Azure CLI](create-member-cli.md). Azure Blockchain Service *Standard* tier is recommended when using Blockchain Data Manager.
-* Create an [Event Grid Topic](../../event-grid/custom-event-quickstart-portal.md#create-a-custom-topic)
-* Learn about [Event handlers in Azure Event Grid](../../event-grid/event-handlers.md)
-
-## Create instance
-
-A Blockchain Data Manager instance connects and monitors an Azure Blockchain Service transaction node. Only users with access to the transaction node can create a connection. An instance captures all raw block and raw transaction data from the transaction node. Blockchain Data Manager publishes a **RawBlockAndTransactionMsg** message which is a superset of information returned from web3.eth [getBlock](https://web3js.readthedocs.io/en/v1.2.0/web3-eth.html#getblock) and [getTransaction](https://web3js.readthedocs.io/en/v1.2.0/web3-eth.html#gettransaction) queries.
-
-An outbound connection sends blockchain data to Azure Event Grid. You configure a single outbound connection when you create the instance. Blockchain Data Manager supports multiple Event Grid Topic outbound connections for any given Blockchain Data Manager instance. You can send blockchain data to a single destination or send blockchain data to multiple destinations. To add another destination, just add additional outbound connections to the instance.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Go to the Azure Blockchain Service member you want to connect to Blockchain Data Manager. Select **Blockchain Data Manager**.
-1. Select **Add**.
-
- ![Add Blockchain Data Manager](./media/data-manager-portal/add-instance.png)
-
- Enter the following details:
-
- Setting | Description
- --|
- Name | Enter a unique name for a connected Blockchain Data Manager. The Blockchain Data Manager name can contain lower case letters and numbers and has a maximum length of 20 characters.
- Transaction node | Choose a transaction node. Only transaction nodes you have read access are listed.
- Connection name | Enter a unique name of the outbound connection where blockchain transaction data is sent.
- Event grid endpoint | Choose an event grid topic in the same subscription as the Blockchain Data Manager instance.
-
-1. Select **OK**.
-
- It takes less than a minute to create a Blockchain Data Manager instance. After the instance is deployed, it is automatically started. A running Blockchain Data Manager instance captures blockchain events from the transaction node and sends data to the outbound connections.
-
- The new instance appears in the list of Blockchain Data Manager instances for the Azure Blockchain Service member.
-
- ![List of Blockchain Data Member instances](./media/data-manager-portal/instance-list.png)
-
-## Add blockchain application
-
-If you add a blockchain application, Blockchain Data Manager decodes event and property state for the application. Otherwise, only raw block and raw transaction data is sent. Blockchain Data Manager also discovers contract addresses when the contract is deployed. You can add multiple blockchain applications to a Blockchain Data Manager instance.
-
-> [!IMPORTANT]
-> Currently, blockchain applications that declare Solidity [array types](https://solidity.readthedocs.io/en/v0.5.12/types.html#arrays) or [mapping types](https://solidity.readthedocs.io/en/v0.5.12/types.html#mapping-types) are not fully supported. Properties declared as array or mapping types will not be decoded in *ContractPropertiesMsg* or *DecodedContractEventsMsg* messages.
-
-Blockchain Data Manager requires a smart contract ABI and deployed bytecode file to add the application.
-
-### Get Contract ABI and bytecode
-
-The contract ABI defines the smart contract interfaces. It describes how to interact with the smart contract. You can use the [Azure Blockchain Development Kit for Ethereum extension](https://marketplace.visualstudio.com/items?itemName=AzBlockchain.azure-blockchain) to copy the contract ABI to the clipboard.
-
-1. In the Visual Studio Code explorer pane, expand the **build/contracts** folder of your Solidity project.
-1. Right-click the contract metadata JSON file. The file name is the smart contract name followed by the **.json** extension.
-1. Select **Copy Contract ABI**.
-
- ![Visual Studio Code pane with the Copy Contract ABI selection](./media/data-manager-portal/abi-devkit.png)
-
- The contract ABI is copied to the clipboard.
-
-1. Save the **abi** array as a JSON file. For example, *abi.json*. You use the file in a later step.
-
-Blockchain Data Manager requires the deployed bytecode for the smart contract. The deployed bytecode is different than the smart contract bytecode. You use the Azure blockchain development kit extension to copy the bytecode to the clipboard.
-
-1. In the Visual Studio Code explorer pane, expand the **build/contracts** folder of your Solidity project.
-1. Right-click the contract metadata JSON file. The file name is the smart contract name followed by the **.json** extension.
-1. Select **Copy Transaction Bytecode**.
-
- ![Visual Studio Code pane with the Copy Transaction Bytecode selection](./media/data-manager-portal/bytecode-devkit.png)
-
- The bytecode is copied to the clipboard.
-
-1. Save the **bytecode** value as a JSON file. For example, *bytecode.json*. You use the file in a later step.
-
-The following example shows *abi.json* and *bytecode.json* files open in the VS Code editor. Your files should look similar.
-
-![Example of abi.json and bytecode.json files](./media/data-manager-portal/contract-files.png)
-
-### Create contract ABI and bytecode URL
-
-Blockchain Data Manager requires the contract ABI and bytecode files to be accessible by a URL when adding an application. You can use an Azure Storage account to provide a privately accessible URL.
-
-#### Create storage account
--
-#### Upload contract files
-
-1. Create a new container for the storage account. Select **Containers > Container**.
-
- ![Create a storage account container](./media/data-manager-portal/create-container.png)
-
- | Field | Description |
- |-|-|
- | Name | Name the container. For example, *smartcontract* |
- | Public access level | Choose *Private (no anonymous access)* |
-
-1. Select **OK** to create the container.
-1. Select the container then select **Upload**.
-1. Choose both JSON files you created in the [Get Contract ABI and bytecode](#get-contract-abi-and-bytecode) section.
-
- ![Upload blob](./media/data-manager-portal/upload-blobs.png)
-
- Select **Upload**.
-
-#### Generate URL
-
-For each blob, generate a shared access signature.
-
-1. Select the ABI JSON blob.
-1. Select **Generate SAS**
-1. Set desired access signature expiration then select **Generate blob SAS token and URL**.
-
- ![Generate SAS token](./media/data-manager-portal/generate-sas.png)
-
-1. Copy the **Blob SAS URL** and save it for the next section.
-1. Repeat the [Generate URL](#generate-url) steps for the bytecode JSON blob.
-
-### Add application to instance
-
-1. Select your Blockchain Data Manager instance from the instance list.
-1. Select **Blockchain applications**.
-1. Select **Add**.
-
- ![Add a blockchain application](./media/data-manager-portal/add-application.png)
-
- Enter the name of the blockchain application and the smart contract ABI and bytecode URLs.
-
- Setting | Description
- --|
- Name | Enter a unique name for the blockchain application to track.
- Contract ABI | URL path to the Contract ABI file. For more information, see [Create contract ABI and bytecode URL](#create-contract-abi-and-bytecode-url).
- Contract Bytecode | URL path to bytecode file. For more information, see [Create contract ABI and bytecode URL](#create-contract-abi-and-bytecode-url).
-
-1. Select **OK**.
-
- Once the application is created, the application appears in the list of blockchain applications.
-
- ![Blockchain application list](./media/data-manager-portal/artifact-list.png)
-
-You can delete the Azure Storage account or use it to configure more blockchain applications. If you wish to delete the Azure Storage account, you can delete the resource group. Deleting the resource group also deletes the associated storage account, and any other resources associated with the resource group.
-
-## Stop instance
-
-Stop the Blockchain Manager instance when you want to stop capturing blockchain events and sending data to the outbound connections. When the instance is stopped, no charges are incurred for Blockchain Data Manager. For more information, see [pricing](https://azure.microsoft.com/pricing/details/blockchain-service).
-
-1. Go to **Overview** and select **Stop**.
-
- ![Stop instance](./media/data-manager-portal/stop-instance.png)
-
-## Next steps
-
-Try the next tutorial creating a blockchain transaction message explorer using Blockchain Data Manager and Azure Cosmos DB.
-
-> [!div class="nextstepaction"]
-> [Use Blockchain Data Manager to send data to Azure Cosmos DB](data-manager-cosmosdb.md)
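Review bot: the removed Next steps link at the end of this file points to data-manager-cosmosdb.md, and this article is itself the link target of data-manager.md ("creating a Blockchain Data Manager instance", further down in this change) and of develop.md; deleting the three articles together is consistent, but each removed path needs a redirect entry (to the service retirement notice or the parent Azure Blockchain landing page) so that bookmarks and links from articles outside this change do not 404. Please also state the retirement reason and link the announcement in the commit message, since nothing in the diff itself explains why live content is being removed.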
blockchain Data Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager.md
- Title: What is Blockchain Data Manager for Azure Blockchain Service
-description: Blockchain Data Manager to captures, transforms, and delivers blockchain data to Event Grid Topics.
Previously updated : 11/04/2019--
-#Customer intent: As a developer, I want to understand how I can use Blockchain Data Manager to get data from a blockchain ledger.
-
-# What is Blockchain Data Manager for Azure Blockchain Service?
-
-Blockchain Data Manager captures, transforms, and delivers Azure Blockchain Service transaction data to Azure Event Grid Topics providing reliable and scalable blockchain ledger integration with Azure services.
-
-In most enterprise blockchain scenarios, a blockchain ledger is one part of a solution. For example, to transfer an asset from one entity to another, you need a mechanism for submitting the transaction. You then need a mechanism for reading ledger data to ensure the transaction occurred, was accepted, and the resulting state changes are then integrated with your end-to-end solution. In this example, if you write a smart contract to transfer assets, you can use Blockchain Data Manager to integrate off-chain applications and data stores. For the asset transfer example, when an asset is transferred on the blockchain, events and property state changes are delivered by Blockchain Data Manager via Event Grid. You can then use multiple possible event handlers for Event Grid to store blockchain data off-chain or react to state changes in real time.
-
-Blockchain Data Manager performs three main functions: capture, transform, and deliver.
-
-![Blockchain Data Manager functions](./media/data-manager/functions.png)
-
-## Capture
-
-Each Blockchain Data Manager instance connects to one Azure Blockchain Service member transaction node. Only users with access to the transaction node can create a connection ensuring proper access control to customer data. A Blockchain Data Manager instance reliably captures all raw block and raw transaction data from the transaction node and can scale to support enterprise workloads.
-
-## Transform
-
-You can use Blockchain Data Manager to decode event and property state by configuring smart contract applications within Blockchain Data Manager. To add a smart contract, you provide the contract ABI and bytecode. Blockchain Data Manager uses the smart contract artifacts to decode and discover contract addresses. After adding the blockchain application to the instance, Blockchain Data Manager dynamically discovers the smart contract address when the smart contract is deployed to the consortium and sends decoded event and property state to configured destinations.
-
-## Deliver
-
-Blockchain Data Manager supports multiple Event Grid Topic outbound connections for any given Blockchain Data Manager instance. You can send blockchain data to a single destination or send blockchain data to multiple destinations. Using Blockchain Data Manager, you can build a scalable event-based data publishing solution for any blockchain deployment.
-
-## Configuration options
-
-You can configure Blockchain Data Manager to meet the needs of your solution. For example, you can provision:
-
-* A single Blockchain Data Manager instance for an Azure Blockchain Service member.
-* A Blockchain Data Manager instance per Azure Blockchain Service transaction node. For example, private transaction nodes can have their own Blockchain Data Manager instance to maintain confidentiality.
-* A Blockchain Data Manager instance can support multiple output connections. One Blockchain Data Manager instance can be used to manage all data publishing integration points for an Azure Blockchain Service member.
-
-## Next steps
-
-Try [creating a Blockchain Data Manager instance](data-manager-portal.md) for an Azure Blockchain Service member.
blockchain Data Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-security.md
- Title: Azure Blockchain Service security
-description: Azure Blockchain Service data access and security concepts
Previously updated : 11/22/2019--
-#Customer intent: As a network operator, I want to understand how Azure Blockchain Service implements data access and security
--
-# Azure Blockchain Service security
-
-Azure Blockchain Service uses several Azure capabilities to keep your data secure and available. Data is secured using isolation, encryption, and authentication.
-
-## Isolation
-
-Azure Blockchain Service resources are isolated in a private virtual network. Each transaction and validation node is a virtual machine (VM). VMs in one virtual network cannot communicate directly to VMs in a different virtual network. Isolation ensures communication remains private within the virtual network. For more information on Azure virtual network isolation, see [isolation in the Azure Public Cloud](../../security/fundamentals/isolation-choices.md#networking-isolation).
-
-![VNET diagram](./media/data-security/vnet.png)
-
-## Encryption
-
-User data is stored in Azure storage. User data is encrypted in motion and at rest for security and confidentiality. For more information, see: [Azure Storage security guide](../../storage/blobs/security-recommendations.md).
-
-## Authentication
-
-Transactions can be sent to blockchain nodes via an RPC endpoint. Clients communicate with a transaction node using a reverse proxy server that handles user authentication and encrypts data over TLS.
-
-![Authentication diagram](./media/data-security/authentication.png)
-
-There are three modes of authentication for RPC access.
-
-### Basic authentication
-
-Basic authentication uses an HTTP authentication header containing the user name and password. User name is the name of the blockchain node. Password is set during provisioning of a member or node. The password can be changed using the Azure portal or CLI.
-
-### Access keys
-
-Access keys use a randomly generated string included in the endpoint URL. Two access keys help enable key rotation. Keys can be regenerated from the Azure portal and CLI.
-
-### Azure Active Directory
-
-Azure Active Directory (Azure AD) uses a claim-based authentication mechanism where the user is authenticated by Azure AD using Azure AD user credentials. Azure AD provides cloud-based identity management and allows customers to use a single identity across an entire enterprise and access applications on the cloud. Azure Blockchain Service integrates with Azure AD enabling ID federation, single sign-on and multi-factor authentication. You can assign users, groups, and application roles in your organization for blockchain member and node access.
-
-The Azure AD client proxy is available on [GitHub](https://github.com/Microsoft/azure-blockchain-connector/releases). The client proxy directs the user to the Azure AD sign-in page and obtains a bearer token upon successful authentication. Subsequently, the user connects an Ethereum client application such as Geth or Truffle to the client proxy's endpoint. Finally, when a transaction is submitted, the client proxy injects the bearer token in the http header and the reverse proxy validates the token using OAuth protocol.
-
-## Keys and Ethereum accounts
-
-When provisioning an Azure Blockchain Service member, an Ethereum account and a public and private key pair is generated. The private key is used to send transactions to the blockchain. The Ethereum account is the last 20 bytes of the public key's hash. The Ethereum account is also called a wallet.
-
-The private and public key pair is stored as a keyfile in JSON format. The private key is encrypted using the password entered when the blockchain ledger service is created.
-
-Private keys are used to digitally sign transactions. In private blockchains, a smart contract signed by a private key represents the
-signer's identity. To verify the validity of the signature, the receiver can compare the public key of the signer with the address
-computed from the signature.
-
-Constellation keys are used to uniquely identify a Quorum node. Constellation keys are generated at the time of node provisioning and are specified in the privateFor parameter of a private transaction in Quorum.
-
-## Next steps
-
-See [How to configure Azure Active Directory access for Azure Blockchain Service](configure-aad.md).
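Review bot: the deleted Authentication and Keys sections (from "### Basic authentication" through the Constellation keys paragraph) are the only place in this set that records that an access key is embedded in the RPC endpoint URL and that the member's private key lives in a password-encrypted JSON keyfile; if customers still have running members, the retirement or migration guidance that replaces this article should say explicitly that connection strings containing access keys are secrets to be regenerated or revoked before the member is deleted, and what happens to the keyfile and Constellation keys at deletion, otherwise that operational guidance disappears with no replacement. Consider linking that guidance from the redirect target for this path.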
blockchain Develop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/develop.md
- Title: Azure Blockchain Service development overview
-description: Introduction on developing solutions on Azure Blockchain Service.
Previously updated : 03/26/2020--
-#Customer intent: As a blockchain developer, I want to understand common development tools I can use with Azure Blockchain Service, so that I can get started developing blockchain applications using Azure.
--
-# Azure Blockchain Service development overview
-
-With Azure Blockchain Service, you can create consortium blockchain networks to enable enterprise scenarios like asset tracking, digital token, loyalty and reward, supply chain financial, and provenance. The following sections introduce Azure Blockchain Service development for implementing enterprise blockchain solutions.
-
-## Connecting to Azure Blockchain Service
-
-There are different types of clients for blockchain networks including full nodes, light nodes, and remote clients. Azure Blockchain Service builds a blockchain network that includes nodes. You can use different clients as your gateway to Azure Blockchain Service for blockchain development. Azure Blockchain Service offers basic authentication or access key as a development endpoint. The following are popular clients you can use connect.
-
-### Visual Studio Code
-
-You can connect to consortium members using the Azure Blockchain Development Kit Visual Studio Code extension. Once connected to a consortium, you can compile, build, and deploy smart contracts to an Azure Blockchain Service consortium member.
-
-To develop sophisticated enterprise blockchain solutions, a development framework is needed to connect to different blockchain networks and manage smart contract lifecycles. Most projects interact with at least two blockchain nodes. Developers use a local blockchain during development. When the application is ready for test or release, the developer deploys to a blockchain network. For example, the main public Ethereum network or Azure Blockchain Service. Azure Blockchain Development Kit for Ethereum extension in Visual Studio Code uses Truffle. Truffle is a popular blockchain development framework to write, compile, deploy, and test decentralized applications on Ethereum blockchains. You can also think of Truffle as a framework that attempts to seamlessly integrate smart contract development and traditional web development.
-
-For more information, see [Quickstart: Use Visual Studio Code to connect to an Azure Blockchain Service consortium network](connect-vscode.md).
-
-### MetaMask
-
-MetaMask is a browser-based wallet (remote client), RPC client, and basic contract explorer. Unlike other browser wallets, MetaMask injects a web3 instance into the browser JavaScript context, acting as an RPC client that connects to a variety of Ethereum blockchains (*mainnet*, *Ropsten testnet*, *Kovan testnet*, local RPC node, etc.). You can set up custom RPC easily to connect to Azure Blockchain Service and start blockchain development using Remix.
-
-For more information, see [Quickstart: Use MetaMask to connect and deploy a smart contract](connect-metamask.md)
-
-### Geth
-
-Geth is the command-line interface for running a full Ethereum node implemented in Go. You don't need to run full node but can launch its interactive console that provides a JavaScript runtime environment exposing a JavaScript API to interact with Azure Blockchain Service.
-
-For more information, see [Quickstart: Use Geth to attach to an Azure Blockchain Service transaction node](connect-geth.md).
-
-## Ethereum Quorum private transactions
-
-Quorum is an Ethereum-based distributed ledger protocol with transaction plus contract privacy and new consensus mechanisms. Key
-enhancements over Go-Ethereum include:
-
-* **Privacy** - Quorum supports private transactions and private contracts through public and private state separation and utilizes peer-to-peer encrypted message exchanges for directed transfer of private data to network participants.
-* **Alternative consensus mechanisms** - proof-of-work or proof-of-stake consensus is not needed for a permissioned network. Quorum offers multiple consensus mechanisms that are designed for consortium chains such as RAFT and IBFT.  Azure Blockchain Service uses the IBFT consensus mechanism.
-* **Peer permissioning** - node and peer permissioning using smart contracts ensures only known parties can join the network.
-* **Higher Performance** - Quorum offers higher performance than public Geth.
-
-## Block explorers
-
-Block explorers are online blockchain browsers that display individual block content, transaction address data, and history. Basic block information is available through Azure Monitor in Azure Blockchain Service. However, if you need more detail information during development, block explorers can be useful. The following block explorers work with Azure Blockchain Service:
-
-* [Epirus Azure Blockchain Service Explorer](https://azuremarketplace.microsoft.com/marketplace/apps/blk-technologies.azure-blockchain-explorer-template?tab=Overview) from Web3 Labs
-* [BlockScout](https://github.com/Azure-Samples/blockchain/blob/master/ledger/template/ethereum-on-azure/technology-samples/blockscout/README.md)
-
-You can also build your own block explorer by using Blockchain Data Manager and Azure Cosmos DB, see [Tutorial: Use Blockchain Data Manager to send data to Azure Cosmos DB](data-manager-cosmosdb.md).
-
-## TPS measurement
-
-As blockchain is used in more enterprise scenarios, transactions per second (TPS) speed is important to avoid bottlenecks and system inefficiencies. High transaction rates can be difficult to maintain within a decentralized blockchain. An accurate TPS measurement may be affected by different factors such as server thread, transaction queue size, network latency, and security. If you need to measure TPS speed during development, a popular open-source tool is [ChainHammer](https://github.com/drandreaskrueger/chainhammer).
-
-## Next steps
-
-Try a quickstart using Azure Blockchain Development Kit for Ethereum to attach to a consortium on Azure Blockchain Service.
-
-> [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
blockchain Ethereum Logic App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/ethereum-logic-app.md
- Title: Use Ethereum Blockchain connector with Azure Logic Apps - Azure Blockchain Service
-description: Use the Ethereum Blockchain connector with Azure Logic Apps to trigger smart contract functions and respond to smart contract events.
Previously updated : 08/31/2020--
-#Customer intent: As a developer, I want to use Azure Logic Apps and Azure Blockchain Service so that I can trigger smart contract functions and respond to smart contract events.
--
-# Use the Ethereum Blockchain connector with Azure Logic Apps
-
-Use the [Ethereum Blockchain connector](/connectors/blockchainethereum/) with [Azure Logic Apps](../../logic-apps/index.yml) to perform smart contract actions and respond to smart contract events.
--
-This article explains how you might use the Ethereum Blockchain connector to send blockchain information to another service or call a blockchain function. For example, let's say you want to create a REST-based microservice that returns information from a blockchain ledger. By using a logic app, you can accept HTTP requests that query information stored in a blockchain ledger.
-
-## Prerequisites
--- Complete the optional prerequisite [Quickstart: Use Visual Studio Code to connect to an Azure Blockchain Service consortium network](connect-vscode.md). The quickstart guides you though installing [Azure Blockchain Development Kit for Ethereum](https://marketplace.visualstudio.com/items?itemName=AzBlockchain.azure-blockchain) and setting up your blockchain development environment.-- If you are new to Azure Logic Apps, consider reviewing the Microsoft Learn modules [Introduction to Azure Logic Apps](/learn/modules/intro-to-logic-apps/) and [Call an API from a Logic Apps workflow using a custom connector](/learn/modules/logic-apps-and-custom-connectors/).-
-## Create a logic app
-
-Azure Logic Apps helps you schedule and automate business processes and workflows when you need to integrate systems and services. First, you create a logic that uses the Ethereum Blockchain connector.
-
-1. In the [Azure portal](https://portal.azure.com), select **Create a resource** > **Integration** > **Logic App**.
-1. Under **Create logic app**, provide details on where to create your logic app. After you're done, select **Create**.
-
- For more information on creating logic apps, see [Create automated workflows with Azure Logic Apps](../../logic-apps/quickstart-create-first-logic-app-workflow.md).
-
-1. After Azure deploys your app, select your logic app resource.
-1. In the Logic Apps Designer, under **Templates**, select **Blank Logic App**.
-
-Every logic app must start with a trigger, which fires when a specific event happens or when a specific condition is met. Each time the trigger fires, the Logic Apps engine creates a logic app instance that starts and runs your workflow.
-
-The Ethereum Blockchain connector has one trigger and several actions. Which trigger or action you use depends on your scenario. Follow the section in this article that best matches your scenario.
-
-If your workflow:
-
-* Triggers when an event occurs on the blockchain, [Use the event trigger](#use-the-event-trigger).
-* Queries or deploys a smart contract, [Use actions](#use-actions).
-* Follows a common scenario, [Generate a workflow by using the developer kit](#generate-a-workflow).
-
-## Use the event trigger
-
-Use Ethereum Blockchain event triggers when you want a logic app to run after a smart contract event occurs. For example, you want to send an email when a smart contract function is called.
-
-1. In the Logic Apps Designer, select the Ethereum Blockchain connector.
-1. From the **Triggers** tab, select **When a smart contract event occurs**.
-1. Change or [create an API connection](#create-an-api-connection) to Azure Blockchain Service.
-1. Enter the details about the smart contract that you want to check for events.
-
- ![Logic Apps Designer with Event trigger properties](./media/ethereum-logic-app/event-properties.png)
-
- | Property | Description |
- |-|-|
- | **Contract ABI** | The contract application binary interface (ABI) defines the smart contract interfaces. For more information, see [Get the contract ABI](#get-the-contract-abi). |
- | **Smart contract address** | The contract address is the smart contract destination address on the Ethereum blockchain. For more information, see [Get the contract address](#get-the-contract-address). |
- | **Event name** | Select a smart contract event to check. The event triggers the logic app. |
- | **Interval** and **Frequency** | Select how often you want to check for the event. |
-
-1. Select **Save**.
-
-To complete your logic app, you can add a new step that performs an action based on the Ethereum Blockchain event trigger. For example, send an email.
-
-## Use actions
-
-Use the Ethereum Blockchain actions when you want a logic app to perform an action on the blockchain ledger. For example, you want to create a REST-based microservice that calls a smart contract function when an HTTP request is made to a logic app.
-
-Connector actions require a trigger. You can use an Ethereum Blockchain connector action as the next step after a trigger, such as an HTTP request trigger for a microservice.
-
-1. In the Logic Apps Designer, select **New step** following a trigger.
-1. Select the Ethereum Blockchain connector.
-1. From the **Actions** tab, select one of the available actions.
-
- ![Logic Apps Designer with Actions properties](./media/ethereum-logic-app/action-properties.png)
-
-1. Change or [create an API connection](#create-an-api-connection) to Azure Blockchain Service.
-1. Depending on the action you chose, provide the following details about your smart contract function.
-
- | Property | Description |
- |-|-|
- | **Contract ABI** | The contract ABI defines the smart contract interfaces. For more information, see [Get the contract ABI](#get-the-contract-abi). |
- | **Contract bytecode** | The compiled smart contract bytecode. For more information, see [Get the contract bytecode](#get-the-contract-bytecode). |
- | **Smart contract address** | The contract address is the smart contract destination address on the Ethereum blockchain. For more information, see [Get the contract address](#get-the-contract-address). |
- | **Smart contract function name** | Select the smart contract function name for the action. The list is populated from the details in the contract ABI. |
-
- After selecting a smart contract function name, you might see required fields for function parameters. Enter the values or dynamic content required for your scenario.
-
-You can now use your logic app. When the logic app event is triggered, the Ethereum Blockchain action runs. For example, an HTTP request trigger runs an Ethereum blockchain action to query a smart contract state value. This query results in an HTTP response that returns the value.
-
-## Generate a workflow
-
-The Azure Blockchain Development Kit for Ethereum Visual Studio Code extension can generate logic app workflows for common scenarios. Four scenarios are available:
-
-* Data publishing to an Azure SQL Database instance
-* Event publishing to an instance of Azure Event Grid or Azure Service Bus
-* Report publishing
-* REST-based microservice
-
- The Azure Blockchain Development Kit uses Truffle to simplify blockchain development. To generate a logic app based on a smart contract, you need a Truffle solution for the smart contract. You also need a connection to your Azure Blockchain Service consortium network. For more information, see [Use Visual Studio Code to connect to an Azure Blockchain Service consortium network quickstart](connect-vscode.md).
-
-For example, the following steps generate a REST-based microservice logic app based on the quickstart **HelloBlockchain** smart contract:
-
-1. In the Visual Studio Code explorer sidebar, expand the **contracts** folder in your solution.
-1. Right-click **HelloBlockchain.sol** and select **Generate Microservices for Smart Contracts** from the menu.
-
- ![Visual Studio Code pane with the Generate Microservices for Smart Contracts selection](./media/ethereum-logic-app/generate-logic-app.png)
-
-1. In the command palette, select **Logic App**.
-1. Enter the **contract address**. For more information, see [Get the contract address](#get-the-contract-address).
-1. Select the Azure subscription and resource group for the logic app.
-
- The logic app configuration and code files are generated in the **generatedLogicApp** directory.
-
-1. View the **generatedLogicApp/HelloBlockchain** directory. There's a logic app JSON file for each smart contract function, event, and property.
-1. Open the **generatedLogicApp/HelloBlockchain/Service/property.RequestMessage.logicapp.json** file and copy the contents.
-
- ![JSON file with code to copy](./media/ethereum-logic-app/requestmessage.png)
-
-1. In your logic app, select **Logic app code view**. Replace the existing JSON with the generated logic app JSON.
-
- ![Logic app code view with new replaced app code](./media/ethereum-logic-app/code-view.png)
-
-1. Select **Designer** to switch to the designer view.
-1. The logic app includes the basic steps for the scenario. However, you need to update the configuration details for the Ethereum Blockchain connector.
-1. Select the **Connections** step and change or [create an API connection](#create-an-api-connection) to Azure Blockchain Service.
-
- ![Designer view with the Connections selection](./media/ethereum-logic-app/microservice-logic-app.png)
-
-1. You can now use your logic app. To test the REST-based microservice, issue an HTTP POST request to the logic app request URL. Copy the **HTTP POST URL** contents from the **When an HTTP request is received** step.
-
- ![Logic Apps Designer pane with the HTTP POST URL](./media/ethereum-logic-app/post-url.png)
-
-1. Use cURL to create an HTTP POST request. Replace the placeholder text *\<HTTP POST URL\>* with the URL from the previous step.
-
- ``` bash
- curl -d "{}" -H "Content-Type: application/json" -X POST "<HTTP POST URL>"
- ```
-
- The cURL command returns a response from the logic app. In this case, the response is the output from the **RequestMessage** smart contract function.
-
- ![Code output from the RequestMessage smart contract function](./media/ethereum-logic-app/curl.png)
-
-For more information about using the development kit, see the [Azure Blockchain Development Kit for Ethereum wiki page](https://github.com/Microsoft/vscode-azure-blockchain-ethereum/wiki).
-
-## Create an API connection
-
-An API connection to a blockchain is required for the Ethereum Blockchain connector. You can use the API connector for multiple logic apps. Some properties are required and others depend on your scenario.
-
-> [!IMPORTANT]
-> A private key or account address and password are required for creating transactions on a blockchain. Only one form of authentication is needed. You don't need to provide both the private key and account details. Querying contracts does not require a transaction. If you are using actions that query contract state, the private key or account address and password are not required.
-
-To help you set up a connection to an Azure Blockchain Service member, the following list has possible properties you might need depending on your scenario.
-
-| Property | Description |
-|-|-|
-|**Connection name** | Name of the API connection. Required. |
-|**Ethereum RPC endpoint** | HTTP address of the Azure Blockchain Service transaction node. Required. For more information, see [Get the RPC endpoint](#get-the-rpc-endpoint). |
-|**Private key** | Ethereum account private key. Private key or account address and password are required for transactions. For more information, see [Get the private key](#get-the-private-key). |
-|**Account address** | Azure Blockchain Service member account address. Private key or account address and password are required for transactions. For more information, see [Get the account address](#get-the-account-address). |
-|**Account password** | The account password is set when you create the member. For information on resetting the password, see [Ethereum account](consortium.md#ethereum-account).|
-
-## Get the RPC endpoint
-
-The Azure Blockchain Service RPC endpoint address is required to connect to a blockchain network. You can get the endpoint address by using the Azure Blockchain Development Kit for Ethereum or the Azure portal.
-
-**To use the development kit:**
-
-1. Under **Azure Blockchain Service** in Visual Studio Code, right-click the consortium.
-1. Select **Copy RPC Endpoint Address**.
-
- ![Visual Studio Code pane showing the consortium with the Copy RPC Endpoint Address selection](./media/ethereum-logic-app/devkit-rpc.png)
-
- The RPC endpoint is copied to your clipboard.
-
-**To use the Azure portal:**
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Go to your Azure Blockchain Service member. Select **Transaction nodes** and the default transaction node link.
-
- ![Transaction nodes page with the (default node) selection](./media/ethereum-logic-app/transaction-nodes.png)
-
-1. Select **Connection strings** > **Access keys**.
-1. Copy the endpoint address from **HTTPS (Access key 1)** or **HTTPS (Access key 2)**.
-
- ![Azure portal with the connection string access keys](./media/ethereum-logic-app/connection-string.png)
-
- The RPC endpoint is the HTTPS URL, which includes the address and access key of your Azure Blockchain Service member transaction node.
-
-## Get the private key
-
-You can use the Ethereum account's private key to authenticate when sending a transaction to the blockchain. Your Ethereum account's public and private keys are generated from a 12-word mnemonic. The Azure Blockchain Development Kit for Ethereum generates a mnemonic when you connect to an Azure Blockchain Service consortium member. You can get the endpoint address by using the development kit extension.
-
-1. In Visual Studio Code, open the command palette (F1).
-1. Select **Blockchain: Retrieve private key**.
-1. Select the mnemonic you saved when connecting to the consortium member.
-
- ![Command palette with an option to select the mnemonic](./media/ethereum-logic-app/private-key.png)
-
- The private key is copied to your clipboard.
-
-## Get the account address
-
-You can use the member account and password to authenticate when you send a transaction to the blockchain. The password is set when you create the member.
-
-1. In the Azure portal, go to your Azure Blockchain Service overview page.
-1. Copy the **Member account** address.
-
- ![Overview page with the member account address](./media/ethereum-logic-app/member-account.png)
-
-For more information on the account address and password, see [Ethereum account](consortium.md#ethereum-account).
-
-## Get the contract ABI
-
-The contract ABI defines the smart contract interfaces. It describes how to interact with the smart contract. You can get the contract ABI by using the Azure Blockchain Development Kit for Ethereum. You can also get it from the contract metadata file created by the Solidity compiler.
-
-**To use the development kit:**
-
-If you used the development kit or Truffle to build your smart contract, you can use the extension to copy the contract ABI to the clipboard.
-
-1. In the Visual Studio Code explorer pane, expand the **build/contracts** folder of your Solidity project.
-1. Right-click the contract metadata JSON file. The file name is the smart contract name followed by the **.json** extension.
-1. Select **Copy Contract ABI**.
-
- ![Visual Studio Code pane with the Copy Contract ABI selection](./media/ethereum-logic-app/abi-devkit.png)
-
- The contract ABI is copied to the clipboard.
-
-**To use the contract metadata file:**
-
-1. Open the contract metadata file contained in the **build/contracts** folder of your Solidity project. The file name is the smart contract name followed by the **.json** extension.
-1. Find the **abi** section in the JSON file.
-1. Copy the **abi** JSON array.
-
- ![ABI code in the contract metadata file](./media/ethereum-logic-app/abi-metadata.png)
-
-## Get the contract bytecode
-
-The contract bytecode is the compiled smart contract executed by the Ethereum virtual machine. You can get the contract bytecode by using the Azure Blockchain Development Kit for Ethereum. You can also get it from the Solidity compiler.
-
-**To use the development kit:**
-
-If you used the development kit or Truffle to build your smart contract, you can use the extension to copy the contract bytecode to the clipboard.
-
-1. In the Visual Studio Code explorer pane, expand the **build/contracts** folder of your Solidity project.
-1. Right-click the contract metadata JSON file. The file name is the smart contract name followed by the **.json** extension.
-1. Select **Copy Contract Bytecode**.
-
- ![Visual Studio Code pane with the Copy Contract Bytecode selection](./media/ethereum-logic-app/bytecode-devkit.png)
-
- The contract bytecode is copied to the clipboard.
-
-**To use the contract metadata file:**
-
-1. Open the contract metadata file contained in the **build/contracts** folder of your Solidity project. The file name is the smart contract name followed by the **.json** extension.
-1. Find the **bytecode** element in the JSON file.
-1. Copy the **bytecode** value.
-
- ![Visual Studio Code pane with bytecode in the metadata](./media/ethereum-logic-app/bytecode-metadata.png)
-
-**To use the Solidity compiler:**
-
-Use the command `solc --bin <smart contract>.sol` to generate the contract bytecode.
-
-## Get the contract address
-
-The contract address is the smart contract destination address on the Ethereum blockchain. You use this address to send a transaction or query state of a smart contract. You can get the contract address from the Truffle migration output or the contract metadata file.
-
-**To use the Truffle migrate output:**
-
-Truffle displays the contract address after deployment of the smart contract. Copy the **contract address** from the output.
-
-![Truffle migration output with the contract address in Visual Studio Code](./media/ethereum-logic-app/contract-address-truffle.png)
-
-**To use the contract metadata file:**
-
-1. Open the contract metadata file contained in the **build/contracts** folder of your Solidity project. The file name is the smart contract name followed by the **.json** extension.
-1. Find the **networks** section in the JSON file.
-1. Private networks are identified by an integer network ID. Find the address value within the network section.
-1. Copy the **address** value.
-
-![Metadata with the address value in Visual Studio Code](./media/ethereum-logic-app/contract-address-metadata.png)
-
-## Next steps
-
-Watch common scenarios in the video [Doing more with Logic Apps](https://channel9.msdn.com/Shows/Blocktalk/Doing-more-with-Logic-Apps?term=logic%20apps%20blockchain&lang-en=true).
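Review bot: the deleted article still links to `consortium.md#ethereum-account` under "Get the account address" and to images under `./media/ethereum-logic-app/`, neither of which is touched in this hunk; if this is a wholesale retirement of the blockchain/service articles, add a redirect entry for the removed page path in the same change and delete the orphaned `media/ethereum-logic-app` assets, otherwise the surviving consortium.md is left with a one-way relationship to a page that no longer exists.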
blockchain Ledger Versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/ledger-versions.md
- Title: Azure Blockchain Service ledger versions, patching, & upgrade
-description: Overview of the supported ledgers versions in Azure Blockchain Service. Including policies for systems patching and upgrades.
Previously updated : 06/30/2020--
-#Customer intent: As an operator, I want to understand supported upgrades and versions for Azure Blockchain Service.
--
-# Supported Azure Blockchain Service ledger versions
-
-Azure Blockchain Service uses the Ethereum-based [Quorum](https://www.goquorum.com/developers) ledger designed for the processing of private transactions within a group of known participants, identified as a consortium in Azure Blockchain Service.
-
-Currently, Azure Blockchain Service supports [Quorum version 2.6.0](https://github.com/jpmorganchase/quorum/releases/tag/v2.6.0) and [Tessera transaction manager](https://github.com/jpmorganchase/tessera).
-
-## Managing updates and upgrades
-
-Versioning in Quorum is done through a major, minor, and patch releases. For example, if the Quorum version is 2.0.1, release type would be categorized as follows:
-
-|Major | Minor | Patch |
-| : | :-- | :-- |
-| 2 | 0 | 1 |
-
-Azure Blockchain Service automatically updates patch releases of Quorum to existing running members within 30 days of being made available from Quorum.
-
-## Availability of new ledger versions
-
-Azure Blockchain Service provides the latest major and minor versions of the Quorum ledger within 60 days of being available from the Quorum manufacturer. A maximum of four minor releases are provided for consortia to choose from when provisioning a new member and consortium. Upgrading from to a major or minor release is currently not supported. For example, if you are running version 2.x, an upgrade to version 3.x is currently not supported. Similarly, if you are running version 2.2, an upgrade to version 2.3 is currently not supported.
-
-## How to check Quorum ledger version
-
-You can check the Quorum version on your Azure Blockchain Service member by attaching to your node using geth or viewing diagnostic logs.
-
-### Using geth
-
-Attach to your Azure Blockchain Service node using geth. For example, `geth attach https://myblockchainmember.blockchain.azure.com:3200/<Access key>`.
-
-Once your node is connected, geth reports the Quorum version similar to the following output:
-
-``` text
-instance: Geth/v1.9.7-stable-9339be03(quorum-v2.6.0)/linux-amd64/go1.13.12
-```
-
-For more information on using geth, see [Quickstart: Use Geth to attach to an Azure Blockchain Service transaction node](connect-geth.md).
-
-### Using diagnostic logs
-
-If you enable diagnostic logs, the Quorum version is reported for transaction nodes. For example, the following node informational log message includes the Quorum version.
-
-``` text
-{"NodeName":"transaction-node","Message":"INFO [06-22|05:31:45.156] Starting peer-to-peer node instance=Geth/v1.9.7-stable-9339be03(quorum-v2.6.0)/linux-amd64/go1.13.12\n"}
-{"NodeName":"transaction-node","Message":"[*] Starting Quorum node with QUORUM_VERSION=2.6.0, TESSERA_VERSION=0.10.5 and PRIVATE_CONFIG=/working-dir/c/tm.ipc\n"}
-111
-```
-
-For more information on diagnostic logs, see [Monitor Azure Blockchain Service through Azure Monitor](monitor-azure-blockchain-service.md#diagnostic-settings).
-
-## How to check genesis file content
-
-To check genesis file content of your blockchain node, you can use the following Ethereum JavaScript API:
-
-``` bash
-admin.nodeInfo.protocols
-```
-You can call the API using a geth console or a web3 library. For more information on using geth, see [Quickstart: Use Geth to attach to an Azure Blockchain Service transaction node](connect-geth.md).
-
-## Next steps
-
-[Limits in Azure Blockchain Service](limits.md)
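Review bot: the "Next steps" link to `limits.md` is consistent with limits.md being removed in this same change, but the hunk also drops links to `connect-geth.md` and `monitor-azure-blockchain-service.md#diagnostic-settings` that do not appear in this diff; confirm those articles are removed together with this one or receive redirects, so that no remaining article in the set links into deleted content.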
blockchain Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/limits.md
- Title: Azure Blockchain Service limits
-description: Overview of the service and functional limits in Azure Blockchain Service
Previously updated : 04/02/2020--
-#Customer intent: As an operator or architect, I want to understand service and functional limits for Azure Blockchain Service.
--
-# Limits in Azure Blockchain Service
-
-Azure Blockchain Service has service and functional limits such as the number of nodes a member can have, consortium restrictions, and storage amounts.
-
-## Pricing tier
-
-Maximum limits on transactions and validator nodes depend on whether you provision Azure Blockchain Service at basic or standard pricing tiers.
-
-| Pricing tier | Max transaction nodes | Max validator nodes |
-|:|::|::|
-| Basic | 10 | 1 |
-| Standard | 10 | 2 |
-
-Your consortium network should have a least two Azure Blockchain Service standard tier nodes. Standard tier nodes include two validator nodes. Four validator nodes are required to meet [Istanbul Byzantine Fault Tolerance consensus](https://github.com/jpmorganchase/quorum/wiki/Quorum-Consensus).
-
-Use the basic tier is for development, testing, and proof of concepts. Use the standard tier for production grade deployments. You should also use the *Standard* tier if you are using Blockchain Data Manager or sending a high volume of private transactions.
-
-Changing the pricing tier between basic and standard after member creation is not supported.
-
-## Storage capacity
-
-The maximum amount of storage that can be used per node for ledger data and logs is 1.8 terabytes.
-
-Decreasing ledger and log storage size is not supported.
-## Consortium limits
-
-* **Consortium and member names must be unique** from other consortium and member names in the Azure Blockchain Service.
-
-* **Member and consortium names cannot be changed**
-
-* **All members in a consortium must be in the same pricing tier**
-
-* **All members that participate in a consortium must reside in the same region**
-
- The first member created in a consortium dictates the region. Invited members to the consortium must reside in the same region as the first member. Limiting all members to the same region helps ensure network consensus is not negatively impacted.
-
-* **A consortium must have at least one administrator**
-
- If there is only one administrator in a consortium, they cannot remove themselves from the consortium or delete their member until another administrator is added or promoted in the consortium.
-
-* **Members removed from the consortium cannot be added again**
-
- Rather, they must be reinvited to join the consortium and create a new member. Their existing member resources are not deleted to preserve historical transactions.
-
-* **All members in a consortium must be using the same ledger version**
-
- For more information on the patching, updates, and ledger versions available in Azure Blockchain Service, see [Patching, updates, and versions](ledger-versions.md).
-
-## Performance
-
-Do not use *eth.estimate* gas function for each transaction submission. The *eth.estimate* function is memory intensive. Calling the function multiple times reduces transactions per second drastically.
-
-If possible, use a conservative gas value for submitting transactions and minimize the use of *eth.estimate*.
-
-## Next steps
-
-Learn more about policies regarding systems patching and upgrades - [Patching, updates, and versions](ledger-versions.md).
blockchain Manage Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/manage-cli.md
- Title: Manage Azure Blockchain Service using Azure CLI
-description: How to manage Azure Blockchain Service with Azure CLI
Previously updated : 07/23/2020--
-#Customer intent: As a network operator, I want to use CLI to configure transaction nodes.
--
-# Manage Azure Blockchain Service using Azure CLI
-
-In addition to the Azure portal, you can use Azure CLI to manage blockchain members and transaction nodes for your Azure Blockchain Service.
-
-## Launch Azure Cloud Shell
-
-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
-
-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.
-
-If you prefer to install and use the CLI locally, see [install Azure CLI](/cli/azure/install-azure-cli).
-
-## Prepare your environment
-
-1. Sign in.
-
- Sign in using the [az login](/cli/azure/reference-index#az_login) command if you're using a local install of the CLI.
-
- ```azurecli
- az login
- ```
-
- Follow the steps displayed in your terminal to complete the authentication process.
-
-1. Install the Azure CLI extension.
-
- When working with extension references for the Azure CLI, you must first install the extension. Azure CLI extensions give you access to experimental and pre-release commands that have not yet shipped as part of the core CLI. To learn more about extensions including updating and uninstalling, see [Use extensions with Azure CLI](/cli/azure/azure-cli-extensions-overview).
-
- Install the [extension for Azure Blockchain Service](/cli/azure/blockchain) by running the following command:
-
- ```azurecli-interactive
- az extension add --name blockchain
- ```
-
-## Create blockchain member
-
-Example [creates a blockchain member](/cli/azure/blockchain/member#az_blockchain_member_create) in Azure Blockchain Service that runs the Quorum ledger protocol in a new consortium.
-
-```azurecli
-az blockchain member create \
- --resource-group <myResourceGroup> \
- --name <myMemberName> \
- --location <myBlockchainLocation> \
- --password <strongMemberAccountPassword> \
- --protocol "Quorum" \
- --consortium <myConsortiumName> \
- --consortium-management-account-password <strongConsortiumManagementPassword> \
- --sku <skuName>
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources are created. |
-| **name** | A unique name that identifies your Azure Blockchain Service blockchain member. The name is used for the public endpoint address. For example, `myblockchainmember.blockchain.azure.com`. |
-| **location** | Azure region where the blockchain member is created. For example, `eastus`. Choose the location that is closest to your users or your other Azure applications. Features may not be available in some regions. |
-| **password** | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint. The password must meet three of the following four requirements: length needs to be between 12 & 72 characters, 1 lower case character, 1 upper case character, 1 number, and 1 special character that is not number sign(#), percent(%), comma(,), star(*), back quote(\`), double quote("), single quote('), dash(-) and semicolumn(;)|
-| **protocol** | Blockchain protocol. Currently, *Quorum* protocol is supported. |
-| **consortium** | Name of the consortium to join or create. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md). |
-| **consortium-management-account-password** | The consortium account password is also known as the member account password. The member account password is used to encrypt the private key for the Ethereum account that is created for your member. You use the member account and member account password for consortium management. |
-| **sku** | Tier type. *Standard* or *Basic*. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. You should also use the *Standard* tier if you are using Blockchain Data Manager or sending a high volume of private transactions. Changing the pricing tier between basic and standard after member creation is not supported. |
-
-## Change blockchain member passwords or firewall rules
-
-Example [updates a blockchain member](/cli/azure/blockchain/member#az_blockchain_member_update)'s password, consortium management password, and firewall rule.
-
-```azurecli
-az blockchain member update \
- --resource-group <myResourceGroup> \
- --name <myMemberName> \
- --password <strongMemberAccountPassword> \
- --consortium-management-account-password <strongConsortiumManagementPassword> \
- --firewall-rules <firewallRules>
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources are created. |
-| **name** | Name that identifies your Azure Blockchain Service member. |
-| **password** | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint. The password must meet three of the following four requirements: length needs to be between 12 & 72 characters, 1 lower case character, 1 upper case character, 1 number, and 1 special character that is not number sign(#), percent(%), comma(,), star(*), back quote(\`), double quote("), single quote('), dash(-) and semicolumn(;)|
-| **consortium-management-account-password** | The consortium account password is also known as the member account password. The member account password is used to encrypt the private key for the Ethereum account that is created for your member. You use the member account and member account password for consortium management. |
-| **firewall-rules** | Start and end IP address for IP allowlist. |
-
-## Create transaction node
-
-[Create a transaction node](/cli/azure/blockchain/transaction-node#az_blockchain_transaction_node_create) inside an existing blockchain member. By adding transaction nodes, you can increase security isolation and distribute load. For example, you could have a transaction node endpoint for different client applications.
-
-```azurecli
-az blockchain transaction-node create \
- --resource-group <myResourceGroup> \
- --member-name <myMemberName> \
- --password <strongTransactionNodePassword> \
- --name <myTransactionNodeName>
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources are created. |
-| **location** | Azure region of the blockchain member. |
-| **member-name** | Name that identifies your Azure Blockchain Service member. |
-| **password** | The password for the transaction node. Use the password for basic authentication when connecting to the transaction node public endpoint. The password must meet three of the following four requirements: length needs to be between 12 & 72 characters, 1 lower case character, 1 upper case character, 1 number, and 1 special character that is not number sign(#), percent(%), comma(,), star(*), back quote(\`), double quote("), single quote('), dash(-) and semicolumn(;)|
-| **name** | Transaction node name. |
-
-## Change transaction node password
-
-Example [updates a transaction node](/cli/azure/blockchain/transaction-node#az_blockchain_transaction_node_update) password.
-
-```azurecli
-az blockchain transaction-node update \
- --resource-group <myResourceGroup> \
- --member-name <myMemberName> \
- --password <strongTransactionNodePassword> \
- --name <myTransactionNodeName>
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources exist. |
-| **member-name** | Name that identifies your Azure Blockchain Service member. |
-| **password** | The password for the transaction node. Use the password for basic authentication when connecting to the transaction node public endpoint. The password must meet three of the following four requirements: length needs to be between 12 & 72 characters, 1 lower case character, 1 upper case character, 1 number, and 1 special character that is not number sign(#), percent(%), comma(,), star(*), back quote(\`), double quote("), single quote('), dash(-) and semicolumn(;)|
-| **name** | Transaction node name. |
-
-## List API keys
-
-API keys can be used for node access similar to user name and password. There are two API keys to support key rotation. Use the following command to [list your API keys](/cli/azure/blockchain/member#az_blockchain_transaction_node_list-api-key).
-
-```azurecli
-az blockchain member list-api-key \
- --resource-group <myResourceGroup> \
- --name <myMemberName>
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources exist. |
-| **name** | Name of the Azure Blockchain Service blockchain member |
-
-## Regenerate API keys
-
-Use the following command to [regenerate your API keys](/cli/azure/blockchain/member#az_blockchain_transaction_node_regenerate-api-key).
-
-```azurecli
-az blockchain member regenerate-api-key \
- --resource-group <myResourceGroup> \
- --name <myMemberName> \
- [--key-name {<keyValue1>, <keyValue2>}]
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources exist. |
-| **name** | Name of the Azure Blockchain Service blockchain member. |
-| **keyName** | Replace \<keyValue\> with either key1, key2, or both. |
-
-## Delete a transaction node
-
-Example [deletes a blockchain member transaction node](/cli/azure/blockchain/transaction-node#az_blockchain_transaction_node_delete).
-
-```azurecli
-az blockchain transaction-node delete \
- --resource-group <myResourceGroup> \
- --member-name <myMemberName> \
- --name <myTransactionNode>
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources exist. |
-| **member-name** | Name of the Azure Blockchain Service blockchain member that also includes the transaction node name to be deleted. |
-| **name** | Transaction node name to delete. |
-
-## Delete a blockchain member
-
-Example [deletes a blockchain member](/cli/azure/blockchain/member#az_blockchain_member_delete).
-
-```azurecli
-az blockchain member delete \
- --resource-group <myResourceGroup> \
- --name <myMemberName>
-
-```
-
-| Parameter | Description |
-||-|
-| **resource-group** | Resource group name where Azure Blockchain Service resources exist. |
-| **name** | Name of the Azure Blockchain Service blockchain member to be deleted. |
-
-## Azure Active Directory
-
-### Grant access for Azure AD user
-
-```azurecli
-az role assignment create \
- --role <role> \
- --assignee <assignee> \
- --scope /subscriptions/<subId>/resourceGroups/<groupName>/providers/Microsoft.Blockchain/blockchainMembers/<myMemberName>
-```
-
-| Parameter | Description |
-||-|
-| **role** | Name of the Azure AD role. |
-| **assignee** | Azure AD user ID. For example, `user@contoso.com` |
-| **scope** | Scope of the role assignment. Can be either a blockchain member or transaction node. |
-
-**Example:**
-
-Grant node access for Azure AD user to blockchain **member**:
-
-```azurecli
-az role assignment create \
- --role 'myRole' \
- --assignee user@contoso.com \
- --scope /subscriptions/mySubscriptionId/resourceGroups/contosoResourceGroup/providers/Microsoft.Blockchain/blockchainMembers/contosoMember1
-```
-
-**Example:**
-
-Grant node access for Azure AD user to blockchain **transaction node**:
-
-```azurecli
-az role assignment create \
- --role 'MyRole' \
- --assignee user@contoso.com \
- --scope /subscriptions/mySubscriptionId/resourceGroups/contosoResourceGroup/providers/Microsoft.Blockchain/blockchainMembers/contosoMember1/transactionNodes/contosoTransactionNode1
-```
-
-### Grant node access for Azure AD group or application role
-
-```azurecli
-az role assignment create \
- --role <role> \
- --assignee-object-id <assignee_object_id>
-```
-
-| Parameter | Description |
-||-|
-| **role** | Name of the Azure AD role. |
-| **assignee-object-id** | Azure AD group ID or application ID. |
-| **scope** | Scope of the role assignment. Can be either a blockchain member or transaction node. |
-
-**Example:**
-
-Grant node access for **application role**
-
-```azurecli
-az role assignment create \
- --role 'myRole' \
- --assignee-object-id 22222222-2222-2222-2222-222222222222 \
- --scope /subscriptions/mySubscriptionId/resourceGroups/contosoResourceGroup/providers/Microsoft.Blockchain/blockchainMembers/contosoMember1
-```
-
-### Remove Azure AD node access
-
-```azurecli
-az role assignment delete \
- --role <myRole> \
- --assignee <assignee> \
- --scope /subscriptions/mySubscriptionId/resourceGroups/<myResourceGroup>/providers/Microsoft.Blockchain/blockchainMembers/<myMemberName>/transactionNodes/<myTransactionNode>
-```
-
-| Parameter | Description |
-||-|
-| **role** | Name of the Azure AD role. |
-| **assignee** | Azure AD user ID. For example, `user@contoso.com` |
-| **scope** | Scope of the role assignment. Can be either a blockchain member or transaction node. |
-
-## Next steps
-
-Learn how to [Configure Azure Blockchain Service transaction nodes with the Azure portal](configure-transaction-nodes.md).
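Review bot: the closing "Next steps" link to `configure-transaction-nodes.md` and the `consortium` parameter row's link to `consortium.md` target files that are not part of this diff, so either those articles are removed alongside manage-cli.md or a redirect entry for manage-cli.md is needed; the "Grant node access for Azure AD group or application role" command also lists `scope` in its parameter table without passing `--scope`, which is worth carrying forward correctly if any of this CLI reference is being relocated rather than simply dropped.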
blockchain Manage Consortium Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/manage-consortium-powershell.md
- Title: Manage Azure Blockchain Service consortium members - PowerShell
-description: Learn how to manage Azure Blockchain Service consortium members by using Azure PowerShell.
Previously updated : 10/14/2019--
-#Customer intent: As a network operator, I want to manage members in the consortium so that I can control access to a private blockchain.
--
-# Manage consortium members in Azure Blockchain Service using PowerShell
-
-You can use PowerShell to manage blockchain consortium members for your Azure Blockchain Service.
--
-Members who have administrator privileges can invite, add, remove, and change roles for all participants in the blockchain consortium. Members who have user privileges can view all participants in the blockchain consortium and change their member display name.
-
-## Prerequisites
-
-* Create a blockchain member by using the [Azure portal](create-member.md).
-* For more information about consortia, members, and nodes, see [Azure Blockchain Service consortium](consortium.md).
-
-## Open Azure Cloud Shell
-
-Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
-
-You can also open Cloud Shell in a separate browser tab by going to [shell.azure.com/powershell](https://shell.azure.com/powershell). Select **Copy** to copy the blocks of code, paste it into Cloud Shell, and select **Enter** to run it.
-
-## Install the PowerShell module
-
-Install the Microsoft.AzureBlockchainService.ConsortiumManagement.PS package from the PowerShell Gallery.
-
-```powershell-interactive
-Install-Module -Name Microsoft.AzureBlockchainService.ConsortiumManagement.PS -Scope CurrentUser
-Import-Module Microsoft.AzureBlockchainService.ConsortiumManagement.PS
-```
-
-## Set the information preference
-
-You can get more information when executing the cmdlets by setting the information preference variable. By default, *$InformationPreference* is set to *SilentlyContinue*.
-
-For more verbose information from cmdlets, set the preference in the PowerShell as follows:
-
-```powershell-interactive
-$InformationPreference = 'Continue'
-```
-
-## Establish a Web3 connection
-
-To manage consortium members, establish a Web3 connection to your Blockchain Service member endpoint. You can use this script to set global variables for calling the consortium management cmdlets.
-
-```powershell-interactive
-$Connection = New-Web3Connection -RemoteRPCEndpoint '<Endpoint address>'
-$MemberAccount = Import-Web3Account -ManagedAccountAddress '<Member account address>' -ManagedAccountPassword '<Member account password>'
-$ContractConnection = Import-ConsortiumManagementContracts -RootContractAddress '<RootContract address>' -Web3Client $Connection
-```
-
-Replace *\<Member account password\>* with the member account password that you used when you created the member.
-
-Find the other values in the Azure portal:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Go to your default Blockchain Service member **Overview** page.
-
- ![Member overview](./media/manage-consortium-powershell/member-overview.png)
-
- Replace *\<Member account\>* and *\<RootContract address\>* with the values from the portal.
-
-1. For the endpoint address, select **Transaction nodes**, and then select the **default transaction node**. The default node has the same name as the blockchain member.
-1. Select **Connection strings**.
-
- ![Connection strings](./media/manage-consortium-powershell/connection-strings.png)
-
- Replace *\<Endpoint address\>* with the value from **HTTPS (Access key 1)** or **HTTPS (Access key 2)**.
-
-## Manage the network and smart contracts
-
-Use the network and smart contract cmdlets to establish a connection to the blockchain endpoint's smart contracts responsible for consortium management.
-
-### Import-ConsortiumManagementContracts
-
-Use this cmdlet to connect to the consortium management's smart contracts. These contracts are used to manage and enforce members within the consortium.
-
-`Import-ConsortiumManagementContracts -RootContractAddress <String> -Web3Client <IClient>`
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| RootContractAddress | Root contract address of the consortium management smart contracts | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-```powershell-interactive
-Import-ConsortiumManagementContracts -RootContractAddress '<RootContract address>' -Web3Client $Connection
-```
-
-### Import-Web3Account
-
-Use this cmdlet to create an object to hold the information for a remote node's management account.
-
-`Import-Web3Account -ManagedAccountAddress <String> -ManagedAccountPassword <String>`
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| ManagedAccountAddress | Blockchain member account address | Yes |
-| ManagedAccountPassword | Account address password | Yes |
-
-#### Example
-
-```powershell-interactive
-Import-Web3Account -ManagedAccountAddress '<Member account address>' -ManagedAccountPassword '<Member account password>'
-```
-
-### New-Web3Connection
-
-Use this cmdlet to establish a connection to the RPC endpoint of a transaction node.
-
-`New-Web3Connection [-RemoteRPCEndpoint <String>]`
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| RemoteRPCEndpoint | Blockchain member endpoint address | Yes |
-
-#### Example
-
-```powershell-interactive
-New-Web3Connection -RemoteRPCEndpoint '<Endpoint address>'
-```
-
-## Manage the consortium members
-
-Use consortium member management cmdlets to manage members within the consortium. The available actions depend on your consortium role.
-
-### Get-BlockchainMember
-
-Use this cmdlet to get member details or list members of the consortium.
-
-`Get-BlockchainMember [[-Name] <String>] -Members <IContract> -Web3Client <IClient>`
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| Name | The name of the Blockchain Service member that you want to retrieve details about. When a name is entered, it returns the member's details. When a name is omitted, it returns a list of all consortium members. | No |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection variable.
-
-```powershell-interactive
-$ContractConnection | Get-BlockchainMember -Name <Member Name>
-```
-
-#### Example output
-
-```
-Name : myblockchainmember
-CorrelationId : 0
-DisplayName : myCompany
-SubscriptionId : <Azure subscription ID>
-AccountAddress : 0x85b911c9e103d6405573151258d668479e9ebeef
-Role : ADMIN
-```
-
-### Remove-BlockchainMember
-
-Use this cmdlet to remove a blockchain member.
-
-`Remove-BlockchainMember -Name <String> -Members <IContract> -Web3Account <IAccount> -Web3Client <IClient>`
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| Name | Member name to remove | Yes |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Account | Web3Account object obtained from Import-Web3Account | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection and $MemberAccount variables.
-
-```powershell-interactive
-$ContractConnection | Remove-BlockchainMember -Name <Member Name> -Web3Account $MemberAccount
-```
-
-### Set-BlockchainMember
-
-Use this cmdlet to set blockchain member attributes, including the display name and the consortium role.
-
-Consortium administrators can set **DisplayName** and **Role** for all members. A consortium member with the user role can change only their own member's display name.
-
-```
-Set-BlockchainMember -Name <String> [-DisplayName <String>] [-AccountAddress <String>] [-Role <String>]
- -Members <IContract> -Web3Account <IAccount> -Web3Client <IClient>
-```
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| Name | Name of the blockchain member | Yes |
-| DisplayName | New display name | No |
-| AccountAddress | Account address | No |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Account | Web3Account object obtained from Import-Web3Account | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection| Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection and $MemberAccount variables.
-
-```powershell-interactive
-$ContractConnection | Set-BlockchainMember -Name <Member Name> -DisplayName <Display name> -Web3Account $MemberAccount
-```
-
-## Manage the consortium members' invitations
-
-Use the consortium member invitation management cmdlets to manage consortium members' invitations. The available actions depend on your consortium role.
-
-### New-BlockchainMemberInvitation
-
-Use this cmdlet to invite new members to the consortium.
-
-```
-New-BlockchainMemberInvitation -SubscriptionId <String> -Role <String> -Members <IContract>
- -Web3Account <IAccount> -Web3Client <IClient>
-```
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| SubscriptionId | Azure subscription ID of the member to invite | Yes |
-| Role | The consortium role. Values can be ADMIN or USER. ADMIN is the consortium administrator role. USER is the consortium member role. | Yes |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Account | Web3Account object obtained from Import-Web3Account | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection and $MemberAccount variables.
-
-```powershell-interactive
-$ContractConnection | New-BlockchainMemberInvitation -SubscriptionId <Azure Subscription ID> -Role USER -Web3Account $MemberAccount
-```
-
-### Get-BlockchainMemberInvitation
-
-Use this cmdlet to retrieve or list a consortium member's invitation status.
-
-`Get-BlockchainMemberInvitation [[-SubscriptionId] <String>] -Members <IContract> -Web3Client <IClient>`
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| SubscriptionId | The Azure subscription ID of the member to invite. If the subscription ID is provided, it returns the subscription ID's invitation details. If the subscription ID is omitted, it returns a list of all member invitations. | No |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection variable.
-
-```powershell-interactive
-$ContractConnection | Get-BlockchainMemberInvitation ΓÇôSubscriptionId <Azure subscription ID>
-```
-
-#### Example output
-
-```
-SubscriptionId Role CorrelationId
- -
-<Azure subscription ID> USER 2
-```
-
-### Remove-BlockchainMemberInvitation
-
-Use this cmdlet to revoke a consortium member's invitation.
-
-```
-Remove-BlockchainMemberInvitation -SubscriptionId <String> -Members <IContract> -Web3Account <IAccount>
- -Web3Client <IClient>
-```
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| SubscriptionId | Azure subscription ID of the member to revoke | Yes |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Account | Web3Account object obtained from Import-Web3Account | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection and $MemberAccount variables.
-
-```powershell-interactive
-$ContractConnection | Remove-BlockchainMemberInvitation -SubscriptionId <Subscription ID> -Web3Account $MemberAccount
-```
-
-### Set-BlockchainMemberInvitation
-
-Use this cmdlet to set the **Role** for an existing invitation. Only consortium administrators can change invitations.
-
-```
-Set-BlockchainMemberInvitation -SubscriptionId <String> -Role <String> -Members <IContract>
- -Web3Account <IAccount> -Web3Client <IClient>
-```
-
-| Parameter | Description | Required |
-|--|-|:--:|
-| SubscriptionId | Azure subscription ID of the member to invite | Yes |
-| Role | New consortium role for invitation. Values can be **USER** or **ADMIN**. | Yes |
-| Members | Members object obtained from Import-ConsortiumManagementContracts | Yes |
-| Web3Account | Web3Account object obtained from Import-Web3Account | Yes |
-| Web3Client | Web3Client object obtained from New-Web3Connection | Yes |
-
-#### Example
-
-[Establish a Web3 connection](#establish-a-web3-connection) to set the $ContractConnection and $MemberAccount variables.
-
-```powershell-interactive
-$ContractConnection | Set-BlockchainMemberInvitation -SubscriptionId <Azure subscription ID> -Role USER -Web3Account $MemberAccount
-```
-
-## Next steps
-
-For more information about consortia, members, and nodes, see [Azure Blockchain Service consortium](consortium.md)
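Review bot: Deleting this cmdlet reference needs a redirect and a cross-link check: the closing "Next steps" line points at `consortium.md`, and every example in the page depends on the `#establish-a-web3-connection` anchor that exists only in this file, so if `consortium.md` or any surviving page still links here it will 404 unless the removed path is redirected to the migration guide. If any of this material is kept or relocated, two defects in the removed text should go with it: `New-Web3Connection [-RemoteRPCEndpoint <String>]` shows the parameter as optional while its table marks it Required, and the `Import-Web3Account` example passes `-ManagedAccountPassword '<Member account password>'` as a literal string on the command line, which lands in PowerShell history and transcripts; the relocated text should take the secret from a credential prompt or `SecureString` rather than an inline literal. The `Set-BlockchainMember` parameter table also omits the `Role` row that the syntax line and the preceding sentence describe.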
blockchain Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/migration-guide.md
- Title: Azure Blockchain Service retirement notification and guidance
-description: Migrate Azure Blockchain Service to a managed or self-managed blockchain offering
Previously updated : 05/10/2021--
-#Customer intent: As a network operator, I want to migrate Azure Blockchain Service to an alterative offering so that I can use blockchain after Azure Blockchain Service retirement.
--
-# Migrate Azure Blockchain Service
-
-You can migrate ledger data from Azure Blockchain Service to an alternate offering.
-
-> [!IMPORTANT]
-> On **September 10, 2021**, Azure Blockchain will be retired. Please migrate ledger data from Azure Blockchain Service to an alternative offering based on your development status in production or evaluation.
-
-## Evaluate alternatives
-
-The first step when planning a migration is to evaluate alternative offerings. Evaluate the following alternatives based on your development status of being in production or evaluation.
-
-### Production or pilot phase
-
-If you have already deployed and developed a blockchain solution that is in the production or pilot phase, consider the following alternatives.
-
-#### Quorum Blockchain Service
-
-Quorum Blockchain Service is a managed offering by ConsenSys on Azure that supports Quorum as ledger technology.
--- **Managed offering** - Quorum Blockchain Service has no extra management overhead compared to Azure Blockchain Service.-- **Ledger technology** - Based on ConsenSys Quorum which is an enhanced version of the GoQuorum Ledger technology used in Azure Blockchain Service. No new learning is required. For more information, see the [Consensys Quorum FAQ](https://consensys.net/quorum/faq).-- **Continuity** - You can migrate your existing data on to Quorum Blockchain Service by ConsenSys. For more information, see [Export data from Azure Blockchain Service](#export-data-from-azure-blockchain-service)-
-For more information, see [Quorum Blockchain Service](https://consensys.net/QBS).
-
-#### Azure VM-based deployment
-
-There are several blockchain resource management templates you can use to deploy blockchain on IaaS VMs.
--- **Ledger technology** - You can continue to use Quorum ledger technology including the new ConsenSys Quorum.-- **Self-management** - Once deployed, you manage the infrastructure and blockchain stack.-
-### New deployment or evaluation phase
-
-If you are starting to develop a new solution or are in an evaluation phase, consider the following alternatives based on your scenario requirements.
--- [Quorum template from Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/consensys.quorum-dev-quickstart)-- Besu template from Azure Marketplace-
-### How to migrate to an alternative
-
-To migrate a production workload, first [export your data from Azure Blockchain Service](#export-data-from-azure-blockchain-service). Once you have a copy of your data, you can transition this data to your preferred alternative.
-
-The recommended migration destination is ConsenSys Quorum Blockchain Service. To onboard to this service, register at the [Quorum Blockchain Service](https://consensys.net/QBS) page.
-
-To self-manage your blockchain solution using virtual machines in Azure, see [Azure VM-based Quorum guidance](#azure-vm-based-quorum-guidance) to set up transaction and validator nodes.
-## Export data from Azure Blockchain Service
-
-Based on your current development state, you can either opt to use existing ledger data on Azure Blockchain Service or start a new network and use the solution of your choice. We recommend creating a new consortium based on a solution of your choice in all scenarios where you do not need or intend to use existing ledger data on Azure Blockchain Service.
-
-### Open support case
-
-If you have a paid support plan, open a Microsoft Support ticket to pause the consortium and export your blockchain data.
-
-1. Use the Azure portal to open a support ticket. In *Problem description*, enter the following details:
-
- ![Support ticket problem description form in the Azure portal](./media/migration-guide/problem-description.png)
-
- | Field | Response |
- |-| |
- | Issue type | Technical |
- | Service | Azure Blockchain Service - Preview |
- | Summary | Request data for migration |
- | Problem type | other |
-
-1. In *Additional details*, include the following details:
-
- ![Support ticket additional details form in the Azure portal](./media/migration-guide/additional-details.png)
-
- - Subscription ID or Azure Resource Manager resource ID
- - Tenant
- - Consortium name
- - Region
- - Member name
- - Preferred Datetime for initiating migration
-
-If your consortium has multiple members, each member is required to open a separate support ticket for respective member data.
-
-### Pause consortium
-
-You are required to coordinate with members of consortium to data export since the consortium will be paused for data export and transactions during this time will fail.
-
-Azure Blockchain Service team pauses the consortium, exports a snapshot of data, and makes the data available through short-lived SAS URL for download in an encrypted format. The consortium is resumed after taking the snapshot.
-
-> [!IMPORTANT]
-> You should stop all applications initiating new
-> blockchain transactions on to the network. Active applications may lead to data loss or your original and migrated networks being out of sync.
-
-### Download data
-
-#### Data format v1
-
-Download the data using the Microsoft Support provided short-lived SAS URL link.
-
-> [!IMPORTANT]
-> You are required to download your data within seven days.
-
-Decrypt the data using the API access key. You can [get the key from the Azure portal](configure-transaction-nodes.md#access-keys) or [through the REST API](/rest/api/blockchain/2019-06-01-preview/blockchainmembers/listapikeys).
-
-> [!CAUTION]
-> Only the default transaction node API access key 1 is used to encrypt all the nodes data of that member.
->
-> Do not reset the API access key in between of the migration.
-
-#### Data format v2
-
-In this version, the SAS token is encrypted instead of the data, resulting in faster snapshot creation. *If* you choose to migrate to ConsenSys Quorum Blockchain Service, importing to Quorum Blockchain Service is also faster.
-
-After the SAS token is decrypted, data can be downloaded as normal. The data itself won't have an additional layer of encryption.
-
-> [!IMPORTANT]
-> Creating a snapshot in data format v2 is about 8-10 times faster, so you have less downtime.
-
-> [!CAUTION]
-> The default transaction node API access key 1 is used to encrypt the SAS token.
->
-> Do not reset the API access key between or during migration.
-
-You can use the data with either ConsenSys Quorum Blockchain service or your IaaS VM-based deployment.
-
-For ConsenSys Quorum Blockchain Service migration, contact ConsenSys at [qbsmigration@consensys.net](mailto:qbsmigration@consensys.net).
-
-For using the data with your IaaS VM-based deployment, follow the steps in the [Azure VM based Quorum guidance](#azure-vm-based-quorum-guidance) section of this article.
-
-### Delete resources
-
-Once you have completed your data copy, it is recommended that you delete the Azure Blockchain member resources. You will continue to get billed while these resources exist.
-
-## Azure VM-based Quorum guidance
-
-Use the following the steps to create transaction nodes and validator nodes.
-
-### Transaction node
-
-A transaction node has two components. Tessera is used for the private transactions and Geth is used for the Quorum application. Validator nodes require only the Geth component.
-
-#### Tessera
-
-1. Install Java 11. For example, `apt install default-jre`.
-1. Update paths in `tessera-config.json`. Change all references of `/working-dir/**` to `/opt/blockchain/data/working-dir/**`.
-1. Update the IP address of other transaction nodes as per new IP address. HTTPS won't work since it is not enabled in the Tessera configuration. For information on how to configure TLS, see the [Tessera configure TLS](https://docs.tessera.consensys.net/en/stable/HowTo/Configure/TLS/) article.
-1. Update NSG rules to allow inbound connections to port 9000.
-1. Run Tessera using the following command:
-
- ```bash
- java -Xms512M -Xmx1731M -Dlogback.configurationFile=/tessera/logback-tessera.xml -jar tessera.jar -configfile /opt/blockchain/data/working-dir/tessera-config.json > tessera.log 2>&1 &
- ```
-
-#### Geth
-
-1. Update IPs in enode addresses in `/opt/blockchain/data/working-dir/dd/static-nodes.json`. Public IP address is allowed.
-1. Make the same IP address changes under StaticNodes key in `/geth/config.toml`.
-1. Update NSG rules to allow inbound connections to port 30303.
-1. Run Geth using the following commands:
-
- ```bash
- export NETWORK_ID='' # Get network ID from metadata. The network ID is the same for consortium.
-
- PRIVATE_CONFIG=tm.ipc geth --config /geth/config.toml --datadir /opt/blockchain/data/working-dir/dd --networkid $NETWORK_ID --istanbul.blockperiod 5 --nodiscover --nousb --allow-insecure-unlock --verbosity 3 --txpool.globalslots 80000 --txpool.globalqueue 80000 --txpool.accountqueue 50000 --txpool.accountslots 50000 --targetgaslimit 700000000 --miner.gaslimit 800000000 --syncmode full --rpc --rpcaddr 0.0.0.0 --rpcport 3100 --rpccorsdomain '*' --rpcapi admin,db,eth,debug,net,shh,txpool,personal,web3,quorum,istanbul --ws --wsaddr 0.0.0.0 --wsport 3000 --wsorigins '*' --wsapi admin,db,eth,debug,net,shh,txpool,personal,web3,quorum,istanbul
- ```
-
-### Validator Node
-
-Validator node steps are similar to the transaction node except that Geth startup command will have the additional flag `-mine`. Tessera is not started on a validator node. To run Geth without a paired Tessera, you pass `PRIVATE_CONFIG=ignore` in the Geth command. Run Geth using the following commands:
-
-```bash
-export NETWORK_ID=`j q '.APP_SETTINGS | fromjson | ."network-id"' env.json`
-
-PRIVATE_CONFIG=ignore geth --config /geth/config.toml --datadir /opt/blockchain/data/working-dir/dd --networkid $NETWORK_ID --istanbul.blockperiod 5 --nodiscover --nousb --allow-insecure-unlock --verbosity 3 --txpool.globalslots 80000 --txpool.globalqueue 80000 --txpool.accountqueue 50000 --txpool.accountslots 50000 --targetgaslimit 700000000 --miner.gaslimit 800000000 --syncmode full --rpc --rpcaddr 0.0.0.0 --rpcport 3100 --rpccorsdomain '*' --rpcapi admin,db,eth,debug,net,shh,txpool,personal,web3,quorum,istanbul --ws --wsaddr 0.0.0.0 --wsport 3000 --wsorigins '*' --wsapi admin,db,eth,debug,net,shh,txpool,personal,web3,quorum,istanbul ΓÇômine
-```
-
-## Upgrading Quorum
-
-Azure Blockchain Service may be in running one of the following listed versions of Quorum. You can choose to use the same Quorum version or follow the below steps to use latest version of ConsenSys Quorum.
-
-### Upgrade Quorum version 2.6.0 or 2.7.0 to ConsenSys 21.1.0
-
-Upgrading from Quorum version 2.6 or 2.7 version is straightforward. Download and update using the following links.
-1. Download [ConsenSys Quorum and related binaries v21.1.0](https://github.com/ConsenSys/quorum/releases/tag/v21.1.0).
-1. Download the latest version of Tessera [tessera-app-21.1.0-app.jar](https://github.com/ConsenSys/tessera/releases/tag/tessera-21.1.0).
-
-### Upgrade Quorum version 2.5.0 to ConsenSys 21.1.0
-
-1. Download [ConsenSys Quorum and related binaries v21.1.0](https://github.com/ConsenSys/quorum/releases/tag/v21.1.0).
-1. Download the latest version of Tessera [tessera-app-21.1.0-app.jar](https://github.com/ConsenSys/tessera/releases/tag/tessera-21.1.0).
-For versions 2.5.0, there are some minor genesis file changes. Make the following changes in the genesis file.
-
-1. The value `byzantiumBlock` was set to 1 and it cannot be less than `constantinopleBlock` which is 0. Set the `byzantiumBlock` value to 0.
-1. Set `petersburgBlock`, `istanbulBlock` to a future block. This value should be same across all nodes.
-1. This step is optional. `ceil2Nby3Block` was incorrectly placed in Azure Blockchain Service Quorum 2.5.0 version. This needs to be inside the istanbul config and set the value future block. This value should be same across all nodes.
-1. Run geth to reinitialize genesis block using following command:
-
- ```bash
- geth --datadir "Data Directory Path" init "genesis file path"
- ```
-
-1. Run Geth.
-
-## Exported data reference
-
-This section describes the metadata, and folder structure to help import the data into your IaaS VM deployment.
-
-### Metadata info
-
-| Name | Sample | Description |
-|--|--|--|
-| consortium_name | \<ConsortiumName\> | Consortium name (unique across Azure Blockchain Service). |
-| Consortium_Member_Count || Number of members in the consortium |
-| member_name | \<memberName\> | Blockchain member name (unique across Azure Blockchain Service). |
-| node_name | transaction-node | Node name (each member has multiple nodes). |
-| network_id | 543 | Geth network ID. |
-| is_miner | False | Is_Miner == true (Validator Node), Is_Miner == false (Transaction node) |
-| quorum_version | 2.7.0 | Version of Quorum |
-| tessera_version | 0.10.5 | Tessera version |
-| java_version | java-11-openjdk-amd64 | Java version Tessera uses |
-| CurrentBlockNumber | | Current block number for the blockchain network |
-
-## Migrated Data Folder structure
-
-At the top level, there are folders that correspond to each of the nodes of the members.
--- **Standard SKU** - Two validator nodes (validator-node-0
-and validator-node-1)
-- **Basic SKU** - One validator node (validator-node-0)-- **Transaction Node** - Default transaction node named transaction-node.-
-Other transaction node folders are named after the transaction node name.
-
-### Node level folder structure
-
-Each node level folder contains a zip file that is encrypted using the encryption key. For details on the obtaining the encryption key, see the [Download data](#download-data) section of this article.
-
-| Directory/File | Description |
-|-|--|
-| /config/config.toml | Geth parameters. Command line parameters take precedence |
-| /config/genesis.json | Genesis file |
-| /config/logback-tessera.xml | Logback configuration for Tessera |
-| /config/static-nodes.json | Static nodes. Bootstrap nodes are removed and auto-discovery is disabled. |
-| /config/tessera-config.json | Tessera configuration |
-| /data/c/ | Tessera DB |
-| /data/dd/ | Geth data directory |
-| /env/env | Metadata |
-| /keys/ | Tessera keys |
-| /scripts/ | Startup scripts (provided for reference only) |
-
-## Frequently asked questions
-
-### What does service retirement mean for existing customers?
-
-The existing Azure Blockchain Service deployments cannot be continued beyond September 10, 2021. Start evaluating alternatives suggested in this article before retirement based on your requirements.
-
-### What happens to existing deployments after the announcement of retirement?
-
-Existing deployments are supported until September 10, 2021. Evaluate the suggested alternatives, migrate the data to the alternate offering, operate your requirement on the alternative offering, and start migrating from the deployment on Azure Blockchain Service.
-
-### How long will the existing deployments be supported on Azure Blockchain Service?
-
-Existing deployments are supported until September 10, 2021.
-
-### Will I be allowed to create new Azure Blockchain members while in retirement phase?
-
-After May 10, 2021, no new member creation or deployments are supported.
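Review bot: Removing the whole migration guide in the same change that removes the cmdlet reference leaves customers who exported data under the "Download data" section without the two parts they still need afterwards, the "Azure VM-based Quorum guidance" and "Exported data reference" sections; the text itself states that the snapshot must be downloaded within seven days, so a customer whose snapshot was taken just before the September 10, 2021 retirement is still inside that window when this commit lands. Consider keeping those two sections (and the support-ticket instructions) reachable for a grace period, or pointing the redirect at an archived copy. If the VM guidance is kept anywhere, the Geth startup lines need a hardening caveat that the removed text lacks: they start the node with `--rpcaddr 0.0.0.0 --rpccorsdomain '*' --wsorigins '*' --allow-insecure-unlock` and expose the `admin` and `personal` APIs over both RPC and WebSocket, while the only NSG guidance given is to open inbound 9000 and 30303; the text should say the RPC (3100) and WS (3000) ports must stay closed to untrusted networks. Two copy errors in the same block would also need fixing on relocation: the validator command ends in `ΓÇômine` (a mis-encoded `--mine`, which the prose calls `-mine`), and its `NETWORK_ID` line runs `j q` instead of `jq`.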
blockchain Monitor Azure Blockchain Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/monitor-azure-blockchain-service.md
- Title: Monitoring Azure Blockchain Service (ABS)
-description: Monitoring Azure Blockchain Service through Azure Monitor
Previously updated : 01/08/2020----
-# Monitor Azure Blockchain Service through Azure Monitor
-
-As customers run production grade blockchain scenarios on Azure Blockchain Service (ABS), it becomes critical to monitor the resources for availability, performance, and operations. This article describes the monitoring data generated by Azure Blockchain Service and how one can use the various features and integrations of Azure Monitor to analyze and alert on, to manage production grade environments.
-
-## What is Azure Monitor?
-
-Azure Blockchain Service creates monitoring data using Azure Monitor, which is a full stack monitoring service in Azure that provides a complete set of features to monitor your Azure resources. For more information about Azure Monitor, see [Monitoring Azure resources with Azure Monitor](../../azure-monitor/essentials/monitor-azure-resource.md).
-ΓÇ»
-
-The following sections build on this article by describing the specific data gathered from Azure Blockchain Service and providing examples for configuring data collection and analyzing this data with Azure tools.
-
-## Monitor data collected from Azure Blockchain Service
-
-Azure Blockchain Service collects the same kind of monitoring data as other Azure resources, which are described in [Monitoring data](../../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data) from Azure resources. See [Monitor Azure Blockchain Service data reference](#monitor-azure-blockchain-service-data-reference) for a detailed reference of the logs and metrics created by Azure Blockchain Service.
-
-The overview page in the Azure portal for each Azure Blockchain Service member resource includes a brief view of the transactions including the requests handled and processed blocks. Some of this data is collected automatically and available for analysis once you create the Azure Blockchain Service member resource, while you can enable additional data collection with additional configuration.
-
-## Diagnostic settings
-
-Platform metrics and the Activity log are collected automatically, but you must create a diagnostic setting to collect resource logs or forward them outside of Azure Monitor. See [Create diagnostic setting to collect platform logs and metrics in Azure](../../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell.
-
-When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Blockchain Service are listed below.
-
-**Blockchain proxy logs** ΓÇô Select the category if you want to monitor the NGNIX proxy logs. All the customer transaction details are available for audit and debug purpose.
-
-**Blockchain application logs** ΓÇô Select the category to get logs of the blockchain application hosted by the managed service. For example, for an ABS-Quorum member, these logs would be the logs from Quorum itself.
-
-**Metric requests**: Select the option to collect metric data from Azure Cosmos DB to the destinations in the diagnostic setting, which is collected automatically in Azure Metrics. Collect metric data with resource logs to analyze both kinds of data together and to send metric data outside of Azure Monitor.
-
-## Analyze metric data
-
-You can analyze metrics for Azure Blockchain Service with Metrics explorer, navigate to Metrics tab under Monitoring section in ABS resource blade. See [Getting started with Azure Metrics Explorer](../../azure-monitor/essentials/metrics-getting-started.md) for details on using the tool. The complete metrics for Azure Blockchain Service are in the namespace Azure Blockchain Service standard metrics.
-
-You can use **node** dimension when adding a filter or splitting the metrics, which basically provides metric values per transaction nodes and validator nodes of the ABS member.
-
-## Analyze log data
-
-Here are some queries that you can enter in the Log search bar to help you monitor your Azure Blockchain Service members. These queries work with the [new language](../../azure-monitor/logs/log-query-overview.md).
-
-To query the error conditions in the Blockchain application logs, use the below query:
-
-```
-BlockchainApplicationLog | where BlockchainMessage contains "ERROR" or BlockchainMessage contains "fatal"
-
-```
-
-To query the error conditions in the Blockchain proxy logs, use the below query
--
-```
-BlockchainProxyLog
-| filter Code != 200
-| limit 500
-
-```
-You can use the time filters available in Azure logs to filter the query for a specific time range.
-
-## Monitor Azure Blockchain Service data reference
-
-This article provides a reference of log and metric data collected to analyze the performance and availability of Azure Blockchain Service.
-
-### Resource logs
-
-All resource logs share a top-level common schema with few unique properties specific to the blockchain service. You can refer to the article [Top-level resource logs schema](../../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema), details of the Azure Blockchain Service specific properties are covered below
-
-The following table lists the properties for Azure Blockchain proxy logs when they're collected in Azure Monitor Logs or Azure Storage.
--
-| Property name | Description |
-|:|:|
-| time | The date and time (UTC) when the operation occurred. |
-| resourceID | The Azure Blockchain Service resource for which logs are enabled. |
-| category |For Azure Blockchain Service, the values possible are **Proxylogs** and **Applicationlogs**. |
-| operationName | The name of the operation represented by this event. |
-| Log level | By default, Azure Blockchain Service enables **Informational** log level. |
-| NodeLocation | Azure region where the blockchain member is deployed. |
-| BlockchainNodeName | The name of the node of the Azure Blockchain Service member on which operation is performed. |
-| EthMethod | The method, which is called by the underlying blockchain protocol, in Quorum, it could be eth_sendTransactions, eth_getBlockByNumber etc. |
-| Agent | The user agent that is acting on behalf of a user, such as web browser Mozilla, Edge etc. Examples of the values are: "Mozilla/5.0 (Linux x64) node.js/8.16.0 v8/6.2.414.77" |
-| Code | HTTP error codes. Usually 4XX and 5XX are error conditions. |
-| NodeHost | The DNS name of the node. |
-| RequestMethodName | HTTP method called, the possible values here are PUT for create member, GET for getting details of existing member, DELETE for delete member, PATCH for updating member. |
-| BlockchainMemberName | Azure Blockchain Service member name provided by the user. |
-| Consortium | Name of the consortium as provided by the user. |
-| Remote | The IP of the client where the request is coming. |
-| RequestSize | Size of the request made in bytes. |
-| RequestTime | The duration of the request in milliseconds.|
----
-The following table lists the properties for Azure Blockchain application logs.
--
-| Property name | Description |
-|:|:|
-| time | The date and time (UTC) when the operation occurred. |
-| resourceID | The Azure Blockchain Service resource for which logs are enabled.|
-| category |For Azure Blockchain Service, the value possible are **Proxylogs** and **Applicationlogs**. |
-| operationName | The name of the operation represented by this event. |
-| Log level | By default, Azure Blockchain Service enables **Informational** log level. |
-| NodeLocation | Azure region where the blockchain member is deployed. |
-| BlockchainNodeName | The name of the node of the Azure Blockchain Service member on which operation is performed. |
-| BlockchainMessage | This field will contain the Blockchain application log that is the data plain logs. For ABS-Quorum, this would have Quorum logs. It has information about what type of log entry is it that is informational, error, warning and a string that gives more information on the action executed. |
-| TenantID | The region-specific tenant of the Azure Blockchain Service. The format of this field is https://westlake-rp-prod.<region>.cloudapp.azure.com where region specifies the Azure region of the member deployed. |
-| SourceSystem | The system populates the logs, in this case it is **Azure**. |
---
-### Metrics
-
-The following tables lists the platform metrics collected for Azure Blockchain Service. All metrics are stored in the namespace **Azure Blockchain Service** standard metrics.
-
-For a list of all Azure Monitor supported metrics (including Azure Blockchain Service), see [Azure Monitor supported metrics](../../azure-monitor/essentials/metrics-supported.md).
-
-### Blockchain metrics
-
-The following table specifies the list of Blockchain metrics that are collected for the Azure Blockchain Service member resource.
--
-| Metric name | Unit | Aggregation type| Description |
-|||||
-| Pending Transactions | Count | Average | The number of transactions that are waiting to be mined. |
-| Processed Blocks | Count | Sum | The number of blocks processed in each time interval. Currently the block size is 5 seconds, hence in a minute each node will process 12 blocks and 60 blocks in 5 minutes. |
-|Processed Transactions | Count | Sum | The number of transactions processed in a block. |
-|Queued Transactions | Count | Average | The number of transactions that cannot be immediately mined. It can be because they arrived out of order and the future one is waiting for previous transaction to arrive. Or, it can be two transactions have the same number only used once (nonce) and the same gas value, hence the second one cannot be mined. |
-
-### Connection metrics
-
-The following table lists the different connection metrics that are collected for the Azure Blockchain Service member resource. These are NGINX proxy metrics.
--
-| Metric name | Unit | Aggregation type| Description |
-|||||
-| Accepted Connections | Count | Sum | The total number of accepted client connections. |
-| Active Connections | Count | Average | The current number of active client connections including Waiting connections. |
-|Handled Connections | Count | Sum | The total number of handled connections. Generally, the parameter value is the same as accepted connections unless some resource limits have been reached. |
-|Handled Requests | Count | Sum | The total number of client requests. |
--
-### Performance Metrics
-
-The following table lists the performance metrics that are collected for each of the nodes of the Azure Blockchain member resource.
--
-| Metric name | Unit | Aggregation type| Description |
-|||||
-| CPU Usage percentage | Percentage | Max | The percentage of the CPU usage. |
-| IO Read Bytes | Kilobytes | Sum | The sum of IO read bytes across all nodes of the blockchain member resource. |
-|IO Write Bytes | Kilobytes | Sum | The sum of IO writes bytes across all nodes of the blockchain member resource. |
-|Memory Limit | Gigabytes | Average | Maximum memory available for the blockchain process per node. |
-|Memory Usage | Gigabytes | Average | The amount of memory used averaged across all nodes. |
-| Memory Usage Percentage | Percentage | Average | The percentage of the memory used averaged across all nodes. |
-|Storage Usage | Gigabytes | Average | The GB of storage used averaged across all nodes. |
--
-## Next Steps
-
-Learn more about [Blockchain Data Manager](./data-manager.md) to capture and transform blockchain data to Azure Event Grid.
blockchain Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/overview.md
- Title: Azure Blockchain Service overview
-description: Overview of Azure Blockchain Service
Previously updated : 03/15/2021
-#Customer intent: As a network operator or developer, I want to understand how I can use Azure Blockchain Service to build and manage consortium blockchain networks on Azure
--
-# What is Azure Blockchain Service?
-
-Azure Blockchain Service is a fully managed ledger service that gives users the ability to grow and operate blockchain networks at scale in Azure.
--
-By providing unified control for both infrastructure management as well as blockchain network governance, Azure Blockchain Service provides:
-
-* Simple network deployment and operations
-* Built-in consortium management
-* Develop smart contracts with familiar development tools
-
-Azure Blockchain Service is designed to support multiple ledger protocols. Currently, it provides support for the Ethereum [Quorum](https://www.goquorum.com/) ledger using the [Istanbul Byzantine Fault Tolerance (IBFT)](https://docs.goquorum.consensys.net/en/stable/Concepts/Consensus/IBFT/) consensus mechanism.
-
-These capabilities require almost no administration and all are provided at no additional cost. You can focus on app development and business logic rather than allocating time and resources to managing virtual machines and infrastructure. In addition, you can continue to develop your application with the open-source tools and platform of your choice to deliver your solutions without having to learn new skills.
-
-## Network deployment and operations
-
-Deploying Azure Blockchain Service is done through the Azure portal, Azure CLI, or through Visual Studio code using the Azure Blockchain extension. Deployment is simplified, including provisioning both transaction and validator nodes, Azure Virtual Networks for security isolation as well as service-managed storage. In addition, when deploying a new blockchain member, users also create, or join, a consortium. Consortiums enable multiple parties in different Azure subscriptions to be able to securely communicate with one another on a shared blockchain. This simplified deployment reduces blockchain network deployment from days to minutes.
-
-### Performance and service tiers
-
-Azure Blockchain Service offers two service tiers: *Basic* and *Standard*. Each tier offers different performance and capabilities to support lightweight development and test workloads up to massively scaled production blockchain deployments. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. Both tiers include at least one transaction node, and one validator node (Basic) or two validator nodes (Standard).
-
-![Pricing tiers](./media/overview/pricing-tiers.png)
-
-In addition to offering two validator nodes, the *Standard* tier provides two *vCores* for each transaction and validator node whereas the *Basic* tier offers a 1 vCore configuration. By offering 2 vCores for transaction and validator nodes, 1 vCore can be dedicated to the Quorum ledger while the remaining 1 vCore can be used for other infrastructure-related services, ensuring optimal performance for production blockchain workloads. For more information on pricing details, see [Azure Blockchain Service pricing](https://azure.microsoft.com/pricing/details/blockchain-service).
-
-### Security and maintenance
-
-After provisioning your first blockchain member, you have the ability to add additional transaction nodes to your member. By default, transaction nodes are secured through firewall rules and require configuration for access. Additionally, all transaction nodes encrypt data in motion via TLS. Multiple options exist for securing transaction node access, including firewall rules, basic authentication, access keys, and Azure Active Directory integration. For more information, see [configure transaction nodes](configure-transaction-nodes.md) and [configure Azure Active Directory access](configure-aad.md).
-
-As a managed service, Azure Blockchain Service ensures that your blockchain member's nodes are patched with the latest host operating system and ledger software stack updates, configured for high-availability (Standard tier only), eliminating much of the DevOps required for traditional IaaS blockchain nodes. For more information on patching and updates, see [supported Azure Blockchain Service ledger versions](ledger-versions.md).
-
-### Monitoring and logging
-
-In addition, Azure Blockchain Service provides rich metrics through Azure Monitor Service providing insights into nodes' CPU, memory, and storage usage. Azure Monitor also provides helpful insights into blockchain network activity such as transactions and blocks mined, transaction queue depth, and active connections. Metrics can be customized to provide views into the insights that are important to your blockchain application. In addition, thresholds can be defined through alerts enabling users to trigger actions such as sending an email or text message, running a Logic App, Azure Function or sending to a custom-defined webhook.
-
-![Screen capture shows monitoring, with values for blocks, transactions, pending transactions, and handled requests.](./media/overview/metrics.png)
-
-Through Azure Log Analytics, users can view logs related to the Quorum ledger, or other important information such as attempted connections to the transaction nodes.
-
-## Built-in consortium management
-
-When deploying your first blockchain member, you either join or create a new consortium. A consortium is a logical group used to manage the governance and connectivity between blockchain members who transact in a multi-party process. Azure Blockchain Service provides built-in governance controls through pre-defined smart contracts, which determine what actions members in the consortium can take. These governance controls can be customized as necessary by the administrator of the consortium. When you create a new consortium, your blockchain member is the default administrator of the consortium, enabling the ability to invite other parties to join your consortium. You can join a consortium only if you have been previously invited. When joining a consortium, your blockchain member is subject to the governance controls put in place by the consortium's administrator.
-
-![Consortium management](./media/overview/consortium.png)
-
-Consortium management actions such as adding and removing members from a consortium can be accessed through PowerShell and a REST API. You can programmatically manage a consortium using common interfaces rather than modifying and submitting solidity-based smart contracts. For more information, see [consortium management](consortium.md).
-
-## Develop using familiar development tools
-
-Based on the open-sourced Quorum Ethereum ledger, you can develop applications for Azure Blockchain Service the same way as you do for existing Ethereum applications. Working with leading industry partners, the Azure Blockchain Development Kit Visual Studio Code extension allows developers to leverage familiar tools like Truffle Suite to build smart contracts. Using the Azure Blockchain Visual Studio Code extension, you can create or connect to an existing consortium so that you can build and deploy your smart contracts all from one IDE. For more information, see [Azure Blockchain Development Kit in the VS Code marketplace](https://aka.ms/vscodebcextension) and the [Azure Blockchain Development Kit user guide](https://aka.ms/vscodebcextensionwiki).
-
-## Publish blockchain data
-
-Blockchain Data Manager for Azure Blockchain Service captures, transforms, and delivers Azure Blockchain Service transaction data to Azure Event Grid Topics providing reliable and scalable blockchain ledger integration with Azure services. You can use Blockchain Data Manager to integrate off-chain applications and data stores. For more information, see [Blockchain Data Manager for Azure Blockchain Service](data-manager.md).
-
-## Support and feedback
-
-For Azure Blockchain news, visit the [Azure Blockchain blog](https://azure.microsoft.com/blog/topics/blockchain/) to stay up to date on blockchain service offerings and information from the Azure Blockchain engineering team.
-
-To provide product feedback or to request new features, post or vote for an idea via the [Azure feedback forum for blockchain](https://aka.ms/blockchainuservoice).
-
-### Community support
-
-Engage with Microsoft engineers and Azure Blockchain community experts.
-
-* [Microsoft Q&A question page for Azure Blockchain Service](/answers/topics/azure-blockchain-service.html)
-* [Microsoft Tech Community](https://techcommunity.microsoft.com/t5/Blockchain/bd-p/AzureBlockchain)
-* [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-blockchain-service)
-
-## Next steps
-
-To get started, try a quickstart or find out more details from these resources.
-* [Create a blockchain member using the Azure portal](create-member.md) or [create a blockchain member using Azure CLI](create-member-cli.md)
-* Follow the Microsoft Learn path [Get started with blockchain development](/learn/paths/ethereum-blockchain-development)
-* Watch the [Beginner's series to blockchain](https://channel9.msdn.com/Series/Beginners-Series-to-Blockchain)
-* For cost comparisons and calculators, see the [pricing page](https://azure.microsoft.com/pricing/details/blockchain-service)
-* Build your first app using the [Azure Blockchain Development Kit](https://github.com/Azure-Samples/blockchain-devkit)
-* Azure Blockchain VSCode Extension [user guide](https://github.com/Microsoft/vscode-azure-blockchain-ethereum/wiki)
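Review bot: no redirect accompanies the deletion of overview.md, yet it is the page the rest of this doc tree sends readers to (the template article's IMPORTANT box at L8926 links `../service/overview.md`); add a redirect for the removed URL so that inbound links resolve to whichever page now describes the service's status instead of a 404.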
blockchain Send Transaction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/send-transaction.md
- Title: Create, build, & deploy smart contracts tutorial - Azure Blockchain Service
-description: Tutorial on how to use the Azure Blockchain Development Kit for Ethereum extension in Visual Studio Code to create, build, and deploy a smart contract on Azure Blockchain Service.
Previously updated : 11/30/2020
-#Customer intent: As a developer, I want to use Azure Blockchain Service so that I can execute smart contract functions on a consortium blockchain network.
--
-# Tutorial: Create, build, and deploy smart contracts on Azure Blockchain Service
-
-In this tutorial, use the Azure Blockchain Development Kit for Ethereum extension in Visual Studio Code to create, build, and deploy a smart contract on Azure Blockchain Service. You also use the development kit to execute a smart contract function via a transaction.
--
-You use Azure Blockchain Development Kit for Ethereum to:
-
-> [!div class="checklist"]
-> * Create a smart contract
-> * Deploy a smart contract
-> * Execute a smart contract function via a transaction
--
-## Prerequisites
-
-* Complete [Quickstart: Use Visual Studio Code to connect to a Azure Blockchain Service consortium network](connect-vscode.md)
-* [Visual Studio Code](https://code.visualstudio.com/Download)
-* [Azure Blockchain Development Kit for Ethereum extension](https://marketplace.visualstudio.com/items?itemName=AzBlockchain.azure-blockchain)
-* [Node.js 10.15.x or higher](https://nodejs.org/download)
-* [Git 2.10.x or higher](https://git-scm.com)
-* [Truffle 5.0.0](https://www.trufflesuite.com/docs/truffle/getting-started/installation)
-* [Ganache CLI 6.0.0](https://github.com/trufflesuite/ganache-cli)
-
-On Windows, an installed C++ compiler is required for the node-gyp module. You can use the MSBuild tools:
-
-* If Visual Studio 2017 is installed, configure npm to use the MSBuild tools with the command `npm config set msvs_version 2017 -g`
-* If Visual Studio 2019 is installed, set the MS build tools path for npm. For example, `npm config set msbuild_path "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"`
-* Otherwise, install the stand-alone VS Build tools using `npm install --global windows-build-tools` in an elevated *Run as administrator* command shell.
-
-For more information about node-gyp, see the [node-gyp repository on GitHub](https://github.com/nodejs/node-gyp).
-
-## Create a smart contract
-
-The Azure Blockchain Development Kit for Ethereum uses project templates and Truffle tools to help scaffold, build, and deploy contracts. Before you begin, complete the prerequisite [Quickstart: Use Visual Studio Code to connect to a Azure Blockchain Service consortium network](connect-vscode.md). The quickstart guides you through the installation and configuration of the Azure Blockchain Development Kit for Ethereum.
-
-1. From the VS Code command palette, choose **Blockchain: New Solidity Project**.
-1. Choose **Create basic project**.
-1. Create a new folder named `HelloBlockchain` and **Select new project path**.
-
-The Azure Blockchain Development Kit creates and initializes a new Solidity project for you. The basic project includes a sample **HelloBlockchain** smart contract and all the necessary files to build and deploy to your consortium member in Azure Blockchain Service. It may take several minutes for the project to be created. You can monitor the progress in VS Code's terminal panel by selecting the output for Azure Blockchain.
-
-The project structure looks like the following example:
-
- ![Solidity project](./media/send-transaction/solidity-project.png)
-
-## Build a smart contract
-
-Smart contracts are located in the project's **contracts** directory. You compile smart contracts before you deploy them to a blockchain. Use the **Build Contracts** command to compile all the smart contracts in your project.
-
-1. In the VS Code explorer sidebar, expand the **contracts** folder in your project.
-1. Right-click **HelloBlockchain.sol** and choose **Build Contracts** from the menu.
-
- ![Choose Build contracts menu ](./media/send-transaction/build-contracts.png)
-
-Azure Blockchain Development Kit uses Truffle to compile the smart contracts.
-
-![Truffle compiler output](./media/send-transaction/compile-output.png)
-
-## Deploy a smart contract
-
-Truffle uses migration scripts to deploy your contracts to an Ethereum network. Migrations are JavaScript files located in the project's **migrations** directory.
-
-1. To deploy your smart contract, right-click **HelloBlockchain.sol** and choose **Deploy Contracts** from the menu.
-1. Choose your Azure Blockchain consortium network in the command palette. The consortium blockchain network was added to the project's Truffle configuration file when you created the project.
-1. Choose **Generate mnemonic**. Choose a filename and save the mnemonic file in the project folder. For example, `myblockchainmember.env`. The mnemonic file is used to generate an Ethereum private key for your blockchain member.
-
-Azure Blockchain Development Kit uses Truffle to execute the migration script to deploy the contracts to the blockchain.
-
-![Successfully deployed contract](./media/send-transaction/deploy-contract.png)
-
-## Call a contract function
-The **HelloBlockchain** contract's **SendRequest** function changes the **RequestMessage** state variable. Changing the state of a blockchain network is done via a transaction. You can create a script to execute the **SendRequest** function via a transaction.
-
-1. Create a new file in the root of your Truffle project and name it `sendrequest.js`. Add the following Web3 JavaScript code to the file.
-
- ```javascript
- var HelloBlockchain = artifacts.require("HelloBlockchain");
-
- module.exports = function(done) {
- console.log("Getting the deployed version of the HelloBlockchain smart contract")
- HelloBlockchain.deployed().then(function(instance) {
- console.log("Calling SendRequest function for contract ", instance.address);
- return instance.SendRequest("Hello, blockchain!");
- }).then(function(result) {
- console.log("Transaction hash: ", result.tx);
- console.log("Request complete");
- done();
- }).catch(function(e) {
- console.log(e);
- done();
- });
- };
- ```
-
-1. When Azure Blockchain Development Kit creates a project, the Truffle configuration file is generated with your consortium blockchain network endpoint details. Open **truffle-config.js** in your project. The configuration file lists two networks: one named development and one with the same name as the consortium.
-1. In VS Code's terminal pane, use Truffle to execute the script on your consortium blockchain network. In the terminal pane menu bar, select the **Terminal** tab and **PowerShell** in the dropdown.
-
- ```PowerShell
- truffle exec sendrequest.js --network <blockchain network>
- ```
-
- Replace \<blockchain network\> with the name of the blockchain network defined in the **truffle-config.js**.
-
-Truffle executes the script on your blockchain network.
-
-![Output showing transaction has been sent](./media/send-transaction/execute-transaction.png)
-
-When you execute a contract's function via a transaction, the transaction isn't processed until a block is created. Functions meant to be executed via a transaction return a transaction ID instead of a return value.
-
-## Query contract state
-
-Smart contract functions can return the current value of state variables. Let's add a function to return the value of a state variable.
-
-1. In **HelloBlockchain.sol**, add a **getMessage** function to the **HelloBlockchain** smart contract.
-
- ``` solidity
- function getMessage() public view returns (string memory)
- {
- if (State == StateType.Request)
- return RequestMessage;
- else
- return ResponseMessage;
- }
- ```
-
- The function returns the message stored in a state variable based on the current state of the contract.
-
-1. Right-click **HelloBlockchain.sol** and choose **Build Contracts** from the menu to compile the changes to the smart contract.
-1. To deploy, right-click **HelloBlockchain.sol** and choose **Deploy Contracts** from the menu. When prompted, choose your Azure Blockchain consortium network in the command palette.
-1. Next, create a script using to call the **getMessage** function. Create a new file in the root of your Truffle project and name it `getmessage.js`. Add the following Web3 JavaScript code to the file.
-
- ```javascript
- var HelloBlockchain = artifacts.require("HelloBlockchain");
-
- module.exports = function(done) {
- console.log("Getting the deployed version of the HelloBlockchain smart contract")
- HelloBlockchain.deployed().then(function(instance) {
- console.log("Calling getMessage function for contract ", instance.address);
- return instance.getMessage();
- }).then(function(result) {
- console.log("Request message value: ", result);
- console.log("Request complete");
- done();
- }).catch(function(e) {
- console.log(e);
- done();
- });
- };
- ```
-
-1. In VS Code's terminal pane, use Truffle to execute the script on your blockchain network. In the terminal pane menu bar, select the **Terminal** tab and **PowerShell** in the dropdown.
-
- ```bash
- truffle exec getmessage.js --network <blockchain network>
- ```
-
- Replace \<blockchain network\> with the name of the blockchain network defined in the **truffle-config.js**.
-
-The script queries the smart contract by calling the getMessage function. The current value of the **RequestMessage** state variable is returned.
-
-![Output from getmessage query showing the current value of RequestMessage state variable](./media/send-transaction/execute-get.png)
-
-Notice the value is not **Hello, blockchain!**. Instead, the returned value is a placeholder. When you change and deploy the contract, the changed contract is deployed at a new address and the state variables are assigned values in the smart contract constructor. The Truffle sample **2_deploy_contracts.js** migration script deploys the smart contract and passes a placeholder value as an argument. The constructor sets the **RequestMessage** state variable to the placeholder value and that's what is returned.
-
-1. To set the **RequestMessage** state variable and query the value, run the **sendrequest.js** and **getmessage.js** scripts again.
-
- ![Output from sendrequest and getmessage scripts showing RequestMessage has been set](./media/send-transaction/execute-set-get.png)
-
- **sendrequest.js** sets the **RequestMessage** state variable to **Hello, blockchain!** and **getmessage.js** queries the contract for value of **RequestMessage** state variable and returns **Hello, blockchain!**.
-## Clean up resources
-
-When no longer needed, you can delete the resources by deleting the `myResourceGroup` resource group you created in the *Create a blockchain member* prerequisite quickstart.
-
-To delete the resource group:
-
-1. In the Azure portal, navigate to **Resource group** in the left navigation pane and select the resource group you want to delete.
-1. Select **Delete resource group**. Verify deletion by entering the resource group name and select **Delete**.
-
-## Next steps
-
-In this tutorial, you created a sample Solidity project using Azure Blockchain Development Kit. You built and deployed a smart contract then called a function via a transaction on a blockchain consortium network hosted on Azure Blockchain Service.
-
-> [!div class="nextstepaction"]
-> [Developing blockchain applications using Azure Blockchain Service](develop.md)
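Review bot: the deleted tutorial's scripts at L8713-L8716 and L8769-L8772 call `done()` from the `catch` handler without the error, so `truffle exec` reported success even when the transaction or call failed; if any part of this walkthrough is carried over to a replacement article, change those handlers to `done(e)` so a failed deployment or call is visible in the exit status.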
blockchain Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/whats-new.md
- Title: What's new? Release notes - Azure Blockchain Service
-description: Learn what is new with Azure Blockchain Service, such as the latest release notes, versions, known issues, and upcoming changes.
Previously updated : 06/30/2020
-# What's new in Azure Blockchain Service?
-
-> Get notified about when to revisit this page for updates by copying and pasting this URL: `https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Blockchain+Service%22&locale=en-us` into your RSS feed reader [![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png)](/api/search/rss?locale=en-us&search=%2522Release%2bnotes%2b-%2bAzure%2bBlockchain%2bService%2522).
-
-Azure Blockchain Service receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
--- New capabilities-- Version upgrades-- Known issues---
-## May 2021
--
-## June 2020
-
-### Version upgrades
--- Quorum version upgrade to 2.6.0. With version 2.6.0, you can send signed private transactions. For more information on sending private transactions, see the [Quorum API documentation](https://docs.goquorum.consensys.net/en/latest/Reference/APIs/ContractExtensionAPIs/#apis).-- Tessera version upgrade to 0.10.5.-
-### Contract size and transaction size increased to 128 KB
-
-Type: Configuration change
-
-Contract size (MaxCodeSize) was increased to 128 KB so that you can deploy larger size smart contracts. Also, transaction size (txnSizeLimit) was increased to 128 KB. Configuration changes apply to new consortiums created on Azure Blockchain Service after June 19 2020.
-
-### TrieTimeout value reduced
-
-Type: Configuration change
-
-The TrieTimeout value was reduced so that in-memory state is written to disk more frequently. The lower value ensures faster recovery of a node in the rare case of a node crash.
-
-## May 2020
-
-### Version upgrades
--- Ubuntu version upgrade to 18.04-- Quorum version upgrade to 2.5.0-- Tessera version upgrade 0.10.4-
-### Azure Blockchain Service supports sending rawPrivate transactions
-
-Type: Feature
-
-Customers can sign private transactions outside of the account on the node.
-
-### Two-phase member provisioning
-
-Type: Enhancement
-
-Two phases help optimize scenarios where a member is being created in a long existing consortium. The member infrastructure is provisioned in first phase. In the second phase, the member is synchronized with blockchain. Two-phase provisioning helps avoid member creation failure due to timeouts.
-
-## Known issues
-
-### eth.estimateGas function throws exception in Quorum v2.6.0
-
-In Quorum v2.6.0, calls to *eth.estimateGas* function without providing the additional *value* parameter cause a *method handler crashed* exception. The Quorum team has been notified and a fix is expected end of July 2020. You can use the following workarounds until a fix is available:
--- Avoid using *eth.estimateGas* since it can affect performance. For more information about eth.estimateGas performance issues, see [Calling eth.estimateGas function reduces performance](#calling-ethestimategas-function-reduces-performance). Include a gas value for each transaction. Most libraries will call eth.estimateGas if a gas value is not provided which causes Quorum v2.6.0 to crash.-- If you need to call *eth.estimateGas*, the Quorum team suggests you pass the additional parameter *value* as *0* as a workaround.-
-### Mining stops if fewer than four validator nodes
-
-Production networks should have at least four validator nodes. Quorum recommends at least four validator nodes are required to meet the IBFT crash fault tolerance (3F+1). You should have at least two Azure Blockchain Service *Standard* tier nodes to get four validator nodes. A standard node is provisioned with two validator nodes.
-
-If the Blockchain network on Azure Blockchain Service doesn't have four validator nodes, then mining might stop on the network. You can detect mining has stopped by setting an alert on processed blocks. In a healthy network, processed block will be 60 blocks per node per five minutes.
-
-As a mitigation, the Azure Blockchain Service team has to restart the node. Customers need to open a support request to restart the node. The Azure Blockchain Service team is working toward detecting and fixing mining issues automatically.
-
-Use the *Standard* tier for production grade deployments. Use the *Basic* tier for development, testing, and proof of concepts. Changing the pricing tier between basic and standard after member creation is not supported.
-
-### Blockchain Data Manager requires Standard tier node
-
-Use the *Standard* tier if you are using Blockchain Data Manager. The *Basic* tier has 4-GB memory only. Hence, it is not able to scale to the usage required by Blockchain Data Manager and other services running on it.
-
-Use the *Basic* tier for development, testing, and proof of concepts. Changing the pricing tier between basic and standard after member creation is not supported.
-
-### Large volume of unlock account calls causes geth to crash
-
-A large volume of unlock account calls while submitting transaction can cause geth to crash on a transaction node. As a result, you have to stop ingesting transactions. Otherwise, the pending transaction queue increases.
-
-Geth restarts automatically within less than a minute. Depending on the node, the syncing might take a long time. The Azure Blockchain Service team is enabling an archiving feature that will reduce the time to sync.
-
-To identify geth crashes, you can check logs for any error message in Blockchain messages in application logs. You can also check if processed blocks decrease while pending transactions increase.
-
-To mitigate the issue, send signed transactions instead of sending unsigned transactions with a command to unlock the account. For transactions that are already signed externally, there is no need to unlock the account.
-
-If you want to send unsigned transactions, unlock the account for infinite time by sending 0 as the time parameter in the unlock command. You can lock the account back after all the transactions are submitted.
-
-The following are the geth parameters that Azure Blockchain Service uses. You cannot adjust these parameters.
--- Istanbul block period: 5 secs-- Floor gas limit: 700000000-- Ceil gas limit: 800000000-
-### Large volume of private transactions reduces performance
-
-If you are using Azure Blockchain Service Basic tier and private transactions, Tessera may crash.
-
-You can detect the Tessera crash by reviewing the Blockchain application logs and searching for the message `Tessera crashed. Restarting Tessera...`.
-
-Azure Blockchain Service restarts Tessera when there is a crash. Restart takes about a minute.
-
-Use the *Standard* tier if you are sending a high volume of private transactions. Use the *Basic* tier for development, testing, and proof of concepts. Changing the pricing tier between basic and standard after member creation is not supported.
-
-### Calling eth.estimateGas function reduces performance
-
-Calling *eth.estimateGas* function multiple times reduces transactions per second drastically. Do not use *eth.estimateGas* function for each transaction submission. The *eth.estimateGas* function is memory intensive.
-
-If possible, use a conservative gas value for submitting transactions and minimize the use of *eth.estimateGas*.
-
-### Unbounded loops in smart contracts reduces performance
-
-Avoid unbounded loops in smart contracts as they can reduce performance. For more information, see the following resources:
--- [Avoid unbounded loops](https://blog.b9lab.com/getting-loopy-with-solidity-1d51794622ad )-- [Smart contract security best practices](https://github.com/ConsenSys/smart-contract-best-practices)-- [Smart contract guidelines provided by Quorum](https://docs.goquorum.consensys.net/en/stable/Concepts/Security/Framework/DecentralizedApplication/SmartContractsSecurity/)-- [Guidelines on gas limits and loops provided by Solidity](https://solidity.readthedocs.io/en/develop/security-considerations.html#gas-limit-and-loops)
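Review bot: The mitigation text in this hunk contradicts itself on account unlocking. The paragraph beginning "To mitigate the issue, send signed transactions instead of sending unsigned transactions with a command to unlock the account" gives the right advice, but the next paragraph then tells readers to "unlock the account for infinite time by sending 0 as the time parameter in the unlock command" and to lock it again only "after all the transactions are submitted". An account left unlocked on the node can be used to sign by anything that can reach that node's RPC endpoint for the whole window, so if any of this guidance survives the deletion (for example in a retirement or migration notice), keep the sign-externally recommendation and either drop the indefinite-unlock suggestion or qualify it with that exposure and a short, bounded unlock duration. The heading "Unbounded loops in smart contracts reduces performance" should also read "reduce" if it is carried over.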
blockchain Ethereum Poa Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/templates/ethereum-poa-deployment.md
- Title: Deploy Ethereum Proof-of-Authority consortium solution template on Azure
-description: Use the Ethereum Proof-of-Authority consortium solution to deploy and configure a multi-member consortium Ethereum network on Azure
Previously updated : 03/01/2021
-# Deploy Ethereum proof-of-authority consortium solution template on Azure
-
-You can use [the Ethereum Proof-of-Authority Consortium preview Azure solution template](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-azure-blockchain.azure-blockchain-ethereum) to deploy, configure, and govern a multi-member consortium proof-of-authority Ethereum network with minimal Azure and Ethereum knowledge.
-
-The solution template can be used by each consortium member to provision a blockchain network footprint using
-Microsoft Azure compute, networking, and storage services. Each consortium member's network footprint consists of a set of load-balanced validator nodes that an application or user can interact with to submit Ethereum transactions.
--
-## Choose an Azure Blockchain solution
-
-Before choosing to use the Ethereum proof-of-authority consortium solution template, compare your scenario with the common use cases of available Azure Blockchain options.
-
-> [!IMPORTANT]
-> Consider using [Azure Blockchain Service](../service/overview.md) rather than the Ethereum on Azure solution template. Azure Blockchain Service is a supported managed Azure Service. Parity Ethereum transitioned to community driven development and maintenance. For more information, see [Transitioning Parity Ethereum to OpenEthereum DAO](https://www.parity.io/parity-ethereum-openethereum-dao/).
-
-Option | Service model | Common use case
--||--
-Solution templates | IaaS | Solution templates are Azure Resource Manager templates you can use to provision a fully configured blockchain network topology. The templates deploy and configure Microsoft Azure compute, networking, and storage services for a given blockchain network type. Solution templates are provided without a service level agreement. Use the [Microsoft Q&A question page](/answers/topics/azure-blockchain-workbench.html) for support.
-[Azure Blockchain Service](../service/overview.md) | PaaS | Azure Blockchain Service Preview simplifies the formation, management, and governance of consortium blockchain networks. Use Azure Blockchain Service for solutions requiring PaaS, consortium management, or contract and transaction privacy.
-[Azure Blockchain Workbench](../workbench/overview.md) | IaaS and PaaS | Azure Blockchain Workbench Preview is a collection of Azure services and capabilities designed to help you create and deploy blockchain applications to share business processes and data with other organizations. Use Azure Blockchain Workbench for prototyping a blockchain solution or a blockchain application proof of concept. Azure Blockchain Workbench is provided without a service level agreement. Use the [Microsoft Q&A question page](/answers/topics/azure-blockchain-workbench.html) for support.
-
-## Solution architecture
-
-Using the Ethereum solution template, you can deploy a single or multi-region based multi-member Ethereum proof-of-authority consortium network.
-
-![deployment architecture](./media/ethereum-poa-deployment/deployment-architecture.png)
-
-Each consortium member deployment includes:
-
-* Virtual Machines for running the PoA validators
-* Azure Load Balancer for distributing RPC, peering, and governance DApp requests
-* Azure Key Vault for securing the validator identities
-* Azure Storage for hosting persistent network information and coordinating leasing
-* Azure Monitor for aggregating logs and performance statistics
-* VNet Gateway (optional) for allowing VPN connections across private VNets
-
-By default, the RPC and peering endpoints are accessible over public IP to enable simplified connectivity across subscriptions and clouds. For application level access-controls, you can use [Parity's permissioning contracts](https://openethereum.github.io/Permissioning.html). Networks deployed behind VPNs, which leverage VNet gateways for cross-subscription connectivity are supported. Since VPN and VNet deployments are more complex, you may want to start with a public IP model when prototyping a solution.
-
-Docker containers are used for reliability and modularity. Azure Container Registry is used to host and serve versioned images as part of each deployment. The container images consist of:
-
-* Orchestrator - Generates identities and governance contracts. Stores identities in an identity store.
-* Parity client - Leases identity from the identity store. Discovers and connects to peers.
-* EthStats Agent - Collects local logs and stats via RPC and pushes information to Azure Monitor.
-* Governance DApp - Web interface for interacting with Governance contracts.
-
-### Validator nodes
-
-In the proof-of-authority protocol, validator nodes take the place of traditional miner nodes. Each validator has a unique Ethereum identity allowing it to participate in the block creation process. Each consortium member can provision two or more validator nodes across five regions, for geo-redundancy. Validator nodes communicate with other validator nodes to come to consensus on the state of the underlying distributed ledger. To ensure fair participation on the network, each consortium member is prohibited from using more validators than the first member on the network. For example, if the first member deploys three validators, each member can only have up to three validators.
-
-### Identity store
-
-An identity store is deployed in each member's subscription that securely holds the generated Ethereum identities. For each validator, the orchestration container generates an Ethereum private key and stores it in Azure Key Vault.
-
-## Deploy Ethereum consortium network
-
-In this walk through, let's assume you are creating a multi-party Ethereum consortium network. The following flow is an example of a multi-party deployment:
-
-1. Three members each generate an Ethereum account using MetaMask
-1. *Member A* deploys Ethereum PoA, providing their Ethereum public address
-1. *Member A* provides the consortium URL to *Member B* and *Member C*
-1. *Member B* and *Member C* deploy, Ethereum PoA, providing their Ethereum Public Address and *Member A*'s consortium URL
-1. *Member A* votes in *Member B* as an admin
-1. *Member A* and *Member B* both vote *Member C* as an admin
-
-The next sections show you how to configure the first member's footprint in the network.
-
-### Create resource
-
-In the [Azure portal](https://portal.azure.com), select **Create a resource** in the upper left-hand corner.
-
-Select **Blockchain** > **Ethereum Proof-of-Authority Consortium (preview)**.
-
-### Basics
-
-Under **Basics**, specify values for standard parameters for any deployment.
-
-![Basics](./media/ethereum-poa-deployment/basic-blade.png)
-
-Parameter | Description | Example value
--|-|--
-Create a new network or join existing network | You can create a new consortium network or join a pre-existing consortium network. Joining an existing network requires additional parameters. | Create new
-Email Address | You receive an email notification when your deployment completes with information about your deployment. | A valid email address
-VM user name | Administrator username of each deployed VM | 1-64 alphanumeric characters
-Authentication type | The method to authenticate to the virtual machine. | Password
-Password | The password for the administrator account for each of the virtual machines deployed. All VMs initially have the same password. You can change the password after provisioning. | 12-72 characters
-Subscription | The subscription to which to deploy the consortium network |
-Resource Group| The resource group to which to deploy the consortium network. | myResourceGroup
-Location | The Azure region for resource group. | West US 2
-
-Select **OK**.
-
-### Deployment regions
-
-Under *Deployment regions*, specify the number of regions
-and locations for each. You can deploy in maximum of five regions. The first region should match the resource group location from *Basics* section. For development or test networks, you can use a single region per member. For production, deploy across two or more regions for high-availability.
-
-![deployment regions](./media/ethereum-poa-deployment/deployment-regions.png)
-
-Parameter | Description | Example value
--|-|--
-Number of region(s)|Number of regions to deploy the consortium network| 2
-First region | First region to deploy the consortium network | West US 2
-Second region | Second region to deploy the consortium network. Additional regions are visible when number of regions is two or greater. | East US 2
-
-Select **OK**.
-
-### Network size and performance
-
-Under *Network size and performance*, specify inputs for the size of the consortium network. The validator node storage size dictates the potential size of the blockchain. The size can be changed after deployment.
-
-![Network size and performance](./media/ethereum-poa-deployment/network-size-and-performance.png)
-
-Parameter | Description | Example value
--|-|--
-Number of load balanced validator nodes | The number of validator nodes to provision as part of the network. | 2
-Validator node storage performance | The type of managed disk for each of the deployed validator nodes. For details on pricing, see [storage pricing](https://azure.microsoft.com/pricing/details/managed-disks/) | Standard SSD
-Validator node virtual machine size | The virtual machine size used for validator nodes. For details on pricing, see [virtual machine pricing](https://azure.microsoft.com/pricing/details/virtual-machines/windows/) | Standard D2 v3
-
-Virtual machine and storage tier affect network performance. Use the following table to help choose cost efficiency:
-
-Virtual Machine SKU|Storage Tier|Price|Throughput|Latency
-||||
-F1|Standard SSD|low|low|high
-D2_v3|Standard SSD|medium|medium|medium
-F16s|Premium SSD|high|high|low
-
-Select **OK**.
-
-### Ethereum settings
-
-Under *Ethereum Settings*, specify Ethereum-related configuration settings.
-
-![Ethereum settings](./media/ethereum-poa-deployment/ethereum-settings.png)
-
-Parameter | Description | Example value
--|-|--
-Consortium Member ID | The ID associated with each member participating in the consortium network. It's used to configure IP address spaces to avoid collision. For a private network, Member ID should be unique across different organizations in the same network. A unique member ID is needed even when the same organization deploys to multiple regions. Make note of the value of this parameter since you need to share it with other joining members to ensure there's no collision. The valid range is 0 through 255. | 0
-Network ID | The network ID for the consortium Ethereum network being deployed. Each Ethereum network has its own Network ID, with 1 being the ID for the public network. The valid range is 5 through 999,999,999 | 10101010
-Admin Ethereum Address | The Ethereum account address used for participating in PoA governance. You can use MetaMask to generate an Ethereum address. |
-Advanced Options | Advanced options for Ethereum settings | Enable
-Deploy using Public IP | If Private VNet is selected, the network is deployed behind a VNet Gateway and removes peering access. For Private VNet, all members must use a VNet Gateway for the connection to be compatible. | Public IP
-Block Gas Limit | The starting block gas limit of the network. | 50000000
-Block Reseal Period (sec) | The frequency at which empty blocks will be created when there are no transactions on the network. A higher frequency will have faster finality but increased storage costs. | 15
-Transaction Permission Contract | Bytecode for the Transaction Permissioning contract. Restricts smart contract deployment and execution to a permitted list of Ethereum accounts. |
-
-Select **OK**.
-
-### Monitoring
-
-Monitoring allows you to configure a log resource for your network. The monitoring agent collects and surfaces useful
-metrics and logs from your network providing the ability to quickly check the network health or debug issues.
-
-![Azure monitor](./media/ethereum-poa-deployment/azure-monitor.png)
-
-Parameter | Description | Example value
--|-|--
-Monitoring | Option to enable monitoring | Enable
-Connect to existing Azure Monitor logs | Option to create a new Azure Monitor logs instance or join an existing instance | Create new
-Location | The region where the new instance is deployed | East US
-Existing log analytics workspace ID (Connect to existing Azure Monitor logs = Join Existing)|Workspace ID of the existing Azure Monitor logs instance|NA
-Existing log analytics primary key (Connect to existing Azure Monitor logs = Join Existing)|The primary key used to connect to the existing Azure Monitor logs instance|NA
-
-Select **OK**.
-
-### Summary
-
-Click through the summary to review the inputs specified and run basic pre-deployment validation. Before deploying, you can download the template and parameters.
-
-Select **Create** to deploy.
-
-If the deployment includes VNet Gateways, the deployment can take up 45 to 50 minutes.
-
-## Deployment output
-
-Once the deployment has completed, you can access the necessary parameters using the Azure portal.
-
-### Confirmation email
-
-If you provide an email address ([Basics Section](#basics)), an email is sent that includes the deployment information and links to this documentation.
-
-![deployment email](./media/ethereum-poa-deployment/deployment-email.png)
-
-### Portal
-
-Once the deployment has completed successfully and all resources have been provisioned, you can view the output parameters in your resource group.
-
-1. Go to your resource group in the portal.
-1. Select **Overview > Deployments**.
-
- ![Resource group overview](./media/ethereum-poa-deployment/resource-group-overview.png)
-
-1. Select the **microsoft-azure-blockchain.azure-blockchain-ether-...** deployment.
-1. Select the **Outputs** section.
-
- ![Deployment outputs](./media/ethereum-poa-deployment/deployment-outputs.png)
-
-## Growing the consortium
-
-To expand your consortium, you must first connect the physical network. If deploying behind a VPN, see the section [Connecting VNet Gateway](#connecting-vnet-gateways) configure the network connection as part of the new member deployment. Once your deployment completes, use the [Governance DApp](#governance-dapp) to become a network admin.
-
-### New member deployment
-
-Share the following information with the joining member. The information is found in your post-deployment email or in the portal deployment output.
-
-* Consortium Data URL
-* The number of nodes you deployed
-* VNet Gateway Resource ID (if using VPN)
-
-The deploying member should use the same Ethereum Proof-of-Authority consortium solution template when deploying their network presence using the following guidance:
-
-* Select **Join Existing**
-* Choose the same number of validator nodes as the rest of the members on the network to ensure fair representation
-* Use the same Admin Ethereum address
-* Use the provided *Consortium Data Url* in the *Ethereum Settings*
-* If the rest of the network is behind a VPN, select **Private VNet** under the advanced section
-
-### Connecting VNet gateways
-
-This section is only required if you deployed using a private VNet. You can skip this section if you are using public IP addresses.
-
-For a private network, the different members are connected via VNet gateway connections. Before a member can join the network and see transaction traffic, an existing member must do a final configuration on their VPN gateway to accept the connection. The Ethereum nodes of the joining member won't run until a connection is established. To reduce chances of a single point of failure, create redundant network connections in the consortium.
-
-After the new member deploys, the existing member must complete the bi-directional connection by setting up a VNet gateway connection to the new member. The existing member needs:
-
-* The VNet gateway ResourceID of the connecting member. See [deployment output](#deployment-output).
-* The shared connection key.
-
-The existing member must run the following PowerShell script to complete the connection. You can use Azure Cloud Shell located in the top-right navigation bar in the portal.
-
-![cloud shell](./media/ethereum-poa-deployment/cloud-shell.png)
-
-```powershell
-$MyGatewayResourceId = "<EXISTING_MEMBER_RESOURCEID>"
-$OtherGatewayResourceId = "<NEW_MEMBER_RESOURCEID]"
-$ConnectionName = "Leader2Member"
-$SharedKey = "<NEW_MEMBER_KEY>"
-
-## $myGatewayResourceId tells me what subscription I am in, what ResourceGroup and the VNetGatewayName
-$splitValue = $MyGatewayResourceId.Split('/')
-$MySubscriptionid = $splitValue[2]
-$MyResourceGroup = $splitValue[4]
-$MyGatewayName = $splitValue[8]
-
-## $otherGatewayResourceid tells me what the subscription and VNet GatewayName are
-$OtherGatewayName = $OtherGatewayResourceId.Split('/')[8]
-$Subscription=Select-AzSubscription -SubscriptionId $MySubscriptionid
-
-## create a PSVirtualNetworkGateway instance for the gateway I want to connect to
-$OtherGateway=New-Object Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway
-$OtherGateway.Name = $OtherGatewayName
-$OtherGateway.Id = $OtherGatewayResourceId
-$OtherGateway.GatewayType = "Vpn"
-$OtherGateway.VpnType = "RouteBased"
-
-## get a PSVirtualNetworkGateway instance for my gateway
-$MyGateway = Get-AzVirtualNetworkGateway -Name $MyGatewayName -ResourceGroupName $MyResourceGroup
-
-## create the connection
-New-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $MyResourceGroup -VirtualNetworkGateway1 $MyGateway -VirtualNetworkGateway2 $OtherGateway -Location $MyGateway.Location -ConnectionType Vnet2Vnet -SharedKey $SharedKey -EnableBgp $True
-```
-
-## Governance DApp
-
-At the heart of proof-of-authority is decentralized governance. Since proof-of-authority relies upon a permitted list of network authorities to keep the network healthy, it's important to provide a fair mechanism to make modifications to this permission list. Each deployment comes with a set of smart-contracts and portal for on-chain governance of this permitted list. Once a proposed change reaches a majority vote by consortium members, the change is enacted. Voting allows new consensus participants to be added or compromised participants to be removed in a transparent way that encourages an honest network.
-
-The governance DApp is a set of pre-deployed [smart contracts](https://github.com/Azure-Samples/blockchain/tree/master/ledger/template/ethereum-on-azure/permissioning-contracts) and a web application that are used to govern the authorities on the network. Authorities are broken up into admin identities and validator nodes.
-Admins have the power to delegate consensus participation to a set of validator nodes. Admins also may vote other admins into or out of the network.
-
-![Governance DApp](./media/ethereum-poa-deployment/governance-dapp.png)
-
-* **Decentralized Governance:** Changes in network authorities are administered through on-chain voting by select administrators.
-* **Validator Delegation:** Authorities can manage their validator nodes that are set up in each PoA deployment.
-* **Auditable Change History:** Each change is recorded on the blockchain providing transparency and auditability.
-
-### Getting started with governance
-
-To perform any kind of transactions through the Governance DApp, you need to use an Ethereum wallet. The most straightforward approach is to use an in-browser wallet such as [MetaMask](https://metamask.io); however, because these smart contracts are deployed on the network you may also automate your interactions to the Governance contract.
-
-After installing MetaMask, navigate to the Governance DApp in the browser. You can locate the URL through Azure portal in the deployment output. If you don't have an in-browser wallet installed you won't be able to perform any actions; however, you can view the administrator state.
-
-### Becoming an admin
-
-If you're the first member that deployed on the network, then you automatically become an admin and your parity nodes are listed as validators. If you're joining the network, you need to get voted in as an admin by a majority (greater than 50%) of the existing admin set. If you choose not to become an admin, your nodes still sync and validate the blockchain; however, they don't participate in the block creation process. To start the voting process to become an admin, select **Nominate** and enter your Ethereum address and alias.
-
-![Nominate](./media/ethereum-poa-deployment/governance-dapp-nominate.png)
-
-### Candidates
-
-Selecting the **Candidates** tab shows you the current set of candidate administrators. Once a candidate reaches a majority vote by the current admins, the candidate gets promoted to an admin. To vote on a candidate, select the row and select **Vote in**. If you change your mind on a vote, select the candidate and select **Rescind vote**.
-
-![Candidates](./media/ethereum-poa-deployment/governance-dapp-candidates.png)
-
-### Admins
-
-The **Admins** tab shows the current set of admins and provides you the ability to vote against. Once an admin loses more than 50% support, they are removed as an admin
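Review bot: The PowerShell block under "Connecting VNet gateways" has a mismatched placeholder bracket, `$OtherGatewayResourceId = "<NEW_MEMBER_RESOURCEID]"`, which should be `"<NEW_MEMBER_RESOURCEID>"` to match the other placeholders; as written, a reader who pastes the sample and replaces only the angle-bracketed text is left with a stray `]` at the end of the resource ID. The fixed indices that follow (`$splitValue[2]`, `[4]`, `[8]` for subscription, resource group and gateway name) are never checked, so a malformed ID silently yields `$null` values rather than an error; a guard on `$splitValue.Count` before `Select-AzSubscription` would make that failure visible. Separately, the Basics table uses `Password` as the example authentication type and notes that "All VMs initially have the same password", while the architecture section states that "the RPC and peering endpoints are accessible over public IP" by default; if this content is moved rather than simply deleted, the example should prefer key-based authentication where the template offers it, and the shared initial password deserves an explicit instruction to rotate it per VM instead of the optional "You can change the password after provisioning".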