Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
app-service | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/overview.md | A benefit of using an App Service Environment instead of a multitenant service i App Service Environment v3 differs from earlier versions in the following ways: - There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.-- You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. In this case, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see [Migrate App Service Environment to availability zone support](../../availability-zones/migrate-app-service-environment.md).+- You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. This is a deployment time only decision. Changing zone redundancy is not possible after it has been deployed. With zone redundant App Service Environment, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see [Migrate App Service Environment to availability zone support](../../availability-zones/migrate-app-service-environment.md). - You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant. - Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multitenant service, it's a lot faster. - Front-end scaling adjustments are no longer required. 
App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts. App Service Environment v3 is available in the following regions: | Southeast Asia | ✅ | ✅ | | Spain Central | ✅ | ✅** | | Sweden Central | ✅ | ✅ |+| Sweden South | ✅ | | | Switzerland North | ✅ | ✅ | | Switzerland West | ✅ | | | UAE Central | ✅ | | App Service Environment v3 is available in the following regions: | US DoD Central | ✅ | | | US DoD East | ✅ | | | US Gov Arizona | ✅ | |-| US Gov Iowa | | | | US Gov Texas | ✅ | | | US Gov Virginia | ✅ |✅ | App Service Environment v3 is available in the following regions: | Region | Single zone support | Availability zone support | | -- | :--: | :-: |-| China East 2 | | | +| | App Service Environment v3 | App Service Environment v3 | | China East 3 | ✅ | |-| China North 2 | | | | China North 3 | ✅ | ✅ | ### In-region data residency An App Service Environment will only store customer data including app content, settings and secrets within the region where it's deployed. All data is guaranteed to remain in the region. For more information, see [Data residency in Azure](https://azure.microsoft.com/explore/global-infrastructure/data-residency/#overview). +## Pricing tiers ++The following sections list the regional pricing tiers (SKUs) availability for App Service Environment v3. ++> [!NOTE] +> Windows Container plans currently do not support memory intensive SKUs. 
+> + +### Azure Public: ++| Region | Standard | Large | Memory intensive | +| -- | :-: | :: | :: | +| | I1v2-I3v2 | I4v2-I6v2 | I1mv2-I5mv2 | +| Australia Central | ✅ | ✅ | ✅ | +| Australia Central 2 | ✅ | ✅ | ✅ | +| Australia East | ✅ | ✅ | ✅ | +| Australia Southeast | ✅ | ✅ | ✅ | +| Brazil South | ✅ | ✅ | | +| Brazil Southeast | ✅ | ✅ | ✅ | +| Canada Central | ✅ | ✅ | ✅ | +| Canada East | ✅ | ✅ | ✅ | +| Central India | ✅ | ✅ | ✅ | +| Central US | ✅ | ✅ * | | +| East Asia | ✅ | ✅ | ✅ | +| East US | ✅ | ✅ | | +| East US 2 | ✅ | ✅ | ✅ | +| France Central | ✅ | ✅ | ✅ | +| France South | ✅ | ✅ | ✅ | +| Germany North | ✅ | ✅ | ✅ | +| Germany West Central | ✅ | ✅ | ✅ | +| Israel Central | ✅ | ✅ | | +| Italy North | ✅ | ✅ | | +| Japan East | ✅ | ✅ | ✅ | +| Japan West | ✅ | ✅ | ✅ | +| Jio India Central | ✅ | ✅ | | +| Jio India West | ✅ | ✅ | | +| Korea Central | ✅ | ✅ | | +| Korea South | ✅ | ✅ | ✅ | +| Mexico Central | ✅ | ✅ | | +| North Central US | ✅ | ✅ | ✅ | +| North Europe | ✅ | ✅ | ✅ | +| Norway East | ✅ | ✅ | ✅ | +| Norway West | ✅ | ✅ | ✅ | +| Poland Central | ✅ | ✅ | | +| Qatar Central | ✅ | ✅ | | +| South Africa North | ✅ | ✅ | ✅ | +| South Africa West | ✅ | ✅ | ✅ | +| South Central US | ✅ | ✅ | ✅ | +| South India | ✅ | ✅ | | +| Southeast Asia | ✅ | ✅ | ✅ | +| Spain Central | ✅ | ✅ | | +| Sweden Central | ✅ | ✅ | ✅ | +| Sweden South | ✅ | ✅ | ✅ | +| Switzerland North | ✅ | ✅ | ✅ | +| Switzerland West | ✅ | ✅ | ✅ | +| UAE Central | ✅ | ✅ | | +| UAE North | ✅ | ✅ | ✅ | +| UK South | ✅ | ✅ | ✅ | +| UK West | ✅ | ✅ | ✅ | +| West Central US | ✅ | ✅ * | | +| West Europe | ✅ | ✅ * | | +| West India | ✅ | ✅ | ✅ | +| West US | ✅ | ✅ | | +| West US 2 | ✅ | ✅ | ✅ | +| West US 3 | ✅ | ✅ | ✅ | ++\* Windows Container does not support Large skus in this region. +\** Linux does not support Memory intensive skus in this region. 
++### Azure Government: ++| Region | Standard | Large | Memory intensive | +| -- | :-: | :: | :: | +| | I1v2-I3v2 | I4v2-I6v2 | I1mv2-I5mv2 | +| US DoD Central | ✅ |✅ * | | +| US DoD East | ✅ |✅ * | | +| US Gov Arizona | ✅ |✅ * | | +| US Gov Texas | ✅ |✅ * | | +| US Gov Virginia | ✅ |✅ * | | ++### Microsoft Azure operated by 21Vianet: ++| Region | Standard | Large | Memory intensive | +| -- | :-: | :: | :: | +| | I1v2-I3v2 | I4v2-I6v2 | I1mv2-I5mv2 | +| China East 3 | ✅ | ✅ * | | +| China North 3 | ✅ | ✅ * | | + ## Next steps > [!div class="nextstepaction"] |
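Review bot: the delimiter rows added for the three new pricing tables (`+| -- | :-: | :: | :: |`, repeated for Azure Public, Azure Government and 21Vianet) are not valid Markdown: a GFM alignment cell needs at least one hyphen, so `::` makes the renderer treat the whole table as plain text. Use `| -- | :-: | :-: | :-: |` in all three. In the same hunk, the footnote `\** Linux does not support Memory intensive skus in this region.` has no matching `**` marker in any pricing-table row; the only `✅**` on the page is Spain Central in the availability-zone table higher up, where this footnote is not shown, so either move the footnote there or add the marker to the Spain Central pricing row.

Review bot: the rewritten zone-redundancy bullet states the same constraint three times ("You set zone redundancy only during creation", "This is a deployment time only decision", "Changing zone redundancy is not possible after it has been deployed"). Keep one sentence, for example "Zone redundancy can only be set when the environment is created and cannot be changed afterwards", and keep the three-instance minimum sentence that follows it.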
app-service | Manage Create Arc Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/manage-create-arc-environment.md | Azure Arc-enabled Kubernetes lets you make your on-premises or cloud Kubernetes If you don't have an Azure account, [sign up today](https://azure.microsoft.com/free/?utm_source=campaign&utm_campaign=vscode-tutorial-app-service-extension&mktingSource=vscode-tutorial-app-service-extension) for a free account. +Review the [requirements and limitations](overview-arc-integration.md) of the public preview. Of particular importance are the cluster requirements. + <!-- ## Prerequisites - Create a Kubernetes cluster in a supported Kubernetes distribution and connect it to Azure Arc in a supported region. See [Public preview limitations](overview-arc-integration.md#public-preview-limitations). az extension add --upgrade --yes --name appservice-kube ## Create a connected cluster > [!NOTE]-> This tutorial uses [Azure Kubernetes Service (AKS)](/azure/aks/) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. The steps below will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) for general instructions on creating an Azure Arc-enabled Kubernetes cluster. +> This tutorial uses [Azure Kubernetes Service (AKS)](/azure/aks/) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. 
The steps will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) for general instructions on creating an Azure Arc-enabled Kubernetes cluster. 1. Create a cluster in Azure Kubernetes Service with a public IP address. Replace `<group-name>` with the resource group name you want. While a [Log Analytic workspace](/azure/azure-monitor/logs/quick-create-workspac ## Install the App Service extension -1. Set the following environment variables for the desired name of the [App Service extension](overview-arc-integration.md), the cluster namespace in which resources should be provisioned, and the name for the App Service Kubernetes environment. Choose a unique name for `<kube-environment-name>`, because it will be part of the domain name for app created in the App Service Kubernetes environment. +1. Set the following environment variables for the desired name of the [App Service extension](overview-arc-integration.md), the cluster namespace in which resources should be provisioned, and the name for the App Service Kubernetes environment. Choose a unique name for `<kube-environment-name>`, because it is part of the domain name for app created in the App Service Kubernetes environment. # [bash](#tab/bash) While a [Log Analytic workspace](/azure/azure-monitor/logs/quick-create-workspac | Parameter | Description | | - | - |- | `Microsoft.CustomLocation.ServiceAccount` | The service account that should be created for the custom location that will be created. It is recommended that this be set to the value `default`. | + | `Microsoft.CustomLocation.ServiceAccount` | The service account that should be created for the custom location that is created. It is recommended that this be set to the value `default`. 
| | `appsNamespace` | The namespace to provision the app definitions and pods. **Must** match that of the extension release namespace. |- | `clusterName` | The name of the App Service Kubernetes environment that will be created against this extension. | + | `clusterName` | The name of the App Service Kubernetes environment that is created against this extension. | | `keda.enabled` | Whether [KEDA](https://keda.sh/) should be installed on the Kubernetes cluster. Accepts `true` or `false`. |- | `buildService.storageClassName` | The [name of the storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class) for the build service to store build artifacts. A value like `default` specifies a class named `default`, and not [any class that is marked as default](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/). Default is a valid storage class for AKS and AKS HCI but it may not be for other distrubtions/platforms. | - | `buildService.storageAccessMode` | The [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use with the named storage class above. Accepts `ReadWriteOnce` or `ReadWriteMany`. | - | `customConfigMap` | The name of the config map that will be set by the App Service Kubernetes environment. Currently, it must be `<namespace>/kube-environment-config`, replacing `<namespace>` with the value of `appsNamespace` above. | + | `buildService.storageClassName` | The [name of the storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class) for the build service to store build artifacts. A value like `default` specifies a class named `default`, and not [any class that is marked as default](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/). Default is a valid storage class for AKS and AKS HCI but it may not be for other distrubtions/platforms. 
| + | `buildService.storageAccessMode` | The [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use with the named storage class. Accepts `ReadWriteOnce` or `ReadWriteMany`. | + | `customConfigMap` | The name of the config map that will be set by the App Service Kubernetes environment. Currently, it must be `<namespace>/kube-environment-config`, replacing `<namespace>` with the value of `appsNamespace`. | | `envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group` | The name of the resource group in which the Azure Kubernetes Service cluster resides. Valid and required only when the underlying cluster is Azure Kubernetes Service. | | `logProcessor.appLogs.destination` | Optional. Accepts `log-analytics` or `none`, choosing none disables platform logs. | | `logProcessor.appLogs.logAnalyticsConfig.customerId` | Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace ID. This parameter should be configured as a protected setting. | While a [Log Analytic workspace](/azure/azure-monitor/logs/quick-create-workspac az resource wait --ids $EXTENSION_ID --custom "properties.installState!='Pending'" --api-version "2020-07-01-preview" ``` -You can use `kubectl` to see the pods that have been created in your Kubernetes cluster: +You can use `kubectl` to see the pods created in your Kubernetes cluster: ```bash kubectl get pods -n $NAMESPACE |
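Review bot: the "will be" to present-tense cleanup is incomplete and the touched lines carry two further defects. The rewritten `customConfigMap` row still reads "The name of the config map that will be set by the App Service Kubernetes environment", unlike the neighbouring rows that were changed; the rewritten `buildService.storageClassName` row keeps the misspelling "distrubtions"; and the rewritten step-1 sentence should read "part of the domain name for apps created in the App Service Kubernetes environment". All three lines are already in the diff, so fix them here rather than in a follow-up.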
app-service | Overview Arc Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-arc-integration.md | Title: 'App Service on Azure Arc' description: An introduction to App Service integration with Azure Arc for Azure operators. Previously updated : 12/05/2023- Last updated : 09/23/2024+ The following public preview limitations apply to App Service Kubernetes environ ||| | Supported Azure regions | East US, West Europe | | Cluster networking requirement | Must support `LoadBalancer` service type |+| Node OS requirement | **Linux** only. | | Cluster storage requirement | Must have cluster attached storage class available for use by the extension to support deployment and build of code-based apps where applicable | | Feature: Networking | [Not available (rely on cluster networking)](#are-all-networking-features-supported) | | Feature: Managed identities | [Not available](#are-managed-identities-supported) | Only one Kubernetes environment resource can be created in a custom location. In - [How much does it cost?](#how-much-does-it-cost) - [Are both Windows and Linux apps supported?](#are-both-windows-and-linux-apps-supported)+- [Can the extension be installed on Windows nodes?](#can-the-extension-be-installed-on-windows-nodes) - [Which built-in application stacks are supported?](#which-built-in-application-stacks-are-supported) - [Are all app deployment types supported?](#are-all-app-deployment-types-supported) - [Which App Service features are supported?](#which-app-service-features-are-supported) Only one Kubernetes environment resource can be created in a custom location. 
In - [Are there any scaling limits?](#are-there-any-scaling-limits) - [What logs are collected?](#what-logs-are-collected) - [What do I do if I see a provider registration error?](#what-do-i-do-if-i-see-a-provider-registration-error)-- [Can I deploy the Application services extension on an ARM64 based cluster?](#can-i-deploy-the-application-services-extension-on-an-arm64-based-cluster)+- [Can I deploy the Application services extension on an Arm64 based cluster?](#can-i-deploy-the-application-services-extension-on-an-arm64-based-cluster) - [Which Kubernetes distributions can I deploy the extension on?](#which-kubernetes-distributions-can-i-deploy-the-extension-on) ### How much does it cost? App Service on Azure Arc is free during the public preview. Only Linux-based apps are supported, both code and custom containers. Windows apps aren't supported. +### Can the extension be installed on Windows nodes? ++No, the extension cannot be installed on Windows nodes. The extension supports installation on **Linux** nodes **only**. + ### Which built-in application stacks are supported? All built-in Linux stacks are supported. By default, logs from system components are sent to the Azure team. Application ### What do I do if I see a provider registration error? -When creating a Kubernetes environment resource, some subscriptions might see a "No registered resource provider found" error. The error details might include a set of locations and api versions that are considered valid. If this error message is returned, the subscription must be re-registered with the Microsoft.Web provider, an operation that has no impact on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.Web --wait`. Then reattempt the Kubernetes environment command. +When creating a Kubernetes environment resource, some subscriptions might see a "No registered resource provider found" error. 
The error details might include a set of locations and API versions that are considered valid. If this error message is returned, the subscription must be re-registered with the Microsoft.Web provider, an operation that has no impact on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.Web --wait`. Then reattempt the Kubernetes environment command. -### Can I deploy the Application services extension on an ARM64 based cluster? +### Can I deploy the Application services extension on an Arm64 based cluster? -ARM64 based clusters aren't supported at this time. +Arm64 based clusters aren't supported at this time. ### Which Kubernetes distributions can I deploy the extension on? |
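Review bot: the new FAQ answer "the extension cannot be installed on Windows nodes ... Linux nodes only" repeats the "Node OS requirement" row added to the limitations table, which is fine, but the existing answer to "Are both Windows and Linux apps supported?" still talks only about apps ("Only Linux-based apps are supported ... Windows apps aren't supported"). Add one sentence there pointing to the node requirement, since readers who land on that answer are the ones likely to try a Windows node pool.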
automation | Change Tracking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/change-tracking.md | Here are possible causes specific to this issue: Verify that the daemon for the Log Analytics agent for Linux (**omsagent**) is running on your machine. Run the following query in the Log Analytics workspace that's linked to your Automation account. ```loganalytics-Copy Heartbeat | summarize by Computer, Solutions ``` |
azure-functions | Durable Functions Storage Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-storage-providers.md | The key benefits of the Azure Storage provider include: * Lowest-cost serverless billing model - Azure Storage has a consumption-based pricing model based entirely on usage ([more information](durable-functions-billing.md#azure-storage-transactions)). * Best tooling support - Azure Storage offers cross-platform local emulation and integrates with Visual Studio, Visual Studio Code, and the Azure Functions Core Tools. * Most mature - Azure Storage was the original and most battle-tested storage backend for Durable Functions.-* Preview support for using identity instead of secrets for connecting to the storage provider. +* Support for using identity instead of secrets for connecting to the storage provider. The source code for the DTFx components of the Azure Storage storage provider can be found in the [Azure/durabletask](https://github.com/Azure/durabletask/tree/main/src/DurableTask.AzureStorage) GitHub repo. |
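Review bot: dropping "Preview" from "Support for using identity instead of secrets for connecting to the storage provider" promotes a security-relevant feature to supported status, but unlike the billing bullet, which carries a "([more information](durable-functions-billing.md#azure-storage-transactions))" link, this bullet links nowhere. Add a link to the page that shows how to configure the identity-based connection (which roles the managed identity needs and how the connection setting is named), otherwise readers know the secret-free option exists but not how to turn it on.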
azure-resource-manager | Approve Just In Time Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/approve-just-in-time-access.md | Title: Approve just-in-time access description: Describes how consumers of Azure Managed Applications approve requests for just-in-time access to a managed application.- Last updated 06/24/2024- # Configure and approve just-in-time access for Azure Managed Applications |
azure-resource-manager | Concepts Built In Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/concepts-built-in-policy.md | Title: Deploy associations for managed application using Azure Policy description: Learn about deploying associations for a managed application using Azure Policy.- Last updated 06/24/2024- # Deploy associations for a managed application using Azure Policy |
azure-resource-manager | Create Storage Customer Managed Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-storage-customer-managed-key.md | Title: Create Azure Managed Application that deploys storage account encrypted w description: This article describes how to create an Azure Managed Application that deploys a storage account encrypted with a customer-managed key. + Last updated 06/24/2024 |
azure-resource-manager | Deploy Bicep Definition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-bicep-definition.md | Title: Use Bicep to deploy an Azure Managed Application definition description: Describes how to use Bicep to deploy an Azure Managed Application definition from your service catalog. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Use Bicep to deploy an Azure Managed Application definition To complete the tasks in this article, you need the following items: ## Get managed application definition -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To get the managed application's definition with Azure PowerShell, run the following commands. param appServicePlanName string @description('Globally unique across Azure. Maximum of 47 alphanumeric characters or hyphens.') param appServiceNamePrefix string -@maxLength(11) -@description('Use only lowercase letters and numbers and a maximum of 11 characters.') -param storageAccountNamePrefix string --@allowed([ - 'Premium_LRS' - 'Standard_LRS' - 'Standard_GRS' -]) -@description('The options are Premium_LRS, Standard_LRS, or Standard_GRS') -param storageAccountType string - @description('Resource ID for the managed application definition.') var appResourceId = resourceId('${definitionRG}', 'Microsoft.Solutions/applicationdefinitions', '${definitionName}') resource bicepServiceCatalogApp 'Microsoft.Solutions/applications@2021-07-01' = appServiceNamePrefix: { value: appServiceNamePrefix }- storageAccountNamePrefix: { - value: storageAccountNamePrefix - } - storageAccountType: { - value: storageAccountType - } } } } param managedAppName = 'sampleBicepManagedApp' param mrgName = 'placeholder for managed resource group name' param appServicePlanName = 'demoAppServicePlan' param appServiceNamePrefix = 'demoApp'-param storageAccountNamePrefix = 'demostg1234' -param storageAccountType = 
'Standard_LRS' ``` You need to provide several parameters to deploy the managed application: You need to provide several parameters to deploy the managed application: | `mrgName` | Unique name for the managed resource group that contains the application's deployed resources. The resource group is created when you deploy the managed application. To create a managed resource group name, run the commands that follow this parameter list and use the `$mrgname` value to replace the placeholder in the parameters file. | | `appServicePlanName` | Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. | | `appServiceNamePrefix` | Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure. |-| `storageAccountNamePrefix` | Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. | -| `storageAccountType` | The options are Premium_LRS, Standard_LRS, and Standard_GRS. | You can run the following commands to create a name for the managed resource group. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $mrgprefix = 'mrg-sampleBicepManagedApplication-' The `$mrgprefix` and `$mrgtimestamp` variables are concatenated and stored in th Use Azure PowerShell or Azure CLI to create a resource group and deploy the managed application. 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name bicepApplicationGroup -Location westus After the service catalog managed application is deployed, you have two new reso After the deployment is finished, you can check your managed application's status. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Run the following command to check the managed application's status. az managedapp show --name sampleBicepManagedApp --resource-group bicepApplicatio You can view the resources deployed to the managed resource group. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To display the managed resource group's resources, run the following command. You created the `$mrgname` variable when you created the parameters. When you're finished with the managed application, you can delete the resource g When you delete the _bicepApplicationGroup_ resource group, the managed application, managed resource group, and all the Azure resources are deleted. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group. |
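Review bot: removing the `storageAccountNamePrefix` and `storageAccountType` parameters, their `@allowed` values and the table rows that described them is consistent, but the unchanged context line `var appResourceId = resourceId('${definitionRG}', 'Microsoft.Solutions/applicationdefinitions', '${definitionName}')` still wraps plain parameters in string interpolation, which the Bicep linter flags (simplify-interpolation). Since the file is being edited anyway, pass `definitionRG` and `definitionName` directly.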
azure-resource-manager | Deploy Service Catalog Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-service-catalog-quickstart.md | Title: Deploy a service catalog managed application description: Describes how to deploy a service catalog's managed application for an Azure Managed Application using Azure PowerShell, Azure CLI, or Azure portal. Previously updated : 06/24/2024 Last updated : 09/22/2024 The examples use the resource groups names created in the _quickstart to publish ### Get managed application definition -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To get the managed application's definition with Azure PowerShell, run the following commands. To get the managed application's definition from the Azure portal, use the follo ### Create resource group and parameters -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Create a resource group for the managed application deployment. For readability, the completed JSON string uses the backtick for line continuati ```powershell $params="{ `"appServicePlanName`": {`"value`":`"demoAppServicePlan`"}, `-`"appServiceNamePrefix`": {`"value`":`"demoApp`"}, ` -`"storageAccountNamePrefix`": {`"value`":`"demostg1234`"}, ` -`"storageAccountType`": {`"value`":`"Standard_LRS`"} }" +`"appServiceNamePrefix`": {`"value`":`"demoApp`"} }" ``` The parameters to create the managed resources: - `appServicePlanName`: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. - `appServiceNamePrefix`: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. 
During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure.-- `storageAccountNamePrefix`: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix.-- `storageAccountType`: The options are Premium_LRS, Standard_LRS, and Standard_GRS. # [Azure CLI](#tab/azure-cli) For readability, the completed JSON string uses the backslash for line continuat ```azurecli params="{ \"appServicePlanName\": {\"value\":\"demoAppServicePlan\"}, \-\"appServiceNamePrefix\": {\"value\":\"demoApp\"}, \ -\"storageAccountNamePrefix\": {\"value\":\"demostg1234\"}, \ -\"storageAccountType\": {\"value\":\"Standard_LRS\"} }" +\"appServiceNamePrefix\": {\"value\":\"demoApp\"} }" ``` The parameters to create the managed resources: - `appServicePlanName`: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. - `appServiceNamePrefix`: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure.-- `storageAccountNamePrefix`: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. 
If so, choose a different prefix.-- `storageAccountType`: The options are Premium_LRS, Standard_LRS, and Standard_GRS. # [Portal](#tab/azure-portal) The parameters to create the managed resources: - **App Service plan name**: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. - **App Service name prefix**: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure. -1. Enter a prefix for the storage account name and select the storage account type. Select **Next**. -- :::image type="content" source="./media/deploy-service-catalog-quickstart/storage-settings.png" alt-text="Screenshot that shows the information needed to create a storage account."::: -- - **Storage account name prefix**: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix. - - **Storage account type**: Select **Change type** to choose a storage account type. The default is Standard_LRS. The other options are Premium_LRS, Standard_LRS, and Standard_GRS. - ### Deploy the managed application -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Run the following command to deploy the managed application. After the service catalog managed application is deployed, you have two new reso After the deployment is finished, you can check your managed application's status. 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Run the following command to check the managed application's status. Select the managed application's name to get more information like the link to t You can view the resources deployed to the managed resource group. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To display the managed resource group's resources, run the following command. You created the `$mrgname` variable when you created the parameters. The role assignment gives the application's publisher access to manage the stora When you're finished with the managed application, you can delete the resource groups and that removes all the resources you created. For example, in this quickstart you created the resource groups _applicationGroup_ and a managed resource group with the prefix _mrg-sampleManagedApplication_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group. |
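Review bot: the hunks remove the storage account name prefix and type from the PowerShell `$params`, the CLI `params`, the portal step and the parameter descriptions, but the context line "The role assignment gives the application's publisher access to manage the stora..." shows that the later section still explains the publisher's role assignment in terms of the storage account that this change deletes from the deployment. Update that sentence so it describes the App Service resources that are now deployed, otherwise the quickstart ends by describing access to a resource the reader never created.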
azure-resource-manager | Publish Bicep Definition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-bicep-definition.md | Title: Use Bicep to create and publish an Azure Managed Application definition description: Describes how to use Bicep to create and publish an Azure Managed Application definition in your service catalog. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Use Bicep to create and publish an Azure Managed Application definition param appServicePlanName string @maxLength(47) param appServiceNamePrefix string -@description('Storage account name prefix.') -@maxLength(11) -param storageAccountNamePrefix string --@description('Storage account type allowed values') -@allowed([ - 'Premium_LRS' - 'Standard_LRS' - 'Standard_GRS' -]) -param storageAccountType string --var appServicePlanSku = 'F1' +var appServicePlanSku = 'B1' var appServicePlanCapacity = 1 var appServiceName = '${appServiceNamePrefix}${uniqueString(resourceGroup().id)}'-var storageAccountName = '${storageAccountNamePrefix}${uniqueString(resourceGroup().id)}' -var appServiceStorageConnectionString = 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};Key=${storageAccount.listKeys().keys[0].value}' +var linuxFxVersion = 'DOTNETCORE|8.0' -resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = { +resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = { name: appServicePlanName location: location sku: { name: appServicePlanSku capacity: appServicePlanCapacity }+ kind: 'linux' + properties: { + zoneRedundant: false + reserved: true + } } -resource appServiceApp 'Microsoft.Web/sites@2023-12-01' = { +resource appService 'Microsoft.Web/sites@2023-01-01' = { name: appServiceName location: location properties: { serverFarmId: appServicePlan.id httpsOnly: true+ redundancyMode: 'None' siteConfig: {- appSettings: [ - { - name: 
'AppServiceStorageConnectionString' - value: appServiceStorageConnectionString - } - ] + linuxFxVersion: linuxFxVersion + minTlsVersion: '1.2' + ftpsState: 'Disabled' } } } -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = { - name: storageAccountName - location: location - sku: { - name: storageAccountType - } - kind: 'StorageV2' - properties: { - accessTier: 'Hot' - allowSharedKeyAccess: false - minimumTlsVersion: 'TLS1_2' - } -} --output appServicePlan string = appServicePlan.name -output appServiceApp string = appServiceApp.properties.defaultHostName -output storageAccount string = storageAccount.properties.primaryEndpoints.blob +output appServicePlan string = appServicePlanName +output appServiceApp string = appService.properties.defaultHostName ``` ## Convert Bicep to JSON Use PowerShell or Azure CLI to build the _mainTemplate.json_ file. Go to the directory where you saved your Bicep file and run the `build` command. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```powershell bicep build mainTemplate.bicep After the Bicep file is converted to JSON, your _mainTemplate.json_ file should "metadata": { "_generator": { "name": "bicep",- "version": "0.27.1.19265", - "templateHash": "1262990362980206722" + "version": "0.30.3.12046", + "templateHash": "16466621031230437685" } }, "parameters": { After the Bicep file is converted to JSON, your _mainTemplate.json_ file should "metadata": { "description": "App Service name prefix." }- }, - "storageAccountNamePrefix": { - "type": "string", - "maxLength": 11, - "metadata": { - "description": "Storage account name prefix." 
- } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ], - "metadata": { - "description": "Storage account type allowed values" - } } }, "variables": {- "appServicePlanSku": "F1", + "appServicePlanSku": "B1", "appServicePlanCapacity": 1, "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",- "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]" + "linuxFxVersion": "DOTNETCORE|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms",- "apiVersion": "2023-12-01", + "apiVersion": "2023-01-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[variables('appServicePlanSku')]", "capacity": "[variables('appServicePlanCapacity')]"+ }, + "kind": "linux", + "properties": { + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites",- "apiVersion": "2023-12-01", + "apiVersion": "2023-01-01", "name": "[variables('appServiceName')]", "location": "[parameters('location')]", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "httpsOnly": true,+ "redundancyMode": "None", "siteConfig": {- "appSettings": [ - { - "name": "AppServiceStorageConnectionString", - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" } }, "dependsOn": [- "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + 
"[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ]- }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-04-01", - "name": "[variables('storageAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "kind": "StorageV2", - "properties": { - "accessTier": "Hot", - "allowSharedKeyAccess": false, - "minimumTlsVersion": "TLS1_2" - } } ], "outputs": { After the Bicep file is converted to JSON, your _mainTemplate.json_ file should }, "appServiceApp": { "type": "string",- "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-12-01').defaultHostName]" - }, - "storageAccount": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').primaryEndpoints.blob]" + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" } } } After the Bicep file is converted to JSON, your _mainTemplate.json_ file should As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes. -In this example, the user interface prompts you to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure. +In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. 
During deployment of _mainTemplate.json_ the `appServiceName` variables uses the `uniqueString` function to append a 13-character string to the name prefix so the name is globally unique across Azure. Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. Add the following JSON code to the file and save it. "visible": true } ]- }, - { - "name": "storageConfig", - "label": "Storage settings", - "subLabel": { - "preValidation": "Configure the storage settings", - "postValidation": "Completed" - }, - "elements": [ - { - "name": "storageAccounts", - "type": "Microsoft.Storage.MultiStorageAccountCombo", - "label": { - "prefix": "Storage account name prefix", - "type": "Storage account type" - }, - "toolTip": { - "prefix": "Enter maximum of 11 lowercase letters or numbers.", - "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS." - }, - "defaultValue": { - "type": "Standard_LRS" - }, - "constraints": { - "allowedTypes": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ] - }, - "visible": true - } - ] } ], "outputs": { "location": "[location()]", "appServicePlanName": "[steps('webAppSettings').appServicePlanName]",- "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]", - "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]", - "storageAccountType": "[steps('storageConfig').storageAccounts.type]" + "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]" } } } Add the two files to a package file named _app.zip_. The two files must be at th Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder `<pkgstorageaccountname>` including the angle brackets (`<>`), with your unique storage account name. 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) In Visual Studio Code, open a new PowerShell terminal and sign in to your Azure subscription. $pkgstorageaccount = New-AzStorageAccount @pkgstorageparms The `$pkgstorageparms` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values. -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md) and [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file. This example uses a security group, and your Microsoft Entra account should be a To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $principalid=(Get-AzADGroup -DisplayName <managedAppDemo>).Id principalid=$(az ad group show --group <managedAppDemo> --query id --output tsv) Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use the variable's value when you deploy the managed application definition. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $roleid=(Get-AzRoleDefinition -Name Owner).Id The following table describes the parameter values for the managed application d | Parameter | Value | | - | - | | `managedApplicationDefinitionName` | Name of the managed application definition. For this example, use _sampleBicepManagedApplication_.|-| `packageFileUri` | Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. The format is `https://yourStorageAccountName.blob.core.windows.net/appcontainer/app.zip`. | +| `packageFileUri` | Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. | | `principalId` | The publishers principal ID that needs permissions to manage resources in the managed resource group. Use your `principalid` variable's value. | | `roleId` | Role ID for permissions to the managed resource group. For example Owner, Contributor, Reader. Use your `roleid` variable's value. | When you deploy the managed application's definition, it becomes available in yo Create a resource group named _bicepDefinitionGroup_ and deploy the managed application definition. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name bicepDefinitionGroup -Location westus az deployment group create \ Run the following command to verify the definition is published in your service catalog. 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell Get-AzManagedApplicationDefinition -ResourceGroupName bicepDefinitionGroup If you're going to deploy the definition, continue with the **Next steps** secti If you're finished with the managed application definition, you can delete the resource groups you created named _packageStorageGroup_ and _bicepDefinitionGroup_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group. |
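Review bot: In the _mainTemplate.bicep_ hunk, the removed block paired `allowSharedKeyAccess: false` on the storage account with an app setting built from `storageAccount.listKeys().keys[0].value`, so the deployed site carried an account key that the account itself was configured to reject; dropping the storage account and the `AppServiceStorageConnectionString` setting together resolves that inconsistency, and the added `minTlsVersion: '1.2'` and `ftpsState: 'Disabled'` beside the existing `httpsOnly: true` are the right hardening for the site. Two smaller points: `output appServicePlan string = appServicePlanName` now echoes the input parameter instead of `appServicePlan.name` (same value, so fine, but worth a comment), and in the added createUiDefinition prose "the `appServiceName` variables uses" should read "variable uses".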
azure-resource-manager | Publish Service Catalog App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-app.md | Title: Create and publish Azure Managed Application in service catalog description: Describes how to create and publish an Azure Managed Application in your service catalog using Azure PowerShell, Azure CLI, or Azure portal. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Create and publish an Azure Managed Application definition Every managed application definition includes a file named _mainTemplate.json_. Open Visual Studio Code, create a file with the case-sensitive name _mainTemplate.json_ and save it. -Add the following JSON and save the file. It defines the resources to deploy an App Service, App Service plan, and storage account for the application. This storage account isn't used to store the managed application definition. +Add the following JSON and save the file. It defines the resources to deploy an App Service and App Service plan. The template uses the App Service Basic plan (B1) that has pay-as-you-go costs. For more information, see [Azure App Service on Linux pricing](https://azure.microsoft.com/pricing/details/app-service/linux/). ```json { Add the following JSON and save the file. It defines the resources to deploy an "metadata": { "description": "App Service name prefix." }- }, - "storageAccountNamePrefix": { - "type": "string", - "maxLength": 11, - "metadata": { - "description": "Storage account name prefix." 
- } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ], - "metadata": { - "description": "Storage account type allowed values" - } } }, "variables": {- "appServicePlanSku": "F1", + "appServicePlanSku": "B1", "appServicePlanCapacity": 1, "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",- "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]" + "linuxFxVersion": "DOTNETCORE|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms",- "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[variables('appServicePlanSku')]", "capacity": "[variables('appServicePlanCapacity')]"+ }, + "kind": "linux", + "properties": { + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites",- "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[variables('appServiceName')]", "location": "[parameters('location')]", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "httpsOnly": true,+ "redundancyMode": "None", "siteConfig": {- "appSettings": [ - { - "name": "AppServiceStorageConnectionString", - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').keys[0].value)]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" } }, "dependsOn": [- "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + 
"[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ]- }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-01-01", - "name": "[variables('storageAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "kind": "StorageV2", - "properties": { - "accessTier": "Hot", - "allowSharedKeyAccess": false, - "minimumTlsVersion": "TLS1_2" - } } ], "outputs": { Add the following JSON and save the file. It defines the resources to deploy an }, "appServiceApp": { "type": "string",- "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-09-01').defaultHostName]" - }, - "storageAccount": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" } } } Add the following JSON and save the file. It defines the resources to deploy an As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes. -In this example, the user interface prompts you to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure. +In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. 
During deployment of _mainTemplate.json_ the `appServiceName` variables uses the `uniqueString` function to append a 13-character string to the name prefix so the name is globally unique across Azure. Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. Add the following JSON code to the file and save it. "visible": true } ]- }, - { - "name": "storageConfig", - "label": "Storage settings", - "subLabel": { - "preValidation": "Configure the storage settings", - "postValidation": "Completed" - }, - "elements": [ - { - "name": "storageAccounts", - "type": "Microsoft.Storage.MultiStorageAccountCombo", - "label": { - "prefix": "Storage account name prefix", - "type": "Storage account type" - }, - "toolTip": { - "prefix": "Enter maximum of 11 lowercase letters or numbers.", - "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS." - }, - "defaultValue": { - "type": "Standard_LRS" - }, - "constraints": { - "allowedTypes": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ] - }, - "visible": true - } - ] } ], "outputs": { "location": "[location()]", "appServicePlanName": "[steps('webAppSettings').appServicePlanName]",- "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]", - "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]", - "storageAccountType": "[steps('storageConfig').storageAccounts.type]" + "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]" } } } Add the two files to a package file named _app.zip_. The two files must be at th Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder `<pkgstorageaccountname>` including the angle brackets (`<>`), with your unique storage account name. 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) In Visual Studio Code, open a new PowerShell terminal and sign in to your Azure subscription. $pkgstorageaccount = New-AzStorageAccount @pkgstorageparms The `$pkgstorageparms` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values. -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md) and [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file. Create a storage account in a new resource group: - **Resource group**: Select **Create new** to create the _packageStorageGroup_ resource group. - **Storage account name**: Enter a unique storage account name. 
The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers.- - **Region**: _West US3_ + - **Region**: _West US_ - **Performance**: _Standard_ - **Redundancy**: _Locally-redundant storage (LRS)_. In this section, you get identity information from Microsoft Entra ID, create a The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use this variable's value when you deploy the managed application definition. In the portal, the group ID and role ID are configured when you publish the mana ### Publish the managed application definition -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Create a resource group for your managed application definition. To publish a managed application definition from the Azure portal, use the follo - Create a new resource group named _appDefinitionGroup_. - **Instance details**: - **Name**: Enter a name like _instance-name_. The name isn't used in the definition but the form requires an entry.- - **Region**: _West US3_ + - **Region**: _West US_ - **Application details**: - **Name**: _sampleManagedApplication_ - **Display name**: _Sample managed application_ To publish a managed application definition from the Azure portal, use the follo - **Roles**: Select _Owner_. - **Select principals**: Select your group's name like _managedAppDemo_. 
- The **Lock level** on the managed resource group prevents the customer from performing undesirable operations on this resource group. Currently, `Read Only` is the only supported lock level. `Read Only` specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level. + The **Lock level** on the managed resource group prevents the customer from performing undesirable operations on this resource group. `Read Only` specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level. 1. After **Validation Passed** is displayed, select **Create**. If you're going to deploy the definition, continue with the **Next steps** secti If you're finished with the managed application definition, you can delete the resource groups you created named _packageStorageGroup_ and _appDefinitionGroup_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group. |
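Review bot: In the portal publishing hunk, the **Lock level** paragraph drops the sentence "Currently, `Read Only` is the only supported lock level" but the text that remains still describes only `Read Only`; if other lock levels are now selectable in the portal they should be named, otherwise the original sentence should stay so readers know there is nothing else to choose. In the _mainTemplate.json_ hunk the same `listKeys(...)` connection string and `allowSharedKeyAccess: false` storage account are removed as in the Bicep article, and `minTlsVersion`/`ftpsState` are added; the new description line correctly warns that the B1 plan is pay-as-you-go, which the F1 version did not need. The `- **Region**: _West US3_` to `_West US_` edits appear twice and should be consistent with the location used by the command-line tabs of this article.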
azure-resource-manager | Publish Service Catalog Bring Your Own Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-bring-your-own-storage.md | Title: Bring your own storage to create and publish an Azure Managed Application description: Describes how to bring your own storage to create and publish an Azure Managed Application definition in your service catalog. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Bring your own storage to create and publish an Azure Managed Application definition Add the following JSON and save the file. It defines the managed application's r "metadata": { "description": "App Service name prefix." }- }, - "storageAccountNamePrefix": { - "type": "string", - "maxLength": 11, - "metadata": { - "description": "Storage account name prefix." - } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ], - "metadata": { - "description": "Storage account type allowed values" - } } }, "variables": {- "appServicePlanSku": "F1", + "appServicePlanSku": "B1", "appServicePlanCapacity": 1, "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",- "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]" + "linuxFxVersion": "DOTNETCORE|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms",- "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[variables('appServicePlanSku')]", "capacity": "[variables('appServicePlanCapacity')]"+ }, + "kind": "linux", + "properties": { + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites",- "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": 
"[variables('appServiceName')]", "location": "[parameters('location')]", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "httpsOnly": true,+ "redundancyMode": "None", "siteConfig": {- "appSettings": [ - { - "name": "AppServiceStorageConnectionString", - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').keys[0].value)]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" } }, "dependsOn": [- "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ]- }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-01-01", - "name": "[variables('storageAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "kind": "StorageV2", - "properties": { - "accessTier": "Hot", - "allowSharedKeyAccess": false, - "minimumTlsVersion": "TLS1_2" - } } ], "outputs": { Add the following JSON and save the file. It defines the managed application's r }, "appServiceApp": { "type": "string",- "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-09-01').defaultHostName]" - }, - "storageAccount": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" } } } Add the following JSON and save the file. 
It defines the managed application's r As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes. -In this example, the user interface prompts you to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure. +In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. During deployment of _mainTemplate.json_ the `appServiceName` variables uses the `uniqueString` function to append a 13-character string to the name prefix so the name is globally unique across Azure. Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. Add the following JSON code to the file and save it. "visible": true } ]- }, - { - "name": "storageConfig", - "label": "Storage settings", - "subLabel": { - "preValidation": "Configure the storage settings", - "postValidation": "Completed" - }, - "elements": [ - { - "name": "storageAccounts", - "type": "Microsoft.Storage.MultiStorageAccountCombo", - "label": { - "prefix": "Storage account name prefix", - "type": "Storage account type" - }, - "toolTip": { - "prefix": "Enter maximum of 11 lowercase letters or numbers.", - "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS." 
- }, - "defaultValue": { - "type": "Standard_LRS" - }, - "constraints": { - "allowedTypes": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ] - }, - "visible": true - } - ] } ], "outputs": { "location": "[location()]", "appServicePlanName": "[steps('webAppSettings').appServicePlanName]",- "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]", - "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]", - "storageAccountType": "[steps('storageConfig').storageAccounts.type]" + "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]" } } } Add the two files to a package file named _app.zip_. The two files must be at th Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder `<pkgstorageaccountname>` including the angle brackets (`<>`), with your unique storage account name. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name packageStorageGroup -Location westus $pkgstorageaccount = New-AzStorageAccount @pkgstorageparms The `$pkgstorageparms` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values. -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. 
For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md) and [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file. Create the storage account for your managed application definition. The storage This example creates a new resource group named `byosDefinitionStorageGroup`. In the command, replace the placeholder `<byosaccountname>` including the angle brackets (`<>`), with your unique storage account name. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name byosDefinitionStorageGroup -Location westus byosstorageid=$(az storage account show --resource-group $byosrg --name $byosstg Before you deploy your managed application definition to your storage account, assign the **Contributor** role to the **Appliance Resource Provider** user at the storage account scope. This assignment lets the identity write definition files to your storage account's container. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) You can use variables to set up the role assignment. This example uses the `$byosstorageid` variable you created in the previous step and creates the `$arpid` variable. 
This example uses a security group, and your Microsoft Entra account should be a To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $principalid=(Get-AzADGroup -DisplayName <managedAppDemo>).Id principalid=$(az ad group show --group <managedAppDemo> --query id --output tsv) Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use the variable's value when you deploy the managed application definition. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $roleid=(Get-AzRoleDefinition -Name Owner).Id The following table describes the parameter values for the managed application d | - | - | | `managedApplicationDefinitionName` | Name of the managed application definition. For this example, use _sampleByosManagedApplication_.| | `definitionStorageResourceID` | Resource ID for the storage account where the definition is stored. Use your `byosstorageid` variable's value. |-| `packageFileUri` | Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. The format is `https://yourStorageAccountName.blob.core.windows.net/appcontainer/app.zip`. | +| `packageFileUri` | Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. | | `principalId` | The publishers Principal ID that needs permissions to manage resources in the managed resource group. Use your `principalid` variable's value. | | `roleId` | Role ID for permissions to the managed resource group. For example Owner, Contributor, Reader. Use your `roleid` variable's value. 
| When you deploy the managed application's definition, it becomes available in yo Create a resource group named _byosAppDefinitionGroup_ and deploy the managed application definition to your storage account. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name byosAppDefinitionGroup -Location westus az deployment group create \ During deployment, the template's `storageAccountId` property uses your storage account's resource ID and creates a new container with the case-sensitive name `applicationdefinitions`. The files from the _.zip_ package you specified during the deployment are stored in the new container. -You can use the following commands to verify that the managed application definition files are saved in your storage account's container. In the command, replace the placeholder `<byosaccountname>` including the angle brackets (`<>`), with your unique storage account name. +You can use the following commands to verify that the managed application definition files are saved in your storage account's container. 
-# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell Get-AzStorageContainer -Name applicationdefinitions -Context $byosstoragecontext | After a successful deployment, to improve the storage account's security, disabl To review and update the storage account's shared access key settings, use the following commands: -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell (Get-AzStorageAccount -ResourceGroupName $byosstorageaccount.ResourceGroupName -Name $byosstorageaccount.StorageAccountName).AllowSharedKeyAccess If you're going to deploy the definition, continue with the **Next steps** secti If you're finished with the managed application definition, you can delete the resource groups you created named _packageStorageGroup_, _byosDefinitionStorageGroup_, and _byosAppDefinitionGroup_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group. |
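Review bot: the new `minTlsVersion: "1.2"`, `ftpsState: "Disabled"` and `redundancyMode: "None"` entries added to `siteConfig` in _mainTemplate.json_ arrive with no explanation in the surrounding text; one sentence saying the sample now enforces TLS 1.2 and disables FTP/FTPS deployment would tell readers why these properties are there. The removed `AppServiceStorageConnectionString` app setting had pulled a storage account key into the site's configuration through `listKeys(...)`, so deleting it together with the `Microsoft.Storage/storageAccounts` resource also takes a plaintext key out of the deployed app settings, which the article could state as a benefit of the simplified sample.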
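Review bot: the added paragraph in the _createUiDefinition.json_ section has a grammar slip: "the `appServiceName` variables uses the `uniqueString` function" should read "the `appServiceName` variable uses", and "During deployment of _mainTemplate.json_ the" needs a comma after the file name.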
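Review bot: in the parameter table, the `principalId` row reads "The publishers Principal ID"; it should be "The publisher's principal ID". Dropping the `https://yourStorageAccountName.blob.core.windows.net/appcontainer/app.zip` format from the `packageFileUri` row also removes the only place the expected URI shape was spelled out, so the row should at least point to the step where the `packageuri` variable is built.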
azure-resource-manager | Reference Main Template Artifact | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/reference-main-template-artifact.md | Title: Template artifact reference description: Provides an example of the deployment template artifact for Azure Managed Applications. Previously updated : 06/21/2024 Last updated : 09/22/2024 # Reference: Deployment template artifact The following JSON shows an example of _mainTemplate.json_ file for Azure Manage ```json {- "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "location": { "type": "string",- "defaultValue": "eastus", - "allowedValues": [ - "australiaeast", - "eastus", - "westeurope" - ], - "metadata": { - "description": "Location for the resources." - } - }, - "funcname": { - "type": "string", - "metadata": { - "description": "Name of the Azure Function that hosts the code. Must be globally unique" - }, - "defaultValue": "" + "defaultValue": "[resourceGroup().location]" },- "storageName": { + "appServicePlanName": { "type": "string",+ "maxLength": 40, "metadata": {- "description": "Name of the storage account that hosts the function. Must be globally unique. The field can contain only lowercase letters and numbers. Name must be between 3 and 24 characters" - }, - "defaultValue": "" + "description": "App Service plan name." + } },- "zipFileBlobUri": { + "appServiceNamePrefix": { "type": "string",- "defaultValue": "https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.customproviders/custom-rp-with-function/artifacts/functionzip/functionpackage.zip", + "maxLength": 47, "metadata": {- "description": "The Uri to the uploaded function zip file" + "description": "App Service name prefix." 
} } }, "variables": {- "customrpApiversion": "2018-09-01-preview", - "customProviderName": "public", - "serverFarmName": "functionPlan" + "appServicePlanSku": "B1", + "appServicePlanCapacity": 1, + "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]", + "linuxFxVersion": "DOTNETCORE|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms",- "apiVersion": "2016-09-01", - "name": "[variables('serverFarmName')]", + "apiVersion": "2023-01-01", + "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": {- "name": "Y1", - "tier": "Dynamic", - "size": "Y1", - "family": "Y", - "capacity": 0 + "name": "[variables('appServicePlanSku')]", + "capacity": "[variables('appServicePlanCapacity')]" },- "kind": "functionapp", + "kind": "linux", "properties": {- "name": "[variables('serverFarmName')]", - "perSiteScaling": false, - "reserved": false, - "targetWorkerCount": 0, - "targetWorkerSizeId": 0 + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites",- "kind": "functionapp", - "name": "[parameters('funcname')]", - "apiVersion": "2018-02-01", + "apiVersion": "2023-01-01", + "name": "[variables('appServiceName')]", "location": "[parameters('location')]",- "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]", - "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]" - ], - "identity": { - "type": "SystemAssigned" - }, "properties": {- "name": "[parameters('funcname')]", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", + "httpsOnly": true, + "redundancyMode": "None", "siteConfig": {- "appSettings": [ - { - "name": "AzureWebJobsDashboard", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2015-05-01-preview').key1)]" - 
}, - { - "name": "AzureWebJobsStorage", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2015-05-01-preview').key1)]" - }, - { - "name": "FUNCTIONS_EXTENSION_VERSION", - "value": "~2" - }, - { - "name": "AzureWebJobsSecretStorageType", - "value": "Files" - }, - { - "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2015-05-01-preview').key1)]" - }, - { - "name": "WEBSITE_CONTENTSHARE", - "value": "[concat(toLower(parameters('funcname')), 'b86e')]" - }, - { - "name": "WEBSITE_NODE_DEFAULT_VERSION", - "value": "6.5.0" - }, - { - "name": "WEBSITE_RUN_FROM_PACKAGE", - "value": "[parameters('zipFileBlobUri')]" - } - ] - }, - "clientAffinityEnabled": false, - "reserved": false, - "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]" - } - }, - { - "type": "Microsoft.Storage/storageAccounts", - "name": "[parameters('storageName')]", - "apiVersion": "2018-02-01", - "kind": "StorageV2", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_LRS" - } - }, - { - "apiVersion": "[variables('customrpApiversion')]", - "type": "Microsoft.CustomProviders/resourceProviders", - "name": "[variables('customProviderName')]", - "location": "[parameters('location')]", - "properties": { - "actions": [ - { - "name": "ping", - "routingType": "Proxy", - "endpoint": "[listSecrets(resourceId('Microsoft.Web/sites/functions', parameters('funcname'), 'HttpTrigger1'), '2018-02-01').trigger_url]" - }, - { - "name": "users/contextAction", - "routingType": "Proxy", - "endpoint": "[listSecrets(resourceId('Microsoft.Web/sites/functions', parameters('funcname'), 'HttpTrigger1'), '2018-02-01').trigger_url]" - } - ], - 
"resourceTypes": [ - { - "name": "users", - "routingType": "Proxy,Cache", - "endpoint": "[listSecrets(resourceId('Microsoft.Web/sites/functions', parameters('funcname'), 'HttpTrigger1'), '2018-02-01').trigger_url]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" + } }, "dependsOn": [- "[concat('Microsoft.Web/sites/',parameters('funcname'))]" + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ] } ],- "outputs": {} + "outputs": { + "appServicePlan": { + "type": "string", + "value": "[parameters('appServicePlanName')]" + }, + "appServiceApp": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" + } + } } ``` ## Next steps -- [Tutorial: Create managed application with custom actions and resources](tutorial-create-managed-app-with-custom-provider.md) - [Reference: User interface elements artifact](reference-createuidefinition-artifact.md) - [Reference: View definition artifact](reference-view-definition-artifact.md) |
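Review bot: the `maxLength` values on the new parameters need a word in their `description` metadata: `appServiceNamePrefix` is capped at 47 and `appServiceName` appends `uniqueString(resourceGroup().id)`, a 13-character string, so the site name lands exactly on the 60-character limit for `Microsoft.Web/sites`; a reader who raises the cap will not see why 47 was chosen. The rewrite also removes the `listKeys(...)` and `listSecrets(...).trigger_url` expressions that wrote a storage key into `appSettings` and function trigger URLs into the custom provider endpoints, and adds `httpsOnly: true`, `minTlsVersion: "1.2"` and `ftpsState: "Disabled"`; the `identity` block went with them, so the sample no longer shows a managed identity, which fits a template with no storage dependency but is worth one line in the article text.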
azure-resource-manager | Request Just In Time Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/request-just-in-time-access.md | Title: Request just-in-time access description: Describes how publishers of Azure Managed Applications request just-in-time access to a managed application.- Last updated 06/24/2024- # Enable and request just-in-time access for Azure Managed Applications |
cdn | Tier Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/tier-migration.md | Title: About Azure CDN from Microsoft (classic) to Azure Front Door migration (preview) + Title: About Azure CDN from Microsoft (classic) to Azure Front Door migration description: This article explains the migration process and changes expected when changing from Azure CDN from Microsoft (classic) to Azure Front Door Standard or Premium tier. Last updated 06/25/2024 -# About Azure CDN from Microsoft (classic) to Azure Front Door migration (preview) --> [!IMPORTANT] -> Azure CDN from Microsoft to Azure Front Door migration is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +# About Azure CDN from Microsoft (classic) to Azure Front Door migration Azure Front Door Standard and Premium tier were released in March 2022 as the next generation content delivery network service. The newer tiers combine the capabilities of Azure Front Door (classic), Microsoft CDN (classic), and Web Application Firewall (WAF). With features such as Private Link integration, enhanced rules engine and advanced diagnostics you have the ability to secure and accelerate your web applications to bring a better experience to your customers. |
communication-services | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/best-practices.md | This article provides information about best practices related to the Azure Comm [!INCLUDE [Native](includes/best-practices-native.md)] ::: zone-end -## Next steps -For more information, see the following articles: +## Related content - [Improve and manage call quality](./voice-video-calling/manage-call-quality.md)-- [Call Diagnostics](./voice-video-calling/call-diagnostics.md)+- [Use Call Diagnostics to diagnose call problems](./voice-video-calling/call-diagnostics.md) - [Add voice calling to your app](../quickstarts/voice-video-calling/getting-started-with-calling.md)-- [Use the UI Library for enhance calling experiences](./ui-library/ui-library-overview.md)+- [Use the UI Library for enhanced calling experiences](./ui-library/ui-library-overview.md) |
communication-services | Capabilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/guest/capabilities.md | This article describes which capabilities Azure Communication Services SDKs supp | Group of features | Capability | Supported | | -- | - | - | -| Core capabilities | Join Teams meeting via URL | ✔️ | -| | Join Teams meeting via meeting ID & passcode | ✔️ | +| Core capabilities | Join Teams for Work meeting [7] via URL | ✔️ | +| | Join Teams for Work meeting [7] via meeting ID & passcode | ✔️ | +| | Join Teams for Home meeting [7] | ❌ | | | Join [end-to-end encrypted Teams meeting](/microsoftteams/teams-end-to-end-encryption) | ❌ | | | Join channel Teams meeting | ✔️ [1]| | | Join Teams [webinars](/microsoftteams/plan-webinars) | ❌ | This article describes which capabilities Azure Communication Services SDKs supp 1. The Communication Services calling SDK doesn't receive a signal that a user is admitted and waiting for the meeting to start. The UI library doesn't support chat while waiting for the meeting to start. 1. The Communication Services chat SDK shows the real identity of attendees. 1. Functionality isn't available for users who aren't part of the organization.+1. If you are using Microsoft 365 work and school account then you use Teams for Work. If you schedule a meeting with this identity, the meeting's URL ends with `teams.microsoft.com`. If you are using personal account then you use Teams for Home. If you schedule a meeting with this identity, the meeting's URL ends with `teams.live.com`. Learn more about those accounts in our [documentation](https://support.microsoft.com/account-billing/what-s-the-difference-between-a-microsoft-account-and-a-work-or-school-account-72f10e1e-cab8-4950-a8da-7c45339575b0). ## Server capabilities |
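Review bot: footnote 7 has two grammar slips: "If you are using Microsoft 365 work and school account then you use Teams for Work" should read "If you use a Microsoft 365 work or school account, you use Teams for Work", and "If you are using personal account" needs "a personal account". The `teams.microsoft.com` and `teams.live.com` URL suffixes are the useful distinguishing detail here, so keeping them as the first thing in each sentence would make the footnote scan faster.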
communication-services | Troubleshooting Pstn Call Failures | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/telephony/troubleshooting-pstn-call-failures.md | Title: Troubleshooting PSTN call failures - Azure Communication Services -description: How to troubleshoot PSTN call failures by logging and viewing call codes. + Title: Troubleshoot PSTN call failures - Azure Communication Services +description: Learn how to troubleshoot PSTN call failures by logging and viewing call codes. Last updated 11/24/2023 -# Troubleshooting Azure Communication Services PSTN call failures +# Troubleshoot Azure Communication Services PSTN call failures -When troubleshooting Azure Communication Services PSTN call failures, we recommended that you [enable logging](../analytics/enable-logging.md). Then you can use `ResultCategories`, `ParticipantEndReason`, and `ParticipantEndSubCode` values to determine why an individual call ended and whether the system detected any failures. +When you're troubleshooting Azure Communication Services PSTN call failures, we recommend that you [enable logging](../analytics/enable-logging.md). Then you can use `ResultCategories`, `ParticipantEndReason`, and `ParticipantEndSubCode` values to determine why an individual call ended and whether the system detected any failures. -## Using ResultCategories to troubleshoot PSTN call failures +## Use ResultCategories to troubleshoot failures -The `ResultCategories` array is a property of the [Call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema) and contains a list of general reasons describing how the call ended. +The `ResultCategories` array is a property of the [call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema). 
It contains a list of general reasons that describe how the call ended: -General reasons that a call ended: +- `Success` +- `Failure` +- `UnexpectedClientError` +- `UnexpectedServerError` -- Success-- Failure-- UnexpectedClientError-- UnexpectedServerError+This information can help you determine why a call ended without generating a detailed error log. -This information can help developers determine why a call ended without generating a detailed error log. +## Use ParticipantEndReason and ParticipantEndSubCode to troubleshoot failures -If this level of detail isn't sufficient, then developers can use `ParticipantEndReason` and `ParticipantEndSubCode` to understand the reasons for call end in greater detail. For more information, see the next section. +If the level of detail in `ResultCategories` isn't sufficient when you're troubleshooting PSTN calls, you can use `ParticipantEndReason` and `ParticipantEndSubCode` to understand the reasons why a call ended in greater detail. `ParticipantEndReason` and `ParticipantEndSubCode` are also properties of the [call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema). -## Using ParticipantEndReason and ParticipantEndSubCode to troubleshoot PSTN call failures +### ParticipantEndReason -The `ParticipantEndReason` and `ParticipantEndSubCode` are properties of the [Call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema) and provide more details about why the call ended. +`ParticipantEndReason` is a three-digit code that shows the general call status. This code explains why the call ended and groups failures by category. For example, `ParticipantEndReason 404` means that caller or callee wasn't found. `ParticipantEndReason 500` means that a service error occurred. -When you're troubleshooting PSTN calls, use these two properties to understand why the call ended as follows: +This code is based on Session Initiation Protocol (SIP) response codes. 
For more information, see Wikipedia's [list of SIP response codes](https://en.wikipedia.org/wiki/List_of_SIP_response_codes). -- **`ParticipantEndReason`**: A three-digit code that shows the general call status. This code explains why the call ended, and groups failures by category. For example, `ParticipantEndReason 404` tells us that caller/callee wasn't found, `ParticipantEndReason 500` means that a service error occurred, and so on. This code is based on the SIP response codes. For more information, see Wikipedia's [List of SIP response codes](https://en.wikipedia.org/wiki/List_of_SIP_response_codes).+### ParticipantEndSubCode -- **`ParticipantEndSubCode`** : A more specific response code, usually six digits long, that explains in greater detail why there was a problem with the call.+`ParticipantEndSubCode` is a more specific response code that's usually six digits long. It explains in greater detail why there was a problem with the call. -## Understanding the ParticipantEndSubCode relationship +A key factor in troubleshooting Azure Communication Services PSTN calls is determining whether the final SIP response code for the call came from a Microsoft process or the user's/operator's session border controller (SBC). An easy way to determine where the code originated is to look at the `ParticipantEndSubCode` response. -A key factor in troubleshooting Azure Communication Services PSTN calls is determining whether the final response code for the call comes from a Microsoft process or the users/operators Session Border Controller (SBC). An easy way to determine where the code originated is to look at the `ParticipantEndSubCode` response. +If the `ParticipantEndSubCode` value starts with `560`, it indicates that the user's/operator's SBC generated the response code. In that case, you should check the SBC configuration. 
-If the `ParticipantEndSubCode` starts with **560**, it indicates that the response code is generated by the users/operators Session Border Controller (SBC), so developers should check their SBC configuration. +For example, if the `ParticipantEndSubCode` value is `560403`, it means that the SBC generated the final response code, and the code is `403`. In that case, you should start troubleshooting the calls by using the SBC logs. -- For example, if the `ParticipantEndSubCode` is **560403**, it means that the final response code is generated by the SBC, and the last three digits indicate SIP response code **403**. In this case, a developer should start troubleshooting the calls using the SBC logs.+For `ParticipantEndSubCode` responses that don't start with `560`, the Microsoft service generated the final response code. -For all other `ParticipantEndSubCode` responses that don't start with **560**, the final response code is generated by a Microsoft service. +## Related content -## Detailed information on individual error codes --For more information about common error codes and suggested actions, see [Troubleshooting call end response codes for Calling SDK, Call Automation SDK, and PSTN calls](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). --## Related articles --For more information, see [Troubleshooting in Azure Communication Services](../troubleshooting-info.md). +- For general troubleshooting information, see [Troubleshooting in Azure Communication Services](../troubleshooting-info.md). +- For detailed information about common error codes and suggested actions, see [Troubleshooting call end response codes for Calling SDK, Call Automation SDK, and PSTN calls](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). |
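Review bot: the rewrite of the `560` explanation drops the general rule the old text carried: for a `ParticipantEndSubCode` beginning with `560`, the last three digits are the SIP response code the SBC returned. The new text keeps only the `560403` example ("the code is `403`") and a reader has to infer the rule from it; suggest restoring a sentence such as "The last three digits are the SIP response code that the SBC returned."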
communication-services | Call Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/call-diagnostics.md | Title: Azure Communication Services Call Diagnostics- -description: Use Call Diagnostics to diagnose call issues with Azure Communication Services ++description: Learn how to use Call Diagnostics to diagnose call problems with Azure Communication Services. -Azure Communication Services offers call quality analytics and visualizations so you can investigate call metrics, events, and understand detected quality issues in your Communication Services calling solution. --Understanding your call quality and reliability is foundational to -delivering a great customer calling experience. There are various -issues that can affect the quality of your calls, such as poor internet -connectivity, software compatibility issues, and technical difficulties -with devices. These issues can be frustrating for all call participants, -whether they're a patient checking in for a doctorΓÇÖs call, or a student -taking a lesson with their teacher. As a developer, diagnosing and -fixing these issues can be time-consuming and frustrating. --Call Diagnostics acts as a detective for your calls. It helps developers -using Azure Communication Services investigate events that happened in a call to -identify likely causes of poor call quality and reliability. Just like a -real conversation, many things happen simultaneously in a call that may -or may not affect your communication. Call DiagnosticsΓÇÖ timeline makes -it easier to visualize what happened in a call by showing you rich data -visualizations of call events and providing insights into issues that -commonly affect calls. --## How to enable Call Diagnostics --Azure Communication Services collects call data in the form of metrics -and events. 
You must enable a Diagnostic Setting in Azure Monitor to -send these data to a Log Analytics workspace for Call Diagnostics to -analyze new call data. ----> [!IMPORTANT] -> Call Diagnostics canΓÇÖt query data from data that wasnΓÇÖt sent to a Log Analytics workspace. Diagnostic Settings will only begin collect data by single Azure Communications Services Resource ID once enabled. See our Frequently Asked Question on enabling Call Diagnostics [here](#frequently-asked-questions) +Azure Communication Services offers call quality analytics and visualizations in Call Diagnostics. You can use this feature to investigate call metrics, investigate events, and understand detected quality problems in your Communication Services calling solution. +Understanding call quality and reliability is foundational to delivering a great customer experience. Various problems can affect the quality of calls, such as poor internet connectivity, software incompatibilities, and technical difficulties with devices. These problems can be frustrating for all call participants, whether they're a patient checking in for a doctor's call or a student taking a lesson with a teacher. For a developer, diagnosing and fixing these problems can be time-consuming. -Since Call Diagnostics is an application layer on top of data for your -Azure Communications Service Resource, you can query these call data and -[build workbook reports on top of your data.](/azure/azure-monitor/logs/data-platform-logs#built-in-insights-and-custom-dashboards-workbooks-and-reports) +Call Diagnostics acts as a detective for calls. It helps developers who use Azure Communication Services to investigate events that happened in a call. The goal of the investigation is to identify likely causes of poor call quality and reliability. -You can access Call Diagnostics from any Azure Communication Services -Resource in your Azure portal. 
When you open your Azure Communications -Services Resource, just look for the ΓÇ£MonitoringΓÇ¥ section on the left -side of the screen and select "Call Diagnostics." +Just like a real conversation, many things happen simultaneously in a call that might or might not affect communication. The timeline in Call Diagnostics makes it easier to visualize what happened in a call. It shows you rich data visualizations of call events and provides insights into problems that commonly affect calls. -Once you have setup Call Diagnostics for your Azure Communication Services Resource, you can search for calls using valid callIDs that took place in that resource. Data can take several hours after call completion to appear in your resource and populate in Call Diagnostics. +## How to enable Call Diagnostics -**Call Diagnostics has four main sections:** +Azure Communication Services collects call data in the form of metrics and events. For Call Diagnostics to analyze new call data, you must enable a diagnostic setting in Azure Monitor. Azure Monitor then sends this data to a Log Analytics workspace. -- [Call Search](#call-search)+> [!IMPORTANT] +> Call Diagnostics can query only data that's sent to a Log Analytics workspace. Diagnostic settings begin collecting data by a single Azure Communications Services resource ID after you enable the diagnostic setting. -- [Call Overview](#call-overview)+Because Call Diagnostics is an application layer on top of data for your Azure Communications Services resource, you can query the call data and [build workbook reports on top of your data](/azure/azure-monitor/logs/data-platform-logs#built-in-insights-and-custom-dashboards-workbooks-and-reports). -- [Call Issues](#call-issues)+You can access Call Diagnostics from any Azure Communication Services resource in the Azure portal. After you open your Azure Communications Services resource, look for the **Monitoring** section on the service menu and select **Call Diagnostics**. 
-- [Call Timeline](#call-timeline)+After you set up Call Diagnostics for your Azure Communication Services resource, you can search for calls by using valid IDs for calls that took place in that resource. Data can take several hours after call completion to appear in your resource and populate in Call Diagnostics. -## Call Search +The following sections describe the main areas of the **Call Diagnostics** pane in the portal. -The search section lets you find individual calls, or filter calls to explore calls with issues. Clicking on a call takes you to a detail screen where you -see three sections, **Overview**, **Issues**, and **Timeline** for the -selected call. +## Call search -The search field allows you to search by callID. See our documentation to [access your client call ID.](../troubleshooting-info.md#access-your-client-call-id) +The portal lists all calls by default. The search box lets you find individual calls, or filter calls to explore calls that have problems. Selecting a call takes you to a detail pane that has three tabs: **Overview**, **Issues**, and **Timeline**. -![Screenshot of the Call Diagnostics Call Search showing recent calls for your Azure Communications Services Resource.](media/call-diagnostics-all-calls-3.png) +You can search by call ID in the search box. To find a call ID, see [Access your client call ID](../troubleshooting-info.md#access-your-client-call-id). +![Screenshot of a Call Diagnostics search that shows recent calls for an Azure Communications Services resource.](media/call-diagnostics-all-calls-3.png) > [!NOTE] > You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. -## Call Overview --Once you select a call from the Call Search page, your call details display in the Call Overview tab. You see a call summary highlighting -the participants in the call and key metrics for their call quality. 
You -can select a participant to drill into their call timeline details -directly or navigate to the Call Issues tab for further analysis. +## Call overview -![Screenshot of the Call Diagnostics Call Overview tab which which shows you an overview of the call you selected in the previous Call Search view.](media/call-diagnostics-call-overview-2.png) +After you select a call, its details appear on the **Overview** tab. This tab shows a call summary that highlights the participants and key metrics for their call quality. You can select a participant to drill into their call timeline details directly, or you can go to the **Issues** tab for further analysis. -> [!NOTE] -> You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. +![Screenshot of the Call Diagnostics Overview tab for a selected call.](media/call-diagnostics-call-overview-2.png) -## Call Issues +## Call issues -The Call Issues tab gives you a high-level analysis of any media quality -and reliability issues that were detected during the call. +The **Issues** tab gives you a high-level analysis of any media quality and reliability problems that Call Diagnostics detected during the call. -Call Issues highlights detected issues commonly known to affect userΓÇÖs call -quality such as poor network conditions, speaking while muted, or device -failures during a call. If you want to explore a detected issue, select -the highlighted item and you see a prepopulated view of the -related events in the Timeline tab. +This tab highlights detected problems commonly known to affect a user's call quality, such as poor network conditions, speaking while muted, or device failures. If you want to explore a detected problem, select the highlighted item. A prepopulated view of the related events appears on the **Timeline** tab. 
-![Screenshot of the Call Diagnostics Call Issues tab showing you the top issues detected in the call you selected.](media/call-diagnostics-call-issues-2.png) +![Screenshot of the Call Diagnostics Issues tab that shows the top problems detected in a selected call.](media/call-diagnostics-call-issues-2.png) -> [!NOTE] -> You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. +## Call timeline -## Call Timeline +When call problems are difficult to troubleshoot, you can explore the **Timeline** tab to see a detailed sequence of events that occurred during the call. -When call issues are difficult to troubleshoot, you can explore the -timeline tab to see a detailed sequence of events that occurred during -the call. +The timeline view is complex. It's designed for developers who need to explore details of a call and interpret detailed debugging data. In large calls, the timeline view can present an overwhelming amount of information. We recommend that you use filtering to narrow your search results and reduce complexity. -The timeline view is complex and designed for developers who need to explore details of a call and interpret detailed debugging data. In -large calls the timeline view can present an overwhelming amount of -information, we recommend relying on filtering to narrow your search -results and reduce complexity. +You can view detailed call logs for each participant within a call. Call information might not be present for various reasons, such as privacy constraints between calling resources. -You can view detailed call logs for each participant within a call. Call information may not be present due to various reasons such as privacy constraints between different calling resources. See frequently asked questions to learn more. 
--![Screenshot of the Call Diagnostics Call Timeline tab showing you the detailed events in a timeline view for the call you selected.](media/call-diagnostics-call-timeline-2.png) +![Screenshot of the Call Diagnostics Timeline tab that shows detailed events in a timeline view for a selected call.](media/call-diagnostics-call-timeline-2.png) ## Copilot in Azure for Call Diagnostics -Artificial Intelligence can help app developers across every step of the development lifecycle: designing, building, and operating. Developers with [Microsoft Copilot in Azure (preview)](/azure/copilot/overview) can use Copilot in Azure within Call Diagnostics to understand and resolve a variety of calling issues. For example, developers can ask Copilot in Azure questions, such as: +AI can help app developers across every step of the development lifecycle: designing, building, and operating. Developers can use [Microsoft Copilot in Azure (preview)](/azure/copilot/overview) within Call Diagnostics to understand and resolve a variety of calling problems. For example, developers can ask Copilot in Azure these questions: - How do I run network diagnostics in Azure Communication Services VoIP calls? - How can I optimize my calls for poor network conditions?-- What are the common causes of poor media streams in Azure Communication calls?-- The video on my call didnΓÇÖt work, how do I fix the subcode 41048?--![Screenshot of the Call Diagnostics Call Search showing recent calls for your Azure Communications Services Resource and the response from Copilot in Azure.](media/call-diagnostics-all-calls-copilot.png) --<!-- > [!NOTE] -> You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. --> ---<!-- # Common issues --Issue categories can include: --- Azure Communication Services issue--- Calling deployment issue--- Network issue--- User actions or inactions (e.g. not allowing device permissions),- driving through a tunnel. 
--To help you get started, you will find below the steps to triage common -issues using Call Diagnostics. --***ΓÇ£Other participants couldnΓÇÖt hear me on the callΓÇ¥*** --Dive into the audio section for the participant to see if there are any -issues detected. In the case below, we see that the microphone was muted -unexpectedly. In other cases, we might see errors with the deviceΓÇÖs set -up and permissions. --(**<u>TODO insert image)</u>** --***ΓÇ£My video was choppy and pixelatedΓÇ¥*** -Explore the video section for the participant to see if a poor network -connection in a call may have caused the issue. --(**<u>TODO insert image)</u>** --***ΓÇ£My call unexpectedly droppedΓÇ¥*** -**<u>TODO -</u>** Show how you might drill down to show the end-user -lost connection. --(**<u>TODO insert image)</u>** --***ΓÇ£Other participants couldnΓÇÖt see me on the callΓÇ¥*** -Show how you might drill down to show the status of the camera in the -call and any detected failures. --(**<u>TODO insert image)</u>** --## Call quality resources --Ensuring good call quality starts with your calling setup, please -explore our documentation to learn how you can use the UI Library to -benefit from our quality and reliability tools \<[link to manage call -quality](https://learn.microsoft.com/azure/communication-services/concepts/voice-video-calling/manage-call-quality)\>. --> --## Frequently asked questions: --- **How do I set up Call Diagnostics?**- - Follow instructions to add diagnostic settings for your resource here [Enable logs via Diagnostic Settings in Azure Monitor.](../analytics/enable-logging.md) We recommend you initially collect all logs and then determine which logs you want to retain and for how long after you have an understanding of the capabilities in Azure Monitor. When adding your diagnostic setting you are prompted to [select logs](../analytics/enable-logging.md#adding-a-diagnostic-setting), select "**allLogs**" to collect all logs. 
-- - Your data volume, retention, and Call Diagnostics query usage in Log Analytics within Azure Monitor is billed through existing Azure data meters. We recommend you monitor your data usage and retention policies for cost considerations as needed. See: [Controlling costs.](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs) -- - If you have multiple Azure Communications Services Resource IDs you must enable these settings for each resource ID and query call details for participants within their respective Azure Communications Services Resource ID. - - - If Azure Communication Services participants join from different Azure Communication Services Resources, how do they display in Call Diagnostics - - - Participants from other Azure Communication Services resources will have limited information in Call Diagnostics. The participants that belong to the resource you open Call Diagnostics will have all available insights shown. --- **What are the common call issues I might see and how can I fix them?**-- - Here are resources for common call issues. For an overview of troubleshooting strategies for more information on isolating call issues. Please see: [Overview of general troubleshooting strategies](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/overview.md) -- - If you see common error messages or descriptions. See: -[Understanding error messages and codes](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/understanding-error-codes.md) -- - If users are unable to join calls. See: -[Overview of call setup issues](../../resources/troubleshooting/voice-video-calling/call-setup-issues/overview.md) -- - If users have camera or microphone issues. For example, they canΓÇÖt hear someone. See: [Overview of device and permission issues](../../resources/troubleshooting/voice-video-calling/device-issues/overview.md) -- - If call participants have audio issues. 
For example, they sound like a robot or hear an echo. See: [Overview of audio issues](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md) -- - If call participants have video issues. For example, their video looks fuzzy, or cuts in and out. See: [Overview of video issues](../../resources/troubleshooting/voice-video-calling/video-issues/overview.md) --- **How do I use Copilot in Azure (preview) in Call Diagnostics?**-- - Your organization needs to manage access to [Microsoft Copilot in Azure (preview)](/azure/copilot/overview). Once your organization has access to Copilot in Azure (preview), the Call Diagnostics interface will include the option to 'Diagnose with Copilot' in the Search, Overview, and Issues tabs. - - Leverage Copilot in Azure for Call Diagnostics to improve call quality by detailing problems faced during Azure Communication Services calls. Giving Copilot in Azure detailed information from Call Diagnostics will help it enhance analysis, identify issues, and identify fixes. Be aware that Copilot in Azure currently lacks programmatic access to your call details. --<!-- 1. If Teams participants join a call, how will they display in Call - Diagnostics? -- 1. If a Teams participant organized the call through Microsoft - Teams, that participant will appear as a participant in Call - Diagnostics, however they'll have fewer call details populated. -- 2. If there were other Teams participants besides the Teams meeting - organizer, those participants won't appear in Call - Diagnostics. --> ---<!-- 1. My call had issues, but Call Diagnostics doesnΓÇÖt show any issues. -- a. Call Diagnostics relies on several common call issues to help diagnose calls. Issues can still occur outside of the existing telemetry or can be caused by unlisted call participants you arenΓÇÖt allowed to view due to privacy restrictions. --> --<!-- 1. What types of calls are visible in Call Diagnostics? -- a. Call types included. - 1. 
Includes call data for Web JS SDK, Native SKD, PSTN, Call Automation. -- 1. Includes some Call Automation Bot data edges -- a. Partial data. +- What are the common causes of poor media streams in Azure Communication Services calls? +- The video on my call didn't work. How do I fix the subcode 41048? - a. Different SDKs, privacy considerations may prevent you from receiving those data. --> +![Screenshot of a Call Diagnostics search that shows recent calls for an Azure Communications Services resource and a response from Copilot in Azure.](media/call-diagnostics-all-calls-copilot.png) +## Frequently asked questions +### How do I set up Call Diagnostics? +Follow instructions to add diagnostic settings for your resource in [Enable logs via Diagnostic Settings in Azure Monitor](../analytics/enable-logging.md). We recommend that you initially collect all logs. After you understand the capabilities in Azure Monitor, determine which logs you want to retain and for how long. When you add your diagnostic setting, you're prompted to [select logs](../analytics/enable-logging.md#adding-a-diagnostic-setting). To collect all logs, select **allLogs**. +Your data volume, retention, and Call Diagnostics query usage in Log Analytics within Azure Monitor is billed through existing Azure data meters. We recommend that you monitor your data usage and retention policies for cost considerations as needed. For more information, see [Controlling costs](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs). +If you have multiple Azure Communications Services resource IDs, you must enable these settings for each resource ID and query call details for participants within their respective resource IDs. +Participants who join from other Azure Communication Services resources have limited information in Call Diagnostics. The participants who belong to the resource when you open Call Diagnostics have all available insights shown. 
-## Next steps +### What are the common call problems I might see, and how can I fix them? -- Learn how to manage call quality, see: [Improve and manage call quality](manage-call-quality.md)+Here are resources for common call problems: +- For an overview of troubleshooting strategies and for more information on isolating call problems, see [Overview of general troubleshooting strategies](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/overview.md). -- Explore troubleshooting guidance, see: [Overview of general troubleshooting strategies](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md) +- For descriptions of common error messages, see [Understanding error messages and codes](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/understanding-error-codes.md). -- Continue to learn other quality best practices, see: [Best practices: Azure Communication Services calling SDKs](../best-practices.md)+- If users can't join calls, see [Overview of call setup issues](../../resources/troubleshooting/voice-video-calling/call-setup-issues/overview.md). -- Learn how to use the Log Analytics workspace, see: [Log Analytics Tutorial](/azure/azure-monitor/logs/log-analytics-tutorial)+- If users have camera or microphone problems (for example, they can't hear someone), see [Overview of device and permission issues](../../resources/troubleshooting/voice-video-calling/device-issues/overview.md). -- Create your own queries in Log Analytics, see: [Get Started Queries](/azure/azure-monitor/logs/get-started-queries)+- If call participants have audio problems (for example, they sound like a robot or hear an echo), see [Overview of audio issues](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md). 
-- Explore known call issues, see: [Known issues in the SDKs and APIs](../known-issues.md)+- If call participants have video problems (for example, their video looks fuzzy or cuts in and out), see [Overview of video issues](../../resources/troubleshooting/voice-video-calling/video-issues/overview.md). +### How do I use Copilot in Azure (preview) in Call Diagnostics? +Your organization manages access to [Microsoft Copilot in Azure (preview)](/azure/copilot/overview). After your organization has access to Copilot in Azure, the Call Diagnostics interface includes the **Diagnose with Copilot** option in the search area, on the **Overview** tab, and on the **Issues** tab. +Use Copilot in Azure for Call Diagnostics to improve call quality by detailing problems faced during Azure Communication Services calls. Giving Copilot in Azure detailed information from Call Diagnostics will help it enhance analysis, identify problems, and identify fixes. Be aware that Copilot in Azure currently lacks programmatic access to your call details. -<!-- added to the toc.yml file at row 583. +## Related content - - name: Monitor and manage call quality - items: - - name: Manage call quality - href: concepts/voice-video-calling/manage-call-quality.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - - name: End of Call Survey - href: concepts/voice-video-calling/end-of-call-survey-concept.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - --> +- Learn how to manage call quality: [Improve and manage call quality](manage-call-quality.md). +- Explore troubleshooting guidance: [Overview of audio issues](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md). +- Learn about other quality best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md). 
+- Learn how to use the Log Analytics workspace: [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial). +- Create your own queries in Log Analytics: [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries). +- Explore known call issues: [Known issues in the SDKs and APIs](../known-issues.md). |
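Review bot: in the "How do I set up Call Diagnostics?" answer, the added sentence "The participants who belong to the resource when you open Call Diagnostics have all available insights shown" changes the meaning of the removed line ("the resource you open Call Diagnostics [in]"): membership is a property of the resource in which the pane is opened, not of the moment of opening. Suggest: "Participants who belong to the resource in which you open Call Diagnostics have all available insights shown." In "Related content", the entry "Explore troubleshooting guidance" now links to audio-issues/overview.md under the text "Overview of audio issues", which duplicates the audio bullet in the FAQ; the general-troubleshooting-strategies/overview.md path that the FAQ's first bullet already uses is the target that matches "troubleshooting guidance". Several added lines keep the product name as "Azure Communications Services" (the IMPORTANT callout, the "application layer" sentence, the Monitoring navigation sentence, both screenshot alt texts, and the multiple-resource-IDs FAQ) while the rest of the patch writes "Azure Communication Services"; standardize on the latter. Finally, the setup answer recommends selecting allLogs and revisiting retention only "for cost considerations"; since the Timeline section already cites privacy constraints between resources, the retention guidance could also note that these logs carry participant-level call details, so the retention period is a data-handling decision as well as a cost one.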
communication-services | End Of Call Survey Concept | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/end-of-call-survey-concept.md | Title: Azure Communication Services End of Call Survey overview-+ description: Learn about the End of Call Survey. -The End of Call Survey provides you with a tool to understand how your end users perceive the overall quality and reliability of your Calling SDK solution. +The End of Call Survey is a tool that helps you understand how your users perceive the overall quality and reliability of your Calling SDK solution. ## Purpose of the End of Call Survey-ItΓÇÖs difficult to determine a customerΓÇÖs perceived calling experience and determine how well your calling solution is performing without gathering subjective feedback from customers. You can use the End of Call Survey to collect and analyze customers **subjective** opinions on their calling experience as opposed to relying only on **objective** measurements such as audio and video bitrate, jitter, and latency, which may not indicate if a customer had a poor calling experience. -After publishing survey data, you can view the survey results through Azure for analysis and improvements. Azure Communication Services uses these survey results to monitor and improve quality and reliability. +It's difficult to determine a customer's perceived calling experience and understand how well your calling solution is performing unless you gather feedback. You can use the End of Call Survey to collect and analyze customers' *subjective* opinions on their calling experience. Relying only on *objective* measurements, such as audio and video bitrate, jitter, and latency, might not indicate if a customer had a poor calling experience. +After you publish survey data, you can view the survey results through Azure for analysis and improvements. 
Azure Communication Services uses these survey results to monitor and improve quality and reliability. ## Survey structure -The survey is designed to answer two questions from a userΓÇÖs point of view. --- **Question 1:** How did the users perceive their overall call quality experience?--- **Question 2:** Did the user perceive any Audio, Video, or Screen Share issues in the call?--The API allows applications to gather data points that describe user perceived ratings of their Overall Call, Audio, Video, and Screen Share experiences. Microsoft analyzes survey API results according to the following goals. -+The survey is designed to answer two questions: +- How did the user perceive the overall experience of call quality? +- Did the user perceive any problems with audio, video, or screen sharing in the call? -### End of Call Survey API goals +The API enables applications to gather data points that describe user-perceived ratings of their overall call, audio, video, and screen-sharing experiences. Microsoft analyzes survey API results according to the following goals. --| API Rating Categories | Question Goal | +| API rating category | Question goal | | -- | -- |-| Overall Call | Responses indicate how a call participant perceived their overall call quality. | -| Audio | Responses indicate if the user perceived any Audio issues. | -| Video | Responses indicate if the user perceived any Video issues. | -| Screenshare | Responses indicate if the user perceived any Screen Share issues. | --+| Overall call | Responses indicate how a call participant perceived overall call quality. | +| Audio | Responses indicate if the user perceived any audio problems. | +| Video | Responses indicate if the user perceived any video problems. | +| Screen sharing | Responses indicate if the user perceived any screen-sharing problems. 
| ## Survey capabilities -- ### Default survey API configuration -| API Rating Categories | Cutoff Value* | Input Range | Comments | -| -- | -- | -- | -- | -| Overall Call | 2 | 1 - 5 | Surveys a calling participantΓÇÖs overall quality experience on a scale of 1-5. A response of 1 indicates an imperfect call experience and 5 indicates a perfect call. The cutoff value of 2 means that a customer response of 1 or 2 indicates a less than perfect call experience. | -| Audio | 2 | 1 - 5 | A response of 1 indicates an imperfect audio experience and 5 indicates no audio issues were experienced. | -| Video | 2 | 1 - 5 | A response of 1 indicates an imperfect video experience and 5 indicates no video issues were experienced. | -| Screenshare | 2 | 1 - 5 | A response of 1 indicates an imperfect screen share experience and 5 indicates no screen share issues were experienced. | -+| API rating category | Cutoff value | Input range | Comments | +| -- | -- | -- | -- | +| Overall call | 2 | 1 - 5 | Surveys a calling participant's overall quality experience on a scale of 1 to 5. A response of 1 indicates an imperfect call experience. A response of 5 indicates a perfect call. The cutoff value of 2 means that a response of 1 or 2 indicates a less-than-perfect call experience. | +| Audio | 2 | 1 - 5 | A response of 1 indicates an imperfect audio experience. A response of 5 indicates that the customer experienced no audio problems. | +| Video | 2 | 1 - 5 | A response of 1 indicates an imperfect video experience. A response of 5 indicates that the customer experienced no video problems. | +| Screen sharing | 2 | 1 - 5 | A response of 1 indicates an imperfect screen-sharing experience. A response of 5 indicates that the customer experienced no screen-sharing problems. | --> [!NOTE] ->A questionΓÇÖs indicated cutoff value in the API is the threshold that Microsoft uses when analyzing your survey data. 
When you customize the cutoff value or Input Range, Microsoft analyzes your survey data according to your customization. +> [!NOTE] +> A question's indicated cutoff value in the API is the threshold that Microsoft uses when analyzing your survey data. When you customize the cutoff value or input range, Microsoft analyzes your survey data according to your customizations. ### More survey tags-| Rating Categories | Optional Tags | ++| Rating category | Optional tags | | -- | -- |-| Overall Call | `CallCannotJoin` `CallCannotInvite` `HadToRejoin` `CallEndedUnexpectedly` `OtherIssues` | +| Overall call | `CallCannotJoin` `CallCannotInvite` `HadToRejoin` `CallEndedUnexpectedly` `OtherIssues` | | Audio | `NoLocalAudio` `NoRemoteAudio` `Echo` `AudioNoise` `LowVolume` `AudioStoppedUnexpectedly` `DistortedSpeech` `AudioInterruption` `OtherIssues` | | Video | `NoVideoReceived` `NoVideoSent` `LowQuality` `Freezes` `StoppedUnexpectedly` `DarkVideoReceived` `AudioVideoOutOfSync` `OtherIssues` |-| Screenshare | `NoContentLocal` `NoContentRemote` `CannotPresent` `LowQuality` `Freezes` `StoppedUnexpectedly` `LargeDelay` `OtherIssues` | ----### End of Call Survey customization -+| Screen sharing | `NoContentLocal` `NoContentRemote` `CannotPresent` `LowQuality` `Freezes` `StoppedUnexpectedly` `LargeDelay` `OtherIssues` | -You can choose to collect each of the four API values or only the ones you find most important. For example, you can choose to only ask customers about their overall call experience instead of asking them about their audio, video, and screen share experience. You can also -customize input ranges to suit your needs. The default input range is 1 -to 5 for Overall Call, Audio, Video, and Screenshare. However, each API value can be customized from a minimum of 0 to maximum of 100. +### End of Call Survey customization options -### Customization options +You can choose to collect all of the four API values or only the ones that you find most important. 
For example, you can choose to ask customers about only their overall call experience and not ask about their audio, video, and screen-sharing experience. +You can also customize input ranges to suit your needs. The default input range is 1 to 5 for overall call, audio, video, and screen sharing. However, you can customize each API value from a minimum of 0 to maximum of 100. -| API Rating Categories | Cutoff Value* | Input Range | +| API rating category | Cutoff value | Input range | | -- | -- | -- | -| Overall Call | 0 - 100 | 0 - 100 | -| Audio | 0 - 100 | 0 - 100 | -| Video | 0 - 100 | 0 - 100 | -| Screenshare | 0 - 100 | 0 - 100 | -- > [!NOTE] - > A questionΓÇÖs indicated cutoff value in the API is the threshold that Microsoft uses when analyzing your survey data. When you customize the cutoff value or Input Range, Microsoft analyzes your survey data according to your customization. --## Store and view survey data: --> [!IMPORTANT] -> You must enable a Diagnostic Setting in Azure Monitor to send the log data of your surveys to a Log Analytics workspace, Event Hubs, or an Azure storage account to receive and analyze your survey data. If you do not send survey data to one of these options your survey data will not be stored and will be lost. To enable these logs for your Communications Services see our guidance: [End of Call Survey Logs](../analytics/logs/end-of-call-survey-logs.md). --You cannot access your survey and it will not be stored unless you have enabled a Diagnostic Setting to capture your survey data. 
--## Next Steps --- Learn how to use the End of Call Survey, see our tutorial: [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md)+| Overall call | 0 - 100 | 0 - 100 | +| Audio | 0 - 100 | 0 - 100 | +| Video | 0 - 100 | 0 - 100 | +| Screen sharing | 0 - 100 | 0 - 100 | -- Analyze your survey data, see: [End of Call Survey Logs](../analytics/logs/end-of-call-survey-logs.md)+## Storage of survey data for viewing -- Learn how to use the Log Analytics workspace, see: [Log Analytics Tutorial](/azure/azure-monitor/logs/log-analytics-tutorial)+To send the log data of your surveys to a Log Analytics workspace, an Azure Event Hubs instance, or an Azure storage account for analysis, you must enable a diagnostic setting in Azure Monitor. If you don't enable a diagnostic setting to send survey data to one of these options, your survey data won't be stored and will be lost. -- Create your own queries in Log Analytics, see: [Get Started Queries](/azure/azure-monitor/logs/get-started-queries)+To enable logs for Communications Services, see [End of Call Survey logs](../analytics/logs/end-of-call-survey-logs.md). +## Related content +- Learn how to use the End of Call Survey: [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). +- Analyze your survey data: [End of Call Survey logs](../analytics/logs/end-of-call-survey-logs.md). +- Learn how to use the Log Analytics workspace: [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial). +- Create your own queries in Log Analytics: [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries). |
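Review bot: replacing the "> [!IMPORTANT]" callout with plain paragraphs under "Storage of survey data for viewing" drops the emphasis on the one operational failure mode in this article: without a diagnostic setting the survey data "won't be stored and will be lost". Keep that sentence in an IMPORTANT callout, as the removed version had it, so it isn't read past. The new heading "Storage of survey data for viewing" is also awkward; "Store and view survey data" (the removed heading without its trailing colon) reads better and matches the imperative style of the other headings. Minor: in the customization section, "from a minimum of 0 to maximum of 100" needs "a maximum", and "To enable logs for Communications Services" should read "Communication Services" as elsewhere in the patch.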
communication-services | Manage Call Quality | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/manage-call-quality.md | Title: Azure Communication Services Manage Calling Quality- -description: Learn how to improve and manage calling quality with Azure Communication Services. + Title: Azure Communication Services Manage Call Quality ++description: Learn how to improve and manage call quality with Azure Communication Services. -This article introduces key tools you can use to monitor, troubleshoot, -and improve call quality in Azure Communication Services. The following materials help you plan for the best end-user experience. Ensure you read our calling overview materials first to familiarize yourself. +This article introduces key tools that you can use to monitor, troubleshoot, and improve call quality in Azure Communication Services. The following materials help you plan for the best user experience. ++Before you read this article, become familiar with overview information about calling: -- Voice and Video Calling - [Azure Communication Services Calling SDK- overview](calling-sdk-features.md) +- Voice and video calling: [Azure Communication Services Calling SDK overview](calling-sdk-features.md) +- Phone calling: [Public Switched Telephone Network (PSTN) integration concepts](../telephony/telephony-concept.md) -- Phone Calling - [Public Switched Telephone Network (PSTN) integration- concepts](../telephony/telephony-concept.md) +## Prepare your network and prioritize important network traffic by using QoS -## Prepare your network and prioritize important network traffic using QoS +As your users start using Azure Communication Services for calls and meetings, they might experience a caller's voice breaking up or cutting in and out of a call or meeting. Shared video might freeze, or pixelate, or fail altogether. 
This problem is due to the IP packets that represent voice and video traffic encountering network congestion and arriving out of sequence or not at all. If it happens (or to prevent it from happening in the first place), use Quality of Service (QoS) by following the [network recommendations](network-requirements.md). -As your users start using Azure Communication Services for calls and meetings, they may experience a caller's voice breaking up or cutting in and out of a call or meeting. Shared video may freeze, or pixelate, or fail altogether. This is due to the IP packets that represent voice and video traffic encountering network congestion and arriving out of sequence or not at all. If this happens (or to prevent it from happening in the first place), use Quality of Service (QoS) by following our -[network recommendations](network-requirements.md). +With QoS, you prioritize delay-sensitive network traffic (for example, voice or video streams). You allow that traffic to "cut in line" in front of traffic that's less sensitive. An example of lower-priority traffic is downloading a new app. In that case, an extra second to download isn't a significant problem. -With QoS, you prioritize delay-sensitive network traffic (for example, voice or video streams), allowing it to "cut in line" in front of -traffic that is less sensitive (like downloading a new app, where an extra second to download isn't a significant deal). QoS identifies and marks all packets in real-time streams using Windows Group Policy Objects and a routing feature called Port-based Access Control Lists, which instructs your network to give voice, video, and screen sharing their own dedicated network bandwidth. +QoS identifies and marks all packets in real-time streams by using Windows Group Policy objects and a routing feature called Port-based Access Control Lists. That feature instructs your network to give voice, video, and screen sharing their own dedicated network bandwidth. 
-Ideally, you implement QoS on your internal network while getting ready to roll out your Azure Communication Services solution, but you can do it anytime. If you're small enough, you might not need QoS. +Ideally, you implement QoS on your internal network while getting ready to roll out your Azure Communication Services solution. But you can do it anytime. If your network is small enough, you might not need QoS. -For detailed guidance, see: [Network optimization](network-requirements.md#network-optimization). +For detailed guidance, see [Network optimization](network-requirements.md#network-optimization). ## Prepare your deployment for quality and reliability investigations -Quality has different definitions depending on the real-time -communication use case and perspective of the end users. There are many -variables that affect the perceived quality of a real-time calling -experience, an improvement in one variable may cause a negative changes -in another variable. For example, increasing the frame rate and -resolution of a video call increases network bandwidth utilization -and processing power. +Quality has different definitions, depending on the real-time communication use case and the perspective of the users. Many variables affect the perceived quality of a real-time calling experience. An improvement in one variable might cause a negative change in another variable. For example, increasing the frame rate and resolution of a video call increases network bandwidth utilization and processing power. -Therefore, you need to determine your customer’s use cases and -requirements before starting your development. For example, a customer -who needs to monitor dozens of security cameras feeds simultaneously may -not need the maximum resolution and frame rate that each video stream -can provide. In this scenario, you could utilize our [Video constraints](video-constraints.md) capability to limit the amount of bandwidth used by each video stream. 
+Determine your customer's use cases and requirements before you start your development. For example, a customer who needs to monitor dozens of security camera feeds simultaneously might not need the maximum resolution and frame rate that each video stream can provide. In this scenario, you could use the [Video Constraints API](video-constraints.md) capability to limit the amount of bandwidth that each video stream uses. -## Logs on native platforms +## Implement logging on native platforms -Implementing **logging** as per the [logs file retrieval tutorial](../../tutorials/log-file-retrieval-tutorial.md) is critical to gathering details for native development. Detailed logs help in diagnosing issues specific to device models or OS versions. We encourage to the developers that start configuring the Logs API to get details around the call lifetime. +Implementing logging as described in the [tutorial about retrieving log files](../../tutorials/log-file-retrieval-tutorial.md) is critical to gathering details for native development. Detailed logs help in diagnosing problems specific to device models or OS versions. We encourage developers who start configuring the Logs API to get details about the call lifetime. ## Implement existing quality and reliability capabilities before deployment -> [!Note] -> We recommend you use our easy to implement samples since they are already optimized to give your users the best call quality. Please see: [Samples](../../overview.md#samples) --If our calling samples don't meet your needs, or you decide to customize your solution please ensure you understand and implement the following capabilities in your custom calling scenarios. --Before you launch and scale your customized Azure Communication Services calling -solution, implement the following capabilities to support a high quality calling experience. These tools help prevent common quality and reliability calling issues from happening and diagnose issues if they occur. 
Keep in mind, some of these call data aren't created or stored unless you implement them. --The following sections detail the tools to implement at different phases of a call: --- **Before a call**-- **During a call**-- **After a call**--## Before a call --**Pre-call readiness** – By using the pre-call checks Azure Communication Services provides, - you can learn a user’s connection status before the call and take - proactive action on their behalf. For example, if you learn a user’s - connection is poor you can suggest they turn off their video before - joining the call to have a better audio connection. --<!-- This is not possible yet ... ~~You could also - have callers with poor network conditions join from [PSTN (Public - Switched Telephone Network) voice - calling](/azure/communication-services/concepts/telephony/telephony-concept).~~ --> ---<!-- TODO need to add a Permissions section. - filippos for input --- needs OS level permissions.--- needs device permission.--- needs to return true for both Audio and Video. If false then know issues. review the Blog post on this best practice . . . -->---### Network Diagnostic Tool --The Network Diagnostic Tool provides a hosted experience for - developers to validate call readiness during development. You can - check if a user’s device and network conditions are optimal for - connecting to the service to ensure a great call experience. The tool - performs diagnostics on the network, devices, and call quality. -- - By using the network diagnostic tool, you can encourage users to resolve reliability issues and improve their network connection before joining a call. -+We recommend that you use [these easy-to-implement calling samples](../../overview.md#samples), because they're already optimized to give your users the best call quality. 
+If the samples don't meet your needs and you decide to customize your Azure Communication Services calling solution, implement the following capabilities to support a high-quality calling experience. The tools for these capabilities help prevent common quality and reliability problems from happening and diagnose problems if they occur. Keep in mind that some call data isn't created or stored unless you implement these capabilities. -- For more information, please see: [Network Diagnostics Tool](../developer-tools/network-diagnostic.md).- <!- - Tool](https://azurecommdiagnostics.net/) --> +The following sections detail the tools to implement at the phases of a call: +- **Before a call**: Pre-call readiness. +- **During a call**: In-call communication. +- **After a call**: Monitoring and troubleshooting call quality and reliability. +### Before a call -#### Pre-Call Diagnostics API +By using the pre-call checks that Azure Communication Services provides, you can learn a user's connection status before the call and take proactive action on their behalf. For example, if you learn that a user's connection is poor, you can suggest that they turn off their video before joining the call to have a better audio connection. -Maybe you want to build your own Network Diagnostic Tool or to perform a deeper integration of this tool into your application. If so, you can use the Pre-Call diagnostic APIs that run the Network Diagnostic Tool for the calling SDK. The Pre-Call Diagnostics API lets you customize the experience in your user interface. You can then run the same series of tests that the Network Diagnostic Tool uses to ensure compatibility, connectivity, and device permissions with a test call. You can decide the best way to tell users how to correct issues before calls begin. You can also perform specific checks when troubleshooting quality and reliability issues. 
+#### Network Diagnostic tool - <!- - join their audio from [PSTN (Public Switched Telephone Network) - voice - calling](/en-us/azure/communication-services/concepts/telephony/telephony-concept) - before they join.~~ --> +The Network Diagnostic tool provides a hosted experience for developers to validate call readiness during development. You can check if a user's device and network conditions are optimal for connecting to the service, to help ensure a great call experience. The tool performs diagnostics on the network, devices, and call quality. - - For example, if a user's hardware test has an issue, you can notify the users - involved to manage expectations and change for future calls. +By using the Network Diagnostic tool, you can encourage users to resolve reliability problems and improve their network connection before they join a call. -- For more information, please see: [Pre-Call diagnostic](pre-call-diagnostics.md).+For more information, see [Network Diagnostic tool](../developer-tools/network-diagnostic.md). -<!-- NOTE - developers can run a separate browser test now, but there's no use case specific to just doing that check we should highlight here. +##### Pre-Call API for diagnostics -### Browser support +Maybe you want to build your own diagnostic tool or perform a deeper integration of the Network Diagnostic tool into your application. If so, you can use the Pre-Call API to run the diagnostic tool for the Calling SDK. -When user's use unsupported browsers it can be difficult to diagnose call issues after they occur. To optimize call quality check if an application is running a supported browser before user's join to - ensure they can properly support audio and video calling. +The Pre-Call API lets you customize the experience in your user interface. You can then run the same series of tests that the Network Diagnostic tool uses to ensure compatibility, connectivity, and device permissions with a test call. 
You can decide the best way to tell users how to correct problems before calls begin. You can also perform specific checks when troubleshooting quality and reliability problems. -- To learn more, see: [How to verify if your application is running in a web browser supported by Azure Communication Services](../../how-tos/calling-sdk/browser-support.md). -->+For example, if a user's hardware test has a problem, you can notify the user to manage expectations and changes for future calls. +For more information, see [Pre-Call diagnostic](pre-call-diagnostics.md). -### Conflicting call clients +#### Conflicting call clients -Because Azure Communication Services Voice and Video call run on web and mobile browsers your users may have multiple browser tabs running separate instances of the Azure - Communication Services calling SDK. This can happen for various reasons. Maybe the user forget to close their previous tab. Maybe the user couldn't join a call without a meeting organizer present and they re-attempt to open the meeting join url link, which opens a separate mobile browser tab. No matter how a user ends up with multiple call browser tabs at the same time, it causes disruptions to audio and video - behavior on the call they're trying to participate in, referred to as the target call. You should make sure there aren't multiple browser tabs open before a call starts, and also monitor during the whole call lifecycle. You can pro-actively notify customers to close their excess tabs, or help them join a call correctly with useful messaging if they're unable to join a call initially. +Because Azure Communication Services voice and video calls run on web and mobile browsers, your users might have multiple browser tabs running separate instances of the Azure Communication Services Calling SDK. 
This situation can happen for various reasons, like these examples: - of Azure Communication Services running in a browser, see: [How to detect if an application using Azure Communication Services' SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). +- The user forgot to close a previous tab. +- The user couldn't join a call without a meeting organizer present. The user reattempts to select the link for joining the meeting, which opens a separate mobile browser tab. -## During a call +Having multiple call browser tabs at the same time causes disruptions to audio and video behavior on the call that the user is trying to join (that is, the *target call*). You should make sure that multiple browser tabs aren't open before a call starts and (through monitoring) during the whole life cycle of the call. You can proactively notify customers to close their excess tabs, or help them join a call correctly with useful messaging if they initially can't join a call. -**In-call communication** – During a call, a user’s network conditions - can worsen or they may run into reliability and compatibility issues, all of which can result in a poor calling experience. This section helps you apply capabilities to manage issues in a call and communicate with your users. +To check if user has multiple instances of Azure Communication Services running in a browser, see [How to detect if an application using the Azure Communication Services SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). -### User Facing Diagnostics (UFDs) +### During a call -When a user is in a call, it's important to proactively notify them in real-time about issues on their call. User Facing Diagnostics (UFDs) provide real-time flags for issues to the user such as having their - microphone muted while talking or having a poor network quality. You can nudge or act on their behalf. 
In addition to messaging, you can consider proactive approaches to protect the limited bandwidth a user has. You can tailor your user interface messages to best suite your scenarios. If you find users - don’t consistently turn off their video upon receiving a notification - from you, then you can proactively turn a user’s video off to - prioritize their audio connection, or even hide video capability from - customer in your User Interface before they join a call. +During a call, a user's network conditions can worsen, or they might run into reliability and compatibility problems. Those situations can result in a poor calling experience. The following sections help you apply capabilities to manage problems in a call and communicate with your users. -**For example:** +#### User Facing Diagnostics -- If there's a network issue identified you can prompt users to- turn off their video, change networks, or move to a location with a better network condition or connection. -- If there's a device issue identified, you can nudge the user to switch- devices. +When a user is in a call, it's important to notify them in real time about problems on their call. The User Facing Diagnostics feature provides real-time flags for problems that affect the user, such as having their microphone muted while talking or having a poor network quality. +You can tailor your user interface messages to best suit your scenarios. For example: -- For more information, please see: [User Facing Diagnostics](user-facing-diagnostics.md).+- If a flag identifies a network problem, you can prompt users to turn off their video, change networks, or move to a location that has a better network condition or connection. +- If a flag identifies a device problem, you can nudge the user to switch devices. +In addition to messaging, you can act on users' behalf and consider proactive approaches to protect the limited bandwidth that a user has. 
If you find that users don't consistently turn off their video after receiving a notification from you, you can proactively turn off a user's video to prioritize their audio connection. You can even hide video capability from customers in your user interface before they join a call. -### Video constraints +For more information, see [User Facing Diagnostics](user-facing-diagnostics.md). -Video streams consume large amounts of network bandwidth, if you know your users have limited network bandwidth or poor network conditions you can reduce control the network usage of a user's video connection with video constraints. When you limit the amount of bandwidth a user's video stream can consume you can protect the bandwidth needed for good audio quality in poor network environments. +#### Video constraints -- To learn more, see: [Video constraints](video-constraints.md).+Video streams consume large amounts of network bandwidth. If you know that your users have limited network bandwidth or poor network conditions, you can control the network usage of a user's video connection by using video constraints. When you limit the amount of bandwidth that a user's video stream can consume, you can protect the bandwidth needed for good audio quality in poor network environments. +To learn more, see [Video constraints](video-constraints.md). -### Volume indicator +#### Volume indicator -Sometimes users can't hear each other; maybe the speaker is too quiet, the listener's device doesn't receive the audio packets, or there's an audio device issue blocking the sound. Users don't know when they're speaking too quietly, or when the other person can't hear them. You can use the input and output indicator to indicate if a user’s volume is low or absent and prompt a user to speak louder or investigate an audio device issue through your user interface. +Sometimes users can't hear each other. 
Maybe the speaker is too quiet, the listener's device doesn't receive the audio packets, or an audio device problem is blocking the sound. Users don't know when the other person can't hear them. You can use the input and output indicator to: -- For more information, please see: [Add volume indicator to your web calling](../../quickstarts/voice-video-calling/get-started-volume-indicator.md)+1. Indicate if a user's volume is low or absent. +1. Prompt the user to speak louder or investigate an audio device problem through your user interface. +For more information, see the [quickstart about adding a volume indicator to web calling](../../quickstarts/voice-video-calling/get-started-volume-indicator.md). -### Detailed media statistics +#### Media quality statistics +Because network conditions can change during a call, users can report poor audio and video quality even if they started the call without any problems. The *media quality statistics* feature gives you detailed quality metrics on each inbound and outbound audio, video, and screen-share stream. These detailed insights help you monitor calls in progress, show users their network quality status throughout a call, and debug individual calls. -Since network conditions can change during a call, users can report poor audio and video quality even if they started the call without issue. Our Media statistics give you detailed quality metrics on each inbound and outbound audio, video, and screen share stream. These detailed insights help you monitor calls in progress, show users their network quality status throughout a call, and debug individual calls. +The metrics in this feature help indicate problems on the Azure Communication Services Client SDK media streams for sending and receiving. As an example, you can actively monitor the outgoing video stream's `availableBitrate` value, notice a persistent drop below the recommended 1.5 Mbps, and notify the user that the video quality is degraded. 
-- These metrics help indicate issues on the Azure Communication Services client SDK send and receive media streams. As an example, you can actively monitor the outgoing video stream's `availableBitrate`, notice a persistent drop below the recommended 1.5 Mbps and notify the user their video quality is degraded. +Server log data gives you only a general summary of the call after it ends. The detailed media statistics provide low-level metrics throughout the call duration and afterward for deeper analysis. -- It's important to note that our Server Log data only give you an overall summary of the call after it ends. Our detailed Media Statistics provide low level metrics throughout the call duration for use in during the call and afterwards for deeper analysis. -- To learn more, see: [Media quality statistics](media-quality-sdk.md)+To learn more, see [Media quality statistics](media-quality-sdk.md). +#### Optimal Video Count API -### Optimal video count -During a group call with 2 or more participants a user's video quality can fluctuate due to changes in network conditions and their specific hardware limitations. By using the Optimal Video Count API, you can improve user call quality by understanding how many videos streams their local endpoint can render at a time without worsening quality. By implementing this feature, you can preserve the call quality and bandwidth of local endpoints that would otherwise attempt to render video poorly. The API exposes the property, optimalVideoCount, which dynamically changes in response to the network and hardware capabilities of a local endpoint. This information is available at runtime and updates throughout the call letting you adjust a user’s visual experience as network and hardware conditions change. +During a group call with two or more participants, a user's video quality can fluctuate due to changes in network conditions and their specific hardware limitations. 
By using the Optimal Video Count API, you can improve a user's call quality by understanding how many video streams their local endpoint can render at a time without worsening quality. -- To implement, visit web platform guidance [Manage Video](/azure/communication-services/how-tos/calling-sdk/manage-video?pivots=platform-web) and review the section titled Remote Video Quality. +By implementing this feature, you can preserve the call quality and bandwidth of local endpoints that would otherwise attempt to render video poorly. The API exposes the property `optimalVideoCount`, which dynamically changes in response to the network and hardware capabilities of a local endpoint. This information is available at runtime and gets updates throughout the call, so you can adjust a user's visual experience as network and hardware conditions change. -<!-- NOTE - cannot link the URL to a sub-header within a pivoted document --> -### End of Call Survey +To implement this feature, see the web platform guidance [Manage video during calls](/azure/communication-services/how-tos/calling-sdk/manage-video?pivots=platform-web#remote-video-quality). -Customer feedback is invaluable, the End of Call Survey provides you with a tool to understand how your end users perceive the overall quality and reliability of your JavaScript / Web SDK calling solution. The survey can be modified to various survey formats if already have a survey solution in place. After publishing survey data, you can view the survey results in Azure Monitor for analysis and improvements. Azure Communication Services also uses the survey API results to monitor and improve your quality and reliability. 
+### After a call -- To learn more, see: [End of Call Survey overview](end-of-call-survey-concept.md)-- To implement, see: [Tutorial: Use End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md)+Before you release and scale your Azure Communication Services calling solution, implement the following monitoring capabilities for quality and reliability to ensure that you're collecting available logs and metrics. The call data isn't stored until you implement the capabilities, so you can't monitor and debug your call quality and reliability without them. +For more information, see [Azure Communication Services Voice Calling and Video Calling logs](../analytics/logs/voice-and-video-logs.md). --## After a call -**Monitor and troubleshoot call quality and reliability** - Before you release and scale your Azure Communication Services calling solution, implement these quality and reliability monitoring capabilities -to ensure you collecting available logs and metrics. These call data aren't stored until you implement them so you won't be able to monitor and debug your call quality and reliability without them. --- For more information, see: [Azure Communication Services Voice Calling and Video Calling logs](../analytics/logs/voice-and-video-logs.md). --### Start collecting call logs +#### Start collecting call logs Review this documentation to start collecting call logs: [Enable logs via Diagnostic Settings in Azure Monitor.](../analytics/enable-logging.md) -- We recommend you choose the category group "allLogs" and choose the destination detail of “Send to Log Analytics workspace" in order to view and analyze the data in Azure Monitor.-- If you don't have a Log Analytics workspace to send your data to, you'll need to [create one.](/azure/azure-monitor/logs/quick-create-workspace)-- We recommend you monitor your data usage and retention policies for cost considerations as needed. 
See: [Controlling costs.](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs)---### Diagnose calls with Call Diagnostics -Call Diagnostics is an Azure Monitor experience that delivers tailored insight through specialized telemetry and diagnostic pages in the Azure portal. --Once you begin storing log data in your log analytics workspace, you can visualize your search for individual calls and visualize the data in Call Diagnostics. Within your Azure Monitor account you simply need to navigate to your Azure Communication Services resource and locate the Call Diagnostics blade in your side pane. -- See [Call Diagnostics](call-diagnostics.md) to learn how to best use this capability.--<!-- #### sdkVersion --- Allows you to monitor the deployment of client versions. See our guidance <u>on **Client Versions**</u> to learn how old client versions can impact quality -->--<!-- #### Call errors --- The `participantEndReason` is the reason a participant ends a connection. This data helps you identify common trends leading to unplanned call ends (when relevant). See our guidance on [Calling SDK error codes](../troubleshooting-info.md#calling-sdk-error-codes) -->---<!-- #### transportType --- A UDP connection is better than a TCP connection. See our guidance on **<u>UDP vs. TCP</u>** to learn how TCP connections can result in poor quality. -->--<!-- #### <span class="mark">DRAFT UIHint later – what is added quality value with Device, skd, custom tag?</span> --> ---<!-- #### Summarized Media Quality logs --- These three logs give you insight on the average media quality during the call.-- - `roundTripTimeAvg` -- - `jitterAvg` -- - `packetLossRateAvg` --> +To view and analyze the data in Azure Monitor, we recommend that you choose the category group **allLogs** and choose the destination detail of **Send to Log Analytics workspace**. If you don't have a Log Analytics workspace to send your data to, [create one](/azure/azure-monitor/logs/quick-create-workspace). 
+We recommend that you monitor your data usage and retention policies for cost considerations as needed. For more information, see [Controlling costs](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs). -### Examine call quality with Voice and Video Insights Preview +#### Diagnose calls by using Call Diagnostics -Once you have enabled logs, you can view call insights in your Azure Resource using visualization examples: [Voice and video Insights](../analytics/insights/voice-and-video-insights.md) +Call Diagnostics is an Azure Monitor experience that delivers tailored insights through specialized telemetry and diagnostic pages in the Azure portal. -- You can modify the existing workbooks or even create your own: [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-overview)+After you begin storing log data in your Log Analytics workspace, you can visualize your search for individual calls and visualize the data in Call Diagnostics. In your Azure Monitor account, go to your Azure Communication Services resource and locate **Call Diagnostics** on the service menu. To learn how to best use this capability, see [Call Diagnostics](call-diagnostics.md). -- For examples of deeper suggested analysis see our [Query call logs](../analytics/query-call-logs.md)+#### Examine call quality by using voice and video insights +After you enable logs, you can view call insights in your Azure resource by using the visualization examples in [Voice and video insights](../analytics/insights/voice-and-video-insights.md). -#### Analyze end user sentiment with the End of Call Survey -Once you enable diagnostic settings to capture your survey data you can use our sample [call log queries](../analytics/query-call-logs.md) in Azure Log Analytics to analyze your user's perceived quality experience. User feedback can show you call issues you didn't know you had and help you prioritize your quality improvements. 
+You can modify the existing workbooks or even create your own. For more information, see [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-overview). -### Analyze your call data directly from the client -By collecting call data such as Media Statistics, User Facing Diagnostics, and pre-call API information you can review calls with - poor quality to conduct root cause analysis when troubleshooting issues. For example, a user may have an hour long call and report poor audio at one point in the call. +For examples of deeper suggested analysis, see [Query call logs](../analytics/query-call-logs.md). -The call may have fired a User Facing Diagnostic indicating a severe problem with the incoming or outgoing media steam quality. By storing the [detailed media statistics](media-quality-sdk.md) from the call you can review when the UFD occurred to see if there were high levels of packet loss, jitter, or latency around this time indicating a poor network condition. You explore whether the network was impacted by an external client's unmanaged network, unnecessary network traffic due to improper Quality of Service (QoS) network prioritization policies, or an unnecessary Virtual Private Network (VPN) for example. +#### Analyze user sentiment by using the End of Call Survey -> [!NOTE] -> As a rule, we recommend prioritizing a user’s Audio connection bandwidth before their video connection and both audio and video before other network traffic. When a network is unable to support both audio and video, you can proactively disable a user’s video or nudge a user to disable their video. +Customer feedback is invaluable. The End of Call Survey helps you understand how your users perceive the overall quality and reliability of your JavaScript or Web SDK calling solution. -### Request support +You can modify the survey to various formats if you already have a survey solution in place. 
After you publish survey data, you can view the results in Azure Monitor for analysis and improvements. Azure Communication Services also uses the Survey API results to monitor and improve call quality and reliability. -If you encounter quality or reliability issues you're unable to resolve and need support, you can submit a request for technical support. The more information you can provide in your request the better (native logs are crucial to optimize the response time), however you can still submit requests with partial information to start your inquiry. See: [How to create Azure support requests](/azure/azure-portal/supportability/how-to-create-azure-support-request). +To implement the feature, see [Tutorial: Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). After you enable diagnostic settings to capture your survey data, you can use [sample call log queries](../analytics/query-call-logs.md) in Azure Log Analytics to analyze your user's perceived quality experience. User feedback can show you call problems you didn't know you had and help you prioritize your quality improvements. -- If you're notified of license requirements while attempting to request technical support, you may need to choose a paid Azure support plan that best aligns to your needs. See: [Compare Support Plans](https://azure.microsoft.com/support/plans).-- If you prefer not to purchase support you can leverage community support. See: [Community Support](https://azure.microsoft.com/support/community/).+To learn more, see [End of Call Survey overview](end-of-call-survey-concept.md). 
-<!-- Free Public support options -Azure Community Support | Microsoft Azure - This is a hub that allows you to search for a product/service and visit related sites such as: -Msdn forums (microsoft.com) -Newest Questions - Stack Overflow - Search for questions tagged 'azure-communication-services' -Server Fault - Q&A site for system & network admins -(General Feedback): Top (6645 ideas) – Customer Feedback for ACE Community Tooling (azure.com) - This is our Azure Feedback site for Feature requests -Microsoft Q&A supported products | Microsoft Docs - Home of technical questions and answers at Microsoft (Search for questions tagged 'azure-communication-services' & you can 'Follow' the tag) -New Issue · Azure/Communication (github.com) or New Issue · Azure/azure-sdk-for-media-services (github.com) - File an issue or search the known issues on our github repos --> +#### Analyze your call data directly from the client -### Other considerations -<!- - - [Azure logs and metrics for Teams external users](../interop/guest/monitor-logs-metrics.md) --> +By collecting call data such as media statistics, User Facing Diagnostics, and Pre-Call API information, you can review poor-quality calls to conduct root-cause analysis when you're troubleshooting problems. +For example, a user might have an hour-long call and report poor audio at one point in the call. The call might have fired a User Facing Diagnostic flag that indicated a severe problem with the quality of an incoming or outgoing media stream. +By storing the [detailed media statistics](media-quality-sdk.md) from the call, you can review when the User Facing Diagnostics flag occurred to see if high levels of packet loss, jitter, or latency around this time indicate a poor network condition. For example, you can explore whether the network was affected by an external client's unmanaged network, unnecessary network traffic due to improper QoS network prioritization policies, or an unnecessary virtual private network (VPN). 
+> [!NOTE] +> As a rule, we recommend prioritizing the bandwidth of a user's audio connection before their video connection. We recommend prioritizing both audio and video before other network traffic. When a network can't support both audio and video, you can proactively disable a user's video or nudge a user to disable their video. +#### Request support -- If you don't have access to your customer’s Azure portal to view data tied to their Azure Resource ID you can request to query their workspaces to improve quality on their behalf. - - [Create a log query across multiple workspaces and apps in Azure Monitor](/azure/azure-monitor/logs/cross-workspace-query) +If you encounter quality or reliability problems that you can't resolve, you can submit a request for technical support. The more information you can provide in your request, the better. (Native logs are crucial to optimize the response time.) However, you can still submit requests with partial information to start your inquiry. For more information, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). +If you're notified of license requirements while you're trying to request technical support, you might need to choose a paid Azure support plan that best aligns to your needs. See [Compare support plans](https://azure.microsoft.com/support/plans). -## Next steps +If you prefer not to purchase support, you can take advantage of community support. See [Azure Community Support](https://azure.microsoft.com/support/community/). 
-- Continue to learn other best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md)-- Explore known issues: [Known issues in the SDKs and APIs](../known-issues.md)-- Learn how to debug calls: [Call Diagnostics](call-diagnostics.md)-- Learn how to use the Log Analytics workspace: [Log Analytics Tutorial](/azure/azure-monitor/logs/log-analytics-tutorial)-- Create your own queries in Log Analytics: [Get Started Queries](/azure/azure-monitor/logs/get-started-queries)+#### Other considerations +If you don't have access to your customer's Azure portal to view data tied to their Azure resource ID, you can request to query their workspaces to improve quality on their behalf. For more information, see [Query data across Log Analytics workspaces, applications, and resources in Azure Monitor](/azure/azure-monitor/logs/cross-workspace-query). -<!-- Comment this out - add to the toc.yml file at row 583. +## Related content - - name: Monitor and manage call quality - items: - - name: Manage call quality - href: concepts/voice-video-calling/manage-call-quality.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - - name: End of Call Survey - href: concepts/voice-video-calling/end-of-call-survey-concept.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - --> +- Learn other best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md). +- Explore known issues: [Known issues in the SDKs and APIs](../known-issues.md). +- Learn how to debug calls: [Call Diagnostics](call-diagnostics.md). +- Learn how to use the Log Analytics workspace: [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial). +- Create your own queries: [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries). |
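Review bot: the new sentence under "Diagnose calls by using Call Diagnostics" reads "you can visualize your search for individual calls and visualize the data in Call Diagnostics", which repeats "visualize" and leaves the first clause without a clear meaning; suggest "you can search for individual calls and visualize the data in Call Diagnostics". In the same paragraph, "In your Azure Monitor account, go to your Azure Communication Services resource" refers to an account that doesn't exist as such; Azure Monitor is reached through the Azure portal, so "In the Azure portal, go to your Azure Communication Services resource and locate **Call Diagnostics** on the service menu" matches what the reader actually does.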
communication-services | Troubleshoot Web Voip Quality | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/troubleshoot-web-voip-quality.md | Title: Azure Communication Services troubleshooting VoIP call quality-+ description: Learn how to troubleshoot web VoIP call quality with Azure Communication Services. -# Troubleshooting VoIP call quality +# Troubleshoot VoIP call quality -This article describes how to troubleshoot and improve web VoIP call quality in Azure Communication Services. +This article describes how to troubleshoot and improve web Voice over Internet Protocol (VoIP) call quality in Azure Communication Services. -Voice and video calling experiences are an essential communication tool for businesses, organizations, and individuals in today's world. However, customers can experience quality issues. Quality in calls can be impacted based on four network parameters: bandwidth available, round-trip time (RTT), packet loss, and jitter. +Voice and video calling experiences are an essential communication tool for businesses, organizations, and individuals in today's world. However, customers can experience quality problems. Four network parameters can affect quality in calls: available bandwidth, round-trip time (RTT), packet loss, and jitter. -VoIP calling using Azure Communication Services is an efficient and reliable way to communicate. If quality issues arise, follow the troubleshooting steps in this article to ensure the best possible user experience. +If quality problems arise with VoIP calling in Azure Communication Services, follow the troubleshooting guidance in this article to ensure the best-possible user experience. -## Pre call check-up +## Network conditions that can cause quality problems -When using the internet at various locations, you experience different internet speeds. 
At home, internet speed and reliability can differ due to factors such as the type of internet connection, the quality of the router, and the number of devices connected to the network. In the office, internet speed and reliability can be impacted by the number of users on the network, the quality of the network infrastructure, and the type of internet connection. When you're using cellular data, internet speed and reliability can be affected by factors such as the strength of the cellular signal, the distance from the cell tower, and the number of users on the network. Additionally, some cellular plans have data caps or throttling, which can affect internet speed and reliability. +The following conditions can happen with audio during a call. -Overall, internet connections can vary depending on the location and the factors that affect the quality of the connection. It's important to test network ability. +### Choppy or robotic-sounding audio -To learn more about the network connection and settings of your machine, run a network diagnostic check at [Azure Communication Services Network Diagnostic Tool](https://azurecommdiagnostics.net/). The network diagnostic tool checks all the essential parameters to help you determine if the network connection at your local machine is compatible with Azure Communication Services. You can also run this test on mobile devices. For more information about network quality, bandwidth, configuration, and optimization, see [Network recommendations](network-requirements.md). +When call audio sounds choppy, sounds robotic, or cuts in and out, the reason might be by packet loss due to excessive jitter on the line. *Jitter* means that packets are received out of order. Several factors can cause it, including network traffic or the technologies used in the call. -Enable logging via diagnostic settings in Azure monitor. For more information, see [Enable logs via Diagnostic Settings in Azure Monitor](../analytics/enable-logging.md). 
+### One-way or missing audio -Once the logs are enabled, you can view call insights in your Azure resource. For more information, see [Voice an video Insights Preview](../analytics/insights/voice-and-video-insights.md). +When a caller can hear the other party, but the other party can't hear the caller, we refer to this condition as *one-way audio*. Several factors can cause missing audio streams, including errors in the connection or handshake, problems during a network handoff, or problems at the source or destination. -You can improve audio quality in poor network environments by using video constraints to reduce the number of bandwidth users video streams consume. For more information, see [Video constraints](video-constraints.md). +### Delayed audio -You can programmatically validate a clientΓÇÖs readiness to join an Azure Communication Services Call using the Pre-Call API. Access this API through the Calling SDK. The Pre-Call API provides multiple diagnostics including device, connection, and call quality. Pre-Call APIs are available only for Web (JavaScript). We welcome your feedback about other platforms you would like to see prioritized. For more information, see [Pre-Call diagnostic](pre-call-diagnostics.md). +When caller or callee reports excessive delays in the call audio, the reason can be excessive latency on the line. Several factors can cause audio latency, including delayed packet transmission or delivery somewhere along the line, or the technologies used in the call. -## Network issues that can cause quality problems +### Audio echo -### Choppy or robotic sounding call audio +When a caller or callee reports that they hear their own delayed audio being transmitted back to them, we refer to this condition as *audio echo*. The causes of echo can be positioning and volume levels of the speaker and/or microphone at one end of the line, or crosstalk on copper wire (landline) networks. 
-When call audio has robotic-sounds or choppy cuts in and out, it can be caused by packet loss due to excessive jitter on the line. Jitter is the term used when packets are received out-of-order and can be caused by several factors including network traffic, or the technologies used in the call. +### Audio volume problem -### One-way or missing call audio +When a caller or callee reports that the volume of a call is either too loud or too quiet, we typically classify this condition as an audio volume problem. The cause is often the hardware, including the positioning and volume levels of the speaker and/or microphone at one end of the line. If the input and output indicator shows that the user's volume is low, you can prompt the user to speak louder. -When a caller can hear the other party, but the other party can't hear the caller, we refer to this as one-way audio. Missing audio streams can be caused by several factors including errors in the connection/handshake, problems during a network handoff, or issues at the source or destination. +For more information, see [Access call volume level in your calling app](../../quickstarts/voice-video-calling/get-started-volume-indicator.md). -### Delayed call audio +### Static -When caller or callee reports excessive delays in the call audio, it can be caused by excessive latency on the line. Call audio latency can be caused by several factors including delayed packet transmission or delivery somewhere along the line, or the technologies used in the call. +When a caller or callee reports audio interference or background noise on a call, we typically classify this condition as an audio static problem. The cause can be the hardware in use, including the placement, positioning, and levels of the speaker and/or microphone at one end of the line. -### Call audio echoing +Also, make sure that the application you're using for web calling is hosted on the latest SDK. 
For more information, see [Azure Communication Services Calling Web (JavaScript) SDK - Release History](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md). -When a caller or callee reports that they hear their own delayed audio being transmitted back to them, we refer to this as *call audio echo*. Echo can be caused by positioning and volume levels of the speaker and microphone at one end of the line, or by crosstalk on copper wire (landline) networks. +## Pre-call checkups -### Volume indicator API +When you're using the internet at various locations, you experience different internet speeds. Factors like the following examples can affect internet speed and reliability: -When a caller or callee reports that the volume of a call is either too loud or too quiet, we typically classify this as a call audio volume issue. These call volume issues are often caused by the hardware, including the positioning and levels of the speaker and/or microphone at one end of the line. If the input and output indicator show that the userΓÇÖs volume is low, you can prompt the user to speak louder. +- At home: the type of internet connection, the quality of the router, and the number of devices connected to the network. +- In the office: the number of users on the network, the quality of the network infrastructure, and the type of internet connection. +- When you're using cellular data: the strength of the cellular signal, the distance from the cell tower, and the number of users on the network. Additionally, some cellular plans have data caps or throttling. -For more information, see [Accessing call volume level](../../quickstarts/voice-video-calling/get-started-volume-indicator.md). +Because of this variability, it's important to test the network connection and settings of your machine. 
You can run a network diagnostic check by using the [Azure Communication Services Network Diagnostic tool](https://azurecommdiagnostics.net/). This tool checks all the essential parameters to help you determine if the network connection at your local machine is compatible with Azure Communication Services. You can also run this tool on mobile devices. For more information about network quality, bandwidth, configuration, and optimization, see [Network recommendations](network-requirements.md). -### Call static +You can also take advantage of these features in Azure Communication -When a caller or callee reports audio interference or background noise on a call, we typically classify this as a call audio static issue. These audio quality issues can be caused by the hardware in use, including the placement, positioning, and levels of the speaker and/or microphone at one end of the line. +- Enable logging via [diagnostic settings in Azure Monitor](../analytics/enable-logging.md). You can then view [call insights in your Azure resource](../analytics/insights/voice-and-video-insights.md). -Also, make sure that the application you're using for web calling is hosted on the latest SDK. For more information, see [Azure Communication Services Calling Web (JavaScript) SDK - Release History](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md). +- Improve audio quality in poor network environments by using [video constraints](video-constraints.md) to reduce the bandwidth that users of video streams consume. ++- Programmatically validate a client's readiness to join an Azure Communication Services call by using the [Pre-Call API](pre-call-diagnostics.md). You access this API through the Calling SDK. It provides multiple diagnostics, including device, connection, and call quality. This feature is currently available only for the web (JavaScript). 
++## Mid-call checkups -## Mid call check-ups +You can enable these Azure Communication Services features in web calling applications: -Developers can enable user facing diagnostics (UFD) in web calling applications. UFDs help the end customers see what is wrong with the call, such as an unreliable network connection or the microphone isn't responding. For more information about UFDs, see [User Facing Diagnostics](user-facing-diagnostics.md). +- [User Facing Diagnostics](user-facing-diagnostics.md): This feature helps users see what's wrong with a call, such as an unreliable network connection or a microphone that isn't responding. -You can enable media statistics on the web calling application to help debug and troubleshoot quality related issues on Azure Communication Services Web calling. Media statistics includes, round-trip time (RTT), bitrates, packet loss, jitter, and so on. Media statistics help engineers better understand the problem and the exact timing. For more information, see [Media quality statistics](media-quality-sdk.md). +- [Media quality statistics](media-quality-sdk.md): You can use this feature to debug and troubleshoot quality-related problems with Azure Communication Services calls. Media statistics include factors like RTT, bitrates, packet loss, and jitter. Media statistics help engineers better understand the problem and the exact timing. -Sometimes users have multiple browsers tabs with instances of Azure Communication Services running that can disrupt audio and video behavior on the target call. You can detect if a user has multiple instances running in a browser. For more information, see [How to detect if an application using Azure Communication Services' SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). +Sometimes users have instances of Azure Communication Services running on multiple browser tabs. This situation can disrupt audio and video behavior on the target call. 
You can detect if a user has multiple instances running in a browser. For more information, see [How to detect if an application using the Azure Communication Services SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). -## Post call check-ups +## Post-call checkups -You can check the log insights from the Azure portal for calling to determine the exact issue during the call. For more information, see [Query call logs](../analytics/query-call-logs.md). +You can check the log insights from the Azure portal to determine the exact problem during the call. For more information, see [Query call logs](../analytics/query-call-logs.md). -If you tried all the previous steps and still face quality issues, [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). If necessary, Microsoft can run a network check for your tenant to ensure call quality. +If you tried all the previous actions and still face quality problems, [create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). If necessary, Microsoft can run a network check for your tenant to help ensure call quality. -## End of call survey +## End of Call Survey -Enable End of Call surveys to give Azure Communication Services users the option to submit qualitative feedback about their call experience. +Enable the End of Call Survey feature to give Azure Communication Services users the option to submit qualitative feedback about their call experience. -For more information, see [End of Call Survey overview](end-of-call-survey-concept.md) and related tutorial [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). +For more information, see [End of Call Survey overview](end-of-call-survey-concept.md) and the related tutorial [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). 
-## Next steps +## Related content -For more information about using Call Quality Dashboard (CQD) to view interop call logs, see [Use CQD to manage call and meeting quality in Microsoft Teams](/microsoftteams/quality-of-experience-review-guide). +- For information about using Call Quality Dashboard (CQD) to view interoperability call logs, see [Use CQD to manage call and meeting quality in Microsoft Teams](/microsoftteams/quality-of-experience-review-guide). -For more information about Calling SDK error codes, see [Troubleshooting in Azure Communication Services](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). Use these codes to help determine why a call ended. +- For information about Calling SDK error codes, see [Troubleshooting in Azure Communication Services](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). Use these codes to help determine why a call ended. -To ensure smooth functioning of the application and provide better user experience, app developers should follow a checklist. For more information, see the [Checklist for advanced calling experiences in web browsers - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-communication-services/checklist-for-advanced-calling-experiences-in-web-browsers/ba-p/3266312). +- To ensure smooth functioning of the application and provide better user experience, app developers should follow a checklist. For more information, see the blog post [Checklist for advanced calling experiences in web browsers](https://techcommunity.microsoft.com/t5/azure-communication-services/checklist-for-advanced-calling-experiences-in-web-browsers/ba-p/3266312). -For more information about preparing your network or your customersΓÇÖ network, see [Network recommendations](network-requirements.md). - -For best practices regarding Azure Communication Services web calling, see [Best practices: Azure Communication Services calling SDKs](../best-practices.md). 
+- For more information about preparing your network or your customer's network, see [Network recommendations](network-requirements.md). +- For best practices regarding Azure Communication Services web calling, see [Best practices: Azure Communication Services calling SDKs](../best-practices.md). |
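Review bot: "the reason might be by packet loss due to excessive jitter on the line" in the new "Choppy or robotic-sounding audio" paragraph has a stray "by"; suggest "the reason might be packet loss due to excessive jitter on the line". In the same paragraph, "*Jitter* means that packets are received out of order" describes an effect rather than the term: jitter is variation in packet arrival timing, and out-of-order delivery or drops are what happens when the jitter buffer can't absorb it, so consider "*Jitter* is variation in the arrival time of packets; when it's severe, packets arrive out of order or are dropped."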
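Review bot: the new lead-in line "You can also take advantage of these features in Azure Communication" under "Pre-call checkups" is cut off before the product name and the colon that introduces the list; it should read "You can also take advantage of these features in Azure Communication Services:". The first bullet that follows, "reduce the bandwidth that users of video streams consume", carries over the garbled wording of the removed sentence ("reduce the number of bandwidth users video streams consume"); suggest "reduce the bandwidth that video streams consume".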
communication-services | Video Constraints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/video-constraints.md | Title: Azure Communication Services Video constraints- -description: Overview of Video Constraints + Title: Azure Communication Services Video Constraints ++description: Get an overview of the Video Constraints API. -# Video constraints +# Video Constraints -The Video constraints API is a powerful tool that enables developers to control the video quality from within their video calls. With this API, developers can set maximum video resolutions, frame rate, and bitrate used so that the call is optimized for the user's device and network conditions. The ACS video engine is optimized to allow the video quality to change dynamically based on devices ability and network quality. But there might be certain scenarios where you would want to have tighter control of the video quality that end users experience. For instance, there may be situations where the highest video quality isn't a priority, or you may want to limit the video bandwidth usage in the application. To support those use cases, you can use the Video Constraints API to have tighter control over video quality. +The Video Constraints API enables developers to control the video quality from within video calls. With this API, developers can set maximum video resolutions, frame rate, and bitrate so that the call is optimized for the user's device and network conditions. -Another benefit of the Video Constraints API is that it enables developers to optimize the video call for different devices. For example, if a user is using an older device with limited processing power, developers can set constraints on the video resolution to ensure that the video call runs smoothly on that device. 
+The Azure Communication Services video engine is optimized to allow the video quality to change dynamically based on a device's ability and the network quality. But there might be certain scenarios where the highest video quality isn't a priority, or you want to limit the video bandwidth usage in an application. To support those use cases, you can use the Video Constraints API to have tighter control over the video quality that users experience. ++Another benefit of the Video Constraints API is that it enables developers to optimize the video call for different devices. For example, if a user is using an older device with limited processing power, you can set constraints on the video resolution to ensure that the video call runs smoothly on that device. ## Supported constraints -| Platform | Supported Constraints | +| Platform | Supported constraints | | -- | -- |-| **Web** | **Incoming video**: resolution<br />**Outgoing video**: resolution, framerate, bitrate | -| **Android** | **Incoming video**: resolution<br />**Outgoing video**: resolution, framerate | -| **iOS** | **Incoming video**: resolution<br />**Outgoing video**: resolution, framerate | -| **Windows** | **Incoming video**: resolution<br />**Outgoing** video: resolution, framerate | --## Next steps -For more information, see the following articles: -- [Tutorial on how to enable video constraints](../../quickstarts/voice-video-calling/get-started-video-constraints.md)-- [Enable Media Quality Statistics in your application](./media-quality-sdk.md)-- Learn about [Calling SDK capabilities](../../quickstarts/voice-video-calling/getting-started-with-calling.md)+| **Web** | **Incoming video**: resolution<br />**Outgoing video**: resolution, frame rate, bitrate | +| **Android** | **Incoming video**: resolution<br />**Outgoing video**: resolution, frame rate | +| **iOS** | **Incoming video**: resolution<br />**Outgoing video**: resolution, frame rate | +| **Windows** | **Incoming video**: resolution<br 
/>**Outgoing video**: resolution, frame rate | ++## Related content ++- [Quickstart: Set video constraints in your calling app](../../quickstarts/voice-video-calling/get-started-video-constraints.md) +- [Enable media quality statistics in your application](./media-quality-sdk.md) +- [Quickstart: Add voice calling to your app](../../quickstarts/voice-video-calling/getting-started-with-calling.md) |
container-apps | Azure Arc Enable Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/azure-arc-enable-cluster.md | This tutorial will show you how to enable Azure Container Apps on your Arc-enabl - If you don't have one, you [can create one for free](https://azure.microsoft.com/free/). - Install the [Azure CLI](/cli/azure/install-azure-cli). - Access to a public or private container registry, such as the [Azure Container Registry](/azure/container-registry/).+- Review the [requirements and limitations](azure-arc-overview.md) of the public preview. Of particular importance are the cluster requirements. ## Setup A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) pr ## Install the Container Apps extension +> [!IMPORTANT] +> If deploying onto **AKS-HCI** ensure that you have [setup HAProxy as your load balancer](/azure/aks/hybrid/configure-load-balancer) before attempting to install the extension. + 1. Set the following environment variables to the desired name of the [Container Apps extension](azure-arc-create-container-app.md), the cluster namespace in which resources should be provisioned, and the name for the Azure Container Apps connected environment. Choose a unique name for `<connected-environment-name>`. The connected environment name will be part of the domain name for app you'll create in the Azure Container Apps connected environment. # [Azure CLI](#tab/azure-cli) |
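Review bot: in the added IMPORTANT callout, "setup HAProxy" uses the noun where the verb "set up" is needed, and the conditional clause lacks its comma; suggest "If you're deploying onto **AKS-HCI**, ensure that you have [set up HAProxy as your load balancer](/azure/aks/hybrid/configure-load-balancer) before you install the extension." The identical callout is added to azure-arc-overview.md in this change set, so apply the same wording in both files.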
container-apps | Azure Arc Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/azure-arc-overview.md | The following public preview limitations apply to Azure Container Apps on Azure ||| | Supported Azure regions | East US, West Europe, East Asia | | Cluster networking requirement | Must support [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) service type |+| Node OS requirement | **Linux** only. | | Feature: Managed identities | [Not available](#are-managed-identities-supported) | | Feature: Pull images from ACR with managed identity | Not available (depends on managed identities) | | Logs | Log Analytics must be configured with cluster extension; not per-application | +> [!IMPORTANT] +> If deploying onto **AKS-HCI** ensure that you have [setup HAProxy as your load balancer](/azure/aks/hybrid/configure-load-balancer) before attempting to install the extension. + ## Resources created by the Container Apps extension When the Container Apps extension is installed on the Azure Arc-enabled Kubernetes cluster, several resources are created in the specified release namespace. These resources enable your cluster to be an extension of the `Microsoft.App` resource provider to support the management and operation of your apps. The following table describes the role of each revision created for you: - [Are there any scaling limits?](#are-there-any-scaling-limits) - [What logs are collected?](#what-logs-are-collected) - [What do I do if I see a provider registration error?](#what-do-i-do-if-i-see-a-provider-registration-error)+- [Can the extension be installed on Windows nodes?](#can-the-extension-be-installed-on-windows-nodes) - [Can I deploy the Container Apps extension on an Arm64 based cluster?](#can-i-deploy-the-container-apps-extension-on-an-arm64-based-cluster) ### How much does it cost? By default, logs from system components are sent to the Azure team. 
Application As you create an Azure Container Apps connected environment resource, some subscriptions might see the "No registered resource provider found" error. The error details might include a set of locations and API versions that are considered valid. If this error message is returned, the subscription must be re-registered with the `Microsoft.App` provider. Re-registering the provider has no effect on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.App --wait`. Then reattempt the connected environment command. +## Can the extension be installed on Windows nodes? ++No, the extension cannot be installed on Windows nodes. The extension supports installation on **Linux** nodes **only**. + ### Can I deploy the Container Apps extension on an Arm64 based cluster? Arm64 based clusters aren't supported at this time. |
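Review bot: The added FAQ entry "## Can the extension be installed on Windows nodes?" is a level-2 heading, while the surrounding FAQ entries ("### How much does it cost?", "### Can I deploy the Container Apps extension on an Arm64 based cluster?") are level 3; as written it closes the FAQ section early, and the new list link `#can-the-extension-be-installed-on-windows-nodes` lands on a heading at the wrong level. Change it to `### Can the extension be installed on Windows nodes?` so it nests with the other questions.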
container-apps | Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/containers.md | Azure Container Apps supports: - Any Linux-based x86-64 (`linux/amd64`) container image - Containers from any public or private container registry-- [Sidecar](#sidecar-containers) and [init](#init-containers) containers+- Optional [sidecar](#sidecar-containers) and [init](#init-containers) containers Features also include: -- Changes to the `template` configuration section trigger a new [container app revision](application-lifecycle-management.md).+- Apps use the `template` configuration section to define the container image and other settings. Changes to the `template` configuration section trigger a new [container app revision](application-lifecycle-management.md). - If a container crashes, it automatically restarts. Jobs features include: Azure Container Apps has the following limitations: - **Operating system**: Linux-based (`linux/amd64`) container images are required. +- **Maximum image size**: + - Consumption workload profile supports container images totaling up to 8GB for each app or job replica. + - Dedicated workload profiles support larger container images. Because a Dedicated workload profile can run multiple apps or jobs, multiple container images share the available disk space. The actual supported image size varies based on resources consumed by other apps and jobs. + ## Next steps > [!div class="nextstepaction"] |
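Review bot: In the new "Maximum image size" bullets, "8GB" should be written "8 GB" (space between number and unit, as elsewhere in this doc set), and the Dedicated bullet says only that it supports "larger" images with no figure at all; either state the disk size that apps and jobs on a Dedicated profile share, or say explicitly that there is no fixed per-image limit, so the reader has something to size against.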
container-apps | Hardware | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/hardware.md | - Title: Hardware reference in Azure Container Apps -description: Learn about hardware specifications in Container Apps ----- Previously updated : 08/30/2023---# Azure Container Apps hardware reference --Workload profiles in Azure Container Apps run on specialized hardware with specific restrictions. Use the following information to help you select the workload profile most appropriate for your application. --## Image size limit ---For more information on differences in hardware selection, see the [workload profiles overview](workload-profiles-overview.md). --## Next steps --> [!div class="nextstepaction"] -> [Quotas](quotas.md) |
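Review bot: This removes articles/container-apps/hardware.md outright, with its "Image size limit" content moving to the new "Maximum image size" limitation in containers.md; add a redirect from hardware.md to the new location so existing inbound links and bookmarks (including the `#image-size-limit` anchor) don't break, and check that no other article in the set still links to the deleted page.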
container-apps | Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/metrics.md | The metrics explorer in the Azure portal allows you to visualize the data. You c Container Apps provides these basic metrics. -| Category | Title | Description | Metric ID | Unit | +| Title | Dimensions | Description | Metric ID | Unit | |--|--|--|--|--|-| Basic | CPU Usage | CPU consumed by the container app, in nano cores (1,000,000,000 nanocores = 1 core) | UsageNanoCores | `nanocores` | -| Basic | Memory Working Set Bytes | Container app working set memory used in bytes | `WorkingSetBytes` | bytes | -| Basic | Network In Bytes | Network received bytes | `RxBytes` | bytes | -| Basic | Network Out Bytes | Network transmitted bytes | `TxBytes` | bytes | -| Basic | Replica count | Number of active replicas | `Replicas` | n/a | -| Basic | Replica Restart Count | Restarts count of container app replicas | `RestartCount` | n/a | -| Basic | Requests | Requests processed | `Requests` | n/a | -| Basic | Reserved Cores | Number of reserved cores for container app revisions | `CoresQuotaUsed` | n/a | -| Basic | Resiliency Connection Timeouts | Total connection timeouts | `ResiliencyConnectTimeouts` | n/a | -| Basic | Resiliency Ejected Hosts | Number of currently ejected hosts | `ResiliencyEjectedHosts` | n/a | -| Basic | Resiliency Ejections Aborted | Number of ejections aborted due to the max ejection % | `ResiliencyEjectionsAborted` | n/a | -| Basic | Resiliency Request Retries | Total request retries | `ResiliencyRequestRetries` | n/a | -| Basic | Resiliency Request Timeouts | Total requests that timed out waiting for a response | `ResiliencyRequestTimeouts` | n/a | -| Basic | Resiliency Requests Pending Connection Pool | Total requests pending a connection pool connection | `ResiliencyRequestsPendingConnectionPool` | n/a | -| Basic | Total Reserved Cores | Total cores reserved for the container app | `TotalCoresQuotaUsed` | n/a | +| CPU Usage | 
Replica, Revision | CPU consumed by the container app, in nano cores (1,000,000,000 nanocores = 1 core) | `UsageNanoCores` | nanocores | +| Memory Working Set Bytes | Replica, Revision | Container app working set memory used in bytes | `WorkingSetBytes` | bytes | +| Network In Bytes | Replica, Revision | Network received bytes | `RxBytes` | bytes | +| Network Out Bytes | Replica, Revision | Network transmitted bytes | `TxBytes` | bytes | +| Replica count | Revision | Number of active replicas | `Replicas` | n/a | +| Replica Restart Count | Replica, Revision | Restarts count of container app replicas | `RestartCount` | n/a | +| Requests | Replica, Revision, Status Code, Status Code Category | Requests processed | `Requests` | n/a | +| Reserved Cores | Revision | Number of reserved cores for container app revisions | `CoresQuotaUsed` | n/a | +| Resiliency Connection Timeouts | Revision | Total connection timeouts | `ResiliencyConnectTimeouts` | n/a | +| Resiliency Ejected Hosts | Revision | Number of currently ejected hosts | `ResiliencyEjectedHosts` | n/a | +| Resiliency Ejections Aborted | Revision | Number of ejections aborted due to the max ejection % | `ResiliencyEjectionsAborted` | n/a | +| Resiliency Request Retries | Revision | Total request retries | `ResiliencyRequestRetries` | n/a | +| Resiliency Request Timeouts | Revision | Total requests that timed out waiting for a response | `ResiliencyRequestTimeouts` | n/a | +| Resiliency Requests Pending Connection Pool | Replica | Total requests pending a connection pool connection | `ResiliencyRequestsPendingConnectionPool` | n/a | +| Total Reserved Cores | None | Total cores reserved for the container app | `TotalCoresQuotaUsed` | n/a | The metrics namespace is `microsoft.app/containerapps`. |
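Review bot: The rewritten table replaces the "Category" column with "Dimensions" but never says what a dimension is; add a sentence after the table (or in the lead-in, which still says "these basic metrics") stating that Replica, Revision, Status Code and Status Code Category are the dimensions you can filter and split a metric by in metrics explorer. The new rows also fix the old inconsistency where `UsageNanoCores` lacked backticks while its unit `nanocores` had them; keep the Unit column plain text throughout, as the new rows do.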
data-factory | Connector Sharepoint Online List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-sharepoint-online-list.md | The following properties are supported for a SharePoint Online List linked servi | type | The type property must be set to:ΓÇ»**SharePointOnlineList**. | Yes | | siteUrl | The SharePoint Online site url, e.g. `https://contoso.sharepoint.com/sites/siteName`. | Yes | | servicePrincipalId | The Application (client) ID of the application registered in Microsoft Entra ID. | Yes |-| servicePrincipalCredentialType | Specify the credential type to use for service principal authentication. Allowed values are `ServicePrincipalKey` and `ServicePrincipalCert`. | No | -| ***For ServicePrincipalKey*** | | | -| servicePrincipalKey | The application's key. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [section](#grant-permission-for-using-service-principal-key) for more details including the permission settings. | No | +| servicePrincipalCredentialType | Specify the credential type to use for service principal authentication. Allowed values are `ServicePrincipalCert` and `ServicePrincipalKey`. | No | | ***For ServicePrincipalCert*** | | |-| servicePrincipalEmbeddedCert | Specify the base64 encoded certificate of your application registered in Microsoft Entra ID, and ensure the certificate content type is **PKCS #12**. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [article](/sharepoint/dev/solution-guidance/security-apponly-azuread) for permission settings.| No | +| servicePrincipalEmbeddedCert | Specify the base64 encoded certificate of your application registered in Microsoft Entra ID, and ensure the certificate content type is **PKCS #12**. 
Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). You need to configure the permission settings referring this [article](/sharepoint/dev/solution-guidance/security-apponly-azuread).| No | | servicePrincipalEmbeddedCertPassword | Specify the password of your certificate if your certificate is secured with a password. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |+| ***For ServicePrincipalKey*** | | | +| servicePrincipalKey | The application's key. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [section](#grant-permission-for-using-service-principal-key) for more details including the permission settings.| No | | | | | | tenantId | The tenant ID under which your application resides. | Yes | | connectVia | The [Integration Runtime](concepts-integration-runtime.md) to use to connect to the data store. If not specified, the default Azure Integration Runtime is used. | No | +>[!Note] +>If you are using service principal key authentication, which is based on Azure ACS (Access Control Services), we recommend switching to the **service principal certificate authentication** due to the [ACS retirement plan](/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs). + **Example 1: Using service principal key authentication** ```json The following properties are supported for a SharePoint Online List linked servi } } ```+ ### Grant permission for using service principal key The SharePoint List Online connector uses service principal authentication to connect to SharePoint. 
Follow these steps to set it up: The SharePoint List Online connector uses service principal authentication to co ``` :::image type="content" source="media/connector-sharepoint-online-list/sharepoint-online-grant-permission-admin.png" alt-text="Grant SharePoint Online site permission to your registered application when you have site admin role.":::- + > [!NOTE] > In the context of configuring the SharePoint connector, the "App Domain" and "Redirect URL" refer to the SharePoint app that you have registered in Microsoft Entra ID to allow access to your SharePoint data. The "App Domain" is the domain where your SharePoint site is hosted. For example, if your SharePoint site is located at "https://contoso.sharepoint.com", then the "App Domain" would be "contoso.sharepoint.com". The "Redirect URL" is the URL that the SharePoint app will redirect to after the user has authenticated and granted permissions to the app. This URL should be a page on your SharePoint site that the app has permission to access. For example, you could use the URL of a page that displays a list of files in a library, or a page that displays the contents of a document. |
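Review bot: The new note steers readers away from service principal key (ACS-based) authentication, yet "Example 1: Using service principal key authentication" still comes first; reorder the examples so the certificate example leads, matching the reordered property table. In the same hunk, the callout is written `>[!Note]` while the rest of this article uses `> [!NOTE]`, and "You need to configure the permission settings referring this article" should read "Refer to this article to configure the permission settings". The "Grant permission for using service principal key" section still opens with "uses service principal authentication to connect", which now covers both credential types; say "service principal key authentication" there so it is clear which method the steps apply to.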
event-hubs | Apache Kafka Developer Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/apache-kafka-developer-guide.md | See the following quickstarts in the **azure-event-hubs-for-kafka** repo: | [Go](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/go) | <p>This quickstart will show how to create and connect to an Event Hubs Kafka endpoint using an example producer and consumer written in Go.</p><p>This sample is based on [Confluent's Apache Kafka Golang client](https://github.com/confluentinc/confluent-kafka-go), modified for use with Event Hubs for Kafka.</p>| | [Sarama kafka Go](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/go-sarama-client) | This quickstart will show how to create and connect to an Event Hubs Kafka endpoint using an example producer and consumer written in Go using the [Sarama Kafka client](https://github.com/Shopify/sarama) library. | | [Kafka](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/kafka-cli) | This quickstart will show how to create and connect to an Event Hubs Kafka endpoint using the CLI that comes bundled with the Apache Kafka distribution.| -| [Kafkacat](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/kafkacat) | kafkacat is a non-JVM command-line consumer and producer based on librdkafka, popular due to its speed and small footprint. This quickstart contains a sample configuration and several simple sample kafkacat commands. | +| [kcat](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/kafkacat) | kcat is a non-JVM command-line consumer and producer based on librdkafka, popular due to its speed and small footprint. This quickstart contains a sample configuration and several simple sample kafkacat commands. 
| ### Quickstarts in DOCS See the quickstart: [Data streaming with Event Hubs using the Kafka protocol](event-hubs-quickstart-kafka-enabled-event-hubs.md) in this content set, which provides step-by-step instructions on how to stream into Event Hubs. You learn how to use your producers and consumers to talk to Event Hubs with just a configuration change in your applications. |
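Review bot: The row's link text is renamed from Kafkacat to kcat, but the last sentence of the same cell still reads "several simple sample kafkacat commands"; change it to "kcat commands" for consistency (the `quickstart/kafkacat` path in the URL can stay, since that is the folder name in the repo).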
expressroute | Expressroute Locations Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations-providers.md | The following table shows connectivity locations and the service providers for e | Location | Address | Zone | Local Azure regions | ER Direct | Service providers | |--|--|--|--|--|--| | **Abu Dhabi** | Etisalat KDC | 3 | UAE Central | ✓ | |-| **Amsterdam** | [Equinix AM5](https://www.equinix.com/locations/europe-colocation/netherlands-colocation/amsterdam-data-centers/am5/) | 1 | West Europe | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>Colt<br/>Deutsche Telekom AG<br/>Equinix<br/>euNetworks<br/>G├ëANT<br/>GlobalConnect<br/>InterCloud<br/>Interxion (Digital Realty)<br/>KPN<br/>IX Reach<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>Tata Communications<br/>Telecom Italia Sparkle<br/>Telefonica<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Zayo | +| **Amsterdam** | [Equinix AM5](https://www.equinix.com/locations/europe-colocation/netherlands-colocation/amsterdam-data-centers/am5/) | 1 | West Europe | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>Colt<br/>China Unicom Global<br/>Deutsche Telekom AG<br/>Equinix<br/>euNetworks<br/>G├ëANT<br/>GlobalConnect<br/>InterCloud<br/>Interxion (Digital Realty)<br/>KPN<br/>IX Reach<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>Tata Communications<br/>Telecom Italia Sparkle<br/>Telefonica<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Zayo | | **Amsterdam2** | [Interxion AMS8](https://www.interxion.com/Locations/amsterdam/schiphol/) | 1 | West Europe | ✓ | BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cinia<br/>Colt<br/>DE-CIX<br/>Equinix<br/>euNetworks<br/>G├ëANT<br/>Interxion (Digital Realty)<br/>Megaport<br/>NL-IX<br/>NOS<br/>NTT Global DataCenters EMEA<br/>Orange<br/>Vodafone | | **Atlanta** | [Equinix 
AT1](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/atlanta-data-centers/at1) | 1 | ✗ | ✓ | Equinix<br/>Megaport<br/>Momentum Telecom<br/>PacketFabric | | **Auckland** | [Vocus Group NZ Albany](https://www.vocus.co.nz/business/cloud-data-centres) | 2 | ✗ | ✓ | Devoli<br/>Kordia<br/>Megaport<br/>REANNZ<br/>Spark NZ<br/>Vocus Group NZ | The following table shows connectivity locations and the service providers for e | **Chennai** | Tata Communications | 2 | South India | ✓ | BSNL<br/>DE-CIX<br/>Global CloudXchange (GCX)<br/>Lightstorm<br/>SIFY<br/>Tata Communications<br/>VodafoneIdea | | **Chennai2** | Airtel | 2 | South India | ✓ | Airtel | | **Chicago** | [Equinix CH1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/chicago-data-centers/ch1/) | 1 | North Central US | ✓ | Aryaka Networks<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Colt<br/>Comcast<br/>Coresite<br/>Equinix<br/>InterCloud<br/>Internet2<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>PacketFabric<br/>PCCW Global Limited<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo |-| **Chicago2** | [CoreSite CH1](https://www.coresite.com/data-center/ch1-chicago-il) | 1 | North Central US | ✓ | CoreSite<br/>DE-CIX | +| **Chicago2** | [CoreSite CH1](https://www.coresite.com/data-center/ch1-chicago-il) | 1 | North Central US | ✓ | CoreSite<br/>DE-CIX<br/>Megaport<br/>Momentum Telecom | | **Copenhagen** | [Interxion CPH1](https://www.interxion.com/Locations/copenhagen/) | 1 | ✗ | ✓ | DE-CIX<br/>GlobalConnect<br/>Interxion (Digital Realty) | #### [D-I](#tab/d-h) The following table shows connectivity locations and the service providers for e | Location | Address | Zone | Local Azure regions | ER Direct | Service providers | |--|--|--|--|--|--| | **Dallas** | [Equinix 
DA3](https://www.equinix.com/locations/americas-colocation/united-states-colocation/dallas-data-centers/da3/)<br/>[Equinix DA6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/dallas-data-centers/da6) | 1 | ✗ | ✓ | Aryaka Networks<br/>AT&T Connectivity Plus<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>Cologix<br/>Cox Business Cloud Port<br/>Equinix<br/>GTT<br/>Intercloud<br/>Internet2<br/>Level 3 Communications<br/>MCM Telecom<br/>Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>Orange<br/>PacketFabric<br/>Telmex Uninet<br/>Telia Carrier<br/>Telefonica<br/>Transtelco<br/>Verizon<br/>Vodafone<br/>Zayo |-| **Dallas2** | [Digital Realty DFW10](https://www.digitalrealty.com/data-centers/americas/dallas/dfw10) | 1 | ✗ | ✓ | Digital Realty | -| **Denver** | [CoreSite DE1](https://www.coresite.com/data-centers/locations/denver/de1) | 1 | West Central US | ✓ | CoreSite<br/>Megaport<br/>PacketFabric<br/>Zayo | +| **Dallas2** | [Digital Realty DFW10](https://www.digitalrealty.com/data-centers/americas/dallas/dfw10) | 1 | ✗ | ✓ | Digital Realty<br/>Momentum Telecom | +| **Denver** | [CoreSite DE1](https://www.coresite.com/data-centers/locations/denver/de1) | 1 | West Central US | ✓ | CoreSite<br/>Megaport<br/>Momentum Telecom<br/>PacketFabric<br/>Zayo | | **Doha** | [MEEZA MV2](https://www.meeza.net/services/data-centre-services/) | 3 | Qatar Central | ✓ | Ooredoo Cloud Connect<br/>Vodafone | | **Doha2** | [Ooredoo](https://www.ooredoo.qa/) | 3 | Qatar Central | ✓ | Ooredoo Cloud Connect | | **Dubai** | [PCCS](http://www.pacificcontrols.net/cloudservices/) | 3 | UAE North | ✓ | Etisalat UAE | The following table shows connectivity locations and the service providers for e | Location | Address | Zone | Local Azure regions | ER Direct | Service providers | |--|--|--|--|--|--|-| **Jakarta** | [Telin](https://www.telin.net/) | 4 | ✗ | ✓ | NTT Communications<br/>Telin<br/>XL Axiata | +| **Jakarta** | [Telin](https://www.telin.net/) | 4 | 
✗ | ✓ | DCI Indonesia<br/>DE-CIX<br/>NTT Communications<br/>NTT Indonesia<br/>Telin<br/>XL Axiata | | **Johannesburg** | [Teraco JB1](https://www.teraco.co.za/data-centre-locations/johannesburg/#jb1) | 3 | South Africa North | ✓ | BCX<br/>British Telecom<br/>Internet Solutions - Cloud Connect<br/>Liquid Telecom<br/>MTN Business<br/>MTN Global Connect<br/>Orange<br/>Teraco<br/>Vodacom | | **Kuala Lumpur** | [TIME dotCom Menara AIMS](https://www.time.com.my/enterprise/connectivity/direct-cloud) | 2 | ✗ | ✗ | DE-CIX<br/>TIME dotCom | | **Las Vegas** | [Switch LV](https://www.switch.com/las-vegas) | 1 | ✗ | ✓ | CenturyLink Cloud Connect<br/>Megaport<br/>PacketFabric |-| **London** | [Equinix LD5](https://www.equinix.com/locations/europe-colocation/united-kingdom-colocation/london-data-centers/ld5/) | 1 | UK South | ✓ | AT&T NetBond<br/>Bezeq International<br/>British Telecom<br/>CenturyLink<br/>Colt<br/>Equinix<br/>euNetworks<br/>Intelsat<br/>InterCloud<br/>Internet Solutions - Cloud Connect<br/>Interxion (Digital Realty)<br/>Jisc<br/>Level 3 Communications<br/>Megaport<br/>MTN<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>Tata Communications<br/>Telehouse - KDDI<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo | -| **London2** | [Telehouse North Two](https://www.telehouse.net/data-centres/emea/uk-data-centres/london-data-centres/north-two) | 1 | UK South | ✓ | BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Equinix<br/>Epsilon Global Communications<br/>GTT<br/>Interxion (Digital Realty)<br/>IX Reach<br/>JISC<br/>Megaport<br/>NTT Global DataCenters EMEA<br/>Ooredoo Cloud Connect<br/>Orange<br/>SES<br/>Sohonet<br/>Telehouse - KDDI<br/>Zayo<br/>Vodafone | -| **Los Angeles** | [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) | 1 | ✗ | ✓ | AT&T Dynamic Exchange<br/>CoreSite<br/>China Unicom Global<br/>Cloudflare<br/>Equinix*<br/>Megaport<br/>Neutrona 
Networks<br/>NTT<br/>Zayo</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* | +| **London** | [Equinix LD5](https://www.equinix.com/locations/europe-colocation/united-kingdom-colocation/london-data-centers/ld5/) | 1 | UK South | ✓ | AT&T NetBond<br/>Bezeq International<br/>British Telecom<br/>CenturyLink<br/>Colt<br/>Equinix<br/>euNetworks<br/>Intelsat<br/>InterCloud<br/>Internet Solutions - Cloud Connect<br/>Interxion (Digital Realty)<br/>Jisc<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>MTN<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>Tata Communications<br/>Telehouse - KDDI<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo | +| **London2** | [Telehouse North Two](https://www.telehouse.net/data-centres/emea/uk-data-centres/london-data-centres/north-two) | 1 | UK South | ✓ | BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Equinix<br/>Epsilon Global Communications<br/>GTT<br/>Interxion (Digital Realty)<br/>IX Reach<br/>JISC<br/>Megaport<br/>NTT Global DataCenters EMEA<br/>Ooredoo Cloud Connect<br/>Orange<br/>SES<br/>Sohonet<br/>Tata Communications<br/>Telehouse - KDDI<br/>Zayo<br/>Vodafone | +| **Los Angeles** | [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) | 1 | ✗ | ✓ | AT&T Dynamic Exchange<br/>CoreSite<br/>China Unicom Global<br/>Cloudflare<br/> Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>NTT<br/>Zayo</br></br> | | **Los Angeles2** | [Equinix LA1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/los-angeles-data-centers/la1/) | 1 | ✗ | ✓ | Crown Castle<br/>Equinix<br/>GTT<br/>PacketFabric |-| **Madrid** | [Interxion MAD1](https://www.interxion.com/es/donde-estamos/europa/madrid) | 1 | ✗ | ✓ | DE-CIX<br/>InterCloud<br/>Interxion (Digital Realty)<br/>Megaport<br/>Telefonica | -| **Madrid2** | [Equinix 
MD2](https://www.equinix.com/data-centers/europe-colocation/spain-colocation/madrid-data-centers/md2) | 1 | ✗ | ✓ | Equinix | +| **Madrid** | [Interxion MAD1](https://www.interxion.com/es/donde-estamos/europa/madrid) | 1 | ✗ | ✓ | DE-CIX<br/>GTT<br/>InterCloud<br/>Interxion (Digital Realty)<br/>Megaport<br/>Telefonica | +| **Madrid2** | [Equinix MD2](https://www.equinix.com/data-centers/europe-colocation/spain-colocation/madrid-data-centers/md2) | 1 | ✗ | ✓ | Equinix<br/>G├ëANT<br/>Intercloud | | **Marseille** | [Interxion MRS1](https://www.interxion.com/Locations/marseille/) | 1 | France South | ✗ | Colt<br/>DE-CIX<br/>GEANT<br/>Interxion (Digital Realty)<br/>Jaguar Network<br/>Ooredoo Cloud Connect | | **Melbourne** | [NextDC M1](https://www.nextdc.com/data-centres/m1-melbourne-data-centre) | 2 | Australia Southeast | ✓ | AARNet<br/>Devoli<br/>Equinix<br/>Megaport<br/>NETSG<br/>NEXTDC<br/>Optus<br/>Orange<br/>Telstra Corporation<br/>TPG Telecom | | **Miami** | [Equinix MI1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/miami-data-centers/mi1/) | 1 | ✗ | ✓ | AT&T Dynamic Exchange<br/>Claro<br/>C3ntro<br/>Equinix<br/>Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>PitChile | | **Milan** | [IRIDEOS](https://irideos.it/en/data-centers/) | 1 | Italy North | ✓ | Colt<br/>Equinix<br/>Fastweb<br/>IRIDEOS<br/>Noovle<br/>Retelit<br/>Vodafone | | **Milan2** | [DATA4](https://www.data4group.com/it/data-center-a-milano-italia/) | 1 | Italy North | ✓ | |-| **Minneapolis** | [Cologix MIN1](https://www.cologix.com/data-centers/minneapolis/min1/) and [Cologix MIN3](https://www.cologix.com/data-centers/minneapolis/min3/) | 1 | ✗ | ✓ | Cologix<br/>Megaport | +| **Minneapolis** | [Cologix MIN1](https://www.cologix.com/data-centers/minneapolis/min1/) and [Cologix MIN3](https://www.cologix.com/data-centers/minneapolis/min3/) | 1 | ✗ | ✓ | Cologix<br/>Megaport<br/>Zayo | | **Montreal** | [Cologix 
MTL3](https://www.cologix.com/data-centers/montreal/mtl3/)<br/>[Cologix MTL7](https://cologix.com/data-centers/montreal/mtl7/) | 1 | ✗ | ✓ | Bell Canada<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Fibrenoire<br/>Megaport<br/>RISQ<br/>Telus<br/>Zayo | | **Mumbai** | Tata Communications | 2 | West India | ✓ | BSNL<br/>British Telecom<br/>DE-CIX<br/>Global CloudXchange (GCX)<br/>InterCloud<br/>Lightstorm<br/>Reliance Jio<br/>Sify<br/>Tata Communications<br/>Verizon | | **Mumbai2** | Airtel | 2 | West India | ✓ | Airtel<br/>Equinix<br/>Sify<br/>Orange<br/>Vodafone Idea | The following table shows connectivity locations and the service providers for e | **Phoenix** | [EdgeConneX PHX01](https://www.cyrusone.com/data-centers/north-america/arizona/phx1-phx8-phoenix) | 1 | West US 3 | ✓ | AT&T NetBond<br/>Cox Business Cloud Port<br/>CenturyLink Cloud Connect<br/>DE-CIX<br/>Megaport<br/>Zayo | | **Phoenix2** | [PhoenixNAP](https://phoenixnap.com/) | 1 | West US 3 | ✓ | | | **Portland** | [EdgeConnex POR01](https://www.edgeconnex.com/locations/north-america/portland-or/) | 1 | West US 2 | ✓ | |-| **Pune** | [STT GDC Pune DC1](https://www.sttelemediagdc.in/our-data-centres-in-india) | 2 | Central India | ✓ | Airtel<br/>Lightstorm<br/>Tata Communications | +| **Pune** | [STT GDC Pune DC1](https://www.sttelemediagdc.in/our-data-centres-in-india) | 2 | Central India | ✓ | Airtel<br/>Lightstorm<br/>SIFY<br/>Tata Communications | | **Quebec City** | [Vantage](https://vantage-dc.com/data_centers/quebec-city-data-center-campus/) | 1 | Canada East | ✓ | Bell Canada<br/>Equinix<br/>Megaport<br/>RISQ<br/>Telus | | **Queretaro (Mexico)** | [KIO Networks QR01](https://www.kionetworks.com/es-mx/) | 4 | ✗ | ✓ | Cirion Technologies<br/>Equinix<br/>KIO<br/>MCM Telecom<br/>Megaport<br/>Transtelco | | **Quincy** | Sabey Datacenter - Building A | 1 | West US 2 | ✓ | | The following table shows connectivity locations and the service providers for e |--|--|--|--|--|--| | **Rio de Janeiro** | 
[Equinix-RJ2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/rio-de-janeiro-data-centers/rj2/) | 3 | Brazil Southeast | ✓ | Cirion Technologies<br/>Equinix | | **San Antonio** | [CyrusOne SA1](https://cyrusone.com/locations/texas/san-antonio-texas/) | 1 | South Central US | ✓ | CenturyLink Cloud Connect<br/>Megaport<br/>Zayo |-| **Santiago** | [EdgeConnex SCL](https://www.edgeconnex.com/locations/south-america/santiago/) | 3 | ✗ | ✓ | Cirion Technologies<br/>PitChile | +| **Santiago** | [EdgeConnex SCL](https://www.edgeconnex.com/locations/south-america/santiago/) | 3 | ✗ | ✓ | Cirion Technologies<br/>Equinix<br/>PitChile | | **Sao Paulo** | [Equinix SP2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/sao-paulo-data-centers/sp2/) | 3 | Brazil South | ✓ | Aryaka Networks<br/>Ascenty Data Centers<br/>British Telecom<br/>Equinix<br/>InterCloud<br/>Level 3 Communications<br/>Neutrona Networks<br/>Orange<br/>RedCLARA<br/>Tata Communications<br/>Telefonica<br/>UOLDIVEO | | **Sao Paulo2** | [TIVIT TSM](https://www.tivit.com/en/tivit/) | 3 | Brazil South | ✓ | Ascenty Data Centers<br/>Tivit | | **Seattle** | [Equinix SE2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/seattle-data-centers/se2/) | 1 | West US 2 | ✓ | Aryaka Networks<br/>CenturyLink Cloud Connect<br/>DE-CIX<br/>Digital Realty<br/>Equinix<br/>Level 3 Communications<br/>Megaport<br/>Pacific Northwest Gigapop<br/>PacketFabric<br/>Telus<br/>Zayo | | **Seoul** | [KINX Gasan IDC](https://www.kinx.net/?lang=en) | 2 | Korea Central | ✓ | KINX<br/>KT<br/>LG CNS<br/>LGUplus<br/>Equinix<br/>Sejong Telecom<br/>SK Telecom | | **Seoul2** | [KT IDC](https://www.kt-idc.com/eng/introduce/sub1_4_10.jsp#tab) | 2 | Korea Central | ✗ | KT |-| **Silicon Valley** | [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) | 1 | West US | ✓ | Aryaka Networks<br/>AT&T Dynamic 
Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>China Unicom Global<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Digital Realty<br/>Equinix<br/>InterCloud<br/>Internet2<br/>IX Reach<br/>Packet<br/>PacketFabric<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>Orange<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo | -| **Silicon Valley2** | [Coresite SV7](https://www.coresite.com/data-centers/locations/silicon-valley/sv7) | 1 | West US | ✓ | Colt<br/>Coresite | -| **Singapore** | [Equinix SG1](https://www.equinix.com/data-centers/asia-pacific-colocation/singapore-colocation/singapore-data-center/sg1) | 2 | Southeast Asia | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>China Mobile International<br/>Epsilon Global Communications<br/>Equinix<br/>GTT<br/>InterCloud<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>SingTel<br/>Tata Communications<br/>Telstra Corporation<br/>Telefonica<br/>Verizon<br/>Vodafone | -| **Singapore2** | [Global Switch Tai Seng](https://www.globalswitch.com/locations/singapore-data-centres/) | 2 | Southeast Asia | ✓ | CenturyLink Cloud Connect<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Epsilon Global Communications<br/>Equinix<br/>Lightstorm<br/>Megaport<br/>PCCW Global Limited<br/>SingTel<br/>Telehouse - KDDI | +| **Silicon Valley** | [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) | 1 | West US | ✓ | Aryaka Networks<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>China Unicom Global<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Digital Realty<br/>Equinix<br/>InterCloud<br/>Internet2<br/>IX Reach<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>Orange<br/>Packet<br/>Sprint<br/>Tata Communications<br/>Telia 
Carrier<br/>Verizon<br/>Vodafone<br/>Zayo | +| **Silicon Valley2** | [Coresite SV7](https://www.coresite.com/data-centers/locations/silicon-valley/sv7) | 1 | West US | ✓ | Colt<br/>Coresite<br/>Momentum Telecom | +| **Singapore** | [Equinix SG1](https://www.equinix.com/data-centers/asia-pacific-colocation/singapore-colocation/singapore-data-center/sg1) | 2 | Southeast Asia | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>China Mobile International<br/>China Telecom Global<br/>Epsilon Global Communications<br/>Equinix<br/>GTT<br/>IPC<br/>InterCloud<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>SingTel<br/>Tata Communications<br/>Telstra Corporation<br/>Telefonica<br/>Verizon<br/>Vodafone | +| **Singapore2** | [Global Switch Tai Seng](https://www.globalswitch.com/locations/singapore-data-centres/) | 2 | Southeast Asia | ✓ | CenturyLink Cloud Connect<br/>China Mobile International<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Digital Realty<br/>Epsilon Global Communications<br/>Equinix<br/>Lightstorm<br/>Megaport<br/>PCCW Global Limited<br/>SingTel<br/>Telehouse - KDDI | | **Stavanger** | [Green Mountain DC1](https://greenmountain.no/dc1-stavanger/) | 1 | Norway West | ✓ | GlobalConnect<br/>Megaport<br/>Telenor | | **Stockholm** | [Equinix SK1](https://www.equinix.com/locations/europe-colocation/sweden-colocation/stockholm-data-centers/sk1/) | 1 | Sweden Central | ✓ | Cinia<br/>Equinix<br/>GlobalConnect<br/>Interxion (Digital Realty)<br/>Megaport<br/>Telia Carrier | | **Sydney** | [Equinix SY2](https://www.equinix.com/locations/asia-colocation/australia-colocation/sydney-data-centers/sy2/) | 2 | Australia East | ✓ | AARNet<br/>AT&T NetBond<br/>British Telecom<br/>Cello<br/>Devoli<br/>Equinix<br/>GTT<br/>Kordia<br/>Megaport<br/>NEXTDC<br/>NTT Communications<br/>Optus<br/>Orange<br/>Spark NZ<br/>Telstra Corporation<br/>TPG Telecom<br/>Verizon<br/>Vocus Group NZ |-| **Sydney2** | [NextDC 
S1](https://www.nextdc.com/data-centres/s1-sydney-data-centre) | 2 | Australia East | ✓ | Megaport<br/>NETSG<br/>NextDC | +| **Sydney2** | [NextDC S1](https://www.nextdc.com/data-centres/s1-sydney-data-centre) | 2 | Australia East | ✓ | AARNet<br/>Megaport<br/>NETSG<br/>NextDC | #### [T-Z](#tab/t-z) The following table shows connectivity locations and the service providers for e | **Tel Aviv** | Bezeq International | 2 | Israel Central | ✓ | Bezeq International | | **Tel Aviv2** | SDS | 2 | Israel Central | ✓ | | | **Tokyo** | [Equinix TY4](https://www.equinix.com/locations/asia-colocation/japan-colocation/tokyo-data-centers/ty4/) | 2 | Japan East | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>BBIX<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Equinix<br/>Intercloud<br/>Internet Initiative Japan Inc. - IIJ<br/>Megaport<br/>NTT Communications<br/>NTT EAST<br/>Orange<br/>Softbank<br/>Telehouse - KDDI<br/>Verizon </br></br> |-| **Tokyo2** | [AT TOKYO](https://www.attokyo.com/) | 2 | Japan East | ✓ | AT TOKYO<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Equinix<br/>IX Reach<br/>Megaport<br/>PCCW Global Limited<br/>Tokai Communications | +| **Tokyo2** | [AT TOKYO](https://www.attokyo.com/) | 2 | Japan East | ✓ | AT TOKYO<br/>China Telecom Global<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Digital Realty<br/>Equinix<br/>IPC<br/>IX Reach<br/>Megaport<br/>PCCW Global Limited<br/>Tokai Communications | | **Tokyo3** | [NEC](https://www.nec.com/en/global/solutions/cloud/inzai_datacenter.html) | 2 | Japan East | ✓ | NEC<br/>SCSK | | **Toronto** | [Cologix TOR1](https://www.cologix.com/data-centers/toronto/tor1/) | 1 | Canada Central | ✓ | AT&T NetBond<br/>Bell Canada<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Equinix<br/>IX Reach Megaport<br/>Orange<br/>Telus<br/>Verizon<br/>Zayo | | **Toronto2** | [Allied REIT](https://www.alliedreit.com/property/905-king-st-w/) | 1 | Canada Central | ✓ | Fibrenoire<br/>Zayo | | **Vancouver** | [Cologix 
VAN1](https://www.cologix.com/data-centers/vancouver/van1/) | 1 | ✗ | ✓ | Bell Canada<br/>Cologix<br/>Megaport<br/>Telus<br/>Zayo | | **Warsaw** | [Equinix WA1](https://www.equinix.com/data-centers/europe-colocation/poland-colocation/warsaw-data-centers/wa1) | 1 | Poland Central | ✓ | Equinix<br/>Exatel<br/>Orange Poland<br/>T-mobile Poland |-| **Washington DC** | [Equinix DC2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/washington-dc-data-centers/dc2/)<br/>[Equinix DC6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/washington-dc-data-centers/dc6) | 1 | East US<br/>East US 2 | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Crown Castle<br/>Digital Realty<br/>Equinix<br/>IPC<br/>Internet2<br/>InterCloud<br/>IPC<br/>Iron Mountain<br/>IX Reach<br/>Level 3 Communications<br/>Lightpath<br/>Megaport<br/>Neutrona Networks<br/>NTT Communications<br/>Orange<br/>PacketFabric<br/>SES<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Telefonica<br/>Verizon<br/>Zayo | +| **Washington DC** | [Equinix DC2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/washington-dc-data-centers/dc2/)<br/>[Equinix DC6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/washington-dc-data-centers/dc6) | 1 | East US<br/>East US 2 | ✓ | Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Crown Castle<br/>Digital Realty<br/>Equinix<br/>IPC<br/>Internet2<br/>InterCloud<br/>IPC<br/>Iron Mountain<br/>IX Reach<br/>Level 3 Communications<br/>Lightpath<br/>Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>NTT Communications<br/>Orange<br/>PacketFabric<br/>SES<br/>Sprint<br/>Tata Communications<br/>Telia 
Carrier<br/>Telefonica<br/>Verizon<br/>Zayo | | **Washington DC2** | [Coresite VA2](https://www.coresite.com/data-center/va2-reston-va) | 1 | East US<br/>East US 2 | ✗ | CenturyLink Cloud Connect<br/>Coresite<br/>Intelsat<br/>Megaport<br/>Momentum Telecom<br/>Viasat<br/>Zayo | | **Zurich** | [Interxion ZUR2](https://www.interxion.com/Locations/zurich/) | 1 | Switzerland North | ✓ | Colt<br/>Equinix<br/>Intercloud<br/>Interxion (Digital Realty)<br/>Megaport<br/>Swisscom<br/>Zayo | | **Zurich2** | [Equinix ZH5](https://www.equinix.com/data-centers/europe-colocation/switzerland-colocation/zurich-data-centers/zh5) | 1 | Switzerland North | ✓ | Equinix | |
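Review bot: the added Washington DC row still lists IPC twice (once between Equinix and Internet2, once after InterCloud), carried over unchanged from the removed row; the + row should drop one occurrence. The added Silicon Valley row also removes PacketFabric from the provider list while adding AT&T Dynamic Exchange and Momentum Telecom; confirm the removal is intended and that PacketFabric's own entry in the provider table is updated to match. The unchanged Toronto context row reads `IX Reach Megaport` with no `<br/>` between the two providers, which is worth fixing while the file is open.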
expressroute | Expressroute Locations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations.md | The following table shows locations by service provider. If you want to view ava |Service provider | Microsoft Azure | Microsoft 365 | Locations | | | | | |-| **[AARNet](https://www.aarnet.edu.au/network-and-services/connectivity-services/azure-expressroute)** |✓ |✓ | Melbourne<br/>Sydney | +| **[AARNet](https://www.aarnet.edu.au/network-and-services/connectivity-services/azure-expressroute)** |✓ |✓ | Melbourne<br/>Sydney<br/>Sydney2 | | **[Airtel](https://www.airtel.in/business/#/)** | ✓ | ✓ | Chennai2<br/>Mumbai2<br/>Pune | | **[AIS](https://business.ais.co.th/solution/en/azure-expressroute.html)** | ✓ | ✓ | Bangkok | | **[Aryaka Networks](https://www.aryaka.com/)** | ✓ | ✓ | Amsterdam<br/>Chicago<br/>Dallas<br/>Hong Kong<br/>Sao Paulo<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC | The following table shows locations by service provider. 
If you want to view ava | **CDC** | ✓ | ✓ | Canberra<br/>Canberra2 | | **[CenturyLink Cloud Connect](https://www.centurylink.com/cloudconnect)** | ✓ | ✓ | Amsterdam2<br/>Chicago<br/>Dallas<br/>Dublin<br/>Frankfurt<br/>Hong Kong<br/>Las Vegas<br/>London<br/>London2<br/>Montreal<br/>New York<br/>Paris<br/>Phoenix<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Singapore2<br/>Tokyo<br/>Toronto<br/>Washington DC<br/>Washington DC2 | | **[Chief Telecom](https://www.chief.com.tw/)** |✓ |✓ | Hong Kong<br/>Taipei |-| **China Mobile International** |✓ |✓ | Hong Kong<br/>Hong Kong2<br/>Singapore | -| **China Telecom Global** |✓ |✓ | Hong Kong<br/>Hong Kong2 | -| **China Unicom Global** |✓ |✓ | Frankfurt<br/>Hong Kong<br/>Los Angeles<br/>Silicon Valley<br/>Singapore2<br/>Tokyo2 | +| **China Mobile International** |✓ |✓ | Hong Kong<br/>Hong Kong2<br/>Singapore<br/>Singapore2 | +| **China Telecom Global** |✓ |✓ | Hong Kong<br/>Hong Kong2<br/>Singapore<br/>Tokyo2 | +| **China Unicom Global** |✓ |✓ | Amsterdam<br/>Frankfurt<br/>Hong Kong<br/>Los Angeles<br/>Silicon Valley<br/>Singapore2<br/>Tokyo2 | | **Chunghwa Telecom** |✓ |✓ | Taipei | | **[Cinia](https://www.cinia.fi/)** |✓ |✓ | Amsterdam2<br/>Stockholm | | **[Cirion Technologies](https://lp.ciriontechnologies.com/cloud-connect-lp-latam?c_campaign=HOTSITE&c_tactic=&c_subtactic=&utm_source=SOLUCIONES-CTA&utm_medium=Organic&utm_content=&utm_term=&utm_campaign=HOTSITE-ESP)** | ✓ | ✓ | Queretaro<br/>Rio De Janeiro<br/>Santiago | The following table shows locations by service provider. 
If you want to view ava |Service provider | Microsoft Azure | Microsoft 365 | Locations | | | | | |-| **[DE-CIX](https://www.de-cix.net/en/services/directcloud/microsoft-azure)** | ✓ |✓ | Amsterdam2<br/>Chennai<br/>Chicago2<br/>Copenhagen<br/>Dallas<br/>Dubai2<br/>Frankfurt<br/>Frankfurt2<br/>Kuala Lumpur<br/>Madrid<br/>Marseille<br/>Mumbai<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Phoenix<br/>Seattle<br/>Singapore2<br/>Tokyo2 | +| **DCI Indonesia** |✓ |✓ | Jakarta | +| **[DE-CIX](https://www.de-cix.net/en/services/directcloud/microsoft-azure)** | ✓ |✓ | Amsterdam2<br/>Chennai<br/>Chicago2<br/>Copenhagen<br/>Dallas<br/>Dubai2<br/>Frankfurt<br/>Frankfurt2<br/>Jakarta<br/>Kuala Lumpur<br/>Madrid<br/>Marseille<br/>Mumbai<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Phoenix<br/>Seattle<br/>Singapore2<br/>Tokyo2 | | **[Devoli](https://devoli.com/expressroute)** | ✓ |✓ | Auckland<br/>Melbourne<br/>Sydney | | **[Deutsche Telekom AG IntraSelect](https://geschaeftskunden.telekom.de/vernetzung-digitalisierung/produkt/intraselect)** | ✓ |✓ | Frankfurt | | **[Deutsche Telekom AG](https://www.t-systems.com/de/en/cloud-services/solutions/public-cloud/azure-managed-cloud-services/cloud-connect-for-azure)** | ✓ |✓ | Amsterdam<br/>Frankfurt2<br/>Hong Kong2 |-| **[Digital Realty](https://www.digitalrealty.com/partners/microsoft-azure)** | ✓ | ✓ | Dallas2<br/>Seattle<br/>Silicon Valley<br/>Washington DC | +| **[Digital Realty](https://www.digitalrealty.com/partners/microsoft-azure)** | ✓ | ✓ | Dallas2<br/>Seattle<br/>Silicon Valley<br/>Singapore2<br/>Tokyo2<br/>Washington DC | | **du datamena** |✓ |✓ | Dubai2 | | **[eir evo](https://www.eirevo.ie/cloud-services/cloud-connectivity)** |✓ |✓ | Dublin | | **[Epsilon Global Communications](https://epsilontel.com/solutions/cloud-connect/)** | ✓ | ✓ | Hong Kong2<br/>London2<br/>Singapore<br/>Singapore2 |-| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** | ✓ | ✓ | 
Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Berlin<br/>Canberra2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>London<br/>London2<br/>Los Angeles*<br/>Los Angeles2<br/>Madrid2<br/>Melbourne<br/>Miami<br/>Milan<br/>Mumbai2<br/>New York<br/>Osaka<br/>Paris<br/>Paris2<br/>Perth<br/>Quebec City<br/>Queretaro (Mexico)<br/>Rio de Janeiro<br/>Sao Paulo<br/>Seattle<br/>Seoul<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stockholm<br/>Sydney<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Washington DC<br/>Warsaw<br/>Zurich</br>Zurich2</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* | +| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Berlin<br/>Canberra2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>London<br/>London2<br/>Los Angeles*<br/>Los Angeles2<br/>Madrid2<br/>Melbourne<br/>Miami<br/>Milan<br/>Mumbai2<br/>New York<br/>Osaka<br/>Paris<br/>Paris2<br/>Perth<br/>Quebec City<br/>Queretaro (Mexico)<br/>Rio de Janeiro<br/>Santiago<br/>Sao Paulo<br/>Seattle<br/>Seoul<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stockholm<br/>Sydney<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Washington DC<br/>Warsaw<br/>Zurich</br>Zurich2</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* | | **Etisalat UAE** |✓ |✓ | Dubai | | **[euNetworks](https://eunetworks.com/services/solutions/cloud-connect/microsoft-azure-expressroute/)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Dublin<br/>Frankfurt<br/>London<br/>Paris | | **Exatel** |✓ |✓ | Warsaw | The following table shows locations by service provider. 
If you want to view ava | **[Fastweb](https://www.fastweb.it/grandi-aziende/dati-voce/scheda-prodotto/fast-company/)** | ✓ |✓ | Milan | | **[Fibrenoire](https://fibrenoire.ca/en/services/cloudextn-2/)** | ✓ | ✓ | Montreal<br/>Quebec City<br/>Toronto2 | | **[GBI](https://www.gbiinc.com/microsoft-azure/)** | ✓ | ✓ | Dubai2<br/>Frankfurt |-| **[G├ëANT](https://www.geant.org/Networks)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Dublin<br/>Frankfurt<br/>Marseille | +| **[G├ëANT](https://www.geant.org/Networks)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Dublin<br/>Frankfurt<br/>Madrid2<br/>Marseille | | **[GlobalConnect](https://www.globalconnect.no/)** | ✓ | ✓ | Amsterdam<br/>Copenhagen<br/>Oslo<br/>Stavanger<br/>Stockholm | | **[GlobalConnect DK](https://www.globalconnect.no/)** | ✓ | ✓ | Amsterdam | -| **GTT** |✓ |✓ | Amsterdam<br/>Dallas<br/>Los Angeles2<br/>London2<br/>Singapore<br/>Sydney<br/>Washington DC | +| **GTT** |✓ |✓ | Amsterdam<br/>Dallas<br/>Los Angeles2<br/>London2<br/>Madrid<br/>Singapore<br/>Sydney<br/>Washington DC | | **[Global Cloud Xchange (GCX)](https://globalcloudxchange.com/cloud-platform/cloud-x-fusion/)** | ✓| ✓ | Chennai<br/>Mumbai | | **[iAdvantage](https://www.scx.sunevision.com/)** | ✓ | ✓ | Hong Kong2 | | **Intelsat** | ✓ | ✓ | London2<br/>Washington DC2 |-| **[InterCloud](https://www.intercloud.com/)** |✓ |✓ | Amsterdam<br/>Chicago<br/>Dallas<br/>Dublin2<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>London<br/>Madrid<br/>Mumbai<br/>New York<br/>Paris<br/>Paris2<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC<br/>Zurich | +| **[InterCloud](https://www.intercloud.com/)** |✓ |✓ | Amsterdam<br/>Chicago<br/>Dallas<br/>Dublin2<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>London<br/>Madrid<br/>Madrid2<br/>Mumbai<br/>New York<br/>Paris<br/>Paris2<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC<br/>Zurich | | 
**[Internet2](https://internet2.edu/services/cloud-connect/#service-cloud-connect)** | ✓ | ✓ | Chicago<br/>Dallas<br/>Silicon Valley<br/>Washington DC | | **[Internet Initiative Japan Inc. - IIJ](https://www.iij.ad.jp/en/news/pressrelease/2015/1216-2.html)** | ✓ | ✓ | Osaka<br/>Tokyo<br/>Tokyo2 | | **[Internet Solutions - Cloud Connect](https://www.is.co.za/solution/cloud-connect/)** | ✓ | ✓ | Cape Town<br/>Johannesburg<br/>London | | **[Interxion (Digital Realty)](https://www.digitalrealty.com/partners/microsoft-azure)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Copenhagen<br/>Dublin<br/>Dublin2<br/>Frankfurt<br/>London<br/>London2<br/>Madrid<br/>Marseille<br/>Paris<br/>Stockholm<br/>Zurich |-| **IPC** | ✓ |✓ | Washington DC | +| **IPC** | ✓ |✓ | Singapore<br/>Tokyo2<br/>Washington DC | | **[IRIDEOS](https://irideos.it/)** | ✓ | ✓ | Milan | | **Iron Mountain** | ✓ |✓ | Washington DC | | **[IX Reach](https://www.ixreach.com/partners/cloud-partners/microsoft-azure/)**| ✓ | ✓ | Amsterdam<br/>London2<br/>Silicon Valley<br/>Tokyo2<br/>Toronto<br/>Washington DC | The following table shows locations by service provider. 
If you want to view ava | **[Liquid Intelligent Technologies](https://liquidcloud.africa/connect/)** | ✓ | ✓ | Cape Town<br/>Johannesburg | | **[LGUplus](http://www.uplus.co.kr/)** |✓ |✓ | Seoul | | **[MCM Telecom](https://www.mcmtelecom.com/alianza-microsoft)** | ✓ | ✓ | Dallas<br/>Queretaro (Mexico)|-| **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Auckland<br/>Chicago<br/>Dallas<br/>Denver<br/>Dubai2<br/>Dublin<br/>Dublin2<br/>Frankfurt<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>Las Vegas<br/>London<br/>London2<br/>Los Angeles<br/>Madrid<br/>Melbourne<br/>Miami<br/>Minneapolis<br/>Montreal<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Paris<br/>Perth<br/>Phoenix<br/>Quebec City<br/>Queretaro (Mexico)<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stavanger<br/>Stockholm<br/>Sydney<br/>Sydney2<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich | -| **[Momentum Telecom](https://gomomentum.com/)** | ✓ | ✓ | Atlanta<br/>Chicago<br/>Dallas<br/>Miami<br/>New York<br/>Silicon Valley<br/>Washington DC2 | +| **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** | ✓ | ✓ | Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Auckland<br/>Chicago<br/>Chicago2<br/>Dallas<br/>Denver<br/>Dubai2<br/>Dublin<br/>Dublin2<br/>Frankfurt<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>Las Vegas<br/>London<br/>London2<br/>Los Angeles<br/>Madrid<br/>Melbourne<br/>Miami<br/>Minneapolis<br/>Montreal<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Paris<br/>Perth<br/>Phoenix<br/>Quebec City<br/>Queretaro (Mexico)<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stavanger<br/>Stockholm<br/>Sydney<br/>Sydney2<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich | +| **[Momentum Telecom](https://gomomentum.com/)** | ✓ | ✓ | 
Atlanta<br/>Chicago<br/>Chicago2<br/>Dallas<br/>Dallas2<br/>Denver<br/>London<br/>Los Angeles<br/>Miami<br/>New York<br/>Silicon Valley<br/>Silicon Valley2<br/>Washington DC<br/>Washington DC2 | | **[MTN](https://www.mtnbusiness.co.za/en/Cloud-Solutions/Pages/microsoft-express-route.aspx)** | ✓ | ✓ | London | | **MTN Global Connect** | ✓ | ✓ | Cape Town<br/>Johannesburg| The following table shows locations by service provider. If you want to view ava | **[NTT Communications - Flexible InterConnect](https://sdpf.ntt.com/)** |✓ |✓ | Jakarta<br/>Osaka<br/>Singapore2<br/>Tokyo<br/>Tokyo2 | | **[NTT EAST](https://business.ntt-east.co.jp/service/crossconnect/)** |✓ |✓ | Tokyo | | **[NTT Global DataCenters EMEA](https://hello.global.ntt/)** |✓ |✓ | Amsterdam2<br/>Berlin<br/>Frankfurt<br/>London2 |+| **NTT Indonesia** | ✓ | ✓ | Jakarta | | **[NTT SmartConnect](https://cloud.nttsmc.com/cxc/azure.html)** |✓ |✓ | Osaka | | **[Ooredoo Cloud Connect](https://www.ooredoo.com.kw/portal/en/b2bOffConnAzureExpressRoute)** |✓ |✓ | Doha<br/>Doha2<br/>London2<br/>Marseille | | **[Optus](https://www.optus.com.au/enterprise/networking/network-connectivity/express-link/)** |✓ |✓ | Melbourne<br/>Sydney | The following table shows locations by service provider. 
If you want to view ava | **SCSK** |✓ | ✓ | Tokyo3 | | **[Sejong Telecom](https://www.sejongtelecom.net/)** | ✓ | ✓ | Seoul | | **[SES](https://www.ses.com/networks/signature-solutions/signature-cloud/ses-and-azure-expressroute)** | ✓ | ✓ | London2<br/>Washington DC |-| **[SIFY](https://sifytechnologies.com/)** | ✓ | ✓ | Chennai<br/>Mumbai2 | +| **[SIFY](https://sifytechnologies.com/)** | ✓ | ✓ | Chennai<br/>Mumbai2<br/>Pune | | **[SingTel](https://www.singtel.com/about-us/news-releases/singtel-provide-secure-private-access-microsoft-azure-public-cloud)** |✓ |✓ | Hong Kong2<br/>Singapore<br/>Singapore2 | | **[SK Telecom](http://b2b.tworld.co.kr/bizts/solution/solutionTemplate.bs?solutionId=0085)** | ✓ | ✓ | Seoul | | **[Softbank](https://www.softbank.jp/biz/cloud/cloud_access/direct_access_for_az/)** |✓ |✓ | Osaka<br/>Tokyo<br/>Tokyo2 | The following table shows locations by service provider. If you want to view ava |Service provider | Microsoft Azure | Microsoft 365 | Locations | | | | | |-| **[Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/)** | ✓ | ✓ | Amsterdam<br/>Chennai<br/>Chicago<br/>Hong Kong<br/>London<br/>Mumbai<br/>Pune<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Washington DC | +| **[Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/)** | ✓ | ✓ | Amsterdam<br/>Chennai<br/>Chicago<br/>Hong Kong<br/>London<br/>London2<br/>Mumbai<br/>Pune<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Washington DC | | **[Telefonica](https://www.telefonica.com/es/)** | ✓ | ✓ | Amsterdam<br/>Dallas<br/>Frankfurt2<br/>Hong Kong<br/>Madrid<br/>Sao Paulo<br/>Singapore<br/>Washington DC | | **[Telehouse - KDDI](https://www.telehouse.net/solutions/cloud-services/cloud-link)** | ✓ | ✓ | London<br/>London2<br/>Singapore2 | | **Telenor** |✓ |✓ | Amsterdam<br/>London<br/>Oslo<br/>Stavanger | The following table shows locations by service provider. 
If you want to view ava | **[Vi (Vodafone Idea)](https://www.myvi.in/business/enterprise-solutions/connectivity/vpn-extended-connect)** | ✓ | ✓ | Chennai<br/>Mumbai2 | | **Vodafone Qatar** | ✓ | ✓ | Doha | | **XL Axiata** | ✓ | ✓ | Jakarta |-| **[Zayo](https://www.zayo.com/services/packet/cloudlink/)** | ✓ | ✓ | Amsterdam<br/>Chicago<br/>Dallas<br/>Denver<br/>Dublin<br/>Frankfurt<br/>Hong Kong<br/>London<br/>London2<br/>Los Angeles<br/>Montreal<br/>New York<br/>Paris<br/>Phoenix<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Toronto<br/>Toronto2<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich| +| **[Zayo](https://www.zayo.com/services/packet/cloudlink/)** | ✓ | ✓ | Amsterdam<br/>Chicago<br/>Dallas<br/>Denver<br/>Dublin<br/>Frankfurt<br/>Hong Kong<br/>London<br/>London2<br/>Los Angeles<br/>Minneapolis<br/>Montreal<br/>New York<br/>Paris<br/>Phoenix<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Toronto<br/>Toronto2<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich| |
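Review bot: the GÉANT row, in both its removed and added versions, carries the provider name as `G├ëANT`, which is the UTF-8 encoding of É read back as CP437; the added row should be written with the file saved as UTF-8 so the name renders as GÉANT. Also confirm that the Madrid2 additions for GÉANT and InterCloud and the Madrid addition for GTT are mirrored in the per-location rows for Madrid and Madrid2, since the two tables are expected to agree.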
governance | Australia Ism | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md | Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Azure Security Benchmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md | Title: Regulatory Compliance details for Microsoft cloud security benchmark description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[\[Preview\]: Azure Stack HCI systems should have encrypted volumes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee8ca833-1583-4d24-837e-96c2af9488a4) |Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. |Audit, Disabled, AuditIfNotExists |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stack%20HCI/DataAtRestEncryptedAtCluster_Audit.json) | |[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. 
|Audit, Deny, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). 
|Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) | |[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) | |
governance | Built In Initiatives | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-initiatives.md | Title: List of built-in policy initiatives description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Azure Machine Configuration, and more. Previously updated : 09/09/2024 Last updated : 09/23/2024 |
governance | Built In Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-policies.md | Title: List of built-in policy definitions description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Azure Machine Configuration, and more. Previously updated : 09/09/2024 Last updated : 09/23/2024 The name of each built-in links to the policy definition in the Azure portal. Us [!INCLUDE [azure-policy-reference-policies-health-data-services-workspace](../../../../includes/policy/reference/bycat/policies-health-data-services-workspace.md)] +## Health Deidentification Service ++ ## Healthcare APIs [!INCLUDE [azure-policy-reference-policies-healthcare-apis](../../../../includes/policy/reference/bycat/policies-healthcare-apis.md)] |
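Review bot: the new `## Health Deidentification Service` heading is inserted with nothing under it (the `++` shows only blank lines before `## Healthcare APIs`), so it will publish as a bare title; either add the corresponding `[!INCLUDE ...]` reference following the pattern of the neighbouring Health Data Services and Healthcare APIs sections, or hold the heading until that include file exists.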
governance | Canada Federal Pbmm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/canada-federal-pbmm.md | Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Cis Azure 1 1 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-1-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Cis Azure 1 3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-3-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Block untrusted and unsigned processes that run from USB](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d399cf3-8fc6-0efc-6ab0-1412f1198517) |CMA_0050 - Block untrusted and unsigned processes that run from USB |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0050.json) | |[Document security operations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c6bee3a-2180-2430-440d-db3c7a849870) |CMA_0202 - Document security operations |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0202.json) | |[Manage gateways](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F63f63e71-6c3f-9add-4c43-64de23e554a7) |CMA_0363 - Manage gateways |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0363.json) |-|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) | |[Perform a trend analysis on threats](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e81644-923d-33fc-6ebb-9733bc8d1a06) |CMA_0389 - Perform a trend analysis on threats |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0389.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | |[Review malware detections report weekly](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4a6f5cbd-6c6b-006f-2bb1-091af1441bce) |CMA_0475 - Review malware detections report weekly |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0475.json) | |
governance | Cis Azure 1 4 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-4-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.4.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Cis Azure 2 0 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-2-0-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 2.0.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 2.0.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Cmmc L3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cmmc-l3.md | Title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Fedramp High | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-high.md | Title: Regulatory Compliance details for FedRAMP High description: Details of the FedRAMP High Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Fedramp Moderate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-moderate.md | Title: Regulatory Compliance details for FedRAMP Moderate description: Details of the FedRAMP Moderate Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Gov Azure Security Benchmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-azure-security-benchmark.md | Title: Regulatory Compliance details for Microsoft cloud security benchmark (Azure Government) description: Details of the Microsoft cloud security benchmark (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. ||||| |[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. |Audit, Deny, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. 
By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/SQL/PostgreSQL_EnableByok_Audit.json) | |[Storage accounts should use customer-managed key for encryption](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) | |
governance | Gov Cis Azure 1 1 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-1-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Gov Cis Azure 1 3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-3-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Gov Cmmc L3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cmmc-l3.md | Title: Regulatory Compliance details for CMMC Level 3 (Azure Government) description: Details of the CMMC Level 3 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. ||||| |[An activity log alert should exist for specific Security operations](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) |This policy audits specific Security operations with no activity log alerts configured. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) | |[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Security Center standard pricing tier should be selected](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1181c5f-672a-477a-979a-7d58aa086233) |The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_Standard_pricing_tier.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) | |[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | initiative definition. ||||| |[An activity log alert should exist for specific Security operations](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) |This policy audits specific Security operations with no activity log alerts configured. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) | |[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Security Center standard pricing tier should be selected](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1181c5f-672a-477a-979a-7d58aa086233) |The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_Standard_pricing_tier.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) | |[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Microsoft Antimalware for Azure should be configured to automatically update protection signatures](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc43e4a30-77cb-48ab-a4dd-93f175c63b57) |This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AINE.json) | |[Microsoft IaaSAntimalware extension should be deployed on Windows servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9b597639-28e4-48eb-b506-56b05d366257) |This policy audits any Windows server VM without the Microsoft IaaSAntimalware extension deployed. 
|AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AINE.json) | |
governance | Gov Fedramp High | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-high.md | Title: Regulatory Compliance details for FedRAMP High (Azure Government) description: Details of the FedRAMP High (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Gov Fedramp Moderate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-moderate.md | Title: Regulatory Compliance details for FedRAMP Moderate (Azure Government) description: Details of the FedRAMP Moderate (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Gov Irs 1075 Sept2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-irs-1075-sept2016.md | Title: Regulatory Compliance details for IRS 1075 September 2016 (Azure Government) description: Details of the IRS 1075 September 2016 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Gov Iso 27001 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-iso-27001.md | Title: Regulatory Compliance details for ISO 27001:2013 (Azure Government) description: Details of the ISO 27001:2013 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Gov Nist Sp 800 171 R2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md | Title: Regulatory Compliance details for NIST SP 800-171 R2 (Azure Government) description: Details of the NIST SP 800-171 R2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Gov Nist Sp 800 53 R4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 (Azure Government) description: Details of the NIST SP 800-53 Rev. 4 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Gov Nist Sp 800 53 R5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) description: Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
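Review bot: the replaced Azure Machine Learning CMK row keeps the same definition ID (ba769a63-b8cc-4b2d-abf6-ac33c7204be8) and the same effects (Audit, Deny, Disabled) but moves the version from 1.0.3 to 1.1.0 and the definition link from `Azure Government/Machine Learning/Workspace_CMKEnabled_Audit.json` to the global `Machine Learning/Workspace_CMKEnabled_Audit.json`; the entry should state whether the Azure Government-specific definition is retired or merged, because a reader of the Azure Government initiative otherwise cannot tell which JSON governs an existing assignment. Repeating the full, unchanged description for both rows hides that the version and path are the only differences.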
governance | Gov Soc 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-soc-2.md | Title: Regulatory Compliance details for System and Organization Controls (SOC) 2 (Azure Government) description: Details of the System and Organization Controls (SOC) 2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Automation account variables should be encrypted](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) | |[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. 
|Audit, Deny, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[Control information flow](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) |CMA_0079 - Control information flow |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) | |
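Review bot: the added Azure Machine Learning row links to the global `Machine Learning/Workspace_CMKEnabled_Audit.json` (1.1.0) while the other rows in this Azure Government initiative table still link into the `Azure Government/` folder (for example `Azure Government/Security Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json`); either the link is wrong for the Gov initiative or the change should say that this definition is now shared between clouds, so the table does not mix the two conventions without comment.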
governance | Hipaa Hitrust 9 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/hipaa-hitrust-9-2.md | Title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Irs 1075 Sept2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/irs-1075-sept2016.md | Title: Regulatory Compliance details for IRS 1075 September 2016 description: Details of the IRS 1075 September 2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Iso 27001 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/iso-27001.md | Title: Regulatory Compliance details for ISO 27001:2013 description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Mcfs Baseline Confidential | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-confidential.md | Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Confidential Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Confidential Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Mcfs Baseline Global | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-global.md | Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Global Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Global Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Nist Sp 800 171 R2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-171-r2.md | Title: Regulatory Compliance details for NIST SP 800-171 R2 description: Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
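Review bot: in this row only the version string changes (1.0.3 to 1.1.0); the definition ID, the effects and the `Machine Learning/Workspace_CMKEnabled_Audit.json` path are identical in the removed and added rows, yet the full description is repeated for both. Since the effects column still offers Deny, a reader with a Deny assignment needs to know what 1.1.0 changed in the definition; the entry should say so or link the definition file's own commit instead of restating the unchanged text.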
governance | Nist Sp 800 53 R4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r4.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 description: Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
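The rows above record a built-in definition's version (and, in the Azure Government pages, its JSON path) changing inside a compliance initiative table, shown as `-` and `+` rows in the flattened "Change details" cell. As an added example, not part of the original page and not Microsoft tooling, the following Python parses that flattened format, pairs removed and added rows by policy definition ID, and reports version, path and effect changes so that drift in an initiative can be reviewed mechanically. `SAMPLE` is a constructed excerpt in the page's own layout with the descriptions shortened; the definition IDs and file paths are the ones that appear on the page.

```python
"""Extract changed policy definitions from a flattened 'Change details' cell.

Added example, not from the original page or from any Microsoft tool.
SAMPLE below is a constructed excerpt in the page's own flattened format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

REPO_PREFIX = "/built-in-policies/policyDefinitions/"

# One nested policy-table row: optional diff marker ('-' removed, '+' added), then
# |[name](portal link) |description |effects |[version](definition JSON link)
# The portal-URL constraint stops the version link of the previous row from
# being mistaken for the start of a new row.
ROW = re.compile(
    r"(?P<mark>[-+]?)\|\[(?P<name>[^\]]+)\]"
    r"\((?P<portal>https://portal\.azure\.[a-z]+/[^)]+)\)\s*\|"
    r"(?P<desc>[^|]*)\|(?P<effects>[^|]+)\|"
    r"\[(?P<version>\d+(?:\.\d+)*)\]\((?P<json>[^)\s]+)\)"
)


@dataclass
class PolicyRow:
    mark: str            # "-" removed, "+" added, "" unchanged
    name: str
    definition_id: str   # GUID at the end of the portal link
    effects: List[str]
    version: str
    json_path: str       # path under built-in-policies/policyDefinitions/

    @property
    def gov_specific(self) -> bool:
        return self.json_path.startswith("Azure Government/")


def parse_rows(cell: str) -> List[PolicyRow]:
    rows = []
    for m in ROW.finditer(cell):
        definition_id = unquote(m["portal"]).rsplit("/", 1)[-1]
        json_path = unquote(m["json"]).split(REPO_PREFIX, 1)[-1]
        effects = [e.strip() for e in m["effects"].split(",") if e.strip()]
        rows.append(PolicyRow(m["mark"], m["name"].strip(), definition_id,
                              effects, m["version"], json_path))
    return rows


def definition_changes(cell: str) -> Dict[str, dict]:
    """Pair '-' and '+' rows by definition ID and report what moved."""
    removed, added = {}, {}
    for r in parse_rows(cell):
        if r.mark == "-":
            removed[r.definition_id] = r
        elif r.mark == "+":
            added[r.definition_id] = r
    changes = {}
    for did in sorted(removed.keys() | added.keys()):
        old, new = removed.get(did), added.get(did)
        changes[did] = {
            "name": (new or old).name,
            "old_version": old.version if old else None,
            "new_version": new.version if new else None,
            "old_json": old.json_path if old else None,
            "new_json": new.json_path if new else None,
            # A changed effects list is what matters to an assignment using Deny.
            "effects_changed": bool(old and new and old.effects != new.effects),
            # True when the definition moved between the Azure Government folder
            # and the global one, or was only removed / only added.
            "scope_changed": old is None or new is None
                             or old.gov_specific != new.gov_specific,
        }
    return changes


def summarize(changes: Dict[str, dict]) -> List[str]:
    """One line per changed definition, naming only the fields that differ."""
    lines = []
    for did, c in changes.items():
        flags = []
        if c["old_version"] != c["new_version"]:
            flags.append(f"version {c['old_version']} -> {c['new_version']}")
        if c["old_json"] != c["new_json"]:
            flags.append(f"path {c['old_json']} -> {c['new_json']}")
        if c["effects_changed"]:
            flags.append("effects changed")
        lines.append(f"{did}: {c['name']} ({'; '.join(flags) or 'no visible change'})")
    return lines


# Constructed excerpt of the page's flattened cell (descriptions shortened).
PORTAL = ("https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/"
          "definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F")
REPO = "https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/"
AML = "ba769a63-b8cc-4b2d-abf6-ac33c7204be8"
LOGS = "1f68a601-6e6d-4e42-babf-3f643a047ea2"
SAMPLE = (
    "|[Azure HDInsight clusters should use encryption at host to encrypt data at rest]"
    f"({PORTAL}1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host ... "
    f"|Audit, Deny, Disabled |[1.0.0]({REPO}HDInsight/EncryptionAtHost_Audit.json) |"
    "-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key]"
    f"({PORTAL}{AML}) |Manage encryption at rest of Azure Machine Learning workspace data ... "
    f"|Audit, Deny, Disabled |[1.0.3]({REPO}Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | "
    "+|[Azure Machine Learning workspaces should be encrypted with a customer-managed key]"
    f"({PORTAL}{AML}) |Manage encryption at rest of Azure Machine Learning workspace data ... "
    f"|Audit, Deny, Disabled |[1.1.0]({REPO}Machine%20Learning/Workspace_CMKEnabled_Audit.json) | "
    "|[Azure Monitor Logs clusters should be encrypted with customer-managed key]"
    f"({PORTAL}{LOGS}) |Create Azure Monitor logs cluster with customer-managed keys encryption. "
    f"|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0]({REPO}Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |"
)

if __name__ == "__main__":
    print("\n".join(summarize(definition_changes(SAMPLE))))
```

Running it on `SAMPLE` reports the single changed definition with `version 1.0.3 -> 1.1.0` and the move from the `Azure Government/` folder to the global path, while the unchanged HDInsight and Azure Monitor rows are parsed but not reported. Feeding a whole page row through `definition_changes` gives the same per-definition view for every initiative in the digest.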
governance | Nist Sp 800 53 R5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r5.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 description: Details of the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) |Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys).
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) |Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) | |
governance | Nl Bio Cloud Theme | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nl-bio-cloud-theme.md | Title: Regulatory Compliance details for NL BIO Cloud Theme description: Details of the NL BIO Cloud Theme Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure Edge Hardware Center devices should have double encryption support enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a6b96f-576e-47a2-8511-119a212d344d) |Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Edge%20Hardware%20Center/DoubleEncryption_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea0dfaed-95fb-448c-934e-d6e713ce393d) |To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview](/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview). 
|audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | initiative definition.
|[Azure Edge Hardware Center devices should have double encryption support enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a6b96f-576e-47a2-8511-119a212d344d) |Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Edge%20Hardware%20Center/DoubleEncryption_Audit.json) | |[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) |Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) | |[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) |Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. 
When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea0dfaed-95fb-448c-934e-d6e713ce393d) |To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview](/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json) | |[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. 
Customer-managed key in Azure Monitor gives you more control over the access to your data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) | |[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) |Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) | |
governance | Pci Dss 3 2 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-3-2-1.md | Title: Regulatory Compliance details for PCI DSS 3.2.1 description: Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Pci Dss 4 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-4-0.md | Title: Regulatory Compliance details for PCI DSS v4.0 description: Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Rbi Itf Banks 2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-banks-2016.md | Title: Regulatory Compliance details for Reserve Bank of India IT Framework for Banks v2016 description: Details of the Reserve Bank of India IT Framework for Banks v2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Azure Defender for open-source relational databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a9fbe0d-c5c4-4da8-87d8-f4fd77338835) |Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at [https://aka.ms/AzDforOpenSourceDBsDocu](https://aka.ms/AzDforOpenSourceDBsDocu). Important: Enabling this plan will result in charges for protecting your open-source relational databases. 
Learn about the pricing on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnOpenSourceRelationalDatabases_Audit.json) | |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. 
By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). 
|Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | initiative definition. |[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](/azure/key-vault/general/network-security) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/FirewallEnabled_Audit.json) | |[Azure Key Vaults should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6abeaec-4d90-4a02-805f-6b26c4d3fbe9) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/akvprivatelink](https://aka.ms/akvprivatelink). 
|[parameters('audit_effect')] |[1.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Should_Use_PrivateEndpoint_Audit.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). 
|Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Recoverable_Audit.json) | |
governance | Rbi Itf Nbfc 2017 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-nbfc-2017.md | Title: Regulatory Compliance details for Reserve Bank of India - IT Framework for NBFC description: Details of the Reserve Bank of India - IT Framework for NBFC Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Rmit Malaysia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rmit-malaysia.md | Title: Regulatory Compliance details for RMIT Malaysia description: Details of the RMIT Malaysia Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Soc 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/soc-2.md | Title: Regulatory Compliance details for System and Organization Controls (SOC) 2 description: Details of the System and Organization Controls (SOC) 2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) | |[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. 
|Audit, Deny, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | +|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | initiative definition. 
|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) | |[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. 
|AuditIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AzureLinuxBaseline_AINE.json) | |[Manage gateways](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F63f63e71-6c3f-9add-4c43-64de23e554a7) |CMA_0363 - Manage gateways |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0363.json) |-|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) | |[Only approved VM extensions should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0e996f8-39cf-4af9-9f45-83fbde810432) |This policy governs the virtual machine extensions that are not approved. 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json) | |[Perform a trend analysis on threats](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e81644-923d-33fc-6ebb-9733bc8d1a06) |CMA_0389 - Perform a trend analysis on threats |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0389.json) | |[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) |CMA_0393 - Perform vulnerability scans |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) | |
governance | Spain Ens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/spain-ens.md | Title: Regulatory Compliance details for Spain ENS description: Details of the Spain ENS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. |[Configure Microsoft Defender for SQL to be enabled on Synapse workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F951c1558-50a5-4ca3-abb6-a93e3e2367a6) |Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_DINE.json) | |[Configure Microsoft Defender for Storage (Classic) to be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c30959-af11-47b3-9ed2-a26e03f427a3) |Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. 
|DeployIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Azure_Defender_Storage_DINE.json) | |[Configure Microsoft Defender for Storage to be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcfdc5972-75b3-4418-8ae1-7f5c36839390) |Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. |DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_DINE.json) |-|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) |Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). 
|DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json) | -|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc859b78a-a128-4376-a838-e97ce6625d16) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. |DeployIfNotExists, Disabled |[1.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json) | -|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04754ef9-9ae3-4477-bf17-86ef50026304) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. 
|DeployIfNotExists, Disabled |[1.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json) | -|[Configure the Microsoft Defender for SQL Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F242300d6-1bfc-4d64-8d01-cee583709ebd) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. |DeployIfNotExists, Disabled |[1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployDefaultWorkspace.json) | +|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) |Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). 
|DeployIfNotExists, Disabled |[1.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json) | +|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc859b78a-a128-4376-a838-e97ce6625d16) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. |DeployIfNotExists, Disabled |[1.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json) | +|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04754ef9-9ae3-4477-bf17-86ef50026304) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. 
|DeployIfNotExists, Disabled |[1.8.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json) | +|[Configure the Microsoft Defender for SQL Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F242300d6-1bfc-4d64-8d01-cee583709ebd) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. |DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployDefaultWorkspace.json) | |[Control maintenance and repair activities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6ad009f-5c24-1dc0-a25e-74b60e4da45f) |CMA_0080 - Control maintenance and repair activities |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0080.json) | |[Deploy Defender for Storage (Classic) on storage accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F361c2074-3595-4e5d-8cab-4f21dffc835c) |This policy enables Defender for Storage (Classic) on storage accounts. 
|DeployIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAdvancedThreatProtection_DINE.json) | |[Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf9f6c70-eb74-4189-8d15-e4f11a7ebfd4) |Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ExportToEventHubAsTrustedService_DINE.json) | |
governance | Swift Csp Cscf 2021 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2021.md | Title: Regulatory Compliance details for SWIFT CSP-CSCF v2021 description: Details of the SWIFT CSP-CSCF v2021 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Swift Csp Cscf 2022 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2022.md | Title: Regulatory Compliance details for SWIFT CSP-CSCF v2022 description: Details of the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
governance | Ukofficial Uknhs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/ukofficial-uknhs.md | Title: Regulatory Compliance details for UK OFFICIAL and UK NHS description: Details of the UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 |
hdinsight-aks | Use Machine Learning Notebook On Spark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/spark/use-machine-learning-notebook-on-spark.md | The following tutorial notebook shows an example of training machine learning mo 1. Find your storage and container name in the portal JSON view :::image type="content" source="./media/use-machine-learning-notebook-on-spark/json-view.png" alt-text="Screenshot showing JSON view." lightbox="./media/use-machine-learning-notebook-on-spark/json-view.png":::- - :::image type="content" source="./media/use-machine-learning-notebook-on-spark/resource-json.png" alt-text="Screenshot showing resource JSON view." lightbox="./media/use-machine-learning-notebook-on-spark/resource-json.png"::: 1. Navigate into your primary HDI storage>container>base folder> upload the [CSV](https://github.com/Azure-Samples/hdinsight-aks/blob/main/spark/iris_csv.csv) |
hdinsight | Hdinsight Log Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-log-management.md | log4j.logger.alerts=DEBUG,alerts The next step is reviewing the job execution log files for the various services. Services could include Apache HBase, Apache Spark, and many others. A Hadoop cluster produces a large number of verbose logs, so determining which logs are useful (and which aren't) can be time-consuming. Understanding the logging system is important for targeted management of log files. The following image is an example log file. - ### Access the Hadoop log files HDInsight stores its log files both in the cluster file system and in Azure Storage. You can examine log files in the cluster by opening an [SSH](hdinsight-hadoop-linux-use-ssh-unix.md) connection to the cluster and browsing the file system, or by using the Hadoop YARN Status portal on the remote head node server. You can examine the log files in Azure Storage using any of the tools that can access and download data from Azure Storage. Examples are [AzCopy](../storage/common/storage-use-azcopy-v10.md), [CloudXplorer](https://clumsyleaf.com/products/cloudxplorer), and the Visual Studio Server Explorer. You can also use PowerShell and the Azure Storage Client libraries, or the Azure .NET SDKs, to access data in Azure blob storage. |
logic-apps | Create Single Tenant Workflows Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-single-tenant-workflows-azure-portal.md | Title: Create example Standard workflow in Azure portal -description: Learn to build your first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal. -+ Title: Create example Standard logic app workflow in Azure portal +description: Create your first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal. + ms.suite: integration Previously updated : 08/13/2024 Last updated : 09/23/2024 # Customer intent: As a developer, I want to create my first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal. Last updated 08/13/2024 [!INCLUDE [logic-apps-sku-standard](../../includes/logic-apps-sku-standard.md)] -This how-to guide shows how to create an example workflow that runs in single-tenant Azure Logic Apps. The workflow waits for an inbound web request and then sends a message to an email account. Specifically, you create a Standard logic app resource and workflow that contains the following items: +This how-to guide shows how to create an example automated workflow that waits for an inbound web request and then sends a message to an email account. More specifically, you create a [Standard logic app resource](logic-apps-overview.md#resource-environment-differences), which can include multiple [stateful and stateless workflows](single-tenant-overview-compare.md#stateful-stateless) that run in single-tenant Azure Logic Apps. - The **Request** trigger, which creates a callable endpoint that can handle inbound requests from any caller. - The **Office 365 Outlook** connector, which provides an action to send email. You can have multiple workflows in a Standard logic app. 
Workflows in the same l The operations in this example are from two connectors among [1000+ connectors](/connectors/connector-reference/connector-reference-logicapps-connectors) that you can use in a workflow. While this example is cloud-based, you can create workflows that integrate a vast range of apps, data, services, and systems across cloud, on-premises, and hybrid environments. -For more information, see the following documentation: --- [Single-tenant versus multitenant](single-tenant-overview-compare.md)-- [Create and deploy to different environments](logic-apps-overview.md#resource-environment-differences)+As you progress, you complete these high-level tasks: To create a Standard logic app workflow from a prebuilt template that follows a commonly used pattern, see [Create a Standard logic app workflow from a prebuilt template](create-single-tenant-workflows-templates.md). To create and manage a Standard logic app workflow using other tools, see [Create Standard workflows with Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md). With Visual Studio Code, you can develop, test, and run workflows in your *local* development environment. +For more information, see the following documentation: ++- [Single-tenant versus multitenant](single-tenant-overview-compare.md) +- [Create and deploy to different environments](logic-apps-overview.md#resource-environment-differences) + ## Prerequisites * An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). To create and manage a Standard logic app workflow using other tools, see [Creat * To deploy your Standard logic app resource to an [App Service Environment v3 (ASEv3) - Windows plan only](../app-service/environment/overview.md), you have to create this environment resource first. You can then select this environment as the deployment location when you create your logic app. 
For more information, see [Resources types and environments](single-tenant-overview-compare.md#resource-environment-differences) and [Create an App Service Environment](../app-service/environment/creation.md). +* To enable communication from your Standard logic app workflows to a private endpoint on a Premium integration account, you must have an existing Azure virtual network. Both your logic app, virtual network, and integration account must use the same Azure region. Both your logic app and integration account must exist inside the same virtual network. For more information, see [Create a virtual network](../virtual-network/quick-create-portal.md). + * If you enable [Application Insights](/azure/azure-monitor/app/app-insights-overview) on your logic app, you can optionally enable diagnostics logging and tracing. You can do so either when you create your logic app or after deployment. You need to have an Application Insights instance, but you can [create this resource in advance](/azure/azure-monitor/app/create-workspace-resource), when you create your logic app, or after deployment. ## Best practices and recommendations More workflows in your logic app raise the risk of longer load times, which nega 1. On the **Create Logic App** page, select **Standard (Workflow Service Plan)**. + | Plan type | Description | + |--|-| + | **Standard** | This logic app type is the default selection. Workflows run in single-tenant Azure Logic Apps and use the [Standard pricing model](logic-apps-pricing.md#standard-pricing). | + | **Consumption** | This logic app type and workflow runs in global, multitenant Azure Logic Apps and uses the [Consumption pricing model](logic-apps-pricing.md#consumption-pricing). | + 1. 
On the **Create Logic App** page, on the **Basics** tab, provide the following basic information about your logic app: | Property | Required | Value | Description | More workflows in your logic app raise the risk of longer load times, which nega | Property | Required | Value | Description | |-|-|-|-|- | **Storage type** | Yes | - **Azure Storage** <br>- **SQL (Preview) and Azure Storage** | The storage type that you want to use for workflow-related artifacts and data. <br><br>- To deploy only to Azure, select **Azure Storage**. <br><br>- To use SQL as primary storage and Azure Storage as secondary storage, select **SQL (Preview) and Azure Storage**, and see [Set up SQL database storage for Standard logic apps in single-tenant Azure Logic Apps](set-up-sql-db-storage-single-tenant-standard-workflows.md). <br><br>**Note**: If you're deploying to an Azure region, you still need an Azure storage account, which is used to complete the one-time hosting of the logic app's configuration on the Azure Logic Apps platform. The workflow's state, run history, and other runtime artifacts are stored in your SQL database. <br><br>For deployments to a custom location that's hosted on an Azure Arc cluster, you only need SQL as your storage provider. | + | **Storage type** | Yes | - **Azure Storage** <br>- **SQL and Azure Storage** | The storage type that you want to use for workflow-related artifacts and data. <br><br>- To deploy only to Azure, select **Azure Storage**. <br><br>- To use SQL as primary storage and Azure Storage as secondary storage, select **SQL and Azure Storage**, and review [Set up SQL database storage for Standard logic apps in single-tenant Azure Logic Apps](set-up-sql-db-storage-single-tenant-standard-workflows.md). <br><br>**Note**: If you're deploying to an Azure region, you still need an Azure storage account, which is used to complete the one-time hosting of the logic app's configuration on the Azure Logic Apps platform. 
The workflow's state, run history, and other runtime artifacts are stored in your SQL database. <br><br>For deployments to a custom location that is hosted on an Azure Arc cluster, you only need SQL as your storage provider. | | **Storage account** | Yes | <*Azure-storage-account-name*> | The [Azure Storage account](../storage/common/storage-account-overview.md) to use for storage transactions. <br><br>This resource name must be unique across regions and have 3-24 characters with only numbers and lowercase letters. Either select an existing account or create a new account. <br><br>This example creates a storage account named **mystorageacct**. | -1. On the **Networking** tab, you can leave the default options for this example. +1. On the **Networking** tab, you can leave the default options to follow the example. However, for specific, real-world scenarios, make sure to review and select the following appropriate options. You can also change this configuration after you deploy your logic app resource. For more information, see [Secure traffic between Standard logic apps and Azure virtual networks using private endpoints](secure-single-tenant-workflow-virtual-network-private-endpoint.md). - For your specific, real-world scenarios, make sure to review and select the appropriate options. You can also change this configuration after you deploy your logic app resource. For more information, see [Secure traffic between Standard logic apps and Azure virtual networks using private endpoints](secure-single-tenant-workflow-virtual-network-private-endpoint.md). + The following **Enable public access** setting applies to endpoints on your logic app and doesn't affect whether your logic app can communicate with Azure resources in the same virtual network, for example, a Premium integration account with a private endpoint. To access such Azure resources, your logic app must exist in the same virtual network as these resources. 
| Enable public access | Behavior | |-|-|- | **On** | Your logic app has a public endpoint with an inbound address that's open to the internet and can't access an Azure virtual network. | - | **Off** | Your logic app has no public endpoint, but has a private endpoint instead for communication within an Azure virtual network, and is isolated to that virtual network. The private endpoint can communicate with endpoints in the virtual network, but only from clients within that network. This configuration also means that logic app traffic can be governed by network security groups or affected by virtual network routes. | + | **On** | Your logic app has a public endpoint with an inbound address that's open to the internet. For clients that are outside an Azure virtual network, they can use this endpoint to access your logic app, but not the virtual network. | + | **Off** | Your logic app has no public endpoint, but has a private endpoint instead for communication within an Azure virtual network, and is isolated within that virtual network. The private endpoint can communicate with endpoints in the virtual network, but only from clients within that network. This configuration also means that logic app traffic can be governed by network security groups or affected by virtual network routes. | - To enable your logic app to access endpoints in a virtual network, make sure to select the appropriate option: + The following settings control Standard logic app access to endpoints in a virtual network: | Enable network injection | Behavior | |--|-|- | **On** | Your logic app workflows can privately and securely communicate with endpoints in the virtual network. | + | **On** | Your logic app workflows can privately and securely communicate with endpoints in the virtual network. <br><br>To enable communication between your logic app and a private endpoint on a Premium integration account, select this option, which also makes the **Virtual Network** section available. 
For **Virtual Network**, select the Azure virtual network to use. This choice makes the **Inbound access** and **Outbound access** sections available. | | **Off** | Your logic app workflows can't communicate with endpoints in the virtual network. | + The following sections appear after you select a virtual network when **Enable network injection** is set to **On**. ++ **Inbound access** ++ - **Enable private endpoints**: Applies to private endpoints on your Standard logic app and is available only when **Enable public access** is set to **Off**. ++ **Outbound access** ++ - **Enable VNet integration**: To enable communication between a Standard logic app and a private endpoint on a Premium integration account, select **On** and the subnet to use. + 1. If your creation and deployment settings support using [Application Insights](/azure/azure-monitor/app/app-insights-overview), you can optionally enable diagnostics logging and tracing for your logic app workflows by following these steps: 1. On the **Monitoring** tab, under **Application Insights**, set **Enable Application Insights** to **Yes**. If your logic app's creation and deployment settings support using [Application ## View connections -When you create connections in a workflow using [connectors managed by Microsoft](../connectors/managed.md), these connections are actually separate Azure resources with their own resource definitions and are hosted in global, multitenant Azure. Standard logic app workflows can also use [built-in service provider connectors](/azure/logic-apps/connectors/built-in/reference/) that natively run and are powered by the single-tenant Azure Logic Apps runtime. To view and manage these connections, see [View connections](manage-logic-apps-with-azure-portal.md?tabs=standard#view-connections). 
+When you create connections in a workflow using [connectors managed by Microsoft](../connectors/managed.md), these connections are separate Azure resources with their own resource definitions and are hosted in global, multitenant Azure. Standard logic app workflows can also use [built-in service provider connectors](/azure/logic-apps/connectors/built-in/reference/) that natively run and are powered by the single-tenant Azure Logic Apps runtime. To view and manage these connections, see [View connections](manage-logic-apps-with-azure-portal.md?tabs=standard#view-connections). <a name="restart-stop-start"></a> |
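Review bot: the new private-endpoint prerequisite bullet reads "Both your logic app, virtual network, and integration account must use the same Azure region", which puts three items after "Both", and "Both your logic app and integration account must exist inside the same virtual network" is imprecise, because the integration account itself isn't deployed into a virtual network; its private endpoint is, which is how the Networking table below phrases it ("a Premium integration account with a private endpoint"). Suggest "Your logic app, virtual network, and integration account must all use the same Azure region, and your logic app must be integrated with the virtual network that hosts the integration account's private endpoint."

Review bot: the rewritten **On** row for **Enable public access** reads awkwardly ("For clients that are outside an Azure virtual network, they can use this endpoint to access your logic app, but not the virtual network."); suggest "Clients outside an Azure virtual network can use this endpoint to reach your logic app, but not the virtual network." Since this row describes an endpoint that is open to the internet, it is also worth stating in the same row that the setting should be left **On** only when the workflow is meant to accept public inbound calls, which the surrounding "real-world scenarios" sentence implies but doesn't say.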
logic-apps | Create Integration Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/enterprise-integration/create-integration-account.md | Title: Create and manage integration accounts description: Create and manage integration accounts for building B2B enterprise integration workflows in Azure Logic Apps with the Enterprise Integration Pack.- ms.suite: integration You also need an integration account to electronically exchange B2B messages wit * [RosettaNet](../logic-apps-enterprise-integration-rosettanet.md) * [X12](../logic-apps-enterprise-integration-x12.md) -This guide shows how to complete the following tasks: --* Create an integration account. -* Set up storage access for a Premium integration account. -* Link your integration account to a logic app resource. -* Change the pricing tier for your integration account. -* Unlink your integration account from a logic app resource. -* Move an integration account to another Azure resource group or subscription. -* Delete an integration account. - If you're new to creating B2B enterprise integration workflows in Azure Logic Apps, see [B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack](../logic-apps-enterprise-integration-overview.md). ## Prerequisites * An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Make sure that you use the same Azure subscription for both your integration account and logic app resource. -* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist before you can link your integration account. +* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist if you need to link your integration account. 
- * For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts. + * For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts. To create an example Consumption logic app workflow, see [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps](../quickstart-create-example-consumption-workflow.md). - * For Standard logic app resources, this link is optional, based on your scenario: + * For Standard logic app resources, this link might be required or optional, based on your scenario: - * If you have an integration account with the artifacts that you need or want to use, you can link the integration account to each Standard logic app resource where you want to use the artifacts. + * If you have an integration account with the artifacts that you need or want to use, link the integration account to each Standard logic app resource where you want to use the artifacts. - * Some Azure-hosted integration account connectors, such as **AS2**, **EDIFACT**, and **X12**, let you create a connection to your integration account. If you're just using these connectors, you don't need the link. + * Some Azure-hosted integration account connectors don't require the link and let you create a connection to your integration account. For example, such as **AS2**, **EDIFACT**, and **X12** don't require the link, but the **AS2 (v2)** connector requires the link. * The built-in connectors named **Liquid** and **Flat File** let you select maps and schemas that you previously uploaded to your logic app resource or to a linked integration account. 
If you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option, which also means you don't have to upload maps and schemas to each logic app resource. Either way, you can use these artifacts across all child workflows within the *same logic app resource*. -* Basic knowledge about how to create logic app workflows. For more information, see the following documentation: + To create an example Standard logic app workflow, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md). ++* A [Premium integration account](#create-integration-account) supports using a [private endpoint](../../private-link/private-endpoint-overview.md) within an Azure virtual network to securely communicate with other Azure resources in the same network. Your integration account, virtual network, and Azure resources must also exist in the same Azure region. For more information, see [Create a virtual network](../../virtual-network/quick-create-portal.md) and the steps in this guide to set up your Premium integration account. - * [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps](../quickstart-create-example-consumption-workflow.md) + For example, a Standard logic app can access the private endpoint if they exist in the same virtual network. However, a Consumption logic app doesn't support virtual network integration and can't access the private endpoint. - * [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md) + - To create a Standard logic app with virtual network integration, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md). 
+ + - To set up an existing Standard logic app with virtual network integration, see [Set up virtual network integration](../secure-single-tenant-workflow-virtual-network-private-endpoint.md#set-up-virtual-network-integration). ++<a name="create-integration-account"></a> ## Create integration account Your integration account uses an automatically created and enabled system-assign | Tier | Description | ||-|-| **Premium** (preview) | **Note:** This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). <br><br>For scenarios with the following criteria: <br><br>- Store and use unlimited artifacts, such as partners, agreements, schemas, maps, certificates, and so on. <br><br>- Bring and use your own storage, which contains the relevant runtime states for specific B2B actions and EDI standards. For example, these states include the MIC number for AS2 actions and the control numbers for X12 actions, if configured on your agreements. <br><br>To access this storage, your integration account uses its system-assigned managed identity, which is automatically created and enabled for your integration account. <br><br>You can also apply more governance and policies to data, such as customer-managed ("Bring Your Own") keys for data encryption. To store these keys, you'll need a key vault. <br><br>- Set up and use a key vault to store private certificates or customer-managed keys. To access these keys, your Premium integration account uses its system-assigned managed identity, not an Azure Logic Apps shared service principal. <br><br>Pricing follows [Standard integration account pricing](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>**Note**: During preview, your Azure bill uses the same meter name and ID as a Standard integration account, but changes when the Premium level becomes generally available. 
<br><br>**Limitations and known issues**: <br><br>- Currently doesn't support virtual networks. <br><br>- If you use a key vault to store private certificates, your integration account's managed identity might not work. For now, use the linked logic app's managed identity instead. <br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps](/cli/azure/service-page/logic%20apps). | +| **Premium** (preview) | **Note:** This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). <br><br>For scenarios with the following criteria: <br><br>- Store and use unlimited artifacts, such as partners, agreements, schemas, maps, certificates, and so on. <br><br>- Bring and use your own storage, which contains the relevant runtime states for specific B2B actions and EDI standards. For example, these states include the MIC number for AS2 actions and the control numbers for X12 actions, if configured on your agreements. <br><br>To access this storage, your integration account uses its system-assigned managed identity, which is automatically created and enabled for your integration account. <br><br>You can also apply more governance and policies to data, such as customer-managed ("Bring Your Own") keys for data encryption. To store these keys, you'll need a key vault. <br><br>- Set up and use a key vault to store private certificates or customer-managed keys. To access these keys, your Premium integration account uses its system-assigned managed identity, not an Azure Logic Apps shared service principal. <br><br>- Set up a private endpoint that creates a secure connection between your Premium integration account and Azure services in an Azure virtual network. <br><br>Pricing follows [Standard integration account pricing](https://azure.microsoft.com/pricing/details/logic-apps/). 
<br><br>**Note**: During preview, your Azure bill uses the same meter name and ID as a Standard integration account, but changes when the Premium level becomes generally available. <br><br>**Limitations and known issues**: <br><br>- If you use a key vault to store private certificates, your integration account's managed identity might not work. For now, use the linked logic app's managed identity instead. <br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps](/cli/azure/service-page/logic%20apps). | | **Standard** | For scenarios where you have more complex B2B relationships and increased numbers of entities that you must manage. <br><br>Supported by the Azure Logic Apps SLA. | | **Basic** | For scenarios where you want only message handling or to act as a small business partner that has a trading partner relationship with a larger business entity. <br><br>Supported by the Azure Logic Apps SLA. | | **Free** | For exploratory scenarios, not production scenarios. This tier has limits on region availability, throughput, and usage. For example, the Free tier is available only for public regions in Azure, for example, West US or Southeast Asia, but not for [Microsoft Azure operated by 21Vianet](/azure/chin). <br><br>**Note**: Not supported by the Azure Logic Apps SLA. | For this task, you can use the Azure portal, [Azure CLI](/cli/azure/resource#az- After deployment completes, Azure opens your integration account. -1. If you created a Premium integration account, make sure to [set up access to the associated Azure storage account](#set-up-access-storage-account). +1. If you created a Premium integration account, make sure to [set up access to the associated Azure storage account](#set-up-access-storage-account). You can also create a private connection between your Premium integration account and Azure services by [setting up a private endpoint for your integration account](#set-up-private-endpoint). 
### [Azure CLI](#tab/azure-cli) To read artifacts and write any state information, your Premium integration acco For more information, see [Assign Azure role to system-assigned managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.yml) -1. Next, link your integration account to your logic app resource. +<a name="set-up-private-endpoint"></a> ++## Set up private endpoint for Premium integration account (Preview) ++> [!NOTE] +> +> This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ++To create a secure connection between your Premium integration account and Azure services, you can set up a [private endpoint](../../private-link/private-endpoint-overview.md) for your integration account. This endpoint is a network interface that uses a private IP address from your Azure virtual network. This way, traffic between your virtual network and Azure services stays on the Azure backbone network and never traverses the public internet. Private endpoints ensure a secure, private communication channel between your resources and Azure services by providing the following benefits: ++- Eliminates exposure to the public internet and reducing the risks from attacks. ++- Helps your organization meet data privacy and compliance requirements by keeping data within a controlled and secured environment. ++- Reduces latency and improve workflow performance by keeping traffic within the Azure backbone network. ++- Removes the need for complex network setups, such as virtual private networks or ExpressRoute. ++- Saves on costs by reducing extra network infrastructure and avoiding data egress charges through public endpoints. ++### Best practices for private endpoints ++- Carefully plan your virtual network and subnet architecture to accommodate private endpoints. Make sure to properly segment and secure your subnets. 
++- Make sure that your domain name system settings are up-to-date and correctly configured to handle name resolution for private endpoints. ++- Control traffic flow to and from your private endpoints and enforce strict security policies by using network security groups. ++- Thoroughly test your integration account's connectivity and performance to make sure that everything works as expected with private endpoints before you deploy to production. ++- Regularly monitor network traffic to and from your private endpoints. Audit and analyze traffic patterns by using tools such as Azure Monitor and Azure Security Center. ++### Create a private endpoint ++Before you start, make sure that you have an [Azure virtual network](../../virtual-network/quick-create-portal.md) defined with the appropriate subnets and network security groups to manage and secure traffic. ++1. In the [Azure portal](https://portal.azure.com), in the search box, enter **private endpoint**,and then select **Private endpoints**. ++1. On the **Private endpoints** page, select **Create**. ++1. On the **Basics** tab, provide the following information: ++ | Property | Value | + |-|-| + | **Subscription** | <*Azure-subscription*> | + | **Resource group** | <*Azure-resource-group*> | + | **Name** | <*private-endpoint*> | + | **Network interface name** | <*private-endpoint*>**-nic** | + | **Region** | <*Azure-region*> | ++1. On the **Resource** tab, provide the following information: ++ | Property | Value | + |-|-| + | **Connection method** | - **Connect to an Azure resource in my directory**: Creates a private endpoint that is *automatically approved* and ready for immediate use. The endpoint's **Connection status** property is set to **Approved** after creation. <br><br>- **Connect to an Azure resource by resource ID or alias**: Create a private endpoint that is *manually approved* and requires data administrator approval before anyone can use. 
The endpoint's **Connection status** property is set to **Pending** after creation. <br><br>**Note**: If the endpoint is manually approved, the **DNS** tab is unavailable. | + | **Subscription** | <*Azure-subscription*> | + | **Resource type** | **Microsoft.Logic/integrationAccounts** | + | **Resource** | <*Premium-integration-account*> | + | **Target sub-resource** | **integrationAccount** | ++1. On the **Virtual Network** tab, specify the virual network and subnet where to you want to create the endpoint: ++ | Property | Value | + |-|-| + | **Virtual network** | <*virtual-network*> | + | **Subnet** | <*subnet-for-endpoint*> | ++ Your virtual network uses a network interface attached to the private endpoint. ++1. On the **DNS** tab, provide the following information to make sure your aps can resolve the private IP address for your integration account. You might have to set up a private DNS zone and link to your virtual network. ++ | Property | Value | + |-|-| + | **Subscription** | <*Azure-subscription*> | + | **Resource group** | <*Azure-resource-group-for-private-DNS-zone*> | ++1. When you're done, confirm all the provided information, and select **Create**. ++1. After you confirm that Azure created the private endpoint, check your connectivity and test your setup to make sure that the resources in your virtual network can securely connect to the your integration account through the private endpoint. ++### View pending endpoint connections ++For a private endpoint that requires approval, follow these steps: ++1. In the Azure portal, go to the **Private Link** page. ++1. On the left menu, select **Pending connections**. ++### Approve a pending private endpoint ++For a private endpoint that requires approval, follow these steps: ++1. In the Azure portal, go to the **Private Link** page. ++1. On the left menu, select **Pending connections**. ++1. Select the pending connection. On the toolbar, select **Approve**. Wait for the operation to finish. 
++ The endpoint's **Connection status** property changes to **Approved**. ++<a name="call-integration-account-api"></a> ++### Enable Standard logic app calls through private endpoint on Premium integration account ++1. Choose one of the following options: ++ - To create a Standard logic app with virtual network integration, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md). + + - To set up an existing Standard logic app with virtual network integration, see [Set up virtual network integration](../secure-single-tenant-workflow-virtual-network-private-endpoint.md#set-up-virtual-network-integration). +++1. To make calls through the private endpoint, include an **HTTP** action in your Standard logic app workflow where you want to call the integration account. ++1. In the Azure portal, go to your Premium integration account. On the integration account menu, under **Settings**, select **Callback URL**, and copy the URL. ++1. In your workflow's **HTTP** action, on the **Parameters** tab, in the **URI** property, enter the callback URL using the following format: ++ **`https://{domain-name}-{integration-account-ID}.cy.integrationaccounts.microsoftazurelogicapps.net:443/integrationAccounts/{integration-account-ID}?api-version=2015-08-01-preview&sp={sp}&sv={sv}&sig={sig}`** ++ The following example shows sample values: ++ `https://prod-02-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.cy.integrationaccounts.microsoftazurelogicapps.net:443/integrationAccounts/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?api-version=2015-08-01-preview&sp={sp}&sv={sv}&sig={sig}` ++1. For the **HTTP** action's **Method** property, select **GET**. ++1. Finish setting up the **HTTP** action as necessary, and test your workflow. <a name="link-account"></a> |
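Review bot: in the prerequisites hunk, "For example, such as **AS2**, **EDIFACT**, and **X12** don't require the link, but the **AS2 (v2)** connector requires the link" doubles up "For example" and "such as" and has no subject; suggest "For example, the **AS2**, **EDIFACT**, and **X12** connectors don't require the link, but the **AS2 (v2)** connector does." Further down, "a Standard logic app can access the private endpoint if they exist in the same virtual network" should read "if both exist in the same virtual network" (or "if the logic app is integrated with that virtual network"), and "Create a private endpoint that is *manually approved* and requires data administrator approval before anyone can use" needs its object ("before anyone can use it").

Review bot: the benefits list in the new "Set up private endpoint for Premium integration account" section mixes verb forms ("Eliminates exposure to the public internet and reducing the risks", "Reduces latency and improve workflow performance"); make the items parallel ("Eliminates ... and reduces", "Reduces ... and improves"). In the best-practices list, "Azure Security Center" is the former name of Microsoft Defender for Cloud and should be updated. The "Create a private endpoint" steps also carry typos that will ship to readers: "enter **private endpoint**,and then" (missing space), "specify the virual network", "make sure your aps can resolve", and "connect to the your integration account".

Review bot: the "View pending endpoint connections" subsection is wholly contained in the first two steps of "Approve a pending private endpoint" (same lead-in, same **Private Link** page, same **Pending connections** menu item); merge the two, or have the first subsection end with what the reader should look for before approving. Since the manual-approval path is the one where the **DNS** tab is unavailable (per the **Connection method** note), the approval steps are also the natural place to remind readers to set up the private DNS zone afterwards.

Review bot: the callback URL that the "Enable Standard logic app calls" steps tell readers to paste into the **HTTP** action's **URI** property carries a shared access signature (`sp={sp}&sv={sv}&sig={sig}`), so anyone who can read or export the workflow definition can call the integration account with it. Suggest the step tell readers to keep the URL out of the workflow definition, for example by referencing it from an app setting or parameter in the **URI** field rather than pasting it inline. The same hunk has three consecutive blank "+" lines before the second "1." item and repeats the two "To create / To set up a Standard logic app with virtual network integration" bullets already given in the prerequisites; a link back to the prerequisites would avoid the duplication.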
logic-apps | Logic Apps Limits And Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-limits-and-config.md | For Azure Logic Apps to receive incoming communication through your firewall, yo | South Central US | 13.65.98.39, 13.84.41.46, 13.84.43.45, 40.84.138.132, 20.94.151.41, 20.88.209.113, 172.206.187.62, 172.206.187.92, 172.206.187.101, 172.206.187.135, 52.255.127.211, 52.255.127.201, 52.255.127.24, 52.255.127.243 | | South India | 52.172.9.47, 52.172.49.43, 52.172.51.140, 104.211.225.152, 104.211.221.215,104.211.205.148, 52.140.4.233, 52.172.100.99, 52.140.5.154, 52.140.1.153, 52.172.96.103, 52.140.2.150, 52.172.103.116, 52.172.99.31 | | Southeast Asia | 52.163.93.214, 52.187.65.81, 52.187.65.155, 104.215.181.6, 20.195.49.246, 20.198.130.155, 23.98.121.180, 4.144.200.166, 4.144.203.255, 4.144.203.73, 4.144.201.132, 20.247.196.3, 52.230.58.240, 20.247.197.6, 20.247.198.8, 20.247.195.123, 20.247.197.207, 20.247.197.108, 20.247.198.132 |+| Spain Central | 68.221.3.54, 68.221.3.29, 68.221.249.214, 68.221.249.187, 68.221.249.249, 68.221.249.208, 68.221.249.227, 68.221.250.1, 68.221.249.191 | | Sweden Central | 20.91.178.13, 20.240.10.125, 74.241.204.72, 74.241.204.55, 74.241.204.197, 74.241.206.0, 4.225.198.176, 4.225.198.50, 4.225.197.219, 4.225.198.33 | | Switzerland North | 51.103.128.52, 51.103.132.236, 51.103.134.138, 51.103.136.209, 20.203.230.170, 20.203.227.226, 4.226.35.171, 20.250.239.241, 20.250.238.113, 20.250.238.80, 20.250.233.38, 20.250.235.79, 20.250.235.177, 20.250.235.117 | | Switzerland West | 51.107.225.180, 51.107.225.167, 51.107.225.163, 51.107.239.66, 51.107.235.139,51.107.227.18, 20.199.218.139, 20.199.219.180, 20.199.216.255, 20.199.217.34, 20.208.231.200, 20.199.217.39, 20.199.216.16, 20.199.216.98 | This section lists the outbound IP addresses that Azure Logic Apps requires in y | South Central US | 104.210.144.48, 13.65.82.17, 13.66.52.232, 23.100.124.84, 70.37.54.122, 70.37.50.6, 
23.100.127.172, 23.101.183.225, 20.94.150.220, 20.94.149.199, 20.88.209.97, 20.88.209.88, 172.206.187.57, 172.206.187.90, 172.206.187.98, 172.206.187.132, 52.255.124.118, 52.255.127.125, 52.255.126.229, 52.255.127.233 | | South India | 52.172.50.24, 52.172.55.231, 52.172.52.0, 104.211.229.115, 104.211.230.129, 104.211.230.126, 104.211.231.39, 104.211.227.229, 104.211.211.221, 104.211.210.192, 104.211.213.78, 104.211.218.202, 52.172.101.114, 52.172.101.181, 52.140.5.116, 52.172.98.23, 52.140.2.252, 52.140.0.225, 52.140.7.114, 52.172.101.204 | | Southeast Asia | 13.76.133.155, 52.163.228.93, 52.163.230.166, 13.76.4.194, 13.67.110.109, 13.67.91.135, 13.76.5.96, 13.67.107.128, 20.195.49.240, 20.195.49.29, 20.198.130.152, 20.198.128.124, 23.98.121.179, 23.98.121.115, 4.144.203.116, 4.144.203.254, 4.144.203.72, 4.144.204.223, 20.247.192.203, 20.247.192.18, 20.247.197.137, 20.247.197.3, 20.247.196.123, 20.247.197.249, 20.247.195.111, 20.247.195.8, 20.247.197.146, 20.247.197.100, 20.247.197.40, 20.247.198.128, 20.247.198.96 |+| Spain Central | 68.221.3.7, 68.221.1.175, 68.221.2.156, 68.221.2.37, 68.221.249.177, 68.221.249.251, 68.221.249.213, 68.221.249.186, 68.221.249.215, 68.221.249.210, 68.221.249.185, 68.221.249.203, 68.221.249.175, 68.221.249.229, 68.221.249.205, 68.221.249.184, 68.221.249.202, 68.221.249.209, 68.221.249.252, 68.221.250.2 | | Sweden Central | 20.91.178.11, 20.91.177.115, 20.240.10.91, 20.240.10.89, 74.241.204.65, 74.241.204.35, 74.241.204.193, 74.241.205.139, 4.225.198.80, 4.225.198.41, 74.241.203.136, 4.225.198.14 | | Switzerland North | 51.103.137.79, 51.103.135.51, 51.103.139.122, 51.103.134.69, 51.103.138.96, 51.103.138.28, 51.103.136.37, 51.103.136.210, 20.203.230.58, 20.203.229.127, 20.203.224.37, 20.203.225.242, 4.226.35.166, 20.250.239.202, 20.250.239.33, 20.250.239.55, 20.250.233.27, 20.250.235.76, 20.250.235.169, 20.250.235.96 | | Switzerland West | 51.107.239.66, 51.107.231.86, 51.107.239.112, 51.107.239.123, 51.107.225.190, 51.107.225.179, 
51.107.225.186, 51.107.225.151, 51.107.239.83, 51.107.232.61, 51.107.234.254, 51.107.226.253, 20.199.193.249, 20.199.217.37, 20.199.219.154, 20.199.216.246, 20.199.219.21, 20.208.230.30, 20.199.216.63, 20.199.218.36, 20.199.216.44 | |
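Review bot: several unchanged context rows in the inbound table run addresses together without a space after the comma (South India "104.211.221.215,104.211.205.148", Switzerland West "51.107.235.139,51.107.227.18"); readers copy these lists into firewall rules, so normalize the separator to ", " throughout so that a split on ", " doesn't yield a merged token. The new Spain Central inbound and outbound rows are consistently formatted.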
logic-apps | Secure Single Tenant Workflow Virtual Network Private Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint.md | Title: Secure traffic between Standard workflows and virtual networks description: Secure traffic between Standard logic app workflows and virtual networks in Azure using private endpoints.-++ ms.suite: integration Previously updated : 01/10/2024 Last updated : 08/09/2024 # Customer intent: As a developer, I want to connect to my Standard logic app workflows with virtual networks using private endpoints and virtual network integration. For more information, review the following documentation: The HTTP action fails, which is by design and expected because the workflow runs in the cloud and can't access your internal service. +<a name="set-up-virtual-network-integration"></a> + ### Set up virtual network integration 1. In the [Azure portal](https://portal.azure.com), on the logic app resource menu, under **Settings**, select **Networking**. |
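Review bot: the added `<a name="set-up-virtual-network-integration"></a>` anchor duplicates the ID that the heading "### Set up virtual network integration" already generates, so the new `#set-up-virtual-network-integration` links from create-integration-account.md resolve either way; keeping the explicit anchor is fine for stability if the heading is later reworded, but note that in the commit message or a comment so it isn't removed as redundant.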
managed-grafana | Concept Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/concept-role-based-access-control.md | Assign a role, such as **Grafana viewer**, to a user, group, service principal o ## Related content -* [Configure Grafana teams](how-to-sync-teams-with-azure-ad-groups.md) +* [Configure Grafana teams](how-to-sync-teams-with-entra-groups.md) * [Set up authentication and permissions](how-to-authentication-permissions.md) |
managed-grafana | Concept Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/concept-whats-new.md | Last updated 02/22/2024 ## September 2023 -* [Microsoft Entra groups](how-to-sync-teams-with-azure-ad-groups.md) is available in preview in Azure Managed Grafana. +* [Microsoft Entra groups](how-to-sync-teams-with-entra-groups.md) is available in preview in Azure Managed Grafana. * [Plugin management](how-to-manage-plugins.md) is available in preview. This feature lets you manage installed Grafana plugins directly within an Azure Managed Grafana workspace. |
managed-grafana | How To Sync Teams With Entra Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-sync-teams-with-entra-groups.md | + + Title: Configure Grafana Team Sync with Microsoft Entra groups +description: Learn how to configure Grafana Teams and allow access to Grafana folders and dashboards using Microsoft Entra groups in Azure Managed Grafana. +#customer intent: As a Grafana administrator, I want to use Microsoft Entra groups to set up Grafana teams and control access to specific folders and dashboards. ++++ Last updated : 06/7/2024+ ++# Configure Grafana teams with Microsoft Entra groups and Grafana Team Sync ++In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) to manage dashboard permissions in Azure Managed Grafana. ++In Azure Managed Grafana, you can use Azure's role-based access control (RBAC) roles for Grafana to define access rights. These permissions apply to all resources in your Grafana workspace by default, not per folder or dashboard. If you assign a user to the Grafana Editor role, that user can edit any dashboard in your Grafana workspace. However, with Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can adjust a user's default permission level for specific dashboards or dashboard folders. +++Microsoft Entra group sync helps you manage this. With it, you can create a *Grafana team* in a Grafana workspace, link it to a Microsoft Entra group, and then configure your dashboard permissions for that team. For example, you can allow a Grafana viewer to modify a dashboard, or prevent a Grafana editor from making changes. ++<a name='set-up-azure-ad-group-sync'></a> ++## Prerequisites ++Before you start, make sure you have: ++- An Azure account with an active subscription. 
[Create an account for free](https://azure.microsoft.com/free). +- An Azure Managed Grafana instance. If needed, [create a new instance](quickstart-managed-grafana-portal.md). +- A Microsoft Entra group. If needed, [create a basic group and add members](/entra/fundamentals/how-to-manage-groups#create-a-basic-group-and-add-members). +- The Grafana Admin role is required to use Grafana Team Sync. ++## Assign a permission to a Microsoft Entra group ++The Microsoft Entra group must have a Grafana role to access the Grafana instance. ++1. In your Grafana workspace, open the **Access control (IAM)** menu select **Add** > **Add new role assignment**. ++ :::image type="content" source="media/azure-ad-group-sync/add-role-assignment.png" alt-text="Screenshot of the Azure portal. Adding a new role assignment."::: ++1. Assign a role, such as **Grafana viewer**, to the Microsoft Entra group. For more information about assigning a role, go to [Grant access](../role-based-access-control/quickstart-assign-role-user-portal.md#grant-access). ++### Create a Grafana team ++Set up a Microsoft Entra ID-backed Grafana team. ++1. In the Azure portal, open your Grafana instance and select **Configuration** under **Settings**. +1. Select the **Microsoft Entra Team Sync Settings** tab. +1. Select **Create new Grafana team**. ++ :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Microsoft Entra Team Sync."::: ++1. Enter a name for the Grafana team and select **Add**. ++ :::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team."::: ++### Assign a Microsoft Entra group to a Grafana team ++1. In **Assign access to**, select the newly created Grafana team. +1. Select **+ Add a Microsoft Entra group**. ++1. In the search box, enter a Microsoft Entra group name and select the group name in the results. 
Click **Select** to confirm. ++ :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting a Microsoft Entra group."::: ++1. Optionally repeat the previous three steps to add more Microsoft Entra groups to the Grafana team. ++### Assign access to a Grafana folder or dashboard ++1. In the Grafana UI, open a folder or a dashboard. +1. In the **Permissions** tab, select **Add a permission**. ++ :::image type="content" source="media/azure-ad-group-sync/add-permission.png" alt-text="Screenshot of the Azure portal, selecting Add a permission." lightbox="media/azure-ad-group-sync/add-permission.png"::: ++1. Under **Add permission for**, select **Team**, then select the team name, the **View**, **Edit** or **Admin** permission, and save. You can add permissions for a user, a team or a role. ++ :::image type="content" source="media/azure-ad-group-sync/add-permission-for-team.png" alt-text="Screenshot of the Grafana UI, adding a permission for a team in a Grafana folder."::: ++ > [!TIP] + > To check existing access permissions for a dashboard, open a dashboard and go to the **Permissions** tab. This page shows all permissions assigned for this dashboard and all inherited permissions. + > :::image type="content" source="media/azure-ad-group-sync/view-permissions.png" alt-text="Screenshot of the Grafana UI, showing permission for a Grafana dashboard."::: ++### Scope down access ++You can limit access by removing permissions to access one or more folders. ++For example, to disable access to a user who has the Grafana Viewer role on a Grafana instance, remove their access to a Grafana folder by following these steps: ++1. In the Grafana UI, go to a folder you want to hide from the user. +1. In the **Permissions** tab, select the **X** button to the right of the **Viewer** permission to remove this permission from this folder. +1. 
Repeat this step for all folders you want to hide from the user. ++ :::image type="content" source="media/azure-ad-group-sync/remove-permission.png" alt-text="Screenshot of the Grafana UI, removing the Viewer permission in a Grafana folder."::: ++<a name='remove-azure-ad-group-sync'></a> ++## Remove a Grafana team ++If you no longer need a Grafana team, follow these steps to delete it. Deleting a Grafana team also removes the link to the Microsoft Entra group. ++1. In the Azure portal, open your Azure Managed Grafana workspace. +1. Select **Administration > Teams**. +1. Select the **X** button to the right of a team you're deleting. ++ :::image type="content" source="media/azure-ad-group-sync/remove-azure-ad-group-sync.png" alt-text="Screenshot of the Grafana platform. Removing a Grafana team."::: ++1. Select **Delete** to confirm. ++## Next steps ++In this how-to guide, you learned how to set up Grafana teams backed by Microsoft Entra groups. To learn how to use teams to control access to dashboards in your workspace, see [Manage dashboard permissions](https://grafana.com/docs/grafana/latest/administration/user-management/manage-dashboard-permissions/). |
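Review bot: in the "Assign a permission to a Microsoft Entra group" step, `open the **Access control (IAM)** menu select **Add** > **Add new role assignment**` is missing the conjunction between the two actions; it should read `open the **Access control (IAM)** menu, then select **Add** > **Add new role assignment**`. Also worth noting for the Prerequisites list: the bullet `The Grafana Admin role is required to use Grafana Team Sync` is phrased as a statement while the other bullets are nouns; `The Grafana Admin role, which is required to use Grafana Team Sync.` keeps the list parallel.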
migrate | Tutorial Discover Hyper V | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-hyper-v.md | Hash value is: **Hash** | **Value** | -SHA256 | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] +SHA256 | [!INCLUDE [hyper-v-vhd.md](includes/hyper-v-vhd.md)] + ### Create an account to access servers Check that the zipped file is secure, before you deploy it. **Scenario*** | **Download** | **SHA256** | | - Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value](includes/security-hash-value.md)] + Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] ### 3. Create an appliance |
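Review bot: the second table header `**Scenario*** | **Download** | **SHA256** |` carries a stray third asterisk after Scenario, which renders as a literal `*` beside the bold text; `**Scenario**` is what was intended. Since both tables are presented to the reader as the value to verify before deploying, it is also worth confirming that the first table now pulling its hash from `includes/hyper-v-vhd.md` while the zipped-file table keeps `includes/security-hash-value.md` is deliberate rather than a half-applied rename.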
operator-nexus | Howto Cluster Runtime Upgrade With Pauserack Strategy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-cluster-runtime-upgrade-with-pauserack-strategy.md | + + Title: "Azure Operator Nexus: Runtime upgrade with PauseRack strategy" +description: Learn to execute a cluster runtime upgrade for Operator Nexus with a PauseRack strategy ++++ Last updated : 08/16/2024+# ++# Upgrading cluster runtime with a PauseRack strategy ++This how-to guide explains the steps to execute a cluster runtime upgrade with PauseRack strategy. Executing cluster runtime upgrade with PauseRack strategy will update a single rack in a cluster and then pause to wait for confirmation before moving to the next rack. All existing thresholds will still be honored. ++## Prerequisites ++> [!NOTE] +> Upgrades with the PauseRack strategy is available starting API version 2024-06-01-preview. ++1. The [Install Azure CLI][installation-instruction] must be installed. +2. The `networkcloud` CLI extension is required. If the `networkcloud` extension isn't installed, it can be installed following the steps listed [here](https://github.com/MicrosoftDocs/azure-docs-pr/blob/main/articles/operator-nexus/howto-install-cli-extensions.md). +3. Access to the Azure portal for the target cluster to be upgraded. +4. You must be logged in to the same subscription as your target cluster via `az login` +5. Target cluster must be in a running state, with all control plane nodes healthy and 80+% of compute nodes in a running and healthy state. ++## Procedure ++1. Enable PauseRack upgrade strategy on a Nexus cluster ++ ```azurecli + az networkcloud cluster update + --name $CLUSTER_NAME \ + --resource-group $RESOURCE_GROUP \ + --update-strategy strategy-type="PauseRack" wait-time-minutes=0 + ``` ++2. Confirm that the cluster resource JSON in the JSON View reflects the PauseRack upgrade strategy. 
++ ```azurecli + az networkcloud cluster show --cluster-name "clusterName" --resource-group "resourceGroupName" + ``` ++ ``` + "updateStrategy": { + "maxUnavailable": 2, + "strategyType": "PauseAfterRack", + "thresholdType": "PercentSuccess", + "thresholdValue": 70, + "waitTimeMinutes": 15, + } + ``` ++3. Trigger runtime bundle upgrade as usual from Azure portal / CLI. For reference [Upgrading cluster runtime from Azure CLI](./howto-cluster-runtime-upgrade.md) ++4. Once Rack 1 completes, the runtime upgrade will be paused, awaiting user action to resume the upgrade for Rack 2. +++> [!NOTE] +> This message will be available in logs for programtic access, for more details follow [List of logs available for streaming in Azure Operator Nexus](list-logs-available.md) ++5. To resume the runtime upgrade, execute the following `az networkcloud` cli command. ++```shell +az networkcloud cluster continue-update-version \ + --subscription=$SUBSCRIPTION \ + --resource-group=$RESOURCE_GROUP \ + --cluster-name=$CLUSTER_NAME +``` ++6. Repeat step 5 for each rack until all racks have been upgraded to the latest runtime bundle. ++## Related content ++- [Upgrading cluster runtime from Azure CLI](./howto-cluster-runtime-upgrade.md) |
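Review bot: the step 1 command is missing the trailing `\` on its first line (`az networkcloud cluster update`), so `--name`, `--resource-group` and `--update-strategy` end up on separate shell lines and are never passed to the command; add `\` after `update`. The step 2 sample output also does not agree with step 1: it shows `"strategyType": "PauseAfterRack"` and `"waitTimeMinutes": 15` while step 1 sets `strategy-type="PauseRack"` and `wait-time-minutes=0`, and the trailing comma after `"waitTimeMinutes": 15,` makes the snippet invalid JSON. Minor: `programtic` in the note should be `programmatic`, and the prerequisites link for the `networkcloud` extension points at the private `azure-docs-pr` repository rather than the published article.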
operator-nexus | Howto Cluster Runtime Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-cluster-runtime-upgrade.md | The output should be the target cluster's information and the cluster's detailed For more detailed insights on the upgrade progress, the individual BMM in each Rack can be checked for status. Example of this is provided in the reference section under [BareMetal Machine roles](./reference-near-edge-baremetal-machine-roles.md). ## Configure compute threshold parameters for runtime upgrade using cluster updateStrategy+ The following Azure CLI command is used to configure the compute threshold parameters for a runtime upgrade: ```azurecli-az networkcloud cluster update --name "<clusterName>" --resource-group "<resourceGroup>" --update-strategy strategy-type="Rack" threshold-type="PercentSuccess" threshold-value="<thresholdValue>" max-unavailable=<maxNodesOffline> wait-time-minutes=<waitTimeBetweenRacks> +az networkcloud cluster update / +--name "<clusterName>" / +--resource-group "<resourceGroup>" / +--update-strategy strategy-type="Rack" threshold-type="PercentSuccess" / +threshold-value="<thresholdValue>" max-unavailable=<maxNodesOffline> / +wait-time-minutes=<waitTimeBetweenRacks> ``` -Required arguments: -- strategy-type: Defines the update strategy. In this case, "Rack" means updates occur rack-by-rack. The default value is "Rack"+Required parameters: +- strategy-type: Defines the update strategy. In this case, "Rack" means updates occur rack-by-rack. The default value is "Rack". - threshold-type: Determines how the threshold should be evaluated, applied in the units defined by the strategy. The default value is "PercentSuccess". - threshold-value: The numeric threshold value used to evaluate an update. The default value is 80. -Optional arguments: +Optional parameters: - max-unavailable: The maximum number of worker nodes that can be offline, that is, upgraded rack at a time. 
The default value is 32767. - wait-time-minutes: The delay or waiting period before updating a rack. The default value is 15. An example usage of the command is as below:+ ```azurecli az networkcloud cluster update --name "cluster01" --resource-group "cluster01-rg" --update-strategy strategy-type="Rack" threshold-type="PercentSuccess" threshold-value=70 max-unavailable=16 wait-time-minutes=15 ```+ Upon successful execution of the command, the updateStrategy values specified will be applied to the cluster:-``` - "updateStrategy": { ++``` + "updateStrategy": { "maxUnavailable": 16, "strategyType": "Rack", "thresholdType": "PercentSuccess", "thresholdValue": 70, "waitTimeMinutes": 15,- }, + } ``` +> [!NOTE] +> When a threshold value below 100% is set, itΓÇÖs possible that any unhealthy nodes might not be upgraded, yet the ΓÇ£ClusterΓÇ¥ status could still indicate that upgrade was successful. For troubleshooting issues with bare metal machines, please refer to [Troubleshoot Azure Operator Nexus server problems](troubleshoot-reboot-reimage-replace.md) ++## Upgrade with PauseRack strategy ++Starting with API version 2024-06-01-preview, runtime upgrades can be triggered using a "PauseRack" strategy. When you execute a Cluster runtime upgrade with the PauseRack" strategy, it will update one rack at a time in the Cluster and then stop, awaiting confirmation before proceeding to the next rack. All existing thresholds will continue to be respected with the "PauseRack" strategy. To carry out a Cluster runtime upgrade using the "PauseRack" strategy follow the steps outlined in [Upgrading cluster runtime with a pause rack strategy](howto-cluster-runtime-upgrade-with-pauserack-strategy.md) + ## Frequently Asked Questions ### Identifying Cluster Upgrade Stalled/Stuck During a runtime upgrade, the cluster enters a state of `Upgrading`. 
In the even ### Impact on Nexus Kubernetes tenant workloads during cluster runtime upgrade -During a runtime upgrade, impacted Nexus Kubernetes cluster nodes are cordoned and drained before the Bare Metal Hosts (BMH) are upgraded. Cordoning the cluster node prevents new pods from being scheduled on it and draining the cluster node allows pods that are running tenant workloads a chance to shift to another available cluster node, which helps to reduce the impact on services. The draining mechanism's effectiveness is contingent on the available capacity within the Nexus Kubernetes cluster. If the cluster is nearing full capacity and lacks space for the pods to relocate, they transition into a Pending state following the draining process. +During a runtime upgrade, impacted Nexus Kubernetes Cluster nodes are cordoned and drained before the Bare Metal Hosts (BMH) are upgraded. Cordoning the Kubernetes Cluster node prevents new pods from being scheduled on it and draining the Kubernetes Cluster node allows pods that are running tenant workloads a chance to shift to another available Kubernetes Cluster node, which helps to reduce the impact on services. The draining mechanism's effectiveness is contingent on the available capacity within the Nexus Kubernetes Cluster. If the Kubernetes Cluster is nearing full capacity and lacks space for the pods to relocate, they transition into a Pending state following the draining process. Once the cordon and drain process of the tenant cluster node is completed, the upgrade of the BMH proceeds. Each tenant cluster node is allowed up to 10 minutes for the draining process to complete, after which the BMH upgrade will begin. This guarantees the BMH upgrade will make progress. BMHs are upgraded one rack at a time, and upgrades are performed in parallel within the same rack. The BMH upgrade does not wait for tenant resources to come online before continuing with the runtime upgrade of BMHs in the rack being upgraded. 
The benefit of this is that the maximum overall wait time for a rack upgrade is kept at 10 minutes regardless of how many nodes are available. This maximum wait time is specific to the cordon and drain procedure and is not applied to the overall upgrade procedure. Upon completion of each BMH upgrade, the Nexus Kubernetes cluster node starts, rejoins the cluster, and is uncordoned, allowing pods to be scheduled on the node once again. It's important to note that the Nexus Kubernetes cluster node won't be shut down after the cordon and drain process. The BMH is rebooted with the new image as soon as all the Nexus Kubernetes cluster nodes are cordoned and drained, after 10 minutes if the drain process isn't completed. Additionally, the cordon and drain is not initiated for power-off or restart actions of the BMH; it's exclusively activated only during a runtime upgrade. -It is important to note that following the runtime upgrade, there could be instance where a Nexus Kubernetes Cluster node remains cordoned. For such scenario, you can manually uncordon the node by executing the following commands via(./includes/kubernetes-cluster/cluster-connect.md) +It is important to note that following the runtime upgrade, there could be instance where a Nexus Kubernetes Cluster node remains cordoned. For such scenario, you can manually uncordon the node by executing the following command -``` -kubectl get nodes | grep SchedulingDisabled > -if [ $? 
-eq 0 ]; then -for node in $(kubectl get nodes | grep SchedulingDisabled | awk '{print $1}'); do - kubectl uncordon $node -done -fi -``` +```azurecli +az networkcloud baremetalmachine list -g $mrg --subscription $sub --query "sort_by([].{name:name,kubernetesNodeName:kubernetesNodeName,location:location,readyState:readyState,provisioningState:provisioningState,detailedStatus:detailedStatus,detailedStatusMessage:detailedStatusMessage,powerState:powerState,tags:tags.Status,machineRoles:join(', ', machineRoles),cordonStatus:cordonStatus,createdAt:systemData.createdAt}, &name)" +--output table +``` <!-- LINKS - External --> [installation-instruction]: https://aka.ms/azcli |
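Review bot: in the reformatted `az networkcloud cluster update` block the line continuations use `/` instead of `\`; a shell does not treat a trailing `/` as continuation, so each `--name`, `--resource-group`, `--update-strategy` and `wait-time-minutes` line would be executed as its own command and the stray `/` passed as an argument. Replace each trailing `/` with `\`, matching the `az networkcloud cluster continue-update-version` example in the companion PauseRack article.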
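Review bot: the new "Upgrade with PauseRack strategy" paragraph has an unbalanced quotation in `the PauseRack" strategy` (the opening quote is missing), and the added NOTE contains mis-encoded characters (`itΓÇÖs`, `ΓÇ£ClusterΓÇ¥`) where a plain apostrophe and quotation marks were intended; the source file was likely saved in the wrong encoding and should be re-saved as UTF-8.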
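Review bot: the replacement for the uncordon snippet changes what the section does without changing the sentence that introduces it. The text still says `you can manually uncordon the node by executing the following command`, but the new `az networkcloud baremetalmachine list ... --query ...` only lists bare metal machines with their `cordonStatus`; it does not uncordon anything, so the reader loses the step that actually restores scheduling. Either keep an uncordon step or reword the sentence to say the command identifies cordoned nodes. Also, the `--output table` line is not joined to the command with a trailing `\`, so it would run as a separate command, and `there could be instance` / `For such scenario` should read `there could be instances` / `In such a scenario`.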
private-link | Private Endpoint Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/private-endpoint-overview.md | A private-link resource is the destination target of a specified private endpoin | Private-link resource name | Resource type | Sub-resources | | | - | - | | Application Gateway | Microsoft.Network/applicationgateways |Frontend IP Configuration name|+| Azure AI Search | Microsoft.Search/searchServices | searchService | | Azure AI services | Microsoft.CognitiveServices/accounts | account | | Azure API for FHIR (Fast Healthcare Interoperability Resources) | Microsoft.HealthcareApis/services | fhir | | Azure API Management | Microsoft.ApiManagement/service | Gateway | A private-link resource is the destination target of a specified private endpoin | Azure Batch | Microsoft.Batch/batchAccounts | batchAccount, nodeManagement | | Azure Cache for Redis | Microsoft.Cache/Redis | redisCache | | Azure Cache for Redis Enterprise | Microsoft.Cache/redisEnterprise | redisEnterprise |-| Azure AI Search | Microsoft.Search/searchServices | searchService | | Azure Container Registry | Microsoft.ContainerRegistry/registries | registry | | Azure Cosmos DB | Microsoft.AzureCosmosDB/databaseAccounts | SQL, MongoDB, Cassandra, Gremlin, Table |-| Azure Cosmos DB for PostgreSQL | Microsoft.DBforPostgreSQL/serverGroupsv2 | coordinator | | Azure Cosmos DB for MongoDB vCore | Microsoft.DocumentDb/mongoClusters | mongoCluster |+| Azure Cosmos DB for PostgreSQL | Microsoft.DBforPostgreSQL/serverGroupsv2 | coordinator | | Azure Data Explorer | Microsoft.Kusto/clusters | cluster | | Azure Data Factory | Microsoft.DataFactory/factories | dataFactory | | Azure Database for MariaDB | Microsoft.DBforMariaDB/servers | mariadbServer |+| Azure Database for MySQL - Flexible Server | Microsoft.DBforMySQL/flexibleServers | mysqlServer | | Azure Database for MySQL - Single Server | Microsoft.DBforMySQL/servers | mysqlServer |-| Azure Database for MySQL- 
Flexible Server | Microsoft.DBforMySQL/flexibleServers | mysqlServer | -| Azure Database for PostgreSQL - Single server | Microsoft.DBforPostgreSQL/servers | postgresqlServer | | Azure Database for PostgreSQL - Flexible server | Microsoft.DBforPostgreSQL/flexibleServers | postgresqlServer |+| Azure Database for PostgreSQL - Single server | Microsoft.DBforPostgreSQL/servers | postgresqlServer | | Azure Databricks | Microsoft.Databricks/workspaces | databricks_ui_api, browser_authentication | | Azure Device Provisioning Service | Microsoft.Devices/provisioningServices | iotDps | | Azure Digital Twins | Microsoft.DigitalTwins/digitalTwinsInstances | API | A private-link resource is the destination target of a specified private endpoin | Azure Virtual Desktop - host pools | Microsoft.DesktopVirtualization/hostpools | connection | | Azure Virtual Desktop - workspaces | Microsoft.DesktopVirtualization/workspaces | feed<br />global | | Device Update for IoT Hub | Microsoft.DeviceUpdate/accounts | DeviceUpdate |+| Integration Account (Premium) | Microsoft.Logic/integrationAccounts | integrationAccount | | Microsoft Purview | Microsoft.Purview/accounts | account | | Microsoft Purview | Microsoft.Purview/accounts | portal | | Power BI | Microsoft.PowerBI/privateLinkServicesForPowerBI | Power BI | |
reliability | Migrate Monitor Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/migrate-monitor-log-analytics.md | Title: Migrate Log Analytics workspaces to availability zone support -description: Learn how to migrate Log Analytics workspaces to availability zone support. + Title: Migrate Log Analytics Dedicated Cluster workspaces to availability zone support +description: Learn how to migrate Log Analytics Dedicated Cluster workspaces to availability zone support. Previously updated : 05/19/2024 Last updated : 09/19/2024 -# Migrate Log Analytics workspaces to availability zone support +# Migrate Log Analytics Dedicated Cluster workspaces to availability zone support -This guide describes how to migrate Log Analytics workspaces from non-availability zone support to availability support. +This guide describes how to migrate dedicated cluster Log Analytics Dedicated Cluster workspaces from non-availability zone support to availability support. > [!NOTE] > Application Insights resources can also use availability zones, but only if they are workspace-based and the workspace uses a dedicated cluster. Classic (non-workspace-based) Application Insights resources cannot use availability zones. This guide describes how to migrate Log Analytics workspaces from non-availabili ## Prerequisites -Make sure that the region to which you wish to move is a region that supports availability zones. To see which regions support availability zones, see [supported regions](/azure/azure-monitor/logs/availability-zones#supported-regions). +- This article applies to workspaces that use dedicated clusters. If your workspace isnΓÇÖt using a dedicated cluster, itΓÇÖs using a shared cluster, which is managed by the Log Analytics service. In regions that have availability zones, shared clusters use availability zones or are being migrated to use them. 
For more details, see [Log Analytics - Supported regions](/azure/azure-monitor/logs/availability-zones#supported-regions). ++- Make sure that the region to which you wish to move is a region that supports availability zones. To see which regions support availability zones, see [supported regions](/azure/azure-monitor/logs/availability-zones#supported-regions). ## Downtime requirements |
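Review bot: the new prerequisites bullet contains mis-encoded apostrophes (`isnΓÇÖt`, `itΓÇÖs`) that should be plain `isn't` and `it's`. The updated intro sentence also doubles the term: `migrate dedicated cluster Log Analytics Dedicated Cluster workspaces` should drop the leading `dedicated cluster`, and `from non-availability zone support to availability support` reads as if `zone` was dropped from the second phrase.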
resource-mover | Common Questions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/common-questions.md | description: Get answers to common questions about Azure Resource Mover. - Previously updated : 03/29/2024+ Last updated : 09/23/2024 |
resource-mover | Support Matrix Move Region Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/support-matrix-move-region-sql.md | Title: Support for moving Azure SQL resources between regions with Azure Resourc description: Review support for moving Azure SQL resources between regions with Azure Resource Mover. - Previously updated : 03/29/2024+ Last updated : 09/18/2024 |
role-based-access-control | Built In Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles.md | The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > | Built-in role | Description | ID | > | | | |+> | <a name='azure-arc-vmware-vm-contributor'></a>[Azure Arc VMware VM Contributor](./built-in-roles/compute.md#azure-arc-vmware-vm-contributor) | Arc VMware VM Contributor has permissions to perform all VM actions. | b748a06d-6150-4f8a-aaa9-ce3940cd96cb | > | <a name='classic-virtual-machine-contributor'></a>[Classic Virtual Machine Contributor](./built-in-roles/compute.md#classic-virtual-machine-contributor) | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb | > | <a name='compute-gallery-artifacts-publisher'></a>[Compute Gallery Artifacts Publisher](./built-in-roles/compute.md#compute-gallery-artifacts-publisher) | This is the role for publishing gallery artifacts. | 85a2d0d9-2eba-4c9c-b355-11c2cc0788ab | > | <a name='compute-gallery-sharing-admin'></a>[Compute Gallery Sharing Admin](./built-in-roles/compute.md#compute-gallery-sharing-admin) | This role allows user to share gallery to another subscription/tenant or share it to the public. | 1ef6a3be-d0ac-425d-8c01-acb62866290b | The following table provides a brief description of each built-in role. Click th > | <a name='desktop-virtualization-contributor'></a>[Desktop Virtualization Contributor](./built-in-roles/compute.md#desktop-virtualization-contributor) | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 | > | <a name='desktop-virtualization-host-pool-contributor'></a>[Desktop Virtualization Host Pool Contributor](./built-in-roles/compute.md#desktop-virtualization-host-pool-contributor) | Contributor of the Desktop Virtualization Host Pool. 
| e307426c-f9b6-4e81-87de-d99efb3c32bc | > | <a name='desktop-virtualization-host-pool-reader'></a>[Desktop Virtualization Host Pool Reader](./built-in-roles/compute.md#desktop-virtualization-host-pool-reader) | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 |+> | <a name='desktop-virtualization-power-on-contributor'></a>[Desktop Virtualization Power On Contributor](./built-in-roles/compute.md#desktop-virtualization-power-on-contributor) | Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. | 489581de-a3bd-480d-9518-53dea7416b33 | +> | <a name='desktop-virtualization-power-on-off-contributor'></a>[Desktop Virtualization Power On Off Contributor](./built-in-roles/compute.md#desktop-virtualization-power-on-off-contributor) | Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. | 40c5ff49-9181-41f8-ae61-143b0e78555e | > | <a name='desktop-virtualization-reader'></a>[Desktop Virtualization Reader](./built-in-roles/compute.md#desktop-virtualization-reader) | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 | > | <a name='desktop-virtualization-session-host-operator'></a>[Desktop Virtualization Session Host Operator](./built-in-roles/compute.md#desktop-virtualization-session-host-operator) | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | > | <a name='desktop-virtualization-user'></a>[Desktop Virtualization User](./built-in-roles/compute.md#desktop-virtualization-user) | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | > | <a name='desktop-virtualization-user-session-operator'></a>[Desktop Virtualization User Session Operator](./built-in-roles/compute.md#desktop-virtualization-user-session-operator) | Operator of the Desktop Virtualization User Session. 
| ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 |+> | <a name='desktop-virtualization-virtual-machine-contributor'></a>[Desktop Virtualization Virtual Machine Contributor](./built-in-roles/compute.md#desktop-virtualization-virtual-machine-contributor) | This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. | a959dbd1-f747-45e3-8ba6-dd80f235f97c | > | <a name='desktop-virtualization-workspace-contributor'></a>[Desktop Virtualization Workspace Contributor](./built-in-roles/compute.md#desktop-virtualization-workspace-contributor) | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b | > | <a name='desktop-virtualization-workspace-reader'></a>[Desktop Virtualization Workspace Reader](./built-in-roles/compute.md#desktop-virtualization-workspace-reader) | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | > | <a name='disk-backup-reader'></a>[Disk Backup Reader](./built-in-roles/compute.md#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | The following table provides a brief description of each built-in role. Click th > | <a name='virtual-machine-data-access-administrator-preview'></a>[Virtual Machine Data Access Administrator (preview)](./built-in-roles/compute.md#virtual-machine-data-access-administrator-preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. 
| 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 | > | <a name='virtual-machine-local-user-login'></a>[Virtual Machine Local User Login](./built-in-roles/compute.md#virtual-machine-local-user-login) | View Virtual Machines in the portal and login as a local user configured on the arc server | 602da2ba-a5c2-41da-b01d-5360126ab525 | > | <a name='virtual-machine-user-login'></a>[Virtual Machine User Login](./built-in-roles/compute.md#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |+> | <a name='windows-365-network-interface-contributor'></a>[Windows 365 Network Interface Contributor](./built-in-roles/compute.md#windows-365-network-interface-contributor) | This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. | 1f135831-5bbe-4924-9016-264044c00788 | +> | <a name='windows-365-network-user'></a>[Windows 365 Network User](./built-in-roles/compute.md#windows-365-network-user) | This role is used by Windows 365 to read virtual networks and join the designated virtual networks. | 7eabc9a4-85f7-4f71-b8ab-75daaccc1033 | > | <a name='windows-admin-center-administrator-login'></a>[Windows Admin Center Administrator Login](./built-in-roles/compute.md#windows-admin-center-administrator-login) | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f | ## Networking The following table provides a brief description of each built-in role. Click th > | <a name='avere-contributor'></a>[Avere Contributor](./built-in-roles/storage.md#avere-contributor) | Can create and manage an Avere vFXT cluster. 
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | > | <a name='avere-operator'></a>[Avere Operator](./built-in-roles/storage.md#avere-operator) | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | > | <a name='backup-contributor'></a>[Backup Contributor](./built-in-roles/storage.md#backup-contributor) | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b |+> | <a name='backup-mua-admin'></a>[Backup MUA Admin](./built-in-roles/storage.md#backup-mua-admin) | Backup MultiUser-Authorization. Can create/delete ResourceGuard | c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8 | +> | <a name='backup-mua-operator'></a>[Backup MUA Operator](./built-in-roles/storage.md#backup-mua-operator) | Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard | f54b6d04-23c6-443e-b462-9c16ab7b4a52 | > | <a name='backup-operator'></a>[Backup Operator](./built-in-roles/storage.md#backup-operator) | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 | > | <a name='backup-reader'></a>[Backup Reader](./built-in-roles/storage.md#backup-reader) | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 | > | <a name='classic-storage-account-contributor'></a>[Classic Storage Account Contributor](./built-in-roles/storage.md#classic-storage-account-contributor) | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | The following table provides a brief description of each built-in role. Click th > | <a name='data-box-reader'></a>[Data Box Reader](./built-in-roles/storage.md#data-box-reader) | Lets you manage Data Box Service except creating order or editing order details and giving access to others. 
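Review bot: the two Backup MUA rows added here spell the same resource two ways, "ResourceGuard" in the Admin row and "resourceguard" in the Operator row, and "MultiUser-Authorization" reads as a typo in both. Suggest one spelling of the resource name across both rows and a description that reads as a sentence, for example "Allows the user to perform critical operations protected by a ResourceGuard". Because the description column is generated from the role definition, the fix likely belongs in the source role description rather than only in this table.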
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | > | <a name='data-lake-analytics-developer'></a>[Data Lake Analytics Developer](./built-in-roles/storage.md#data-lake-analytics-developer) | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 | > | <a name='defender-for-storage-data-scanner'></a>[Defender for Storage Data Scanner](./built-in-roles/storage.md#defender-for-storage-data-scanner) | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. | 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 |+> | <a name='elastic-san-network-admin'></a>[Elastic SAN Network Admin](./built-in-roles/storage.md#elastic-san-network-admin) | Allows access to create Private Endpoints on SAN resources, and to read SAN resources | fa6cecf6-5db3-4c43-8470-c540bcb4eafa | > | <a name='elastic-san-owner'></a>[Elastic SAN Owner](./built-in-roles/storage.md#elastic-san-owner) | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | 80dcbedb-47ef-405d-95bd-188a1b4ac406 | > | <a name='elastic-san-reader'></a>[Elastic SAN Reader](./built-in-roles/storage.md#elastic-san-reader) | Allows for control path read access to Azure Elastic SAN | af6a70f8-3c9f-4105-acf1-d719e9fca4ca | > | <a name='elastic-san-volume-group-owner'></a>[Elastic SAN Volume Group Owner](./built-in-roles/storage.md#elastic-san-volume-group-owner) | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | a8281131-f312-4f34-8d98-ae12be9f0d23 | The following table provides a brief description of each built-in role. 
Click th > | | | | > | <a name='azure-maps-data-contributor'></a>[Azure Maps Data Contributor](./built-in-roles/web-and-mobile.md#azure-maps-data-contributor) | Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | > | <a name='azure-maps-data-reader'></a>[Azure Maps Data Reader](./built-in-roles/web-and-mobile.md#azure-maps-data-reader) | Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa |+> | <a name='azure-maps-search-and-render-data-reader'></a>[Azure Maps Search and Render Data Reader](./built-in-roles/web-and-mobile.md#azure-maps-search-and-render-data-reader) | Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. | 6be48352-4f82-47c9-ad5e-0acacefdb005 | +> | <a name='azure-spring-apps-application-configuration-service-config-file-pattern-reader-role'></a>[Azure Spring Apps Application Configuration Service Config File Pattern Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-application-configuration-service-config-file-pattern-reader-role) | Read content of config file pattern for Application Configuration Service in Azure Spring Apps | 25211fc6-dc78-40b6-b205-e4ac934fd9fd | +> | <a name='azure-spring-apps-application-configuration-service-log-reader-role'></a>[Azure Spring Apps Application Configuration Service Log Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-application-configuration-service-log-reader-role) | Read real-time logs for Application Configuration Service in Azure Spring Apps | 6593e776-2a30-40f9-8a32-4fe28b77655d | +> | <a name='azure-spring-apps-connect-role'></a>[Azure Spring Apps Connect Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-connect-role) | Azure Spring Apps Connect Role | 80558df3-64f9-4c0f-b32d-e5094b036b0b | +> | <a name='azure-spring-apps-job-log-reader-role'></a>[Azure 
Spring Apps Job Log Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-job-log-reader-role) | Read real-time logs for jobs in Azure Spring Apps | b459aa1d-e3c8-436f-ae21-c0531140f43e | +> | <a name='azure-spring-apps-remote-debugging-role'></a>[Azure Spring Apps Remote Debugging Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-remote-debugging-role) | Azure Spring Apps Remote Debugging Role | a99b0159-1064-4c22-a57b-c9b3caa1c054 | +> | <a name='azure-spring-apps-spring-cloud-gateway-log-reader-role'></a>[Azure Spring Apps Spring Cloud Gateway Log Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-spring-cloud-gateway-log-reader-role) | Read real-time logs for Spring Cloud Gateway in Azure Spring Apps | 4301dc2a-25a9-44b0-ae63-3636cf7f2bd2 | > | <a name='azure-spring-cloud-config-server-contributor'></a>[Azure Spring Cloud Config Server Contributor](./built-in-roles/web-and-mobile.md#azure-spring-cloud-config-server-contributor) | Allow read, write and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | > | <a name='azure-spring-cloud-config-server-reader'></a>[Azure Spring Cloud Config Server Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-config-server-reader) | Allow read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 | > | <a name='azure-spring-cloud-data-reader'></a>[Azure Spring Cloud Data Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-data-reader) | Allow read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c | The following table provides a brief description of each built-in role. 
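Review bot: two of the Azure Spring Apps rows added here, Azure Spring Apps Connect Role and Azure Spring Apps Remote Debugging Role, repeat the role name as the description, so the table says nothing about what either role permits, unlike the neighbouring log-reader rows ("Read real-time logs for jobs in Azure Spring Apps"). Suggest a one-line description of the granted operations for each, or, if the role definition ships with an empty description, a note pointing readers to the linked role page for the actions list.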
Click th > | <a name='signalr-service-owner'></a>[SignalR Service Owner](./built-in-roles/web-and-mobile.md#signalr-service-owner) | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | > | <a name='signalrweb-pubsub-contributor'></a>[SignalR/Web PubSub Contributor](./built-in-roles/web-and-mobile.md#signalrweb-pubsub-contributor) | Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | > | <a name='web-plan-contributor'></a>[Web Plan Contributor](./built-in-roles/web-and-mobile.md#web-plan-contributor) | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |+> | <a name='web-pubsub-service-owner'></a>[Web PubSub Service Owner](./built-in-roles/web-and-mobile.md#web-pubsub-service-owner) | Full access to Azure Web PubSub Service REST APIs | 12cf5a90-567b-43ae-8102-96cf46c7d9b4 | +> | <a name='web-pubsub-service-reader'></a>[Web PubSub Service Reader](./built-in-roles/web-and-mobile.md#web-pubsub-service-reader) | Read-only access to Azure Web PubSub Service REST APIs | bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf | > | <a name='website-contributor'></a>[Website Contributor](./built-in-roles/web-and-mobile.md#website-contributor) | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772 | ## Containers The following table provides a brief description of each built-in role. Click th > | <a name='azure-kubernetes-service-rbac-cluster-admin'></a>[Azure Kubernetes Service RBAC Cluster Admin](./built-in-roles/containers.md#azure-kubernetes-service-rbac-cluster-admin) | Lets you manage all resources in the cluster. 
| b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | > | <a name='azure-kubernetes-service-rbac-reader'></a>[Azure Kubernetes Service RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-service-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db | > | <a name='azure-kubernetes-service-rbac-writer'></a>[Azure Kubernetes Service RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-service-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. 
| a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |+> | <a name='connected-cluster-managed-identity-checkaccess-reader'></a>[Connected Cluster Managed Identity CheckAccess Reader](./built-in-roles/containers.md#connected-cluster-managed-identity-checkaccess-reader) | Built-in role that allows a Connected Cluster managed identity to call the checkAccess API | 65a14201-8f6c-4c28-bec4-12619c5a9aaa | > | <a name='kubernetes-agentless-operator'></a>[Kubernetes Agentless Operator](./built-in-roles/containers.md#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 | > | <a name='kubernetes-clusterazure-arc-onboarding'></a>[Kubernetes Cluster - Azure Arc Onboarding](./built-in-roles/containers.md#kubernetes-clusterazure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | > | <a name='kubernetes-extension-contributor'></a>[Kubernetes Extension Contributor](./built-in-roles/containers.md#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 | The following table provides a brief description of each built-in role. Click th > | <a name='cosmosbackupoperator'></a>[CosmosBackupOperator](./built-in-roles/databases.md#cosmosbackupoperator) | Can submit restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb | > | <a name='cosmosrestoreoperator'></a>[CosmosRestoreOperator](./built-in-roles/databases.md#cosmosrestoreoperator) | Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f | > | <a name='documentdb-account-contributor'></a>[DocumentDB Account Contributor](./built-in-roles/databases.md#documentdb-account-contributor) | Can manage Azure Cosmos DB accounts. 
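Review bot: the Connected Cluster Managed Identity CheckAccess Reader row added here opens its description with "Built-in role that allows", which is redundant in a table whose first column is already headed "Built-in role" and which no other row in this hunk does; suggest trimming it to "Allows a Connected Cluster managed identity to call the checkAccess API" for consistency with the surrounding descriptions.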
Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 |+> | <a name='postgresql-flexible-server-long-term-retention-backup-role'></a>[PostgreSQL Flexible Server Long Term Retention Backup Role](./built-in-roles/databases.md#postgresql-flexible-server-long-term-retention-backup-role) | Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. | c088a766-074b-43ba-90d4-1fb21feae531 | > | <a name='redis-cache-contributor'></a>[Redis Cache Contributor](./built-in-roles/databases.md#redis-cache-contributor) | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 | > | <a name='sql-db-contributor'></a>[SQL DB Contributor](./built-in-roles/databases.md#sql-db-contributor) | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | > | <a name='sql-managed-instance-contributor'></a>[SQL Managed Instance Contributor](./built-in-roles/databases.md#sql-managed-instance-contributor) | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | The following table provides a brief description of each built-in role. Click th > | <a name='data-purger'></a>[Data Purger](./built-in-roles/analytics.md#data-purger) | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | > | <a name='hdinsight-cluster-operator'></a>[HDInsight Cluster Operator](./built-in-roles/analytics.md#hdinsight-cluster-operator) | Lets you read and modify HDInsight cluster configurations. 
| 61ed4efc-fab3-44fd-b111-e24485cc132a | > | <a name='hdinsight-domain-services-contributor'></a>[HDInsight Domain Services Contributor](./built-in-roles/analytics.md#hdinsight-domain-services-contributor) | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c |+> | <a name='hdinsight-on-aks-cluster-admin'></a>[HDInsight on AKS Cluster Admin](./built-in-roles/analytics.md#hdinsight-on-aks-cluster-admin) | Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. | fd036e6b-1266-47a0-b0bb-a05d04831731 | +> | <a name='hdinsight-on-aks-cluster-pool-admin'></a>[HDInsight on AKS Cluster Pool Admin](./built-in-roles/analytics.md#hdinsight-on-aks-cluster-pool-admin) | Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters | 7656b436-37d4-490a-a4ab-d39f838f0042 | > | <a name='log-analytics-contributor'></a>[Log Analytics Contributor](./built-in-roles/analytics.md#log-analytics-contributor) | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | > | <a name='log-analytics-reader'></a>[Log Analytics Reader](./built-in-roles/analytics.md#log-analytics-reader) | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. 
| 73c42c96-874c-492b-b04d-ab87d138a893 | > | <a name='schema-registry-contributor-preview'></a>[Schema Registry Contributor (Preview)](./built-in-roles/analytics.md#schema-registry-contributor-preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 | The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > | Built-in role | Description | ID | > | | | |+> | <a name='agfood-platform-sensor-partner-contributor'></a>[AgFood Platform Sensor Partner Contributor](./built-in-roles/ai-machine-learning.md#agfood-platform-sensor-partner-contributor) | Provides contribute access to manage sensor related entities in AgFood Platform Service | 6b77f0a0-0d89-41cc-acd1-579c22c17a67 | +> | <a name='agfood-platform-service-admin'></a>[AgFood Platform Service Admin](./built-in-roles/ai-machine-learning.md#agfood-platform-service-admin) | Provides admin access to AgFood Platform Service | f8da80de-1ff9-4747-ad80-a19b7f6079e3 | +> | <a name='agfood-platform-service-contributor'></a>[AgFood Platform Service Contributor](./built-in-roles/ai-machine-learning.md#agfood-platform-service-contributor) | Provides contribute access to AgFood Platform Service | 8508508a-4469-4e45-963b-2518ee0bb728 | +> | <a name='agfood-platform-service-reader'></a>[AgFood Platform Service Reader](./built-in-roles/ai-machine-learning.md#agfood-platform-service-reader) | Provides read access to AgFood Platform Service | 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba | > | <a name='azure-ai-developer'></a>[Azure AI Developer](./built-in-roles/ai-machine-learning.md#azure-ai-developer) | Can perform all actions within an Azure AI resource besides managing the resource itself. 
| 64702f94-c441-49e6-a78b-ef80e0188fee | > | <a name='azure-ai-enterprise-network-connection-approver'></a>[Azure AI Enterprise Network Connection Approver](./built-in-roles/ai-machine-learning.md#azure-ai-enterprise-network-connection-approver) | Can approve private endpoint connections to Azure AI common dependency resources | b556d68e-0be0-4f35-a333-ad7ee1ce17ea | > | <a name='azure-ai-inference-deployment-operator'></a>[Azure AI Inference Deployment Operator](./built-in-roles/ai-machine-learning.md#azure-ai-inference-deployment-operator) | Can perform all actions required to create a resource deployment within a resource group. | 3afb7f49-54cb-416e-8c09-6dc049efa503 | > | <a name='azureml-compute-operator'></a>[AzureML Compute Operator](./built-in-roles/ai-machine-learning.md#azureml-compute-operator) | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 | > | <a name='azureml-data-scientist'></a>[AzureML Data Scientist](./built-in-roles/ai-machine-learning.md#azureml-data-scientist) | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 |+> | <a name='azureml-metrics-writer-preview'></a>[AzureML Metrics Writer (preview)](./built-in-roles/ai-machine-learning.md#azureml-metrics-writer-preview) | Lets you write metrics to AzureML workspace | 635dd51f-9968-44d3-b7fb-6d9a6bd613ae | +> | <a name='azureml-registry-user'></a>[AzureML Registry User](./built-in-roles/ai-machine-learning.md#azureml-registry-user) | Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. 
| 1823dd4f-9b8c-4ab6-ab4e-7397a3684615 | > | <a name='cognitive-services-contributor'></a>[Cognitive Services Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-contributor) | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | > | <a name='cognitive-services-custom-vision-contributor'></a>[Cognitive Services Custom Vision Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-contributor) | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | > | <a name='cognitive-services-custom-vision-deployment'></a>[Cognitive Services Custom Vision Deployment](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-deployment) | Publish, unpublish or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f | The following table provides a brief description of each built-in role. Click th > | <a name='cognitive-services-custom-vision-trainer'></a>[Cognitive Services Custom Vision Trainer](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-trainer) | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | > | <a name='cognitive-services-data-reader-preview'></a>[Cognitive Services Data Reader (Preview)](./built-in-roles/ai-machine-learning.md#cognitive-services-data-reader-preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c | > | <a name='cognitive-services-face-recognizer'></a>[Cognitive Services Face Recognizer](./built-in-roles/ai-machine-learning.md#cognitive-services-face-recognizer) | Lets you perform detect, verify, identify, group, and find similar operations on Face API. 
This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 |+> | <a name='cognitive-services-immersive-reader-user'></a>[Cognitive Services Immersive Reader User](./built-in-roles/ai-machine-learning.md#cognitive-services-immersive-reader-user) | Provides access to create Immersive Reader sessions and call APIs | b2de6794-95db-4659-8781-7e080d3f2b9d | +> | <a name='cognitive-services-language-owner'></a>[Cognitive Services Language Owner](./built-in-roles/ai-machine-learning.md#cognitive-services-language-owner) | Has access to all Read, Test, Write, Deploy and Delete functions under Language portal | f07febfe-79bc-46b1-8b37-790e26e6e498 | +> | <a name='cognitive-services-language-reader'></a>[Cognitive Services Language Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-language-reader) | Has access to Read and Test functions under Language portal | 7628b7b8-a8b2-4cdc-b46f-e9b35248918e | +> | <a name='cognitive-services-language-writer'></a>[Cognitive Services Language Writer](./built-in-roles/ai-machine-learning.md#cognitive-services-language-writer) | Has access to all Read, Test, and Write functions under Language Portal | f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 | +> | <a name='cognitive-services-luis-owner'></a>[Cognitive Services LUIS Owner](./built-in-roles/ai-machine-learning.md#cognitive-services-luis-owner) | Has access to all Read, Test, Write, Deploy and Delete functions under LUIS | f72c8140-2111-481c-87ff-72b910f6e3f8 | +> | <a name='cognitive-services-luis-reader'></a>[Cognitive Services LUIS Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-luis-reader) | Has access to Read and Test functions under LUIS. 
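Review bot: the three Cognitive Services Language rows added here capitalize the portal name inconsistently, "under Language portal" in the Owner and Reader rows versus "under Language Portal" in the Writer row; suggest one form across all three. In the same group, the LUIS Reader row is the only one of the six Language/LUIS rows that ends its description with a period ("under LUIS."), so that should be aligned with its siblings as well.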
| 18e81cdc-4e98-4e29-a639-e7d10c5a6226 | +> | <a name='cognitive-services-luis-writer'></a>[Cognitive Services LUIS Writer](./built-in-roles/ai-machine-learning.md#cognitive-services-luis-writer) | Has access to all Read, Test, and Write functions under LUIS | 6322a993-d5c9-4bed-b113-e49bbea25b27 | > | <a name='cognitive-services-metrics-advisor-administrator'></a>[Cognitive Services Metrics Advisor Administrator](./built-in-roles/ai-machine-learning.md#cognitive-services-metrics-advisor-administrator) | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |+> | <a name='cognitive-services-metrics-advisor-user'></a>[Cognitive Services Metrics Advisor User](./built-in-roles/ai-machine-learning.md#cognitive-services-metrics-advisor-user) | Access to the project. | 3b20f47b-3825-43cb-8114-4bd2201156a8 | > | <a name='cognitive-services-openai-contributor'></a>[Cognitive Services OpenAI Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-openai-contributor) | Full access including the ability to fine-tune, deploy and generate text | a001fd3d-188f-4b5d-821b-7da978bf7442 | > | <a name='cognitive-services-openai-user'></a>[Cognitive Services OpenAI User](./built-in-roles/ai-machine-learning.md#cognitive-services-openai-user) | Read access to view files, models, deployments. The ability to create completion and embedding calls. | 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd | > | <a name='cognitive-services-qna-maker-editor'></a>[Cognitive Services QnA Maker Editor](./built-in-roles/ai-machine-learning.md#cognitive-services-qna-maker-editor) | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 | > | <a name='cognitive-services-qna-maker-reader'></a>[Cognitive Services QnA Maker Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-qna-maker-reader) | Let's you read and test a KB only. 
| 466ccd10-b268-4a11-b098-b4849f024126 |+> | <a name='cognitive-services-speech-contributor'></a>[Cognitive Services Speech Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-speech-contributor) | Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. | 0e75ca1e-0464-4b4d-8b93-68208a576181 | +> | <a name='cognitive-services-speech-user'></a>[Cognitive Services Speech User](./built-in-roles/ai-machine-learning.md#cognitive-services-speech-user) | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. | f2dc8367-1007-4938-bd23-fe263f013447 | > | <a name='cognitive-services-usages-reader'></a>[Cognitive Services Usages Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-usages-reader) | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2 | > | <a name='cognitive-services-user'></a>[Cognitive Services User](./built-in-roles/ai-machine-learning.md#cognitive-services-user) | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |+> | <a name='health-bot-admin'></a>[Health Bot Admin](./built-in-roles/ai-machine-learning.md#health-bot-admin) | Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. 
| f1082fec-a70f-419f-9230-885d2550fb38 | +> | <a name='health-bot-editor'></a>[Health Bot Editor](./built-in-roles/ai-machine-learning.md#health-bot-editor) | Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. | af854a69-80ce-4ff7-8447-f1118a2e0ca8 | +> | <a name='health-bot-reader'></a>[Health Bot Reader](./built-in-roles/ai-machine-learning.md#health-bot-reader) | Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). | eb5a76d5-50e7-4c33-a449-070e7c9c4cf2 | > | <a name='search-index-data-contributor'></a>[Search Index Data Contributor](./built-in-roles/ai-machine-learning.md#search-index-data-contributor) | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | > | <a name='search-index-data-reader'></a>[Search Index Data Reader](./built-in-roles/ai-machine-learning.md#search-index-data-reader) | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f | > | <a name='search-service-contributor'></a>[Search Service Contributor](./built-in-roles/ai-machine-learning.md#search-service-contributor) | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | The following table provides a brief description of each built-in role. 
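Review bot: the three Health Bot rows added here have grammar problems a docs reviewer would flag: "configuration setting" should be "configuration settings" in all three, and the Editor row ends with a sentence fragment, "A read-only access to the bot skills and channels", which reads better as "Has read-only access to the bot skills and channels". Suggest correcting these in the role definition's description so the generated table picks up the fix.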
Click th > | | | | > | <a name='azure-digital-twins-data-owner'></a>[Azure Digital Twins Data Owner](./built-in-roles/internet-of-things.md#azure-digital-twins-data-owner) | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe | > | <a name='azure-digital-twins-data-reader'></a>[Azure Digital Twins Data Reader](./built-in-roles/internet-of-things.md#azure-digital-twins-data-reader) | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 |+> | <a name='device-provisioning-service-data-contributor'></a>[Device Provisioning Service Data Contributor](./built-in-roles/internet-of-things.md#device-provisioning-service-data-contributor) | Allows for full access to Device Provisioning Service data-plane operations. | dfce44e4-17b7-4bd1-a6d1-04996ec95633 | +> | <a name='device-provisioning-service-data-reader'></a>[Device Provisioning Service Data Reader](./built-in-roles/internet-of-things.md#device-provisioning-service-data-reader) | Allows for full read access to Device Provisioning Service data-plane properties. 
| 10745317-c249-44a1-a5ce-3a4353c0bbd8 | > | <a name='device-update-administrator'></a>[Device Update Administrator](./built-in-roles/internet-of-things.md#device-update-administrator) | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a | > | <a name='device-update-content-administrator'></a>[Device Update Content Administrator](./built-in-roles/internet-of-things.md#device-update-content-administrator) | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 | > | <a name='device-update-content-reader'></a>[Device Update Content Reader](./built-in-roles/internet-of-things.md#device-update-content-reader) | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | > | <a name='device-update-deployments-administrator'></a>[Device Update Deployments Administrator](./built-in-roles/internet-of-things.md#device-update-deployments-administrator) | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 | > | <a name='device-update-deployments-reader'></a>[Device Update Deployments Reader](./built-in-roles/internet-of-things.md#device-update-deployments-reader) | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f | > | <a name='device-update-reader'></a>[Device Update Reader](./built-in-roles/internet-of-things.md#device-update-reader) | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f |+> | <a name='firmware-analysis-admin'></a>[Firmware Analysis Admin](./built-in-roles/internet-of-things.md#firmware-analysis-admin) | Upload and analyze firmware images in Defender for IoT | 9c1607d1-791d-4c68-885d-c7b7aaff7c8a | > | <a name='iot-hub-data-contributor'></a>[IoT Hub Data Contributor](./built-in-roles/internet-of-things.md#iot-hub-data-contributor) | Allows 
for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f | > | <a name='iot-hub-data-reader'></a>[IoT Hub Data Reader](./built-in-roles/internet-of-things.md#iot-hub-data-reader) | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 | > | <a name='iot-hub-registry-contributor'></a>[IoT Hub Registry Contributor](./built-in-roles/internet-of-things.md#iot-hub-registry-contributor) | Allows for full access to IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 | The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > | Built-in role | Description | ID | > | | | |+> | <a name='api-management-developer-portal-content-editor'></a>[API Management Developer Portal Content Editor](./built-in-roles/integration.md#api-management-developer-portal-content-editor) | Can customize the developer portal, edit its content, and publish it. | c031e6a8-4391-4de0-8d69-4706a7ed3729 | > | <a name='api-management-service-contributor'></a>[API Management Service Contributor](./built-in-roles/integration.md#api-management-service-contributor) | Can manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c | > | <a name='api-management-service-operator-role'></a>[API Management Service Operator Role](./built-in-roles/integration.md#api-management-service-operator-role) | Can manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 | > | <a name='api-management-service-reader-role'></a>[API Management Service Reader Role](./built-in-roles/integration.md#api-management-service-reader-role) | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d | The following table provides a brief description of each built-in role. 
Click th > | <a name='api-management-workspace-api-product-manager'></a>[API Management Workspace API Product Manager](./built-in-roles/integration.md#api-management-workspace-api-product-manager) | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f | > | <a name='api-management-workspace-contributor'></a>[API Management Workspace Contributor](./built-in-roles/integration.md#api-management-workspace-contributor) | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 | > | <a name='api-management-workspace-reader'></a>[API Management Workspace Reader](./built-in-roles/integration.md#api-management-workspace-reader) | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 |+> | <a name='app-configuration-contributor'></a>[App Configuration Contributor](./built-in-roles/integration.md#app-configuration-contributor) | Grants permission for all management operations, except purge, for App Configuration resources. | fe86443c-f201-4fc4-9d2a-ac61149fbda0 | > | <a name='app-configuration-data-owner'></a>[App Configuration Data Owner](./built-in-roles/integration.md#app-configuration-data-owner) | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | > | <a name='app-configuration-data-reader'></a>[App Configuration Data Reader](./built-in-roles/integration.md#app-configuration-data-reader) | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |+> | <a name='app-configuration-reader'></a>[App Configuration Reader](./built-in-roles/integration.md#app-configuration-reader) | Grants permission for read operations for App Configuration resources. 
| 175b81b9-6e0d-490a-85e4-0d422273c10c | > | <a name='azure-api-center-compliance-manager'></a>[Azure API Center Compliance Manager](./built-in-roles/integration.md#azure-api-center-compliance-manager) | Allows managing API compliance in Azure API Center service. | ede9aaa3-4627-494e-be13-4aa7c256148d | > | <a name='azure-api-center-data-reader'></a>[Azure API Center Data Reader](./built-in-roles/integration.md#azure-api-center-data-reader) | Allows for access to Azure API Center data plane read operations. | c7244dfb-f447-457d-b2ba-3999044d1706 | > | <a name='azure-api-center-service-contributor'></a>[Azure API Center Service Contributor](./built-in-roles/integration.md#azure-api-center-service-contributor) | Allows managing Azure API Center service. | dd24193f-ef65-44e5-8a7e-6fa6e03f7713 | The following table provides a brief description of each built-in role. Click th > | <a name='azure-relay-listener'></a>[Azure Relay Listener](./built-in-roles/integration.md#azure-relay-listener) | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d | > | <a name='azure-relay-owner'></a>[Azure Relay Owner](./built-in-roles/integration.md#azure-relay-owner) | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 | > | <a name='azure-relay-sender'></a>[Azure Relay Sender](./built-in-roles/integration.md#azure-relay-sender) | Allows for send access to Azure Relay resources. 
| 26baccc8-eea7-41f1-98f4-1762cc7f685d |+> | <a name='azure-resource-notifications-system-topics-subscriber'></a>[Azure Resource Notifications System Topics Subscriber](./built-in-roles/integration.md#azure-resource-notifications-system-topics-subscriber) | Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications | 0b962ed2-6d56-471c-bd5f-3477d83a7ba4 | > | <a name='azure-service-bus-data-owner'></a>[Azure Service Bus Data Owner](./built-in-roles/integration.md#azure-service-bus-data-owner) | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 | > | <a name='azure-service-bus-data-receiver'></a>[Azure Service Bus Data Receiver](./built-in-roles/integration.md#azure-service-bus-data-receiver) | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | > | <a name='azure-service-bus-data-sender'></a>[Azure Service Bus Data Sender](./built-in-roles/integration.md#azure-service-bus-data-sender) | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | > | <a name='biztalk-contributor'></a>[BizTalk Contributor](./built-in-roles/integration.md#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |+> | <a name='chamber-admin'></a>[Chamber Admin](./built-in-roles/integration.md#chamber-admin) | Lets you manage everything under your Modeling and Simulation Workbench chamber. | 4e9b8407-af2e-495b-ae54-bb60a55b1b5a | +> | <a name='chamber-user'></a>[Chamber User](./built-in-roles/integration.md#chamber-user) | Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. 
| 4447db05-44ed-4da3-ae60-6cbece780e32 | > | <a name='deid-batch-data-owner'></a>[DeID Batch Data Owner](./built-in-roles/integration.md#deid-batch-data-owner) | Create and manage DeID batch jobs. This role is in preview and subject to change. | 8a90fa6b-6997-4a07-8a95-30633a7c97b9 | > | <a name='deid-batch-data-reader'></a>[DeID Batch Data Reader](./built-in-roles/integration.md#deid-batch-data-reader) | Read DeID batch jobs. This role is in preview and subject to change. | b73a14ee-91f5-41b7-bd81-920e12466be9 | > | <a name='deid-data-owner'></a>[DeID Data Owner](./built-in-roles/integration.md#deid-data-owner) | Full access to DeID data. This role is in preview and subject to change | 78e4b983-1a0b-472e-8b7d-8d770f7c5890 | > | <a name='deid-realtime-data-user'></a>[DeID Realtime Data User](./built-in-roles/integration.md#deid-realtime-data-user) | Execute requests against DeID realtime endpoint. This role is in preview and subject to change. | bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e |+> | <a name='dicom-data-owner'></a>[DICOM Data Owner](./built-in-roles/integration.md#dicom-data-owner) | Full access to DICOM data. | 58a3b984-7adf-4c20-983a-32417c86fbc8 | +> | <a name='dicom-data-reader'></a>[DICOM Data Reader](./built-in-roles/integration.md#dicom-data-reader) | Read and search DICOM data. | e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a | > | <a name='eventgrid-contributor'></a>[EventGrid Contributor](./built-in-roles/integration.md#eventgrid-contributor) | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de | > | <a name='eventgrid-data-sender'></a>[EventGrid Data Sender](./built-in-roles/integration.md#eventgrid-data-sender) | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 | > | <a name='eventgrid-eventsubscription-contributor'></a>[EventGrid EventSubscription Contributor](./built-in-roles/integration.md#eventgrid-eventsubscription-contributor) | Lets you manage EventGrid event subscription operations. 
| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | > | <a name='eventgrid-eventsubscription-reader'></a>[EventGrid EventSubscription Reader](./built-in-roles/integration.md#eventgrid-eventsubscription-reader) | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 |+> | <a name='eventgrid-topicspaces-publisher'></a>[EventGrid TopicSpaces Publisher](./built-in-roles/integration.md#eventgrid-topicspaces-publisher) | Lets you publish messages on topicspaces. | a12b0b94-b317-4dcd-84a8-502ce99884c6 | +> | <a name='eventgrid-topicspaces-subscriber'></a>[EventGrid TopicSpaces Subscriber](./built-in-roles/integration.md#eventgrid-topicspaces-subscriber) | Lets you subscribe messages on topicspaces. | 4b0f2fd7-60b4-4eca-896f-4435034f8bf5 | > | <a name='fhir-data-contributor'></a>[FHIR Data Contributor](./built-in-roles/integration.md#fhir-data-contributor) | Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd |+> | <a name='fhir-data-converter'></a>[FHIR Data Converter](./built-in-roles/integration.md#fhir-data-converter) | Role allows user or principal to convert data from legacy format to FHIR | a1705bd2-3a8f-45a5-8683-466fcfd5cc24 | > | <a name='fhir-data-exporter'></a>[FHIR Data Exporter](./built-in-roles/integration.md#fhir-data-exporter) | Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e843 | > | <a name='fhir-data-importer'></a>[FHIR Data Importer](./built-in-roles/integration.md#fhir-data-importer) | Role allows user or principal to read and import FHIR Data | 4465e953-8ced-4406-a58e-0f6e3f3b530b | > | <a name='fhir-data-reader'></a>[FHIR Data Reader](./built-in-roles/integration.md#fhir-data-reader) | Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | > | <a name='fhir-data-writer'></a>[FHIR Data Writer](./built-in-roles/integration.md#fhir-data-writer) | Role allows user or principal to read and write FHIR Data | 
3f88fce4-5892-4214-ae73-ba5294559913 |+> | <a name='fhir-smart-user'></a>[FHIR SMART User](./built-in-roles/integration.md#fhir-smart-user) | Role allows user to access FHIR Service according to SMART on FHIR specification | 4ba50f17-9666-485c-a643-ff00808643f0 | > | <a name='integration-service-environment-contributor'></a>[Integration Service Environment Contributor](./built-in-roles/integration.md#integration-service-environment-contributor) | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | > | <a name='integration-service-environment-developer'></a>[Integration Service Environment Developer](./built-in-roles/integration.md#integration-service-environment-developer) | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | > | <a name='intelligent-systems-account-contributor'></a>[Intelligent Systems Account Contributor](./built-in-roles/integration.md#intelligent-systems-account-contributor) | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e | The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > | Built-in role | Description | ID | > | | | |+> | <a name='deployment-environments-reader'></a>[Deployment Environments Reader](./built-in-roles/devops.md#deployment-environments-reader) | Provides read access to environment resources. | eb960402-bf75-4cc3-8d68-35b34f960f72 | +> | <a name='deployment-environments-user'></a>[Deployment Environments User](./built-in-roles/devops.md#deployment-environments-user) | Provides access to manage environment resources. | 18e40d4e-8d2e-438d-97e1-9528336e149c | +> | <a name='devcenter-dev-box-user'></a>[DevCenter Dev Box User](./built-in-roles/devops.md#devcenter-dev-box-user) | Provides access to create and manage dev boxes. 
| 45d50f46-0b78-4001-a660-4198cbe8cd05 | +> | <a name='devcenter-project-admin'></a>[DevCenter Project Admin](./built-in-roles/devops.md#devcenter-project-admin) | Provides access to manage project resources. | 331c37c6-af14-46d9-b9f4-e1909e1b95a0 | > | <a name='devtest-labs-user'></a>[DevTest Labs User](./built-in-roles/devops.md#devtest-labs-user) | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 | > | <a name='lab-assistant'></a>[Lab Assistant](./built-in-roles/devops.md#lab-assistant) | Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. | ce40b423-cede-4313-a93f-9b28290b72e1 | > | <a name='lab-contributor'></a>[Lab Contributor](./built-in-roles/devops.md#lab-contributor) | Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. | 5daaa2af-1fe8-407c-9122-bba179798270 | The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > | Built-in role | Description | ID | > | | | |+> | <a name='advisor-recommendations-contributor-assessments-and-reviews'></a>[Advisor Recommendations Contributor (Assessments and Reviews)](./built-in-roles/management-and-governance.md#advisor-recommendations-contributor-assessments-and-reviews) | View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). | 6b534d80-e337-47c4-864f-140f5c7f593d | +> | <a name='advisor-reviews-contributor'></a>[Advisor Reviews Contributor](./built-in-roles/management-and-governance.md#advisor-reviews-contributor) | View reviews for a workload and triage recommendations linked to them. 
| 8aac15f0-d885-4138-8afa-bfb5872f7d13 | +> | <a name='advisor-reviews-reader'></a>[Advisor Reviews Reader](./built-in-roles/management-and-governance.md#advisor-reviews-reader) | View reviews for a workload and recommendations linked to them. | c64499e0-74c3-47ad-921c-13865957895c | > | <a name='automation-contributor'></a>[Automation Contributor](./built-in-roles/management-and-governance.md#automation-contributor) | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 | > | <a name='automation-job-operator'></a>[Automation Job Operator](./built-in-roles/management-and-governance.md#automation-job-operator) | Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f | > | <a name='automation-operator'></a>[Automation Operator](./built-in-roles/management-and-governance.md#automation-operator) | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 | > | <a name='automation-runbook-operator'></a>[Automation Runbook Operator](./built-in-roles/management-and-governance.md#automation-runbook-operator) | Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 |+> | <a name='azure-center-for-sap-solutions-administrator'></a>[Azure Center for SAP solutions administrator](./built-in-roles/management-and-governance.md#azure-center-for-sap-solutions-administrator) | This role provides read and write access to all capabilities of Azure Center for SAP solutions. | 7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 | +> | <a name='azure-center-for-sap-solutions-reader'></a>[Azure Center for SAP solutions reader](./built-in-roles/management-and-governance.md#azure-center-for-sap-solutions-reader) | This role provides read access to all capabilities of Azure Center for SAP solutions. 
| 05352d14-a920-4328-a0de-4cbe7430e26b | +> | <a name='azure-center-for-sap-solutions-service-role'></a>[Azure Center for SAP solutions service role](./built-in-roles/management-and-governance.md#azure-center-for-sap-solutions-service-role) | Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. | aabbc5dd-1af0-458b-a942-81af88f9c138 | > | <a name='azure-connected-machine-onboarding'></a>[Azure Connected Machine Onboarding](./built-in-roles/management-and-governance.md#azure-connected-machine-onboarding) | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | > | <a name='azure-connected-machine-resource-administrator'></a>[Azure Connected Machine Resource Administrator](./built-in-roles/management-and-governance.md#azure-connected-machine-resource-administrator) | Can read, write, delete and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302 | > | <a name='azure-connected-machine-resource-manager'></a>[Azure Connected Machine Resource Manager](./built-in-roles/management-and-governance.md#azure-connected-machine-resource-manager) | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | f5819b54-e033-4d82-ac66-4fec3cbf3f4c |+> | <a name='azure-customer-lockbox-approver-for-subscription'></a>[Azure Customer Lockbox Approver for Subscription](./built-in-roles/management-and-governance.md#azure-customer-lockbox-approver-for-subscription) | Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. 
| 4dae6930-7baf-46f5-909e-0383bc931c46 | > | <a name='billing-reader'></a>[Billing Reader](./built-in-roles/management-and-governance.md#billing-reader) | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | > | <a name='blueprint-contributor'></a>[Blueprint Contributor](./built-in-roles/management-and-governance.md#blueprint-contributor) | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 | > | <a name='blueprint-operator'></a>[Blueprint Operator](./built-in-roles/management-and-governance.md#blueprint-operator) | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 | The following table provides a brief description of each built-in role. Click th > | <a name='reservations-administrator'></a>[Reservations Administrator](./built-in-roles/management-and-governance.md#reservations-administrator) | Lets one read and manage all the reservations in a tenant | a8889054-8d42-49c9-bc1c-52486c10e7cd | > | <a name='reservations-reader'></a>[Reservations Reader](./built-in-roles/management-and-governance.md#reservations-reader) | Lets one read all the reservations in a tenant | 582fc458-8989-419f-a480-75249bc5db7e | > | <a name='resource-policy-contributor'></a>[Resource Policy Contributor](./built-in-roles/management-and-governance.md#resource-policy-contributor) | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. 
| 36243c78-bf99-498c-9df9-86d9f8d28608 |+> | <a name='savings-plan-purchaser'></a>[Savings plan Purchaser](./built-in-roles/management-and-governance.md#savings-plan-purchaser) | Lets you purchase savings plans | 3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74 | > | <a name='scheduled-patching-contributor'></a>[Scheduled Patching Contributor](./built-in-roles/management-and-governance.md#scheduled-patching-contributor) | Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments | cd08ab90-6b14-449c-ad9a-8f8e549482c6 | > | <a name='site-recovery-contributor'></a>[Site Recovery Contributor](./built-in-roles/management-and-governance.md#site-recovery-contributor) | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | > | <a name='site-recovery-operator'></a>[Site Recovery Operator](./built-in-roles/management-and-governance.md#site-recovery-operator) | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca | The following table provides a brief description of each built-in role. Click th > | <a name='azure-stack-hci-vm-contributor'></a>[Azure Stack HCI VM Contributor](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-vm-contributor) | Grants permissions to perform all VM actions | 874d1c73-6003-4e60-a13a-cb31ea190a85 | > | <a name='azure-stack-hci-vm-reader'></a>[Azure Stack HCI VM Reader](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-vm-reader) | Grants permissions to view VMs | 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 | > | <a name='azure-stack-registration-owner'></a>[Azure Stack Registration Owner](./built-in-roles/hybrid-multicloud.md#azure-stack-registration-owner) | Lets you manage Azure Stack registrations. 
| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a |+> | <a name='hybrid-server-resource-administrator'></a>[Hybrid Server Resource Administrator](./built-in-roles/hybrid-multicloud.md#hybrid-server-resource-administrator) | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | ## Next steps |
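Review bot: Grammar in the added EventGrid TopicSpaces Subscriber row: "Lets you subscribe messages on topicspaces" should read "Lets you subscribe to messages on topic spaces", parallel to the Publisher row's "Lets you publish messages on topicspaces" (and both should spell "topic spaces" the same way). The added Azure Center for SAP solutions service role row restates the role name inside its own description and then reads awkwardly ("for providing the permissions to user assigned managed identity"); suggest "Intended for the user-assigned managed identity that Azure Center for SAP solutions uses to deploy and manage SAP systems." Since this table is what readers scan when picking the least-privileged role, the added Chamber Admin and DeID/DICOM Data Owner rows would also benefit from saying whether "manage everything" and "Full access" include delete, as the App Configuration Contributor row does with "except purge".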
role-based-access-control | Ai Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/ai-machine-learning.md | +## AgFood Platform Sensor Partner Contributor ++Provides contribute access to manage sensor related entities in AgFood Platform Service ++[Learn more](/azure/data-manager-for-agri/how-to-set-up-sensors-customer) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/sensorPartnerScope/* | | +> | **NotDataActions** | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/sensorPartnerScope/sensors/delete | Deletes an existing AgFoodPlatform sensors resource restricted to caller's sensor partner scope. | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides contribute access to manage sensor related entities in AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67", + "name": "6b77f0a0-0d89-41cc-acd1-579c22c17a67", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/*" + ], + "notDataActions": [ + "Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete" + ] + } + ], + "roleName": "AgFood Platform Sensor Partner Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AgFood Platform Service Admin ++Provides admin access to AgFood Platform Service ++[Learn more](/azure/data-manager-for-agri/quickstart-install-data-manager-for-agriculture) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | 
[Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/* | Create, update, read and delete any AgFood Platform resources. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides admin access to AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3", + "name": "f8da80de-1ff9-4747-ad80-a19b7f6079e3", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform/*" + ], + "notDataActions": [] + } + ], + "roleName": "AgFood Platform Service Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AgFood Platform Service Contributor ++Provides contribute access to AgFood Platform Service ++[Learn more](/azure/data-manager-for-agri/quickstart-install-data-manager-for-agriculture) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/action | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/read | Read any AgFood Platform resources. | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/write | Create and update any AgFood Platform resources. | +> | **NotDataActions** | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/farmers/write | Creates or Updates AgFoodPlatform farmers. | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/deletionJobs/*/write | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/parties/write | Creates or Updates AgFoodPlatform parties. 
| +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/datasets/write | Creates or Updates AgFoodPlatform datasets. | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/datasetRecords/write | Creates or Updates AgFoodPlatform Dataset Records. | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/datasets/access/*/action | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides contribute access to AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728", + "name": "8508508a-4469-4e45-963b-2518ee0bb728", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform/*/action", + "Microsoft.AgFoodPlatform/*/read", + "Microsoft.AgFoodPlatform/*/write" + ], + "notDataActions": [ + "Microsoft.AgFoodPlatform/farmBeats/farmers/write", + "Microsoft.AgFoodPlatform/farmBeats/deletionJobs/*/write", + "Microsoft.AgFoodPlatform/farmBeats/parties/write", + "Microsoft.AgFoodPlatform/farmBeats/datasets/write", + "Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write", + "Microsoft.AgFoodPlatform/farmBeats/datasets/access/*/action" + ] + } + ], + "roleName": "AgFood Platform Service Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AgFood Platform Service Reader ++Provides read access to AgFood Platform Service ++[Learn more](/azure/data-manager-for-agri/quickstart-install-data-manager-for-agriculture) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/list/action | | +> | 
[Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/read | Read any AgFood Platform resources. | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/search/action | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/download/action | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/overlap/action | | +> | [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/*/checkConsent/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides read access to AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", + "name": "7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform/*/list/action", + "Microsoft.AgFoodPlatform/*/read", + "Microsoft.AgFoodPlatform/*/search/action", + "Microsoft.AgFoodPlatform/*/download/action", + "Microsoft.AgFoodPlatform/*/overlap/action", + "Microsoft.AgFoodPlatform/*/checkConsent/action" + ], + "notDataActions": [] + } + ], + "roleName": "AgFood Platform Service Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure AI Developer Can perform all actions within an Azure AI resource besides managing the resource itself. 
Can perform all actions within an Azure Machine Learning workspace, except for c } ``` +## AzureML Metrics Writer (preview) ++Lets you write metrics to AzureML workspace ++[Learn more](/azure/machine-learning/concept-endpoints-online-auth) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/metrics/*/write | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you write metrics to AzureML workspace", + "id": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae", + "name": "635dd51f-9968-44d3-b7fb-6d9a6bd613ae", + "permissions": [ + { + "actions": [ + "Microsoft.MachineLearningServices/workspaces/metrics/*/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AzureML Metrics Writer (preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AzureML Registry User ++Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. 
++[Learn more](/azure/machine-learning/how-to-assign-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/registries/read | Gets the Machine Learning Services registry(ies) | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/registries/assets/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615", + "name": "1823dd4f-9b8c-4ab6-ab4e-7397a3684615", + "permissions": [ + { + "actions": [ + "Microsoft.MachineLearningServices/registries/read", + "Microsoft.MachineLearningServices/registries/assets/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AzureML Registry User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Cognitive Services Contributor Lets you create, read, update, delete and manage keys of Cognitive Services. Lets you perform detect, verify, identify, group, and find similar operations on } ``` -## Cognitive Services Metrics Advisor Administrator +## Cognitive Services Immersive Reader User -Full access to the project, including the system level configuration. 
+Provides access to create Immersive Reader sessions and call APIs -[Learn more](/azure/ai-services/metrics-advisor/how-tos/alerts) +[Learn more](/azure/ai-services/immersive-reader/security-how-to-update-role-assignment) > [!div class="mx-tableFixed"] > | Actions | Description | > | | |-> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | |-> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ImmersiveReader/getcontentmodelforreader/action | Creates an Immersive Reader session | > | **NotDataActions** | | > | *none* | | Full access to the project, including the system level configuration. "assignableScopes": [ "/" ],- "description": "Full access to the project, including the system level configuration.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", - "name": "cb43c632-a144-4ec5-977c-e80c4affc34a", + "description": "Provides access to create Immersive Reader sessions and call APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d", + "name": "b2de6794-95db-4659-8781-7e080d3f2b9d", "permissions": [ {- "actions": [ - "Microsoft.CognitiveServices/*/read" - ], + "actions": [], "notActions": [], "dataActions": [- "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*" + "Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action" ], "notDataActions": [] } ],- "roleName": "Cognitive Services Metrics Advisor Administrator", + "roleName": "Cognitive Services Immersive Reader User", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` -## Cognitive Services OpenAI Contributor +## Cognitive Services 
Language Owner -Full access including the ability to fine-tune, deploy and generate text +Has access to all Read, Test, Write, Deploy and Delete functions under Language portal -[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) +[Learn more](/azure/ai-services/language-service/concepts/role-based-access-control) > [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | |-> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/write | Writes deployments. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/delete | Deletes deployments. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/read | Reads commitment plans. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/write | Writes commitment plans. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/delete | Deletes commitment plans. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/listkeys/action | List keys | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | > | **NotActions** | | > | *none* | | > | **DataActions** | |-> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/* | | > | **NotDataActions** | |-> | *none* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnaMaker/* | | ```json { "assignableScopes": [ "/" ],- "description": "Full access including the ability to fine-tune, deploy and generate text", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", - "name": "a001fd3d-188f-4b5d-821b-7da978bf7442", + "description": "Has access to all Read, Test, Write, Deploy and Delete functions under Language portal", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498", + "name": "f07febfe-79bc-46b1-8b37-790e26e6e498", "permissions": [ { "actions": [ "Microsoft.CognitiveServices/*/read",- 
"Microsoft.CognitiveServices/accounts/deployments/write", - "Microsoft.CognitiveServices/accounts/deployments/delete", - "Microsoft.CognitiveServices/accounts/raiPolicies/read", - "Microsoft.CognitiveServices/accounts/raiPolicies/write", - "Microsoft.CognitiveServices/accounts/raiPolicies/delete", - "Microsoft.CognitiveServices/accounts/commitmentplans/read", - "Microsoft.CognitiveServices/accounts/commitmentplans/write", - "Microsoft.CognitiveServices/accounts/commitmentplans/delete", + "Microsoft.CognitiveServices/accounts/listkeys/action", "Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleDefinitions/read" ], "notActions": [], "dataActions": [- "Microsoft.CognitiveServices/accounts/OpenAI/*" + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/*", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*", + "Microsoft.CognitiveServices/accounts/Language/*", + "Microsoft.CognitiveServices/accounts/TextAnalytics/*" ],- "notDataActions": [] + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*" + ] } ],- "roleName": "Cognitive Services OpenAI Contributor", + "roleName": "Cognitive Services Language Owner", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` -## Cognitive Services OpenAI User +## Cognitive Services Language Reader -Read access to view files, models, deployments. The ability to create completion and embedding calls. +Has access to Read and Test functions under Language portal -[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) +[Learn more](/azure/ai-services/language-service/concepts/role-based-access-control) > [!div class="mx-tableFixed"] > | Actions | Description | Read access to view files, models, deployments. 
The ability to create completion > | **NotActions** | | > | *none* | | > | **DataActions** | |-> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/*/read | | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/search/action | Search for the most relevant documents using the current engine. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/generate/action | (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/audio/action | Return the transcript or translation for a given audio file. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/search/action | Search for the most relevant documents using the current engine. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model. 
| -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/chat/completions/action | Creates a completion for the chat message | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/extensions/chat/completions/action | Creates a completion for the chat message with extensions | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/embeddings/action | Return the embeddings for a given prompt. | -> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action | Create image generations. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/projects/export/action | Triggers a job to export project data in JSON format. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/*/projects/export/action | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/query-text/action | Answer Text. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/query-dataverse/action | Query Dataverse. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-text/jobs/action | Submit a collection of text documents for analysis. Specify one or more unique tasks to be executed. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-text/action | Submit a collection of text documents for analysis. Specify a single unique task to be executed immediately. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-text/jobscancel/action | Cancel a long-running Text Analysis job. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-conversations/action | Analyzes the input conversation. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-conversations/jobscancel/action | Cancel a long-running analysis job on conversation. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-conversations/jobs/action | Submit a long conversation for analysis. Specify one or more unique tasks to be executed as a long-running operation. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/query-knowledgebases/action | Answer Knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/generate/action | Language generation. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/* | | > | **NotDataActions** | |-> | *none* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnaMaker/* | | ```json { "assignableScopes": [ "/" ],- "description": "Ability to view files, models, deployments. Readers can't make any changes They can inference and create images", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", + "description": "Has access to Read and Test functions under Language portal", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e", + "name": "7628b7b8-a8b2-4cdc-b46f-e9b35248918e", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action", + "Microsoft.CognitiveServices/accounts/Language/*/read", + "Microsoft.CognitiveServices/accounts/Language/*/projects/export/action", + "Microsoft.CognitiveServices/accounts/Language/query-text/action", + "Microsoft.CognitiveServices/accounts/Language/query-dataverse/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-text/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action", + 
"Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action", + "Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action", + "Microsoft.CognitiveServices/accounts/Language/generate/action", + "Microsoft.CognitiveServices/accounts/TextAnalytics/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*" + ] + } + ], + "roleName": "Cognitive Services Language Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Language Writer ++ Has access to all Read, Test, and Write functions under Language Portal ++[Learn more](/azure/ai-services/language-service/concepts/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/* | | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/projects/publish/action | Trigger publishing job. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/projects/deployments/write | Trigger job to create new deployment or replace an existing deployment. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnaMaker/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/*/projects/delete | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/*/projects/deployments/write | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/*/projects/deployments/delete | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/*/projects/deployments/swap/action | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": " Has access to all Read, Test, and Write functions under Language Portal", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", + "name": "f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/*", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*", + "Microsoft.CognitiveServices/accounts/Language/*", + "Microsoft.CognitiveServices/accounts/TextAnalytics/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*", + "Microsoft.CognitiveServices/accounts/Language/*/projects/delete", + "Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write", + 
"Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete", + "Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/action" + ] + } + ], + "roleName": "Cognitive Services Language Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services LUIS Owner ++ Has access to all Read, Test, Write, Deploy and Delete functions under LUIS ++[Learn more](/azure/ai-services/luis/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/listkeys/action | List keys | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": " Has access to all Read, Test, Write, Deploy and Delete functions under LUIS", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8", + "name": "f72c8140-2111-481c-87ff-72b910f6e3f8", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.CognitiveServices/accounts/listkeys/action", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services LUIS Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services LUIS Reader ++Has access to Read and Test functions under LUIS. ++[Learn more](/azure/ai-services/luis/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/testdatasets/write | Updates last test results of an exisiting batch test data set for a given application. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has access to Read and Test functions under LUIS.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226", + "name": "18e81cdc-4e98-4e29-a639-e7d10c5a6226", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/*/read", + "Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services LUIS Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services LUIS Writer ++Has access to all Read, Test, and Write functions under LUIS ++[Learn more](/azure/ai-services/luis/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/* | | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/delete | Deletes an application. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/move/action | Moves the app to a different LUIS authoring Azure resource. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/publish/action | Publishes a specific version of the application. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/settings/write | Updates the application settings | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/azureaccounts/action | Assigns an Azure account to the application. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/azureaccounts/delete | Gets the LUIS Azure accounts for the user using his Azure Resource Manager token. 
| ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has access to all Read, Test, and Write functions under LUIS", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27", + "name": "6322a993-d5c9-4bed-b113-e49bbea25b27", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/apps/delete", + "Microsoft.CognitiveServices/accounts/LUIS/apps/move/action", + "Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action", + "Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write", + "Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action", + "Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete" + ] + } + ], + "roleName": "Cognitive Services LUIS Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Metrics Advisor Administrator ++Full access to the project, including the system level configuration. 
++[Learn more](/azure/ai-services/metrics-advisor/how-tos/alerts) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to the project, including the system level configuration.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", + "name": "cb43c632-a144-4ec5-977c-e80c4affc34a", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Metrics Advisor Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Metrics Advisor User ++Access to the project. 
++[Learn more](/dotnet/api/overview/azure/ai.metricsadvisor-readme) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* | | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/stats/* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Access to the project.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8", + "name": "3b20f47b-3825-43cb-8114-4bd2201156a8", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*" + ] + } + ], + "roleName": "Cognitive Services Metrics Advisor User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services OpenAI Contributor ++Full access including the ability to fine-tune, deploy and generate text ++[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/write | Writes deployments. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/delete | Deletes deployments. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/read | Reads commitment plans. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/write | Writes commitment plans. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/delete | Deletes commitment plans. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access including the ability to fine-tune, deploy and generate text", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", + "name": "a001fd3d-188f-4b5d-821b-7da978bf7442", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.CognitiveServices/accounts/deployments/write", + "Microsoft.CognitiveServices/accounts/deployments/delete", + "Microsoft.CognitiveServices/accounts/raiPolicies/read", + "Microsoft.CognitiveServices/accounts/raiPolicies/write", + "Microsoft.CognitiveServices/accounts/raiPolicies/delete", + "Microsoft.CognitiveServices/accounts/commitmentplans/read", + "Microsoft.CognitiveServices/accounts/commitmentplans/write", + "Microsoft.CognitiveServices/accounts/commitmentplans/delete", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/OpenAI/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services OpenAI Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services OpenAI User ++Read access to view files, models, deployments. The ability to create completion and embedding calls. 
++[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/search/action | Search for the most relevant documents using the current engine. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/generate/action | (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/audio/action | Return the transcript or translation for a given audio file. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/search/action | Search for the most relevant documents using the current engine. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/chat/completions/action | Creates a completion for the chat message | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/extensions/chat/completions/action | Creates a completion for the chat message with extensions | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/embeddings/action | Return the embeddings for a given prompt. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action | Create image generations. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Ability to view files, models, deployments. Readers can't make any changes They can inference and create images", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", "name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", "permissions": [ { Let's you read and test a KB only. } ``` +## Cognitive Services Speech Contributor ++Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. 
++[Learn more](/azure/ai-services/speech-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/AudioContentCreation/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/VideoTranslation/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomAvatar/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchAvatar/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchTextToSpeech/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice.", + "id": 
"/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181", + "name": "0e75ca1e-0464-4b4d-8b93-68208a576181", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/SpeechServices/*", + "Microsoft.CognitiveServices/accounts/CustomVoice/*", + "Microsoft.CognitiveServices/accounts/AudioContentCreation/*", + "Microsoft.CognitiveServices/accounts/VideoTranslation/*", + "Microsoft.CognitiveServices/accounts/CustomAvatar/*", + "Microsoft.CognitiveServices/accounts/BatchAvatar/*", + "Microsoft.CognitiveServices/accounts/BatchTextToSpeech/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Speech Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Speech User ++Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. ++[Learn more](/azure/ai-services/speech-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/*/transcriptions/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/*/transcriptions/write | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/*/transcriptions/delete | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/*/frontend/action | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/text-dependent/*/action | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/text-independent/*/action | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/evaluations/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/longaudiosynthesis/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/AudioContentCreation/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/VideoTranslation/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomAvatar/*/read | | +> | 
[Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchAvatar/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchTextToSpeech/* | | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/datasets/files/read | Gets the files of the dataset identified by the given ID. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/datasets/utterances/read | Gets utterances of the specified training set. | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447", + "name": "f2dc8367-1007-4938-bd23-fe263f013447", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/SpeechServices/*/read", + "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read", + "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write", + "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete", + "Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action", + "Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action", + "Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action", + "Microsoft.CognitiveServices/accounts/CustomVoice/*/read", 
+ "Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/*", + "Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*", + "Microsoft.CognitiveServices/accounts/AudioContentCreation/*", + "Microsoft.CognitiveServices/accounts/VideoTranslation/*", + "Microsoft.CognitiveServices/accounts/CustomAvatar/*/read", + "Microsoft.CognitiveServices/accounts/BatchAvatar/*", + "Microsoft.CognitiveServices/accounts/BatchTextToSpeech/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read", + "Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read" + ] + } + ], + "roleName": "Cognitive Services Speech User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Cognitive Services Usages Reader Minimal permission to view Cognitive Services usages. Lets you read and list keys of Cognitive Services. } ``` +## Health Bot Admin ++Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. ++[Learn more](/azure/health-bot/portal-users) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthBot](../permissions/ai-machine-learning.md#microsofthealthbot)/healthBots/Admin/Action | Sign in to the management portal, view and edit all of the bot resources, scenarios, configuration settings, instance keys & secrets. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f1082fec-a70f-419f-9230-885d2550fb38", + "name": "f1082fec-a70f-419f-9230-885d2550fb38", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthBot/healthBots/Admin/Action" + ], + "notDataActions": [] + } + ], + "roleName": "Health Bot Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Health Bot Editor ++Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. ++[Learn more](/azure/health-bot/portal-users) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthBot](../permissions/ai-machine-learning.md#microsofthealthbot)/healthBots/Editor/Action | Sign in to the management portal, view and edit all the bot resources, scenarios and configuration settings except for the bot instance keys & secrets and the end-user inputs. Read-only access to the bot skills and channels. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). 
A read-only access to the bot skills and channels.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/af854a69-80ce-4ff7-8447-f1118a2e0ca8", + "name": "af854a69-80ce-4ff7-8447-f1118a2e0ca8", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthBot/healthBots/Editor/Action" + ], + "notDataActions": [] + } + ], + "roleName": "Health Bot Editor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Health Bot Reader ++Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). ++[Learn more](/azure/health-bot/portal-users) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthBot](../permissions/ai-machine-learning.md#microsofthealthbot)/healthBots/Reader/Action | Sign in to the management portal, with read-only access to resources, scenarios and configuration settings except for the bot instance keys & secrets and the end-user inputs. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs).", + "id": "/providers/Microsoft.Authorization/roleDefinitions/eb5a76d5-50e7-4c33-a449-070e7c9c4cf2", + "name": "eb5a76d5-50e7-4c33-a449-070e7c9c4cf2", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthBot/healthBots/Reader/Action" + ], + "notDataActions": [] + } + ], + "roleName": "Health Bot Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Search Index Data Contributor Grants full access to Azure Cognitive Search index data. |
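Review bot: The `Cognitive Services OpenAI User` JSON block is cut off inside `permissions` and then runs into unrelated text (`"permissions": [ { Let's you read and test a KB only. } ```), so it is not valid JSON and no longer matches the Actions/DataActions table just above it; restore the full `permissions` array (the three control-plane read actions and the `OpenAI/*/read`, `completions/action`, `chat/completions/action`, `embeddings/action`, `images/generations/action` data actions the table lists) together with the closing `roleName`, `roleType` and `type` fields so the block has the same shape as the sibling role definitions.

Review bot: The `Cognitive Services Speech User` hunk grants `CustomVoice/*/read` but carves out `CustomVoice/datasets/files/read` and `CustomVoice/datasets/utterances/read` under `NotDataActions`, and the role description never mentions this; add a sentence to the description (or a note under the table) stating that training dataset files and utterances are excluded, because a reader who relies on the description alone would expect the role to read all custom voice data. The same hunk's `SpeechServices/*/transcriptions/write` and `/delete` data actions are also worth calling out explicitly, since the description's "can't create, delete or modify" clause applies only to custom models and the table otherwise carries no descriptions for these rows.

Review bot: The Health Bot role descriptions carry grammar slips that are repeated in both the prose and the JSON `description` fields: "configuration setting" should read "configuration settings" in the Admin, Editor and Reader hunks, and "A read-only access to the bot skills and channels." in the Editor hunk should read "Read-only access to the bot skills and channels." If the JSON mirrors the platform definition verbatim, fix at least the prose paragraphs so the page's own text is correct.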
role-based-access-control | Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/analytics.md | Can Read, Create, Modify and Delete Domain Services related operations needed fo } ``` +## HDInsight on AKS Cluster Admin ++Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. ++[Learn more](/azure/hdinsight-aks/hdinsight-on-aks-manage-authorization-profile) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/read | Get details about HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/write | Create or Update HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/delete | Delete a HDInsight on AKS cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/resize/action | Resize a HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/clusters/instanceviews/read | Get details about HDInsight on AKS Cluster Instance View | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/jobs/read | List HDInsight on AKS Cluster Jobs | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/runjob/action | Run HDInsight on AKS Cluster Job | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/clusters/serviceconfigs/read | Get details about HDInsight on AKS Cluster 
Service Configurations | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/availableupgrades/read | Get Avaliable Upgrades for HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/upgrade/action | Upgrade HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/rollback/action | Rollback HDInsight on AKS Cluster Upgrade | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/upgradehistories/read | Read HDInsight on AKS Cluster Upgrade Histories | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/libraries/read | Read HDInsight on AKS Cluster Libaries | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/managelibraries/action | Manage HDInsight on AKS Cluster Libaries | +> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logs/read | Reading data from all your logs | +> | 
**NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fd036e6b-1266-47a0-b0bb-a05d04831731", + "name": "fd036e6b-1266-47a0-b0bb-a05d04831731", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.HDInsight/clusterPools/clusters/read", + "Microsoft.HDInsight/clusterPools/clusters/write", + "Microsoft.HDInsight/clusterPools/clusters/delete", + "Microsoft.HDInsight/clusterPools/clusters/resize/action", + "Microsoft.HDInsight/clusterpools/clusters/instanceviews/read", + "Microsoft.HDInsight/clusterPools/clusters/jobs/read", + "Microsoft.HDInsight/clusterPools/clusters/runjob/action", + "Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read", + "Microsoft.HDInsight/clusterPools/clusters/availableupgrades/read", + "Microsoft.HDInsight/clusterPools/clusters/upgrade/action", + "Microsoft.HDInsight/clusterPools/clusters/rollback/action", + "Microsoft.HDInsight/clusterPools/clusters/upgradehistories/read", + "Microsoft.HDInsight/clusterPools/clusters/libraries/read", + "Microsoft.HDInsight/clusterPools/clusters/managelibraries/action", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/*/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + 
"Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/logs/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "HDInsight on AKS Cluster Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## HDInsight on AKS Cluster Pool Admin ++Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters ++[Learn more](/azure/hdinsight-aks/hdinsight-on-aks-manage-authorization-profile) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/read | Get details about HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/write | Create or Update HDInsight on AKS Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/delete | Delete a HDInsight on AKS Cluster Pool | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/read | Get details about HDInsight on AKS Cluster Pool | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/write | Create or Update HDInsight on AKS Cluster Pool | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/availableupgrades/read | Get 
Avaliable Upgrades for HDInsight on AKS Cluster Pool | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/upgrade/action | Upgrade HDInsight on AKS Cluster Pool | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/upgradehistories/read | Read HDInsight on AKS Cluster Pool Upgrade Histories | +> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logs/read | Reading data from all your logs | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7656b436-37d4-490a-a4ab-d39f838f0042", + "name": "7656b436-37d4-490a-a4ab-d39f838f0042", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + 
"Microsoft.HDInsight/clusterPools/clusters/read", + "Microsoft.HDInsight/clusterPools/clusters/write", + "Microsoft.HDInsight/clusterPools/delete", + "Microsoft.HDInsight/clusterPools/read", + "Microsoft.HDInsight/clusterPools/write", + "Microsoft.HDInsight/clusterpools/availableupgrades/read", + "Microsoft.HDInsight/clusterpools/upgrade/action", + "Microsoft.HDInsight/clusterPools/upgradehistories/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/*/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/logs/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "HDInsight on AKS Cluster Pool Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Log Analytics Contributor Log Analytics Contributor can read all monitoring data and edit monitoring settings. 
Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. |
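Review bot: In the HDInsight on AKS Cluster Pool Admin JSON, `Microsoft.Resources/deployments/validate/action` is listed twice in `actions` (once after `deployments/operations/read` and again after `deployments/exportTemplate/action`); drop the repeat so the JSON matches the table one-to-one. The same list also mixes `clusterPools` and `clusterpools` casing (`clusterpools/availableupgrades/read` and `clusterpools/upgrade/action` beside `clusterPools/upgradehistories/read`); normalizing the casing would make the list easier to audit against the provider operations page.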
role-based-access-control | Compute | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/compute.md | +## Azure Arc VMware VM Contributor ++Arc VMware VM Contributor has permissions to perform all VM actions. ++[Learn more](/azure/azure-arc/vmware-vsphere/setup-and-manage-self-service-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/virtualmachines/* | | +> | [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/virtualmachineinstances/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/delete | Deletes a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/cancel/action | Cancels a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/whatIf/action | Predicts template deployment changes. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. 
| +> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc 
machines's Hybrid Identity Metadata | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": 
"Arc VMware VM Contributor has permissions to perform all VM actions.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb", + "name": "b748a06d-6150-4f8a-aaa9-ce3940cd96cb", + "permissions": [ + { + "actions": [ + "Microsoft.ConnectedVMwarevSphere/virtualmachines/*", + "Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/*", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/delete", + "Microsoft.Resources/deployments/cancel/action", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/whatIf/action", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/write", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/machines/delete", + "Microsoft.HybridCompute/machines/UpgradeExtensions/action", + "Microsoft.HybridCompute/machines/assessPatches/action", + 
"Microsoft.HybridCompute/machines/installPatches/action", + "Microsoft.HybridCompute/machines/extensions/read", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.HybridCompute/machines/extensions/delete", + "Microsoft.HybridCompute/operations/read", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read", + "Microsoft.HybridCompute/locations/updateCenterOperationResults/read", + "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read", + "Microsoft.HybridCompute/osType/agentVersions/read", + "Microsoft.HybridCompute/osType/agentVersions/latest/read", + "Microsoft.HybridCompute/machines/runcommands/read", + "Microsoft.HybridCompute/machines/runcommands/write", + "Microsoft.HybridCompute/machines/runcommands/delete", + "Microsoft.HybridCompute/machines/licenseProfiles/read", + "Microsoft.HybridCompute/machines/licenseProfiles/write", + "Microsoft.HybridCompute/machines/licenseProfiles/delete", + "Microsoft.HybridCompute/licenses/read", + "Microsoft.HybridCompute/licenses/write", + "Microsoft.HybridCompute/licenses/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Arc VMware VM Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. Reader of the Desktop Virtualization Host Pool. 
} ``` +## Desktop Virtualization Power On Contributor ++Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action | Starts the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/read | Gets/Lists virtual machine instance resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/start/action | Starts virtual machine instance resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/operations/read | Gets operations | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33", + "name": "489581de-a3bd-480d-9518-53dea7416b33", + "permissions": [ + { + "actions": [ + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + 
"Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/operations/read", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/start/action", + "Microsoft.AzureStackHCI/operations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Power On Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Power On Off Contributor ++Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/operations/read | Gets operations | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/read | Gets/Lists virtual machine instance resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/restart/action | Restarts virtual machine instance resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/start/action | Starts virtual machine instance resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/stop/action | Stops virtual machine instance resource | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute 
resources | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/powerOff/action | Powers off the virtual machine. Note that the virtual machine will continue to be billed. | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/restart/action | Restarts the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action | Starts the virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesCancelOperations/action | virtualMachinesCancelOperations: cancelOperations for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesExecuteDeallocate/action | virtualMachinesExecuteDeallocate: executeDeallocate for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesExecuteHibernate/action | virtualMachinesExecuteHibernate: executeHibernate for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesExecuteStart/action | virtualMachinesExecuteStart: executeStart for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesGetOperationErrors/action | | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesGetOperationStatus/action | virtualMachinesGetOperationStatus: getOperationStatus for a virtual machine | +> | 
[Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesSubmitDeallocate/action | virtualMachinesSubmitDeallocate: submitDeallocate for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesSubmitHibernate/action | virtualMachinesSubmitHibernate: submitHibernate for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesSubmitStart/action | virtualMachinesSubmitStart: submitStart for a virtual machine | +> | [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/register/action | Register the subscription for Microsoft.ComputeSchedule | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/delete | Delete hostpools/sessionhosts/usersessions | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/read | Read hostpools/sessionhosts/usersessions | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/sendMessage/action | Send message to user session | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/write | Write hostpools/sessionhosts | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/write | Write hostpools | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/eventtypes/values/read | Read Activity Log events | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e", + "name": "40c5ff49-9181-41f8-ae61-143b0e78555e", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.AzureStackHCI/operations/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/restart/action", + "Microsoft.AzureStackHCI/virtualMachineInstances/start/action", + "Microsoft.AzureStackHCI/virtualMachineInstances/stop/action", + "Microsoft.Compute/virtualMachines/deallocate/action", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Compute/virtualMachines/powerOff/action", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/restart/action", + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action", + "Microsoft.ComputeSchedule/register/action", + "Microsoft.DesktopVirtualization/hostpools/read", + 
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write", + "Microsoft.DesktopVirtualization/hostpools/write", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/operations/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/eventtypes/values/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Power On Off Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Desktop Virtualization Reader Reader of Desktop Virtualization. Operator of the Desktop Virtualization User Session. } ``` +## Desktop Virtualization Virtual Machine Contributor ++This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. 
++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/write | Write hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/retrieveRegistrationToken/action | List registration tokens for host pool | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/write | Write hostpools/sessionhosts | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/delete | Delete hostpools/sessionhosts | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/read | Read hostpools/sessionhosts/usersessions | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/disconnect/action | Disconnects the user session form session host | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/sendMessage/action | Send message to user session | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionHostConfigurations/read | Read hostpools/sessionhostconfigurations | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/doNotUseInternalAPI/action | Internal operation that is not meant to be called by customers. 
This will be removed in a future version. Do not use it. | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/retryprovisioning/action | Action on retryprovisioning. | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read | Get the properties of an availability set | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/write | Creates a new availability set or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/vmSizes/read | List available sizes for creating or updating a virtual machine in the availability set | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/delete | Deletes the Disk | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/read | Gets the properties of Gallery | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/images/read | Gets the properties of Gallery Image | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/images/versions/read | Gets the properties of Gallery Image Version | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/images/read | Get the properties of the Image | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/usages/read | Gets service limits and current usage quantities for the subscription's compute resources in a location | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/vmSizes/read | Lists available virtual machine sizes in a location | +> | 
[Microsoft.Compute](../permissions/compute.md#microsoftcompute)/operations/read | Lists operations available on Microsoft.Compute resource provider | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/skus/read | Gets the list of Microsoft.Compute SKUs available for your Subscription | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/delete | Deletes the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action | Starts the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/powerOff/action | Powers off the virtual machine. Note that the virtual machine will continue to be billed. 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/restart/action | Restarts the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommand/action | Executes a predefined script on the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read | Get the properties of a virtual machine extension | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/write | Creates a new virtual machine extension or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/delete | Deletes the virtual machine extension | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommands/read | Get the properties of a virtual machine run command | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommands/write | Creates a new virtual machine run command or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/delete | Deletes a network interface | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/usages/read | Get the IP usages for each subnet of the virtual network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | +> | [Microsoft.Marketplace](../permissions/general.md#microsoftmarketplace)/offerTypes/publishers/offers/plans/agreements/read | Returns an Agreement. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/deploy/action | Enables access to secrets in a key vault when deploying Azure resources | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/scalingPlans/read | Read scalingplans | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/scalingPlans/write | Write scalingplans | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role is in preview and subject to change. 
Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c", + "name": "a959dbd1-f747-45e3-8ba6-dd80f235f97c", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/write", + "Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action", + "Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read", + "Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action", + "Microsoft.Compute/availabilitySets/read", + "Microsoft.Compute/availabilitySets/write", + "Microsoft.Compute/availabilitySets/vmSizes/read", + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/delete", + "Microsoft.Compute/galleries/read", + "Microsoft.Compute/galleries/images/read", + "Microsoft.Compute/galleries/images/versions/read", + "Microsoft.Compute/images/read", + "Microsoft.Compute/locations/usages/read", + "Microsoft.Compute/locations/vmSizes/read", + "Microsoft.Compute/operations/read", + "Microsoft.Compute/skus/read", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/write", + "Microsoft.Compute/virtualMachines/delete", + "Microsoft.Compute/virtualMachines/start/action", + 
"Microsoft.Compute/virtualMachines/powerOff/action", + "Microsoft.Compute/virtualMachines/restart/action", + "Microsoft.Compute/virtualMachines/deallocate/action", + "Microsoft.Compute/virtualMachines/runCommand/action", + "Microsoft.Compute/virtualMachines/extensions/read", + "Microsoft.Compute/virtualMachines/extensions/write", + "Microsoft.Compute/virtualMachines/extensions/delete", + "Microsoft.Compute/virtualMachines/runCommands/read", + "Microsoft.Compute/virtualMachines/runCommands/write", + "Microsoft.Compute/virtualMachines/vmSizes/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/join/action", + "Microsoft.Network/networkInterfaces/delete", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/usages/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read", + "Microsoft.KeyVault/vaults/deploy/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.DesktopVirtualization/scalingPlans/read", + "Microsoft.DesktopVirtualization/scalingPlans/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Virtual Machine Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. View Virtual Machines in the portal and login as a regular user. 
} ``` +## Windows 365 Network Interface Contributor ++This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. ++[Learn more](/windows-365/enterprise/role-based-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/delete | Deletes a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/operations/read | Gets operation resource that represents status of an asynchronous operation | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/operationResults/read | Gets operation result of an async POST or DELETE operation | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/usages/read | Gets the resources usage metrics | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/delete | Deletes a network interface | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/effectiveNetworkSecurityGroups/action | Get Network Security Groups configured On Network Interface Of The Vm | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/effectiveRouteTable/action | Get Route Table configured On Network Interface Of The Vm | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1f135831-5bbe-4924-9016-264044c00788", + "name": "1f135831-5bbe-4924-9016-264044c00788", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/subscriptions/resourcegroups/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/delete", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Network/locations/operations/read", + "Microsoft.Network/locations/operationResults/read", + "Microsoft.Network/locations/usages/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/delete", + "Microsoft.Network/networkInterfaces/join/action", + 
"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action", + "Microsoft.Network/networkInterfaces/effectiveRouteTable/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Windows 365 Network Interface Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Windows 365 Network User ++This role is used by Windows 365 to read virtual networks and join the designated virtual networks. ++[Learn more](/windows-365/enterprise/role-based-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/usages/read | Get the IP usages for each subnet of the virtual network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role is used by Windows 365 to read virtual networks and join the designated virtual networks.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7eabc9a4-85f7-4f71-b8ab-75daaccc1033", + "name": "7eabc9a4-85f7-4f71-b8ab-75daaccc1033", + "permissions": [ + { + "actions": [ + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/usages/read", + "Microsoft.Network/virtualNetworks/subnets/join/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Windows 365 Network User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Windows Admin Center Administrator Login Let's you manage the OS of your resource via Windows Admin Center as an administrator. 
Let's you manage the OS of your resource via Windows Admin Center as an administ > | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Write | Create or update extension resource of HCI cluster | > | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Delete | Delete extension resources of HCI cluster | > | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Operations/Read | Gets operations |-> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | Read virtualmachines | -> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | Write extension resource | -> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | Gets extension resource | +> | [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/VirtualMachines/Read | Read virtualmachines | +> | [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/VirtualMachines/Extensions/Write | Write extension resource | +> | [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/VirtualMachines/Extensions/Read | Gets extension resource | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/WACLoginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. 
| > | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator | > | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/WACloginAsAdmin/Action | Manage OS of HCI resource via Windows Admin Center as an administrator |-> | Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | +> | [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/virtualmachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | > | **NotDataActions** | | > | *none* | | |
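Review bot: in the Desktop Virtualization Virtual Machine Contributor hunk, `Microsoft.Network/networkSecurityGroups/read` is listed twice, once as the first Microsoft.Network row and again right after `Microsoft.Network/virtualNetworks/read`, and the JSON `actions` array repeats it in the same two positions; drop the second copy, or flag the duplicate to the role owner if the page is generated verbatim from the role definition. The role description ("create, delete, update, start, and stop virtual machines") also understates what the table grants: `virtualMachines/runCommand/action` ("Executes a predefined script on the virtual machine"), `virtualMachines/extensions/write` and `Microsoft.KeyVault/vaults/deploy/action` ("Enables access to secrets in a key vault when deploying Azure resources") are all in the Actions list, so a short sentence saying the role can run scripts and extensions on the session hosts and read vault secrets during deployments would help readers choose an assignment scope. Finally, the row immediately before `hostpools/sessionhosts/retryprovisioning/action`, which the JSON shows is `hostpools/doNotUseInternalAPI/action`, carries the description "This will be removed in a future version. Do not use it."; the section should say why a preview built-in role includes it, or the row should go when the action does.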
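Review bot: in the Windows 365 Network Interface Contributor hunk, the description cell for `Microsoft.Resources/deployments/write` reads "Creates or updates an deployment."; it should read "Creates or updates a deployment." so it matches the neighbouring rows ("Gets or lists deployments.", "Deletes a deployment.").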
role-based-access-control | Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/containers.md | Allows read/write access to most objects in a namespace. This role does not allo } ``` +## Connected Cluster Managed Identity CheckAccess Reader ++Built-in role that allows a Connected Cluster managed identity to call the checkAccess API ++[Learn more](/azure/azure-arc/kubernetes/azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API", + "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa", + "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Connected Cluster Managed Identity CheckAccess Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Kubernetes Agentless Operator Grants Microsoft Defender for Cloud access to Azure Kubernetes Services |
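Review bot: in the Connected Cluster Managed Identity CheckAccess Reader hunk, the description sentence ("Built-in role that allows a Connected Cluster managed identity to call the checkAccess API") has no terminal period in either the prose line or the JSON `description` value, while the other role descriptions on this page end with one; add the period in both places so the generated section stays consistent.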
role-based-access-control | Databases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/databases.md | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as Docume } ``` +## PostgreSQL Flexible Server Long Term Retention Backup Role ++Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. ++[Learn more](/azure/backup/backup-azure-database-postgresql-flex-overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/flexibleServers/ltrBackupOperations/read | Returns the list of PostgreSQL server long term backup operation tracking. | +> | [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/flexibleServers/ltrPreBackup/action | Checks if a server is ready for a long term backup | +> | [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/flexibleServers/startLtrBackup/action | Start long term backup for a server | +> | [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/locations/azureAsyncOperation/read | Return PostgreSQL Server Operation Results | +> | [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/locations/operationResults/read | Return PostgreSQL Server Operation Results | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c088a766-074b-43ba-90d4-1fb21feae531", + "name": "c088a766-074b-43ba-90d4-1fb21feae531", + "permissions": [ + { + "actions": [ + "Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read", + "Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action", + "Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action", + "Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read", + "Microsoft.DBforPostgreSQL/locations/operationResults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "PostgreSQL Flexible Server Long Term Retention Backup Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Redis Cache Contributor Lets you manage Redis caches, but not access to them. |
role-based-access-control | Devops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/devops.md | +## Deployment Environments Reader ++Provides read access to environment resources. ++[Learn more](/azure/deployment-environments/how-to-configure-deployment-environments-user) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/read | Gets a specific project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/read | Gets a machine pool | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/schedules/read | Gets a schedule resource. | +> | **DataActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminRead/action | Allows a project administrator to read all of the environments in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminActionRead/action | Allows an admin to read environment actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminOutputsRead/action | Allows an admin to read Output values from environment deployment. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides read access to environment resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/eb960402-bf75-4cc3-8d68-35b34f960f72", + "name": "eb960402-bf75-4cc3-8d68-35b34f960f72", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/read", + "Microsoft.DevCenter/projects/*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.DevCenter/projects/pools/read", + "Microsoft.DevCenter/projects/pools/schedules/read" + ], + "dataActions": [ + "Microsoft.DevCenter/projects/users/environments/adminRead/action", + "Microsoft.DevCenter/projects/users/environments/adminActionRead/action", + "Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action" + ], + "notDataActions": [] + } + ], + "roleName": "Deployment Environments Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Deployment Environments User ++Provides access to manage environment resources. ++[Learn more](/azure/deployment-environments/how-to-configure-deployment-environments-user) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/read | Gets a specific project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/read | Gets a machine pool | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/schedules/read | Gets a schedule resource. | +> | **DataActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userRead/action | Allows a user to read the environments they have access to in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userWrite/action | Allows a user to write the environments they have access to in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userDelete/action | Allows a user to delete the environments they have access to in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userActionManage/action | Allows a user to skip, delay etc. environment actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userOutputsRead/action | Allows a user to read Output values from environment deployment. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides access to manage environment resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c", + "name": "18e40d4e-8d2e-438d-97e1-9528336e149c", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/read", + "Microsoft.DevCenter/projects/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Authorization/*/read" + ], + "notActions": [ + "Microsoft.DevCenter/projects/pools/read", + "Microsoft.DevCenter/projects/pools/schedules/read" + ], + "dataActions": [ + "Microsoft.DevCenter/projects/users/environments/userRead/action", + "Microsoft.DevCenter/projects/users/environments/userWrite/action", + "Microsoft.DevCenter/projects/users/environments/userDelete/action", + "Microsoft.DevCenter/projects/users/environments/userActionManage/action", + "Microsoft.DevCenter/projects/users/environments/userOutputsRead/action" + ], + "notDataActions": [] + } + ], + "roleName": "Deployment Environments User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## DevCenter Dev Box User ++Provides access to create and manage dev boxes. ++[Learn more](/azure/dev-box/how-to-dev-box-user) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/read | Gets a specific project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStop/action | Allows a user to stop their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStart/action | Allows a user to start their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userGetRemoteConnection/action | Allows a user to get the RDP connection information for their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userRead/action | Allows a user to read their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userWrite/action | Allows a user to create and update their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userDelete/action | Allows a user to delete their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userUpcomingActionRead/action | Allows a user to read upcoming actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userUpcomingActionManage/action | Allows a user to skip or delay upcoming actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionRead/action | Allows a user to read dev box actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionManage/action | Allows a user to skip or delay dev box actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userCustomize/action | Allows a user to customize their own Dev Box resources. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides access to create and manage dev boxes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05", + "name": "45d50f46-0b78-4001-a660-4198cbe8cd05", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/read", + "Microsoft.DevCenter/projects/*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DevCenter/projects/users/devboxes/userStop/action", + "Microsoft.DevCenter/projects/users/devboxes/userStart/action", + "Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action", + "Microsoft.DevCenter/projects/users/devboxes/userRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userWrite/action", + "Microsoft.DevCenter/projects/users/devboxes/userDelete/action", + "Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionManage/action", + "Microsoft.DevCenter/projects/users/devboxes/userCustomize/action" + ], + "notDataActions": [] + } + ], + "roleName": "DevCenter Dev Box User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## DevCenter Project Admin ++Provides access to manage project resources. 
++[Learn more](/azure/dev-box/how-to-project-admin) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/write | Partially updates a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/delete | Deletes a project resource. | +> | **DataActions** | | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminStart/action | Allows a user to start any Dev Box resource. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminStop/action | Allows a user to stop any Dev Box resource. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminRead/action | Allows a user read access to any Dev Box resource. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminWrite/action | Allows a user write access to any Dev Box resource. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminDelete/action | Allows a user to delete any Dev Box resource. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStop/action | Allows a user to stop their own Dev Box resources. 
| +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStart/action | Allows a user to start their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userGetRemoteConnection/action | Allows a user to get the RDP connection information for their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userRead/action | Allows a user to read their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userWrite/action | Allows a user to create and update their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userDelete/action | Allows a user to delete their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionRead/action | Allows a user to read dev box actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionManage/action | Allows a user to skip or delay dev box actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userCustomize/action | Allows a user to customize their own Dev Box resources. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminRead/action | Allows a project administrator to read all of the environments in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userWrite/action | Allows a user to write the environments they have access to in a project. 
| +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminWrite/action | Allows a project administrator to write all of the environments in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userDelete/action | Allows a user to delete the environments they have access to in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminDelete/action | Allows a project administrator to delete all of the environments in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminAction/action | Allows a project administrator to perform an action on all of the environments in a project. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminActionRead/action | Allows an admin to read environment actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminActionManage/action | Allows an admin to skip, delay etc. environment actions. | +> | [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminOutputsRead/action | Allows an admin to read Output values from environment deployment. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides access to manage project resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0", + "name": "331c37c6-af14-46d9-b9f4-e1909e1b95a0", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.DevCenter/projects/write", + "Microsoft.DevCenter/projects/delete" + ], + "dataActions": [ + "Microsoft.DevCenter/projects/users/devboxes/adminStart/action", + "Microsoft.DevCenter/projects/users/devboxes/adminStop/action", + "Microsoft.DevCenter/projects/users/devboxes/adminRead/action", + "Microsoft.DevCenter/projects/users/devboxes/adminWrite/action", + "Microsoft.DevCenter/projects/users/devboxes/adminDelete/action", + "Microsoft.DevCenter/projects/users/devboxes/userStop/action", + "Microsoft.DevCenter/projects/users/devboxes/userStart/action", + "Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action", + "Microsoft.DevCenter/projects/users/devboxes/userRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userWrite/action", + "Microsoft.DevCenter/projects/users/devboxes/userDelete/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionManage/action", + "Microsoft.DevCenter/projects/users/devboxes/userCustomize/action", + "Microsoft.DevCenter/projects/users/environments/adminRead/action", + "Microsoft.DevCenter/projects/users/environments/userWrite/action", + "Microsoft.DevCenter/projects/users/environments/adminWrite/action", + "Microsoft.DevCenter/projects/users/environments/userDelete/action", + "Microsoft.DevCenter/projects/users/environments/adminDelete/action", + 
"Microsoft.DevCenter/projects/users/environments/adminAction/action", + "Microsoft.DevCenter/projects/users/environments/adminActionRead/action", + "Microsoft.DevCenter/projects/users/environments/adminActionManage/action", + "Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action" + ], + "notDataActions": [] + } + ], + "roleName": "DevCenter Project Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## DevTest Labs User Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. |
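Review bot: In the DevCenter Project Admin definition, the `notActions` entries `Microsoft.DevCenter/projects/write` and `Microsoft.DevCenter/projects/delete` subtract only those two exact operations from `Microsoft.DevCenter/projects/*`; every child-resource operation under the project (for example `projects/pools/*`) is still granted, and `Microsoft.Resources/deployments/*` lets the holder deploy templates at the assigned scope. The description `Provides access to manage project resources.` should say plainly that the role can create, change and delete everything beneath a project but cannot update or delete the project itself, so readers do not take the two `NotActions` rows for a broader restriction. One discrepancy worth raising with the DevCenter owners: the Dev Box User JSON grants `userUpcomingActionRead/action` and `userUpcomingActionManage/action`, but the Project Admin data actions omit both, so a project admin cannot see or manage upcoming actions on their own dev boxes without a second role assignment.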
role-based-access-control | Hybrid Multicloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/hybrid-multicloud.md | Lets you manage Azure Stack registrations. } ``` +## Hybrid Server Resource Administrator ++Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. ++[Learn more](/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/* | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "name": "48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "permissions": [ + { + "actions": [ + "Microsoft.HybridCompute/machines/*", + "Microsoft.HybridCompute/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Hybrid Server Resource Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Next steps - [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
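Review bot: In the Hybrid Server Resource Administrator definition, `Microsoft.HybridCompute/machines/*` is a wildcard over the machine and all of its child resources, extensions included, so a holder can install or update extensions and with them run code on every Arc-enabled server in the assigned scope. The description `Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider.` reads like a registration-only role; suggest stating the extension and code-execution reach and advising assignment at resource-group rather than subscription scope. Separately, unlike the other roles in this change set, the definition carries no `Microsoft.Authorization/*/read` and no `Microsoft.Resources/subscriptions/resourceGroups/read`, so holders cannot list resource groups or see their own assignments in the portal; confirm with the service owners whether that omission is intended before publishing.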
role-based-access-control | Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/integration.md | +## API Management Developer Portal Content Editor ++Can customize the developer portal, edit its content, and publish it. ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/portalRevisions/read | Lists a collection of developer portal revision entities. or Gets developer portal revision specified by its identifier. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/portalRevisions/write | Creates a new developer portal revision. or Updates the description of specified portal revision or makes it current. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/read | Returns list of content types or Returns content type | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/delete | Removes content type. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/write | Creates new content type | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/contentItems/read | Returns list of content items or Returns content item details | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/contentItems/write | Creates new content item or Updates specified content item | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/contentItems/delete | Removes specified content item. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can customize the developer portal, edit its content, and publish it.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729", + "name": "c031e6a8-4391-4de0-8d69-4706a7ed3729", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/portalRevisions/read", + "Microsoft.ApiManagement/service/portalRevisions/write", + "Microsoft.ApiManagement/service/contentTypes/read", + "Microsoft.ApiManagement/service/contentTypes/delete", + "Microsoft.ApiManagement/service/contentTypes/write", + "Microsoft.ApiManagement/service/contentTypes/contentItems/read", + "Microsoft.ApiManagement/service/contentTypes/contentItems/write", + "Microsoft.ApiManagement/service/contentTypes/contentItems/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Developer Portal Content Editor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## API Management Service Contributor Can manage service and the APIs Has read-only access to entities in the workspace. This role should be assigned } ``` +## App Configuration Contributor ++Grants permission for all management operations, except purge, for App Configuration resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/locations/deletedConfigurationStores/purge/action | Purge the specified deleted configuration store. | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants permission for all management operations, except purge, for App Configuration resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fe86443c-f201-4fc4-9d2a-ac61149fbda0", + "name": "fe86443c-f201-4fc4-9d2a-ac61149fbda0", + "permissions": [ + { + "actions": [ + "Microsoft.AppConfiguration/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "App Configuration Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## App Configuration Data Owner Allows full access to App Configuration data. 
Allows read access to App Configuration data. } ``` +## App Configuration Reader ++Grants permission for read operations for App Configuration resources. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants permission for read operations for App Configuration resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/175b81b9-6e0d-490a-85e4-0d422273c10c", + "name": "175b81b9-6e0d-490a-85e4-0d422273c10c", + "permissions": [ + { + "actions": [ + "Microsoft.AppConfiguration/*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "App Configuration Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure API Center Compliance Manager Allows managing API compliance in Azure API Center service. Allows for send access to Azure Relay resources. 
} ``` +## Azure Resource Notifications System Topics Subscriber ++Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications ++[Learn more](/azure/event-grid/event-schema-resource-notifications) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToResources/action | Permission to perform creation and event subscription creation on a Resources system topic | +> | [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToHealthResources/action | Permission to perform creation and event subscription creation on a HealthResources system topic | +> | [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToMaintenanceResources/action | Permission to perform creation and event subscription creation on a MaintenanceResources system topic | +> | [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToComputeResources/action | Permission to perform creation and event subscription creation on a ComputeResources system topic | +> | [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToComputeScheduleResources/action | Permission to perform creation and event subscription creation on a ComputeScheduleResources system topic | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/systemTopics/eventSubscriptions/write | Create or update a SystemTopic eventSubscription | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | 
*none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0b962ed2-6d56-471c-bd5f-3477d83a7ba4", + "name": "0b962ed2-6d56-471c-bd5f-3477d83a7ba4", + "permissions": [ + { + "actions": [ + "Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action", + "Microsoft.EventGrid/eventSubscriptions/write", + "Microsoft.EventGrid/systemTopics/eventSubscriptions/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Resource Notifications System Topics Subscriber", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. Lets you manage BizTalk services, but not access to them. } ``` +## Chamber Admin ++Lets you manage everything under your Modeling and Simulation Workbench chamber. 
++[Learn more](/azure/modeling-simulation-workbench/how-to-guide-manage-users) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/*/read | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/fileRequests/manage/action | manage fileRequests | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/connector/setCopyPaste/action | | +> | **DataActions** | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/upload/action | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/files/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage everything under your Modeling and Simulation Workbench chamber.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a", + "name": "4e9b8407-af2e-495b-ae54-bb60a55b1b5a", + "permissions": [ + { + "actions": [ + "Microsoft.ModSimWorkbench/*/read", + "Microsoft.ModSimWorkbench/workbenches/chambers/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + 
"Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action", + "Microsoft.ModSimWorkbench/workbenches/chambers/connector/setCopyPaste/action" + ], + "dataActions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/upload/action", + "Microsoft.ModSimWorkbench/workbenches/chambers/files/*" + ], + "notDataActions": [] + } + ], + "roleName": "Chamber Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Chamber User ++Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. ++[Learn more](/azure/modeling-simulation-workbench/how-to-guide-manage-users) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/*/read | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/workloads/* | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/getUploadUri/action | getUploadUri chambers | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/fileRequests/getDownloadUri/action | getDownloadUri fileRequests | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/upload/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32", + "name": "4447db05-44ed-4da3-ae60-6cbece780e32", + "permissions": [ + { + "actions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/*/read", + "Microsoft.ModSimWorkbench/workbenches/chambers/workloads/*", + "Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action", + "Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/action", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/upload/action" + ], + "notDataActions": [] + } + ], + "roleName": "Chamber User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## DeID Batch Data Owner Create and manage DeID batch jobs. This role is in preview and subject to change. Execute requests against DeID realtime endpoint. This role is in preview and sub } ``` +## DICOM Data Owner ++Full access to DICOM data. 
++[Learn more](/azure/healthcare-apis/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/dicomservices/resources/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to DICOM data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8", + "name": "58a3b984-7adf-4c20-983a-32417c86fbc8", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/workspaces/dicomservices/resources/*" + ], + "notDataActions": [] + } + ], + "roleName": "DICOM Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## DICOM Data Reader ++Read and search DICOM data. ++[Learn more](/azure/healthcare-apis/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/dicomservices/resources/read | Read DICOM resources (includes searching and change feed). 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read and search DICOM data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", + "name": "e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/workspaces/dicomservices/resources/read" + ], + "notDataActions": [] + } + ], + "roleName": "DICOM Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## EventGrid Contributor Lets you manage EventGrid operations. Lets you read EventGrid event subscriptions. } ``` +## EventGrid TopicSpaces Publisher ++Lets you publish messages on topicspaces. ++[Learn more](/azure/event-grid/mqtt-client-microsoft-entra-token-and-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topicSpaces/publish/action | Publish to a topic space | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you publish messages on topicspaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a12b0b94-b317-4dcd-84a8-502ce99884c6", + "name": "a12b0b94-b317-4dcd-84a8-502ce99884c6", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.EventGrid/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/topicSpaces/publish/action" + ], + "notDataActions": [] + } + ], + "roleName": "EventGrid TopicSpaces Publisher", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## EventGrid TopicSpaces Subscriber ++Lets you subscribe messages on topicspaces. ++[Learn more](/azure/event-grid/mqtt-client-microsoft-entra-token-and-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topicSpaces/subscribe/action | Subscribe to a topic space | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you subscribe messages on topicspaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4b0f2fd7-60b4-4eca-896f-4435034f8bf5", + "name": "4b0f2fd7-60b4-4eca-896f-4435034f8bf5", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.EventGrid/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/topicSpaces/subscribe/action" + ], + "notDataActions": [] + } + ], + "roleName": "EventGrid TopicSpaces Subscriber", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## FHIR Data Contributor Role allows user or principal full access to FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > | Actions | Description | Role allows user or principal full access to FHIR Data } ``` +## FHIR Data Converter ++Role allows user or principal to convert data from legacy format to FHIR ++[Learn more](/azure/healthcare-apis/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/convertData/action | Data convert operation ($convert-data) | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/convertData/action | Data convert 
operation ($convert-data) | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal to convert data from legacy format to FHIR", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24", + "name": "a1705bd2-3a8f-45a5-8683-466fcfd5cc24", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/convertData/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR Data Converter", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## FHIR Data Exporter Role allows user or principal to read and export FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > | Actions | Description | Role allows user or principal to read and export FHIR Data Role allows user or principal to read and import FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/fhir/import-data) > [!div class="mx-tableFixed"] > | Actions | Description | Role allows user or principal to read and import FHIR Data Role allows user or principal to read FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > | Actions | Description | Role allows user or principal to read FHIR Data Role allows user or principal to read and write FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > | Actions | Description | Role allows user or principal to read and 
write FHIR Data } ``` +## FHIR SMART User ++Role allows user to access FHIR Service according to SMART on FHIR specification ++[Learn more](/azure/healthcare-apis/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user to access FHIR Service according to SMART on FHIR specification", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0", + "name": "4ba50f17-9666-485c-a643-ff00808643f0", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/read", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", + "Microsoft.HealthcareApis/services/fhir/resources/smart/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR SMART User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Integration Service Environment Contributor Lets you manage integration service environments, but not access to them. |
role-based-access-control | Internet Of Things | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/internet-of-things.md | Read-only role for Digital Twins data-plane properties } ``` +## Device Provisioning Service Data Contributor ++Allows for full access to Device Provisioning Service data-plane operations. ++[Learn more](/azure/iot-dps/concepts-control-access-dps-azure-ad) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/provisioningServices/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to Device Provisioning Service data-plane operations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633", + "name": "dfce44e4-17b7-4bd1-a6d1-04996ec95633", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/provisioningServices/*" + ], + "notDataActions": [] + } + ], + "roleName": "Device Provisioning Service Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Provisioning Service Data Reader ++Allows for full read access to Device Provisioning Service data-plane properties. 
++[Learn more](/azure/iot-dps/concepts-control-access-dps-azure-ad) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/provisioningServices/*/read | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full read access to Device Provisioning Service data-plane properties.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8", + "name": "10745317-c249-44a1-a5ce-3a4353c0bbd8", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/provisioningServices/*/read" + ], + "notDataActions": [] + } + ], + "roleName": "Device Provisioning Service Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Device Update Administrator Gives you full access to management and content operations Gives you read access to management and content operations, but does not allow m } ``` +## Firmware Analysis Admin ++Upload and analyze firmware images in Defender for IoT ++[Learn more](/azure/defender-for-iot/device-builders/defender-iot-firmware-analysis-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.IoTFirmwareDefense](../permissions/internet-of-things.md#microsoftiotfirmwaredefense)/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Upload and analyze firmware images in Defender for IoT", + "id": "/providers/Microsoft.Authorization/roleDefinitions/9c1607d1-791d-4c68-885d-c7b7aaff7c8a", + "name": "9c1607d1-791d-4c68-885d-c7b7aaff7c8a", + "permissions": [ + { + "actions": [ + "Microsoft.IoTFirmwareDefense/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Firmware Analysis Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## IoT Hub Data Contributor Allows for full access to IoT Hub data plane operations. |
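Review bot: the Description column is left empty for the wildcard rows in this hunk: `Microsoft.Devices/provisioningServices/*` (Device Provisioning Service Data Contributor), `Microsoft.Devices/provisioningServices/*/read` (Device Provisioning Service Data Reader) and `Microsoft.IoTFirmwareDefense/*` (Firmware Analysis Admin), while every other row in these tables carries one. Suggest adding a one-line description for each so a reader assessing the role's reach sees that the wildcard covers every current and future operation under that path, not only the operations the role description sentence mentions.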
role-based-access-control | Management And Governance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/management-and-governance.md | +## Advisor Recommendations Contributor (Assessments and Reviews) ++View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). ++[Learn more](/azure/advisor/permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read | Reads recommendations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/write | Writes recommendations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/available/action | New recommendation is available in Microsoft Advisor | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started).", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6b534d80-e337-47c4-864f-140f5c7f593d", + "name": "6b534d80-e337-47c4-864f-140f5c7f593d", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/recommendations/read", + "Microsoft.Advisor/recommendations/write", + "Microsoft.Advisor/recommendations/available/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Advisor Recommendations Contributor (Assessments and Reviews)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Advisor 
Reviews Contributor ++View reviews for a workload and triage recommendations linked to them. ++[Learn more](/azure/advisor/permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/resiliencyReviews/read | Read resiliencyReviews | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/read | Read triageRecommendations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/approve/action | Approve triageRecommendations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/reject/action | Reject triageRecommendations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/reset/action | Reset triageRecommendations | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View reviews for a workload and triage recommendations linked to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8aac15f0-d885-4138-8afa-bfb5872f7d13", + "name": "8aac15f0-d885-4138-8afa-bfb5872f7d13", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/resiliencyReviews/read", + "Microsoft.Advisor/triageRecommendations/read", + "Microsoft.Advisor/triageRecommendations/approve/action", + "Microsoft.Advisor/triageRecommendations/reject/action", + "Microsoft.Advisor/triageRecommendations/reset/action", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Advisor Reviews Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Advisor Reviews Reader ++View reviews for a workload and recommendations linked to them. 
++[Learn more](/azure/advisor/permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/resiliencyReviews/read | Read resiliencyReviews | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/read | Read triageRecommendations | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View reviews for a workload and recommendations linked to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c64499e0-74c3-47ad-921c-13865957895c", + "name": "c64499e0-74c3-47ad-921c-13865957895c", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/resiliencyReviews/read", + "Microsoft.Advisor/triageRecommendations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Advisor Reviews Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Automation Contributor Manage Azure Automation resources and other resources using Azure Automation. Read Runbook properties - to be able to create Jobs of the runbook. } ``` +## Azure Center for SAP solutions administrator ++This role provides read and write access to all capabilities of Azure Center for SAP solutions. 
++[Learn more](/azure/sap/center-sap-solutions/manage-with-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/configurations/read | Get configurations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read | Reads recommendations | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapvirtualInstances/*/read | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances/*/write | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances/*/delete | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Locations/*/action | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Locations/*/read | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances/*/start/action | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances/*/stop/action | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/connectors/*/read | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/connectors/*/write | | +> | [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/connectors/*/delete | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/write | Creates or updates a resource group. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/* | | +> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet | +> | 
[Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/virtualMachines/read | Gets references to all the virtual machines in a virtual network subnet | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/ipconfigurations/read | Gets a network interface ip configuration definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/loadBalancers/read | Gets all the load balancers that the network interface is part of | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the Network Interface | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/read | Gets a load balancer backend address pool definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/frontendIPConfigurations/read | Gets a load balancer frontend IP configuration definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/loadBalancingRules/read | Gets a load balancer load balancing rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/read | Gets a load balancer inbound nat rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Load Balancer | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/networkInterfaces/read | Gets references to all the network interfaces 
under a load balancer | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/outboundRules/read | Gets a load balancer outbound rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/virtualMachines/read | Gets references to all the virtual machines under a load balancer | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Load Balancer | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateEndpoints/read | Gets an private endpoint resource. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/join/action | Joins a route table. Not Alertable. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/read | Get file service properties | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read | List file shares | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read | Get the properties of an availability set | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys/read | Get the properties of an SSH public key | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys/write | Creates a new SSH public key or updates an existing SSH public key | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys/*/generateKeyPair/action | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read | Get the properties of a virtual machine extension | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/delete | Deletes the virtual machine extension | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permiss |
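Review bot: in the Azure Center for SAP solutions administrator table the resource path casing is inconsistent: `Microsoft.Workloads/sapvirtualInstances/*/read` sits beside `sapVirtualInstances/*/write`, `sapVirtualInstances/*/delete` and the other sapVirtualInstances rows, and `Locations/*/action` / `Locations/*/read` are capitalized where the sibling paths are not. Suggest normalizing to one casing so a reader searching the page for `sapVirtualInstances` finds every row. The same table leaves the Description column empty for all ten Microsoft.Workloads rows, for `Microsoft.Resources/subscriptions/resourcegroups/deployments/*` and for `Microsoft.Compute/sshPublicKeys/*/generateKeyPair/action`; a short description for each would help, particularly for generateKeyPair, since unlike the neighbouring sshPublicKeys/read row it permits creating SSH key material rather than only reading it.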