Updates from: 09/15/2023 01:12:49
Service | Microsoft Docs article | Related commit history on GitHub | Change details
active-directory | Inbound Provisioning Api Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-postman.md
In this step, you'll configure the Postman app and invoke the API using the conf
1. From the **Workspaces** menu, select **Create Workspace** to create a new Workspace called **Microsoft Entra ID Provisioning API**. 1. Download the following Postman collections and save it in your local directory. - [Entra ID Inbound Provisioning.postman_collection.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Entra%20ID%20Inbound%20Provisioning.postman_collection.json) (Request collection)
- - [Test-API2AAD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AAD.postman_environment.json) (Environment collection for API-driven provisioning to on-premises AD)-
+ - [Test-API2AAD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AAD.postman_environment.json) (Environment collection for API-driven provisioning to Azure AD)-
- [Test-API2AD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AD.postman_environment.json) (Environment collection for API-driven provisioning to on-premises AD) 1. Use the **Import** option in Postman to import both of these files into your Workspace. :::image type="content" source="media/inbound-provisioning-api-postman/postman-import-elements.png" alt-text="Screenshot of Postman Import elements." lightbox="media/inbound-provisioning-api-postman/postman-import-elements.png":::
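Review bot: the corrected `+` line still describes `Test-API2AAD.postman_environment.json` as an "Environment collection", but the `.postman_environment.json` extension shows that this file and `Test-API2AD.postman_environment.json` are Postman environments, not collections; only `Entra ID Inbound Provisioning.postman_collection.json` is a collection. Suggest "(Postman environment for API-driven provisioning to Azure AD)" here and the matching wording on the `Test-API2AD` line, so the list agrees with the **Import** step, which brings in one collection and two environments. The Azure AD / on-premises AD fix itself is right: before it, both environment files claimed to target on-premises AD, and a reader could not tell which one to select for which scenario.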
active-directory | App Proxy Protect Ndes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/app-proxy-protect-ndes.md
Previously updated : 04/19/2023 Last updated : 09/13/2023
Azure AD Application Proxy is built on Azure. It gives you a massive amount of n
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy.
-1. In left navigation panel, select **Azure Active Directory**.
-1. Under **Manage**, select **Application proxy**.
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.
1. Select **Download connector service**. ![Download connector service to see the Terms of Service](./media/app-proxy-protect-ndes/application-proxy-download-connector-service.png)
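Review bot: article slip on the new sign-in step, "as at least a [Application Administrator]": it should be "an Application Administrator". The same wording appears in the other admin-center migration hunks in this batch, so if the step comes from a shared snippet, fix it there once. Otherwise the change is an improvement: naming the least-privileged role instead of "an application administrator ... admin@contoso.com" removes the hint that any tenant admin alias will do, and step 2's directory check still covers the "directory that uses Application Proxy" condition that the old wording carried.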
active-directory | Application Proxy Add On Premises Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md
Previously updated : 04/04/2022 Last updated : 09/13/2023 # Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory
-Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. To learn more about Application Proxy, see [What is App Proxy?](what-is-application-proxy.md). This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, you'll use the Azure portal to add an on-premises application to your Azure AD tenant.
+Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. To learn more about Application Proxy, see [What is App Proxy?](what-is-application-proxy.md). This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, use the Entra admin center to add an on-premises application to your tenant.
:::image type="content" source="./media/application-proxy-add-on-premises-application/app-proxy-diagram.png" alt-text="Application Proxy Overview Diagram" lightbox="./media/application-proxy-add-on-premises-application/app-proxy-diagram.png":::
-Before you get started, make sure you are familiar with app management and **Single Sign-On (SSO)** concepts. Check out the following links:
+Before you get started, make sure you're familiar with app management and **single sign-on (SSO)** concepts. Check out the following links:
- [Quickstart Series on App Management in Azure AD](../manage-apps/view-applications-portal.md)-- [What is Single Sign-On (SSO)?](../manage-apps/what-is-single-sign-on.md)
+- [What is single sign-on (SSO)?](../manage-apps/what-is-single-sign-on.md)
Connectors are a key part of Application Proxy. To learn more about connectors, see [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md).
To add an on-premises application to Azure AD, you need:
* A [Microsoft Azure AD premium subscription](https://azure.microsoft.com/pricing/details/active-directory) * An application administrator account
-* User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
+* User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants. Identity synchronization allows Azure AD to preauthenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
### Windows server
-To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.
+To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.
For high availability in your production environment, we recommend having more than one Windows server. For this tutorial, one Windows server is sufficient.
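Review bot: on the rewritten intro line ("use the Entra admin center to add an on-premises application to your tenant"), use the full product name "Microsoft Entra admin center" with its link, as the sign-in steps later in the article do ("Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com)"); an unlinked short name in the first paragraph leaves a reader unsure whether this is the same portal as the one in the steps. The same sentence also drops "Azure AD" from "your tenant" while the tutorial title and the first half of the sentence still say "Azure Active Directory", so the paragraph now reads as half-migrated. The contraction and casing fixes in the rest of this hunk ("you're familiar", "single sign-on (SSO)", "preauthenticate", "You install") are fine.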
For high availability in your production environment, we recommend having more t
> > **HTTP 2.0** >
-> If you are installing the connector on Windows Server 2019, you must disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation to properly work. This is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables it on Windows Server 2019. Note that this is a machine-wide registry key.
+> If you're installing the connector on Windows Server 2019, you must disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation to properly work. This is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables it on Windows Server 2019. Note that this is a machine-wide registry key.
> > ``` > Windows Registry Editor Version 5.00
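Review bot: the "If you're installing" fix is fine, but the next sentence, "This is disabled by default in earlier versions of supported operating systems", still leaves "this" ambiguous between HTTP/2 support in WinHttp and the registry key. Suggest "HTTP/2 support in WinHttp is disabled by default on earlier supported versions of Windows Server", and make the final sentence say what "machine-wide" means in practice: the key changes WinHttp behaviour for everything on that server that uses WinHTTP, not just the connector, which is one more reason the connector belongs on a dedicated host.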
To enable TLS 1.2:
1. Restart the server. > [!NOTE]
-> Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the C) for more information.
+> Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the C).
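Review bot: the `+` line now ends mid-sentence, "do not comply with one of the C).", and the only text removed from the `-` line is "for more information", which reads as the tail of a "See [link] for more information" sentence. If the reference to the Azure TLS certificate-change article was dropped rather than moved, readers of this NOTE lose the pointer to which new root CAs the connector host must trust, which matters because the same section has them enabling TLS 1.2 and restarting the server; either restore the reference or complete the sentence so it names the requirement being cited.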
## Prepare your on-premises environment
Allow access to the following URLs:
| `login.windows.net` <br> `secure.aadcdn.microsoftonline-p.com` <br> `*.microsoftonline.com` <br> `*.microsoftonline-p.com` <br> `*.msauth.net` <br> `*.msauthimages.net` <br> `*.msecnd.net` <br> `*.msftauth.net` <br> `*.msftauthimages.net` <br> `*.phonefactor.net` <br> `enterpriseregistration.windows.net` <br> `management.azure.com` <br> `policykeyservice.dc.ad.msft.net` <br> `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 443/HTTPS | The connector uses these URLs during the registration process. | | `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 80/HTTP | The connector uses these URLs during the registration process. |
-You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other URLs above if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.
+You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other URLs if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.
> [!IMPORTANT] > Avoid all forms of inline inspection and termination on outbound TLS communications between Azure AD Application Proxy connectors and Azure AD Application Proxy Cloud services. ### DNS name resolution for Azure AD Application Proxy endpoints
-Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records pointing to an A record. This ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Azure AD Application Proxy Connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`. However, during the name resolution the CNAME records might contain DNS records with different host names and suffixes. Due to this, you must ensure that the device (depending on your setup - connector server, firewall, outbound proxy) can resolve all the records in the chain and allows connection to the resolved IP addresses. Since the DNS records in the chain might be changed from time to time, we cannot provide you with any list DNS records.
+Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records pointing to an A record. Setting up the records this way ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Azure AD Application Proxy Connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`. However, during the name resolution the CNAME records might contain DNS records with different host names and suffixes. Due to the difference, you must ensure that the device (depending on your setup - connector server, firewall, outbound proxy) can resolve all the records in the chain and allows connection to the resolved IP addresses. Since the DNS records in the chain might be changed from time to time, we can't provide you with any list DNS records.
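Review bot: two wording slips remain on the rewritten DNS paragraph: "Due to the difference, you must ensure" has no clear antecedent (the preceding sentence is about CNAME records carrying other host names, so "Because the chain can contain other host names, you must ensure ..." is clearer), and "we can't provide you with any list DNS records" should be "any list of DNS records". Also replace the curly apostrophe in "ItΓÇÖs" with a plain ASCII one; it renders as mojibake here. The substance is right and worth keeping next to the IMPORTANT above it: a firewall that matches only `*.msappproxy.net` and `*.servicebus.windows.net` will block the intermediate CNAME targets, and an inspecting proxy that terminates the connector's TLS breaks the same path, so both rules need to be read together.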
## Install and register a connector
To use Application Proxy, install a connector on each Windows server you're usin
To install the connector:
-1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is `contoso.com`, the admin should be `admin@contoso.com` or any other admin alias on that domain.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy.
-1. In left navigation panel, select **Azure Active Directory**.
-1. Under **Manage**, select **Application proxy**.
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.
1. Select **Download connector service**. ![Download connector service to see the Terms of Service](./media/application-proxy-add-on-premises-application/application-proxy-download-connector-service.png)
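Review bot: same article slip as in the NDES hunk, "as at least a [Application Administrator]" should read "an Application Administrator". Beyond that, collapsing the two old steps ("select **Azure Active Directory**", "Under **Manage**, select **Application proxy**") into the single "Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**" step is correct for the admin center, and step 2's "Verify you're signed in to a directory that uses Application Proxy" still carries the check the removed example tenant wording used to express.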
To install the connector:
If you've previously installed a connector, reinstall to get the latest version. To see information about previously released versions and what changes they include, see [Application Proxy: Version Release History](./application-proxy-release-version-history.md).
-If you choose to have more than one Windows server for your on-premises applications, you'll need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](./application-proxy-connector-groups.md).
+If you choose to have more than one Windows server for your on-premises applications, you need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](./application-proxy-connector-groups.md).
If you have installed connectors in different regions, you can optimize traffic by selecting the closest Application Proxy cloud service region to use with each connector group, see [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md)
You can use the Azure portal or your Windows server to confirm that a new connec
To confirm the connector installed and registered correctly:
-1. Sign in to your tenant directory in the [Azure portal](https://portal.azure.com).
-1. In the left navigation panel, select **Azure Active Directory**, and then select **Application Proxy** under the **Manage** section. All of your connectors and connector groups appear on this page.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy.
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.
1. View a connector to verify its details. The connectors should be expanded by default. If the connector you want to view isn't expanded, expand the connector to view the details. An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages. ![Azure AD Application Proxy Connectors](./media/application-proxy-add-on-premises-application/app-proxy-connectors.png)
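Review bot: the rewritten verification steps drop the sentence "All of your connectors and connector groups appear on this page" that the removed step 2 carried, and steps 1 to 3 are now a verbatim copy of the install steps; since this section is about confirming registration, keep that sentence on the new "Browse to ... **Application proxy**" step so the reader knows what to expect before step 4's "View a connector to verify its details". "as at least a [Application Administrator]" should be "an" here too. The caveat in step 4 that a green label does not prove the connector receives messages is worth keeping, and since the section intro says the Windows server can also be used to confirm registration, point to that server-side check as the one that shows traffic actually flowing.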
To confirm the connector installed and registered correctly:
## Add an on-premises app to Azure AD Now that you've prepared your environment and installed a connector, you're ready to add on-premises applications to Azure AD.-
-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.
-2. In the left navigation panel, select **Azure Active Directory**.
-3. Select **Enterprise applications**, and then select **New application**.
-4. Select **Add an on-premises application** button which appears about halfway down the page in the **On-premises applications** section. Alternatively, you can select **Create your own application** at the top of the page and then select **Configure Application Proxy for secure remote access to an on-premises application**.
-5. In the **Add your own on-premises application** section, provide the following information about your application:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select **New application**.
+1. Select **Add an on-premises application** button, which appears about halfway down the page in the **On-premises applications** section. Alternatively, you can select **Create your own application** at the top of the page and then select **Configure Application Proxy for secure remote access to an on-premises application**.
+1. In the **Add your own on-premises application** section, provide the following information about your application:
| Field | Description | | : | :-- |
- | **Name** | The name of the application that will appear on My Apps and in the Azure portal. |
+ | **Name** | The name of the application that appears on My Apps and in the Azure portal. |
| **Maintenance Mode** | Select if you would like to enable maintenance mode and temporarily disable access for all users to the application. | | **Internal URL** | The URL for accessing the application from inside your private network. You can provide a specific path on the backend server to publish, while the rest of the server is unpublished. In this way, you can publish different sites on the same server as different apps, and give each one its own name and access rules.<br><br>If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at `https://yourapp/app` and uses images located at `https://yourapp/media`, then you should publish `https://yourapp/` as the path. This internal URL doesn't have to be the landing page your users see. For more information, see [Set a custom home page for published apps](application-proxy-configure-custom-home-page.md). | | **External URL** | The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about [custom domains in Azure AD Application Proxy](./application-proxy-configure-custom-domain.md). | | **Pre Authentication** | How Application Proxy verifies users before giving them access to your application.<br><br>**Azure Active Directory** - Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication. **Azure Active Directory** is required for monitoring the application with Microsoft Defender for Cloud Apps.<br><br>**Passthrough** - Users don't have to authenticate against Azure AD to access the application. You can still set up authentication requirements on the backend. 
| | **Connector Group** | Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don't have any connector groups created yet, your app is assigned to **Default**.<br><br>If your application uses WebSockets to connect, all connectors in the group must be version 1.5.612.0 or later. |
-6. If necessary, configure **Additional settings**. For most applications, you should keep these settings in their default states.
+1. If necessary, configure **Additional settings**. For most applications, you should keep these settings in their default states.
| Field | Description | | : | :-- |
- | **Backend Application Timeout** | Set this value to **Long** only if your application is slow to authenticate and connect. At default, the backend application timeout has a length of 85 seconds. When set to long, the backend timeout is increased to 180 seconds. |
- | **Use HTTP-Only Cookie** | Select to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, keep this unselected. |
- | **Use Persistent Cookie**| Keep this unselected. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](./application-proxy-configure-cookie-settings.md).
- | **Translate URLs in Headers** | Keep this selected unless your application required the original host header in the authentication request. |
- | **Translate URLs in Application Body** | Keep this unselected unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Select if you plan to monitor this application with Microsoft Defender for Cloud Apps. For more information, see [Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |
+ | **Backend Application Timeout** | Set this value to **Long** only if your application is slow to authenticate and connect. At default, the backend application timeout has a length of 85 seconds. When set too long, the backend timeout is increased to 180 seconds. |
+ | **Use HTTP-Only Cookie** | Select to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, keep the option unselected. |
+ | **Use Persistent Cookie**| Keep the option unselected. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](./application-proxy-configure-cookie-settings.md).
+ | **Translate URLs in Headers** | Keep the option selected unless your application required the original host header in the authentication request. |
+ | **Translate URLs in Application Body** | Keep the option unselected unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Select if you plan to monitor this application with Microsoft Defender for Cloud Apps. For more information, see [Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |
| **Validate Backend SSL Certificate** | Select to enable backend SSL certificate validation for the application. |
-7. Select **Add**.
+1. Select **Add**.
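Review bot: the rewritten **Backend Application Timeout** row introduces an error: "When set too long, the backend timeout is increased to 180 seconds" changes the meaning of the `-` line's "When set to long"; the setting's value is **Long**, so it should read "When set to **Long**, the backend timeout is increased to 180 seconds". Two slips carried over unchanged in the same table: "unless your application required the original host header" should be "requires", and the **Name** row still says "in the Azure portal" while every sign-in step in this tutorial now says Microsoft Entra admin center. Also "as at least a [Application Administrator]" should be "an", and "Select **Add an on-premises application** button" wants "the" before "button". The renumbering of the steps to "1." throughout is consistent with the rest of the article.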
## Test the application
-You're ready to test the application is added correctly. In the following steps, you'll add a user account to the application, and try signing in.
+You're ready to test the application is added correctly. In the following steps, you add a user account to the application, and try signing in.
### Add a user for testing
For troubleshooting, see [Troubleshoot Application Proxy problems and error mess
## Clean up resources
-When no longer needed, delete the resources you created in this tutorial.
+Don't forget to delete any of the resources you created in this tutorial when you're done.
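Review bot: the rewritten clean-up sentence, "Don't forget to delete any of the resources you created in this tutorial when you're done", is looser than the `-` line it replaces; "any of" reads as optional. Prefer "When you're done, delete the resources you created in this tutorial: the test user, the published application and, if you no longer need it, the connector", so the reader is reminded that the registered connector, a server with standing outbound access to the tenant's Application Proxy service, is one of the things this tutorial leaves behind.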
## Next steps
active-directory | How To Authentication Find Coverage Gaps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md
After your admins are enforced for multifactor authentication and have been usin
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) You can read more about these authentication methods and their security considerations in [Azure AD authentication methods](concept-authentication-methods.md).+
+## Next steps
+
+[Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)
active-directory | How To Authentication Methods Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-methods-manage.md
Previously updated : 03/22/2023 Last updated : 09/13/2023
Record which users are in scope for SSPR (either all users, one specific group,
### Authentication methods policy
-To check settings in the Authentication methods policy, sign in as an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) and go to **Azure Active Directory** > **Security** > **Authentication methods** > **Policies**. A new tenant has all methods **Off** by default, which makes migration easier because legacy policy settings don't need to be merged with existing settings.
+To check settings in the Authentication methods policy, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) and browse to **Protection** > **Authentication methods** > **Policies**. A new tenant has all methods **Off** by default, which makes migration easier because legacy policy settings don't need to be merged with existing settings.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** >
:::image type="content" source="media/concept-authentication-methods-manage/authentication-methods-policy.png" alt-text="Screenshot that shows the authentication methods." lightbox="media/concept-authentication-methods-manage/authentication-methods-policy.png":::
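Review bot: the added numbered steps duplicate the sentence immediately above them, and step 2 is cut off: "1. Browse to **Protection** > **Authentication methods** >" ends at the chevron with no **Policies**. Either finish the step ("> **Policies**") or, better, drop the two steps and keep the single rewritten sentence, which already says where to sign in, which role is needed and what to browse to; as committed, the reader gets two competing instructions before the screenshot.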
active-directory | How To Authentication Sms Supported Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-sms-supported-apps.md
SMS-based authentication is available to Microsoft apps integrated with the Micr
| Microsoft One Note | ΓùÅ | | | Microsoft Teams | ΓùÅ | ΓùÅ | | Company portal | ΓùÅ | ΓùÅ |
-| My Apps Portal | ΓùÅ |Not available|
+| My Apps portal | ΓùÅ |Not available|
| Microsoft Forms | ΓùÅ |Not available| | Microsoft Edge | ΓùÅ | | | Microsoft Power BI | ΓùÅ | |
SMS-based authentication is available to Microsoft apps integrated with the Micr
*_SMS sign-in isn't available for office applications, such as Word, Excel, etc., when accessed directly on the web, but is available when accessed through the [Office 365 web app](https://www.office.com)_
-The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which allows user to enter phone number and SMS code.
+The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which allows users to enter phone number and SMS code.
## Unsupported Microsoft apps Microsoft 365 desktop (Windows or Mac) apps and Microsoft 365 web apps (except MS One Note) that are accessed directly on the web don't support SMS sign-in. These apps use the Microsoft Office login (`https://office.live.com/start/*`) that requires a password to sign in.
-For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Company Portal, and Microsoft Azure) don't support SMS sign-in.
+For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Company portal, and Microsoft Azure) don't support SMS sign-in.
| Unsupported Microsoft apps| Examples | | | | | Native desktop Microsoft apps | Microsoft Teams, O365 apps, Word, Excel, etc.|
-| Native mobile Microsoft apps (except Microsoft Teams, Company Portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
+| Native mobile Microsoft apps (except Microsoft Teams, Company portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|
| Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx)| ## Support for Non-Microsoft apps
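Review bot: the `+` line "The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login" is still ungrammatical after the "user" to "users" fix; suggest "The Microsoft apps listed above support SMS sign-in because they use the Microsoft identity login page (`https://login.microsoftonline.com/`), which lets users enter a phone number and an SMS code." That also makes the contrast with the next paragraph explicit: the unsupported apps use the Office login (`https://office.live.com/start/*`), which requires a password. The "Company Portal" to "Company portal" casing change on the two other lines matches the table above, which is good.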
active-directory | How To Certificate Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md
description: Topic that shows how to configure Azure AD certificate-based authen
Previously updated : 02/09/2023 Last updated : 09/13/2023
Optionally, you can also configure authentication bindings to map certificates t
## Step 1: Configure the certification authorities
-You can configure CAs by using the Azure portal or PowerShell.
+You can configure CAs by using the Microsoft Entra admin center or PowerShell.
-### Configure certification authorities using the Azure portal
+### Configure certification authorities using the Microsoft Entra admin center
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-To enable the certificate-based authentication and configure user bindings in the Azure portal, complete the following steps:
+To enable the certificate-based authentication and configure user bindings in the Microsoft Entra admin center, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
-1. Click **Azure Active Directory** > **Security**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Certifacte-based authentication**.
:::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate-authorities.png" alt-text="Screenshot of certification authorities.":::
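Review bot: typo on the new navigation step: "**Certifacte-based authentication**" should be "**Certificate-based authentication**" (the later hunks in this article write "Certificate-based Authentication"; pick one casing). The rewritten intro sentence also says "To enable the certificate-based authentication and configure user bindings", but this is Step 1, configuring the certification authorities; enabling and bindings are the later steps, so "To configure certification authorities in the Microsoft Entra admin center" is what the heading promises. Lastly, this step keeps "as a [Global Administrator]" while the enable and binding steps say "as at least an Authentication Policy Administrator"; confirm that uploading CAs genuinely needs Global Administrator, and if it does, say so explicitly so readers don't assume the role difference is an oversight.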
For more information, see [Understanding the certificate revocation process](./c
>[!IMPORTANT] >A user is considered capable for **MFA** when the user is in scope for **Certificate-based authentication** in the Authentication methods policy. This policy requirement means a user can't use proof up as part of their authentication to register other available methods. If the users do not have access to certificates they will be locked out and not be able to register other methods for MFA. So the admin needs to enable users who have a valid certificate into the CBA scope. Do not use all users for CBA target and use groups of users who have valid certificates available. For more information, see [Azure AD MFA](concept-mfa-howitworks.md).
-To enable the certificate-based authentication in the Azure portal, complete the following steps:
+To enable the certificate-based authentication in the Microsoft Entra admin center, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator.
-1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
-1. Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Certificate-based Authentication**.
1. Under **Enable and Target**, click **Enable**. 1. Click **All users**, or click **Add groups** to select specific groups.
Once certificate-based authentication is enabled on the tenant, all users in the
The authentication binding policy helps determine the strength of authentication to either a single factor or multi factor. An admin can change the default value from single-factor to multifactor and configure custom policy rules by mapping to issuer Subject or policy OID fields in the certificate.
-To enable Azure AD CBA and configure user bindings in the Azure portal, complete the following steps:
+To enable Azure AD CBA and configure user bindings in the Microsoft Entra admin center, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator.
-1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
-1. Click **Authentication methods** > **Policies**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Policies**.
1. Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**. :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/policy.png" alt-text="Screenshot of Authentication policy.":::
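Review bot: the unchanged step at L189 still uses the old left-nav wording ("Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**"), so after the new L188 the reader is sent to **Protection** > **Authentication methods** > **Policies** and then told to select **Authentication methods** again. Make the two steps consistent with the path used at L178 (browse directly to **Protection** > **Authentication methods** > **Certificate-based Authentication**), and then drop or rewrite the leftover "Under **Manage**" step.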
active-directory How To Mfa Additional Context https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-additional-context.md
description: Learn how to use additional context in MFA notifications
Previously updated : 01/29/2023 Last updated : 09/13/2023
This topic covers how to improve the security of user sign-in by adding the appl
## Prerequisites -- Your organization needs to enable Microsoft Authenticator passwordless and push notifications for some users or groups by using the new Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API.
+- Your organization needs to enable Microsoft Authenticator passwordless and push notifications for some users or groups by using the new Authentication methods policy. You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API.
>[!NOTE] >The policy schema for Microsoft Graph APIs has been improved. The older policy schema is now deprecated. Make sure you use the new schema to help prevent errors.
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
#### Example of how to enable application name and geographic location for separate groups In **featureSettings**, change **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.**
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationM
#### Example of how to disable application name and only enable geographic location In **featureSettings**, change the state of **displayAppInformationRequiredState** to **default** or **disabled** and **displayLocationInformationRequiredState** to **enabled.**
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
#### Example of how to exclude a group from application name and geographic location In **featureSettings**, change the states of **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.**
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.
-In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Azure portal. This change excludes that group from seeing application name or geographic location.
+In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Microsoft Entra admin center. This change excludes that group from seeing application name or geographic location.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
To turn off additional context, you'll need to PATCH **displayAppInformationRequ
} ```
-## Enable additional context in the portal
+## Enable additional context in the Microsoft Entra admin center
-To enable application name or geographic location in the Azure portal, complete the following steps:
+To enable application name or geographic location in the Microsoft Entra admin center, complete the following steps:
-1. In the Azure portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Microsoft Authenticator**.
1. On the **Basics** tab, click **Yes** and **All users** to enable the policy for everyone, and change **Authentication mode** to **Any**. Only users who are enabled for Microsoft Authenticator here can be included in the policy to show the application name or geographic location of the sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see application name or geographic location.
active-directory How To Mfa Authenticator Lite https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-authenticator-lite.md
Previously updated : 04/25/2023 Last updated : 09/13/2023
Users receive a notification in Outlook mobile to approve or deny sign-in, or th
>[!NOTE] >These are important security enhancements for users authenticating via telecom transports:
->- On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from 'default' to ΓÇÿdisabledΓÇÖ or scope it to only a group of users.
->- Starting September 18, Authenticator Lite will be enabled as part of the *Notification through mobile app* verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below.
+>- On June 26, the Microsoft managed value of this feature changed from **Disabled** to **Enabled** in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from **Default** to **Disabled** or scope it to only a group of users.
+>- Starting September 18, Authenticator Lite will be enabled as part of the **Notification through mobile app* verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below.
## Prerequisites -- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. We recommend enabling Microsoft Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature.
+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. We recommend enabling Microsoft Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature.
>[!TIP] >We recommend that you also enable [system-preferred multifactor authentication (MFA)](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign-in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
Users receive a notification in Outlook mobile to approve or deny sign-in, or th
By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) in the Authentication methods policy. On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ. Authenticator Lite is also included as part of the *Notification through mobile app* verification option in the per-user MFA policy.
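Review bot: unbalanced emphasis at L231: `**Notification through mobile app*` opens with two asterisks and closes with one, so it will render with literal asterisks; the original at L229 used single-asterisk italics, `*Notification through mobile app*`, which is probably what was intended. The unchanged paragraph at L236 also still has the mis-encoded quotes (`ΓÇÿdisabledΓÇÖ` / `ΓÇÿenabledΓÇÖ`) that L230 replaced with **Disabled** / **Enabled**; apply the same fix there so the two passages agree.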
-### Disabling Authenticator Lite in Azure portal UX
+### Disabling Authenticator Lite in the Microsoft Entra admin center
-To disable Authenticator Lite in the Azure portal, complete the following steps:
+To disable Authenticator Lite in the Microsoft Entra admin center, complete the following steps:
- 1. In the Azure portal, click Azure Active Directory > Security > Authentication methods > Microsoft Authenticator.
- In the Entra admin center, on the sidebar select Azure Active Directory > Protect & Secure > Authentication methods > Microsoft Authenticator.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Microsoft Authenticator**.
- 2. On the Enable and Target tab, click Enable and All users to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to Any or Push.
+2. On the **Enable and Target** tab, click **Enable** and **All users** to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to **Any** or **Push**.
-Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.
+ Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.
-<img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">
+ <img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">
- 3. On the Configure tab, for **Microsoft Authenticator on companion applications**, change Status to Disabled, and click Save.
+3. On the **Configure** tab, for **Microsoft Authenticator on companion applications**, change Status to **Disabled**, and click **Save**.
-<img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png">
+ <img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png">
->[!NOTE]
-> If your organization still manages authentication methods in the per-user MFA policy, you'll need to disable *Notification through mobile app* as a verification option there in addition to the steps above. We recommend doing this only after you've enabled Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend [migrating](how-to-authentication-methods-manage.md) management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2024.
+ >[!NOTE]
+ > If your organization still manages authentication methods in the per-user MFA policy, you need to disable *Notification through mobile app* as a verification option there in addition to the preceding steps. We recommend doing this only after you enable Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend [migrating](how-to-authentication-methods-manage.md) management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2024.
### Enable Authenticator Lite via Graph APIs
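Review bot: the rewritten note at L258 keeps the typo `contine` (should be `continue`) from L256; since the line is being edited anyway, fix it here. The list numbering in this procedure is also mixed: the two new steps at L243 and L244 use `1.` while L246 and L252 keep `2.` and `3.`, unlike the other procedures in this patch, which use `1.` for every step.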
active-directory How To Mfa Number Match https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md
Users who are enabled for MFA push notifications in the legacy MFA policy will a
:::image type="content" border="true" source="./media/how-to-mfa-number-match/notifications-through-mobile-app.png" alt-text="Screenshot of Notifications through mobile app setting.":::
-### Why does the portal still show the control to enable number matching?
-
-You might need to refresh the browser to update the portal after number matching is enabled by default beginning May 8, 2023.
- ### Is number matching supported with MFA Server? No, number matching isn't enforced because it's not a supported feature for MFA Server, which is [deprecated](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454).
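Review bot: L266 is shown as a removed line, so the heading `### Is number matching supported with MFA Server?` and its answer appear to be deleted together with the obsolete "Why does the portal still show the control" entry at L263-L265. If only the stale entry and its surrounding blank line were meant to go, confirm that the MFA Server question survives in the rendered file.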
active-directory How To Mfa Registration Campaign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md
Previously updated : 09/08/2023 Last updated : 09/13/2023
# How to run a registration campaign to set up Microsoft Authenticator - Microsoft Authenticator
-You can nudge users to set up Microsoft Authenticator during sign-in. Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator. You can include or exclude users or groups to control who gets nudged to set up the app. This allows targeted campaigns to move users from less secure authentication methods to the Authenticator app.
+You can nudge users to set up Microsoft Authenticator during sign-in. Users go through their regular sign-in, perform multifactor authentication as usual, and then get prompted to set up Microsoft Authenticator. You can include or exclude users or groups to control who gets nudged to set up the app. This allows targeted campaigns to move users from less secure authentication methods to Authenticator.
-In addition to choosing who can be nudged, you can define how many days a user can postpone, or "snooze", the nudge. If a user taps **Not now** to postpone the app setup, they'll be nudged again on the next MFA attempt after the snooze duration has elapsed. Users with free and trial subscriptions can postpone the app setup up to three times.
+You can also define how many days a user can postpone, or "snooze," the nudge. If a user taps **Not now** to postpone the app setup, they get nudged again on the next MFA attempt after the snooze duration has elapsed. Users with free and trial subscriptions can postpone the app setup up to three times.
>[!NOTE] >As users go through their regular sign-in, Conditional Access policies that govern security info registration apply before the user is prompted to set up Authenticator. For example, if a Conditional Access policy requires security info updates can only occur on an internal network, then users won't be prompted to set up Authenticator unless they are on the internal network. ## Prerequisites -- Your organization must have enabled Azure AD Multi-Factor Authentication. Every edition of Azure AD includes Azure AD Multi-Factor Authentication. No additional license is needed for a registration campaign.
+- Your organization must have enabled Azure AD Multi-Factor Authentication. Every edition of Azure AD includes Azure AD Multi-Factor Authentication. No other license is needed for a registration campaign.
- Users can't have already set up the Authenticator app for push notifications on their account. - Admins need to enable users for the Authenticator app using one of these policies: - MFA Registration Policy: Users will need to be enabled for **Notification through mobile app**.
In addition to choosing who can be nudged, you can define how many days a user c
![Snooze installation](./media/how-to-nudge-authenticator-app/snooze.png)
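Review bot: L271 changes "the Authenticator app" to "Authenticator" at the end of the sentence, but L273, L276 and the rest of this section still say "the Authenticator app"; pick one form for the article rather than switching mid-section.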
-## Enable the registration campaign policy using the portal
-To enable a registration campaign in the Azure portal, complete the following steps:
+## Enable the registration campaign policy using the Microsoft Entra admin center
++
+To enable a registration campaign in the Microsoft Entra admin center, complete the following steps:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). 1. Browse to **Protection** > **Authentication methods** > **Registration campaign**.
To enable a registration campaign in the Azure portal, complete the following st
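Review bot: L282 adds a line whose content is a single `+`, which will render as a stray plus sign between the heading at L281 and the intro sentence at L283. If a blank line was intended, the added line should be empty.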
## Enable the registration campaign policy using Graph Explorer
-In addition to using the Azure portal, you can also enable the registration campaign policy using Graph Explorer. To enable the registration campaign policy, you must use the Authentication Methods Policy using Graph APIs. **Global administrators** and **Authentication Method Policy administrators** can update the policy.
+In addition to using the Microsoft Entra admin center, you can also enable the registration campaign policy using Graph Explorer. To enable the registration campaign policy, you must use the Authentication Methods Policy using Graph APIs. **Global Administrators** and **Authentication Method Policy Administrators** can update the policy.
To configure the policy using Graph Explorer:
Here are a few sample JSONs you can use to get started!
- Include all users
- If you want to include ALL users in your tenant simply [download this JSON](https://download.microsoft.com/download/1/4/E/14E6151E-C40A-42FB-9F66-D8D374D13B40/All%20Users%20Enabled.json) and paste it in Graph Explorer and run `PATCH` on the endpoint.
+ If you want to include ALL users in your tenant, [download this JSON](https://download.microsoft.com/download/1/4/E/14E6151E-C40A-42FB-9F66-D8D374D13B40/All%20Users%20Enabled.json) and paste it in Graph Explorer and run `PATCH` on the endpoint.
```json {
Here are a few sample JSONs you can use to get started!
### Identify the GUIDs of users to insert in the JSONs
-1. Navigate to the Azure portal.
-1. Tap **Azure Active Directory**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
1. In the **Manage** blade, tap **Users**. 1. In the **Users** page, identify the specific user you want to target. 1. When you tap the specific user, youΓÇÖll see their **Object ID**, which is the userΓÇÖs GUID.
Here are a few sample JSONs you can use to get started!
### Identify the GUIDs of groups to insert in the JSONs
-1. Navigate to the Azure portal.
-1. Tap **Azure Active Directory**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
1. In the **Manage** blade, tap **Groups**. 1. In the **Groups** page, identify the specific group you want to target. 1. Tap the group and get the **Object ID**.
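Review bot: the sign-in step is updated at L299 and L305, but the following steps at L300 and L306 still say "In the **Manage** blade, tap **Users**" / "tap **Groups**", which is Azure portal navigation; elsewhere in this patch the equivalent step becomes "Browse to **Identity** > ..." (L334), so use that pattern here (**Identity** > **Users** and **Identity** > **Groups**). L300 also carries mis-encoded apostrophes (`youΓÇÖll`, `userΓÇÖs`) worth normalizing while the section is being edited.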
Nudge is available only on browsers and not on applications.
Nudge is not available on mobile devices.
-**How long will the campaign run for?**
+**How long does the campaign run for?**
-You can use the APIs to enable the campaign for as long as you like. Whenever you want to be done running the campaign, simply use the APIs to disable the campaign.
+You can enable the campaign for as long as you like. Whenever you want to be done running the campaign, use the admin center or APIs to disable the campaign.
**Can each group of users have a different snooze duration?**
If this user doesnΓÇÖt have the Authenticator app set up for push notifications
Yes. If the Authenticator app is not set up for push notifications and the user is enabled for it by policy, yes, the user will see the nudge.
-**If a user just went through MFA registration, will they be nudged in the same sign-in session?**
+**If a user just went through MFA registration, are they nudged in the same sign-in session?**
No. To provide a good user experience, users won't be nudged to set up the Authenticator in the same session that they registered other authentication methods.
No. The feature, for now, aims to nudge users to set up the Authenticator app on
**Is there a way for me to hide the snooze option and force my users to setup the Authenticator app?**
-Users in organizations with free and trial subscriptions can postpone the app setup up to three times. There is no way to hide the snooze option on the nudge for organizations with paid subscriptions yet. You can set the snoozeDuration to 0, which will ensure that users will see the nudge during each MFA attempt.
+Users in organizations with free and trial subscriptions can postpone the app setup up to three times. There is no way to hide the snooze option on the nudge for organizations with paid subscriptions yet. You can set the snoozeDuration to 0, which ensures that users see the nudge during each MFA attempt.
**Will I be able to nudge my users if I am not using Azure AD Multi-Factor Authentication?**
-No. The nudge will only work for users who are doing MFA using the Azure AD Multi-Factor Authentication service.
+No. The nudge only works for users who are doing MFA using the Azure AD Multi-Factor Authentication service.
**Will Guest/B2B users in my tenant be nudged?**
active-directory How To Mfa Server Migration Utility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md
As mentioned in the confirmation message, it can take several minutes for the mi
You can use Audit logs or Log Analytics to view details of MFA Server to Azure MFA user migrations. ##### Use Audit logs
-To access the Audit logs in the Azure portal to view details of MFA Server to Azure MFA user migrations, follow these steps:
+To access the Audit logs in the Microsoft Entra admin center to view details of MFA Server to Azure MFA user migrations, follow these steps:
-1. Click **Azure Active Directory** > **Audit logs**. To filter the logs, click **Add filters**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Identity** > **Monitoring & health** > **Audit logs**. To filter the logs, click **Add filters**.
:::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/add-filter.png" alt-text="Screenshot of how to add filters.":::
active-directory Howto Authentication Methods Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-methods-activity.md
Previously updated : 05/25/2023 Last updated : 09/13/2023
The following roles have the required permissions:
To access authentication method usage and insights:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Click **Azure Active Directory** > **Security** > **Authentication Methods** > **Activity**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication Methods** > **Activity**.
1. There are two tabs in the report: **Registration** and **Usage**. ![Authentication Methods Activity overview](media/how-to-authentication-methods-usage-insights/registration-usage-tabs.png) ## Registration details
-You can access the [**Registration tab**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade) to show the number of users capable of multi-factor authentication, passwordless authentication, and self-service password reset.
+You can access the **Registration** tab to show the number of users capable of multi-factor authentication, passwordless authentication, and self-service password reset.
Click any of the following options to pre-filter a list of user registration details:
active-directory Howto Authentication Passwordless Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md
Microsoft offers the following [three passwordless authentication options](conce
## Use the passwordless methods wizard
-The [Azure portal](https://portal.azure.com) now has a passwordless methods wizard that will help you to select the appropriate method for each of your audiences. If you haven't yet determined the appropriate methods, see [https://aka.ms/passwordlesswizard](https://aka.ms/passwordlesswizard), then return to this article to continue planning for your selected methods. **You need administrator rights to access this wizard.**
+The [Microsoft Entra admin center](https://entra.microsoft.com) has a passwordless methods wizard that will help you to select the appropriate method for each of your audiences. If you haven't yet determined the appropriate methods, see [https://aka.ms/passwordlesswizard](https://aka.ms/passwordlesswizard), then return to this article to continue planning for your selected methods. **You need administrator rights to access this wizard.**
## Passwordless authentication scenarios
The following are sample test cases for passwordless authentication with the Aut
| User can register the Authenticator app.| User can register app from https://aka.ms/mysecurityinfo. | | User can enable phone sign-in| Phone sign-in configured for work account. | | User can access an app with phone sign-in.| User goes through phone sign-in flow and reaches application. |
-| Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the Azure portal| Previously enabled users unable to use passwordless sign-in from the Authenticator app. |
+| Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the [Microsoft Entra admin center](https://entra.microsoft.com)| Previously enabled users unable to use passwordless sign-in from the Authenticator app. |
| Removing phone sign-in from the Authenticator app| Work account no longer available on the Authenticator app. |
Here are the sample test cases for passwordless authentication with security key
| The user can register FIDO2 device at aka.ms/mysecurityinfo using Firefox| Registration should succeed | | The user can sign in to OneDrive online using FIDO2 device using Microsoft Edge| Sign-in should succeed | | The user can sign in to OneDrive online using FIDO2 device using Firefox| Sign-in should succeed |
-| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the Azure portal| Users will: <li> be prompted to sign in using their security key <li> successfully sign in and see an error: "Your company policy requires that you use a different method to sign in". <li>be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
+| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the [Microsoft Entra admin center](https://entra.microsoft.com)| Users will: <li> be prompted to sign in using their security key <li> successfully sign in and see an error: "Your company policy requires that you use a different method to sign in". <li>be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
### Troubleshoot security key sign-in
Here are the sample test cases for passwordless authentication with security key
## Manage passwordless authentication
-To manage your user's passwordless authentication methods in the [Azure portal](https://portal.azure.com), select your user account, and then select Authentication methods.
+To manage your user's passwordless authentication methods in the [Microsoft Entra admin center](https://entra.microsoft.com), select your user account, and then select Authentication methods.
### Microsoft Graph APIs
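Review bot: The context line directly under `### Troubleshoot security key sign-in` repeats the sentence "Here are the sample test cases for passwordless authentication with security key" that already introduces the test-case table above it, so the troubleshooting section currently opens with a copy-paste leftover; since the rollback rows of these tables are being edited in this change, replace that intro with one that describes the troubleshooting content, or drop it. The updated rollback row for FIDO2 still carries the `<li>` HTML list inside the table cell from the removed line, which renders unevenly in Markdown tables; consider `<br>`-separated items if the bullets are to be kept.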
For more information on what authentication methods can be managed in Microsoft
Though passwordless authentication is a lightweight feature with minimal impact on end users, it may be necessary to roll back.
-Rolling back requires the administrator to sign in to the Azure portal, select the desired strong authentication methods, and change the enable option to No. This process turns off the passwordless functionality for all users.
+Rolling back requires the administrator to sign in to the [Microsoft Entra admin center](https://entra.microsoft.com), select the desired strong authentication methods, and change the enable option to No. This process turns off the passwordless functionality for all users.
![Passwordless rollback](media/howto-authentication-passwordless-deployment/passwordless-rollback.png)
Azure AD adds entries to the audit logs when:
* A user enables or disables their account on a security key or resets the second factor for the security key on their Win 10 machine. See event IDs: 4670 and 5382.
-**Azure AD keeps most auditing data for 30 days** and makes the data available via Azure Admin portal or API for you to download into your analysis systems. If you require longer retention, export and consume logs in a SIEM tool such as [Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md), Splunk, or Sumo Logic. We recommend longer retention for auditing, trend analysis, and other business needs as applicable
+**Azure AD keeps most auditing data for 30 days** and makes the data available by using the [Microsoft Entra admin center](https://entra.microsoft.com) or API for you to download into your analysis systems. If you require longer retention, export and consume logs in a SIEM tool such as [Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md), Splunk, or Sumo Logic. We recommend longer retention for auditing, trend analysis, and other business needs as applicable
There are two tabs in the Authentication methods activity dashboard - Registration and Usage.
-The [Registration tab](https://portal.azure.com/) shows the number of users capable of passwordless authentication as well as other authentication methods. This tab displays two graphs:
+The **Registration** tab shows the number of users capable of passwordless authentication as well as other authentication methods. This tab displays two graphs:
* Users registered by authentication method.
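Review bot: The updated retention sentence still ends without a terminal period ("... and other business needs as applicable"), carried over from the removed line; add it. In the same `+` line, "by using the Microsoft Entra admin center or API" replaced the portal name but leaves "API" unnamed, so consider saying which API readers pull the audit data from, alongside the SIEM export options listed in the following sentence.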
The [Registration tab](https://portal.azure.com/) shows the number of users capa
![Registration tab to view auth methods](media/howto-authentication-passwordless-deployment/monitoring-registration-tab.png)
-The [Usage tab](https://portal.azure.com/)shows the sign-ins by authentication method.
+The **Usage** tab shows the sign-ins by authentication method.
![Usage tab to view auth methods](media/howto-authentication-passwordless-deployment/monitoring-usage-tab.png)
active-directory Howto Authentication Passwordless Phone https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-phone.md
Previously updated : 05/16/2023 Last updated : 09/13/2023
Azure AD lets you choose which authentication methods can be used during the sig
To enable the authentication method for passwordless phone sign-in, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) with an *Authentication Policy Administrator* account.
-1. Search for and select *Azure Active Directory*, then browse to **Security** > **Authentication methods** > **Policies**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Policies**.
1. Under **Microsoft Authenticator**, choose the following options: 1. **Enable** - Yes or No 1. **Target** - All users or Select users
active-directory Howto Authentication Passwordless Security Key On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md
For information about compliant security keys, see [FIDO2 security keys](concept
### What can I do if I lose my security key?
-To delete an enrolled security key, sign in to the [Azure portal](https://portal.azure.com), and then go to the **Security info** page.
+To delete an enrolled security key, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com), and then go to the **Security info** page.
### What can I do if I'm unable to use the FIDO security key immediately after I create a hybrid Azure AD-joined machine?
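Review bot: Check the destination of this step. The **Security info** page is the user's self-service page (the security-key article further down this page calls it MySecurityInfo, and the deployment article's test cases register keys at aka.ms/mysecurityinfo), so pointing the sign-in link at entra.microsoft.com may send a user who lost their key to the admin center instead. If the step is meant for an admin removing the key on the user's behalf, say so and direct them to the user's **Authentication methods** page as the "remove a FIDO2 key" steps later on this page do; if it is meant for the user, link My Security Info rather than the admin center.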
active-directory Howto Authentication Passwordless Security Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-security-key.md
Previously updated : 06/02/2023 Last updated : 09/13/2023
Registration features for passwordless authentication methods rely on the combin
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication method policy**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Authentication method policy**.
1. Under the method **FIDO2 Security Key**, click **All users**, or click **Add groups** to select specific groups. *Only security groups are supported*. 1. **Save** the configuration.
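Review bot: The navigation path in the second `+` line, **Protection** > **Authentication methods** > **Authentication method policy**, differs from the path used for what appears to be the same page in the other articles updated in this set (**Protection** > **Authentication methods** > **Policies** in the phone sign-in, SMS, and Temporary Access Pass articles); pick one label so the admin center path is consistent across the set.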
There are some optional settings on the **Configure** tab to help manage how sec
![Screenshot of FIDO2 security key options](media/howto-authentication-passwordless-security-key/optional-settings.png) -- **Allow self-service set up** should remain set to **Yes**. If set to no, your users won't be able to register a FIDO key through the MySecurityInfo portal, even if enabled by Authentication Methods policy.
+- **Allow self-service set up** should remain set to **Yes**. If set to no, your users won't be able to register a FIDO key through MySecurityInfo, even if enabled by Authentication Methods policy.
- **Enforce attestation** setting to **Yes** requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass MicrosoftΓÇÖs additional set of validation testing. For more information, see [What is a Microsoft-compatible security key?](concept-authentication-passwordless.md#fido2-security-key-providers) **Key Restriction Policy**
There are some optional settings on the **Configure** tab to help manage how sec
To remove a FIDO2 key associated with a user account, delete the key from the userΓÇÖs authentication method.
-1. Sign in to the [Azure portal](https://portal.azure.com) and search for the user account from which the FIDO key is to be removed.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) and search for the user account from which the FIDO key is to be removed.
1. Select **Authentication methods** > right-click **FIDO2 security key** and click **Delete**. ![View Authentication Method details](media/howto-authentication-passwordless-deployment/security-key-view-details.png)
active-directory Howto Authentication Sms Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-sms-signin.md
There are three main steps to enable and use SMS-based authentication in your or
First, let's enable SMS-based authentication for your Azure AD tenant.
-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.
-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
-1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Policies**.
1. From the list of available authentication methods, select **SMS**. ![Screenshot that shows how to select the SMS authentication method.](./media/howto-authentication-sms-signin/authentication-methods-policy.png)
active-directory Howto Authentication Temporary Access Pass https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-temporary-access-pass.md
Previously updated : 06/14/2023 Last updated : 09/23/2023
A Temporary Access Pass is a time-limited passcode that can be configured for si
A Temporary Access Pass also makes recovery easier when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.
-This article shows you how to enable and use a Temporary Access Pass in Azure AD using the Azure portal.
+This article shows you how to enable and use a Temporary Access Pass in Azure AD using the the [Microsoft Entra admin center](https://entra.microsoft.com).
You can also perform these actions using the REST APIs. ## Enable the Temporary Access Pass policy
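Review bot: Doubled article in the `+` line: "using the the [Microsoft Entra admin center](https://entra.microsoft.com)" should read "using the [Microsoft Entra admin center](https://entra.microsoft.com)".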
Although you can create a Temporary Access Pass for any user, only users include
Global administrator and Authentication Policy administrator role holders can update the Temporary Access Pass authentication method policy. To configure the Temporary Access Pass authentication method policy:
-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.
-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
-1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods** > **Policies**.
1. From the list of available authentication methods, select **Temporary Access Pass**. :::image type="content" border="true" source="./media/how-to-authentication-temporary-access-pass/select-temporary-access-pass-policy.png" alt-text="Screenshot of how to manage Temporary Access Pass within the authentication method policy experience.":::
These roles can perform the following actions related to a Temporary Access Pass
- Authentication Administrators can create, delete, and view a Temporary Access Pass on members (except themselves) - Global Reader can view the Temporary Access Pass details on the user (without reading the code itself).
-1. Sign in to the [Azure portal](https://portal.azure.com) by using one of the preceding roles.
-1. Select **Azure Active Directory**, browse to Users, select a user, such as *Chris Green*, then choose **Authentication methods**.
-1. If needed, select the option to **Try the new user authentication methods experience**.
-1. Select the option to **Add authentication methods**.
-1. Below **Choose method**, select **Temporary Access Pass**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Authentication methods**.
+1. Select **Temporary Access Pass**.
1. Define a custom activation time or duration and select **Add**. ![Screenshot of how to create a Temporary Access Pass.](./media/how-to-authentication-temporary-access-pass/create.png)
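Review bot: This replacement changes what the procedure does. The removed steps walked an admin to a specific user (browse to Users, select a user, **Authentication methods** > **Add authentication methods** > **Temporary Access Pass**), which is what the following unchanged step "Define a custom activation time or duration and select **Add**" and its create.png screenshot describe; the new steps go to **Protection** > **Authentication methods** > **Temporary Access Pass**, which is the policy page the article already configured in the earlier "Enable the Temporary Access Pass policy" hunk. Restore the per-user navigation under the new admin center path. The new sign-in step also requires "at least an Authentication Policy Administrator", which contradicts the preceding context stating that Authentication Administrators can create a Temporary Access Pass on members; the removed line's "by using one of the preceding roles" was accurate and should be kept.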
active-directory Howto Authentication Use Email Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md
Previously updated : 06/01/2023 Last updated : 09/13/2023
Email as an alternate login ID applies to [Azure AD B2B collaboration](../extern
Once users with the *ProxyAddresses* attribute applied are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign in with email as an alternate login ID for your tenant. This feature tells the Azure AD login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address.
-During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Azure portal or Graph PowerShell to set up the feature.
+During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Microsoft Entra admin center or Graph PowerShell to set up the feature.
-### Azure portal
+### Microsoft Entra admin center
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com) as a *Global Administrator*.
-1. Search for and select **Azure Active Directory**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
1. From the navigation menu on the left-hand side of the Azure Active Directory window, select **Azure AD Connect > Email as alternate login ID**.
- ![Screenshot of email as alternate login ID option in the Azure portal.](media/howto-authentication-use-email-signin/azure-ad-connect-screen.png)
+ ![Screenshot of email as alternate login ID option in the Microsoft Entra admin center.](media/howto-authentication-use-email-signin/azure-ad-connect-screen.png)
1. Click the checkbox next to *Email as an alternate login ID*. 1. Click **Save**.
- ![Screenshot of email as alternate login ID blade in the Azure portal.](media/howto-authentication-use-email-signin/email-alternate-login-id-screen.png)
+ ![Screenshot of email as alternate login ID blade in the Microsoft Entra admin center.](media/howto-authentication-use-email-signin/email-alternate-login-id-screen.png)
-With the policy applied, it can take up to 1 hour to propagate and for users to be able to sign in using their alternate login ID.
+With the policy applied, it can take up to one hour to propagate and for users to be able to sign in using their alternate login ID.
### PowerShell
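Review bot: The role link in the `+` sign-in step is mismatched: the text says [Global Administrator] but the anchor is `../roles/permissions-reference.md#authentication-policy-administrator`; point it at the Global Administrator section of the permissions reference. Removing the "Search for and select **Azure Active Directory**" step also leaves the unchanged next step still reading "From the navigation menu on the left-hand side of the Azure Active Directory window, select **Azure AD Connect > Email as alternate login ID**", which no longer matches the admin center navigation the other articles in this set were updated to; update that path as well. Minor: "You can use either Microsoft Entra admin center or Graph PowerShell" needs "the" before "Microsoft Entra admin center".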
active-directory Howto Mfa Adfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-adfs.md
Previously updated : 01/29/2023 Last updated : 09/13/2023
The first thing we need to do is to configure the AD FS claims. Create two claim
15. Click **Ok**. 16. Close AD FS Management.
-### Configure Azure AD Multi-Factor Authentication Trusted IPs with Federated Users
+### Configure Azure AD Multi-Factor Authentication Trusted IPs with federated users
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] Now that the claims are in place, we can configure trusted IPs.
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Conditional Access** > **Named locations**.
3. From the **Conditional Access - Named locations** blade, select **Configure MFA trusted IPs** ![Azure AD Conditional Access named locations Configure MFA trusted IPs](./media/howto-mfa-adfs/trustedip6.png)
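Review bot: The required role was set to "at least an Authentication Policy Administrator" across this set, but this hunk's navigation is **Conditional Access** > **Named locations**, a Conditional Access page rather than the Authentication methods policy the other articles configure; confirm that role can open the named locations blade and the **Configure MFA trusted IPs** page, and otherwise name the role that can. The list numbering is also now inconsistent: the two `+` items use `1.` while the unchanged following step keeps `3.`; renumber the context step or use `1.` throughout.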
active-directory Howto Mfa App Passwords https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-app-passwords.md
Previously updated : 01/29/2023 Last updated : 09/13/2023
In this scenario, you use the following credentials:
By default, users can't create app passwords. The app passwords feature must be enabled before users can use them. To give users the ability to create app passwords, **admin needs** to complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Search for and select **Azure Active Directory**, then choose **Security**.
-3. Select **Conditional Access** from the left navigation blade.
-4. Selet **Named location** from the left navigation blade.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Conditional Access** > **Named locations**.
5. Click on **"Configure MFA trusted IPs"** in the bar across the top of the *Conditional Access | Named Locations* window. 6. On the **multi-factor authentication** page, select the **Allow users to create app passwords to sign in to non-browser apps** option.
- ![Screenshot of the Azure portal that shows the service settings for multi-factor authentication to allow the user of app passwords](media/concept-authentication-methods/app-password-authentication-method.png)
+ ![Screenshot that shows the service settings for multi-factor authentication to allow the user of app passwords](media/concept-authentication-methods/app-password-authentication-method.png)
> [!NOTE] >
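Review bot: The new screenshot alt text keeps a typo from the removed line: "to allow the user of app passwords" should be "to allow the use of app passwords". The step list also now runs `1.`, `1.`, `5.`, `6.` after the four original steps were collapsed into two; renumber the unchanged steps (or switch them to `1.`) so the rendered list stays sequential.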
active-directory Howto Mfa Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md
Previously updated : 03/06/2023 Last updated : 09/13/2023 -+ # Plan an Azure Active Directory Multi-Factor Authentication deployment
You can monitor authentication method registration and usage across your organiz
The Azure AD sign-in reports include authentication details for events when a user is prompted for MFA, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication.
-NPS extension and AD FS logs for cloud MFA activity are now included in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md), and no longer published to **Security** > **MFA** > **Activity report**.
+NPS extension and AD FS logs for cloud MFA activity are now included in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md), and no longer published to the **Activity report**.
For more information, and additional Azure AD Multi-Factor Authentication reports, see [Review Azure AD Multi-Factor Authentication events](howto-mfa-reporting.md#view-the-azure-ad-sign-ins-report).
active-directory Howto Mfa Nps Extension Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-errors.md
Previously updated : 01/29/2023 Last updated : 09/13/2023
If you encounter errors with the NPS extension for Azure AD Multi-Factor Authent
| **CONTACT_SUPPORT** | [Contact support](#contact-microsoft-support), and mention the list of steps for collecting logs. Provide as much information as you can about what happened before the error, including tenant ID, and user principal name (UPN). | | **CLIENT_CERT_INSTALL_ERROR** | There may be an issue with how the client certificate was installed or associated with your tenant. Follow the instructions in [Troubleshooting the MFA NPS extension](howto-mfa-nps-extension.md#troubleshooting) to investigate client cert problems. | | **ESTS_TOKEN_ERROR** | Follow the instructions in [Troubleshooting the MFA NPS extension](howto-mfa-nps-extension.md#troubleshooting) to investigate client cert and security token problems. |
-| **HTTPS_COMMUNICATION_ERROR** | The NPS server is unable to receive responses from Azure AD MFA. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and that TLS 1.2 is enabled (default). If TLS 1.2 is disabled, user authentication will fail and event ID 36871 with source SChannel is entered in the System log in Event Viewer. To verify TLS 1.2 is enabled, see [TLS registry settings](/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings). |
+| **HTTPS_COMMUNICATION_ERROR** | The NPS server is unable to receive responses from Azure AD MFA. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and that TLS 1.2 is enabled (default). If TLS 1.2 is disabled, user authentication fails and event ID 36871 with source SChannel is entered in the System log in Event Viewer. To verify TLS 1.2 is enabled, see [TLS registry settings](/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings). |
| **HTTP_CONNECT_ERROR** | On the server that runs the NPS extension, verify that you can reach `https://adnotifications.windowsazure.com` and `https://login.microsoftonline.com/`. If those sites don't load, troubleshoot connectivity on that server. |
-| **NPS Extension for Azure AD MFA (AccessReject):** <br> NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request. | This error usually reflects an authentication failure in AD or that the NPS server is unable to receive responses from Azure AD. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and `https://login.microsoftonline.com` using ports 80 and 443. It is also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy". This error can also trigger if the user is not assigned a license. |
-| **NPS Extension for Azure AD MFA (AccessChallenge):** <br> NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessChallenge, ignoring request. | This response is used when additional information is required from the user to complete the authentication or authorization process. The NPS server sends a challenge to the user, requesting further credentials or information. It usually preceeds an Access-Accept or Access-Reject response. |
+| **NPS Extension for Azure AD MFA (AccessReject):** <br> NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request. | This error usually reflects an authentication failure in AD or that the NPS server is unable to receive responses from Azure AD. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and `https://login.microsoftonline.com` using ports 80 and 443. It's also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy". This error can also trigger if the user isn't assigned a license. |
+| **NPS Extension for Azure AD MFA (AccessChallenge):** <br> NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessChallenge, ignoring request. | This response is used when additional information is required from the user to complete the authentication or authorization process. The NPS server sends a challenge to the user, requesting further credentials or information. It usually precedes an Access-Accept or Access-Reject response. |
| **REGISTRY_CONFIG_ERROR** | A key is missing in the registry for the application, which may be because the [PowerShell script](howto-mfa-nps-extension.md#install-the-nps-extension) wasn't run after installation. The error message should include the missing key. Make sure you have the key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa. |
-| **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute.Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension does not work when installed over such installations and errors out since it cannot read the details from the authentication request. |
+| **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute. Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension doesn't work when installed over such installations and errors out since it can't read the details from the authentication request. |
| **REQUEST_MISSING_CODE** | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. **PAP** supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. **CHAPV2** and **EAP** support phone call and mobile app notification. |
-| **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you are using cross-forest trusts, [contact support](#contact-microsoft-support) for further help. |
-| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP will observe user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). |
+| **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you use forest trusts, [contact support](#contact-microsoft-support) for further help. |
+| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP see user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP isn't an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). |
### Alternate login ID errors | Error code | Error message | Troubleshooting steps | | - | - | |
-| **ALTERNATE_LOGIN_ID_ERROR** | Error: userObjectSid lookup failed | Verify that the user exists in your on-premises Active Directory instance. If you are using cross-forest trusts, [contact support](#contact-microsoft-support) for further help. |
+| **ALTERNATE_LOGIN_ID_ERROR** | Error: userObjectSid lookup failed | Verify that the user exists in your on-premises Active Directory instance. If you use forest trusts, [contact support](#contact-microsoft-support) for further help. |
| **ALTERNATE_LOGIN_ID_ERROR** | Error: Alternate LoginId lookup failed | Verify that LDAP_ALTERNATE_LOGINID_ATTRIBUTE is set to a [valid active directory attribute](/windows/win32/adschema/attributes-all). <br><br> If LDAP_FORCE_GLOBAL_CATALOG is set to True, or LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that you have configured a Global Catalog and that the AlternateLoginId attribute is added to it. <br><br> If LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that the value is correct. If there is more than one forest name, the names must be separated with semi-colons, not spaces. <br><br> If these steps don't fix the problem, [contact support](#contact-microsoft-support) for more help. | | **ALTERNATE_LOGIN_ID_ERROR** | Error: Alternate LoginId value is empty | Verify that the AlternateLoginId attribute is configured for the user. |
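Review bot: The `+` rows for USERNAME_CANONICALIZATION_ERROR and the first ALTERNATE_LOGIN_ID_ERROR change "cross-forest trusts" to "forest trusts", which drops the distinction the original drew (lookups across a trust into another forest, the case the following row's LDAP_LOOKUP_FORESTS guidance covers); keep "cross-forest trusts" unless the narrowing is intentional. The REQUEST_FORMAT_ERROR row fixes the missing space after "attribute." but still mixes "RADIUS" and "radius" ("don't receive radius requests"); use the uppercase protocol name throughout.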
If you encounter errors with the NPS extension for Azure AD Multi-Factor Authent
| Error code | Error message | Troubleshooting steps | | - | - | |
-| **AccessDenied** | Caller tenant does not have access permissions to do authentication for the user | Check whether the tenant domain and the domain of the user principal name (UPN) are the same. For example, make sure that user@contoso.com is trying to authenticate to the Contoso tenant. The UPN represents a valid user for the tenant in Azure. |
+| **AccessDenied** | Caller tenant doesn't have access permissions to do authentication for the user | Check whether the tenant domain and the domain of the user principal name (UPN) are the same. For example, make sure that user@contoso.com is trying to authenticate to the Contoso tenant. The UPN represents a valid user for the tenant in Azure. |
| **AuthenticationMethodNotConfigured** | The specified authentication method was not configured for the user | Have the user add or verify their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). |
-| **AuthenticationMethodNotSupported** | Specified authentication method is not supported. | Collect all your logs that include this error, and [contact support](#contact-microsoft-support). When you contact support, provide the username and the secondary verification method that triggered the error. |
-| **BecAccessDenied** | MSODS Bec call returned access denied, probably the username is not defined in the tenant | The user is present in Active Directory on-premises but is not synced into Azure AD by AD Connect. Or, the user is missing for the tenant. Add the user to Azure AD and have them add their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). |
+| **AuthenticationMethodNotSupported** | Specified authentication method isn't supported. | Collect all your logs that include this error, and [contact support](#contact-microsoft-support). When you contact support, provide the username and the secondary verification method that triggered the error. |
+| **BecAccessDenied** | MSODS Bec call returned access denied, probably the username isn't defined in the tenant | The user is present in Active Directory on-premises but isn't synced into Azure AD by AD Connect. Or, the user is missing for the tenant. Add the user to Azure AD and have them add their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). |
| **InvalidFormat** or **StrongAuthenticationServiceInvalidParameter** | The phone number is in an unrecognizable format | Have the user correct their verification phone numbers. | | **InvalidSession** | The specified session is invalid or may have expired | The session has taken more than three minutes to complete. Verify that the user is entering the verification code, or responding to the app notification, within three minutes of initiating the authentication request. If that doesn't fix the problem, check that there are no network latencies between client, NAS Server, NPS Server, and the Azure AD MFA endpoint. | | **NoDefaultAuthenticationMethodIsConfigured** | No default authentication method was configured for the user | Have the user add or verify their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). Verify that the user has chosen a default authentication method, and configured that method for their account. |
-| **OathCodePinIncorrect** | Wrong code and pin entered. | This error is not expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |
-| **ProofDataNotFound** | Proof data was not configured for the specified authentication method. | Have the user try a different verification method, or add a new verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). If the user continues to see this error after you confirmed that their verification method is set up correctly, [contact support](#contact-microsoft-support). |
-| **SMSAuthFailedWrongCodePinEntered** | Wrong code and pin entered. (OneWaySMS) | This error is not expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |
-| **TenantIsBlocked** | Tenant is blocked | [Contact support](#contact-microsoft-support) with the *Tenant ID* from the Azure AD properties page in the Azure portal. |
+| **OathCodePinIncorrect** | Wrong code and pin entered. | This error isn't expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |
+| **ProofDataNotFound** | Proof data was not configured for the specified authentication method. | Have the user try a different verification method, or add a new verification method according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). If the user continues to see this error after you confirmed that their verification method is set up correctly, [contact support](#contact-microsoft-support). |
+| **SMSAuthFailedWrongCodePinEntered** | Wrong code and pin entered. (OneWaySMS) | This error isn't expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |
+| **TenantIsBlocked** | Tenant is blocked | [Contact support](#contact-microsoft-support) with the *Tenant ID* from the Azure AD properties page in the Microsoft Entra admin center. |
| **UserNotFound** | The specified user was not found | The tenant is no longer visible as active in Azure AD. Check that your subscription is active and you have the required first party apps. Also make sure the tenant in the certificate subject is as expected and the cert is still valid and registered under the service principal. | ## Messages your users may encounter that aren't errors
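Review bot: The TenantIsBlocked row now sends the reader to "the Azure AD properties page in the Microsoft Entra admin center", which does not match the navigation the rest of this update uses for the tenant ID (**Identity** > **Settings**). Suggest "the *Tenant ID* shown under **Identity** > **Settings** in the Microsoft Entra admin center" so the remediation names a page that exists in the new portal.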
Sometimes, your users may get messages from Multi-Factor Authentication because
| **OathCodeIncorrect** | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. | | **SMSAuthFailedMaxAllowedCodeRetryReached** | Maximum allowed code retry reached | The user failed the verification challenge too many times. Depending on your settings, they may need to be unblocked by an admin now. | | **SMSAuthFailedWrongCodeEntered** | Wrong code entered/Text Message OTP Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
-| **AuthenticationThrottled** | Too many attempts by user in a short period of time. Throttling. | Microsoft may limit repeated authentication attempts that are performed by the same user in a short period of time. This limitation does not apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes. |
-| **AuthenticationMethodLimitReached** | Authentication Method Limit Reached. Throttling. | Microsoft may limit repeated authentication attempts that are performed by the same user using the same authentication method type in a short period of time, specifically Voice call or SMS. This limitation does not apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.|
+| **AuthenticationThrottled** | Too many attempts by user in a short period of time. Throttling. | Microsoft may limit repeated authentication attempts that are performed by the same user in a short period of time. This limitation doesn't apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes. |
+| **AuthenticationMethodLimitReached** | Authentication Method Limit Reached. Throttling. | Microsoft may limit repeated authentication attempts that are performed by the same user using the same authentication method type in a short period of time, specifically Voice call or SMS. This limitation doesn't apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.|
## Errors that require support
If you encounter one of these errors, we recommend that you [contact support](#c
| **InvalidParameter** | ObjectId must not be null or empty for ReplicationScope:{0} | | **InvalidParameter** | The length of CompanyName \{0}\ is longer than the maximum allowed length {1} | | **InvalidParameter** | UserPrincipalName must not be null or empty |
-| **InvalidParameter** | The provided TenantId is not in correct format |
+| **InvalidParameter** | The provided TenantId isn't in correct format |
| **InvalidParameter** | SessionId must not be null or empty | | **InvalidParameter** | Could not resolve any ProofData from request or Msods. The ProofData is unKnown | | **InternalError** | |
The [Azure AD MFA NPS Extension health check script](/samples/azure-samples/azur
### Contact Microsoft support
-If you need additional help, contact a support professional through [Azure Multi-Factor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.
+If you need additional help, contact a support professional through [MFA support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.
To collect debug logs for support diagnostics, run the [Azure AD MFA NPS Extension health check script](/samples/azure-samples/azure-mfa-nps-extension-health-check/azure-mfa-nps-extension-health-check/) on the NPS server and choose option **4** to collect the logs to provide them to Microsoft support.
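Review bot: The link text "MFA support" is less specific than the "Azure Multi-Factor Authentication Server support" it replaces while the target URL (prid=14947) is unchanged; confirm that support path is the right one for the NPS extension rather than MFA Server, and consider "Azure AD Multi-Factor Authentication support" so readers know which product the link covers.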
active-directory Howto Mfa Nps Extension Rdg https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md
Previously updated : 01/29/2023 Last updated : 09/13/2023
Follow the steps in [What does Azure AD Multi-Factor Authentication mean for me?
This section provides instructions for configuring RDS infrastructure to use Azure AD MFA for client authentication with the Remote Desktop Gateway.
-### Acquire Azure Active Directory tenant ID
+### Obtain the directory tenant ID
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-As part of the configuration of the NPS extension, you need to supply admin credentials and the Azure AD ID for your Azure AD tenant. To get the tenant ID, complete the following steps:
+As part of the configuration of the NPS extension, you must supply administrator credentials and the ID of your Azure AD tenant. To get the tenant ID, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of the Azure tenant.
-1. In the Azure portal menu, select **Azure Active Directory**, or search for and select **Azure Active Directory** from any page.
-1. On the **Overview** page, the *Tenant information* is shown. Next to the *Tenant ID*, select the **Copy** icon, as shown in the following example screenshot:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Global Administrator](../roles/permissions-reference.md#global-administrator).
+1. Browse to **Identity** > **Settings**.
- ![Getting the Tenant ID from the Azure portal](./media/howto-mfa-nps-extension-rdg/azure-active-directory-tenant-id-portal.png)
+ ![Getting the Tenant ID from the Microsoft Entra admin center](./media/howto-mfa-nps-extension-vpn/tenant-id.png)
### Install the NPS extension
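Review bot: The rewritten steps no longer tell the reader to copy the *Tenant ID*, although the introduction still says "To get the tenant ID, complete the following steps": the removed step 3 located the value and selected **Copy**, while the new list ends at "Browse to **Identity** > **Settings**". Suggest a final step such as "On the **Overview** tab, next to *Tenant ID*, select the **Copy** icon." Two smaller points: "as at least an [Global Administrator]" should read "a [Global Administrator]", and the screenshot now points into the VPN article's media folder (`./media/howto-mfa-nps-extension-vpn/tenant-id.png`) rather than this article's `./media/howto-mfa-nps-extension-rdg/`, so the image breaks if that file is later moved.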
On the server where you installed the NPS extension for Azure AD MFA, you can fi
## Troubleshoot Guide
-If the configuration is not working as expected, the first place to start to troubleshoot is to verify that the user is configured to use Azure AD MFA. Have the user sign in to the [Azure portal](https://portal.azure.com). If users are prompted for secondary verification and can successfully authenticate, you can eliminate an incorrect configuration of Azure AD MFA.
+If the configuration is not working as expected, the first place to start to troubleshoot is to verify that the user is configured to use Azure AD MFA. Have the user sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). If users are prompted for secondary verification and can successfully authenticate, you can eliminate an incorrect configuration of Azure AD MFA.
If Azure AD MFA is working for the user(s), you should review the relevant Event logs. These include the Security Event, Gateway operational, and Azure AD MFA logs that are discussed in the previous section.
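Review bot: Asking the end user to sign in to the Microsoft Entra admin center is an odd test of whether MFA is configured for them, since a non-admin user has nothing to do there; the check only needs a sign-in that triggers the MFA prompt. Suggest pointing them at a user-facing page instead, such as [https://aka.ms/mfasetup](https://aka.ms/mfasetup), which this same update already uses for setting up a test account.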
active-directory Howto Mfa Nps Extension Vpn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md
Previously updated : 01/29/2023 Last updated : 09/23/2023
If the value is set to *TRUE* or is blank, all authentication requests are subje
-### Obtain the Azure Active Directory tenant ID
+### Obtain the directory tenant ID
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] As part of the configuration of the NPS extension, you must supply administrator credentials and the ID of your Azure AD tenant. To get the tenant ID, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of the Azure tenant.
-1. In the Azure portal menu, select **Azure Active Directory**, or search for and select **Azure Active Directory** from any page.
-1. On the **Overview** page, the *Tenant information* is shown. Next to the *Tenant ID*, select the **Copy** icon, as shown in the following example screenshot:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Global Administrator](../roles/permissions-reference.md#global-administrator).
+1. Browse to **Identity** > **Settings**.
- ![Getting the Tenant ID from the Azure portal](./media/howto-mfa-nps-extension-vpn/azure-active-directory-tenant-id-portal.png)
+ ![Getting the Tenant ID from the Microsoft Entra admin center](./media/howto-mfa-nps-extension-vpn/tenant-id.png)
### Install the NPS extension
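Review bot: Same gap as in the RD Gateway article: the step that copied the *Tenant ID* (old step 3) was removed and nothing replaced it, so the list promises "To get the tenant ID" but stops at **Identity** > **Settings**. Add a closing step that names where the *Tenant ID* appears and tells the reader to copy it. Also "as at least an [Global Administrator]" should be "a [Global Administrator]".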
Get-WinEvent -Logname Security | where {$_.ID -eq '6272'} | FL
## Troubleshooting guide
-If the configuration is not working as expected, begin troubleshooting by verifying that the user is configured to use MFA. Have the user sign in to the [Azure portal](https://portal.azure.com). If the user is prompted for secondary authentication and can successfully authenticate, you can eliminate an incorrect configuration of MFA as an issue.
+If the configuration is not working as expected, begin troubleshooting by verifying that the user is configured to use MFA. Have the user sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). If the user is prompted for secondary authentication and can successfully authenticate, you can eliminate an incorrect configuration of MFA as an issue.
If MFA is working for the user, review the relevant Event Viewer logs. The logs include the security event, Gateway operational, and Azure AD Multi-Factor Authentication logs that are discussed in the previous section.
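Review bot: "Have the user sign in to the Microsoft Entra admin center" replaces a sign-in target that any user could reach with one meant for administrators; the troubleshooting step only needs a sign-in that prompts for MFA. Suggest a user-facing endpoint such as [https://aka.ms/mfasetup](https://aka.ms/mfasetup), which is already referenced elsewhere in this update.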
active-directory Howto Mfa Nps Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md
Previously updated : 04/10/2023 Last updated : 09/13/2023
The following libraries are installed automatically with the extension.
The Microsoft Azure Active Directory Module for Windows PowerShell is also installed through a configuration script you run as part of the setup process, if not already present. There's no need to install this module ahead of time if it's not already installed.
-### Azure Active Directory
+### Obtain the directory tenant ID
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Everyone using the NPS extension must be synced to Azure AD using Azure AD Connect, and must be registered for MFA.
+As part of the configuration of the NPS extension, you must supply administrator credentials and the ID of your Azure AD tenant. To get the tenant ID, complete the following steps:
-When you install the extension, you need the *Tenant ID* and admin credentials for your Azure AD tenant. To get the tenant ID, complete the following steps:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Global Administrator](../roles/permissions-reference.md#global-administrator).
+1. Browse to **Identity** > **Settings**.
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of the Azure tenant.
-1. Search for and select the **Azure Active Directory**.
-1. On the **Overview** page, the *Tenant information* is shown. Next to the *Tenant ID*, select the **Copy** icon, as shown in the following example screenshot:
-
- ![Getting the Tenant ID from the Azure portal](./media/howto-mfa-nps-extension/azure-active-directory-tenant-id-portal.png)
+ ![Getting the Tenant ID from the Microsoft Entra admin center](./media/howto-mfa-nps-extension-vpn/tenant-id.png)
### Network requirements
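Review bot: The prerequisite "Everyone using the NPS extension must be synced to Azure AD using Azure AD Connect, and must be registered for MFA" is deleted without being moved anywhere else in the hunk, yet the later "BecAccessDenied" troubleshooting on this page still hinges on users being synced by AD Connect; keep that sentence under the new heading. The new steps also never tell the reader to copy the *Tenant ID*, which the later step "Use the *Tenant ID* GUID that you copied in the prerequisites section" relies on, so add a step that names where the *Tenant ID* appears and says to copy it. Minor: "as at least an [Global Administrator]" should be "a [Global Administrator]", and the screenshot path points into `./media/howto-mfa-nps-extension-vpn/` instead of this article's `./media/howto-mfa-nps-extension/` folder.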
Additionally, connectivity to the following URLs is required to complete the [se
## Prepare your environment
-Before you install the NPS extension, prepare you environment to handle the authentication traffic.
+Before you install the NPS extension, prepare your environment to handle the authentication traffic.
### Enable the NPS role on a domain-joined server
Depending on which VPN solution you use, the steps to configure your RADIUS auth
This step may already be complete on your tenant, but it's good to double-check that Azure AD Connect has synchronized your databases recently.
-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.
-2. Select **Azure Active Directory** > **Azure AD Connect**
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect**.
3. Verify that your sync status is **Enabled** and that your last sync was less than an hour ago. If you need to kick off a new round of synchronization, see [Azure AD Connect sync: Scheduler](../hybrid/connect/how-to-connect-sync-feature-scheduler.md#start-the-scheduler).
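Review bot: The list now mixes numbering styles: the two new items use "1." while the unchanged third item keeps "3.". Most renderers will still number them 1, 2, 3, but for consistency with the rest of this update change the remaining item to "1. Verify that your sync status is **Enabled** ...".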
If you need to create and configure a test account, use the following steps:
1. Sign in to [https://aka.ms/mfasetup](https://aka.ms/mfasetup) with a test account. 2. Follow the prompts to set up a verification method.
-3. In the Azure portal as an admin user, [create a Conditional Access policy](howto-mfa-getstarted.md#plan-conditional-access-policies) to require multi-factor authentication for the test account.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).
+1. Browse to **Protection** > **Multifactor authentication** and enable for the test account.
> [!IMPORTANT] >
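Review bot: This replaces "create a Conditional Access policy to require multi-factor authentication for the test account" with enabling per-user MFA under **Protection** > **Multifactor authentication**, which is a different mechanism with different behaviour (per-user state rather than a policy), not just a portal path change; if that is intentional, say so, otherwise keep the Conditional Access link. The new step also lacks an object: "enable for the test account" should read "enable MFA for the test account" (or name the control), and the list numbering now runs 1, 2, 1, 1.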
To provide load-balancing capabilities or for redundancy, repeat these steps on
```
1. When prompted, sign in to Azure AD as a Global administrator.
-1. PowerShell prompts for your tenant ID. Use the *Tenant ID* GUID that you copied from the Azure portal in the prerequisites section.
+1. PowerShell prompts for your tenant ID. Use the *Tenant ID* GUID that you copied in the prerequisites section.
1. A success message is shown when the script is finished. If your previous computer certificate has expired, and a new certificate has been generated, you should delete any expired certificates. Having expired certificates can cause issues with the NPS Extension starting.
For customers that use the Azure Government or Azure operated by 21Vianet clouds
1. If you're an Azure Government or Azure operated by 21Vianet customer, open **Registry Editor** on the NPS server. 1. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa`.
-1. For Azure Government customers, set the following key values.:
+1. For Azure Government customers, set the following key values:
| Registry key | Value | |--|--|
The [Azure AD MFA NPS Extension health check script](/samples/azure-samples/azur
### How to fix the error "Service principal was not found" while running `AzureMfaNpsExtnConfigSetup.ps1` script?
-If for any reason the "Azure Multi-Factor Auth Client" service principal was not created in the tenant , it can be manually created by running the `New-MsolServicePrincipal` cmdlet as shown below.
+If for any reason the "Azure Multi-Factor Auth Client" service principal was not created in the tenant, it can be manually created by running the `New-MsolServicePrincipal` cmdlet as shown below.
```powershell
import-module MSOnline
Connect-MsolService
New-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -DisplayName "Azure Multi-Factor Auth Client"
```
-Once done, sign in to the [Azure portal](https://portal.azure.com) > **Azure Active Directory** > **Enterprise Applications** > Search for "Azure Multi-Factor Auth Client" > Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app > If the option "Enabled for users to sign-in?" is set to `No` in Properties of this app, please set it to `Yes`.
+Once done, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Browse to **Identity** > **Applications** > **Enterprise applications** > and search for "Azure Multi-Factor Auth Client". Then click **Check properties for this app**. Confirm if the service principal is enabled or disabled. Click the application entry > **Properties**. If the option **Enabled for users to sign-in?** is set to **No**, set it to **Yes**.
-Run the `AzureMfaNpsExtnConfigSetup.ps1` script again and it should not return the `Service principal was not found` error.
+Run the `AzureMfaNpsExtnConfigSetup.ps1` script again and it should not return the **Service principal was not found** error.
### How do I verify that the client cert is installed as expected?
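Review bot: "Then click **Check properties for this app**" turns what was an instruction in the old text ("Check properties for this app") into a bold UI label, and no control of that name exists in the enterprise application blade; the next sentence already covers it, so drop that sentence and read: "Click the application entry > **Properties**. If **Enabled for users to sign-in?** is set to **No**, set it to **Yes**." Also remove the stray ">" in "**Enterprise applications** > and search for".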
active-directory Howto Mfa Server Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-server-settings.md
Title: Configure MFA Server
-description: Learn how to configure settings for Azure MFA Server in the Azure portal
+description: Learn how to configure settings for Azure MFA Server
Previously updated : 01/29/2023 Last updated : 09/13/2023 -+ # Configure MFA Server settings
-This article helps you to manage Azure MFA Server settings in the Azure portal.
+This article helps you to manage Azure MFA Server settings.
> [!IMPORTANT] > In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
The one-time bypass feature allows a user to authenticate a single time without
To create a one-time bypass, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.
-1. Search for and select **Azure Active Directory**, then browse to **Security** > **MFA** > **One-time bypass**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Protection** > **Multifactor authentication** > **One-time bypass**.
1. Select **Add**. 1. If necessary, select the replication group for the bypass. 1. Enter the username as `username@domain.com`. Enter the number of seconds that the bypass should last and the reason for the bypass.
active-directory Howto Mfa Userdevicesettings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md
When managing Azure AD Multi-Factor Authentication methods for your users, Authe
## Add authentication methods for a user
-You can add authentication methods for a user via the Azure portal or Microsoft Graph.
+You can add authentication methods for a user by using the Microsoft Entra admin center or Microsoft Graph.
> [!NOTE] > For security reasons, public user contact information fields should not be used to perform MFA. Instead, users should populate their authentication method numbers to be used for MFA.
-To add authentication methods for a user via the Azure portal:
+To add authentication methods for a user in the Microsoft Entra admin center:
-1. Sign into the **Azure portal**.
-1. Browse to **Azure Active Directory** > **Users** > **All users**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
1. Choose the user for whom you wish to add an authentication method and select **Authentication methods**. 1. At the top of the window, select **+ Add authentication method**. 1. Select a method (phone number or email). Email may be used for self-password reset but not authentication. When adding a phone number, select a phone type and enter phone number with valid format (e.g. +1 4255551234).
Authentication methods can also be managed using Microsoft Graph APIs. For more
If you're assigned the *Authentication Administrator* role, you can require users to reset their password, re-register for MFA, or revoke existing MFA sessions from their user object. To manage user settings, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. On the left, select **Azure Active Directory** > **Users** > **All users**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
1. Choose the user you wish to perform an action on and select **Authentication methods**. At the top of the window, then choose one of the following options for the user: - **Reset Password** resets the user's password and assigns a temporary password that must be changed on the next sign-in. - **Require Re-register MFA** makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method.
If you're assigned the *Authentication Administrator* role, you can require user
> The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable. - **Revoke MFA Sessions** clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.
- :::image type="content" source="media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png" alt-text="Manage authentication methods from the Azure portal":::
+ :::image type="content" source="media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png" alt-text="Manage authentication methods from the Microsoft Entra admin center":::
## Delete users' existing app passwords
For users that have defined app passwords, administrators can also choose to del
To delete a user's app passwords, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. On the left-hand side, select **Azure Active Directory** > **Users** > **All users**.
-1. Select **Multi-Factor Authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full Azure portal window and menu location:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
+1. Select **Multi-Factor Authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location:
[![Select Multi-Factor Authentication from the Users window in Azure AD.](media/howto-mfa-userstates/selectmfa-cropped.png)](media/howto-mfa-userstates/selectmfa.png#lightbox) 1. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right. 1. Select **Manage user settings**, then check the box for **Delete all existing app passwords generated by the selected users**, as shown in the following example:
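Review bot: The step still reads "Select **Multi-Factor Authentication**" while the user-states article in this same update calls the same menu entry **Per-user MFA**; the two articles share the screenshot (`media/howto-mfa-userstates/selectmfa-cropped.png`), so they should agree on the label. Align this line with whichever name the admin center actually shows.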
active-directory Howto Mfa Userstates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userstates.md
All users start out *Disabled*. When you enroll users in per-user Azure AD Multi
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-To view and manage user states, complete the following steps to access the Azure portal page:
+To view and manage user states, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global administrator.
-1. Search for and select **Azure Active Directory**, then select **Users** > **All users**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
1. Select **Per-user MFA**. :::image type="content" border="true" source="media/howto-mfa-userstates/selectmfa-cropped.png" alt-text="Screenshot of select Multi-Factor Authentication from the Users window in Azure AD."::: 1. A new page opens that displays the user state, as shown in the following example.
active-directory Howto Create Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-service-principal-portal.md
You must have sufficient permissions to register an application with your Azure
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for and Select **Azure Active Directory**.
-1. Select **App registrations**, then select **New registration**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **App registrations** then select **New registration**.
1. Name the application, for example "example-app". 1. Select a supported account type, which determines who can use the application. 1. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to.
The next section shows how to get values that are needed when signing in program
When programmatically signing in, pass the tenant ID and the application ID in your authentication request. You also need a certificate or an authentication key. To obtain the directory (tenant) ID and application ID:
-1. Search for select **Azure Active Directory**.
-1. From **App registrations** in Azure AD, select your application.
+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.
1. On the app's overview page, copy the Directory (tenant) ID value and store it in your application code. 1. Copy the Application (client) ID value and store it in your application code.
There are two types of authentication available for service principals: password
To upload the certificate file:
-1. Search for and select **Azure Active Directory**.
-1. From **App registrations** in Azure AD, select your application.
+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.
1. Select **Certificates & secrets**. 1. Select **Certificates**, then select **Upload certificate** and then select the certificate file to upload. 1. Select **Add**. Once the certificate is uploaded, the thumbprint, start date, and expiration values are displayed.
Export this certificate to a file using the [Manage User Certificate](/dotnet/fr
To upload the certificate:
-1. Search for and select **Azure Active Directory**.
-1. From **App registrations** in Azure AD, select your application.
+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.
1. Select **Certificates & secrets**. 1. Select **Certificates**, then select **Upload certificate** and then select the certificate (an existing certificate or the self-signed certificate you exported). 1. Select **Add**.
After registering the certificate with your application in the application regis
If you choose not to use a certificate, you can create a new application secret.
-1. Search for and select **Azure Active Directory**.
-1. Select **App registrations** and select your application from the list.
+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.
1. Select **Certificates & secrets**. 1. Select **Client secrets**, and then Select **New client secret**. 1. Provide a description of the secret, and a duration.
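Review bot: the client secret procedure on L757 ends at "Provide a description of the secret, and a duration." and never tells the reader to capture the resulting secret value or where to keep it, whereas the parallel procedure on L739 explicitly says to copy the Directory (tenant) ID and Application (client) ID and store them. Add a closing step that says to copy the secret value once it is created and keep it in the application's secret store; unlike the IDs on L739, it is a credential and should not be stored in the application code. L753 already frames the secret as the fallback to the certificate, so a sentence there pointing at the certificate option as the preferred one would round the section off.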
active-directory Msal Android Shared Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-shared-devices.md
Frontline workers such as retail associates, flight crew members, and field service workers often use a shared mobile device to do their work. That becomes problematic when they start sharing passwords or pin numbers to access customer and business data on the shared device.
-Shared device mode allows you to configure an Android device so that it can be easily shared by multiple employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device and it will be immediately ready for the next employee to use.
+Shared device mode allows you to configure an Android device so that it can be easily shared by multiple employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device, and it will be immediately ready for the next employee to use.
Shared device mode also provides Microsoft identity backed management of the device.
The following object model illustrates the type of object you may receive and wh
![public client application inheritance model](media/v2-shared-device-mode/ipublic-client-app-inheritance.png)
-You'll need to do a type check and cast to the appropriate interface when you get your `PublicClientApplication` object. The following code checks for multiple account mode or single account mode, and casts the application object appropriately:
+You need to do a type check and cast to the appropriate interface when you get your `PublicClientApplication` object. The following code checks for multiple account modes or single account modes, and casts the application object appropriately:
```java private IPublicClientApplication mApplication;
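Review bot: the pluralization introduced on L766 ("checks for multiple account modes or single account modes") reads as if there are several of each, where the removed line on L765 correctly treated them as two named modes; suggest "checks for multiple-account mode or single-account mode", hyphenated to match "single-account mode" as used on L770 and L771. "You need to do a type check" on L766 is fine as is.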
The following differences apply depending on whether your app is running on a sh
## Why you may want to only support single-account mode
-If you're writing an app that will only be used for frontline workers using a shared device, we recommend you write your application to only support single-account mode. This includes most applications that are task focused such as medical records apps, invoice apps, and most line-of-business apps. Only supporting single-account mode simplifies development because you won't need to implement the additional features that are part of multiple-account apps.
+If you're writing an app that will only be used for frontline workers using a shared device, we recommend you write your application to only support single-account mode. This includes most applications that are task focused such as medical records apps, invoice apps, and most line-of-business apps. Only supporting single-account mode simplifies development because you won't need to implement the other features that are part of multiple-account apps.
## What happens when the device mode changes
These Microsoft applications support Azure AD's shared device mode:
- [Microsoft Power BI Mobile](/power-bi/consumer/mobile/mobile-app-shared-device-mode) (preview) - [Microsoft Viva Engage](/viva/engage/overview) (previously [Yammer](/yammer))
+## Third-party MDMs that support shared device mode
+
+This third-party Mobile Device Management (MDM) that supports Azure AD's shared device mode:
+
+- [VMware Workspace ONE](https://blogs.vmware.com/euc/2023/08/announcing-general-availability-of-shared-device-conditional-access-with-vmware-workspace-one-and-microsoft-entra-id.html)
+ ## Shared device sign-out and the overall app lifecycle
-When a user signs out, you'll need to take action to protect the privacy and data of the user. For example, if you're building a medical records app you'll want to make sure that when the user signs out previously displayed patient records are cleared. Your application must be prepared for data privacy and check every time it enters the foreground.
+When a user signs out, you need to take action to protect the privacy and data of the user. For example, if you're building a medical records app you want to make sure that when the user signs out previously displayed patient records are cleared. Your application must be prepared for data privacy and check every time it enters the foreground.
When your app uses MSAL to sign out the user in an app running on device that is in shared mode, the signed-in account and cached tokens are removed from both the app and the device.
-The following diagram shows the overall app lifecycle and common events that may occur while your app runs. The diagram covers from the time an activity launches, signing in and signing out an account, and how events such as pausing, resuming, and stopping the activity fit in.
+The following diagram shows the overall app lifecycle and common events that may occur while your app runs. The diagram covers from the time an activity launch, signing in and signing out an account, and how events such as pausing, resuming, and stopping the activity fit in.
![Shared device app lifecycle](media/v2-shared-device-mode/lifecycle.png)
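Review bot: L777 is not a sentence ("This third-party Mobile Device Management (MDM) that supports Azure AD's shared device mode:"); either "This third-party Mobile Device Management (MDM) solution supports Azure AD's shared device mode:" or, to mirror the Microsoft list on L773, "The following third-party Mobile Device Management (MDM) solutions support Azure AD's shared device mode:". L785 also introduces a regression: "from the time an activity launch" should stay "launches" as on the removed L784. Finally, the heading on L780 gained a leading space ("+ ## Shared device sign-out and the overall app lifecycle"); drop it so the heading is formatted like the others in the file.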
active-directory Msal Js Known Issues Ie Edge Browsers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-known-issues-ie-edge-browsers.md
# Known issues on Internet Explorer and Microsoft Edge browsers (MSAL.js) ## Issues due to security zones
-We had multiple reports of issues with authentication in IE and Microsoft Edge (since the update of the *Microsoft Edge browser version to 40.15063.0.0*). We are tracking these and have informed the Microsoft Edge team. While Microsoft Edge works on a resolution, here is a description of the frequently occurring issues and the possible workarounds that can be implemented.
+We had multiple reports of issues with authentication in IE and Microsoft Edge (since the update of the *Microsoft Edge browser version to 40.15063.0.0*). We're tracking these and have informed the Microsoft Edge team. While Microsoft Edge works on a resolution, here's a description of the frequently occurring issues and the possible workarounds that can be implemented.
### Cause The cause for most of these issues is as follows. The session storage and local storage are partitioned by security zones in the Microsoft Edge browser. In this particular version of Microsoft Edge, when the application is redirected across zones, the session storage and local storage are cleared. Specifically, the session storage is cleared in the regular browser navigation, and both the session and local storage are cleared in the InPrivate mode of the browser. MSAL.js saves certain state in the session storage and relies on checking this state during the authentication flows. When the session storage is cleared, this state is lost and hence results in broken experiences. ### Issues -- **Infinite redirect loops and page reloads during authentication**. When users sign in to the application on Microsoft Edge, they are redirected back from the AAD login page and are stuck in an infinite redirect loop resulting in repeated page reloads. This is usually accompanied by an `invalid_state` error in the session storage.
+- **Infinite redirect loops and page reloads during authentication**. When users sign in to the application on Microsoft Edge, they're redirected back from the AAD login page and are stuck in an infinite redirect loop resulting in repeated page reloads. This is usually accompanied by an `invalid_state` error in the session storage.
-- **Infinite acquire token loops and AADSTS50058 error**. When an application running on Microsoft Edge tries to acquire a token for a resource, the application may get stuck in an infinite loop of the acquire token call along with the following error from AAD in your network trace:
+- **Infinite acquire token loops and AADSTS50058 error**. When an application that is run on Microsoft Edge tries to acquire a token for a resource, the application may get stuck in an infinite loop of the acquire token call. The following error is returned from AAD in your network trace:
`Error :login_required; Error description:AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com)` - **Pop-up window doesn't close or is stuck when using login through pop-up window to authenticate**. When authenticating through a pop-up window in Microsoft Edge or IE (InPrivate), after entering credentials and signing in, if multiple domains across security zones are involved in the navigation, the pop-up window doesn't close because `MSAL.js` loses the handle to the pop-up window.
+- **Cannot log in using redirect URL prefixed with tauri**. The only supported schemes for redirect URIs are `https:` for production apps and `http://localhost` for local development. If you attempt to use a different scheme, like `tauri://localhost`, for a mobile or desktop application, the below error message appears. This error arises as a result of how the backend of the SPA is designed.
+
+ `AADSTS90023: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type or 'Native' client-type with origin registered in AllowedOriginForNativeAppCorsRequestInOAuthToken allow list.`
+ ### Update: Fix available in MSAL.js 0.2.3 Fixes for the authentication redirect loop issues have been released in [MSAL.js 0.2.3](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases). Enable the flag `storeAuthStateInCookie` in the MSAL.js config to take advantage of this fix. By default this flag is set to false.
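Review bot: L794 replaces "running on Microsoft Edge" with "an application that is run on Microsoft Edge", which is stiffer and changes nothing; keep "running on". In the new bullet on L796, "the below error message appears" should be "the following error appears" to match the "following error" wording on L794, and "This error arises as a result of how the backend of the SPA is designed." explains nothing; either state the concrete cause (the redirect URI's origin is not registered for cross-origin token redemption, which is what the AADSTS90023 text on L798 says) or drop the sentence. The bullet also describes a desktop/mobile redirect scheme (`tauri://localhost`) in an article scoped to IE and Edge security zones, so consider a separate heading rather than filing it under "Issues due to security zones".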
-When the `storeAuthStateInCookie` flag is enabled, MSAL.js will use the browser cookies to store the request state required for validation of the auth flows.
+When the `storeAuthStateInCookie` flag is enabled, MSAL.js uses the browser cookies to store the request state required for validation of the auth flows.
> [!NOTE]
-> This fix is not yet available for the `msal-angular` and `msal-angularjs` wrappers. This fix does not address the issue with pop-up windows.
-
-Use workarounds below.
+> This fix is not yet available for the `msal-angular` and `msal-angularjs` wrappers. This fix doesn't address the issue with pop-up windows.
#### Other workarounds Make sure to test that your issue is occurring only on the specific version of Microsoft Edge browser and works on the other browsers before adopting these workarounds.
-1. As a first step to get around these issues, ensure that the application domain and any other sites involved in the redirects of the authentication flow are added as trusted sites in the security settings of the browser, so that they belong to the same security zone.
+1. As a first step to get around these issues, ensure that the application domain and any other sites involved in the redirects of the authentication flow are added as trusted sites in the security settings of the browser. This ensures the redirects belong to the same security zone.
To do so, follow these steps: - Open **Internet Explorer** and click on the **settings** (gear icon) in the top-right corner - Select **Internet Options** - Select the **Security** tab - Under the **Trusted Sites** option, click on the **sites** button and add the URLs in the dialog box that opens.
-2. As mentioned before, since only the session storage is cleared during the regular navigation, you may configure MSAL.js to use the local storage instead. This can be set as the `cacheLocation` config parameter while initializing MSAL.
+4. As mentioned before, since only the session storage is cleared during the regular navigation, you may configure MSAL.js to use the local storage instead. This can be set as the `cacheLocation` config parameter while initializing MSAL.
-Note, this will not solve the issue for InPrivate browsing since both session and local storage are cleared.
+Note, these workarounds won't solve the issue for InPrivate browsing since both session and local storage are cleared.
## Issues due to popup blockers
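Review bot: the numbered workaround on L812 changes "2." to "4." although the list has only two items (L809 and L812) and the sub-steps on L810 are bullets, so the numbering jumps from 1 to 4; restore "2.". L814 also broadens "this will not solve the issue for InPrivate browsing" to "these workarounds won't solve the issue", but the cause stated on L791 is that storage is cleared when the app is redirected across zones, so the trusted-sites workaround on L809 (keeping every domain in one zone) is not obviously defeated by InPrivate mode; the remark applies to the `cacheLocation` workaround on L812 and should stay scoped to it, for example "Note, using local storage won't solve the issue for InPrivate browsing since both session and local storage are cleared."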
-There are cases when popups are blocked in IE or Microsoft Edge, for example when a second popup occurs during [multi-factor authentication](../authentication/concept-mfa-howitworks.md). You will get an alert in the browser to allow for the pop-up window once or always. If you choose to allow, the browser opens the pop-up window automatically and returns a `null` handle for it. As a result, the library does not have a handle for the window and there is no way to close the pop-up window. The same issue does not happen in Chrome when it prompts you to allow pop-up windows because it does not automatically open a pop-up window.
+There are cases when popups are blocked in IE or Microsoft Edge, for example when a second popup occurs during [multi-factor authentication](../authentication/concept-mfa-howitworks.md). You'll get an alert in the browser to allow for the pop-up window once or always. If you choose to allow, the browser opens the pop-up window automatically and returns a `null` handle for it. As a result, the library doesn't have a handle for the window and there's no way to close the pop-up window. The same issue doesn't happen in Chrome when it prompts you to allow pop-up windows because it doesn't automatically open a pop-up window.
-As a **workaround**, developers will need to allow popups in IE and Microsoft Edge before they start using their app to avoid this issue.
+As a **workaround**, developers need to allow popups in IE and Microsoft Edge before they start using their app to avoid this issue.
## Next steps Learn more about [Using MSAL.js in Internet Explorer](msal-js-use-ie-browser.md).
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md
The following samples show an application that accesses the Microsoft Graph API
> [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | > | -- | -- |-- |-- |
-> | .NET Core | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi) <br/> &#8226; [Using managed identity and Azure key vault](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/3-Using-KeyVault)| [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|
+> | .NET Core | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi) <br/> &#8226; [Using managed identity and Azure Key Vault](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/3-Using-KeyVault)| [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|
> | ASP.NET |[Multi-tenant with Microsoft identity platform endpoint](https://github.com/Azure-Samples/ms-identity-aspnet-daemon-webapp) | [MSAL.NET](/entra/msal/dotnet) | Client credentials grant| > | Java | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Client credentials grant| > | Node.js | [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | [MSAL Node](/javascript/api/@azure/msal-node) | Client credentials grant |
active-directory V2 Protocols Oidc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-protocols-oidc.md
description: Sign in Azure AD users by using the Microsoft identity platform's i
Previously updated : 05/30/2023 Last updated : 09/13/2023
The *ID token* introduced by OpenID Connect is issued by the authorization serve
ID tokens aren't issued by default for an application registered with the Microsoft identity platform. ID tokens for an application are enabled by using one of the following methods: 1. Sign in to the [Azure portal](https://portal.azure.com) and select **Azure Active Directory** > **App registrations** > *\<your application\>* > **Authentication**.
+1. Under **Platform configurations**, select **Add a platform**.
+1. In the pane that opens, select the appropriate platform for your application. For example, select **Web** for a web application.
+1. Under Redirect URIs, add the redirect URI of your application. For example, `https://localhost:8080/`.
1. Under **Implicit grant and hybrid flows**, select the **ID tokens (used for implicit and hybrid flows)** checkbox. Or:
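Review bot: "Redirect URIs" on L834 is a UI label like **Platform configurations**, **Add a platform** and **Web** on L832 and L833, so bold it. The sign-in step on L831 that these new steps extend still reads "Sign in to the Azure portal and select **Azure Active Directory** > **App registrations**", whereas the rest of this batch (L731, L852, L862) has moved to "Sign in to the Microsoft Entra admin center" with an **Identity** > **Applications** > **App registrations** path; update L831 in the same change so the added steps match the portal they describe.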
active-directory Groups Self Service Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md
Groups created in | Security group default behavior | Microsoft 365 group defaul
![Azure Active Directory groups general settings.](./media/groups-self-service-management/groups-settings-general.png) > [!NOTE]
- > In November 2023, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to ΓÇÿYes,ΓÇÖ end users will be able to access My Groups in November 2023, but will not be able to see security groups.
+ > In June 2024, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to ΓÇÿYes,ΓÇÖ end users will be able to access My Groups in June 2024, but will not be able to see security groups.
3. Set **Owners can manage group membership requests in the Access Panel** to **Yes**.
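Review bot: L840 only moves the date from November 2023 to June 2024 and carries over two defects from the removed line: the quotes around Yes are mis-encoded ("ΓÇÿYes,ΓÇÖ"), and "users access" and "users ability" need the possessive ("users' access", "users' ability"). Since the line is being rewritten anyway, fix both; for the setting value, **Yes** in bold matches how the setting names are formatted in the same sentence.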
active-directory Reset Redemption Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/reset-redemption-status.md
To reset a user's redemption status, you'll need one of the following roles:
- [User Administrator](../roles/permissions-reference.md#user-administrator) - [Global Administrator](../roles/permissions-reference.md#global-administrator)
-## Use the Azure portal to reset redemption status
+## Use the Microsoft Entra admin center to reset redemption status
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or User administrator account for the directory.
-1. Search for and select **Azure Active Directory**.
-1. Select **Users**.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
1. In the list, select the user's name to open their user profile. 1. (Optional) If the user wants to sign in using a different email: 1. Select the **Edit properties** icon.
active-directory Self Service Sign Up Add Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md
To use an [API connector](api-connectors-overview.md), you first create the API
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **External Identities**.
-4. Select **All API connectors**, and then select **New API connector**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **Overview**.
+1. Select **All API connectors**, and then select **New API connector**.
:::image type="content" source="media/self-service-sign-up-add-api-connector/api-connector-new.png" alt-text="Screenshot of adding a new API connector to External Identities.":::
-5. Provide a display name for the call. For example, **Check approval status**.
-6. Provide the **Endpoint URL** for the API call.
-7. Choose the **Authentication type** and configure the authentication information for calling your API. Learn how to [Secure your API Connector](self-service-sign-up-secure-api-connector.md).
+1. Provide a display name for the call. For example, **Check approval status**.
+1. Provide the **Endpoint URL** for the API call.
+1. Choose the **Authentication type** and configure the authentication information for calling your API. Learn how to [Secure your API Connector](self-service-sign-up-secure-api-connector.md).
:::image type="content" source="media/self-service-sign-up-add-api-connector/api-connector-config.png" alt-text="Screenshot of configuring an API connector.":::
-8. Select **Save**.
+1. Select **Save**.
## The request sent to your API An API connector materializes as an **HTTP POST** request, sending user attributes ('claims') as key-value pairs in a JSON body. Attributes are serialized similarly to [Microsoft Graph](/graph/api/resources/user#properties) user properties.
Additionally, the claims are typically sent in all request:
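Review bot: the trailing context on L876 has a typo, "the claims are typically sent in all request" should be "in all requests"; since this hunk already touches the surrounding lines it is worth folding in. On L863 the new path lands on **Identity** > **External Identities** > **Overview** before L864's "Select **All API connectors**", replacing the old "In the left menu, select **External Identities**" on L860; confirm that **All API connectors** is actually reachable from the **Overview** page, otherwise the reader is left one click short.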
Follow these steps to add an API connector to a self-service sign-up user flow.
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **External Identities**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **Overview**.
4. Select **User flows**, and then select the user flow you want to add the API connector to. 5. Select **API connectors**, and then select the API endpoints you want to invoke at the following steps in the user flow:
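Review bot: the list on L881 to L883 now mixes numbering styles: the rewritten steps use "1." and the unchanged steps on L883 still read "4. Select **User flows**..." and "5. Select **API connectors**..."; renumber them to "1." as was done for the first procedure (L869 to L874), or keep explicit numbers throughout, but not both. The **Overview** hop on L882 also differs from the sibling article's route to the same destination on L912 (**Identity** > **External identities** > **User flows**); pick one route and use it in both articles.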
active-directory Self Service Sign Up Add Approvals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-add-approvals.md
This article gives an example of how to integrate with an approval system. In th
You need to register your approval system as an application in your Azure AD tenant so it can authenticate with Azure AD and have permission to create users. Learn more about [authentication and authorization basics for Microsoft Graph](/graph/auth/auth-concepts).
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **App registrations**, and then select **New registration**.
-4. Enter a **Name** for the application, for example, _Sign-up Approvals_.
-5. Select **Register**. You can leave other fields at their defaults.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **Applications** > **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application, for example, _Sign-up Approvals_.
+1. Select **Register**. You can leave other fields at their defaults.
:::image type="content" source="media/self-service-sign-up-add-approvals/register-approvals-app.png" alt-text="Screenshot that highlights the Register button.":::
-6. Under **Manage** in the left menu, select **API permissions**, and then select **Add a permission**.
-7. On the **Request API permissions** page, select **Microsoft Graph**, and then select **Application permissions**.
-8. Under **Select permissions**, expand **User**, and then select the **User.ReadWrite.All** check box. This permission allows the approval system to create the user upon approval. Then select **Add permissions**.
+1. Under **Manage** in the left menu, select **API permissions**, and then select **Add a permission**.
+1. On the **Request API permissions** page, select **Microsoft Graph**, and then select **Application permissions**.
+1. Under **Select permissions**, expand **User**, and then select the **User.ReadWrite.All** check box. This permission allows the approval system to create the user upon approval. Then select **Add permissions**.
:::image type="content" source="media/self-service-sign-up-add-approvals/request-api-permissions.png" alt-text="Screenshot of requesting API permissions.":::
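Review bot: L892 asks the reader to sign in "as at least a User Administrator" to create an app registration, while the same **App registrations** > **New registration** action elsewhere in this batch (L731) names Cloud Application Administrator as the minimum role; the two articles disagree on the least-privileged role, so align this one with L731. The procedure also stops at "Then select **Add permissions**." on L902 without mentioning that an application permission such as **User.ReadWrite.All** still needs admin consent before the approval system can create users; add that step or link to where it is covered, since adding the permission alone does not grant it.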
To create these connectors, follow the steps in [create an API connector](self-s
Now you'll add the API connectors to a self-service sign-up user flow with these steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **External Identities**.
-4. Select **User flows**, and then select the user flow you want to enable the API connector for.
-5. Select **API connectors**, and then select the API endpoints you want to invoke at the following steps in the user flow:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External identities** > **User flows**, and then select the user flow you want to enable the API connector for.
+1. Select **API connectors**, and then select the API endpoints you want to invoke at the following steps in the user flow:
- **After federating with an identity provider during sign-up**: Select your approval status API connector, for example _Check approval status_. - **Before creating the user**: Select your approval request API connector, for example _Request approval_.
Now you'll add the API connectors to a self-service sign-up user flow with these
:::image type="content" source="media/self-service-sign-up-add-approvals/api-connectors-user-flow-api.png" alt-text="Screenshot of API connector in a user flow.":::
-6. Select **Save**.
+1. Select **Save**.
## Control the sign-up flow with API responses
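Review bot: L912 writes the menu path as **Identity** > **External identities** > **User flows** with a lowercase "identities", while the same node is **External Identities** on L882, L927, L935 and L954; use the capitalized label consistently. The step on L913 is otherwise unchanged from L910 apart from the "1." renumbering, which is fine.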
active-directory Self Service Sign Up Secure Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-secure-api-connector.md
HTTP basic authentication is defined in [RFC 2617](https://tools.ietf.org/html/r
To configure an API Connector with HTTP basic authentication, follow these steps:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Under **Azure services**, select **Azure AD**.
-1. In the left menu, select **External Identities**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **Overview**.
1. Select **All API connectors**, and then select the **API Connector** you want to configure. 1. For the **Authentication type**, select **Basic**. 1. Provide the **Username**, and **Password** of your REST API endpoint.
You can then [export the certificate](../../key-vault/certificates/how-to-export
To configure an API Connector with client certificate authentication, follow these steps:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Under **Azure services**, select **Azure AD**.
-1. In the left menu, select **External Identities**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **Overview**.
1. Select **All API connectors**, and then select the **API Connector** you want to configure. 1. For the **Authentication type**, select **Certificate**. 1. In the **Upload certificate** box, select your certificate's .pfx file with a private key.
active-directory Self Service Sign Up User Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-user-flow.md
Before you can add a self-service sign-up user flow to your applications, you ne
> [!NOTE] > This setting can also be configured with the [authenticationFlowsPolicy](/graph/api/resources/authenticationflowspolicy?view=graph-rest-1.0&preserve-view=true) resource type in the Microsoft Graph API.
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-1. Under **Manage** in the left menu, select **Users**.
-1. Select **User settings**, and then under **External users**, select **Manage external collaboration settings**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **Users** > **User settings**, and then under **External users**, select **Manage external collaboration settings**.
1. Set the **Enable guest self-service sign up via user flows** toggle to **Yes**. :::image type="content" source="media/self-service-sign-up-user-flow/enable-self-service-sign-up.png" alt-text="Screenshot of the enable guest self-service sign up toggle.":::
Before you can add a self-service sign-up user flow to your applications, you ne
Next, you'll create the user flow for self-service sign-up and add it to an application.
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **External Identities**.
-4. Select **User flows**, and then select **New user flow**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **User flows**, and then select **New user flow**.
:::image type="content" source="media/self-service-sign-up-user-flow/new-user-flow.png" alt-text="Screenshot of the new user flow button.":::
-5. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**).
-6. On the **Create** page, enter a **Name** for the user flow. The name is automatically prefixed with **B2X_1_**.
-7. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
-8. Under **User attributes**, choose the attributes you want to collect from the user. For more attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.
+1. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**).
+1. On the **Create** page, enter a **Name** for the user flow. The name is automatically prefixed with **B2X_1_**.
+1. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
+1. Under **User attributes**, choose the attributes you want to collect from the user. For more attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.
:::image type="content" source="media/self-service-sign-up-user-flow/create-user-flow.png" alt-text="Screenshot of the new user flow creation page. "::: > [!NOTE] > You can only collect attributes when a user signs up for the first time. After a user signs up, they will no longer be prompted to collect attribute information, even if you change the user flow.
-8. Select **Create**.
-9. The new user flow appears in the **User flows** list. If necessary, refresh the page.
+1. Select **Create**.
+1. The new user flow appears in the **User flows** list. If necessary, refresh the page.
## Select the layout of the attribute collection form You can choose order in which the attributes are displayed on the sign-up page.
-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.
-2. Select **External Identities**, select **User flows**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **User flows**.
3. Select the self-service sign-up user flow from the list. 4. Under **Customize**, select **Page layouts**. 5. The attributes you chose to collect are listed. To change the order of display, select an attribute, and then select **Move up**, **Move down**, **Move to top**, or **Move to bottom**.
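Review bot: the unchanged steps on the line after the hunk still carry explicit numbers (`3. Select the self-service sign-up user flow`, `4. Under **Customize**`, `5. The attributes you chose`) while the two added lines use `1.` auto-numbering; convert the remaining steps to `1.` as the later hunk in this file does, so one list does not mix both styles.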
You can choose order in which the attributes are displayed on the sign-up page.
Now you'll associate applications with the user flow to enable sign-up for those applications. New users who access the associated applications will be presented with your new self-service sign-up experience.
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **External Identities**.
-4. Under **Self-service sign up**, select **User flows**.
-5. Select the self-service sign-up user flow from the list.
-6. In the left menu, under **Use**, select **Applications**.
-7. Select **Add application**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **User flows**
+1. Under **Self-service sign up**, select **User flows**.
+1. Select the self-service sign-up user flow from the list.
+1. In the left menu, under **Use**, select **Applications**.
+1. Select **Add application**.
:::image type="content" source="media/self-service-sign-up-user-flow/assign-app-to-user-flow.png" alt-text="Screenshot of adding an application to the user flow.":::
-8. Select the application from the list. Or use the search box to find the application, and then select it.
-9. Click **Select**.
+1. Select the application from the list. Or use the search box to find the application, and then select it.
+1. Click **Select**.
## Next steps
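Review bot: `+1. Browse to **Identity** > **External Identities** > **User flows**` is missing its terminating period, and the step that follows it (`+1. Under **Self-service sign up**, select **User flows**.`) repeats the navigation the browse step has already completed; drop the duplicate step or fold it into the browse line.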
active-directory Tenant Restrictions V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tenant-restrictions-v2.md
In your organization's [cross-tenant access settings](cross-tenant-access-overvi
- **Windows tenant restrictions v2**. For your corporate-owned Windows devices, you can enforce both authentication plane and data plane protection by enforcing tenant restrictions directly on devices. Tenant restrictions are enforced upon resource access, providing data path coverage and protection against token infiltration. A corporate proxy isn't required for policy enforcement. Devices can be Azure AD managed or domain-joined devices that are managed via Group Policy. > [!NOTE]
-> This article describes how to configure tenant restrictions v2 using the Azure portal. You can also use the [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) to create these same tenant restrictions policies.
+> This article describes how to configure tenant restrictions v2 using the Microsoft Entra admin center. You can also use the [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) to create these same tenant restrictions policies.
### Supported scenarios
The following table compares the features in each version.
|**Microsoft Accounts** |Uses a Restrict-MSA header to block access to consumer accounts. | Allows control of Microsoft Accounts (MSA and Live ID) authentication on both the identity and data planes.<br></br>For example, if you enforce tenant restrictions by default, you can create a Microsoft Accounts-specific policy that allows users to access specific apps with their Microsoft Accounts, for example: <br> Microsoft Learn (app ID `18fbca16-2224-45f6-85b0-f7bf2b39b3f3`), or <br> Microsoft Enterprise Skills Initiative (app ID `195e7f27-02f9-4045-9a91-cd2fa1c2af2f`). | |**Proxy management** | Manage corporate proxies by adding tenants to the Azure AD traffic allowlist. | For corporate proxy authentication plane protection, configure the proxy to set tenant restrictions v2 signals on all traffic. | |**Platform support** |Supported on all platforms. Provides only authentication plane protection. | Universal tenant restrictions in Global Secure Access (preview) support any operating system, browser, or device form factor.<br></br>Corporate proxy authentication plane protection supports macOS, Chrome browser, and .NET applications.<br></br>Windows device management supports Windows operating systems and Microsoft Edge. |
-|**Portal support** |No user interface in the Azure portal for configuring the policy. | User interface available in the Azure portal for setting up the cloud policy. |
+|**Portal support** |No user interface in the Microsoft Entra admin center for configuring the policy. | User interface available in the Microsoft Entra admin center for setting up the cloud policy. |
|**Unsupported apps** | N/A | Block unsupported app use with Microsoft endpoints by using Windows Defender Application Control (WDAC) or Windows Firewall (for example, for Chrome, Firefox, and so on). See [Block Chrome, Firefox and .NET applications like PowerShell](#block-chrome-firefox-and-net-applications-like-powershell). | ### Migrate tenant restrictions v1 policies to v2
To configure tenant restrictions, you need:
### Step 1: Configure default tenant restrictions v2
-Settings for tenant restrictions v2 are located in the Azure portal under **Cross-tenant access settings**. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. Then, if you need partner-specific configurations, you can add a partner's organization and customize any settings that differ from your defaults.
+Settings for tenant restrictions v2 are located in the Microsoft Entra admin center under **Cross-tenant access settings**. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. Then, if you need partner-specific configurations, you can add a partner's organization and customize any settings that differ from your defaults.
#### To configure default tenant restrictions
active-directory Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/troubleshoot.md
Sometimes, the external guest user you're inviting conflicts with an existing [C
## How does ΓÇÿ\#ΓÇÖ, which isn't normally a valid character, sync with Azure AD?
-ΓÇ£\#ΓÇ¥ is a reserved character in UPNs for Azure AD B2B collaboration or external users, because the invited account user@contoso.com becomes user_contoso.com#EXT#@fabrikam.onmicrosoft.com. Therefore, \# in UPNs coming from on-premises aren't allowed to sign in to the Azure portal.
+ΓÇ£\#ΓÇ¥ is a reserved character in UPNs for Azure AD B2B collaboration or external users, because the invited account user@contoso.com becomes user_contoso.com#EXT#@fabrikam.onmicrosoft.com. Therefore, \# in UPNs coming from on-premises aren't allowed to sign in to the Microsoft Entra admin center.
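Review bot: the retained sentence `Therefore, \# in UPNs coming from on-premises aren't allowed to sign in to the Microsoft Entra admin center` has a subject/verb mismatch carried over unchanged from the removed line; since the line is being edited anyway, reword it to say that users whose on-premises UPNs contain `#` can't sign in.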
## I receive an error when adding external users to a synchronized group
When you try to collaborate with another Azure AD organization in a separate Mic
## Invitation is blocked due to disabled Microsoft B2B Cross Cloud Worker application
-Rarely, you might see this message: ΓÇ£This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited userΓÇÖs tenant. Ask the invited userΓÇÖs admin to re-enable it, then try again.ΓÇ¥ This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration userΓÇÖs home tenant. This app is typically enabled, but it might have been disabled by an admin in the userΓÇÖs home tenant, either through PowerShell or the portal (see [Disable how a user signs in](../manage-apps/disable-user-sign-in-portal.md)). An admin in the userΓÇÖs home tenant can re-enable the app through PowerShell or the Azure portal. In the portal, search for ΓÇ£Microsoft B2B Cross Cloud WorkerΓÇ¥ to find the app, select it, and then choose to re-enable it.
+Rarely, you might see this message: ΓÇ£This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited userΓÇÖs tenant. Ask the invited userΓÇÖs admin to re-enable it, then try again.ΓÇ¥ This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration userΓÇÖs home tenant. This app is typically enabled, but it might have been disabled by an admin in the userΓÇÖs home tenant, either through PowerShell or the portal (see [Disable how a user signs in](../manage-apps/disable-user-sign-in-portal.md)). An admin in the userΓÇÖs home tenant can re-enable the app through PowerShell or the Microsoft Entra admin center. In the admin center, search for ΓÇ£Microsoft B2B Cross Cloud WorkerΓÇ¥ to find the app, select it, and then choose to re-enable it.
## I receive the error that Azure AD can't find the aad-extensions-app in my tenant
If you accidentally deleted the `aad-extensions-app`, you have 30 days to recove
1. Find the application in the list where the display name begins with `aad-extensions-app` and copy its `ObjectId` property value. 1. Run the PowerShell command `Restore-AzureADDeletedApplication -ObjectId {id}`. Replace the `{id}` portion of the command with the `ObjectId` from the previous step.
-You should now see the restored app in the Azure portal.
+You should now see the restored app in the Microsoft Entra admin center.
## A guest user was invited successfully but the email attribute isn't populating
active-directory Tutorial Bulk Invite https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tutorial-bulk-invite.md
# Tutorial: Bulk invite Azure AD B2B collaboration users
-If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time. In this tutorial, you learn how to use the Azure portal to send bulk invitations to external users. Specifically, you'll follow these steps:
+If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time. In this tutorial, you learn how to use the Microsoft Entra admin center to send bulk invitations to external users. Specifically, you'll follow these steps:
> [!div class="checklist"] >
If you use Azure Active Directory (Azure AD) B2B collaboration to work with exte
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is a global administrator in the organization.
-2. In the navigation pane, select **Azure Active Directory**.
-3. Under **Manage**, select **All Users**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **Users** > **All Users**.
4. Select **Bulk operations** > **Bulk invite**. :::image type="content" source="media/tutorial-bulk-invite/bulk-invite-button.png" alt-text="Screenshot of the bulk invite button.":::
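Review bot: the minimum role in the sign-in step drops from `a global administrator` (removed line) to `at least a [User Administrator]` (added line); that is a change in the stated privilege requirement, not a portal rename, and should be confirmed and mentioned in the commit. The unchanged `4. Select **Bulk operations**` step should also become `1.` to match the new auto-numbered lines.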
The rows in a downloaded CSV template are as follows:
## Verify guest users in the directory
-Check to see that the guest users you added exist in the directory either in the Azure portal or by using PowerShell.
+Check to see that the guest users you added exist in the directory either in the Microsoft Entra admin center or by using PowerShell.
-### View guest users in the Azure portal
+### View guest users in the Microsoft Entra admin center
-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is a User administrator in the organization.
-2. In the navigation pane, select **Azure Active Directory**.
-3. Under **Manage**, select **Users**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
4. Under **Show**, select **Guest users only** and verify the users you added are listed. ### View guest users with PowerShell
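Review bot: `+1. Browse to **Identity** > **Users** > **All users**.` writes `All users` while the earlier hunk in this same file writes `**All Users**`; pick one capitalization for the menu label across the file.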
active-directory Use Dynamic Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/use-dynamic-groups.md
# Create dynamic groups in Azure Active Directory B2B collaboration ## What are dynamic groups?
-A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the [Azure portal](https://portal.azure.com). Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as [userType](user-properties.md), department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about [dedicated groups in Azure Active Directory](../fundamentals/how-to-manage-groups.md).
+A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the [Microsoft Entra admin center](https://entra.microsoft.com). Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as [userType](user-properties.md), department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about [dedicated groups in Azure Active Directory](../fundamentals/how-to-manage-groups.md).
## Prerequisites [Azure AD Premium P1 or P2 licensing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) is required to create and use dynamic groups. Learn more in [Create attribute-based rules for dynamic group membership in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md).
A dynamic group is a dynamic configuration of security group membership for Azur
You can create a group containing all users within a tenant using a membership rule. When users are added or removed from the tenant in the future, the group's membership is adjusted automatically.
-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is assigned the Global administrator or User administrator role in the tenant.
-1. Select **Azure Active Directory**.
-2. Under **Manage**, select **Groups**, and then select **New group**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **Groups** > **All groups**, and then select **New group**.
1. On the **New Group** page, under **Group type**, select **Security**. Enter a **Group name** and **Group description** for the new group. 2. Under **Membership type**, select **Dynamic User**, and then select **Add dynamic query**. 4. Above the **Rule syntax** text box, select **Edit**. On the **Edit rule syntax** page, type the following expression in the text box:
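Review bot: the unchanged steps after the hunk are numbered `1.`, `2.`, `4.` with no `3.`, while the two added lines use `1.` auto-numbering; renumber the remaining steps as `1.` so the gap disappears and the list is consistent.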
active-directory User Flow Add Custom Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/user-flow-add-custom-attributes.md
For each application, you might have different requirements for the information you want to collect during sign-up. Azure AD comes with a built-in set of information stored in attributes, such as Given Name, Surname, City, and Postal Code. With Azure AD, you can extend the set of attributes stored on a guest account when the external user signs up through a user flow.
-You can create custom attributes in the Azure portal and use them in your [self-service sign-up user flows](self-service-sign-up-user-flow.md). You can also read and write these attributes by using the [Microsoft Graph API](../../active-directory-b2c/microsoft-graph-operations.md). Microsoft Graph API supports creating and updating a user with extension attributes. Extension attributes in the Graph API are named by using the convention `extension_<extensions-app-id>_attributename`. For example:
+You can create custom attributes in the Microsoft Entra admin center and use them in your [self-service sign-up user flows](self-service-sign-up-user-flow.md). You can also read and write these attributes by using the [Microsoft Graph API](../../active-directory-b2c/microsoft-graph-operations.md). Microsoft Graph API supports creating and updating a user with extension attributes. Extension attributes in the Graph API are named by using the convention `extension_<extensions-app-id>_attributename`. For example:
```JSON "extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyNumber": "212342"
The `<extensions-app-id>` is specific to your tenant. To find this identifier, n
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.
-2. Under **Azure services**, select **Azure Active Directory**.
-3. In the left menu, select **External Identities**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
+1. Browse to **Identity** > **External Identities** > **Overview**.
4. Select **Custom user attributes**. The available user attributes are listed. :::image type="content" source="media/user-flow-add-custom-attributes/user-attributes.png" alt-text="Screenshot of selecting custom user attributes for sign-up." lightbox="media/user-flow-add-custom-attributes/user-attributes-large-image.png":::
active-directory Add Application Portal Setup Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-setup-sso.md
# Enable single sign-on for an enterprise application
-In this article, you use the Azure portal to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials.
+In this article, you use the Microsoft Entra admin center to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials.
Azure AD has a gallery that contains thousands of pre-integrated applications that use SSO. This article uses an enterprise application named **Azure AD SAML Toolkit 1** as an example, but the concepts apply for most pre-configured enterprise applications in the gallery.
active-directory Add Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal.md
# Quickstart: Add an enterprise application
-In this quickstart, you use the Azure portal to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been preintegrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).
+In this quickstart, you use the Microsoft Entra admin center to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been preintegrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).
It's recommended that you use a nonproduction environment to test the steps in this quickstart.
active-directory Admin Consent Workflow Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/admin-consent-workflow-overview.md
If the user doesnΓÇÖt know who to contact to grant them access, they may be unab
As an admin, the following options exist for you to determine how users consent to applications: - Disable user consent. For example, a high school may want to turn off user consent so that the school IT administration has full control over all the applications that are used in their tenant. - Allow users to consent to the required permissions. It's NOT recommended to keep user consent open if you have sensitive data in your tenant. -- If you still want to retain admin-only consent for certain permissions but want to assist your end-users in onboarding their application, you can use the admin consent workflow to evaluate and respond to admin consent requests. This way, you can have a queue of all the requests for admin consent for your tenant and can track and respond to them directly through the Azure portal.
+- If you still want to retain admin-only consent for certain permissions but want to assist your end-users in onboarding their application, you can use the admin consent workflow to evaluate and respond to admin consent requests. This way, you can have a queue of all the requests for admin consent for your tenant and can track and respond to them directly through the Microsoft Entra admin center.
To learn how to configure the admin consent workflow, see [configure-admin-consent-workflow.md](configure-admin-consent-workflow.md). ## How the admin consent workflow works
When you configure the admin consent workflow, your end users can request for co
When an administrator responds to a request, the user receives an email alert informing them that the request has been processed.
-When the user submits a consent request, the request shows up in the admin consent request page in the Azure portal. Administrators and designated reviewers sign in to [view and act on the new requests](review-admin-consent-requests.md). Reviewers only see consent requests that were created after they were designated as reviewers. Requests show up in the following two tabs in the admin consent requests blade.
+When the user submits a consent request, the request shows up in the admin consent request page in the Microsoft Entra admin center. Administrators and designated reviewers sign in to [view and act on the new requests](review-admin-consent-requests.md). Reviewers only see consent requests that were created after they were designated as reviewers. Requests show up in the following two tabs in the admin consent requests blade.
- My pending: This shows any active requests that have the signed-in user designated as a reviewer. Although reviewers can block or deny requests, only people with the correct RBAC permissions to consent to the requested permissions can do so. - All(Preview): All requests, active or expired, that exist in the tenant. Each request includes information about the application and the user(s) requesting the application.
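Review bot: `+When the user submits a consent request ... in the Microsoft Entra admin center` still ends with `the admin consent requests blade`; "blade" is Azure portal terminology, so with the rename it should read "page" (the same sentence already says "admin consent request page").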
active-directory App Management Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/app-management-videos.md
___
>[!Video https://www.youtube.com/embed/19v7WSt9HwU] :::column-end::: :::column:::
- 2 - [How do I grant admin consent in the Azure portal](https://www.youtube.com/watch?v=LSYcelwdhHI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=5)(1:19)
+ 2 - [How do I grant admin consent in the Microsoft Entra admin center](https://www.youtube.com/watch?v=LSYcelwdhHI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=5)(1:19)
:::column-end::: :::column::: >[!Video https://www.youtube.com/embed/LSYcelwdhHI]
active-directory Application List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-list.md
When filtered to **All Applications**, the **All Applications** **List** shows e
- When you add any application from the application gallery, including:
- - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Azure portal. Usually apps integrated using the SAML standard.
- - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Azure portal. Usually custom developed apps using the Open ID Connect and OAuth standards.
+ - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Microsoft Entra admin center. Usually apps integrated using the SAML standard.
+ - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Microsoft Entra admin center. Usually custom developed apps using the Open ID Connect and OAuth standards.
- **Application Proxy Applications** ΓÇô An application running in your on-premises environment that you want to provide secure single-sign on to externally - When signing up for, or signing in to, a third-party application integrated with Azure Active Directory. One example is [Smartsheet](https://app.smartsheet.com/b/home) or [DocuSign](https://www.docusign.net/member/MemberLogin.aspx). - Microsoft apps such as Microsoft 365.
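Review bot: both added lines say `option on the Microsoft Entra admin center`; with the rename, "in the Microsoft Entra admin center" is the natural preposition (the removed lines' "on the Azure portal" was already awkward).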
active-directory Application Management Certs Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-management-certs-faq.md
There is no option to edit or customize these email notifications received from
## Who can update the certificates?
-The owner of the application or Global Administrator or Application Administrator can update the certificates through Azure portal UI, PowerShell or Microsoft Graph.
+The owner of the application or Global Administrator or Application Administrator can update the certificates through Microsoft Entra admin center UI, PowerShell or Microsoft Graph.
## I need more details about certificate signing options
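Review bot: `+... can update the certificates through Microsoft Entra admin center UI, PowerShell or Microsoft Graph` drops the article; write "through the Microsoft Entra admin center UI".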
active-directory Application Sign In Other Problem Access Panel https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-other-problem-access-panel.md
My Apps is a web-based portal that enables a user with a work or school account
To learn more about using Azure AD as an identity provider for an app, see the [What is Application Management in Azure AD](what-is-application-management.md). To get up to speed quickly, check out the [Quickstart Series on Application Management](view-applications-portal.md).
-These applications are configured on behalf of the user in the Azure portal. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.
+These applications are configured on behalf of the user in the Microsoft Entra admin center. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.
The type of apps a user may be seeing fall in the following categories:
active-directory Application Sign In Unexpected User Consent Error https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md
These errors all occur when the application a user is trying to consent to is re
* Consenting to the resource application
-* Granting the application permissions via the Azure portal
+* Granting the application permissions via the Microsoft Entra admin center
* Adding the application from the Azure AD Application Gallery
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
To apply the HRD policy after you've created it, you can assign it to multiple a
You need the **ObjectID** of the service principals to which you want to assign the policy. There are several ways to find the **ObjectID** of service principals.
-You can use the [Azure portal](https://portal.azure.com), or you can query [Microsoft Graph](/graph/api/resources/serviceprincipal). You can also go to the [Graph Explorer Tool](https://developer.microsoft.com/graph/graph-explorer) and sign in to your Azure AD account to see all your organization's service principals.
+You can use the [Microsoft Entra admin center](https://entra.microsoft.com), or you can query [Microsoft Graph](/graph/api/resources/serviceprincipal). You can also go to the [Graph Explorer Tool](https://developer.microsoft.com/graph/graph-explorer) and sign in to your Azure AD account to see all your organization's service principals.
Because you're using PowerShell, you can use the following cmdlet to list the service principals and their IDs.
active-directory Configure User Consent Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent-groups.md
You can configure which users are allowed to consent to apps accessing their gro
:::zone pivot="portal"
-To configure group and team owner consent settings through the Azure portal:
+To configure group and team owner consent settings through the Microsoft Entra admin center:
Follow these steps to manage group owner consent to apps accessing group data:
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent.md
To configure user consent, you need:
:::zone pivot="portal"
-To configure user consent settings through the Azure portal:
+To configure user consent settings through the Microsoft Entra admin center:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
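Review bot: The retained step 1 reads "as as a [Global Administrator]"; drop the duplicated "as" while this step is being touched, since the sign-in line is already the subject of this change.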
active-directory Datawiza Sso Mfa To Owa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-mfa-to-owa.md
time, effort, and errors.
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-To provide more sign-in security, you can enforce Microsoft Entra ID Multi-Factor Authentication. The process starts in the Azure portal.
+To provide more sign-in security, you can enforce Microsoft Entra ID Multi-Factor Authentication. The process starts in the Microsoft Entra admin center.
-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
-
-2. Select **Azure Active Directory**.
-
-3. Select **Manage**
-
-4. Select **Properties**
-
-5. Under **Tenant properties**, select **Manage security defaults**
-
- ![Screenshot shows the manage security defaults.](media/datawiza-access-proxy/manage-security-defaults.png)
-
-6. For **Enable Security defaults**, select **Yes**
-
-7. Select **Save**
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
+2. Browse to **Identity** > **Overview** > **Properties** tab.
+3. Under **Security defaults**, select **Manage security defaults**.
+4. On the **Security defaults** pane, toggle the dropdown menu to select **Enabled**.
+5. Select **Save**.
## Next steps
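Review bot: Step 4 of the new procedure says "toggle the dropdown menu to select **Enabled**"; a dropdown is selected rather than toggled, so "select **Enabled** from the dropdown" reads more cleanly. The removed procedure also carried a screenshot (`media/datawiza-access-proxy/manage-security-defaults.png`) that the new steps do not replace; if the image file is dropped as well, confirm no other article references it, and if it stays, consider an updated capture of the Security defaults pane.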
active-directory Disable User Sign In Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/disable-user-sign-in-portal.md
zone_pivot_groups: enterprise-apps-all
There may be situations while configuring or managing an application where you don't want tokens to be issued for an application. Or, you may want to block an application that you don't want your employees to try to access. To block user access to an application, you can disable user sign-in for the application, which prevents all tokens from being issued for that application.
-In this article, you learn how to prevent users from signing in to an application in Azure Active Directory through both the Azure portal and PowerShell. If you're looking for how to block specific users from accessing an application, use [user or group assignment](./assign-user-or-group-access-portal.md).
+In this article, you learn how to prevent users from signing in to an application in Azure Active Directory through both the Microsoft Entra admin center and PowerShell. If you're looking for how to block specific users from accessing an application, use [user or group assignment](./assign-user-or-group-access-portal.md).
## Prerequisites
active-directory F5 Big Ip Headers Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-headers-easy-button.md
Integrating a BIG-IP with Azure AD provides many benefits, including:
* See, [Zero Trust security](../../security/fundamentals/zero-trust.md) * Full SSO between Azure AD and BIG-IP published services * Managed identities and access from one control plane
- * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)
+ * See, the [Microsoft Entra admin center](https://entra.microsoft.com)
Learn more:
For the scenario you need:
* An Azure subscription * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
-* For the account, have Azure AD Application Administrator permissions
+* One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator
* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md) * Any of the following F5 BIG-IP license SKUs:
Learn more: [Quickstart: Register an application with the Microsoft identity pla
Create a tenant app registration to authorize the Easy Button access to Graph. With these permissions, the BIG-IP pushes the configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.
-2. In the left navigation, select **Azure Active Directory**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+2. Browse to **Identity** > **Applications** > **App registrations** > **New registration**.
3. Under **Manage**, select **App registrations > New registration**. 4. Enter an application **Name**. 5. Specify who uses the application.
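Review bot: With the new step 2 already navigating to **App registrations** > **New registration**, the retained step 3 ("Under **Manage**, select **App registrations > New registration**") now repeats that action and still refers to the old **Manage** navigation; drop step 3 or fold it into step 2 and renumber the remaining steps.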
active-directory Grant Admin Consent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/grant-admin-consent.md
To grant tenant-wide admin consent to an app listed in **Enterprise applications
## Grant admin consent in App registrations
-For applications your organization has developed, or which are registered directly in your Azure AD tenant, you can also grant tenant-wide admin consent from **App registrations** in the Azure portal.
+For applications your organization has developed, or which are registered directly in your Azure AD tenant, you can also grant tenant-wide admin consent from **App registrations** in the Microsoft Entra admin centerMicrosoft Entra admin center.
To grant tenant-wide admin consent from **App registrations**:
To grant tenant-wide admin consent from **App registrations**:
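Review bot: The replacement line carries a doubled phrase, "Microsoft Entra admin centerMicrosoft Entra admin center"; it should end "... from **App registrations** in the Microsoft Entra admin center."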
## Construct the URL for granting tenant-wide admin consent
-When granting tenant-wide admin consent using either method described above, a window opens from the Azure portal to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.
+When granting tenant-wide admin consent using either method described above, a window opens from the Microsoft Entra admin center to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.
The tenant-wide admin consent URL follows the following format:
active-directory Grant Consent Single User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/grant-consent-single-user.md
To grant consent to an application on behalf of one user, you need:
## Grant consent on behalf of a single user
-Before you start, record the following details from the Azure portal:
+Before you start, record the following details from the Microsoft Entra admin center:
- The app ID for the app that you're granting consent. For purposes of this article, we'll call it the "client application." - The API permissions that are required by the client application. Find out the app ID of the API and the permission IDs or claim values.
active-directory Manage Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-consent-requests.md
When you're evaluating a request to grant admin consent, here are some recommend
## Grant tenant-wide admin consent
-For step-by-step instructions for granting tenant-wide admin consent from the Azure portal, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).
+For step-by-step instructions for granting tenant-wide admin consent from the Microsoft Entra admin center, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).
## Revoke tenant wide admin consent
active-directory Migrate Adfs Plan Management Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-plan-management-insights.md
Once you've migrated the apps, consider applying the following suggestions to en
## Secure app access
-Azure AD provides a centralized access location to manage your migrated apps. Sign in to the [Azure portal](https://portal.azure.com/) and enable the following capabilities:
+Azure AD provides a centralized access location to manage your migrated apps. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) and enable the following capabilities:
- **Secure user access to apps.** Enable [Conditional Access policies](../conditional-access/overview.md)or [Identity Protection](../identity-protection/overview-identity-protection.md)to secure user access to applications based on device state, location, and more. - **Automatic provisioning.** Set up [automatic provisioning of users](../app-provisioning/user-provisioning.md) with various third-party SaaS apps that users need to access. In addition to creating user identities, it includes the maintenance and removal of user identities as status or roles change.
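Review bot: The trailing context line is missing spaces before "or" and "to" in "[Conditional Access policies](../conditional-access/overview.md)or [Identity Protection](../identity-protection/overview-identity-protection.md)to secure"; worth fixing in the same commit since this section is already being edited.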
Azure AD provides a centralized access location to manage your migrated apps. Si
## Audit and gain insights of your apps
-You can also use the [Azure portal](https://portal.azure.com/) to audit all your apps from a centralized location,
+You can also use the [Microsoft Entra admin center](https://entra.microsoft.com) to audit all your apps from a centralized location,
- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Azure AD Reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools. - **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth/OpenID Connect.
active-directory Myapps Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/myapps-overview.md
# My Apps portal overview
-My Apps is a web-based portal that is used for managing and launching applications in Azure Active Directory (Azure AD). To work with applications in My Apps, use an organizational account in Azure AD and obtain access granted by the Azure AD administrator. My Apps is separate from the Azure portal and doesn't require users to have an Azure subscription or Microsoft 365 subscription.
+My Apps is a web-based portal that is used for managing and launching applications in Azure Active Directory (Azure AD). To work with applications in My Apps, use an organizational account in Azure AD and obtain access granted by the Azure AD administrator. My Apps is separate from the Microsoft Entra admin center and doesn't require users to have an Azure subscription or Microsoft 365 subscription.
Users access the My Apps portal to:
Users access the My Apps portal to:
- Create personal collections of applications - Manage access to applications
-The following conditions determine whether an application in the enterprise applications list in the Azure portal appears to a user or group in the My Apps portal:
+The following conditions determine whether an application in the enterprise applications list in the Microsoft Entra admin center appears to a user or group in the My Apps portal:
- The application is set to be visible in its properties - The application is assigned to the user or group > [!NOTE]
-> The **Users can only see Office 365 apps in the Office 365 portal** property in the Azure portal can affect whether users can only see Office 365 applications in the Office 365 portal. If this setting is set to **No**, then users will be able to see Office 365 applications in both the My Apps portal and the Office 365 portal. This setting can be found under **Manage** in **Enterprise applications > User settings**.
+> The **Users can only see Office 365 apps in the Office 365 portal** property in the Microsoft Entra admin center can affect whether users can only see Office 365 applications in the Office 365 portal. If this setting is set to **No**, then users will be able to see Office 365 applications in both the My Apps portal and the Office 365 portal. This setting can be found under **Manage** in **Enterprise applications > User settings**.
Administrators can configure:
For more information, see [Properties of an enterprise application](application-
### Discover applications
-When signed in to the [My Apps](https://myapps.microsoft.com) portal, the applications that have been made visible are shown. For an application to be visible in the My Apps portal, set the appropriate properties in the [Azure portal](https://portal.azure.com). Also in the Azure portal, assign a user or group with the appropriate members.
+When signed in to the [My Apps](https://myapps.microsoft.com) portal, the applications that have been made visible are shown. For an application to be visible in the My Apps portal, set the appropriate properties in the [Microsoft Entra admin center](https://entra.microsoft.com). Also in the Microsoft Entra admin center, assign a user or group with the appropriate members.
In the My Apps portal, to search for an application, enter an application name in the search box at the top of the page to find an application. The applications that are listed can be formatted in **List view** or a **Grid view**. :::image type="content" source="./media/myapps-overview/myapp-app-list.png" alt-text="Screenshot that shows the search box for the My Apps portal."::: > [!IMPORTANT]
-> It can take several minutes for an application to appear in the My Apps portal after it has been added to the tenant in the Azure portal. There may also be a delay in how soon users can access the application after it has been added.
+> It can take several minutes for an application to appear in the My Apps portal after it has been added to the tenant in the Microsoft Entra admin center. There may also be a delay in how soon users can access the application after it has been added.
Applications can be hidden. For more information, see [Hide an Enterprise application](hide-application-from-user-portal.md). ## Assign company branding
-In the Azure portal, define the logo and name for the application to represent company branding in the My Apps portal. The banner logo appears at the top of the page, such as the Contoso demo logo shown below.
+In the Microsoft Entra admin center, define the logo and name for the application to represent company branding in the My Apps portal. The banner logo appears at the top of the page, such as the Contoso demo logo shown below.
:::image type="content" source="./media/myapps-overview/banner-logo.png" alt-text="Screenshot that shows the banner logo in the My Apps portal.":::
The permissions that are shown have been consented to by an administrator or hav
### Self-service access
-Access can be granted on a tenant level, assigned to specific users, or from self-service access. Before users can self-discover applications from the My Apps portal, enable self-service application access in the Azure portal. This feature is available for applications when added using these methods:
+Access can be granted on a tenant level, assigned to specific users, or from self-service access. Before users can self-discover applications from the My Apps portal, enable self-service application access in the Microsoft Entra admin center. This feature is available for applications when added using these methods:
- The Azure AD application gallery - Azure AD Application Proxy - Using user or admin consent
-Enable users to discover and request access to applications by using the My Apps portal. To do so, complete the following tasks in the Azure portal:
+Enable users to discover and request access to applications by using the My Apps portal. To do so, complete the following tasks in the Microsoft Entra admin center:
- Enable self-service group management - Enable the application for single sign-on
For more information, see [Enable self-service application assignment](manage-se
### Single sign-on
-Enable single sign-on (SSO) in the Azure portal for all applications that are made available in the My Apps portal whenever possible. If SSO is set up, users have a seamless experience without the need to enter their credentials. To learn more, see [Single sign-on options in Azure AD](what-is-single-sign-on.md#single-sign-on-options).
+Enable single sign-on (SSO) in the Microsoft Entra admin center for all applications that are made available in the My Apps portal whenever possible. If SSO is set up, users have a seamless experience without the need to enter their credentials. To learn more, see [Single sign-on options in Azure AD](what-is-single-sign-on.md#single-sign-on-options).
Applications can be added by using the Linked SSO option. Configure an application tile that links to the URL of the existing web application. Linked SSO allows the direction of users to the My Apps portal without migrating all the applications to Azure AD SSO. Gradually move to Azure AD SSO-configured applications to prevent disrupting the usersΓÇÖ experience.
active-directory One Click Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/one-click-sso-tutorial.md
The one-click SSO feature is designed to configure single sign-on for Azure Mark
![SSO configured](./media/one-click-sso-tutorial/sso-configured.png)
-10. After the configuration is successful, you're signed out of the application and returned to the Azure portal.
+10. After the configuration is successful, you're signed out of the application and returned to the [Microsoft Entra admin center](https://entra.microsoft.com).
11. You can select **Test** to test single sign-on.
active-directory Overview Application Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/overview-application-gallery.md
The Azure Active Directory (Azure AD) application gallery is a collection of sof
To find the gallery when signed into your tenant, select **Enterprise applications**, select **All applications**, and then select **New application**. The applications available from the gallery follow the SaaS model that allows users to connect to and use cloud-based applications over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365).
The gallery contains thousands of applications that have been pre-integrated int
If you donΓÇÖt find the application that you are looking for in the featured applications, you can search for a specific application by name. When searching for an application, you can also specify specific filters, such as single sign-on options, automated provisioning, and categories.
When searching for an application, you can also specify specific filters, such a
Applications that are specific to major cloud platforms, such as AWS, Google, or Oracle can be found by selecting the appropriate platform. ### On-premises applications
On-premises applications are connected to Azure AD using Azure AD Application Pr
- Use the documentation to learn more about how to use Application Proxy to secure remote access to on-premises applications. - Manage any Application Proxy connectors that you've already created. ### Featured applications A collection of featured applications is listed by default when you open the Azure AD gallery. Each application is marked with a symbol to enable you to identify whether it supports federated SSO or automated provisioning. - **Federated SSO** - When you set up [SSO](what-is-single-sign-on.md) to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, user experiences, and implementation. Some applications implement federated SSO as SAML-based or as OIDC-based. For SAML applications, when you select create, the application is added to your tenant. For OIDC applications, the administrator must first sign up or sign-in on the application's website to add the application to Azure AD. - **Provisioning** - Azure AD to SaaS [application provisioning](../app-provisioning/user-provisioning.md) refers to automatically creating user identities and roles in the SaaS applications that users need access to.
active-directory Plan An Application Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-an-application-integration.md
The following articles describe ways you can manage access to applications once
## Next steps
-For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../architecture/deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Azure portal](https://portal.azure.com).
+For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../architecture/deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Microsoft Entra admin center](https://entra.microsoft.com).
-To download a deployment plan from the Azure portal:
+To download a deployment plan from the Microsoft Entra admin center:
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
2. Select **Enterprise Applications** | **Pick an App** | **Deployment Plan**.
active-directory Plan Sso Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-sso-deployment.md
To learn more about Azure AD administrative roles, see [Azure AD built-in roles]
When you enable federation on SAML application, Azure AD creates a certificate that is by default valid for three years. You can customize the expiration date for that certificate if needed. Ensure that you have processes in place to renew certificates prior to their expiration.
-You change that certificate duration in the Azure portal. Make sure to document the expiration and know how you'll manage your certificate renewal. ItΓÇÖs important to identify the right roles and email distribution lists involved with managing the lifecycle of the signing certificate. The following roles are recommended:
+You change that certificate duration in the Microsoft Entra admin center. Make sure to document the expiration and know how you'll manage your certificate renewal. ItΓÇÖs important to identify the right roles and email distribution lists involved with managing the lifecycle of the signing certificate. The following roles are recommended:
- Owner for updating user properties in the application - Owner On-Call for application troubleshooting support
active-directory Restore Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/restore-application.md
zone_pivot_groups: enterprise-apps-minus-portal
In this article, you learn how to restore a soft deleted enterprise application in your Azure Active Directory (Azure AD) tenant. Soft deleted enterprise applications can be restored from the recycle bin within the first 30 days after their deletion. After the 30-day window, the enterprise application is permanently deleted and can't be restored. >[!IMPORTANT]
->If you deleted an [application registration](../develop/howto-remove-app.md) in its home tenant through app registrations in the Azure portal, the enterprise application, which is its corresponding service principal also got deleted. If you restore the deleted application registration through the Azure portal, its corresponding service principal, is also restored. You'll therefore be able to recover the service principal's previous configurations, except its previous policies such as Conditional Access policies, which aren't restored.
+>If you deleted an [application registration](../develop/howto-remove-app.md) in its home tenant through app registrations in the Microsoft Entra admin center, the enterprise application, which is its corresponding service principal also got deleted. If you restore the deleted application registration through the Microsoft Entra admin center, its corresponding service principal, is also restored. You'll therefore be able to recover the service principal's previous configurations, except its previous policies such as Conditional Access policies, which aren't restored.
[!INCLUDE [portal updates](../includes/portal-update.md)]
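Review bot: The rewritten note keeps two pre-existing grammar slips: "the enterprise application, which is its corresponding service principal also got deleted" needs a closing comma and a tense fix ("the enterprise application, which is its corresponding service principal, was also deleted"), and "its corresponding service principal, is also restored" has a stray comma before "is".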
active-directory Restore Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/restore-permissions.md
In this article, you learn how to restore previously revoked permissions that were granted to an application. You can restore permissions for an application that was granted permissions to access your organization's data. You can also restore permissions for an application that was granted permissions to act as a user.
-Currently, restoring permissions is only possible through Microsoft Graph PowerShell and Microsoft Graph API calls. You can't restore permissions through the Azure portal. In this article, you learn how to restore permissions using Microsoft Graph PowerShell.
+Currently, restoring permissions is only possible through Microsoft Graph PowerShell and Microsoft Graph API calls. You can't restore permissions through the Microsoft Entra admin center. In this article, you learn how to restore permissions using Microsoft Graph PowerShell.
## Prerequisites
You can try different methods for restoring permissions:
- If you know the specific permission that was revoked, you can grant it again manually using [PowerShell](/powershell/microsoftgraph/tutorial-grant-delegated-api-permissions?view=graph-powershell-1.0&preserve-view=true) or the [Microsoft Graph API](/graph/permissions-grant-via-msgraph?tabs=http&pivots=grant-delegated-permissions). - If you don't know the revoked permissions, you can use the scripts provided in this article to detect and restore revoked permissions.
-First, set the servicePrincipalId value in the script to the ID value for the enterprise app whose permissions you want to restore. This ID is also called the `object ID` in the Azure portal **Enterprise applications** page.
+First, set the servicePrincipalId value in the script to the ID value for the enterprise app whose permissions you want to restore. This ID is also called the `object ID` in the Microsoft Entra admin center **Enterprise applications** page.
Then, run each script with `$ForceGrantUpdate = $false` in order to see a list of delegated or app-only permissions that maybe have been removed. Even if the permissions have already been restored, revoke events from your audit logs may still appear in the script results.
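Review bot: In the trailing context, "a list of delegated or app-only permissions that maybe have been removed" should read "that may have been removed"; the paragraph is adjacent to the edited line, so it is a cheap fix to include here.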
active-directory User Admin Consent Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/user-admin-consent-overview.md
Users are in control of their data. A Privileged Administrator can configure whe
As an administrator, you can choose whether user consent is allowed. If you choose to allow user consent, you can also choose what conditions must be met before an application can be consented to by a user.
-By choosing which application consent policies apply for all users, you can set limits on when users are allowed to grant consent to applications and on when theyΓÇÖll be required to request administrator review and approval. The Azure portal provides the following built-in options:
+By choosing which application consent policies apply for all users, you can set limits on when users are allowed to grant consent to applications and on when theyΓÇÖll be required to request administrator review and approval. The Microsoft Entra admin center provides the following built-in options:
- *You can disable user consent*. Users can't grant permissions to applications. Users continue to sign in to applications they've previously consented to or to applications that administrators have granted consent to on their behalf, but they won't be allowed to consent to new permissions to applications on their own. Only users who have been granted a directory role that includes the permission to grant consent can consent to new applications.
Before you grant tenant-wide admin consent, ensure that you trust the applicatio
For step-by-step guidance on whether to grant an application admin consent, see [Evaluating a request for tenant-wide admin consent](manage-consent-requests.md#evaluate-a-request-for-tenant-wide-admin-consent).
-For step-by-step instructions for granting tenant-wide admin consent from the Azure portal, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).
+For step-by-step instructions for granting tenant-wide admin consent from the Microsoft Entra admin center, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).
### Grant consent on behalf of a specific user
For a broader overview, including how to handle other complex scenarios, see [Us
The admin consent workflow gives users a way to request admin consent for applications when they aren't allowed to consent themselves. When the admin consent workflow is enabled, users are presented with an "Approval required" window for requesting admin approval for access to the application.
-After users submit the admin consent request, the admins who have been designated as reviewers receive a notification. The users are notified after a reviewer has acted on their request. For step-by-step instructions for configuring the admin consent workflow by using the Azure portal, see [configure the admin consent workflow](configure-admin-consent-workflow.md).
+After users submit the admin consent request, the admins who have been designated as reviewers receive a notification. The users are notified after a reviewer has acted on their request. For step-by-step instructions for configuring the admin consent workflow by using the Microsoft Entra admin center, see [configure the admin consent workflow](configure-admin-consent-workflow.md).
### How users request admin consent
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/view-applications-portal.md
# Quickstart: View enterprise applications
-In this quickstart, you learn how to use the Azure portal to search for and view the enterprise applications that are already configured in your Azure Active Directory (Azure AD) tenant.
+In this quickstart, you learn how to use the Microsoft Entra admin center to search for and view the enterprise applications that are already configured in your Azure Active Directory (Azure AD) tenant.
It's recommended that you use a nonproduction environment to test the steps in this quickstart.
active-directory What Is Access Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/what-is-access-management.md
Some applications combine these methods. For example, certain Microsoft applicat
Users can access Microsoft 365 applications through their Office 365 portals. You can also show or hide Microsoft 365 applications in the My Apps with the [Office 365 visibility toggle](hide-application-from-user-portal.md) in your directory's **User settings**.
-As with enterprise apps, you can [assign users](assign-user-or-group-access-portal.md) to certain Microsoft applications via the Azure portal or, if the portal option isn't available, by using PowerShell.
+As with enterprise apps, you can [assign users](assign-user-or-group-access-portal.md) to certain Microsoft applications via the Microsoft Entra admin center or, using PowerShell.
## Next steps
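Review bot: The rewritten sentence on the changed line reads "via the Microsoft Entra admin center or, using PowerShell." The comma after "or" is a grammar error, and the qualifier "if the portal option isn't available" was dropped, which changes when PowerShell is the expected path. Suggest: "via the Microsoft Entra admin center or, if the portal option isn't available, by using PowerShell."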
active-directory Multi Tenant Organization Microsoft 365 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/multi-tenant-organization-microsoft-365.md
Previously updated : 08/22/2023 Last updated : 09/14/2023
The multi-tenant organization capability is designed for organizations that own
## New Microsoft Teams
-The [new Microsoft Teams](/microsoftteams/new-teams-desktop-admin) experience improves upon Microsoft 365 people search and Teams external access for a unified seamless collaboration experience. For this improved experience to light up, the multi-tenant organization representation in Azure AD is required and collaborating users shall be provisioned as B2B members.
+The [new Microsoft Teams](/microsoftteams/new-teams-desktop-admin) experience improves upon Microsoft 365 people search and Teams external access for a unified seamless collaboration experience. For this improved experience to light up, the multi-tenant organization representation in Azure AD is required and collaborating users shall be provisioned as B2B members. For more information, see [Announcing more seamless collaboration in Microsoft Teams for multi-tenant organizations](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-more-seamless-collaboration-in-microsoft-teams-for/ba-p/3901092).
## Collaborating user set
active-directory Multi Tenant Organization Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/multi-tenant-organization-overview.md
Previously updated : 08/22/2023 Last updated : 09/14/2023
Here are the primary benefits of a multi-tenant organization:
In Azure AD, external users originating from within a multi-tenant organization can be differentiated from external users originating from outside the multi-tenant organization. This differentiation facilitates the application of different policies for in-organization and out-of-organization external users. - Improved collaborative experience in Microsoft Teams
- In new Microsoft Teams, multi-tenant organization users can expect an improved collaborative experience across tenants with chat, calling, and meeting start notifications from all connected tenants across the multi-tenant organization. Tenant switching is more seamless and faster. For more information, see [Microsoft Teams: Advantages of the new architecture](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-advantages-of-the-new-architecture/ba-p/3775704).
+ In new Microsoft Teams, multi-tenant organization users can expect an improved collaborative experience across tenants with chat, calling, and meeting start notifications from all connected tenants across the multi-tenant organization. Tenant switching is more seamless and faster. For more information, see [Announcing more seamless collaboration in Microsoft Teams for multi-tenant organizations](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-more-seamless-collaboration-in-microsoft-teams-for/ba-p/3901092) and [Microsoft Teams: Advantages of the new architecture](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-advantages-of-the-new-architecture/ba-p/3775704).
- Improved people search experience across tenants
active-directory Azure Pim Resource Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md
Title: View audit report for Azure resource roles in Privileged Identity Managem
description: View activity and audit history for Azure resource roles in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: ''
Previously updated : 06/24/2022- Last updated : 09/12/2023+ # View activity and audit history for Azure resource roles in Privileged Identity Management
-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).
+Privileged Identity Management (PIM) in Microsoft Entra ID (Azure AD), enables you to view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).
> [!NOTE] > If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](../../lighthouse/overview.md), role assignments authorized by that service provider won't be shown here. ## View activity and activations - To see what actions a specific user took in various resources, you can view the Azure resource activity that's associated with a given activation period. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator).
Resource audit gives you a view of all role activity for a resource.
[![Resource audit list filtered by Activate audit type](media/azure-pim-resource-rbac/rbac-audit-activity.png "Resource audit list filtered by Activate")](media/azure-pim-resource-rbac/rbac-audit-activity.png) ![Resource audit list that is filtered by Activate audit type](media/azure-pim-resource-rbac/rbac-audit-activity.png)
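Review bot: The new opening sentence has a stray comma before "enables you" ("in Microsoft Entra ID (Azure AD), enables you to view"), and "Azure resources roles" should be "Azure resource roles" to match the article title. Suggest: "Privileged Identity Management (PIM) in Microsoft Entra ID (Azure AD) enables you to view activity, activations, and audit history for Azure resource roles within your organization."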
-1. Under **Action**, click **(activity)** for a user to see that user's activity detail in Azure resources.
+1. Under **Action**, select **(activity)** for a user to see that user's activity detail in Azure resources.
![User activity details for a particular action](media/azure-pim-resource-rbac/rbac-audit-activity-details.png)
active-directory Concept Pim For Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/concept-pim-for-groups.md
Title: Privileged Identity Management (PIM) for Groups
description: How to manage Azure AD Privileged Identity Management (PIM) for Groups. documentationcenter: ''-+ ms.assetid:
na Previously updated : 8/15/2023- Last updated : 9/12/2023+
# Privileged Identity Management (PIM) for Groups
-With Azure Active Directory (Azure AD), part of Microsoft Entra, you can provide users just-in-time membership in the group and just-in-time ownership of the group using the Azure AD Privileged Identity Management for Groups feature. These groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, as well as Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.
+Microsoft Entra ID, formerly known as Azure AD, allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups. Groups can be used to control access to a variety of scenarios, including Azure AD roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications.
## What is PIM for Groups?
-PIM for Groups is part of Azure AD Privileged Identity Management ΓÇô alongside with PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate the ownership or membership of an Azure AD security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, as well as Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.
+PIM for Groups is part of Azure AD Privileged Identity Management ΓÇô alongside with PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate the ownership or membership of an Azure AD security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.
With PIM for Groups you can use policies similar to ones you use in PIM for Azure AD Roles and PIM for Azure Resources: you can require approval for membership or ownership activation, enforce multi-factor authentication (MFA), require justification, limit maximum activation time, and more. Each group in PIM for Groups has two policies: one for activation of membership and another for activation of ownership in the group. Up until January 2023, PIM for Groups feature was called ΓÇ£Privileged Access GroupsΓÇ¥. [!INCLUDE [PIM for Groups note](../includes/pim-for-groups-include.md)]
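Review bot: The changed "PIM for Groups is part of..." line only drops "as well as"; "alongside with" is still ungrammatical (should be "alongside"), and the sentence still says "Azure AD Privileged Identity Management" while the paragraph just above it was rewritten to "Microsoft Entra ID, formerly known as Azure AD". Suggest: "PIM for Groups is part of Privileged Identity Management in Microsoft Entra ID. Alongside PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate ..."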
-## What are Azure AD role-assignable groups?
+## What are Entra ID role-assignable groups?
-With Azure Active Directory (Azure AD), part of Microsoft Entra, you can assign a cloud Azure AD security group or Microsoft 365 group to an Azure AD role. This is possible only with groups that are created as role-assignable.
+When working with Entra ID, you can assign an Entra ID security group or Microsoft 365 group to an Entra ID role. This is possible only with groups that are created as role-assignable.
-To learn more about Azure AD role-assignable groups, see [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md).
+To learn more about Entra ID role-assignable groups, see [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md).
Role-assignable groups benefit from extra protections comparing to non-role-assignable groups:-- For role-assignable groups, only the Global Administrator, Privileged Role Administrator, or the group Owner can manage the group. Also, no other users can change the credentials of the users who are (active) members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.-- For non-role-assignable groups, various Azure AD roles can manage group ΓÇô that includes Exchange Administrators, Groups Administrators, User Administrators, etc. Also, various roles Azure AD roles can change the credentials of the users who are (active) members of the group ΓÇô that includes Authentication Administrators, Helpdesk Administrators, User Administrators, etc.
-To learn more about Azure AD built-in roles and their permissions, see [Azure AD built-in roles](../roles/permissions-reference.md).
+- **Role-assignable groups** - only the Global Administrator, Privileged Role Administrator, or the group Owner can manage the group. Also, no other users can change the credentials of the users who are (active) members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.
+- **Non-role-assignable groups** - various Azure AD roles can manage these groups ΓÇô that includes Exchange Administrators, Groups Administrators, User Administrators, etc. Also, various roles Azure AD roles can change the credentials of the users who are (active) members of the group ΓÇô that includes Authentication Administrators, Helpdesk Administrators, User Administrators, etc.
-One Azure AD tenant can have up to 500 role-assignable groups. To learn more about Azure AD service limits and restrictions, see [Azure AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md).
+To learn more about Entra ID built-in roles and their permissions, see [Azure AD built-in roles](../roles/permissions-reference.md).
Azure AD role-assignable group feature is not part of Azure AD Privileged Identity Management (Azure AD PIM). For more information on licensing, see [Microsoft Entra ID Governance licensing fundamentals](../../active-directory/governance/licensing-fundamentals.md) . ## Relationship between role-assignable groups and PIM for Groups
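Review bot: The removed line "One Azure AD tenant can have up to 500 role-assignable groups..." has no replacement in this hunk, so the link to "../enterprise-users/directory-service-limits-restrictions.md" is lost and the 500-group limit now survives only in the IMPORTANT note further down the file. Consider keeping that sentence (with the product rename) after the new bullets. Also: the new heading uses bare "Entra ID" while the intro paragraph uses "Microsoft Entra ID", and the second bullet carries over the pre-existing typo "various roles Azure AD roles" (should be "various Azure AD roles"); since these lines are being touched, fix both.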
-Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Azure AD security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group does not have to be role-assignable group to be enabled in PIM for Groups.
+Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Entra ID security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group doesn't have to be role-assignable group to be enabled in PIM for Groups.
-If you want to assign Azure AD role to a group, it has to be role-assignable. Even if you do not intend to assign Azure AD role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have ΓÇô see [ΓÇ£What are Azure AD role-assignable groups?ΓÇ¥](#what-are-azure-ad-role-assignable-groups) in the section above.
+If you want to assign an Entra ID role to a group, it has to be role-assignable. Even if you don't intend to assign an Entra ID role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have ΓÇô see [ΓÇ£What are Entra ID role-assignable groups?ΓÇ¥](#what-are-entra-id-role-assignable-groups) in the section above.
-Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.
+>[!IMPORTANT]
+> Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.
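Review bot: The rewritten sentence "The group doesn't have to be role-assignable group" is missing the article "a" ("doesn't have to be a role-assignable group"). The IMPORTANT note that replaces the plain paragraph has the same omission in "had to be role-assignable group".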
-## Making group of users eligible for Azure AD role
+## Making group of users eligible for Entra ID role
+
+There are two ways to make a group of users eligible for Entra ID role:
-There are two ways to make a group of users eligible for Azure AD role:
1. Make active assignments of users to the group, and then assign the group to a role as eligible for activation. 2. Make active assignment of a role to a group and assign users to be eligible to group membership.
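Review bot: "eligible for Entra ID role" in the renamed heading and in the sentence below it is missing the article "an" ("eligible for an Entra ID role"), and "Entra ID" should be "Microsoft Entra ID" to match the intro paragraph of this file.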
-To provide a group of users with just-in-time access to Azure AD directory roles with permissions in SharePoint, Exchange, or Security & Microsoft Purview compliance portal (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation (Option #1 above). If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.
+To provide a group of users with just-in-time access to Azure AD roles with permissions in SharePoint, Exchange, or Security & Microsoft Purview compliance portal (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation (Option #1 above). If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.
## Privileged Identity Management and group nesting
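Review bot: This changed line reverts to "Azure AD roles" (and "Azure AD directory roles" to "Azure AD roles") while the heading two lines above was just renamed to "Entra ID role"; apply the product rename consistently within the section, or leave both as "Azure AD" if the rename is deferred. Otherwise the guidance itself (prefer option 1 for SharePoint, Exchange and Purview roles) is unchanged and reads correctly.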
-In Azure AD, role-assignable groups canΓÇÖt have other groups nested inside them. To learn more, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). This is applicable to active membership: one group cannot be an active member of another group that is role-assignable.
+In Entra ID, role-assignable groups canΓÇÖt have other groups nested inside them. To learn more, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). This is applicable to active membership: one group can't be an active member of another group that is role-assignable.
One group can be an eligible member of another group, even if one of those groups is role-assignable.
-If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation will be only for the user that requested the activation for, it does not mean that the entire Group A becomes an active member of Group B.
+If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation is only for the user that requested the activation for, it doesn't mean that the entire Group A becomes an active member of Group B.
## Privileged Identity Management and app provisioning (Public Preview)
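Review bot: The rewritten nesting sentence still has a dangling "for" and a comma splice: "This activation is only for the user that requested the activation for, it doesn't mean...". Suggest: "This activation applies only to the user who requested it; it doesn't mean that the entire Group A becomes an active member of Group B."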
active-directory Groups Activate Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-activate-roles.md
Title: Activate your group membership or ownership in Privileged Identity Manage
description: Learn how to activate your group membership or ownership in Privileged Identity Management (PIM). documentationcenter: ''-+ na Previously updated : 6/7/2023- Last updated : 09/12/2023+
# Activate your group membership or ownership in Privileged Identity Management
-In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to have just-in-time membership in the group or just-in-time ownership of the group.
+You can use Privileged Identity Management (PIM) In Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), to have just-in-time membership in the group or just-in-time ownership of the group.
This article is for eligible members or owners who want to activate their group membership or ownership in PIM.
This article is for eligible members or owners who want to activate their group
## Activate a role - When you need to take on a group membership or ownership, you can request activation by using the **My roles** navigation option in PIM. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
When you need to take on a group membership or ownership, you can request activa
1. If necessary, specify a custom activation start time. The membership or ownership is to be activated only after the selected time.
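Review bot: "In" is capitalized mid-sentence in the new intro ("(PIM) In Microsoft Entra ID"). Suggest: "You can use Privileged Identity Management (PIM) in Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), to have just-in-time membership ...". Separately, the unchanged step 1 under "Activate a role" tells the reader to sign in "as at least a Privileged role administrator", which contradicts the line above saying this article is for eligible members or owners activating their own membership or ownership; that prerequisite should be checked while this file is being edited.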
-1. Depending on the groupΓÇÖs setting, justification for activation may be required. If required, provide it in the **Reason** box.
+1. Depending on the groupΓÇÖs setting, justification for activation may be required. If needed, provide the justification in the **Reason** box.
:::image type="content" source="media/pim-for-groups/pim-group-7.png" alt-text="Screenshot of where to provide a justification in the Reason box." lightbox="media/pim-for-groups/pim-group-7.png":::
If the [role requires approval](pim-resource-roles-approval-workflow.md) to acti
## View the status of your requests
-You can view the status of your pending requests to activate. It is specifically important when your requests undergo approval of another person.
+You can view the status of your pending requests to activate. It is important when your requests undergo approval of another person.
1. Sign in to the [Azure portal](https://portal.azure.com).
You can view the status of your pending requests to activate. It is specifically
1. For the request that you want to cancel, select **Cancel**.
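Review bot: "It is important when your requests undergo approval of another person" is still awkward after the edit. Suggest: "This is especially useful when your request requires approval by another person." Also, step 1 in this section still says "Sign in to the Azure portal" while the earlier steps in this file were moved to the Microsoft Entra admin center.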
-When you select **Cancel**, the request will be canceled. To activate the role again, you will have to submit a new request for activation.
+When you select **Cancel**, the request is canceled. To activate the role again, you have to submit a new request for activation.
## Next steps
active-directory Groups Approval Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-approval-workflow.md
Title: Approve activation requests for group members and owners description: Learn how to approve activation requests for group members and owners in Azure AD Privileged Identity Management (PIM). -+ na Previously updated : 6/7/2023- Last updated : 09/12/2023+
# Approve activation requests for group members and owners
-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), which is part of Microsoft Entra, you can configure activation of group membership and ownership to require approval. You can also choose users or groups from your Azure AD organization as delegated approvers.
+With Privileged Identity Management (PIM) and Entra ID (Previously known as Azure AD), you can configure activation of group membership and ownership to require approval. You can also choose users or groups from your Azure AD organization as delegated approvers.
We recommend that you select two or more approvers for each group. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, the eligible user must resubmit a new request. The 24-hour approval time window isn't configurable.
As a delegated approver, you receive an email notification when an Azure resourc
1. Select **Confirm**. Your approval generates an Azure notification.
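Review bot: The new intro "With Privileged Identity Management (PIM) and Entra ID (Previously known as Azure AD)" reads as if PIM and Entra ID were two separate products, capitalizes "Previously" inside the parentheses, drops "Microsoft" from the product name, and the same sentence still says "your Azure AD organization". Suggest: "With Privileged Identity Management (PIM) in Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), you can configure activation of group membership and ownership to require approval. You can also choose users or groups from your Microsoft Entra organization as delegated approvers."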
- :::image type="content" source="media/pim-for-groups/pim-group-10.png" alt-text="Screenshot that shows an Azure notification that's generated by your approval." lightbox="media/pim-for-groups/pim-group-10.png":::
+ :::image type="content" source="media/pim-for-groups/pim-group-10.png" alt-text="Screenshot that shows what an Azure notification generated by your approval looks like." lightbox="media/pim-for-groups/pim-group-10.png":::
## Deny requests
As a delegated approver, you receive an email notification when an Azure resourc
Here's some information about workflow notifications: -- Approvers are notified by email when a request for a group assignment is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
+- Approvers receive notifications by email when a request for a group assignment is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
- Requests are resolved by the first approver who approves or denies. - When an approver responds to the request, all approvers are notified of the action.
active-directory Groups Assign Member Owner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md
Title: Assign eligibility for a group in Privileged Identity Management
description: Learn how to assign eligibility for a group in Privileged Identity Management. documentationcenter: ''-+ na Previously updated : 6/7/2023- Last updated : 09/12/2023+
# Assign eligibility for a group in Privileged Identity Management
-In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group.
+In Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group.
When a membership or ownership is assigned, the assignment:
When a membership or ownership is assigned, the assignment:
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Follow these steps to make a user eligible member or owner of a group. You will need permissions to manage groups. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).
+Follow these steps to make a user eligible member or owner of a group. You'll need permissions to manage groups. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).
> [!NOTE] > Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable M365 groups) and administrators with assignments scoped at administrative unit level can manage groups through Groups API/UX and override changes made in Azure AD PIM.
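Review bot: "make a user eligible member or owner of a group" is missing an article ("an eligible member or owner"); since this line is being touched for the contraction change, fix it here and in the identical paragraph in the next section of this file.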
Follow these steps to make a user eligible member or owner of a group. You will
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Follow these steps to update or remove an existing role assignment. You will need permissions to manage groups. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).
+Follow these steps to update or remove an existing role assignment. You'll need permissions to manage groups. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).
> [!NOTE] > Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable M365 groups) and administrators with assignments scoped at administrative unit level can manage groups through Groups API/UX and override changes made in Azure AD PIM.
active-directory Groups Audit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-audit.md
Title: Audit activity history for group assignments in Privileged Identity Manag
description: View activity and audit activity history for group assignments in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 6/7/2023- Last updated : 09/12/2023+ # Audit activity history for group assignments in Privileged Identity Management
-With Privileged Identity Management (PIM), you can view activity, activations, and audit history for group membership or ownership changes done through PIM for groups within your organization in Azure Active Directory (Azure AD), part of Microsoft Entra.
+When working with your organization's groups in Privileged Identity Management (PIM), you can view activity, activations, and audit history for Entra ID (Azure AD) group membership or ownership changes.
> [!NOTE] > If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](../../lighthouse/overview.md), role assignments authorized by that service provider won't be shown here.
Follow these steps to view the audit history for groups in Privileged Identity M
## View resource audit history - **Resource audit** gives you a view of all activity associated with groups in PIM. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
active-directory Groups Discover Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-discover-groups.md
Title: Bring groups into Privileged Identity Management
description: Learn how to bring groups into Privileged Identity Management. documentationcenter: ''-+ na Previously updated : 6/7/2023- Last updated : 09/12/2023+ # Bring groups into Privileged Identity Management
-In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group. Groups can be used to provide access to Azure AD Roles, Azure roles, and various other scenarios. To manage an Azure AD group in PIM, you must bring it under management in PIM.
+In Entra ID (Azure AD), you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group. Groups can be used to provide access to Azure AD Roles, Azure roles, and various other scenarios. To manage an Azure AD group in PIM, you must bring it under management in PIM.
## Identify groups to manage [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Before you will start, you need an Azure AD Security group or Microsoft 365 group. To learn more about group management in Azure AD, see [Manage Azure Active Directory groups and group membership](../fundamentals/how-to-manage-groups.md).
+Before starting, you need an Entra ID Security group or Microsoft 365 group. To learn more about group management in Azure AD, see [Manage Azure Active Directory groups and group membership](../fundamentals/how-to-manage-groups.md).
Dynamic groups and groups synchronized from on-premises environment cannot be managed in PIM for Groups.
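Review bot: the `+` lines in this hunk replace "Azure Active Directory (Azure AD), part of Microsoft Entra" with "Entra ID (Azure AD)", which is not the product name (it is "Microsoft Entra ID"), and the rename is only half applied: the same paragraphs still say "Azure AD Roles", "Azure AD group" and "group management in Azure AD". Either keep the previous wording throughout or switch the whole paragraph to "Microsoft Entra ID (formerly Azure AD)" on first use and "Microsoft Entra" roles/groups after that. The "Before you will start" → "Before starting" fix is good.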
active-directory Groups Renew Extend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-renew-extend.md
Title: Extend or renew PIM for groups assignments
description: Learn how to extend or renew PIM for groups assignments. documentationcenter: ''-+
na
Last updated 6/7/2023-+ # Extend or renew PIM for groups assignments
-Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for group membership and ownership. Administrators can assign start and end date-time properties for group membership and ownership. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
+Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for group membership and ownership. Administrators can assign start and end date-time properties for group membership and ownership. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access isn't extended.
## Who can extend and renew
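Review bot: the `+` line keeps "Azure Active Directory (Azure AD), part of Microsoft Entra" while the groups-discover-groups and groups-role-settings changes in this same batch switch the equivalent sentence to "Entra ID (Azure AD)"; the batch should settle on one form for the product name. The "is not" → "isn't" change itself is fine.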
active-directory Groups Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-role-settings.md
Title: Configure PIM for Groups settings
description: Learn how to configure PIM for Groups settings. documentationcenter: ''-+ na Previously updated : 6/7/2023- Last updated : 09/12/2023+ # Configure PIM for Groups settings
-In Privileged Identity Management (PIM) for groups in Azure Active Directory (Azure AD), which is part of Microsoft Entra, role settings define membership or ownership assignment properties. These properties include multifactor authentication and approval requirements for activation, assignment maximum duration, and notification settings. This article shows you how to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.
+In Privileged Identity Management (PIM) for groups in Entra ID (Azure AD), role settings define membership or ownership assignment properties. These properties include multifactor authentication and approval requirements for activation, assignment maximum duration, and notification settings. This article shows you how to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.
You need group management permissions to manage settings. For role-assignable groups, you must have a Global Administrator or Privileged Role Administrator role or be an owner of the group. For non-role assignable groups, you must have a Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, or User Administrator role or be an owner of the group. Role assignments for administrators should be scoped at directory level (not at the administrative unit level).
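Review bot: as in the groups-discover-groups hunk, "Entra ID (Azure AD)" in the `+` line is not the product name; use "Microsoft Entra ID (formerly Azure AD)" or leave the original "Azure Active Directory (Azure AD), which is part of Microsoft Entra" in place so the batch is consistent.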
active-directory Pim Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-apis.md
Title: API concepts in Privileged Identity management
description: Information for understanding the APIs in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 04/18/2022- Last updated : 09/12/2023+
Find more details about APIs that allow to manage assignments in the documentati
- [PIM for Azure AD roles API reference](/graph/api/resources/privilegedidentitymanagementv3-overview) - [PIM for Azure resource roles API reference](/rest/api/authorization/privileged-role-eligibility-rest-sample) - [PIM for Groups API reference](/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview)-- [PIM Alerts for Azure AD Roles API reference](/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-beta#building-blocks-of-the-pim-alerts-apis)
+- [PIM Alerts for Azure AD Roles API reference](/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-beta#building-blocks-of-the-pim-alerts-apis&preserve-view=true)
- [PIM Alerts for Azure Resources API reference](/rest/api/authorization/role-management-alert-rest-sample)
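Review bot: the `+` line appends `&preserve-view=true` after the `#building-blocks-of-the-pim-alerts-apis` fragment, so it becomes part of the fragment instead of a query parameter and the beta view will not be preserved when the link is followed. Query parameters must come before the fragment: `/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-beta&preserve-view=true#building-blocks-of-the-pim-alerts-apis`.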
There have been several iterations of the PIM API over the past few years. You'l
### Iteration 1 ΓÇô Deprecated
-Under the /beta/privilegedRoles endpoint, Microsoft had a classic version of the PIM API which only supported Azure AD roles and is no longer supported. Access to this API was deprecated in June 2021.
+Under the /beta/privilegedRoles endpoint, Microsoft had a classic version of the PIM API, which only supported Azure AD roles and is no longer supported. Access to this API was deprecated in June 2021.
### Iteration 2 ΓÇô Supports Azure AD roles and Azure resource roles
active-directory Pim Approval Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-approval-workflow.md
Title: Approve or deny requests for Azure AD roles in PIM
description: Learn how to approve or deny requests for Azure AD roles in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: ''
na Previously updated : 05/11/2023- Last updated : 09/12/2023+
With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD),
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-As a delegated approver, you'll receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.
+As a delegated approver, you receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
active-directory Pim Complete Roles And Resource Roles Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-complete-roles-and-resource-roles-review.md
Title: Complete an access review of Azure resource and Azure AD roles in PIM
description: Learn how to complete an access review of Azure resource and Azure AD roles Privileged Identity Management. documentationcenter: ''-+ editor: ''
na Previously updated : 5/11/2023- Last updated : 09/12/2023+
On the detail page, the following options are available for managing the review
### Stop an access review
-All access reviews have an end date, but you can use the **Stop** button to finish it early. The **Stop** button is only selectable when the review instance is active. You cannot restart a review after it's been stopped.
+All access reviews have an end date, but you can use the **Stop** button to finish it early. The **Stop** button is only selectable when the review instance is active. You can't restart a review after it's been stopped.
### Reset an access review
When the review instance is active and at least one decision has been made by re
### Apply an access review
-After an access review is completed, either because you've reached the end date or stopped it manually, the **Apply** button removes denied users' access to the role. If a user's access was denied during the review, this is the step that will remove their role assignment. If the **Auto apply** setting is configured on review creation, this button will always be disabled because the review will be applied automatically instead of manually.
+After an access review is completed, either because you've reached the end date or stopped it manually, the **Apply** button removes denied users' access to the role. If a user's access was denied during the review, this is the step that removes their role assignment. If the **Auto apply** setting is configured on review creation, this button will always be disabled because the review will be applied automatically instead of manually.
### Delete an access review
-If you are not interested in the review any further, delete it. To remove the access review from the Privileged Identity Management service, select the **Delete** button.
+If you aren't interested in the review any further, delete it. To remove the access review from the Privileged Identity Management service, select the **Delete** button.
> [!IMPORTANT] > You will not be required to confirm this destructive change, so verify that you want to delete that review.
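Review bot: the `+` line for "Apply an access review" changes "will remove" to "removes" but leaves "this button will always be disabled because the review will be applied automatically" in the same sentence, so the future-tense cleanup this batch is doing is incomplete there; suggest "this button is always disabled because the review is applied automatically". The unchanged IMPORTANT note below ("You will not be required to confirm") could get the same treatment ("You aren't asked to confirm") while the file is open.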
active-directory Pim Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-configure.md
Title: What is Privileged Identity Management?
description: Provides an overview of Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 11/4/2022- Last updated : 09/12/2023+
Organizations want to minimize the number of people who have access to secure in
However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Azure AD resources and can oversee what those users are doing with their privileged access. ## License requirements+ [!INCLUDE [entra-id-license-pim.md](../../../includes/entra-id-license-pim.md)]
Privileged Identity Management provides time-based and approval-based role activ
## What can I do with it?
-Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you'll choose between options such as managing **Azure AD roles**, managing **Azure resource** roles, or PIM for Groups. When you choose what you want to manage, you see the appropriate set of options for that option.
+Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you can choose between options such as managing **Azure AD roles**, managing **Azure resource** roles, or PIM for Groups. When you choose what you want to manage, you see the appropriate set of options for that option.
![Screenshot of Privileged Identity Management in the Azure portal.](./media/pim-configure/pim-quickstart.png)
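Review bot: the `+` line changes the second "you'll choose" to "you can choose" but keeps "you'll see" at the start of the same sentence, so the tense cleanup is inconsistent within one line; suggest "you see **Tasks**, **Manage**, and **Activity** options". The closing "you see the appropriate set of options for that option" also reads awkwardly; "for that selection" avoids the repeated word.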
To better understand Privileged Identity Management and its documentation, you s
| active | Type | A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role. | | activate | | The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. | | assigned | State | A user that has an active role assignment. |
-| activated | State | A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a pre-configured period of time before they need to activate again. |
+| activated | State | A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate again. |
| permanent eligible | Duration | A role assignment where a user is always eligible to activate the role. | | permanent active | Duration | A role assignment where a user can always use the role without performing any actions. | | time-bound eligible | Duration | A role assignment where a user is eligible to activate the role only within start and end dates. |
The following screenshot shows how members activate their role to a limited time
![Screenshot of Privileged Identity Management role activation.](./media/pim-configure/role-activation.png)
-If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification will appear in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.
+If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification appears in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.
For more information, check out the following articles: [Activate Azure AD roles](pim-how-to-activate-role.md), [Activate my Azure resource roles](pim-resource-roles-activate-your-roles.md), and [Activate my PIM for Groups roles](groups-activate-roles.md) ### Approve or deny
-Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they'll be able to manage that particular resource group.
+Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they are able to manage that particular resource group.
For more information, check out the following articles: [Approve or deny requests for Azure AD roles](./pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for PIM for Groups](groups-approval-workflow.md)
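Review bot: the `+` line keeps "assigned with Contribution role to a resource group", but the Azure built-in role is "Contributor", and "assigned with" is not idiomatic; since this sentence is already being edited, change it to "if a user or a group is assigned the Contributor role on a resource group, they can manage that resource group".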
Some organizations use tools like Azure AD business-to-business (B2B) collaborat
### Activate multiple role assignments in one request
-With the PIM for Groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Before today it would require four consecutive requests, which are a process that takes some time. Instead, you can create a role assignable group called ΓÇ£Tier 3 Office AdminsΓÇ¥, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When the admins elevate into the group, theyΓÇÖll become members of all four Azure AD roles.
+With the PIM for Groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Before today it would require four consecutive requests, which are a process that takes some time. Instead, you can create a role assignable group called ΓÇ£Tier 3 Office AdminsΓÇ¥, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When an admin elevates into the group, they become members of all four Azure AD roles.
## Invite guest users and assign Azure resource roles in Privileged Identity Management
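Review bot: the `+` line fixes only the last sentence and leaves "which are a process that takes some time" (should be "which is a process that takes some time") and "Before today it would require four consecutive requests", which reads as dated in an evergreen article ("Previously, this required four separate requests"). Worth fixing in the same change since the whole paragraph is already in the diff.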
active-directory Pim Create Roles And Resource Roles Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review.md
Title: Create an access review of Azure resource and Azure AD roles in PIM
description: Learn how to create an access review of Azure resource and Azure AD roles in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 5/11/2023- Last updated : 09/12/2023+
active-directory Pim Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-deployment-plan.md
Title: Plan a Privileged Identity Management deployment
description: Learn how to deploy Privileged Identity Management (PIM) in your Azure AD organization. documentationcenter: ''-+ editor: '' Previously updated : 2/3/2023- Last updated : 09/12/2023+
You can assign the following to these roles or groups:
* **Users**- To get just-in-time access to Azure AD roles, Azure roles, and PIM for Groups.
-* **Groups**- Anyone in a group to get just-in-time access to Azure AD roles and Azure roles. For Azure AD roles, the group must be a newly created cloud group thatΓÇÖs marked as assignable to a role while for Azure roles, the group can be any Azure AD security group. We do not recommend assigning/nesting a group to a PIM for Groups.
+* **Groups**- Anyone in a group to get just-in-time access to Azure AD roles and Azure roles. For Azure AD roles, the group must be a newly created cloud group thatΓÇÖs marked as assignable to a role while for Azure roles, the group can be any Azure AD security group. We don't recommend assigning/nesting a group to a PIM for Groups.
> [!NOTE] >You cannot assign service principals as eligible to Azure AD roles, Azure roles, and PIM for Groups but you can grant a time limited active assignment to all three.
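Review bot: "We don't recommend assigning/nesting a group to a PIM for Groups" in the `+` line is unclear about what "a PIM for Groups" refers to; suggest "We don't recommend nesting a group inside a group that is managed by PIM for Groups". The unchanged NOTE that follows still uses "You cannot" and is missing a space after `>`, so it could be aligned with the contraction style used elsewhere in this batch.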
At each stage of your deployment ensure that you are evaluating that the results
### Plan communications
-Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
+Communication is critical to the success of any new service. Proactively communicate with your users how their experience changes, when it changes, and how to gain support if they experience issues.
Set up time with your internal IT support to walk them through the PIM workflow. Provide them with the appropriate documentations and your contact information.
The following table shows an example test case:
| | | | |Global Administrator| <li> Require MFA <br><li> Require Approval <br><li> Approver receives notification and can approve <br><li> Role expires after preset time|
-For both Azure AD and Azure resource role, make sure that youΓÇÖve users represented who will take those roles. In addition, consider the following roles when you test PIM in your staged environment:
+For both Azure AD and Azure resource role, make sure that you have users represented who will take those roles. In addition, consider the following roles when you test PIM in your staged environment:
| Roles| Azure AD roles| Azure Resource roles| PIM for Groups | | | | | |
A delegated approver receives an email notification when a request is pending fo
[View audit history for all role assignments and activations](pim-how-to-use-audit-log.md) within past 30 days for Azure AD roles. You can access the audit logs if you are a Global Administrator or a privileged role administrator.
-**We recommend** youΓÇÖve at least one administrator read through all audit events on a weekly basis and export your audit events on a monthly basis.
+**We recommend** you have at least one administrator read through all audit events on a weekly basis and export your audit events on a monthly basis.
### Security alerts for Azure AD roles
-[Configure security alerts for the Azure AD roles](pim-how-to-configure-security-alerts.md) which will trigger an alert in case of suspicious and unsafe activity.
+[Configure security alerts for the Azure AD roles](pim-how-to-configure-security-alerts.md) which triggers an alert in case of suspicious and unsafe activity.
## Plan and implement PIM for Azure Resource roles
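Review bot: in the `+` line, "which triggers an alert" no longer agrees with the plural "security alerts" it refers to; the original "which will trigger" masked the agreement problem, and "alerts which trigger an alert" is circular either way. Suggest "[Configure security alerts for the Azure AD roles](pim-how-to-configure-security-alerts.md) to be notified of suspicious and unsafe activity." The same sentence is repeated in the Azure resource roles section below and should get the same fix.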
When these important events occur in Azure resource roles, PIM sends [email noti
### Security alerts for Azure Resource roles
-[Configure security alerts for the Azure resource roles](pim-resource-roles-configure-alerts.md) which will trigger an alert in case of any suspicious and unsafe activity.
+[Configure security alerts for the Azure resource roles](pim-resource-roles-configure-alerts.md) which triggers an alert in case of any suspicious and unsafe activity.
## Plan and implement PIM for PIM for Groups
Follow these tasks to prepare PIM to manage PIM for Groups.
### Discover PIM for Groups
-It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They will have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.
+It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.
In this case, you should use PIM for Groups. Create a PIM for Groups and grant it permanent active access to multiple roles. See [Privileged Identity Management (PIM) for Groups (preview)](concept-pim-for-groups.md).
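Review bot: the `+` line for Azure resource roles has the same agreement problem as the Azure AD roles sentence above ("which triggers" after the plural "security alerts"); reword to "to be notified of any suspicious and unsafe activity". While this region is in the diff, the unchanged heading "Plan and implement PIM for PIM for Groups" and the sentence "Create a PIM for Groups and grant it permanent active access" read as doubled or incomplete; "Plan and implement PIM for Groups" and "Create a group managed by PIM for Groups" would be clearer.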
The following table shows example settings:
| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration | | | | | | | | |||
-| Owner| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the resource| 1 Hour| None| n/a| 3 months |
-| Member| :heavy_check_mark:| :heavy_check_mark:| :x:| None| 5 Hour| None| n/a| 3 months |
+| Owner| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the resource| One Hour| None| n/a| Three months |
+| Member| :heavy_check_mark:| :heavy_check_mark:| :x:| None| Five Hours| None| n/a| 3 months |
### Assign eligibility for PIM for Groups
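Review bot: the two `+` table rows are inconsistent with each other: the Owner row is changed to "Three months" but the Member row keeps "3 months", and "One Hour" / "Five Hours" capitalize the unit mid-cell. Use the same form in both rows ("Three months" in both, and "One hour" / "Five hours", or keep the numerals throughout).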
You can [assign eligibility to members or owners of the PIM for Groups.](groups-
![Diagram of assign eligibility for PIM for Groups.](media/pim-deployment-plan/pim-for-groups.png)
-When group assignment nears its expiration, use [PIM to extend or renew the group assignment](groups-renew-extend.md). YouΓÇÖll require an approval from the group owner.
+When group assignment nears its expiration, use [PIM to extend or renew the group assignment](groups-renew-extend.md). This operation requires group owner approval.
### Approve or deny PIM activation request
active-directory Pim Email Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-email-notifications.md
Title: Email notifications in Privileged Identity Management (PIM)
description: Describes email notifications in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ na Previously updated : 10/07/2021- Last updated : 09/13/2023+
# Email notifications in PIM
-Privileged Identity Management (PIM) lets you know when important events occur in your Azure Active Directory (Azure AD) organization, such as when a role is assigned or activated. Privileged Identity Management keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such activating or renewing a role. This article describes what these emails look like, when they are sent, and who receives them.
+Privileged Identity Management (PIM) lets you know when important events occur in your Entra ID (Previously known as Azure AD) organization, such as when a role is assigned or activated. Privileged Identity Management keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such activating or renewing a role. This article describes what these emails look like, when they are sent, and who receives them.
>[!NOTE] >One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
These emails include a **PIM** prefix in the subject line. Here's an example:
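Review bot: the `+` line introduces "Entra ID (Previously known as Azure AD)"; "Previously" should not be capitalized inside the parentheses, and the product name is "Microsoft Entra ID", so this should read "Microsoft Entra ID (formerly Azure AD) organization". The same sentence also still contains the pre-existing typo "such activating or renewing a role" (missing "as"), which is worth fixing in the same edit.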
## Email timing for activation approvals
-When users activate their role and the role setting requires approval, approvers will receive two emails for each approval:
+When users activate their role and the role setting requires approval, approvers receive two emails for each approval:
- Request to approve or deny the user's activation request (sent by the request approval engine) - The user's request is approved (sent by the request approval engine)
Also, Global Administrators and Privileged Role Administrators receive an email
- The user's role is activated (sent by Privileged Identity Management)
-The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be much longer, up to fifteen minutes.
+The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be longer, up to fifteen minutes.
-If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if the they didn't get an email but it's the expected behavior.
+If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if they didn't get an email but it's the expected behavior.
## Notifications for Azure AD roles
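Review bot: the `+` line about email delay keeps "for 1% customers", which is missing "of" ("for 1% of customers"). Dropping "much" from "much longer" is fine, but "three to ten minutes" and "fifteen minutes" are stated as current behaviour ("Currently"), so consider whether these timings are still accurate before re-publishing them.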
active-directory Pim Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-getting-started.md
Title: Start using PIM
description: Learn how to enable and get started using Privileged Identity Management (PIM) in the Microsoft Entra admin center. documentationcenter: ''-+ editor: ''
Previously updated : 10/07/2021- Last updated : 09/13/2023+
This article describes how to enable Privileged Identity Management (PIM) and get started using it.
-Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Microsoft 365 or Microsoft Intune.
+Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Entra ID (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Microsoft 365 or Microsoft Intune.
## Prerequisites
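Review bot: the `+` line uses "Entra ID (Azure AD) organization", the same non-standard product name as in the groups articles of this batch; use "Microsoft Entra ID (formerly Azure AD)" here too so the rename is applied consistently.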
Once Privileged Identity Management is set up, you can learn your way around.
| **Azure AD roles** | Displays a dashboard and settings for Privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization. | | **Azure resources** | Displays a dashboard and settings for Privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization. |
-## Add a PIM tile to the dashboard
--
-To make it easier to open Privileged Identity Management, add a PIM tile to your Microsoft Entra admin center dashboard.
-
-1. Sign in to the [Microsoft Entra admin center all services page](https://entra.microsoft.com/#allservices/category/All)
-
-1. Find the **Azure AD Privileged Identity Management** service.
-
- ![Azure AD Privileged Identity Management in All services](./media/pim-getting-started/pim-all-services-find.png)
-
-1. Select the Privileged Identity Management **Quick start**.
-
-1. Select **Pin blade to dashboard** to pin the Privileged Identity Management **Quick start** page to the dashboard.
-
- ![Pushpin icon to pin Privileged Identity Management page to dashboard](./media/pim-getting-started/pim-quickstart-pin-to-dashboard.png)
-
- On the Azure dashboard, you'll see a tile like this:
-
- ![Privileged Identity Management Quick start tile on dashboard](./media/pim-getting-started/pim-quickstart-dashboard-tile.png)
## Next steps
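Review bot: the removed "Add a PIM tile to the dashboard" section leaves three images under `./media/pim-getting-started/` (`pim-all-services-find.png`, `pim-quickstart-pin-to-dashboard.png`, `pim-quickstart-dashboard-tile.png`) with no remaining references in this file, and any links to the `#add-a-pim-tile-to-the-dashboard` anchor from other articles will now silently land at the top of the page. Please delete the orphaned images in the same change and check the repo for inbound links to that anchor.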
active-directory Pim How To Activate Role https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md
Title: Activate Azure AD roles in PIM
description: Learn how to activate Azure AD roles in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 3/15/2023- Last updated : 09/13/2023+ # Activate an Azure AD role in PIM
-Azure Active Directory (Azure AD) Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Microsoft 365 or Microsoft Intune.
+Microsoft Entra Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Microsoft 365 or Microsoft Intune.
If you have been made *eligible* for an administrative role, then you must *activate* the role assignment when you need to perform privileged actions. For example, if you occasionally manage Microsoft 365 features, your organization's privileged role administrators might not make you a permanent Global Administrator, since that role impacts other services, too. Instead, they would make you eligible for Azure AD roles such as Exchange Online Administrator. You can request to activate that role when you need its privileges, and then you'll have administrator control for a predetermined time period.
This article is for administrators who need to activate their Azure AD role in P
## Activate a role - When you need to assume an Azure AD role, you can request activation by opening **My roles** in Privileged Identity Management. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
Content-Type: application/json
You can view the status of your pending requests to activate.
-1. Open Azure AD Privileged Identity Management.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
+
+1. Browse to **Identity governance** > **Privileged Identity Management** > **My requests**.
-1. Select **My requests** to see a list of your Azure AD role and Azure resource role requests.
+1. When you select **My requests** you see a list of your Azure AD role and Azure resource role requests.
![My requests - Azure AD page showing your pending requests](./media/pim-how-to-activate-role/my-requests-page.png)
You can view the status of your pending requests to activate.
If you don't require activation of a role that requires approval, you can cancel a pending request at any time.
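Review bot: The added step `+1. When you select **My requests** you see a list of your Azure AD role and Azure resource role requests.` no longer reads as an instruction: the step immediately above already browses to **My requests**, so this becomes a numbered step that repeats the previous one, and the introductory clause is missing its comma. Suggest folding it into the navigation step as a description, e.g. `1. Browse to **Identity governance** > **Privileged Identity Management** > **My requests**. The page lists your Azure AD role and Azure resource role requests.`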
-1. Open Azure AD Privileged Identity Management.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
-1. Select **My requests**.
+1. Browse to **Identity governance** > **Privileged Identity Management** > **My requests**.
1. For the role that you want to cancel, select the **Cancel** link.
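Review bot: Both replaced sign-in steps in this article (view pending requests, cancel a pending request) now say `as at least a [Privileged role administrator]`, which overstates the prerequisite and conflicts with the article's own framing: the introduction addresses users who have been made *eligible* for a role, and a user who holds only an eligible assignment is exactly the person who views or cancels their own request, yet would not meet this requirement as written. Stating a higher role than the task needs encourages over-privileging; suggest `1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).` without a role requirement, as the "Configure Azure resource role settings" article further down already does.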
active-directory Pim How To Add Role To User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
Title: Assign Azure AD roles in PIM
description: Learn how to assign Azure AD roles in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 02/02/2022- Last updated : 09/13/2023+
Privileged Identity Management support both built-in and custom Azure AD roles.
## Assign a role - Follow these steps to make a user eligible for an Azure AD admin role. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator).
active-directory Pim How To Change Default Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
Title: Configure Azure AD role settings in PIM
description: Learn how to configure Azure AD role settings in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: ''
Last updated 6/7/2023-+
PIM role settings are also known as PIM policies.
## Open role settings - To open the settings for an Azure AD role: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator).
On the **Notifications** tab on the **Role settings** page, Privileged Identity
>[!NOTE] >One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.+ ## Manage role settings by using Microsoft Graph To manage settings for Azure AD roles by using PIM APIs in Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicy).
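Review bot: The note text kept as context in this hunk contains the mojibake sequence `ΓÇô` twice (a UTF-8 en dash decoded as code page 437), so readers see garbage instead of a dash in "multiple recipients ΓÇô assignees, approvers, or administrators" and "exceeds 1000 ΓÇô only the first 1000". Since the hunk already touches this block, suggest replacing both with a plain dash or a comma, and tightening "notifications sent per one event" to "notifications sent per event".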
active-directory Pim How To Configure Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
Title: Security alerts for Azure AD roles in PIM
description: Configure security alerts for Azure AD roles Privileged Identity Management. documentationcenter: ''-+ editor: ''
Previously updated : 07/29/2022- Last updated : 09/13/2023+
Privileged Identity Management (PIM) generates alerts when there's suspicious or
![Screenshot that shows the alerts page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png) ## License requirements+ [!INCLUDE [entra-id-license-pim.md](../../../includes/entra-id-license-pim.md)] ## Security alerts
Severity: **Low**
## Customize security alert settings - Follow these steps to configure security alerts for Azure AD roles in Privileged Identity Management: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator).
active-directory Pim How To Renew Extend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-renew-extend.md
Title: Renew Azure AD role assignments in PIM
-description: Learn how to extend or renew Azure Active Directory role assignments in Privileged Identity Management (PIM).
+description: Learn how to extend or renew Azure Active Directory role assignments in Microsoft Entra Privileged Identity Management (PIM)
documentationcenter: ''-+ editor: ''
na Previously updated : 06/24/2022- Last updated : 09/13/2023+
# Extend or renew Azure AD role assignments in Privileged Identity Management
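Review bot: The rewritten `+description:` line drops the trailing period that the removed line had, and it now pairs "Azure Active Directory role assignments" with "Microsoft Entra Privileged Identity Management" in the same sentence, which mixes the old and new product names. Suggest restoring the period and using the form the article body adopts in this same commit, "Microsoft Entra ID (Azure AD)", so the description and the first paragraph agree.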
-Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for roles in Azure Active Directory (Azure AD), part of Microsoft Entra. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to Azure AD administrators to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
+Microsoft Entra Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for roles in Microsoft Entra ID (Azure AD). Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to Azure AD administrators to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
## Who can extend and renew?
In the following request, an administrator extends an active assignment using Mi
#### HTTP request + ````HTTP POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
After the request has been submitted, administrators are notified of a pending r
### Admin approves
-Azure AD administrators can access the renewal request from the link in the email notification, or by accessing Privileged Identity Management from the Microsoft Entra admin center and selecting **Approve requests** in PIM.
+Entra ID administrators can access the renewal request from the link in the email notification, or by accessing Privileged Identity Management from the Microsoft Entra admin center and selecting **Approve requests** in PIM.
![Azure AD roles - Approve requests page listing requests and links to approve or deny](./media/pim-how-to-renew-extend/extend-admin-approve-list.png)
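Review bot: `+Entra ID administrators can access the renewal request` uses a shortened product name that does not appear anywhere else on this page; the documented name is "Microsoft Entra ID", and the surrounding text (the intro paragraph above and the image alt text below) still says "Azure AD administrators". Suggest either "Microsoft Entra ID administrators" or leaving "Azure AD administrators" so the rename is applied consistently within the article.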
active-directory Pim How To Use Audit Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-use-audit-log.md
Title: View audit log report for Azure AD roles in Azure AD PIM
description: Learn how to view the audit log history for Azure AD roles in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ editor: '' Previously updated : 06/24/2022- Last updated : 09/13/2023+
# View audit history for Azure AD roles in Privileged Identity Management
-You can use the Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). If you want to see the full audit history of activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra, including administrator, end user, and synchronization activity, you can use the [Azure Active Directory security and activity reports](../reports-monitoring/overview-reports.md).
+You can use the Microsoft Entra Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). If you want to see the full audit history of activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra, including administrator, end user, and synchronization activity, you can use the [Azure Active Directory security and activity reports](../reports-monitoring/overview-reports.md).
Follow these steps to view the audit history for Azure AD roles.
active-directory Pim Perform Roles And Resource Roles Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md
Title: Perform an access review of Azure resource and Azure AD roles in PIM
description: Learn how to review access of Azure resource and Azure AD roles in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: ''
na Previously updated : 5/11/2023- Last updated : 09/13/2023+
If you're a privileged role administrator or global administrator interested in
## Approve or deny access - You can approve or deny access based on whether the user still needs access to the role. Choose **Approve** if you want them to stay in the role, or **Deny** if they don't need the access anymore. The users' assignment status won't change until the review closes and the administrator applies the results. Common scenarios in which certain denied users can't have results applied to them may include the following: - **Reviewing members of a synced on-premises Windows AD group**: If the group is synced from an on-premises Windows AD, the group can't be managed in Azure AD, and therefore membership can't be changed.
active-directory Pim Resource Roles Activate Your Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md
Title: Activate Azure resource roles in PIM
description: Learn how to activate your Azure resource roles in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+
na
Last updated 4/14/2023-+
# Activate my Azure resource roles in Privileged Identity Management
-Use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).
+Use Microsoft Entra Privileged Identity Management (PIM), to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).
This article is for members who need to activate their Azure resource role in Privileged Identity Management.
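Review bot: The rewritten intro has a stray comma that splits the subject from its verb: `+Use Microsoft Entra Privileged Identity Management (PIM), to allow eligible role members`. The comma was separating the removed parenthetical "part of Microsoft Entra"; with that text gone it should be removed too, giving "Use Microsoft Entra Privileged Identity Management (PIM) to allow eligible role members ...".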
When you need to take on an Azure resource role, you can request activation by u
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator).
-1. Browse to **Identity governance** > **Privileged Identity Management**.
-
-1. For information about how to add the Privileged Identity Management tile to your dashboard, see [Start using Privileged Identity Management](pim-getting-started.md).
-
-1. Select **My roles**.
+1. Browse to **Identity governance** > **Privileged Identity Management** > **My roles**.
![My roles page showing roles you can activate](./media/pim-resource-roles-activate-your-roles/resources-my-roles.png)
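Review bot: Collapsing the navigation into `+1. Browse to **Identity governance** > **Privileged Identity Management** > **My roles**.` is fine, but the sign-in step this hunk now sits under still requires "at least a Privileged Role Administrator", which does not match the article: it is titled "Activate my Azure resource roles" and the paragraph above says it is for members activating their own resource role, who hold an eligible assignment rather than a directory admin role. Suggest adjusting the sign-in step in the same change so the stated prerequisite matches the task and does not steer readers toward holding a privileged directory role they do not need.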
active-directory Pim Resource Roles Approval Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md
Title: Approve requests for Azure resource roles in PIM
description: Learn how to approve or deny requests for Azure resource roles in Privileged Identity Management (PIM). documentationcenter: ''-+ na Previously updated : 06/24/2022- Last updated : 09/14/2023+
# Approve or deny requests for Azure resource roles in Privileged Identity Management
-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure roles to require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.
+Microsoft Entra Privileged Identity Management (PIM) enables you to configure roles so that they require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window isn't configurable.
Follow the steps in this article to approve or deny requests for Azure resource roles. ## View pending requests -
-As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
+As a delegated approver, you receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
As a delegated approver, you'll receive an email notification when an Azure reso
![Approve requests - Azure resources page showing request to review](./media/pim-resource-roles-approval-workflow/resources-approve-requests.png)
- In the **Requests for role activations** section, you'll see a list of requests pending your approval.
+ In the **Requests for role activations** section, you see a list of requests pending your approval.
## Approve requests
active-directory Pim Resource Roles Assign Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
Title: Assign Azure resource roles in Privileged Identity Management
description: Learn how to assign Azure resource roles in Privileged Identity Management (PIM). documentationcenter: ''-+ na Previously updated : 07/29/2022- Last updated : 09/13/2023+ # Assign Azure resource roles in Privileged Identity Management
-With Azure AD Privileged Identity Management (Azure AD PIM), part of Microsoft Entra, you can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
+With Microsoft Entra Privileged Identity Management (PIM), you can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
- Owner - User Access Administrator
For more information, see [What is Azure attribute-based access control (Azure A
## Assign a role - Follow these steps to make a user eligible for an Azure resource role. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Access Administrator](../roles/permissions-reference.md#user-administrator).
Follow these steps to make a user eligible for an Azure resource role.
Azure AD PIM for Azure resources provides two distinct assignment types:
- - **Eligible** assignments require the member to activate the role before using it. Administrator may require role member to perform certain actions before role activation which might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
+ - **Eligible** assignments require the member to activate the role before using it. Administrator may require role member to perform certain actions before role activation, which might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
- **Active** assignments don't require the member to activate the role before usage. Members assigned as active have the privileges assigned ready to use. This type of assignment is also available to customers that don't use Azure AD PIM.
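Review bot: Adding the comma before "which might include" in the **Eligible** bullet fixes the restrictive/non-restrictive reading, but the sentence is still missing its articles: "Administrator may require role member to perform certain actions" should read "An administrator may require the role member to perform certain actions". Since the line is already being rewritten, suggest fixing both in this hunk.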
active-directory Pim Resource Roles Configure Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md
Title: Configure security alerts for Azure roles in Privileged Identity Manageme
description: Learn how to configure security alerts for Azure resource roles in Privileged Identity Management (PIM). documentationcenter: ''-+
na
Last updated 3/29/2023-+
active-directory Pim Resource Roles Configure Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
Title: Configure Azure resource role settings in PIM
description: Learn how to configure Azure resource role settings in Privileged Identity Management (PIM). documentationcenter: ''-+
na
Last updated 6/7/2023-+
To open the settings for an Azure resource role:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Identity governance** > **Privileged Identity Management** > **Approve Resources**. This page shows a list of Azure resources discovered in Privileged Identity Management. Use the **Resource type** filter to select all required resource types.
+1. Browse to **Identity governance** > **Privileged Identity Management** > **Azure Resources**. This page shows a list of Azure resources discovered in Privileged Identity Management. Use the **Resource type** filter to select all required resource types.
:::image type="content" source="media/pim-resource-roles-configure-role-settings/resources-list.png" alt-text="Screenshot that shows the list of Azure resources discovered in Privileged Identity Management." lightbox="media/pim-resource-roles-configure-role-settings/resources-list.png":::
active-directory Pim Resource Roles Custom Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-custom-role-policy.md
Title: Use Azure custom roles in PIM
description: Learn how to use Azure custom roles in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ na Previously updated : 06/27/2022- Last updated : 09/13/2023+ # Use Azure custom roles in Privileged Identity Management
-You might need to apply stricter just-in-time settings to some users in a privileged role in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra, while providing greater autonomy for others. For example, if your organization hired several contract associates to help develop an application that will run in an Azure subscription.
+You might need to apply stricter just-in-time settings to some users in a privileged role in your organization in Microsoft Entra ID (Azure AD), while providing greater autonomy for others. For example, if your organization hired several contract associates to help develop an application that will run in an Azure subscription.
As a resource administrator, you want employees to be eligible for access without requiring approval. However, all contract associates must be approved when they request access to the organization's resources.
active-directory Pim Resource Roles Discover Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-discover-resources.md
Title: Discover Azure resources to manage in PIM
description: Learn how to discover Azure resources to manage in Privileged Identity Management (PIM). documentationcenter: ''-+ na Previously updated : 06/27/2022- Last updated : 09/13/2023+
When you first set up Privileged Identity Management for Azure resources, you ne
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-You can view and manage the management groups or subscriptions to which you have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner roles. If you are not a subscription owner, but are a Global Administrator and don't see any Azure subscriptions or management groups to manage, then you can [elevate access to manage your resources](../../role-based-access-control/elevate-access-global-admin.md).
+You can view and manage the management groups or subscriptions to which you have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner roles. If you aren't a subscription owner, but are a Global Administrator and don't see any Azure subscriptions or management groups to manage, then you can [elevate access to manage your resources](../../role-based-access-control/elevate-access-global-admin.md).
## Discover resources
active-directory Pim Resource Roles Overview Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-overview-dashboards.md
Title: Resource dashboards for access reviews in PIM
description: Describes how to use a resource dashboard to perform an access review in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ editor: markwahl-msft
na Previously updated : 06/27/2022- Last updated : 09/13/2023+
active-directory Pim Resource Roles Renew Extend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-renew-extend.md
Title: Renew Azure resource role assignments in PIM
description: Learn how to extend or renew Azure resource role assignments in Privileged Identity Management (PIM). documentationcenter: ''-+ editor: ''
na Previously updated : 10/19/2021- Last updated : 09/13/2023+
# Extend or renew Azure resource role assignments in Privileged Identity Management
-Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
+Microsoft Entra Privileged Identity Management (PIM), provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
## Who can extend and renew?
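Review bot: Same stray comma as in the resource-roles activation article: `+Microsoft Entra Privileged Identity Management (PIM), provides controls` separates the subject from its verb. The comma belonged to the removed parenthetical "part of Microsoft Entra" and should go with it: "Microsoft Entra Privileged Identity Management (PIM) provides controls ...".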
When approving a request to extend role assignment, resource administrators can
### Admin initiated extension
-If a user assigned to a role doesn't request an extension for the role assignment, an administrator can extend an assignment on behalf of the user. Administrative extensions of role assignment do not require approval, but notifications are sent to all other administrators after the role has been extended.
+If a user assigned to a role doesn't request an extension for the role assignment, an administrator can extend an assignment on behalf of the user. Administrative extensions of role assignment don't require approval, but notifications are sent to all other administrators after the role has been extended.
To extend a role assignment, browse to the resource role or assignment view in Privileged Identity Management. Find the assignment that requires an extension. Then select **Extend** in the action column.
active-directory Pim Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-roles.md
Title: Roles you cannot manage in Privileged Identity Management
description: Describes the roles you cannot manage in Azure AD Privileged Identity Management (PIM). documentationcenter: ''-+ editor: ''
Previously updated : 06/27/2022- Last updated : 09/13/2023+
active-directory Pim Security Wizard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-security-wizard.md
Title: Azure AD roles Discovery and insights (preview) in Privileged Identity Ma
description: Discovery and insights (formerly Security Wizard) help you convert permanent Azure AD role assignments to just-in-time assignments with Privileged Identity Management. documentationcenter: ''-+ editor: ''
Previously updated : 07/29/2022- Last updated : 09/13/2023+
Also, keep role assignments permanent if a user has a Microsoft account (in othe
## Open Discovery and insights (preview) - 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator). 1. Browse to **Identity governance** > **Privileged Identity Management** > **Azure ad roles** >**Discovery and insights (Preview)**.
active-directory Pim Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-troubleshoot.md
As an active owner or user access administrator for an Azure resource, you are a
### Cause
-This problem can happen when the User Access Administrator role for the PIM service principal was accidentally removed from the subscription. For the Privileged Identity Management service to be able to access Azure resources, the MS-PIM service principal should always have be assigned the [User Access Administrator role](../../role-based-access-control/built-in-roles.md#user-access-administrator) over the Azure subscription.
+This problem can happen when the User Access Administrator role for the PIM service principal was accidentally removed from the subscription. For the Privileged Identity Management service to be able to access Azure resources, the MS-PIM service principal should always have the [User Access Administrator role](../../role-based-access-control/built-in-roles.md#user-access-administrator) role assigned.
### Resolution
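Review bot: The rewritten sentence duplicates the word "role" and loses the scope that the original stated: `+... the MS-PIM service principal should always have the [User Access Administrator role](...) role assigned.` renders as "User Access Administrator role role assigned", and the removed line's "over the Azure subscription" is gone, so the reader no longer learns where the assignment must exist, which matters here because the Cause paragraph is precisely about the assignment being removed from the subscription. Suggest "the MS-PIM service principal should always be assigned the [User Access Administrator role](../../role-based-access-control/built-in-roles.md#user-access-administrator) on the Azure subscription."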
active-directory Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/best-practices.md
Previously updated : 09/01/2023 Last updated : 09/14/2023
Follow these steps to help you find the right role.
1. Use the **Service** filter to narrow down the list of roles.
- ![Roles and administrators page in Azure AD with Service filter open](./media/best-practices/roles-administrators.png)
+ :::image type="content" source="media/best-practices/roles-administrators.png" alt-text="Roles and administrators page in admin center with Service filter open." lightbox="media/best-practices/roles-administrators.png":::
1. Refer to the [Azure AD built-in roles](permissions-reference.md) documentation. Permissions associated with each role are listed together for better readability. To understand the structure and meaning of role permissions, see [How to understand role permissions](privileged-roles-permissions.md#how-to-understand-role-permissions).
Follow these steps to help you find the right role.
## 2. Use Privileged Identity Management to grant just-in-time access
-One of the principles of least privilege is that access should be granted only for a specific period of time. [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) lets you grant just-in-time access to your administrators. Microsoft recommends that you enable PIM in Azure AD. Using PIM, a user can be made an eligible member of an Azure AD role where they can then activate the role for a limited time when needed. Privileged access is automatically removed when the timeframe expires. You can also [configure PIM settings](../privileged-identity-management/pim-how-to-change-default-settings.md) to require approval or receive notification emails when someone activates their role assignment. Notifications provide an alert when new users are added to highly privileged roles.
+One of the principles of least privilege is that access should be granted only when required. [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) lets you grant just-in-time access to your administrators. Microsoft recommends that you use PIM in Azure AD. Using PIM, a user can be made eligible for an Azure AD role where they can then activate the role for a limited time when needed. Privileged access is automatically removed when the timeframe expires. You can also configure PIM settings to require approval, receive notification emails when someone activates their role assignment, or other role settings. Notifications provide an alert when new users are added to highly privileged roles. For more information, see [Configure Azure AD role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md).
## 3. Turn on multi-factor authentication for all your administrator accounts
You can enable MFA on Azure AD roles using two methods:
Access reviews enable organizations to review administrator's access regularly to make sure only the right people have continued access. Regular auditing your administrators is crucial because of following reasons: - A malicious actor can compromise an account.-- People move teams within a company. If there is no auditing, they can amass unnecessary access over time.
-
-For information about access reviews for roles, see [Create an access review of Azure AD roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). For information about access reviews of groups that are assigned roles, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md).
+- People move teams within a company. If there's no auditing, they can amass unnecessary access over time.
+
+Microsoft recommends that you use access reviews to find and remove role assignments that are no longer needed. This helps you reduce the risk of unauthorized or excessive access and maintain your compliance standards.
+
+For information about access reviews for roles, see [Create an access review of Azure resource and Azure AD roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). For information about access reviews of groups that are assigned roles, see [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).
## 5. Limit the number of Global Administrators to less than 5 As a best practice, Microsoft recommends that you assign the Global Administrator role to **fewer than five** people in your organization. Global Administrators essentially have unrestricted access, and it is in your best interest to keep the attack surface low. As stated previously, all of these accounts should be protected with multi-factor authentication.
-By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrators role. Users who are assigned the Global Administrator role can read and modify every administrative setting in your Azure AD organization. With a few exceptions, Global Administrators can also read and modify all configuration settings in your Microsoft 365 organization. Global Administrators also have the ability to elevate their access to read data.
+If you have 5 or more privileged Global Administrator role assignments, a **Global Administrators** alert card is displayed on the Azure AD Overview page to help you monitor Global Administrator role assignments.
++
+By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is assigned the Global Administrators role. Users who are assigned the Global Administrator role can read and modify almost every administrative setting in your Azure AD organization. With a few exceptions, Global Administrators can also read and modify all configuration settings in your Microsoft 365 organization. Global Administrators also have the ability to elevate their access to read data.
Microsoft recommends that you keep two break glass accounts that are permanently assigned to the Global Administrator role. Make sure that these accounts don't require the same multi-factor authentication mechanism as your normal administrative accounts to sign in, as described in [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md). ## 6. Limit the number of privileged role assignments to less than 10
-Some roles include privileged permissions, such as the ability to update credentials. Since these roles can potentially lead to elevation of privilege, you should limit the use of these privileged role assignments to **fewer than 10** in your organization. You can identity roles, permissions, and role assignments that are privileged by looking for the **PRIVILEGED** label. For more information, see [Privileged roles and permissions in Azure AD](privileged-roles-permissions.md).
+Some roles include privileged permissions, such as the ability to update credentials. Since these roles can potentially lead to elevation of privilege, you should limit the use of these privileged role assignments to **fewer than 10** in your organization. If you exceed 10 privileged role assignments, a warning is displayed on the Roles and administrators page.
++
+ You can identity roles, permissions, and role assignments that are privileged by looking for the **PRIVILEGED** label. For more information, see [Privileged roles and permissions in Azure AD](privileged-roles-permissions.md).
## 7. Use groups for Azure AD role assignments and delegate the role assignment
-If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups, instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see [Privileged Identity Management (PIM) for Groups (preview)](../privileged-identity-management/concept-pim-for-groups.md).
+If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups, instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see [Privileged Identity Management (PIM) for Groups](../privileged-identity-management/concept-pim-for-groups.md).
You can assign an owner to role-assignable groups. That owner decides who is added to or removed from the group, so indirectly, decides who gets the role assignment. In this way, a Global Administrator or Privileged Role Administrator can delegate role management on a per-role basis by using groups. For more information, see [Use Azure AD groups to manage role assignments](groups-concept.md). ## 8. Activate multiple roles at once using PIM for Groups
-It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They will have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.
+It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They'll have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.
-In this case, you should use [Privileged Identity Management (PIM) for Groups (preview)](../privileged-identity-management/concept-pim-for-groups.md). Create a PIM for Groups and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they will have access to all the linked resources.
+In this case, you should use [Privileged Identity Management (PIM) for Groups](../privileged-identity-management/concept-pim-for-groups.md). Create a PIM for Groups and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they'll have access to all the linked resources.
![PIM for Groups diagram showing activating multiple roles at once](./media/best-practices/pim-for-groups.png)
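Review bot: the threshold in the new sentence "If you exceed 10 privileged role assignments, a warning is displayed on the Roles and administrators page" is off by one against the heading it sits under, "Limit the number of privileged role assignments to less than 10" (bolded as **fewer than 10** in the body): a tenant with exactly 10 assignments violates the guidance but gets no warning, whereas the Global Administrator card in the preceding hunk is correctly described as firing at "5 or more" to match "fewer than five". Either the warning text should read "10 or more" or the guidance should read "10 or fewer"; please confirm which the product actually does and align the two. Two smaller points in the same section: "+ You can identity roles, permissions, and role assignments" carries the "identity" typo (should be "identify") and a stray leading space over from the removed line, and in step 8 "Create a PIM for Groups and grant it permanent access to multiple roles" still reads as if "a PIM for Groups" were an object; "Create a role-assignable group, enable it for PIM, and give the group permanent assignments to multiple roles" says what the reader has to do.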
active-directory Privileged Roles Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/privileged-roles-permissions.md
Previously updated : 09/01/2023 Last updated : 09/14/2023
> Privileged roles and permissions are currently in PREVIEW. > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-Azure Active Directory (Azure AD) has roles and permissions that are identified as privileged. These roles and permissions can be used to delegate management of directory resources to other users or make either network or data security configuration changes. Privileged role assignments can lead to elevation of privilege if not used in a secure and intended manner. Privileged roles and permissions can pose a security threat so they should be used with caution. This article describes privileged roles and permissions and best practices for how to use.
+Azure Active Directory (Azure AD) has roles and permissions that are identified as privileged. These roles and permissions can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. Privileged role assignments can lead to elevation of privilege if not used in a secure and intended manner. This article describes privileged roles and permissions and best practices for how to use.
## Which roles and permissions are privileged?
Here are some best practices for using privileged roles.
- Limit the number of Global Administrators to less than 5 - Limit the number of privileged role assignments to less than 10
-If you have 5 or more privileged Global Administrator role assignments, a **Global Administrators** alert card is displayed on the Azure AD Overview page to help you monitor Global Administrator role assignments.
--
-If you exceed 10 privileged role assignments, a warning is displayed on the Roles and administrators page.
- For more information, see [Best practices for Azure AD roles](best-practices.md). ## Privileged permissions versus protected actions
To understand privileged roles and permissions in Azure AD, it helps to know som
| | | | action | An activity a security principal can perform on an object type. Sometimes referred to as an operation. | | permission | A definition that specifies the activity a security principal can perform on an object type. A permission includes one or more actions. |
-| privileged permission | In Azure AD, permissions that can be used to delegate management of directory resources to other users or make either network or data security configuration changes. Privileged permissions can lead to elevation of privilege if not used in a secure and intended manner. |
+| privileged permission | In Azure AD, permissions that can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. |
| privileged role | A built-in or custom role that has one or more privileged permissions. | | privileged role assignment | A role assignment that uses a privileged role. | | elevation of privilege | When a security principal obtains more permissions than their assigned role initially provided by impersonating another role. |
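Review bot: the rewritten intro still ends on a dangling object, "This article describes privileged roles and permissions and best practices for how to use." (carried over unchanged from the removed line); it needs "how to use them". The new enumeration in the same sentence, "delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data", also parses ambiguously because the third item has its own comma list; splitting it as "delegate management of directory resources to other users; modify credentials, or authentication and authorization policies; or access restricted data" keeps the four capabilities distinct, and the same wording is reused in the "privileged permission" row of the glossary below, so both spots should change together.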
aks App Routing Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-migration.md
+
+ Title: Migrate from HTTP application routing to the application routing add-on
+description: Learn how to migrate from the HTTP application routing feature to the application routing add-on.
++++ Last updated : 08/18/2023++
+# Migrate from HTTP application routing to the application routing add-on
+
+In this article, you'll learn how to migrate your Azure Kubernetes Service (AKS) cluster from HTTP application routing feature to the [application routing add-on](./app-routing.md). The HTTP application routing add-on has been retired and won't work on any cluster Kubernetes version currently in support, so we recommend migrating as soon as possible to maintain a supported configuration.
+
+## Prerequisites
+
+Azure CLI version `2.49.0` or later. If you haven't yet, follow the instructions to [Install Azure CLI][install-azure-cli]. Run `az --version` to find the version, and run `az upgrade` to upgrade the version if not already on the latest.
+
+> [!NOTE]
+> These steps detail migrating from an unsupported configuration. As such, AKS cannot offer support for issues that arise during the migration process.
+
+## Update your cluster's add-ons, ingresses, and IP usage
+
+1. Enable the application routing add-on.
+
+ ```azurecli-interactive
+ az aks enable-addons -g <ResourceGroupName> -n <ClusterName> --addons web_application_routing
+ ```
+
+2. Update your ingresses, setting `ingressClassName` to `webapprouting.kubernetes.azure.com`. Remove the `kubernetes.io/ingress.class` annotation. You'll also need to update the host to one that you own, as the application routing add-on doesn't have a managed cluster DNS zone. If you don't have a DNS zone, follow instructions to [create][app-routing-dns-create] and [configure][app-routing-dns-configure] one.
+
+ Initially, your ingress configuration will look something like this:
+
+ ```yaml
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: aks-helloworld
+ annotations:
+ kubernetes.io/ingress.class: addon-http-application-routing # Remove the ingress class annotation
+ spec:
+ rules:
+ - host: aks-helloworld.<CLUSTER_SPECIFIC_DNS_ZONE>
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: aks-helloworld
+ port:
+ number: 80
+ ```
+
+ After you've properly updated, the same configuration will look like the following:
+
+ ```yaml
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: aks-helloworld
+ spec:
+ ingressClassName: webapprouting.kubernetes.azure.com # Set the ingress class property to refer to the application routing add-on ingress class
+ rules:
+ - http:
+ host: aks-helloworld.<CLUSTER_SPECIFIC_DNS_ZONE> # Replace with your own hostname
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: aks-helloworld
+ port:
+ number: 80
+ ```
+
+3. Update the ingress controller's IP (such as in DNS records) with the new IP address. You can find the new IP by using `kubectl get`. For example:
+
+ ```bash
+ kubectl get svc nginx --namespace app-routing-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+ ```
+
+4. Disable the HTTP application routing add-on.
+
+ ```azurecli-interactive
+ az aks disable-addons -g <ResourceGroupName> -n <ClusterName> --addons http_application_routing
+ ```
+
+## Remove and delete all HTTP application routing resources
+
+1. After the HTTP application routing add-on is disabled, some related Kubernetes resources may remain in your cluster. These resources include *configmaps* and *secrets* that are created in the *kube-system* namespace. To maintain a clean cluster, you may want to remove these resources. Look for *addon-http-application-routing* resources using the following [`kubectl get`][kubectl-get] commands:
+
+ ```bash
+ kubectl get deployments --namespace kube-system
+ kubectl get services --namespace kube-system
+ kubectl get configmaps --namespace kube-system
+ kubectl get secrets --namespace kube-system
+ ```
+
+ The following example output shows *configmaps* that should be deleted:
+
+ ```output
+ NAMESPACE NAME DATA AGE
+ kube-system addon-http-application-routing-nginx-configuration 0 9m7s
+ kube-system addon-http-application-routing-tcp-services 0 9m7s
+ kube-system addon-http-application-routing-udp-services 0 9m7s
+ ```
+
+1. Delete remaining resources using the [`kubectl delete`][kubectl-delete] command. Make sure to specify the resource type, resource name, and namespace. The following example deletes one of the previous configmaps:
+
+ ```bash
+ kubectl delete configmaps addon-http-application-routing-nginx-configuration --namespace kube-system
+ ```
+
+1. Repeat the previous `kubectl delete` step for all *addon-http-application-routing* resources remaining in your cluster.
+
+## Next steps
+
+After migrating to the application routing add-on, learn how to [monitor ingress controller metrics with Prometheus and Grafana](./app-routing-nginx-prometheus.md).
+
+<!-- INTERNAL LINKS -->
+[install-azure-cli]: /cli/azure/install-azure-cli
+[ingress-https]: ./ingress-tls.md
+[app-routing-dns-create]: ./app-routing.md?tabs=without-osm#create-an-azure-dns-zone
+[app-routing-dns-configure]: ./app-routing.md?tabs=without-osm#configure-the-add-on-to-use-azure-dns-to-manage-dns-zones
+
+<!-- EXTERNAL LINKS -->
+[dns-pricing]: https://azure.microsoft.com/pricing/details/dns/
+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
+[kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete
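Review bot: the "after" ingress manifest is not valid against `networking.k8s.io/v1`: `host` has been moved underneath `http:` (`- http:` / `host: aks-helloworld.<CLUSTER_SPECIFIC_DNS_ZONE>` / `paths:`), but an `IngressRule` has `host` and `http` as sibling fields and `http` only carries `paths`, so a reader who pastes this gets the rule rejected under strict field validation or, at best, the host silently dropped and the rule matching every hostname. Restore the layout of the "before" manifest (`- host: ...` followed by `http:` / `paths:`) and only change `ingressClassName`, which is the actual point of the step; the placeholder `<CLUSTER_SPECIFIC_DNS_ZONE>` should also become something like `<YOUR_DNS_ZONE>` since the comment beside it says the managed cluster zone no longer exists. In the clean-up section, the leftover `kube-system` resources explicitly include *secrets*, so removing them is more than "to maintain a clean cluster" and should be a recommendation rather than "you may want to". Finally, `[ingress-https]` and `[dns-pricing]` are defined in the link list but never referenced in the body.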
aks Azure Cni Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overview.md
+
+ Title: Azure CNI networking in Azure Kubernetes Service (AKS) overview
+description: Learn about the requirements and limitations of Azure CNI networking in Azure Kubernetes Service (AKS).
+++++ Last updated : 9/13/2023+
+#CustomerIntent: As a network administrator, I want learn about Azure CNI networking so that I can deploy Azure CNI networking in an AKS cluster.
++
+# Azure CNI networking in Azure Kubernetes Service (AKS) overview
+
+By default, AKS clusters use [kubenet][kubenet] and create a virtual network and subnet. With *kubenet*, nodes get an IP address from a virtual network subnet. Network address translation (NAT) is then configured on the nodes, and pods receive an IP address "hidden" behind the node IP. This approach reduces the number of IP addresses that you need to reserve in your network space for pods to use.
+
+With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.
+
+## Prerequisites
+
+* The virtual network for the AKS cluster must allow outbound internet connectivity.
+
+* AKS clusters may not use `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` for the Kubernetes service address range, pod address range, or cluster virtual network address range.
+
+* The cluster identity used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:
+
+ * `Microsoft.Network/virtualNetworks/subnets/join/action`
+
+ * `Microsoft.Network/virtualNetworks/subnets/read`
+
+ * `Microsoft.Authorization/roleAssignments/write`
+
+* The subnet assigned to the AKS node pool can't be a [delegated subnet](../virtual-network/subnet-delegation-overview.md).
+
+* AKS doesn't apply Network Security Groups (NSGs) to its subnet and doesn't modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic within the node CIDR range. For more information, see [Network security groups][aks-network-nsg].
++
+## Plan IP addressing for your cluster
+
+Clusters configured with Azure CNI networking require extra planning. The size of your virtual network and its subnet must accommodate the number of pods you plan to run and the number of nodes for the cluster.
+
+IP addresses for the pods and the cluster's nodes are assigned from the specified subnet within the virtual network. Each node is configured with a primary IP address. Azure CNI preconfigures 30 extra IP addresses by default. These IP addresses are assigned to pods scheduled on the node. When you scale out your cluster, each node is similarly configured with IP addresses from the subnet. You can also view the [maximum pods per node](#maximum-pods-per-node).
+
+> [!IMPORTANT]
+> The number of IP addresses required should include considerations for upgrade and scaling operations. If you set the IP address range to only support a fixed number of nodes, you can't upgrade or scale your cluster.
+>
+> * When you **upgrade** your AKS cluster, a new node is deployed into the cluster. Services and workloads begin to run on the new node, and an older node is removed from the cluster. This rolling upgrade process requires a minimum of one additional block of IP addresses to be available. Your node count is then `n + 1`.
+> * This consideration is particularly important when you use Windows Server node pools. Windows Server nodes in AKS do not automatically apply Windows Updates, instead you perform an upgrade on the node pool. This upgrade deploys new nodes with the latest Window Server 2019 base node image and security patches. For more information on upgrading a Windows Server node pool, see [Upgrade a node pool in AKS][nodepool-upgrade].
+>
+> * When you **scale** an AKS cluster, a new node is deployed into the cluster. Services and workloads begin to run on the new node. Your IP address range needs to take into considerations how you may want to scale up the number of nodes and pods your cluster can support. One additional node for upgrade operations should also be included. Your node count is then `n + number-of-additional-scaled-nodes-you-anticipate + 1`.
+
+If you expect your nodes to run the maximum number of pods, and regularly destroy and deploy pods, you should also factor in some extra IP addresses per node. A few seconds may be required to delete a service and release its IP address for a new service to be deployed and acquire the address. These extra IP addresses consider this possibility.
+
+The IP address plan for an AKS cluster consists of a virtual network, at least one subnet for nodes and pods, and a Kubernetes service address range.
+
+| Address range / Azure resource | Limits and sizing |
+| | - |
+| Virtual network | The Azure virtual network can be as large as /8, but is limited to 65,536 configured IP addresses. Consider all your networking needs, including communicating with services in other virtual networks, before configuring your address space. For example, if you configure too large of an address space, you may run into issues with overlapping other address spaces within your network.|
+| Subnet | Must be large enough to accommodate the nodes, pods, and all Kubernetes and Azure resources that might be provisioned in your cluster. For example, if you deploy an internal Azure Load Balancer, its front-end IPs are allocated from the cluster subnet, not public IPs. The subnet size should also take into account upgrade operations or future scaling needs.<p/> To calculate the *minimum* subnet size including an extra node for upgrade operations: `(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)`<p/> Example for a 50 node cluster: `(51) + (51 * 30 (default)) = 1,581` (/21 or larger)<p/>Example for a 50 node cluster that also includes preparation to scale up an extra 10 nodes: `(61) + (61 * 30 (default)) = 1,891` (/21 or larger)<p>If you don't specify a maximum number of pods per node when you create your cluster, the maximum number of pods per node is set to *30*. The minimum number of IP addresses required is based on that value. If you calculate your minimum IP address requirements on a different maximum value, see [how to configure the maximum number of pods per node](#configure-maximumnew-clusters) to set this value when you deploy your cluster. |
+| Kubernetes service address range | Any network element on or connected to this virtual network must not use this range. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters. |
+| Kubernetes DNS service IP address | IP address within the Kubernetes service address range that is used by cluster service discovery. Don't use the first IP address in your address range. The first address in your subnet range is used for the *kubernetes.default.svc.cluster.local* address. |
+
+## Maximum pods per node
+
+The maximum number of pods per node in an AKS cluster is 250. The *default* maximum number of pods per node varies between *kubenet* and *Azure CNI* networking, and the method of cluster deployment.
+
+| Deployment method | Kubenet default | Azure CNI default | Configurable at deployment |
+| | | | |
+| Azure CLI | 110 | 30 | Yes (up to 250) |
+| Resource Manager template | 110 | 30 | Yes (up to 250) |
+| Portal | 110 | 110 (configurable in the Node Pools tab) | Yes (up to 250) |
+
+### Configure maximum - new clusters
+
+You're able to configure the maximum number of pods per node at cluster deployment time or as you add new node pools. You can set the maximum pods per node value as high as 250.
+
+If you don't specify maxPods when creating new node pools, you receive a default value of 30 for Azure CNI.
+
+A minimum value for maximum pods per node is enforced to guarantee space for system pods critical to cluster health. The minimum value that can be set for maximum pods per node is 10 if and only if the configuration of each node pool has space for a minimum of 30 pods. For example, setting the maximum pods per node to the minimum of 10 requires each individual node pool to have a minimum of 3 nodes. This requirement applies for each new node pool created as well, so if 10 is defined as maximum pods per node each subsequent node pool added must have at least 3 nodes.
+
+| Networking | Minimum | Maximum |
+| | | |
+| Azure CNI | 10 | 250 |
+| Kubenet | 10 | 250 |
+
+> [!NOTE]
+> The minimum value in the previous table is strictly enforced by the AKS service. You can not set a maxPods value lower than the minimum shown as doing so can prevent the cluster from starting.
+
+* **Azure CLI**: Specify the `--max-pods` argument when you deploy a cluster with the [`az aks create`][az-aks-create] command. The maximum value is 250.
+* **Resource Manager template**: Specify the `maxPods` property in the [ManagedClusterAgentPoolProfile] object when you deploy a cluster with a Resource Manager template. The maximum value is 250.
+* **Azure portal**: Change the `Max pods per node` field in the node pool settings when creating a cluster or adding a new node pool.
+
+### Configure maximum - existing clusters
+
+The maxPod per node setting can be defined when you create a new node pool. If you need to increase the maxPod per node setting on an existing cluster, add a new node pool with the new desired maxPod count. After migrating your pods to the new pool, delete the older pool. To delete any older pool in a cluster, ensure you're setting node pool modes as defined in the [system node pools document][system-node-pools].
+
+## Deployment parameters
+
+When you create an AKS cluster, the following parameters are configurable for Azure CNI networking:
+
+**Virtual network**: The virtual network into which you want to deploy the Kubernetes cluster. If you want to create a new virtual network for your cluster, select *Create new* and follow the steps in the *Create virtual network* section. If you want to select an existing virtual network, make sure it's in the same location and Azure subscription as your Kubernetes cluster. For information about the limits and quotas for an Azure virtual network, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits).
+
+**Subnet**: The subnet within the virtual network where you want to deploy the cluster. If you want to create a new subnet in the virtual network for your cluster, select *Create new* and follow the steps in the *Create subnet* section. For hybrid connectivity, the address range shouldn't overlap with any other virtual networks in your environment.
+
+**Azure Network Plugin**: When Azure network plugin is used, the internal LoadBalancer service with "externalTrafficPolicy=Local" can't be accessed from VMs with an IP in clusterCIDR that doesn't belong to AKS cluster.
+
+**Kubernetes service address range**: This parameter is the set of virtual IPs that Kubernetes assigns to internal [services][services] in your cluster. This range can't be updated after you create your cluster. You can use any private address range that satisfies the following requirements:
+
+* Must not be within the virtual network IP address range of your cluster
+* Must not overlap with any other virtual networks with which the cluster virtual network peers
+* Must not overlap with any on-premises IPs
+* Must not be within the ranges `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24`
+
+Although it's technically possible to specify a service address range within the same virtual network as your cluster, doing so isn't recommended. Unpredictable behavior can result if overlapping IP ranges are used. For more information, see the [FAQ](#frequently-asked-questions) section of this article. For more information on Kubernetes services, see [Services][services] in the Kubernetes documentation.
+
+**Kubernetes DNS service IP address**: The IP address for the cluster's DNS service. This address must be within the *Kubernetes service address range*. Don't use the first IP address in your address range. The first address in your subnet range is used for the *kubernetes.default.svc.cluster.local* address.
+
+## Frequently asked questions
+
+* **Can I deploy VMs in my cluster subnet?**
+
+ Yes.
+
+* **What source IP do external systems see for traffic that originates in an Azure CNI-enabled pod?**
+
+ Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod.
+
+* **Can I configure per-pod network policies?**
+
+ Yes, Kubernetes network policy is available in AKS. To get started, see [Secure traffic between pods by using network policies in AKS][network-policy].
+
+* **Is the maximum number of pods deployable to a node configurable?**
+
+ Yes, when you deploy a cluster with the Azure CLI or a Resource Manager template. See [Maximum pods per node](#maximum-pods-per-node).
+
+ You can't change the maximum number of pods per node on an existing cluster.
+
+* **How do I configure additional properties for the subnet that I created during AKS cluster creation? For example, service endpoints.**
+
+ The complete list of properties for the virtual network and subnets that you create during AKS cluster creation can be configured in the standard virtual network configuration page in the Azure portal.
+
+* **Can I use a different subnet within my cluster virtual network for the *Kubernetes service address range*?**
+
+ It's not recommended, but this configuration is possible. The service address range is a set of virtual IPs (VIPs) that Kubernetes assigns to internal services in your cluster. Azure Networking has no visibility into the service IP range of the Kubernetes cluster. Due to the lack of visibility into the cluster's service address range, it's possible to later create a new subnet in the cluster virtual network that overlaps with the service address range. If such an overlap occurs, Kubernetes could assign a service an IP that's already in use by another resource in the subnet, causing unpredictable behavior or failures. By ensuring you use an address range outside the cluster's virtual network, you can avoid this overlap risk.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Configure Azure CNI networking in Azure Kubernetes Service (AKS)](configure-azure-cni.md)
+
+Learn more about networking in AKS in the following articles:
+
+* [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md)
+
+* [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md)
+
+* [Create a basic ingress controller with external network connectivity][aks-ingress-basic]
+
+* [Enable the HTTP application routing add-on][aks-http-app-routing]
+
+* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal]
+
+* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls]
+
+* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls]
+
+<!-- IMAGES -->
+[advanced-networking-diagram-01]: ./media/networking-overview/advanced-networking-diagram-01.png
+[portal-01-networking-advanced]: ./media/networking-overview/portal-01-networking-advanced.png
+
+<!-- LINKS - External -->
+[services]: https://kubernetes.io/docs/concepts/services-networking/service/
+[cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md
+[kubenet]: concepts-network.md#kubenet-basic-networking
+[github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml
+
+<!-- LINKS - Internal -->
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[aks-ssh]: ssh.md
+[ManagedClusterAgentPoolProfile]: /azure/templates/microsoft.containerservice/managedclusters#managedclusteragentpoolprofile-object
+[aks-network-concepts]: concepts-network.md
+[aks-network-nsg]: concepts-network.md#network-security-groups
+[aks-ingress-basic]: ingress-basic.md
+[aks-ingress-tls]: ingress-tls.md
+[aks-ingress-static-tls]: ingress-static-ip.md
+[aks-http-app-routing]: http-application-routing.md
+[aks-ingress-internal]: ingress-internal-ip.md
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[network-policy]: use-network-policies.md
+[nodepool-upgrade]: manage-node-pools.md#upgrade-a-single-node-pool
+[network-comparisons]: concepts-network.md#compare-network-models
+[system-node-pools]: use-system-pools.md
+[prerequisites]: configure-azure-cni.md#prerequisites
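Review bot: the answer under "Is the maximum number of pods deployable to a node configurable?" says the value can't be changed on an existing cluster but doesn't say at which scope it is fixed; state whether the limit is set per node pool at creation (so that a new node pool with a different value can still be added to an existing cluster) or per cluster, since readers size subnets and IP ranges from this number. Also, under `<!-- LINKS - External -->`, the entry `[kubenet]: concepts-network.md#kubenet-basic-networking` is a relative link into this repo and belongs under `<!-- LINKS - Internal -->` next to `[aks-network-concepts]: concepts-network.md`.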
aks Http Application Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-application-routing.md
# HTTP application routing add-on for Azure Kubernetes Service (AKS) > [!CAUTION]
-> The HTTP application routing add-on is in the process of being retired and isn't recommended for production use. We recommend using the [Application Routing add-on](./app-routing.md) instead.
+> The HTTP application routing add-on is in the process of being retired and isn't recommended for production use. We recommend migrating to the [Application Routing add-on](./app-routing-migration.md) instead.
The HTTP application routing add-on makes it easy to access applications that are deployed to your Azure Kubernetes Service (AKS) cluster by:
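Review bot: the replacement caution links the text `Application Routing add-on` to `./app-routing-migration.md`, so the link text names the add-on while the target is the migration guide; keep the add-on link (`./app-routing.md`) for readers evaluating the replacement and add the migration page as a second link, for example "We recommend [migrating](./app-routing-migration.md) to the [Application Routing add-on](./app-routing.md)."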
aks Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md
There are many open-source and third-party integrations you can install on your
| [Linkerd][linkerd] | An open-source service mesh. | [Linkerd Getting Started][linkerd-install] | | [Consul][consul] | An open-source, identity-based networking solution. | [Getting Started with Consul Service Mesh for Kubernetes][consul-install] |
+### Third-party integrations for Windows containers
+
+Microsoft has collaborated with partners to ensure your build, test, deployment, configuration, and monitoring of your applications perform optimally with Windows containers on AKS.
+
+For more details, see [Windows AKS partner solutions][windows-aks-partner-solutions].
+ <!-- LINKS --> [http-app-routing]: http-application-routing.md [container-insights]: ../azure-monitor/containers/container-insights-overview.md
There are many open-source and third-party integrations you can install on your
[github-actions]: /azure/developer/github/github-actions [github-actions-aks]: kubernetes-action.md [az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons
+[windows-aks-partner-solutions]: windows-aks-partner-solutions.md
aks Use Cvm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-cvm.md
Last updated 08/14/2023
You can use [confidential VM sizes (DCav5/ECav5)][cvm-announce] to add a node pool to your AKS cluster with CVM. Confidential VMs with AMD SEV-SNP support bring a new set of security features to protect data-in-use with full VM memory encryption. These features enable node pools with CVM to target the migration of highly sensitive container workloads to AKS without any code refactoring while benefiting from the features of AKS. The nodes in a node pool created with CVM use a customized Ubuntu 20.04 image specially configured for CVM. For more details on CVM, see [Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs][cvm].
-Adding a node pool with CVM to your AKS cluster is currently in preview.
- ## Before you begin Before you begin, make sure you have the following:
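Review bot: removing "Adding a node pool with CVM to your AKS cluster is currently in preview." changes the support status of the feature, but the `Last updated 08/14/2023` line above it is unchanged and nothing replaces the sentence; bump the date and, if the feature is now generally available, check that the rest of the article (the "Before you begin" prerequisites and any preview-only registration steps) no longer carries preview wording.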
api-management Send Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/send-request-policy.md
The `send-request` policy sends the provided request to the specified URL, waiti
## Usage -- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error-- [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- **[Policy sections:](./api-management-howto-policies.md#sections)** inbound, outbound, backend, on-error
+- **[Policy scopes:](./api-management-howto-policies.md#scopes)** global, workspace, product, API, operation
+- **[Gateways:](api-management-gateways-overview.md)** dedicated, consumption, self-hosted
+
+### Usage notes
+
+If your API Management instance is deployed (injected) in a VNet in *internal* mode and you use this policy to send an API request to an API that's exposed in the same API Management instance, you may encounter a timeout with an HTTP 500 BackendConnectionFailure error. This is the result of an [Azure Load Balancer limitation](../load-balancer/load-balancer-troubleshoot-backend-traffic.md).
+
+To chain API requests to the gateway in this scenario, configure `set-url` to use the localhost loopback URL `https://127.0.0.1`. Additionally, set the `HOST` header to specify this API Management instance's gateway host. You may use the default `azure-api.net` or your custom domain host. For example:
+
+```xml
+<send-request>
+ <set-url>https://127.0.0.1/myapi/myoperation</set-url>
+ <set-header name="Host">
+ <value>myapim.azure-api.net</value>
+ </set-header>
+</send-request>
+```
++
+For more information, see this [blog post](https://techcommunity.microsoft.com/t5/azure-paas-blog/self-chained-apim-request-limitation-in-internal-virtual-network/ba-p/1940417).
## Example
This example shows one way to verify a reference token with an authorization ser
* [API Management advanced policies](api-management-advanced-policies.md) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]++++
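Review bot: the usage note writes the header as `HOST` while the sample sets `<set-header name="Host">`; use one spelling, and `Host` is the one the sample needs. Because the loopback call re-enters the same gateway, the note should also say whether the inbound policies of the target API (authentication, rate limits) run again on the chained request, and whether the server certificate presented on `https://127.0.0.1` is validated against the `Host` value; without that a reader can't tell whether the workaround is safe with a custom domain certificate or could be used to bypass per-API policies.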
app-service Version Comparison https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/version-comparison.md
App Service Environment has three versions. App Service Environment v3 is the la
|Dedicated host group |No |No |[Yes](creation.md#deployment-considerations) (not compatible with zone redundancy) | |Upgrade preference for planned maintenance |No |No |[Yes](how-to-upgrade-preference.md) | |FTPS |Yes |Yes |Yes, [must be explicitly enabled](configure-network-settings.md#ftp-access). Access to FTPS endpoint using custom domain suffix isn't supported. |
+|FTPS endpoint structure |ftps://APP-NAME.ASE-NAME.appserviceenvironment.net |ftps://APP-NAME.ASE-NAME.appserviceenvironment.net - Custom domain suffix is supported if you have one configured by replacing the App Service Environment name and the default domain suffix with your custom domain suffix. |ftps://ASE-NAME.ftp.appserviceenvironment.net/site/wwwroot - Custom domain suffix isn't supported. Each app on the same App Service Environment v3 uses the same FTPS endpoint but has its own unique application scope credentials for authentication. |
|Remote debugging |Yes |Yes |Yes, [must be explicitly enabled](configure-network-settings.md#remote-debugging-access) | |[Azure virtual network (classic)](../../virtual-network/create-virtual-network-classic.md) support |Yes |No |No |
azure-app-configuration Quickstart Azure Kubernetes Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-azure-kubernetes-service.md
Now that you have an application running in AKS, you'll deploy the App Configura
```console helm install azureappconfiguration.kubernetesprovider \ oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \
- --version 1.0.0-preview3 \
+ --version 1.0.0-preview4 \
--namespace azappconfig-system \ --create-namespace ```
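Review bot: the bump to `--version 1.0.0-preview4` lands in the same update as the new `spec.auth.workloadIdentity` and `spec.target.configMapData` properties in the provider reference; state the minimum chart version that supports them (in the reference or here) so readers still on `1.0.0-preview3` know why those fields are rejected.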
azure-app-configuration Reference Kubernetes Provider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/reference-kubernetes-provider.md
The `spec.target` property has the following child property.
|Name|Description|Required|Type| ||||| |configMapName|The name of the ConfigMap to be created|true|string|
+|configMapData|The setting that specifies how the retrieved data should be populated in the generated ConfigMap|false|object|
-If the `spec.auth` property isn't set, the system-assigned managed identity is used. It has the following child properties. Only one authentication method should be set.
+If the `spec.target.configMapData` property is not set, the generated ConfigMap will be populated with the list of key-values retrieved from Azure App Configuration, which allows the ConfigMap to be consumed as environment variables. Update this property if you wish to consume the ConfigMap as a mounted file. This property has the following child properties.
+
+|Name|Description|Required|Type|
+|||||
+|type|The setting that indicates how the retrieved data is constructed in the generated ConfigMap. The allowed values include `default`, `json`, `yaml` and `properties`|optional|string|
+|key|The key name of the retrieved data when the `type` is set to `json`, `yaml` or `properties`. Set it to the file name if the ConfigMap is set up to be consumed as a mounted file|conditional|string|
+
+The `spec.auth` property isn't required if the connection string of your App Configuration store is provided by setting the `spec.connectionStringReference` property. Otherwise, one of the identities, service principal, workload identity, or managed identity, will be used for authentication. The `spec.auth` has the following child properties. Only one of them should be specified. If none of them are set, the system-assigned managed identity of the virtual machine scale set will be used.
|Name|Description|Required|Type| |||||
-|managedIdentityClientId|The Client ID of user-assigned managed identity|false|string|
|servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal|false|string|
+|workloadIdentity|The settings for using workload identity|false|object|
+|managedIdentityClientId|The Client ID of user-assigned managed identity of virtual machine scale set|false|string|
-The `spec.keyValues` has the following child properties. The `spec.keyValues.keyVaults` property is required if any Key Vault references are expected to be downloaded.
+The `spec.auth.workloadIdentity` property has the following child property.
+|Name|Description|Required|Type|
+|||||
+|managedIdentityClientId|The Client ID of the user-assigned managed identity associated with the workload identity|true|string|
+
+The `spec.keyValues` has the following child properties. The `spec.keyValues.keyVaults` property is required if any Key Vault references are expected to be downloaded.
+
|Name|Description|Required|Type| ||||| |selectors|The list of selectors for key-value filtering|false|object array|
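Review bot: in the `configMapData` child-property table the Required column uses `optional` and `conditional` where every other table on this page uses `true`/`false`; `type` should be `false`, and `key` should say in its description that it is required when `type` is `json`, `yaml` or `properties` and ignored for `default`. The `spec.auth` paragraph also states the fallback twice ("one of the identities ... will be used" and "If none of them are set, the system-assigned managed identity ... will be used"); one sentence giving the precedence between `spec.connectionStringReference`, `spec.auth` and the scale-set identity is enough.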
If the `spec.keyValues.keyVaults.auth` property isn't set, the system-assigned m
|Name|Description|Required|Type| |||||
-|managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with vaults that don't have individual authentication methods specified|false|string|
|servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with vaults that don't have individual authentication methods specified|false|string|
+|workloadIdentity|The settings of the workload identity used for authentication with vaults that don't have individual authentication methods specified. It has the same child properties as `spec.auth.workloadIdentity`|false|object|
+|managedIdentityClientId|The client ID of a user-assigned managed identity of virtual machine scale set used for authentication with vaults that don't have individual authentication methods specified|false|string|
|vaults|The authentication methods for individual vaults|false|object array|
-The authentication method of each *vault* can be specified with the following properties. One of `managedIdentityClientId` and `servicePrincipalReference` must be provided.
+The authentication method of each *vault* can be specified with the following properties. One of `managedIdentityClientId`, `servicePrincipalReference` or `workloadIdentity` must be provided.
|Name|Description|Required|Type| ||||| |uri|The URI of a vault|true|string|
-|managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with a vault|false|string|
|servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with a vault|false|string|
+|workloadIdentity|The settings of the workload identity used for authentication with a vault. It has the same child properties as `spec.auth.workloadIdentity`|false|object|
+|managedIdentityClientId|The client ID of a user-assigned managed identity of virtual machine scale set used for authentication with a vault|false|string|
The `spec.keyValues.refresh` property has the following child properties.
The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
### Authentication
-#### Use System-Assigned Managed Identity
+#### Use system-assigned managed identity of virtual machine scale set
1. [Enable the system-assigned managed identity in the virtual machine scale set](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#enable-system-assigned-managed-identity-on-an-existing-virtual-machine-scale-set) used by the Azure Kubernetes Service (AKS) cluster.+ 1. [Grant the system-assigned managed identity **App Configuration Data Reader** role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration) in Azure App Configuration.+ 1. Deploy the following sample `AzureAppConfigurationProvider` resource to the AKS cluster. ``` yaml
The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
configMapName: configmap-created-by-appconfig-provider ```
-#### Use User-Assigned Managed Identity
+#### Use user-assigned managed identity of virtual machine scale set
1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.+ 1. [Assign the user-assigned managed identity to the virtual machine scale set](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) used by the Azure Kubernetes Service (AKS) cluster.+ 1. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) in Azure App Configuration.+ 1. Set the `spec.auth.managedIdentityClientId` property to the client ID of the user-assigned managed identity in the following sample `AzureAppConfigurationProvider` resource and deploy it to the AKS cluster. ``` yaml
The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
managedIdentityClientId: <your-managed-identity-client-id> ```
-#### Use Service Principal
+#### Use service principal
1. [Create a Service Principal](/azure/active-directory/develop/howto-create-service-principal-portal)+ 1. [Grant the service principal **App Configuration Data Reader** role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration) in Azure App Configuration.+ 1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add *azure_client_id*, *azure_client_secret*, and *azure_tenant_id* of the service principal to the Secret.+ 1. Set the `spec.auth.servicePrincipalReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster. ``` yaml
The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
servicePrincipalReference: <your-service-principal-secret-name> ```
-#### Use Connection String
+#### Use workload identity
+
+1. [Enable Workload Identity](/azure/aks/workload-identity-deploy-cluster#update-an-existing-aks-cluster) on the Azure Kubernetes Service (AKS) cluster.
+
+1. [Get the OIDC issuer URL](/azure/aks/workload-identity-deploy-cluster#retrieve-the-oidc-issuer-url) of the AKS cluster.
+
+1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.
+
+1. Create the federated identity credential between the managed identity, OIDC issuer, and subject using the Azure CLI.
+
+ ``` azurecli
+ az identity federated-credential create --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider --audience api://AzureADTokenExchange
+ ```
+
+1. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) in Azure App Configuration.
+
+1. Set the `spec.auth.workloadIdentity.managedIdentityClientId` property to the client ID of the user-assigned managed identity in the following sample `AzureAppConfigurationProvider` resource and deploy it to the AKS cluster.
+
+ ``` yaml
+ apiVersion: azconfig.io/v1beta1
+ kind: AzureAppConfigurationProvider
+ metadata:
+ name: appconfigurationprovider-sample
+ spec:
+ endpoint: <your-app-configuration-store-endpoint>
+ target:
+ configMapName: configmap-created-by-appconfig-provider
+ auth:
+ workloadIdentity:
+ managedIdentityClientId: <your-managed-identity-client-id>
+ ```
+
+#### Use connection string
1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add Azure App Configuration connection string with key *azure_app_configuration_connection_string* in the Secret.+ 1. Set the `spec.connectionStringReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster. ``` yaml
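Review bot: the step "Grant the user-assigned managed identity **App Configuration Data Reader** role" links to the VMSS user-assigned identity page (`qs-configure-portal-windows-vmss#user-assigned-managed-identity`) instead of the App Configuration role-grant page used in the system-assigned and service-principal steps (`howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration`); the existing user-assigned managed identity section has the same wrong target. In the `az identity federated-credential create` command the subject `system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider` hard-codes the namespace and service account the provider runs as; say that both must match the Helm `--namespace` the provider was installed with, because the federated credential exchanges tokens only for that exact subject and a mismatch fails silently at the token exchange.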
The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which
target: configMapName: configmap-created-by-appconfig-provider ```+ ### Key-value selection Use the `selectors` property to filter the key-values to be downloaded from Azure App Configuration.
spec:
label: common - key: sentinelKey label: development
+```
+
+### Consume ConfigMap
+
+Applications running in Kubernetes typically consume the ConfigMap either as environment variables or as configuration files. If the `configMapData.type` property is absent or is set to default, the ConfigMap is populated with the itemized list of data retrieved from Azure App Configuration, which can be easily consumed as environment variables. If the `configMapData.type` property is set to json, yaml or properties, data retrieved from Azure App Configuration is grouped into one item with key name specified by the `configMapData.key` property in the generated ConfigMap, which can be consumed as a mounted file.
+
+The following examples show how the data is populated in the generated ConfigMap with different settings of the `configMapData.type` property.
+
+Assuming an App Configuration store has these key-values:
+
+|key|value|
+|||
+|key1|value1|
+|key2|value2|
+|key3|value3|
+
+#### [default](#tab/default)
+
+and the `configMapData.type` property is absent or set to `default`,
+
+``` yaml
+apiVersion: azconfig.io/v1beta1
+kind: AzureAppConfigurationProvider
+metadata:
+ name: appconfigurationprovider-sample
+spec:
+ endpoint: <your-app-configuration-store-endpoint>
+ target:
+ configMapName: configmap-created-by-appconfig-provider
+```
+
+the generated ConfigMap will be populated with the following data:
+
+``` yaml
+data:
+ key1: value1
+ key2: value2
+ key3: value3
+```
+
+#### [json](#tab/json)
+
+and the `configMapData.type` property is set to `json`,
+
+``` yaml
+apiVersion: azconfig.io/v1beta1
+kind: AzureAppConfigurationProvider
+metadata:
+ name: appconfigurationprovider-sample
+spec:
+ endpoint: <your-app-configuration-store-endpoint>
+ target:
+ configMapName: configmap-created-by-appconfig-provider
+ configMapData:
+ type: json
+ key: appSettings.json
+```
+
+the generated ConfigMap will be populated with the following data:
+
+``` yaml
+data:
+ appSettings.json: >-
+ {"key1":"value1","key2":"value2","key3":"value3"}
+```
+
+#### [yaml](#tab/yaml)
+
+and the `configMapData.type` property is set to `yaml`,
+
+``` yaml
+apiVersion: azconfig.io/v1beta1
+kind: AzureAppConfigurationProvider
+metadata:
+ name: appconfigurationprovider-sample
+spec:
+ endpoint: <your-app-configuration-store-endpoint>
+ target:
+ configMapName: configmap-created-by-appconfig-provider
+ configMapData:
+ type: yaml
+ key: appSettings.yaml
+```
+
+the generated ConfigMap will be populated with the following data:
+
+``` yaml
+data:
+ appSettings.yaml: >-
+ key1: value1
+ key2: value2
+ key3: value3
+```
+
+#### [properties](#tab/properties)
+
+and the `configMapData.type` property is set to `properties`,
+
+``` yaml
+apiVersion: azconfig.io/v1beta1
+kind: AzureAppConfigurationProvider
+metadata:
+ name: appconfigurationprovider-sample
+spec:
+ endpoint: <your-app-configuration-store-endpoint>
+ target:
+ configMapName: configmap-created-by-appconfig-provider
+ configMapData:
+ type: properties
+ key: app.properties
+```
+
+the generated ConfigMap will be populated with the following data:
+
+``` yaml
+data:
+ app.properties: >-
+ key1=value1
+ key2=value2
+ key3=value3
```
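Review bot: the `yaml` and `properties` examples show the generated ConfigMap value as a folded block scalar (`appSettings.yaml: >-` and `app.properties: >-`) followed by one entry per line; in YAML a `>` folded scalar joins equally indented lines with spaces, so as written the value is the single line `key1: value1 key2: value2 key3: value3` (and `key1=value1 key2=value2 key3=value3`), which is not a valid YAML mapping or properties file when mounted. Use the literal block indicator `|-` in both examples. Also, `default`, `json`, `yaml` and `properties` are unformatted in the "Consume ConfigMap" paragraph while the same values are in backticks in the property table.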
azure-arc Configure Transparent Data Encryption Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/configure-transparent-data-encryption-sql-managed-instance.md
In customer-managed mode, TDE uses a service-managed database master key and use
1. Create a certificate. 1. Store the certificate as a secret in the same Kubernetes namespace as the instance.
-> [!NOTE]
-> If you need to change from one mode to the other, you must disable TDE from the current mode before you apply the new mode. To disable, before you proceed, follow the instructions at [Turn off TDE on the managed instance](#turn-off-tde-on-the-managed-instance).
- ### Enable # [Service-managed](#tab/service-managed)
To enable TDE in customer-managed mode:
kubectl patch sqlmi sqlmi-tde --namespace arc --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "CustomerManaged", "protectorSecret": "sqlmi-tde-protector-cert-secret" } } } }' ``` + ## Turn off TDE on the managed instance
Example:
kubectl patch sqlmi sqlmi-tde --namespace arc --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "Disabled" } } } }' ``` + ## Back up a TDE credential
When you back up credentials from the managed instance, the credentials are stor
Similar to above, to restore the credentials, copy them into the container and run the corresponding T-SQL afterwards. + > [!NOTE] > If the `kubectl cp` command is run from Windows, the command may fail when using absolute Windows paths. Use relative paths or the commands specified below. > To restore database backups that have been taken before enabling TDE, you would need to disable TDE on the SQL Managed Instance, restore the database backup and enable TDE again.
Similar to above, to restore the credentials, copy them into the container and r
## Next steps [Transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption)+
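Review bot: the deleted note ("If you need to change from one mode to the other, you must disable TDE from the current mode before you apply the new mode") is the only statement on the page about switching between service-managed and customer-managed TDE, and nothing replaces it; if switching modes directly is now supported, say so in the `### Enable` section, otherwise the caveat should stay, since patching `"mode": "CustomerManaged"` with a `protectorSecret` over an active service-managed protector is exactly the case it warned about.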
azure-arc License Extended Security Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/license-extended-security-updates.md
Title: License provisioning guidelines for Extended Security Updates for Windows Server 2012 description: Learn about license provisioning guidelines for Extended Security Updates for Windows Server 2012 through Azure Arc. Previously updated : 08/18/2023 Last updated : 09/14/2023 # License provisioning guidelines for Extended Security Updates for Windows Server 2012
-Flexibility is critical when enrolling end of support infrastructure in Extended Security Updates (ESUs) through Azure Arc to receive critical patches. To give ease of options across virtualization and disaster recovery scenarios, you must first provision Windows Server 2012 Arc ESU licenses and then link those licenses to your Azure Arc-enabled servers. The linking and provisioning of licenses can be done through Azure portal, ARM templates, CLI, or Azure Policy.
+Flexibility is critical when enrolling end of support infrastructure in Extended Security Updates (ESUs) through Azure Arc to receive critical patches. To give ease of options across virtualization and disaster recovery scenarios, you must first provision Windows Server 2012 Arc ESU licenses and then link those licenses to your Azure Arc-enabled servers. The linking and provisioning of licenses can be done through the Azure portal.
-When provisioning WS2012 ESU licenses, you need to specify whether you'll need to select between virtual core and physical core licensing, select between standard and datacenter licensing, and attest to the number of associated cores (broken down by the number of 2-core and 16-core packs). To assist with this license provisioning process, this article provides general guidance and sample customer scenarios for planning your deployment of WS2012 ESUs through Azure Arc.
+When provisioning WS2012 ESU licenses, you need to specify:
-## General guidance: Standard vs. Datacenter, Physical vs. Virtual Cores
+* Either virtual core or physical core license
+* Standard or datacenter license
+* Attest to the number of associated cores (broken down by the number of 2-core and 16-core packs).
+
+To assist with the license provisioning process, this article provides general guidance and sample customer scenarios for planning your deployment of WS2012 ESUs through Azure Arc.
+
+## General guidance: Standard vs. Datacenter, Physical vs. Virtual Cores
### Physical core licensing
-If you choose to license based on physical cores, the licensing requires a minimum of 16 physical cores per license. Most customers choose to license based on physical cores and select Standard or Datacenter edition to match their original Windows Server licensing. While Standard licensing can be applied to up to two virtual machines (VMs), Datacenter licensing has no limit to the number of VMs it can be applied to. Depending on the number of VMs covered, it may make sense to opt for the Datacenter license instead of the Standard license.
+If you choose to license based on physical cores, the licensing requires a minimum of 16 physical cores per license. Most customers choose to license based on physical cores and select Standard or Datacenter edition to match their original Windows Server licensing. While Standard licensing can be applied to up to two virtual machines (VMs), Datacenter licensing has no limit to the number of VMs it can be applied to. Depending on the number of VMs covered, it may make sense to choose the Datacenter license instead of the Standard license.
### Virtual core licensing
-If you choose to license based on virtual cores, the licensing requires a minimum of eight virtual cores per Virtual Machine. There are two main scenarios where this model is advisable:
+If you choose to license based on virtual cores, the licensing requires a minimum of eight virtual cores per Virtual Machine. There are two main scenarios where this model is advisable:
1. If the VM is running on a third-party host or hyper scaler like AWS, GCP, or OCI.
If you choose to license based on virtual cores, the licensing requires a minimu
An additional scenario (scenario 1, below) is a candidate for VM/Virtual core licensing when the WS2012 VMs are running on a newer Windows Server host (that is, Windows Server 2016 or later). > [!IMPORTANT]
-> In all cases, customers are required to attest to their conformance with SA or SPLA. There is no exception for these requirements. Software Assurance or an equivalent Server Subscription is required for customers to purchase Extended Security Updates on-premises and in hosted environments. Customers will be able to purchase Extended Security Updates via Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), and Enrollment for Education Solutions (EES). On Azure, customers do not need Software Assurance to get free Extended Security Updates, but Software Assurance or Server Subscription is required to take advantage of the Azure Hybrid Benefit.
->
+> In all cases, you are required to attest to their conformance with SA or SPLA. There is no exception for these requirements. Software Assurance or an equivalent Server Subscription is required for you to purchase Extended Security Updates on-premises and in hosted environments. You will be able to purchase Extended Security Updates from Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), and Enrollment for Education Solutions (EES). On Azure, you do not need Software Assurance to get free Extended Security Updates, but Software Assurance or Server Subscription is required to take advantage of the Azure Hybrid Benefit.
+>
-## Scenario based examples: Compliant and Cost Effective Licensing
+## Scenario based examples: Compliant and Cost Effective Licensing
### Scenario 1: Eight modern 32-core hosts (not Windows Server 2012). While each of these hosts are running four 8-core VMs, only one VM on each host is running Windows Server 2012 R2
-In this scenario, you can use virtual core-based licensing to avoid covering the entire host by provisioning eight Windows Server 2012 Standard licenses for eight virtual cores each and link each of those licenses to the VMs running Windows Server 2012 R2. Alternatively, you could consider consolidating your Windows Server 2012 R2 VMs into two of the hosts to take advantage of physical core-based licensing options.
+In this scenario, you can use virtual core-based licensing to avoid covering the entire host by provisioning eight Windows Server 2012 Standard licenses for eight virtual cores each and link each of those licenses to the VMs running Windows Server 2012 R2. Alternatively, you could consider consolidating your Windows Server 2012 R2 VMs into two of the hosts to take advantage of physical core-based licensing options.
### Scenario 2: A branch office with four VMs, each 8-cores, on a 32-core Windows Server 2012 Standard host
-In this case, you should provision two WS2012 Standard licenses for 16 physical cores each and apply to the four Arc-enabled servers. Alternatively, you could provision four WS2012 Standard licenses for eight virtual cores each and apply individually to the four Arc-enabled servers.
+In this case, you should provision two WS2012 Standard licenses for 16 physical cores each and apply to the four Arc-enabled servers. Alternatively, you could provision four WS2012 Standard licenses for eight virtual cores each and apply individually to the four Arc-enabled servers.
-### Scenario 3: Eight physical servers in retail stores, each server is standard with eight cores each and there's no virtualization
+### Scenario 3: Eight physical servers in retail stores, each server is standard with eight cores each and there's no virtualization
-In this scenario, you should apply eight WS2012 Standard licenses for 16 physical cores each and link each license to a physical server. Note that the 16 physical core minimum applies to the provisioned licenses.
+In this scenario, you should apply eight WS2012 Standard licenses for 16 physical cores each and link each license to a physical server. Note that the 16 physical core minimum applies to the provisioned licenses.
### Scenario 4: Multicloud environment with 12 AWS VMs, each of which have 12 cores and are running Windows Server 2012 R2 Standard In this scenario, you should apply 12 Windows Server 2012 Standard licenses with 12 virtual cores each, and link individually to each AWS VM.
-### Scenario 5: Customer has already purchased the traditional Windows Server 2012 ESUs through Volume Licensing
+### Scenario 5: You have already purchased the traditional Windows Server 2012 ESUs through Volume Licensing
-In this scenario, the Azure Arc-enabled servers that have been enrolled in Extended Security Updates through an activated MAK Key are as enrolled in ESUs in Azure portal. You have the flexibility to switch from this key-based traditional ESU model to WS2012 ESUs enabled by Azure Arc between Year 1 and Year 2.
+In this scenario, the Azure Arc-enabled servers that have been enrolled in Extended Security Updates through an activated MAK Key are as enrolled in ESUs in the Azure portal. You have the flexibility to switch from this key-based traditional ESU model to WS2012 ESUs enabled by Azure Arc between Year one and Year two.
### Scenario 6: Migrating or retiring your Azure Arc-enabled servers enrolled in Windows Server 2012 ESUs In this scenario, you can deactivate or decommission the ESU Licenses associated with these servers. If only part of the server estate covered by a license no longer requires ESUs, you can modify the ESU license details to reduce the number of associated cores. ### Scenario 7: 128-core Windows Server 2012 Datacenter server running between 10 and 15 Windows Server 2012 R2 VMs that get provisioned and deprovisioned regularly
-
-In this scenario, you should provision a Windows Server 2012 Datacenter license associated with 128 physical cores and link this license to the Arc-enabled Windows Server 2012 R2 VMs running on it. The deletion of the underlying VM also deletes the corresponding Arc-enabled server resource, enabling you to link another Arc-enabled server.
+
+In this scenario, you should provision a Windows Server 2012 Datacenter license associated with 128 physical cores and link this license to the Arc-enabled Windows Server 2012 R2 VMs running on it. The deletion of the underlying VM also deletes the corresponding Arc-enabled server resource, enabling you to link another Arc-enabled server.
### Scenario 8: A insurance customer is running a 16 node VMware cluster with 1024 cores, licensed with Windows Server Datacenter for maximum virtualization use rights. There are 120 Windows VMs ranging from 4 to 12 cores, with 44 Windows Server 2012 R2 machines with a total of 506 cores.
-In this scenario, the customer should purchase an Arc ESU Windows Server 2012 Datacenter edition license associated with 506 physical cores and link this license to their 44 machines. Each of the 44 machines should be onboarded to Azure Arc, and can be onboarded at scale with Arc-enabled VMware vSphere. If the customer migrates to AVS, these servers will be eligible for free WS2012 ESUs.
+In this scenario, you should purchase an Arc ESU Windows Server 2012 Datacenter edition license associated with 506 physical cores and link this license to their 44 machines. Each of the 44 machines should be onboarded to Azure Arc, and can be onboarded at scale with Arc-enabled VMware vSphere (AVS). If you migrate to AVS, these servers are eligible for free WS2012 ESUs.
## Next steps
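Review bot: Scenario 8 now reads "onboarded at scale with Arc-enabled VMware vSphere (AVS)", but AVS is Azure VMware Solution, a different product from Azure Arc-enabled VMware vSphere, and the next sentence ("If you migrate to AVS, these servers are eligible for free WS2012 ESUs") only makes sense for Azure VMware Solution; suggest `...can be onboarded at scale with Azure Arc-enabled VMware vSphere. If you migrate to Azure VMware Solution (AVS), these servers are eligible for free WS2012 ESUs.` The same paragraph keeps "link this license to their 44 machines" after the switch to second person (should be "your 44 machines"), and the heading still says "A insurance customer". In the Scenario 5 rewrite, "are as enrolled in ESUs in the Azure portal" is missing a word (probably "are shown as enrolled"), and "Year one and Year two" reads better as "Year 1 and Year 2", matching the numerals used everywhere else on the page. The opening paragraph's rewrite also has a pronoun mismatch: "you are required to attest to their conformance" should be "your conformance".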
azure-arc Vmware Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/vmware-faq.md
Title: Azure Arc-enabled servers VMware Frequently Asked Questions description: Learn how to use Azure Arc-enabled servers on virtual machines running in VMware vSphere environments. Previously updated : 08/10/2023 Last updated : 09/14/2023
The easiest way to think of this is as follows:
- Azure Arc-enabled VMware vSphere is a superset of Arc-enabled servers that extends management capabilities beyond the guest operating system to the VM itself. This provides lifecycle management and CRUD (Create, Read, Update, and Delete) operations on a VMware vSphere VM. These lifecycle management capabilities are exposed in the Azure portal and look and feel just like a regular Azure VM. See [What is Azure Arc-enabled VMware vSphere](../vmware-vsphere/overview.md) to learn more.
-> [!NOTE]
-> Azure Arc-enabled VMware vSphere also provides guest operating system managementΓÇöin fact, it uses the same components as Azure Arc-enabled servers. However, during Public Preview, not all [Azure services supported by Azure Arc-enabled servers](./manage-vm-extensions.md) are available for Arc-enabled VMware vSphere - currently, Azure Monitor, Update Management, and Microsoft Defender for Cloud are not supported. In addition, Arc-enabled VMware vSphere is [supported by Azure VMware Solution (AVS)](../../azure-vmware/deploy-arc-for-azure-vmware-solution.md).
- ## Can I use Azure Arc-enabled server on VMs running in VMware environments? Yes. Azure Arc-enabled servers work with VMs running in an on-premises VMware vSphere environment as well as Azure VMware Solution (AVS) and support the full breadth of guest management capabilities across security, monitoring, and governance.
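Review bot: Deleting this note and the FAQ entry removes two statements readers may still rely on: that Azure Monitor, Update Management and Microsoft Defender for Cloud were not available for Arc-enabled VMware vSphere, and the answer to whether Arc-enabled servers work on on-premises VMware and Azure VMware Solution VMs with full guest management. If the service limitation has since been lifted, the surviving text should say so explicitly rather than going silent on it; if the question was moved to another article, leave a link in its place so the "superset of Arc-enabled servers" sentence above it doesn't dangle.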
azure-cache-for-redis Cache Tutorial Aks Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-tutorial-aks-get-started.md
+
+ Title: 'Tutorial: Get started connecting an AKS application to a cache'
+description: In this tutorial, you learn how to connect your AKS-hosted application to an Azure Cache for Redis instance.
+++++ Last updated : 08/15/2023
+#CustomerIntent: As a developer, I want to see how to use a Azure Cache for Redis instance with an AKS container so that I see how I can use my cache instance with a Kubernetes cluster.
+++
+# Tutorial: Connect to Azure Cache for Redis from your application hosted on Azure Kubernetes Service
+
+In this tutorial, you adapt the [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master) to use with an Azure Cache for Redis instance instead. The original sample uses a Redis cache deployed as a container to your AKS cluster. Following some simple steps, you can configure the AKS sample voting application to connect to your Azure Cache for Redis instance.
+
+## Prerequisites
+
+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- An Azure Kubernetes Service Cluster - For more information on creating a cluster, see [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal).
+
+> [!IMPORTANT]
+> This tutorial assumes that you are familiar with basic Kubernetes concepts like containers, pods and service.
+
+## Set up an Azure Cache for Redis instance
+
+1. Create a new Azure Cache for Redis instance by using the Azure portal or your preferred CLI tool. Use the [quickstart guide](quickstart-create-redis.md) to get started.
+
+ For this tutorial, use a Standard C1 cache.
+ :::image type="content" source="media/cache-tutorial-aks-get-started/cache-new-instance.png" alt-text="Screenshot of creating a Standard C1 cache in the Azure portal":::
+
+1. On the **Advanced** tab, enable **Non-TLS port**.
+ :::image type="content" source="media/cache-tutorial-aks-get-started/cache-non-tls.png" alt-text="Screenshot of the Advanced tab with Non-TLS enabled during cache creation.":::
+
+1. Follow the steps through to create the cache.
+
+> [!IMPORTANT]
+> This tutorial uses a non-TLS port for demonstration, but we highly recommend that you use a TLS port for anything in production.
+
+Creating the cache can take a few minutes. You can move to the next section while the process finishes.
+
+## Install and connect to your AKS cluster
+
+In this section, you first install the Kubernetes CLI and then connect to an AKS cluster.
+
+### Install the Kubernetes CLI
+
+Use the Kubernetes CLI, _kubectl_, to connect to the Kubernetes cluster from your local computer. If you're running locally, then you can use the following command to install _kubectl_.
+
+```bash
+az aks install-cli
+```
+
+If you use Azure Cloud Shell, _kubectl_ is already installed, and you can skip this step.
+
+### Connect to your AKS cluster
+
+Use the portal to copy the resource group and cluster name for your AKS cluster. To configure _kubectl_ to connect to your AKS cluster, use the following command with your resource group and cluster name:
+
+```bash
+ az aks get-credentials --resource-group myResourceGroup --name myClusterName
+ ```
+
+Verify that you're able to connect to your cluster by running the following command:
+
+```bash
+kubectl get nodes
+```
+
+You should see similar output showing the list of your cluster nodes.
+
+```output
+NAME STATUS ROLES AGE VERSION
+aks-agentpool-21274953-vmss000001 Ready agent 1d v1.24.15
+aks-agentpool-21274953-vmss000003 Ready agent 1d v1.24.15
+aks-agentpool-21274953-vmss000006 Ready agent 1d v1.24.15
+```
+
+## Update the voting application to use Azure Cache for Redis
+
+Use the [.yml file](https://github.com/Azure-Samples/azure-voting-app-redis/blob/master/azure-vote-all-in-one-redis.yaml) in the sample for reference.
+
+Make the following changes to the deployment file before you save the file as _azure-vote-sample.yaml_.
+
+1. Remove the deployment and service named `azure-vote-back`. This deployment is used to deploy a Redis container to your cluster that is not required when using Azure Cache for Redis.
+
+2. Replace the value `REDIS` variable from "azure-vote-back" to the _hostname_ of the Azure Cache for Redis instance that you created earlier. This change indicates that your application should use Azure Cache for Redis instead of a Redis container.
+
+3. Define variable named `REDIS_PWD`, and set the value to the _access key_ for the Azure Cache for Redis instance that you created earlier.
+
+After all the changes, the deployment file should look like following file with your _hostname_ and _access key_. Save your file as _azure-vote-sample.yaml_.
+
+```YAML
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: azure-vote-front
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: azure-vote-front
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ minReadySeconds: 5
+ template:
+ metadata:
+ labels:
+ app: azure-vote-front
+ spec:
+ nodeSelector:
+ "kubernetes.io/os": linux
+ containers:
+ - name: azure-vote-front
+ image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
+ ports:
+ - containerPort: 80
+ resources:
+ requests:
+ cpu: 250m
+ limits:
+ cpu: 500m
+ env:
+ - name: REDIS
+ value: myrediscache.redis.cache.windows.net
+ - name: REDIS_PWD
+ value: myrediscacheaccesskey
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: azure-vote-front
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 80
+ selector:
+ app: azure-vote-front
+```
+
+## Deploy and test your application
+
+Run the following command to deploy this application to your AKS cluster:
+
+```bash
+kubectl apply -f azure-vote-sample.yaml
+```
+
+You get a response indicating your deployment and service was created:
+
+```output
+deployment.apps/azure-vote-front created
+service/azure-vote-front created
+```
+
+To test the application, run the following command to check if the pod is running:
+
+```bash
+kubectl get pods
+```
+
+You see your pod running successfully like:
+
+```output
+NAME READY STATUS RESTARTS AGE
+azure-vote-front-7dd44597dd-p4cnq 1/1 Running 0 68s
+```
+
+Run the following command to get the endpoint for your application:
+
+```bash
+kubectl get service azure-vote-front
+```
+
+You might see that the EXTERNAL-IP has status `<pending>` for a few minutes. Keep retrying until the status is replaced by an IP address.
+
+```output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+azure-vote-front LoadBalancer 10.0.166.147 20.69.136.105 80:30390/TCP 90s
+```
+
+Once the External-IP is available, open a web browser to the External-IP address of your service and you see the application running as follows:
++
+## Clean up your deployment
+
+To clean up your cluster, run the following commands:
+
+```bash
+kubectl delete deployment azure-vote-front
+kubectl delete service azure-vote-front
+```
++
+## Related content
+
+- [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal)
+- [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master)
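Review bot: The manifest embeds the cache access key directly in the Deployment as `- name: REDIS_PWD` / `value: myrediscacheaccesskey`, so anyone who can read the committed YAML or run `kubectl get deployment -o yaml` gets the key, and it is then sent in the clear over the non-TLS port the tutorial enables. Have step 3 of "Update the voting application" create a Kubernetes Secret (`kubectl create secret generic redis-auth --from-literal=REDIS_PWD=<access-key>`) and reference it with `valueFrom.secretKeyRef` instead of a literal `value:`. Second, as rendered there is no `---` between the end of the Deployment and the `apiVersion: v1` / `kind: Service` block; if that separator is absent from the file, `kubectl apply -f azure-vote-sample.yaml` will not parse the second object. Third, the Important box about the non-TLS port sits after the step that enables it; a one-line warning belongs next to step 2 of "Set up an Azure Cache for Redis instance". Last, "Clean up your deployment" only deletes the Deployment and Service and leaves the cache (with its non-TLS port open) running; add a step to delete the cache, or at least to disable the non-TLS port, and note that the cache is the billable resource.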
azure-functions Functions Deployment Technologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-deployment-technologies.md
You can use a few different technologies to deploy your Azure Functions project
## Deployment methods
-The deployment technology you use to publish code to Azure is generally determined by the way in which you publish your app. The appropriate deployment method is determined by specific needs and the point in the development cycle. For example, during development and testing you may deploy directly from your development tool, such as Visual Studio Code. When your app is in production, you are more likely to publish continuously from source control or by using an automated publishing pipeline, which includes additional validation and testing.
+The deployment technology you use to publish code to your function app in Azure depends on your specific needs and the point in the development cycle. For example, during development and testing you may deploy directly from your development tool, such as Visual Studio Code. When your app is in production, you're more likely to publish continuously from source control or by using an automated publishing pipeline, which can include validation and testing.
-The following table describes the available deployment methods for your Function project.
+The following table describes the available deployment methods for your code project.
| Deployment&nbsp;type | Methods | Best for... |
-| -- | -- | -- |
-| Tools-based | &bull;&nbsp;[Visual&nbsp;Studio&nbsp;Code&nbsp;publish](functions-develop-vs-code.md#publish-to-azure)<br/>&bull;&nbsp;[Visual Studio publish](functions-develop-vs.md#publish-to-azure)<br/>&bull;&nbsp;[Core Tools publish](functions-run-local.md#publish) | Deployments during development and other ad hoc deployments. Deployments are managed locally by the tooling. |
+| | | |
+| Tools-based | &bull;&nbsp;[Visual&nbsp;Studio&nbsp;Code&nbsp;publish](functions-develop-vs-code.md#publish-to-azure)<br/>&bull;&nbsp;[Visual Studio publish](functions-develop-vs.md#publish-to-azure)<br/>&bull;&nbsp;[Core Tools publish](functions-run-local.md#publish) | Deployments during development and other improvised deployments. Deploying your code on-demand using [local development tools](functions-develop-local.md#local-development-environments). |
| App Service-managed| &bull;&nbsp;[Deployment&nbsp;Center&nbsp;(CI/CD)](functions-continuous-deployment.md)<br/>&bull;&nbsp;[Container&nbsp;deployments](./functions-how-to-custom-container.md#enable-continuous-deployment-to-azure) | Continuous deployment (CI/CD) from source control or from a container registry. Deployments are managed by the App Service platform (Kudu).|
-| External pipelines|&bull;&nbsp;[Azure Pipelines](functions-how-to-azure-devops.md)<br/>&bull;&nbsp;[GitHub Actions](functions-how-to-github-actions.md) | Production and Azure pipelines that include additional validation, testing, and other actions be run as part of an automated deployment. Deployments are managed by the pipeline. |
+| External pipelines|&bull;&nbsp;[Azure Pipelines](functions-how-to-azure-devops.md)<br/>&bull;&nbsp;[GitHub Actions](functions-how-to-github-actions.md) | Production pipelines that include validation, testing, and other actions that must be run as part of an automated deployment. Deployments are managed by the pipeline. |
-While specific Functions deployments use the best technology based on their context, most deployment methods are based on [zip deployment](#zip-deploy).
+Specific deployments should use the best technology based on the specific scenario. Many of the deployment methods are based on [zip deployment](#zip-deploy), which is recommended for deployment.
## Deployment technology availability
-Azure Functions supports cross-platform local development and hosting on Windows and Linux. Currently, three hosting plans are available:
+The deployment method also depends on the hosting plan and operating system on which you run your function app.
+Currently, Functions offers three hosting plans:
+ [Consumption](consumption-plan.md) + [Premium](functions-premium-plan.md) + [Dedicated (App Service)](dedicated-plan.md)
-Each plan has different behaviors. Not all deployment technologies are available for each flavor of Azure Functions. The following chart shows which deployment technologies are supported for each combination of operating system and hosting plan:
+Each plan has different behaviors. Not all deployment technologies are available for each hosting plan and operating system. This chart provides information on the supported deployment technologies:
| Deployment technology | Windows Consumption | Windows Premium | Windows Dedicated | Linux Consumption | Linux Premium | Linux Dedicated | |--|:-:|:-:|::|::|:-:|::|
-| External package URL<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
-| Zip deploy |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
-| Docker container | | | | |Γ£ö|Γ£ö|
-| Web Deploy |Γ£ö|Γ£ö|Γ£ö| | | |
-| Source control |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
-| Local Git<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
-| Cloud sync<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
-| FTP<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
-| In-portal editing<sup>2</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö<sup>3</sup>|Γ£ö<sup>3</sup>|
-
-<sup>1</sup> Deployment technology that requires [manual trigger syncing](#trigger-syncing).
+| [External package URL](#external-package-url)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+| [Zip deploy](#zip-deploy) |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+| [Docker container](#docker-container) | | | | |Γ£ö|Γ£ö|
+| [Web Deploy](#web-deploy-msdeploy) |Γ£ö|Γ£ö|Γ£ö| | | |
+| [Source control](#source-control) |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
+| [Local Git](#local-git)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
+| [Cloud sync](#cloud-sync)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
+| [FTPS](#ftps)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|
+| [In-portal editing](#portal-editing)<sup>2</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö<sup>3</sup>|Γ£ö<sup>3</sup>|
+
+<sup>1</sup> Deployment technologies that require you to [manually sync triggers](#trigger-syncing) aren't recommended.
<sup>2</sup> In-portal editing is disabled when code is deployed to your function app from outside the portal. For more information, including language support details for in-portal editing, see [Language support details](supported-languages.md#language-support-details). <sup>3</sup> In-portal editing is enabled only for HTTP and Timer triggered functions running on Linux in Premium and Dedicated plans.
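Review bot: The deployment-methods table's delimiter row was replaced: `| -- | -- | -- |` became `| | | |`, which Markdown does not treat as a header separator, so the "Deployment type / Methods / Best for..." table will no longer render as a table. Restore `| -- | -- | -- |`. Also, the FTP row was renamed to `[FTPS](#ftps)` while the heading below is `### FTP/S`; that resolves only if the renderer drops the slash when generating the anchor, so confirm the link lands on the section.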
When you change any of your triggers, the Functions infrastructure must be aware
+ Restart your function app in the Azure portal. + Send an HTTP POST request to `https://{functionappname}.azurewebsites.net/admin/host/synctriggers?code=<API_KEY>` using the [master key](functions-bindings-http-webhook-trigger.md#authorization-keys).
-+ Send an HTTP POST request to `https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Web/sites/<FUNCTION_APP_NAME>/syncfunctiontriggers?api-version=2016-08-01`. Replace the placeholders with your subscription ID, resource group name, and the name of your function app.
++ Send an HTTP POST request to `https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Web/sites/<FUNCTION_APP_NAME>/syncfunctiontriggers?api-version=2016-08-01`. Replace the placeholders with your subscription ID, resource group name, and the name of your function app. This request requires an [access token](/rest/api/azure/#acquire-an-access-token) in the [`Authorization` request header](/rest/api/azure/#request-header).
-When you deploy using an external package URL and the contents of the package change but the URL itself doesn't change, you need to manually restart your function app to fully sync your updates.
+When you deploy using an external package URL, you need to manually restart your function app to fully sync your updates when the package changes without changing the URL.
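Review bot: The added sentence about the `Authorization` header is the right fix for the ARM `syncfunctiontriggers` option, but the host option on the line above still shows the master key passed as `?code=<API_KEY>` in the URL, where it ends up in proxy and access logs; mention that the key can be sent in the `x-functions-key` request header instead, which is the form the linked authorization-keys article already describes for function keys.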
### Remote build Azure Functions can automatically perform builds on the code it receives after zip deployments. These builds behave slightly differently depending on whether your app is running on Windows or Linux.
-# [Windows](#tab/windows)
+#### [Windows](#tab/windows)
All function apps running on Windows have a small management app, the SCM site provided by [Kudu](https://github.com/projectkudu/kudu). This site handles much of the deployment and build logic for Azure Functions. When an app is deployed to Windows, language-specific commands, like `dotnet restore` (C#) or `npm install` (JavaScript) are run.
-# [Linux](#tab/linux)
+#### [Linux](#tab/linux)
-To enable remote build on Linux, you must set the following in your application settings:
+To enable remote build on Linux, you must set these application settings:
+ [`ENABLE_ORYX_BUILD=true`](functions-app-settings.md#enable_oryx_build) + [`SCM_DO_BUILD_DURING_DEPLOYMENT=true`](functions-app-settings.md#scm_do_build_during_deployment)
The following considerations apply when using remote builds during deployment:
### App content storage
-Several deployment methods store the deployed or built application payload on the storage account associated with the function app. The Azure Files content share is generally used if configured, but some methods will instead store the payload in the blob store associated with the `AzureWebJobsStorage` connection. See the details in the "Where app content is stored" paragraphs of each deployment technology covered in the next section.
+Several deployment methods store the deployed or built application payload on the storage account associated with the function app. Functions tries to use the Azure Files content share when configured, but some methods instead store the payload in the blob storage instance associated with the `AzureWebJobsStorage` connection. See the details in the _Where app content is stored_ paragraphs of each deployment technology covered in the next section.
[!INCLUDE [functions-storage-access-note](../../includes/functions-storage-access-note.md)]
You can use local Git to push code from your local machine to Azure Functions by
>__How to use it:__ Follow the instructions in [Local Git deployment to Azure App Service](../app-service/deploy-local-git.md).
->__When to use it:__ In general, we recommend that you use a different deployment method. When you publish from local Git, you must [manually sync triggers](#trigger-syncing).
+>__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible.
>__Where app content is stored:__ App content is stored on the file system, which may be backed by Azure Files from the storage account specified when the function app was created.
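Review bot: The new "When to use it" text links the words "zip deployment" to `run-functions-from-deployment-package.md`, which according to the Next steps list at the end of this article is "Run your Azure Functions from a package file", while zip deployment itself is `deployment-zip-push.md` (also in that list). The same replacement text appears in the Cloud sync and FTP/S sections below; point all three at `deployment-zip-push.md` or at the in-page `#zip-deploy` anchor the availability table already uses, or change the link text if run-from-package is what is really being recommended.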
Use cloud sync to sync your content from Dropbox and OneDrive to Azure Functions
>__How to use it:__ Follow the instructions in [Sync content from a cloud folder](../app-service/deploy-content-sync.md).
->__When to use it:__ In general, we recommend other deployment methods. When you publish by using cloud sync, you must [manually sync triggers](#trigger-syncing).
+>__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible.
>__Where app content is stored:__ The app content is in the cloud store, but a local copy is stored on the app file system, which may be backed by Azure Files from the storage account specified when the function app was created.
-### FTP
+### FTP/S
-You can use FTP to directly transfer files to Azure Functions.
+You can use FTP/S to directly transfer files to Azure Functions, although this deployment method isn't recommended. When you're not planning on using FTP, you should disable it. If you do choose to use FTP, you should enforce FTPS. To learn how in the Azure portal, see [Enforce FTPS](../app-service/deploy-ftp.md#enforce-ftps).
->__How to use it:__ Follow the instructions in [Deploy content by using FTP/s](../app-service/deploy-ftp.md).
+>__How to use it:__ Follow the instructions in [FTPS deployment settings](functions-how-to-use-azure-function-app-settings.md#ftps-deployment-settings) to get the URL and credentials you can use to deploy to your function app using FTPS.
->__When to use it:__ In general, we recommend other deployment methods. When you publish by using FTP, you must [manually sync triggers](#trigger-syncing).
+>__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible.
>__Where app content is stored:__ App content is stored on the file system, which may be backed by Azure Files from the storage account specified when the function app was created.
You can use FTP to directly transfer files to Azure Functions.
In the portal-based editor, you can directly edit the files that are in your function app (essentially deploying every time you save your changes).
->__How to use it:__ To be able to edit your functions in the [Azure portal](https://portal.azure.com), you must have [created your functions in the portal](./functions-get-started.md). To preserve a single source of truth, using any other deployment method makes your function read-only and prevents continued portal editing. To return to a state in which you can edit your files in the Azure portal, you can manually turn the edit mode back to `Read/Write` and remove any deployment-related application settings (like [`WEBSITE_RUN_FROM_PACKAGE`](functions-app-settings.md#website_run_from_package).
+>__How to use it:__ To be able to edit your functions in the [Azure portal](https://portal.azure.com), you must have [created your functions in the portal](./functions-get-started.md). To preserve a single source of truth, using any other deployment method makes your function read-only and prevents continued portal editing. To return to a state in which you can edit your files in the Azure portal, you can manually turn the edit mode back to `Read/Write` and remove any deployment-related application settings (like [`WEBSITE_RUN_FROM_PACKAGE`](functions-app-settings.md#website_run_from_package)).
>__When to use it:__ The portal is a good way to get started with Azure Functions. For more advanced development work, we recommend that you use one of the following client tools: >
The following table shows the operating systems and languages that support in-po
## Deployment behaviors
-When you deploy updates to your function app code, currently executing functions are terminated. After deployment completes, the new code is loaded to begin processing requests. Please review [Improve the performance and reliability of Azure Functions](performance-reliability.md#write-functions-to-be-stateless) to learn how to write stateless and defensive functions.
+When you deploy updates to your function app code, currently executing functions are terminated. After deployment completes, the new code is loaded to begin processing requests. Review [Improve the performance and reliability of Azure Functions](performance-reliability.md#write-functions-to-be-stateless) to learn how to write stateless and defensive functions.
If you need more control over this transition, you should use deployment slots.
When you deploy your function app to Azure, you can deploy to a separate deploym
Read these articles to learn more about deploying your function apps: + [Continuous deployment for Azure Functions](functions-continuous-deployment.md)
-+ [Continuous delivery by using Azure DevOps](functions-how-to-azure-devops.md)
++ [Continuous delivery by using Azure Pipelines](functions-how-to-azure-devops.md) + [Zip deployments for Azure Functions](deployment-zip-push.md) + [Run your Azure Functions from a package file](run-functions-from-deployment-package.md) + [Automate resource deployment for your function app in Azure Functions](functions-infrastructure-as-code.md)
azure-functions Functions How To Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-how-to-github-actions.md
Since GitHub Actions uses your publish profile to access your function app durin
### Download your publish profile
-To download the publishing profile of your function app:
-
-1. Select the function app's **Overview** page, and then select **Get publish profile**.
-
- :::image type="content" source="media/functions-how-to-github-actions/get-publish-profile.png" alt-text="Download publish profile":::
-
-1. Save and copy the contents of the file.
### Add the GitHub secret
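Review bot: After this removal the `### Download your publish profile` heading has no body and is immediately followed by `### Add the GitHub secret`, yet the sentence above still says GitHub Actions uses the publish profile to reach the function app. Either drop the heading as well or replace the deleted steps with a link or include pointing at wherever the download steps now live, and keep a warning alongside them that the file contains deployment credentials and must be protected once downloaded.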
azure-functions Functions How To Use Azure Function App Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-how-to-use-azure-function-app-settings.md
These settings are stored encrypted. To learn more, see [Application settings se
Application settings can be managed from the [Azure portal](functions-how-to-use-azure-function-app-settings.md?tabs=portal#settings) and by using the [Azure CLI](functions-how-to-use-azure-function-app-settings.md?tabs=azurecli#settings) and [Azure PowerShell](functions-how-to-use-azure-function-app-settings.md?tabs=powershell#settings). You can also manage application settings from [Visual Studio Code](functions-develop-vs-code.md#application-settings-in-azure) and from [Visual Studio](functions-develop-vs.md#function-app-settings).
-# [Portal](#tab/portal)
+### [Portal](#tab/portal)
To find the application settings, see [Get started in the Azure portal](#get-started-in-the-azure-portal).
To add a setting in the portal, select **New application setting** and add the n
![Function app settings in the Azure portal.](./media/functions-how-to-use-azure-function-app-settings/azure-function-app-settings-tab.png)
-# [Azure CLI](#tab/azure-cli)
+### [Azure CLI](#tab/azure-cli)
The [`az functionapp config appsettings list`](/cli/azure/functionapp/config/appsettings#az-functionapp-config-appsettings-list) command returns the existing application settings, as in the following example:
az functionapp config appsettings set --name <FUNCTION_APP_NAME> \
--settings CUSTOM_FUNCTION_APP_SETTING=12345 ```
-# [Azure PowerShell](#tab/azure-powershell)
+### [Azure PowerShell](#tab/azure-powershell)
The [`Get-AzFunctionAppSetting`](/powershell/module/az.functions/get-azfunctionappsetting) cmdlet returns the existing application settings, as in the following example:
Update-AzFunctionAppSetting -Name <FUNCTION_APP_NAME> -ResourceGroupName <RESOUR
When you develop a function app locally, you must maintain local copies of these values in the local.settings.json project file. To learn more, see [Local settings file](functions-develop-local.md#local-settings-file).
+## FTPS deployment settings
+
+Azure Functions supports deploying project code to your function app by using FTPS. Because this deployment method requires you to [sync triggers](functions-deployment-technologies.md#trigger-syncing), it's not recommended. To securely transfer project files, always use FTPS and not FTP.
+
+You can get the credentials required for FTPS deployment using one of these methods:
+
+### [Portal](#tab/portal)
+
+You can get the FTPS publishing credentials in the Azure portal by downloading the publishing profile for your function app.
+
+> [!IMPORTANT]
+> The publishing profile contains important security credentials. You should always secure the downloaded file on your local computer.
++
+3. In the file, locate the `publishProfile` element with the attribute `publishMethod="FTP"`. In this element, the `publishUrl`, `userName`, and `userPWD` attributes contain the target URL and credentials for FTPS publishing.
+
+### [Azure CLI](#tab/azure-cli)
+
+Run this Azure CLI command that returns the FTPS credentials from the publishing profile.
+
+```azurecli
+az functionapp deployment list-publishing-profiles --name <APP_NAME> --resource-group <GROUP_NAME> --query "[?publishMethod=='FTP'].{URL:publishUrl, username:userName, password:userPWD}" -o table
+```
+
+In this example, replace `<APP_NAME>` with your function app name and `<GROUP_NAME>` with the resource group. The returned `URL`, `username`, and `password` columns contain the target URL and credentials for FTPS publishing.
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+Run this Azure PowerShell command that returns the FTPS credentials from the publishing profile.
+
+```azurepowershell
+$profile = [xml](Get-AzWebAppPublishingProfile -ResourceGroupName "<GROUP_NAME>" -Name "<APP_NAME>" -Format "Ftp")
+$profile.publishData.publishProfile | Where-Object -Property publishMethod -eq Ftp | Select-Object -Property @{Name="URL"; Expression = {$_.publishUrl}},
+@{Name="username"; Expression = {$_.userName}}, @{Name="password"; Expression = {$_.userPWD}} | Format-Table
+```
+
+In this example, replace `<APP_NAME>` with your function app name and `<GROUP_NAME>` with the resource group. The returned `URL`, `username`, and `password` columns contain the target URL and credentials for FTPS publishing.
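Review bot: in the Azure PowerShell tab, `$profile` (line starting `$profile = [xml](Get-AzWebAppPublishingProfile ...`) shadows PowerShell's automatic `$PROFILE` variable (the path to the user's profile script); rename it to something like `$publishProfile` in both the assignment and the `$profile.publishData.publishProfile` pipeline. In the Portal tab, the list starts at step `3.` with no steps 1 and 2 in this hunk; if they come from an include placed at the `++` line, confirm it renders, otherwise the numbering is broken. Since both the CLI `--query` and the `Select-Object` projection print `userPWD` to the console, consider adding one sentence beside the existing `[!IMPORTANT]` note that the returned password also ends up in terminal scrollback and transcript logs and should be treated like the downloaded profile.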
+++ ## Hosting plan type When you create a function app, you also create a hosting plan in which the app runs. A plan can have one or more function apps. The functionality, scaling, and pricing of your functions depend on the type of plan. To learn more, see [Azure Functions hosting options](functions-scale.md).
The following values indicate the plan type:
| [Premium](functions-premium-plan.md) | **ElasticPremium** | `ElasticPremium` | | [Dedicated (App Service)](dedicated-plan.md) | Various | Various |
-# [Portal](#tab/portal)
+### [Portal](#tab/portal)
To determine the type of plan used by your function app, see **App Service plan** in the **Overview** tab for the function app in the [Azure portal](https://portal.azure.com). To see the pricing tier, select the name of the **App Service Plan**, and then select **Properties** from the left pane. ![View scaling plan in the portal](./media/functions-scale/function-app-overview-portal.png)
-# [Azure CLI](#tab/azure-cli)
+### [Azure CLI](#tab/azure-cli)
Run the following Azure CLI command to get your hosting plan type:
azure-functions Security Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/security-concepts.md
At this time, Key Vault isn't supported for deployment credentials. To learn mor
By default, each function app has an FTP endpoint enabled. The FTP endpoint is accessed using deployment credentials.
-FTP isn't recommended for deploying your function code. FTP deployments are manual, and they require you to synchronize triggers. To learn more, see [FTP deployment](functions-deployment-technologies.md#ftp).
+FTP isn't recommended for deploying your function code. FTP deployments are manual, and they require you to synchronize triggers. To learn more, see [FTP deployment](functions-deployment-technologies.md#ftps).
When you're not planning on using FTP, you should disable it in the portal. If you do choose to use FTP, you should [enforce FTPS](../app-service/deploy-ftp.md#enforce-ftps).
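Review bot: the link anchor is changed from `#ftp` to `#ftps` but the link text still reads "FTP deployment", and the surrounding sentences keep saying "FTP endpoint" and "FTP deployments"; with the target section renamed, use "FTPS deployment" in the link text and say "FTP/FTPS endpoint" once so the enforce-FTPS recommendation on the next line does not read as a contradiction.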
azure-maps Azure Maps Qps Rate Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/azure-maps-qps-rate-limits.md
# Azure Maps QPS rate limits Azure Maps doesn't have any maximum daily limits on the number of requests that can be made, however there are limits to the maximum number of queries per second (QPS).
+> [!NOTE]
+>
+> **Azure Maps Gen1 price tier retirement**
+>
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].
The following list shows the QPS usage limits for each Azure Maps service by Pricing Tier.
The following list shows the QPS usage limits for each Azure Maps service by Pri
When QPS limits are reached, an HTTP 429 error is returned. If you're using the Gen 2 or Gen 1 S1 pricing tiers, you can create an Azure Maps *Technical* Support Request in the [Azure portal] to increase a specific QPS limit if needed. QPS limits for the Gen 1 S0 pricing tier can't be increased. [Azure portal]: https://portal.azure.com/
+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
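Review bot: the retirement date is written as `9/15/26`, which is ambiguous outside the US; spell it out as `September 15, 2026` here and in the identical notes this commit adds to the other Azure Maps articles. The apostrophe in `itΓÇÖs` renders as mojibake in this view; confirm the committed file uses a plain `'` like the surrounding `you're`/`can't`. The new note also writes `Gen1`/`Gen2` while the unchanged line below still says `Gen 2 or Gen 1 S1`; pick one spelling for the article.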
azure-maps Choose Map Style https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/choose-map-style.md
The following image shows the style picker control displayed in `list` layout.
:::image type="content" source="./media/choose-map-style/style-picker-list-layout.png" alt-text="Style picker list layout"::: > [!IMPORTANT]
-> By default the style picker control lists all the styles available under the S0 pricing tier of Azure Maps. If you want to reduce the number of styles in this list, pass an array of the styles you want to appear in the list into the `mapStyle` option of the style picker. If you are using Gen 1 (S1) or Gen 2 pricing tier and want to show all available styles, set the `mapStyles` option of the style picker to `"all"`.
+> By default the style picker control lists all the styles available under the Gen1 (S0) pricing tier of Azure Maps. If you want to reduce the number of styles in this list, pass an array of the styles you want to appear in the list into the `mapStyle` option of the style picker. If you are using Gen1 (S1) or Gen2 pricing tier and want to show all available styles, set the `mapStyles` option of the style picker to `"all"`.
+>
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].
The following code shows you how to override the default `mapStyles` base style list. In this example, we're setting the `mapStyles` option to list the base styles to display in the style picker control.
See the following articles for more code samples to add to your maps:
[style options]: /javascript/api/azure-maps-control/atlas.styleoptions [base map styles]: supported-map-styles.md
+[Add a bubble layer]: map-add-bubble-layer.md
+[Add a symbol layer]: map-add-pin.md
+[Add map controls]: map-add-controls.md
+[Azure Maps Samples]: https://samples.azuremaps.com
[grayscale_dark]: supported-map-styles.md#grayscale_dark
+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
+[Map style options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Map/Map%20style%20options/Map%20style%20options.html
+[Map style options]: https://samples.azuremaps.com/map/map-style-options
+[Map]: /javascript/api/azure-maps-control/atlas.map
[setStyle]: /javascript/api/azure-maps-control/atlas.map#azure-maps-control-atlas-map-setstyle [Style Control Options]: /javascript/api/azure-maps-control/atlas.stylecontroloptions
-[Map]: /javascript/api/azure-maps-control/atlas.map
-[StyleOptions]: /javascript/api/azure-maps-control/atlas.styleoptions
[StyleControl]: /javascript/api/azure-maps-control/atlas.control.stylecontrol [StyleControlOptions]: /javascript/api/azure-maps-control/atlas.stylecontroloptions
-[Add map controls]: map-add-controls.md
-[Add a symbol layer]: map-add-pin.md
-[Add a bubble layer]: map-add-bubble-layer.md
-[Map style options]: https://samples.azuremaps.com/map/map-style-options
-[Map style options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Map/Map%20style%20options/Map%20style%20options.html
-[Azure Maps Samples]: https://samples.azuremaps.com
+[StyleOptions]: /javascript/api/azure-maps-control/atlas.styleoptions
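Review bot: the rewritten IMPORTANT line still names the option two different ways: "pass an array ... into the `mapStyle` option" and, in the next sentence, "set the `mapStyles` option"; the context line below (`override the default `mapStyles` base style list`) and the `[Style Control Options]` reference use `mapStyles`, so the first occurrence should be `mapStyles` as well. The retirement paragraph is appended inside an `[!IMPORTANT]` block that is otherwise about the style picker; it reads better as its own `[!NOTE]` as done in the other articles of this commit.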
azure-maps Choose Pricing Tier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/choose-pricing-tier.md
- Title: Choose the right pricing tier for Microsoft Azure Maps
-description: Learn about Azure Maps pricing tiers. See which features are offered at which tiers, and view key considerations for choosing a pricing tier.
-- Previously updated : 11/11/2021-----
-# Choose the right pricing tier in Azure Maps
-
-Azure Maps now offers two pricing tiers: Gen 1 and Gen 2. The new Gen 2 pricing tier contains all Azure Maps capabilities included in the Gen 1 tier, but with increased QPS (Queries Per Second) limits, allowing you to achieve cost savings as Azure Maps transactions increase. This article helps you determine the right pricing tier for your needs.
-
-## Pricing tier targeted customers
-
-The following **pricing tier targeted customers** table shows the Gen 1 and Gen 2 pricing tiers. For more information, see [Azure Maps pricing]. If you're a current Azure Maps customer, you can learn how to change from Gen 1 to Gen 2 pricing in the [Manage the pricing tier of your Azure Maps account] article.
-
-| Pricing tier | SKU | Targeted Customers|
-||::| |
-|**Gen 1**|S0| The S0 pricing tier works for applications in all stages of production: from proof-of-concept development and early stage testing to application production and deployment. However, this tier is designed for small-scale development, or customers with low concurrent users, or both. S0 has a restriction of 50 QPS for all services combined.
-| |S1| The S1 pricing tier is for customers with large-scale enterprise applications, mission-critical applications, or high volumes of concurrent users. It's also for those customers who require advanced geospatial services.
-| **Gen 2** | Maps/Location Insights | Gen 2 pricing is for new and current Azure Maps customers. Gen 2 comes with a free monthly tier of transactions to be used to test and build on Azure maps. Maps and Location Insights SKUs contain all Azure Maps capabilities. It allows you to achieve cost savings as Azure Maps transactions increases. Additionally, it has higher QPS limits than Gen 1. The Gen 2 pricing tier is required when using [Creator for indoor maps].
-
-For more information on QPS limits, see [Azure Maps QPS rate limits].
-
-For pricing information on [Creator for indoor maps], see the *Creator* section in [Azure Maps pricing].
-
-## Next steps
-
-Learn more about how to view and change pricing tiers:
-
-> [!div class="nextstepaction"]
-> [Manage the pricing tier of your Azure Maps account]
-
-[Azure Maps pricing]: https://aka.ms/CreatorPricing
-[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
-[Creator for indoor maps]: creator-indoor-maps.md
-[Azure Maps QPS rate limits]: azure-maps-qps-rate-limits.md
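Review bot: this hunk deletes choose-pricing-tier.md outright; the commit removes the `[Choose the right pricing tier in Azure Maps]` references in the migrate-from-* articles and how-to-manage-pricing-tier.md, but the deleted page has a public URL, so a redirect entry pointing to how-to-manage-pricing-tier.md should accompany the deletion, and a repository-wide search for `choose-pricing-tier.md` should confirm no other article or TOC entry still links to it.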
azure-maps How To Manage Pricing Tier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-manage-pricing-tier.md
description: You can use the Azure portal to manage your Microsoft Azure Maps account and its pricing tier. Previously updated : 05/12/2020 Last updated : 09/14/2023
# Manage the pricing tier of your Azure Maps account
-You can manage the pricing tier of your Azure Maps account through the Azure portal. You can also view or change your account's pricing tier after you create an [Azure account].
-
-Get more information about [choosing the right pricing tier in Azure Maps].
+You can manage the pricing tier of your Azure Maps account through the [Azure portal] or an [Azure Resource Manager (ARM) template].
> [!NOTE]
-> Switching to Gen 1 pricing tier is not available for Gen 2 Azure Maps Creator customers. Gen 1 Azure Maps Creator will be deprecated on 8/6/2021.
-
-## View your pricing tier
-
-To view your chosen pricing tier, navigate to the **Pricing Tier** option in the settings menu.
-
+>
+> **Azure Maps Gen1 Price Tier Retirement**
+>
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated.
+>
+> After 9/14/23, Gen1 pricing tier will no longer be available when creating new Azure Maps accounts via the Azure Portal. After 10/12/23, Gen1 pricing tier will no longer be available when creating new Azure Maps accounts using ARM templates.
+>
+> For more information on Gen2 pricing tier, see [Azure Maps pricing].
## Change a pricing tier
-After you create your Azure Maps account, you can upgrade or downgrade the pricing tier for your Azure Maps account. To upgrade or downgrade, navigate to the **Pricing Tier** option in the settings menu. Select the pricing tier from drop down list. Note ΓÇô current pricing tier is the default selection. Select the **Save** button to save your chosen pricing tier option.
+### Azure portal
+
+To change your pricing tier from Gen1 to Gen2 in the Azure Portal, navigate to the Pricing tier option in the settings menu of your Azure Maps account. Select Gen2 from the Pricing tier drop-down list then the Save button.
> [!NOTE]
-> You don't have to generate new subscription keys or client ID (for Azure AD authentication) if you upgrade or downgrade the pricing tier for your Azure Maps account.
+> You don't have to generate new subscription keys, client ID (for Azure AD authentication) or shared access signature (SAS) tokens if you change the pricing tier for your Azure Maps account.
:::image type="content" source="./media/how-to-manage-pricing-tier/change-pricing-tier.png" border="true" alt-text="Change a pricing tier":::
+### ARM template
+
+To change your pricing tier from Gen1 to Gen2 in the ARM template, update `pricingTier` to **G2** and `kind` to **Gen2**. For more info on using ARM templates, see [Create account with ARM template].
++
+<!
+```json
+ "pricingTier": {
+ "type": "string",
+ "allowedValues":[
+ "G2"
+ ],
+ "defaultValue": "G2",
+ "metadata": {
+ "description": "The pricing tier SKU for the account."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues":[
+ "Gen2"
+ ],
+ "defaultValue": "Gen2",
+ "metadata": {
+ "description": "The pricing tier for the account."
+ }
+ }
+```
+
+>
+ ## Next steps Learn how to see the API usage metrics for your Azure Maps account:
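Review bot: the JSON snippet is wrapped in `<!` on the line before the fence and `>` on the line after it, which looks like an unfinished HTML comment; if the intent is to show the `pricingTier`/`kind` fragment that the sentence above refers to, delete both markers, and if the intent is to hide it, use `<!--` and `-->` (and then the sentence should not promise an example). Within the snippet, `kind` carries the metadata description "The pricing tier for the account", the same thing `pricingTier` already says; "The kind of the account (Gen2)" would distinguish the two parameters.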
Learn how to see the API usage metrics for your Azure Maps account:
> [!div class="nextstepaction"] > [View usage metrics]
-[Azure account]: https://azure.microsoft.com/free/?WT.mc_id=A261C142F
+[Azure Maps pricing]: https://azure.microsoft.com/pricing/details/azure-maps/
+[Azure Portal]: https://portal.azure.com/
+[Azure Resource Manager (ARM) template]: how-to-create-template.md
+[Create account with ARM template]: how-to-create-template.md
[View usage metrics]: how-to-view-api-usage.md
-[choosing the right pricing tier in Azure Maps]: choose-pricing-tier.md
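Review bot: the `[Azure Maps pricing]` and `[Azure Portal]` definitions are added here while the intro line links `[Azure portal]` (lower-case p); reference labels are case-insensitive so this resolves, but the two definitions `[Azure Resource Manager (ARM) template]` and `[Create account with ARM template]` point at the same file (how-to-create-template.md), so one label would do.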
azure-maps How To Render Custom Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-render-custom-data.md
Use the Azure Maps [Data service] to store and render overlays.
## Render pushpins with labels and a custom image > [!NOTE]
-> The procedure in this section requires an Azure Maps account in the Gen 1 or Gen 2 pricing tier.
-The Azure Maps account Gen 1 Standard S0 tier supports only a single instance of the `pins` parameter. It allows you to render up to five pushpins, specified in the URL request, with a custom image.
+> The procedure in this section requires an Azure Maps account in the Gen1 or Gen2 pricing tier.
+The Azure Maps account Gen1 Standard S0 tier supports only a single instance of the `pins` parameter. It allows you to render up to five pushpins, specified in the URL request, with a custom image.
+>
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].
### Get static image with custom pins and labels
To get a static image with custom pins and labels:
## Upload pins and path data > [!NOTE]
-> The procedure in this section requires an Azure Maps account Gen 1 (S1) or Gen 2 pricing tier.
+> The procedure in this section requires an Azure Maps account Gen1 (S1) or Gen2 pricing tier.
In this section, you upload path and pin data to Azure Map data storage.
To render the uploaded pins and path data on the map:
## Render a polygon with color and opacity > [!NOTE]
-> The procedure in this section requires an Azure Maps account Gen 1 (S1) or Gen 2 pricing tier.
+> The procedure in this section requires an Azure Maps account Gen1 (S1) or Gen2 pricing tier.
You can modify the appearance of a polygon by using style modifiers with the [path parameter].
To render a polygon with color and opacity:
## Render a circle and pushpins with custom labels > [!NOTE]
-> The procedure in this section requires an Azure Maps account Gen 1 (S1) or Gen 2 pricing tier.
+> The procedure in this section requires an Azure Maps account Gen1 (S1) or Gen2 pricing tier.
You can modify the appearance of the pins by adding style modifiers. For example, to make pushpins and their labels larger or smaller, use the `sc` "scale style" modifier. This modifier takes a value that's greater than zero. A value of 1 is the standard scale. Values larger than 1 makes the pins larger, and values smaller than 1 makes them smaller. For more information about style modifiers, see [static image service path parameters].
Similarly, you can change, add, and remove other style modifiers.
> [!div class="nextstepaction"] > [Data service] - [Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account [Render - Get Map Image]: /rest/api/maps/render/getmapimage [Data service]: /rest/api/maps/data [Data Upload]: /rest/api/maps/data-v2/upload
+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
[path parameter]: /rest/api/maps/render/getmapimage#uri-parameters [Postman]: https://www.postman.com/ [Render service]: /rest/api/maps/render/get-map-image
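Review bot: the added line `The Azure Maps account Gen1 Standard S0 tier supports only a single instance of the `pins` parameter...` has no `>` prefix but sits between `>` lines with no blank line before it, so Markdown treats it as a lazy continuation of the `[!NOTE]` blockquote and the `pins` paragraph renders inside the note, followed by the retirement paragraph. Move the `> Gen1 pricing tier is now deprecated...` lines directly under the first `>` line and insert a blank line before the `pins` sentence.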
azure-maps How To Request Weather Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-request-weather-data.md
This video provides examples for making REST calls to Azure Maps Weather service
>[!VIDEO https://learn.microsoft.com/Shows/Internet-of-Things-Show/Azure-Maps-Weather-services-for-developers/player?format=ny]
+</br>
+ ## Prerequisites * An [Azure Maps account] * A [subscription key] >[!IMPORTANT]
- >The [Get Minute Forecast API] requires a Gen 1 (S1) or Gen 2 pricing tier. All other APIs require an S0 pricing tier key.
+ >The [Get Minute Forecast API] requires a Gen1 (S1) or Gen2 pricing tier.
This tutorial uses the [Postman] application, but you may choose a different API development environment.
In this example, you use the [Get Severe Weather Alerts API] to retrieve current
The [Get Daily Forecast API] returns detailed daily weather forecast such as temperature and wind. The request can specify how many days to return: 1, 5, 10, 15, 25, or 45 days for a given coordinate location. The response includes details such as temperature, wind, precipitation, air quality, and UV index. In this example, we request for five days by setting `duration=5`. >[!IMPORTANT]
->In the S0 pricing tier, you can request daily forecast for the next 1, 5, 10, and 15 days. In either Gen 1 (S1) or Gen 2 pricing tier, you can request daily forecast for the next 25 days, and 45 days.
+>In the S0 pricing tier, you can request daily forecast for the next 1, 5, 10, and 15 days. In either Gen1 (S1) or Gen2 pricing tier, you can request daily forecast for the next 25 days, and 45 days.
+>
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].
In this example, you use the [Get Daily Forecast API] to retrieve the five-day weather forecast for coordinates located in Seattle, WA.
In this example, you use the [Get Daily Forecast API] to retrieve the five-day w
The [Get Hourly Forecast API] returns detailed weather forecast by the hour for the next 1, 12, 24 (1 day), 72 (3 days), 120 (5 days), and 240 hours (10 days) for the given coordinate location. The API returns details such as temperature, humidity, wind, precipitation, and UV index. >[!IMPORTANT]
->In the S0 pricing tier, you can request hourly forecast for the next 1, 12, 24 hours (1 day), and 72 hours (3 days). In either Gen 1 (S1) or Gen 2 pricing tier, you can request hourly forecast for the next 120 (5 days) and 240 hours (10 days).
+>In the Gen1 (S0) pricing tier, you can request hourly forecast for the next 1, 12, 24 hours (1 day), and 72 hours (3 days). In either Gen1 (S1) or Gen2 pricing tier, you can request hourly forecast for the next 120 (5 days) and 240 hours (10 days).
In this example, you use the [Get Hourly Forecast API] to retrieve the hourly weather forecast for the next 12 hours at coordinates located in Seattle, WA.
In this example, you use the [Get Minute Forecast API] to retrieve the minute-by
[Get Hourly Forecast API]: /rest/api/maps/weather/gethourlyforecast [Get Minute Forecast API]: /rest/api/maps/weather/getminuteforecast [Get Severe Weather Alerts API]: /rest/api/maps/weather/getsevereweatheralerts
+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
[Postman]: https://www.postman.com/ [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [Weather service concepts]: weather-services-concepts.md
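Review bot: `</br>` (the line added after the video embed) is not a valid element; use `<br>` or, better, a blank line, since a stray closing tag before `## Prerequisites` can break heading rendering. The daily-forecast IMPORTANT note still says "In the S0 pricing tier" while the hourly-forecast note in the same commit was changed to "In the Gen1 (S0) pricing tier"; align the two.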
azure-maps How To Secure Sas App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-sas-app.md
The following steps describe how to create and configure an Azure Maps account w
1. Create a template file *azuredeploy.json* to provision the Azure Maps account, role assignment, and SAS token.
+ > [!NOTE]
+ >
+ > **Azure Maps Gen1 Price Tier Retirement**
+ >
+ > Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].
+ ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
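Review bot: the retirement note is inserted between the step text "Create a template file *azuredeploy.json*..." and that step's ` ```json ` fence, so the code block no longer follows its introductory sentence; place the note before the numbered list or after the fenced template. Since the note is added here, also verify that the azuredeploy.json sample that follows already creates the account with the Gen2 values this commit documents elsewhere (`pricingTier` `G2`, `kind` `Gen2`) rather than a Gen1 SKU.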
Find the API usage metrics for your Azure Maps account:
Explore samples that show how to integrate Azure AD with Azure Maps: > [!div class="nextstepaction"] > [Azure Maps samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples)+
+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
azure-maps How To Use Map Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-map-control.md
The Azure Maps Web SDK provides a [Map Control] that enables the customization o
This article uses the Azure Maps Web SDK, however the Azure Maps services work with any map control. For a list of third-party map control plug-ins, see [Azure Maps community - Open-source projects].
-> [!IMPORTANT]
-> If you have existing applications incorporating Azure Maps using version 2 of the [Map Control], it is recomended to start using version 3. Version 3 is backwards compatible and has several benifits including [WebGL 2 Compatibility], increased performance and support for [3D terrain tiles].
+> [!NOTE]
+>
+> **Azure Maps Web SDK Map Control v1 retirement**
+>
+> Version 1 of the Web SDK Map Control is now deprecated and will be retired on 9/19/26. To avoid service disruptions, migrate to version 3 of the Web SDK Map Control by 9/19/26. Version 3 is backwards compatible and has several benifits including [WebGL 2 Compatibility], increased performance and support for [3D terrain tiles]. For more information, see [The Azure Maps Web SDK v1 migration guide].
## Prerequisites
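Review bot: the new NOTE carries over the typo "benifits" from the removed IMPORTANT (which also had "recomended"); fix it to "benefits" while the line is being rewritten. The date `9/19/26` appears twice in one paragraph; say it once, spelled out (`September 19, 2026`). The removed text advised v2 users to move to v3; the replacement only addresses v1 retirement, so if the v2-to-v3 recommendation still holds, keep a sentence for it.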
For a list of samples showing how to integrate Azure AD with Azure Maps, see:
[Map Control]: https://www.npmjs.com/package/azure-maps-control [ng-azure-maps]: https://github.com/arnaudleclerc/ng-azure-maps [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account
+[The Azure Maps Web SDK v1 migration guide]: web-sdk-migration-guide.md
[Vue Azure Maps]: https://github.com/rickyruiz/vue-azure-maps [WebGL 2 Compatibility]: #webgl-2-compatibility [WebGL 2]: https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#webgl_2
azure-maps Migrate From Bing Maps Web Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps-web-services.md
Batch geocoding is the process of taking a large number of addresses or places,
Bing Maps allows up to 200,000 addresses to be passed in a single batch geocode request. This request goes into a queue and usually processes over a period of time, anywhere from a few minutes to a few hours depending on the size of the data set and the load on the service. Each address in the request generated a transaction.
-Azure Maps has a batch geocoding service, however it allows up to 10,000 addresses to be passed in a single request and is processed over seconds to a few minutes depending on the size of the data set and the load on the service. Each address in the request generated a transaction. In Azure Maps, the batch geocoding service is only available the Gen 2 or S1 pricing tier. For more information on pricing tiers, see [Choose the right pricing tier in Azure Maps].
+Azure Maps has a batch geocoding service, however it allows up to 10,000 addresses to be passed in a single request and is processed over seconds to a few minutes depending on the size of the data set and the load on the service. Each address in the request generated a transaction.
-Another option for geocoding a large number addresses with Azure Maps is to make parallel requests to the standard search APIs. These services only accept a single address per request but can be used with the S0 tier that also provides free usage limits. The S0 tier allows up to 50 requests per second to the Azure Maps platform from a single account. So if you process limit these to stay within that limit, it's possible to geocode upwards of 180,000 address an hour. The Gen 2 or S1 pricing tier doesnΓÇÖt have a documented limit on the number of queries per second that can be made from an account, so a lot more data can be processed faster when using that pricing tier, however using the batch geocoding service helps reduce the total amount of data transferred, reducing network traffic.
+Another option for geocoding a large number addresses with Azure Maps is to make parallel requests to the standard search APIs. These services only accept a single address per request but can be used with the S0 tier that also provides free usage limits. The S0 tier allows up to 50 requests per second to the Azure Maps platform from a single account. So if you process limit these to stay within that limit, it's possible to geocode upwards of 180,000 address an hour. The Gen2 or Gen1 (S1) pricing tier doesnΓÇÖt have a documented limit on the number of queries per second that can be made from an account, so a lot more data can be processed faster when using that pricing tier, however using the batch geocoding service helps reduce the total amount of data transferred, reducing network traffic.
+
+> [!NOTE]
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1). If your Azure Maps account has Gen1 selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated.
+For more information on the Gen1 pricing tier retirement, see [Manage the pricing tier of your Azure Maps account].
* [Free-form address geocoding]: Specify a single address string (like `"1 Microsoft way, Redmond, WA"`) and process the request immediately. This service is recommended if you need to geocode individual addresses quickly. * [Structured address geocoding]: Specify the parts of a single address, such as the street name, city, country/region, and postal code and process the request immediately. This service is recommended if you need to geocode individual addresses quickly and the data is already parsed into its individual address parts.
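Review bot: the rewritten paragraph keeps the claim that the Gen2 or Gen1 (S1) tier "doesn't have a documented limit on the number of queries per second", but the QPS rate-limits article updated in this same commit documents per-service limits for those tiers and says they can be raised through a support request; reword to "has higher, adjustable QPS limits" and link `[Azure Maps QPS rate limits]`. The removed sentence stating that batch geocoding is only available on the Gen2/S1 tier is dropped without replacement; if the restriction still applies, it belongs here. Also, `For more information on the Gen1 pricing tier retirement...` follows the `> [!NOTE]` lines without a `>` prefix and without a blank line, so it is a lazy continuation; prefix it with `> ` so the intent is explicit.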
Learn more about the Azure Maps REST services.
[Best practices for Azure Maps Route service]: how-to-use-best-practices-for-routing.md [Best practices for Azure Maps Search service]: how-to-use-best-practices-for-search.md [Calculate route]: /rest/api/maps/route/getroutedirections
-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md
[Cross street reverse geocoder]: /rest/api/maps/search/getsearchaddressreversecrossstreet [free account]: https://azure.microsoft.com/free/ [Free-form address geocoding]: /rest/api/maps/search/getsearchaddress
Learn more about the Azure Maps REST services.
[Geolocation API]: /rest/api/maps/geolocation/get-ip-to-location [Localization support in Azure Maps]: supported-languages.md [manage authentication in Azure Maps]: how-to-manage-authentication.md
+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md
[Map image render]: /rest/api/maps/render/getmapimagerytile [Map imagery tile]: /rest/api/maps/render/getmapimagerytile [Map Tiles]: /rest/api/maps/render/getmaptile
azure-maps Migrate From Bing Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps.md
In this tutorial, you'll learn:
## Prerequisites
-If you don't have an Azure subscription, create a [free account] before you begin.
+If you don't have an Azure subscription, create a [free Azure account] before you begin.
* An [Azure Maps account] * A [subscription key]
Here are some licensing-related resources for Azure Maps:
* [Azure Maps pricing page] * [Azure pricing calculator] * [Azure Maps term of use] (Scroll down to the Azure Maps section)
-* [Choose the right pricing tier in Azure Maps]
## Suggested migration plan
Learn the details of how to migrate your Bing Maps application with these articl
[Azure support options]: https://azure.microsoft.com/support/options/ [azure.com]: https://azure.com [Basic snap to road logic]: https://samples.azuremaps.com/?search=Snap%20to%20road&sample=basic-snap-to-road-logic
-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md
-[free account]: https://azure.microsoft.com/free/
[free Azure account]: https://azure.microsoft.com/free/ [manage authentication in Azure Maps]: how-to-manage-authentication.md [Microsoft Azure terms of use]: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31
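Review bot: deleting `* [Choose the right pricing tier in Azure Maps]` leaves the licensing list with no pricing-tier guidance at all, while the Azure Maps changes in this same batch add `[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md`. Replace the entry with a link to that article instead of dropping it, and add its reference definition next to `[free Azure account]`.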
azure-maps Migrate From Google Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-google-maps.md
Here are some related resources for Azure Maps:
* [Azure Maps pricing page] * [Azure pricing calculator]
-* [Choose the right pricing tier in Azure Maps]
* [Azure Maps term of use] - included in the Microsoft Online Services Terms. ## Suggested migration plan
Learn the details of how to migrate your Google Maps application with these arti
[Azure pricing calculator]: https://azure.microsoft.com/pricing/calculator/?service=azure-maps [Azure subscription]: https://azure.com [Azure support options]: https://azure.microsoft.com/support/options
-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md
[free account]: https://azure.microsoft.com/free/ [Manage authentication in Azure Maps]: how-to-manage-authentication.md [Microsoft learning center shows]: https://aka.ms/AzureMapsVideos
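Review bot: the removed `* [Choose the right pricing tier in Azure Maps]` entry should be replaced by a link to the new "Manage the pricing tier of your Azure Maps account" article (`how-to-manage-pricing-tier.md`, added elsewhere in this batch) rather than removed outright, with its reference definition added beside `[free account]`; otherwise readers migrating from Google Maps get no pointer to how tiers and billing work.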
azure-maps Set Android Map Styles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/set-android-map-styles.md
This article shows you two ways to set map styles using the Azure Maps Android S
Be sure to complete the steps in the Quickstart: [Create an Android app].
->[!IMPORTANT]
->The procedure in this section requires an Azure Maps account in Gen 1 or Gen 2 pricing tier. For more information on pricing tiers, see [Choose the right pricing tier in Azure Maps].
- ## Set map style in the layout You can set a map style in the layout file for your activity class when adding the map control. The following code sets the center location, zoom level, and map style.
See the following articles for more code samples to add to your maps:
[Add a bubble layer]: map-add-bubble-layer-android.md [Add a symbol layer]: how-to-add-symbol-to-android-map.md
-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md
[Create an Android app]: quick-android-map.md [supported map styles in Azure Maps]: supported-map-styles.md
azure-maps Supported Map Styles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/supported-map-styles.md
Azure Maps supports several different built-in map styles as described in this article.
->[!important]
->The procedure in this section requires an Azure Maps account in Gen 1 or Gen 2 pricing tier. For more information on pricing tiers, see [Choose the right pricing tier in Azure Maps].
- ## road A **road** map is a standard map that displays roads. It also displays natural and artificial features, and the labels for those features.
Learn about how to set a map style in Azure Maps:
> [!div class="nextstepaction"] > [Choose a map style]
-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md
[Map image]: /rest/api/maps/render/getmapimage [Map tile]: /rest/api/maps/render/getmaptile [Satellite tile]: /rest/api/maps/render/getmapimagerytilepreview
-[Choose a map style]: choose-map-style.md
+[Choose a map style]: choose-map-style.md
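Review bot: the last hunk removes and re-adds `[Choose a map style]: choose-map-style.md` with no visible difference, so it is a whitespace or line-ending change; either drop it from the commit or mark it as intentional so it is not mistaken for an accidental CRLF flip on the last line of the file.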
azure-maps Understanding Azure Maps Transactions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/understanding-azure-maps-transactions.md
When you useΓÇ»[Azure Maps Services], the API requests you make generate transactions. Your transaction usage is available for review in yourΓÇ»[Azure portal] Metrics report. For more information, see [View Azure Maps API usage metrics]. These transactions can be either billable or nonbillable usage, depending on the service and the feature. ItΓÇÖs important to understand which usage generates a billable transaction and how itΓÇÖs calculated so you can plan and budget for the costs associated with using Azure Maps. Billable transactions show up in your Cost Analysis report within the Azure portal.
-The following table summarizes the Azure Maps services that generate transactions, billable and nonbillable, along with any notable aspects that are helpful to understand in how the number of transactions are calculated.
+> [!NOTE]
+>
+> **Azure Maps Gen1 price tier retirement**
+>
+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].
## Azure Maps Transaction information by service
+The following table summarizes the Azure Maps services that generate transactions, billable and nonbillable, along with any notable aspects that are helpful to understand in how the number of transactions are calculated.
+ | Azure Maps Service | Billable | Transaction Calculation | Meter | |--|-|-|-| | [Data v1]<br>[Data v2]<br>[Data registry] | Yes, except for `MapDataStorageService.GetDataStatus` and `MapDataStorageService.GetUserData`, which are nonbillable| One request = 1 transaction| <ul><li>Location Insights Data (Gen2 pricing)</li></ul>|
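Review bot: in the added note, "Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier" drops the articles and repeats "pricing tier"; "The Gen2 pricing tier replaces the Gen1 pricing tier (both S0 and S1)" reads cleaner, and "9/15/26" should be spelled out as "September 15, 2026". Moving "The following table summarizes..." under the "## Azure Maps Transaction information by service" heading is right, since that sentence introduces the table that follows it.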
azure-monitor Azure Monitor Agent Transformation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-transformation.md
To complete this procedure, you need:
For information about the KQL operators that transformations support, see [Structure of transformation in Azure Monitor](../essentials/data-collection-transformations-structure.md#kql-limitations). > [!Note]
- > The only columns that are available to apply transfroms against are TimeGenerated and RawData. Other columns are added to the table automatically after the transformation and are not availiable at the time of transformation.
- > The _ResourceId column can't be used in the trasnformation.
+ > The only columns that are available to apply transforms against are TimeGenerated and RawData. Other columns are added to the table automatically after the transformation and are not available at the time of transformation.
+ > The _ResourceId column can't be used in the transformation.
**Example**
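Review bot: while fixing "transfroms", "availiable" and "trasnformation", put the column names in code font (`TimeGenerated`, `RawData`, `_ResourceId`), as column names are elsewhere in the Azure Monitor docs; a bare `_ResourceId` in running text reads like another typo.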
azure-monitor Alerts Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-plan.md
Title: 'Azure Monitor best practices: Alerts and automated actions'
+ Title: 'Plan your Alerts and automated actions'
description: Recommendations for deployment of Azure Monitor alerts and automated actions.
-# Deploy Azure Monitor: Alerts and automated actions
+# Plan your alerts and automated actions
This article provides guidance on alerts in Azure Monitor. Alerts proactively notify you of important data or patterns identified in your monitoring data. You can view alerts in the Azure portal. You can create alerts that:
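Review bot: the new metadata title 'Plan your Alerts and automated actions' capitalizes "Alerts" while the new H1 "# Plan your alerts and automated actions" uses sentence case; make the two match (sentence case, following the H1).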
azure-monitor Itsm Connector Secure Webhook Connections Azure Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsm-connector-secure-webhook-connections-azure-configuration.md
To register the application with Azure Active Directory (Azure AD):
1. Follow the steps in [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). 1. In Azure AD, select **Expose application**.
-1. Select **Set** for **Application ID URI**.
+1. Select **Add** for **Application ID URI**.
[![Screenshot that shows the option for setting the U R I of the application I D.](media/itsm-connector-secure-webhook-connections-azure-configuration/azure-ad.png)](media/itsm-connector-secure-webhook-connections-azure-configuration/azure-ad-expand.png#lightbox) 1. Select **Save**.
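Review bot: changing **Set** to **Add** for **Application ID URI** leaves the screenshot alt text "option for setting the U R I of the application I D" describing the old control; update the alt text and confirm that `azure-ad.png` actually shows the **Add** link, so text and image agree for readers who rely on either one.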
azure-monitor Opentelemetry Add Modify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md
Dependencies
- [Redis-4](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-redis-4) - [Azure SDK](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/instrumentation/opentelemetry-instrumentation-azure-sdk)
+Auto instrumentation of Logs are currently only supported when using `applicationinsights` v3 Beta package. (https://www.npmjs.com/package/applicationinsights/v/beta)
Logs - [Node.js console](https://nodejs.org/api/console.html) - [Bunyan](https://github.com/trentm/node-bunyan#readme)
Other OpenTelemetry Instrumentations are available [here](https://github.com/ope
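Review bot: "Auto instrumentation of Logs are currently only supported" needs a singular verb ("is"), and the bare URL in parentheses should be a Markdown link, for example "[`applicationinsights` v3 beta package](https://www.npmjs.com/package/applicationinsights/v/beta)", matching how the other package links in this list are written.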
```javascript const { useAzureMonitor } = require("@azure/monitor-opentelemetry");
- const { metrics, trace } = require("@opentelemetry/api");
+ const { metrics, trace, ProxyTracerProvider } = require("@opentelemetry/api");
const { registerInstrumentations } = require( "@opentelemetry/instrumentation"); const { ExpressInstrumentation } = require('@opentelemetry/instrumentation-express'); useAzureMonitor();
- const tracerProvider = trace.getTracerProvider().getDelegate();
+ const tracerProvider = (trace.getTracerProvider() as ProxyTracerProvider).getDelegate();
const meterProvider = metrics.getMeterProvider(); registerInstrumentations({ instrumentations: [
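Review bot: this block is fenced as ```javascript, but the added line `const tracerProvider = (trace.getTracerProvider() as ProxyTracerProvider).getDelegate();` uses a TypeScript type assertion, which is a syntax error in plain JavaScript. Either retag the fence as typescript (and import `ProxyTracerProvider` with `import`, since a name destructured from `require()` is a value, not a type) or keep the JavaScript form `trace.getTracerProvider().getDelegate()`; the cast only exists for the type checker.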
Adding one or more span attributes populates the `customDimensions` field in the
```typescript const { useAzureMonitor } = require("@azure/monitor-opentelemetry");
- const { trace } = require("@opentelemetry/api");
+ const { trace, ProxyTracerProvider } = require("@opentelemetry/api");
const { ReadableSpan, Span, SpanProcessor } = require("@opentelemetry/sdk-trace-base");
+ const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");
const { SemanticAttributes } = require("@opentelemetry/semantic-conventions"); useAzureMonitor();
- const tracerProvider = trace.getTracerProvider().getDelegate();
+ const tracerProvider = ((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider);
class SpanEnrichingProcessor implements SpanProcessor{ forceFlush(): Promise<void>{
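Review bot: in this TypeScript block, `ProxyTracerProvider` and `NodeTracerProvider` are destructured from `require()`, which declares them as values of type `any`; TypeScript rejects a `const` binding in a type position, so `as ProxyTracerProvider` and `as NodeTracerProvider` fail with "refers to a value, but is being used as a type". Import them instead, `import { trace, ProxyTracerProvider } from "@opentelemetry/api";` and `import { NodeTracerProvider } from "@opentelemetry/sdk-trace-node";`, the way the logs snippet below already does for `Logger`.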
Logback, Log4j, and java.util.logging are [autoinstrumented](#logs). Attaching c
* [Log4j 1.2 MDC](https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/MDC.html) #### [Node.js](#tab/nodejs)
-
-Attributes could be added only when calling manual track APIs only. Log attributes for console, bunyan and Winston are currently not supported.
```typescript const { useAzureMonitor } = require("@azure/monitor-opentelemetry"); const { logs } = require("@opentelemetry/api-logs");
+ import { Logger } from "@opentelemetry/sdk-logs";
useAzureMonitor();
- const logger = logs.getLogger("testLogger");
+ const logger = (logs.getLogger("testLogger") as Logger);
const logRecord = {
- body : "testEvent",
- attributes: {
+ body: "testEvent",
+ attributes: {
"testAttribute1": "testValue1", "testAttribute2": "testValue2", "testAttribute3": "testValue3" } };
- logger.emit({
- name: "testEvent",
- properties: attributes
- });
+ logger.emit(logRecord);
``` #### [Python](#tab/python)
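Review bot: this snippet now mixes `require()` for `useAzureMonitor` and `logs` with `import { Logger } from "@opentelemetry/sdk-logs"`; use one module syntax throughout (`import`, since the cast needs a type binding). Separately, the hunk deletes "Attributes could be added only when calling manual track APIs only. Log attributes for console, bunyan and Winston are currently not supported." without replacing it: if the limitation still holds, keep the sentence (with the duplicated "only" removed); if it no longer holds, say so, because readers will otherwise assume console and Winston attributes now flow through.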
See [sampling overrides](java-standalone-config.md#sampling-overrides-preview) a
```typescript const { useAzureMonitor, ApplicationInsightsOptions } = require("@azure/monitor-opentelemetry");
+ const { HttpInstrumentationConfig }= require("@opentelemetry/instrumentation-http");
const { IncomingMessage } = require("http"); const { RequestOptions } = require("https");
- const { HttpInstrumentationConfig }= require("@opentelemetry/instrumentation-http");
const httpInstrumentationConfig: HttpInstrumentationConfig = { enabled: true,
azure-monitor Opentelemetry Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md
For more information about Java, see the [Java supplemental documentation](java-
#### [Node.js](#tab/nodejs)
-1. Install the [OpenTelemetry Collector Trace Exporter](https://www.npmjs.com/package/@opentelemetry/exporter-trace-otlp-http) package in your project.
+1. Install the [OpenTelemetry Collector Trace Exporter](https://www.npmjs.com/package/@opentelemetry/exporter-trace-otlp-http) and other OpenTelemetry packages in your project.
```sh
+ npm install @opentelemetry/api
npm install @opentelemetry/exporter-trace-otlp-http
+ npm install @opentelemetry/@opentelemetry/sdk-trace-base
+ npm install @opentelemetry/sdk-trace-node
``` 2. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-js/tree/main/examples/otlp-exporter-node). ```typescript const { useAzureMonitor, AzureMonitorOpenTelemetryOptions } = require("@azure/monitor-opentelemetry");
- const { trace } = require("@opentelemetry/api");
+ const { trace, ProxyTracerProvider } = require("@opentelemetry/api");
const { BatchSpanProcessor } = require('@opentelemetry/sdk-trace-base');
+ const { NodeTracerProvider } = require('@opentelemetry/sdk-trace-node');
const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http'); useAzureMonitor(); const otlpExporter = new OTLPTraceExporter();
- const tracerProvider = trace.getTracerProvider().getDelegate();
+ const tracerProvider = ((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider);
tracerProvider.addSpanProcessor(new BatchSpanProcessor(otlpExporter)); ```
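Review bot: `npm install @opentelemetry/@opentelemetry/sdk-trace-base` has the scope duplicated; that is not a valid package name and the install fails. It should be `npm install @opentelemetry/sdk-trace-base`. The new line `((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider)` also has the value-used-as-a-type problem: both names are destructured from `require()`, so in a TypeScript block they must come from `import { ... } from` for the casts to type-check.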
azure-monitor Sampling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling.md
In Metrics Explorer, rates such as request and exception counts are multiplied b
``` 1. **Enable the fixed-rate sampling module.** Add this snippet to [`ApplicationInsights.config`](./configuration-with-applicationinsights-config.md):+
+ In this example, SamplingPercentage is 20, so **20%** of all items will be sampled. Values in Metrics Explorer will be multiplied by (100/20) = **5** to compensate.
```xml <TelemetryProcessors> <Add Type="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel.SamplingTelemetryProcessor, Microsoft.AI.ServerTelemetryChannel"> <!-- Set a percentage close to 100/N where N is an integer. --> <!-- E.g. 50 (=100/2), 33.33 (=100/3), 25 (=100/4), 20, 1 (=100/100), 0.1 (=100/1000) -->
- <SamplingPercentage>10</SamplingPercentage>
+ <SamplingPercentage>20</SamplingPercentage>
</Add> </TelemetryProcessors> ```
azure-monitor Azure Monitor Data Explorer Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/azure-monitor-data-explorer-proxy.md
To create a new alert rule based on a cross-service query, follow the steps in [
* Database names are case sensitive. * Identifying the Timestamp column in the cluster isn't supported. The Log Analytics Query API won't pass along the time filter. * The cross-service query ability is used for data retrieval only.
-* [Private Link](../logs/private-link-security.md) does not support cross-service queries.
+* [Private Link](../logs/private-link-security.md) (private endpoints) and [IP restrictions](/azure/data-explorer/security-network-restrict-public-access) are not support cross-service queries.
* mv-expand is limited to 2000 records. * the following operators do not work with the cross query with ability with Azure Resource Graph:
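Review bot: "are not support cross-service queries" is ungrammatical, and the fix matters because the two plausible readings differ: "don't support cross-service queries" means a workspace or cluster behind a private endpoint or IP restrictions can't run them, while "aren't enforced for cross-service queries" would mean the network restriction is bypassed. State the intended meaning plainly; the previous wording, "does not support cross-service queries", points to the first.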
azure-resource-manager Bicep Functions Parameters File https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions-parameters-file.md
Title: Bicep functions - parameters file
-description: Describes the functions used in the Bicep parameters files.
+description: This article describes the Bicep functions to be used in Bicep parameter files.
Last updated 06/05/2023
Last updated 06/05/2023
Bicep provides a function called `readEnvironmentVariable()` that allows you to retrieve values from environment variables. It also offers the flexibility to set a default value if the environment variable does not exist. This function can only be used in the `.bicepparam` files. For more information, see [Bicep parameters file](./parameter-files.md).
+## getSecret
+
+`getSecret(subscriptionId, resourceGroupName, keyVaultName, secretName, secretVersion)`
+
+Returns a secret from an [Azure Key Vault](../../key-vault/secrets/about-secrets.md). Use this function to pass a secret to a secure string parameter of a Bicep file.
+
+> [!NOTE]
+> You can also use the [keyVaultName.getSecret(secretName)](./bicep-functions-resource.md#getsecret) function from within a `.bicep` file.
+
+```bicep
+using './main.bicep'
+
+param secureUserName = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretUserName')
+param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')
+```
+
+You'll get an error if you use this function with string interpolation.
+
+A [namespace qualifier](bicep-functions.md#namespaces-for-functions) (`az`) can be used, but it's optional, because the function is available from the _default_ Azure Namespace.
+
+### Parameters
+
+| Parameter | Required | Type | Description |
+|: |: |: |: |
+| subscriptionId | Yes | string | The ID of the subscription that has the key vault resource. |
+| resourceGroupName | Yes | string | The name of the resource group that has the key vault resource. |
+| keyVaultName | Yes | string | The name of the key vault. |
+| secretName | Yes | string | The name of the secret stored in the key vault. |
+| secretVersion | No | string | The version of the secret stored in the key vault. |
+
+### Return value
+
+The value for the secret.
+
+### Example
+
+The following `.bicepparam` file has a `securePassword` parameter that will have the latest value of the _\<secretName\>_ secret.
+
+```bicep
+using './main.bicep'
+
+param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')
+```
+
+The following `.bicepparam` file has a `securePassword` parameter that will have the value of the _\<secretName\>_ secret, but it's pinned to a specific _\<secretValue\>_.
+
+```bicep
+using './main.bicep'
+
+param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword', 'exampleSecretVersion')
+```
+ ## readEnvironmentVariable() `readEnvironmentVariable(variableName, [defaultValue])`
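Review bot: the second example's lead-in says the value is "pinned to a specific _\<secretValue\>_", but the fifth argument `'exampleSecretVersion'` is the secret version, not a value; write _\<secretVersion\>_ (and neither lead-in's _\<secretName\>_ matches the `exampleSecretPassword` the examples actually use). The separator row `|: |: |: |: |` has no dashes, so the Parameters table won't render; use `| --- | --- | --- | --- |` as the other tables in this batch do. Since the whole point of the function is to keep the secret out of plain text, state that the parameter it feeds in `main.bicep` must be declared with `@secure()`, as the module form already requires ("The function can be used only with a module parameter that has the `@secure()` decorator"), so the value isn't recorded as an ordinary string parameter in the deployment history. Finally, the block directly under the signature duplicates the two examples in "### Example"; one copy is enough.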
azure-resource-manager Bicep Functions Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions-resource.md
Built-in policy definitions are tenant level resources. For an example of deploy
Returns a secret from an Azure Key Vault. Use this function to pass a secret to a secure string parameter of a Bicep module.
+> [!NOTE]
+> `az.getSecret(subscriptionId, resourceGroupName, keyVaultName, secretName, secretVersion)` function can be used in `.bicepparam` files to retrieve key vault secrets. For more information, see [getSecret](./bicep-functions-parameters-file.md#getsecret).
+ You can only use the `getSecret` function from within the `params` section of a module. You can only use it with a `Microsoft.KeyVault/vaults` resource. ```bicep
module sql './sql.bicep' = {
} ```
-You'll get an error if you attempt to use this function in any other part of the Bicep file. You'll also get an error if you use this function with string interpolation, even when used in the params section.
+You get an error if you attempt to use this function in any other part of the Bicep file. You also get an error if you use this function with string interpolation, even when used in the params section.
The function can be used only with a module parameter that has the `@secure()` decorator.
The secret value for the secret name.
### Example
-The following Bicep file is used as a module. It has an `adminPassword` parameter defined with the `@secure()` decorator.
+The following Bicep file is used as a module. It has an `adminPassword` parameter defined with the `@secure()` decorator.
```bicep param sqlServerName string
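Review bot: the note's "`az.getSecret(subscriptionId, ...)` function can be used" is missing its article ("The `az.getSecret(...)` function"). The `-`/`+` pair on "The following Bicep file is used as a module..." shows no visible difference, so it is a whitespace-only change; drop it or note it as intentional.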
azure-resource-manager Bicep Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions.md
The following functions are available for working with objects. All of these fun
## Parameters file functions
+The [getSecret function](./bicep-functions-parameters-file.md) is available in Bicep to get secure value from a KeyVault. This function is in the `az` namespace.
+ The [readEnvironmentVariable function](./bicep-functions-parameters-file.md) is available in Bicep to read environment variable values. This function is in the `sys` namespace. ## Resource functions
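Review bot: the new link `[getSecret function](./bicep-functions-parameters-file.md)` should target the section anchor, `./bicep-functions-parameters-file.md#getsecret`, as the sibling change in bicep-functions-resource.md does; and "to get secure value from a KeyVault" needs "a secure value" and the product name "key vault" (the docs write "Azure Key Vault" for the service and "key vault" for an instance).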
azure-resource-manager Key Vault Parameter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/key-vault-parameter.md
module sql './sql.bicep' = {
} ```
+Also, `getSecret` function (or with the namespace qualifier `az.getSecret`) can be used in a `.bicepparam` file to retrieve the value of a secret from a key vault.
+
+```bicep
+using './main.bicep'
+
+param secureUserName = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretUserName', 'exampleSecretVersion')
+param securePassword = az.getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')
+```
+ ## Reference secrets in parameters file If you don't want to use a module, you can reference the key vault directly in the parameters file. The following image shows how the parameters file references the secret and passes that value to the Bicep file.
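Review bot: "Also, `getSecret` function (or with the namespace qualifier `az.getSecret`) can be used" needs an article and a lighter parenthetical: "The `getSecret` function (optionally qualified as `az.getSecret`) can also be used". The example itself is a good one, since it shows the version-pinned and latest-version forms side by side; say so in the lead-in so readers notice the difference between the two `param` lines.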
azure-resource-manager Parameter Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/parameter-files.md
Title: Create parameters files for Bicep deployment
description: Create parameters file for passing in values during deployment of a Bicep file Previously updated : 06/26/2023 Last updated : 09/12/2023 # Create parameters files for Bicep deployment
using './main.bicep'
param intFromEnvironmentVariables = int(readEnvironmentVariable('intEnvVariableName')) ```
+You can define and use variables. Bicep CLI version 0.21.1 or newer is required for using variables in .bicepparam file. Here are some examples:
+
+```bicep
+using './main.bicep'
+
+var storagePrefix = 'myStorage'
+param primaryStorageName = '${storagePrefix}Primary'
+param secondaryStorageName = '${storagePrefix}Secondary'
+```
+
+```bicep
+using './main.bicep'
+
+var testSettings = {
+ instanceSize: 'Small'
+ instanceCount: 1
+}
+
+var prodSettings = {
+ instanceSize: 'Large'
+ instanceCount: 4
+}
+
+param environmentSettings = {
+ test: testSettings
+ prod: prodSettings
+}
+```
+ # [JSON parameters file](#tab/JSON) ```json
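Review bot: "is required for using variables in .bicepparam file" should read "in a `.bicepparam` file", with the extension in code font as in the rest of the article. Consider also stating what older CLI versions do when they meet a `var` in a parameters file (a parse error, presumably), so readers can recognize the failure rather than only the version number.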
azure-resource-manager Scenarios Secrets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/scenarios-secrets.md
module exampleModule 'module.bicep' = {
} ```
+### Use a key vault in a .bicepparam file
+
+When you use `.bicepparam` file format, you can provide secure values to parameters by using [the `getSecret` function](bicep-functions-parameters-file.md#getsecret).
+
+Reference the KeyVault by providing the subscription ID, resource group name, and key vault name. You can get the value of the secret by providing the secret name. You can optionally provide the secret version. If you don't provide the secret version, the latest version is used.
+
+```bicep
+using './main.bicep'
+
+param secureUserName = az.getSecret('<subscriptionId>', '<resourceGroupName>', '<keyVaultName>', '<secretName>', '<secretVersion>')
+param securePassword = az.getSecret('<subscriptionId>', '<resourceGroupName>', '<keyVaultName>', '<secretName>')
+```
+ ## Work with secrets in pipelines When you deploy your Azure resources by using a pipeline, you need to take care to handle your secrets appropriately.
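Review bot: both `param` lines use the same `'<secretName>'` placeholder for two different secrets (a user name and a password), which invites copy-paste of one secret into both parameters; use distinct placeholders such as `'<userNameSecretName>'` and `'<passwordSecretName>'`. Also "Reference the KeyVault" should be "Reference the key vault", consistent with the section heading.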
azure-resource-manager User Defined Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/user-defined-functions.md
Title: User-defined functions in Bicep
description: Describes how to define and use user-defined functions in Bicep. Previously updated : 08/30/2023 Last updated : 09/13/2023 # User-defined functions in Bicep (Preview)
output addNameArray array = addNameArray('John')
The outputs from the preceding examples are: - | Name | Type | Value | | - | - | -- | | azureUrl | String | https://microsoft.com/azure |
The outputs from the preceding examples are:
| nameArray | Array | ["John"] | | addNameArray | Array | ["Mary","Bob","John"] |
+User-defined functions support using [user-defined data types](./user-defined-data-types.md). For example:
+
+```bicep
+@minValue(0)
+type positiveInt = int
+
+func typedArg(input string[]) positiveInt => length(input)
+
+param inArray array = [
+ 'Bicep'
+ 'ARM'
+ 'Terraform'
+]
+
+output elements positiveInt = typedArg(inArray)
+```
+
+The output from the preceding example is:
+
+| Name | Type | Value |
+| - | - | -- |
+| elements | positiveInt | 3 |
+ ## Limitations When defining a user function, there are some restrictions:
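Review bot: `@minValue(0)` on `type positiveInt = int` admits 0, which is not positive; either use `@minValue(1)` or name the type `nonNegativeInt`. As written the name promises a stricter constraint than the type enforces, and `length(input)` on an empty array returns 0, which this type accepts.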
azure-web-pubsub Socket Io Howto Integrate Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/socket-io-howto-integrate-web-app.md
Now head over to your browser and visit your deployed Web App. The url usually i
## Next steps > [!div class="nextstepaction"]
-> [Check out more Socket.IO samples](https://github.com/Azure/azure-webpubsub/tree/main/experimental/sdk/webpubsub-socketio-extension/examples)
+> [Check out more Socket.IO samples](https://aka.ms/awps/sio/sample)
azure-web-pubsub Socketio Build Realtime Code Streaming App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/socketio-build-realtime-code-streaming-app.md
As mentioned [earlier](#the-finished-app), you have two user roles on the client
### Locate the repo
-The preceding sections covered the core logic related to synchronizing the editor state between viewers and the writer. You can find the complete code in the [examples repository](https://github.com/Azure/azure-webpubsub/tree/main/experimental/sdk/webpubsub-socketio-extension/examples/codestream).
+The preceding sections covered the core logic related to synchronizing the editor state between viewers and the writer. You can find the complete code in the [examples repository](https://aka.ms/awps/sio/sample/codestream).
### Clone the repo
azure-web-pubsub Socketio Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/socketio-quickstart.md
This quickstart demonstrates how to create a Web PubSub for Socket.IO resource and quickly incorporate it in your Socket.IO app to simplify development, speed up deployment, and achieve scalability without complexity.
-Code shown in this quickstart is in CommonJS. If you want to use an ECMAScript module, see the [chat demo for Socket.IO with Azure Web PubSub](https://github.com/Azure/azure-webpubsub/tree/main/experimental/sdk/webpubsub-socketio-extension/examples/chat).
+Code shown in this quickstart is in CommonJS. If you want to use an ECMAScript module, see the [chat demo for Socket.IO with Azure Web PubSub](https://aka.ms/awps/sio/sample/quickstart-esm).
## Prerequisites
backup Backup Azure Vms Enhanced Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-enhanced-policy.md
Title: Back up Azure VMs with Enhanced policy description: Learn how to configure Enhanced policy to back up VMs. Previously updated : 05/15/2023 Last updated : 09/14/2023
Follow these steps:
Note that Hourly backup frequency is in preview. - **Instant Restore**: You can set the retention of recovery snapshot from _1_ to _30_ days. The default value is set to _7_.
- - **Retention range**: Options for retention range are auto-selected based on backup frequency you choose. The default retention for daily, weekly, monthly, and yearly backup points are set to 180 days, 12 weeks, 60 months, and 10 years respectively. You can customize these values as required.
+ - **Retention range**: Options for retention range are autoselected based on backup frequency you choose. The default retention for daily, weekly, monthly, and yearly backup points are set to 180 days, 12 weeks, 60 months, and 10 years respectively. You can customize these values as required.
:::image type="content" source="./media/backup-azure-vms-enhanced-policy/enhanced-backup-policy-settings.png" alt-text="Screenshot showing to configure the enhanced backup policy.":::
$SchPol.ScheduleRunTimezone = "PST"
```
-This sample cmdlet, contains the following parameters:
+This sample cmdlet contains the following parameters:
- `$ScheduleInterval`: Defines the difference (in hours) between two successive backups per day. Currently, the acceptable values are *4*, *6*, *8* and *12*. -- `$ScheduleWindowStartTime`: The time at which the first backup job is triggered, in case of *hourly backups*. The current limits (in policy's timezone) are:
+- `$ScheduleWindowStartTime`: The time at which the first backup job is triggered in case of *hourly backups*. The current limits (in policy's timezone) are:
- `Minimum: 00:00` - `Maximum:19:30`
Trusted Launch VMs can only be backed up using Enhanced policies.
>- Enhanced policy is only available to unprotected VMs that are new to Azure Backup. Note that Azure VMs that are protected with existing policy can't be moved to Enhanced policy. >- Back up an Azure VM with disks that has public network access disabled is not supported.
-## Enable selective disk backup and restore (preview)
+## Enable selective disk backup and restore
-You can exclude non-critical disks from backup by using selective disk backup to save costs. Using this capability, you can selectively back up a subset of the data disks that are attached to your VM, and then restore a subset of the disks that are available in a recovery point, both from instant restore and vault tier. [Learn more](selective-disk-backup-restore.md).
+You can exclude noncritical disks from backup by using selective disk backup to save costs. Using this capability, you can selectively back up a subset of the data disks that are attached to your VM, and then restore a subset of the disks that are available in a recovery point, both from instant restore and vault tier. [Learn more](selective-disk-backup-restore.md).
## Next steps
backup Selective Disk Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/selective-disk-backup-restore.md
Title: Selective disk backup and restore for Azure virtual machines description: In this article, learn about selective disk backup and restore using the Azure virtual machine backup solution. Previously updated : 04/05/2023 Last updated : 05/14/2023
Azure Backup supports backing up all the disks (operating system and data) in a VM together using the virtual machine backup solution. Now, using the selective disks backup and restore functionality, you can back up a subset of the data disks in a VM.
-This is supported both for Enhanced Policy (preview) as well as Standard Policy. This provides an efficient and cost-effective solution for your backup and restore needs. Each recovery point contains only the disks that are included in the backup operation. This further allows you to have a subset of disks restored from the given recovery point during the restore operation. This applies to both restore from snapshots and the vault.
+This is supported both for Enhanced Policy as well as Standard Policy. This provides an efficient and cost-effective solution for your backup and restore needs. Each recovery point contains only the disks that are included in the backup operation. This further allows you to have a subset of disks restored from the given recovery point during the restore operation. This applies to both restore from snapshots and the vault.
>[!Important] > [Enhanced policy](backup-azure-vms-enhanced-policy.md) now supports protecting Ultra SSD (preview). To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/1GLRnNCntU). >[!Note] >- This is supported for both backup policies - [Enhanced policy](backup-azure-vms-enhanced-policy.md) and [Standard policy](backup-during-vm-creation.md#create-a-vm-with-backup-configured).
->- The *Selective disk backup and restore in Enhanced policy (preview)* is available in public Azure regions only.
+>- The *Selective disk backup and restore in Enhanced policy* is available in all Azure regions including Public, Government, and Air-Gapped regions.
+>- If you use selective disk backup with *Enhanced policy* on a Linux VM, ensure that *lsblk* and *lssci* are available in your distribution so that the disks are [excluded](selective-disk-backup-restore.md#enhanced-policy).
## Scenarios
This solution is useful particularly in the following scenarios:
1. If you have critical data to be backed up in only one disk, or a subset of the disks and donΓÇÖt want to back up the rest of the disks attached to a VM to minimize the backup storage costs. 2. If you've other backup solutions for part of your VM or data. For example, if you back up your databases or data using a different workload backup solution and you want to use Azure VM level backup for the rest of the data or disks to build an efficient and robust system using the best capabilities available.- 3. If you're using [Enhanced policy](backup-azure-vms-enhanced-policy.md), you can use this solution to exclude unsupported disks (Shared Disks) and configure a VM for backup. Using PowerShell, Azure CLI, or Azure portal, you can configure selective disk backup of the Azure VM. Using a script, you can include or exclude data disks using their *LUN numbers*. The ability to configure selective disks backup via the Azure portal is limited to the *Backup OS Disk* only for the Standard policy, but can be configured for all data disks for Enhanced policy.
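Review bot: the new note at L3572 misspells the tool as *lssci*; the Linux limitations row later in this same file and its `sudo apt install lsscsi` command both use *lsscsi*, so the note should read "ensure that *lsblk* and *lsscsi* are available". Listing them in the same order as that row (*lsscsi* and *lsblk*) would also help readers match the two passages.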
When you enable backup using Azure portal, you can choose the **Backup OS Disk o
![Configure backup for the OS disk only](./media/selective-disk-backup-restore/configure-backup-operating-system-disk.png)
-## Configure Selective Disk Backup in the Azure Portal (Enhanced Policy)
+## Configure Selective Disk Backup in the Azure portal (Enhanced Policy)
When you enable the backup operation using the Azure portal, you can choose the data disks that you want to include in the backup (the OS disk is always included). You can also choose to include disks that are added in the future for backup automatically by enabling the ΓÇ£Include future disksΓÇ¥ option.
+>[!NOTE]
+>Currently, you can only configure a set of disks in a portal when the VM is protected for the first time. You need to use the [CLI](selective-disk-backup-restore.md#modify-protection-for-already-backed-up-vms-with-azure-cli) or [PowerShell](selective-disk-backup-restore.md#modify-protection-for-already-backed-up-vms-with-powershell) commands to edit the set of disks backed up after protection or during a *resume protection* operation.
## Using Azure REST API
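Review bot: "in a portal" at L3582 should be "in the Azure portal" to match the heading at L3579 and the rest of the page, and "when the VM is protected for the first time" would be clearer as "when you first configure backup for the VM".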
If you're using Enhanced policy, **Protected Instance (PI)** cost, snapshot cost
| OS type | Limitation | | | | | Windows | - **Spanned volumes**: For spanned volumes (volumes spread across more than one physical disk), ensure that all disks are included in the backup. If not, Azure Backup might not be able to reliably restore the data and exclude it in billing. <br><br> - **Storage pool**: If you're using disks carved out of a storage pool and if a *LUN number* included for backup is common across virtual disks and data disks, the size of the virtual disk is also included in the backup size in addition to the data disks. |
-| Linux | - **Logical volumes**: For logical volumes spread across more than one disk, ensure that all disks are included in the backup. If not, Azure Backup might not be able to reliably restore the data and exclude it in billing. <br><br> - **Distro support**: Azure Backup uses *lsscsi* and *lsblk* to determine the disks being excluded for backup. If your distro (Debian 8.11, 10.13, and so on) doesn't support *lsscsi*, install it using `sudo apt install lsscsi` to ensure Selective disk backup works. |
+| Linux | - **Logical volumes**: For logical volumes spread across more than one disk, ensure that all disks are included in the backup. If not, Azure Backup might not be able to reliably restore the data and exclude it in billing. <br><br> - **Distro support**: Azure Backup uses *lsscsi* and *lsblk* to determine the disks being excluded for backup and to estimate the size of the data backed up for the [Protected Instance fee](selective-disk-backup-restore.md#how-is-protected-instance-pi-cost-calculated-for-only-os-disk-backup-in-windows-and-linux) calculation. If your distro (Debian 8.11, 10.13, and so on) doesn't support *lsscsi*, install it using `sudo apt install lsscsi` to ensure Selective disk backup works. If not, the Protected Instance fee will be calculated based on the backup data transferred instead of using *lsscsi* and *lsblk*. |
If you've chosen the Cross Region Restore (CRR) feature, then the [CRR pricing](https://azure.microsoft.com/pricing/details/backup/) applies on the backup storage cost after excluding the disk.
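Review bot: "If not," near the end of L3587 is ambiguous after "install it ... to ensure Selective disk backup works": it reads as "if selective disk backup doesn't work" rather than "if *lsscsi* isn't installed". Suggest "If *lsscsi* isn't available, the Protected Instance fee is calculated from the backup data transferred instead." Also "exclude it in billing" in the Logical volumes bullet should be "exclude it from billing".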
backup Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/whats-new.md
Title: What's new in Azure Backup description: Learn about new features in Azure Backup. Previously updated : 08/30/2023 Last updated : 09/14/2023
You can learn more about the new releases by bookmarking this page or by [subscr
## Updates summary
+- September 2023
+ - [Support for selective disk backup with enhanced policy for Azure VM is now generally available](whats-new.md#support-for-selective-disk-backup-with-enhanced-policy-for-azure-vm-is-now-generally-available)
- August 2023 - [Save your MARS backup passphrase securely to Azure Key Vault (preview)](#save-your-mars-backup-passphrase-securely-to-azure-key-vault-preview) - [Cross Region Restore for MARS Agent (preview)](#cross-region-restore-for-mars-agent-preview)
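Review bot: the new link at L3594 uses the full `whats-new.md#...` form while every other entry in the Updates summary uses a bare `#...` in-page anchor (for example `#save-your-mars-backup-passphrase-securely-to-azure-key-vault-preview` on the same line); suggest the bare anchor for consistency. The same applies to the updated March 2023 entry at L3599.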
You can learn more about the new releases by bookmarking this page or by [subscr
- March 2023 - [Multiple backups per day for Azure VMs is now generally available](#multiple-backups-per-day-for-azure-vms-is-now-generally-available) - [Immutable vault for Azure Backup is now generally available](#immutable-vault-for-azure-backup-is-now-generally-available)
- - [Support for selective disk backup with enhanced policy for Azure VM (preview)](#support-for-selective-disk-backup-with-enhanced-policy-for-azure-vm-preview)
+ - [Support for selective disk backup with enhanced policy for Azure VM (preview)](whats-new.md#support-for-selective-disk-backup-with-enhanced-policy-for-azure-vm-is-now-generally-available)
- [Azure Kubernetes Service backup (preview)](#azure-kubernetes-service-backup-preview) - [Azure Blob vaulted backups (preview)](#azure-blob-vaulted-backups-preview) - October 2022
Azure Backup now supports immutable vaults that help you ensure that recovery po
For more information, see the [concept of Immutable vault for Azure Backup](backup-azure-immutable-vault-concept.md).
-## Support for selective disk backup with enhanced policy for Azure VM (preview)
+## Support for selective disk backup with enhanced policy for Azure VM is now generally available
Azure Backup now provides *Selective Disk backup and restore* capability to Enhanced policy. Using this capability, you can selectively back up a subset of the data disks that are attached to your VM, and then restore a subset of the disks that are available in a recovery point, both from instant restore and vault tier.
bastion Kerberos Authentication Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/kerberos-authentication-portal.md
description: Learn how to configure Bastion to use Kerberos authentication via t
Previously updated : 06/12/2023 Last updated : 09/14/2023
This article shows you how to configure Azure Bastion to use Kerberos authentica
## Considerations * The Kerberos setting for Azure Bastion can be configured in the Azure portal only and not with native client.
-* VMs migrated from on-premises to Azure are not currently supported for Kerberos. 
-* Cross-realm authentication is not currently supported for Kerberos. 
-* Changes to DNS server are not currently supported for Kerberos. After making any changes to DNS server, you will need to delete and re-create the Bastion resource.
+* VMs migrated from on-premises to Azure aren't currently supported for Kerberos. 
+* Cross-realm authentication isn't currently supported for Kerberos. 
+* Changes to DNS server aren't currently supported for Kerberos. After making any changes to DNS server, you'll need to delete and re-create the Bastion resource.
* If additional DC (domain controllers) are added, Bastion will only recognize the first DC.
-* If additional DCs are added for different domains, the added domains cannot successfully authenticate with Kerberos.
+* If additional DCs are added for different domains, the added domains can't successfully authenticate with Kerberos.
## Prerequisites
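Review bot: L3617 still reads "If additional DC (domain controllers) are added"; since the neighbouring bullets are being reworded anyway, suggest "If additional domain controllers (DCs) are added, Bastion only recognizes the first DC." so the abbreviation is introduced before L3619 uses "DCs".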
In this section, the following steps help you modify your virtual network and ex
1. [Update the DNS settings](#update-vnet-dns-servers) for your virtual network. 1. Go to the portal page for your Bastion deployment and select **Configuration**. 1. On the Configuration page, select **Kerberos authentication**, then select **Apply**.
-1. Bastion will update with the new configuration settings.
+1. Bastion updates with the new configuration settings.
## To verify Bastion is using Kerberos
-> [!NOTE]
+> [!NOTE]
> You must use the User Principal Name (UPN) to sign in using Kerberos. Once you have enabled Kerberos on your Bastion resource, you can verify that it's actually using Kerberos for authentication to the target domain-joined VM.
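Review bot: the `-`/`+` pair at L3626 and L3627 is identical apart from trailing whitespace, so this is a whitespace-only change; fine to keep, but worth mentioning in the change description so reviewers don't hunt for a wording difference.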
Once you have enabled Kerberos on your Bastion resource, you can verify that it'
1. End the VM session. 1. Connect to the target VM again using Bastion. Sign-in should succeed, indicating that Bastion used Kerberos (and not NTLM) for authentication.
-## Quickstart: Setup Bastion with Kerberos - Resource Manager template
+ > [!NOTE]
+ > To prevent failback to NTLM, make sure you follow the preceding steps. Enabling Kerberos (without following the procedure) won't prevent failback to NTLM.
+
+## Quickstart: Set up Bastion with Kerberos - Resource Manager template
### Review the template
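Review bot: the new note at L3632–L3633 says "make sure you follow the preceding steps" without saying which steps prevent NTLM fallback; enabling Kerberos on Bastion alone doesn't restrict NTLM on the VM. Suggest naming the concrete control, for example the `Restrict NTLM: Incoming NTLM traffic` = Deny all domain accounts policy that the template section below applies to the ClientVM, so readers know what to verify on the target VM. Also check the indentation: the note is indented under the last list item and will render as part of that step.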
Once you have enabled Kerberos on your Bastion resource, you can verify that it'
The following resources have been defined in the template: - Deploys the following Azure resources: - [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks): create an Azure virtual network.
- - [**Microsoft.Network/bastionHosts**](/azure/templates/microsoft.network/bastionHosts): create a Standard SKU Bastion with a public IP and Kerberos feature enabled
- - Create a Windows 10 ClientVM and a Windows Server 2019 ServerVM
-- Have the DNS Server of the VNET point to the private IP address of the ServerVM (domain controller).
+ - [**Microsoft.Network/bastionHosts**](/azure/templates/microsoft.network/bastionHosts): create a Standard SKU Bastion with a public IP and Kerberos feature enabled.
+ - Create a Windows 10 ClientVM and a Windows Server 2019 ServerVM.
+- Have the DNS Server of the VNet point to the private IP address of the ServerVM (domain controller).
- Runs a Custom Script Extension on the ServerVM to promote it to a domain controller with domain name: `bastionkrb.test`. - Runs a Custom Script Extension on the ClientVM to have it: - **Restrict NTLM: Incoming NTLM traffic** = Deny all domain accounts (this is to ensure Kerberos is used for authentication). - Domain-join the `bastionkrb.test` domain. ## Deploy the template
-To setup Kerberos, deploy the ARM template above by running the following PS cmd:
+To set up Kerberos, deploy the preceding ARM template by running the following PowerShell cmd:
``` New-AzResourceGroupDeployment -ResourceGroupName <your-rg-name> -TemplateFile "<path-to-template>\KerberosDeployment.json"` ``` ## Review deployed resources
-Now, login to ClientVM using Bastion with Kerberos authentication:
+Now, sign in to ClientVM using Bastion with Kerberos authentication:
- credentials: username = `serveruser@bastionkrb.test` and password = `<password-entered-during-deployment>`.
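Review bot: the command in the fenced block at L3648 has a stray backtick after `"<path-to-template>\KerberosDeployment.json"`, which will be copied into the shell by anyone using the copy button; remove it and tag the fence as ```powershell so it highlights correctly. In L3647, "PowerShell cmd" should be "PowerShell cmdlet" (or "command").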
batch Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/best-practices.md
Title: Best practices description: Learn best practices and useful tips for developing your Azure Batch solutions. Previously updated : 01/18/2023 Last updated : 09/13/2023
initiates communication to the compute nodes, and compute nodes also require com
node communication model, compute nodes initiate communication with the Batch service. Due to the reduced scope of inbound/outbound connections required, and not requiring Azure Storage outbound access for baseline operation, the recommendation is to use the simplified node communication model. Some future improvements to the Batch service will also require the simplified
-node communication model.
+node communication model. The classic node communication model will be
+[retired on March 31, 2026](batch-pools-to-simplified-compute-node-communication-model-migration-guide.md).
- **Job and task run time considerations:** If you have jobs comprised primarily of short-running tasks, and the expected total task counts are small, so that the overall expected run time of the job isn't long, don't allocate a new pool for each job. The allocation time of the nodes will diminish the run time of the job. - **Multiple compute nodes:** Individual nodes aren't guaranteed to always be available. While uncommon, hardware failures, operating system updates, and a host of other issues can cause individual nodes to be offline. If your Batch workload requires deterministic, guaranteed progress, you should allocate pools with multiple nodes. -- **Images with impending end-of-life (EOL) dates:** We strongly recommended avoiding images with impending Batch support
+- **Images with impending end-of-life (EOL) dates:** It's strongly recommended to avoid images with impending Batch support
end of life (EOL) dates. These dates can be discovered via the [`ListSupportedImages` API](/rest/api/batchservice/account/listsupportedimages), [PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or
batch Security Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/security-best-practices.md
Title: Batch security and compliance best practices description: Learn best practices and useful tips for enhancing security with your Azure Batch solutions. Previously updated : 11/15/2022 Last updated : 09/13/2023
Pools can also be configured in one of two node communication modes, classic or
In the classic node communication model, the Batch service initiates communication to the compute nodes, and compute nodes also require communicating to Azure Storage. In the simplified node communication model, compute nodes initiate communication with the Batch service. Due to the reduced scope of inbound/outbound connections required, and not requiring Azure Storage
-outbound access for baseline operation, the recommendation is to use the simplified node communication model.
+outbound access for baseline operation, the recommendation is to use the simplified node communication model. The classic
+node communication model will be
+[retired on March 31, 2026](batch-pools-to-simplified-compute-node-communication-model-migration-guide.md).
### Batch account authentication
In addition to operations specific to a Batch account, [management operations](/
Batch management operations via Azure Resource Manager are encrypted using HTTPS, and each request is authenticated using Azure AD authentication.
-### Batch pool nodes
+### Batch pool compute nodes
The Batch service communicates with a Batch node agent that runs on each node in the pool. For example, the service instructs the node agent to run a task, stop a task, or get the files for a task. Communication with the node agent is enabled by one or more load balancers, the number of which depends on the number of nodes in a pool. The load balancer forwards the communication to the desired node, with each node being addressed by a unique port number. By default, load balancers have public IP addresses associated with them. You can also remotely access pool nodes via RDP or SSH (this access is enabled by default, with communication via load balancers).
+#### Batch compute node OS
+
+Batch supports both Linux and Windows operating systems. Batch supports Linux with an aligned node agent for a subset of Linux OS
+distributions. It's recommended that the operating system is kept up-to-date with the latest patches provided by the OS
+publisher.
+
+Batch support for images and node agents phase out over time, typically aligned with publisher support timelines. It's
+recommended to avoid using images with impending end-of-life (EOL) dates or images that are past their EOL date.
+It's your responsibility to periodically refresh your view of the EOL dates pertinent to your pools and migrate your workloads
+before the EOL date occurs. If you're using a custom image with a specified node agent, ensure that you follow Batch support
+end-of-life dates for the image for which your custom image is derived or aligned with. An image without a specified
+`batchSupportEndOfLife` date indicates that such a date hasn't been determined yet by the Batch service. Absence of a date
+doesn't indicate that the respective image will be supported indefinitely. An EOL date may be added or updated in the future
+at any time. EOL dates can be discovered via the
+[`ListSupportedImages` API](/rest/api/batchservice/account/listsupportedimages),
+[PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or
+[Azure CLI](/cli/azure/batch/pool/supported-images).
+
+#### Windows OS Transport Layer Security (TLS)
+
+The Batch node agent doesn't modify operating system level defaults for SSL/TLS versions or cipher suite ordering. In Windows,
+SSL/TLS versions and cipher suite order is controlled at the operating system level, and therefore the Batch node agent adopts
+the settings set by the image used by each compute node. Although the Batch node agent attempts to utilize the
+most secure settings available when possible, it can still be limited by operating system level settings. We recommend that
+you review your OS level defaults and set them appropriately for the most secure mode that is amenable for your workflow and
+organizational requirements. For more information, please visit
+[Manage TLS](https://learn.microsoft.com/windows-server/security/tls/manage-tls) for cipher suite order enforcement and
+[TLS registry settings](https://learn.microsoft.com/windows-server/security/tls/tls-registry-settings) for SSL/TLS version
+control for Schannel SSP. Note that some setting changes require a reboot to take effect. Utilizing a newer operating system
+with modern security defaults or a [custom image](batch-sig-images.md) with modified settings is recommended instead of
+application of such settings with a Batch start task.
+ ### Restricting access to Batch endpoints Several capabilities are available to limit access to the various Batch endpoints, especially when the solution uses a virtual network.
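Review bot: subject-verb agreement at L3697: "SSL/TLS versions and cipher suite order is controlled" should be "are controlled". The two links at L3702–L3703 use absolute `https://learn.microsoft.com/...` URLs while the rest of this file (L3690–L3692) uses relative paths such as `/rest/api/...`; suggest `/windows-server/security/tls/manage-tls` and `/windows-server/security/tls/tls-registry-settings`. Minor: "please visit" at L3701 can be "see", and "for which your custom image is derived or aligned with" at L3686 reads better as "from which your custom image is derived or with which it is aligned".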
communication-services Send Email https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/email/send-email.md
Last updated 04/10/2023
-zone_pivot_groups: acs-azcli-js-csharp-java-python-logic-apps
+zone_pivot_groups: acs-azcli-js-csharp-java-python-portal-nocode
# Quickstart: How to send an email using Azure Communication Service In this quick start, you'll learn about how to send email using our Email SDKs. + ::: zone pivot="platform-azcli" [!INCLUDE [Send email with Azure CLI](./includes/send-email-az-cli.md)] ::: zone-end
In this quick start, you'll learn about how to send email using our Email SDKs.
[!INCLUDE [Send Email with Python SDK](./includes/send-email-python.md)] ::: zone-end [!INCLUDE [Azure Logic Apps](./includes/send-email-logic-app.md)] ::: zone-end
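Review bot: the pivot group is renamed from `acs-azcli-js-csharp-java-python-logic-apps` to `acs-azcli-js-csharp-java-python-portal-nocode` (L3710–L3711), but L3714 still includes `./includes/send-email-logic-app.md` between two `::: zone-end` markers with no opening `::: zone pivot="..."` visible for it. Either wrap that include in the new pivot's zone or remove it; otherwise the Logic Apps content isn't selectable from the new pivot and the zone markers look unbalanced.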
confidential-computing Virtual Machine Solutions Sgx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions-sgx.md
Because of their specialized hardware, you can only resize Intel SGX VM instance
### Image
-To provide Intel SGX support on confidential compute instances, all deployments must run on Generation 2 images. Azure confidential computing supports workloads running on **Ubuntu 20.04 Gen 2**, **Ubuntu 18.04 Gen 2**, and **Windows Server 2019 Gen 2**. For more information about supported and unsupported scenarios, see [support for Generation 2 VMs on Azure](../virtual-machines/generation-2.md).
+To provide Intel SGX support on confidential compute instances, all deployments must run on Generation 2 images. Azure confidential computing supports workloads running on **Ubuntu 20.04 Gen 2**, **Windows Server 2019 Gen 2** and **Ubuntu 22.04 Gen 2**. For more information about supported and unsupported scenarios, see [support for Generation 2 VMs on Azure](../virtual-machines/generation-2.md).
### Storage
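Review bot: L3719 drops **Ubuntu 18.04 Gen 2** from the supported list and adds **Ubuntu 22.04 Gen 2**; if 18.04 is no longer supported, say so explicitly rather than silently removing it, since readers on 18.04 will look for it. Also order the list (`Ubuntu 20.04 Gen 2`, `Ubuntu 22.04 Gen 2`, `Windows Server 2019 Gen 2`) and add the serial comma before "and".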
cosmos-db Choose Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/choose-service.md
Previously updated : 09/05/2023 Last updated : 09/14/2023 # Differences between Azure Managed Instance for Apache Cassandra and Azure Cosmos DB for Apache Cassandra
The following table shows the common scenarios, workload requirements, and aspir
## Next steps * [Build a Java app to manage Azure Cosmos DB for Apache Cassandra data](manage-data-java-v4-sdk.md)
-* [Create an Azure Managed instance for Apache Cassandra cluster in Azure portal](../../managed-instance-apache-cassandr)
+* [Create an Azure Managed Instance for Apache Cassandra cluster in Azure portal](../../managed-instance-apache-cassandr)
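Review bot: the link target at L3726, `../../managed-instance-apache-cassandr`, ends mid-word and has no `.md` file name, so it looks cut off; the change only capitalizes "Instance" in the link text and leaves the target as it was. Verify the target resolves before merging.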
defender-for-cloud Upcoming Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md
The following table explains how each capability will be provided after the Log
##### Log analytics and Azure Monitoring agents autoprovisioning experience -- The MMA autoprovisioning mechanism and its related policy initiative will remain optional until August 2024.
+The current provisioning process that provides the installation and configuration of both agents (MMA/AMA), will be adjusted according to the plan mentioned above: 
-- In October 2023, the current shared Log Analytics agent/Azure Monitor agent autoprovisioning mechanism will be updated and applied to the Log Analytics agent only. The Azure Monitor agent related (Public Preview) policy initiatives will be deprecated.
+1. MMA auto-provisioning mechanism and its related policy initiative will remain optional and supported until August 2024 through the Defender for Cloud platform.   
+1. In October 2023: 
+ 1. The current shared ‘Log Analytics agent’/’Azure Monitor agent’ auto-provisioning mechanism will be updated and applied to ‘Log Analytics agent’ only.  
-- The AMA autoprovisioning mechanism will still serve current customers with the Public Preview policy initiative enabled, but they won't be eligible for support. To disable the Azure Monitor agent provisioning, manually remove the policy initiative.
+ 1. **Azure Monitor agent** (AMA) related Public Preview policy initiatives will be deprecated and replaced with the new auto-provisioning process for Azure Monitor agent (AMA), targeting only Azure registered SQL servers (SQL Server on Azure VM/ Arc-enabled SQL Server). 
-- If MMA autoprovisioning is enabled and AMA agents are already installed on the machines, MMA wonΓÇÖt be provisioned. However, AMA will remain functional.
+1. Current customers with AMA with the Public Preview policy initiative enabled will still be supported but are recommended to migrate to the new policy. 
To ensure the security of your servers and receive all the security updates from Defender for Servers, make sure to have [Defender for Endpoint integration](integration-defender-for-endpoint.md) and [agentless disk scanning](concept-agentless-data-collection.md) enabled on your subscriptions. This will also keep your servers up-to-date with the alternative deliverables.
+#### Agents migration planning 
+
+**First, all Defender for Servers customers are advised to enable Defender for Endpoint integration and agentless disk scanning as part of the Defender for Servers offering, at no additional cost.** This will ensure you are automatically covered with the new alternative deliverables, with no additional onboarding required.    
+
+Following that, plan your migration plan according to your organization requirements: 
+
+||Azure Monitor agent (AMA) required (for Defender for SQL or other scenarios)|FIM/EPP discovery/Baselined is required as part of Defender for Server|What should I do|
+| -- | -- | -- | -- |
+| |No |Yes |You can remove MMA starting April 2024, using GA version of Defender for Server capabilities according to your needs (preview versions will be available earlier)  |
+| |No |No |You can remove MMA starting now |
+| |Yes |No |You can start migration from MMA to AMA now |
+| |Yes |Yes |You can either start migration from MMA to AMA starting April 2024 or alternatively, you can use both agents side by side starting now. |
+
+**Customers with Log analytics Agent** **(MMA) enabled** 
+
+- If the following features are required in your organization: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations), you can start retiring from MMA in April 2024 when an alternative will be delivered in GA (preview versions will be available earlier). 
+
+- If the features mentioned above are required in your organization, and Azure Monitor agent (AMA) is required for other services as well, you can start migrating from MMA to AMA in April 2024. Alternatively, use both MMA and AMA to get all GA features, then remove MMA in April 2024. 
+
+- If the features mentioned above are not required, and Azure Monitor agent (AMA) is required for other services, you can start migrating from MMA to AMA now. However, note that the preview Defender for Servers capabilities over AMA will be deprecated in April 2024. 
+
+**Customers with Azure Monitor agent (AMA) enabled** 
+
+No action is required from your end. 
+
+- YouΓÇÖll receive all Defender for Servers GA capabilities through Agentless and Defender for Endpoint. The following features will be available in GA in April 2024: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations). The preview Defender for Servers capabilities over AMA will be deprecated in April 2024.
+ > [!IMPORTANT] > For more information about how to plan for this change, see [Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341).
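Review bot: the migration planning table at L3746–L3751 has an empty leading column (every row starts with `||` or `| |`), which renders as a blank first column; drop it. Naming is inconsistent within the same table: "Defender for Server" (L3746, L3748) versus "Defender for Servers" elsewhere, and "Baselined" at L3746 should be "Baselines". Smaller points: "plan your migration plan" at L3744 is redundant, and the curly quotes around ‘Log Analytics agent’ at L3734 should be plain quotes or none, matching L3736.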
Customers will have until September 30, 2023 to resolve this issue. After this d
## Next steps For all recent changes to Defender for Cloud, see [What's new in Microsoft Defender for Cloud?](release-notes.md).+
defender-for-iot Concept Supported Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-supported-protocols.md
Title: Protocols supported by Microsoft Defender for IoT description: Learn about protocols that Microsoft Defender for IoT supports. Previously updated : 01/30/2023 Last updated : 08/31/2023
OT network sensors can detect the following protocols when identifying assets an
|**DNP. org** | DNP3 | |**Emerson** | DeltaV<br> DeltaV - Discovery<br> Emerson OpenBSI/BSAP<br> Ovation DCS ADMD<br>Ovation DCS DPUSTAT<br> Ovation DCS SSRPC | |**Emerson Fischer** | ROC |
-|**GE** | Bentley Nevada (System 1 / BN3500)<br>ClassicSDI (MarkVle) <br> EGD<br> GSM (GE MarkVI and MarkVIe)<br> InterSite<br> SDI (MarkVle) <br> SRTP (GE)<br> GE_CMP |
+|**GE** | ADL (MarkVIe) <br>Bentley Nevada (System 1 / BN3500)<br>ClassicSDI (MarkVle) <br> EGD<br> GSM (GE MarkVI and MarkVIe)<br> InterSite<br> SDI (MarkVle) <br> SRTP (GE)<br> GE_CMP |
|**Generic Applications** | Active Directory<br> RDP<br> Teamviewer<br> VNC<br> | |**Honeywell** | ENAP<br> Experion DCS CDA<br> Experion DCS FDA<br> Honeywell EUCN <br> Honeywell Discovery | |**IEC** | Codesys V3<br>IEC 60870-5-7 (IEC 62351-3 + IEC 62351-5)<br> IEC 60870-5-104<br> IEC 60870-5-104 ASDU_APCI<br> IEC 60870 ICCP TASE.2<br> IEC 61850 GOOSE<br> IEC 61850 MMS<br> IEC 61850 SMV (SAMPLED-VALUES)<br> LonTalk (LonWorks) | |**IEEE** | LLC<br> STP<br> VLAN | |**IETF** | ARP<br> DHCP<br> DCE RPC<br> DNS<br> FTP (FTP_ADAT<br> FTP_DATA)<br> GSSAPI (RFC2743)<br> HTTP<br> ICMP<br> IPv4<br> IPv6<br> LLDP<br> MDNS<br> NBNS<br> NTLM (NTLMSSP Auth Protocol)<br> RPC<br> SMB / Browse / NBDGM<br> SMB / CIFS<br> SNMP<br> SPNEGO (RFC4178)<br> SSH<br> Syslog<br> TCP<br> Telnet<br> TFTP<br> TPKT<br> UDP | |**ISO** | CLNP (ISO 8473)<br> COTP (ISO 8073)<br> ISO Industrial Protocol<br> MQTT (IEC 20922) |
+| **Jenesys** |FOX <br>Niagara |
|**Medical** |ASTM<br> HL7 | |**Microsoft** | Horizon community dissectors<br> Horizon proprietary dissectors (developed by customers) | |**Mitsubishi** | Melsoft / Melsec (Mitsubishi Electric) |
-|**Omron** | FINS |
-|**OPC** | UA |
+|**Omron** | FINS <br>HTTP |
+|**OPC** | AE <br>Common <br> DA <br>HDA <br> UA |
|**Oracle** | TDS<br> TNS | |**Rockwell Automation** | CSP2<br> ENIP<br> EtherNet/IP CIP (including Rockwell extension)<br> EtherNet/IP CIP FW version 27 and above | |**Samsung** | Samsung TV |
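Review bot: the GE row at L3774 now mixes spellings of the same controller family: the new `ADL (MarkVIe)` and the existing `GSM (GE MarkVI and MarkVIe)` use "MarkVIe" (capital I), while `ClassicSDI (MarkVle)` and `SDI (MarkVle)` use "MarkVle" (lowercase L). Since the row is being edited, normalise all four to `MarkVIe`.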
OT network sensors can detect the following protocols when identifying assets an
|**Schneider Electric / Invensys** | Foxboro Evo<br> Foxboro I/A<br> Trident<br> TriGP<br> TriStation | |**Schneider Electric / Modicon** | Modbus RTU | |**Schneider Electric / Wonderware** | Wonderware Suitelink |
+| **SEL** | FTP <br> Telnet |
|**Siemens** | CAMP<br> PCS7<br> PCS7 WinCC ΓÇô Historian<br> Profinet DCP<br> Profinet I/O<br> Profinet Realtime<br> Siemens PHD<br> Siemens S7<br> Siemens S7 - Firmware and model extraction<br> Siemens S7 ΓÇô key state<br> Siemens S7-Plus<br> Siemens SICAM<br> Siemens WinCC | |**Toshiba** |Toshiba Computer Link | |**Yokogawa** | Centum ODEQ (Centum / ProSafe DCS)<br> HIS Equalize<br> FA-M3<br> Vnet/IP |
defender-for-iot How To Manage Device Inventory For Organizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-device-inventory-for-organizations.md
Title: Manage your device inventory from the Azure portal description: Learn how to view and manage OT and IoT devices (assets) from the Device inventory page in the Azure portal. Previously updated : 05/17/2023 Last updated : 08/27/2023
Use any of the following options to modify or filter the devices shown:
|Option |Steps | ||| | **Sort devices** | Select a column header to sort the devices by that column. Select it again to change the sort direction. |
-|**Filter devices shown** | Either use the **Search** box to search for specific device details, or select **Add filter** to filter the devices shown. <br><br> In the **Add filter** box, define your filter by column name, operator, and value. Select **Apply** to apply your filter.<br><br> You can apply multiple filters at the same time. Search results and filters aren't saved when you refresh the **Device inventory** page. <br><br> The **Network location (Preview)** filter is on by default. |
+|**Filter devices shown** | Either use the **Search** box to search for specific device details, or select **Add filter** to filter the devices shown. <br><br> In the **Add filter** box, define your filter by column name, operator, and value. Select **Apply** to apply your filter.<br><br> You can apply multiple filters at the same time. Search results and filters aren't saved when you refresh the **Device inventory** page. <br><br> The **Last active time** and **Network location (Preview)** filters are on by default. |
|**Modify columns shown** | Select **Edit columns** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/edit-columns-icon.png" border="false":::. In the **Edit columns** pane:<br><br> - Select the **+ Add Column** button to add new columns to the grid.<br> - Drag and drop fields to change the columns order.<br>- To remove a column, select the **Delete** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/trashcan-icon.png" border="false"::: icon to the right.<br>- To reset the columns to their default settings, select **Reset** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/reset-icon.png" border="false":::. <br><br>Select **Save** to save any changes made. | | **Group devices** | From the **Group by** above the gird, select a category, such as **Class**, **Data source**, **Location**, **Purdue level**, **Site**, **Type**, **Vendor**, or **Zone**, to group the devices shown. Inside each group, devices retain the same column sorting. To remove the grouping, select **No grouping**. |
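Review bot: while this table is being edited, the **Group devices** row still reads `From the **Group by** above the gird`; fix `gird` to `grid`.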
defender-for-iot How To Troubleshoot Sensor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-troubleshoot-sensor.md
Title: Troubleshoot the sensor
-description: Troubleshoot your sensor to eliminate any problems you might be having.
Previously updated : 03/14/2023
+ Title: Troubleshoot the sensor | Microsoft Defender for IoT
+description: Learn how to troubleshoot your Microsoft Defender for IoT OT sensor.
Last updated : 09/07/2023
+#CustomerIntent: As a Defender for IoT sensor admin, I want to know how to troubleshoot sensor issues so that I can get it back online quickly.
# Troubleshoot the sensor
To perform the procedures in this article, make sure that you have:
- Access to the OT network sensor as a **Support** user. For more information, see [Default privileged on-premises users](roles-on-premises.md#default-privileged-on-premises-users).
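Review bot: the front matter keeps `Title: Troubleshoot the sensor` as unchanged context while the hunk adds a second `Title: Troubleshoot the sensor | Microsoft Defender for IoT` line, so unless the original is removed elsewhere the metadata ends up with two title keys; the added line also carries a leading space before `Title:`, which can break YAML parsing. Replace the old line instead of adding a new one.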
+## Check sensor - cloud connectivity issues
+
+OT sensors automatically run connectivity checks to ensure that your sensor has access to all required endpoints. If a sensor isn't connected, an error is indicated in the Azure portal, on the **Sites and sensors** page, and on the sensor's **Overview** page. For example:
++
+Use the **Cloud connectivity troubleshooting** page in your OT sensor to learn more about the error that occurred and recommended mitigation actions you can take.
+
+**To troubleshoot connectivity errors**, sign into your OT sensor and do one of the following:
+
+- From the sensor's **Overview** page, select the **Troubleshoot*** link in the error at the top of the page
+- Select **System settings > Sensor management > Health and troubleshooting > Cloud connectivity troubleshooting**
+
+The **Cloud connectivity troubleshooting** pane opens on the right. If the sensor is connected to the Azure portal, the pane indicates that **The sensor is connected to cloud successfully**. If the sensor isn't connected, a description of the issue and any mitigation instructions are listed instead. For example: <!--need new image-->
++
+The **Cloud connectivity troubleshooting** pane covers the following types of issues:
+
+|Issue |Description |
+|||
+|**Errors establishing secure connections** | Occurs for SSL errors, which typically means that the sensor doesn't trust the certificate found. <br><br>This might occur due to an incorrect sensor time configuration, or using an SSL inspection service. SSL inspection services are often found in proxies and can lead to potential certificate errors. <br><br>For more information, see [Manage SSL/TLS certificates](how-to-manage-individual-sensors.md#manage-ssltls-certificates) and [Synchronize time zones on an OT sensor](how-to-manage-individual-sensors.md#synchronize-time-zones-on-an-ot-sensor).|
+|**General connection errors** | Occurs when the sensor can't connect with one or more required endpoints. <br><br>In such cases, ensure that all required endpoints are accessible from your sensor, and consider configuring more endpoints in your firewall. For more information, see [Provision sensors for cloud management](ot-deploy/provision-cloud-management.md). |
+|**Unreachable DNS server errors** | Occurs when the sensor can't perform name resolution due to an unreachable DNS server. In such cases, verify that your sensor can access the DNS server. For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration) |
+|**Proxy authentication issues** | Occurs when a proxy demands authentication, but no credentials, or incorrect credentials, are provided. <br><br>In such cases, make sure that you've configured the proxy credentials correctly. For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration). |
+|**Name resolution failures** | Occurs when the sensor can't perform name resolution for a specific endpoint. <br><br>In such cases, if your DNS server is reachable, make sure that the DNS server is configured on your sensor correctly. If the configuration is correct, we recommend reaching out to your DNS administrator. <br><br>For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration). |
+|**Unreachable proxy server errors** | Occurs when the sensor can't establish a connection with the proxy server. In such cases, confirm the reachability of your proxy server with your network team. <br><br>For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration). |
++ ## Check system health Check your system health from the sensor.
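Review bot: `select the **Troubleshoot*** link` in the first bullet has an extra asterisk, which leaves a stray `*` in the rendered text; use `**Troubleshoot**`. The `<!--need new image-->` comment after the second "For example:" and the empty `++` lines after both "For example:" sentences indicate screenshots that have not been added yet, so either add the images or drop the lead-ins before merge. Also confirm that the heading `## Check sensor - cloud connectivity issues` produces the anchor that release-notes.md and whats-new.md link to (`#check-sensorcloud-connectivity-issues`); with the spaced hyphen as written, the generated slug will differ. Finally, the **Unreachable DNS server errors** row is the only one whose closing link lacks a period.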
defender-for-iot Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/release-notes.md
Title: OT monitoring software versions - Microsoft Defender for IoT description: This article lists Microsoft Defender for IoT on-premises OT monitoring software versions, including release and support dates and highlights for new features. Previously updated : 08/09/2023 Last updated : 09/14/2023 # OT monitoring software versions
Cloud features may be dependent on a specific sensor version. Such features are
| Version / Patch | Release date | Scope | Supported until | | - | | -- | - | | **23.1** | | | |
+| 23.1.3 | 09/2023 | Patch | 08/2024 |
| 23.1.2 | 07/2023 | Major | 06/2024 | | **22.3** | | | | |22.3.10|07/2023|Patch|06/2024|
To understand whether a feature is supported in your sensor version, check the r
## Versions 23.1.x
+### Version 23.1.3
+
+**Release date**: 09/2023
+
+**Supported until**: 08/2024
+
+This version includes the following updates and enhancements:
+
+- [Connectivity troubleshooting enhancements from the OT sensor](how-to-troubleshoot-sensor.md#check-sensorcloud-connectivity-issues)
+- [Read Only users can access the Event Timeline](roles-on-premises.md)
+ ### Version 23.1.2 **Release date**: 07/2023
defender-for-iot Roles On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/roles-on-premises.md
Title: On-premises users and roles for Defender for IoT - Microsoft Defender for IoT description: Learn about the on-premises user roles available for OT monitoring with Microsoft Defender for IoT network sensors and on-premises management consoles. Previously updated : 09/19/2022 Last updated : 08/27/2023
Permissions applied to each role differ between the sensor and the on-premises m
| **Control map zoom views** | - | - | Γ£ö | | **View alerts** | Γ£ö | Γ£ö | Γ£ö | | **Manage alerts**: acknowledge, learn, and mute |- | Γ£ö | Γ£ö |
-| **View events in a timeline** | - | Γ£ö | Γ£ö |
+| **View events in a timeline** | Γ£ö | Γ£ö | Γ£ö |
| **Authorize devices**, known scanning devices, programming devices | - | Γ£ö | Γ£ö | | **Merge and delete devices** |- |- | Γ£ö | | **View investigation data** | Γ£ö | Γ£ö | Γ£ö |
defender-for-iot Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/whats-new.md
Title: What's new in Microsoft Defender for IoT description: This article describes features available in Microsoft Defender for IoT, across both OT and Enterprise IoT networks, and both on-premises and in the Azure portal. Previously updated : 08/28/2023 Last updated : 09/14/2023
Features released earlier than nine months ago are described in the [What's new
> Noted features listed below are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. >
+## September 2023
+
+|Service area |Updates |
+|||
+| **OT networks** | **Version 23.1.3**: <br>- [Troubleshoot OT sensor connectivity](#troubleshoot-ot-sensor-connectivity) <br>- [Event timeline access for OT sensor Read Only users](#event-timeline-access-for-ot-sensor-read-only-users)|
+
+### Troubleshoot OT sensor connectivity
+
+Starting in version 23.1.3, OT sensors automatically help you troubleshoot connectivity issues with the Azure portal. If a cloud-managed sensor isn't connected, an error is indicated in the Azure portal on the **Sites and sensors** page, and on the sensor's **Overview** page.
+
+For example:
++
+From your sensor, do one of the following to open the **Cloud connectivity troubleshooting** pane, which provides details about the connectivity issues and mitigation steps:
+
+- On the **Overview** page, select the **Troubleshoot** link at the top of the page
+- Select **System settings > Sensor management > Health and troubleshooting > Cloud connectivity troubleshooting**
++
+For more information, see [Check sensor - cloud connectivity issues](how-to-troubleshoot-sensor.md#check-sensorcloud-connectivity-issues).
+
+### Event timeline access for OT sensor Read Only users
+
+Starting in version 23.1.3, *Read Only* users on the OT sensor can view the **Event Timeline** page. For example:
++
+For more information, see:
+
+- [Track network and sensor activity with the event timeline](how-to-track-sensor-activity.md)
+- [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md)
+ ## August 2023 |Service area |Updates |
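Review bot: three places in the new September section read "For example:" followed by a bare `++` line with no image reference; add the screenshots or remove the lead-ins, and check that the link to `how-to-troubleshoot-sensor.md#check-sensorcloud-connectivity-issues` resolves against the heading as it is spelled in that file.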
dev-box Quickstart Create Dev Box https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-create-dev-box.md
After you create a dev box, one way to access it quickly is through a browser:
1. Select **Open in browser**.
- :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-card-rdp.png" alt-text="Screenshot of dev box card that shows the option for opening in a browser.":::
+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-open-in-browser.png" alt-text="Screenshot of dev box card that shows the option for opening in a browser.":::
A new tab opens with a Remote Desktop session through which you can use your dev box.
A new tab opens with a Remote Desktop session through which you can use your dev
When you no longer need your dev box, you can delete it:
-1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
-
-1. For the dev box you that you want to delete, from the **Actions** menu, select **Delete**.
-
- :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-delete-dev-box.png" alt-text="Screenshot of the menu command for deleting a dev box.":::
-
-1. To confirm the deletion, select **Delete**.
-
- :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-delete-dev-box-confirm.png" alt-text="Screenshot of the Delete button in the confirmation message about deleting a dev box.":::
## Next steps
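Review bot: removing the five deletion steps leaves the intro sentence `When you no longer need your dev box, you can delete it:` (kept as unchanged context) pointing at nothing and followed directly by `## Next steps`; either remove that sentence as well or replace it with a link to wherever the delete procedure now lives.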
event-hubs Monitor Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/monitor-event-hubs.md
If you use **Azure Storage** to store the diagnostic logging information, the in
If you use **Azure Event Hubs** to store the diagnostic logging information, the information is stored in Event Hubs instances named **insights-logs-operationlogs** and **insights-metrics-pt1m**. You can also select an existing event hub except for the event hub for which you are configuring diagnostic settings. ### Log Analytics
-If you use **Log Analytics** to store the diagnostic logging information, the information is stored in tables named **AzureDiagnostics** and **AzureMetrics**.
+If you use **Log Analytics** to store the diagnostic logging information, the information is stored in tables named **AzureDiagnostics** / **AzureMetrics** or **resource specific tables**
> [!IMPORTANT] > Enabling these settings requires additional Azure services (storage account, event hub, or Log Analytics), which may increase your cost. To calculate an estimated cost, visit the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator).
For a detailed reference of the logs and metrics, see [Azure Event Hubs monitori
Following are sample queries that you can use to help you monitor your Azure Event Hubs resources:
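Review bot: the rewritten Log Analytics sentence drops its closing period and should hyphenate `resource-specific tables`; since the sample queries below are now split into **AzureDiagnostics** and **Resource Specific Table** tabs, it would also help to tell the reader how to determine which of the two applies to their namespace.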
+### [AzureDiagnostics](#tab/AzureDiagnostics)
+ + Get errors from the past seven days ```Kusto
Following are sample queries that you can use to help you monitor your Azure Eve
| where ResourceProvider =="MICROSOFT.EVENTHUB" | where Category == "RuntimeAuditLogs" ```-- + Get access attempts to a key vault that resulted in "key not found" error. ```Kusto
Following are sample queries that you can use to help you monitor your Azure Eve
| where ResourceProvider == "MICROSOFT.EVENTHUB" | where Category == "ArchiveLogs" | summarize count() by "failures", "durationInSeconds"
+ ```
+
+### [Resource Specific Table](#tab/Resourcespecifictable)
+++ Get Operational Logs for event hub resource for last 7 days +
+ ```Kusto
+ AZMSOperationalLogs
+ | where Timegenerated > ago(7d)
+ | where Provider == "EVENTHUB"
+ | where resourceId == "<Resource Id>" // Replace your resource Id
``` ++ Get capture logs for event hub for last 7 days +
+ ```Kusto
+ AZMSArchiveLogs
+ | where EventhubName == "<Event Hub Name>" //Enter event hub entity name
+ | where TimeGenerated > ago(7d)
+ ```
+++ ## Use runtime logs Azure Event Hubs allows you to monitor and audit data plane interactions of your client applications using runtime audit logs and application metrics logs.
To collect sample runtime audit logs in your Event Hubs namespace, you can publi
### Analyze runtime audit logs You can analyze the collected runtime audit logs using the following sample query.
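Review bot: in the new `AZMSOperationalLogs` query, `| where Timegenerated > ago(7d)` will fail because Kusto column names are case-sensitive and the column is `TimeGenerated` (the `AZMSArchiveLogs` query a few lines later spells it correctly). Verify `resourceId` against the table schema too; the standard Log Analytics resource column is `_ResourceId`. The two new fenced blocks are also indented by one space unlike the other blocks in this section, and the fence tags mix `Kusto` and `kusto` across the file.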
+### [AzureDiagnostics](#tab/AzureDiagnosticsforRuntimeAudit)
+ ```kusto AzureDiagnostics | where TimeGenerated > ago(1h) | where ResourceProvider == "MICROSOFT.EVENTHUB" | where Category == "RuntimeAuditLogs" ```
+### [Resource Specific Table](#tab/ResourcespecifictableforRuntimeAudit)
+
+```kusto
+AZMSRuntimeAuditLogs
+| where TimeGenerated > ago(1h)
+| where Provider == "EVENTHUB"
+```
+ Up on the execution of the query you should be able to obtain corresponding audit logs in the following format. :::image type="content" source="./media/monitor-event-hubs/runtime-audit-logs.png" alt-text="Image showing the result of a sample query to analyze runtime audit logs." lightbox="./media/monitor-event-hubs/runtime-audit-logs.png":::
By analyzing these logs you should be able to audit how each client application
### Analyze application metrics You can analyze the collected application metrics logs using the following sample query.
+### [AzureDiagnostics](#tab/AzureDiagnosticsforAppMetrics)
+ ```kusto AzureDiagnostics | where TimeGenerated > ago(1h) | where Category == "ApplicationMetricsLogs" ```
+### [Resource Specific Table](#tab/ResourcespecifictableforAppMetrics)
+
+```kusto
+AZMSApplicationMetricLogs
+| where TimeGenerated > ago(1h)
+| where Provider == "EVENTHUB"
+```
+ Application metrics includes the following runtime metrics. :::image type="content" source="./media/monitor-event-hubs/application-metrics-logs.png" alt-text="Image showing the result of a sample query to analyze application metrics." lightbox="./media/monitor-event-hubs/application-metrics-logs.png":::
event-hubs Resource Manager Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/resource-manager-exceptions.md
The following sections provide various exceptions/errors that are surfaced throu
| - | - | - | -- | -- | | BadRequest | 40000 | PartitionCount can't be changed for an event hub. | Basic, standard, or premium tier of Azure Event Hubs doesn't support changing partitions. | Create a new event hub with the wanted number of partitions in your basic, standard, or premium tier namespace. Partition scale-out is supported for [dedicated clusters](event-hubs-dedicated-overview.md). | | BadRequest | 40000 | The value '#' for MessageRetentionInDays isn't valid for the Basic tier. the value can't exceed '1' day(s). | Basic tier Event Hubs namespaces only support message retention of up to 1 day. | If more than one day of message retention is wanted, [create a standard Event Hubs namespace](event-hubs-create.md). |
+| BadRequest | 40000 | The event hub can't be disabled. | The Capture feature is enabled for continuous flow of messages. | Disable the Capture feature and then try disabling the event hub. |
| BadRequest | none | The specified name isn't available. | Namespace names must be unique, and the specified name is already taken. | If you're the owner of the existing namespace with the specified name, you can delete it, which will cause data loss. Then, try again with the same name. If the namespace isn't safe to delete (or you aren't the owner), choose another namespace name. | | BadRequest | none | The specified subscription has reached its quota of namespaces. | Your subscription has reached the [quota](event-hubs-quotas.md) for the number of namespaces it can hold. | Consider deleting unused namespaces in this subscription, creating another subscription, or upgrading to a [dedicated cluster](event-hubs-dedicated-overview.md). | | BadRequest | none | Can't update a namespace that is secondary | The namespace can't be updated because it's the secondary namespace in a [GeoDR pairing](event-hubs-geo-dr.md). | If appropriate, make the change to the primary namespace in this pairing instead. Otherwise break the GeoDR pairing to make the change. |
global-secure-access Reference Remote Network Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/reference-remote-network-configurations.md
Title: Global Secure Access remote network configurations
-description: Global Secure Access configurations for remote network device links.
+description: Valid Global Secure Access configurations for custom remote network device links settings, including IKE, ASN, IPSec, and DH group.
Previously updated : 06/01/2023 Last updated : 09/13/2023
When you select **Default** as your IPsec/IKE policy when configuring remote net
| Properties | Combination 1 | Combination 2 | Combination 3 | | | | | |
-| IPSec encryption | GCMAES256 | GCMAES256 | GCMAES128 |
-| IPSec integrity | GCMAES192 | GCMAES192 | GCMAES128 |
+| IPSec encryption | GCMAES256 | GCMAES192 | GCMAES128 |
+| IPSec integrity | GCMAES256 | GCMAES192 | GCMAES128 |
| PFS Group | None | None | None | ## Custom IPSec/IKE combinations
hdinsight Apache Hadoop Dotnet Csharp Mapreduce Streaming https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-dotnet-csharp-mapreduce-streaming.md
description: Learn how to use C# to create MapReduce solutions with Apache Hadoo
Previously updated : 08/23/2022 Last updated : 09/14/2023 # Use C# with MapReduce streaming on Apache Hadoop in HDInsight
hdinsight Apache Hadoop Use Hive Curl https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-use-hive-curl.md
description: Learn how to remotely submit Apache Pig jobs to Azure HDInsight usi
Previously updated : 08/30/2022 Last updated : 09/14/2023 # Run Apache Hive queries with Apache Hadoop in HDInsight using REST
hdinsight Apache Hadoop Use Hive Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-use-hive-powershell.md
description: Use PowerShell to run Apache Hive queries in Apache Hadoop in Azure
Previously updated : 08/30/2022 Last updated : 09/14/2023 # Run Apache Hive queries using PowerShell
hdinsight Hdinsight Troubleshoot Cluster Creation Fails https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/hdinsight-troubleshoot-cluster-creation-fails.md
description: Learn how to troubleshoot Apache cluster creation issues for Azure
Previously updated : 08/28/2022 Last updated : 09/14/2023 #Customer intent: As an HDInsight user, I would like to understand how to resolve common cluster creation failures.
hdinsight Hdinsight Troubleshoot Data Lake Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/hdinsight-troubleshoot-data-lake-files.md
Title: Unable to access Data Lake storage files in Azure HDInsight
description: Unable to access Data Lake storage files in Azure HDInsight Previously updated : 08/28/2022 Last updated : 09/13/2023 # Unable to access Data Lake storage files in Azure HDInsight
hdinsight Hdinsight Hadoop Migrate Dotnet To Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-migrate-dotnet-to-linux.md
description: Learn how to use .NET applications for streaming MapReduce on Linux
Previously updated : 08/05/2022 Last updated : 09/14/2023 # Migrate .NET solutions for Windows-based HDInsight to Linux-based HDInsight
hdinsight Hdinsight Hadoop Windows Tools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-windows-tools.md
description: Work from a Windows PC in Hadoop on HDInsight. Manage and query clu
Previously updated : 08/05/2022 Last updated : 09/14/2023 # Work in the Apache Hadoop ecosystem on HDInsight from a Windows PC
Apache Spark clusters in HDInsight include Apache Zeppelin notebooks and kernels
If you come across a situation where you must use a tool or technology that is only available on Linux, consider the following options:
-* **Bash on Ubuntu on Windows 10** provides a Linux subsystem on Windows. Bash allows you to directly run Linux utilities without having to maintain a dedicated Linux installation. See [Windows Subsystem for Linux Installation Guide for Windows 10](/windows/wsl/install-win10) for installation steps. Other [Unix shells](https://www.gnu.org/software/bash/) will work as well.
+* **Bash on Ubuntu on Windows 10** provides a Linux subsystem on Windows. Bash allows you to directly run Linux utilities without having to maintain a dedicated Linux installation. See [Windows Subsystem for Linux Installation Guide for Windows 10](/windows/wsl/install-win10) for installation steps. Other [Unix shells](https://www.gnu.org/software/bash/) work as well.
* **Docker for Windows** provides access to many Linux-based tools, and can be run directly from Windows. For example, you can use Docker to run the Beeline client for Hive directly from Windows. You can also use Docker to run a local Jupyter Notebook and remotely connect to Spark on HDInsight. [Get started with Docker for Windows](https://docs.docker.com/docker-for-windows/) * **[MobaXTerm](https://mobaxterm.mobatek.net/)** allows you to graphically browse the cluster file system over an SSH connection.
The Azure command-line interface (CLI) is Microsoft's cross-platform command-lin
## Next steps
-If you're new to working in Linux-based clusters, see the follow articles:
+If you're new to work in Linux-based clusters, see the following articles:
* [Set up Apache Hadoop, Apache Kafka, Apache Spark, or other clusters](hdinsight-hadoop-provision-linux-clusters.md) * [Tips for HDInsight clusters on Linux](hdinsight-hadoop-linux-information.md)
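Review bot: the edit to the Next steps line introduces a grammar error: `If you're new to work in Linux-based clusters` should stay `If you're new to working in Linux-based clusters`; only `follow` to `following` needed fixing.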
hdinsight Troubleshoot Workload Management Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/interactive-query/troubleshoot-workload-management-issues.md
Previously updated : 07/19/2022 Last updated : 09/14/2023 # Troubleshoot Hive LLAP Workload Management issues
WLM entities information can also be viewed from following tables in Hive Metast
## WLM metrics
-WLM Metrics can be accessed directly via HS2Interactive UI under the Metrics Dump Tab. <br>
+WLM Metrics can be accessed directly via `HS2Interactive` UI under the Metrics Dump Tab. <br>
:::image type="content" source="./media/hive-workload-management/hs2-interactive-wlm.jpg" alt-text="HS2 Interactive UI." lightbox="./media/hive-workload-management/hs2-interactive-wlm.jpg"::: Example metrics published by WLM for a given pool in a resource plan.
Example metrics published by WLM for a given pool in a resource plan.
"NumExecutorsMax" : 10 ```
-HS2Interactive UI may not work for the ESP(Enterprise Security Package) enabled clusters released before Apr 2021. In such cases, WLM-related metrics can be obtained from customized Grafana dashboards.
+`HS2Interactive` UI may not work for the ESP(Enterprise Security Package) enabled clusters released before Apr 2021. In such cases, WLM-related metrics can be obtained from customized Grafana dashboards.
<br> The metrics name follows the below patterns: ```
CREATE POOL wlm_basic.default WITH ALLOC_FRACTION = 0.5, QUERY_PARALLELISM = 2,
Running queries in WLM can get killed automatically for following cases: 1. When Move Trigger is applied to a query and destination pool that doesn't have any Tez AMs available, then query is killed instead. <br> The above is a design limitation of WLM feature. You can work around this feature by increasing the `QUERY_PARALLELISM` property for the destination pool so that even for maximum load scenario, the queries submitted to the cluster can be supported by this pool. Also, tune the `wm` queue size to accommodate this change. <br>
-2. When WLM is disabled, all the inflight queries will fail with following exception pattern:
+2. When WLM is disabled, all the inflight queries fail with following exception pattern:
``` FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.tez.TezTask. Dag received [DAG_TERMINATE, DAG_KILL] in RUNNING state. ```
hdinsight Selective Logging Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/selective-logging-analysis.md
description: Learn how to use the selective logging feature with a script action
Previously updated : 07/31/2022 Last updated : 09/13/2023 # Use selective logging with a script action in Azure HDInsight
hdinsight Apache Azure Spark History Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/apache-azure-spark-history-server.md
description: Use the extended features in the Apache Spark History Server to deb
Previously updated : 08/23/2022 Last updated : 09/13/2023 # Use the extended features of the Apache Spark History Server to debug and diagnose Spark applications
hdinsight Apache Spark Ipython Notebook Machine Learning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/apache-spark-ipython-notebook-machine-learning.md
description: Tutorial - Step-by-step instructions on how to build Apache Spark m
Previously updated : 08/28/2022 Last updated : 09/14/2023 # Customer intent: As a developer new to Apache Spark and to Apache Spark in Azure HDInsight, I want to learn how to create a simple machine learning Spark application.
This application uses a Spark [ML pipeline](https://spark.apache.org/docs/2.2.0/
In the code snippet, you define a function that compares the actual temperature with the target temperature. If the actual temperature is greater, the building is hot, denoted by the value **1.0**. Otherwise the building is cold, denoted by the value **0.0**.
-1. Configure the Spark machine learning pipeline that consists of three stages: tokenizer, hashingTF, and lr.
+1. Configure the Spark machine learning pipeline that consists of three stages: `tokenizer`, `hashingTF`, and `lr`.
```PySpark tokenizer = Tokenizer(inputCol="SystemInfo", outputCol="words")
hdinsight Apache Spark Shell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/apache-spark-shell.md
description: An interactive Spark Shell provides a read-execute-print process fo
Previously updated : 08/30/2022 Last updated : 09/13/2023 # Run Apache Spark from the Spark Shell
The Spark Shell command (`spark-shell`, or `pyspark`) supports many command-line
| switch | description | example | | | | |
-| --master MASTER_URL | Specifies the master URL. In HDInsight, this value is always `yarn`. | `--master yarn`|
-| --jars JAR_LIST | Comma-separated list of local jars to include on the driver and executor classpaths. In HDInsight, this list is composed of paths to the default filesystem in Azure Storage or Data Lake Storage. | `--jars /path/to/examples.jar` |
-| --packages MAVEN_COORDS | Comma-separated list of maven coordinates of jars to include on the driver and executor classpaths. Searches the local maven repo, then maven central, then any additional remote repositories specified with `--repositories`. The format for the coordinates is *groupId*:*artifactId*:*version*. | `--packages "com.microsoft.azure:azure-eventhubs:0.14.0"`|
-| --py-files LIST | For Python only, a comma-separated list of .zip, .egg, or .py files to place on the PYTHONPATH. | `--pyfiles "samples.py"` |
+| `--master MASTER_URL` | Specifies the master URL. In HDInsight, this value is always `yarn`. | `--master yarn`|
+| `--jars JAR_LIST` | Comma-separated list of local jars to include on the driver and executor classpaths. In HDInsight, this list is composed of paths to the default filesystem in Azure Storage or Data Lake Storage. | `--jars /path/to/examples.jar` |
+| `--packages MAVEN_COORDS` | Comma-separated list of maven coordinates of jars to include on the driver and executor classpaths. Searches the local maven repo, then maven central, then any additional remote repositories specified with `--repositories`. The format for the coordinates is *groupId*:*artifactId*:*version*. | `--packages "com.microsoft.azure:azure-eventhubs:0.14.0"`|
+| `--py-files LIST` | For Python only, a comma-separated list of `.zip`, `.egg`, or `.py` files to place on the PYTHONPATH. | `--pyfiles "samples.py"` |
## Next steps
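Review bot: the example in the `--py-files` row still doesn't match the switch it documents: the first column now reads `--py-files LIST`, but the example column shows `--pyfiles "samples.py"`, which is not the option named in the row. Since this hunk already touches that row to add code formatting, change the example to `--py-files "samples.py"` in the same pass. The rest of the hunk is pure formatting (backticks around the switch names and file extensions) and looks fine.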
hdinsight Apache Spark Structured Streaming Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/apache-spark-structured-streaming-overview.md
description: How to use Spark Structured Streaming applications on HDInsight Spa
Previously updated : 08/26/2022 Last updated : 09/14/2023 # Overview of Apache Spark Structured Streaming
hdinsight Use Scp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/use-scp.md
description: This document provides information on connecting to HDInsight using
Previously updated : 08/30/2022 Last updated : 09/14/2023 # Use SCP with Apache Hadoop in Azure HDInsight
healthcare-apis How To Run A Reindex https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/how-to-run-a-reindex.md
content-type: application/fhir+json
"parameter": [ { "name": "targetSearchParameterTypes",
- "valueString": "{url of custom search parameter. In case of multiple custom search parameters, url list can be comma seperated.}"
+ "valueString": "{url of custom search parameter. In case of multiple custom search parameters, url list can be comma separated.}"
} ]
iot-hub-device-update Device Update Ubuntu Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-ubuntu-agent.md
Read the license terms before you use a package. Your installation and use of a
}, ```
+ :::image type="content" source="media/import-update/device-twin-ppr.png" alt-text="Screenshot that shows twin with tag information." lightbox="media/import-update/device-twin-ppr.png":::
+
+ _This screenshot shows the section where the tag needs to be added in the twin._
+ ## Import the update 1. Go to [Device Update releases](https://github.com/Azure/iot-hub-device-update/releases) in GitHub and select the **Assets** dropdown list. Download `Tutorial_IoTEdge_PackageUpdate.zip` by selecting it. Extract the contents of the folder to discover a sample APT manifest (sample-1.0.2-aziot-edge-apt-manifest.json) and its corresponding import manifest (sample-1.0.2-aziot-edge-importManifest.json).
machine-learning How To Deploy For Real Time Inference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/how-to-deploy-for-real-time-inference.md
If you enable **Application Insights diagnostics** in the UI deploy wizard, or s
| flow_latency | histogram | flow,response_code,streaming,response_type| request execution cost, response_type means whether it's full/firstbyte/lastbyte| | flow_request | counter | flow,response_code,exception,streaming | flow request count | | node_latency | histogram | flow,node,run_status | node execution cost |
-| node_request | counter | flow,node,exception,run_status | node execution failure count |
+| node_request | counter | flow,node,exception,run_status | node execution count |
| rpc_latency | histogram | flow,node,api_call | rpc cost | | rpc_request | counter | flow,node,api_call,exception | rpc count | | flow_streaming_response_duration | histogram | flow | streaming response sending cost, from sending first byte to sending last byte |
machine-learning How To Secure Prompt Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/how-to-secure-prompt-flow.md
When you're developing your LLM application using prompt flow, you may want a se
- Container registry: you may also want to secure your container registry with virtual network. - Endpoint: you may want to limit Azure services or IP address to access your endpoint. - Related Azure Cognitive Services as such Azure OpenAI, Azure content safety and Azure cognitive search, you can use network config to make them as private then using private endpoint to let Azure Machine Learning services communicate with them.
+- Other non Azure resources such as SerpAPI, pinecone etc. If you have strict outbound rule, you need add FQDN rule to access them.
## Secure prompt flow with workspace managed virtual network
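Review bot: the new bullet `- Other non Azure resources such as SerpAPI, pinecone etc. If you have strict outbound rule, you need add FQDN rule to access them.` needs a grammar pass and a bit more precision. Suggest `- Other non-Azure resources such as SerpAPI and Pinecone: if you have a strict outbound rule, you need to add an FQDN rule to reach them.` Because an FQDN rule is an outbound allow-list entry, readers who enabled isolation on purpose will want to know which hostnames each service actually needs (or where that list lives) so they can scope the rule to exactly those hosts rather than guessing from the product name.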
-Workspace managed virtual network is the recommend way to support network isolation in prompt flow. It provides easily configuration to secure your workspace. After you enable managed virtual network in the workspace level, resources related to workspace in the same virtual network, will use the same network setting in the workspace level. You can also configure the workspace to use private endpoint to access other Azure resources such as Azure OpenAI, Azure content safety, and Azure cognitive search. You also can configure FQDN rule to approve outbound to non-Azure resources use by your prompt flow such as OpenAI, Pinecone etc.
+Workspace managed virtual network is the recommended way to support network isolation in prompt flow. It provides easily configuration to secure your workspace. After you enable managed virtual network in the workspace level, resources related to workspace in the same virtual network, will use the same network setting in the workspace level. You can also configure the workspace to use private endpoint to access other Azure resources such as Azure OpenAI, Azure content safety, and Azure cognitive search. You also can configure FQDN rule to approve outbound to non-Azure resources use by your prompt flow such as OpenAI, Pinecone etc.
1. Follow [Workspace managed network isolation](../how-to-managed-network.md) to enable workspace managed virtual network.
Workspace managed virtual network is the recommend way to support network isolat
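Review bot: this hunk fixes `recommend` to `recommended` but leaves two other errors in the same paragraph: `It provides easily configuration` should be `It provides easy configuration`, and `non-Azure resources use by your prompt flow` should be `non-Azure resources used by your prompt flow`. `in the workspace level` also reads better as `at the workspace level` in both places. Worth doing in one pass instead of reopening the paragraph for each typo.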
## Limitations
+- Only public access enable storage account is supported. You can't use private storage account now.
- Workspace hub / lean workspace and AI studio don't support bring your own virtual network. - Managed online endpoint only supports workspace managed virtual network. If you want to use your own virtual network, you may need one workspace for prompt flow authoring with your virtual network and another workspace for prompt flow deployment using managed online endpoint with workspace managed virtual network.
+## FAQ
+
+### Why I can't create or upgrade my flow when I disable public network access of storage account?
+Prompt flow rely on fileshare to store snapshot of flow. Prompt flow didn't support private storage account now. Here are some workarounds you can try:
+- Make the storage account as public access enabled if there is no security concern.
+- If you are only use UI to authoring promptflow, you can add following flights (flight=PromptFlowCodeFirst=false) to use our old UI.
+- You can use our CLI/SDK to authoring promptflow, CLI/SDK authong didn't rely on fileshare. See [Integrate Prompt Flow with LLM-based application DevOps ](how-to-integrate-with-llm-app-devops.md).
+ ## Next steps - [Secure workspace resources](../how-to-secure-workspace-vnet.md)
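Review bot: the first FAQ workaround, `Make the storage account as public access enabled if there is no security concern`, undoes the isolation this article is about and is listed first; move it last, say plainly that it re-exposes the workspace file share over the public endpoint, and lead with the CLI/SDK workaround, which the text itself says does not depend on the file share. The second workaround gives `flight=PromptFlowCodeFirst=false` without saying where it goes (it reads like a query parameter on the studio URL); state where to add it and format it as code. Smaller fixes in the same hunk: the new limitation bullet should read `Only storage accounts with public access enabled are supported; private storage accounts aren't supported yet.`, the FAQ heading should be `Why can't I create or update my flow when I disable public network access on the storage account?`, and `Prompt flow rely on fileshare`, `didn't support`, `If you are only use UI to authoring`, and `CLI/SDK authong didn't rely on fileshare` should become `Prompt flow relies on the file share`, `doesn't support`, `If you only use the UI to author`, and `CLI/SDK authoring doesn't rely on the file share`.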
machine-learning Resource Azure Container For Pytorch https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/resource-azure-container-for-pytorch.md
The following configurations are supported:
| Environment Name | OS | GPU Version| Python Version | PyTorch Version | ORT-training Version | DeepSpeed Version | torch-ort Version | Nebula Version | | | | | | | | | | |
-|acpt-pytorch-2.0-cuda11.7|Ubuntu 20.04|cu117|3.8|2.0|1.15.0|0.9.5 |1.15.0|0.16.2|
-|acpt-pytorch-1.13-cuda11.7|Ubuntu 20.04|cu117|3.8|1.13.1|1.15.0|0.9.5|1.15.0|0.16.2|
-|acpt-pytorch-1.12-py39-cuda11.6|Ubuntu 20.04|cu116|3.9|1.12.1|1.15.0|0.9.5|1.15.0|0.16.2|
-|acpt-pytorch-1.12-cuda11.6|Ubuntu 20.04|cu116|3.8|1.12.1|1.15.0|0.9.5|1.15.0|0.16.2|
-|acpt-pytorch-1.11-cuda11.3|Ubuntu 20.04|cu113|3.8|1.11.0|1.15.0|0.9.5|1.15.0|0.16.2|
+|acpt-pytorch-2.0-cuda11.7|Ubuntu 20.04|cu117|3.8|2.0.1|1.15.1|0.9.5 |1.15.0|0.16.5|
+|acpt-pytorch-1.13-cuda11.7|Ubuntu 20.04|cu117|3.8|1.13.1|1.15.1|0.9.5|1.15.0|0.16.5|
Other packages like fairscale, horovod, msccl, protobuf, pyspark, pytest, pytorch-lightning, tensorboard, NebulaML, torchvision, torchmetrics to support all training needs To learn more, see [Create custom ACPT curated environments](how-to-azure-container-for-pytorch-environment.md).
-> [!NOTE]
-> Currently, due to underlying cuda and cluster incompatibilities, on [NC series](../virtual-machines/nc-series.md) only acpt-pytorch-1.11-cuda11.3 with cuda 11.3 and torch 1.11 can be used.
- ## Support Version updates for supported environments, including the base images they reference, are released every two weeks to address vulnerabilities no older than 30 days. Based on usage, some environments may be deprecated (hidden from the product but usable) to support more common machine learning scenarios.
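Review bot: removing the NC-series note together with the `acpt-pytorch-1.11-cuda11.3` row leaves NC-series users with no guidance at all: the note said only that image worked there because of CUDA and cluster incompatibilities, and now nothing says whether the remaining cu117 images work on NC series or whether NC series is unsupported. Add one sentence either way. Also, since the Support section right below says environment updates ship every two weeks to address vulnerabilities, readers pinned to the three removed environments (`acpt-pytorch-1.12-py39-cuda11.6`, `acpt-pytorch-1.12-cuda11.6`, `acpt-pytorch-1.11-cuda11.3`) should be told those are deprecated and no longer receive those updates, rather than having the rows disappear silently. Minor: the hunk bumps ORT-training from 1.15.0 to 1.15.1 in both remaining rows but leaves torch-ort at 1.15.0; confirm that is intended and not a missed cell.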
managed-grafana How To Authentication Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-authentication-permissions.md
After your workspace has been created, you can still turn on or turn off system-
## Next steps > [!div class="nextstepaction"]
-> [Sync Grafana teams with Azure Active Directory groups](./how-to-sync-teams-with-aad-groups.md)
+> [Sync Grafana teams with Azure Active Directory groups](./how-to-sync-teams-with-azure-ad-groups.md)
managed-grafana How To Sync Teams With Azure Ad Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-sync-teams-with-azure-ad-groups.md
+
+ Title: Sync Grafana teams with Azure Active Directory groups
+description: Learn how to set up Grafana teams using Azure Active Directory groups in Azure Managed Grafana
++++ Last updated : 9/11/2023
+
+
+# Sync Grafana teams with Azure Active Directory groups (preview)
+
+In this guide, you learn how to use Azure Active Directory (Azure AD) groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) (Azure AD group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders).
+
+Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Azure AD. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Azure AD group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with an Azure AD group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Azure AD group.
+
+> [!IMPORTANT]
+> Azure AD group sync is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Set up Azure AD group sync
+
+To use Azure AD group sync, you add a new team to your Grafana workspace and link it to an existing Azure AD group through its group ID. Follow these steps to set up an Azure AD-backed Grafana team.
+
+1. In the Azure portal, open your Grafana instance and select **Configuration** under *Settings*.
+1. Select the **Azure AD Team Sync Settings** tab.
+1. Select **+ Create new Grafana team**.
+
+ :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Azure AD team sync.":::
+
+1. Enter a name for the Grafana team and select **Add**.
+
+ :::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team.":::
+
+1. In **Assign access to**, select the newly created Grafana team.
+1. Select **+ Add an Azure AD Group**.
+
+ :::image type="content" source="media/azure-ad-group-sync/add-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Adding an Azure AD group to Grafana team.":::
+
+1. In the **Select** search box, enter an Azure AD group name.
+1. Select the group name in the search result and **Select**.
+
+ :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting an Azure AD group.":::
+
+1. Repeat the previous three steps to add more Azure AD groups to the Grafana team as appropriate.
+
+ :::image type="content" source="media/azure-ad-group-sync/view-grafana-team.png" alt-text="Screenshot of the Azure portal. Viewing a Grafana team and Azure AD group(s) linked to it.":::
+
+## Remove Azure AD group sync
+
+If you no longer need a Grafana team, follow these steps to delete it, which also removes the link to the Azure AD group.
+
+1. In the Azure portal, open your Azure Managed Grafana workspace.
+1. Select **Administration > Teams**.
+1. Select the **X** button to the right of a team you're deleting.
+
+ :::image type="content" source="media/azure-ad-group-sync/remove-azure-ad-group-sync.png" alt-text="Screenshot of the Grafana platform. Removing a Grafana team.":::
+
+1. Select **Delete** to confirm.
+
+## Next steps
+
+In this how-to guide, you learned how to set up Grafana teams backed by Azure AD groups. To learn how to use teams to control access to dashboards in your workspace, see [Manage dashboard permissions](https://grafana.com/docs/grafana/latest/administration/user-management/manage-dashboard-permissions/).
+
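Review bot: the removal section only covers deleting a whole team, while the setup section describes adding several Azure AD groups to one team; there is no step for unlinking a single group from a team without deleting it. Teams are also created in the Azure portal's `Azure AD Team Sync Settings` tab but deleted from Grafana's `Administration > Teams` page, so say whether the portal view reflects a delete done in Grafana or whether removal should be done in the portal as well. Two smaller points: the `granular permission model` link in the intro points at the same configure-team-sync URL as the Team Sync link just before it and almost certainly meant the manage-dashboard-permissions page used under Next steps; and since the intro explains that RBAC assignments reach Grafana only when a user signs in, the group sync section should state when a change in Azure AD group membership takes effect (next sign-in, or on a schedule), because that is exactly what a reader using group membership as a dashboard access control needs to know.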
migrate Concepts Assessment Calculation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/concepts-assessment-calculation.md
ms. Previously updated : 08/02/2023- Last updated : 08/29/2023+ # Assessment overview (migrate to Azure VMs)
Here's what's included in an Azure VM assessment:
| **Target location** | The location to which you want to migrate. The assessment currently supports these target Azure regions:<br><br> Australia Central, Australia Central 2, Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, China East, China East 2, China North, China North 2, East Asia, East US, East US 2, France Central, France South, Germany North, Germany West Central, Japan East, Japan West, Korea Central, Korea South, North Central US, North Europe, Norway East, Norway West, South Africa North, South Africa West, South Central US, Southeast Asia, South India, Switzerland North, Switzerland West, UAE Central, UAE North, UK South, UK West, West Central US, West Europe, West India, West US, West US 2, JioIndiaCentral, JioIndiaWest, US Gov Arizona, US Gov Iowa, US Gov Texas, US Gov Virginia. **Target storage disk (as-is sizing)** | The type of disk to use for storage in Azure. <br><br> Specify the target storage disk as Premium-managed, Standard SSD-managed, Standard HDD-managed, or Ultra disk.
-**Target storage disk (performance-based sizing)** | Specifies the type of target storage disk as automatic, Premium-managed, Standard HDD-managed, Standard SSD-managed, or Ultra disk.<br><br> **Automatic**: The disk recommendation is based on the performance data of the disks, meaning the IOPS and throughput.<br><br>**Premium or Standard or Ultra disk**: The assessment recommends a disk SKU within the storage type selected.<br><br> If you want a single-instance VM service-level agreement (SLA) of 99.9%, consider using Premium-managed disks. This use ensures that all disks in the assessment are recommended as Premium-managed disks.<br><br> If you're looking to run data-intensive workloads that need high throughput, high IOPS, and consistent low latency disk storage, consider using Ultra disks.<br><br> Azure Migrate supports only managed disks for migration assessment.
-**Savings options (compute)** | Specify the savings option that you want the assessment to consider to help optimize your Azure compute cost. <br><br> [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (1 year or 3 year reserved) are a good option for the most consistently running resources.<br><br> [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (1 year or 3 year savings plan) provide additional flexibility and automated cost optimization. Ideally post migration, you could use Azure reservation and savings plan at the same time (reservation will be consumed first), but in the Azure Migrate assessments, you can only see cost estimates of 1 savings option at a time. <br><br> When you select 'None', the Azure compute cost is based on the Pay as you go rate or based on actual usage.<br><br> You need to select pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than 'None', the 'Discount (%)' and 'VM uptime' properties are not applicable.The monthly cost estimates are calculated by multiplying 744 hours in the VM uptime field with the hourly price of the recommended SKU.
+**Target storage disk (performance-based sizing)** | Specifies the type of target storage disk as Premium-managed, Standard HDD-managed, Standard SSD-managed, or Ultra disk.<br><br> **Premium or Standard or Ultra disk**: The assessment recommends a disk SKU within the storage type selected.<br><br> If you want a single-instance VM service-level agreement (SLA) of 99.9%, consider using Premium-managed disks. This use ensures that all disks in the assessment are recommended as Premium-managed disks.<br><br> If you're looking to run data-intensive workloads that need high throughput, high IOPS, and consistent low latency disk storage, consider using Ultra disks.<br><br> Azure Migrate supports only managed disks for migration assessment.
+**Savings options (compute)** | Specify the savings option that you want the assessment to consider to help optimize your Azure compute cost. <br><br> [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (1 year or 3 year reserved) are a good option for the most consistently running resources.<br><br> [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (1 year or 3 year savings plan) provide additional flexibility and automated cost optimization. Ideally post migration, you could use Azure reservation and savings plan at the same time (reservation will be consumed first), but in the Azure Migrate assessments, you can only see cost estimates of 1 savings option at a time. <br><br> When you select 'None', the Azure compute cost is based on the Pay as you go rate or based on actual usage.<br><br> You need to select pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than 'None', the 'Discount (%)' and 'VM uptime' properties are not applicable. The monthly cost estimates are calculated by multiplying 744 hours in the VM uptime field with the hourly price of the recommended SKU.
**Sizing criteria** | Used to rightsize the Azure VM.<br><br> Use as-is sizing or performance-based sizing. **Performance history** | Used with performance-based sizing. Performance history specifies the duration used when performance data is evaluated. **Percentile utilization** | Used with performance-based sizing. Percentile utilization specifies the percentile value of the performance sample used for rightsizing.
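Review bot: with `Automatic` removed from the performance-based sizing row, the remaining `**Premium or Standard or Ultra disk**:` sub-bullet is now the only option and no longer needs a bold lead-in; fold it into the first sentence (`... Premium-managed, Standard HDD-managed, Standard SSD-managed, or Ultra disk. The assessment recommends a disk SKU within the storage type selected.`). The other change in this hunk, the missing space after `not applicable.`, is fine.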
For storage sizing in an Azure VM assessment, Azure Migrate tries to map each di
1. Assessment adds the read and write IOPS of a disk to get the total IOPS required. Similarly, it adds the read and write throughput values to get the total throughput of each disk. In the case of import-based assessments, you have the option to provide the total IOPS, total throughput and total no. of disks in the imported file without specifying individual disk settings. If you do this, individual disk sizing is skipped and the supplied data is used directly to compute sizing, and select an appropriate VM SKU.
-1. If you've specified the storage type as automatic, the selected type is based on the effective IOPS and throughput values. The Assessment determines whether to map the disk to a Standard HDD, Standard SSD, Premium disk, or Ultra disk in Azure. If the storage type is set to one of those disk types, the assessment tries to find a disk SKU within the storage type selected.
1. Disks are selected as follows: - If assessment can't find a disk with the required IOPS and throughput, it marks the server as unsuitable for Azure. - If assessment finds a set of suitable disks, it selects the disks that support the location specified in the assessment settings.
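Review bot: deleting the whole `automatic` step also drops its last sentence, `If the storage type is set to one of those disk types, the assessment tries to find a disk SKU within the storage type selected.`, which was the only place in the numbered steps that says sizing is constrained to the chosen storage type. Keep that sentence, either as its own step or folded into `Disks are selected as follows`; otherwise the steps jump from summing IOPS and throughput straight to `If assessment can't find a disk ...` without saying which set of disks is searched.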
Costs are displayed in the currency specified in the assessment settings.
- Learn about running assessments for servers running in [VMware](./tutorial-discover-vmware.md) and [Hyper-V ](./tutorial-discover-hyper-v.md) environment, and [physical servers](./tutorial-discover-physical.md). - Learn about assessing servers [imported with a CSV file](./tutorial-discover-import.md).-- Learn about setting up [dependency visualization](concepts-dependency-visualization.md).
+- Learn about setting up [dependency visualization](concepts-dependency-visualization.md).
migrate Troubleshoot Assessment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-assessment.md
This article helps you troubleshoot issues with assessment and dependency visualization with [Azure Migrate: Discovery and assessment](migrate-services-overview.md#azure-migrate-discovery-and-assessment-tool).
+## Common assessment errors
+
+Assessment service uses the [configuration data](discovered-metadata.md) and the [performance data](concepts-assessment-calculation.md#how-does-the-appliance-calculate-performance-data) for calculating the assessments. The data is fetched by the Azure Migrate appliance at specific intervals in case of appliance-based discovery and assessments.
+The following table summarizes the errors encountered while fetching the data by the assessment service.
+
+**Error** | **Cause** | **Action**
+ | |
+60001:UnableToConnectToPhysicalServer | Either the prerequisites to connect to the server have not been met or there are network issues in connecting to the server, for instance some proxy settings. | - Ensure that the server meets the prerequisites and port access requirements. <br/><br/> - Add the IP addresses of the remote machines (discovered servers) to the WinRM TrustedHosts list on the Azure Migrate appliance and retry the operation. This is to allow remote inbound connections on servers: *Windows: WinRM port 5985 (HTTP) and Linux: SSH port 22 (TCP)*. <br/><br/> - Ensure that you have chosen the correct authentication method on the appliance to connect to the server. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).
+60002: InvalidServerCredentials | Unable to connect to server due to incorrect credentials on the appliance, or the credentials previously provided have expired or the server credentials have changed. | - Ensure that you have provided the correct credentials for the server on the appliance. You can check that by trying to connect to the server using those credentials. <br/><br/> - If the credentials added are incorrect or have expired, edit the credentials on the appliance and revalidate the added servers. If the validation succeeds, the issue is resolved. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).
+60004: NoPerfDataAvailableForServers | The appliance is unable to fetch the required performance data from the server due to network issues or the credentials provided on the appliance do not have enough permissions to fetch the metadata. | - Ensure that the server is accessible from the appliance. <br/><br/> - Ensure that the guest credentials provided on the appliance have [required permissions](migrate-support-matrix-physical.md#physical-server-requirements). <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).
+60005: SSHOperationTimeout | The operation took longer than expected either due to network latency issues or due to the lack of latest updates on Linux server.| - Ensure that the impacted server has the latest kernel and OS updates installed. <br/><br/> - Ensure that there is no network latency between the appliance and the server. It is recommended to have the appliance and source server on the same domain to avoid latency issues.<br/><br/> - Connect to the impacted server from the appliance and run the commands documented here to check if they return null or empty data. <br/><br/> - If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager).
+60006: ServerAccessDenied | The operation could not be completed due to forbidden access on the server. The guest credentials provided do not have enough permissions to access the servers. |
+60011: ServerWindowsWMICallFailed | WMI call failed due to WMI service failure. This might be a transient error, if the server is unreachable due to network issue or in case of physical sever the server might be switched off. | - Please ensure WinRM is running and the server is reachable from the appliance VM. <br/><br/> - Ensure that the server is switched on.<br/><br/> - For troubleshooting with physical servers, follow the [instructions](migrate-support-matrix-physical.md#physical-server-requirements).<br/><br/> - If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager).
+10004: CredentialNotProvidedForGuestOSType | The credentials for the server OS type weren't added on the appliance. | - Ensure that you add the credentials for the OS type of the affected server on the appliance.<br/><br/> - You can now add multiple server credentials on the appliance.
+751: Unable to connect to Server | Unable to connect to the server due to connectivity issues. | Resolve the connectivity issue mentioned in the error message.
+754: Performance Data not available | Azure Migrate is unable to collect performance data if the vCentre is not configured to give out the performance data | Configure the statistics level on VCentre server to 3 to make the performance data available. Wait for a day before running the assessment for the data to populate.
+757: Virtual Machine not found | The Azure Migrate service is unable to locate the specified virtual machine. This may occur if the virtual machine has been deleted by the administrator on the VMware environment.| Please verify that the virtual machine still exists in the VMware environment.
+758: Request timeout while fetching Performance data | Azure Migrate assessment service is unable to retrieve performance data. This could happen if the vCenter server is not reachable. | - Please verify the vCenter server credentials are correct.<br/><br/> - Ensure that the server is reachable before attempting to retrieve performance data again.<br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).
+760: Unable to get Performance counters | Azure Migrate assessment service is unable to retrieve performance counters. This can happen due to multiple reasons. Check the error message to find the exact reason.| - Ensure that you resolve the error flagged in the error message.<br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).
+8002: Virtual Machine could not be found | Azure Migrate discovery service could not find the virtual machine. This could happen if the virtual machine is deleted or its UUID has changed. | - Ensure that the on-premises virtual machine exists and then restart the job. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).
+9003: Operating system type running on the server isn't supported. | The operating system running on the server isn't Windows or Linux. | Only Windows and Linux OS types are supported. If the server is running Windows or Linux OS, check the operating system type specified in vCenter Server.
+9004: Server isn't in a running state. | The server is in a powered-off state. | Ensure that the server is in a running state.
+9010: The server is powered off. | The server is in a powered-off state. | Ensure that the server is in a running state.
+9014: Unable to retrieve the file containing the discovered metadata because of an error encountered on the ESXi host | The error details will be mentioned with the error.| Ensure that port 443 is open on the ESXi host on which the server is running. Learn more on how to remediate the issue.
+9015: The vCenter Server user account provided for server discovery doesn't have guest operations privileges enabled. | The required privileges of guest operations haven't been enabled on the vCenter Server user account. | Ensure that the vCenter Server user account has privileges enabled for **Virtual Machines** > **Guest Operations** to interact with the server and pull the required data. [Learn more](troubleshoot-discovery.md#error-9014-httpgetrequesttoretrievefilefailed) on how to set up the vCenter Server account with required privileges.
+9022: The access is denied to run the Get-WmiObject cmdlet on the server. | The role associated with the credentials provided on the appliance or a group policy on-premises is restricting access to the WMI object. You encounter this issue when you try the following credentials on the server: `FriendlyNameOfCredentials`. | Check if the credentials provided on the appliance have created file administrator privileges and have WMI enabled.<br/><br/> If the credentials on the appliance don't have the required permissions, either provide another set of credentials or edit an existing one. (Find the friendly name of the credentials tried by Azure Migrate in the possible causes.) <br/><br/> [Learn more](tutorial-discover-vmware.md#prepare-vmware) on how to remediate the issue.
++ ## Azure VM assessment readiness issues This table lists help for fixing the following assessment readiness issues.
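Review bot: the 60001 action conflates two different things. Adding the discovered servers' IPs to the WinRM `TrustedHosts` list is a client-side setting on the appliance (which hosts the appliance will authenticate to with non-Kerberos auth), while `allow remote inbound connections on servers: Windows: WinRM port 5985 (HTTP) and Linux: SSH port 22 (TCP)` is firewall configuration on the targets, and TrustedHosts has nothing to do with SSH. Split these into two bullets: open the ports on the servers; on the appliance, add the specific server IPs (not a wildcard) to TrustedHosts for Windows targets. Other gaps in the table: 60005's `run the commands documented here` has no link; 60006 has an empty Action cell; 9014's `Learn more on how to remediate the issue` has no link; 9015's `Learn more` points at the anchor `#error-9014-httpgetrequesttoretrievefilefailed`, which is the 9014 error, not 9015; 9022's `created file administrator privileges` looks garbled (local administrator?); 9004 and 9010 give identical cause and action, so say what distinguishes them; and 754 spells `vCentre`/`VCentre` where the rest of the table uses `vCenter`.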
migrate Tutorial Assess Vmware Azure Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-vmware-azure-vm.md
ms. Previously updated : 08/24/2023 Last updated : 09/13/2023 #Customer intent: As a VMware VM admin, I want to assess my VMware VMs in preparation for migration to Azure.
To view an assessment:
- The Azure readiness graph displays the status of the VM. - The Supportability section displays the distribution by OS license support status and the distribution by Windows Server version. - The Savings option section displays the estimated savings on moving to Azure.
-
+ ### Review readiness 1. Select **Azure readiness**.
Confidence ratings are as follows.
[Learn more](concepts-assessment-calculation.md#confidence-ratings-performance-based) about confidence ratings.
+### Review issues
+
+In the Assessment report, you can see a list of errors if there are any issues faced by the assessment service for any VM. To troubleshoot the issues, select **Details** in the **Issues** column to view errors corresponding to a VM. A context pane will open with detailed information about the errors. Use this information to resolve the issues.
+
+![Screenshot of issue details.](./media/tutorial-assess-vmware-azure-vm/issue-details.png)
+ ## Next steps - Find server dependencies using [dependency mapping](concepts-dependency-visualization.md).
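Review bot: as rendered here, `### Review readiness` and the step `1. Select **Azure readiness**.` share a line; confirm the heading sits on its own line in the source. In the new Review issues paragraph, "you can see a list of errors if there are any issues faced by the assessment service for any VM" is wordy; "the report lists any errors the assessment service encountered for a VM" says the same, and "A context pane will open" should be present tense ("opens") to match the rest of the tutorial.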
mysql Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/whats-new.md
Azure Database for MySQL - Flexible server now supports Universal Read Replicas
- **Private Link for Azure Database for MySQL - Flexible Server (General Availability)** You can now enable private endpoints to provide a secure means to access Azure Database for MySQL Flexible Server via a Private Link, allowing both public and private access simultaneously. If necessary, you have the choice to restrict public access, ensuring that connections are exclusively routed through private endpoints for heightened network security. It's also possible to configure or update Private Link settings either during or after the creation of the server. [Learn more](./concepts-networking-private-link.md).
+- **Azure MySQL Import Smart Defaults for Azure Database for MySQL - Single to Flexible Server migration (Public Preview)**
+You can now migrate an Azure Database for MySQL Single Server to an Azure Database for MySQL Flexible Server by running a single CLI command with minimal inputs as the command leverages smart defaults for target Flexible Server provisioning based on the source server SKU and properties! [Learn more](../migrate/migrate-single-flexible-mysql-import-cli.md)
+
+- **Nominate eligible Azure DB for MySQL Single Server instance for in-place automigration to Flexible Server**
+If you own a Azure DB for MySQL Single Server workload with Basic or GP SKU, data storage used < 10 GiB and no complex features (CMK, AAD, Read Replica, Private Link) enabled, you can now nominate yourself (if not already scheduled by the service) for in-place automigration to Flexible Server by submitting your server details through this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4lhLelkCklCuumNujnaQ-ZUQzRKSVBBV0VXTFRMSDFKSUtLUDlaNTA5Wi4u)
+ ## August 2023 - **Universal Geo Restore in Azure Database for MySQL - Flexible Server (Public Preview)**
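Review bot: in the Azure MySQL Import bullet, drop the exclamation mark after "properties" and end the sentence after the Learn more link with a period; "leverages" can simply be "uses". In the automigration bullet, "a Azure DB for MySQL Single Server" should be "an Azure Database for MySQL Single Server", "nominate yourself" should be "nominate your server", and the form-link sentence also lacks a terminal period. The eligibility criteria restated here (Basic or GP SKU, < 10 GiB used, no CMK, AAD, Read Replica or Private Link) duplicate the note in migrate-single-flexible-in-place-auto-migration.md from this same batch; link to that article instead of repeating the list so the two copies don't drift.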
mysql Migrate Single Flexible In Place Auto Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/migrate/migrate-single-flexible-in-place-auto-migration.md
The in-place migration provides a highly resilient and self-healing offline migr
* **Target Flexible Server is deployed**, inheriting all feature set and properties (including server parameters and firewall rules) from source Single Server. Source Single Server is set to read-only and backup from source Single Server is copied to the target Flexible Server. * **DNS switch and cutover** are performed successfully within the planned maintenance window with minimal downtime, allowing maintenance of the same connection string post-migration. Client applications seamlessly connect to the target flexible server without any user driven manual updates. In addition to both connection string formats (Single and Flexible Server) being supported on migrated Flexible Server, both username formats ΓÇô username@server_name and username are also supported on the migrated Flexible Server.
-* The **migrated Flexible Server is online** and can now be managed via Azure portal/CLI. Stopped Single Server is deleted post days set as it's Backup Retention Period.
+* The **migrated Flexible Server is online** and can now be managed via Azure portal/CLI. Stopped Single Server is deleted 7 days after the migration.
> [!NOTE] > In-place migration is only for Single Server database workloads with Basic or GP SKU, data storage used < 10 GiB and no complex features (CMK, AAD, Read Replica, Private Link) enabled. All other Single Server workloads are recommended to use user-initiated migration tooling offered by Azure - Azure DMS, Azure MySQL Import to migrate.
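Review bot: the new sentence "Stopped Single Server is deleted 7 days after the migration." replaces a rule tied to the backup retention period with a fixed 7 days; say explicitly that the 7 days applies regardless of the backup retention configured on the source server, otherwise readers with longer retention will assume the old behaviour still holds. Write "The stopped Single Server" for grammar. In the context line above, the two username formats are separated by the mojibake sequence `ΓÇô` where an en dash was intended; check the source file's encoding.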
network-watcher Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/data-residency.md
In Azure, single region data residency is currently provided by default only in
## Next steps
-To learn more about Network Watcher features and capabilities, see [Network Watcher overview](./network-watcher-monitoring-overview.md).
+To learn more about Network Watcher features and capabilities, see [What is Azure Network Watcher?](network-watcher-overview.md)
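Review bot: the replacement sentence drops the terminal period that the removed sentence had; add a period after the link.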
network-watcher Diagnose Network Security Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-network-security-rules.md
az group delete --name 'myResourceGroup' --yes --no-wait
## Next steps-- To learn about other Network Watcher tools, see [Azure Network Watcher overview](network-watcher-monitoring-overview.md).
+- To learn about other Network Watcher tools, see [What is Azure Network Watcher?](network-watcher-overview.md)
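Review bot: the replacement bullet drops its terminal period while the sibling bullet on the next line keeps one; add a period after the link.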
- To learn how to troubleshoot virtual machine routing problems, see [Diagnose a virtual machine network routing problem](diagnose-vm-network-routing-problem.md).
network-watcher Diagnose Vm Network Routing Problem Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-vm-network-routing-problem-cli.md
az group delete --name myResourceGroup --yes
In this article, you created a VM and diagnosed network routing from the VM. You learned that Azure creates several default routes and tested routing to two different destinations. Learn more about [routing in Azure](../virtual-network/virtual-networks-udr-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and how to [create custom routes](../virtual-network/manage-route-table.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#create-a-route).
-For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL, over time using the Network Watcher connection monitor capability. To learn how, see [Monitor a network connection](connection-monitor.md).
+For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md).
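Review bot: the edit removes the comma after "URL" ("such as an IP address or URL over time"), leaving the parenthetical "such as an IP address or URL" unclosed; restore the comma. The link target changes from connection-monitor.md to monitor-vm-communication.md while the link text stays "Monitor a network connection"; confirm that text matches the new article's title, since the rest of this batch updates link text to match target page titles.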
network-watcher Diagnose Vm Network Routing Problem Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-vm-network-routing-problem-powershell.md
Remove-AzResourceGroup -Name myResourceGroup -Force
In this article, you created a VM and diagnosed network routing from the VM. You learned that Azure creates several default routes and tested routing to two different destinations. Learn more about [routing in Azure](../virtual-network/virtual-networks-udr-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and how to [create custom routes](../virtual-network/manage-route-table.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#create-a-route).
-For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-powershell.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL, over time using the Network Watcher connection monitor capability. To learn how, see [Monitor a network connection](connection-monitor.md).
+For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-powershell.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md).
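Review bot: same two issues as in the CLI variant of this article: the comma closing "such as an IP address or URL" is dropped, and the link text "Monitor a network connection" should be checked against the title of monitor-vm-communication.md.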
network-watcher Diagnose Vm Network Routing Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-vm-network-routing-problem.md
For outbound VM connections, you can use Network Watcher [connection troubleshoo
To learn how to monitor communication between two virtual machines, advance to the next tutorial. > [!div class="nextstepaction"]
-> [Monitor a network connection](connection-monitor.md)
+> [Monitor a network connection](monitor-vm-communication.md)
network-watcher Network Watcher Security Group View Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-security-group-view-overview.md
You can select a rule to see associated source and destination prefixes.
### Next steps -- To learn about Network Watcher, see [What is Azure Network Watcher?](network-watcher-monitoring-overview.md)
+- To learn about Network Watcher, see [What is Azure Network Watcher?](network-watcher-overview.md)
- To learn how traffic is evaluated with network security groups, see [How network security groups work](../virtual-network/network-security-group-how-it-works.md).
network-watcher Resource Move https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/resource-move.md
The Network Watcher resource represents the backend service for Network Watcher
Moving resources across regions is currently not supported for any child resource of the `networkWatcher` resource type. ## Next Steps
-* For more information about Network Watcher, see the [Network Watcher overview](./network-watcher-monitoring-overview.md).
-* For answers to the frequently asked questions, see the [Network Watcher FAQ](./frequently-asked-questions.yml).
+* For more information about Network Watcher, see [What is Azure Network Watcher?](network-watcher-overview.md)
+* For answers to the frequently asked questions, see [Network Watcher FAQ](frequently-asked-questions.yml).
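Review bot: both replacement bullets drop the terminal periods the removed bullets had; add them. The heading in the context line reads `## Next Steps` while the other Network Watcher articles in this batch use `## Next steps`; align the capitalization while touching this section.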
postgresql Concepts Connection Pooling Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-connection-pooling-best-practices.md
Although there are different tools for connection pooling, in this section, we d
**PgBouncer** is an efficient connection pooler designed for PostgreSQL, offering the advantage of reducing processing time and optimizing resource usage in managing multiple client connections to one or more databases. **PgBouncer** incorporates three distinct pooling mode for connection rotation: -- **Session pooling:** This method assigns a server connection to the client application for the entire duration of the client's connection. Upon disconnection of the client application, **PgBouncer** promptly returns the server connection back to the pool. This pooling mechanism is the default setting. (Note: It isn't recommended in most of the cases and don't give any performance benefits over classic connections).-- **Transaction pooling:** With transaction pooling, a server connection is dedicated to the client application during a transaction. Once the transaction is successfully completed, **PgBouncer** intelligently releases the server connection, making it available again within the pool. Transaction pooling is the default mode in Flexible server, and it does not support prepared transactions.
+- **Session pooling:** This method assigns a server connection to the client application for the entire duration of the client's connection. Upon disconnection of the client application, **PgBouncer** promptly returns the server connection back to the pool. Session pooling mechanism is the default mode in Open Source PgBouncer. See [PgBouncer configuration](https://www.pgbouncer.org/config.html)
+- **Transaction pooling:** With transaction pooling, a server connection is dedicated to the client application during a transaction. Once the transaction is successfully completed, **PgBouncer** intelligently releases the server connection, making it available again within the pool. Transaction pooling is the default mode in Azure PostgreSQL Flexible Server's in-built PgBouncer, and it does not support prepared transactions.
- **Statement pooling:** In statement pooling, a server connection is allocated to the client application for each individual statement. Upon the statement's completion, the server connection is promptly returned to the connection pool. It's important to note that multi-statement transactions are not supported in this mode. The effective utilization of PgBouncer can be categorized into three distinct usage patterns.
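Review bot: in the Session pooling bullet, "Session pooling mechanism is the default mode in Open Source PgBouncer" should read "Session pooling is the default mode in open-source PgBouncer", and the "See [PgBouncer configuration](...)" sentence needs a terminal period. In the Transaction pooling bullet, "Azure PostgreSQL Flexible Server's in-built PgBouncer" should use the product name used elsewhere in this article ("Azure Database for PostgreSQL - Flexible Server") and "built-in" rather than "in-built". Now that the default differs between open-source and built-in PgBouncer, add one sentence telling readers to check which mode their deployment runs, and clarify whether "does not support prepared transactions" means two-phase `PREPARE TRANSACTION` only or also session-scoped state such as prepared statements and `SET`, because applications relying on either break under transaction pooling and readers conflate the two.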
By considering PgBouncer as an AKS sidecar, you can use these advantages to enha
**Limitations:** -- **Connection Performance Issues:** Largehund-scale applications that utilize thousands of pods, each running sidecar PgBouncer, may encounter potential challenges related to database connection exhaustion. This situation can result in performance degradation and service disruptions. Deploying a sidecar PgBouncer for each pod increases the number of concurrent connections to the database server, which can exceed its capacity. As a result, the database may struggle to handle the high volume of incoming connections, may lead to performance issues such as increased response times or even service outages.
+- **Connection Performance Issues:** Large-scale applications that utilize thousands of pods, each running sidecar PgBouncer, may encounter potential challenges related to database connection exhaustion. This situation can result in performance degradation and service disruptions. Deploying a sidecar PgBouncer for each pod increases the number of concurrent connections to the database server, which can exceed its capacity. As a result, the database may struggle to handle the high volume of incoming connections, may lead to performance issues such as increased response times or even service outages.
- **Complex Deployment:** The utilization of the sidecar pattern introduces a level of complexity to the deployment process, as it involves running two containers within the same pod. This can potentially complicate troubleshooting and debugging activities, requiring extra effort to identify and resolve issues.-- **Scaling Challenges:** Moreover, it's important to note that the sidecar pattern may not be the ideal choice for applications that demand high scalability. The inclusion of a sidecar container can impose more resource requirements, potentially limiting the number of pods that can be effectively created and managed.
+- **Scaling Challenges:** It's important to note that the sidecar pattern may not be the ideal choice for applications that demand high scalability. The inclusion of a sidecar container can impose more resource requirements, potentially limiting the number of pods that can be effectively created and managed.
While considering this sidecar pattern, it's crucial to carefully assess the trade-offs between deployment complexity and scalability requirements to determine the most appropriate approach for your specific application scenario.
-## 2. Application independent - centralized PgBouncer deployment
+## 2. Application independent - Centralized PgBouncer deployment
When utilizing this approach, PgBouncer is deployed as a centralized service, independent of the application. The PgBouncer service can be deployed either on traditional virtual machines or within a microservices-based architecture as highlighted:
-### I. PgBouncer deployed in ubuntu VM
+### I. PgBouncer deployed in ubuntu VM behind Azure Load Balancer
-**PgBouncer** connection proxy is set up between the application and database layer as shown in the image. Since Azure Database for PostgreSQL is a fully managed platform service, user won't be able to install any external services on DB server. In this case, if your application is running on an Azure VM, you can set up **PgBouncer** on the same VM. If the application is running on a managed service like Azure App Services or Azure Functions, you need to provision a separate Ubuntu VM to run **PgBouncer** proxy.
+**PgBouncer** connection proxy is set up between the application and database layer behind a Azure Load Balancer as shown in the image. In this pattern multiple PgBouncer instances are deployed behind a load balancer as a service to mitigate single point of failure.This pattern is also suitable in scenarios where the application is running on a managed service like Azure App Services or Azure Functions and connecting to **PgBouncer** service for easy integration with your existing infrastructure.
Refer [link](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/steps-to-install-and-setup-pgbouncer-connection-pooling-proxy/ba-p/730555) to install and set up PgBouncer connection pooling proxy with Azure Database for PostgreSQL. - :::image type="content" source="./media/concepts-connection-pooling-best-practices/deploying-vm.png" alt-text="Diagram for App co-location on Vm with Load Balancer."::: Some of the key benefits & limitations of this deployment method are: **Benefits:**
+- **Removing Single Point of Failure:** Application connectivity may not be affected by the failure of a single PgBouncer VM, as there are several PgBouncer instances behind Azure Load Balancer.
- **Seamless Integration with Managed - **Simplified Setup on Azure VM:** If you're already running your application on an Azure VM, setting up PgBouncer on the same VM is straightforward. deploying the PgBouncer in VM ensures that PgBouncer is deployed in close proximity to your application, minimizing network latency and maximizing performance. - **Non-Intrusive Configuration:** By deploying PgBouncer on a VM, you can avoid modifying server parameters on Azure PostgreSQL. This is useful when you want to configure PgBouncer on a flexible server. For example, changing the SSLMODE parameter to "required" on Azure PostgreSQL might cause certain applications that rely on SSLMODE=FALSE to fail. Deploying PgBouncer on a separate VM allows you to maintain the default server configuration while still using PgBouncer's benefits.
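Review bot: the new heading and paragraph describe several PgBouncer instances behind Azure Load Balancer, but the Benefits list that follows still contains "Simplified Setup on Azure VM: If you're already running your application on an Azure VM, setting up PgBouncer on the same VM is straightforward", which describes the single-VM co-location pattern the removed paragraph covered; drop or reword that bullet, and the "Seamless Integration with Managed" bullet is cut off mid-sentence. In the new paragraph, "behind a Azure Load Balancer" should be "behind an Azure Load Balancer", "failure.This" needs a space, and "ubuntu" in the heading should be "Ubuntu". The "Non-Intrusive Configuration" bullet presents keeping applications on SSLMODE=FALSE as a benefit of the VM deployment; since that leaves the application-to-PgBouncer hop unencrypted and keeps the server from requiring TLS, say plainly that this is a compatibility workaround and that the recommended configuration still uses TLS on both hops. Minor: "may lead to performance issues" in the sidecar Limitations still lacks its subject ("which may lead to"), and "Application connectivity may not be affected by the failure of a single PgBouncer VM" should be stated positively ("isn't affected ... because there are several instances behind the load balancer").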
By considering these benefits, deploying PgBouncer on a VM offers a convenient a
**Limitations:** -- **Single point of failure:** As **PgBouncer** is configured on standalone VM, connection pooling might not work if the VM is unavailable. This may result in errors in application connectivity. - **Management overhead:** As **PgBouncer** is installed in VM, there might be management overhead to manage multiple configuration files. This makes it difficult to cope up with version upgrades, new releases, and product updates. - **Feature parity:** If you're migrating from traditional PostgreSQL to Azure PostgreSQL and using **PgBouncer**, there might be some features gaps. For example, lack of md5 support in Azure PostgreSQL.
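Review bot: if the "Single point of failure" limitation is being removed because of the new load-balanced pattern, the remaining "Management overhead" bullet should say "installed on VMs" (plural) and "cope up with" should be "keep up with". The "Feature parity" bullet cites "lack of md5 support in Azure PostgreSQL" only as a gap; since md5 password authentication is the legacy method, the text should also name the authentication method readers are expected to configure in PgBouncer instead, so the bullet reads as guidance rather than a bare caveat.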
private-5g-core Enable Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/enable-azure-active-directory.md
If your deployment contains multiple sites, you can use the same two redirect UR
|||| | **Tenant ID** | In the Azure portal, search for Azure Active Directory. You can find the **Tenant ID** field in the Overview page. | `tenant_id` | | **Application (client) ID** | Navigate to the new local monitoring app registration you just created. You can find the **Application (client) ID** field in the Overview page, under the **Essentials** heading. | `client_id` |
- | **Authorization URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 authorization endpoint (v2)** field. | `auth_url` |
- | **Token URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 token endpoint (v2)** field. | `token_url` |
+ | **Authorization URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 authorization endpoint (v2)** field. <br /><br /> **Note:** <br />If the string contains `organizations`, replace `organizations` with the Tenant ID value. For example, <br />`https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize`<br /> becomes <br />`https://login.microsoftonline.com/72f998bf-86f1-31af-91ab-2d7cd001db56/oauth2/v2.0/authorize`. | `auth_url` |
+ | **Token URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 token endpoint (v2)** field. <br /><br /> **Note:** <br />If the string contains `organizations`, replace `organizations` with the Tenant ID value. For example, <br />`https://login.microsoftonline.com/organizations/oauth2/v2.0/token`<br /> becomes <br />`https://login.microsoftonline.com/72f998bf-86f1-31af-91ab-2d7cd001db56/oauth2/v2.0/token`. | `token_url` |
| **Client secret** | You collected this when creating the client secret in the previous step. | `client_secret` | | **Distributed tracing redirect URI root** | Make a note of the following part of the redirect URI: **https://*\<local monitoring domain\>***. | `redirect_uri_root` | | **Packet core dashboards redirect URI root** | Make a note of the following part of the packet core dashboards redirect URI: **https://*\<local monitoring domain\>*/grafana**. | `root_url` |
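Review bot: the identical Note block is pasted into both the Authorization URL and Token URL rows; a single note under the table ("For both URLs, if the path contains `organizations`, replace it with your Tenant ID") avoids the two copies drifting. The note should also say why the replacement matters: `organizations` is the multi-tenant authority, so leaving it in place lets users from any Microsoft Entra tenant reach the sign-in flow and relies on the application to reject tokens from other tenants, whereas the tenant-specific URL pins sign-in to your own tenant. Finally, label the example `72f998bf-86f1-31af-91ab-2d7cd001db56` explicitly as a placeholder so readers don't copy it verbatim.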
security Secure Dev Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/secure-dev-overview.md
applications and to help secure your applications on Azure:
[Microsoft Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) (SDL) - The SDL is a software development process from Microsoft that helps developers build more secure software. It helps you address security compliance requirements while reducing development costs.
-[Open Web Application Security Project](https://www.owasp.org/) (OWASP) - OWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
+[Open Worldwide Application Security Project](https://www.owasp.org/) (OWASP) - OWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
[Pushing Left, Like a Boss](https://wehackpurple.com/pushing-left-like-a-boss-part-1/) - A series of online articles that outline different types of application security activities that developers should complete to create more secure code.
service-bus-messaging Monitor Service Bus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/monitor-service-bus.md
For a detailed reference of the logs and metrics, see [Azure Service Bus monitor
Following are sample queries that you can use to help you monitor your Azure Service Bus resources:
+### [AzureDiagnostics](#tab/AzureDiagnostics)
+ + Get management operations in the last 7 days.
- ```Kusto
+ ```kusto
AzureDiagnostics | where TimeGenerated > ago(7d) | where ResourceProvider =="MICROSOFT.SERVICEBUS"
Following are sample queries that you can use to help you monitor your Azure Ser
``` + Get runtime audit logs generated in the last one hour.
- ```Kusto
+ ```kusto
AzureDiagnostics | where TimeGenerated > ago(1h) | where ResourceProvider =="MICROSOFT.SERVICEBUS" | where Category == "RuntimeAuditLogs" ```-- + Get access attempts to a key vault that resulted in "key not found" error.
- ```Kusto
+ ```kusto
AzureDiagnostics | where ResourceProvider == "MICROSOFT.SERVICEBUS" | where Category == "Error" and OperationName == "wrapkey"
Following are sample queries that you can use to help you monitor your Azure Ser
+ Get errors from the past 7 days
- ```Kusto
+ ```kusto
AzureDiagnostics | where TimeGenerated > ago(7d) | where ResourceProvider =="MICROSOFT.SERVICEBUS"
Following are sample queries that you can use to help you monitor your Azure Ser
+ Get operations performed with a key vault to disable or restore the key.
- ```Kusto
+ ```kusto
AzureDiagnostics | where ResourceProvider == "MICROSOFT.SERVICEBUS" | where (Category == "info" and (OperationName == "disable" or OperationName == "restore"))
Following are sample queries that you can use to help you monitor your Azure Ser
| where EventName_s startswith "AutoDelete" | summarize count() by EventName_s, _ResourceId ```
-
+ ### [Resource Specific Table](#tab/Resourcespecifictable)
+++ Get deny connection events for namespace+
+ ```kusto
+ AZMSVNetConnectionEvents
+ | extend NamespaceName = tostring(split(_ResourceId, "/")[8])
+ | where Provider =~ "ServiceBus"
+ | where Action == "Deny Connection"
+ | project Action, SubscriptionId, NamespaceName, AddressIp, Reason, Count
+ | summarize by Action, NamespaceName
+ ```
+++ Get failed operation logs for namespace+
+ ```kusto
+ AZMSOperationalLogs
+ | extend NamespaceName = tostring(split(_ResourceId, "/")[8])
+ | where Provider =~ "ServiceBus"
+ | where isnotnull(NamespaceName) and Status != "Succeeded"
+ | project NamespaceName, ResourceId, EventName, Status, Caller, SubscriptionId
+ | summarize by NamespaceName, EventName
+ ```
+++ Get Send message events for namespace+
+ ```kusto
+ AZMSRunTimeAuditLogs
+ | extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
+ | where Provider =~ "ServiceBus"
+ | where isnotnull(NamespaceInfo) and ActivityName = "SendMessage"
+ | project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, ResourceId
+ | summarize by NamespaceInfo, ActivityName
+ ```
++ Get Failed authorization results for AAD+
+ ```kusto
+ AZMSRunTimeAuditLogs
+ | extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])
+ | where Provider =~ "ServiceBus"
+ | where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == "AAD" and Status != "Success"
+ | project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, ResourceId
+ | summarize by NamespaceInfo, AuthKey, ActivityName
+ ```
+ ## Alerts You can access alerts for Azure Service Bus by selecting **Alerts** from the **Azure Monitor** section on the home page for your Service Bus namespace. See [Create, view, and manage metric alerts using Azure Monitor](../azure-monitor/alerts/alerts-metric.md) for details on creating alerts.
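Review bot: the line `| where isnotnull(NamespaceInfo) and ActivityName = "SendMessage"` in the Send message query uses a single `=`; KQL comparison needs `==` (or `=~`, as the same query uses for Provider), so this query fails to parse as written. All four new queries end with `summarize by ...` and no aggregate, which only deduplicates rows; for the detection cases they target (denied connections, failed operations, failed AAD authorizations) use `summarize count() by ...` as the AutoDelete query above does, and bound them with `where TimeGenerated > ago(7d)` like the AzureDiagnostics tab queries, since the runtime audit table can be high volume. The `project` step before each `summarize` is redundant because the summarize discards those columns anyway. The bullet lines also carry stray trailing `+` characters ("for namespace+") as rendered, and the tab group opened with `### [AzureDiagnostics](#tab/AzureDiagnostics)` needs a closing `---` line before `## Alerts`, which I don't see in the hunk.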
site-recovery Azure To Azure Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-support-matrix.md
Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5,
18.04 LTS |[9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0)| 4.15.0-196-generic <br> 4.15.0-1157-azure <br> 5.4.0-1098-azure <br> 4.15.0-1158-azure <br> 4.15.0-1159-azure <br> 4.15.0-201-generic <br> 4.15.0-202-generic <br> 5.4.0-1100-azure <br> 5.4.0-136-generic | 18.04 LTS | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |4.15.0-1151-azure </br> 4.15.0-193-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic</br>4.15.0-1153-azure </br>4.15.0-194-generic </br>5.4.0-1094-azure </br>5.4.0-128-generic </br>5.4.0-131-generic | |||
-20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure |
+20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-79-generic <br> 5.4.0-156-generic|
20.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-146-generic <br> 5.4.0-147-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-70-generic <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.4.0-1107-azure <br> 5.4.0-148-generic <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.15.0-73-generic <br> 5.15.0-1039-azure | 20.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.4.0-1101-azure <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.4.0-1103-azure <br> 5.4.0-139-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic <br> 5.4.0-1104-azure <br> 5.4.0-144-generic | 20.04 LTS | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | 5.4.0-1095-azure <br> 5.15.0-1023-azure <br> 5.4.0-1098-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.4.0-1100-azure <br> 5.4.0-136-generic <br> 5.4.0-137-generic | 20.04 LTS | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |5.13.0-1009-azure </br> 5.13.0-1012-azure </br> 5.13.0-1013-azure </br> 5.13.0-1014-azure </br> 5.13.0-1017-azure </br> 5.13.0-1021-azure </br> 5.13.0-1022-azure </br> 5.13.0-1023-azure </br> 5.13.0-1025-azure </br> 5.13.0-1028-azure </br> 5.13.0-1029-azure </br> 5.13.0-1031-azure </br> 5.13.0-21-generic </br> 5.13.0-22-generic </br> 5.13.0-23-generic </br> 5.13.0-25-generic </br> 5.13.0-27-generic </br> 5.13.0-28-generic </br> 5.13.0-30-generic </br> 5.13.0-35-generic </br> 5.13.0-37-generic </br> 5.13.0-39-generic </br> 
5.13.0-40-generic </br> 5.13.0-41-generic </br> 5.13.0-44-generic </br> 5.13.0-48-generic </br> 5.13.0-51-generic </br> 5.13.0-52-generic </br> 5.15.0-1007-azure </br> 5.15.0-1008-azure </br> 5.15.0-1013-azure </br> 5.15.0-1014-azure </br> 5.15.0-1017-azure </br> 5.15.0-1019-azure </br> 5.15.0-1020-azure </br> 5.15.0-33-generic </br> 5.15.0-51-generic </br> 5.15.0-43-generic </br> 5.15.0-46-generic </br> 5.15.0-48-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic </br> 5.15.0-1021-azure </br> 5.15.0-1022-azure </br> 5.15.0-50-generic </br> 5.15.0-52-generic </br> 5.4.0-1094-azure </br> 5.4.0-128-generic </br> 5.4.0-131-generic | |||
-22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 5.15.0-1042-azure |
+22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-1044-azure <br> 5.15.0-79-generic |
22.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.15.0-70-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.15.0-73-generic <br> 5.15.0-1039-azure | 22.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.15.0-1003-azure <br> 5.15.0-1005-azure <br> 5.15.0-1007-azure <br> 5.15.0-1008-azure <br> 5.15.0-1010-azure <br> 5.15.0-1012-azure <br> 5.15.0-1013-azure <br> 5.15.0-1014-azure <br> 5.15.0-1017-azure <br> 5.15.0-1019-azure <br> 5.15.0-1020-azure <br> 5.15.0-1021-azure <br> 5.15.0-1022-azure <br> 5.15.0-1023-azure <br> 5.15.0-1024-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-25-generic <br> 5.15.0-27-generic <br> 5.15.0-30-generic <br> 5.15.0-33-generic <br> 5.15.0-35-generic <br> 5.15.0-37-generic <br> 5.15.0-39-generic <br> 5.15.0-40-generic <br> 5.15.0-41-generic <br> 5.15.0-43-generic <br> 5.15.0-46-generic <br> 5.15.0-47-generic <br> 5.15.0-48-generic <br> 5.15.0-50-generic <br> 5.15.0-52-generic <br> 5.15.0-53-generic <br> 5.15.0-56-generic <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic |
Debian 9.1 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azu
Debian 9.1 | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | No new Debian 9.1 kernels supported in this release. | Debian 9.1 | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) | No new Debian 9.1 kernels supported in this release. | |||
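Review bot: the updated 22.04 LTS / 9.55 cell still carries 5.15.0-73-generic and 5.15.0-1039-azure, both of which the 9.54 row directly below already lists, and the Debian 10 / 9.55 cell further down repeats 5.10.0-0.deb10.23-amd64 and its cloud variant from its 9.54 row in the same way. The Debian 9.1 rows say "No new Debian 9.1 kernels supported in this release", which reads as if each row lists only the kernels that rollup newly supports; on that reading the repeated entries should be dropped from the 9.55 cells, and if the lists are in fact cumulative the table needs one sentence saying so, otherwise a reader will take a repeated kernel as a signal that the Mobility service must be updated again.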
-Debian 10 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 |
+Debian 10 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 <br> 4.19.0-25-amd64 <br> 4.19.0-25-cloud-amd64 <br> 5.10.0-0.deb10.24-amd64 <br> 5.10.0-0.deb10.24-cloud-amd64 |
Debian 10 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.10.0-0.bpo.3-amd64 <br> 5.10.0-0.bpo.3-cloud-amd64 <br> 5.10.0-0.bpo.4-amd64 <br> 5.10.0-0.bpo.4-cloud-amd64 <br> 5.10.0-0.bpo.5-amd64 <br> 5.10.0-0.bpo.5-cloud-amd64 <br> 4.19.0-24-amd64 <br> 4.19.0-24-cloud-amd64 <br> 5.10.0-0.deb10.22-amd64 <br> 5.10.0-0.deb10.22-cloud-amd64 <br> 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 | Debian 10 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| 5.10.0-0.deb10.21-amd64 <br> 5.10.0-0.deb10.21-cloud-amd64 | Debian 10 | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | 4.19.0-23-amd64 <br> 4.19.0-23-cloud-amd64 <br> 5.10.0-0.deb10.20-amd64 <br> 5.10.0-0.deb10.20-cloud-amd64 | Debian 10 | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) | 4.19.0-22-amd64 </br> 4.19.0-22-cloud-amd64 </br> 5.10.0-0.deb10.19-amd64 </br> 5.10.0-0.deb10.19-cloud-amd64 | |||
-Debian 11 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| No new Debian 11 kernels supported in this release. |
+Debian 11 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-24-amd64 <br> 5.10.0-24-cloud-amd64 <br> 5.10.0-25-amd64 <br> 5.10.0-25-cloud-amd64 |
Debian 11 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.10.0-22-amd64 <br> 5.10.0-22-cloud-amd64 <br> 5.10.0-23-amd64 <br> 5.10.0-23-cloud-amd64 | Debian 11 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.10.0-21-amd64 </br> 5.10.0-21-cloud-amd64 | Debian 11 | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | 5.10.0-10-amd64 </br> 5.10.0-10-cloud-amd64 </br> 5.10.0-12-amd64 <br> 5.10.0-12-cloud-amd64 <br> 5.10.0-13-amd64 <br> 5.10.0-13-cloud-amd64 <br> 5.10.0-14-amd64 <br> 5.10.0-14-cloud-amd64 <br> 5.10.0-15-amd64 <br> 5.10.0-15-cloud-amd64 <br> 5.10.0-16-amd64 <br> 5.10.0-16-cloud-amd64 <br> 5.10.0-17-amd64 <br> 5.10.0-17-cloud-amd64 <br> 5.10.0-18-amd64 <br> 5.10.0-18-cloud-amd64 <br> 5.10.0-19-amd64 <br> 5.10.0-19-cloud-amd64 <br> 5.10.0-20-amd64 <br> 5.10.0-20-cloud-amd64 |
Debian 11 | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azur
**Release** | **Mobility service version** | **Kernel version** | | | |
-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 |
+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 <br> 4.12.14-16.146-azure:5 |
SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.130-azure:5 <br> 4.12.14-16.133-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.124-azure:5 <br> 4.12.14-16.127-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.115-azure:5 <br> 4.12.14-16.120-azure:5 |
SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.51](https://suppo
**Release** | **Mobility service version** | **Kernel version** | | | |
-SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 |
+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 <br> 5.14.21-150400.14.60-azure:4 |
SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.40-azure:4 <br> 5.14.21-150400.14.43-azure:4 <br> 5.14.21-150400.14.46-azure:4 <br> 5.14.21-150400.14.49-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.31-azure:4 <br> 5.14.21-150400.14.34-azure:4 <br> 5.14.21-150400.14.37-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.12-azure:4 <br> 5.14.21-150400.14.10-azure:4 <br> 5.14.21-150400.14.13-azure:4 <br> 5.14.21-150400.14.16-azure:4 <br> 5.14.21-150400.14.7-azure:4 <br> 5.3.18-150300.38.83-azure:3 <br> 5.14.21-150400.14.21-azure:4 <br> 5.14.21-150400.14.28-azure:4 <br> 5.3.18-150300.38.88-azure:3 |
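Review bot: the SUSE Linux Enterprise Server 15 / 9.55 cell (in both the removed and the added line) contains 4.12.14-16.139-azure:5, which appears as a SUSE 12 kernel in the 9.55 row of the SUSE 12 table above and carries the :5 service-pack suffix, while this row's header only covers SP1 through SP4 of SLES 15 and every other entry in the cell is a 5.14.21-150400.* kernel. Since the change edits this cell anyway, move that entry out of the SLES 15 row (or replace it with the 5.14.21 build that was meant), so that a reader checking whether a SLES 15 host's kernel is supported is not matched against a SLES 12 build; the new 5.14.21-150400.14.60-azure:4 entry itself looks consistent with the rest of the row.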
site-recovery Hyper V Azure Failback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-azure-failback.md
This article describes how to fail back Azure VMs that were created after failov
## Before you start 1. [Review the types of failback](failover-failback-overview.md#hyper-v-reprotectionfailback) you can use - original location recovery and alternate location recovery.
-2. Ensure that the Azure VMs are using a storage account and not managed disks. Failback of Hyper-V virtual machines, that failed over to Azure machines using managed disks, isn't supported.
+2. Ensure that the Azure VMs are using managed disks. Failback of Hyper-V virtual machines, that failed over to Azure machines using managed disks, is supported. It is not recommended to use storage accounts, as they will be [fully retired on September 30, 2025](../virtual-machines/unmanaged-disks-deprecation.md).
3. Check that the on-premises Hyper-V host (or System Center VMM server if you're using with Site Recovery) is running and connected to Azure. 4. Make sure that failover and commit are complete for the VMs. You don't need to set up any specific Site Recovery components for failback of Hyper-V VMs from Azure. 5. The time needed to complete data synchronization and start the on-premises VM will depend on a number of factors. To speed up data download, you can configure the Microsoft Recovery Services agent to use more threads to parallelize the download. [Learn more](https://support.microsoft.com/help/3056159/how-to-manage-on-premises-to-azure-protection-network-bandwidth-usage).
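Review bot: the rewritten step 2 contradicts itself: it opens with "Ensure that the Azure VMs are using managed disks" as a precondition, then only says storage accounts are "not recommended", so it is unclear whether failback of a VM that failed over onto unmanaged disks in a storage account still works. State one or the other explicitly, for example "Failback is supported for Azure VMs using managed disks or storage accounts. Use managed disks; unmanaged disks will be fully retired on September 30, 2025." The middle sentence, "Failback of Hyper-V virtual machines, that failed over to Azure machines using managed disks, is supported", now only restates the first sentence and, if kept, needs the commas removed because the clause is restrictive.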
site-recovery Hyper V Azure Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-azure-support-matrix.md
UEFI Secure boot | No | No
Availability sets | Yes | Yes Availability zones | No | No HUB | Yes | Yes
-Managed disks | Yes, for failover.<br/><br/> Failback of managed disks isn't supported. | Yes, for failover.<br/><br/> Failback of managed disks isn't supported.
+Managed disks | Yes, for both failover and failback. | Yes, both failover and failback.
## Azure VM requirements
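Review bot: the two cells of the updated Managed disks row say the same thing in different words ("Yes, for both failover and failback." against "Yes, both failover and failback."); use identical wording in both columns, as the other rows do. Since this row no longer mentions any failback limitation, consider adding the caveat the failback article now carries, that storage-account (unmanaged disk) VMs are being retired on September 30, 2025, so the matrix and the failback procedure stay consistent.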
storage Container Storage Aks Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/container-storage/container-storage-aks-quickstart.md
description: Learn how to install Azure Container Storage Preview on an Azure Ku
Previously updated : 09/12/2023 Last updated : 09/13/2023
## Install Azure Container Storage
-Follow these instructions to install Azure Container Storage on your AKS cluster using an installation script.
-
-1. Run the `az login` command to sign in to Azure.
-
-1. Download and save [this shell script](https://github.com/Azure-Samples/azure-container-storage-samples/blob/main/acstor-install.sh).
-
-1. Navigate to the directory where the file is saved using the `cd` command. For example, `cd C:\Users\Username\Downloads`.
-
-1. Run the following command to change the file permissions:
-
- ```bash
- chmod +x acstor-install.sh
- ```
-
-1. Run the installation script and specify the parameters.
-
- | **Flag** | **Parameter** | **Description** |
- |-|-|-|
- | -s  | --subscription | The subscription identifier. Defaults to the current subscription.|
- | -g | --resource-group | The resource group name.|
- | -c  | --cluster-name | The name of the cluster where Azure Container Storage is to be installed.|
- | -n  | --nodepool-name | The name of the nodepool. Defaults to the first nodepool in the cluster.|
- | -r  | --release-train | The release train for the installation. Defaults to stable.|
-
- For example:
-
- ```bash
- bash ./acstor-install.sh -g <resource-group-name> -s <subscription-id> -c <cluster-name> -n <nodepool-name> -r <release-train-name>
- ```
-
-Installation takes 10-15 minutes to complete. You can check if the installation completed correctly by running the following command and ensuring that `provisioningState` says **Succeeded**:
-
-```azurecli-interactive
-az k8s-extension list --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type managedClusters
-```
-
-Congratulations, you've successfully installed Azure Container Storage. You now have new storage classes that you can use for your Kubernetes workloads.
## Choose a data storage option
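Review bot: removing the whole body of "## Install Azure Container Storage" leaves that heading empty, immediately followed by "## Choose a data storage option". Either delete the heading as well or replace the removed script-based procedure with the new installation steps, and keep a success check: the removed text was the only place in this diff that told the reader to verify the install (the `az k8s-extension list ... --cluster-type managedClusters` call and the `provisioningState` of `Succeeded`). Dropping the "download this shell script, chmod +x and run it" flow is itself a good change, since it had readers executing a script fetched from GitHub with their signed-in Azure credentials without any integrity check, but the replacement should say which tool now performs the install.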
storage Analyze Files Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/analyze-files-metrics.md
For more information on how to write queries, see [Log Analytics tutorial](../..
- [Azure Files monitoring data reference](storage-files-monitoring-reference.md) - [Monitor Azure resources with Azure Monitor](../../azure-monitor/essentials/monitor-azure-resource.md) - [Understand Azure Files performance](understand-performance.md)
+- [Troubleshoot ClientOtherErrors](/troubleshoot/azure/azure-storage/files-client-other-errors?toc=/azure/storage/files/toc.json)
update-center Configure Wu Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-center/configure-wu-agent.md
The registry keys listed in [Configuring Automatic Updates by editing the regist
## Enable updates for other Microsoft products
-By default, the Windows Update client is configured to provide updates only for Windows operating system. If you enable the **Give me updates for other Microsoft products when I update Windows** setting, you also receive updates for other Microsoft products, including security patches for Microsoft SQL Server and other Microsoft software.
+By default, the Windows Update client is configured to provide updates only for Windows operating system. In Windows update, select **Check online for Windows updates**. It will check updates for other Microsoft products to enable the **Give me updates for other Microsoft products when I update Windows** to receive updates for other Microsoft products, including security patches for Microsoft SQL Server and other Microsoft software.
Use one of the following options to perform the settings change at scale:
Use one of the following options to perform the settings change at scale:
- For servers running Server 2016 or later which are not using Update Manager (preview) scheduled patching (that has the VM PatchSettings set to AutomaticByOS = Azure-Orchestrated) you can use Group Policy to control this by downloading and using the latest Group Policy [Administrative template files](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). +
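Review bot: the rewritten paragraph in the "+" line does not parse: "In Windows update, select Check online for Windows updates. It will check updates for other Microsoft products to enable the Give me updates for other Microsoft products when I update Windows to receive updates for other Microsoft products" runs the UI action, the setting and its effect into one sentence and reads as if clicking Check online for Windows updates is what enables the setting. Split it into three plain statements: the default (Windows updates only), the setting to enable (Give me updates for other Microsoft products when I update Windows) and what Check online for Windows updates is for, keeping the original's concrete payoff that this is how SQL Server and other Microsoft software security patches are delivered. The line "Use one of the following options to perform the settings change at scale:" also appears twice in a row below it; keep one.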
+## Configure a Windows server for Microsoft updates
+
+The Windows update client on Windows servers can get their patches from either of the following Microsoft hosted patch repositories:
+- Windows update - hosts operating system patches.
+- Microsoft update - hosts operating system and other Microsoft patches. For example MS Office, SQL Server and so on.
+
+> [!NOTE]
+> For the application of patches, you can choose the update client at the time of installation, or later using Group policy or by directly editing the registry.
+> To get the non-operating system Microsoft patches or to install only the OS patches, we recommend you to change the patch repository as this is an operating system setting and not an option that you can configure within Update management center (preview).
+
+### Edit the registry
+
+If scheduled patching is configured on your machine using the Update management center (preview), the Auto update on the client is disabled. To edit the registry and configure the setting, see [First party updates on Windows](support-matrix.md#first-party-updates-on-windows).
+
+### Patching using group policy on Azure Update management
+
+If your machine is patched using Automation Update management, and has Automatic updates enabled on the client, you can use the group policy to have complete control. To patch using group policy, follow these steps:
+
+1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage end user experience**.
+1. Select **Configure Automatic Updates**.
+1. Select or deselect the **Install updates for other Microsoft products** option.
+
+ :::image type="content" source="./media/configure-wu-agent/configure-updates-group-policy-inline.png" alt-text="Screenshot of selection or deselection of install updates for other Microsoft products." lightbox="./media/configure-wu-agent/configure-updates-group-policy-expanded.png":::
++ ## Make WSUS configuration settings Update Manager (preview) supports WSUS settings. You can specify sources for scanning and downloading updates using instructions in [Specify intranet Microsoft Update service location](/windows/deployment/update/waas-wu-settings#specify-intranet-microsoft-update-service-location). By default, the Windows Update client is configured to download updates from Windows Update. When you specify a WSUS server as a source for your machines, the update deployment fails, if the updates aren't approved in WSUS.
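Review bot: the added section refers to the same product under four names, "Update management center (preview)" in the note and the registry subsection, "Azure Update management" in the group policy heading, "Automation Update management" in the step text, and "Update Manager (preview)" in the surrounding context; pick one and use it throughout, since the section's whole point is telling the reader which path applies when their machine is managed by that product. The note's second sentence ("we recommend you to change the patch repository as this is an operating system setting and not an option that you can configure within ...") should read "we recommend changing the patch repository, because this is an operating system setting and not an option you can configure in ...". The "Edit the registry" subsection promises a registry edit but only links elsewhere; either name the setting here or retitle it as a pointer. Finally, the group policy steps say "Select or deselect the Install updates for other Microsoft products option" without saying which state gives the Microsoft Update behaviour the section opened with; state it, and say whether these steps also apply to the scheduled-patching case where the preceding subsection says Auto update on the client is disabled.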
update-center Guidance Migration Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-center/guidance-migration-azure.md
Last updated 08/23/2023
-# Guidance on migrating Azure VMs from Microsoft Configuration Manager to Azure
+# Guidance on migrating Azure VMs from Microsoft Configuration Manager to Azure Update Manager
**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
update-center View Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-center/view-updates.md
To check the updates on your machines at scale, follow these steps:
> [!NOTE] > In update Manager (preview), you can initiate a software updates compliance scan on the machine to get the current list of operating system (guest) updates including the security and critical updates. On Windows, the software update scan is performed by the Windows Update Agent. On Linux, the software update scan is performed using OVAL-compatible tools to test for the presence of vulnerabilities based on the OVAL Definitions for that platform, which is retrieved from a local or remote repository. + ## Next steps
virtual-desktop Troubleshoot Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-agent.md
To resolve this issue, start the RDAgent boot loader:
1. Select **Refresh**.
-1. If the service stops after you started and refreshed it, you may have a registration failure. For more information, see [INVALID_REGISTRATION_TOKEN](#error-invalid_registration_token).
+1. If the service stops after you started and refreshed it, you may have a registration failure. For more information, see [INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN](#error-invalid_registration_token-or-expired_machine_token).
-## Error: INVALID_REGISTRATION_TOKEN
+## Error: INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN
-On your session host VM, go to **Event Viewer** > **Windows Logs** > **Application**. If you see an event with ID 3277 with **INVALID_REGISTRATION_TOKEN** in the description, the registration token that has been used isn't recognized as valid.
+On your session host VM, go to **Event Viewer** > **Windows Logs** > **Application**. If you see an event with ID 3277 with **INVALID_REGISTRATION_TOKEN** or **EXPIRED_MACHINE_TOKEN** in the description, the registration token that has been used isn't recognized as valid.
To resolve this issue, create a valid registration token:
To resolve this issue:
1. Make sure [the agent can connect to the broker](#error-agent-cannot-connect-to-broker-with-invalid_form).
-1. Make sure [your VM has a valid registration token](#error-invalid_registration_token).
+1. Make sure [your VM has a valid registration token](#error-invalid_registration_token-or-expired_machine_token).
1. Make sure [the VM registration token hasn't expired](./faq.yml).
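Review bot: the expanded section folds EXPIRED_MACHINE_TOKEN into the INVALID_REGISTRATION_TOKEN explanation ("the registration token that has been used isn't recognized as valid") and into the same fix ("create a valid registration token"), but the new error name describes a token that has expired rather than one that is unrecognized, and the step list at the bottom already treats "the VM registration token hasn't expired" as a separate check linked to the FAQ. Say what distinguishes the two event ID 3277 descriptions and whether generating a new registration token resolves both, so the reader with EXPIRED_MACHINE_TOKEN knows whether to regenerate the token or to fix the clock or re-register the session host. Separately, "To resolve this issue, create a valid registration token:" is immediately followed by "To resolve this issue:" with no steps between them in this view; check that the first procedure's steps were not lost in the edit.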
virtual-machines Ebdsv5 Ebsv5 Series https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ebdsv5-ebsv5-series.md
Ebdsv5-series sizes run on the Intel® Xeon® Platinum 8370C (Ice Lake) processo
| Standard_E112ibds_v5 | 112| 672 | 3800 | 64 | 450000/4000 | 260000/8000 | 260000/8000 |260000/6500 | 260000/6500| 8 | 40000 | ## Ebsv5 series
-Ebsv5-series sizes run on the Intel® Xeon® Platinum 8272CL (Ice Lake). These VMs are ideal for memory-intensive enterprise applications and applications that benefit from high remote storage performance but with no local SSD storage. Ebsv5-series VMs feature Intel® Hyper-Threading Technology. Remote Data disk storage is billed separately from VMs.
+Ebsv5-series sizes run on the Intel® Xeon® Platinum 8272CL (Cascade Lake). These VMs are ideal for memory-intensive enterprise applications and applications that benefit from high remote storage performance but with no local SSD storage. Ebsv5-series VMs feature Intel® Hyper-Threading Technology. Remote Data disk storage is billed separately from VMs.
- [Premium Storage](premium-storage-performance.md): Supported - [Premium Storage caching](premium-storage-performance.md): Supported