Docs update tracker

Updates from: 09/24/2024 01:07:50

Service	Microsoft Docs article	Related commit history on GitHub	Change details
app-service	Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/overview.md	A benefit of using an App Service Environment instead of a multitenant service i App Service Environment v3 differs from earlier versions in the following ways: - There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.-- You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. In this case, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see [Migrate App Service Environment to availability zone support](../../availability-zones/migrate-app-service-environment.md). +- You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. This is a deployment time only decision. Changing zone redundancy is not possible after it has been deployed. With zone redundant App Service Environment, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see [Migrate App Service Environment to availability zone support](../../availability-zones/migrate-app-service-environment.md). - You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant. - Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multitenant service, it's a lot faster. - Front-end scaling adjustments are no longer required. App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts. App Service Environment v3 is available in the following regions: \| Southeast Asia \| Γ£à \| Γ£à \| \| Spain Central \| Γ£à \| Γ£à** \| \| Sweden Central \| Γ£à \| Γ£à \| +\| Sweden South \| Γ£à \| \| \| Switzerland North \| Γ£à \| Γ£à \| \| Switzerland West \| Γ£à \| \| \| UAE Central \| Γ£à \| \| App Service Environment v3 is available in the following regions: \| US DoD Central \| Γ£à \| \| \| US DoD East \| Γ£à \| \| \| US Gov Arizona \| Γ£à \| \| -\| US Gov Iowa \| \| \| \| US Gov Texas \| Γ£à \| \| \| US Gov Virginia \| Γ£à \|Γ£à \| App Service Environment v3 is available in the following regions: \| Region \| Single zone support \| Availability zone support \| \| -- \| :--: \| :-: \| -\| China East 2 \| \| \| +\| \| App Service Environment v3 \| App Service Environment v3 \| \| China East 3 \| Γ£à \| \| -\| China North 2 \| \| \| \| China North 3 \| Γ£à \| Γ£à \| ### In-region data residency An App Service Environment will only store customer data including app content, settings and secrets within the region where it's deployed. All data is guaranteed to remain in the region. For more information, see [Data residency in Azure](https://azure.microsoft.com/explore/global-infrastructure/data-residency/#overview). +## Pricing tiers + +The following sections list the regional pricing tiers (SKUs) availability for App Service Environment v3. + +> [!NOTE] +> Windows Container plans currently do not support memory intensive SKUs. +> + +### Azure Public: + +\| Region \| Standard \| Large \| Memory intensive \| +\| -- \| :-: \| :: \| :: \| +\| \| I1v2-I3v2 \| I4v2-I6v2 \| I1mv2-I5mv2 \| +\| Australia Central \| Γ£à \| Γ£à \| Γ£à \| +\| Australia Central 2 \| Γ£à \| Γ£à \| Γ£à \| +\| Australia East \| Γ£à \| Γ£à \| Γ£à \| +\| Australia Southeast \| Γ£à \| Γ£à \| Γ£à \| +\| Brazil South \| Γ£à \| Γ£à \| \| +\| Brazil Southeast \| Γ£à \| Γ£à \| Γ£à \| +\| Canada Central \| Γ£à \| Γ£à \| Γ£à \| +\| Canada East \| Γ£à \| Γ£à \| Γ£à \| +\| Central India \| Γ£à \| Γ£à \| Γ£à \| +\| Central US \| Γ£à \| Γ£à * \| \| +\| East Asia \| Γ£à \| Γ£à \| Γ£à \| +\| East US \| Γ£à \| Γ£à \| \| +\| East US 2 \| Γ£à \| Γ£à \| Γ£à \| +\| France Central \| Γ£à \| Γ£à \| Γ£à \| +\| France South \| Γ£à \| Γ£à \| Γ£à \| +\| Germany North \| Γ£à \| Γ£à \| Γ£à \| +\| Germany West Central \| Γ£à \| Γ£à \| Γ£à \| +\| Israel Central \| Γ£à \| Γ£à \| \| +\| Italy North \| Γ£à \| Γ£à \| \| +\| Japan East \| Γ£à \| Γ£à \| Γ£à \| +\| Japan West \| Γ£à \| Γ£à \| Γ£à \| +\| Jio India Central \| Γ£à \| Γ£à \| \| +\| Jio India West \| Γ£à \| Γ£à \| \| +\| Korea Central \| Γ£à \| Γ£à \| \| +\| Korea South \| Γ£à \| Γ£à \| Γ£à \| +\| Mexico Central \| Γ£à \| Γ£à \| \| +\| North Central US \| Γ£à \| Γ£à \| Γ£à \| +\| North Europe \| Γ£à \| Γ£à \| Γ£à \| +\| Norway East \| Γ£à \| Γ£à \| Γ£à \| +\| Norway West \| Γ£à \| Γ£à \| Γ£à \| +\| Poland Central \| Γ£à \| Γ£à \| \| +\| Qatar Central \| Γ£à \| Γ£à \| \| +\| South Africa North \| Γ£à \| Γ£à \| Γ£à \| +\| South Africa West \| Γ£à \| Γ£à \| Γ£à \| +\| South Central US \| Γ£à \| Γ£à \| Γ£à \| +\| South India \| Γ£à \| Γ£à \| \| +\| Southeast Asia \| Γ£à \| Γ£à \| Γ£à \| +\| Spain Central \| Γ£à \| Γ£à \| \| +\| Sweden Central \| Γ£à \| Γ£à \| Γ£à \| +\| Sweden South \| Γ£à \| Γ£à \| Γ£à \| +\| Switzerland North \| Γ£à \| Γ£à \| Γ£à \| +\| Switzerland West \| Γ£à \| Γ£à \| Γ£à \| +\| UAE Central \| Γ£à \| Γ£à \| \| +\| UAE North \| Γ£à \| Γ£à \| Γ£à \| +\| UK South \| Γ£à \| Γ£à \| Γ£à \| +\| UK West \| Γ£à \| Γ£à \| Γ£à \| +\| West Central US \| Γ£à \| Γ£à * \| \| +\| West Europe \| Γ£à \| Γ£à * \| \| +\| West India \| Γ£à \| Γ£à \| Γ£à \| +\| West US \| Γ£à \| Γ£à \| \| +\| West US 2 \| Γ£à \| Γ£à \| Γ£à \| +\| West US 3 \| Γ£à \| Γ£à \| Γ£à \| + +\* Windows Container does not support Large skus in this region. +\** Linux does not support Memory intensive skus in this region. + +### Azure Government: + +\| Region \| Standard \| Large \| Memory intensive \| +\| -- \| :-: \| :: \| :: \| +\| \| I1v2-I3v2 \| I4v2-I6v2 \| I1mv2-I5mv2 \| +\| US DoD Central \| Γ£à \|Γ£à * \| \| +\| US DoD East \| Γ£à \|Γ£à * \| \| +\| US Gov Arizona \| Γ£à \|Γ£à * \| \| +\| US Gov Texas \| Γ£à \|Γ£à * \| \| +\| US Gov Virginia \| Γ£à \|Γ£à * \| \| + +### Microsoft Azure operated by 21Vianet: + +\| Region \| Standard \| Large \| Memory intensive \| +\| -- \| :-: \| :: \| :: \| +\| \| I1v2-I3v2 \| I4v2-I6v2 \| I1mv2-I5mv2 \| +\| China East 3 \| Γ£à \| Γ£à * \| \| +\| China North 3 \| Γ£à \| Γ£à * \| \| + ## Next steps > [!div class="nextstepaction"]
app-service	Manage Create Arc Environment	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/manage-create-arc-environment.md	Previously updated : 03/24/2023 Last updated : 09/23/2024 # Set up an Azure Arc-enabled Kubernetes cluster to run App Service, Functions, and Logic Apps (Preview) Azure Arc-enabled Kubernetes lets you make your on-premises or cloud Kubernetes If you don't have an Azure account, [sign up today](https://azure.microsoft.com/free/?utm_source=campaign&utm_campaign=vscode-tutorial-app-service-extension&mktingSource=vscode-tutorial-app-service-extension) for a free account. +Review the [requirements and limitations](overview-arc-integration.md) of the public preview. Of particular importance are the cluster requirements. + <!-- ## Prerequisites - Create a Kubernetes cluster in a supported Kubernetes distribution and connect it to Azure Arc in a supported region. See [Public preview limitations](overview-arc-integration.md#public-preview-limitations). az extension add --upgrade --yes --name appservice-kube ## Create a connected cluster > [!NOTE] -> This tutorial uses [Azure Kubernetes Service (AKS)](/azure/aks/) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. The steps below will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) for general instructions on creating an Azure Arc-enabled Kubernetes cluster. +> This tutorial uses [Azure Kubernetes Service (AKS)](/azure/aks/) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. The steps will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) for general instructions on creating an Azure Arc-enabled Kubernetes cluster. 1. Create a cluster in Azure Kubernetes Service with a public IP address. Replace `<group-name>` with the resource group name you want. While a [Log Analytic workspace](/azure/azure-monitor/logs/quick-create-workspac ## Install the App Service extension -1. Set the following environment variables for the desired name of the [App Service extension](overview-arc-integration.md), the cluster namespace in which resources should be provisioned, and the name for the App Service Kubernetes environment. Choose a unique name for `<kube-environment-name>`, because it will be part of the domain name for app created in the App Service Kubernetes environment. +1. Set the following environment variables for the desired name of the [App Service extension](overview-arc-integration.md), the cluster namespace in which resources should be provisioned, and the name for the App Service Kubernetes environment. Choose a unique name for `<kube-environment-name>`, because it is part of the domain name for app created in the App Service Kubernetes environment. # [bash](#tab/bash) While a [Log Analytic workspace](/azure/azure-monitor/logs/quick-create-workspac \| Parameter \| Description \| \| - \| - \| - \| `Microsoft.CustomLocation.ServiceAccount` \| The service account that should be created for the custom location that will be created. It is recommended that this be set to the value `default`. \| + \| `Microsoft.CustomLocation.ServiceAccount` \| The service account that should be created for the custom location that is created. It is recommended that this be set to the value `default`. \| \| `appsNamespace` \| The namespace to provision the app definitions and pods. Must match that of the extension release namespace. \| - \| `clusterName` \| The name of the App Service Kubernetes environment that will be created against this extension. \| + \| `clusterName` \| The name of the App Service Kubernetes environment that is created against this extension. \| \| `keda.enabled` \| Whether [KEDA](https://keda.sh/) should be installed on the Kubernetes cluster. Accepts `true` or `false`. \| - \| `buildService.storageClassName` \| The [name of the storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class) for the build service to store build artifacts. A value like `default` specifies a class named `default`, and not [any class that is marked as default](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/). Default is a valid storage class for AKS and AKS HCI but it may not be for other distrubtions/platforms. \| - \| `buildService.storageAccessMode` \| The [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use with the named storage class above. Accepts `ReadWriteOnce` or `ReadWriteMany`. \| - \| `customConfigMap` \| The name of the config map that will be set by the App Service Kubernetes environment. Currently, it must be `<namespace>/kube-environment-config`, replacing `<namespace>` with the value of `appsNamespace` above. \| + \| `buildService.storageClassName` \| The [name of the storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class) for the build service to store build artifacts. A value like `default` specifies a class named `default`, and not [any class that is marked as default](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/). Default is a valid storage class for AKS and AKS HCI but it may not be for other distrubtions/platforms. \| + \| `buildService.storageAccessMode` \| The [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use with the named storage class. Accepts `ReadWriteOnce` or `ReadWriteMany`. \| + \| `customConfigMap` \| The name of the config map that will be set by the App Service Kubernetes environment. Currently, it must be `<namespace>/kube-environment-config`, replacing `<namespace>` with the value of `appsNamespace`. \| \| `envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group` \| The name of the resource group in which the Azure Kubernetes Service cluster resides. Valid and required only when the underlying cluster is Azure Kubernetes Service. \| \| `logProcessor.appLogs.destination` \| Optional. Accepts `log-analytics` or `none`, choosing none disables platform logs. \| \| `logProcessor.appLogs.logAnalyticsConfig.customerId` \| Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace ID. This parameter should be configured as a protected setting. \| While a [Log Analytic workspace](/azure/azure-monitor/logs/quick-create-workspac az resource wait --ids $EXTENSION_ID --custom "properties.installState!='Pending'" --api-version "2020-07-01-preview" ``` -You can use `kubectl` to see the pods that have been created in your Kubernetes cluster: +You can use `kubectl` to see the pods created in your Kubernetes cluster: ```bash kubectl get pods -n $NAMESPACE
app-service	Overview Arc Integration	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-arc-integration.md	Title: 'App Service on Azure Arc' description: An introduction to App Service integration with Azure Arc for Azure operators. Previously updated : 12/05/2023- Last updated : 09/23/2024+ The following public preview limitations apply to App Service Kubernetes environ \|\|\| \| Supported Azure regions \| East US, West Europe \| \| Cluster networking requirement \| Must support `LoadBalancer` service type \| +\| Node OS requirement \| Linux only. \| \| Cluster storage requirement \| Must have cluster attached storage class available for use by the extension to support deployment and build of code-based apps where applicable \| \| Feature: Networking \| [Not available (rely on cluster networking)](#are-all-networking-features-supported) \| \| Feature: Managed identities \| [Not available](#are-managed-identities-supported) \| Only one Kubernetes environment resource can be created in a custom location. In - [How much does it cost?](#how-much-does-it-cost) - [Are both Windows and Linux apps supported?](#are-both-windows-and-linux-apps-supported) +- [Can the extension be installed on Windows nodes?](#can-the-extension-be-installed-on-windows-nodes) - [Which built-in application stacks are supported?](#which-built-in-application-stacks-are-supported) - [Are all app deployment types supported?](#are-all-app-deployment-types-supported) - [Which App Service features are supported?](#which-app-service-features-are-supported) Only one Kubernetes environment resource can be created in a custom location. In - [Are there any scaling limits?](#are-there-any-scaling-limits) - [What logs are collected?](#what-logs-are-collected) - [What do I do if I see a provider registration error?](#what-do-i-do-if-i-see-a-provider-registration-error)-- [Can I deploy the Application services extension on an ARM64 based cluster?](#can-i-deploy-the-application-services-extension-on-an-arm64-based-cluster) +- [Can I deploy the Application services extension on an Arm64 based cluster?](#can-i-deploy-the-application-services-extension-on-an-arm64-based-cluster) - [Which Kubernetes distributions can I deploy the extension on?](#which-kubernetes-distributions-can-i-deploy-the-extension-on) ### How much does it cost? App Service on Azure Arc is free during the public preview. Only Linux-based apps are supported, both code and custom containers. Windows apps aren't supported. +### Can the extension be installed on Windows nodes? + +No, the extension cannot be installed on Windows nodes. The extension supports installation on Linux nodes only. + ### Which built-in application stacks are supported? All built-in Linux stacks are supported. By default, logs from system components are sent to the Azure team. Application ### What do I do if I see a provider registration error? -When creating a Kubernetes environment resource, some subscriptions might see a "No registered resource provider found" error. The error details might include a set of locations and api versions that are considered valid. If this error message is returned, the subscription must be re-registered with the Microsoft.Web provider, an operation that has no impact on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.Web --wait`. Then reattempt the Kubernetes environment command. +When creating a Kubernetes environment resource, some subscriptions might see a "No registered resource provider found" error. The error details might include a set of locations and API versions that are considered valid. If this error message is returned, the subscription must be re-registered with the Microsoft.Web provider, an operation that has no impact on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.Web --wait`. Then reattempt the Kubernetes environment command. -### Can I deploy the Application services extension on an ARM64 based cluster? +### Can I deploy the Application services extension on an Arm64 based cluster? -ARM64 based clusters aren't supported at this time. +Arm64 based clusters aren't supported at this time. ### Which Kubernetes distributions can I deploy the extension on?
automation	Change Tracking	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/change-tracking.md	Here are possible causes specific to this issue: Verify that the daemon for the Log Analytics agent for Linux (omsagent) is running on your machine. Run the following query in the Log Analytics workspace that's linked to your Automation account. ```loganalytics -Copy Heartbeat \| summarize by Computer, Solutions ```
azure-functions	Durable Functions Storage Providers	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-storage-providers.md	The key benefits of the Azure Storage provider include: * Lowest-cost serverless billing model - Azure Storage has a consumption-based pricing model based entirely on usage ([more information](durable-functions-billing.md#azure-storage-transactions)). * Best tooling support - Azure Storage offers cross-platform local emulation and integrates with Visual Studio, Visual Studio Code, and the Azure Functions Core Tools. * Most mature - Azure Storage was the original and most battle-tested storage backend for Durable Functions. -* Preview support for using identity instead of secrets for connecting to the storage provider. +* Support for using identity instead of secrets for connecting to the storage provider. The source code for the DTFx components of the Azure Storage storage provider can be found in the [Azure/durabletask](https://github.com/Azure/durabletask/tree/main/src/DurableTask.AzureStorage) GitHub repo.
azure-resource-manager	Approve Just In Time Access	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/approve-just-in-time-access.md	Title: Approve just-in-time access description: Describes how consumers of Azure Managed Applications approve requests for just-in-time access to a managed application.- Last updated 06/24/2024- # Configure and approve just-in-time access for Azure Managed Applications
azure-resource-manager	Concepts Built In Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/concepts-built-in-policy.md	Title: Deploy associations for managed application using Azure Policy description: Learn about deploying associations for a managed application using Azure Policy.- Last updated 06/24/2024- # Deploy associations for a managed application using Azure Policy
azure-resource-manager	Create Storage Customer Managed Key	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-storage-customer-managed-key.md	Title: Create Azure Managed Application that deploys storage account encrypted w description: This article describes how to create an Azure Managed Application that deploys a storage account encrypted with a customer-managed key. + Last updated 06/24/2024
azure-resource-manager	Deploy Bicep Definition	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-bicep-definition.md	Title: Use Bicep to deploy an Azure Managed Application definition description: Describes how to use Bicep to deploy an Azure Managed Application definition from your service catalog. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Use Bicep to deploy an Azure Managed Application definition To complete the tasks in this article, you need the following items: ## Get managed application definition -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To get the managed application's definition with Azure PowerShell, run the following commands. param appServicePlanName string @description('Globally unique across Azure. Maximum of 47 alphanumeric characters or hyphens.') param appServiceNamePrefix string -@maxLength(11) -@description('Use only lowercase letters and numbers and a maximum of 11 characters.') -param storageAccountNamePrefix string - -@allowed([ - 'Premium_LRS' - 'Standard_LRS' - 'Standard_GRS' -]) -@description('The options are Premium_LRS, Standard_LRS, or Standard_GRS') -param storageAccountType string - @description('Resource ID for the managed application definition.') var appResourceId = resourceId('${definitionRG}', 'Microsoft.Solutions/applicationdefinitions', '${definitionName}') resource bicepServiceCatalogApp 'Microsoft.Solutions/applications@2021-07-01' = appServiceNamePrefix: { value: appServiceNamePrefix } - storageAccountNamePrefix: { - value: storageAccountNamePrefix - } - storageAccountType: { - value: storageAccountType - } } } } param managedAppName = 'sampleBicepManagedApp' param mrgName = 'placeholder for managed resource group name' param appServicePlanName = 'demoAppServicePlan' param appServiceNamePrefix = 'demoApp' -param storageAccountNamePrefix = 'demostg1234' -param storageAccountType = 'Standard_LRS' ``` You need to provide several parameters to deploy the managed application: You need to provide several parameters to deploy the managed application: \| `mrgName` \| Unique name for the managed resource group that contains the application's deployed resources. The resource group is created when you deploy the managed application. To create a managed resource group name, run the commands that follow this parameter list and use the `$mrgname` value to replace the placeholder in the parameters file. \| \| `appServicePlanName` \| Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. \| \| `appServiceNamePrefix` \| Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure. \| -\| `storageAccountNamePrefix` \| Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. \| -\| `storageAccountType` \| The options are Premium_LRS, Standard_LRS, and Standard_GRS. \| You can run the following commands to create a name for the managed resource group. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $mrgprefix = 'mrg-sampleBicepManagedApplication-' The `$mrgprefix` and `$mrgtimestamp` variables are concatenated and stored in th Use Azure PowerShell or Azure CLI to create a resource group and deploy the managed application. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name bicepApplicationGroup -Location westus After the service catalog managed application is deployed, you have two new reso After the deployment is finished, you can check your managed application's status. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Run the following command to check the managed application's status. az managedapp show --name sampleBicepManagedApp --resource-group bicepApplicatio You can view the resources deployed to the managed resource group. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To display the managed resource group's resources, run the following command. You created the `$mrgname` variable when you created the parameters. When you're finished with the managed application, you can delete the resource g When you delete the _bicepApplicationGroup_ resource group, the managed application, managed resource group, and all the Azure resources are deleted. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group.
azure-resource-manager	Deploy Service Catalog Quickstart	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-service-catalog-quickstart.md	Title: Deploy a service catalog managed application description: Describes how to deploy a service catalog's managed application for an Azure Managed Application using Azure PowerShell, Azure CLI, or Azure portal. Previously updated : 06/24/2024 Last updated : 09/22/2024 The examples use the resource groups names created in the _quickstart to publish ### Get managed application definition -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To get the managed application's definition with Azure PowerShell, run the following commands. To get the managed application's definition from the Azure portal, use the follo ### Create resource group and parameters -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Create a resource group for the managed application deployment. For readability, the completed JSON string uses the backtick for line continuati ```powershell $params="{ `"appServicePlanName`": {`"value`":`"demoAppServicePlan`"}, ` -`"appServiceNamePrefix`": {`"value`":`"demoApp`"}, ` -`"storageAccountNamePrefix`": {`"value`":`"demostg1234`"}, ` -`"storageAccountType`": {`"value`":`"Standard_LRS`"} }" +`"appServiceNamePrefix`": {`"value`":`"demoApp`"} }" ``` The parameters to create the managed resources: - `appServicePlanName`: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. - `appServiceNamePrefix`: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure.-- `storageAccountNamePrefix`: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix.-- `storageAccountType`: The options are Premium_LRS, Standard_LRS, and Standard_GRS. # [Azure CLI](#tab/azure-cli) For readability, the completed JSON string uses the backslash for line continuat ```azurecli params="{ \"appServicePlanName\": {\"value\":\"demoAppServicePlan\"}, \ -\"appServiceNamePrefix\": {\"value\":\"demoApp\"}, \ -\"storageAccountNamePrefix\": {\"value\":\"demostg1234\"}, \ -\"storageAccountType\": {\"value\":\"Standard_LRS\"} }" +\"appServiceNamePrefix\": {\"value\":\"demoApp\"} }" ``` The parameters to create the managed resources: - `appServicePlanName`: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. - `appServiceNamePrefix`: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure.-- `storageAccountNamePrefix`: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix.-- `storageAccountType`: The options are Premium_LRS, Standard_LRS, and Standard_GRS. # [Portal](#tab/azure-portal) The parameters to create the managed resources: - App Service plan name: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription. - App Service name prefix: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure. -1. Enter a prefix for the storage account name and select the storage account type. Select Next. - - :::image type="content" source="./media/deploy-service-catalog-quickstart/storage-settings.png" alt-text="Screenshot that shows the information needed to create a storage account."::: - - - Storage account name prefix: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix. - - Storage account type: Select Change type to choose a storage account type. The default is Standard_LRS. The other options are Premium_LRS, Standard_LRS, and Standard_GRS. - ### Deploy the managed application -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Run the following command to deploy the managed application. After the service catalog managed application is deployed, you have two new reso After the deployment is finished, you can check your managed application's status. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Run the following command to check the managed application's status. Select the managed application's name to get more information like the link to t You can view the resources deployed to the managed resource group. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) To display the managed resource group's resources, run the following command. You created the `$mrgname` variable when you created the parameters. The role assignment gives the application's publisher access to manage the stora When you're finished with the managed application, you can delete the resource groups and that removes all the resources you created. For example, in this quickstart you created the resource groups _applicationGroup_ and a managed resource group with the prefix _mrg-sampleManagedApplication_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group.
azure-resource-manager	Publish Bicep Definition	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-bicep-definition.md	Title: Use Bicep to create and publish an Azure Managed Application definition description: Describes how to use Bicep to create and publish an Azure Managed Application definition in your service catalog. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Use Bicep to create and publish an Azure Managed Application definition param appServicePlanName string @maxLength(47) param appServiceNamePrefix string -@description('Storage account name prefix.') -@maxLength(11) -param storageAccountNamePrefix string - -@description('Storage account type allowed values') -@allowed([ - 'Premium_LRS' - 'Standard_LRS' - 'Standard_GRS' -]) -param storageAccountType string - -var appServicePlanSku = 'F1' +var appServicePlanSku = 'B1' var appServicePlanCapacity = 1 var appServiceName = '${appServiceNamePrefix}${uniqueString(resourceGroup().id)}' -var storageAccountName = '${storageAccountNamePrefix}${uniqueString(resourceGroup().id)}' -var appServiceStorageConnectionString = 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};Key=${storageAccount.listKeys().keys[0].value}' +var linuxFxVersion = 'DOTNETCORE\|8.0' -resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = { +resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = { name: appServicePlanName location: location sku: { name: appServicePlanSku capacity: appServicePlanCapacity } + kind: 'linux' + properties: { + zoneRedundant: false + reserved: true + } } -resource appServiceApp 'Microsoft.Web/sites@2023-12-01' = { +resource appService 'Microsoft.Web/sites@2023-01-01' = { name: appServiceName location: location properties: { serverFarmId: appServicePlan.id httpsOnly: true + redundancyMode: 'None' siteConfig: { - appSettings: [ - { - name: 'AppServiceStorageConnectionString' - value: appServiceStorageConnectionString - } - ] + linuxFxVersion: linuxFxVersion + minTlsVersion: '1.2' + ftpsState: 'Disabled' } } } -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = { - name: storageAccountName - location: location - sku: { - name: storageAccountType - } - kind: 'StorageV2' - properties: { - accessTier: 'Hot' - allowSharedKeyAccess: false - minimumTlsVersion: 'TLS1_2' - } -} - -output appServicePlan string = appServicePlan.name -output appServiceApp string = appServiceApp.properties.defaultHostName -output storageAccount string = storageAccount.properties.primaryEndpoints.blob +output appServicePlan string = appServicePlanName +output appServiceApp string = appService.properties.defaultHostName ``` ## Convert Bicep to JSON Use PowerShell or Azure CLI to build the _mainTemplate.json_ file. Go to the directory where you saved your Bicep file and run the `build` command. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```powershell bicep build mainTemplate.bicep After the Bicep file is converted to JSON, your _mainTemplate.json_ file should "metadata": { "_generator": { "name": "bicep", - "version": "0.27.1.19265", - "templateHash": "1262990362980206722" + "version": "0.30.3.12046", + "templateHash": "16466621031230437685" } }, "parameters": { After the Bicep file is converted to JSON, your _mainTemplate.json_ file should "metadata": { "description": "App Service name prefix." } - }, - "storageAccountNamePrefix": { - "type": "string", - "maxLength": 11, - "metadata": { - "description": "Storage account name prefix." - } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ], - "metadata": { - "description": "Storage account type allowed values" - } } }, "variables": { - "appServicePlanSku": "F1", + "appServicePlanSku": "B1", "appServicePlanCapacity": 1, "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]", - "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]" + "linuxFxVersion": "DOTNETCORE\|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms", - "apiVersion": "2023-12-01", + "apiVersion": "2023-01-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[variables('appServicePlanSku')]", "capacity": "[variables('appServicePlanCapacity')]" + }, + "kind": "linux", + "properties": { + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites", - "apiVersion": "2023-12-01", + "apiVersion": "2023-01-01", "name": "[variables('appServiceName')]", "location": "[parameters('location')]", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "httpsOnly": true, + "redundancyMode": "None", "siteConfig": { - "appSettings": [ - { - "name": "AppServiceStorageConnectionString", - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" } }, "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ] - }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-04-01", - "name": "[variables('storageAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "kind": "StorageV2", - "properties": { - "accessTier": "Hot", - "allowSharedKeyAccess": false, - "minimumTlsVersion": "TLS1_2" - } } ], "outputs": { After the Bicep file is converted to JSON, your _mainTemplate.json_ file should }, "appServiceApp": { "type": "string", - "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-12-01').defaultHostName]" - }, - "storageAccount": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').primaryEndpoints.blob]" + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" } } } After the Bicep file is converted to JSON, your _mainTemplate.json_ file should As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes. -In this example, the user interface prompts you to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure. +In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. During deployment of _mainTemplate.json_ the `appServiceName` variables uses the `uniqueString` function to append a 13-character string to the name prefix so the name is globally unique across Azure. Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. Add the following JSON code to the file and save it. "visible": true } ] - }, - { - "name": "storageConfig", - "label": "Storage settings", - "subLabel": { - "preValidation": "Configure the storage settings", - "postValidation": "Completed" - }, - "elements": [ - { - "name": "storageAccounts", - "type": "Microsoft.Storage.MultiStorageAccountCombo", - "label": { - "prefix": "Storage account name prefix", - "type": "Storage account type" - }, - "toolTip": { - "prefix": "Enter maximum of 11 lowercase letters or numbers.", - "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS." - }, - "defaultValue": { - "type": "Standard_LRS" - }, - "constraints": { - "allowedTypes": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ] - }, - "visible": true - } - ] } ], "outputs": { "location": "[location()]", "appServicePlanName": "[steps('webAppSettings').appServicePlanName]", - "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]", - "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]", - "storageAccountType": "[steps('storageConfig').storageAccounts.type]" + "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]" } } } Add the two files to a package file named _app.zip_. The two files must be at th Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder `<pkgstorageaccountname>` including the angle brackets (`<>`), with your unique storage account name. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) In Visual Studio Code, open a new PowerShell terminal and sign in to your Azure subscription. $pkgstorageaccount = New-AzStorageAccount @pkgstorageparms The `$pkgstorageparms` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values. -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md) and [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file. This example uses a security group, and your Microsoft Entra account should be a To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $principalid=(Get-AzADGroup -DisplayName <managedAppDemo>).Id principalid=$(az ad group show --group <managedAppDemo> --query id --output tsv) Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use the variable's value when you deploy the managed application definition. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $roleid=(Get-AzRoleDefinition -Name Owner).Id The following table describes the parameter values for the managed application d \| Parameter \| Value \| \| - \| - \| \| `managedApplicationDefinitionName` \| Name of the managed application definition. For this example, use _sampleBicepManagedApplication_.\| -\| `packageFileUri` \| Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. The format is `https://yourStorageAccountName.blob.core.windows.net/appcontainer/app.zip`. \| +\| `packageFileUri` \| Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. \| \| `principalId` \| The publishers principal ID that needs permissions to manage resources in the managed resource group. Use your `principalid` variable's value. \| \| `roleId` \| Role ID for permissions to the managed resource group. For example Owner, Contributor, Reader. Use your `roleid` variable's value. \| When you deploy the managed application's definition, it becomes available in yo Create a resource group named _bicepDefinitionGroup_ and deploy the managed application definition. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name bicepDefinitionGroup -Location westus az deployment group create \ Run the following command to verify the definition is published in your service catalog. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell Get-AzManagedApplicationDefinition -ResourceGroupName bicepDefinitionGroup If you're going to deploy the definition, continue with the Next steps secti If you're finished with the managed application definition, you can delete the resource groups you created named _packageStorageGroup_ and _bicepDefinitionGroup_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group.
azure-resource-manager	Publish Service Catalog App	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-app.md	Title: Create and publish Azure Managed Application in service catalog description: Describes how to create and publish an Azure Managed Application in your service catalog using Azure PowerShell, Azure CLI, or Azure portal. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Create and publish an Azure Managed Application definition Every managed application definition includes a file named _mainTemplate.json_. Open Visual Studio Code, create a file with the case-sensitive name _mainTemplate.json_ and save it. -Add the following JSON and save the file. It defines the resources to deploy an App Service, App Service plan, and storage account for the application. This storage account isn't used to store the managed application definition. +Add the following JSON and save the file. It defines the resources to deploy an App Service and App Service plan. The template uses the App Service Basic plan (B1) that has pay-as-you-go costs. For more information, see [Azure App Service on Linux pricing](https://azure.microsoft.com/pricing/details/app-service/linux/). ```json { Add the following JSON and save the file. It defines the resources to deploy an "metadata": { "description": "App Service name prefix." } - }, - "storageAccountNamePrefix": { - "type": "string", - "maxLength": 11, - "metadata": { - "description": "Storage account name prefix." - } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ], - "metadata": { - "description": "Storage account type allowed values" - } } }, "variables": { - "appServicePlanSku": "F1", + "appServicePlanSku": "B1", "appServicePlanCapacity": 1, "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]", - "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]" + "linuxFxVersion": "DOTNETCORE\|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms", - "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[variables('appServicePlanSku')]", "capacity": "[variables('appServicePlanCapacity')]" + }, + "kind": "linux", + "properties": { + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites", - "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[variables('appServiceName')]", "location": "[parameters('location')]", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "httpsOnly": true, + "redundancyMode": "None", "siteConfig": { - "appSettings": [ - { - "name": "AppServiceStorageConnectionString", - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').keys[0].value)]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" } }, "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ] - }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-01-01", - "name": "[variables('storageAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "kind": "StorageV2", - "properties": { - "accessTier": "Hot", - "allowSharedKeyAccess": false, - "minimumTlsVersion": "TLS1_2" - } } ], "outputs": { Add the following JSON and save the file. It defines the resources to deploy an }, "appServiceApp": { "type": "string", - "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-09-01').defaultHostName]" - }, - "storageAccount": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" } } } Add the following JSON and save the file. It defines the resources to deploy an As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes. -In this example, the user interface prompts you to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure. +In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. During deployment of _mainTemplate.json_ the `appServiceName` variables uses the `uniqueString` function to append a 13-character string to the name prefix so the name is globally unique across Azure. Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. Add the following JSON code to the file and save it. "visible": true } ] - }, - { - "name": "storageConfig", - "label": "Storage settings", - "subLabel": { - "preValidation": "Configure the storage settings", - "postValidation": "Completed" - }, - "elements": [ - { - "name": "storageAccounts", - "type": "Microsoft.Storage.MultiStorageAccountCombo", - "label": { - "prefix": "Storage account name prefix", - "type": "Storage account type" - }, - "toolTip": { - "prefix": "Enter maximum of 11 lowercase letters or numbers.", - "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS." - }, - "defaultValue": { - "type": "Standard_LRS" - }, - "constraints": { - "allowedTypes": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ] - }, - "visible": true - } - ] } ], "outputs": { "location": "[location()]", "appServicePlanName": "[steps('webAppSettings').appServicePlanName]", - "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]", - "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]", - "storageAccountType": "[steps('storageConfig').storageAccounts.type]" + "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]" } } } Add the two files to a package file named _app.zip_. The two files must be at th Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder `<pkgstorageaccountname>` including the angle brackets (`<>`), with your unique storage account name. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) In Visual Studio Code, open a new PowerShell terminal and sign in to your Azure subscription. $pkgstorageaccount = New-AzStorageAccount @pkgstorageparms The `$pkgstorageparms` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values. -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md) and [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file. Create a storage account in a new resource group: - Resource group: Select Create new to create the _packageStorageGroup_ resource group. - Storage account name: Enter a unique storage account name. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. - - Region: _West US3_ + - Region: _West US_ - Performance: _Standard_ - Redundancy: _Locally-redundant storage (LRS)_. In this section, you get identity information from Microsoft Entra ID, create a The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use this variable's value when you deploy the managed application definition. In the portal, the group ID and role ID are configured when you publish the mana ### Publish the managed application definition -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) Create a resource group for your managed application definition. To publish a managed application definition from the Azure portal, use the follo - Create a new resource group named _appDefinitionGroup_. - Instance details: - Name: Enter a name like _instance-name_. The name isn't used in the definition but the form requires an entry. - - Region: _West US3_ + - Region: _West US_ - Application details: - Name: _sampleManagedApplication_ - Display name: _Sample managed application_ To publish a managed application definition from the Azure portal, use the follo - Roles: Select _Owner_. - Select principals: Select your group's name like _managedAppDemo_. - The Lock level on the managed resource group prevents the customer from performing undesirable operations on this resource group. Currently, `Read Only` is the only supported lock level. `Read Only` specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level. + The Lock level on the managed resource group prevents the customer from performing undesirable operations on this resource group. `Read Only` specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level. 1. After Validation Passed is displayed, select Create. If you're going to deploy the definition, continue with the Next steps secti If you're finished with the managed application definition, you can delete the resource groups you created named _packageStorageGroup_ and _appDefinitionGroup_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group.
azure-resource-manager	Publish Service Catalog Bring Your Own Storage	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-bring-your-own-storage.md	Title: Bring your own storage to create and publish an Azure Managed Application description: Describes how to bring your own storage to create and publish an Azure Managed Application definition in your service catalog. Previously updated : 06/24/2024 Last updated : 09/22/2024 # Quickstart: Bring your own storage to create and publish an Azure Managed Application definition Add the following JSON and save the file. It defines the managed application's r "metadata": { "description": "App Service name prefix." } - }, - "storageAccountNamePrefix": { - "type": "string", - "maxLength": 11, - "metadata": { - "description": "Storage account name prefix." - } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ], - "metadata": { - "description": "Storage account type allowed values" - } } }, "variables": { - "appServicePlanSku": "F1", + "appServicePlanSku": "B1", "appServicePlanCapacity": 1, "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]", - "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]" + "linuxFxVersion": "DOTNETCORE\|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms", - "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[variables('appServicePlanSku')]", "capacity": "[variables('appServicePlanCapacity')]" + }, + "kind": "linux", + "properties": { + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites", - "apiVersion": "2022-09-01", + "apiVersion": "2023-01-01", "name": "[variables('appServiceName')]", "location": "[parameters('location')]", "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", "httpsOnly": true, + "redundancyMode": "None", "siteConfig": { - "appSettings": [ - { - "name": "AppServiceStorageConnectionString", - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').keys[0].value)]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" } }, "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ] - }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-01-01", - "name": "[variables('storageAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "kind": "StorageV2", - "properties": { - "accessTier": "Hot", - "allowSharedKeyAccess": false, - "minimumTlsVersion": "TLS1_2" - } } ], "outputs": { Add the following JSON and save the file. It defines the managed application's r }, "appServiceApp": { "type": "string", - "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-09-01').defaultHostName]" - }, - "storageAccount": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" } } } Add the following JSON and save the file. It defines the managed application's r As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes. -In this example, the user interface prompts you to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure. +In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. During deployment of _mainTemplate.json_ the `appServiceName` variables uses the `uniqueString` function to append a 13-character string to the name prefix so the name is globally unique across Azure. Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. Add the following JSON code to the file and save it. "visible": true } ] - }, - { - "name": "storageConfig", - "label": "Storage settings", - "subLabel": { - "preValidation": "Configure the storage settings", - "postValidation": "Completed" - }, - "elements": [ - { - "name": "storageAccounts", - "type": "Microsoft.Storage.MultiStorageAccountCombo", - "label": { - "prefix": "Storage account name prefix", - "type": "Storage account type" - }, - "toolTip": { - "prefix": "Enter maximum of 11 lowercase letters or numbers.", - "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS." - }, - "defaultValue": { - "type": "Standard_LRS" - }, - "constraints": { - "allowedTypes": [ - "Premium_LRS", - "Standard_LRS", - "Standard_GRS" - ] - }, - "visible": true - } - ] } ], "outputs": { "location": "[location()]", "appServicePlanName": "[steps('webAppSettings').appServicePlanName]", - "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]", - "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]", - "storageAccountType": "[steps('storageConfig').storageAccounts.type]" + "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]" } } } Add the two files to a package file named _app.zip_. The two files must be at th Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder `<pkgstorageaccountname>` including the angle brackets (`<>`), with your unique storage account name. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name packageStorageGroup -Location westus $pkgstorageaccount = New-AzStorageAccount @pkgstorageparms The `$pkgstorageparms` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values. -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md) and [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file. Create the storage account for your managed application definition. The storage This example creates a new resource group named `byosDefinitionStorageGroup`. In the command, replace the placeholder `<byosaccountname>` including the angle brackets (`<>`), with your unique storage account name. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name byosDefinitionStorageGroup -Location westus byosstorageid=$(az storage account show --resource-group $byosrg --name $byosstg Before you deploy your managed application definition to your storage account, assign the Contributor role to the Appliance Resource Provider user at the storage account scope. This assignment lets the identity write definition files to your storage account's container. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) You can use variables to set up the role assignment. This example uses the `$byosstorageid` variable you created in the previous step and creates the `$arpid` variable. This example uses a security group, and your Microsoft Entra account should be a To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $principalid=(Get-AzADGroup -DisplayName <managedAppDemo>).Id principalid=$(az ad group show --group <managedAppDemo> --query id --output tsv) Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use the variable's value when you deploy the managed application definition. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell $roleid=(Get-AzRoleDefinition -Name Owner).Id The following table describes the parameter values for the managed application d \| - \| - \| \| `managedApplicationDefinitionName` \| Name of the managed application definition. For this example, use _sampleByosManagedApplication_.\| \| `definitionStorageResourceID` \| Resource ID for the storage account where the definition is stored. Use your `byosstorageid` variable's value. \| -\| `packageFileUri` \| Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. The format is `https://yourStorageAccountName.blob.core.windows.net/appcontainer/app.zip`. \| +\| `packageFileUri` \| Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. \| \| `principalId` \| The publishers Principal ID that needs permissions to manage resources in the managed resource group. Use your `principalid` variable's value. \| \| `roleId` \| Role ID for permissions to the managed resource group. For example Owner, Contributor, Reader. Use your `roleid` variable's value. \| When you deploy the managed application's definition, it becomes available in yo Create a resource group named _byosAppDefinitionGroup_ and deploy the managed application definition to your storage account. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell New-AzResourceGroup -Name byosAppDefinitionGroup -Location westus az deployment group create \ During deployment, the template's `storageAccountId` property uses your storage account's resource ID and creates a new container with the case-sensitive name `applicationdefinitions`. The files from the _.zip_ package you specified during the deployment are stored in the new container. -You can use the following commands to verify that the managed application definition files are saved in your storage account's container. In the command, replace the placeholder `<byosaccountname>` including the angle brackets (`<>`), with your unique storage account name. +You can use the following commands to verify that the managed application definition files are saved in your storage account's container. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell Get-AzStorageContainer -Name applicationdefinitions -Context $byosstoragecontext \| After a successful deployment, to improve the storage account's security, disabl To review and update the storage account's shared access key settings, use the following commands: -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell (Get-AzStorageAccount -ResourceGroupName $byosstorageaccount.ResourceGroupName -Name $byosstorageaccount.StorageAccountName).AllowSharedKeyAccess If you're going to deploy the definition, continue with the Next steps secti If you're finished with the managed application definition, you can delete the resource groups you created named _packageStorageGroup_, _byosDefinitionStorageGroup_, and _byosAppDefinitionGroup_. -# [PowerShell](#tab/azure-powershell) +# [Azure PowerShell](#tab/azure-powershell) The command prompts you to confirm that you want to remove the resource group.
azure-resource-manager	Reference Main Template Artifact	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/reference-main-template-artifact.md	Title: Template artifact reference description: Provides an example of the deployment template artifact for Azure Managed Applications. Previously updated : 06/21/2024 Last updated : 09/22/2024 # Reference: Deployment template artifact The following JSON shows an example of _mainTemplate.json_ file for Azure Manage ```json { - "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "location": { "type": "string", - "defaultValue": "eastus", - "allowedValues": [ - "australiaeast", - "eastus", - "westeurope" - ], - "metadata": { - "description": "Location for the resources." - } - }, - "funcname": { - "type": "string", - "metadata": { - "description": "Name of the Azure Function that hosts the code. Must be globally unique" - }, - "defaultValue": "" + "defaultValue": "[resourceGroup().location]" }, - "storageName": { + "appServicePlanName": { "type": "string", + "maxLength": 40, "metadata": { - "description": "Name of the storage account that hosts the function. Must be globally unique. The field can contain only lowercase letters and numbers. Name must be between 3 and 24 characters" - }, - "defaultValue": "" + "description": "App Service plan name." + } }, - "zipFileBlobUri": { + "appServiceNamePrefix": { "type": "string", - "defaultValue": "https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.customproviders/custom-rp-with-function/artifacts/functionzip/functionpackage.zip", + "maxLength": 47, "metadata": { - "description": "The Uri to the uploaded function zip file" + "description": "App Service name prefix." } } }, "variables": { - "customrpApiversion": "2018-09-01-preview", - "customProviderName": "public", - "serverFarmName": "functionPlan" + "appServicePlanSku": "B1", + "appServicePlanCapacity": 1, + "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]", + "linuxFxVersion": "DOTNETCORE\|8.0" }, "resources": [ { "type": "Microsoft.Web/serverfarms", - "apiVersion": "2016-09-01", - "name": "[variables('serverFarmName')]", + "apiVersion": "2023-01-01", + "name": "[parameters('appServicePlanName')]", "location": "[parameters('location')]", "sku": { - "name": "Y1", - "tier": "Dynamic", - "size": "Y1", - "family": "Y", - "capacity": 0 + "name": "[variables('appServicePlanSku')]", + "capacity": "[variables('appServicePlanCapacity')]" }, - "kind": "functionapp", + "kind": "linux", "properties": { - "name": "[variables('serverFarmName')]", - "perSiteScaling": false, - "reserved": false, - "targetWorkerCount": 0, - "targetWorkerSizeId": 0 + "zoneRedundant": false, + "reserved": true } }, { "type": "Microsoft.Web/sites", - "kind": "functionapp", - "name": "[parameters('funcname')]", - "apiVersion": "2018-02-01", + "apiVersion": "2023-01-01", + "name": "[variables('appServiceName')]", "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]", - "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]" - ], - "identity": { - "type": "SystemAssigned" - }, "properties": { - "name": "[parameters('funcname')]", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", + "httpsOnly": true, + "redundancyMode": "None", "siteConfig": { - "appSettings": [ - { - "name": "AzureWebJobsDashboard", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2015-05-01-preview').key1)]" - }, - { - "name": "AzureWebJobsStorage", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2015-05-01-preview').key1)]" - }, - { - "name": "FUNCTIONS_EXTENSION_VERSION", - "value": "~2" - }, - { - "name": "AzureWebJobsSecretStorageType", - "value": "Files" - }, - { - "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2015-05-01-preview').key1)]" - }, - { - "name": "WEBSITE_CONTENTSHARE", - "value": "[concat(toLower(parameters('funcname')), 'b86e')]" - }, - { - "name": "WEBSITE_NODE_DEFAULT_VERSION", - "value": "6.5.0" - }, - { - "name": "WEBSITE_RUN_FROM_PACKAGE", - "value": "[parameters('zipFileBlobUri')]" - } - ] - }, - "clientAffinityEnabled": false, - "reserved": false, - "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]" - } - }, - { - "type": "Microsoft.Storage/storageAccounts", - "name": "[parameters('storageName')]", - "apiVersion": "2018-02-01", - "kind": "StorageV2", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_LRS" - } - }, - { - "apiVersion": "[variables('customrpApiversion')]", - "type": "Microsoft.CustomProviders/resourceProviders", - "name": "[variables('customProviderName')]", - "location": "[parameters('location')]", - "properties": { - "actions": [ - { - "name": "ping", - "routingType": "Proxy", - "endpoint": "[listSecrets(resourceId('Microsoft.Web/sites/functions', parameters('funcname'), 'HttpTrigger1'), '2018-02-01').trigger_url]" - }, - { - "name": "users/contextAction", - "routingType": "Proxy", - "endpoint": "[listSecrets(resourceId('Microsoft.Web/sites/functions', parameters('funcname'), 'HttpTrigger1'), '2018-02-01').trigger_url]" - } - ], - "resourceTypes": [ - { - "name": "users", - "routingType": "Proxy,Cache", - "endpoint": "[listSecrets(resourceId('Microsoft.Web/sites/functions', parameters('funcname'), 'HttpTrigger1'), '2018-02-01').trigger_url]" - } - ] + "linuxFxVersion": "[variables('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "Disabled" + } }, "dependsOn": [ - "[concat('Microsoft.Web/sites/',parameters('funcname'))]" + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" ] } ], - "outputs": {} + "outputs": { + "appServicePlan": { + "type": "string", + "value": "[parameters('appServicePlanName')]" + }, + "appServiceApp": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]" + } + } } ``` ## Next steps -- [Tutorial: Create managed application with custom actions and resources](tutorial-create-managed-app-with-custom-provider.md) - [Reference: User interface elements artifact](reference-createuidefinition-artifact.md) - [Reference: View definition artifact](reference-view-definition-artifact.md)
azure-resource-manager	Request Just In Time Access	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/request-just-in-time-access.md	Title: Request just-in-time access description: Describes how publishers of Azure Managed Applications request just-in-time access to a managed application.- Last updated 06/24/2024- # Enable and request just-in-time access for Azure Managed Applications
cdn	Tier Migration	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/tier-migration.md	Title: About Azure CDN from Microsoft (classic) to Azure Front Door migration (preview) + Title: About Azure CDN from Microsoft (classic) to Azure Front Door migration description: This article explains the migration process and changes expected when changing from Azure CDN from Microsoft (classic) to Azure Front Door Standard or Premium tier. Last updated 06/25/2024 -# About Azure CDN from Microsoft (classic) to Azure Front Door migration (preview) - -> [!IMPORTANT] -> Azure CDN from Microsoft to Azure Front Door migration is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +# About Azure CDN from Microsoft (classic) to Azure Front Door migration Azure Front Door Standard and Premium tier were released in March 2022 as the next generation content delivery network service. The newer tiers combine the capabilities of Azure Front Door (classic), Microsoft CDN (classic), and Web Application Firewall (WAF). With features such as Private Link integration, enhanced rules engine and advanced diagnostics you have the ability to secure and accelerate your web applications to bring a better experience to your customers.
communication-services	Best Practices	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/best-practices.md	This article provides information about best practices related to the Azure Comm [!INCLUDE [Native](includes/best-practices-native.md)] ::: zone-end -## Next steps -For more information, see the following articles: +## Related content - [Improve and manage call quality](./voice-video-calling/manage-call-quality.md)-- [Call Diagnostics](./voice-video-calling/call-diagnostics.md) +- [Use Call Diagnostics to diagnose call problems](./voice-video-calling/call-diagnostics.md) - [Add voice calling to your app](../quickstarts/voice-video-calling/getting-started-with-calling.md)-- [Use the UI Library for enhance calling experiences](./ui-library/ui-library-overview.md) +- [Use the UI Library for enhanced calling experiences](./ui-library/ui-library-overview.md)
communication-services	Capabilities	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/guest/capabilities.md	This article describes which capabilities Azure Communication Services SDKs supp \| Group of features \| Capability \| Supported \| \| -- \| - \| - \| -\| Core capabilities \| Join Teams meeting via URL \| Γ£ö∩╕Å \| -\| \| Join Teams meeting via meeting ID & passcode \| Γ£ö∩╕Å \| +\| Core capabilities \| Join Teams for Work meeting [7] via URL \| Γ£ö∩╕Å \| +\| \| Join Teams for Work meeting [7] via meeting ID & passcode \| Γ£ö∩╕Å \| +\| \| Join Teams for Home meeting [7] \| Γ¥î \| \| \| Join [end-to-end encrypted Teams meeting](/microsoftteams/teams-end-to-end-encryption) \| Γ¥î \| \| \| Join channel Teams meeting \| Γ£ö∩╕Å [1]\| \| \| Join Teams [webinars](/microsoftteams/plan-webinars) \| Γ¥î \| This article describes which capabilities Azure Communication Services SDKs supp 1. The Communication Services calling SDK doesn't receive a signal that a user is admitted and waiting for the meeting to start. The UI library doesn't support chat while waiting for the meeting to start. 1. The Communication Services chat SDK shows the real identity of attendees. 1. Functionality isn't available for users who aren't part of the organization. +1. If you are using Microsoft 365 work and school account then you use Teams for Work. If you schedule a meeting with this identity, the meeting's URL ends with `teams.microsoft.com`. If you are using personal account then you use Teams for Home. If you schedule a meeting with this identity, the meeting's URL ends with `teams.live.com`. Learn more about those accounts in our [documentation](https://support.microsoft.com/account-billing/what-s-the-difference-between-a-microsoft-account-and-a-work-or-school-account-72f10e1e-cab8-4950-a8da-7c45339575b0). ## Server capabilities
communication-services	Troubleshooting Pstn Call Failures	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/telephony/troubleshooting-pstn-call-failures.md	Title: Troubleshooting PSTN call failures - Azure Communication Services -description: How to troubleshoot PSTN call failures by logging and viewing call codes. + Title: Troubleshoot PSTN call failures - Azure Communication Services +description: Learn how to troubleshoot PSTN call failures by logging and viewing call codes. Last updated 11/24/2023 audience: ITPro -# Troubleshooting Azure Communication Services PSTN call failures +# Troubleshoot Azure Communication Services PSTN call failures -When troubleshooting Azure Communication Services PSTN call failures, we recommended that you [enable logging](../analytics/enable-logging.md). Then you can use `ResultCategories`, `ParticipantEndReason`, and `ParticipantEndSubCode` values to determine why an individual call ended and whether the system detected any failures. +When you're troubleshooting Azure Communication Services PSTN call failures, we recommend that you [enable logging](../analytics/enable-logging.md). Then you can use `ResultCategories`, `ParticipantEndReason`, and `ParticipantEndSubCode` values to determine why an individual call ended and whether the system detected any failures. -## Using ResultCategories to troubleshoot PSTN call failures +## Use ResultCategories to troubleshoot failures -The `ResultCategories` array is a property of the [Call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema) and contains a list of general reasons describing how the call ended. +The `ResultCategories` array is a property of the [call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema). It contains a list of general reasons that describe how the call ended: -General reasons that a call ended: +- `Success` +- `Failure` +- `UnexpectedClientError` +- `UnexpectedServerError` -- Success-- Failure-- UnexpectedClientError-- UnexpectedServerError +This information can help you determine why a call ended without generating a detailed error log. -This information can help developers determine why a call ended without generating a detailed error log. +## Use ParticipantEndReason and ParticipantEndSubCode to troubleshoot failures -If this level of detail isn't sufficient, then developers can use `ParticipantEndReason` and `ParticipantEndSubCode` to understand the reasons for call end in greater detail. For more information, see the next section. +If the level of detail in `ResultCategories` isn't sufficient when you're troubleshooting PSTN calls, you can use `ParticipantEndReason` and `ParticipantEndSubCode` to understand the reasons why a call ended in greater detail. `ParticipantEndReason` and `ParticipantEndSubCode` are also properties of the [call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema). -## Using ParticipantEndReason and ParticipantEndSubCode to troubleshoot PSTN call failures +### ParticipantEndReason -The `ParticipantEndReason` and `ParticipantEndSubCode` are properties of the [Call summary log schema](../analytics/logs/voice-and-video-logs.md#call-summary-log-schema) and provide more details about why the call ended. +`ParticipantEndReason` is a three-digit code that shows the general call status. This code explains why the call ended and groups failures by category. For example, `ParticipantEndReason 404` means that caller or callee wasn't found. `ParticipantEndReason 500` means that a service error occurred. -When you're troubleshooting PSTN calls, use these two properties to understand why the call ended as follows: +This code is based on Session Initiation Protocol (SIP) response codes. For more information, see Wikipedia's [list of SIP response codes](https://en.wikipedia.org/wiki/List_of_SIP_response_codes). -- `ParticipantEndReason`: A three-digit code that shows the general call status. This code explains why the call ended, and groups failures by category. For example, `ParticipantEndReason 404` tells us that caller/callee wasn't found, `ParticipantEndReason 500` means that a service error occurred, and so on. This code is based on the SIP response codes. For more information, see Wikipedia's [List of SIP response codes](https://en.wikipedia.org/wiki/List_of_SIP_response_codes). +### ParticipantEndSubCode -- `ParticipantEndSubCode` : A more specific response code, usually six digits long, that explains in greater detail why there was a problem with the call. +`ParticipantEndSubCode` is a more specific response code that's usually six digits long. It explains in greater detail why there was a problem with the call. -## Understanding the ParticipantEndSubCode relationship +A key factor in troubleshooting Azure Communication Services PSTN calls is determining whether the final SIP response code for the call came from a Microsoft process or the user's/operator's session border controller (SBC). An easy way to determine where the code originated is to look at the `ParticipantEndSubCode` response. -A key factor in troubleshooting Azure Communication Services PSTN calls is determining whether the final response code for the call comes from a Microsoft process or the users/operators Session Border Controller (SBC). An easy way to determine where the code originated is to look at the `ParticipantEndSubCode` response. +If the `ParticipantEndSubCode` value starts with `560`, it indicates that the user's/operator's SBC generated the response code. In that case, you should check the SBC configuration. -If the `ParticipantEndSubCode` starts with 560, it indicates that the response code is generated by the users/operators Session Border Controller (SBC), so developers should check their SBC configuration. +For example, if the `ParticipantEndSubCode` value is `560403`, it means that the SBC generated the final response code, and the code is `403`. In that case, you should start troubleshooting the calls by using the SBC logs. -- For example, if the `ParticipantEndSubCode` is 560403, it means that the final response code is generated by the SBC, and the last three digits indicate SIP response code 403. In this case, a developer should start troubleshooting the calls using the SBC logs. +For `ParticipantEndSubCode` responses that don't start with `560`, the Microsoft service generated the final response code. -For all other `ParticipantEndSubCode` responses that don't start with 560, the final response code is generated by a Microsoft service. +## Related content -## Detailed information on individual error codes - -For more information about common error codes and suggested actions, see [Troubleshooting call end response codes for Calling SDK, Call Automation SDK, and PSTN calls](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). - -## Related articles - -For more information, see [Troubleshooting in Azure Communication Services](../troubleshooting-info.md). +- For general troubleshooting information, see [Troubleshooting in Azure Communication Services](../troubleshooting-info.md). +- For detailed information about common error codes and suggested actions, see [Troubleshooting call end response codes for Calling SDK, Call Automation SDK, and PSTN calls](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md).
communication-services	Call Diagnostics	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/call-diagnostics.md	Title: Azure Communication Services Call Diagnostics- -description: Use Call Diagnostics to diagnose call issues with Azure Communication Services + +description: Learn how to use Call Diagnostics to diagnose call problems with Azure Communication Services. -- # Call Diagnostics -Azure Communication Services offers call quality analytics and visualizations so you can investigate call metrics, events, and understand detected quality issues in your Communication Services calling solution. - -Understanding your call quality and reliability is foundational to -delivering a great customer calling experience. There are various -issues that can affect the quality of your calls, such as poor internet -connectivity, software compatibility issues, and technical difficulties -with devices. These issues can be frustrating for all call participants, -whether they're a patient checking in for a doctorΓÇÖs call, or a student -taking a lesson with their teacher. As a developer, diagnosing and -fixing these issues can be time-consuming and frustrating. - -Call Diagnostics acts as a detective for your calls. It helps developers -using Azure Communication Services investigate events that happened in a call to -identify likely causes of poor call quality and reliability. Just like a -real conversation, many things happen simultaneously in a call that may -or may not affect your communication. Call DiagnosticsΓÇÖ timeline makes -it easier to visualize what happened in a call by showing you rich data -visualizations of call events and providing insights into issues that -commonly affect calls. - -## How to enable Call Diagnostics - -Azure Communication Services collects call data in the form of metrics -and events. You must enable a Diagnostic Setting in Azure Monitor to -send these data to a Log Analytics workspace for Call Diagnostics to -analyze new call data. --- -> [!IMPORTANT] -> Call Diagnostics canΓÇÖt query data from data that wasnΓÇÖt sent to a Log Analytics workspace. Diagnostic Settings will only begin collect data by single Azure Communications Services Resource ID once enabled. See our Frequently Asked Question on enabling Call Diagnostics [here](#frequently-asked-questions) +Azure Communication Services offers call quality analytics and visualizations in Call Diagnostics. You can use this feature to investigate call metrics, investigate events, and understand detected quality problems in your Communication Services calling solution. +Understanding call quality and reliability is foundational to delivering a great customer experience. Various problems can affect the quality of calls, such as poor internet connectivity, software incompatibilities, and technical difficulties with devices. These problems can be frustrating for all call participants, whether they're a patient checking in for a doctor's call or a student taking a lesson with a teacher. For a developer, diagnosing and fixing these problems can be time-consuming. -Since Call Diagnostics is an application layer on top of data for your -Azure Communications Service Resource, you can query these call data and -[build workbook reports on top of your data.](/azure/azure-monitor/logs/data-platform-logs#built-in-insights-and-custom-dashboards-workbooks-and-reports) +Call Diagnostics acts as a detective for calls. It helps developers who use Azure Communication Services to investigate events that happened in a call. The goal of the investigation is to identify likely causes of poor call quality and reliability. -You can access Call Diagnostics from any Azure Communication Services -Resource in your Azure portal. When you open your Azure Communications -Services Resource, just look for the ΓÇ£MonitoringΓÇ¥ section on the left -side of the screen and select "Call Diagnostics." +Just like a real conversation, many things happen simultaneously in a call that might or might not affect communication. The timeline in Call Diagnostics makes it easier to visualize what happened in a call. It shows you rich data visualizations of call events and provides insights into problems that commonly affect calls. -Once you have setup Call Diagnostics for your Azure Communication Services Resource, you can search for calls using valid callIDs that took place in that resource. Data can take several hours after call completion to appear in your resource and populate in Call Diagnostics. +## How to enable Call Diagnostics -Call Diagnostics has four main sections: +Azure Communication Services collects call data in the form of metrics and events. For Call Diagnostics to analyze new call data, you must enable a diagnostic setting in Azure Monitor. Azure Monitor then sends this data to a Log Analytics workspace. -- [Call Search](#call-search) +> [!IMPORTANT] +> Call Diagnostics can query only data that's sent to a Log Analytics workspace. Diagnostic settings begin collecting data by a single Azure Communications Services resource ID after you enable the diagnostic setting. -- [Call Overview](#call-overview) +Because Call Diagnostics is an application layer on top of data for your Azure Communications Services resource, you can query the call data and [build workbook reports on top of your data](/azure/azure-monitor/logs/data-platform-logs#built-in-insights-and-custom-dashboards-workbooks-and-reports). -- [Call Issues](#call-issues) +You can access Call Diagnostics from any Azure Communication Services resource in the Azure portal. After you open your Azure Communications Services resource, look for the Monitoring section on the service menu and select Call Diagnostics. -- [Call Timeline](#call-timeline) +After you set up Call Diagnostics for your Azure Communication Services resource, you can search for calls by using valid IDs for calls that took place in that resource. Data can take several hours after call completion to appear in your resource and populate in Call Diagnostics. -## Call Search +The following sections describe the main areas of the Call Diagnostics pane in the portal. -The search section lets you find individual calls, or filter calls to explore calls with issues. Clicking on a call takes you to a detail screen where you -see three sections, Overview, Issues, and Timeline for the -selected call. +## Call search -The search field allows you to search by callID. See our documentation to [access your client call ID.](../troubleshooting-info.md#access-your-client-call-id) +The portal lists all calls by default. The search box lets you find individual calls, or filter calls to explore calls that have problems. Selecting a call takes you to a detail pane that has three tabs: Overview, Issues, and Timeline. -![Screenshot of the Call Diagnostics Call Search showing recent calls for your Azure Communications Services Resource.](media/call-diagnostics-all-calls-3.png) +You can search by call ID in the search box. To find a call ID, see [Access your client call ID](../troubleshooting-info.md#access-your-client-call-id). +![Screenshot of a Call Diagnostics search that shows recent calls for an Azure Communications Services resource.](media/call-diagnostics-all-calls-3.png) > [!NOTE] > You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. -## Call Overview - -Once you select a call from the Call Search page, your call details display in the Call Overview tab. You see a call summary highlighting -the participants in the call and key metrics for their call quality. You -can select a participant to drill into their call timeline details -directly or navigate to the Call Issues tab for further analysis. +## Call overview -![Screenshot of the Call Diagnostics Call Overview tab which which shows you an overview of the call you selected in the previous Call Search view.](media/call-diagnostics-call-overview-2.png) +After you select a call, its details appear on the Overview tab. This tab shows a call summary that highlights the participants and key metrics for their call quality. You can select a participant to drill into their call timeline details directly, or you can go to the Issues tab for further analysis. -> [!NOTE] -> You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. +![Screenshot of the Call Diagnostics Overview tab for a selected call.](media/call-diagnostics-call-overview-2.png) -## Call Issues +## Call issues -The Call Issues tab gives you a high-level analysis of any media quality -and reliability issues that were detected during the call. +The Issues tab gives you a high-level analysis of any media quality and reliability problems that Call Diagnostics detected during the call. -Call Issues highlights detected issues commonly known to affect userΓÇÖs call -quality such as poor network conditions, speaking while muted, or device -failures during a call. If you want to explore a detected issue, select -the highlighted item and you see a prepopulated view of the -related events in the Timeline tab. +This tab highlights detected problems commonly known to affect a user's call quality, such as poor network conditions, speaking while muted, or device failures. If you want to explore a detected problem, select the highlighted item. A prepopulated view of the related events appears on the Timeline tab. -![Screenshot of the Call Diagnostics Call Issues tab showing you the top issues detected in the call you selected.](media/call-diagnostics-call-issues-2.png) +![Screenshot of the Call Diagnostics Issues tab that shows the top problems detected in a selected call.](media/call-diagnostics-call-issues-2.png) -> [!NOTE] -> You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. +## Call timeline -## Call Timeline +When call problems are difficult to troubleshoot, you can explore the Timeline tab to see a detailed sequence of events that occurred during the call. -When call issues are difficult to troubleshoot, you can explore the -timeline tab to see a detailed sequence of events that occurred during -the call. +The timeline view is complex. It's designed for developers who need to explore details of a call and interpret detailed debugging data. In large calls, the timeline view can present an overwhelming amount of information. We recommend that you use filtering to narrow your search results and reduce complexity. -The timeline view is complex and designed for developers who need to explore details of a call and interpret detailed debugging data. In -large calls the timeline view can present an overwhelming amount of -information, we recommend relying on filtering to narrow your search -results and reduce complexity. +You can view detailed call logs for each participant within a call. Call information might not be present for various reasons, such as privacy constraints between calling resources. -You can view detailed call logs for each participant within a call. Call information may not be present due to various reasons such as privacy constraints between different calling resources. See frequently asked questions to learn more. - -![Screenshot of the Call Diagnostics Call Timeline tab showing you the detailed events in a timeline view for the call you selected.](media/call-diagnostics-call-timeline-2.png) +![Screenshot of the Call Diagnostics Timeline tab that shows detailed events in a timeline view for a selected call.](media/call-diagnostics-call-timeline-2.png) ## Copilot in Azure for Call Diagnostics -Artificial Intelligence can help app developers across every step of the development lifecycle: designing, building, and operating. Developers with [Microsoft Copilot in Azure (preview)](/azure/copilot/overview) can use Copilot in Azure within Call Diagnostics to understand and resolve a variety of calling issues. For example, developers can ask Copilot in Azure questions, such as: +AI can help app developers across every step of the development lifecycle: designing, building, and operating. Developers can use [Microsoft Copilot in Azure (preview)](/azure/copilot/overview) within Call Diagnostics to understand and resolve a variety of calling problems. For example, developers can ask Copilot in Azure these questions: - How do I run network diagnostics in Azure Communication Services VoIP calls? - How can I optimize my calls for poor network conditions?-- What are the common causes of poor media streams in Azure Communication calls?-- The video on my call didnΓÇÖt work, how do I fix the subcode 41048?- -![Screenshot of the Call Diagnostics Call Search showing recent calls for your Azure Communications Services Resource and the response from Copilot in Azure.](media/call-diagnostics-all-calls-copilot.png) - -<!-- > [!NOTE] -> You can explore information icons and links within Call Diagnostics to learn functionality, definitions, and helpful tips. --> -- -<!-- # Common issues - -Issue categories can include: --- Azure Communication Services issue--- Calling deployment issue--- Network issue--- User actions or inactions (e.g. not allowing device permissions), - driving through a tunnel. - -To help you get started, you will find below the steps to triage common -issues using Call Diagnostics. - -*ΓÇ£Other participants couldnΓÇÖt hear me on the callΓÇ¥* - -Dive into the audio section for the participant to see if there are any -issues detected. In the case below, we see that the microphone was muted -unexpectedly. In other cases, we might see errors with the deviceΓÇÖs set -up and permissions. - -(<u>TODO insert image)</u> - -*ΓÇ£My video was choppy and pixelatedΓÇ¥* -Explore the video section for the participant to see if a poor network -connection in a call may have caused the issue. - -(<u>TODO insert image)</u> - -*ΓÇ£My call unexpectedly droppedΓÇ¥* -<u>TODO -</u> Show how you might drill down to show the end-user -lost connection. - -(<u>TODO insert image)</u> - -*ΓÇ£Other participants couldnΓÇÖt see me on the callΓÇ¥* -Show how you might drill down to show the status of the camera in the -call and any detected failures. - -(<u>TODO insert image)</u> - -## Call quality resources - -Ensuring good call quality starts with your calling setup, please -explore our documentation to learn how you can use the UI Library to -benefit from our quality and reliability tools \<[link to manage call -quality](https://learn.microsoft.com/azure/communication-services/concepts/voice-video-calling/manage-call-quality)\>. --> - -## Frequently asked questions: --- How do I set up Call Diagnostics? - - Follow instructions to add diagnostic settings for your resource here [Enable logs via Diagnostic Settings in Azure Monitor.](../analytics/enable-logging.md) We recommend you initially collect all logs and then determine which logs you want to retain and for how long after you have an understanding of the capabilities in Azure Monitor. When adding your diagnostic setting you are prompted to [select logs](../analytics/enable-logging.md#adding-a-diagnostic-setting), select "allLogs" to collect all logs. - - - Your data volume, retention, and Call Diagnostics query usage in Log Analytics within Azure Monitor is billed through existing Azure data meters. We recommend you monitor your data usage and retention policies for cost considerations as needed. See: [Controlling costs.](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs) - - - If you have multiple Azure Communications Services Resource IDs you must enable these settings for each resource ID and query call details for participants within their respective Azure Communications Services Resource ID. - - - If Azure Communication Services participants join from different Azure Communication Services Resources, how do they display in Call Diagnostics - - - Participants from other Azure Communication Services resources will have limited information in Call Diagnostics. The participants that belong to the resource you open Call Diagnostics will have all available insights shown. --- What are the common call issues I might see and how can I fix them?- - - Here are resources for common call issues. For an overview of troubleshooting strategies for more information on isolating call issues. Please see: [Overview of general troubleshooting strategies](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/overview.md) - - - If you see common error messages or descriptions. See: -[Understanding error messages and codes](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/understanding-error-codes.md) - - - If users are unable to join calls. See: -[Overview of call setup issues](../../resources/troubleshooting/voice-video-calling/call-setup-issues/overview.md) - - - If users have camera or microphone issues. For example, they canΓÇÖt hear someone. See: [Overview of device and permission issues](../../resources/troubleshooting/voice-video-calling/device-issues/overview.md) - - - If call participants have audio issues. For example, they sound like a robot or hear an echo. See: [Overview of audio issues](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md) - - - If call participants have video issues. For example, their video looks fuzzy, or cuts in and out. See: [Overview of video issues](../../resources/troubleshooting/voice-video-calling/video-issues/overview.md) --- How do I use Copilot in Azure (preview) in Call Diagnostics?- - - Your organization needs to manage access to [Microsoft Copilot in Azure (preview)](/azure/copilot/overview). Once your organization has access to Copilot in Azure (preview), the Call Diagnostics interface will include the option to 'Diagnose with Copilot' in the Search, Overview, and Issues tabs. - - Leverage Copilot in Azure for Call Diagnostics to improve call quality by detailing problems faced during Azure Communication Services calls. Giving Copilot in Azure detailed information from Call Diagnostics will help it enhance analysis, identify issues, and identify fixes. Be aware that Copilot in Azure currently lacks programmatic access to your call details. - -<!-- 1. If Teams participants join a call, how will they display in Call - Diagnostics? - - 1. If a Teams participant organized the call through Microsoft - Teams, that participant will appear as a participant in Call - Diagnostics, however they'll have fewer call details populated. - - 2. If there were other Teams participants besides the Teams meeting - organizer, those participants won't appear in Call - Diagnostics. --> -- -<!-- 1. My call had issues, but Call Diagnostics doesnΓÇÖt show any issues. - - a. Call Diagnostics relies on several common call issues to help diagnose calls. Issues can still occur outside of the existing telemetry or can be caused by unlisted call participants you arenΓÇÖt allowed to view due to privacy restrictions. --> - -<!-- 1. What types of calls are visible in Call Diagnostics? - - a. Call types included. - 1. Includes call data for Web JS SDK, Native SKD, PSTN, Call Automation. - - 1. Includes some Call Automation Bot data edges - - a. Partial data. +- What are the common causes of poor media streams in Azure Communication Services calls? +- The video on my call didn't work. How do I fix the subcode 41048? - a. Different SDKs, privacy considerations may prevent you from receiving those data. --> +![Screenshot of a Call Diagnostics search that shows recent calls for an Azure Communications Services resource and a response from Copilot in Azure.](media/call-diagnostics-all-calls-copilot.png) +## Frequently asked questions +### How do I set up Call Diagnostics? +Follow instructions to add diagnostic settings for your resource in [Enable logs via Diagnostic Settings in Azure Monitor](../analytics/enable-logging.md). We recommend that you initially collect all logs. After you understand the capabilities in Azure Monitor, determine which logs you want to retain and for how long. When you add your diagnostic setting, you're prompted to [select logs](../analytics/enable-logging.md#adding-a-diagnostic-setting). To collect all logs, select allLogs. +Your data volume, retention, and Call Diagnostics query usage in Log Analytics within Azure Monitor is billed through existing Azure data meters. We recommend that you monitor your data usage and retention policies for cost considerations as needed. For more information, see [Controlling costs](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs). +If you have multiple Azure Communications Services resource IDs, you must enable these settings for each resource ID and query call details for participants within their respective resource IDs. +Participants who join from other Azure Communication Services resources have limited information in Call Diagnostics. The participants who belong to the resource when you open Call Diagnostics have all available insights shown. -## Next steps +### What are the common call problems I might see, and how can I fix them? -- Learn how to manage call quality, see: [Improve and manage call quality](manage-call-quality.md) +Here are resources for common call problems: +- For an overview of troubleshooting strategies and for more information on isolating call problems, see [Overview of general troubleshooting strategies](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/overview.md). -- Explore troubleshooting guidance, see: [Overview of general troubleshooting strategies](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md) +- For descriptions of common error messages, see [Understanding error messages and codes](../../resources/troubleshooting/voice-video-calling/general-troubleshooting-strategies/understanding-error-codes.md). -- Continue to learn other quality best practices, see: [Best practices: Azure Communication Services calling SDKs](../best-practices.md) +- If users can't join calls, see [Overview of call setup issues](../../resources/troubleshooting/voice-video-calling/call-setup-issues/overview.md). -- Learn how to use the Log Analytics workspace, see: [Log Analytics Tutorial](/azure/azure-monitor/logs/log-analytics-tutorial) +- If users have camera or microphone problems (for example, they can't hear someone), see [Overview of device and permission issues](../../resources/troubleshooting/voice-video-calling/device-issues/overview.md). -- Create your own queries in Log Analytics, see: [Get Started Queries](/azure/azure-monitor/logs/get-started-queries) +- If call participants have audio problems (for example, they sound like a robot or hear an echo), see [Overview of audio issues](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md). -- Explore known call issues, see: [Known issues in the SDKs and APIs](../known-issues.md) +- If call participants have video problems (for example, their video looks fuzzy or cuts in and out), see [Overview of video issues](../../resources/troubleshooting/voice-video-calling/video-issues/overview.md). +### How do I use Copilot in Azure (preview) in Call Diagnostics? +Your organization manages access to [Microsoft Copilot in Azure (preview)](/azure/copilot/overview). After your organization has access to Copilot in Azure, the Call Diagnostics interface includes the Diagnose with Copilot option in the search area, on the Overview tab, and on the Issues tab. +Use Copilot in Azure for Call Diagnostics to improve call quality by detailing problems faced during Azure Communication Services calls. Giving Copilot in Azure detailed information from Call Diagnostics will help it enhance analysis, identify problems, and identify fixes. Be aware that Copilot in Azure currently lacks programmatic access to your call details. -<!-- added to the toc.yml file at row 583. +## Related content - - name: Monitor and manage call quality - items: - - name: Manage call quality - href: concepts/voice-video-calling/manage-call-quality.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - - name: End of Call Survey - href: concepts/voice-video-calling/end-of-call-survey-concept.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - --> +- Learn how to manage call quality: [Improve and manage call quality](manage-call-quality.md). +- Explore troubleshooting guidance: [Overview of audio issues](../../resources/troubleshooting/voice-video-calling/audio-issues/overview.md). +- Learn about other quality best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md). +- Learn how to use the Log Analytics workspace: [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial). +- Create your own queries in Log Analytics: [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries). +- Explore known call issues: [Known issues in the SDKs and APIs](../known-issues.md).
communication-services	End Of Call Survey Concept	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/end-of-call-survey-concept.md	Title: Azure Communication Services End of Call Survey overview-+ description: Learn about the End of Call Survey. -- # End of Call Survey overview -The End of Call Survey provides you with a tool to understand how your end users perceive the overall quality and reliability of your Calling SDK solution. +The End of Call Survey is a tool that helps you understand how your users perceive the overall quality and reliability of your Calling SDK solution. ## Purpose of the End of Call Survey -ItΓÇÖs difficult to determine a customerΓÇÖs perceived calling experience and determine how well your calling solution is performing without gathering subjective feedback from customers. You can use the End of Call Survey to collect and analyze customers subjective opinions on their calling experience as opposed to relying only on objective measurements such as audio and video bitrate, jitter, and latency, which may not indicate if a customer had a poor calling experience. -After publishing survey data, you can view the survey results through Azure for analysis and improvements. Azure Communication Services uses these survey results to monitor and improve quality and reliability. +It's difficult to determine a customer's perceived calling experience and understand how well your calling solution is performing unless you gather feedback. You can use the End of Call Survey to collect and analyze customers' subjective opinions on their calling experience. Relying only on objective measurements, such as audio and video bitrate, jitter, and latency, might not indicate if a customer had a poor calling experience. +After you publish survey data, you can view the survey results through Azure for analysis and improvements. Azure Communication Services uses these survey results to monitor and improve quality and reliability. ## Survey structure -The survey is designed to answer two questions from a userΓÇÖs point of view. --- Question 1: How did the users perceive their overall call quality experience?--- Question 2: Did the user perceive any Audio, Video, or Screen Share issues in the call?- -The API allows applications to gather data points that describe user perceived ratings of their Overall Call, Audio, Video, and Screen Share experiences. Microsoft analyzes survey API results according to the following goals. - +The survey is designed to answer two questions: +- How did the user perceive the overall experience of call quality? +- Did the user perceive any problems with audio, video, or screen sharing in the call? -### End of Call Survey API goals +The API enables applications to gather data points that describe user-perceived ratings of their overall call, audio, video, and screen-sharing experiences. Microsoft analyzes survey API results according to the following goals. - -\| API Rating Categories \| Question Goal \| +\| API rating category \| Question goal \| \| -- \| -- \| -\| Overall Call \| Responses indicate how a call participant perceived their overall call quality. \| -\| Audio \| Responses indicate if the user perceived any Audio issues. \| -\| Video \| Responses indicate if the user perceived any Video issues. \| -\| Screenshare \| Responses indicate if the user perceived any Screen Share issues. \| -- +\| Overall call \| Responses indicate how a call participant perceived overall call quality. \| +\| Audio \| Responses indicate if the user perceived any audio problems. \| +\| Video \| Responses indicate if the user perceived any video problems. \| +\| Screen sharing \| Responses indicate if the user perceived any screen-sharing problems. \| ## Survey capabilities -- ### Default survey API configuration -\| API Rating Categories \| Cutoff Value* \| Input Range \| Comments \| -\| -- \| -- \| -- \| -- \| -\| Overall Call \| 2 \| 1 - 5 \| Surveys a calling participantΓÇÖs overall quality experience on a scale of 1-5. A response of 1 indicates an imperfect call experience and 5 indicates a perfect call. The cutoff value of 2 means that a customer response of 1 or 2 indicates a less than perfect call experience. \| -\| Audio \| 2 \| 1 - 5 \| A response of 1 indicates an imperfect audio experience and 5 indicates no audio issues were experienced. \| -\| Video \| 2 \| 1 - 5 \| A response of 1 indicates an imperfect video experience and 5 indicates no video issues were experienced. \| -\| Screenshare \| 2 \| 1 - 5 \| A response of 1 indicates an imperfect screen share experience and 5 indicates no screen share issues were experienced. \| - +\| API rating category \| Cutoff value \| Input range \| Comments \| +\| -- \| -- \| -- \| -- \| +\| Overall call \| 2 \| 1 - 5 \| Surveys a calling participant's overall quality experience on a scale of 1 to 5. A response of 1 indicates an imperfect call experience. A response of 5 indicates a perfect call. The cutoff value of 2 means that a response of 1 or 2 indicates a less-than-perfect call experience. \| +\| Audio \| 2 \| 1 - 5 \| A response of 1 indicates an imperfect audio experience. A response of 5 indicates that the customer experienced no audio problems. \| +\| Video \| 2 \| 1 - 5 \| A response of 1 indicates an imperfect video experience. A response of 5 indicates that the customer experienced no video problems. \| +\| Screen sharing \| 2 \| 1 - 5 \| A response of 1 indicates an imperfect screen-sharing experience. A response of 5 indicates that the customer experienced no screen-sharing problems. \| - -> [!NOTE] ->A questionΓÇÖs indicated cutoff value in the API is the threshold that Microsoft uses when analyzing your survey data. When you customize the cutoff value or Input Range, Microsoft analyzes your survey data according to your customization. +> [!NOTE] +> A question's indicated cutoff value in the API is the threshold that Microsoft uses when analyzing your survey data. When you customize the cutoff value or input range, Microsoft analyzes your survey data according to your customizations. ### More survey tags -\| Rating Categories \| Optional Tags \| + +\| Rating category \| Optional tags \| \| -- \| -- \| -\| Overall Call \| `CallCannotJoin` `CallCannotInvite` `HadToRejoin` `CallEndedUnexpectedly` `OtherIssues` \| +\| Overall call \| `CallCannotJoin` `CallCannotInvite` `HadToRejoin` `CallEndedUnexpectedly` `OtherIssues` \| \| Audio \| `NoLocalAudio` `NoRemoteAudio` `Echo` `AudioNoise` `LowVolume` `AudioStoppedUnexpectedly` `DistortedSpeech` `AudioInterruption` `OtherIssues` \| \| Video \| `NoVideoReceived` `NoVideoSent` `LowQuality` `Freezes` `StoppedUnexpectedly` `DarkVideoReceived` `AudioVideoOutOfSync` `OtherIssues` \| -\| Screenshare \| `NoContentLocal` `NoContentRemote` `CannotPresent` `LowQuality` `Freezes` `StoppedUnexpectedly` `LargeDelay` `OtherIssues` \| --- -### End of Call Survey customization - +\| Screen sharing \| `NoContentLocal` `NoContentRemote` `CannotPresent` `LowQuality` `Freezes` `StoppedUnexpectedly` `LargeDelay` `OtherIssues` \| -You can choose to collect each of the four API values or only the ones you find most important. For example, you can choose to only ask customers about their overall call experience instead of asking them about their audio, video, and screen share experience. You can also -customize input ranges to suit your needs. The default input range is 1 -to 5 for Overall Call, Audio, Video, and Screenshare. However, each API value can be customized from a minimum of 0 to maximum of 100. +### End of Call Survey customization options -### Customization options +You can choose to collect all of the four API values or only the ones that you find most important. For example, you can choose to ask customers about only their overall call experience and not ask about their audio, video, and screen-sharing experience. +You can also customize input ranges to suit your needs. The default input range is 1 to 5 for overall call, audio, video, and screen sharing. However, you can customize each API value from a minimum of 0 to maximum of 100. -\| API Rating Categories \| Cutoff Value* \| Input Range \| +\| API rating category \| Cutoff value \| Input range \| \| -- \| -- \| -- \| -\| Overall Call \| 0 - 100 \| 0 - 100 \| -\| Audio \| 0 - 100 \| 0 - 100 \| -\| Video \| 0 - 100 \| 0 - 100 \| -\| Screenshare \| 0 - 100 \| 0 - 100 \| - - > [!NOTE] - > A questionΓÇÖs indicated cutoff value in the API is the threshold that Microsoft uses when analyzing your survey data. When you customize the cutoff value or Input Range, Microsoft analyzes your survey data according to your customization. - -## Store and view survey data: - -> [!IMPORTANT] -> You must enable a Diagnostic Setting in Azure Monitor to send the log data of your surveys to a Log Analytics workspace, Event Hubs, or an Azure storage account to receive and analyze your survey data. If you do not send survey data to one of these options your survey data will not be stored and will be lost. To enable these logs for your Communications Services see our guidance: [End of Call Survey Logs](../analytics/logs/end-of-call-survey-logs.md). - -You cannot access your survey and it will not be stored unless you have enabled a Diagnostic Setting to capture your survey data. - -## Next Steps --- Learn how to use the End of Call Survey, see our tutorial: [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md) +\| Overall call \| 0 - 100 \| 0 - 100 \| +\| Audio \| 0 - 100 \| 0 - 100 \| +\| Video \| 0 - 100 \| 0 - 100 \| +\| Screen sharing \| 0 - 100 \| 0 - 100 \| -- Analyze your survey data, see: [End of Call Survey Logs](../analytics/logs/end-of-call-survey-logs.md) +## Storage of survey data for viewing -- Learn how to use the Log Analytics workspace, see: [Log Analytics Tutorial](/azure/azure-monitor/logs/log-analytics-tutorial) +To send the log data of your surveys to a Log Analytics workspace, an Azure Event Hubs instance, or an Azure storage account for analysis, you must enable a diagnostic setting in Azure Monitor. If you don't enable a diagnostic setting to send survey data to one of these options, your survey data won't be stored and will be lost. -- Create your own queries in Log Analytics, see: [Get Started Queries](/azure/azure-monitor/logs/get-started-queries) +To enable logs for Communications Services, see [End of Call Survey logs](../analytics/logs/end-of-call-survey-logs.md). +## Related content +- Learn how to use the End of Call Survey: [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). +- Analyze your survey data: [End of Call Survey logs](../analytics/logs/end-of-call-survey-logs.md). +- Learn how to use the Log Analytics workspace: [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial). +- Create your own queries in Log Analytics: [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries).
communication-services	Manage Call Quality	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/manage-call-quality.md	Title: Azure Communication Services Manage Calling Quality- -description: Learn how to improve and manage calling quality with Azure Communication Services. + Title: Azure Communication Services Manage Call Quality + +description: Learn how to improve and manage call quality with Azure Communication Services. -- # Improve and manage call quality -This article introduces key tools you can use to monitor, troubleshoot, -and improve call quality in Azure Communication Services. The following materials help you plan for the best end-user experience. Ensure you read our calling overview materials first to familiarize yourself. +This article introduces key tools that you can use to monitor, troubleshoot, and improve call quality in Azure Communication Services. The following materials help you plan for the best user experience. + +Before you read this article, become familiar with overview information about calling: -- Voice and Video Calling - [Azure Communication Services Calling SDK - overview](calling-sdk-features.md) +- Voice and video calling: [Azure Communication Services Calling SDK overview](calling-sdk-features.md) +- Phone calling: [Public Switched Telephone Network (PSTN) integration concepts](../telephony/telephony-concept.md) -- Phone Calling - [Public Switched Telephone Network (PSTN) integration - concepts](../telephony/telephony-concept.md) +## Prepare your network and prioritize important network traffic by using QoS -## Prepare your network and prioritize important network traffic using QoS +As your users start using Azure Communication Services for calls and meetings, they might experience a caller's voice breaking up or cutting in and out of a call or meeting. Shared video might freeze, or pixelate, or fail altogether. This problem is due to the IP packets that represent voice and video traffic encountering network congestion and arriving out of sequence or not at all. If it happens (or to prevent it from happening in the first place), use Quality of Service (QoS) by following the [network recommendations](network-requirements.md). -As your users start using Azure Communication Services for calls and meetings, they may experience a caller's voice breaking up or cutting in and out of a call or meeting. Shared video may freeze, or pixelate, or fail altogether. This is due to the IP packets that represent voice and video traffic encountering network congestion and arriving out of sequence or not at all. If this happens (or to prevent it from happening in the first place), use Quality of Service (QoS) by following our -[network recommendations](network-requirements.md). +With QoS, you prioritize delay-sensitive network traffic (for example, voice or video streams). You allow that traffic to "cut in line" in front of traffic that's less sensitive. An example of lower-priority traffic is downloading a new app. In that case, an extra second to download isn't a significant problem. -With QoS, you prioritize delay-sensitive network traffic (for example, voice or video streams), allowing it to "cut in line" in front of -traffic that is less sensitive (like downloading a new app, where an extra second to download isn't a significant deal). QoS identifies and marks all packets in real-time streams using Windows Group Policy Objects and a routing feature called Port-based Access Control Lists, which instructs your network to give voice, video, and screen sharing their own dedicated network bandwidth. +QoS identifies and marks all packets in real-time streams by using Windows Group Policy objects and a routing feature called Port-based Access Control Lists. That feature instructs your network to give voice, video, and screen sharing their own dedicated network bandwidth. -Ideally, you implement QoS on your internal network while getting ready to roll out your Azure Communication Services solution, but you can do it anytime. If you're small enough, you might not need QoS. +Ideally, you implement QoS on your internal network while getting ready to roll out your Azure Communication Services solution. But you can do it anytime. If your network is small enough, you might not need QoS. -For detailed guidance, see: [Network optimization](network-requirements.md#network-optimization). +For detailed guidance, see [Network optimization](network-requirements.md#network-optimization). ## Prepare your deployment for quality and reliability investigations -Quality has different definitions depending on the real-time -communication use case and perspective of the end users. There are many -variables that affect the perceived quality of a real-time calling -experience, an improvement in one variable may cause a negative changes -in another variable. For example, increasing the frame rate and -resolution of a video call increases network bandwidth utilization -and processing power. +Quality has different definitions, depending on the real-time communication use case and the perspective of the users. Many variables affect the perceived quality of a real-time calling experience. An improvement in one variable might cause a negative change in another variable. For example, increasing the frame rate and resolution of a video call increases network bandwidth utilization and processing power. -Therefore, you need to determine your customerΓÇÖs use cases and -requirements before starting your development. For example, a customer -who needs to monitor dozens of security cameras feeds simultaneously may -not need the maximum resolution and frame rate that each video stream -can provide. In this scenario, you could utilize our [Video constraints](video-constraints.md) capability to limit the amount of bandwidth used by each video stream. +Determine your customer's use cases and requirements before you start your development. For example, a customer who needs to monitor dozens of security camera feeds simultaneously might not need the maximum resolution and frame rate that each video stream can provide. In this scenario, you could use the [Video Constraints API](video-constraints.md) capability to limit the amount of bandwidth that each video stream uses. -## Logs on native platforms +## Implement logging on native platforms -Implementing logging as per the [logs file retrieval tutorial](../../tutorials/log-file-retrieval-tutorial.md) is critical to gathering details for native development. Detailed logs help in diagnosing issues specific to device models or OS versions. We encourage to the developers that start configuring the Logs API to get details around the call lifetime. +Implementing logging as described in the [tutorial about retrieving log files](../../tutorials/log-file-retrieval-tutorial.md) is critical to gathering details for native development. Detailed logs help in diagnosing problems specific to device models or OS versions. We encourage developers who start configuring the Logs API to get details about the call lifetime. ## Implement existing quality and reliability capabilities before deployment -> [!Note] -> We recommend you use our easy to implement samples since they are already optimized to give your users the best call quality. Please see: [Samples](../../overview.md#samples) - -If our calling samples don't meet your needs, or you decide to customize your solution please ensure you understand and implement the following capabilities in your custom calling scenarios. - -Before you launch and scale your customized Azure Communication Services calling -solution, implement the following capabilities to support a high quality calling experience. These tools help prevent common quality and reliability calling issues from happening and diagnose issues if they occur. Keep in mind, some of these call data aren't created or stored unless you implement them. - -The following sections detail the tools to implement at different phases of a call: --- Before a call-- During a call-- After a call- -## Before a call - -Pre-call readiness ΓÇô By using the pre-call checks Azure Communication Services provides, - you can learn a userΓÇÖs connection status before the call and take - proactive action on their behalf. For example, if you learn a userΓÇÖs - connection is poor you can suggest they turn off their video before - joining the call to have a better audio connection. - -<!-- This is not possible yet ... ~~You could also - have callers with poor network conditions join from [PSTN (Public - Switched Telephone Network) voice - calling](/azure/communication-services/concepts/telephony/telephony-concept).~~ --> -- -<!-- TODO need to add a Permissions section. - filippos for input --- needs OS level permissions.--- needs device permission.--- needs to return true for both Audio and Video. If false then know issues. review the Blog post on this best practice . . . -->-- -### Network Diagnostic Tool - -The Network Diagnostic Tool provides a hosted experience for - developers to validate call readiness during development.┬áYou can - check if a userΓÇÖs device and network conditions are optimal for - connecting to the service to ensure a great call experience. The tool - performs diagnostics on the network, devices, and call quality. - - - By using the network diagnostic tool, you can encourage users to resolve reliability issues and improve their network connection before joining a call. - +We recommend that you use [these easy-to-implement calling samples](../../overview.md#samples), because they're already optimized to give your users the best call quality. +If the samples don't meet your needs and you decide to customize your Azure Communication Services calling solution, implement the following capabilities to support a high-quality calling experience. The tools for these capabilities help prevent common quality and reliability problems from happening and diagnose problems if they occur. Keep in mind that some call data isn't created or stored unless you implement these capabilities. -- For more information, please see: [Network Diagnostics Tool](../developer-tools/network-diagnostic.md). - <!- - Tool](https://azurecommdiagnostics.net/) --> +The following sections detail the tools to implement at the phases of a call: +- Before a call: Pre-call readiness. +- During a call: In-call communication. +- After a call: Monitoring and troubleshooting call quality and reliability. +### Before a call -#### Pre-Call Diagnostics API +By using the pre-call checks that Azure Communication Services provides, you can learn a user's connection status before the call and take proactive action on their behalf. For example, if you learn that a user's connection is poor, you can suggest that they turn off their video before joining the call to have a better audio connection. -Maybe you want to build your own Network Diagnostic Tool or to perform a deeper integration of this tool into your application. If so, you can use the Pre-Call diagnostic APIs that run the Network Diagnostic Tool for the calling SDK. The Pre-Call Diagnostics API lets you customize the experience in your user interface. You can then run the same series of tests that the Network Diagnostic Tool uses to ensure compatibility, connectivity, and device permissions with a test call. You can decide the best way to tell users how to correct issues before calls begin. You can also perform specific checks when troubleshooting quality and reliability issues. +#### Network Diagnostic tool - <!- - join their audio from [PSTN (Public Switched Telephone Network) - voice - calling](/en-us/azure/communication-services/concepts/telephony/telephony-concept) - before they join.~~ --> +The Network Diagnostic tool provides a hosted experience for developers to validate call readiness during development.┬áYou can check if a user's device and network conditions are optimal for connecting to the service, to help ensure a great call experience. The tool performs diagnostics on the network, devices, and call quality. - - For example, if a user's hardware test has an issue, you can notify the users - involved to manage expectations and change for future calls. +By using the Network Diagnostic tool, you can encourage users to resolve reliability problems and improve their network connection before they join a call. -- For more information, please see: [Pre-Call diagnostic](pre-call-diagnostics.md). +For more information, see [Network Diagnostic tool](../developer-tools/network-diagnostic.md). -<!-- NOTE - developers can run a separate browser test now, but there's no use case specific to just doing that check we should highlight here. +##### Pre-Call API for diagnostics -### Browser support +Maybe you want to build your own diagnostic tool or perform a deeper integration of the Network Diagnostic tool into your application. If so, you can use the Pre-Call API to run the diagnostic tool for the Calling SDK. -When user's use unsupported browsers it can be difficult to diagnose call issues after they occur. To optimize call quality check if an application is running a supported browser before user's join to - ensure they can properly support audio and video calling. +The Pre-Call API lets you customize the experience in your user interface. You can then run the same series of tests that the Network Diagnostic tool uses to ensure compatibility, connectivity, and device permissions with a test call. You can decide the best way to tell users how to correct problems before calls begin. You can also perform specific checks when troubleshooting quality and reliability problems. -- To learn more, see: [How to verify if your application is running in a web browser supported by Azure Communication Services](../../how-tos/calling-sdk/browser-support.md). --> +For example, if a user's hardware test has a problem, you can notify the user to manage expectations and changes for future calls. +For more information, see [Pre-Call diagnostic](pre-call-diagnostics.md). -### Conflicting call clients +#### Conflicting call clients -Because Azure Communication Services Voice and Video call run on web and mobile browsers your users may have multiple browser tabs running separate instances of the Azure - Communication Services calling SDK. This can happen for various reasons. Maybe the user forget to close their previous tab. Maybe the user couldn't join a call without a meeting organizer present and they re-attempt to open the meeting join url link, which opens a separate mobile browser tab. No matter how a user ends up with multiple call browser tabs at the same time, it causes disruptions to audio and video - behavior on the call they're trying to participate in, referred to as the target call. You should make sure there aren't multiple browser tabs open before a call starts, and also monitor during the whole call lifecycle. You can pro-actively notify customers to close their excess tabs, or help them join a call correctly with useful messaging if they're unable to join a call initially. +Because Azure Communication Services voice and video calls run on web and mobile browsers, your users might have multiple browser tabs running separate instances of the Azure Communication Services Calling SDK. This situation can happen for various reasons, like these examples: - of Azure Communication Services running in a browser, see: [How to detect if an application using Azure Communication Services' SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). +- The user forgot to close a previous tab. +- The user couldn't join a call without a meeting organizer present. The user reattempts to select the link for joining the meeting, which opens a separate mobile browser tab. -## During a call +Having multiple call browser tabs at the same time causes disruptions to audio and video behavior on the call that the user is trying to join (that is, the target call). You should make sure that multiple browser tabs aren't open before a call starts and (through monitoring) during the whole life cycle of the call. You can proactively notify customers to close their excess tabs, or help them join a call correctly with useful messaging if they initially can't join a call. -In-call communication ΓÇô During a call, a userΓÇÖs network conditions - can worsen or they may run into reliability and compatibility issues, all of which can result in a poor calling experience. This section helps you apply capabilities to manage issues in a call and communicate with your users. +To check if user has multiple instances of Azure Communication Services running in a browser, see [How to detect if an application using the Azure Communication Services SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). -### User Facing Diagnostics (UFDs) +### During a call -When a user is in a call, it's important to proactively notify them in real-time about issues on their call. User Facing Diagnostics (UFDs) provide real-time flags for issues to the user such as having their - microphone muted while talking or having a poor network quality.┬áYou can nudge or act on their behalf. In addition to messaging, you can consider proactive approaches to protect the limited bandwidth a user has. You can tailor your user interface messages to best suite your scenarios. If you find users - donΓÇÖt consistently turn off their video upon receiving a notification - from you, then you can proactively turn a userΓÇÖs video off to - prioritize their audio connection, or even hide video capability from - customer in your User Interface before they join a call. +During a call, a user's network conditions can worsen, or they might run into reliability and compatibility problems. Those situations can result in a poor calling experience. The following sections help you apply capabilities to manage problems in a call and communicate with your users. -For example: +#### User Facing Diagnostics -- If there's a network issue identified you can prompt users to - turn off their video, change networks, or move to a location with a better network condition or connection. -- If there's a device issue identified, you can nudge the user to switch - devices. +When a user is in a call, it's important to notify them in real time about problems on their call. The User Facing Diagnostics feature provides real-time flags for problems that affect the user, such as having their microphone muted while talking or having a poor network quality. +You can tailor your user interface messages to best suit your scenarios. For example: -- For more information, please see: [User Facing Diagnostics](user-facing-diagnostics.md). +- If a flag identifies a network problem, you can prompt users to turn off their video, change networks, or move to a location that has a better network condition or connection. +- If a flag identifies a device problem, you can nudge the user to switch devices. +In addition to messaging, you can act on users' behalf and consider proactive approaches to protect the limited bandwidth that a user has. If you find that users don't consistently turn off their video after receiving a notification from you, you can proactively turn off a user's video to prioritize their audio connection. You can even hide video capability from customers in your user interface before they join a call. -### Video constraints +For more information, see [User Facing Diagnostics](user-facing-diagnostics.md). -Video streams consume large amounts of network bandwidth, if you know your users have limited network bandwidth or poor network conditions you can reduce control the network usage of a user's video connection with video constraints. When you limit the amount of bandwidth a user's video stream can consume you can protect the bandwidth needed for good audio quality in poor network environments. +#### Video constraints -- To learn more, see: [Video constraints](video-constraints.md). +Video streams consume large amounts of network bandwidth. If you know that your users have limited network bandwidth or poor network conditions, you can control the network usage of a user's video connection by using video constraints. When you limit the amount of bandwidth that a user's video stream can consume, you can protect the bandwidth needed for good audio quality in poor network environments. +To learn more, see [Video constraints](video-constraints.md). -### Volume indicator +#### Volume indicator -Sometimes users can't hear each other; maybe the speaker is too quiet, the listener's device doesn't receive the audio packets, or there's an audio device issue blocking the sound. Users don't know when they're speaking too quietly, or when the other person can't hear them. You can use the input and output indicator to indicate if a userΓÇÖs volume is low or absent and prompt a user to speak louder or investigate an audio device issue through your user interface. +Sometimes users can't hear each other. Maybe the speaker is too quiet, the listener's device doesn't receive the audio packets, or an audio device problem is blocking the sound. Users don't know when the other person can't hear them. You can use the input and output indicator to: -- For more information, please see: [Add volume indicator to your web calling](../../quickstarts/voice-video-calling/get-started-volume-indicator.md) +1. Indicate if a user's volume is low or absent. +1. Prompt the user to speak louder or investigate an audio device problem through your user interface. +For more information, see the [quickstart about adding a volume indicator to web calling](../../quickstarts/voice-video-calling/get-started-volume-indicator.md). -### Detailed media statistics +#### Media quality statistics +Because network conditions can change during a call, users can report poor audio and video quality even if they started the call without any problems. The media quality statistics feature gives you detailed quality metrics on each inbound and outbound audio, video, and screen-share stream. These detailed insights help you monitor calls in progress, show users their network quality status throughout a call, and debug individual calls. -Since network conditions can change during a call, users can report poor audio and video quality even if they started the call without issue. Our Media statistics give you detailed quality metrics on each inbound and outbound audio, video, and screen share stream. These detailed insights help you monitor calls in progress, show users their network quality status throughout a call, and debug individual calls. +The metrics in this feature help indicate problems on the Azure Communication Services Client SDK media streams for sending and receiving. As an example, you can actively monitor the outgoing video stream's `availableBitrate` value, notice a persistent drop below the recommended 1.5 Mbps, and notify the user that the video quality is degraded. -- These metrics help indicate issues on the Azure Communication Services client SDK send and receive media streams. As an example, you can actively monitor the outgoing video stream's `availableBitrate`, notice a persistent drop below the recommended 1.5 Mbps and notify the user their video quality is degraded. +Server log data gives you only a general summary of the call after it ends. The detailed media statistics provide low-level metrics throughout the call duration and afterward for deeper analysis. -- It's important to note that our Server Log data only give you an overall summary of the call after it ends. Our detailed Media Statistics provide low level metrics throughout the call duration for use in during the call and afterwards for deeper analysis. -- To learn more, see: [Media quality statistics](media-quality-sdk.md) +To learn more, see [Media quality statistics](media-quality-sdk.md). +#### Optimal Video Count API -### Optimal video count -During a group call with 2 or more participants a user's video quality can fluctuate due to changes in network conditions and their specific hardware limitations. By using the Optimal Video Count API, you can improve user call quality by understanding how many videos streams their local endpoint can render at a time without worsening quality. By implementing this feature, you can preserve the call quality and bandwidth of local endpoints that would otherwise attempt to render video poorly. The API exposes the property, optimalVideoCount, which dynamically changes in response to the network and hardware capabilities of a local endpoint. This information is available at runtime and updates throughout the call letting you adjust a userΓÇÖs visual experience as network and hardware conditions change. +During a group call with two or more participants, a user's video quality can fluctuate due to changes in network conditions and their specific hardware limitations. By using the Optimal Video Count API, you can improve a user's call quality by understanding how many video streams their local endpoint can render at a time without worsening quality. -- To implement, visit web platform guidance [Manage Video](/azure/communication-services/how-tos/calling-sdk/manage-video?pivots=platform-web) and review the section titled Remote Video Quality. +By implementing this feature, you can preserve the call quality and bandwidth of local endpoints that would otherwise attempt to render video poorly. The API exposes the property `optimalVideoCount`, which dynamically changes in response to the network and hardware capabilities of a local endpoint. This information is available at runtime and gets updates throughout the call, so you can adjust a user's visual experience as network and hardware conditions change. -<!-- NOTE - cannot link the URL to a sub-header within a pivoted document --> -### End of Call Survey +To implement this feature, see the web platform guidance [Manage video during calls](/azure/communication-services/how-tos/calling-sdk/manage-video?pivots=platform-web#remote-video-quality). -Customer feedback is invaluable, the End of Call Survey provides you with a tool to understand how your end users perceive the overall quality and reliability of your JavaScript / Web SDK calling solution. The survey can be modified to various survey formats if already have a survey solution in place. After publishing survey data, you can view the survey results in Azure Monitor for analysis and improvements. Azure Communication Services also uses the survey API results to monitor and improve your quality and reliability. +### After a call -- To learn more, see: [End of Call Survey overview](end-of-call-survey-concept.md)-- To implement, see: [Tutorial: Use End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md) +Before you release and scale your Azure Communication Services calling solution, implement the following monitoring capabilities for quality and reliability to ensure that you're collecting available logs and metrics. The call data isn't stored until you implement the capabilities, so you can't monitor and debug your call quality and reliability without them. +For more information, see [Azure Communication Services Voice Calling and Video Calling logs](../analytics/logs/voice-and-video-logs.md). - -## After a call -Monitor and troubleshoot call quality and reliability - Before you release and scale your Azure Communication Services calling solution, implement these quality and reliability monitoring capabilities -to ensure you collecting available logs and metrics. These call data aren't stored until you implement them so you won't be able to monitor and debug your call quality and reliability without them. --- For more information, see: [Azure Communication Services Voice Calling and Video Calling logs](../analytics/logs/voice-and-video-logs.md). - -### Start collecting call logs +#### Start collecting call logs Review this documentation to start collecting call logs: [Enable logs via Diagnostic Settings in Azure Monitor.](../analytics/enable-logging.md) -- We recommend you choose the category group "allLogs" and choose the destination detail of ΓÇ£Send to Log Analytics workspace" in order to view and analyze the data in Azure Monitor.-- If you don't have a Log Analytics workspace to send your data to, you'll need to [create one.](/azure/azure-monitor/logs/quick-create-workspace)-- We recommend you monitor your data usage and retention policies for cost considerations as needed. See: [Controlling costs.](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs)-- -### Diagnose calls with Call Diagnostics -Call Diagnostics is an Azure Monitor experience that delivers tailored insight through specialized telemetry and diagnostic pages in the Azure portal. - -Once you begin storing log data in your log analytics workspace, you can visualize your search for individual calls and visualize the data in Call Diagnostics. Within your Azure Monitor account you simply need to navigate to your Azure Communication Services resource and locate the Call Diagnostics blade in your side pane. -- See [Call Diagnostics](call-diagnostics.md) to learn how to best use this capability.- -<!-- #### sdkVersion --- Allows you to monitor the deployment of client versions. See our guidance <u>on Client Versions</u> to learn how old client versions can impact quality -->- -<!-- #### Call errors --- The `participantEndReason` is the reason a participant ends a connection. This data helps you identify common trends leading to unplanned call ends (when relevant). See our guidance on [Calling SDK error codes](../troubleshooting-info.md#calling-sdk-error-codes) -->-- -<!-- #### transportType --- A UDP connection is better than a TCP connection. See our guidance on <u>UDP vs. TCP</u> to learn how TCP connections can result in poor quality. -->- -<!-- #### <span class="mark">DRAFT UIHint later ΓÇô what is added quality value with Device, skd, custom tag?</span> --> -- -<!-- #### Summarized Media Quality logs --- These three logs give you insight on the average media quality during the call.- - - `roundTripTimeAvg` - - - `jitterAvg` - - - `packetLossRateAvg` --> +To view and analyze the data in Azure Monitor, we recommend that you choose the category group allLogs and choose the destination detail of Send to Log Analytics workspace. If you don't have a Log Analytics workspace to send your data to, [create one](/azure/azure-monitor/logs/quick-create-workspace). +We recommend that you monitor your data usage and retention policies for cost considerations as needed. For more information, see [Controlling costs](/azure/azure-monitor/essentials/diagnostic-settings#controlling-costs). -### Examine call quality with Voice and Video Insights Preview +#### Diagnose calls by using Call Diagnostics -Once you have enabled logs, you can view call insights in your Azure Resource using visualization examples: [Voice and video Insights](../analytics/insights/voice-and-video-insights.md) +Call Diagnostics is an Azure Monitor experience that delivers tailored insights through specialized telemetry and diagnostic pages in the Azure portal. -- You can modify the existing workbooks or even create your own: [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-overview) +After you begin storing log data in your Log Analytics workspace, you can visualize your search for individual calls and visualize the data in Call Diagnostics. In your Azure Monitor account, go to your Azure Communication Services resource and locate Call Diagnostics on the service menu. To learn how to best use this capability, see [Call Diagnostics](call-diagnostics.md). -- For examples of deeper suggested analysis see our [Query call logs](../analytics/query-call-logs.md) +#### Examine call quality by using voice and video insights +After you enable logs, you can view call insights in your Azure resource by using the visualization examples in [Voice and video insights](../analytics/insights/voice-and-video-insights.md). -#### Analyze end user sentiment with the End of Call Survey -Once you enable diagnostic settings to capture your survey data you can use our sample [call log queries](../analytics/query-call-logs.md) in Azure Log Analytics to analyze your user's perceived quality experience. User feedback can show you call issues you didn't know you had and help you prioritize your quality improvements. +You can modify the existing workbooks or even create your own. For more information, see [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-overview). -### Analyze your call data directly from the client -By collecting call data such as Media Statistics, User Facing Diagnostics, and pre-call API information you can review calls with - poor quality to conduct root cause analysis when troubleshooting issues. For example, a user may have an hour long call and report poor audio at one point in the call. +For examples of deeper suggested analysis, see [Query call logs](../analytics/query-call-logs.md). -The call may have fired a User Facing Diagnostic indicating a severe problem with the incoming or outgoing media steam quality. By storing the [detailed media statistics](media-quality-sdk.md) from the call you can review when the UFD occurred to see if there were high levels of packet loss, jitter, or latency around this time indicating a poor network condition. You explore whether the network was impacted by an external client's unmanaged network, unnecessary network traffic due to improper Quality of Service (QoS) network prioritization policies, or an unnecessary Virtual Private Network (VPN) for example. +#### Analyze user sentiment by using the End of Call Survey -> [!NOTE] -> As a rule, we recommend prioritizing a userΓÇÖs Audio connection bandwidth before their video connection and both audio and video before other network traffic. When a network is unable to support both audio and video, you can proactively disable a userΓÇÖs video or nudge a user to disable their video. +Customer feedback is invaluable. The End of Call Survey helps you understand how your users perceive the overall quality and reliability of your JavaScript or Web SDK calling solution. -### Request support +You can modify the survey to various formats if you already have a survey solution in place. After you publish survey data, you can view the results in Azure Monitor for analysis and improvements. Azure Communication Services also uses the Survey API results to monitor and improve call quality and reliability. -If you encounter quality or reliability issues you're unable to resolve and need support, you can submit a request for technical support. The more information you can provide in your request the better (native logs are crucial to optimize the response time), however you can still submit requests with partial information to start your inquiry. See: [How to create Azure support requests](/azure/azure-portal/supportability/how-to-create-azure-support-request). +To implement the feature, see [Tutorial: Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). After you enable diagnostic settings to capture your survey data, you can use [sample call log queries](../analytics/query-call-logs.md) in Azure Log Analytics to analyze your user's perceived quality experience. User feedback can show you call problems you didn't know you had and help you prioritize your quality improvements. -- If you're notified of license requirements while attempting to request technical support, you may need to choose a paid Azure support plan that best aligns to your needs. See: [Compare Support Plans](https://azure.microsoft.com/support/plans).-- If you prefer not to purchase support you can leverage community support. See: [Community Support](https://azure.microsoft.com/support/community/). +To learn more, see [End of Call Survey overview](end-of-call-survey-concept.md). -<!-- Free Public support options -Azure Community Support \| Microsoft Azure - This is a hub that allows you to search for a product/service and visit related sites such as: -Msdn forums (microsoft.com) -Newest Questions - Stack Overflow - Search for questions tagged 'azure-communication-services' -Server Fault - Q&A site for system & network admins -(General Feedback): Top (6645 ideas) ΓÇô Customer Feedback for ACE Community Tooling (azure.com) - This is our Azure Feedback site for Feature requests -Microsoft Q&A supported products \| Microsoft Docs - Home of technical questions and answers at Microsoft (Search for questions tagged 'azure-communication-services' & you can 'Follow' the tag) -New Issue ┬╖ Azure/Communication (github.com) or New Issue ┬╖ Azure/azure-sdk-for-media-services (github.com) - File an issue or search the known issues on our github repos --> +#### Analyze your call data directly from the client -### Other considerations -<!- - - [Azure logs and metrics for Teams external users](../interop/guest/monitor-logs-metrics.md) --> +By collecting call data such as media statistics, User Facing Diagnostics, and Pre-Call API information, you can review poor-quality calls to conduct root-cause analysis when you're troubleshooting problems. +For example, a user might have an hour-long call and report poor audio at one point in the call. The call might have fired a User Facing Diagnostic flag that indicated a severe problem with the quality of an incoming or outgoing media stream. +By storing the [detailed media statistics](media-quality-sdk.md) from the call, you can review when the User Facing Diagnostics flag occurred to see if high levels of packet loss, jitter, or latency around this time indicate a poor network condition. For example, you can explore whether the network was affected by an external client's unmanaged network, unnecessary network traffic due to improper QoS network prioritization policies, or an unnecessary virtual private network (VPN). +> [!NOTE] +> As a rule, we recommend prioritizing the bandwidth of a user's audio connection before their video connection. We recommend prioritizing both audio and video before other network traffic. When a network can't support both audio and video, you can proactively disable a user's video or nudge a user to disable their video. +#### Request support -- If you don't have access to your customerΓÇÖs Azure portal to view data tied to their Azure Resource ID you can request to query their workspaces to improve quality on their behalf. - - [Create a log query across multiple workspaces and apps in Azure Monitor](/azure/azure-monitor/logs/cross-workspace-query) +If you encounter quality or reliability problems that you can't resolve, you can submit a request for technical support. The more information you can provide in your request, the better. (Native logs are crucial to optimize the response time.) However, you can still submit requests with partial information to start your inquiry. For more information, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). +If you're notified of license requirements while you're trying to request technical support, you might need to choose a paid Azure support plan that best aligns to your needs. See [Compare support plans](https://azure.microsoft.com/support/plans). -## Next steps +If you prefer not to purchase support, you can take advantage of community support. See [Azure Community Support](https://azure.microsoft.com/support/community/). -- Continue to learn other best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md)-- Explore known issues: [Known issues in the SDKs and APIs](../known-issues.md)-- Learn how to debug calls: [Call Diagnostics](call-diagnostics.md)-- Learn how to use the Log Analytics workspace: [Log Analytics Tutorial](/azure/azure-monitor/logs/log-analytics-tutorial)-- Create your own queries in Log Analytics: [Get Started Queries](/azure/azure-monitor/logs/get-started-queries) +#### Other considerations +If you don't have access to your customer's Azure portal to view data tied to their Azure resource ID, you can request to query their workspaces to improve quality on their behalf. For more information, see [Query data across Log Analytics workspaces, applications, and resources in Azure Monitor](/azure/azure-monitor/logs/cross-workspace-query). -<!-- Comment this out - add to the toc.yml file at row 583. +## Related content - - name: Monitor and manage call quality - items: - - name: Manage call quality - href: concepts/voice-video-calling/manage-call-quality.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - - name: End of Call Survey - href: concepts/voice-video-calling/end-of-call-survey-concept.md - displayName: diagnostics, Survey, feedback, quality, reliability, users, end, call, quick - --> +- Learn other best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md). +- Explore known issues: [Known issues in the SDKs and APIs](../known-issues.md). +- Learn how to debug calls: [Call Diagnostics](call-diagnostics.md). +- Learn how to use the Log Analytics workspace: [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial). +- Create your own queries: [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries).
communication-services	Troubleshoot Web Voip Quality	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/troubleshoot-web-voip-quality.md	Title: Azure Communication Services troubleshooting VoIP call quality-+ description: Learn how to troubleshoot web VoIP call quality with Azure Communication Services. -# Troubleshooting VoIP call quality +# Troubleshoot VoIP call quality -This article describes how to troubleshoot and improve web VoIP call quality in Azure Communication Services. +This article describes how to troubleshoot and improve web Voice over Internet Protocol (VoIP) call quality in Azure Communication Services. -Voice and video calling experiences are an essential communication tool for businesses, organizations, and individuals in today's world. However, customers can experience quality issues. Quality in calls can be impacted based on four network parameters: bandwidth available, round-trip time (RTT), packet loss, and jitter. +Voice and video calling experiences are an essential communication tool for businesses, organizations, and individuals in today's world. However, customers can experience quality problems. Four network parameters can affect quality in calls: available bandwidth, round-trip time (RTT), packet loss, and jitter. -VoIP calling using Azure Communication Services is an efficient and reliable way to communicate. If quality issues arise, follow the troubleshooting steps in this article to ensure the best possible user experience. +If quality problems arise with VoIP calling in Azure Communication Services, follow the troubleshooting guidance in this article to ensure the best-possible user experience. -## Pre call check-up +## Network conditions that can cause quality problems -When using the internet at various locations, you experience different internet speeds. At home, internet speed and reliability can differ due to factors such as the type of internet connection, the quality of the router, and the number of devices connected to the network. In the office, internet speed and reliability can be impacted by the number of users on the network, the quality of the network infrastructure, and the type of internet connection. When you're using cellular data, internet speed and reliability can be affected by factors such as the strength of the cellular signal, the distance from the cell tower, and the number of users on the network. Additionally, some cellular plans have data caps or throttling, which can affect internet speed and reliability. +The following conditions can happen with audio during a call. -Overall, internet connections can vary depending on the location and the factors that affect the quality of the connection. It's important to test network ability. +### Choppy or robotic-sounding audio -To learn more about the network connection and settings of your machine, run a network diagnostic check at [Azure Communication Services Network Diagnostic Tool](https://azurecommdiagnostics.net/). The network diagnostic tool checks all the essential parameters to help you determine if the network connection at your local machine is compatible with Azure Communication Services. You can also run this test on mobile devices. For more information about network quality, bandwidth, configuration, and optimization, see [Network recommendations](network-requirements.md). +When call audio sounds choppy, sounds robotic, or cuts in and out, the reason might be by packet loss due to excessive jitter on the line. Jitter means that packets are received out of order. Several factors can cause it, including network traffic or the technologies used in the call. -Enable logging via diagnostic settings in Azure monitor. For more information, see [Enable logs via Diagnostic Settings in Azure Monitor](../analytics/enable-logging.md). +### One-way or missing audio -Once the logs are enabled, you can view call insights in your Azure resource. For more information, see [Voice an video Insights Preview](../analytics/insights/voice-and-video-insights.md). +When a caller can hear the other party, but the other party can't hear the caller, we refer to this condition as one-way audio. Several factors can cause missing audio streams, including errors in the connection or handshake, problems during a network handoff, or problems at the source or destination. -You can improve audio quality in poor network environments by using video constraints to reduce the number of bandwidth users video streams consume. For more information, see [Video constraints](video-constraints.md). +### Delayed audio -You can programmatically validate a clientΓÇÖs readiness to join an Azure Communication Services Call using the Pre-Call API. Access this API through the Calling SDK. The Pre-Call API provides multiple diagnostics including device, connection, and call quality. Pre-Call APIs are available only for Web (JavaScript). We welcome your feedback about other platforms you would like to see prioritized. For more information, see [Pre-Call diagnostic](pre-call-diagnostics.md). +When caller or callee reports excessive delays in the call audio, the reason can be excessive latency on the line. Several factors can cause audio latency, including delayed packet transmission or delivery somewhere along the line, or the technologies used in the call. -## Network issues that can cause quality problems +### Audio echo -### Choppy or robotic sounding call audio +When a caller or callee reports that they hear their own delayed audio being transmitted back to them, we refer to this condition as audio echo. The causes of echo can be positioning and volume levels of the speaker and/or microphone at one end of the line, or crosstalk on copper wire (landline) networks. -When call audio has robotic-sounds or choppy cuts in and out, it can be caused by packet loss due to excessive jitter on the line. Jitter is the term used when packets are received out-of-order and can be caused by several factors including network traffic, or the technologies used in the call. +### Audio volume problem -### One-way or missing call audio +When a caller or callee reports that the volume of a call is either too loud or too quiet, we typically classify this condition as an audio volume problem. The cause is often the hardware, including the positioning and volume levels of the speaker and/or microphone at one end of the line. If the input and output indicator shows that the user's volume is low, you can prompt the user to speak louder. -When a caller can hear the other party, but the other party can't hear the caller, we refer to this as one-way audio. Missing audio streams can be caused by several factors including errors in the connection/handshake, problems during a network handoff, or issues at the source or destination. +For more information, see [Access call volume level in your calling app](../../quickstarts/voice-video-calling/get-started-volume-indicator.md). -### Delayed call audio +### Static -When caller or callee reports excessive delays in the call audio, it can be caused by excessive latency on the line. Call audio latency can be caused by several factors including delayed packet transmission or delivery somewhere along the line, or the technologies used in the call. +When a caller or callee reports audio interference or background noise on a call, we typically classify this condition as an audio static problem. The cause can be the hardware in use, including the placement, positioning, and levels of the speaker and/or microphone at one end of the line. -### Call audio echoing +Also, make sure that the application you're using for web calling is hosted on the latest SDK. For more information, see [Azure Communication Services Calling Web (JavaScript) SDK - Release History](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md). -When a caller or callee reports that they hear their own delayed audio being transmitted back to them, we refer to this as call audio echo. Echo can be caused by positioning and volume levels of the speaker and microphone at one end of the line, or by crosstalk on copper wire (landline) networks. +## Pre-call checkups -### Volume indicator API +When you're using the internet at various locations, you experience different internet speeds. Factors like the following examples can affect internet speed and reliability: -When a caller or callee reports that the volume of a call is either too loud or too quiet, we typically classify this as a call audio volume issue. These call volume issues are often caused by the hardware, including the positioning and levels of the speaker and/or microphone at one end of the line. If the input and output indicator show that the userΓÇÖs volume is low, you can prompt the user to speak louder. +- At home: the type of internet connection, the quality of the router, and the number of devices connected to the network. +- In the office: the number of users on the network, the quality of the network infrastructure, and the type of internet connection. +- When you're using cellular data: the strength of the cellular signal, the distance from the cell tower, and the number of users on the network. Additionally, some cellular plans have data caps or throttling. -For more information, see [Accessing call volume level](../../quickstarts/voice-video-calling/get-started-volume-indicator.md). +Because of this variability, it's important to test the network connection and settings of your machine. You can run a network diagnostic check by using the [Azure Communication Services Network Diagnostic tool](https://azurecommdiagnostics.net/). This tool checks all the essential parameters to help you determine if the network connection at your local machine is compatible with Azure Communication Services. You can also run this tool on mobile devices. For more information about network quality, bandwidth, configuration, and optimization, see [Network recommendations](network-requirements.md). -### Call static +You can also take advantage of these features in Azure Communication -When a caller or callee reports audio interference or background noise on a call, we typically classify this as a call audio static issue. These audio quality issues can be caused by the hardware in use, including the placement, positioning, and levels of the speaker and/or microphone at one end of the line. +- Enable logging via [diagnostic settings in Azure Monitor](../analytics/enable-logging.md). You can then view [call insights in your Azure resource](../analytics/insights/voice-and-video-insights.md). -Also, make sure that the application you're using for web calling is hosted on the latest SDK. For more information, see [Azure Communication Services Calling Web (JavaScript) SDK - Release History](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md). +- Improve audio quality in poor network environments by using [video constraints](video-constraints.md) to reduce the bandwidth that users of video streams consume. + +- Programmatically validate a client's readiness to join an Azure Communication Services call by using the [Pre-Call API](pre-call-diagnostics.md). You access this API through the Calling SDK. It provides multiple diagnostics, including device, connection, and call quality. This feature is currently available only for the web (JavaScript). + +## Mid-call checkups -## Mid call check-ups +You can enable these Azure Communication Services features in web calling applications: -Developers can enable user facing diagnostics (UFD) in web calling applications. UFDs help the end customers see what is wrong with the call, such as an unreliable network connection or the microphone isn't responding. For more information about UFDs, see [User Facing Diagnostics](user-facing-diagnostics.md). +- [User Facing Diagnostics](user-facing-diagnostics.md): This feature helps users see what's wrong with a call, such as an unreliable network connection or a microphone that isn't responding. -You can enable media statistics on the web calling application to help debug and troubleshoot quality related issues on Azure Communication Services Web calling. Media statistics includes, round-trip time (RTT), bitrates, packet loss, jitter, and so on. Media statistics help engineers better understand the problem and the exact timing. For more information, see [Media quality statistics](media-quality-sdk.md). +- [Media quality statistics](media-quality-sdk.md): You can use this feature to debug and troubleshoot quality-related problems with Azure Communication Services calls. Media statistics include factors like RTT, bitrates, packet loss, and jitter. Media statistics help engineers better understand the problem and the exact timing. -Sometimes users have multiple browsers tabs with instances of Azure Communication Services running that can disrupt audio and video behavior on the target call. You can detect if a user has multiple instances running in a browser. For more information, see [How to detect if an application using Azure Communication Services' SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). +Sometimes users have instances of Azure Communication Services running on multiple browser tabs. This situation can disrupt audio and video behavior on the target call. You can detect if a user has multiple instances running in a browser. For more information, see [How to detect if an application using the Azure Communication Services SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md). -## Post call check-ups +## Post-call checkups -You can check the log insights from the Azure portal for calling to determine the exact issue during the call. For more information, see [Query call logs](../analytics/query-call-logs.md). +You can check the log insights from the Azure portal to determine the exact problem during the call. For more information, see [Query call logs](../analytics/query-call-logs.md). -If you tried all the previous steps and still face quality issues, [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). If necessary, Microsoft can run a network check for your tenant to ensure call quality. +If you tried all the previous actions and still face quality problems, [create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). If necessary, Microsoft can run a network check for your tenant to help ensure call quality. -## End of call survey +## End of Call Survey -Enable End of Call surveys to give Azure Communication Services users the option to submit qualitative feedback about their call experience. +Enable the End of Call Survey feature to give Azure Communication Services users the option to submit qualitative feedback about their call experience. -For more information, see [End of Call Survey overview](end-of-call-survey-concept.md) and related tutorial [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). +For more information, see [End of Call Survey overview](end-of-call-survey-concept.md) and the related tutorial [Use the End of Call Survey to collect user feedback](../../tutorials/end-of-call-survey-tutorial.md). -## Next steps +## Related content -For more information about using Call Quality Dashboard (CQD) to view interop call logs, see [Use CQD to manage call and meeting quality in Microsoft Teams](/microsoftteams/quality-of-experience-review-guide). +- For information about using Call Quality Dashboard (CQD) to view interoperability call logs, see [Use CQD to manage call and meeting quality in Microsoft Teams](/microsoftteams/quality-of-experience-review-guide). -For more information about Calling SDK error codes, see [Troubleshooting in Azure Communication Services](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). Use these codes to help determine why a call ended. +- For information about Calling SDK error codes, see [Troubleshooting in Azure Communication Services](../../resources/troubleshooting/voice-video-calling/troubleshooting-codes.md). Use these codes to help determine why a call ended. -To ensure smooth functioning of the application and provide better user experience, app developers should follow a checklist. For more information, see the [Checklist for advanced calling experiences in web browsers - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-communication-services/checklist-for-advanced-calling-experiences-in-web-browsers/ba-p/3266312). +- To ensure smooth functioning of the application and provide better user experience, app developers should follow a checklist. For more information, see the blog post [Checklist for advanced calling experiences in web browsers](https://techcommunity.microsoft.com/t5/azure-communication-services/checklist-for-advanced-calling-experiences-in-web-browsers/ba-p/3266312). -For more information about preparing your network or your customersΓÇÖ network, see [Network recommendations](network-requirements.md). - -For best practices regarding Azure Communication Services web calling, see [Best practices: Azure Communication Services calling SDKs](../best-practices.md). +- For more information about preparing your network or your customer's network, see [Network recommendations](network-requirements.md). +- For best practices regarding Azure Communication Services web calling, see [Best practices: Azure Communication Services calling SDKs](../best-practices.md).
communication-services	Video Constraints	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/video-constraints.md	Title: Azure Communication Services Video constraints- -description: Overview of Video Constraints + Title: Azure Communication Services Video Constraints + +description: Get an overview of the Video Constraints API. -# Video constraints +# Video Constraints -The Video constraints API is a powerful tool that enables developers to control the video quality from within their video calls. With this API, developers can set maximum video resolutions, frame rate, and bitrate used so that the call is optimized for the user's device and network conditions. The ACS video engine is optimized to allow the video quality to change dynamically based on devices ability and network quality. But there might be certain scenarios where you would want to have tighter control of the video quality that end users experience. For instance, there may be situations where the highest video quality isn't a priority, or you may want to limit the video bandwidth usage in the application. To support those use cases, you can use the Video Constraints API to have tighter control over video quality. +The Video Constraints API enables developers to control the video quality from within video calls. With this API, developers can set maximum video resolutions, frame rate, and bitrate so that the call is optimized for the user's device and network conditions. -Another benefit of the Video Constraints API is that it enables developers to optimize the video call for different devices. For example, if a user is using an older device with limited processing power, developers can set constraints on the video resolution to ensure that the video call runs smoothly on that device. +The Azure Communication Services video engine is optimized to allow the video quality to change dynamically based on a device's ability and the network quality. But there might be certain scenarios where the highest video quality isn't a priority, or you want to limit the video bandwidth usage in an application. To support those use cases, you can use the Video Constraints API to have tighter control over the video quality that users experience. + +Another benefit of the Video Constraints API is that it enables developers to optimize the video call for different devices. For example, if a user is using an older device with limited processing power, you can set constraints on the video resolution to ensure that the video call runs smoothly on that device. ## Supported constraints -\| Platform \| Supported Constraints \| +\| Platform \| Supported constraints \| \| -- \| -- \| -\| Web \| Incoming video: resolution<br />Outgoing video: resolution, framerate, bitrate \| -\| Android \| Incoming video: resolution<br />Outgoing video: resolution, framerate \| -\| iOS \| Incoming video: resolution<br />Outgoing video: resolution, framerate \| -\| Windows \| Incoming video: resolution<br />Outgoing video: resolution, framerate \| - -## Next steps -For more information, see the following articles: -- [Tutorial on how to enable video constraints](../../quickstarts/voice-video-calling/get-started-video-constraints.md)-- [Enable Media Quality Statistics in your application](./media-quality-sdk.md)-- Learn about [Calling SDK capabilities](../../quickstarts/voice-video-calling/getting-started-with-calling.md) +\| Web \| Incoming video: resolution<br />Outgoing video: resolution, frame rate, bitrate \| +\| Android \| Incoming video: resolution<br />Outgoing video: resolution, frame rate \| +\| iOS \| Incoming video: resolution<br />Outgoing video: resolution, frame rate \| +\| Windows \| Incoming video: resolution<br />Outgoing video: resolution, frame rate \| + +## Related content + +- [Quickstart: Set video constraints in your calling app](../../quickstarts/voice-video-calling/get-started-video-constraints.md) +- [Enable media quality statistics in your application](./media-quality-sdk.md) +- [Quickstart: Add voice calling to your app](../../quickstarts/voice-video-calling/getting-started-with-calling.md)
container-apps	Azure Arc Enable Cluster	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/azure-arc-enable-cluster.md	This tutorial will show you how to enable Azure Container Apps on your Arc-enabl - If you don't have one, you [can create one for free](https://azure.microsoft.com/free/). - Install the [Azure CLI](/cli/azure/install-azure-cli). - Access to a public or private container registry, such as the [Azure Container Registry](/azure/container-registry/). +- Review the [requirements and limitations](azure-arc-overview.md) of the public preview. Of particular importance are the cluster requirements. ## Setup A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) pr ## Install the Container Apps extension +> [!IMPORTANT] +> If deploying onto AKS-HCI ensure that you have [setup HAProxy as your load balancer](/azure/aks/hybrid/configure-load-balancer) before attempting to install the extension. + 1. Set the following environment variables to the desired name of the [Container Apps extension](azure-arc-create-container-app.md), the cluster namespace in which resources should be provisioned, and the name for the Azure Container Apps connected environment. Choose a unique name for `<connected-environment-name>`. The connected environment name will be part of the domain name for app you'll create in the Azure Container Apps connected environment. # [Azure CLI](#tab/azure-cli)
container-apps	Azure Arc Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/azure-arc-overview.md	Previously updated : 07/18/2024 Last updated : 09/23/2024 The following public preview limitations apply to Azure Container Apps on Azure \|\|\| \| Supported Azure regions \| East US, West Europe, East Asia \| \| Cluster networking requirement \| Must support [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) service type \| +\| Node OS requirement \| Linux only. \| \| Feature: Managed identities \| [Not available](#are-managed-identities-supported) \| \| Feature: Pull images from ACR with managed identity \| Not available (depends on managed identities) \| \| Logs \| Log Analytics must be configured with cluster extension; not per-application \| +> [!IMPORTANT] +> If deploying onto AKS-HCI ensure that you have [setup HAProxy as your load balancer](/azure/aks/hybrid/configure-load-balancer) before attempting to install the extension. + ## Resources created by the Container Apps extension When the Container Apps extension is installed on the Azure Arc-enabled Kubernetes cluster, several resources are created in the specified release namespace. These resources enable your cluster to be an extension of the `Microsoft.App` resource provider to support the management and operation of your apps. The following table describes the role of each revision created for you: - [Are there any scaling limits?](#are-there-any-scaling-limits) - [What logs are collected?](#what-logs-are-collected) - [What do I do if I see a provider registration error?](#what-do-i-do-if-i-see-a-provider-registration-error) +- [Can the extension be installed on Windows nodes?](#can-the-extension-be-installed-on-windows-nodes) - [Can I deploy the Container Apps extension on an Arm64 based cluster?](#can-i-deploy-the-container-apps-extension-on-an-arm64-based-cluster) ### How much does it cost? By default, logs from system components are sent to the Azure team. Application As you create an Azure Container Apps connected environment resource, some subscriptions might see the "No registered resource provider found" error. The error details might include a set of locations and API versions that are considered valid. If this error message is returned, the subscription must be re-registered with the `Microsoft.App` provider. Re-registering the provider has no effect on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.App --wait`. Then reattempt the connected environment command. +## Can the extension be installed on Windows nodes? + +No, the extension cannot be installed on Windows nodes. The extension supports installation on Linux nodes only. + ### Can I deploy the Container Apps extension on an Arm64 based cluster? Arm64 based clusters aren't supported at this time.
container-apps	Containers	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/containers.md	Previously updated : 08/29/2023 Last updated : 09/19/2024 Azure Container Apps supports: - Any Linux-based x86-64 (`linux/amd64`) container image - Containers from any public or private container registry-- [Sidecar](#sidecar-containers) and [init](#init-containers) containers +- Optional [sidecar](#sidecar-containers) and [init](#init-containers) containers Features also include: -- Changes to the `template` configuration section trigger a new [container app revision](application-lifecycle-management.md). +- Apps use the `template` configuration section to define the container image and other settings. Changes to the `template` configuration section trigger a new [container app revision](application-lifecycle-management.md). - If a container crashes, it automatically restarts. Jobs features include: Azure Container Apps has the following limitations: - Operating system: Linux-based (`linux/amd64`) container images are required. +- Maximum image size: + - Consumption workload profile supports container images totaling up to 8GB for each app or job replica. + - Dedicated workload profiles support larger container images. Because a Dedicated workload profile can run multiple apps or jobs, multiple container images share the available disk space. The actual supported image size varies based on resources consumed by other apps and jobs. + ## Next steps > [!div class="nextstepaction"]
container-apps	Hardware	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/hardware.md	- Title: Hardware reference in Azure Container Apps -description: Learn about hardware specifications in Container Apps ----- Previously updated : 08/30/2023-- -# Azure Container Apps hardware reference - -Workload profiles in Azure Container Apps run on specialized hardware with specific restrictions. Use the following information to help you select the workload profile most appropriate for your application. - -## Image size limit -- -For more information on differences in hardware selection, see the [workload profiles overview](workload-profiles-overview.md). - -## Next steps - -> [!div class="nextstepaction"] -> [Quotas](quotas.md)
container-apps	Metrics	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/metrics.md	Previously updated : 04/30/2024 Last updated : 09/23/2024 The metrics explorer in the Azure portal allows you to visualize the data. You c Container Apps provides these basic metrics. -\| Category \| Title \| Description \| Metric ID \| Unit \| +\| Title \| Dimensions \| Description \| Metric ID \| Unit \| \|--\|--\|--\|--\|--\| -\| Basic \| CPU Usage \| CPU consumed by the container app, in nano cores (1,000,000,000 nanocores = 1 core) \| UsageNanoCores \| `nanocores` \| -\| Basic \| Memory Working Set Bytes \| Container app working set memory used in bytes \| `WorkingSetBytes` \| bytes \| -\| Basic \| Network In Bytes \| Network received bytes \| `RxBytes` \| bytes \| -\| Basic \| Network Out Bytes \| Network transmitted bytes \| `TxBytes` \| bytes \| -\| Basic \| Replica count \| Number of active replicas \| `Replicas` \| n/a \| -\| Basic \| Replica Restart Count \| Restarts count of container app replicas \| `RestartCount` \| n/a \| -\| Basic \| Requests \| Requests processed \| `Requests` \| n/a \| -\| Basic \| Reserved Cores \| Number of reserved cores for container app revisions \| `CoresQuotaUsed` \| n/a \| -\| Basic \| Resiliency Connection Timeouts \| Total connection timeouts \| `ResiliencyConnectTimeouts` \| n/a \| -\| Basic \| Resiliency Ejected Hosts \| Number of currently ejected hosts \| `ResiliencyEjectedHosts` \| n/a \| -\| Basic \| Resiliency Ejections Aborted \| Number of ejections aborted due to the max ejection % \| `ResiliencyEjectionsAborted` \| n/a \| -\| Basic \| Resiliency Request Retries \| Total request retries \| `ResiliencyRequestRetries` \| n/a \| -\| Basic \| Resiliency Request Timeouts \| Total requests that timed out waiting for a response \| `ResiliencyRequestTimeouts` \| n/a \| -\| Basic \| Resiliency Requests Pending Connection Pool \| Total requests pending a connection pool connection \| `ResiliencyRequestsPendingConnectionPool` \| n/a \| -\| Basic \| Total Reserved Cores \| Total cores reserved for the container app \| `TotalCoresQuotaUsed` \| n/a \| +\| CPU Usage \| Replica, Revision \| CPU consumed by the container app, in nano cores (1,000,000,000 nanocores = 1 core) \| `UsageNanoCores` \| nanocores \| +\| Memory Working Set Bytes \| Replica, Revision \| Container app working set memory used in bytes \| `WorkingSetBytes` \| bytes \| +\| Network In Bytes \| Replica, Revision \| Network received bytes \| `RxBytes` \| bytes \| +\| Network Out Bytes \| Replica, Revision \| Network transmitted bytes \| `TxBytes` \| bytes \| +\| Replica count \| Revision \| Number of active replicas \| `Replicas` \| n/a \| +\| Replica Restart Count \| Replica, Revision \| Restarts count of container app replicas \| `RestartCount` \| n/a \| +\| Requests \| Replica, Revision, Status Code, Status Code Category \| Requests processed \| `Requests` \| n/a \| +\| Reserved Cores \| Revision \| Number of reserved cores for container app revisions \| `CoresQuotaUsed` \| n/a \| +\| Resiliency Connection Timeouts \| Revision \| Total connection timeouts \| `ResiliencyConnectTimeouts` \| n/a \| +\| Resiliency Ejected Hosts \| Revision \| Number of currently ejected hosts \| `ResiliencyEjectedHosts` \| n/a \| +\| Resiliency Ejections Aborted \| Revision \| Number of ejections aborted due to the max ejection % \| `ResiliencyEjectionsAborted` \| n/a \| +\| Resiliency Request Retries \| Revision \| Total request retries \| `ResiliencyRequestRetries` \| n/a \| +\| Resiliency Request Timeouts \| Revision \| Total requests that timed out waiting for a response \| `ResiliencyRequestTimeouts` \| n/a \| +\| Resiliency Requests Pending Connection Pool \| Replica \| Total requests pending a connection pool connection \| `ResiliencyRequestsPendingConnectionPool` \| n/a \| +\| Total Reserved Cores \| None \| Total cores reserved for the container app \| `TotalCoresQuotaUsed` \| n/a \| The metrics namespace is `microsoft.app/containerapps`.
data-factory	Connector Sharepoint Online List	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-sharepoint-online-list.md	Previously updated : 08/29/2024 Last updated : 09/14/2024 # Copy data from SharePoint Online List by using Azure Data Factory or Azure Synapse Analytics The following properties are supported for a SharePoint Online List linked servi \| type \| The type property must be set to:ΓÇ»SharePointOnlineList. \| Yes \| \| siteUrl \| The SharePoint Online site url, e.g. `https://contoso.sharepoint.com/sites/siteName`. \| Yes \| \| servicePrincipalId \| The Application (client) ID of the application registered in Microsoft Entra ID. \| Yes \| -\| servicePrincipalCredentialType \| Specify the credential type to use for service principal authentication. Allowed values are `ServicePrincipalKey` and `ServicePrincipalCert`. \| No \| -\| *For ServicePrincipalKey* \| \| \| -\| servicePrincipalKey \| The application's key. Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [section](#grant-permission-for-using-service-principal-key) for more details including the permission settings. \| No \| +\| servicePrincipalCredentialType \| Specify the credential type to use for service principal authentication. Allowed values are `ServicePrincipalCert` and `ServicePrincipalKey`. \| No \| \| *For ServicePrincipalCert* \| \| \| -\| servicePrincipalEmbeddedCert \| Specify the base64 encoded certificate of your application registered in Microsoft Entra ID, and ensure the certificate content type is PKCS #12. Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [article](/sharepoint/dev/solution-guidance/security-apponly-azuread) for permission settings.\| No \| +\| servicePrincipalEmbeddedCert \| Specify the base64 encoded certificate of your application registered in Microsoft Entra ID, and ensure the certificate content type is PKCS #12. Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). You need to configure the permission settings referring this [article](/sharepoint/dev/solution-guidance/security-apponly-azuread).\| No \| \| servicePrincipalEmbeddedCertPassword \| Specify the password of your certificate if your certificate is secured with a password. Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). \| No \| +\| *For ServicePrincipalKey* \| \| \| +\| servicePrincipalKey \| The application's key. Mark this field as a SecureString to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [section](#grant-permission-for-using-service-principal-key) for more details including the permission settings.\| No \| \| \| \| \| \| tenantId \| The tenant ID under which your application resides. \| Yes \| \| connectVia \| The [Integration Runtime](concepts-integration-runtime.md) to use to connect to the data store. If not specified, the default Azure Integration Runtime is used. \| No \| +>[!Note] +>If you are using service principal key authentication, which is based on Azure ACS (Access Control Services), we recommend switching to the service principal certificate authentication due to the [ACS retirement plan](/sharepoint/dev/sp-add-ins/retirement-announcement-for-azure-acs). + Example 1: Using service principal key authentication ```json The following properties are supported for a SharePoint Online List linked servi } } ```+ ### Grant permission for using service principal key The SharePoint List Online connector uses service principal authentication to connect to SharePoint. Follow these steps to set it up: The SharePoint List Online connector uses service principal authentication to co ``` :::image type="content" source="media/connector-sharepoint-online-list/sharepoint-online-grant-permission-admin.png" alt-text="Grant SharePoint Online site permission to your registered application when you have site admin role."::: - + > [!NOTE] > In the context of configuring the SharePoint connector, the "App Domain" and "Redirect URL" refer to the SharePoint app that you have registered in Microsoft Entra ID to allow access to your SharePoint data. The "App Domain" is the domain where your SharePoint site is hosted. For example, if your SharePoint site is located at "https://contoso.sharepoint.com", then the "App Domain" would be "contoso.sharepoint.com". The "Redirect URL" is the URL that the SharePoint app will redirect to after the user has authenticated and granted permissions to the app. This URL should be a page on your SharePoint site that the app has permission to access. For example, you could use the URL of a page that displays a list of files in a library, or a page that displays the contents of a document.
event-hubs	Apache Kafka Developer Guide	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/apache-kafka-developer-guide.md	See the following quickstarts in the azure-event-hubs-for-kafka repo: \| [Go](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/go) \| <p>This quickstart will show how to create and connect to an Event Hubs Kafka endpoint using an example producer and consumer written in Go.</p><p>This sample is based on [Confluent's Apache Kafka Golang client](https://github.com/confluentinc/confluent-kafka-go), modified for use with Event Hubs for Kafka.</p>\| \| [Sarama kafka Go](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/go-sarama-client) \| This quickstart will show how to create and connect to an Event Hubs Kafka endpoint using an example producer and consumer written in Go using the [Sarama Kafka client](https://github.com/Shopify/sarama) library. \| \| [Kafka](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/kafka-cli) \| This quickstart will show how to create and connect to an Event Hubs Kafka endpoint using the CLI that comes bundled with the Apache Kafka distribution.\| -\| [Kafkacat](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/kafkacat) \| kafkacat is a non-JVM command-line consumer and producer based on librdkafka, popular due to its speed and small footprint. This quickstart contains a sample configuration and several simple sample kafkacat commands. \| +\| [kcat](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/quickstart/kafkacat) \| kcat is a non-JVM command-line consumer and producer based on librdkafka, popular due to its speed and small footprint. This quickstart contains a sample configuration and several simple sample kafkacat commands. \| ### Quickstarts in DOCS See the quickstart: [Data streaming with Event Hubs using the Kafka protocol](event-hubs-quickstart-kafka-enabled-event-hubs.md) in this content set, which provides step-by-step instructions on how to stream into Event Hubs. You learn how to use your producers and consumers to talk to Event Hubs with just a configuration change in your applications.
expressroute	Expressroute Locations Providers	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations-providers.md	Previously updated : 08/19/2024 Last updated : 09/22/2024 The following table shows connectivity locations and the service providers for e \| Location \| Address \| Zone \| Local Azure regions \| ER Direct \| Service providers \| \|--\|--\|--\|--\|--\|--\| \| Abu Dhabi \| Etisalat KDC \| 3 \| UAE Central \| &check; \| \| -\| Amsterdam \| [Equinix AM5](https://www.equinix.com/locations/europe-colocation/netherlands-colocation/amsterdam-data-centers/am5/) \| 1 \| West Europe \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>Colt<br/>Deutsche Telekom AG<br/>Equinix<br/>euNetworks<br/>G├ëANT<br/>GlobalConnect<br/>InterCloud<br/>Interxion (Digital Realty)<br/>KPN<br/>IX Reach<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>Tata Communications<br/>Telecom Italia Sparkle<br/>Telefonica<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Zayo \| +\| Amsterdam \| [Equinix AM5](https://www.equinix.com/locations/europe-colocation/netherlands-colocation/amsterdam-data-centers/am5/) \| 1 \| West Europe \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>Colt<br/>China Unicom Global<br/>Deutsche Telekom AG<br/>Equinix<br/>euNetworks<br/>G├ëANT<br/>GlobalConnect<br/>InterCloud<br/>Interxion (Digital Realty)<br/>KPN<br/>IX Reach<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>Tata Communications<br/>Telecom Italia Sparkle<br/>Telefonica<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Zayo \| \| Amsterdam2 \| [Interxion AMS8](https://www.interxion.com/Locations/amsterdam/schiphol/) \| 1 \| West Europe \| &check; \| BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cinia<br/>Colt<br/>DE-CIX<br/>Equinix<br/>euNetworks<br/>G├ëANT<br/>Interxion (Digital Realty)<br/>Megaport<br/>NL-IX<br/>NOS<br/>NTT Global DataCenters EMEA<br/>Orange<br/>Vodafone \| \| Atlanta \| [Equinix AT1](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/atlanta-data-centers/at1) \| 1 \| &cross; \| &check; \| Equinix<br/>Megaport<br/>Momentum Telecom<br/>PacketFabric \| \| Auckland \| [Vocus Group NZ Albany](https://www.vocus.co.nz/business/cloud-data-centres) \| 2 \| &cross; \| &check; \| Devoli<br/>Kordia<br/>Megaport<br/>REANNZ<br/>Spark NZ<br/>Vocus Group NZ \| The following table shows connectivity locations and the service providers for e \| Chennai \| Tata Communications \| 2 \| South India \| &check; \| BSNL<br/>DE-CIX<br/>Global CloudXchange (GCX)<br/>Lightstorm<br/>SIFY<br/>Tata Communications<br/>VodafoneIdea \| \| Chennai2 \| Airtel \| 2 \| South India \| &check; \| Airtel \| \| Chicago \| [Equinix CH1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/chicago-data-centers/ch1/) \| 1 \| North Central US \| &check; \| Aryaka Networks<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Colt<br/>Comcast<br/>Coresite<br/>Equinix<br/>InterCloud<br/>Internet2<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>PacketFabric<br/>PCCW Global Limited<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo \| -\| Chicago2 \| [CoreSite CH1](https://www.coresite.com/data-center/ch1-chicago-il) \| 1 \| North Central US \| &check; \| CoreSite<br/>DE-CIX \| +\| Chicago2 \| [CoreSite CH1](https://www.coresite.com/data-center/ch1-chicago-il) \| 1 \| North Central US \| &check; \| CoreSite<br/>DE-CIX<br/>Megaport<br/>Momentum Telecom \| \| Copenhagen \| [Interxion CPH1](https://www.interxion.com/Locations/copenhagen/) \| 1 \| &cross; \| &check; \| DE-CIX<br/>GlobalConnect<br/>Interxion (Digital Realty) \| #### [D-I](#tab/d-h) The following table shows connectivity locations and the service providers for e \| Location \| Address \| Zone \| Local Azure regions \| ER Direct \| Service providers \| \|--\|--\|--\|--\|--\|--\| \| Dallas \| [Equinix DA3](https://www.equinix.com/locations/americas-colocation/united-states-colocation/dallas-data-centers/da3/)<br/>[Equinix DA6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/dallas-data-centers/da6) \| 1 \| &cross; \| &check; \| Aryaka Networks<br/>AT&T Connectivity Plus<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>Cologix<br/>Cox Business Cloud Port<br/>Equinix<br/>GTT<br/>Intercloud<br/>Internet2<br/>Level 3 Communications<br/>MCM Telecom<br/>Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>Orange<br/>PacketFabric<br/>Telmex Uninet<br/>Telia Carrier<br/>Telefonica<br/>Transtelco<br/>Verizon<br/>Vodafone<br/>Zayo \| -\| Dallas2 \| [Digital Realty DFW10](https://www.digitalrealty.com/data-centers/americas/dallas/dfw10) \| 1 \| &cross; \| &check; \| Digital Realty \| -\| Denver \| [CoreSite DE1](https://www.coresite.com/data-centers/locations/denver/de1) \| 1 \| West Central US \| &check; \| CoreSite<br/>Megaport<br/>PacketFabric<br/>Zayo \| +\| Dallas2 \| [Digital Realty DFW10](https://www.digitalrealty.com/data-centers/americas/dallas/dfw10) \| 1 \| &cross; \| &check; \| Digital Realty<br/>Momentum Telecom \| +\| Denver \| [CoreSite DE1](https://www.coresite.com/data-centers/locations/denver/de1) \| 1 \| West Central US \| &check; \| CoreSite<br/>Megaport<br/>Momentum Telecom<br/>PacketFabric<br/>Zayo \| \| Doha \| [MEEZA MV2](https://www.meeza.net/services/data-centre-services/) \| 3 \| Qatar Central \| &check; \| Ooredoo Cloud Connect<br/>Vodafone \| \| Doha2 \| [Ooredoo](https://www.ooredoo.qa/) \| 3 \| Qatar Central \| &check; \| Ooredoo Cloud Connect \| \| Dubai \| [PCCS](http://www.pacificcontrols.net/cloudservices/) \| 3 \| UAE North \| &check; \| Etisalat UAE \| The following table shows connectivity locations and the service providers for e \| Location \| Address \| Zone \| Local Azure regions \| ER Direct \| Service providers \| \|--\|--\|--\|--\|--\|--\| -\| Jakarta \| [Telin](https://www.telin.net/) \| 4 \| &cross; \| &check; \| NTT Communications<br/>Telin<br/>XL Axiata \| +\| Jakarta \| [Telin](https://www.telin.net/) \| 4 \| &cross; \| &check; \| DCI Indonesia<br/>DE-CIX<br/>NTT Communications<br/>NTT Indonesia<br/>Telin<br/>XL Axiata \| \| Johannesburg \| [Teraco JB1](https://www.teraco.co.za/data-centre-locations/johannesburg/#jb1) \| 3 \| South Africa North \| &check; \| BCX<br/>British Telecom<br/>Internet Solutions - Cloud Connect<br/>Liquid Telecom<br/>MTN Business<br/>MTN Global Connect<br/>Orange<br/>Teraco<br/>Vodacom \| \| Kuala Lumpur \| [TIME dotCom Menara AIMS](https://www.time.com.my/enterprise/connectivity/direct-cloud) \| 2 \| &cross; \| &cross; \| DE-CIX<br/>TIME dotCom \| \| Las Vegas \| [Switch LV](https://www.switch.com/las-vegas) \| 1 \| &cross; \| &check; \| CenturyLink Cloud Connect<br/>Megaport<br/>PacketFabric \| -\| London \| [Equinix LD5](https://www.equinix.com/locations/europe-colocation/united-kingdom-colocation/london-data-centers/ld5/) \| 1 \| UK South \| &check; \| AT&T NetBond<br/>Bezeq International<br/>British Telecom<br/>CenturyLink<br/>Colt<br/>Equinix<br/>euNetworks<br/>Intelsat<br/>InterCloud<br/>Internet Solutions - Cloud Connect<br/>Interxion (Digital Realty)<br/>Jisc<br/>Level 3 Communications<br/>Megaport<br/>MTN<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>Tata Communications<br/>Telehouse - KDDI<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo \| -\| London2 \| [Telehouse North Two](https://www.telehouse.net/data-centres/emea/uk-data-centres/london-data-centres/north-two) \| 1 \| UK South \| &check; \| BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Equinix<br/>Epsilon Global Communications<br/>GTT<br/>Interxion (Digital Realty)<br/>IX Reach<br/>JISC<br/>Megaport<br/>NTT Global DataCenters EMEA<br/>Ooredoo Cloud Connect<br/>Orange<br/>SES<br/>Sohonet<br/>Telehouse - KDDI<br/>Zayo<br/>Vodafone \| -\| Los Angeles \| [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) \| 1 \| &cross; \| &check; \| AT&T Dynamic Exchange<br/>CoreSite<br/>China Unicom Global<br/>Cloudflare<br/>Equinix<br/>Megaport<br/>Neutrona Networks<br/>NTT<br/>Zayo</br></br> New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2. \| +\| London \| [Equinix LD5](https://www.equinix.com/locations/europe-colocation/united-kingdom-colocation/london-data-centers/ld5/) \| 1 \| UK South \| &check; \| AT&T NetBond<br/>Bezeq International<br/>British Telecom<br/>CenturyLink<br/>Colt<br/>Equinix<br/>euNetworks<br/>Intelsat<br/>InterCloud<br/>Internet Solutions - Cloud Connect<br/>Interxion (Digital Realty)<br/>Jisc<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>MTN<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>Tata Communications<br/>Telehouse - KDDI<br/>Telenor<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo \| +\| London2 \| [Telehouse North Two](https://www.telehouse.net/data-centres/emea/uk-data-centres/london-data-centres/north-two) \| 1 \| UK South \| &check; \| BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Equinix<br/>Epsilon Global Communications<br/>GTT<br/>Interxion (Digital Realty)<br/>IX Reach<br/>JISC<br/>Megaport<br/>NTT Global DataCenters EMEA<br/>Ooredoo Cloud Connect<br/>Orange<br/>SES<br/>Sohonet<br/>Tata Communications<br/>Telehouse - KDDI<br/>Zayo<br/>Vodafone \| +\| Los Angeles \| [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) \| 1 \| &cross; \| &check; \| AT&T Dynamic Exchange<br/>CoreSite<br/>China Unicom Global<br/>Cloudflare<br/> Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>NTT<br/>Zayo</br></br> \| \| Los Angeles2 \| [Equinix LA1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/los-angeles-data-centers/la1/) \| 1 \| &cross; \| &check; \| Crown Castle<br/>Equinix<br/>GTT<br/>PacketFabric \| -\| Madrid \| [Interxion MAD1](https://www.interxion.com/es/donde-estamos/europa/madrid) \| 1 \| &cross; \| &check; \| DE-CIX<br/>InterCloud<br/>Interxion (Digital Realty)<br/>Megaport<br/>Telefonica \| -\| Madrid2 \| [Equinix MD2](https://www.equinix.com/data-centers/europe-colocation/spain-colocation/madrid-data-centers/md2) \| 1 \| &cross; \| &check; \| Equinix \| +\| Madrid \| [Interxion MAD1](https://www.interxion.com/es/donde-estamos/europa/madrid) \| 1 \| &cross; \| &check; \| DE-CIX<br/>GTT<br/>InterCloud<br/>Interxion (Digital Realty)<br/>Megaport<br/>Telefonica \| +\| Madrid2 \| [Equinix MD2](https://www.equinix.com/data-centers/europe-colocation/spain-colocation/madrid-data-centers/md2) \| 1 \| &cross; \| &check; \| Equinix<br/>G├ëANT<br/>Intercloud \| \| Marseille \| [Interxion MRS1](https://www.interxion.com/Locations/marseille/) \| 1 \| France South \| &cross; \| Colt<br/>DE-CIX<br/>GEANT<br/>Interxion (Digital Realty)<br/>Jaguar Network<br/>Ooredoo Cloud Connect \| \| Melbourne \| [NextDC M1](https://www.nextdc.com/data-centres/m1-melbourne-data-centre) \| 2 \| Australia Southeast \| &check; \| AARNet<br/>Devoli<br/>Equinix<br/>Megaport<br/>NETSG<br/>NEXTDC<br/>Optus<br/>Orange<br/>Telstra Corporation<br/>TPG Telecom \| \| Miami \| [Equinix MI1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/miami-data-centers/mi1/) \| 1 \| &cross; \| &check; \| AT&T Dynamic Exchange<br/>Claro<br/>C3ntro<br/>Equinix<br/>Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>PitChile \| \| Milan \| [IRIDEOS](https://irideos.it/en/data-centers/) \| 1 \| Italy North \| &check; \| Colt<br/>Equinix<br/>Fastweb<br/>IRIDEOS<br/>Noovle<br/>Retelit<br/>Vodafone \| \| Milan2 \| [DATA4](https://www.data4group.com/it/data-center-a-milano-italia/) \| 1 \| Italy North \| &check; \| \| -\| Minneapolis \| [Cologix MIN1](https://www.cologix.com/data-centers/minneapolis/min1/) and [Cologix MIN3](https://www.cologix.com/data-centers/minneapolis/min3/) \| 1 \| &cross; \| &check; \| Cologix<br/>Megaport \| +\| Minneapolis \| [Cologix MIN1](https://www.cologix.com/data-centers/minneapolis/min1/) and [Cologix MIN3](https://www.cologix.com/data-centers/minneapolis/min3/) \| 1 \| &cross; \| &check; \| Cologix<br/>Megaport<br/>Zayo \| \| Montreal \| [Cologix MTL3](https://www.cologix.com/data-centers/montreal/mtl3/)<br/>[Cologix MTL7](https://cologix.com/data-centers/montreal/mtl7/) \| 1 \| &cross; \| &check; \| Bell Canada<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Fibrenoire<br/>Megaport<br/>RISQ<br/>Telus<br/>Zayo \| \| Mumbai \| Tata Communications \| 2 \| West India \| &check; \| BSNL<br/>British Telecom<br/>DE-CIX<br/>Global CloudXchange (GCX)<br/>InterCloud<br/>Lightstorm<br/>Reliance Jio<br/>Sify<br/>Tata Communications<br/>Verizon \| \| Mumbai2 \| Airtel \| 2 \| West India \| &check; \| Airtel<br/>Equinix<br/>Sify<br/>Orange<br/>Vodafone Idea \| The following table shows connectivity locations and the service providers for e \| Phoenix \| [EdgeConneX PHX01](https://www.cyrusone.com/data-centers/north-america/arizona/phx1-phx8-phoenix) \| 1 \| West US 3 \| &check; \| AT&T NetBond<br/>Cox Business Cloud Port<br/>CenturyLink Cloud Connect<br/>DE-CIX<br/>Megaport<br/>Zayo \| \| Phoenix2 \| [PhoenixNAP](https://phoenixnap.com/) \| 1 \| West US 3 \| &check; \| \| \| Portland \| [EdgeConnex POR01](https://www.edgeconnex.com/locations/north-america/portland-or/) \| 1 \| West US 2 \| &check; \| \| -\| Pune \| [STT GDC Pune DC1](https://www.sttelemediagdc.in/our-data-centres-in-india) \| 2 \| Central India \| &check; \| Airtel<br/>Lightstorm<br/>Tata Communications \| +\| Pune \| [STT GDC Pune DC1](https://www.sttelemediagdc.in/our-data-centres-in-india) \| 2 \| Central India \| &check; \| Airtel<br/>Lightstorm<br/>SIFY<br/>Tata Communications \| \| Quebec City \| [Vantage](https://vantage-dc.com/data_centers/quebec-city-data-center-campus/) \| 1 \| Canada East \| &check; \| Bell Canada<br/>Equinix<br/>Megaport<br/>RISQ<br/>Telus \| \| Queretaro (Mexico) \| [KIO Networks QR01](https://www.kionetworks.com/es-mx/) \| 4 \| &cross; \| &check; \| Cirion Technologies<br/>Equinix<br/>KIO<br/>MCM Telecom<br/>Megaport<br/>Transtelco \| \| Quincy \| Sabey Datacenter - Building A \| 1 \| West US 2 \| &check; \| \| The following table shows connectivity locations and the service providers for e \|--\|--\|--\|--\|--\|--\| \| Rio de Janeiro \| [Equinix-RJ2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/rio-de-janeiro-data-centers/rj2/) \| 3 \| Brazil Southeast \| &check; \| Cirion Technologies<br/>Equinix \| \| San Antonio \| [CyrusOne SA1](https://cyrusone.com/locations/texas/san-antonio-texas/) \| 1 \| South Central US \| &check; \| CenturyLink Cloud Connect<br/>Megaport<br/>Zayo \| -\| Santiago \| [EdgeConnex SCL](https://www.edgeconnex.com/locations/south-america/santiago/) \| 3 \| &cross; \| &check; \| Cirion Technologies<br/>PitChile \| +\| Santiago \| [EdgeConnex SCL](https://www.edgeconnex.com/locations/south-america/santiago/) \| 3 \| &cross; \| &check; \| Cirion Technologies<br/>Equinix<br/>PitChile \| \| Sao Paulo \| [Equinix SP2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/sao-paulo-data-centers/sp2/) \| 3 \| Brazil South \| &check; \| Aryaka Networks<br/>Ascenty Data Centers<br/>British Telecom<br/>Equinix<br/>InterCloud<br/>Level 3 Communications<br/>Neutrona Networks<br/>Orange<br/>RedCLARA<br/>Tata Communications<br/>Telefonica<br/>UOLDIVEO \| \| Sao Paulo2 \| [TIVIT TSM](https://www.tivit.com/en/tivit/) \| 3 \| Brazil South \| &check; \| Ascenty Data Centers<br/>Tivit \| \| Seattle \| [Equinix SE2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/seattle-data-centers/se2/) \| 1 \| West US 2 \| &check; \| Aryaka Networks<br/>CenturyLink Cloud Connect<br/>DE-CIX<br/>Digital Realty<br/>Equinix<br/>Level 3 Communications<br/>Megaport<br/>Pacific Northwest Gigapop<br/>PacketFabric<br/>Telus<br/>Zayo \| \| Seoul \| [KINX Gasan IDC](https://www.kinx.net/?lang=en) \| 2 \| Korea Central \| &check; \| KINX<br/>KT<br/>LG CNS<br/>LGUplus<br/>Equinix<br/>Sejong Telecom<br/>SK Telecom \| \| Seoul2 \| [KT IDC](https://www.kt-idc.com/eng/introduce/sub1_4_10.jsp#tab) \| 2 \| Korea Central \| &cross; \| KT \| -\| Silicon Valley \| [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) \| 1 \| West US \| &check; \| Aryaka Networks<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>China Unicom Global<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Digital Realty<br/>Equinix<br/>InterCloud<br/>Internet2<br/>IX Reach<br/>Packet<br/>PacketFabric<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>Orange<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo \| -\| Silicon Valley2 \| [Coresite SV7](https://www.coresite.com/data-centers/locations/silicon-valley/sv7) \| 1 \| West US \| &check; \| Colt<br/>Coresite \| -\| Singapore \| [Equinix SG1](https://www.equinix.com/data-centers/asia-pacific-colocation/singapore-colocation/singapore-data-center/sg1) \| 2 \| Southeast Asia \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>China Mobile International<br/>Epsilon Global Communications<br/>Equinix<br/>GTT<br/>InterCloud<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>SingTel<br/>Tata Communications<br/>Telstra Corporation<br/>Telefonica<br/>Verizon<br/>Vodafone \| -\| Singapore2 \| [Global Switch Tai Seng](https://www.globalswitch.com/locations/singapore-data-centres/) \| 2 \| Southeast Asia \| &check; \| CenturyLink Cloud Connect<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Epsilon Global Communications<br/>Equinix<br/>Lightstorm<br/>Megaport<br/>PCCW Global Limited<br/>SingTel<br/>Telehouse - KDDI \| +\| Silicon Valley \| [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) \| 1 \| West US \| &check; \| Aryaka Networks<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>China Unicom Global<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Digital Realty<br/>Equinix<br/>InterCloud<br/>Internet2<br/>IX Reach<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>Orange<br/>Packet<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo \| +\| Silicon Valley2 \| [Coresite SV7](https://www.coresite.com/data-centers/locations/silicon-valley/sv7) \| 1 \| West US \| &check; \| Colt<br/>Coresite<br/>Momentum Telecom \| +\| Singapore \| [Equinix SG1](https://www.equinix.com/data-centers/asia-pacific-colocation/singapore-colocation/singapore-data-center/sg1) \| 2 \| Southeast Asia \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>China Mobile International<br/>China Telecom Global<br/>Epsilon Global Communications<br/>Equinix<br/>GTT<br/>IPC<br/>InterCloud<br/>Level 3 Communications<br/>Megaport<br/>NTT Communications<br/>Orange<br/>PCCW Global Limited<br/>SingTel<br/>Tata Communications<br/>Telstra Corporation<br/>Telefonica<br/>Verizon<br/>Vodafone \| +\| Singapore2 \| [Global Switch Tai Seng](https://www.globalswitch.com/locations/singapore-data-centres/) \| 2 \| Southeast Asia \| &check; \| CenturyLink Cloud Connect<br/>China Mobile International<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Digital Realty<br/>Epsilon Global Communications<br/>Equinix<br/>Lightstorm<br/>Megaport<br/>PCCW Global Limited<br/>SingTel<br/>Telehouse - KDDI \| \| Stavanger \| [Green Mountain DC1](https://greenmountain.no/dc1-stavanger/) \| 1 \| Norway West \| &check; \| GlobalConnect<br/>Megaport<br/>Telenor \| \| Stockholm \| [Equinix SK1](https://www.equinix.com/locations/europe-colocation/sweden-colocation/stockholm-data-centers/sk1/) \| 1 \| Sweden Central \| &check; \| Cinia<br/>Equinix<br/>GlobalConnect<br/>Interxion (Digital Realty)<br/>Megaport<br/>Telia Carrier \| \| Sydney \| [Equinix SY2](https://www.equinix.com/locations/asia-colocation/australia-colocation/sydney-data-centers/sy2/) \| 2 \| Australia East \| &check; \| AARNet<br/>AT&T NetBond<br/>British Telecom<br/>Cello<br/>Devoli<br/>Equinix<br/>GTT<br/>Kordia<br/>Megaport<br/>NEXTDC<br/>NTT Communications<br/>Optus<br/>Orange<br/>Spark NZ<br/>Telstra Corporation<br/>TPG Telecom<br/>Verizon<br/>Vocus Group NZ \| -\| Sydney2 \| [NextDC S1](https://www.nextdc.com/data-centres/s1-sydney-data-centre) \| 2 \| Australia East \| &check; \| Megaport<br/>NETSG<br/>NextDC \| +\| Sydney2 \| [NextDC S1](https://www.nextdc.com/data-centres/s1-sydney-data-centre) \| 2 \| Australia East \| &check; \| AARNet<br/>Megaport<br/>NETSG<br/>NextDC \| #### [T-Z](#tab/t-z) The following table shows connectivity locations and the service providers for e \| Tel Aviv \| Bezeq International \| 2 \| Israel Central \| &check; \| Bezeq International \| \| Tel Aviv2 \| SDS \| 2 \| Israel Central \| &check; \| \| \| Tokyo \| [Equinix TY4](https://www.equinix.com/locations/asia-colocation/japan-colocation/tokyo-data-centers/ty4/) \| 2 \| Japan East \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>BBIX<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Equinix<br/>Intercloud<br/>Internet Initiative Japan Inc. - IIJ<br/>Megaport<br/>NTT Communications<br/>NTT EAST<br/>Orange<br/>Softbank<br/>Telehouse - KDDI<br/>Verizon </br></br> \| -\| Tokyo2 \| [AT TOKYO](https://www.attokyo.com/) \| 2 \| Japan East \| &check; \| AT TOKYO<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Equinix<br/>IX Reach<br/>Megaport<br/>PCCW Global Limited<br/>Tokai Communications \| +\| Tokyo2 \| [AT TOKYO](https://www.attokyo.com/) \| 2 \| Japan East \| &check; \| AT TOKYO<br/>China Telecom Global<br/>China Unicom Global<br/>Colt<br/>DE-CIX<br/>Digital Realty<br/>Equinix<br/>IPC<br/>IX Reach<br/>Megaport<br/>PCCW Global Limited<br/>Tokai Communications \| \| Tokyo3 \| [NEC](https://www.nec.com/en/global/solutions/cloud/inzai_datacenter.html) \| 2 \| Japan East \| &check; \| NEC<br/>SCSK \| \| Toronto \| [Cologix TOR1](https://www.cologix.com/data-centers/toronto/tor1/) \| 1 \| Canada Central \| &check; \| AT&T NetBond<br/>Bell Canada<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Equinix<br/>IX Reach Megaport<br/>Orange<br/>Telus<br/>Verizon<br/>Zayo \| \| Toronto2 \| [Allied REIT](https://www.alliedreit.com/property/905-king-st-w/) \| 1 \| Canada Central \| &check; \| Fibrenoire<br/>Zayo \| \| Vancouver \| [Cologix VAN1](https://www.cologix.com/data-centers/vancouver/van1/) \| 1 \| &cross; \| &check; \| Bell Canada<br/>Cologix<br/>Megaport<br/>Telus<br/>Zayo \| \| Warsaw \| [Equinix WA1](https://www.equinix.com/data-centers/europe-colocation/poland-colocation/warsaw-data-centers/wa1) \| 1 \| Poland Central \| &check; \| Equinix<br/>Exatel<br/>Orange Poland<br/>T-mobile Poland \| -\| Washington DC \| [Equinix DC2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/washington-dc-data-centers/dc2/)<br/>[Equinix DC6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/washington-dc-data-centers/dc6) \| 1 \| East US<br/>East US 2 \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Crown Castle<br/>Digital Realty<br/>Equinix<br/>IPC<br/>Internet2<br/>InterCloud<br/>IPC<br/>Iron Mountain<br/>IX Reach<br/>Level 3 Communications<br/>Lightpath<br/>Megaport<br/>Neutrona Networks<br/>NTT Communications<br/>Orange<br/>PacketFabric<br/>SES<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Telefonica<br/>Verizon<br/>Zayo \| +\| Washington DC \| [Equinix DC2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/washington-dc-data-centers/dc2/)<br/>[Equinix DC6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/washington-dc-data-centers/dc6) \| 1 \| East US<br/>East US 2 \| &check; \| Aryaka Networks<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Crown Castle<br/>Digital Realty<br/>Equinix<br/>IPC<br/>Internet2<br/>InterCloud<br/>IPC<br/>Iron Mountain<br/>IX Reach<br/>Level 3 Communications<br/>Lightpath<br/>Megaport<br/>Momentum Telecom<br/>Neutrona Networks<br/>NTT Communications<br/>Orange<br/>PacketFabric<br/>SES<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Telefonica<br/>Verizon<br/>Zayo \| \| Washington DC2 \| [Coresite VA2](https://www.coresite.com/data-center/va2-reston-va) \| 1 \| East US<br/>East US 2 \| &cross; \| CenturyLink Cloud Connect<br/>Coresite<br/>Intelsat<br/>Megaport<br/>Momentum Telecom<br/>Viasat<br/>Zayo \| \| Zurich \| [Interxion ZUR2](https://www.interxion.com/Locations/zurich/) \| 1 \| Switzerland North \| &check; \| Colt<br/>Equinix<br/>Intercloud<br/>Interxion (Digital Realty)<br/>Megaport<br/>Swisscom<br/>Zayo \| \| Zurich2 \| [Equinix ZH5](https://www.equinix.com/data-centers/europe-colocation/switzerland-colocation/zurich-data-centers/zh5) \| 1 \| Switzerland North \| &check; \| Equinix \|
expressroute	Expressroute Locations	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations.md	Previously updated : 07/31/2024 Last updated : 09/22/2024 The following table shows locations by service provider. If you want to view ava \|Service provider \| Microsoft Azure \| Microsoft 365 \| Locations \| \| \| \| \| \| -\| [AARNet](https://www.aarnet.edu.au/network-and-services/connectivity-services/azure-expressroute) \|&check; \|&check; \| Melbourne<br/>Sydney \| +\| [AARNet](https://www.aarnet.edu.au/network-and-services/connectivity-services/azure-expressroute) \|&check; \|&check; \| Melbourne<br/>Sydney<br/>Sydney2 \| \| [Airtel](https://www.airtel.in/business/#/) \| &check; \| &check; \| Chennai2<br/>Mumbai2<br/>Pune \| \| [AIS](https://business.ais.co.th/solution/en/azure-expressroute.html) \| &check; \| &check; \| Bangkok \| \| [Aryaka Networks](https://www.aryaka.com/) \| &check; \| &check; \| Amsterdam<br/>Chicago<br/>Dallas<br/>Hong Kong<br/>Sao Paulo<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC \| The following table shows locations by service provider. If you want to view ava \| CDC \| &check; \| &check; \| Canberra<br/>Canberra2 \| \| [CenturyLink Cloud Connect](https://www.centurylink.com/cloudconnect) \| &check; \| &check; \| Amsterdam2<br/>Chicago<br/>Dallas<br/>Dublin<br/>Frankfurt<br/>Hong Kong<br/>Las Vegas<br/>London<br/>London2<br/>Montreal<br/>New York<br/>Paris<br/>Phoenix<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Singapore2<br/>Tokyo<br/>Toronto<br/>Washington DC<br/>Washington DC2 \| \| [Chief Telecom](https://www.chief.com.tw/) \|&check; \|&check; \| Hong Kong<br/>Taipei \| -\| China Mobile International \|&check; \|&check; \| Hong Kong<br/>Hong Kong2<br/>Singapore \| -\| China Telecom Global \|&check; \|&check; \| Hong Kong<br/>Hong Kong2 \| -\| China Unicom Global \|&check; \|&check; \| Frankfurt<br/>Hong Kong<br/>Los Angeles<br/>Silicon Valley<br/>Singapore2<br/>Tokyo2 \| +\| China Mobile International \|&check; \|&check; \| Hong Kong<br/>Hong Kong2<br/>Singapore<br/>Singapore2 \| +\| China Telecom Global \|&check; \|&check; \| Hong Kong<br/>Hong Kong2<br/>Singapore<br/>Tokyo2 \| +\| China Unicom Global \|&check; \|&check; \| Amsterdam<br/>Frankfurt<br/>Hong Kong<br/>Los Angeles<br/>Silicon Valley<br/>Singapore2<br/>Tokyo2 \| \| Chunghwa Telecom \|&check; \|&check; \| Taipei \| \| [Cinia](https://www.cinia.fi/) \|&check; \|&check; \| Amsterdam2<br/>Stockholm \| \| [Cirion Technologies](https://lp.ciriontechnologies.com/cloud-connect-lp-latam?c_campaign=HOTSITE&c_tactic=&c_subtactic=&utm_source=SOLUCIONES-CTA&utm_medium=Organic&utm_content=&utm_term=&utm_campaign=HOTSITE-ESP) \| &check; \| &check; \| Queretaro<br/>Rio De Janeiro<br/>Santiago \| The following table shows locations by service provider. If you want to view ava \|Service provider \| Microsoft Azure \| Microsoft 365 \| Locations \| \| \| \| \| \| -\| [DE-CIX](https://www.de-cix.net/en/services/directcloud/microsoft-azure) \| &check; \|&check; \| Amsterdam2<br/>Chennai<br/>Chicago2<br/>Copenhagen<br/>Dallas<br/>Dubai2<br/>Frankfurt<br/>Frankfurt2<br/>Kuala Lumpur<br/>Madrid<br/>Marseille<br/>Mumbai<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Phoenix<br/>Seattle<br/>Singapore2<br/>Tokyo2 \| +\| DCI Indonesia \|&check; \|&check; \| Jakarta \| +\| [DE-CIX](https://www.de-cix.net/en/services/directcloud/microsoft-azure) \| &check; \|&check; \| Amsterdam2<br/>Chennai<br/>Chicago2<br/>Copenhagen<br/>Dallas<br/>Dubai2<br/>Frankfurt<br/>Frankfurt2<br/>Jakarta<br/>Kuala Lumpur<br/>Madrid<br/>Marseille<br/>Mumbai<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Phoenix<br/>Seattle<br/>Singapore2<br/>Tokyo2 \| \| [Devoli](https://devoli.com/expressroute) \| &check; \|&check; \| Auckland<br/>Melbourne<br/>Sydney \| \| [Deutsche Telekom AG IntraSelect](https://geschaeftskunden.telekom.de/vernetzung-digitalisierung/produkt/intraselect) \| &check; \|&check; \| Frankfurt \| \| [Deutsche Telekom AG](https://www.t-systems.com/de/en/cloud-services/solutions/public-cloud/azure-managed-cloud-services/cloud-connect-for-azure) \| &check; \|&check; \| Amsterdam<br/>Frankfurt2<br/>Hong Kong2 \| -\| [Digital Realty](https://www.digitalrealty.com/partners/microsoft-azure) \| &check; \| &check; \| Dallas2<br/>Seattle<br/>Silicon Valley<br/>Washington DC \| +\| [Digital Realty](https://www.digitalrealty.com/partners/microsoft-azure) \| &check; \| &check; \| Dallas2<br/>Seattle<br/>Silicon Valley<br/>Singapore2<br/>Tokyo2<br/>Washington DC \| \| du datamena \|&check; \|&check; \| Dubai2 \| \| [eir evo](https://www.eirevo.ie/cloud-services/cloud-connectivity) \|&check; \|&check; \| Dublin \| \| [Epsilon Global Communications](https://epsilontel.com/solutions/cloud-connect/) \| &check; \| &check; \| Hong Kong2<br/>London2<br/>Singapore<br/>Singapore2 \| -\| [Equinix](https://www.equinix.com/partners/microsoft-azure/) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Berlin<br/>Canberra2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>London<br/>London2<br/>Los Angeles<br/>Los Angeles2<br/>Madrid2<br/>Melbourne<br/>Miami<br/>Milan<br/>Mumbai2<br/>New York<br/>Osaka<br/>Paris<br/>Paris2<br/>Perth<br/>Quebec City<br/>Queretaro (Mexico)<br/>Rio de Janeiro<br/>Sao Paulo<br/>Seattle<br/>Seoul<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stockholm<br/>Sydney<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Washington DC<br/>Warsaw<br/>Zurich</br>Zurich2</br></br> New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2. \| +\| [Equinix](https://www.equinix.com/partners/microsoft-azure/) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Berlin<br/>Canberra2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>London<br/>London2<br/>Los Angeles<br/>Los Angeles2<br/>Madrid2<br/>Melbourne<br/>Miami<br/>Milan<br/>Mumbai2<br/>New York<br/>Osaka<br/>Paris<br/>Paris2<br/>Perth<br/>Quebec City<br/>Queretaro (Mexico)<br/>Rio de Janeiro<br/>Santiago<br/>Sao Paulo<br/>Seattle<br/>Seoul<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stockholm<br/>Sydney<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Washington DC<br/>Warsaw<br/>Zurich</br>Zurich2</br></br> New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2. \| \| Etisalat UAE \|&check; \|&check; \| Dubai \| \| [euNetworks](https://eunetworks.com/services/solutions/cloud-connect/microsoft-azure-expressroute/) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Dublin<br/>Frankfurt<br/>London<br/>Paris \| \| Exatel \|&check; \|&check; \| Warsaw \| The following table shows locations by service provider. If you want to view ava \| [Fastweb](https://www.fastweb.it/grandi-aziende/dati-voce/scheda-prodotto/fast-company/) \| &check; \|&check; \| Milan \| \| [Fibrenoire](https://fibrenoire.ca/en/services/cloudextn-2/) \| &check; \| &check; \| Montreal<br/>Quebec City<br/>Toronto2 \| \| [GBI](https://www.gbiinc.com/microsoft-azure/) \| &check; \| &check; \| Dubai2<br/>Frankfurt \| -\| [G├ëANT](https://www.geant.org/Networks) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Dublin<br/>Frankfurt<br/>Marseille \| +\| [G├ëANT](https://www.geant.org/Networks) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Dublin<br/>Frankfurt<br/>Madrid2<br/>Marseille \| \| [GlobalConnect](https://www.globalconnect.no/) \| &check; \| &check; \| Amsterdam<br/>Copenhagen<br/>Oslo<br/>Stavanger<br/>Stockholm \| \| [GlobalConnect DK](https://www.globalconnect.no/) \| &check; \| &check; \| Amsterdam \| -\| GTT \|&check; \|&check; \| Amsterdam<br/>Dallas<br/>Los Angeles2<br/>London2<br/>Singapore<br/>Sydney<br/>Washington DC \| +\| GTT \|&check; \|&check; \| Amsterdam<br/>Dallas<br/>Los Angeles2<br/>London2<br/>Madrid<br/>Singapore<br/>Sydney<br/>Washington DC \| \| [Global Cloud Xchange (GCX)](https://globalcloudxchange.com/cloud-platform/cloud-x-fusion/) \| &check;\| &check; \| Chennai<br/>Mumbai \| \| [iAdvantage](https://www.scx.sunevision.com/) \| &check; \| &check; \| Hong Kong2 \| \| Intelsat \| &check; \| &check; \| London2<br/>Washington DC2 \| -\| [InterCloud](https://www.intercloud.com/) \|&check; \|&check; \| Amsterdam<br/>Chicago<br/>Dallas<br/>Dublin2<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>London<br/>Madrid<br/>Mumbai<br/>New York<br/>Paris<br/>Paris2<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC<br/>Zurich \| +\| [InterCloud](https://www.intercloud.com/) \|&check; \|&check; \| Amsterdam<br/>Chicago<br/>Dallas<br/>Dublin2<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>London<br/>Madrid<br/>Madrid2<br/>Mumbai<br/>New York<br/>Paris<br/>Paris2<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC<br/>Zurich \| \| [Internet2](https://internet2.edu/services/cloud-connect/#service-cloud-connect) \| &check; \| &check; \| Chicago<br/>Dallas<br/>Silicon Valley<br/>Washington DC \| \| [Internet Initiative Japan Inc. - IIJ](https://www.iij.ad.jp/en/news/pressrelease/2015/1216-2.html) \| &check; \| &check; \| Osaka<br/>Tokyo<br/>Tokyo2 \| \| [Internet Solutions - Cloud Connect](https://www.is.co.za/solution/cloud-connect/) \| &check; \| &check; \| Cape Town<br/>Johannesburg<br/>London \| \| [Interxion (Digital Realty)](https://www.digitalrealty.com/partners/microsoft-azure) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Copenhagen<br/>Dublin<br/>Dublin2<br/>Frankfurt<br/>London<br/>London2<br/>Madrid<br/>Marseille<br/>Paris<br/>Stockholm<br/>Zurich \| -\| IPC \| &check; \|&check; \| Washington DC \| +\| IPC \| &check; \|&check; \| Singapore<br/>Tokyo2<br/>Washington DC \| \| [IRIDEOS](https://irideos.it/) \| &check; \| &check; \| Milan \| \| Iron Mountain \| &check; \|&check; \| Washington DC \| \| [IX Reach](https://www.ixreach.com/partners/cloud-partners/microsoft-azure/)\| &check; \| &check; \| Amsterdam<br/>London2<br/>Silicon Valley<br/>Tokyo2<br/>Toronto<br/>Washington DC \| The following table shows locations by service provider. If you want to view ava \| [Liquid Intelligent Technologies](https://liquidcloud.africa/connect/) \| &check; \| &check; \| Cape Town<br/>Johannesburg \| \| [LGUplus](http://www.uplus.co.kr/) \|&check; \|&check; \| Seoul \| \| [MCM Telecom](https://www.mcmtelecom.com/alianza-microsoft) \| &check; \| &check; \| Dallas<br/>Queretaro (Mexico)\| -\| [Megaport](https://www.megaport.com/services/microsoft-expressroute/) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Auckland<br/>Chicago<br/>Dallas<br/>Denver<br/>Dubai2<br/>Dublin<br/>Dublin2<br/>Frankfurt<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>Las Vegas<br/>London<br/>London2<br/>Los Angeles<br/>Madrid<br/>Melbourne<br/>Miami<br/>Minneapolis<br/>Montreal<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Paris<br/>Perth<br/>Phoenix<br/>Quebec City<br/>Queretaro (Mexico)<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stavanger<br/>Stockholm<br/>Sydney<br/>Sydney2<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich \| -\| [Momentum Telecom](https://gomomentum.com/) \| &check; \| &check; \| Atlanta<br/>Chicago<br/>Dallas<br/>Miami<br/>New York<br/>Silicon Valley<br/>Washington DC2 \| +\| [Megaport](https://www.megaport.com/services/microsoft-expressroute/) \| &check; \| &check; \| Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Auckland<br/>Chicago<br/>Chicago2<br/>Dallas<br/>Denver<br/>Dubai2<br/>Dublin<br/>Dublin2<br/>Frankfurt<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>Las Vegas<br/>London<br/>London2<br/>Los Angeles<br/>Madrid<br/>Melbourne<br/>Miami<br/>Minneapolis<br/>Montreal<br/>Munich<br/>New York<br/>Osaka<br/>Oslo<br/>Paris<br/>Perth<br/>Phoenix<br/>Quebec City<br/>Queretaro (Mexico)<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stavanger<br/>Stockholm<br/>Sydney<br/>Sydney2<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich \| +\| [Momentum Telecom](https://gomomentum.com/) \| &check; \| &check; \| Atlanta<br/>Chicago<br/>Chicago2<br/>Dallas<br/>Dallas2<br/>Denver<br/>London<br/>Los Angeles<br/>Miami<br/>New York<br/>Silicon Valley<br/>Silicon Valley2<br/>Washington DC<br/>Washington DC2 \| \| [MTN](https://www.mtnbusiness.co.za/en/Cloud-Solutions/Pages/microsoft-express-route.aspx) \| &check; \| &check; \| London \| \| MTN Global Connect \| &check; \| &check; \| Cape Town<br/>Johannesburg\| The following table shows locations by service provider. If you want to view ava \| [NTT Communications - Flexible InterConnect](https://sdpf.ntt.com/) \|&check; \|&check; \| Jakarta<br/>Osaka<br/>Singapore2<br/>Tokyo<br/>Tokyo2 \| \| [NTT EAST](https://business.ntt-east.co.jp/service/crossconnect/) \|&check; \|&check; \| Tokyo \| \| [NTT Global DataCenters EMEA](https://hello.global.ntt/) \|&check; \|&check; \| Amsterdam2<br/>Berlin<br/>Frankfurt<br/>London2 \| +\| NTT Indonesia \| &check; \| &check; \| Jakarta \| \| [NTT SmartConnect](https://cloud.nttsmc.com/cxc/azure.html) \|&check; \|&check; \| Osaka \| \| [Ooredoo Cloud Connect](https://www.ooredoo.com.kw/portal/en/b2bOffConnAzureExpressRoute) \|&check; \|&check; \| Doha<br/>Doha2<br/>London2<br/>Marseille \| \| [Optus](https://www.optus.com.au/enterprise/networking/network-connectivity/express-link/) \|&check; \|&check; \| Melbourne<br/>Sydney \| The following table shows locations by service provider. If you want to view ava \| SCSK \|&check; \| &check; \| Tokyo3 \| \| [Sejong Telecom](https://www.sejongtelecom.net/) \| &check; \| &check; \| Seoul \| \| [SES](https://www.ses.com/networks/signature-solutions/signature-cloud/ses-and-azure-expressroute) \| &check; \| &check; \| London2<br/>Washington DC \| -\| [SIFY](https://sifytechnologies.com/) \| &check; \| &check; \| Chennai<br/>Mumbai2 \| +\| [SIFY](https://sifytechnologies.com/) \| &check; \| &check; \| Chennai<br/>Mumbai2<br/>Pune \| \| [SingTel](https://www.singtel.com/about-us/news-releases/singtel-provide-secure-private-access-microsoft-azure-public-cloud) \|&check; \|&check; \| Hong Kong2<br/>Singapore<br/>Singapore2 \| \| [SK Telecom](http://b2b.tworld.co.kr/bizts/solution/solutionTemplate.bs?solutionId=0085) \| &check; \| &check; \| Seoul \| \| [Softbank](https://www.softbank.jp/biz/cloud/cloud_access/direct_access_for_az/) \|&check; \|&check; \| Osaka<br/>Tokyo<br/>Tokyo2 \| The following table shows locations by service provider. If you want to view ava \|Service provider \| Microsoft Azure \| Microsoft 365 \| Locations \| \| \| \| \| \| -\| [Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/) \| &check; \| &check; \| Amsterdam<br/>Chennai<br/>Chicago<br/>Hong Kong<br/>London<br/>Mumbai<br/>Pune<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Washington DC \| +\| [Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/) \| &check; \| &check; \| Amsterdam<br/>Chennai<br/>Chicago<br/>Hong Kong<br/>London<br/>London2<br/>Mumbai<br/>Pune<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Washington DC \| \| [Telefonica](https://www.telefonica.com/es/) \| &check; \| &check; \| Amsterdam<br/>Dallas<br/>Frankfurt2<br/>Hong Kong<br/>Madrid<br/>Sao Paulo<br/>Singapore<br/>Washington DC \| \| [Telehouse - KDDI](https://www.telehouse.net/solutions/cloud-services/cloud-link) \| &check; \| &check; \| London<br/>London2<br/>Singapore2 \| \| Telenor \|&check; \|&check; \| Amsterdam<br/>London<br/>Oslo<br/>Stavanger \| The following table shows locations by service provider. If you want to view ava \| [Vi (Vodafone Idea)](https://www.myvi.in/business/enterprise-solutions/connectivity/vpn-extended-connect) \| &check; \| &check; \| Chennai<br/>Mumbai2 \| \| Vodafone Qatar \| &check; \| &check; \| Doha \| \| XL Axiata \| &check; \| &check; \| Jakarta \| -\| [Zayo](https://www.zayo.com/services/packet/cloudlink/) \| &check; \| &check; \| Amsterdam<br/>Chicago<br/>Dallas<br/>Denver<br/>Dublin<br/>Frankfurt<br/>Hong Kong<br/>London<br/>London2<br/>Los Angeles<br/>Montreal<br/>New York<br/>Paris<br/>Phoenix<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Toronto<br/>Toronto2<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich\| +\| [Zayo](https://www.zayo.com/services/packet/cloudlink/) \| &check; \| &check; \| Amsterdam<br/>Chicago<br/>Dallas<br/>Denver<br/>Dublin<br/>Frankfurt<br/>Hong Kong<br/>London<br/>London2<br/>Los Angeles<br/>Minneapolis<br/>Montreal<br/>New York<br/>Paris<br/>Phoenix<br/>San Antonio<br/>Seattle<br/>Silicon Valley<br/>Toronto<br/>Toronto2<br/>Vancouver<br/>Washington DC<br/>Washington DC2<br/>Zurich\|
governance	Australia Ism	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md	Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Azure Security Benchmark	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md	Title: Regulatory Compliance details for Microsoft cloud security benchmark description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[\[Preview\]: Azure Stack HCI systems should have encrypted volumes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee8ca833-1583-4d24-837e-96c2af9488a4) \|Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. \|Audit, Disabled, AuditIfNotExists \|[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stack%20HCI/DataAtRestEncryptedAtCluster_Audit.json) \| \|[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) \|Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. \|Audit, Deny, Disabled \|[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) \| \|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) \|Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) \|Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). \|Audit, Deny, Disabled \|[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) \| \|[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) \|Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. \|AuditIfNotExists, Disabled \|[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) \| \|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) \|Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. \|AuditIfNotExists, Disabled \|[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) \|
governance	Built In Initiatives	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-initiatives.md	Title: List of built-in policy initiatives description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Azure Machine Configuration, and more. Previously updated : 09/09/2024 Last updated : 09/23/2024
governance	Built In Policies	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-policies.md	Title: List of built-in policy definitions description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Azure Machine Configuration, and more. Previously updated : 09/09/2024 Last updated : 09/23/2024 The name of each built-in links to the policy definition in the Azure portal. Us [!INCLUDE [azure-policy-reference-policies-health-data-services-workspace](../../../../includes/policy/reference/bycat/policies-health-data-services-workspace.md)] +## Health Deidentification Service ++ ## Healthcare APIs [!INCLUDE [azure-policy-reference-policies-healthcare-apis](../../../../includes/policy/reference/bycat/policies-healthcare-apis.md)]
governance	Canada Federal Pbmm	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/canada-federal-pbmm.md	Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Cis Azure 1 1 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-1-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Cis Azure 1 3 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-3-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Block untrusted and unsigned processes that run from USB](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d399cf3-8fc6-0efc-6ab0-1412f1198517) \|CMA_0050 - Block untrusted and unsigned processes that run from USB \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0050.json) \| \|[Document security operations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c6bee3a-2180-2430-440d-db3c7a849870) \|CMA_0202 - Document security operations \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0202.json) \| \|[Manage gateways](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F63f63e71-6c3f-9add-4c43-64de23e554a7) \|CMA_0363 - Manage gateways \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0363.json) \| -\|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| \|[Perform a trend analysis on threats](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e81644-923d-33fc-6ebb-9733bc8d1a06) \|CMA_0389 - Perform a trend analysis on threats \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0389.json) \| \|[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) \|CMA_0393 - Perform vulnerability scans \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) \| \|[Review malware detections report weekly](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4a6f5cbd-6c6b-006f-2bb1-091af1441bce) \|CMA_0475 - Review malware detections report weekly \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0475.json) \|
governance	Cis Azure 1 4 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-4-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.4.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Cis Azure 2 0 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-2-0-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 2.0.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 2.0.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Cmmc L3	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cmmc-l3.md	Title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Fedramp High	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-high.md	Title: Regulatory Compliance details for FedRAMP High description: Details of the FedRAMP High Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Fedramp Moderate	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-moderate.md	Title: Regulatory Compliance details for FedRAMP Moderate description: Details of the FedRAMP Moderate Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Gov Azure Security Benchmark	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-azure-security-benchmark.md	Title: Regulatory Compliance details for Microsoft cloud security benchmark (Azure Government) description: Details of the Microsoft cloud security benchmark (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|\|\|\|\| \|[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) \|Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. \|Audit, Deny, Disabled \|[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) \| \|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) \|Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Container registries should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) \|Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). \|Audit, Deny, Disabled \|[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) \| \|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) \|Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. \|AuditIfNotExists, Disabled \|[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/SQL/PostgreSQL_EnableByok_Audit.json) \| \|[Storage accounts should use customer-managed key for encryption](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) \|Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. \|Audit, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) \|
governance	Gov Cis Azure 1 1 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-1-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Gov Cis Azure 1 3 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-3-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Gov Cmmc L3	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cmmc-l3.md	Title: Regulatory Compliance details for CMMC Level 3 (Azure Government) description: Details of the CMMC Level 3 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|\|\|\|\| \|[An activity log alert should exist for specific Security operations](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) \|This policy audits specific Security operations with no activity log alerts configured. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) \|Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) \| \|[Security Center standard pricing tier should be selected](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1181c5f-672a-477a-979a-7d58aa086233) \|The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center \|Audit, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_Standard_pricing_tier.json) \| \|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| \|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| initiative definition. \|\|\|\|\| \|[An activity log alert should exist for specific Security operations](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) \|This policy audits specific Security operations with no activity log alerts configured. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) \|Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) \| \|[Security Center standard pricing tier should be selected](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1181c5f-672a-477a-979a-7d58aa086233) \|The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center \|Audit, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_Standard_pricing_tier.json) \| \|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| \|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) \|Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) \| \|[Microsoft Antimalware for Azure should be configured to automatically update protection signatures](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc43e4a30-77cb-48ab-a4dd-93f175c63b57) \|This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AINE.json) \| \|[Microsoft IaaSAntimalware extension should be deployed on Windows servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9b597639-28e4-48eb-b506-56b05d366257) \|This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. \|AuditIfNotExists, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AINE.json) \|
governance	Gov Fedramp High	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-high.md	Title: Regulatory Compliance details for FedRAMP High (Azure Government) description: Details of the FedRAMP High (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Gov Fedramp Moderate	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-moderate.md	Title: Regulatory Compliance details for FedRAMP Moderate (Azure Government) description: Details of the FedRAMP Moderate (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Gov Irs 1075 Sept2016	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-irs-1075-sept2016.md	Title: Regulatory Compliance details for IRS 1075 September 2016 (Azure Government) description: Details of the IRS 1075 September 2016 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Gov Iso 27001	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-iso-27001.md	Title: Regulatory Compliance details for ISO 27001:2013 (Azure Government) description: Details of the ISO 27001:2013 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Gov Nist Sp 800 171 R2	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md	Title: Regulatory Compliance details for NIST SP 800-171 R2 (Azure Government) description: Details of the NIST SP 800-171 R2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Gov Nist Sp 800 53 R4	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md	Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 (Azure Government) description: Details of the NIST SP 800-53 Rev. 4 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Gov Nist Sp 800 53 R5	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md	Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) description: Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Gov Soc 2	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-soc-2.md	Title: Regulatory Compliance details for System and Organization Controls (SOC) 2 (Azure Government) description: Details of the System and Organization Controls (SOC) 2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Automation account variables should be encrypted](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) \|It is important to enable encryption of Automation account variable assets when storing sensitive data \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) \| \|[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) \|Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. \|Audit, Deny, Disabled \|[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) \| \|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) \|Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) \|Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) \| \|[Container registries should be encrypted with a customer-managed key](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) \|Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). \|Audit, Deny, Disabled \|[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) \| \|[Control information flow](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) \|CMA_0079 - Control information flow \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) \|
governance	Hipaa Hitrust 9 2	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/hipaa-hitrust-9-2.md	Title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Irs 1075 Sept2016	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/irs-1075-sept2016.md	Title: Regulatory Compliance details for IRS 1075 September 2016 description: Details of the IRS 1075 September 2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Iso 27001	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/iso-27001.md	Title: Regulatory Compliance details for ISO 27001:2013 description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Mcfs Baseline Confidential	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-confidential.md	Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Confidential Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Confidential Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Mcfs Baseline Global	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-global.md	Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Global Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Global Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Nist Sp 800 171 R2	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-171-r2.md	Title: Regulatory Compliance details for NIST SP 800-171 R2 description: Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Nist Sp 800 53 R4	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r4.md	Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 description: Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Nist Sp 800 53 R5	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r5.md	Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 description: Details of the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure data factories should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ec52d6d-beb7-40c4-9a9e-fe753254690e) \|Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/adf-cmk](https://aka.ms/adf-cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/CustomerManagedKey_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| \|[Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7d52b2d-e161-4dfa-a82b-55e564167385) \|Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceCMK_Audit.json) \|
governance	Nl Bio Cloud Theme	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nl-bio-cloud-theme.md	Title: Regulatory Compliance details for NL BIO Cloud Theme description: Details of the NL BIO Cloud Theme Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure Edge Hardware Center devices should have double encryption support enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a6b96f-576e-47a2-8511-119a212d344d) \|Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Edge%20Hardware%20Center/DoubleEncryption_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea0dfaed-95fb-448c-934e-d6e713ce393d) \|To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview](/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \| initiative definition. \|[Azure Edge Hardware Center devices should have double encryption support enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a6b96f-576e-47a2-8511-119a212d344d) \|Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Edge%20Hardware%20Center/DoubleEncryption_Audit.json) \| \|[Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64d314f6-6062-4780-a861-c23e8951bee5) \|Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/hdi.cmk](https://aka.ms/hdi.cmk). \|Audit, Deny, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/CMK_Audit.json) \| \|[Azure HDInsight clusters should use encryption at host to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) \|Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/HDInsight/EncryptionAtHost_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea0dfaed-95fb-448c-934e-d6e713ce393d) \|To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview](/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json) \| \|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) \|Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](/azure/azure-monitor/platform/customer-managed-keys). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) \| \|[Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F87ba29ef-1ab3-4d82-b763-87fcd4f531f7) \|Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/CMK_Audit.json) \|
governance	Pci Dss 3 2 1	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-3-2-1.md	Title: Regulatory Compliance details for PCI DSS 3.2.1 description: Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Pci Dss 4 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-4-0.md	Title: Regulatory Compliance details for PCI DSS v4.0 description: Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Rbi Itf Banks 2016	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-banks-2016.md	Title: Regulatory Compliance details for Reserve Bank of India IT Framework for Banks v2016 description: Details of the Reserve Bank of India IT Framework for Banks v2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Azure Defender for open-source relational databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a9fbe0d-c5c4-4da8-87d8-f4fd77338835) \|Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at [https://aka.ms/AzDforOpenSourceDBsDocu](https://aka.ms/AzDforOpenSourceDBsDocu). Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnOpenSourceRelationalDatabases_Audit.json) \| \|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) \|Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. \|AuditIfNotExists, Disabled \|[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) \| \|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) \|Audit each SQL Managed Instance without advanced data security. \|AuditIfNotExists, Disabled \|[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) \|Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. \|Audit, Deny, Disabled \|[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) \| \|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) \|Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). \|Audit, Deny, Disabled \|[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) \| \|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) \|Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. \|Audit, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) \| initiative definition. \|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) \|Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. \|AuditIfNotExists, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) \| \|[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) \|Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](/azure/key-vault/general/network-security) \|Audit, Deny, Disabled \|[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/FirewallEnabled_Audit.json) \| \|[Azure Key Vaults should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6abeaec-4d90-4a02-805f-6b26c4d3fbe9) \|Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/akvprivatelink](https://aka.ms/akvprivatelink). \|[parameters('audit_effect')] \|[1.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Should_Use_PrivateEndpoint_Audit.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) \|Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. \|audit, Audit, deny, Deny, disabled, Disabled \|[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) \| \|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) \|Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). \|Audit, Deny, Disabled \|[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) \| \|[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) \|Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. \|Audit, Deny, Disabled \|[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Recoverable_Audit.json) \|
governance	Rbi Itf Nbfc 2017	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-nbfc-2017.md	Title: Regulatory Compliance details for Reserve Bank of India - IT Framework for NBFC description: Details of the Reserve Bank of India - IT Framework for NBFC Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Rmit Malaysia	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rmit-malaysia.md	Title: Regulatory Compliance details for RMIT Malaysia description: Details of the RMIT Malaysia Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Soc 2	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/soc-2.md	Title: Regulatory Compliance details for System and Organization Controls (SOC) 2 description: Details of the System and Organization Controls (SOC) 2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) \|It is important to enable encryption of Automation account variable assets when storing sensitive data \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) \| \|[Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) \|Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. \|Audit, Deny, Disabled \|[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) \| \|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) \|Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). \|audit, Audit, deny, Deny, disabled, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) \| -\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| +\|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) \|Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) \| \|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) \|Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) \| \|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) \|Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. \|audit, Audit, deny, Deny, disabled, Disabled \|[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) \| \|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) \|Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). \|Audit, Deny, Disabled \|[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) \| initiative definition. \|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) \|Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). \|audit, Audit, deny, Deny, disabled, Disabled \|[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) \| \|[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. \|AuditIfNotExists, Disabled \|[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AzureLinuxBaseline_AINE.json) \| \|[Manage gateways](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F63f63e71-6c3f-9add-4c43-64de23e554a7) \|CMA_0363 - Manage gateways \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0363.json) \| -\|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| \|[Only approved VM extensions should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0e996f8-39cf-4af9-9f45-83fbde810432) \|This policy governs the virtual machine extensions that are not approved. \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json) \| \|[Perform a trend analysis on threats](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e81644-923d-33fc-6ebb-9733bc8d1a06) \|CMA_0389 - Perform a trend analysis on threats \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0389.json) \| \|[Perform vulnerability scans](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) \|CMA_0393 - Perform vulnerability scans \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0393.json) \|
governance	Spain Ens	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/spain-ens.md	Title: Regulatory Compliance details for Spain ENS description: Details of the Spain ENS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024 initiative definition. \|[Configure Microsoft Defender for SQL to be enabled on Synapse workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F951c1558-50a5-4ca3-abb6-a93e3e2367a6) \|Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. \|DeployIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_DINE.json) \| \|[Configure Microsoft Defender for Storage (Classic) to be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c30959-af11-47b3-9ed2-a26e03f427a3) \|Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. \|DeployIfNotExists, Disabled \|[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Azure_Defender_Storage_DINE.json) \| \|[Configure Microsoft Defender for Storage to be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcfdc5972-75b3-4418-8ae1-7f5c36839390) \|Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. \|DeployIfNotExists, Disabled \|[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_DINE.json) \| -\|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) \|Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). \|DeployIfNotExists, Disabled \|[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json) \| -\|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc859b78a-a128-4376-a838-e97ce6625d16) \|Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. \|DeployIfNotExists, Disabled \|[1.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json) \| -\|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04754ef9-9ae3-4477-bf17-86ef50026304) \|Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. \|DeployIfNotExists, Disabled \|[1.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json) \| -\|[Configure the Microsoft Defender for SQL Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F242300d6-1bfc-4d64-8d01-cee583709ebd) \|Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. \|DeployIfNotExists, Disabled \|[1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployDefaultWorkspace.json) \| +\|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) \|Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). \|DeployIfNotExists, Disabled \|[1.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json) \| +\|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc859b78a-a128-4376-a838-e97ce6625d16) \|Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. \|DeployIfNotExists, Disabled \|[1.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json) \| +\|[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04754ef9-9ae3-4477-bf17-86ef50026304) \|Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. \|DeployIfNotExists, Disabled \|[1.8.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json) \| +\|[Configure the Microsoft Defender for SQL Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F242300d6-1bfc-4d64-8d01-cee583709ebd) \|Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. \|DeployIfNotExists, Disabled \|[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployDefaultWorkspace.json) \| \|[Control maintenance and repair activities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6ad009f-5c24-1dc0-a25e-74b60e4da45f) \|CMA_0080 - Control maintenance and repair activities \|Manual, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0080.json) \| \|[Deploy Defender for Storage (Classic) on storage accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F361c2074-3595-4e5d-8cab-4f21dffc835c) \|This policy enables Defender for Storage (Classic) on storage accounts. \|DeployIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAdvancedThreatProtection_DINE.json) \| \|[Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf9f6c70-eb74-4189-8d15-e4f11a7ebfd4) \|Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. \|DeployIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ExportToEventHubAsTrustedService_DINE.json) \|
governance	Swift Csp Cscf 2021	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2021.md	Title: Regulatory Compliance details for SWIFT CSP-CSCF v2021 description: Details of the SWIFT CSP-CSCF v2021 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Swift Csp Cscf 2022	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2022.md	Title: Regulatory Compliance details for SWIFT CSP-CSCF v2022 description: Details of the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
governance	Ukofficial Uknhs	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/ukofficial-uknhs.md	Title: Regulatory Compliance details for UK OFFICIAL and UK NHS description: Details of the UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 09/12/2024 Last updated : 09/23/2024
hdinsight-aks	Use Machine Learning Notebook On Spark	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/spark/use-machine-learning-notebook-on-spark.md	The following tutorial notebook shows an example of training machine learning mo 1. Find your storage and container name in the portal JSON view :::image type="content" source="./media/use-machine-learning-notebook-on-spark/json-view.png" alt-text="Screenshot showing JSON view." lightbox="./media/use-machine-learning-notebook-on-spark/json-view.png"::: - - :::image type="content" source="./media/use-machine-learning-notebook-on-spark/resource-json.png" alt-text="Screenshot showing resource JSON view." lightbox="./media/use-machine-learning-notebook-on-spark/resource-json.png"::: 1. Navigate into your primary HDI storage>container>base folder> upload the [CSV](https://github.com/Azure-Samples/hdinsight-aks/blob/main/spark/iris_csv.csv)
hdinsight	Hdinsight Log Management	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-log-management.md	log4j.logger.alerts=DEBUG,alerts The next step is reviewing the job execution log files for the various services. Services could include Apache HBase, Apache Spark, and many others. A Hadoop cluster produces a large number of verbose logs, so determining which logs are useful (and which aren't) can be time-consuming. Understanding the logging system is important for targeted management of log files. The following image is an example log file. - ### Access the Hadoop log files HDInsight stores its log files both in the cluster file system and in Azure Storage. You can examine log files in the cluster by opening an [SSH](hdinsight-hadoop-linux-use-ssh-unix.md) connection to the cluster and browsing the file system, or by using the Hadoop YARN Status portal on the remote head node server. You can examine the log files in Azure Storage using any of the tools that can access and download data from Azure Storage. Examples are [AzCopy](../storage/common/storage-use-azcopy-v10.md), [CloudXplorer](https://clumsyleaf.com/products/cloudxplorer), and the Visual Studio Server Explorer. You can also use PowerShell and the Azure Storage Client libraries, or the Azure .NET SDKs, to access data in Azure blob storage.
logic-apps	Create Single Tenant Workflows Azure Portal	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-single-tenant-workflows-azure-portal.md	Title: Create example Standard workflow in Azure portal -description: Learn to build your first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal. - + Title: Create example Standard logic app workflow in Azure portal +description: Create your first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal. + ms.suite: integration Previously updated : 08/13/2024 Last updated : 09/23/2024 # Customer intent: As a developer, I want to create my first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal. Last updated 08/13/2024 [!INCLUDE [logic-apps-sku-standard](../../includes/logic-apps-sku-standard.md)] -This how-to guide shows how to create an example workflow that runs in single-tenant Azure Logic Apps. The workflow waits for an inbound web request and then sends a message to an email account. Specifically, you create a Standard logic app resource and workflow that contains the following items: +This how-to guide shows how to create an example automated workflow that waits for an inbound web request and then sends a message to an email account. More specifically, you create a [Standard logic app resource](logic-apps-overview.md#resource-environment-differences), which can include multiple [stateful and stateless workflows](single-tenant-overview-compare.md#stateful-stateless) that run in single-tenant Azure Logic Apps. - The Request trigger, which creates a callable endpoint that can handle inbound requests from any caller. - The Office 365 Outlook connector, which provides an action to send email. You can have multiple workflows in a Standard logic app. Workflows in the same l The operations in this example are from two connectors among [1000+ connectors](/connectors/connector-reference/connector-reference-logicapps-connectors) that you can use in a workflow. While this example is cloud-based, you can create workflows that integrate a vast range of apps, data, services, and systems across cloud, on-premises, and hybrid environments. -For more information, see the following documentation: --- [Single-tenant versus multitenant](single-tenant-overview-compare.md)-- [Create and deploy to different environments](logic-apps-overview.md#resource-environment-differences) +As you progress, you complete these high-level tasks: To create a Standard logic app workflow from a prebuilt template that follows a commonly used pattern, see [Create a Standard logic app workflow from a prebuilt template](create-single-tenant-workflows-templates.md). To create and manage a Standard logic app workflow using other tools, see [Create Standard workflows with Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md). With Visual Studio Code, you can develop, test, and run workflows in your local development environment. +For more information, see the following documentation: + +- [Single-tenant versus multitenant](single-tenant-overview-compare.md) +- [Create and deploy to different environments](logic-apps-overview.md#resource-environment-differences) + ## Prerequisites * An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). To create and manage a Standard logic app workflow using other tools, see [Creat * To deploy your Standard logic app resource to an [App Service Environment v3 (ASEv3) - Windows plan only](../app-service/environment/overview.md), you have to create this environment resource first. You can then select this environment as the deployment location when you create your logic app. For more information, see [Resources types and environments](single-tenant-overview-compare.md#resource-environment-differences) and [Create an App Service Environment](../app-service/environment/creation.md). +* To enable communication from your Standard logic app workflows to a private endpoint on a Premium integration account, you must have an existing Azure virtual network. Both your logic app, virtual network, and integration account must use the same Azure region. Both your logic app and integration account must exist inside the same virtual network. For more information, see [Create a virtual network](../virtual-network/quick-create-portal.md). + * If you enable [Application Insights](/azure/azure-monitor/app/app-insights-overview) on your logic app, you can optionally enable diagnostics logging and tracing. You can do so either when you create your logic app or after deployment. You need to have an Application Insights instance, but you can [create this resource in advance](/azure/azure-monitor/app/create-workspace-resource), when you create your logic app, or after deployment. ## Best practices and recommendations More workflows in your logic app raise the risk of longer load times, which nega 1. On the Create Logic App page, select Standard (Workflow Service Plan). + \| Plan type \| Description \| + \|--\|-\| + \| Standard \| This logic app type is the default selection. Workflows run in single-tenant Azure Logic Apps and use the [Standard pricing model](logic-apps-pricing.md#standard-pricing). \| + \| Consumption \| This logic app type and workflow runs in global, multitenant Azure Logic Apps and uses the [Consumption pricing model](logic-apps-pricing.md#consumption-pricing). \| + 1. On the Create Logic App page, on the Basics tab, provide the following basic information about your logic app: \| Property \| Required \| Value \| Description \| More workflows in your logic app raise the risk of longer load times, which nega \| Property \| Required \| Value \| Description \| \|-\|-\|-\|-\| - \| Storage type \| Yes \| - Azure Storage <br>- SQL (Preview) and Azure Storage \| The storage type that you want to use for workflow-related artifacts and data. <br><br>- To deploy only to Azure, select Azure Storage. <br><br>- To use SQL as primary storage and Azure Storage as secondary storage, select SQL (Preview) and Azure Storage, and see [Set up SQL database storage for Standard logic apps in single-tenant Azure Logic Apps](set-up-sql-db-storage-single-tenant-standard-workflows.md). <br><br>Note: If you're deploying to an Azure region, you still need an Azure storage account, which is used to complete the one-time hosting of the logic app's configuration on the Azure Logic Apps platform. The workflow's state, run history, and other runtime artifacts are stored in your SQL database. <br><br>For deployments to a custom location that's hosted on an Azure Arc cluster, you only need SQL as your storage provider. \| + \| Storage type \| Yes \| - Azure Storage <br>- SQL and Azure Storage \| The storage type that you want to use for workflow-related artifacts and data. <br><br>- To deploy only to Azure, select Azure Storage. <br><br>- To use SQL as primary storage and Azure Storage as secondary storage, select SQL and Azure Storage, and review [Set up SQL database storage for Standard logic apps in single-tenant Azure Logic Apps](set-up-sql-db-storage-single-tenant-standard-workflows.md). <br><br>Note: If you're deploying to an Azure region, you still need an Azure storage account, which is used to complete the one-time hosting of the logic app's configuration on the Azure Logic Apps platform. The workflow's state, run history, and other runtime artifacts are stored in your SQL database. <br><br>For deployments to a custom location that is hosted on an Azure Arc cluster, you only need SQL as your storage provider. \| \| Storage account \| Yes \| <Azure-storage-account-name> \| The [Azure Storage account](../storage/common/storage-account-overview.md) to use for storage transactions. <br><br>This resource name must be unique across regions and have 3-24 characters with only numbers and lowercase letters. Either select an existing account or create a new account. <br><br>This example creates a storage account named mystorageacct. \| -1. On the Networking tab, you can leave the default options for this example. +1. On the Networking tab, you can leave the default options to follow the example. However, for specific, real-world scenarios, make sure to review and select the following appropriate options. You can also change this configuration after you deploy your logic app resource. For more information, see [Secure traffic between Standard logic apps and Azure virtual networks using private endpoints](secure-single-tenant-workflow-virtual-network-private-endpoint.md). - For your specific, real-world scenarios, make sure to review and select the appropriate options. You can also change this configuration after you deploy your logic app resource. For more information, see [Secure traffic between Standard logic apps and Azure virtual networks using private endpoints](secure-single-tenant-workflow-virtual-network-private-endpoint.md). + The following Enable public access setting applies to endpoints on your logic app and doesn't affect whether your logic app can communicate with Azure resources in the same virtual network, for example, a Premium integration account with a private endpoint. To access such Azure resources, your logic app must exist in the same virtual network as these resources. \| Enable public access \| Behavior \| \|-\|-\| - \| On \| Your logic app has a public endpoint with an inbound address that's open to the internet and can't access an Azure virtual network. \| - \| Off \| Your logic app has no public endpoint, but has a private endpoint instead for communication within an Azure virtual network, and is isolated to that virtual network. The private endpoint can communicate with endpoints in the virtual network, but only from clients within that network. This configuration also means that logic app traffic can be governed by network security groups or affected by virtual network routes. \| + \| On \| Your logic app has a public endpoint with an inbound address that's open to the internet. For clients that are outside an Azure virtual network, they can use this endpoint to access your logic app, but not the virtual network. \| + \| Off \| Your logic app has no public endpoint, but has a private endpoint instead for communication within an Azure virtual network, and is isolated within that virtual network. The private endpoint can communicate with endpoints in the virtual network, but only from clients within that network. This configuration also means that logic app traffic can be governed by network security groups or affected by virtual network routes. \| - To enable your logic app to access endpoints in a virtual network, make sure to select the appropriate option: + The following settings control Standard logic app access to endpoints in a virtual network: \| Enable network injection \| Behavior \| \|--\|-\| - \| On \| Your logic app workflows can privately and securely communicate with endpoints in the virtual network. \| + \| On \| Your logic app workflows can privately and securely communicate with endpoints in the virtual network. <br><br>To enable communication between your logic app and a private endpoint on a Premium integration account, select this option, which also makes the Virtual Network section available. For Virtual Network, select the Azure virtual network to use. This choice makes the Inbound access and Outbound access sections available. \| \| Off \| Your logic app workflows can't communicate with endpoints in the virtual network. \| + The following sections appear after you select a virtual network when Enable network injection is set to On. + + Inbound access + + - Enable private endpoints: Applies to private endpoints on your Standard logic app and is available only when Enable public access is set to Off. + + Outbound access + + - Enable VNet integration: To enable communication between a Standard logic app and a private endpoint on a Premium integration account, select On and the subnet to use. + 1. If your creation and deployment settings support using [Application Insights](/azure/azure-monitor/app/app-insights-overview), you can optionally enable diagnostics logging and tracing for your logic app workflows by following these steps: 1. On the Monitoring tab, under Application Insights, set Enable Application Insights to Yes. If your logic app's creation and deployment settings support using [Application ## View connections -When you create connections in a workflow using [connectors managed by Microsoft](../connectors/managed.md), these connections are actually separate Azure resources with their own resource definitions and are hosted in global, multitenant Azure. Standard logic app workflows can also use [built-in service provider connectors](/azure/logic-apps/connectors/built-in/reference/) that natively run and are powered by the single-tenant Azure Logic Apps runtime. To view and manage these connections, see [View connections](manage-logic-apps-with-azure-portal.md?tabs=standard#view-connections). +When you create connections in a workflow using [connectors managed by Microsoft](../connectors/managed.md), these connections are separate Azure resources with their own resource definitions and are hosted in global, multitenant Azure. Standard logic app workflows can also use [built-in service provider connectors](/azure/logic-apps/connectors/built-in/reference/) that natively run and are powered by the single-tenant Azure Logic Apps runtime. To view and manage these connections, see [View connections](manage-logic-apps-with-azure-portal.md?tabs=standard#view-connections). <a name="restart-stop-start"></a>
logic-apps	Create Integration Account	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/enterprise-integration/create-integration-account.md	Title: Create and manage integration accounts description: Create and manage integration accounts for building B2B enterprise integration workflows in Azure Logic Apps with the Enterprise Integration Pack.- ms.suite: integration Previously updated : 01/10/2024 Last updated : 08/09/2024 # Create and manage integration accounts for B2B workflows in Azure Logic Apps with the Enterprise Integration Pack You also need an integration account to electronically exchange B2B messages wit * [RosettaNet](../logic-apps-enterprise-integration-rosettanet.md) * [X12](../logic-apps-enterprise-integration-x12.md) -This guide shows how to complete the following tasks: - -* Create an integration account. -* Set up storage access for a Premium integration account. -* Link your integration account to a logic app resource. -* Change the pricing tier for your integration account. -* Unlink your integration account from a logic app resource. -* Move an integration account to another Azure resource group or subscription. -* Delete an integration account. - If you're new to creating B2B enterprise integration workflows in Azure Logic Apps, see [B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack](../logic-apps-enterprise-integration-overview.md). ## Prerequisites * An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Make sure that you use the same Azure subscription for both your integration account and logic app resource. -* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist before you can link your integration account. +* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist if you need to link your integration account. - * For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts. + * For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts. To create an example Consumption logic app workflow, see [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps](../quickstart-create-example-consumption-workflow.md). - * For Standard logic app resources, this link is optional, based on your scenario: + * For Standard logic app resources, this link might be required or optional, based on your scenario: - * If you have an integration account with the artifacts that you need or want to use, you can link the integration account to each Standard logic app resource where you want to use the artifacts. + * If you have an integration account with the artifacts that you need or want to use, link the integration account to each Standard logic app resource where you want to use the artifacts. - * Some Azure-hosted integration account connectors, such as AS2, EDIFACT, and X12, let you create a connection to your integration account. If you're just using these connectors, you don't need the link. + * Some Azure-hosted integration account connectors don't require the link and let you create a connection to your integration account. For example, such as AS2, EDIFACT, and X12 don't require the link, but the AS2 (v2) connector requires the link. * The built-in connectors named Liquid and Flat File let you select maps and schemas that you previously uploaded to your logic app resource or to a linked integration account. If you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option, which also means you don't have to upload maps and schemas to each logic app resource. Either way, you can use these artifacts across all child workflows within the same logic app resource. -* Basic knowledge about how to create logic app workflows. For more information, see the following documentation: + To create an example Standard logic app workflow, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md). + +* A [Premium integration account](#create-integration-account) supports using a [private endpoint](../../private-link/private-endpoint-overview.md) within an Azure virtual network to securely communicate with other Azure resources in the same network. Your integration account, virtual network, and Azure resources must also exist in the same Azure region. For more information, see [Create a virtual network](../../virtual-network/quick-create-portal.md) and the steps in this guide to set up your Premium integration account. - * [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps](../quickstart-create-example-consumption-workflow.md) + For example, a Standard logic app can access the private endpoint if they exist in the same virtual network. However, a Consumption logic app doesn't support virtual network integration and can't access the private endpoint. - * [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md) + - To create a Standard logic app with virtual network integration, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md). + + - To set up an existing Standard logic app with virtual network integration, see [Set up virtual network integration](../secure-single-tenant-workflow-virtual-network-private-endpoint.md#set-up-virtual-network-integration). + +<a name="create-integration-account"></a> ## Create integration account Your integration account uses an automatically created and enabled system-assign \| Tier \| Description \| \|\|-\| -\| Premium (preview) \| Note: This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). <br><br>For scenarios with the following criteria: <br><br>- Store and use unlimited artifacts, such as partners, agreements, schemas, maps, certificates, and so on. <br><br>- Bring and use your own storage, which contains the relevant runtime states for specific B2B actions and EDI standards. For example, these states include the MIC number for AS2 actions and the control numbers for X12 actions, if configured on your agreements. <br><br>To access this storage, your integration account uses its system-assigned managed identity, which is automatically created and enabled for your integration account. <br><br>You can also apply more governance and policies to data, such as customer-managed ("Bring Your Own") keys for data encryption. To store these keys, you'll need a key vault. <br><br>- Set up and use a key vault to store private certificates or customer-managed keys. To access these keys, your Premium integration account uses its system-assigned managed identity, not an Azure Logic Apps shared service principal. <br><br>Pricing follows [Standard integration account pricing](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>Note: During preview, your Azure bill uses the same meter name and ID as a Standard integration account, but changes when the Premium level becomes generally available. <br><br>Limitations and known issues: <br><br>- Currently doesn't support virtual networks. <br><br>- If you use a key vault to store private certificates, your integration account's managed identity might not work. For now, use the linked logic app's managed identity instead. <br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps](/cli/azure/service-page/logic%20apps). \| +\| Premium (preview) \| Note: This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). <br><br>For scenarios with the following criteria: <br><br>- Store and use unlimited artifacts, such as partners, agreements, schemas, maps, certificates, and so on. <br><br>- Bring and use your own storage, which contains the relevant runtime states for specific B2B actions and EDI standards. For example, these states include the MIC number for AS2 actions and the control numbers for X12 actions, if configured on your agreements. <br><br>To access this storage, your integration account uses its system-assigned managed identity, which is automatically created and enabled for your integration account. <br><br>You can also apply more governance and policies to data, such as customer-managed ("Bring Your Own") keys for data encryption. To store these keys, you'll need a key vault. <br><br>- Set up and use a key vault to store private certificates or customer-managed keys. To access these keys, your Premium integration account uses its system-assigned managed identity, not an Azure Logic Apps shared service principal. <br><br>- Set up a private endpoint that creates a secure connection between your Premium integration account and Azure services in an Azure virtual network. <br><br>Pricing follows [Standard integration account pricing](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>Note: During preview, your Azure bill uses the same meter name and ID as a Standard integration account, but changes when the Premium level becomes generally available. <br><br>Limitations and known issues: <br><br>- If you use a key vault to store private certificates, your integration account's managed identity might not work. For now, use the linked logic app's managed identity instead. <br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps](/cli/azure/service-page/logic%20apps). \| \| Standard \| For scenarios where you have more complex B2B relationships and increased numbers of entities that you must manage. <br><br>Supported by the Azure Logic Apps SLA. \| \| Basic \| For scenarios where you want only message handling or to act as a small business partner that has a trading partner relationship with a larger business entity. <br><br>Supported by the Azure Logic Apps SLA. \| \| Free \| For exploratory scenarios, not production scenarios. This tier has limits on region availability, throughput, and usage. For example, the Free tier is available only for public regions in Azure, for example, West US or Southeast Asia, but not for [Microsoft Azure operated by 21Vianet](/azure/chin). <br><br>Note: Not supported by the Azure Logic Apps SLA. \| For this task, you can use the Azure portal, [Azure CLI](/cli/azure/resource#az- After deployment completes, Azure opens your integration account. -1. If you created a Premium integration account, make sure to [set up access to the associated Azure storage account](#set-up-access-storage-account). +1. If you created a Premium integration account, make sure to [set up access to the associated Azure storage account](#set-up-access-storage-account). You can also create a private connection between your Premium integration account and Azure services by [setting up a private endpoint for your integration account](#set-up-private-endpoint). ### [Azure CLI](#tab/azure-cli) To read artifacts and write any state information, your Premium integration acco For more information, see [Assign Azure role to system-assigned managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.yml) -1. Next, link your integration account to your logic app resource. +<a name="set-up-private-endpoint"></a> + +## Set up private endpoint for Premium integration account (Preview) + +> [!NOTE] +> +> This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). + +To create a secure connection between your Premium integration account and Azure services, you can set up a [private endpoint](../../private-link/private-endpoint-overview.md) for your integration account. This endpoint is a network interface that uses a private IP address from your Azure virtual network. This way, traffic between your virtual network and Azure services stays on the Azure backbone network and never traverses the public internet. Private endpoints ensure a secure, private communication channel between your resources and Azure services by providing the following benefits: + +- Eliminates exposure to the public internet and reducing the risks from attacks. + +- Helps your organization meet data privacy and compliance requirements by keeping data within a controlled and secured environment. + +- Reduces latency and improve workflow performance by keeping traffic within the Azure backbone network. + +- Removes the need for complex network setups, such as virtual private networks or ExpressRoute. + +- Saves on costs by reducing extra network infrastructure and avoiding data egress charges through public endpoints. + +### Best practices for private endpoints + +- Carefully plan your virtual network and subnet architecture to accommodate private endpoints. Make sure to properly segment and secure your subnets. + +- Make sure that your domain name system settings are up-to-date and correctly configured to handle name resolution for private endpoints. + +- Control traffic flow to and from your private endpoints and enforce strict security policies by using network security groups. + +- Thoroughly test your integration account's connectivity and performance to make sure that everything works as expected with private endpoints before you deploy to production. + +- Regularly monitor network traffic to and from your private endpoints. Audit and analyze traffic patterns by using tools such as Azure Monitor and Azure Security Center. + +### Create a private endpoint + +Before you start, make sure that you have an [Azure virtual network](../../virtual-network/quick-create-portal.md) defined with the appropriate subnets and network security groups to manage and secure traffic. + +1. In the [Azure portal](https://portal.azure.com), in the search box, enter private endpoint,and then select Private endpoints. + +1. On the Private endpoints page, select Create. + +1. On the Basics tab, provide the following information: + + \| Property \| Value \| + \|-\|-\| + \| Subscription \| <Azure-subscription> \| + \| Resource group \| <Azure-resource-group> \| + \| Name \| <private-endpoint> \| + \| Network interface name \| <private-endpoint>-nic \| + \| Region \| <Azure-region> \| + +1. On the Resource tab, provide the following information: + + \| Property \| Value \| + \|-\|-\| + \| Connection method \| - Connect to an Azure resource in my directory: Creates a private endpoint that is automatically approved and ready for immediate use. The endpoint's Connection status property is set to Approved after creation. <br><br>- Connect to an Azure resource by resource ID or alias: Create a private endpoint that is manually approved and requires data administrator approval before anyone can use. The endpoint's Connection status property is set to Pending after creation. <br><br>Note: If the endpoint is manually approved, the DNS tab is unavailable. \| + \| Subscription \| <Azure-subscription> \| + \| Resource type \| Microsoft.Logic/integrationAccounts \| + \| Resource \| <Premium-integration-account> \| + \| Target sub-resource \| integrationAccount \| + +1. On the Virtual Network tab, specify the virual network and subnet where to you want to create the endpoint: + + \| Property \| Value \| + \|-\|-\| + \| Virtual network \| <virtual-network> \| + \| Subnet \| <subnet-for-endpoint> \| + + Your virtual network uses a network interface attached to the private endpoint. + +1. On the DNS tab, provide the following information to make sure your aps can resolve the private IP address for your integration account. You might have to set up a private DNS zone and link to your virtual network. + + \| Property \| Value \| + \|-\|-\| + \| Subscription \| <Azure-subscription> \| + \| Resource group \| <Azure-resource-group-for-private-DNS-zone> \| + +1. When you're done, confirm all the provided information, and select Create. + +1. After you confirm that Azure created the private endpoint, check your connectivity and test your setup to make sure that the resources in your virtual network can securely connect to the your integration account through the private endpoint. + +### View pending endpoint connections + +For a private endpoint that requires approval, follow these steps: + +1. In the Azure portal, go to the Private Link page. + +1. On the left menu, select Pending connections. + +### Approve a pending private endpoint + +For a private endpoint that requires approval, follow these steps: + +1. In the Azure portal, go to the Private Link page. + +1. On the left menu, select Pending connections. + +1. Select the pending connection. On the toolbar, select Approve. Wait for the operation to finish. + + The endpoint's Connection status property changes to Approved. + +<a name="call-integration-account-api"></a> + +### Enable Standard logic app calls through private endpoint on Premium integration account + +1. Choose one of the following options: + + - To create a Standard logic app with virtual network integration, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md). + + - To set up an existing Standard logic app with virtual network integration, see [Set up virtual network integration](../secure-single-tenant-workflow-virtual-network-private-endpoint.md#set-up-virtual-network-integration). ++ +1. To make calls through the private endpoint, include an HTTP action in your Standard logic app workflow where you want to call the integration account. + +1. In the Azure portal, go to your Premium integration account. On the integration account menu, under Settings, select Callback URL, and copy the URL. + +1. In your workflow's HTTP action, on the Parameters tab, in the URI property, enter the callback URL using the following format: + + `https://{domain-name}-{integration-account-ID}.cy.integrationaccounts.microsoftazurelogicapps.net:443/integrationAccounts/{integration-account-ID}?api-version=2015-08-01-preview&sp={sp}&sv={sv}&sig={sig}` + + The following example shows sample values: + + `https://prod-02-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.cy.integrationaccounts.microsoftazurelogicapps.net:443/integrationAccounts/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?api-version=2015-08-01-preview&sp={sp}&sv={sv}&sig={sig}` + +1. For the HTTP action's Method property, select GET. + +1. Finish setting up the HTTP action as necessary, and test your workflow. <a name="link-account"></a>
logic-apps	Logic Apps Limits And Config	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-limits-and-config.md	For Azure Logic Apps to receive incoming communication through your firewall, yo \| South Central US \| 13.65.98.39, 13.84.41.46, 13.84.43.45, 40.84.138.132, 20.94.151.41, 20.88.209.113, 172.206.187.62, 172.206.187.92, 172.206.187.101, 172.206.187.135, 52.255.127.211, 52.255.127.201, 52.255.127.24, 52.255.127.243 \| \| South India \| 52.172.9.47, 52.172.49.43, 52.172.51.140, 104.211.225.152, 104.211.221.215,104.211.205.148, 52.140.4.233, 52.172.100.99, 52.140.5.154, 52.140.1.153, 52.172.96.103, 52.140.2.150, 52.172.103.116, 52.172.99.31 \| \| Southeast Asia \| 52.163.93.214, 52.187.65.81, 52.187.65.155, 104.215.181.6, 20.195.49.246, 20.198.130.155, 23.98.121.180, 4.144.200.166, 4.144.203.255, 4.144.203.73, 4.144.201.132, 20.247.196.3, 52.230.58.240, 20.247.197.6, 20.247.198.8, 20.247.195.123, 20.247.197.207, 20.247.197.108, 20.247.198.132 \| +\| Spain Central \| 68.221.3.54, 68.221.3.29, 68.221.249.214, 68.221.249.187, 68.221.249.249, 68.221.249.208, 68.221.249.227, 68.221.250.1, 68.221.249.191 \| \| Sweden Central \| 20.91.178.13, 20.240.10.125, 74.241.204.72, 74.241.204.55, 74.241.204.197, 74.241.206.0, 4.225.198.176, 4.225.198.50, 4.225.197.219, 4.225.198.33 \| \| Switzerland North \| 51.103.128.52, 51.103.132.236, 51.103.134.138, 51.103.136.209, 20.203.230.170, 20.203.227.226, 4.226.35.171, 20.250.239.241, 20.250.238.113, 20.250.238.80, 20.250.233.38, 20.250.235.79, 20.250.235.177, 20.250.235.117 \| \| Switzerland West \| 51.107.225.180, 51.107.225.167, 51.107.225.163, 51.107.239.66, 51.107.235.139,51.107.227.18, 20.199.218.139, 20.199.219.180, 20.199.216.255, 20.199.217.34, 20.208.231.200, 20.199.217.39, 20.199.216.16, 20.199.216.98 \| This section lists the outbound IP addresses that Azure Logic Apps requires in y \| South Central US \| 104.210.144.48, 13.65.82.17, 13.66.52.232, 23.100.124.84, 70.37.54.122, 70.37.50.6, 23.100.127.172, 23.101.183.225, 20.94.150.220, 20.94.149.199, 20.88.209.97, 20.88.209.88, 172.206.187.57, 172.206.187.90, 172.206.187.98, 172.206.187.132, 52.255.124.118, 52.255.127.125, 52.255.126.229, 52.255.127.233 \| \| South India \| 52.172.50.24, 52.172.55.231, 52.172.52.0, 104.211.229.115, 104.211.230.129, 104.211.230.126, 104.211.231.39, 104.211.227.229, 104.211.211.221, 104.211.210.192, 104.211.213.78, 104.211.218.202, 52.172.101.114, 52.172.101.181, 52.140.5.116, 52.172.98.23, 52.140.2.252, 52.140.0.225, 52.140.7.114, 52.172.101.204 \| \| Southeast Asia \| 13.76.133.155, 52.163.228.93, 52.163.230.166, 13.76.4.194, 13.67.110.109, 13.67.91.135, 13.76.5.96, 13.67.107.128, 20.195.49.240, 20.195.49.29, 20.198.130.152, 20.198.128.124, 23.98.121.179, 23.98.121.115, 4.144.203.116, 4.144.203.254, 4.144.203.72, 4.144.204.223, 20.247.192.203, 20.247.192.18, 20.247.197.137, 20.247.197.3, 20.247.196.123, 20.247.197.249, 20.247.195.111, 20.247.195.8, 20.247.197.146, 20.247.197.100, 20.247.197.40, 20.247.198.128, 20.247.198.96 \| +\| Spain Central \| 68.221.3.7, 68.221.1.175, 68.221.2.156, 68.221.2.37, 68.221.249.177, 68.221.249.251, 68.221.249.213, 68.221.249.186, 68.221.249.215, 68.221.249.210, 68.221.249.185, 68.221.249.203, 68.221.249.175, 68.221.249.229, 68.221.249.205, 68.221.249.184, 68.221.249.202, 68.221.249.209, 68.221.249.252, 68.221.250.2 \| \| Sweden Central \| 20.91.178.11, 20.91.177.115, 20.240.10.91, 20.240.10.89, 74.241.204.65, 74.241.204.35, 74.241.204.193, 74.241.205.139, 4.225.198.80, 4.225.198.41, 74.241.203.136, 4.225.198.14 \| \| Switzerland North \| 51.103.137.79, 51.103.135.51, 51.103.139.122, 51.103.134.69, 51.103.138.96, 51.103.138.28, 51.103.136.37, 51.103.136.210, 20.203.230.58, 20.203.229.127, 20.203.224.37, 20.203.225.242, 4.226.35.166, 20.250.239.202, 20.250.239.33, 20.250.239.55, 20.250.233.27, 20.250.235.76, 20.250.235.169, 20.250.235.96 \| \| Switzerland West \| 51.107.239.66, 51.107.231.86, 51.107.239.112, 51.107.239.123, 51.107.225.190, 51.107.225.179, 51.107.225.186, 51.107.225.151, 51.107.239.83, 51.107.232.61, 51.107.234.254, 51.107.226.253, 20.199.193.249, 20.199.217.37, 20.199.219.154, 20.199.216.246, 20.199.219.21, 20.208.230.30, 20.199.216.63, 20.199.218.36, 20.199.216.44 \|
logic-apps	Secure Single Tenant Workflow Virtual Network Private Endpoint	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint.md	Title: Secure traffic between Standard workflows and virtual networks description: Secure traffic between Standard logic app workflows and virtual networks in Azure using private endpoints.-++ ms.suite: integration Previously updated : 01/10/2024 Last updated : 08/09/2024 # Customer intent: As a developer, I want to connect to my Standard logic app workflows with virtual networks using private endpoints and virtual network integration. For more information, review the following documentation: The HTTP action fails, which is by design and expected because the workflow runs in the cloud and can't access your internal service. +<a name="set-up-virtual-network-integration"></a> + ### Set up virtual network integration 1. In the [Azure portal](https://portal.azure.com), on the logic app resource menu, under Settings, select Networking.
managed-grafana	Concept Role Based Access Control	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/concept-role-based-access-control.md	Assign a role, such as Grafana viewer, to a user, group, service principal o ## Related content -* [Configure Grafana teams](how-to-sync-teams-with-azure-ad-groups.md) +* [Configure Grafana teams](how-to-sync-teams-with-entra-groups.md) * [Set up authentication and permissions](how-to-authentication-permissions.md)
managed-grafana	Concept Whats New	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/concept-whats-new.md	Last updated 02/22/2024 ## September 2023 -* [Microsoft Entra groups](how-to-sync-teams-with-azure-ad-groups.md) is available in preview in Azure Managed Grafana. +* [Microsoft Entra groups](how-to-sync-teams-with-entra-groups.md) is available in preview in Azure Managed Grafana. * [Plugin management](how-to-manage-plugins.md) is available in preview. This feature lets you manage installed Grafana plugins directly within an Azure Managed Grafana workspace.
managed-grafana	How To Sync Teams With Entra Groups	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-sync-teams-with-entra-groups.md	+ + Title: Configure Grafana Team Sync with Microsoft Entra groups +description: Learn how to configure Grafana Teams and allow access to Grafana folders and dashboards using Microsoft Entra groups in Azure Managed Grafana. +#customer intent: As a Grafana administrator, I want to use Microsoft Entra groups to set up Grafana teams and control access to specific folders and dashboards. ++++ Last updated : 06/7/2024 + + +# Configure Grafana teams with Microsoft Entra groups and Grafana Team Sync + +In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) to manage dashboard permissions in Azure Managed Grafana. + +In Azure Managed Grafana, you can use Azure's role-based access control (RBAC) roles for Grafana to define access rights. These permissions apply to all resources in your Grafana workspace by default, not per folder or dashboard. If you assign a user to the Grafana Editor role, that user can edit any dashboard in your Grafana workspace. However, with Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can adjust a user's default permission level for specific dashboards or dashboard folders. ++ +Microsoft Entra group sync helps you manage this. With it, you can create a Grafana team in a Grafana workspace, link it to a Microsoft Entra group, and then configure your dashboard permissions for that team. For example, you can allow a Grafana viewer to modify a dashboard, or prevent a Grafana editor from making changes. + +<a name='set-up-azure-ad-group-sync'></a> + +## Prerequisites + +Before you start, make sure you have: + +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free). +- An Azure Managed Grafana instance. If needed, [create a new instance](quickstart-managed-grafana-portal.md). +- A Microsoft Entra group. If needed, [create a basic group and add members](/entra/fundamentals/how-to-manage-groups#create-a-basic-group-and-add-members). +- The Grafana Admin role is required to use Grafana Team Sync. + +## Assign a permission to a Microsoft Entra group + +The Microsoft Entra group must have a Grafana role to access the Grafana instance. + +1. In your Grafana workspace, open the Access control (IAM) menu select Add > Add new role assignment. + + :::image type="content" source="media/azure-ad-group-sync/add-role-assignment.png" alt-text="Screenshot of the Azure portal. Adding a new role assignment."::: + +1. Assign a role, such as Grafana viewer, to the Microsoft Entra group. For more information about assigning a role, go to [Grant access](../role-based-access-control/quickstart-assign-role-user-portal.md#grant-access). + +### Create a Grafana team + +Set up a Microsoft Entra ID-backed Grafana team. + +1. In the Azure portal, open your Grafana instance and select Configuration under Settings. +1. Select the Microsoft Entra Team Sync Settings tab. +1. Select Create new Grafana team. + + :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Microsoft Entra Team Sync."::: + +1. Enter a name for the Grafana team and select Add. + + :::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team."::: + +### Assign a Microsoft Entra group to a Grafana team + +1. In Assign access to, select the newly created Grafana team. +1. Select + Add a Microsoft Entra group. + +1. In the search box, enter a Microsoft Entra group name and select the group name in the results. Click Select to confirm. + + :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting a Microsoft Entra group."::: + +1. Optionally repeat the previous three steps to add more Microsoft Entra groups to the Grafana team. + +### Assign access to a Grafana folder or dashboard + +1. In the Grafana UI, open a folder or a dashboard. +1. In the Permissions tab, select Add a permission. + + :::image type="content" source="media/azure-ad-group-sync/add-permission.png" alt-text="Screenshot of the Azure portal, selecting Add a permission." lightbox="media/azure-ad-group-sync/add-permission.png"::: + +1. Under Add permission for, select Team, then select the team name, the View, Edit or Admin permission, and save. You can add permissions for a user, a team or a role. + + :::image type="content" source="media/azure-ad-group-sync/add-permission-for-team.png" alt-text="Screenshot of the Grafana UI, adding a permission for a team in a Grafana folder."::: + + > [!TIP] + > To check existing access permissions for a dashboard, open a dashboard and go to the Permissions tab. This page shows all permissions assigned for this dashboard and all inherited permissions. + > :::image type="content" source="media/azure-ad-group-sync/view-permissions.png" alt-text="Screenshot of the Grafana UI, showing permission for a Grafana dashboard."::: + +### Scope down access + +You can limit access by removing permissions to access one or more folders. + +For example, to disable access to a user who has the Grafana Viewer role on a Grafana instance, remove their access to a Grafana folder by following these steps: + +1. In the Grafana UI, go to a folder you want to hide from the user. +1. In the Permissions tab, select the X button to the right of the Viewer permission to remove this permission from this folder. +1. Repeat this step for all folders you want to hide from the user. + + :::image type="content" source="media/azure-ad-group-sync/remove-permission.png" alt-text="Screenshot of the Grafana UI, removing the Viewer permission in a Grafana folder."::: + +<a name='remove-azure-ad-group-sync'></a> + +## Remove a Grafana team + +If you no longer need a Grafana team, follow these steps to delete it. Deleting a Grafana team also removes the link to the Microsoft Entra group. + +1. In the Azure portal, open your Azure Managed Grafana workspace. +1. Select Administration > Teams. +1. Select the X button to the right of a team you're deleting. + + :::image type="content" source="media/azure-ad-group-sync/remove-azure-ad-group-sync.png" alt-text="Screenshot of the Grafana platform. Removing a Grafana team."::: + +1. Select Delete to confirm. + +## Next steps + +In this how-to guide, you learned how to set up Grafana teams backed by Microsoft Entra groups. To learn how to use teams to control access to dashboards in your workspace, see [Manage dashboard permissions](https://grafana.com/docs/grafana/latest/administration/user-management/manage-dashboard-permissions/).
migrate	Tutorial Discover Hyper V	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-hyper-v.md	Hash value is: Hash \| Value \| -SHA256 \| [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] +SHA256 \| [!INCLUDE [hyper-v-vhd.md](includes/hyper-v-vhd.md)] + ### Create an account to access servers Check that the zipped file is secure, before you deploy it. Scenario* \| Download \| SHA256 \| \| - Hyper-V (85.8 MB) \| [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) \| [!INCLUDE [security-hash-value](includes/security-hash-value.md)] + Hyper-V (85.8 MB) \| [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) \| [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] ### 3. Create an appliance
operator-nexus	Howto Cluster Runtime Upgrade With Pauserack Strategy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-cluster-runtime-upgrade-with-pauserack-strategy.md	+ + Title: "Azure Operator Nexus: Runtime upgrade with PauseRack strategy" +description: Learn to execute a cluster runtime upgrade for Operator Nexus with a PauseRack strategy ++++ Last updated : 08/16/2024 +# + +# Upgrading cluster runtime with a PauseRack strategy + +This how-to guide explains the steps to execute a cluster runtime upgrade with PauseRack strategy. Executing cluster runtime upgrade with PauseRack strategy will update a single rack in a cluster and then pause to wait for confirmation before moving to the next rack. All existing thresholds will still be honored. + +## Prerequisites + +> [!NOTE] +> Upgrades with the PauseRack strategy is available starting API version 2024-06-01-preview. + +1. The [Install Azure CLI][installation-instruction] must be installed. +2. The `networkcloud` CLI extension is required. If the `networkcloud` extension isn't installed, it can be installed following the steps listed [here](https://github.com/MicrosoftDocs/azure-docs-pr/blob/main/articles/operator-nexus/howto-install-cli-extensions.md). +3. Access to the Azure portal for the target cluster to be upgraded. +4. You must be logged in to the same subscription as your target cluster via `az login` +5. Target cluster must be in a running state, with all control plane nodes healthy and 80+% of compute nodes in a running and healthy state. + +## Procedure + +1. Enable PauseRack upgrade strategy on a Nexus cluster + + ```azurecli + az networkcloud cluster update + --name $CLUSTER_NAME \ + --resource-group $RESOURCE_GROUP \ + --update-strategy strategy-type="PauseRack" wait-time-minutes=0 + ``` + +2. Confirm that the cluster resource JSON in the JSON View reflects the PauseRack upgrade strategy. + + ```azurecli + az networkcloud cluster show --cluster-name "clusterName" --resource-group "resourceGroupName" + ``` + + ``` + "updateStrategy": { + "maxUnavailable": 2, + "strategyType": "PauseAfterRack", + "thresholdType": "PercentSuccess", + "thresholdValue": 70, + "waitTimeMinutes": 15, + } + ``` + +3. Trigger runtime bundle upgrade as usual from Azure portal / CLI. For reference [Upgrading cluster runtime from Azure CLI](./howto-cluster-runtime-upgrade.md) + +4. Once Rack 1 completes, the runtime upgrade will be paused, awaiting user action to resume the upgrade for Rack 2. ++ +> [!NOTE] +> This message will be available in logs for programtic access, for more details follow [List of logs available for streaming in Azure Operator Nexus](list-logs-available.md) + +5. To resume the runtime upgrade, execute the following `az networkcloud` cli command. + +```shell +az networkcloud cluster continue-update-version \ + --subscription=$SUBSCRIPTION \ + --resource-group=$RESOURCE_GROUP \ + --cluster-name=$CLUSTER_NAME +``` + +6. Repeat step 5 for each rack until all racks have been upgraded to the latest runtime bundle. + +## Related content + +- [Upgrading cluster runtime from Azure CLI](./howto-cluster-runtime-upgrade.md)
operator-nexus	Howto Cluster Runtime Upgrade	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-cluster-runtime-upgrade.md	The output should be the target cluster's information and the cluster's detailed For more detailed insights on the upgrade progress, the individual BMM in each Rack can be checked for status. Example of this is provided in the reference section under [BareMetal Machine roles](./reference-near-edge-baremetal-machine-roles.md). ## Configure compute threshold parameters for runtime upgrade using cluster updateStrategy+ The following Azure CLI command is used to configure the compute threshold parameters for a runtime upgrade: ```azurecli -az networkcloud cluster update --name "<clusterName>" --resource-group "<resourceGroup>" --update-strategy strategy-type="Rack" threshold-type="PercentSuccess" threshold-value="<thresholdValue>" max-unavailable=<maxNodesOffline> wait-time-minutes=<waitTimeBetweenRacks> +az networkcloud cluster update / +--name "<clusterName>" / +--resource-group "<resourceGroup>" / +--update-strategy strategy-type="Rack" threshold-type="PercentSuccess" / +threshold-value="<thresholdValue>" max-unavailable=<maxNodesOffline> / +wait-time-minutes=<waitTimeBetweenRacks> ``` -Required arguments: -- strategy-type: Defines the update strategy. In this case, "Rack" means updates occur rack-by-rack. The default value is "Rack" +Required parameters: +- strategy-type: Defines the update strategy. In this case, "Rack" means updates occur rack-by-rack. The default value is "Rack". - threshold-type: Determines how the threshold should be evaluated, applied in the units defined by the strategy. The default value is "PercentSuccess". - threshold-value: The numeric threshold value used to evaluate an update. The default value is 80. -Optional arguments: +Optional parameters: - max-unavailable: The maximum number of worker nodes that can be offline, that is, upgraded rack at a time. The default value is 32767. - wait-time-minutes: The delay or waiting period before updating a rack. The default value is 15. An example usage of the command is as below:+ ```azurecli az networkcloud cluster update --name "cluster01" --resource-group "cluster01-rg" --update-strategy strategy-type="Rack" threshold-type="PercentSuccess" threshold-value=70 max-unavailable=16 wait-time-minutes=15 ```+ Upon successful execution of the command, the updateStrategy values specified will be applied to the cluster: -``` - "updateStrategy": { + +``` + "updateStrategy": { "maxUnavailable": 16, "strategyType": "Rack", "thresholdType": "PercentSuccess", "thresholdValue": 70, "waitTimeMinutes": 15, - }, + } ``` +> [!NOTE] +> When a threshold value below 100% is set, itΓÇÖs possible that any unhealthy nodes might not be upgraded, yet the ΓÇ£ClusterΓÇ¥ status could still indicate that upgrade was successful. For troubleshooting issues with bare metal machines, please refer to [Troubleshoot Azure Operator Nexus server problems](troubleshoot-reboot-reimage-replace.md) + +## Upgrade with PauseRack strategy + +Starting with API version 2024-06-01-preview, runtime upgrades can be triggered using a "PauseRack" strategy. When you execute a Cluster runtime upgrade with the PauseRack" strategy, it will update one rack at a time in the Cluster and then stop, awaiting confirmation before proceeding to the next rack. All existing thresholds will continue to be respected with the "PauseRack" strategy. To carry out a Cluster runtime upgrade using the "PauseRack" strategy follow the steps outlined in [Upgrading cluster runtime with a pause rack strategy](howto-cluster-runtime-upgrade-with-pauserack-strategy.md) + ## Frequently Asked Questions ### Identifying Cluster Upgrade Stalled/Stuck During a runtime upgrade, the cluster enters a state of `Upgrading`. In the even ### Impact on Nexus Kubernetes tenant workloads during cluster runtime upgrade -During a runtime upgrade, impacted Nexus Kubernetes cluster nodes are cordoned and drained before the Bare Metal Hosts (BMH) are upgraded. Cordoning the cluster node prevents new pods from being scheduled on it and draining the cluster node allows pods that are running tenant workloads a chance to shift to another available cluster node, which helps to reduce the impact on services. The draining mechanism's effectiveness is contingent on the available capacity within the Nexus Kubernetes cluster. If the cluster is nearing full capacity and lacks space for the pods to relocate, they transition into a Pending state following the draining process. +During a runtime upgrade, impacted Nexus Kubernetes Cluster nodes are cordoned and drained before the Bare Metal Hosts (BMH) are upgraded. Cordoning the Kubernetes Cluster node prevents new pods from being scheduled on it and draining the Kubernetes Cluster node allows pods that are running tenant workloads a chance to shift to another available Kubernetes Cluster node, which helps to reduce the impact on services. The draining mechanism's effectiveness is contingent on the available capacity within the Nexus Kubernetes Cluster. If the Kubernetes Cluster is nearing full capacity and lacks space for the pods to relocate, they transition into a Pending state following the draining process. Once the cordon and drain process of the tenant cluster node is completed, the upgrade of the BMH proceeds. Each tenant cluster node is allowed up to 10 minutes for the draining process to complete, after which the BMH upgrade will begin. This guarantees the BMH upgrade will make progress. BMHs are upgraded one rack at a time, and upgrades are performed in parallel within the same rack. The BMH upgrade does not wait for tenant resources to come online before continuing with the runtime upgrade of BMHs in the rack being upgraded. The benefit of this is that the maximum overall wait time for a rack upgrade is kept at 10 minutes regardless of how many nodes are available. This maximum wait time is specific to the cordon and drain procedure and is not applied to the overall upgrade procedure. Upon completion of each BMH upgrade, the Nexus Kubernetes cluster node starts, rejoins the cluster, and is uncordoned, allowing pods to be scheduled on the node once again. It's important to note that the Nexus Kubernetes cluster node won't be shut down after the cordon and drain process. The BMH is rebooted with the new image as soon as all the Nexus Kubernetes cluster nodes are cordoned and drained, after 10 minutes if the drain process isn't completed. Additionally, the cordon and drain is not initiated for power-off or restart actions of the BMH; it's exclusively activated only during a runtime upgrade. -It is important to note that following the runtime upgrade, there could be instance where a Nexus Kubernetes Cluster node remains cordoned. For such scenario, you can manually uncordon the node by executing the following commands via(./includes/kubernetes-cluster/cluster-connect.md) +It is important to note that following the runtime upgrade, there could be instance where a Nexus Kubernetes Cluster node remains cordoned. For such scenario, you can manually uncordon the node by executing the following command -``` -kubectl get nodes \| grep SchedulingDisabled > -if [ $? -eq 0 ]; then -for node in $(kubectl get nodes \| grep SchedulingDisabled \| awk '{print $1}'); do - kubectl uncordon $node -done -fi -``` +```azurecli +az networkcloud baremetalmachine list -g $mrg --subscription $sub --query "sort_by([].{name:name,kubernetesNodeName:kubernetesNodeName,location:location,readyState:readyState,provisioningState:provisioningState,detailedStatus:detailedStatus,detailedStatusMessage:detailedStatusMessage,powerState:powerState,tags:tags.Status,machineRoles:join(', ', machineRoles),cordonStatus:cordonStatus,createdAt:systemData.createdAt}, &name)" +--output table +``` <!-- LINKS - External --> [installation-instruction]: https://aka.ms/azcli
private-link	Private Endpoint Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/private-endpoint-overview.md	A private-link resource is the destination target of a specified private endpoin \| Private-link resource name \| Resource type \| Sub-resources \| \| \| - \| - \| \| Application Gateway \| Microsoft.Network/applicationgateways \|Frontend IP Configuration name\| +\| Azure AI Search \| Microsoft.Search/searchServices \| searchService \| \| Azure AI services \| Microsoft.CognitiveServices/accounts \| account \| \| Azure API for FHIR (Fast Healthcare Interoperability Resources) \| Microsoft.HealthcareApis/services \| fhir \| \| Azure API Management \| Microsoft.ApiManagement/service \| Gateway \| A private-link resource is the destination target of a specified private endpoin \| Azure Batch \| Microsoft.Batch/batchAccounts \| batchAccount, nodeManagement \| \| Azure Cache for Redis \| Microsoft.Cache/Redis \| redisCache \| \| Azure Cache for Redis Enterprise \| Microsoft.Cache/redisEnterprise \| redisEnterprise \| -\| Azure AI Search \| Microsoft.Search/searchServices \| searchService \| \| Azure Container Registry \| Microsoft.ContainerRegistry/registries \| registry \| \| Azure Cosmos DB \| Microsoft.AzureCosmosDB/databaseAccounts \| SQL, MongoDB, Cassandra, Gremlin, Table \| -\| Azure Cosmos DB for PostgreSQL \| Microsoft.DBforPostgreSQL/serverGroupsv2 \| coordinator \| \| Azure Cosmos DB for MongoDB vCore \| Microsoft.DocumentDb/mongoClusters \| mongoCluster \| +\| Azure Cosmos DB for PostgreSQL \| Microsoft.DBforPostgreSQL/serverGroupsv2 \| coordinator \| \| Azure Data Explorer \| Microsoft.Kusto/clusters \| cluster \| \| Azure Data Factory \| Microsoft.DataFactory/factories \| dataFactory \| \| Azure Database for MariaDB \| Microsoft.DBforMariaDB/servers \| mariadbServer \| +\| Azure Database for MySQL - Flexible Server \| Microsoft.DBforMySQL/flexibleServers \| mysqlServer \| \| Azure Database for MySQL - Single Server \| Microsoft.DBforMySQL/servers \| mysqlServer \| -\| Azure Database for MySQL- Flexible Server \| Microsoft.DBforMySQL/flexibleServers \| mysqlServer \| -\| Azure Database for PostgreSQL - Single server \| Microsoft.DBforPostgreSQL/servers \| postgresqlServer \| \| Azure Database for PostgreSQL - Flexible server \| Microsoft.DBforPostgreSQL/flexibleServers \| postgresqlServer \| +\| Azure Database for PostgreSQL - Single server \| Microsoft.DBforPostgreSQL/servers \| postgresqlServer \| \| Azure Databricks \| Microsoft.Databricks/workspaces \| databricks_ui_api, browser_authentication \| \| Azure Device Provisioning Service \| Microsoft.Devices/provisioningServices \| iotDps \| \| Azure Digital Twins \| Microsoft.DigitalTwins/digitalTwinsInstances \| API \| A private-link resource is the destination target of a specified private endpoin \| Azure Virtual Desktop - host pools \| Microsoft.DesktopVirtualization/hostpools \| connection \| \| Azure Virtual Desktop - workspaces \| Microsoft.DesktopVirtualization/workspaces \| feed<br />global \| \| Device Update for IoT Hub \| Microsoft.DeviceUpdate/accounts \| DeviceUpdate \| +\| Integration Account (Premium) \| Microsoft.Logic/integrationAccounts \| integrationAccount \| \| Microsoft Purview \| Microsoft.Purview/accounts \| account \| \| Microsoft Purview \| Microsoft.Purview/accounts \| portal \| \| Power BI \| Microsoft.PowerBI/privateLinkServicesForPowerBI \| Power BI \|
reliability	Migrate Monitor Log Analytics	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/migrate-monitor-log-analytics.md	Title: Migrate Log Analytics workspaces to availability zone support -description: Learn how to migrate Log Analytics workspaces to availability zone support. + Title: Migrate Log Analytics Dedicated Cluster workspaces to availability zone support +description: Learn how to migrate Log Analytics Dedicated Cluster workspaces to availability zone support. Previously updated : 05/19/2024 Last updated : 09/19/2024 -# Migrate Log Analytics workspaces to availability zone support +# Migrate Log Analytics Dedicated Cluster workspaces to availability zone support -This guide describes how to migrate Log Analytics workspaces from non-availability zone support to availability support. +This guide describes how to migrate dedicated cluster Log Analytics Dedicated Cluster workspaces from non-availability zone support to availability support. > [!NOTE] > Application Insights resources can also use availability zones, but only if they are workspace-based and the workspace uses a dedicated cluster. Classic (non-workspace-based) Application Insights resources cannot use availability zones. This guide describes how to migrate Log Analytics workspaces from non-availabili ## Prerequisites -Make sure that the region to which you wish to move is a region that supports availability zones. To see which regions support availability zones, see [supported regions](/azure/azure-monitor/logs/availability-zones#supported-regions). +- This article applies to workspaces that use dedicated clusters. If your workspace isnΓÇÖt using a dedicated cluster, itΓÇÖs using a shared cluster, which is managed by the Log Analytics service. In regions that have availability zones, shared clusters use availability zones or are being migrated to use them. For more details, see [Log Analytics - Supported regions](/azure/azure-monitor/logs/availability-zones#supported-regions). + +- Make sure that the region to which you wish to move is a region that supports availability zones. To see which regions support availability zones, see [supported regions](/azure/azure-monitor/logs/availability-zones#supported-regions). ## Downtime requirements
resource-mover	Common Questions	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/common-questions.md	description: Get answers to common questions about Azure Resource Mover. - Previously updated : 03/29/2024+ Last updated : 09/23/2024
resource-mover	Support Matrix Move Region Sql	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/support-matrix-move-region-sql.md	Title: Support for moving Azure SQL resources between regions with Azure Resourc description: Review support for moving Azure SQL resources between regions with Azure Resource Mover. - Previously updated : 03/29/2024+ Last updated : 09/18/2024
role-based-access-control	Built In Roles	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles.md	The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > \| Built-in role \| Description \| ID \| > \| \| \| \| +> \| <a name='azure-arc-vmware-vm-contributor'></a>[Azure Arc VMware VM Contributor](./built-in-roles/compute.md#azure-arc-vmware-vm-contributor) \| Arc VMware VM Contributor has permissions to perform all VM actions. \| b748a06d-6150-4f8a-aaa9-ce3940cd96cb \| > \| <a name='classic-virtual-machine-contributor'></a>[Classic Virtual Machine Contributor](./built-in-roles/compute.md#classic-virtual-machine-contributor) \| Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. \| d73bb868-a0df-4d4d-bd69-98a00b01fccb \| > \| <a name='compute-gallery-artifacts-publisher'></a>[Compute Gallery Artifacts Publisher](./built-in-roles/compute.md#compute-gallery-artifacts-publisher) \| This is the role for publishing gallery artifacts. \| 85a2d0d9-2eba-4c9c-b355-11c2cc0788ab \| > \| <a name='compute-gallery-sharing-admin'></a>[Compute Gallery Sharing Admin](./built-in-roles/compute.md#compute-gallery-sharing-admin) \| This role allows user to share gallery to another subscription/tenant or share it to the public. \| 1ef6a3be-d0ac-425d-8c01-acb62866290b \| The following table provides a brief description of each built-in role. Click th > \| <a name='desktop-virtualization-contributor'></a>[Desktop Virtualization Contributor](./built-in-roles/compute.md#desktop-virtualization-contributor) \| Contributor of Desktop Virtualization. \| 082f0a83-3be5-4ba1-904c-961cca79b387 \| > \| <a name='desktop-virtualization-host-pool-contributor'></a>[Desktop Virtualization Host Pool Contributor](./built-in-roles/compute.md#desktop-virtualization-host-pool-contributor) \| Contributor of the Desktop Virtualization Host Pool. \| e307426c-f9b6-4e81-87de-d99efb3c32bc \| > \| <a name='desktop-virtualization-host-pool-reader'></a>[Desktop Virtualization Host Pool Reader](./built-in-roles/compute.md#desktop-virtualization-host-pool-reader) \| Reader of the Desktop Virtualization Host Pool. \| ceadfde2-b300-400a-ab7b-6143895aa822 \| +> \| <a name='desktop-virtualization-power-on-contributor'></a>[Desktop Virtualization Power On Contributor](./built-in-roles/compute.md#desktop-virtualization-power-on-contributor) \| Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. \| 489581de-a3bd-480d-9518-53dea7416b33 \| +> \| <a name='desktop-virtualization-power-on-off-contributor'></a>[Desktop Virtualization Power On Off Contributor](./built-in-roles/compute.md#desktop-virtualization-power-on-off-contributor) \| Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. \| 40c5ff49-9181-41f8-ae61-143b0e78555e \| > \| <a name='desktop-virtualization-reader'></a>[Desktop Virtualization Reader](./built-in-roles/compute.md#desktop-virtualization-reader) \| Reader of Desktop Virtualization. \| 49a72310-ab8d-41df-bbb0-79b649203868 \| > \| <a name='desktop-virtualization-session-host-operator'></a>[Desktop Virtualization Session Host Operator](./built-in-roles/compute.md#desktop-virtualization-session-host-operator) \| Operator of the Desktop Virtualization Session Host. \| 2ad6aaab-ead9-4eaa-8ac5-da422f562408 \| > \| <a name='desktop-virtualization-user'></a>[Desktop Virtualization User](./built-in-roles/compute.md#desktop-virtualization-user) \| Allows user to use the applications in an application group. \| 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 \| > \| <a name='desktop-virtualization-user-session-operator'></a>[Desktop Virtualization User Session Operator](./built-in-roles/compute.md#desktop-virtualization-user-session-operator) \| Operator of the Desktop Virtualization User Session. \| ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 \| +> \| <a name='desktop-virtualization-virtual-machine-contributor'></a>[Desktop Virtualization Virtual Machine Contributor](./built-in-roles/compute.md#desktop-virtualization-virtual-machine-contributor) \| This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. \| a959dbd1-f747-45e3-8ba6-dd80f235f97c \| > \| <a name='desktop-virtualization-workspace-contributor'></a>[Desktop Virtualization Workspace Contributor](./built-in-roles/compute.md#desktop-virtualization-workspace-contributor) \| Contributor of the Desktop Virtualization Workspace. \| 21efdde3-836f-432b-bf3d-3e8e734d4b2b \| > \| <a name='desktop-virtualization-workspace-reader'></a>[Desktop Virtualization Workspace Reader](./built-in-roles/compute.md#desktop-virtualization-workspace-reader) \| Reader of the Desktop Virtualization Workspace. \| 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d \| > \| <a name='disk-backup-reader'></a>[Disk Backup Reader](./built-in-roles/compute.md#disk-backup-reader) \| Provides permission to backup vault to perform disk backup. \| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 \| The following table provides a brief description of each built-in role. Click th > \| <a name='virtual-machine-data-access-administrator-preview'></a>[Virtual Machine Data Access Administrator (preview)](./built-in-roles/compute.md#virtual-machine-data-access-administrator-preview) \| Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. \| 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 \| > \| <a name='virtual-machine-local-user-login'></a>[Virtual Machine Local User Login](./built-in-roles/compute.md#virtual-machine-local-user-login) \| View Virtual Machines in the portal and login as a local user configured on the arc server \| 602da2ba-a5c2-41da-b01d-5360126ab525 \| > \| <a name='virtual-machine-user-login'></a>[Virtual Machine User Login](./built-in-roles/compute.md#virtual-machine-user-login) \| View Virtual Machines in the portal and login as a regular user. \| fb879df8-f326-4884-b1cf-06f3ad86be52 \| +> \| <a name='windows-365-network-interface-contributor'></a>[Windows 365 Network Interface Contributor](./built-in-roles/compute.md#windows-365-network-interface-contributor) \| This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. \| 1f135831-5bbe-4924-9016-264044c00788 \| +> \| <a name='windows-365-network-user'></a>[Windows 365 Network User](./built-in-roles/compute.md#windows-365-network-user) \| This role is used by Windows 365 to read virtual networks and join the designated virtual networks. \| 7eabc9a4-85f7-4f71-b8ab-75daaccc1033 \| > \| <a name='windows-admin-center-administrator-login'></a>[Windows Admin Center Administrator Login](./built-in-roles/compute.md#windows-admin-center-administrator-login) \| Let's you manage the OS of your resource via Windows Admin Center as an administrator. \| a6333a3e-0164-44c3-b281-7a577aff287f \| ## Networking The following table provides a brief description of each built-in role. Click th > \| <a name='avere-contributor'></a>[Avere Contributor](./built-in-roles/storage.md#avere-contributor) \| Can create and manage an Avere vFXT cluster. \| 4f8fab4f-1852-4a58-a46a-8eaf358af14a \| > \| <a name='avere-operator'></a>[Avere Operator](./built-in-roles/storage.md#avere-operator) \| Used by the Avere vFXT cluster to manage the cluster \| c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 \| > \| <a name='backup-contributor'></a>[Backup Contributor](./built-in-roles/storage.md#backup-contributor) \| Lets you manage backup service, but can't create vaults and give access to others \| 5e467623-bb1f-42f4-a55d-6e525e11384b \| +> \| <a name='backup-mua-admin'></a>[Backup MUA Admin](./built-in-roles/storage.md#backup-mua-admin) \| Backup MultiUser-Authorization. Can create/delete ResourceGuard \| c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8 \| +> \| <a name='backup-mua-operator'></a>[Backup MUA Operator](./built-in-roles/storage.md#backup-mua-operator) \| Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard \| f54b6d04-23c6-443e-b462-9c16ab7b4a52 \| > \| <a name='backup-operator'></a>[Backup Operator](./built-in-roles/storage.md#backup-operator) \| Lets you manage backup services, except removal of backup, vault creation and giving access to others \| 00c29273-979b-4161-815c-10b084fb9324 \| > \| <a name='backup-reader'></a>[Backup Reader](./built-in-roles/storage.md#backup-reader) \| Can view backup services, but can't make changes \| a795c7a0-d4a2-40c1-ae25-d81f01202912 \| > \| <a name='classic-storage-account-contributor'></a>[Classic Storage Account Contributor](./built-in-roles/storage.md#classic-storage-account-contributor) \| Lets you manage classic storage accounts, but not access to them. \| 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 \| The following table provides a brief description of each built-in role. Click th > \| <a name='data-box-reader'></a>[Data Box Reader](./built-in-roles/storage.md#data-box-reader) \| Lets you manage Data Box Service except creating order or editing order details and giving access to others. \| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 \| > \| <a name='data-lake-analytics-developer'></a>[Data Lake Analytics Developer](./built-in-roles/storage.md#data-lake-analytics-developer) \| Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. \| 47b7735b-770e-4598-a7da-8b91488b4c88 \| > \| <a name='defender-for-storage-data-scanner'></a>[Defender for Storage Data Scanner](./built-in-roles/storage.md#defender-for-storage-data-scanner) \| Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. \| 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 \| +> \| <a name='elastic-san-network-admin'></a>[Elastic SAN Network Admin](./built-in-roles/storage.md#elastic-san-network-admin) \| Allows access to create Private Endpoints on SAN resources, and to read SAN resources \| fa6cecf6-5db3-4c43-8470-c540bcb4eafa \| > \| <a name='elastic-san-owner'></a>[Elastic SAN Owner](./built-in-roles/storage.md#elastic-san-owner) \| Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access \| 80dcbedb-47ef-405d-95bd-188a1b4ac406 \| > \| <a name='elastic-san-reader'></a>[Elastic SAN Reader](./built-in-roles/storage.md#elastic-san-reader) \| Allows for control path read access to Azure Elastic SAN \| af6a70f8-3c9f-4105-acf1-d719e9fca4ca \| > \| <a name='elastic-san-volume-group-owner'></a>[Elastic SAN Volume Group Owner](./built-in-roles/storage.md#elastic-san-volume-group-owner) \| Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access \| a8281131-f312-4f34-8d98-ae12be9f0d23 \| The following table provides a brief description of each built-in role. Click th > \| \| \| \| > \| <a name='azure-maps-data-contributor'></a>[Azure Maps Data Contributor](./built-in-roles/web-and-mobile.md#azure-maps-data-contributor) \| Grants access to read, write, and delete access to map related data from an Azure maps account. \| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 \| > \| <a name='azure-maps-data-reader'></a>[Azure Maps Data Reader](./built-in-roles/web-and-mobile.md#azure-maps-data-reader) \| Grants access to read map related data from an Azure maps account. \| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa \| +> \| <a name='azure-maps-search-and-render-data-reader'></a>[Azure Maps Search and Render Data Reader](./built-in-roles/web-and-mobile.md#azure-maps-search-and-render-data-reader) \| Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. \| 6be48352-4f82-47c9-ad5e-0acacefdb005 \| +> \| <a name='azure-spring-apps-application-configuration-service-config-file-pattern-reader-role'></a>[Azure Spring Apps Application Configuration Service Config File Pattern Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-application-configuration-service-config-file-pattern-reader-role) \| Read content of config file pattern for Application Configuration Service in Azure Spring Apps \| 25211fc6-dc78-40b6-b205-e4ac934fd9fd \| +> \| <a name='azure-spring-apps-application-configuration-service-log-reader-role'></a>[Azure Spring Apps Application Configuration Service Log Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-application-configuration-service-log-reader-role) \| Read real-time logs for Application Configuration Service in Azure Spring Apps \| 6593e776-2a30-40f9-8a32-4fe28b77655d \| +> \| <a name='azure-spring-apps-connect-role'></a>[Azure Spring Apps Connect Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-connect-role) \| Azure Spring Apps Connect Role \| 80558df3-64f9-4c0f-b32d-e5094b036b0b \| +> \| <a name='azure-spring-apps-job-log-reader-role'></a>[Azure Spring Apps Job Log Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-job-log-reader-role) \| Read real-time logs for jobs in Azure Spring Apps \| b459aa1d-e3c8-436f-ae21-c0531140f43e \| +> \| <a name='azure-spring-apps-remote-debugging-role'></a>[Azure Spring Apps Remote Debugging Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-remote-debugging-role) \| Azure Spring Apps Remote Debugging Role \| a99b0159-1064-4c22-a57b-c9b3caa1c054 \| +> \| <a name='azure-spring-apps-spring-cloud-gateway-log-reader-role'></a>[Azure Spring Apps Spring Cloud Gateway Log Reader Role](./built-in-roles/web-and-mobile.md#azure-spring-apps-spring-cloud-gateway-log-reader-role) \| Read real-time logs for Spring Cloud Gateway in Azure Spring Apps \| 4301dc2a-25a9-44b0-ae63-3636cf7f2bd2 \| > \| <a name='azure-spring-cloud-config-server-contributor'></a>[Azure Spring Cloud Config Server Contributor](./built-in-roles/web-and-mobile.md#azure-spring-cloud-config-server-contributor) \| Allow read, write and delete access to Azure Spring Cloud Config Server \| a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b \| > \| <a name='azure-spring-cloud-config-server-reader'></a>[Azure Spring Cloud Config Server Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-config-server-reader) \| Allow read access to Azure Spring Cloud Config Server \| d04c6db6-4947-4782-9e91-30a88feb7be7 \| > \| <a name='azure-spring-cloud-data-reader'></a>[Azure Spring Cloud Data Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-data-reader) \| Allow read access to Azure Spring Cloud Data \| b5537268-8956-4941-a8f0-646150406f0c \| The following table provides a brief description of each built-in role. Click th > \| <a name='signalr-service-owner'></a>[SignalR Service Owner](./built-in-roles/web-and-mobile.md#signalr-service-owner) \| Full access to Azure SignalR Service REST APIs \| 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 \| > \| <a name='signalrweb-pubsub-contributor'></a>[SignalR/Web PubSub Contributor](./built-in-roles/web-and-mobile.md#signalrweb-pubsub-contributor) \| Create, Read, Update, and Delete SignalR service resources \| 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 \| > \| <a name='web-plan-contributor'></a>[Web Plan Contributor](./built-in-roles/web-and-mobile.md#web-plan-contributor) \| Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. \| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b \| +> \| <a name='web-pubsub-service-owner'></a>[Web PubSub Service Owner](./built-in-roles/web-and-mobile.md#web-pubsub-service-owner) \| Full access to Azure Web PubSub Service REST APIs \| 12cf5a90-567b-43ae-8102-96cf46c7d9b4 \| +> \| <a name='web-pubsub-service-reader'></a>[Web PubSub Service Reader](./built-in-roles/web-and-mobile.md#web-pubsub-service-reader) \| Read-only access to Azure Web PubSub Service REST APIs \| bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf \| > \| <a name='website-contributor'></a>[Website Contributor](./built-in-roles/web-and-mobile.md#website-contributor) \| Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. \| de139f84-1756-47ae-9be6-808fbbe84772 \| ## Containers The following table provides a brief description of each built-in role. Click th > \| <a name='azure-kubernetes-service-rbac-cluster-admin'></a>[Azure Kubernetes Service RBAC Cluster Admin](./built-in-roles/containers.md#azure-kubernetes-service-rbac-cluster-admin) \| Lets you manage all resources in the cluster. \| b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b \| > \| <a name='azure-kubernetes-service-rbac-reader'></a>[Azure Kubernetes Service RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-service-rbac-reader) \| Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. \| 7f6c6a51-bcf8-42ba-9220-52d62157d7db \| > \| <a name='azure-kubernetes-service-rbac-writer'></a>[Azure Kubernetes Service RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-service-rbac-writer) \| Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. \| a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb \| +> \| <a name='connected-cluster-managed-identity-checkaccess-reader'></a>[Connected Cluster Managed Identity CheckAccess Reader](./built-in-roles/containers.md#connected-cluster-managed-identity-checkaccess-reader) \| Built-in role that allows a Connected Cluster managed identity to call the checkAccess API \| 65a14201-8f6c-4c28-bec4-12619c5a9aaa \| > \| <a name='kubernetes-agentless-operator'></a>[Kubernetes Agentless Operator](./built-in-roles/containers.md#kubernetes-agentless-operator) \| Grants Microsoft Defender for Cloud access to Azure Kubernetes Services \| d5a2ae44-610b-4500-93be-660a0c5f5ca6 \| > \| <a name='kubernetes-clusterazure-arc-onboarding'></a>[Kubernetes Cluster - Azure Arc Onboarding](./built-in-roles/containers.md#kubernetes-clusterazure-arc-onboarding) \| Role definition to authorize any user/service to create connectedClusters resource \| 34e09817-6cbe-4d01-b1a2-e0eac5743d41 \| > \| <a name='kubernetes-extension-contributor'></a>[Kubernetes Extension Contributor](./built-in-roles/containers.md#kubernetes-extension-contributor) \| Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations \| 85cb6faf-e071-4c9b-8136-154b5a04f717 \| The following table provides a brief description of each built-in role. Click th > \| <a name='cosmosbackupoperator'></a>[CosmosBackupOperator](./built-in-roles/databases.md#cosmosbackupoperator) \| Can submit restore request for a Cosmos DB database or a container for an account \| db7b14f2-5adf-42da-9f96-f2ee17bab5cb \| > \| <a name='cosmosrestoreoperator'></a>[CosmosRestoreOperator](./built-in-roles/databases.md#cosmosrestoreoperator) \| Can perform restore action for Cosmos DB database account with continuous backup mode \| 5432c526-bc82-444a-b7ba-57c5b0b5b34f \| > \| <a name='documentdb-account-contributor'></a>[DocumentDB Account Contributor](./built-in-roles/databases.md#documentdb-account-contributor) \| Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. \| 5bd9cd88-fe45-4216-938b-f97437e15450 \| +> \| <a name='postgresql-flexible-server-long-term-retention-backup-role'></a>[PostgreSQL Flexible Server Long Term Retention Backup Role](./built-in-roles/databases.md#postgresql-flexible-server-long-term-retention-backup-role) \| Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. \| c088a766-074b-43ba-90d4-1fb21feae531 \| > \| <a name='redis-cache-contributor'></a>[Redis Cache Contributor](./built-in-roles/databases.md#redis-cache-contributor) \| Lets you manage Redis caches, but not access to them. \| e0f68234-74aa-48ed-b826-c38b57376e17 \| > \| <a name='sql-db-contributor'></a>[SQL DB Contributor](./built-in-roles/databases.md#sql-db-contributor) \| Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. \| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec \| > \| <a name='sql-managed-instance-contributor'></a>[SQL Managed Instance Contributor](./built-in-roles/databases.md#sql-managed-instance-contributor) \| Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. \| 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d \| The following table provides a brief description of each built-in role. Click th > \| <a name='data-purger'></a>[Data Purger](./built-in-roles/analytics.md#data-purger) \| Delete private data from a Log Analytics workspace. \| 150f5e0c-0603-4f03-8c7f-cf70034c4e90 \| > \| <a name='hdinsight-cluster-operator'></a>[HDInsight Cluster Operator](./built-in-roles/analytics.md#hdinsight-cluster-operator) \| Lets you read and modify HDInsight cluster configurations. \| 61ed4efc-fab3-44fd-b111-e24485cc132a \| > \| <a name='hdinsight-domain-services-contributor'></a>[HDInsight Domain Services Contributor](./built-in-roles/analytics.md#hdinsight-domain-services-contributor) \| Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package \| 8d8d5a11-05d3-4bda-a417-a08778121c7c \| +> \| <a name='hdinsight-on-aks-cluster-admin'></a>[HDInsight on AKS Cluster Admin](./built-in-roles/analytics.md#hdinsight-on-aks-cluster-admin) \| Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. \| fd036e6b-1266-47a0-b0bb-a05d04831731 \| +> \| <a name='hdinsight-on-aks-cluster-pool-admin'></a>[HDInsight on AKS Cluster Pool Admin](./built-in-roles/analytics.md#hdinsight-on-aks-cluster-pool-admin) \| Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters \| 7656b436-37d4-490a-a4ab-d39f838f0042 \| > \| <a name='log-analytics-contributor'></a>[Log Analytics Contributor](./built-in-roles/analytics.md#log-analytics-contributor) \| Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. \| 92aaf0da-9dab-42b6-94a3-d43ce8d16293 \| > \| <a name='log-analytics-reader'></a>[Log Analytics Reader](./built-in-roles/analytics.md#log-analytics-reader) \| Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. \| 73c42c96-874c-492b-b04d-ab87d138a893 \| > \| <a name='schema-registry-contributor-preview'></a>[Schema Registry Contributor (Preview)](./built-in-roles/analytics.md#schema-registry-contributor-preview) \| Read, write, and delete Schema Registry groups and schemas. \| 5dffeca3-4936-4216-b2bc-10343a5abb25 \| The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > \| Built-in role \| Description \| ID \| > \| \| \| \| +> \| <a name='agfood-platform-sensor-partner-contributor'></a>[AgFood Platform Sensor Partner Contributor](./built-in-roles/ai-machine-learning.md#agfood-platform-sensor-partner-contributor) \| Provides contribute access to manage sensor related entities in AgFood Platform Service \| 6b77f0a0-0d89-41cc-acd1-579c22c17a67 \| +> \| <a name='agfood-platform-service-admin'></a>[AgFood Platform Service Admin](./built-in-roles/ai-machine-learning.md#agfood-platform-service-admin) \| Provides admin access to AgFood Platform Service \| f8da80de-1ff9-4747-ad80-a19b7f6079e3 \| +> \| <a name='agfood-platform-service-contributor'></a>[AgFood Platform Service Contributor](./built-in-roles/ai-machine-learning.md#agfood-platform-service-contributor) \| Provides contribute access to AgFood Platform Service \| 8508508a-4469-4e45-963b-2518ee0bb728 \| +> \| <a name='agfood-platform-service-reader'></a>[AgFood Platform Service Reader](./built-in-roles/ai-machine-learning.md#agfood-platform-service-reader) \| Provides read access to AgFood Platform Service \| 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba \| > \| <a name='azure-ai-developer'></a>[Azure AI Developer](./built-in-roles/ai-machine-learning.md#azure-ai-developer) \| Can perform all actions within an Azure AI resource besides managing the resource itself. \| 64702f94-c441-49e6-a78b-ef80e0188fee \| > \| <a name='azure-ai-enterprise-network-connection-approver'></a>[Azure AI Enterprise Network Connection Approver](./built-in-roles/ai-machine-learning.md#azure-ai-enterprise-network-connection-approver) \| Can approve private endpoint connections to Azure AI common dependency resources \| b556d68e-0be0-4f35-a333-ad7ee1ce17ea \| > \| <a name='azure-ai-inference-deployment-operator'></a>[Azure AI Inference Deployment Operator](./built-in-roles/ai-machine-learning.md#azure-ai-inference-deployment-operator) \| Can perform all actions required to create a resource deployment within a resource group. \| 3afb7f49-54cb-416e-8c09-6dc049efa503 \| > \| <a name='azureml-compute-operator'></a>[AzureML Compute Operator](./built-in-roles/ai-machine-learning.md#azureml-compute-operator) \| Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). \| e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 \| > \| <a name='azureml-data-scientist'></a>[AzureML Data Scientist](./built-in-roles/ai-machine-learning.md#azureml-data-scientist) \| Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. \| f6c7c914-8db3-469d-8ca1-694a8f32e121 \| +> \| <a name='azureml-metrics-writer-preview'></a>[AzureML Metrics Writer (preview)](./built-in-roles/ai-machine-learning.md#azureml-metrics-writer-preview) \| Lets you write metrics to AzureML workspace \| 635dd51f-9968-44d3-b7fb-6d9a6bd613ae \| +> \| <a name='azureml-registry-user'></a>[AzureML Registry User](./built-in-roles/ai-machine-learning.md#azureml-registry-user) \| Can perform all actions on Machine Learning Services Registry assets┬áas well as get Registry resources. \| 1823dd4f-9b8c-4ab6-ab4e-7397a3684615 \| > \| <a name='cognitive-services-contributor'></a>[Cognitive Services Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-contributor) \| Lets you create, read, update, delete and manage keys of Cognitive Services. \| 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 \| > \| <a name='cognitive-services-custom-vision-contributor'></a>[Cognitive Services Custom Vision Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-contributor) \| Full access to the project, including the ability to view, create, edit, or delete projects. \| c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 \| > \| <a name='cognitive-services-custom-vision-deployment'></a>[Cognitive Services Custom Vision Deployment](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-deployment) \| Publish, unpublish or export models. Deployment can view the project but can't update. \| 5c4089e1-6d96-4d2f-b296-c1bc7137275f \| The following table provides a brief description of each built-in role. Click th > \| <a name='cognitive-services-custom-vision-trainer'></a>[Cognitive Services Custom Vision Trainer](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-trainer) \| View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. \| 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b \| > \| <a name='cognitive-services-data-reader-preview'></a>[Cognitive Services Data Reader (Preview)](./built-in-roles/ai-machine-learning.md#cognitive-services-data-reader-preview) \| Lets you read Cognitive Services data. \| b59867f0-fa02-499b-be73-45a86b5b3e1c \| > \| <a name='cognitive-services-face-recognizer'></a>[Cognitive Services Face Recognizer](./built-in-roles/ai-machine-learning.md#cognitive-services-face-recognizer) \| Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. \| 9894cab4-e18a-44aa-828b-cb588cd6f2d7 \| +> \| <a name='cognitive-services-immersive-reader-user'></a>[Cognitive Services Immersive Reader User](./built-in-roles/ai-machine-learning.md#cognitive-services-immersive-reader-user) \| Provides access to create Immersive Reader sessions and call APIs \| b2de6794-95db-4659-8781-7e080d3f2b9d \| +> \| <a name='cognitive-services-language-owner'></a>[Cognitive Services Language Owner](./built-in-roles/ai-machine-learning.md#cognitive-services-language-owner) \| Has access to all Read, Test, Write, Deploy and Delete functions under Language portal \| f07febfe-79bc-46b1-8b37-790e26e6e498 \| +> \| <a name='cognitive-services-language-reader'></a>[Cognitive Services Language Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-language-reader) \| Has access to Read and Test functions under Language portal \| 7628b7b8-a8b2-4cdc-b46f-e9b35248918e \| +> \| <a name='cognitive-services-language-writer'></a>[Cognitive Services Language Writer](./built-in-roles/ai-machine-learning.md#cognitive-services-language-writer) \| Has access to all Read, Test, and Write functions under Language Portal \| f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 \| +> \| <a name='cognitive-services-luis-owner'></a>[Cognitive Services LUIS Owner](./built-in-roles/ai-machine-learning.md#cognitive-services-luis-owner) \| Has access to all Read, Test, Write, Deploy and Delete functions under LUIS \| f72c8140-2111-481c-87ff-72b910f6e3f8 \| +> \| <a name='cognitive-services-luis-reader'></a>[Cognitive Services LUIS Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-luis-reader) \| Has access to Read and Test functions under LUIS. \| 18e81cdc-4e98-4e29-a639-e7d10c5a6226 \| +> \| <a name='cognitive-services-luis-writer'></a>[Cognitive Services LUIS Writer](./built-in-roles/ai-machine-learning.md#cognitive-services-luis-writer) \| Has access to all Read, Test, and Write functions under LUIS \| 6322a993-d5c9-4bed-b113-e49bbea25b27 \| > \| <a name='cognitive-services-metrics-advisor-administrator'></a>[Cognitive Services Metrics Advisor Administrator](./built-in-roles/ai-machine-learning.md#cognitive-services-metrics-advisor-administrator) \| Full access to the project, including the system level configuration. \| cb43c632-a144-4ec5-977c-e80c4affc34a \| +> \| <a name='cognitive-services-metrics-advisor-user'></a>[Cognitive Services Metrics Advisor User](./built-in-roles/ai-machine-learning.md#cognitive-services-metrics-advisor-user) \| Access to the project. \| 3b20f47b-3825-43cb-8114-4bd2201156a8 \| > \| <a name='cognitive-services-openai-contributor'></a>[Cognitive Services OpenAI Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-openai-contributor) \| Full access including the ability to fine-tune, deploy and generate text \| a001fd3d-188f-4b5d-821b-7da978bf7442 \| > \| <a name='cognitive-services-openai-user'></a>[Cognitive Services OpenAI User](./built-in-roles/ai-machine-learning.md#cognitive-services-openai-user) \| Read access to view files, models, deployments. The ability to create completion and embedding calls. \| 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd \| > \| <a name='cognitive-services-qna-maker-editor'></a>[Cognitive Services QnA Maker Editor](./built-in-roles/ai-machine-learning.md#cognitive-services-qna-maker-editor) \| Let's you create, edit, import and export a KB. You cannot publish or delete a KB. \| f4cc2bf9-21be-47a1-bdf1-5c5804381025 \| > \| <a name='cognitive-services-qna-maker-reader'></a>[Cognitive Services QnA Maker Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-qna-maker-reader) \| Let's you read and test a KB only. \| 466ccd10-b268-4a11-b098-b4849f024126 \| +> \| <a name='cognitive-services-speech-contributor'></a>[Cognitive Services Speech Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-speech-contributor) \| Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. \| 0e75ca1e-0464-4b4d-8b93-68208a576181 \| +> \| <a name='cognitive-services-speech-user'></a>[Cognitive Services Speech User](./built-in-roles/ai-machine-learning.md#cognitive-services-speech-user) \| Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. \| f2dc8367-1007-4938-bd23-fe263f013447 \| > \| <a name='cognitive-services-usages-reader'></a>[Cognitive Services Usages Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-usages-reader) \| Minimal permission to view Cognitive Services usages. \| bba48692-92b0-4667-a9ad-c31c7b334ac2 \| > \| <a name='cognitive-services-user'></a>[Cognitive Services User](./built-in-roles/ai-machine-learning.md#cognitive-services-user) \| Lets you read and list keys of Cognitive Services. \| a97b65f3-24c7-4388-baec-2e87135dc908 \| +> \| <a name='health-bot-admin'></a>[Health Bot Admin](./built-in-roles/ai-machine-learning.md#health-bot-admin) \| Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. \| f1082fec-a70f-419f-9230-885d2550fb38 \| +> \| <a name='health-bot-editor'></a>[Health Bot Editor](./built-in-roles/ai-machine-learning.md#health-bot-editor) \| Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. \| af854a69-80ce-4ff7-8447-f1118a2e0ca8 \| +> \| <a name='health-bot-reader'></a>[Health Bot Reader](./built-in-roles/ai-machine-learning.md#health-bot-reader) \| Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). \| eb5a76d5-50e7-4c33-a449-070e7c9c4cf2 \| > \| <a name='search-index-data-contributor'></a>[Search Index Data Contributor](./built-in-roles/ai-machine-learning.md#search-index-data-contributor) \| Grants full access to Azure Cognitive Search index data. \| 8ebe5a00-799e-43f5-93ac-243d3dce84a7 \| > \| <a name='search-index-data-reader'></a>[Search Index Data Reader](./built-in-roles/ai-machine-learning.md#search-index-data-reader) \| Grants read access to Azure Cognitive Search index data. \| 1407120a-92aa-4202-b7e9-c0e197c71c8f \| > \| <a name='search-service-contributor'></a>[Search Service Contributor](./built-in-roles/ai-machine-learning.md#search-service-contributor) \| Lets you manage Search services, but not access to them. \| 7ca78c08-252a-4471-8644-bb5ff32d4ba0 \| The following table provides a brief description of each built-in role. Click th > \| \| \| \| > \| <a name='azure-digital-twins-data-owner'></a>[Azure Digital Twins Data Owner](./built-in-roles/internet-of-things.md#azure-digital-twins-data-owner) \| Full access role for Digital Twins data-plane \| bcd981a7-7f74-457b-83e1-cceb9e632ffe \| > \| <a name='azure-digital-twins-data-reader'></a>[Azure Digital Twins Data Reader](./built-in-roles/internet-of-things.md#azure-digital-twins-data-reader) \| Read-only role for Digital Twins data-plane properties \| d57506d4-4c8d-48b1-8587-93c323f6a5a3 \| +> \| <a name='device-provisioning-service-data-contributor'></a>[Device Provisioning Service Data Contributor](./built-in-roles/internet-of-things.md#device-provisioning-service-data-contributor) \| Allows for full access to Device Provisioning Service data-plane operations. \| dfce44e4-17b7-4bd1-a6d1-04996ec95633 \| +> \| <a name='device-provisioning-service-data-reader'></a>[Device Provisioning Service Data Reader](./built-in-roles/internet-of-things.md#device-provisioning-service-data-reader) \| Allows for full read access to Device Provisioning Service data-plane properties. \| 10745317-c249-44a1-a5ce-3a4353c0bbd8 \| > \| <a name='device-update-administrator'></a>[Device Update Administrator](./built-in-roles/internet-of-things.md#device-update-administrator) \| Gives you full access to management and content operations \| 02ca0879-e8e4-47a5-a61e-5c618b76e64a \| > \| <a name='device-update-content-administrator'></a>[Device Update Content Administrator](./built-in-roles/internet-of-things.md#device-update-content-administrator) \| Gives you full access to content operations \| 0378884a-3af5-44ab-8323-f5b22f9f3c98 \| > \| <a name='device-update-content-reader'></a>[Device Update Content Reader](./built-in-roles/internet-of-things.md#device-update-content-reader) \| Gives you read access to content operations, but does not allow making changes \| d1ee9a80-8b14-47f0-bdc2-f4a351625a7b \| > \| <a name='device-update-deployments-administrator'></a>[Device Update Deployments Administrator](./built-in-roles/internet-of-things.md#device-update-deployments-administrator) \| Gives you full access to management operations \| e4237640-0e3d-4a46-8fda-70bc94856432 \| > \| <a name='device-update-deployments-reader'></a>[Device Update Deployments Reader](./built-in-roles/internet-of-things.md#device-update-deployments-reader) \| Gives you read access to management operations, but does not allow making changes \| 49e2f5d2-7741-4835-8efa-19e1fe35e47f \| > \| <a name='device-update-reader'></a>[Device Update Reader](./built-in-roles/internet-of-things.md#device-update-reader) \| Gives you read access to management and content operations, but does not allow making changes \| e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f \| +> \| <a name='firmware-analysis-admin'></a>[Firmware Analysis Admin](./built-in-roles/internet-of-things.md#firmware-analysis-admin) \| Upload and analyze firmware images in Defender for IoT \| 9c1607d1-791d-4c68-885d-c7b7aaff7c8a \| > \| <a name='iot-hub-data-contributor'></a>[IoT Hub Data Contributor](./built-in-roles/internet-of-things.md#iot-hub-data-contributor) \| Allows for full access to IoT Hub data plane operations. \| 4fc6c259-987e-4a07-842e-c321cc9d413f \| > \| <a name='iot-hub-data-reader'></a>[IoT Hub Data Reader](./built-in-roles/internet-of-things.md#iot-hub-data-reader) \| Allows for full read access to IoT Hub data-plane properties \| b447c946-2db7-41ec-983d-d8bf3b1c77e3 \| > \| <a name='iot-hub-registry-contributor'></a>[IoT Hub Registry Contributor](./built-in-roles/internet-of-things.md#iot-hub-registry-contributor) \| Allows for full access to IoT Hub device registry. \| 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 \| The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > \| Built-in role \| Description \| ID \| > \| \| \| \| +> \| <a name='api-management-developer-portal-content-editor'></a>[API Management Developer Portal Content Editor](./built-in-roles/integration.md#api-management-developer-portal-content-editor) \| Can customize the developer portal, edit its content, and publish it. \| c031e6a8-4391-4de0-8d69-4706a7ed3729 \| > \| <a name='api-management-service-contributor'></a>[API Management Service Contributor](./built-in-roles/integration.md#api-management-service-contributor) \| Can manage service and the APIs \| 312a565d-c81f-4fd8-895a-4e21e48d571c \| > \| <a name='api-management-service-operator-role'></a>[API Management Service Operator Role](./built-in-roles/integration.md#api-management-service-operator-role) \| Can manage service but not the APIs \| e022efe7-f5ba-4159-bbe4-b44f577e9b61 \| > \| <a name='api-management-service-reader-role'></a>[API Management Service Reader Role](./built-in-roles/integration.md#api-management-service-reader-role) \| Read-only access to service and APIs \| 71522526-b88f-4d52-b57f-d31fc3546d0d \| The following table provides a brief description of each built-in role. Click th > \| <a name='api-management-workspace-api-product-manager'></a>[API Management Workspace API Product Manager](./built-in-roles/integration.md#api-management-workspace-api-product-manager) \| Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. \| 73c2c328-d004-4c5e-938c-35c6f5679a1f \| > \| <a name='api-management-workspace-contributor'></a>[API Management Workspace Contributor](./built-in-roles/integration.md#api-management-workspace-contributor) \| Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. \| 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 \| > \| <a name='api-management-workspace-reader'></a>[API Management Workspace Reader](./built-in-roles/integration.md#api-management-workspace-reader) \| Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. \| ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 \| +> \| <a name='app-configuration-contributor'></a>[App Configuration Contributor](./built-in-roles/integration.md#app-configuration-contributor) \| Grants permission for all management operations, except purge, for App Configuration resources. \| fe86443c-f201-4fc4-9d2a-ac61149fbda0 \| > \| <a name='app-configuration-data-owner'></a>[App Configuration Data Owner](./built-in-roles/integration.md#app-configuration-data-owner) \| Allows full access to App Configuration data. \| 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b \| > \| <a name='app-configuration-data-reader'></a>[App Configuration Data Reader](./built-in-roles/integration.md#app-configuration-data-reader) \| Allows read access to App Configuration data. \| 516239f1-63e1-4d78-a4de-a74fb236a071 \| +> \| <a name='app-configuration-reader'></a>[App Configuration Reader](./built-in-roles/integration.md#app-configuration-reader) \| Grants permission for read operations for App Configuration resources. \| 175b81b9-6e0d-490a-85e4-0d422273c10c \| > \| <a name='azure-api-center-compliance-manager'></a>[Azure API Center Compliance Manager](./built-in-roles/integration.md#azure-api-center-compliance-manager) \| Allows managing API compliance in Azure API Center service. \| ede9aaa3-4627-494e-be13-4aa7c256148d \| > \| <a name='azure-api-center-data-reader'></a>[Azure API Center Data Reader](./built-in-roles/integration.md#azure-api-center-data-reader) \| Allows for access to Azure API Center data plane read operations. \| c7244dfb-f447-457d-b2ba-3999044d1706 \| > \| <a name='azure-api-center-service-contributor'></a>[Azure API Center Service Contributor](./built-in-roles/integration.md#azure-api-center-service-contributor) \| Allows managing Azure API Center service. \| dd24193f-ef65-44e5-8a7e-6fa6e03f7713 \| The following table provides a brief description of each built-in role. Click th > \| <a name='azure-relay-listener'></a>[Azure Relay Listener](./built-in-roles/integration.md#azure-relay-listener) \| Allows for listen access to Azure Relay resources. \| 26e0b698-aa6d-4085-9386-aadae190014d \| > \| <a name='azure-relay-owner'></a>[Azure Relay Owner](./built-in-roles/integration.md#azure-relay-owner) \| Allows for full access to Azure Relay resources. \| 2787bf04-f1f5-4bfe-8383-c8a24483ee38 \| > \| <a name='azure-relay-sender'></a>[Azure Relay Sender](./built-in-roles/integration.md#azure-relay-sender) \| Allows for send access to Azure Relay resources. \| 26baccc8-eea7-41f1-98f4-1762cc7f685d \| +> \| <a name='azure-resource-notifications-system-topics-subscriber'></a>[Azure Resource Notifications System Topics Subscriber](./built-in-roles/integration.md#azure-resource-notifications-system-topics-subscriber) \| Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications \| 0b962ed2-6d56-471c-bd5f-3477d83a7ba4 \| > \| <a name='azure-service-bus-data-owner'></a>[Azure Service Bus Data Owner](./built-in-roles/integration.md#azure-service-bus-data-owner) \| Allows for full access to Azure Service Bus resources. \| 090c5cfd-751d-490a-894a-3ce6f1109419 \| > \| <a name='azure-service-bus-data-receiver'></a>[Azure Service Bus Data Receiver](./built-in-roles/integration.md#azure-service-bus-data-receiver) \| Allows for receive access to Azure Service Bus resources. \| 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 \| > \| <a name='azure-service-bus-data-sender'></a>[Azure Service Bus Data Sender](./built-in-roles/integration.md#azure-service-bus-data-sender) \| Allows for send access to Azure Service Bus resources. \| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 \| > \| <a name='biztalk-contributor'></a>[BizTalk Contributor](./built-in-roles/integration.md#biztalk-contributor) \| Lets you manage BizTalk services, but not access to them. \| 5e3c6656-6cfa-4708-81fe-0de47ac73342 \| +> \| <a name='chamber-admin'></a>[Chamber Admin](./built-in-roles/integration.md#chamber-admin) \| Lets you manage everything under your Modeling and Simulation Workbench chamber. \| 4e9b8407-af2e-495b-ae54-bb60a55b1b5a \| +> \| <a name='chamber-user'></a>[Chamber User](./built-in-roles/integration.md#chamber-user) \| Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. \| 4447db05-44ed-4da3-ae60-6cbece780e32 \| > \| <a name='deid-batch-data-owner'></a>[DeID Batch Data Owner](./built-in-roles/integration.md#deid-batch-data-owner) \| Create and manage DeID batch jobs. This role is in preview and subject to change. \| 8a90fa6b-6997-4a07-8a95-30633a7c97b9 \| > \| <a name='deid-batch-data-reader'></a>[DeID Batch Data Reader](./built-in-roles/integration.md#deid-batch-data-reader) \| Read DeID batch jobs. This role is in preview and subject to change. \| b73a14ee-91f5-41b7-bd81-920e12466be9 \| > \| <a name='deid-data-owner'></a>[DeID Data Owner](./built-in-roles/integration.md#deid-data-owner) \| Full access to DeID data. This role is in preview and subject to change \| 78e4b983-1a0b-472e-8b7d-8d770f7c5890 \| > \| <a name='deid-realtime-data-user'></a>[DeID Realtime Data User](./built-in-roles/integration.md#deid-realtime-data-user) \| Execute requests against DeID realtime endpoint. This role is in preview and subject to change. \| bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e \| +> \| <a name='dicom-data-owner'></a>[DICOM Data Owner](./built-in-roles/integration.md#dicom-data-owner) \| Full access to DICOM data. \| 58a3b984-7adf-4c20-983a-32417c86fbc8 \| +> \| <a name='dicom-data-reader'></a>[DICOM Data Reader](./built-in-roles/integration.md#dicom-data-reader) \| Read and search DICOM data. \| e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a \| > \| <a name='eventgrid-contributor'></a>[EventGrid Contributor](./built-in-roles/integration.md#eventgrid-contributor) \| Lets you manage EventGrid operations. \| 1e241071-0855-49ea-94dc-649edcd759de \| > \| <a name='eventgrid-data-sender'></a>[EventGrid Data Sender](./built-in-roles/integration.md#eventgrid-data-sender) \| Allows send access to event grid events. \| d5a91429-5739-47e2-a06b-3470a27159e7 \| > \| <a name='eventgrid-eventsubscription-contributor'></a>[EventGrid EventSubscription Contributor](./built-in-roles/integration.md#eventgrid-eventsubscription-contributor) \| Lets you manage EventGrid event subscription operations. \| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 \| > \| <a name='eventgrid-eventsubscription-reader'></a>[EventGrid EventSubscription Reader](./built-in-roles/integration.md#eventgrid-eventsubscription-reader) \| Lets you read EventGrid event subscriptions. \| 2414bbcf-6497-4faf-8c65-045460748405 \| +> \| <a name='eventgrid-topicspaces-publisher'></a>[EventGrid TopicSpaces Publisher](./built-in-roles/integration.md#eventgrid-topicspaces-publisher) \| Lets you publish messages on topicspaces. \| a12b0b94-b317-4dcd-84a8-502ce99884c6 \| +> \| <a name='eventgrid-topicspaces-subscriber'></a>[EventGrid TopicSpaces Subscriber](./built-in-roles/integration.md#eventgrid-topicspaces-subscriber) \| Lets you subscribe messages on topicspaces. \| 4b0f2fd7-60b4-4eca-896f-4435034f8bf5 \| > \| <a name='fhir-data-contributor'></a>[FHIR Data Contributor](./built-in-roles/integration.md#fhir-data-contributor) \| Role allows user or principal full access to FHIR Data \| 5a1fc7df-4bf1-4951-a576-89034ee01acd \| +> \| <a name='fhir-data-converter'></a>[FHIR Data Converter](./built-in-roles/integration.md#fhir-data-converter) \| Role allows user or principal to convert data from legacy format to FHIR \| a1705bd2-3a8f-45a5-8683-466fcfd5cc24 \| > \| <a name='fhir-data-exporter'></a>[FHIR Data Exporter](./built-in-roles/integration.md#fhir-data-exporter) \| Role allows user or principal to read and export FHIR Data \| 3db33094-8700-4567-8da5-1501d4e7e843 \| > \| <a name='fhir-data-importer'></a>[FHIR Data Importer](./built-in-roles/integration.md#fhir-data-importer) \| Role allows user or principal to read and import FHIR Data \| 4465e953-8ced-4406-a58e-0f6e3f3b530b \| > \| <a name='fhir-data-reader'></a>[FHIR Data Reader](./built-in-roles/integration.md#fhir-data-reader) \| Role allows user or principal to read FHIR Data \| 4c8d0bbc-75d3-4935-991f-5f3c56d81508 \| > \| <a name='fhir-data-writer'></a>[FHIR Data Writer](./built-in-roles/integration.md#fhir-data-writer) \| Role allows user or principal to read and write FHIR Data \| 3f88fce4-5892-4214-ae73-ba5294559913 \| +> \| <a name='fhir-smart-user'></a>[FHIR SMART User](./built-in-roles/integration.md#fhir-smart-user) \| Role allows user to access FHIR Service according to SMART on FHIR specification \| 4ba50f17-9666-485c-a643-ff00808643f0 \| > \| <a name='integration-service-environment-contributor'></a>[Integration Service Environment Contributor](./built-in-roles/integration.md#integration-service-environment-contributor) \| Lets you manage integration service environments, but not access to them. \| a41e2c5b-bd99-4a07-88f4-9bf657a760b8 \| > \| <a name='integration-service-environment-developer'></a>[Integration Service Environment Developer](./built-in-roles/integration.md#integration-service-environment-developer) \| Allows developers to create and update workflows, integration accounts and API connections in integration service environments. \| c7aa55d3-1abb-444a-a5ca-5e51e485d6ec \| > \| <a name='intelligent-systems-account-contributor'></a>[Intelligent Systems Account Contributor](./built-in-roles/integration.md#intelligent-systems-account-contributor) \| Lets you manage Intelligent Systems accounts, but not access to them. \| 03a6d094-3444-4b3d-88af-7477090a9e5e \| The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > \| Built-in role \| Description \| ID \| > \| \| \| \| +> \| <a name='deployment-environments-reader'></a>[Deployment Environments Reader](./built-in-roles/devops.md#deployment-environments-reader) \| Provides read access to environment resources. \| eb960402-bf75-4cc3-8d68-35b34f960f72 \| +> \| <a name='deployment-environments-user'></a>[Deployment Environments User](./built-in-roles/devops.md#deployment-environments-user) \| Provides access to manage environment resources. \| 18e40d4e-8d2e-438d-97e1-9528336e149c \| +> \| <a name='devcenter-dev-box-user'></a>[DevCenter Dev Box User](./built-in-roles/devops.md#devcenter-dev-box-user) \| Provides access to create and manage dev boxes. \| 45d50f46-0b78-4001-a660-4198cbe8cd05 \| +> \| <a name='devcenter-project-admin'></a>[DevCenter Project Admin](./built-in-roles/devops.md#devcenter-project-admin) \| Provides access to manage project resources. \| 331c37c6-af14-46d9-b9f4-e1909e1b95a0 \| > \| <a name='devtest-labs-user'></a>[DevTest Labs User](./built-in-roles/devops.md#devtest-labs-user) \| Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. \| 76283e04-6283-4c54-8f91-bcf1374a3c64 \| > \| <a name='lab-assistant'></a>[Lab Assistant](./built-in-roles/devops.md#lab-assistant) \| Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. \| ce40b423-cede-4313-a93f-9b28290b72e1 \| > \| <a name='lab-contributor'></a>[Lab Contributor](./built-in-roles/devops.md#lab-contributor) \| Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. \| 5daaa2af-1fe8-407c-9122-bba179798270 \| The following table provides a brief description of each built-in role. Click th > [!div class="mx-tableFixed"] > \| Built-in role \| Description \| ID \| > \| \| \| \| +> \| <a name='advisor-recommendations-contributor-assessments-and-reviews'></a>[Advisor Recommendations Contributor (Assessments and Reviews)](./built-in-roles/management-and-governance.md#advisor-recommendations-contributor-assessments-and-reviews) \| View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). \| 6b534d80-e337-47c4-864f-140f5c7f593d \| +> \| <a name='advisor-reviews-contributor'></a>[Advisor Reviews Contributor](./built-in-roles/management-and-governance.md#advisor-reviews-contributor) \| View reviews for a workload and triage recommendations linked to them. \| 8aac15f0-d885-4138-8afa-bfb5872f7d13 \| +> \| <a name='advisor-reviews-reader'></a>[Advisor Reviews Reader](./built-in-roles/management-and-governance.md#advisor-reviews-reader) \| View reviews for a workload and recommendations linked to them. \| c64499e0-74c3-47ad-921c-13865957895c \| > \| <a name='automation-contributor'></a>[Automation Contributor](./built-in-roles/management-and-governance.md#automation-contributor) \| Manage Azure Automation resources and other resources using Azure Automation. \| f353d9bd-d4a6-484e-a77a-8050b599b867 \| > \| <a name='automation-job-operator'></a>[Automation Job Operator](./built-in-roles/management-and-governance.md#automation-job-operator) \| Create and Manage Jobs using Automation Runbooks. \| 4fe576fe-1146-4730-92eb-48519fa6bf9f \| > \| <a name='automation-operator'></a>[Automation Operator](./built-in-roles/management-and-governance.md#automation-operator) \| Automation Operators are able to start, stop, suspend, and resume jobs \| d3881f73-407a-4167-8283-e981cbba0404 \| > \| <a name='automation-runbook-operator'></a>[Automation Runbook Operator](./built-in-roles/management-and-governance.md#automation-runbook-operator) \| Read Runbook properties - to be able to create Jobs of the runbook. \| 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 \| +> \| <a name='azure-center-for-sap-solutions-administrator'></a>[Azure Center for SAP solutions administrator](./built-in-roles/management-and-governance.md#azure-center-for-sap-solutions-administrator) \| This role provides read and write access to all capabilities of Azure Center for SAP solutions. \| 7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 \| +> \| <a name='azure-center-for-sap-solutions-reader'></a>[Azure Center for SAP solutions reader](./built-in-roles/management-and-governance.md#azure-center-for-sap-solutions-reader) \| This role provides read access to all capabilities of Azure Center for SAP solutions. \| 05352d14-a920-4328-a0de-4cbe7430e26b \| +> \| <a name='azure-center-for-sap-solutions-service-role'></a>[Azure Center for SAP solutions service role](./built-in-roles/management-and-governance.md#azure-center-for-sap-solutions-service-role) \| Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. \| aabbc5dd-1af0-458b-a942-81af88f9c138 \| > \| <a name='azure-connected-machine-onboarding'></a>[Azure Connected Machine Onboarding](./built-in-roles/management-and-governance.md#azure-connected-machine-onboarding) \| Can onboard Azure Connected Machines. \| b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 \| > \| <a name='azure-connected-machine-resource-administrator'></a>[Azure Connected Machine Resource Administrator](./built-in-roles/management-and-governance.md#azure-connected-machine-resource-administrator) \| Can read, write, delete and re-onboard Azure Connected Machines. \| cd570a14-e51a-42ad-bac8-bafd67325302 \| > \| <a name='azure-connected-machine-resource-manager'></a>[Azure Connected Machine Resource Manager](./built-in-roles/management-and-governance.md#azure-connected-machine-resource-manager) \| Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group \| f5819b54-e033-4d82-ac66-4fec3cbf3f4c \| +> \| <a name='azure-customer-lockbox-approver-for-subscription'></a>[Azure Customer Lockbox Approver for Subscription](./built-in-roles/management-and-governance.md#azure-customer-lockbox-approver-for-subscription) \| Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. \| 4dae6930-7baf-46f5-909e-0383bc931c46 \| > \| <a name='billing-reader'></a>[Billing Reader](./built-in-roles/management-and-governance.md#billing-reader) \| Allows read access to billing data \| fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 \| > \| <a name='blueprint-contributor'></a>[Blueprint Contributor](./built-in-roles/management-and-governance.md#blueprint-contributor) \| Can manage blueprint definitions, but not assign them. \| 41077137-e803-4205-871c-5a86e6a753b4 \| > \| <a name='blueprint-operator'></a>[Blueprint Operator](./built-in-roles/management-and-governance.md#blueprint-operator) \| Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. \| 437d2ced-4a38-4302-8479-ed2bcb43d090 \| The following table provides a brief description of each built-in role. Click th > \| <a name='reservations-administrator'></a>[Reservations Administrator](./built-in-roles/management-and-governance.md#reservations-administrator) \| Lets one read and manage all the reservations in a tenant \| a8889054-8d42-49c9-bc1c-52486c10e7cd \| > \| <a name='reservations-reader'></a>[Reservations Reader](./built-in-roles/management-and-governance.md#reservations-reader) \| Lets one read all the reservations in a tenant \| 582fc458-8989-419f-a480-75249bc5db7e \| > \| <a name='resource-policy-contributor'></a>[Resource Policy Contributor](./built-in-roles/management-and-governance.md#resource-policy-contributor) \| Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. \| 36243c78-bf99-498c-9df9-86d9f8d28608 \| +> \| <a name='savings-plan-purchaser'></a>[Savings plan Purchaser](./built-in-roles/management-and-governance.md#savings-plan-purchaser) \| Lets you purchase savings plans \| 3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74 \| > \| <a name='scheduled-patching-contributor'></a>[Scheduled Patching Contributor](./built-in-roles/management-and-governance.md#scheduled-patching-contributor) \| Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments \| cd08ab90-6b14-449c-ad9a-8f8e549482c6 \| > \| <a name='site-recovery-contributor'></a>[Site Recovery Contributor](./built-in-roles/management-and-governance.md#site-recovery-contributor) \| Lets you manage Site Recovery service except vault creation and role assignment \| 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 \| > \| <a name='site-recovery-operator'></a>[Site Recovery Operator](./built-in-roles/management-and-governance.md#site-recovery-operator) \| Lets you failover and failback but not perform other Site Recovery management operations \| 494ae006-db33-4328-bf46-533a6560a3ca \| The following table provides a brief description of each built-in role. Click th > \| <a name='azure-stack-hci-vm-contributor'></a>[Azure Stack HCI VM Contributor](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-vm-contributor) \| Grants permissions to perform all VM actions \| 874d1c73-6003-4e60-a13a-cb31ea190a85 \| > \| <a name='azure-stack-hci-vm-reader'></a>[Azure Stack HCI VM Reader](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-vm-reader) \| Grants permissions to view VMs \| 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 \| > \| <a name='azure-stack-registration-owner'></a>[Azure Stack Registration Owner](./built-in-roles/hybrid-multicloud.md#azure-stack-registration-owner) \| Lets you manage Azure Stack registrations. \| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a \| +> \| <a name='hybrid-server-resource-administrator'></a>[Hybrid Server Resource Administrator](./built-in-roles/hybrid-multicloud.md#hybrid-server-resource-administrator) \| Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. \| 48b40c6e-82e0-4eb3-90d5-19e40f49b624 \| ## Next steps
role-based-access-control	Ai Machine Learning	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/ai-machine-learning.md	This article lists the Azure built-in roles in the AI + machine learning category. +## AgFood Platform Sensor Partner Contributor + +Provides contribute access to manage sensor related entities in AgFood Platform Service + +[Learn more](/azure/data-manager-for-agri/how-to-set-up-sensors-customer) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/sensorPartnerScope/* \| \| +> \| NotDataActions \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/sensorPartnerScope/sensors/delete \| Deletes an existing AgFoodPlatform sensors resource restricted to caller's sensor partner scope. \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides contribute access to manage sensor related entities in AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67", + "name": "6b77f0a0-0d89-41cc-acd1-579c22c17a67", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/" + ], + "notDataActions": [ + "Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete" + ] + } + ], + "roleName": "AgFood Platform Sensor Partner Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## AgFood Platform Service Admin + +Provides admin access to AgFood Platform Service + +[Learn more](/azure/data-manager-for-agri/quickstart-install-data-manager-for-agriculture) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none* \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/* \| Create, update, read and delete any AgFood Platform resources. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides admin access to AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3", + "name": "f8da80de-1ff9-4747-ad80-a19b7f6079e3", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform/" + ], + "notDataActions": [] + } + ], + "roleName": "AgFood Platform Service Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## AgFood Platform Service Contributor + +Provides contribute access to AgFood Platform Service + +[Learn more](/azure/data-manager-for-agri/quickstart-install-data-manager-for-agriculture) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none* \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//action \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//read \| Read any AgFood Platform resources. \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//write \| Create and update any AgFood Platform resources. \| +> \| NotDataActions* \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/farmers/write \| Creates or Updates AgFoodPlatform farmers. \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/deletionJobs//write \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/parties/write \| Creates or Updates AgFoodPlatform parties. \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/datasets/write \| Creates or Updates AgFoodPlatform datasets. \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/datasetRecords/write \| Creates or Updates AgFoodPlatform Dataset Records. \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)/farmBeats/datasets/access//action \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides contribute access to AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728", + "name": "8508508a-4469-4e45-963b-2518ee0bb728", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform//action", + "Microsoft.AgFoodPlatform//read", + "Microsoft.AgFoodPlatform//write" + ], + "notDataActions": [ + "Microsoft.AgFoodPlatform/farmBeats/farmers/write", + "Microsoft.AgFoodPlatform/farmBeats/deletionJobs//write", + "Microsoft.AgFoodPlatform/farmBeats/parties/write", + "Microsoft.AgFoodPlatform/farmBeats/datasets/write", + "Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write", + "Microsoft.AgFoodPlatform/farmBeats/datasets/access//action" + ] + } + ], + "roleName": "AgFood Platform Service Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## AgFood Platform Service Reader + +Provides read access to AgFood Platform Service + +[Learn more](/azure/data-manager-for-agri/quickstart-install-data-manager-for-agriculture) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none* \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//list/action \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//read \| Read any AgFood Platform resources. \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//search/action \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//download/action \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//overlap/action \| \| +> \| [Microsoft.AgFoodPlatform](../permissions/ai-machine-learning.md#microsoftagfoodplatform)//checkConsent/action \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides read access to AgFood Platform Service", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", + "name": "7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AgFoodPlatform//list/action", + "Microsoft.AgFoodPlatform//read", + "Microsoft.AgFoodPlatform//search/action", + "Microsoft.AgFoodPlatform//download/action", + "Microsoft.AgFoodPlatform//overlap/action", + "Microsoft.AgFoodPlatform//checkConsent/action" + ], + "notDataActions": [] + } + ], + "roleName": "AgFood Platform Service Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure AI Developer Can perform all actions within an Azure AI resource besides managing the resource itself. Can perform all actions within an Azure Machine Learning workspace, except for c } ``` +## AzureML Metrics Writer (preview) + +Lets you write metrics to AzureML workspace + +[Learn more](/azure/machine-learning/concept-endpoints-online-auth) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/metrics//write \| \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you write metrics to AzureML workspace", + "id": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae", + "name": "635dd51f-9968-44d3-b7fb-6d9a6bd613ae", + "permissions": [ + { + "actions": [ + "Microsoft.MachineLearningServices/workspaces/metrics//write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AzureML Metrics Writer (preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## AzureML Registry User + +Can perform all actions on Machine Learning Services Registry assets┬áas well as get Registry resources. + +[Learn more](/azure/machine-learning/how-to-assign-roles) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/registries/read \| Gets the Machine Learning Services registry(ies) \| +> \| [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/registries/assets/ \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can perform all actions on Machine Learning Services Registry assets┬áas well as get Registry resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615", + "name": "1823dd4f-9b8c-4ab6-ab4e-7397a3684615", + "permissions": [ + { + "actions": [ + "Microsoft.MachineLearningServices/registries/read", + "Microsoft.MachineLearningServices/registries/assets/" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AzureML Registry User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Cognitive Services Contributor Lets you create, read, update, delete and manage keys of Cognitive Services. Lets you perform detect, verify, identify, group, and find similar operations on } ``` -## Cognitive Services Metrics Advisor Administrator +## Cognitive Services Immersive Reader User -Full access to the project, including the system level configuration. +Provides access to create Immersive Reader sessions and call APIs -[Learn more](/azure/ai-services/metrics-advisor/how-tos/alerts) +[Learn more](/azure/ai-services/immersive-reader/security-how-to-update-role-assignment) > [!div class="mx-tableFixed"] > \| Actions \| Description \| > \| \| \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| none \| \| > \| NotActions \| \| > \| none \| \| > \| DataActions \| \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ImmersiveReader/getcontentmodelforreader/action \| Creates an Immersive Reader session \| > \| NotDataActions \| \| > \| none \| \| Full access to the project, including the system level configuration. "assignableScopes": [ "/" ], - "description": "Full access to the project, including the system level configuration.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", - "name": "cb43c632-a144-4ec5-977c-e80c4affc34a", + "description": "Provides access to create Immersive Reader sessions and call APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d", + "name": "b2de6794-95db-4659-8781-7e080d3f2b9d", "permissions": [ { - "actions": [ - "Microsoft.CognitiveServices//read" - ], + "actions": [], "notActions": [], "dataActions": [ - "Microsoft.CognitiveServices/accounts/MetricsAdvisor/" + "Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action" ], "notDataActions": [] } ], - "roleName": "Cognitive Services Metrics Advisor Administrator", + "roleName": "Cognitive Services Immersive Reader User", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` -## Cognitive Services OpenAI Contributor +## Cognitive Services Language Owner -Full access including the ability to fine-tune, deploy and generate text +Has access to all Read, Test, Write, Deploy and Delete functions under Language portal -[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) +[Learn more](/azure/ai-services/language-service/concepts/role-based-access-control) > [!div class="mx-tableFixed"] > \| Actions \| Description \| > \| \| \| > \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/write \| Writes deployments. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/delete \| Deletes deployments. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/read \| Gets all applicable policies under the account including default policies. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/write \| Create or update a custom Responsible AI policy. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/delete \| Deletes a custom Responsible AI policy that's not referenced by an existing deployment. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/read \| Reads commitment plans. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/write \| Writes commitment plans. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/delete \| Deletes commitment plans. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/listkeys/action \| List keys \| > \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| > \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| > \| NotActions* \| \| > \| none \| \| > \| DataActions \| \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/* \| \| > \| NotDataActions \| \| -> \| none \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnaMaker/* \| \| ```json { "assignableScopes": [ "/" ], - "description": "Full access including the ability to fine-tune, deploy and generate text", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", - "name": "a001fd3d-188f-4b5d-821b-7da978bf7442", + "description": "Has access to all Read, Test, Write, Deploy and Delete functions under Language portal", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498", + "name": "f07febfe-79bc-46b1-8b37-790e26e6e498", "permissions": [ { "actions": [ "Microsoft.CognitiveServices//read", - "Microsoft.CognitiveServices/accounts/deployments/write", - "Microsoft.CognitiveServices/accounts/deployments/delete", - "Microsoft.CognitiveServices/accounts/raiPolicies/read", - "Microsoft.CognitiveServices/accounts/raiPolicies/write", - "Microsoft.CognitiveServices/accounts/raiPolicies/delete", - "Microsoft.CognitiveServices/accounts/commitmentplans/read", - "Microsoft.CognitiveServices/accounts/commitmentplans/write", - "Microsoft.CognitiveServices/accounts/commitmentplans/delete", + "Microsoft.CognitiveServices/accounts/listkeys/action", "Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleDefinitions/read" ], "notActions": [], "dataActions": [ - "Microsoft.CognitiveServices/accounts/OpenAI/" + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/", + "Microsoft.CognitiveServices/accounts/Language/", + "Microsoft.CognitiveServices/accounts/TextAnalytics/" ], - "notDataActions": [] + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/" + ] } ], - "roleName": "Cognitive Services OpenAI Contributor", + "roleName": "Cognitive Services Language Owner", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` -## Cognitive Services OpenAI User +## Cognitive Services Language Reader -Read access to view files, models, deployments. The ability to create completion and embedding calls. +Has access to Read and Test functions under Language portal -[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) +[Learn more](/azure/ai-services/language-service/concepts/role-based-access-control) > [!div class="mx-tableFixed"] > \| Actions \| Description \| Read access to view files, models, deployments. The ability to create completion > \| NotActions* \| \| > \| none \| \| > \| DataActions \| \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI//read \| \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/completions/action \| Create a completion from a chosen model \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/search/action \| Search for the most relevant documents using the current engine. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/generate/action \| (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/audio/action \| Return the transcript or translation for a given audio file. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/search/action \| Search for the most relevant documents using the current engine. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/completions/action \| Create a completion from a chosen model. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/chat/completions/action \| Creates a completion for the chat message \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/extensions/chat/completions/action \| Creates a completion for the chat message with extensions \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/embeddings/action \| Return the embeddings for a given prompt. \| -> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action \| Create image generations. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/projects/export/action \| Triggers a job to export project data in JSON format. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language//projects/export/action \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/query-text/action \| Answer Text. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/query-dataverse/action \| Query Dataverse. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-text/jobs/action \| Submit a collection of text documents for analysis. Specify one or more unique tasks to be executed. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-text/action \| Submit a collection of text documents for analysis. Specify a single unique task to be executed immediately. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-text/jobscancel/action \| Cancel a long-running Text Analysis job. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-conversations/action \| Analyzes the input conversation. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-conversations/jobscancel/action \| Cancel a long-running analysis job on conversation. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/analyze-conversations/jobs/action \| Submit a long conversation for analysis. Specify one or more unique tasks to be executed as a long-running operation. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/query-knowledgebases/action \| Answer Knowledgebase. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/generate/action \| Language generation. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/ \| \| > \| NotDataActions \| \| -> \| none \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnaMaker/* \| \| ```json { "assignableScopes": [ "/" ], - "description": "Ability to view files, models, deployments. Readers can't make any changes They can inference and create images", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", + "description": "Has access to Read and Test functions under Language portal", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e", + "name": "7628b7b8-a8b2-4cdc-b46f-e9b35248918e", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LanguageAuthoring//read", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding//read", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action", + "Microsoft.CognitiveServices/accounts/Language//read", + "Microsoft.CognitiveServices/accounts/Language//projects/export/action", + "Microsoft.CognitiveServices/accounts/Language/query-text/action", + "Microsoft.CognitiveServices/accounts/Language/query-dataverse/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-text/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action", + "Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action", + "Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action", + "Microsoft.CognitiveServices/accounts/Language/generate/action", + "Microsoft.CognitiveServices/accounts/TextAnalytics/" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/" + ] + } + ], + "roleName": "Cognitive Services Language Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services Language Writer + + Has access to all Read, Test, and Write functions under Language Portal + +[Learn more](/azure/ai-services/language-service/concepts/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/* \| \| +> \| NotDataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LanguageAuthoring/projects/publish/action \| Trigger publishing job. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/ConversationalLanguageUnderstanding/projects/deployments/write \| Trigger job to create new deployment or replace an existing deployment. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnaMaker/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language//projects/delete \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language//projects/deployments/write \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language//projects/deployments/delete \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Language//projects/deployments/swap/action \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": " Has access to all Read, Test, and Write functions under Language Portal", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", + "name": "f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/", + "Microsoft.CognitiveServices/accounts/Language/", + "Microsoft.CognitiveServices/accounts/TextAnalytics/" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action", + "Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/", + "Microsoft.CognitiveServices/accounts/Language//projects/delete", + "Microsoft.CognitiveServices/accounts/Language//projects/deployments/write", + "Microsoft.CognitiveServices/accounts/Language//projects/deployments/delete", + "Microsoft.CognitiveServices/accounts/Language//projects/deployments/swap/action" + ] + } + ], + "roleName": "Cognitive Services Language Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services LUIS Owner + + Has access to all Read, Test, Write, Deploy and Delete functions under LUIS + +[Learn more](/azure/ai-services/luis/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/listkeys/action \| List keys \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": " Has access to all Read, Test, Write, Deploy and Delete functions under LUIS", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8", + "name": "f72c8140-2111-481c-87ff-72b910f6e3f8", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.CognitiveServices/accounts/listkeys/action", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services LUIS Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services LUIS Reader + +Has access to Read and Test functions under LUIS. + +[Learn more](/azure/ai-services/luis/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/testdatasets/write \| Updates last test results of an exisiting batch test data set for a given application. \| +> \| NotDataActions* \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has access to Read and Test functions under LUIS.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226", + "name": "18e81cdc-4e98-4e29-a639-e7d10c5a6226", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS//read", + "Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services LUIS Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services LUIS Writer + +Has access to all Read, Test, and Write functions under LUIS + +[Learn more](/azure/ai-services/luis/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/* \| \| +> \| NotDataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/delete \| Deletes an application. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/move/action \| Moves the app to a different LUIS authoring Azure resource. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/publish/action \| Publishes a specific version of the application. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/settings/write \| Updates the application settings \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/azureaccounts/action \| Assigns an Azure account to the application. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/LUIS/apps/azureaccounts/delete \| Gets the LUIS Azure accounts for the user using his Azure Resource Manager token. \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has access to all Read, Test, and Write functions under LUIS", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27", + "name": "6322a993-d5c9-4bed-b113-e49bbea25b27", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/LUIS/apps/delete", + "Microsoft.CognitiveServices/accounts/LUIS/apps/move/action", + "Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action", + "Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write", + "Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action", + "Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete" + ] + } + ], + "roleName": "Cognitive Services LUIS Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services Metrics Advisor Administrator + +Full access to the project, including the system level configuration. + +[Learn more](/azure/ai-services/metrics-advisor/how-tos/alerts) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to the project, including the system level configuration.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", + "name": "cb43c632-a144-4ec5-977c-e80c4affc34a", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Metrics Advisor Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services Metrics Advisor User + +Access to the project. + +[Learn more](/dotnet/api/overview/azure/ai.metricsadvisor-readme) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* \| \| +> \| NotDataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/stats/* \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Access to the project.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8", + "name": "3b20f47b-3825-43cb-8114-4bd2201156a8", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/" + ] + } + ], + "roleName": "Cognitive Services Metrics Advisor User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services OpenAI Contributor + +Full access including the ability to fine-tune, deploy and generate text + +[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/write \| Writes deployments. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/delete \| Deletes deployments. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/read \| Gets all applicable policies under the account including default policies. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/write \| Create or update a custom Responsible AI policy. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/delete \| Deletes a custom Responsible AI policy that's not referenced by an existing deployment. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/read \| Reads commitment plans. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/write \| Writes commitment plans. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/delete \| Deletes commitment plans. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access including the ability to fine-tune, deploy and generate text", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", + "name": "a001fd3d-188f-4b5d-821b-7da978bf7442", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.CognitiveServices/accounts/deployments/write", + "Microsoft.CognitiveServices/accounts/deployments/delete", + "Microsoft.CognitiveServices/accounts/raiPolicies/read", + "Microsoft.CognitiveServices/accounts/raiPolicies/write", + "Microsoft.CognitiveServices/accounts/raiPolicies/delete", + "Microsoft.CognitiveServices/accounts/commitmentplans/read", + "Microsoft.CognitiveServices/accounts/commitmentplans/write", + "Microsoft.CognitiveServices/accounts/commitmentplans/delete", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/OpenAI/" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services OpenAI Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services OpenAI User + +Read access to view files, models, deployments. The ability to create completion and embedding calls. + +[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/completions/action \| Create a completion from a chosen model \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/search/action \| Search for the most relevant documents using the current engine. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/generate/action \| (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/audio/action \| Return the transcript or translation for a given audio file. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/search/action \| Search for the most relevant documents using the current engine. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/completions/action \| Create a completion from a chosen model. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/chat/completions/action \| Creates a completion for the chat message \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/extensions/chat/completions/action \| Creates a completion for the chat message with extensions \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/embeddings/action \| Return the embeddings for a given prompt. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action \| Create image generations. \| +> \| NotDataActions* \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Ability to view files, models, deployments. Readers can't make any changes They can inference and create images", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", "name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", "permissions": [ { Let's you read and test a KB only. } ``` +## Cognitive Services Speech Contributor + +Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. + +[Learn more](/azure/ai-services/speech-service/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/AudioContentCreation/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/VideoTranslation/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomAvatar/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchAvatar/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchTextToSpeech/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181", + "name": "0e75ca1e-0464-4b4d-8b93-68208a576181", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/SpeechServices/", + "Microsoft.CognitiveServices/accounts/CustomVoice/", + "Microsoft.CognitiveServices/accounts/AudioContentCreation/", + "Microsoft.CognitiveServices/accounts/VideoTranslation/", + "Microsoft.CognitiveServices/accounts/CustomAvatar/", + "Microsoft.CognitiveServices/accounts/BatchAvatar/", + "Microsoft.CognitiveServices/accounts/BatchTextToSpeech/" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Speech Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Cognitive Services Speech User + +Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. + +[Learn more](/azure/ai-services/speech-service/role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read \| Get information about a role definition. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices//transcriptions/read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices//transcriptions/write \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices//transcriptions/delete \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices//frontend/action \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/text-dependent//action \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/text-independent//action \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/evaluations/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/longaudiosynthesis/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/AudioContentCreation/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/VideoTranslation/* \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomAvatar//read \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchAvatar/ \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/BatchTextToSpeech/* \| \| +> \| NotDataActions \| \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/datasets/files/read \| Gets the files of the dataset identified by the given ID. \| +> \| [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVoice/datasets/utterances/read \| Gets utterances of the specified training set. \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447", + "name": "f2dc8367-1007-4938-bd23-fe263f013447", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices//read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/SpeechServices//read", + "Microsoft.CognitiveServices/accounts/SpeechServices//transcriptions/read", + "Microsoft.CognitiveServices/accounts/SpeechServices//transcriptions/write", + "Microsoft.CognitiveServices/accounts/SpeechServices//transcriptions/delete", + "Microsoft.CognitiveServices/accounts/SpeechServices//frontend/action", + "Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent//action", + "Microsoft.CognitiveServices/accounts/SpeechServices/text-independent//action", + "Microsoft.CognitiveServices/accounts/CustomVoice//read", + "Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/", + "Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/", + "Microsoft.CognitiveServices/accounts/AudioContentCreation/", + "Microsoft.CognitiveServices/accounts/VideoTranslation/", + "Microsoft.CognitiveServices/accounts/CustomAvatar//read", + "Microsoft.CognitiveServices/accounts/BatchAvatar/", + "Microsoft.CognitiveServices/accounts/BatchTextToSpeech/" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read", + "Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read" + ] + } + ], + "roleName": "Cognitive Services Speech User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Cognitive Services Usages Reader Minimal permission to view Cognitive Services usages. Lets you read and list keys of Cognitive Services. } ``` +## Health Bot Admin + +Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. + +[Learn more](/azure/health-bot/portal-users) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthBot](../permissions/ai-machine-learning.md#microsofthealthbot)/healthBots/Admin/Action \| Sign in to the management portal, view and edit all of the bot resources, scenarios, configuration settings, instance keys & secrets. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f1082fec-a70f-419f-9230-885d2550fb38", + "name": "f1082fec-a70f-419f-9230-885d2550fb38", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthBot/healthBots/Admin/Action" + ], + "notDataActions": [] + } + ], + "roleName": "Health Bot Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Health Bot Editor + +Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. + +[Learn more](/azure/health-bot/portal-users) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthBot](../permissions/ai-machine-learning.md#microsofthealthbot)/healthBots/Editor/Action \| Sign in to the management portal, view and edit all the bot resources, scenarios and configuration settings except for the bot instance keys & secrets and the end-user inputs. Read-only access to the bot skills and channels. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/af854a69-80ce-4ff7-8447-f1118a2e0ca8", + "name": "af854a69-80ce-4ff7-8447-f1118a2e0ca8", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthBot/healthBots/Editor/Action" + ], + "notDataActions": [] + } + ], + "roleName": "Health Bot Editor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Health Bot Reader + +Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). + +[Learn more](/azure/health-bot/portal-users) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthBot](../permissions/ai-machine-learning.md#microsofthealthbot)/healthBots/Reader/Action \| Sign in to the management portal, with read-only access to resources, scenarios and configuration settings except for the bot instance keys & secrets and the end-user inputs. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs).", + "id": "/providers/Microsoft.Authorization/roleDefinitions/eb5a76d5-50e7-4c33-a449-070e7c9c4cf2", + "name": "eb5a76d5-50e7-4c33-a449-070e7c9c4cf2", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthBot/healthBots/Reader/Action" + ], + "notDataActions": [] + } + ], + "roleName": "Health Bot Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Search Index Data Contributor Grants full access to Azure Cognitive Search index data.
role-based-access-control	Analytics	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/analytics.md	Can Read, Create, Modify and Delete Domain Services related operations needed fo } ``` +## HDInsight on AKS Cluster Admin + +Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. + +[Learn more](/azure/hdinsight-aks/hdinsight-on-aks-manage-authorization-profile) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/read \| Get details about HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/write \| Create or Update HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/delete \| Delete a HDInsight on AKS cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/resize/action \| Resize a HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/clusters/instanceviews/read \| Get details about HDInsight on AKS Cluster Instance View \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/jobs/read \| List HDInsight on AKS Cluster Jobs \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/runjob/action \| Run HDInsight on AKS Cluster Job \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/clusters/serviceconfigs/read \| Get details about HDInsight on AKS Cluster Service Configurations \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/availableupgrades/read \| Get Avaliable Upgrades for HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/upgrade/action \| Upgrade HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/rollback/action \| Rollback HDInsight on AKS Cluster Upgrade \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/upgradehistories/read \| Read HDInsight on AKS Cluster Upgrade Histories \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/libraries/read \| Read HDInsight on AKS Cluster Libaries \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/managelibraries/action \| Manage HDInsight on AKS Cluster Libaries \| +> \| [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read \| Gets the availability statuses for all resources in the specified scope \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments//read \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action \| Validates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write \| Creates or updates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action \| Export template for a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read \| Get the subscription operation results. \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write \| Create or update a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete \| Delete a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read \| Read a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action \| Classic metric alert activated \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action \| Classic metric alert resolved \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action \| Classic metric alert rule throttled \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read \| Read a classic metric alert incident \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read \| Read metrics \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logs/read \| Reading data from all your logs \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fd036e6b-1266-47a0-b0bb-a05d04831731", + "name": "fd036e6b-1266-47a0-b0bb-a05d04831731", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization//read", + "Microsoft.HDInsight/clusterPools/clusters/read", + "Microsoft.HDInsight/clusterPools/clusters/write", + "Microsoft.HDInsight/clusterPools/clusters/delete", + "Microsoft.HDInsight/clusterPools/clusters/resize/action", + "Microsoft.HDInsight/clusterpools/clusters/instanceviews/read", + "Microsoft.HDInsight/clusterPools/clusters/jobs/read", + "Microsoft.HDInsight/clusterPools/clusters/runjob/action", + "Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read", + "Microsoft.HDInsight/clusterPools/clusters/availableupgrades/read", + "Microsoft.HDInsight/clusterPools/clusters/upgrade/action", + "Microsoft.HDInsight/clusterPools/clusters/rollback/action", + "Microsoft.HDInsight/clusterPools/clusters/upgradehistories/read", + "Microsoft.HDInsight/clusterPools/clusters/libraries/read", + "Microsoft.HDInsight/clusterPools/clusters/managelibraries/action", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments//read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/logs/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "HDInsight on AKS Cluster Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## HDInsight on AKS Cluster Pool Admin + +Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters + +[Learn more](/azure/hdinsight-aks/hdinsight-on-aks-manage-authorization-profile) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/read \| Get details about HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/clusters/write \| Create or Update HDInsight on AKS Cluster \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/delete \| Delete a HDInsight on AKS Cluster Pool \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/read \| Get details about HDInsight on AKS Cluster Pool \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/write \| Create or Update HDInsight on AKS Cluster Pool \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/availableupgrades/read \| Get Avaliable Upgrades for HDInsight on AKS Cluster Pool \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterpools/upgrade/action \| Upgrade HDInsight on AKS Cluster Pool \| +> \| [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusterPools/upgradehistories/read \| Read HDInsight on AKS Cluster Pool Upgrade Histories \| +> \| [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read \| Gets the availability statuses for all resources in the specified scope \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action \| Validates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments//read \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write \| Creates or updates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action \| Export template for a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action \| Validates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read \| Get the subscription operation results. \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write \| Create or update a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete \| Delete a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read \| Read a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action \| Classic metric alert activated \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action \| Classic metric alert resolved \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action \| Classic metric alert rule throttled \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read \| Read a classic metric alert incident \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read \| Read metrics \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logs/read \| Reading data from all your logs \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7656b436-37d4-490a-a4ab-d39f838f0042", + "name": "7656b436-37d4-490a-a4ab-d39f838f0042", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization//read", + "Microsoft.HDInsight/clusterPools/clusters/read", + "Microsoft.HDInsight/clusterPools/clusters/write", + "Microsoft.HDInsight/clusterPools/delete", + "Microsoft.HDInsight/clusterPools/read", + "Microsoft.HDInsight/clusterPools/write", + "Microsoft.HDInsight/clusterpools/availableupgrades/read", + "Microsoft.HDInsight/clusterpools/upgrade/action", + "Microsoft.HDInsight/clusterPools/upgradehistories/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments//read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/logs/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "HDInsight on AKS Cluster Pool Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Log Analytics Contributor Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.
role-based-access-control	Compute	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/compute.md	This article lists the Azure built-in roles in the Compute category. +## Azure Arc VMware VM Contributor + +Arc VMware VM Contributor has permissions to perform all VM actions. + +[Learn more](/azure/azure-arc/vmware-vsphere/setup-and-manage-self-service-access) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/virtualmachines/* \| \| +> \| [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/virtualmachineinstances/* \| \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write \| Create or update a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete \| Delete a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read \| Read a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action \| Classic metric alert activated \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action \| Classic metric alert resolved \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action \| Classic metric alert rule throttled \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read \| Read a classic metric alert incident \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write \| Creates or updates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/delete \| Deletes a deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/cancel/action \| Cancels a deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action \| Validates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/whatIf/action \| Predicts template deployment changes. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action \| Export template for a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read \| Gets or lists deployment operation statuses. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/write \| Creates or updates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read \| Gets or lists deployment operation statuses. \| +> \| [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read \| Gets the availability statuses for all resources in the specified scope \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read \| Get the subscription operation results. \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read \| Read any Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write \| Writes an Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/delete \| Deletes an Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/UpgradeExtensions/action \| Upgrades Extensions on Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/assessPatches/action \| Assesses any Azure Arc machines to get missing software patches \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/installPatches/action \| Installs patches on any Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/read \| Reads any Azure Arc extensions \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write \| Installs or Updates an Azure Arc extensions \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/delete \| Deletes an Azure Arc extensions \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read \| Read all Operations for Azure Arc for Servers \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read \| Reads the status of an operation on Microsoft.HybridCompute Resource Provider \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read \| Reads the status of an operation on Microsoft.HybridCompute Resource Provider \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/read \| Reads any Azure Arc patchAssessmentResults \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read \| Reads any Azure Arc patchAssessmentResults/softwarePatches \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/read \| Reads any Azure Arc patchInstallationResults \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read \| Reads any Azure Arc patchInstallationResults/softwarePatches \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/updateCenterOperationResults/read \| Reads the status of an update center operation on machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read \| Read any Azure Arc machines's Hybrid Identity Metadata \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/read \| Read all Azure Connected Machine Agent versions available \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/latest/read \| Read the latest Azure Connected Machine Agent version \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/read \| Reads any Azure Arc runcommands \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/write \| Installs or Updates an Azure Arc runcommands \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/delete \| Deletes an Azure Arc runcommands \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/read \| Reads any Azure Arc licenseProfiles \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/write \| Installs or Updates an Azure Arc licenseProfiles \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/delete \| Deletes an Azure Arc licenseProfiles \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/read \| Reads any Azure Arc licenses \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/write \| Installs or Updates an Azure Arc licenses \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/delete \| Deletes an Azure Arc licenses \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Arc VMware VM Contributor has permissions to perform all VM actions.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb", + "name": "b748a06d-6150-4f8a-aaa9-ce3940cd96cb", + "permissions": [ + { + "actions": [ + "Microsoft.ConnectedVMwarevSphere/virtualmachines/", + "Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/delete", + "Microsoft.Resources/deployments/cancel/action", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/whatIf/action", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/write", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/machines/delete", + "Microsoft.HybridCompute/machines/UpgradeExtensions/action", + "Microsoft.HybridCompute/machines/assessPatches/action", + "Microsoft.HybridCompute/machines/installPatches/action", + "Microsoft.HybridCompute/machines/extensions/read", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.HybridCompute/machines/extensions/delete", + "Microsoft.HybridCompute/operations/read", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read", + "Microsoft.HybridCompute/locations/updateCenterOperationResults/read", + "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read", + "Microsoft.HybridCompute/osType/agentVersions/read", + "Microsoft.HybridCompute/osType/agentVersions/latest/read", + "Microsoft.HybridCompute/machines/runcommands/read", + "Microsoft.HybridCompute/machines/runcommands/write", + "Microsoft.HybridCompute/machines/runcommands/delete", + "Microsoft.HybridCompute/machines/licenseProfiles/read", + "Microsoft.HybridCompute/machines/licenseProfiles/write", + "Microsoft.HybridCompute/machines/licenseProfiles/delete", + "Microsoft.HybridCompute/licenses/read", + "Microsoft.HybridCompute/licenses/write", + "Microsoft.HybridCompute/licenses/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Arc VMware VM Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. Reader of the Desktop Virtualization Host Pool. } ``` +## Desktop Virtualization Power On Contributor + +Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. + +[Learn more](/azure/virtual-desktop/rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action \| Starts the virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read \| Get the properties of a virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/instanceView/read \| Gets the detailed runtime status of the virtual machine and its resources \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* \| Create and manage a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read \| Read any Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read \| Read all Operations for Azure Arc for Servers \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read \| Reads the status of an operation on Microsoft.HybridCompute Resource Provider \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read \| Reads the status of an operation on Microsoft.HybridCompute Resource Provider \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/read \| Gets/Lists virtual machine instance resource \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/start/action \| Starts virtual machine instance resource \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/operations/read \| Gets operations \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33", + "name": "489581de-a3bd-480d-9518-53dea7416b33", + "permissions": [ + { + "actions": [ + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Authorization//read", + "Microsoft.Insights/alertRules/", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/operations/read", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/start/action", + "Microsoft.AzureStackHCI/operations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Power On Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Desktop Virtualization Power On Off Contributor + +Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. + +[Learn more](/azure/virtual-desktop/rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/operations/read \| Gets operations \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/read \| Gets/Lists virtual machine instance resource \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/restart/action \| Restarts virtual machine instance resource \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/start/action \| Starts virtual machine instance resource \| +> \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/stop/action \| Stops virtual machine instance resource \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/deallocate/action \| Powers off the virtual machine and releases the compute resources \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/instanceView/read \| Gets the detailed runtime status of the virtual machine and its resources \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/powerOff/action \| Powers off the virtual machine. Note that the virtual machine will continue to be billed. \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read \| Get the properties of a virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/restart/action \| Restarts the virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action \| Starts the virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesCancelOperations/action \| virtualMachinesCancelOperations: cancelOperations for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesExecuteDeallocate/action \| virtualMachinesExecuteDeallocate: executeDeallocate for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesExecuteHibernate/action \| virtualMachinesExecuteHibernate: executeHibernate for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesExecuteStart/action \| virtualMachinesExecuteStart: executeStart for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesGetOperationErrors/action \| \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesGetOperationStatus/action \| virtualMachinesGetOperationStatus: getOperationStatus for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesSubmitDeallocate/action \| virtualMachinesSubmitDeallocate: submitDeallocate for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesSubmitHibernate/action \| virtualMachinesSubmitHibernate: submitHibernate for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/locations/virtualMachinesSubmitStart/action \| virtualMachinesSubmitStart: submitStart for a virtual machine \| +> \| [Microsoft.ComputeSchedule](../permissions/compute.md#microsoftcomputeschedule)/register/action \| Register the subscription for Microsoft.ComputeSchedule \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read \| Read hostpools \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read \| Read hostpools/sessionhosts \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/delete \| Delete hostpools/sessionhosts/usersessions \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/read \| Read hostpools/sessionhosts/usersessions \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/sendMessage/action \| Send message to user session \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/write \| Write hostpools/sessionhosts \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/write \| Write hostpools \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read \| Reads the status of an operation on Microsoft.HybridCompute Resource Provider \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read \| Reads the status of an operation on Microsoft.HybridCompute Resource Provider \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read \| Read any Azure Arc machines \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read \| Read all Operations for Azure Arc for Servers \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* \| Create and manage a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/eventtypes/values/read \| Read Activity Log events \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e", + "name": "40c5ff49-9181-41f8-ae61-143b0e78555e", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization//read", + "Microsoft.AzureStackHCI/operations/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/read", + "Microsoft.AzureStackHCI/virtualMachineInstances/restart/action", + "Microsoft.AzureStackHCI/virtualMachineInstances/start/action", + "Microsoft.AzureStackHCI/virtualMachineInstances/stop/action", + "Microsoft.Compute/virtualMachines/deallocate/action", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Compute/virtualMachines/powerOff/action", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/restart/action", + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action", + "Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action", + "Microsoft.ComputeSchedule/register/action", + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write", + "Microsoft.DesktopVirtualization/hostpools/write", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/operations/read", + "Microsoft.Insights/alertRules/", + "Microsoft.Insights/eventtypes/values/read", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Power On Off Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Desktop Virtualization Reader Reader of Desktop Virtualization. Operator of the Desktop Virtualization User Session. } ``` +## Desktop Virtualization Virtual Machine Contributor + +This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. + +[Learn more](/azure/virtual-desktop/rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read \| Read hostpools \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/write \| Write hostpools \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/retrieveRegistrationToken/action \| List registration tokens for host pool \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read \| Read hostpools/sessionhosts \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/write \| Write hostpools/sessionhosts \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/delete \| Delete hostpools/sessionhosts \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/read \| Read hostpools/sessionhosts/usersessions \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/disconnect/action \| Disconnects the user session form session host \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/sendMessage/action \| Send message to user session \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionHostConfigurations/read \| Read hostpools/sessionhostconfigurations \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/doNotUseInternalAPI/action \| Internal operation that is not meant to be called by customers. This will be removed in a future version. Do not use it. \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/retryprovisioning/action \| Action on retryprovisioning. \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read \| Get the properties of an availability set \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/write \| Creates a new availability set or updates an existing one \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/vmSizes/read \| List available sizes for creating or updating a virtual machine in the availability set \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read \| Get the properties of a Disk \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write \| Creates a new Disk or updates an existing one \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/delete \| Deletes the Disk \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/read \| Gets the properties of Gallery \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/images/read \| Gets the properties of Gallery Image \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/images/versions/read \| Gets the properties of Gallery Image Version \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/images/read \| Get the properties of the Image \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/usages/read \| Gets service limits and current usage quantities for the subscription's compute resources in a location \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/vmSizes/read \| Lists available virtual machine sizes in a location \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/operations/read \| Lists operations available on Microsoft.Compute resource provider \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/skus/read \| Gets the list of Microsoft.Compute SKUs available for your Subscription \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read \| Get the properties of a virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/write \| Creates a new virtual machine or updates an existing virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/delete \| Deletes the virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action \| Starts the virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/powerOff/action \| Powers off the virtual machine. Note that the virtual machine will continue to be billed. \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/restart/action \| Restarts the virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/deallocate/action \| Powers off the virtual machine and releases the compute resources \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommand/action \| Executes a predefined script on the virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read \| Get the properties of a virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/write \| Creates a new virtual machine extension or updates an existing one \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/delete \| Deletes the virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommands/read \| Get the properties of a virtual machine run command \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommands/write \| Creates a new virtual machine run command or updates an existing one \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/vmSizes/read \| Lists available sizes the virtual machine can be updated to \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read \| Gets a network security group definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write \| Creates a network interface or updates an existing network interface. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read \| Gets a network interface definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action \| Joins a Virtual Machine to a network interface. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/delete \| Deletes a network interface \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read \| Gets a virtual network subnet definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action \| Joins a virtual network. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/usages/read \| Get the IP usages for each subnet of the virtual network \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read \| Get the virtual network definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read \| Gets a network security group definition \| +> \| [Microsoft.Marketplace](../permissions/general.md#microsoftmarketplace)/offerTypes/publishers/offers/plans/agreements/read \| Returns an Agreement. \| +> \| [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/deploy/action \| Enables access to secrets in a key vault when deploying Azure resources \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read \| Returns the list of storage accounts or gets the properties for the specified storage account. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* \| Create and manage a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/scalingPlans/read \| Read scalingplans \| +> \| [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/scalingPlans/write \| Write scalingplans \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c", + "name": "a959dbd1-f747-45e3-8ba6-dd80f235f97c", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/write", + "Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action", + "Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read", + "Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action", + "Microsoft.Compute/availabilitySets/read", + "Microsoft.Compute/availabilitySets/write", + "Microsoft.Compute/availabilitySets/vmSizes/read", + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/delete", + "Microsoft.Compute/galleries/read", + "Microsoft.Compute/galleries/images/read", + "Microsoft.Compute/galleries/images/versions/read", + "Microsoft.Compute/images/read", + "Microsoft.Compute/locations/usages/read", + "Microsoft.Compute/locations/vmSizes/read", + "Microsoft.Compute/operations/read", + "Microsoft.Compute/skus/read", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/write", + "Microsoft.Compute/virtualMachines/delete", + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.Compute/virtualMachines/powerOff/action", + "Microsoft.Compute/virtualMachines/restart/action", + "Microsoft.Compute/virtualMachines/deallocate/action", + "Microsoft.Compute/virtualMachines/runCommand/action", + "Microsoft.Compute/virtualMachines/extensions/read", + "Microsoft.Compute/virtualMachines/extensions/write", + "Microsoft.Compute/virtualMachines/extensions/delete", + "Microsoft.Compute/virtualMachines/runCommands/read", + "Microsoft.Compute/virtualMachines/runCommands/write", + "Microsoft.Compute/virtualMachines/vmSizes/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/join/action", + "Microsoft.Network/networkInterfaces/delete", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/usages/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read", + "Microsoft.KeyVault/vaults/deploy/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Authorization//read", + "Microsoft.Insights/alertRules/", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.DesktopVirtualization/scalingPlans/read", + "Microsoft.DesktopVirtualization/scalingPlans/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Virtual Machine Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. View Virtual Machines in the portal and login as a regular user. } ``` +## Windows 365 Network Interface Contributor + +This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. + +[Learn more](/windows-365/enterprise/role-based-access) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write \| Creates or updates an deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/delete \| Deletes a deployment. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read \| Gets or lists deployment operation statuses. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/operations/read \| Gets operation resource that represents status of an asynchronous operation \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/operationResults/read \| Gets operation result of an async POST or DELETE operation \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/usages/read \| Gets the resources usage metrics \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write \| Creates a network interface or updates an existing network interface. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read \| Gets a network interface definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/delete \| Deletes a network interface \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action \| Joins a Virtual Machine to a network interface. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/effectiveNetworkSecurityGroups/action \| Get Network Security Groups configured On Network Interface Of The Vm \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/effectiveRouteTable/action \| Get Route Table configured On Network Interface Of The Vm \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1f135831-5bbe-4924-9016-264044c00788", + "name": "1f135831-5bbe-4924-9016-264044c00788", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/subscriptions/resourcegroups/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/delete", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Network/locations/operations/read", + "Microsoft.Network/locations/operationResults/read", + "Microsoft.Network/locations/usages/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/delete", + "Microsoft.Network/networkInterfaces/join/action", + "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action", + "Microsoft.Network/networkInterfaces/effectiveRouteTable/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Windows 365 Network Interface Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Windows 365 Network User + +This role is used by Windows 365 to read virtual networks and join the designated virtual networks. + +[Learn more](/windows-365/enterprise/role-based-access) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read \| Get the virtual network definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read \| Gets a virtual network subnet definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/usages/read \| Get the IP usages for each subnet of the virtual network \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action \| Joins a virtual network. Not Alertable. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role is used by Windows 365 to read virtual networks and join the designated virtual networks.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7eabc9a4-85f7-4f71-b8ab-75daaccc1033", + "name": "7eabc9a4-85f7-4f71-b8ab-75daaccc1033", + "permissions": [ + { + "actions": [ + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/usages/read", + "Microsoft.Network/virtualNetworks/subnets/join/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Windows 365 Network User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Windows Admin Center Administrator Login Let's you manage the OS of your resource via Windows Admin Center as an administrator. Let's you manage the OS of your resource via Windows Admin Center as an administ > \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Write \| Create or update extension resource of HCI cluster \| > \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Delete \| Delete extension resources of HCI cluster \| > \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Operations/Read \| Gets operations \| -> \| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read \| Read virtualmachines \| -> \| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write \| Write extension resource \| -> \| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read \| Gets extension resource \| +> \| [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/VirtualMachines/Read \| Read virtualmachines \| +> \| [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/VirtualMachines/Extensions/Write \| Write extension resource \| +> \| [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/VirtualMachines/Extensions/Read \| Gets extension resource \| > \| NotActions \| \| > \| none \| \| > \| DataActions \| \| > \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/WACLoginAsAdmin/action \| Lets you manage the OS of your resource via Windows Admin Center as an administrator. \| > \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/WACloginAsAdmin/action \| Lets you manage the OS of your resource via Windows Admin Center as an administrator \| > \| [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/WACloginAsAdmin/Action \| Manage OS of HCI resource via Windows Admin Center as an administrator \| -> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action \| Lets you manage the OS of your resource via Windows Admin Center as an administrator. \| +> \| [Microsoft.ConnectedVMwarevSphere](../permissions/compute.md#microsoftconnectedvmwarevsphere)/virtualmachines/WACloginAsAdmin/action \| Lets you manage the OS of your resource via Windows Admin Center as an administrator. \| > \| NotDataActions \| \| > \| none \| \|
role-based-access-control	Containers	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/containers.md	Allows read/write access to most objects in a namespace. This role does not allo } ``` +## Connected Cluster Managed Identity CheckAccess Reader + +Built-in role that allows a Connected Cluster managed identity to call the checkAccess API + +[Learn more](/azure/azure-arc/kubernetes/azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API", + "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa", + "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Connected Cluster Managed Identity CheckAccess Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Kubernetes Agentless Operator Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
role-based-access-control	Databases	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/databases.md	Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as Docume } ``` +## PostgreSQL Flexible Server Long Term Retention Backup Role + +Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. + +[Learn more](/azure/backup/backup-azure-database-postgresql-flex-overview) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/flexibleServers/ltrBackupOperations/read \| Returns the list of PostgreSQL server long term backup operation tracking. \| +> \| [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/flexibleServers/ltrPreBackup/action \| Checks if a server is ready for a long term backup \| +> \| [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/flexibleServers/startLtrBackup/action \| Start long term backup for a server \| +> \| [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/locations/azureAsyncOperation/read \| Return PostgreSQL Server Operation Results \| +> \| [Microsoft.DBforPostgreSQL](../permissions/databases.md#microsoftdbforpostgresql)/locations/operationResults/read \| Return PostgreSQL Server Operation Results \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c088a766-074b-43ba-90d4-1fb21feae531", + "name": "c088a766-074b-43ba-90d4-1fb21feae531", + "permissions": [ + { + "actions": [ + "Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read", + "Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action", + "Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action", + "Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read", + "Microsoft.DBforPostgreSQL/locations/operationResults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "PostgreSQL Flexible Server Long Term Retention Backup Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Redis Cache Contributor Lets you manage Redis caches, but not access to them.
role-based-access-control	Devops	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/devops.md	This article lists the Azure built-in roles in the DevOps category. +## Deployment Environments Reader + +Provides read access to environment resources. + +[Learn more](/azure/deployment-environments/how-to-configure-deployment-environments-user) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/read \| Gets a specific project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/read \| Gets a machine pool \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/schedules/read \| Gets a schedule resource. \| +> \| DataActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminRead/action \| Allows a project administrator to read all of the environments in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminActionRead/action \| Allows an admin to read environment actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminOutputsRead/action \| Allows an admin to read Output values from environment deployment. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides read access to environment resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/eb960402-bf75-4cc3-8d68-35b34f960f72", + "name": "eb960402-bf75-4cc3-8d68-35b34f960f72", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/read", + "Microsoft.DevCenter/projects//read", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.DevCenter/projects/pools/read", + "Microsoft.DevCenter/projects/pools/schedules/read" + ], + "dataActions": [ + "Microsoft.DevCenter/projects/users/environments/adminRead/action", + "Microsoft.DevCenter/projects/users/environments/adminActionRead/action", + "Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action" + ], + "notDataActions": [] + } + ], + "roleName": "Deployment Environments Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Deployment Environments User + +Provides access to manage environment resources. + +[Learn more](/azure/deployment-environments/how-to-configure-deployment-environments-user) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/read \| Gets a specific project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects//read \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| NotActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/read \| Gets a machine pool \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/pools/schedules/read \| Gets a schedule resource. \| +> \| DataActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userRead/action \| Allows a user to read the environments they have access to in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userWrite/action \| Allows a user to write the environments they have access to in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userDelete/action \| Allows a user to delete the environments they have access to in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userActionManage/action \| Allows a user to skip, delay etc. environment actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userOutputsRead/action \| Allows a user to read Output values from environment deployment. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides access to manage environment resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c", + "name": "18e40d4e-8d2e-438d-97e1-9528336e149c", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/read", + "Microsoft.DevCenter/projects//read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Authorization//read" + ], + "notActions": [ + "Microsoft.DevCenter/projects/pools/read", + "Microsoft.DevCenter/projects/pools/schedules/read" + ], + "dataActions": [ + "Microsoft.DevCenter/projects/users/environments/userRead/action", + "Microsoft.DevCenter/projects/users/environments/userWrite/action", + "Microsoft.DevCenter/projects/users/environments/userDelete/action", + "Microsoft.DevCenter/projects/users/environments/userActionManage/action", + "Microsoft.DevCenter/projects/users/environments/userOutputsRead/action" + ], + "notDataActions": [] + } + ], + "roleName": "Deployment Environments User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## DevCenter Dev Box User + +Provides access to create and manage dev boxes. + +[Learn more](/azure/dev-box/how-to-dev-box-user) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/read \| Gets a specific project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStop/action \| Allows a user to stop their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStart/action \| Allows a user to start their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userGetRemoteConnection/action \| Allows a user to get the RDP connection information for their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userRead/action \| Allows a user to read their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userWrite/action \| Allows a user to create and update their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userDelete/action \| Allows a user to delete their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userUpcomingActionRead/action \| Allows a user to read upcoming actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userUpcomingActionManage/action \| Allows a user to skip or delay upcoming actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionRead/action \| Allows a user to read dev box actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionManage/action \| Allows a user to skip or delay dev box actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userCustomize/action \| Allows a user to customize their own Dev Box resources. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides access to create and manage dev boxes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05", + "name": "45d50f46-0b78-4001-a660-4198cbe8cd05", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/read", + "Microsoft.DevCenter/projects//read", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DevCenter/projects/users/devboxes/userStop/action", + "Microsoft.DevCenter/projects/users/devboxes/userStart/action", + "Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action", + "Microsoft.DevCenter/projects/users/devboxes/userRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userWrite/action", + "Microsoft.DevCenter/projects/users/devboxes/userDelete/action", + "Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionManage/action", + "Microsoft.DevCenter/projects/users/devboxes/userCustomize/action" + ], + "notDataActions": [] + } + ], + "roleName": "DevCenter Dev Box User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## DevCenter Project Admin + +Provides access to manage project resources. + +[Learn more](/azure/dev-box/how-to-project-admin) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/* \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/ \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/write \| Partially updates a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/delete \| Deletes a project resource. \| +> \| DataActions \| \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminStart/action \| Allows a user to start any Dev Box resource. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminStop/action \| Allows a user to stop any Dev Box resource. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminRead/action \| Allows a user read access to any Dev Box resource. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminWrite/action \| Allows a user write access to any Dev Box resource. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/adminDelete/action \| Allows a user to delete any Dev Box resource. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStop/action \| Allows a user to stop their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userStart/action \| Allows a user to start their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userGetRemoteConnection/action \| Allows a user to get the RDP connection information for their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userRead/action \| Allows a user to read their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userWrite/action \| Allows a user to create and update their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userDelete/action \| Allows a user to delete their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionRead/action \| Allows a user to read dev box actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userActionManage/action \| Allows a user to skip or delay dev box actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/devboxes/userCustomize/action \| Allows a user to customize their own Dev Box resources. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminRead/action \| Allows a project administrator to read all of the environments in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userWrite/action \| Allows a user to write the environments they have access to in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminWrite/action \| Allows a project administrator to write all of the environments in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/userDelete/action \| Allows a user to delete the environments they have access to in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminDelete/action \| Allows a project administrator to delete all of the environments in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminAction/action \| Allows a project administrator to perform an action on all of the environments in a project. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminActionRead/action \| Allows an admin to read environment actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminActionManage/action \| Allows an admin to skip, delay etc. environment actions. \| +> \| [Microsoft.DevCenter](../permissions/devops.md#microsoftdevcenter)/projects/users/environments/adminOutputsRead/action \| Allows an admin to read Output values from environment deployment. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides access to manage project resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0", + "name": "331c37c6-af14-46d9-b9f4-e1909e1b95a0", + "permissions": [ + { + "actions": [ + "Microsoft.DevCenter/projects/", + "Microsoft.Authorization//read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.DevCenter/projects/write", + "Microsoft.DevCenter/projects/delete" + ], + "dataActions": [ + "Microsoft.DevCenter/projects/users/devboxes/adminStart/action", + "Microsoft.DevCenter/projects/users/devboxes/adminStop/action", + "Microsoft.DevCenter/projects/users/devboxes/adminRead/action", + "Microsoft.DevCenter/projects/users/devboxes/adminWrite/action", + "Microsoft.DevCenter/projects/users/devboxes/adminDelete/action", + "Microsoft.DevCenter/projects/users/devboxes/userStop/action", + "Microsoft.DevCenter/projects/users/devboxes/userStart/action", + "Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action", + "Microsoft.DevCenter/projects/users/devboxes/userRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userWrite/action", + "Microsoft.DevCenter/projects/users/devboxes/userDelete/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionRead/action", + "Microsoft.DevCenter/projects/users/devboxes/userActionManage/action", + "Microsoft.DevCenter/projects/users/devboxes/userCustomize/action", + "Microsoft.DevCenter/projects/users/environments/adminRead/action", + "Microsoft.DevCenter/projects/users/environments/userWrite/action", + "Microsoft.DevCenter/projects/users/environments/adminWrite/action", + "Microsoft.DevCenter/projects/users/environments/userDelete/action", + "Microsoft.DevCenter/projects/users/environments/adminDelete/action", + "Microsoft.DevCenter/projects/users/environments/adminAction/action", + "Microsoft.DevCenter/projects/users/environments/adminActionRead/action", + "Microsoft.DevCenter/projects/users/environments/adminActionManage/action", + "Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action" + ], + "notDataActions": [] + } + ], + "roleName": "DevCenter Project Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## DevTest Labs User Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.
role-based-access-control	Hybrid Multicloud	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/hybrid-multicloud.md	Lets you manage Azure Stack registrations. } ``` +## Hybrid Server Resource Administrator + +Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. + +[Learn more](/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/* \| \| +> \| [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)//read \| \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "name": "48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "permissions": [ + { + "actions": [ + "Microsoft.HybridCompute/machines/", + "Microsoft.HybridCompute//read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Hybrid Server Resource Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Next steps - [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)
role-based-access-control	Integration	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/integration.md	This article lists the Azure built-in roles in the Integration category. +## API Management Developer Portal Content Editor + +Can customize the developer portal, edit its content, and publish it. + +[Learn more](/azure/api-management/api-management-role-based-access-control) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/portalRevisions/read \| Lists a collection of developer portal revision entities. or Gets developer portal revision specified by its identifier. \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/portalRevisions/write \| Creates a new developer portal revision. or Updates the description of specified portal revision or makes it current. \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/read \| Returns list of content types or Returns content type \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/delete \| Removes content type. \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/write \| Creates new content type \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/contentItems/read \| Returns list of content items or Returns content item details \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/contentItems/write \| Creates new content item or Updates specified content item \| +> \| [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/contentTypes/contentItems/delete \| Removes specified content item. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can customize the developer portal, edit its content, and publish it.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729", + "name": "c031e6a8-4391-4de0-8d69-4706a7ed3729", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/portalRevisions/read", + "Microsoft.ApiManagement/service/portalRevisions/write", + "Microsoft.ApiManagement/service/contentTypes/read", + "Microsoft.ApiManagement/service/contentTypes/delete", + "Microsoft.ApiManagement/service/contentTypes/write", + "Microsoft.ApiManagement/service/contentTypes/contentItems/read", + "Microsoft.ApiManagement/service/contentTypes/contentItems/write", + "Microsoft.ApiManagement/service/contentTypes/contentItems/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Developer Portal Content Editor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## API Management Service Contributor Can manage service and the APIs Has read-only access to entities in the workspace. This role should be assigned } ``` +## App Configuration Contributor + +Grants permission for all management operations, except purge, for App Configuration resources. + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/* \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/ \| Create and manage a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/locations/deletedConfigurationStores/purge/action \| Purge the specified deleted configuration store. \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants permission for all management operations, except purge, for App Configuration resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fe86443c-f201-4fc4-9d2a-ac61149fbda0", + "name": "fe86443c-f201-4fc4-9d2a-ac61149fbda0", + "permissions": [ + { + "actions": [ + "Microsoft.AppConfiguration/", + "Microsoft.Authorization//read", + "Microsoft.Insights/alertRules/", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "App Configuration Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## App Configuration Data Owner Allows full access to App Configuration data. Allows read access to App Configuration data. } ``` +## App Configuration Reader + +Grants permission for read operations for App Configuration resources. + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read \| Read a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants permission for read operations for App Configuration resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/175b81b9-6e0d-490a-85e4-0d422273c10c", + "name": "175b81b9-6e0d-490a-85e4-0d422273c10c", + "permissions": [ + { + "actions": [ + "Microsoft.AppConfiguration//read", + "Microsoft.Authorization//read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "App Configuration Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure API Center Compliance Manager Allows managing API compliance in Azure API Center service. Allows for send access to Azure Relay resources. } ``` +## Azure Resource Notifications System Topics Subscriber + +Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications + +[Learn more](/azure/event-grid/event-schema-resource-notifications) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToResources/action \| Permission to perform creation and event subscription creation on a Resources system topic \| +> \| [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToHealthResources/action \| Permission to perform creation and event subscription creation on a HealthResources system topic \| +> \| [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToMaintenanceResources/action \| Permission to perform creation and event subscription creation on a MaintenanceResources system topic \| +> \| [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToComputeResources/action \| Permission to perform creation and event subscription creation on a ComputeResources system topic \| +> \| [Microsoft.ResourceNotifications](../permissions/integration.md#microsoftresourcenotifications)/systemTopics/subscribeToComputeScheduleResources/action \| Permission to perform creation and event subscription creation on a ComputeScheduleResources system topic \| +> \| [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/write \| Create or update an eventSubscription \| +> \| [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/systemTopics/eventSubscriptions/write \| Create or update a SystemTopic eventSubscription \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0b962ed2-6d56-471c-bd5f-3477d83a7ba4", + "name": "0b962ed2-6d56-471c-bd5f-3477d83a7ba4", + "permissions": [ + { + "actions": [ + "Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action", + "Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action", + "Microsoft.EventGrid/eventSubscriptions/write", + "Microsoft.EventGrid/systemTopics/eventSubscriptions/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Resource Notifications System Topics Subscriber", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. Lets you manage BizTalk services, but not access to them. } ``` +## Chamber Admin + +Lets you manage everything under your Modeling and Simulation Workbench chamber. + +[Learn more](/azure/modeling-simulation-workbench/how-to-guide-manage-users) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)//read \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/ \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/ \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/fileRequests/manage/action \| manage fileRequests \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/connector/setCopyPaste/action \| \| +> \| DataActions \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/upload/action \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/files/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage everything under your Modeling and Simulation Workbench chamber.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a", + "name": "4e9b8407-af2e-495b-ae54-bb60a55b1b5a", + "permissions": [ + { + "actions": [ + "Microsoft.ModSimWorkbench//read", + "Microsoft.ModSimWorkbench/workbenches/chambers/", + "Microsoft.Authorization//read", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action", + "Microsoft.ModSimWorkbench/workbenches/chambers/connector/setCopyPaste/action" + ], + "dataActions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/upload/action", + "Microsoft.ModSimWorkbench/workbenches/chambers/files/" + ], + "notDataActions": [] + } + ], + "roleName": "Chamber Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Chamber User + +Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. + +[Learn more](/azure/modeling-simulation-workbench/how-to-guide-manage-users) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers//read \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/workloads/* \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/getUploadUri/action \| getUploadUri chambers \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/fileRequests/getDownloadUri/action \| getDownloadUri fileRequests \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/ \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.ModSimWorkbench](../permissions/integration.md#microsoftmodsimworkbench)/workbenches/chambers/upload/action \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32", + "name": "4447db05-44ed-4da3-ae60-6cbece780e32", + "permissions": [ + { + "actions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers//read", + "Microsoft.ModSimWorkbench/workbenches/chambers/workloads/", + "Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action", + "Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/action", + "Microsoft.Authorization//read", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ModSimWorkbench/workbenches/chambers/upload/action" + ], + "notDataActions": [] + } + ], + "roleName": "Chamber User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## DeID Batch Data Owner Create and manage DeID batch jobs. This role is in preview and subject to change. Execute requests against DeID realtime endpoint. This role is in preview and sub } ``` +## DICOM Data Owner + +Full access to DICOM data. + +[Learn more](/azure/healthcare-apis/configure-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/dicomservices/resources/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to DICOM data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8", + "name": "58a3b984-7adf-4c20-983a-32417c86fbc8", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/workspaces/dicomservices/resources/" + ], + "notDataActions": [] + } + ], + "roleName": "DICOM Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## DICOM Data Reader + +Read and search DICOM data. + +[Learn more](/azure/healthcare-apis/configure-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none* \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/dicomservices/resources/read \| Read DICOM resources (includes searching and change feed). \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read and search DICOM data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", + "name": "e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/workspaces/dicomservices/resources/read" + ], + "notDataActions": [] + } + ], + "roleName": "DICOM Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## EventGrid Contributor Lets you manage EventGrid operations. Lets you read EventGrid event subscriptions. } ``` +## EventGrid TopicSpaces Publisher + +Lets you publish messages on topicspaces. + +[Learn more](/azure/event-grid/mqtt-client-microsoft-entra-token-and-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)//read \| \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* \| Create and manage a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topicSpaces/publish/action \| Publish to a topic space \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you publish messages on topicspaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a12b0b94-b317-4dcd-84a8-502ce99884c6", + "name": "a12b0b94-b317-4dcd-84a8-502ce99884c6", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization//read", + "Microsoft.EventGrid//read", + "Microsoft.Insights/alertRules/", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/topicSpaces/publish/action" + ], + "notDataActions": [] + } + ], + "roleName": "EventGrid TopicSpaces Publisher", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## EventGrid TopicSpaces Subscriber + +Lets you subscribe messages on topicspaces. + +[Learn more](/azure/event-grid/mqtt-client-microsoft-entra-token-and-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)//read \| \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* \| Create and manage a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topicSpaces/subscribe/action \| Subscribe to a topic space \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you subscribe messages on topicspaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4b0f2fd7-60b4-4eca-896f-4435034f8bf5", + "name": "4b0f2fd7-60b4-4eca-896f-4435034f8bf5", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization//read", + "Microsoft.EventGrid//read", + "Microsoft.Insights/alertRules/", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/topicSpaces/subscribe/action" + ], + "notDataActions": [] + } + ], + "roleName": "EventGrid TopicSpaces Subscriber", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## FHIR Data Contributor Role allows user or principal full access to FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > \| Actions \| Description \| Role allows user or principal full access to FHIR Data } ``` +## FHIR Data Converter + +Role allows user or principal to convert data from legacy format to FHIR + +[Learn more](/azure/healthcare-apis/configure-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/convertData/action \| Data convert operation ($convert-data) \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/convertData/action \| Data convert operation ($convert-data) \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal to convert data from legacy format to FHIR", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24", + "name": "a1705bd2-3a8f-45a5-8683-466fcfd5cc24", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/convertData/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR Data Converter", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## FHIR Data Exporter Role allows user or principal to read and export FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > \| Actions \| Description \| Role allows user or principal to read and export FHIR Data Role allows user or principal to read and import FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/fhir/import-data) > [!div class="mx-tableFixed"] > \| Actions \| Description \| Role allows user or principal to read and import FHIR Data Role allows user or principal to read FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > \| Actions \| Description \| Role allows user or principal to read FHIR Data Role allows user or principal to read and write FHIR Data -[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) +[Learn more](/azure/healthcare-apis/configure-azure-rbac) > [!div class="mx-tableFixed"] > \| Actions \| Description \| Role allows user or principal to read and write FHIR Data } ``` +## FHIR SMART User + +Role allows user to access FHIR Service according to SMART on FHIR specification + +[Learn more](/azure/healthcare-apis/configure-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/read \| Read FHIR resources (includes searching and versioned history). \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read \| Read FHIR resources (includes searching and versioned history). \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/smart/action \| Allows user to access FHIR Service according to SMART on FHIR specification. \| +> \| [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/smart/action \| Allows user to access FHIR Service according to SMART on FHIR specification. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user to access FHIR Service according to SMART on FHIR specification", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0", + "name": "4ba50f17-9666-485c-a643-ff00808643f0", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/read", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", + "Microsoft.HealthcareApis/services/fhir/resources/smart/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR SMART User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Integration Service Environment Contributor Lets you manage integration service environments, but not access to them.
role-based-access-control	Internet Of Things	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/internet-of-things.md	Read-only role for Digital Twins data-plane properties } ``` +## Device Provisioning Service Data Contributor + +Allows for full access to Device Provisioning Service data-plane operations. + +[Learn more](/azure/iot-dps/concepts-control-access-dps-azure-ad) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/provisioningServices/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to Device Provisioning Service data-plane operations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633", + "name": "dfce44e4-17b7-4bd1-a6d1-04996ec95633", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/provisioningServices/" + ], + "notDataActions": [] + } + ], + "roleName": "Device Provisioning Service Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Device Provisioning Service Data Reader + +Allows for full read access to Device Provisioning Service data-plane properties. + +[Learn more](/azure/iot-dps/concepts-control-access-dps-azure-ad) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none* \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/provisioningServices//read \| \| +> \| NotDataActions* \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full read access to Device Provisioning Service data-plane properties.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8", + "name": "10745317-c249-44a1-a5ce-3a4353c0bbd8", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/provisioningServices//read" + ], + "notDataActions": [] + } + ], + "roleName": "Device Provisioning Service Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Device Update Administrator Gives you full access to management and content operations Gives you read access to management and content operations, but does not allow m } ``` +## Firmware Analysis Admin + +Upload and analyze firmware images in Defender for IoT + +[Learn more](/azure/defender-for-iot/device-builders/defender-iot-firmware-analysis-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.IoTFirmwareDefense](../permissions/internet-of-things.md#microsoftiotfirmwaredefense)/ \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/ \| Create and manage a deployment \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Upload and analyze firmware images in Defender for IoT", + "id": "/providers/Microsoft.Authorization/roleDefinitions/9c1607d1-791d-4c68-885d-c7b7aaff7c8a", + "name": "9c1607d1-791d-4c68-885d-c7b7aaff7c8a", + "permissions": [ + { + "actions": [ + "Microsoft.IoTFirmwareDefense/", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Firmware Analysis Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## IoT Hub Data Contributor Allows for full access to IoT Hub data plane operations.
role-based-access-control	Management And Governance	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/management-and-governance.md	This article lists the Azure built-in roles in the Management and governance category. +## Advisor Recommendations Contributor (Assessments and Reviews) + +View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). + +[Learn more](/azure/advisor/permissions) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read \| Reads recommendations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/write \| Writes recommendations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/available/action \| New recommendation is available in Microsoft Advisor \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started).", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6b534d80-e337-47c4-864f-140f5c7f593d", + "name": "6b534d80-e337-47c4-864f-140f5c7f593d", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/recommendations/read", + "Microsoft.Advisor/recommendations/write", + "Microsoft.Advisor/recommendations/available/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Advisor Recommendations Contributor (Assessments and Reviews)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Advisor Reviews Contributor + +View reviews for a workload and triage recommendations linked to them. + +[Learn more](/azure/advisor/permissions) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/resiliencyReviews/read \| Read resiliencyReviews \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/read \| Read triageRecommendations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/approve/action \| Approve triageRecommendations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/reject/action \| Reject triageRecommendations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/reset/action \| Reset triageRecommendations \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/ \| Create and manage a classic metric alert \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "View reviews for a workload and triage recommendations linked to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8aac15f0-d885-4138-8afa-bfb5872f7d13", + "name": "8aac15f0-d885-4138-8afa-bfb5872f7d13", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/resiliencyReviews/read", + "Microsoft.Advisor/triageRecommendations/read", + "Microsoft.Advisor/triageRecommendations/approve/action", + "Microsoft.Advisor/triageRecommendations/reject/action", + "Microsoft.Advisor/triageRecommendations/reset/action", + "Microsoft.Authorization//read", + "Microsoft.Insights/alertRules/", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Advisor Reviews Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Advisor Reviews Reader + +View reviews for a workload and recommendations linked to them. + +[Learn more](/azure/advisor/permissions) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/resiliencyReviews/read \| Read resiliencyReviews \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/triageRecommendations/read \| Read triageRecommendations \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "View reviews for a workload and recommendations linked to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c64499e0-74c3-47ad-921c-13865957895c", + "name": "c64499e0-74c3-47ad-921c-13865957895c", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/resiliencyReviews/read", + "Microsoft.Advisor/triageRecommendations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Advisor Reviews Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Automation Contributor Manage Azure Automation resources and other resources using Azure Automation. Read Runbook properties - to be able to create Jobs of the runbook. } ``` +## Azure Center for SAP solutions administrator + +This role provides read and write access to all capabilities of Azure Center for SAP solutions. + +[Learn more](/azure/sap/center-sap-solutions/manage-with-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/configurations/read \| Get configurations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read \| Reads recommendations \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapvirtualInstances//read \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances//write \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances//delete \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Locations//action \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Locations//read \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances//start/action \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapVirtualInstances//stop/action \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/connectors//read \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/connectors//write \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/connectors//delete \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* \| Create and manage a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read \| Read metrics \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read \| Read metric definitions \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/write \| Creates or updates a resource group. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/ \| \| +> \| [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read \| Gets the availability statuses for all resources in the specified scope \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read \| Get the virtual network definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read \| Gets available metrics for the PingMesh \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read \| Gets a virtual network subnet definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/write \| Creates a virtual network subnet or updates an existing virtual network subnet \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/virtualMachines/read \| Gets references to all the virtual machines in a virtual network subnet \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read \| Gets a network interface definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/ipconfigurations/read \| Gets a network interface ip configuration definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/loadBalancers/read \| Gets all the load balancers that the network interface is part of \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read \| Gets available metrics for the Network Interface \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read \| Gets a load balancer definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/read \| Gets a load balancer backend address pool definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/frontendIPConfigurations/read \| Gets a load balancer frontend IP configuration definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/loadBalancingRules/read \| Gets a load balancer load balancing rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/read \| Gets a load balancer inbound nat rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/logDefinitions/read \| Gets the events for Load Balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/networkInterfaces/read \| Gets references to all the network interfaces under a load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/outboundRules/read \| Gets a load balancer outbound rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/virtualMachines/read \| Gets references to all the virtual machines under a load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read \| Gets the available metrics for Load Balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateEndpoints/read \| Gets an private endpoint resource. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action \| Joins a network security group. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/join/action \| Joins a route table. Not Alertable. \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read \| Returns the list of storage accounts or gets the properties for the specified storage account. \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read \| Returns blob service properties or statistics \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read \| Returns list of containers \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/read \| Get file service properties \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read \| List file shares \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read \| Get the properties of a virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read \| Get the properties of an availability set \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys/read \| Get the properties of an SSH public key \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys/write \| Creates a new SSH public key or updates an existing SSH public key \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys//generateKeyPair/action \| \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read \| Get the properties of a virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/delete \| Deletes the virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read \| Get the properties of a Disk \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read \| Returns a blob or a list of blobs \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role provides read and write access to all capabilities of Azure Center for SAP solutions.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", + "name": "7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/configurations/read", + "Microsoft.Advisor/recommendations/read", + "Microsoft.Workloads/sapvirtualInstances//read", + "Microsoft.Workloads/sapVirtualInstances//write", + "Microsoft.Workloads/sapVirtualInstances//delete", + "Microsoft.Workloads/Locations//action", + "Microsoft.Workloads/Locations//read", + "Microsoft.Workloads/sapVirtualInstances//start/action", + "Microsoft.Workloads/sapVirtualInstances//stop/action", + "Microsoft.Workloads/connectors//read", + "Microsoft.Workloads/connectors//write", + "Microsoft.Workloads/connectors//delete", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/alertRules/", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/write", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/write", + "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/ipconfigurations/read", + "Microsoft.Network/networkInterfaces/loadBalancers/read", + "Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/loadBalancers/backendAddressPools/read", + "Microsoft.Network/loadBalancers/frontendIPConfigurations/read", + "Microsoft.Network/loadBalancers/loadBalancingRules/read", + "Microsoft.Network/loadBalancers/inboundNatRules/read", + "Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read", + "Microsoft.Network/loadBalancers/networkInterfaces/read", + "Microsoft.Network/loadBalancers/outboundRules/read", + "Microsoft.Network/loadBalancers/virtualMachines/read", + "Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/privateEndpoints/read", + "Microsoft.Network/networkSecurityGroups/join/action", + "Microsoft.Network/routeTables/join/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/blobServices/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/fileServices/read", + "Microsoft.Storage/storageAccounts/fileServices/shares/read", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/availabilitySets/read", + "Microsoft.Compute/sshPublicKeys/read", + "Microsoft.Compute/sshPublicKeys/write", + "Microsoft.Compute/sshPublicKeys//generateKeyPair/action", + "Microsoft.Compute/virtualMachines/extensions/read", + "Microsoft.Compute/virtualMachines/extensions/delete", + "Microsoft.Compute/disks/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Center for SAP solutions administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Center for SAP solutions reader + +This role provides read access to all capabilities of Azure Center for SAP solutions. + +[Learn more](/azure/sap/center-sap-solutions/manage-with-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/configurations/read \| Get configurations \| +> \| [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read \| Reads recommendations \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/sapvirtualInstances//read \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Locations//read \| \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Operations/read \| read Operations \| +> \| [Microsoft.Workloads](../permissions/management-and-governance.md#microsoftworkloads)/Locations/OperationStatuses/read \| read OperationStatuses \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read \| Read a classic metric alert \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read \| Read metrics \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read \| Read metric definitions \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read \| Gets or lists deployments. \| +> \| [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read \| Gets the availability statuses for all resources in the specified scope \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read \| Get the virtual network definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read \| Gets available metrics for the PingMesh \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read \| Gets a virtual network subnet definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/virtualMachines/read \| Gets references to all the virtual machines in a virtual network subnet \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read \| Gets a network interface definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/ipconfigurations/read \| Gets a network interface ip configuration definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/loadBalancers/read \| Gets all the load balancers that the network interface is part of \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read \| Gets available metrics for the Network Interface \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read \| Gets a load balancer definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/read \| Gets a load balancer backend address pool definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/frontendIPConfigurations/read \| Gets a load balancer frontend IP configuration definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/loadBalancingRules/read \| Gets a load balancer load balancing rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/read \| Gets a load balancer inbound nat rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/logDefinitions/read \| Gets the events for Load Balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/networkInterfaces/read \| Gets references to all the network interfaces under a load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/outboundRules/read \| Gets a load balancer outbound rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/virtualMachines/read \| Gets references to all the virtual machines under a load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read \| Gets the available metrics for Load Balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateEndpoints/read \| Gets an private endpoint resource. \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read \| Returns the list of storage accounts or gets the properties for the specified storage account. \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read \| Returns blob service properties or statistics \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read \| Returns list of containers \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/read \| Get file service properties \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read \| List file shares \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read \| Get the properties of a virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read \| Get the properties of an availability set \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read \| Get the properties of a virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read \| Get the properties of a Disk \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role provides read access to all capabilities of Azure Center for SAP solutions.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b", + "name": "05352d14-a920-4328-a0de-4cbe7430e26b", + "permissions": [ + { + "actions": [ + "Microsoft.Advisor/configurations/read", + "Microsoft.Advisor/recommendations/read", + "Microsoft.Workloads/sapvirtualInstances//read", + "Microsoft.Workloads/Locations//read", + "Microsoft.Workloads/Operations/read", + "Microsoft.Workloads/Locations/OperationStatuses/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/ipconfigurations/read", + "Microsoft.Network/networkInterfaces/loadBalancers/read", + "Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/loadBalancers/backendAddressPools/read", + "Microsoft.Network/loadBalancers/frontendIPConfigurations/read", + "Microsoft.Network/loadBalancers/loadBalancingRules/read", + "Microsoft.Network/loadBalancers/inboundNatRules/read", + "Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read", + "Microsoft.Network/loadBalancers/networkInterfaces/read", + "Microsoft.Network/loadBalancers/outboundRules/read", + "Microsoft.Network/loadBalancers/virtualMachines/read", + "Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/privateEndpoints/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/blobServices/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/fileServices/read", + "Microsoft.Storage/storageAccounts/fileServices/shares/read", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/availabilitySets/read", + "Microsoft.Compute/virtualMachines/extensions/read", + "Microsoft.Compute/disks/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Center for SAP solutions reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Center for SAP solutions service role + +Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. + +[Learn more](/azure/sap/center-sap-solutions/manage-with-azure-rbac) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/write \| Creates or updates a resource group. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/ \| Create and manage a deployment \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/* \| \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read \| Gets a load balancer definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/write \| Creates a load balancer or updates an existing load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/read \| Gets a load balancer backend address pool definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/write \| Creates a load balancer backend address pool or updates an existing load balancer backend address pool \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/frontendIPConfigurations/read \| Gets a load balancer frontend IP configuration definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/loadBalancingRules/read \| Gets a load balancer load balancing rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/read \| Gets a load balancer inbound nat rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/logDefinitions/read \| Gets the events for Load Balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/networkInterfaces/read \| Gets references to all the network interfaces under a load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/outboundRules/read \| Gets a load balancer outbound rule definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/virtualMachines/read \| Gets references to all the virtual machines under a load balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read \| Gets the available metrics for Load Balancer \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read \| Gets a network interface definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write \| Creates a network interface or updates an existing network interface. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/ipconfigurations/read \| Gets a network interface ip configuration definition. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/loadBalancers/read \| Gets all the load balancers that the network interface is part of \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read \| Get the virtual network definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/checkIpAddressAvailability/read \| Check if IP Address is available at the specified virtual network \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read \| Gets a virtual network subnet definition \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/virtualMachines/read \| Gets references to all the virtual machines in a virtual network subnet \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/virtualMachines/read \| Gets references to all the virtual machines in a virtual network \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/ipconfigurations/join/action \| Joins a Network Interface IP Configuration. Not alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateEndpoints/read \| Gets an private endpoint resource. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateEndpoints/write \| Creates a new private endpoint, or updates an existing private endpoint. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action \| Joins a Virtual Machine to a network interface. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action \| Joins a load balancer backend address pool. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/frontendIPConfigurations/join/action \| Joins a Load Balancer Frontend IP Configuration. Not alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action \| Joins a virtual network. Not Alertable. \| +> \| [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinLoadBalancer/action \| Joins a load balancer to virtual network subnets \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read \| Returns the list of storage accounts or gets the properties for the specified storage account. \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/write \| Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/PrivateEndpointConnectionsApproval/action \| Approve Private Endpoint Connections \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read \| Returns blob service properties or statistics \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read \| Returns list of containers \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/read \| Get file service properties \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/write \| Put file service properties \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read \| List file shares \| +> \| [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/write \| Create or update file share \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read \| Get the properties of a virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/write \| Creates a new virtual machine or updates an existing virtual machine \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/instanceView/read \| Gets the detailed runtime status of the virtual machine and its resources \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read \| Get the properties of an availability set \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/write \| Creates a new availability set or updates an existing one \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/skus/read \| Gets the list of Microsoft.Compute SKUs available for your Subscription \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/sshPublicKeys/read \| Get the properties of an SSH public key \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read \| Get the properties of a virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/write \| Creates a new virtual machine extension or updates an existing one \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/delete \| Deletes the virtual machine extension \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read \| Get the properties of a Disk \| +> \| [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write \| Creates a new Disk or updates an existing one \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138", + "name": "aabbc5dd-1af0-458b-a942-81af88f9c138", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/subscriptions/resourceGroups/write", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/loadBalancers/write", + "Microsoft.Network/loadBalancers/backendAddressPools/read", + "Microsoft.Network/loadBalancers/backendAddressPools/write", + "Microsoft.Network/loadBalancers/frontendIPConfigurations/read", + "Microsoft.Network/loadBalancers/loadBalancingRules/read", + "Microsoft.Network/loadBalancers/inboundNatRules/read", + "Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read", + "Microsoft.Network/loadBalancers/networkInterfaces/read", + "Microsoft.Network/loadBalancers/outboundRules/read", + "Microsoft.Network/loadBalancers/virtualMachines/read", + "Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/networkInterfaces/ipconfigurations/read", + "Microsoft.Network/networkInterfaces/loadBalancers/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read", + "Microsoft.Network/virtualNetworks/virtualMachines/read", + "Microsoft.Network/networkInterfaces/ipconfigurations/join/action", + "Microsoft.Network/privateEndpoints/read", + "Microsoft.Network/privateEndpoints/write", + "Microsoft.Network/networkInterfaces/join/action", + "Microsoft.Network/loadBalancers/backendAddressPools/join/action", + "Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/write", + "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action", + "Microsoft.Storage/storageAccounts/blobServices/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/fileServices/read", + "Microsoft.Storage/storageAccounts/fileServices/write", + "Microsoft.Storage/storageAccounts/fileServices/shares/read", + "Microsoft.Storage/storageAccounts/fileServices/shares/write", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/write", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Compute/availabilitySets/read", + "Microsoft.Compute/availabilitySets/write", + "Microsoft.Compute/skus/read", + "Microsoft.Compute/sshPublicKeys/read", + "Microsoft.Compute/virtualMachines/extensions/read", + "Microsoft.Compute/virtualMachines/extensions/write", + "Microsoft.Compute/virtualMachines/extensions/delete", + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Center for SAP solutions service role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure Connected Machine Onboarding Can onboard Azure Connected Machines. Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid co } ``` +## Azure Customer Lockbox Approver for Subscription + +Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. + +[Learn more](/azure/security/fundamentals/customer-lockbox-overview) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.CustomerLockbox](../permissions/management-and-governance.md#microsoftcustomerlockbox)/requests/UpdateApproval/action \| Update Approval Microsoft.CustomerLockbox \| +> \| [Microsoft.CustomerLockbox](../permissions/management-and-governance.md#microsoftcustomerlockbox)/requests/read \| Read Lockbox Request \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/eventtypes/values/read \| Read Activity Log events \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4dae6930-7baf-46f5-909e-0383bc931c46", + "name": "4dae6930-7baf-46f5-909e-0383bc931c46", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/subscriptions/read", + "Microsoft.CustomerLockbox/requests/UpdateApproval/action", + "Microsoft.CustomerLockbox/requests/read", + "Microsoft.Authorization//read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/eventtypes/values/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Customer Lockbox Approver for Subscription", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Billing Reader Allows read access to billing data Users with rights to create/modify resource policy, create support ticket and re } ``` +## Savings plan Purchaser + +Lets you purchase savings plans + +[Learn more](/azure/cost-management-billing/savings-plan/permission-view-manage) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Capacity](../permissions/general.md#microsoftcapacity)/register/action \| Registers the Capacity resource provider and enables the creation of Capacity resources. \| +> \| [Microsoft.Capacity](../permissions/general.md#microsoftcapacity)/catalogs/read \| Read catalog of Reservation \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read \| Get information about a role assignment. \| +> \| [Microsoft.BillingBenefits](../permissions/management-and-governance.md#microsoftbillingbenefits)/savingsPlanOrders/write \| Create a savings plan orders \| +> \| [Microsoft.BIllingBenefits](../permissions/management-and-governance.md#microsoftbillingbenefits)/register/action \| Registers the BillingBenefits resource provider and enables the creation of BillingBenefits resources. \| +> \| [Microsoft.Support](../permissions/general.md#microsoftsupport)/supporttickets/write \| Allows creating and updating a support ticket \| +> \| [Microsoft.Billing](../permissions/management-and-governance.md#microsoftbilling)/billingProperty/read \| Gets the billing properties for a subscription \| +> \| [Microsoft.CostManagement](../permissions/management-and-governance.md#microsoftcostmanagement)/benefitRecommendations/read \| List single or shared recommendations for Microsoft benefits. \| +> \| NotActions* \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you purchase savings plans", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74", + "name": "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Capacity/register/action", + "Microsoft.Capacity/catalogs/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.BillingBenefits/savingsPlanOrders/write", + "Microsoft.BIllingBenefits/register/action", + "Microsoft.Support/supporttickets/write", + "Microsoft.Billing/billingProperty/read", + "Microsoft.CostManagement/benefitRecommendations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Savings plan Purchaser", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Scheduled Patching Contributor Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments
role-based-access-control	Security	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/security.md	View and update permissions for Microsoft Defender for Cloud. Same permissions a > \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| > \| [Microsoft.Security](../permissions/security.md#microsoftsecurity)/* \| Create and manage security components and policies \| > \| [Microsoft.IoTSecurity](../permissions/internet-of-things.md#microsoftiotsecurity)/* \| \| -> \| Microsoft.IoTFirmwareDefense/* \| \| +> \| [Microsoft.IoTFirmwareDefense](../permissions/internet-of-things.md#microsoftiotfirmwaredefense)/* \| \| > \| [Microsoft.Support](../permissions/general.md#microsoftsupport)/* \| Create and update a support ticket \| > \| NotActions \| \| > \| none \| \|
role-based-access-control	Storage	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/storage.md	Lets you manage backup service, but can't create vaults and give access to other } ``` +## Backup MUA Admin + +Backup MultiUser-Authorization. Can create/delete ResourceGuard + +[Learn more](/azure/backup/multi-user-authorization-concept) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)//read \| \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)//resourceGuards/write \| \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/write \| Update ResouceGuard operation updates an Azure resource of type 'ResourceGuard' \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/delete \| The Delete ResourceGuard operation deletes the specified Azure resource of type 'ResourceGuard' \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/read \| Gets list of ResourceGuards in a Resource Group \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationResults/read \| Returns Backup Operation Result for Backup Vault. \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationStatus/read \| Returns Backup Operation Status for Backup Vault. \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/getBackupStatus/action \| Check Backup Status for Recovery Services Vaults \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/checkFeatureSupport/action \| Validates if a feature is supported \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/operationStatus/read \| Returns Backup Operation Status for Backup Vault. \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/features/read \| Gets the features of a subscription. \| +> \| [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/read \| Gets the feature of a subscription in a given resource provider. \| +> \| [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read \| Gets the availability statuses for all resources in the specified scope \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read \| Gets or lists deployment operations. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read \| Get the subscription operation results. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read \| Gets the list of subscriptions. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/ \| \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read \| Gets or lists resource groups. \| +> \| [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* \| Create and manage a deployment \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/read \| Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/write \| Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/delete \| The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/unlockDelete/action \| Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/providers/resourceGuards/read \| Gets list of ResourceGuards in a Subscription \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read \| Gets ResourceGuard default operation request info \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Backup MultiUser-Authorization. Can create/delete ResourceGuard ", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8", + "name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8", + "permissions": [ + { + "actions": [ + "Microsoft.DataProtection//read", + "Microsoft.DataProtection//resourceGuards/write", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read", + "Microsoft.DataProtection/locations/operationResults/read", + "Microsoft.DataProtection/locations/operationStatus/read", + "Microsoft.DataProtection/locations/getBackupStatus/action", + "Microsoft.DataProtection/locations/checkFeatureSupport/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read", + "Microsoft.Authorization//read", + "Microsoft.Features/features/read", + "Microsoft.Features/providers/features/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/", + "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read", + "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write", + "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete", + "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action", + "Microsoft.DataProtection/subscriptions/providers/resourceGuards/read", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Backup MUA Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Backup MUA Operator + +Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard + +[Learn more](/azure/backup/multi-user-authorization-concept) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)//action \| \| +> \| [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)//read \| \| +> \| [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)//read \| Read roles and role assignments \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-443e-b462-9c16ab7b4a52", + "name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52", + "permissions": [ + { + "actions": [ + "Microsoft.DataProtection//action", + "Microsoft.DataProtection//read", + "Microsoft.Authorization//read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Backup MUA Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Backup Operator Lets you manage backup services, except removal of backup, vault creation and giving access to others Grants access to read blobs and update index tags. This role is used by the data } ``` +## Elastic SAN Network Admin + +Allows access to create Private Endpoints on SAN resources, and to read SAN resources + +[Learn more](/azure/storage/elastic-san/elastic-san-networking) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans//read \| \| +> \| [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/PrivateEndpointConnectionsApproval/action \| \| +> \| [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/privateEndpointConnections/write \| \| +> \| [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/privateEndpointConnections/delete \| \| +> \| [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/locations/asyncoperations/read \| Polls the status of an asynchronous operation. \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| none \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-4c43-8470-c540bcb4eafa", + "name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa", + "permissions": [ + { + "actions": [ + "Microsoft.ElasticSan/elasticSans/*/read", + "Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action", + "Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write", + "Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete", + "Microsoft.ElasticSan/locations/asyncoperations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Elastic SAN Network Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Elastic SAN Owner Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access
role-based-access-control	Web And Mobile	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/web-and-mobile.md	Grants access to read map related data from an Azure maps account. } ``` +## Azure Maps Search and Render Data Reader + +Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. + +[Learn more](/azure/azure-maps/azure-maps-authentication) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/services/render/read \| Allows reading of data for Render services. \| +> \| [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/services/search/read \| Allows reading of data for Search services. \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005", + "name": "6be48352-4f82-47c9-ad5e-0acacefdb005", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Maps/accounts/services/render/read", + "Microsoft.Maps/accounts/services/search/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Maps Search and Render Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Spring Apps Application Configuration Service Config File Pattern Reader Role + +Read content of config file pattern for Application Configuration Service in Azure Spring Apps + +[Learn more](/azure/spring-apps/enterprise/how-to-enterprise-application-configuration-service) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/read \| Get Azure Spring Apps service instance(s) \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/configurationServices/read \| Get the Application Configuration Services for a specific Azure Spring Apps service instance \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/ApplicationConfigurationService/read \| Read the configuration content (for example, application-prod.yaml) pulled by Application Configuration Service for a specific Azure Spring Apps service instance \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read content of config file pattern for Application Configuration Service in Azure Spring Apps", + "id": "/providers/Microsoft.Authorization/roleDefinitions/25211fc6-dc78-40b6-b205-e4ac934fd9fd", + "name": "25211fc6-dc78-40b6-b205-e4ac934fd9fd", + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/configurationServices/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Apps Application Configuration Service Config File Pattern Reader Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Spring Apps Application Configuration Service Log Reader Role + +Read real-time logs for Application Configuration Service in Azure Spring Apps + +[Learn more](/azure/spring-apps/enterprise/how-to-managed-component-log-streaming) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/read \| Get Azure Spring Apps service instance(s) \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/configurationServices/read \| Get the Application Configuration Services for a specific Azure Spring Apps service instance \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/ApplicationConfigurationService/logstream/action \| Read the streaming log of all subcomponents in Application Configuration Service from a specific Azure Spring Apps service instance \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read real-time logs for Application Configuration Service in Azure Spring Apps", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6593e776-2a30-40f9-8a32-4fe28b77655d", + "name": "6593e776-2a30-40f9-8a32-4fe28b77655d", + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/configurationServices/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Apps Application Configuration Service Log Reader Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Spring Apps Connect Role + +Azure Spring Apps Connect Role + +[Learn more](/azure/spring-apps/enterprise/how-to-connect-to-app-instance-for-troubleshooting) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/apps/deployments/connect/action \| Connect to an instance for a specific application \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Azure Spring Apps Connect Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b", + "name": "80558df3-64f9-4c0f-b32d-e5094b036b0b", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/apps/deployments/connect/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Apps Connect Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Spring Apps Job Log Reader Role + +Read real-time logs for jobs in Azure Spring Apps + +[Learn more](/azure/spring-apps/enterprise/how-to-job-log-streaming) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/read \| Get Azure Spring Apps service instance(s) \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/jobs/read \| Get the job for a specific Azure Spring Apps service instance \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/jobs/executions/read \| Get the job execution for a specific Azure Spring Apps service instance \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/jobs/executions/logstream/action \| Get the streaming log of job executions for a specific Azure Spring Apps service instance \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/jobs/executions/listInstances/action \| List instances of a specific job execution for a specific Azure Spring Apps service instance \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read real-time logs for jobs in Azure Spring Apps", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b459aa1d-e3c8-436f-ae21-c0531140f43e", + "name": "b459aa1d-e3c8-436f-ae21-c0531140f43e", + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/jobs/read", + "Microsoft.AppPlatform/Spring/jobs/executions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/jobs/executions/logstream/action", + "Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Apps Job Log Reader Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Spring Apps Remote Debugging Role + +Azure Spring Apps Remote Debugging Role + +[Learn more](/azure/spring-apps/enterprise/how-to-remote-debugging-app-instance) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/apps/deployments/remotedebugging/action \| Remote debugging app instance for a specific application \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Azure Spring Apps Remote Debugging Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054", + "name": "a99b0159-1064-4c22-a57b-c9b3caa1c054", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Apps Remote Debugging Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Azure Spring Apps Spring Cloud Gateway Log Reader Role + +Read real-time logs for Spring Cloud Gateway in Azure Spring Apps + +[Learn more](/azure/spring-apps/enterprise/how-to-managed-component-log-streaming) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/read \| Get Azure Spring Apps service instance(s) \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/gateways/read \| Get the Spring Cloud Gateways for a specific Azure Spring Apps service instance \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.AppPlatform](../permissions/compute.md#microsoftappplatform)/Spring/SpringCloudGateway/logstream/action \| Read the streaming log of Spring Cloud Gateway from a specific Azure Spring Apps service instance \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read real-time logs for Spring Cloud Gateway in Azure Spring Apps", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4301dc2a-25a9-44b0-ae63-3636cf7f2bd2", + "name": "4301dc2a-25a9-44b0-ae63-3636cf7f2bd2", + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/gateways/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Apps Spring Cloud Gateway Log Reader Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Azure Spring Cloud Config Server Contributor Allow read, write and delete access to Azure Spring Cloud Config Server Manage the web plans for websites. Does not allow you to assign roles in Azure R } ``` +## Web PubSub Service Owner + +Full access to Azure Web PubSub Service REST APIs + +[Learn more](/azure/azure-web-pubsub/howto-authorize-from-application) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/WebPubSub/* \| \| +> \| NotDataActions \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to Azure Web PubSub Service REST APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4", + "name": "12cf5a90-567b-43ae-8102-96cf46c7d9b4", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.SignalRService/WebPubSub/" + ], + "notDataActions": [] + } + ], + "roleName": "Web PubSub Service Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + +## Web PubSub Service Reader + +Read-only access to Azure Web PubSub Service REST APIs + +[Learn more](/azure/azure-web-pubsub/concept-azure-ad-authorization) + +> [!div class="mx-tableFixed"] +> \| Actions \| Description \| +> \| \| \| +> \| none* \| \| +> \| NotActions \| \| +> \| none \| \| +> \| DataActions \| \| +> \| [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/WebPubSub//read \| \| +> \| NotDataActions* \| \| +> \| none \| \| + +```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read-only access to Azure Web PubSub Service REST APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf", + "name": "bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.SignalRService/WebPubSub/*/read" + ], + "notDataActions": [] + } + ], + "roleName": "Web PubSub Service Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` + ## Website Contributor Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC.
role-based-access-control	Classic Administrators	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/classic-administrators.md	Previously updated : 09/02/2024 Last updated : 09/23/2024 # Azure classic subscription administrators > [!IMPORTANT] -> As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. +> As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. If you still have active Co-Administrator or Service Administrator role assignments, convert these role assignments to Azure RBAC immediately. Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). If you're still using the classic deployment model, you'll need to migrate your resources from classic deployment to Resource Manager deployment. For more information, see [Azure Resource Manager vs. classic deployment](../azure-resource-manager/management/deployment-models.md). -If you still have active Co-Administrator or Service Administrator role assignments, convert these roles to Azure RBAC immediately. This article describes the retirement of the Co-Administrator and Service Administrator roles and how to convert these role assignments. +This article describes the retirement of the Co-Administrator and Service Administrator roles and how to convert these role assignments. ## Frequently asked questions What happens to classic administrator role assignments after August 31, 2024? -- Co-Administrator and Service Administrator roles are retired and no longer supported. You should convert these roles to Azure RBAC immediately. +- Co-Administrator and Service Administrator roles are retired and no longer supported. You should convert these role assignments to Azure RBAC immediately. How do I know what subscriptions have classic administrators?
role-based-access-control	Ai Machine Learning	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/ai-machine-learning.md	This article lists the permissions for the Azure resource providers in the AI + machine learning category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +## Microsoft.AgFoodPlatform + +Azure service: [Microsoft Azure Data Manager for Agriculture](/azure/data-manager-for-agri/overview-azure-data-manager-for-agriculture) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.AgFoodPlatform/register/action \| Registers the subscription for the AgFoodPlatform Resource Provider. \| +> \| Microsoft.AgFoodPlatform/unregister/action \| Unregisters the subscription for the AgFoodPlatform Resource Provider. \| +> \| Microsoft.AgFoodPlatform/checkNameAvailability/action \| Checks that resource name is valid and is not in use. \| +> \| Microsoft.AgFoodPlatform/farmBeats/read \| Gets or Lists existing AgFoodPlatform FarmBeats resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/write \| Creates or Updates AgFoodPlatform FarmBeats. \| +> \| Microsoft.AgFoodPlatform/farmBeats/delete \| Deletes an existing AgFoodPlatform FarmBeats resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/dataConnectors/read \| Gets or Lists existing AgFoodPlatform DataConnectors resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/dataConnectors/write \| Creates or Updates AgFoodPlatform DataConnectors. \| +> \| Microsoft.AgFoodPlatform/farmBeats/dataConnectors/delete \| Deletes an existing AgFoodPlatform DataConnectors resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/eventGridFilters/read \| Gets or Lists existing AgFoodPlatform Event Grid filters resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/eventGridFilters/write \| Creates or Updates AgFoodPlatform Event Grid filters. \| +> \| Microsoft.AgFoodPlatform/farmBeats/eventGridFilters/delete \| Deletes an existing AgFoodPlatform Event Grid filters resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/extensions/read \| Gets or Lists existing AgFoodPlatform Extensions resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/extensions/write \| Creates or Updates AgFoodPlatform Extensions. \| +> \| Microsoft.AgFoodPlatform/farmBeats/extensions/delete \| Deletes an existing AgFoodPlatform Extensions resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnectionProxies/read \| Gets or Lists existing AgFoodPlatform Private endpoint connection proxies resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnectionProxies/write \| Creates or Updates AgFoodPlatform Private endpoint connection proxies. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnectionProxies/delete \| Deletes an existing AgFoodPlatform Private endpoint connection proxies resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnectionProxies/validate/action \| Validates AgFoodPlatform Private endpoint connection proxy resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnectionProxies/operationResults/read \| Gets the result for a private endpoint connection proxy resource long running operation. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnections/read \| Gets or Lists existing AgFoodPlatform Private endpoint connections resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnections/write \| Creates or Updates AgFoodPlatform Private endpoint connections. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateEndpointConnections/delete \| Deletes an existing AgFoodPlatform Private endpoint connections resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/privateLinkResources/read \| Gets or Lists existing AgFoodPlatform Private link resources resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/solutions/read \| Gets or Lists existing AgFoodPlatform add-ons resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/solutions/write \| Creates or Updates AgFoodPlatform add-ons. \| +> \| Microsoft.AgFoodPlatform/farmBeats/solutions/delete \| Deletes an existing AgFoodPlatform add-ons resource. \| +> \| Microsoft.AgFoodPlatform/farmBeatsExtensionDefinitions/read \| Gets or Lists existing AgFoodPlatform FarmBeatsExtensionDefinitions resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeatsSolutionDefinitions/read \| Gets or Lists existing AgFoodPlatform FarmBeatsSolutionDefinitions resource(s). \| +> \| Microsoft.AgFoodPlatform/locations/operationResults/read \| Returns result of async operation in Microsoft AgFoodPlatform resource provider. \| +> \| Microsoft.AgFoodPlatform/operations/read \| List all operations in Microsoft AgFoodPlatform resource provider. \| +> \| DataAction \| Description \| +> \| Microsoft.AgFoodPlatform/farmBeats/applicationData/list/action \| List(s) existing AgFoodPlatform application operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/applicationData/search/action \| Searches existing AgFoodPlatform application operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/boundaries/list/action \| List(s) existing AgFoodPlatform boundary resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/boundaries/search/action \| Searches existing AgFoodPlatform boundary resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/chemicalProducts/read \| Gets or Lists existing AgFoodPlatform Chemical Products resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/chemicalProducts/write \| Creates or Updates AgFoodPlatform Chemical Products. \| +> \| Microsoft.AgFoodPlatform/farmBeats/chemicalProducts/list/action \| Deletes an existing AgFoodPlatform Chemical Products resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/chemicalProducts/delete \| List(s) existing AgFoodPlatform Chemical Product resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropProducts/read \| Gets or Lists existing AgFoodPlatform cropProducts resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropProducts/write \| Creates or Updates AgFoodPlatform cropProducts. \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropProducts/delete \| Deletes an existing AgFoodPlatform cropProducts resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropProducts/list/action \| List(s) existing AgFoodPlatform Crop Product. resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/crops/read \| Gets or Lists existing AgFoodPlatform crops resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/crops/write \| Creates or Updates AgFoodPlatform crops. \| +> \| Microsoft.AgFoodPlatform/farmBeats/crops/delete \| Deletes an existing AgFoodPlatform crops resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/crops/list/action \| List(s) existing AgFoodPlatform crop resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropVarieties/read \| Gets or Lists existing AgFoodPlatform crop varieties resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropVarieties/write \| Creates or Updates AgFoodPlatform crop varieties. \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropVarieties/delete \| Deletes an existing AgFoodPlatform crop varieties resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/cropVarieties/list/action \| List(s) existing AgFoodPlatform crop variety resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasetRecords/read \| Gets or Lists existing AgFoodPlatform Dataset Records resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write \| Creates or Updates AgFoodPlatform Dataset Records. \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasetRecords/delete \| Deletes an existing AgFoodPlatform Dataset Records resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasetRecords/list/action \| List(s) existing AgFoodPlatform dataset record resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/read \| Gets or Lists existing AgFoodPlatform datasets resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/write \| Creates or Updates AgFoodPlatform datasets. \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/delete \| Deletes an existing AgFoodPlatform datasets resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/list/action \| List(s) existing AgFoodPlatform dataset resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/publish/action \| List(s) existing AgFoodPlatform DatasetAccess resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/access/list/action \| Gets or Lists existing AgFoodPlatform DatasetAccesses resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/access/grant/action \| Creates or Updates AgFoodPlatform DatasetAccesses. \| +> \| Microsoft.AgFoodPlatform/farmBeats/datasets/access/remove/action \| Deletes an existing AgFoodPlatform DatasetAccesses resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/applicationDataCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform applicationDataCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/applicationDataCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform applicationDataCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/boundariesCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform boundariesCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/boundariesCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform boundariesCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/farmersCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform farmersCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/farmersCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform farmersCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/farmsCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform farmsCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/farmsCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform farmsCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/fieldsCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform fieldsCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/fieldsCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform fieldsCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/harvestDataCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform harvestDataCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/harvestDataCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform harvestDataCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/insightsCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform insightsCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/insightsCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform insightsCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/managementZonesCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform managementZonesCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/managementZonesCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform managementZonesCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/oauthProvidersCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform oauthProvidersCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/oauthProvidersCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform oauthProvidersCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/oauthTokensRemoveJobs/read \| Gets or Lists existing AgFoodPlatform oauth tokens resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/oauthTokensRemoveJobs/write \| Creates or Updates AgFoodPlatform oauth tokens. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/partiesCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform partiesCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/partiesCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform partiesCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/plantingDataCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform plantingDataCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/plantingDataCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform plantingDataCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/plantTissueAnalysesCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform plantTissueAnalysesCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/plantTissueAnalysesCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform plantTissueAnalysesCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/prescriptionMapsCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform prescriptionMapsCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/prescriptionMapsCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform prescriptionMapsCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/prescriptionsCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform prescriptionsCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/prescriptionsCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform prescriptionsCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/seaonalFieldsCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform seaonalFieldsCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/seaonalFieldsCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform seaonalFieldsCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/tillageDataCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform tillageDataCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/tillageDataCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform tillageDataCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/weatherDataDeletionJobs/read \| Gets or Lists existing AgFoodPlatform weatherDataDeletionJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/weatherDataDeletionJobs/write \| Creates or Updates AgFoodPlatform weatherDataDeletionJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/zonesCascadeDeleteJobs/read \| Gets or Lists existing AgFoodPlatform zonesCascadeDeleteJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/deletionJobs/zonesCascadeDeleteJobs/write \| Creates or Updates AgFoodPlatform zonesCascadeDeleteJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmEquipments/read \| Gets or Lists existing AgFoodPlatform Farm Equipments resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmEquipments/write \| Creates or Updates AgFoodPlatform Farm Equipments. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmEquipments/list/action \| Deletes an existing AgFoodPlatform Farm Equipments resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmEquipments/delete \| List(s) existing AgFoodPlatform Farm Equipment resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/read \| Gets or Lists existing AgFoodPlatform farmers resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/write \| Creates or Updates AgFoodPlatform farmers. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/delete \| Deletes an existing AgFoodPlatform farmers resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/list/action \| List(s) existing AgFoodPlatform farmer resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/applicationData/read \| Gets or Lists existing AgFoodPlatform application operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/applicationData/write \| Creates or Updates AgFoodPlatform application operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/applicationData/delete \| Deletes an existing AgFoodPlatform application operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/applicationData/list/action \| List(s) existing AgFoodPlatform application operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/attachments/read \| Gets or Lists existing AgFoodPlatform attachments resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/attachments/write \| Creates or Updates AgFoodPlatform attachments. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/attachments/delete \| Deletes an existing AgFoodPlatform attachments resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/attachments/list/action \| List(s) existing AgFoodPlatform attachment resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/attachments/download/action \| boundaries Download \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/boundaries/read \| Gets or Lists existing AgFoodPlatform boundaries resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/boundaries/write \| Creates or Updates AgFoodPlatform boundaries. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/boundaries/delete \| Deletes an existing AgFoodPlatform boundaries resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/boundaries/list/action \| List(s) existing AgFoodPlatform boundary resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/boundaries/search/action \| Searches existing AgFoodPlatform boundary resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/boundaries/overlap/action \| Boundary Overlap. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/farms/read \| Gets or Lists existing AgFoodPlatform farms resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/farms/write \| Creates or Updates AgFoodPlatform farms. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/farms/delete \| Deletes an existing AgFoodPlatform farms resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/farms/list/action \| List(s) existing AgFoodPlatform farm resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/fields/read \| Gets or Lists existing AgFoodPlatform fields resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/fields/write \| Creates or Updates AgFoodPlatform fields. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/fields/delete \| Deletes an existing AgFoodPlatform fields resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/fields/list/action \| List(s) existing AgFoodPlatform field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/harvestData/read \| Gets or Lists existing AgFoodPlatform harvest operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/harvestData/write \| Creates or Updates AgFoodPlatform harvest operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/harvestData/delete \| Deletes an existing AgFoodPlatform harvest operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/harvestData/list/action \| List(s) existing AgFoodPlatform harvest operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insightAttachments/read \| Gets or Lists existing AgFoodPlatform insight attachments resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insightAttachments/write \| Creates or Updates AgFoodPlatform insight attachments. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insightAttachments/delete \| Deletes an existing AgFoodPlatform insight attachments resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insightAttachments/list/action \| List(s) existing AgFoodPlatform insight attachment resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insightAttachments/download/action \| insights Download \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insights/read \| Gets or Lists existing AgFoodPlatform insights resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insights/write \| Creates or Updates AgFoodPlatform insights. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insights/delete \| Deletes an existing AgFoodPlatform insights resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/models/resourceTypes/resources/insights/list/action \| List(s) existing AgFoodPlatform insight resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/nutrientAnalyses/read \| Gets or Lists existing AgFoodPlatform nutrient analyses resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/nutrientAnalyses/write \| Creates or Updates AgFoodPlatform nutrient analyses. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/nutrientAnalyses/delete \| Deletes an existing AgFoodPlatform nutrient analyses resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/nutrientAnalyses/list/action \| List(s) existing AgFoodPlatform nutrient analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantingData/read \| Gets or Lists existing AgFoodPlatform planting operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantingData/write \| Creates or Updates AgFoodPlatform planting operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantingData/delete \| Deletes an existing AgFoodPlatform planting operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantingData/list/action \| List(s) existing AgFoodPlatform planting operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantTissueAnalyses/read \| Gets or Lists existing AgFoodPlatform plant tissue analyses resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantTissueAnalyses/write \| Creates or Updates AgFoodPlatform plant tissue analyses. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantTissueAnalyses/delete \| Deletes an existing AgFoodPlatform plant tissue analyses resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/plantTissueAnalyses/list/action \| List(s) existing AgFoodPlatform plant tissue analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptionMaps/read \| Gets or Lists existing AgFoodPlatform prescription maps resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptionMaps/write \| Creates or Updates AgFoodPlatform prescription maps. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptionMaps/delete \| Deletes an existing AgFoodPlatform prescription maps resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptionMaps/list/action \| List(s) existing AgFoodPlatform prescription map resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptions/read \| Gets or Lists existing AgFoodPlatform prescriptions resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptions/write \| Creates or Updates AgFoodPlatform prescriptions. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptions/delete \| Deletes an existing AgFoodPlatform prescriptions resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/prescriptions/list/action \| List(s) existing AgFoodPlatform prescription resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/seasonalFields/read \| Gets or Lists existing AgFoodPlatform seasonal fields resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/seasonalFields/write \| Creates or Updates AgFoodPlatform seasonal fields. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/seasonalFields/delete \| Deletes an existing AgFoodPlatform seasonal fields resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/seasonalFields/list/action \| List(s) existing AgFoodPlatform seasonal field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/tillageData/read \| Gets or Lists existing AgFoodPlatform tillage operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/tillageData/write \| Creates or Updates AgFoodPlatform tillage operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/tillageData/delete \| Deletes an existing AgFoodPlatform tillage operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/tillageData/list/action \| List(s) existing AgFoodPlatform tillage operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/zones/read \| Gets or Lists existing AgFoodPlatform zones resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/zones/write \| Creates or Updates AgFoodPlatform zones. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/zones/delete \| Deletes an existing AgFoodPlatform zones resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/farmers/zones/list/action \| List(s) existing AgFoodPlatform zone resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/farms/list/action \| List(s) existing AgFoodPlatform farm resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/fields/list/action \| List(s) existing AgFoodPlatform field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/fields/search/action \| Searches existing AgFoodPlatform field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/harvestData/list/action \| List(s) existing AgFoodPlatform harvest operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/harvestData/search/action \| Searches existing AgFoodPlatform harvest operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/biomassModelJobs/read \| Gets or Lists existing AgFoodPlatform biomassModelJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/biomassModelJobs/write \| Creates or Updates AgFoodPlatform biomassModelJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/farmOperationDataIngestionJobs/read \| Gets or Lists existing AgFoodPlatform farmOperationDataIngestionJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/farmOperationDataIngestionJobs/write \| Creates or Updates AgFoodPlatform farmOperationDataIngestionJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/imageProcessingRasterizeJobs/read \| Gets or Lists existing AgFoodPlatform imageProcessingRasterizeJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/imageProcessingRasterizeJobs/write \| Creates or Updates AgFoodPlatform imageProcessingRasterizeJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/read \| Gets or Lists existing AgFoodPlatform satelliteDataIngestionJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/write \| Creates or Updates AgFoodPlatform satelliteDataIngestionJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/sensorPlacementModelJobs/read \| Gets or Lists existing AgFoodPlatform sensorPlacementModelJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/sensorPlacementModelJobs/write \| Creates or Updates AgFoodPlatform sensorPlacementModelJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/soilMoistureModelJobs/read \| Gets or Lists existing AgFoodPlatform soilMoistureModelJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/soilMoistureModelJobs/write \| Creates or Updates AgFoodPlatform soilMoistureModelJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/solutions/read \| Gets or Lists existing AgFoodPlatform add-ons resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/solutions/write \| Creates or Updates AgFoodPlatform add-ons. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/solutions/cancel/action \| Cancels an existing AgFoodPlatform add-on. \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/weatherDataIngestionJobs/read \| Gets or Lists existing AgFoodPlatform weatherDataIngestionJobs resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/weatherDataIngestionJobs/write \| Creates or Updates AgFoodPlatform weatherDataIngestionJobs. \| +> \| Microsoft.AgFoodPlatform/farmBeats/nutrientAnalyses/list/action \| List(s) existing AgFoodPlatform nutrient analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthProviders/read \| Gets or Lists existing AgFoodPlatform oauth providers resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthProviders/write \| Creates or Updates AgFoodPlatform oauth providers. \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthProviders/delete \| Deletes an existing AgFoodPlatform oauth providers resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthProviders/list/action \| List(s) existing AgFoodPlatform oauth provider resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthTokens/read \| Gets or Lists existing AgFoodPlatform oauth tokens resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthTokens/write \| Creates or Updates AgFoodPlatform oauth tokens. \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthTokens/delete \| Deletes an existing AgFoodPlatform oauth tokens resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/oauthTokens/list/action \| List(s) existing AgFoodPlatform oauth token resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/read \| Gets or Lists existing AgFoodPlatform parties resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/write \| Creates or Updates AgFoodPlatform parties. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/delete \| Deletes an existing AgFoodPlatform parties resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/list/action \| List(s) existing AgFoodPlatform Party resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/overlap/action \| Searches existing AgFoodPlatform Party resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/applicationData/read \| Gets or Lists existing AgFoodPlatform application operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/applicationData/write \| Creates or Updates AgFoodPlatform application operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/applicationData/delete \| Deletes an existing AgFoodPlatform application operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/applicationData/list/action \| List(s) existing AgFoodPlatform application operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/attachments/read \| Gets or Lists existing AgFoodPlatform attachments resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/attachments/write \| Creates or Updates AgFoodPlatform attachments. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/attachments/delete \| Deletes an existing AgFoodPlatform attachments resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/attachments/list/action \| List(s) existing AgFoodPlatform attachment resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/attachments/download/action \| boundaries Download \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read \| Gets or Lists existing AgFoodPlatform boundaries resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write \| Creates or Updates AgFoodPlatform boundaries. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/delete \| Deletes an existing AgFoodPlatform boundaries resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/list/action \| List(s) existing AgFoodPlatform boundary resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/search/action \| Searches existing AgFoodPlatform boundary resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/overlap/action \| Boundary Overlap. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/farms/read \| Gets or Lists existing AgFoodPlatform farms resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/farms/write \| Creates or Updates AgFoodPlatform farms. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/farms/delete \| Deletes an existing AgFoodPlatform farms resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/farms/list/action \| List(s) existing AgFoodPlatform farm resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/fields/read \| Gets or Lists existing AgFoodPlatform fields resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/fields/write \| Creates or Updates AgFoodPlatform fields. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/fields/delete \| Deletes an existing AgFoodPlatform fields resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/fields/list/action \| List(s) existing AgFoodPlatform field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/harvestData/read \| Gets or Lists existing AgFoodPlatform harvest operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/harvestData/write \| Creates or Updates AgFoodPlatform harvest operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/harvestData/delete \| Deletes an existing AgFoodPlatform harvest operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/harvestData/list/action \| List(s) existing AgFoodPlatform harvest operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/read \| Gets or Lists existing AgFoodPlatform insight attachments resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/write \| Creates or Updates AgFoodPlatform insight attachments. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/delete \| Deletes an existing AgFoodPlatform insight attachments resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/list/action \| List(s) existing AgFoodPlatform insight attachment resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/download/action \| insights Download \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/read \| Gets or Lists existing AgFoodPlatform insights resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/write \| Creates or Updates AgFoodPlatform insights. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/delete \| Deletes an existing AgFoodPlatform insights resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/list/action \| List(s) existing AgFoodPlatform insight resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/nutrientAnalyses/read \| Gets or Lists existing AgFoodPlatform nutrient analyses resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/nutrientAnalyses/write \| Creates or Updates AgFoodPlatform nutrient analyses. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/nutrientAnalyses/delete \| Deletes an existing AgFoodPlatform nutrient analyses resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/nutrientAnalyses/list/action \| List(s) existing AgFoodPlatform nutrient analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantingData/read \| Gets or Lists existing AgFoodPlatform planting operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantingData/write \| Creates or Updates AgFoodPlatform planting operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantingData/delete \| Deletes an existing AgFoodPlatform planting operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantingData/list/action \| List(s) existing AgFoodPlatform planting operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantTissueAnalyses/read \| Gets or Lists existing AgFoodPlatform plant tissue analyses resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantTissueAnalyses/write \| Creates or Updates AgFoodPlatform plant tissue analyses. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantTissueAnalyses/delete \| Deletes an existing AgFoodPlatform plant tissue analyses resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/plantTissueAnalyses/list/action \| List(s) existing AgFoodPlatform plant tissue analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptionMaps/read \| Gets or Lists existing AgFoodPlatform prescription maps resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptionMaps/write \| Creates or Updates AgFoodPlatform prescription maps. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptionMaps/delete \| Deletes an existing AgFoodPlatform prescription maps resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptionMaps/list/action \| List(s) existing AgFoodPlatform prescription map resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptions/read \| Gets or Lists existing AgFoodPlatform prescriptions resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptions/write \| Creates or Updates AgFoodPlatform prescriptions. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptions/delete \| Deletes an existing AgFoodPlatform prescriptions resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/prescriptions/list/action \| List(s) existing AgFoodPlatform prescription resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/seasonalFields/read \| Gets or Lists existing AgFoodPlatform seasonal fields resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/seasonalFields/write \| Creates or Updates AgFoodPlatform seasonal fields. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/seasonalFields/delete \| Deletes an existing AgFoodPlatform seasonal fields resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/seasonalFields/list/action \| List(s) existing AgFoodPlatform seasonal field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/tillageData/read \| Gets or Lists existing AgFoodPlatform tillage operations data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/tillageData/write \| Creates or Updates AgFoodPlatform tillage operations data. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/tillageData/delete \| Deletes an existing AgFoodPlatform tillage operations data resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/tillageData/list/action \| List(s) existing AgFoodPlatform tillage operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/zones/read \| Gets or Lists existing AgFoodPlatform zones resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/zones/write \| Creates or Updates AgFoodPlatform zones. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/zones/delete \| Deletes an existing AgFoodPlatform zones resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/parties/zones/list/action \| List(s) existing AgFoodPlatform zone resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/plantingData/list/action \| List(s) existing AgFoodPlatform planting operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/plantingData/search/action \| Searches existing AgFoodPlatform planting operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/plantTissueAnalyses/list/action \| List(s) existing AgFoodPlatform plant tissue analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/plantTissueAnalyses/search/action \| Searches existing AgFoodPlatform plant tissue analysis resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/prescriptionMaps/list/action \| List(s) existing AgFoodPlatform prescription map resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/prescriptions/list/action \| List(s) existing AgFoodPlatform prescription resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/prescriptions/search/action \| Searches existing AgFoodPlatform prescription resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/scenes/read \| Gets or Lists existing AgFoodPlatform scenes resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/scenes/write \| Creates or Updates AgFoodPlatform scenes. \| +> \| Microsoft.AgFoodPlatform/farmBeats/scenes/delete \| Deletes an existing AgFoodPlatform scenes resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/scenes/list/action \| List(s) existing AgFoodPlatform scene resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/scenes/download/action \| scenes Download \| +> \| Microsoft.AgFoodPlatform/farmBeats/seasonalFields/list/action \| List(s) existing AgFoodPlatform seasonal field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/seasonalFields/search/action \| Searches existing AgFoodPlatform seasonal field resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/seasons/read \| Gets or Lists existing AgFoodPlatform seasons resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/seasons/write \| Creates or Updates AgFoodPlatform seasons. \| +> \| Microsoft.AgFoodPlatform/farmBeats/seasons/delete \| Deletes an existing AgFoodPlatform seasons resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/seasons/list/action \| List(s) existing AgFoodPlatform season resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorData/list/action \| Gets or Lists existing AgFoodPlatform sensor data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorMappings/read \| Gets or Lists existing AgFoodPlatform sensor mappings resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorMappings/write \| Creates or Updates AgFoodPlatform sensor mappings. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorMappings/delete \| Deletes an existing AgFoodPlatform sensor mappings resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorMappings/list/action \| List(s) existing AgFoodPlatform sensor mapping resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/deviceDataModels/read \| Gets or Lists existing AgFoodPlatform device data models resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/deviceDataModels/write \| Creates or Updates AgFoodPlatform device data models. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/deviceDataModels/delete \| Deletes an existing AgFoodPlatform device data models resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/deviceDataModels/list/action \| List(s) existing AgFoodPlatform device data model resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/devices/read \| Gets or Lists existing AgFoodPlatform devices resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/devices/write \| Creates or Updates AgFoodPlatform devices. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/devices/delete \| Deletes an existing AgFoodPlatform devices resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/devices/list/action \| List(s) existing AgFoodPlatform device resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/integrations/read \| Gets or Lists existing AgFoodPlatform sensor partner integrations resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/integrations/write \| Creates or Updates AgFoodPlatform sensor partner integrations. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/integrations/delete \| Deletes an existing AgFoodPlatform sensor partner integrations resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/integrations/list/action \| List(s) existing AgFoodPlatform sensor partner integration resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/integrations/checkConsent/action \| Check consent \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/integrations/generateConsent/action \| Generate consent \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensorDataModels/read \| Gets or Lists existing AgFoodPlatform sensor data models resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensorDataModels/write \| Creates or Updates AgFoodPlatform sensor data models. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensorDataModels/delete \| Deletes an existing AgFoodPlatform sensor data models resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensorDataModels/list/action \| List(s) existing AgFoodPlatform sensor data model resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensors/read \| Gets or Lists existing AgFoodPlatform sensors resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensors/write \| Creates or Updates AgFoodPlatform sensors. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensors/delete \| Deletes an existing AgFoodPlatform sensors resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensors/list/action \| List(s) existing AgFoodPlatform sensor resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensors/connectionStrings/read \| Gets or Lists existing AgFoodPlatform ConnnectionStrings for Sensor Partners resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartners/sensors/connectionStrings/write \| Creates or Updates AgFoodPlatform ConnnectionStrings for Sensor Partners. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/deviceDataModels/read \| Get or List AgFoodPlatform device data models resource(s) restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/deviceDataModels/write \| Creates or Updates AgFoodPlatform device data models restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/deviceDataModels/delete \| Deletes an existing AgFoodPlatform device data models resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/deviceDataModels/list/action \| Lists an existing AgFoodPlatform device data models resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/devices/read \| Get or List AgFoodPlatform devices resource(s) restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/devices/write \| Creates or Updates AgFoodPlatform devices restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/devices/delete \| Deletes an existing AgFoodPlatform devices resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/devices/list/action \| Lists an existing AgFoodPlatform devices resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorDataModels/read \| Get or List AgFoodPlatform sensor data models resource(s) restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorDataModels/write \| Creates or Updates AgFoodPlatform sensor data models restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorDataModels/delete \| Deletes an existing AgFoodPlatform sensor data models resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorDataModels/list/action \| Lists an existing AgFoodPlatform sensor data models resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorPartnerIntegrationConsentLinkModels/read \| Get or List AgFoodPlatform sensor partner integration consent links resource(s) restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/read \| Get or List AgFoodPlatform sensors resource(s) restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/write \| Creates or Updates AgFoodPlatform sensors restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete \| Deletes an existing AgFoodPlatform sensors resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/list/action \| Lists an existing AgFoodPlatform sensors resource restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorsconnectionStrings/read \| Get or List AgFoodPlatform ConnnectionString for Sensor Partners resource(s) restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensorsconnectionStrings/write \| Creates or Updates AgFoodPlatform ConnnectionString for Sensor Partners restricted to caller's sensor partner scope. \| +> \| Microsoft.AgFoodPlatform/farmBeats/stacFeatures/read \| Gets or Lists existing AgFoodPlatform stacFeatures resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/stacFeatures/search/action \| Searches existing AgFoodPlatform Stac Feature resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/tillageData/list/action \| List(s) existing AgFoodPlatform tillage operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/tillageData/search/action \| Searches existing AgFoodPlatform tillage operation data resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/weather/read \| Gets or Lists existing AgFoodPlatform weather resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/weather/write \| Creates or Updates AgFoodPlatform weather. \| +> \| Microsoft.AgFoodPlatform/farmBeats/weather/delete \| Deletes an existing AgFoodPlatform weather resource. \| +> \| Microsoft.AgFoodPlatform/farmBeats/weather/list/action \| List(s) existing AgFoodPlatform weather resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/zones/list/action \| List(s) existing AgFoodPlatform zone resource(s). \| +> \| Microsoft.AgFoodPlatform/farmBeats/zones/search/action \| Searches existing AgFoodPlatform zone resource(s). \| +> \| Microsoft.AgFoodPlatform/farmers/farmers/managementZones/read \| Gets or Lists existing AgFoodPlatform management zones resource(s). \| +> \| Microsoft.AgFoodPlatform/farmers/farmers/managementZones/write \| Creates or Updates AgFoodPlatform management zones. \| +> \| Microsoft.AgFoodPlatform/farmers/farmers/managementZones/delete \| Deletes an existing AgFoodPlatform management zones resource. \| +> \| Microsoft.AgFoodPlatform/farmers/farmers/managementZones/list/action \| List(s) existing AgFoodPlatform management zone resource(s). \| +> \| Microsoft.AgFoodPlatform/farmers/managementZones/list/action \| List(s) existing AgFoodPlatform management zone resource(s). \| +> \| Microsoft.AgFoodPlatform/farmers/parties/managementZones/read \| Gets or Lists existing AgFoodPlatform management zones resource(s). \| +> \| Microsoft.AgFoodPlatform/farmers/parties/managementZones/write \| Creates or Updates AgFoodPlatform management zones. \| +> \| Microsoft.AgFoodPlatform/farmers/parties/managementZones/delete \| Deletes an existing AgFoodPlatform management zones resource. \| +> \| Microsoft.AgFoodPlatform/farmers/parties/managementZones/list/action \| List(s) existing AgFoodPlatform management zone resource(s). \| + ## Microsoft.BotService Intelligent, serverless bot service that scales on demand. Azure service: [Cognitive Services](/azure/cognitive-services/) > \| Microsoft.CognitiveServices/accounts/VisualSearch/search/action \| Returns a list of tags relevant to the provided image \| > \| Microsoft.CognitiveServices/accounts/WebSearch/search/action \| Get web, image, news, & videos results for a given query. \| +## Microsoft.HealthBot + +Azure service: [Azure AI Health Bot](/azure/health-bot/overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.HealthBot/healthBots/Action \| Writes healthBots \| +> \| Microsoft.HealthBot/healthBots/Read \| Read healthBots \| +> \| Microsoft.HealthBot/healthBots/Write \| Writes healthBots \| +> \| Microsoft.HealthBot/healthBots/Delete \| Deletes healthBots \| +> \| DataAction \| Description \| +> \| Microsoft.HealthBot/healthBots/Reader/Action \| Sign in to the management portal, with read-only access to resources, scenarios and configuration settings except for the bot instance keys & secrets and the end-user inputs. \| +> \| Microsoft.HealthBot/healthBots/Editor/Action \| Sign in to the management portal, view and edit all the bot resources, scenarios and configuration settings except for the bot instance keys & secrets and the end-user inputs. Read-only access to the bot skills and channels. \| +> \| Microsoft.HealthBot/healthBots/Admin/Action \| Sign in to the management portal, view and edit all of the bot resources, scenarios, configuration settings, instance keys & secrets. \| + ## Microsoft.MachineLearningServices Enterprise-grade machine learning service to build and deploy models faster.
role-based-access-control	Compute	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/compute.md	Azure service: [Virtual Machines](/azure/virtual-machines/), [Virtual Machine Sc > \| Microsoft.Compute/virtualMachines/loginAsAdmin/action \| Log in to a virtual machine with Windows administrator or Linux root user privileges \| > \| Microsoft.Compute/virtualMachines/WACloginAsAdmin/action \| Lets you manage the OS of your resource via Windows Admin Center as an administrator \| +## Microsoft.ComputeSchedule + +Azure service: [Azure Virtual Desktop](/azure/virtual-desktop/overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.ComputeSchedule/register/action \| Register the subscription for Microsoft.ComputeSchedule \| +> \| Microsoft.ComputeSchedule/unregister/action \| Unregister the subscription for Microsoft.ComputeSchedule \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action \| virtualMachinesCancelOperations: cancelOperations for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action \| virtualMachinesExecuteDeallocate: executeDeallocate for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action \| virtualMachinesExecuteHibernate: executeHibernate for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action \| virtualMachinesExecuteStart: executeStart for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action \| virtualMachinesGetOperationStatus: getOperationStatus for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action \| virtualMachinesSubmitDeallocate: submitDeallocate for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action \| virtualMachinesSubmitHibernate: submitHibernate for a virtual machine \| +> \| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action \| virtualMachinesSubmitStart: submitStart for a virtual machine \| +> \| Microsoft.ComputeSchedule/Operations/read \| read Operations \| + +## microsoft.connectedvmwarevsphere + +Azure service: [Azure Arc-enabled VMware vSphere](/azure/azure-arc/vmware-vsphere/) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| microsoft.connectedvmwarevsphere/unregister/action \| unregister RP. \| +> \| microsoft.connectedvmwarevsphere/register/action \| register RP. \| +> \| Microsoft.ConnectedVMwarevSphere/clusters/Read \| Read clusters \| +> \| Microsoft.ConnectedVMwarevSphere/clusters/Write \| Writes clusters \| +> \| Microsoft.ConnectedVMwarevSphere/clusters/Delete \| Deletes clusters \| +> \| Microsoft.ConnectedVMwarevSphere/clusters/deploy/action \| Deploys on cluster \| +> \| Microsoft.ConnectedVMwarevSphere/datastores/Read \| Read datastores \| +> \| Microsoft.ConnectedVMwarevSphere/datastores/Write \| Writes datastores \| +> \| Microsoft.ConnectedVMwarevSphere/datastores/Delete \| Deletes datastores \| +> \| Microsoft.ConnectedVMwarevSphere/datastores/AllocateSpace/action \| Allocates on datastores \| +> \| Microsoft.ConnectedVMwarevSphere/hosts/Read \| Read hosts \| +> \| Microsoft.ConnectedVMwarevSphere/hosts/Write \| Writes hosts \| +> \| Microsoft.ConnectedVMwarevSphere/hosts/Delete \| Deletes hosts \| +> \| Microsoft.ConnectedVMwarevSphere/hosts/deploy/action \| Deploys on host \| +> \| microsoft.connectedvmwarevsphere/locations/operationstatuses/read \| Read operationstatus. \| +> \| microsoft.connectedvmwarevsphere/locations/operationstatuses/write \| Write operationstatus. \| +> \| Microsoft.ConnectedVMwarevSphere/locations/updateCenterOperationResults/read \| Reads the status of an update center operation on virtual machines \| +> \| Microsoft.ConnectedVMwarevSphere/locations/upgradeExtensionsOperationResults/read \| Reads the status of an upgrade extensions operation on virtual machines \| +> \| microsoft.connectedvmwarevsphere/operations/read \| Read operations. \| +> \| Microsoft.ConnectedVMwarevSphere/resourcepools/Read \| Read resourcepools \| +> \| Microsoft.ConnectedVMwarevSphere/resourcepools/Write \| Writes resourcepools \| +> \| Microsoft.ConnectedVMwarevSphere/resourcepools/Delete \| Deletes resourcepools \| +> \| Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action \| eploys on resource pool \| +> \| microsoft.connectedvmwarevsphere/skus/read \| Get skus. \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/Read \| Read vcenters \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/Write \| Writes vcenters \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/Delete \| Deletes vcenters \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/inventoryitems/Delete \| Deletes vcenter inventoryitems \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/inventoryitems/Read \| Read vcenter inventoryitems \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/inventoryitems/Write \| Writes vcenters inventoryitems \| +> \| Microsoft.ConnectedVMwarevSphere/vcenters/inventoryitems/onboard/action \| Project vcenters inventoryitems \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/Read \| Read virtualmachineinstances \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/Write \| Writes virtualmachineinstances \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/Delete \| Deletes virtualmachineinstances \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/Read \| Read virtualmachines \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/Write \| Writes virtualmachines \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/Delete \| Deletes virtualmachines \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/start/action \| Start VM. \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/restart/action \| Restart VM. \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/stop/action \| Stop VM. \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/installPatches/action \| Install patches on Azure Arc VMware machines \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/assessPatches/action \| Assess patches on Azure Arc VMware machines \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/upgradeExtensions/action \| Upgrade extensions on Azure Arc VMware machines \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/extensions/Delete \| Delete extension resource \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/extensions/Read \| Gets extension resource \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/extensions/Write \| Write extension resource \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/guestagents/Delete \| Delete guestagent resource \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/guestagents/Read \| Gets guestagent resource \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/guestagents/Write \| Write guestagent resource \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/hybridIdentityMetadata/Delete \| Deletes hybridIdentityMetadata \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/hybridIdentityMetadata/Read \| Gets hybridIdentityMetadata \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/hybridIdentityMetadata/Write \| Write hybridIdentityMetadata \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read \| Read virtualmachinetemplates \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Write \| Writes virtualmachinetemplates \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Delete \| Deletes virtualmachinetemplates \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action \| Cloness virtualmachinetemplates \| +> \| Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read \| Read virtualnetworks \| +> \| Microsoft.ConnectedVMwarevSphere/virtualnetworks/Write \| Writes virtualnetworks \| +> \| Microsoft.ConnectedVMwarevSphere/virtualnetworks/Delete \| Deletes virtualnetworks \| +> \| Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action \| Deletes virtualnetworks \| +> \| DataAction \| Description \| +> \| Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action \| Lets you manage the OS of your resource via Windows Admin Center as an administrator. \| + ## Microsoft.DesktopVirtualization The best virtual desktop experience, delivered on Azure.
role-based-access-control	Devops	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/devops.md	Azure service: [Azure Chaos Studio](/azure/chaos-studio/) > \| Microsoft.Chaos/targets/capabilities/delete \| Deletes a Capability resource that extends a Target resource. \| > \| Microsoft.Chaos/targets/capabilities/read \| Gets all Capabilities that extend a Target resource. \| +## Microsoft.DevCenter + +Azure service: [Azure Deployment Environments](/azure/deployment-environments/overview-what-is-azure-deployment-environments) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.DevCenter/checkNameAvailability/action \| action checkNameAvailability \| +> \| Microsoft.DevCenter/checkScopedNameAvailability/action \| Check the availability of name for resource \| +> \| Microsoft.DevCenter/register/action \| Register the subscription for Microsoft.DevCenter \| +> \| Microsoft.DevCenter/unregister/action \| Unregister the subscription for Microsoft.DevCenter \| +> \| Microsoft.DevCenter/devcenters/read \| Lists all devcenters in a subscription. \| +> \| Microsoft.DevCenter/devcenters/read \| Lists all devcenters in a resource group. \| +> \| Microsoft.DevCenter/devcenters/read \| Gets a devcenter. \| +> \| Microsoft.DevCenter/devcenters/write \| Creates or updates a devcenter resource \| +> \| Microsoft.DevCenter/devcenters/delete \| Deletes a devcenter \| +> \| Microsoft.DevCenter/devcenters/write \| Partially updates a devcenter. \| +> \| Microsoft.DevCenter/devcenters/attachednetworks/read \| Lists the attached NetworkConnections for a DevCenter. \| +> \| Microsoft.DevCenter/devcenters/attachednetworks/read \| Gets an attached NetworkConnection. \| +> \| Microsoft.DevCenter/devcenters/attachednetworks/write \| Creates or updates an attached NetworkConnection. \| +> \| Microsoft.DevCenter/devcenters/attachednetworks/delete \| Un-attach a NetworkConnection. \| +> \| Microsoft.DevCenter/devcenters/catalogs/read \| Lists catalogs for a devcenter. \| +> \| Microsoft.DevCenter/devcenters/catalogs/read \| Gets a catalog \| +> \| Microsoft.DevCenter/devcenters/catalogs/write \| Creates or updates a catalog. \| +> \| Microsoft.DevCenter/devcenters/catalogs/delete \| Deletes a catalog resource. \| +> \| Microsoft.DevCenter/devcenters/catalogs/write \| Partially updates a catalog. \| +> \| Microsoft.DevCenter/devcenters/catalogs/getSyncErrorDetails/action \| Gets catalog synchronization error details \| +> \| Microsoft.DevCenter/devcenters/catalogs/sync/action \| Syncs templates for a template source. \| +> \| Microsoft.DevCenter/devcenters/catalogs/connect/action \| Connects a catalog to enable syncing. \| +> \| Microsoft.DevCenter/devcenters/catalogs/environmentDefinitions/read \| List environment definitions in the catalog. \| +> \| Microsoft.DevCenter/devcenters/catalogs/environmentDefinitions/read \| Gets an environment definition from the catalog. \| +> \| Microsoft.DevCenter/devcenters/catalogs/environmentDefinitions/getErrorDetails/action \| Gets Environment Definition error details \| +> \| Microsoft.DevCenter/devcenters/devboxdefinitions/read \| List Dev Box definitions for a devcenter. \| +> \| Microsoft.DevCenter/devcenters/devboxdefinitions/read \| Gets a Dev Box definition \| +> \| Microsoft.DevCenter/devcenters/devboxdefinitions/write \| Creates or updates a Dev Box definition. \| +> \| Microsoft.DevCenter/devcenters/devboxdefinitions/delete \| Deletes a Dev Box definition \| +> \| Microsoft.DevCenter/devcenters/devboxdefinitions/write \| Partially updates a Dev Box definition. \| +> \| Microsoft.DevCenter/devcenters/environmentTypes/read \| Lists environment types for the devcenter. \| +> \| Microsoft.DevCenter/devcenters/environmentTypes/read \| Gets an environment type. \| +> \| Microsoft.DevCenter/devcenters/environmentTypes/write \| Creates or updates an environment type. \| +> \| Microsoft.DevCenter/devcenters/environmentTypes/delete \| Deletes an environment type. \| +> \| Microsoft.DevCenter/devcenters/environmentTypes/write \| Partially updates an environment type. \| +> \| Microsoft.DevCenter/devcenters/galleries/read \| Lists galleries for a devcenter. \| +> \| Microsoft.DevCenter/devcenters/galleries/read \| Gets a gallery \| +> \| Microsoft.DevCenter/devcenters/galleries/write \| Creates or updates a gallery. \| +> \| Microsoft.DevCenter/devcenters/galleries/delete \| Deletes a gallery resource. \| +> \| Microsoft.DevCenter/devcenters/galleries/images/read \| Lists images for a gallery. \| +> \| Microsoft.DevCenter/devcenters/galleries/images/read \| Gets a gallery image. \| +> \| Microsoft.DevCenter/devcenters/galleries/images/versions/read \| Lists versions for an image. \| +> \| Microsoft.DevCenter/devcenters/galleries/images/versions/read \| Gets an image version. \| +> \| Microsoft.DevCenter/devcenters/images/read \| Lists images for a devcenter. \| +> \| Microsoft.DevCenter/Locations/OperationStatuses/read \| read OperationStatuses \| +> \| Microsoft.DevCenter/Locations/OperationStatuses/write \| write OperationStatuses \| +> \| Microsoft.DevCenter/locations/usages/read \| Lists the current usages and limits in this location for the provided subscription. \| +> \| Microsoft.DevCenter/networkConnections/read \| Lists network connections in a subscription \| +> \| Microsoft.DevCenter/networkConnections/read \| Lists network connections in a resource group \| +> \| Microsoft.DevCenter/networkConnections/read \| Gets a network connection resource \| +> \| Microsoft.DevCenter/networkConnections/write \| Creates or updates a Network Connections resource \| +> \| Microsoft.DevCenter/networkConnections/delete \| Deletes a Network Connections resource \| +> \| Microsoft.DevCenter/networkConnections/write \| Partially updates a Network Connection \| +> \| Microsoft.DevCenter/networkConnections/runHealthChecks/action \| Triggers a new health check run. The execution and health check result can be tracked via the network Connection health check details \| +> \| Microsoft.DevCenter/networkConnections/DevCenterJoin/action \| Allow a DevCenter to attach this NetworkConnection. \| +> \| Microsoft.DevCenter/networkConnections/healthChecks/read \| Lists health check status details \| +> \| Microsoft.DevCenter/networkConnections/healthChecks/read \| Gets health check status details. \| +> \| Microsoft.DevCenter/networkConnections/outboundNetworkDependenciesEndpoints/read \| Lists the endpoints that agents may call as part of Dev Box service administration. These FQDNs should be allowed for outbound access in order for the Dev Box service to function. \| +> \| Microsoft.DevCenter/operations/read \| read operations \| +> \| Microsoft.DevCenter/projects/read \| Lists all projects in the subscription. \| +> \| Microsoft.DevCenter/projects/read \| Lists all projects in the resource group. \| +> \| Microsoft.DevCenter/projects/read \| Gets a specific project. \| +> \| Microsoft.DevCenter/projects/write \| Creates or updates a project. \| +> \| Microsoft.DevCenter/projects/delete \| Deletes a project resource. \| +> \| Microsoft.DevCenter/projects/write \| Partially updates a project. \| +> \| Microsoft.DevCenter/projects/allowedEnvironmentTypes/read \| Lists allowed environment types for a project. \| +> \| Microsoft.DevCenter/projects/allowedEnvironmentTypes/read \| Gets an allowed environment type. \| +> \| Microsoft.DevCenter/projects/attachednetworks/read \| Lists the attached NetworkConnections for a Project. \| +> \| Microsoft.DevCenter/projects/attachednetworks/read \| Gets an attached NetworkConnection. \| +> \| Microsoft.DevCenter/projects/catalogs/read \| Lists the catalogs associated with a project. \| +> \| Microsoft.DevCenter/projects/catalogs/read \| Gets an associated project catalog. \| +> \| Microsoft.DevCenter/projects/catalogs/write \| Creates or updates a project catalog. \| +> \| Microsoft.DevCenter/projects/catalogs/delete \| Deletes a project catalog resource. \| +> \| Microsoft.DevCenter/projects/catalogs/write \| Partially updates a project catalog. \| +> \| Microsoft.DevCenter/projects/catalogs/getSyncErrorDetails/action \| Gets project catalog synchronization error details \| +> \| Microsoft.DevCenter/projects/catalogs/sync/action \| Syncs templates for a template source. \| +> \| Microsoft.DevCenter/projects/catalogs/connect/action \| Connects a project catalog to enable syncing. \| +> \| Microsoft.DevCenter/projects/catalogs/environmentDefinitions/read \| Lists the environment definitions in this project catalog. \| +> \| Microsoft.DevCenter/projects/catalogs/environmentDefinitions/read \| Gets an environment definition from the catalog. \| +> \| Microsoft.DevCenter/projects/catalogs/environmentDefinitions/getErrorDetails/action \| Gets Environment Definition error details \| +> \| Microsoft.DevCenter/projects/devboxdefinitions/read \| List Dev Box definitions configured for a project. \| +> \| Microsoft.DevCenter/projects/devboxdefinitions/read \| Gets a Dev Box definition configured for a project \| +> \| Microsoft.DevCenter/projects/environmentTypes/read \| Lists environment types for a project. \| +> \| Microsoft.DevCenter/projects/environmentTypes/read \| Gets a project environment type. \| +> \| Microsoft.DevCenter/projects/environmentTypes/write \| Creates or updates a project environment type. \| +> \| Microsoft.DevCenter/projects/environmentTypes/delete \| Deletes a project environment type. \| +> \| Microsoft.DevCenter/projects/environmentTypes/write \| Partially updates a project environment type. \| +> \| Microsoft.DevCenter/projects/pools/read \| Lists pools for a project \| +> \| Microsoft.DevCenter/projects/pools/read \| Gets a machine pool \| +> \| Microsoft.DevCenter/projects/pools/write \| Creates or updates a machine pool \| +> \| Microsoft.DevCenter/projects/pools/delete \| Deletes a machine pool \| +> \| Microsoft.DevCenter/projects/pools/write \| Partially updates a machine pool \| +> \| Microsoft.DevCenter/projects/pools/runHealthChecks/action \| Triggers a refresh of the pool status. \| +> \| Microsoft.DevCenter/projects/pools/schedules/read \| Lists schedules for a pool \| +> \| Microsoft.DevCenter/projects/pools/schedules/read \| Gets a schedule resource. \| +> \| Microsoft.DevCenter/projects/pools/schedules/write \| Creates or updates a Schedule. \| +> \| Microsoft.DevCenter/projects/pools/schedules/delete \| Deletes a Scheduled. \| +> \| Microsoft.DevCenter/projects/pools/schedules/write \| Partially updates a Scheduled. \| +> \| Microsoft.DevCenter/registeredSubscriptions/read \| read registeredSubscriptions \| +> \| Microsoft.DevCenter/RegisteredSubscriptions/read \| Reads registered subscriptions \| +> \| DataAction \| Description \| +> \| Microsoft.DevCenter/projects/users/devboxes/adminStart/action \| Allows a user to start any Dev Box resource. \| +> \| Microsoft.DevCenter/projects/users/devboxes/adminStop/action \| Allows a user to stop any Dev Box resource. \| +> \| Microsoft.DevCenter/projects/users/devboxes/adminRead/action \| Allows a user read access to any Dev Box resource. \| +> \| Microsoft.DevCenter/projects/users/devboxes/adminWrite/action \| Allows a user write access to any Dev Box resource. \| +> \| Microsoft.DevCenter/projects/users/devboxes/adminDelete/action \| Allows a user to delete any Dev Box resource. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userStop/action \| Allows a user to stop their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userStart/action \| Allows a user to start their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action \| Allows a user to get the RDP connection information for their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userRead/action \| Allows a user to read their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userWrite/action \| Allows a user to create and update their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userDelete/action \| Allows a user to delete their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action \| Allows a user to read upcoming actions. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action \| Allows a user to skip or delay upcoming actions. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userActionRead/action \| Allows a user to read dev box actions. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userActionManage/action \| Allows a user to skip or delay dev box actions. \| +> \| Microsoft.DevCenter/projects/users/devboxes/userCustomize/action \| Allows a user to customize their own Dev Box resources. \| +> \| Microsoft.DevCenter/projects/users/environments/userRead/action \| Allows a user to read the environments they have access to in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/adminRead/action \| Allows a project administrator to read all of the environments in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/userWrite/action \| Allows a user to write the environments they have access to in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/adminWrite/action \| Allows a project administrator to write all of the environments in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/userDelete/action \| Allows a user to delete the environments they have access to in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/adminDelete/action \| Allows a project administrator to delete all of the environments in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/userAction/action \| Allows a user to perform an action on the environments they have access to in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/adminAction/action \| Allows a project administrator to perform an action on all of the environments in a project. \| +> \| Microsoft.DevCenter/projects/users/environments/userActionRead/action \| Allows a user to read environment actions. \| +> \| Microsoft.DevCenter/projects/users/environments/adminActionRead/action \| Allows an admin to read environment actions. \| +> \| Microsoft.DevCenter/projects/users/environments/userActionManage/action \| Allows a user to skip, delay etc. environment actions. \| +> \| Microsoft.DevCenter/projects/users/environments/adminActionManage/action \| Allows an admin to skip, delay etc. environment actions. \| +> \| Microsoft.DevCenter/projects/users/environments/userOutputsRead/action \| Allows a user to read Output values from environment deployment. \| +> \| Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action \| Allows an admin to read Output values from environment deployment. \| + ## Microsoft.DevTestLab Quickly create environments using reusable templates and artifacts.
role-based-access-control	Integration	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/integration.md	Azure service: [Logic Apps](/azure/logic-apps/) > \| Microsoft.Logic/workflows/versions/read \| Reads the workflow version. \| > \| Microsoft.Logic/workflows/versions/triggers/listCallbackUrl/action \| Gets the callback URL for trigger. \| +## Microsoft.ModSimWorkbench + +Azure service: [Azure Modeling and Simulation Workbench](/azure/modeling-simulation-workbench/modeling-simulation-workbench-overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.ModSimWorkbench/register/action \| Register the subscription for Microsoft.ModSimWorkbench \| +> \| Microsoft.ModSimWorkbench/unregister/action \| Unregister the subscription for Microsoft.ModSimWorkbench \| +> \| Microsoft.ModSimWorkbench/Locations/operationStatuses/read \| read operationStatuses \| +> \| Microsoft.ModSimWorkbench/Locations/operationStatuses/write \| write operationStatuses \| +> \| Microsoft.ModSimWorkbench/Operations/read \| read Operations \| +> \| Microsoft.ModSimWorkbench/workbenches/read \| read workbenches \| +> \| Microsoft.ModSimWorkbench/workbenches/read \| read workbenches \| +> \| Microsoft.ModSimWorkbench/workbenches/read \| read workbenches \| +> \| Microsoft.ModSimWorkbench/workbenches/write \| write workbenches \| +> \| Microsoft.ModSimWorkbench/workbenches/delete \| delete workbenches \| +> \| Microsoft.ModSimWorkbench/workbenches/write \| write workbenches \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action \| getUploadUri chambers \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/start/action \| start chambers \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/stop/action \| stop chambers \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/restart/action \| restart chambers \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/licenseUpdate/action \| licenseUpdate chambers \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/licenseRestart/action \| licenseRestart chambers \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/read \| Gets information about the specified Chamber. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/write \| Creates or updates the specified Chamber. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/delete \| Deletes the specified Chamber. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/write \| Updates the specified Chamber. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/read \| Lists all Chambers. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/start/action \| start connectors \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/stop/action \| stop connectors \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/restart/action \| restart connectors \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/read \| Gets information about the specified connector. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/write \| Creates or updates the specified connector. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/delete \| Deletes the specified connector. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/write \| Updates the specified connector. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/read \| Lists all connectors. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/connectors/licenseAdd/action \| Add license to an ModSim Workbench connector. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/read \| read fileRequests \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action \| manage fileRequests \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/action \| getDownloadUri fileRequests \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/read \| Get ModSim Workbench chamber data pipeline file request resource collection. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/files/read \| read files \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/files/read \| Lists all files. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/storages/read \| Gets information about the specified storage. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/storages/write \| Creates or updates the specified storage. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/storages/delete \| Deletes the specified storage. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/storages/write \| Updates the specified storage. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/storages/read \| Lists all storages. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/start/action \| start workloads \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/stop/action \| stop workloads \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/restart/action \| restart workloads \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/read \| Gets information about the specified workload. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/write \| Creates or updates the specified workload. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/delete \| Deletes the specified workload. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/write \| Updates the specified workload. \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/workloads/read \| Lists all workloads. \| +> \| DataAction \| Description \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/files/manage/action \| manage files \| +> \| Microsoft.ModSimWorkbench/workbenches/chambers/files/downloadRequest/action \| downloadRequest files \| + ## Microsoft.NotificationHubs Send push notifications to any platform from any back end. Azure service: [Azure Relay](/azure/azure-relay/relay-what-is-it) > \| Microsoft.Relay/namespaces/messages/send/action \| Send messages \| > \| Microsoft.Relay/namespaces/messages/listen/action \| Receive messages \| +## Microsoft.ResourceNotifications + +Azure service: [Azure Event Grid](/azure/event-grid/overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.ResourceNotifications/eventGridFilters/read \| Creates/Updates the specified event grid filters \| +> \| Microsoft.ResourceNotifications/eventGridFilters/write \| Creates/Updates the specified event grid filters \| +> \| Microsoft.ResourceNotifications/eventGridFilters/delete \| Deletes the specified event grid filters \| +> \| Microsoft.ResourceNotifications/operations/read \| Gets the list of supported operations \| +> \| Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action \| Permission to perform creation and event subscription creation on a Resources system topic \| +> \| Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action \| Permission to perform creation and event subscription creation on a HealthResources system topic \| +> \| Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action \| Permission to perform creation and event subscription creation on a MaintenanceResources system topic \| +> \| Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action \| Permission to perform creation and event subscription creation on a ComputeResources system topic \| +> \| Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action \| Permission to perform creation and event subscription creation on a ComputeScheduleResources system topic \| +> \| Microsoft.ResourceNotifications/systemTopics/subscribeToContainerServiceEventResources/action \| Permission to perform creation and event subscription creation on a ContainerServiceEventResources system topic \| + ## Microsoft.ServiceBus Connect across private and public cloud environments.
role-based-access-control	Internet Of Things	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/internet-of-things.md	This article lists the permissions for the Azure resource providers in the Internet of Things category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +## Microsoft.AzureSphere + +Azure service: [Azure Sphere](/azure-sphere/product-overview/what-is-azure-sphere) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.AzureSphere/register/action \| Register the subscription for Microsoft.AzureSphere \| +> \| Microsoft.AzureSphere/unregister/action \| Unregister the subscription for Microsoft.AzureSphere \| +> \| Microsoft.AzureSphere/catalogs/countDevices/action \| Counts devices in catalog. \| +> \| Microsoft.AzureSphere/catalogs/listDeployments/action \| Lists deployments for catalog. \| +> \| Microsoft.AzureSphere/catalogs/listDeviceGroups/action \| List the device groups for the catalog. \| +> \| Microsoft.AzureSphere/catalogs/listDeviceInsights/action \| Lists device insights for catalog. \| +> \| Microsoft.AzureSphere/catalogs/listDevices/action \| Lists devices for catalog. \| +> \| Microsoft.AzureSphere/catalogs/read \| List Catalog resources by subscription ID \| +> \| Microsoft.AzureSphere/catalogs/read \| List Catalog resources by resource group \| +> \| Microsoft.AzureSphere/catalogs/read \| Get a Catalog \| +> \| Microsoft.AzureSphere/catalogs/write \| Create a Catalog \| +> \| Microsoft.AzureSphere/catalogs/delete \| Delete a Catalog \| +> \| Microsoft.AzureSphere/catalogs/write \| Update a Catalog \| +> \| Microsoft.AzureSphere/catalogs/uploadImage/action \| Creates an image. Use this action when the image ID is unknown. \| +> \| Microsoft.AzureSphere/catalogs/certificates/read \| List Certificate resources by Catalog \| +> \| Microsoft.AzureSphere/catalogs/certificates/read \| Get a Certificate \| +> \| Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action \| Retrieves cert chain. \| +> \| Microsoft.AzureSphere/catalogs/certificates/retrieveProofOfPossessionNonce/action \| Gets the proof of possession nonce. \| +> \| Microsoft.AzureSphere/catalogs/images/read \| List Image resources by Catalog \| +> \| Microsoft.AzureSphere/catalogs/images/read \| Get a Image \| +> \| Microsoft.AzureSphere/catalogs/images/write \| Create a Image \| +> \| Microsoft.AzureSphere/catalogs/images/delete \| Delete a Image \| +> \| Microsoft.AzureSphere/catalogs/products/read \| List Product resources by Catalog \| +> \| Microsoft.AzureSphere/catalogs/products/read \| Get a Product. '.default' and '.unassigned' are system defined values and cannot be used for product name. \| +> \| Microsoft.AzureSphere/catalogs/products/write \| Create a Product. '.default' and '.unassigned' are system defined values and cannot be used for product name. \| +> \| Microsoft.AzureSphere/catalogs/products/delete \| Delete a Product. '.default' and '.unassigned' are system defined values and cannot be used for product name' \| +> \| Microsoft.AzureSphere/catalogs/products/write \| Update a Product. '.default' and '.unassigned' are system defined values and cannot be used for product name. \| +> \| Microsoft.AzureSphere/catalogs/products/countDevices/action \| Counts devices in product. '.default' and '.unassigned' are system defined values and cannot be used for product name. \| +> \| Microsoft.AzureSphere/catalogs/products/generateDefaultDeviceGroups/action \| Generates default device groups for the product. '.default' and '.unassigned' are system defined values and cannot be used for product name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/read \| List DeviceGroup resources by Product. '.default' and '.unassigned' are system defined values and cannot be used for product name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/read \| Get a DeviceGroup. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/write \| Create a DeviceGroup. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/delete \| Delete a DeviceGroup. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/write \| Update a DeviceGroup. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/claimDevices/action \| Bulk claims the devices. Use '.unassigned' or '.default' for the device group and product names when bulk claiming devices to a catalog only. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action \| Counts devices in device group. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/deployments/read \| List Deployment resources by DeviceGroup. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/deployments/read \| Get a Deployment. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/deployments/write \| Create a Deployment. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/deployments/delete \| Delete a Deployment. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/devices/read \| List Device resources by DeviceGroup. '.default' and '.unassigned' are system defined values and cannot be used for product or device group name. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/devices/read \| Get a Device. Use '.unassigned' or '.default' for the device group and product names when a device does not belong to a device group and product. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/devices/write \| Create a Device. Use '.unassigned' or '.default' for the device group and product names to claim a device to the catalog only. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/devices/delete \| Delete a Device \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/devices/write \| Update a Device. Use '.unassigned' or '.default' for the device group and product names to move a device to the catalog level. \| +> \| Microsoft.AzureSphere/catalogs/products/deviceGroups/devices/generateCapabilityImage/action \| Generates the capability image for the device. Use '.unassigned' or '.default' for the device group and product names to generate the image for a device that does not belong to a specific device group and product. \| +> \| Microsoft.AzureSphere/locations/operationStatuses/read \| read operationStatuses \| +> \| Microsoft.AzureSphere/locations/operationStatuses/write \| write operationStatuses \| +> \| Microsoft.AzureSphere/operations/read \| read operations \| + ## Microsoft.Devices Ensure that your users are accessing your resources from devices that meet your standards for security and compliance. Azure service: [IoT Central](/azure/iot-central/) > \| Microsoft.IoTCentral/locations/operationStatuses/read \| Get async operation status for IoT Central \| > \| Microsoft.IoTCentral/operations/read \| Get/List all the available operations for IoT Central \| +## Microsoft.IoTFirmwareDefense + +Azure service: [Microsoft Defender for IoT](/azure/defender-for-iot/device-builders/overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.IoTFirmwareDefense/register/action \| Register the subscription for Microsoft.IoTFirmwareDefense \| +> \| Microsoft.IoTFirmwareDefense/unregister/action \| Unregister the subscription for Microsoft.IoTFirmwareDefense \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/read \| Get firmware group. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/write \| The operation to create or update a firmwareGroups resource. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/delete \| The operation to delete a firmware group. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/write \| The operation to update a firmware groups. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/generateUploadUrl/action \| The operation to get a url for file upload. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/read \| Lists all of firmwareGroups in the specified subscription. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/read \| Get firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/write \| The operation to create a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/delete \| The operation to delete a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/write \| The operation to update firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/read \| Lists all of firmwares inside firmware group. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/getUploadUrl/action \| The operation to a url for file upload. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateDownloadUrl/action \| The operation to a url for file download. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateFilesystemDownloadUrl/action \| The operation to a url for tar file download. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateSummary/action \| The operation to get a scan summary. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateComponentList/action \| The operation to list all components result for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateComponentDetails/action \| The operation to get component details for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateBinaryHardeningList/action \| The operation to list all binary hardening result for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateBinaryHardeningSummary/action \| The operation to list the binary hardening summary percentages for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateBinaryHardeningDetails/action \| The operation to get binary hardening details for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generatePasswordHashList/action \| The operation to list all password hashes for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateCveList/action \| The operation to list all cve results for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/firmwareGroups/firmwares/generateCveSummary/action \| The operation to provide a high level summary of the CVEs reported for the firmware image. \| +> \| Microsoft.IoTFirmwareDefense/locations/operationStatuses/read \| read operationStatuses \| +> \| Microsoft.IoTFirmwareDefense/locations/operationStatuses/write \| write operationStatuses \| +> \| Microsoft.IoTFirmwareDefense/operations/read \| read operations \| +> \| Microsoft.IoTFirmwareDefense/workspaces/read \| Lists all of the firmware analysis workspaces in the specified subscription. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/read \| Lists all of the firmware analysis workspaces in the specified resource group. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/read \| Get firmware analysis workspace. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/write \| The operation to create or update a firmware analysis workspace. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/delete \| The operation to delete a firmware analysis workspace. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/write \| The operation to update a firmware analysis workspaces. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/generateUploadUrl/action \| The operation to get a url for file upload. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateDownloadUrl/action \| The operation to a url for file download. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateFilesystemDownloadUrl/action \| The operation to a url for tar file download. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateSummary/action \| The operation to get a scan summary. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateComponentList/action \| The operation to list all components result for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateComponentDetails/action \| The operation to get component details for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateBinaryHardeningList/action \| The operation to list all binary hardening result for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateBinaryHardeningSummary/action \| The operation to list the binary hardening summary percentages for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateBinaryHardeningDetails/action \| The operation to get binary hardening details for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generatePasswordHashList/action \| The operation to list all password hashes for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateCveList/action \| The operation to list all cve results for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateCveSummary/action \| The operation to provide a high level summary of the CVEs reported for the firmware image. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateCryptoCertificateSummary/action \| The operation to provide a high level summary of the discovered cryptographic certificates reported for the firmware image. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateCryptoKeySummary/action \| The operation to provide a high level summary of the discovered cryptographic keys reported for the firmware image. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateCryptoCertificateList/action \| The operation to list all crypto certificates for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateCryptoKeyList/action \| The operation to list all crypto keys for a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/read \| Lists all of firmwares inside a workspace. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/read \| Get firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/write \| The operation to create a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/delete \| The operation to delete a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/write \| The operation to update firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateDownloadUrl/action \| The operation to a url for file download. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/generateFilesystemDownloadUrl/action \| The operation to a url for tar file download. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/binaryHardeningResults/read \| Lists binary hardening analysis results of a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/cryptoCertificates/read \| Lists cryptographic certificate analysis results found in a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/cryptoKeys/read \| Lists cryptographic key analysis results found in a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/cves/read \| Lists CVE analysis results of a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/passwordHashes/read \| Lists password hash analysis results of a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/sbomComponents/read \| Lists SBOM analysis results of a firmware. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/summaries/read \| Lists analysis result summary names of a firmware. To fetch the full summary data, get that summary by name. \| +> \| Microsoft.IoTFirmwareDefense/workspaces/firmwares/summaries/read \| Get an analysis result summary of a firmware by name. \| + ## Microsoft.IoTSecurity Azure service: [IoT security](/azure/iot/iot-security-architecture)
role-based-access-control	Management And Governance	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/management-and-governance.md	Azure service: [Cost Management + Billing](/azure/cost-management-billing/) > \| Microsoft.Billing/promotions/read \| List or get promotions \| > \| Microsoft.Billing/validateAddress/write \| \| +## Microsoft.BillingBenefits + +Azure service: [Azure savings plans](/azure/cost-management-billing/savings-plan/savings-plan-compute-overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.BillingBenefits/savingsPlanOrders/action \| Update a Savings plan order \| +> \| Microsoft.BillingBenefits/register/action \| Registers the BillingBenefits resource provider and enables the creation of BillingBenefits resources. \| +> \| Microsoft.BillingBenefits/credits/read \| Read all Credits \| +> \| Microsoft.BillingBenefits/credits/write \| Create or update a Credit \| +> \| Microsoft.BillingBenefits/credits/delete \| Delete a Credit \| +> \| Microsoft.BillingBenefits/credits/cancel/action \| Cancel a Credit \| +> \| Microsoft.BillingBenefits/credits/sources/read \| Read all Sources \| +> \| Microsoft.BillingBenefits/credits/sources/write \| Create or update a Source \| +> \| Microsoft.BillingBenefits/credits/sources/delete \| Delete a Source \| +> \| Microsoft.BillingBenefits/maccs/read \| Read all MACCs \| +> \| Microsoft.BillingBenefits/maccs/write \| Create a MACC \| +> \| Microsoft.BillingBenefits/maccs/delete \| Delete a MACC \| +> \| Microsoft.BillingBenefits/maccs/cancel/action \| Cancel a MACC \| +> \| Microsoft.BillingBenefits/maccs/chargeShortfall/action \| Charge shortfall on MACC \| +> \| Microsoft.BillingBenefits/maccs/contributors/read \| Get all Contributors \| +> \| Microsoft.BillingBenefits/savingsPlanOrderAliases/read \| Read all savings plan order aliases \| +> \| Microsoft.BillingBenefits/savingsPlanOrderAliases/write \| Create a Savings plan order alias \| +> \| Microsoft.BillingBenefits/savingsPlanOrders/read \| Read all savings plan orders \| +> \| Microsoft.BillingBenefits/savingsPlanOrders/write \| Create a savings plan orders \| +> \| Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read \| Read All SavingsPlans \| +> \| Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write \| Patch an existing Savings plan \| + ## Microsoft.Blueprint Enabling quick, repeatable creation of governed environments. Azure service: [Cost Management](/azure/cost-management-billing/) > \| Microsoft.CostManagement/views/delete \| Delete saved views. \| > \| Microsoft.CostManagement/views/write \| Update view. \| +## Microsoft.CustomerLockbox + +Interface for customers to review and approve or reject customer data access requests. + +Azure service: [Customer Lockbox for Microsoft Azure](/azure/security/fundamentals/customer-lockbox-overview) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.CustomerLockbox/register/action \| Register Provider Microsoft.CustomerLockbox \| +> \| Microsoft.CustomerLockbox/operations/read \| Read Lockbox Operations \| +> \| Microsoft.CustomerLockbox/requests/UpdateApproval/action \| Update Approval Microsoft.CustomerLockbox \| +> \| Microsoft.CustomerLockbox/requests/read \| Read Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/CreateLockboxRequest/action \| Create Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/ApproveLockboxRequest/action \| Approve Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/DenyLockboxRequest/action \| Deny Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/ExpireLockboxRequest/action \| Expire Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/CancelLockboxRequest/action \| Cancel Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/AutoApproveLockboxRequest/action \| AutoApprove Lockbox Request \| +> \| Microsoft.CustomerLockbox/requests/activitylog/AutoDenyLockboxRequest/action \| AutoDeny Lockbox Request \| + ## Microsoft.Features Azure service: [Azure Resource Manager](/azure/azure-resource-manager/) Azure service: [Azure Managed Applications](/azure/azure-resource-manager/manage > \| Microsoft.Solutions/locations/operationstatuses/write \| write operationstatuses \| > \| Microsoft.Solutions/operations/read \| read operations \| +## Microsoft.Workloads + +Azure service: [SAP on Azure](/azure/sap/) + +> [!div class="mx-tableFixed"] +> \| Action \| Description \| +> \| \| \| +> \| Microsoft.Workloads/register/action \| Register the subscription for Microsoft.Workloads \| +> \| Microsoft.Workloads/unregister/action \| Unregister the subscription for Microsoft.Workloads \| +> \| Microsoft.Workloads/connectors/read \| Gets a connector resource \| +> \| Microsoft.Workloads/connectors/write \| Creates a connector resource \| +> \| Microsoft.Workloads/connectors/delete \| Deletes a connector resource and its child resources, which are the associated connection resources. All the child resources have to be deleted before deleting the connector resource. \| +> \| Microsoft.Workloads/connectors/write \| Updates a connector resource \| +> \| Microsoft.Workloads/connectors/read \| Gets all connector resources in a Resource Group. \| +> \| Microsoft.Workloads/connectors/read \| Gets all connector resources in a Subscription. \| +> \| Microsoft.Workloads/connectors/acssBackups/read \| Gets the backup connection resource of virtual instance for SAP. \| +> \| Microsoft.Workloads/connectors/acssBackups/write \| Creates the backup connection resource of virtual instance for SAP. \| +> \| Microsoft.Workloads/connectors/acssBackups/delete \| Deletes the backup connection resource of virtual instance for SAP. \| +> \| Microsoft.Workloads/connectors/acssBackups/write \| Updates the backup connection resource of virtual instance for SAP. <br><br>This can be used to update tags on the resource. \| +> \| Microsoft.Workloads/connectors/acssBackups/read \| Lists the backup connection resources of virtual instance for SAP under the given connector resource. \| +> \| Microsoft.Workloads/connectors/sapVirtualInstanceMonitors/read \| Gets the monitor connection resource of virtual instance for SAP. \| +> \| Microsoft.Workloads/connectors/sapVirtualInstanceMonitors/write \| Creates the monitor connection resource of virtual instance for SAP. \| +> \| Microsoft.Workloads/connectors/sapVirtualInstanceMonitors/delete \| Deletes the monitor connection resource of virtual instance for SAP. \| +> \| Microsoft.Workloads/connectors/sapVirtualInstanceMonitors/write \| Updates the monitor connection resource of virtual instance for SAP. <br><br>This can be used to update tags on the resource. \| +> \| Microsoft.Workloads/connectors/sapVirtualInstanceMonitors/read \| Lists the monitor connection resources of virtual instance for SAP under the given connector resource. \| +> \| Microsoft.Workloads/insights/read \| Gets properties of Workloads Insights instance for the specified subscription, resource group and instance name. \| +> \| Microsoft.Workloads/insights/read \| Gets a list of Workloads Insight instances in the specified subscription and resource group. The operations returns various properties of each instance. \| +> \| Microsoft.Workloads/insights/read \| Gets a list of Workloads Insight instances in the specified subscription. The operations returns various properties of each instance. \| +> \| Microsoft.Workloads/insights/write \| Creates a Workloads Insights instance for the specified subscription, resource group, and instance name. \| +> \| Microsoft.Workloads/insights/delete \| Deletes a Workloads Insights instance for the specified subscription, resource group and instance name. \| +> \| Microsoft.Workloads/insights/write \| Patches the Workload Insights instance for the specified subscription, resource group, and instance name. \| +> \| Microsoft.Workloads/Locations/OperationStatuses/read \| read OperationStatuses \| +> \| Microsoft.Workloads/Locations/OperationStatuses/write \| write OperationStatuses \| +> \| Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getSizingRecommendations/action \| Get SAP sizing recommendations. \| +> \| Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getSapSupportedSku/action \| Get SAP supported SKUs. \| +> \| Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getDiskConfigurations/action \| Get SAP Disk Configurations. \| +> \| Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getAvailabilityZoneDetails/action \| Get SAP Availability Zone Details. \| +> \| Microsoft.Workloads/monitors/read \| Gets a list of SAP monitors in the specified subscription. The operations returns various properties of each SAP monitor. \| +> \| Microsoft.Workloads/monitors/read \| Gets a list of SAP monitors in the specified resource group. \| +> \| Microsoft.Workloads/monitors/read \| Gets properties of a SAP monitor for the specified subscription, resource group, and resource name. \| +> \| Microsoft.Workloads/monitors/write \| Creates a SAP monitor for the specified subscription, resource group, and resource name. \| +> \| Microsoft.Workloads/monitors/delete \| Deletes a SAP monitor with the specified subscription, resource group, and monitor name. \| +> \| Microsoft.Workloads/monitors/write \| Patches the Tags field of a SAP monitor for the specified subscription, resource group, and monitor name. \| +> \| Microsoft.Workloads/monitors/alerts/read \| Gets a list of alert instances in the specified SAP monitor. The operations returns various properties of each provider instances. \| +> \| Microsoft.Workloads/monitors/alerts/read \| Gets properties of a alert for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/alerts/write \| Creates a alert for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/alerts/delete \| Deletes a alert for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/alertTemplates/read \| Gets properties of an alert template for the specified subscription, resource group, SAP monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/alertTemplates/read \| Gets properties of a alert for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/providerInstances/read \| Gets a list of provider instances in the specified SAP monitor. The operations returns various properties of each provider instances. \| +> \| Microsoft.Workloads/monitors/providerInstances/read \| Gets properties of a provider instance for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/providerInstances/write \| Creates a provider instance for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/providerInstances/delete \| Deletes a provider instance for the specified subscription, resource group, Monitor name, and resource name. \| +> \| Microsoft.Workloads/monitors/sapLandscapeMonitor/read \| Gets a list of properties of a SAP Landscape monitor configuration for the specified subscription, resource group, and resource name. \| +> \| Microsoft.Workloads/monitors/sapLandscapeMonitor/read \| Gets properties of a SAP Landscape monitor configuration for the specified subscription, resource group, and resource name. \| +> \| Microsoft.Workloads/monitors/sapLandscapeMonitor/write \| Creates a SAP Landscape monitor configuration for the specified subscription, resource group, and resource name. \| +> \| Microsoft.Workloads/monitors/sapLandscapeMonitor/delete \| Deletes a SAP Landscape monitor configuration with the specified subscription, resource group, and monitor name. \| +> \| Microsoft.Workloads/Operations/read \| read Operations \| +> \| Microsoft.Workloads/phpWorkloads/read \| Lists phpWorkload resources in a subscription \| +> \| Microsoft.Workloads/phpWorkloads/read \| Lists phpWorkload resources in a resource group \| +> \| Microsoft.Workloads/phpWorkloads/read \| Gets a phpWorkload resource \| +> \| Microsoft.Workloads/phpWorkloads/write \| Create or updated phpWorkloads resource \| +> \| Microsoft.Workloads/phpWorkloads/delete \| Delete phpWorkloads resource \| +> \| Microsoft.Workloads/phpWorkloads/write \| Update PHP workload resource. \| +> \| Microsoft.Workloads/phpWorkloads/wordpressInstances/read \| Lists WordpressInstances resources under a phpWorkload resource \| +> \| Microsoft.Workloads/phpWorkloads/wordpressInstances/read \| Gets a WordpressInstances resource \| +> \| Microsoft.Workloads/phpWorkloads/wordpressInstances/write \| Create or updated WordpressInstances resource \| +> \| Microsoft.Workloads/phpWorkloads/wordpressInstances/delete \| Delete WordpressInstances resource \| +> \| Microsoft.Workloads/RegisteredSubscriptions/read \| Reads registered subscriptions \| +> \| Microsoft.Workloads/sapDiscoverySites/read \| Gets a SAP Migration discovery site resource. \| +> \| Microsoft.Workloads/sapDiscoverySites/write \| Creates a discovery site for SAP Migration. \| +> \| Microsoft.Workloads/sapDiscoverySites/delete \| Deletes a SAP Migration discovery site resource and its child resources, that is the associated SAP Instances and Server Instances. \| +> \| Microsoft.Workloads/sapDiscoverySites/write \| SAPDiscoverySites_Update. \| +> \| Microsoft.Workloads/sapDiscoverySites/read \| Gets all SAP Migration discovery site resources in a Resource Group. \| +> \| Microsoft.Workloads/sapDiscoverySites/read \| Gets all SAP Migration discovery site resources in a Subscription. \| +> \| Microsoft.Workloads/sapDiscoverySites/importEntities/action \| Import a SAP Migration discovery site resource and it's child resources, that is the SAP instances and Server instances. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/read \| Gets the SAP Instance resource. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/write \| Creates the SAP Instance resource. <br><br>This will be used by service only. PUT operation on this resource by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/delete \| Deletes the SAP Instance resource. <br><br>This will be used by service only. Delete operation on this resource by end user will return a Bad Request error. You can delete the parent resource, which is the SAP Migration discovery site resource, using the delete operation on it. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/write \| Updates the SAP Instance resource. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/read \| Lists the SAP Instance resources for the given SAP Migration discovery site resource. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/serverInstances/read \| Gets the Server Instance resource. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/serverInstances/write \| Creates the Server Instance resource. <br><br>This will be used by service only. PUT operation on this resource by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/serverInstances/delete \| Deletes the Server Instance resource. <br><br>This will be used by service only. Delete operation on this resource by end user will return a Bad Request error. You can delete the parent resource, which is the SAP Migration discovery site resource, using the delete operation on it. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/serverInstances/write \| Updates the Server Instance resource. This operation on a resource by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapDiscoverySites/sapInstances/serverInstances/read \| Lists the Server Instance resources for the given SAP Instance resource. \| +> \| Microsoft.Workloads/sapVirtualInstances/read \| Gets an SAP Virtual Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/write \| Creates an SAP Virtual Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/delete \| Deletes an SAP Virtual Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/write \| Updates an SAP Virtual Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/read \| Gets all SAP Virtual Instances in a resource group. \| +> \| Microsoft.Workloads/sapVirtualInstances/read \| Gets all SAP Virtual Instances in the subscription. \| +> \| Microsoft.Workloads/sapVirtualInstances/start/action \| Starts the SAP System. \| +> \| Microsoft.Workloads/sapVirtualInstances/stop/action \| Stops the SAP System. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/read \| Gets the SAP Application Server Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/write \| Puts the SAP Application Server Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/delete \| Deletes the SAP Application Server Instance. <br><br>This operation will be used by service only. Delete by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/write \| Puts the SAP Application Server Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/read \| Lists the SAP Application server Instances in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/start/action \| Starts the SAP Application server Instance in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/applicationInstances/stop/action \| Stops the SAP Application server Instance in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/read \| Gets the SAP Central Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/write \| Puts the SAP Central Instance. <br><br>This will be used by service only. PUT by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/delete \| Deletes the SAP Central Instance. <br><br>This will be used by service only. Delete by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/write \| Updates the SAP Central Instance. <br><br>This can be used to update tags. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/read \| Lists the SAP Central Instances in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/start/action \| Starts the SAP Central server Instance in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/centralInstances/stop/action \| Stops the SAP Central server Instance in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/read \| Gets the SAP Database Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/write \| Puts the SAP Database Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/delete \| Deletes the SAP Database Instance. <br><br>This will be used by service only. Delete by end user will return a Bad Request error. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/write \| Puts the SAP Database Instance. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/read \| Lists the SAP Database Instances in an SVI. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/start/action \| Starts the database instance of the SAP system. \| +> \| Microsoft.Workloads/sapVirtualInstances/databaseInstances/stop/action \| Stops the database instance of the SAP system. \| +> \| Microsoft.Workloads/skus/read \| Gets the list of Microsoft.Workloads SKUs available for your Subscription \| + ## Next steps - [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types)
role-based-access-control	Rbac And Directory Admin Roles	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/rbac-and-directory-admin-roles.md	Several Microsoft Entra roles span Microsoft Entra ID and Microsoft 365, such as ## Classic subscription administrator roles > [!IMPORTANT] -> As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. +> As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. If you still have active Co-Administrator or Service Administrator role assignments, convert these role assignments to Azure RBAC immediately. > > For more information, see [Azure classic subscription administrators](classic-administrators.md).
role-based-access-control	Resource Provider Operations	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/resource-provider-operations.md	Click the resource provider name in the following list to see the list of permis > \| [Microsoft.Batch](./permissions/compute.md#microsoftbatch) \| Cloud-scale job scheduling and compute management. \| [Batch](/azure/batch/) \| > \| [Microsoft.ClassicCompute](./permissions/compute.md#microsoftclassiccompute) \| \| Classic deployment model virtual machine \| > \| [Microsoft.Compute](./permissions/compute.md#microsoftcompute) \| Access cloud compute capacity and scale on demand (such as virtual machines) and only pay for the resources you use. \| [Virtual Machines](/azure/virtual-machines/)<br/>[Virtual Machine Scale Sets](/azure/virtual-machine-scale-sets/) \| +> \| [Microsoft.ComputeSchedule](./permissions/compute.md#microsoftcomputeschedule) \| \| [Azure Virtual Desktop](/azure/virtual-desktop/overview) \| +> \| [microsoft.connectedvmwarevsphere](./permissions/compute.md#microsoftconnectedvmwarevsphere) \| \| [Azure Arc-enabled VMware vSphere](/azure/azure-arc/vmware-vsphere/) \| > \| [Microsoft.DesktopVirtualization](./permissions/compute.md#microsoftdesktopvirtualization) \| The best virtual desktop experience, delivered on Azure. \| [Azure Virtual Desktop](/azure/virtual-desktop/) \| > \| [Microsoft.ServiceFabric](./permissions/compute.md#microsoftservicefabric) \| Develop microservices and orchestrate containers on Windows or Linux. \| [Service Fabric](/azure/service-fabric/) \| Click the resource provider name in the following list to see the list of permis > [!div class="mx-tableFixed"] > \| Resource provider \| Description \| Azure service \| > \| \| \| \| +> \| [Microsoft.AgFoodPlatform](./permissions/ai-machine-learning.md#microsoftagfoodplatform) \| \| [Microsoft Azure Data Manager for Agriculture](/azure/data-manager-for-agri/overview-azure-data-manager-for-agriculture) \| > \| [Microsoft.BotService](./permissions/ai-machine-learning.md#microsoftbotservice) \| Intelligent, serverless bot service that scales on demand. \| [Azure Bot Service](/azure/bot-service/) \| > \| [Microsoft.CognitiveServices](./permissions/ai-machine-learning.md#microsoftcognitiveservices) \| Add smart API capabilities to enable contextual interactions. \| [Cognitive Services](/azure/cognitive-services/) \| +> \| [Microsoft.HealthBot](./permissions/ai-machine-learning.md#microsofthealthbot) \| \| [Azure AI Health Bot](/azure/health-bot/overview) \| > \| [Microsoft.MachineLearningServices](./permissions/ai-machine-learning.md#microsoftmachinelearningservices) \| Enterprise-grade machine learning service to build and deploy models faster. \| [Machine Learning](/azure/machine-learning/) \| > \| [Microsoft.Search](./permissions/ai-machine-learning.md#microsoftsearch) \| Leverage search services and get comprehensive results. \| [Azure AI Search](/azure/search/) \| Click the resource provider name in the following list to see the list of permis > [!div class="mx-tableFixed"] > \| Resource provider \| Description \| Azure service \| > \| \| \| \| +> \| [Microsoft.AzureSphere](./permissions/internet-of-things.md#microsoftazuresphere) \| \| [Azure Sphere](/azure-sphere/product-overview/what-is-azure-sphere) \| > \| [Microsoft.Devices](./permissions/internet-of-things.md#microsoftdevices) \| Ensure that your users are accessing your resources from devices that meet your standards for security and compliance. \| [IoT Hub](/azure/iot-hub/)<br/>[IoT Hub Device Provisioning Service](/azure/iot-dps/) \| > \| [Microsoft.DeviceUpdate](./permissions/internet-of-things.md#microsoftdeviceupdate) \| \| [Device Update for IoT Hub](/azure/iot-hub-device-update/) \| > \| [Microsoft.DigitalTwins](./permissions/internet-of-things.md#microsoftdigitaltwins) \| \| [Azure Digital Twins](/azure/digital-twins/) \| > \| [Microsoft.IoTCentral](./permissions/internet-of-things.md#microsoftiotcentral) \| Experience the simplicity of SaaS for IoT, with no cloud expertise required. \| [IoT Central](/azure/iot-central/) \| +> \| [Microsoft.IoTFirmwareDefense](./permissions/internet-of-things.md#microsoftiotfirmwaredefense) \| \| [Microsoft Defender for IoT](/azure/defender-for-iot/device-builders/overview) \| > \| [Microsoft.IoTSecurity](./permissions/internet-of-things.md#microsoftiotsecurity) \| \| [IoT security](/azure/iot/iot-security-architecture) \| > \| [Microsoft.StreamAnalytics](./permissions/internet-of-things.md#microsoftstreamanalytics) \| Real-time data stream processing from millions of IoT devices. \| [Stream Analytics](/azure/stream-analytics/) \| Click the resource provider name in the following list to see the list of permis > \| [Microsoft.HealthcareApis](./permissions/integration.md#microsofthealthcareapis) \| \| [Azure API for FHIR](/azure/healthcare-apis/azure-api-for-fhir/) \| > \| [Microsoft.HealthDataAIServices](./permissions/integration.md#microsofthealthdataaiservices) \| \| [Azure Health Data Services](/azure/healthcare-apis/healthcare-apis-overview) \| > \| [Microsoft.Logic](./permissions/integration.md#microsoftlogic) \| Automate the access and use of data across clouds without writing code. \| [Logic Apps](/azure/logic-apps/) \| +> \| [Microsoft.ModSimWorkbench](./permissions/integration.md#microsoftmodsimworkbench) \| \| [Azure Modeling and Simulation Workbench](/azure/modeling-simulation-workbench/modeling-simulation-workbench-overview) \| > \| [Microsoft.NotificationHubs](./permissions/integration.md#microsoftnotificationhubs) \| Send push notifications to any platform from any back end. \| [Notification Hubs](/azure/notification-hubs/) \| > \| [Microsoft.Relay](./permissions/integration.md#microsoftrelay) \| Expose services that run in your corporate network to the public cloud. \| [Azure Relay](/azure/azure-relay/relay-what-is-it) \| +> \| [Microsoft.ResourceNotifications](./permissions/integration.md#microsoftresourcenotifications) \| \| [Azure Event Grid](/azure/event-grid/overview) \| > \| [Microsoft.ServiceBus](./permissions/integration.md#microsoftservicebus) \| Connect across private and public cloud environments. \| [Service Bus](/azure/service-bus-messaging/) \| > \| [Microsoft.ServicesHub](./permissions/integration.md#microsoftserviceshub) \| \| [Services Hub](/services-hub/) \| Click the resource provider name in the following list to see the list of permis > \| Resource provider \| Description \| Azure service \| > \| \| \| \| > \| [Microsoft.Chaos](./permissions/devops.md#microsoftchaos) \| \| [Azure Chaos Studio](/azure/chaos-studio/) \| +> \| [Microsoft.DevCenter](./permissions/devops.md#microsoftdevcenter) \| \| [Azure Deployment Environments](/azure/deployment-environments/overview-what-is-azure-deployment-environments) \| > \| [Microsoft.DevTestLab](./permissions/devops.md#microsoftdevtestlab) \| Quickly create environments using reusable templates and artifacts. \| [Azure Lab Services](/azure/lab-services/) \| > \| [Microsoft.LabServices](./permissions/devops.md#microsoftlabservices) \| Set up labs for classrooms, trials, development and testing, and other scenarios. \| [Azure Lab Services](/azure/lab-services/) \| > \| [Microsoft.LoadTestService](./permissions/devops.md#microsoftloadtestservice) \| \| [Azure Load Testing](/azure/load-testing/) \| Click the resource provider name in the following list to see the list of permis > \| [Microsoft.Authorization](./permissions/management-and-governance.md#microsoftauthorization) \| \| [Azure Policy](/azure/governance/policy/overview)<br/>[Azure RBAC](/azure/role-based-access-control/overview)<br/>[Azure Resource Manager](/azure/azure-resource-manager/) \| > \| [Microsoft.Automation](./permissions/management-and-governance.md#microsoftautomation) \| Simplify cloud management with process automation. \| [Automation](/azure/automation/) \| > \| [Microsoft.Billing](./permissions/management-and-governance.md#microsoftbilling) \| Manage your subscriptions and see usage and billing. \| [Cost Management + Billing](/azure/cost-management-billing/) \| +> \| [Microsoft.BillingBenefits](./permissions/management-and-governance.md#microsoftbillingbenefits) \| \| [Azure savings plans](/azure/cost-management-billing/savings-plan/savings-plan-compute-overview) \| > \| [Microsoft.Blueprint](./permissions/management-and-governance.md#microsoftblueprint) \| Enabling quick, repeatable creation of governed environments. \| [Azure Blueprints](/azure/governance/blueprints/) \| > \| [Microsoft.Carbon](./permissions/management-and-governance.md#microsoftcarbon) \| \| [Azure carbon optimization](/azure/carbon-optimization/overview) \| > \| [Microsoft.Consumption](./permissions/management-and-governance.md#microsoftconsumption) \| Programmatic access to cost and usage data for your Azure resources. \| [Cost Management](/azure/cost-management-billing/) \| > \| [Microsoft.CostManagement](./permissions/management-and-governance.md#microsoftcostmanagement) \| Optimize what you spend on the cloud, while maximizing cloud potential. \| [Cost Management](/azure/cost-management-billing/) \| +> \| [Microsoft.CustomerLockbox](./permissions/management-and-governance.md#microsoftcustomerlockbox) \| Interface for customers to review and approve or reject customer data access requests. \| [Customer Lockbox for Microsoft Azure](/azure/security/fundamentals/customer-lockbox-overview) \| > \| [Microsoft.Features](./permissions/management-and-governance.md#microsoftfeatures) \| \| [Azure Resource Manager](/azure/azure-resource-manager/) \| > \| [Microsoft.GuestConfiguration](./permissions/management-and-governance.md#microsoftguestconfiguration) \| Audit settings inside a machine using Azure Policy. \| [Azure Policy](/azure/governance/policy/) \| > \| [Microsoft.Intune](./permissions/management-and-governance.md#microsoftintune) \| Enable your workforce to be productive on all their devices, while keeping your organization's information protected. \| \| Click the resource provider name in the following list to see the list of permis > \| [Microsoft.ResourceHealth](./permissions/management-and-governance.md#microsoftresourcehealth) \| Diagnose and get support for service problems that affect your Azure resources. \| [Azure Service Health](/azure/service-health/) \| > \| [Microsoft.Resources](./permissions/management-and-governance.md#microsoftresources) \| Deployment and management service for Azure that enables you to create, update, and delete resources in your Azure subscription. \| [Azure Resource Manager](/azure/azure-resource-manager/) \| > \| [Microsoft.Solutions](./permissions/management-and-governance.md#microsoftsolutions) \| Find the solution to meet the needs of your application or business. \| [Azure Managed Applications](/azure/azure-resource-manager/managed-applications/) \| +> \| [Microsoft.Workloads](./permissions/management-and-governance.md#microsoftworkloads) \| \| [SAP on Azure](/azure/sap/) \| <a name='microsoftkubernetes'></a>
role-based-access-control	Troubleshooting	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/troubleshooting.md	If you're a Microsoft Entra Global Administrator and you don't have access to a ## Classic subscription administrators > [!IMPORTANT] -> As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. +> As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. If you still have active Co-Administrator or Service Administrator role assignments, convert these role assignments to Azure RBAC immediately. > > For more information, see [Azure classic subscription administrators](classic-administrators.md).
sap	Acss Backup Integration	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/acss-backup-integration.md	If you have already configured Backup from Azure Backup Center for your SAP VMs ## Prerequisites - A Virtual Instance for SAP solutions (VIS) resource representing your SAP system on Azure Center for SAP solutions.-- An Azure account with Contributor role access on the Subscription in which your SAP system exists.- -To be able to configure Backup from the VIS resource, assign the following roles to Azure Workloads Connector Service first-party app - 1. Backup Contributor role access on the Subscription or specific Resource group which has the Recovery services vault that will be used for Backup. - 2. Virtual Machine Contributor role access on the Subscription or Resource groups which have the Compute resources of the SAP systems. -You can skip this step if you have already configured Backup for your VMs and HANA DB using Azure Backup Center. You will be able to monitor Backup of your SAP system from the VIS. - -> [!IMPORTANT] -> Once you have completed configuring Backup from the VIS experience, it is recommended that you remove role access assigned to Azure Workloads Connector Service first-party app, as the access is no longer needed when monitoring backup status from VIS. +- An Azure account with Backup Contributor and Virtual Machine Contributor role access on the Subscription in which your SAP system exists. - For HANA database backup, ensure the [prerequisites](/azure/backup/tutorial-backup-sap-hana-db#prerequisites) required by Azure Backup are in place. - For HANA database backup, create a HDB Userstore key that will be used for preparing HANA DB for configuring Backup. For a highly available(HA) HANA database, the Userstore key should be created in both Primary and Secondary databases.
service-connector	Tutorial Django Webapp Postgres Cli	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/tutorial-django-webapp-postgres-cli.md	Previously updated : 05/13/2024 Last updated : 09/10/2024 # Tutorial: Using Service Connector to build a Django app with Postgres on Azure App Service > [!NOTE] -> In this tutorial, you use Service Connector that simplifies the process of connecting a web app to a database service. This tutorial is a modification of the [App Service tutorial](../app-service/tutorial-python-postgresql-app.md), so you may see some similarities. Look into section [Configure environment variables to connect the database](#configure-environment-variables-to-connect-the-database) to see where Service Connector comes into play and simplifies the connection process given in the App Service tutorial. +> In this tutorial, you use Service Connector to connect a web app to a database service. This tutorial is a modification of the [App Service tutorial](../app-service/tutorial-python-postgresql-app.md), so you may see some similarities. Look into section [Create a passwordless connector to Postgres database](#create-a-passwordless-connector-to-postgres-database) to see where Service Connector comes into play and simplifies the connection process given in the App Service tutorial. -This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an [Azure Database for PostgreSQL Flexible server](/azure/postgresql/flexible-server/) database. +This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](../app-service/overview.md) and connect it to an [Azure Database for PostgreSQL Flexible server](/azure/postgresql/flexible-server/) database. In this tutorial, you use the Azure CLI to complete the following tasks: In this tutorial, you use the Azure CLI to complete the following tasks: ## Set up your initial environment -1. Install [Python 3.8 or higher](https://www.python.org/downloads/). To check if your Python version is 3.8 or higher, run the following code in a terminal window: +### [CloudShell](#tab/cloudshell) +Launch from [Azure Cloud Shell](../cloud-shell/overview.md) in the Azure Portal and install the service connector passwordless extension for the Azure CLI. - ### [Bash](#tab/bash) - - ```bash - python3 --version - ``` - - ### [PowerShell](#tab/powershell) +```terminal +az extension add --name serviceconnector-passwordless --upgrade +``` - ```cmd - py -3 --version - ``` +### [Local shell](#tab/localshell) - ### [Cmd](#tab/cmd) +1. Install the [Azure CLI](/cli/azure/install-azure-cli) 2.30.0 or higher. To check if your Azure CLI version is 2.30.0 or higher, run the `az --version` command. If you need to upgrade, run `az upgrade` (requires version 2.11.0+). - ```cmd - py -3 --version - ``` +1. Sign in to Azure using the CLI with `az login`. This command opens a browser to gather your credentials. When the command finishes, it shows JSON output containing information about your subscriptions. Once signed in, you can run Azure commands with the Azure CLI to work with resources in your subscription. - +1. Install the service connector passwordless extension for Azure CLI -1. Install the [Azure CLI](/cli/azure/install-azure-cli) 2.30.0 or higher. To check if your Azure CLI version is 2.30.0 or higher, run the `az --version` command. If you need to upgrade, run `az upgrade` (requires version 2.30.0+). +```terminal +az extension add --name serviceconnector-passwordless --upgrade +``` -1. Sign in to Azure using the CLI with `az login`. This command opens a browser to gather your credentials. When the command finishes, it shows JSON output containing information about your subscriptions. Once signed in, you can run Azure commands with the Azure CLI to work with resources in your subscription. + ## Clone or download the sample app In this tutorial, you use the Azure CLI to complete the following tasks: Clone the sample repository: ```terminal -git clone https://github.com/Azure-Samples/serviceconnector-webapp-postgresql-django.git +git clone https://github.com/Azure-Samples/serviceconnector-webapp-postgresql-django-passwordless.git ``` Navigate into the following folder: ```terminal -cd serviceconnector-webapp-postgresql-django -``` - -Use the flexible-server branch of the sample, which contains a few necessary changes, such as how the database server URL is set and adding `'OPTIONS': {'sslmode': 'require'}` to the Django database configuration as required by Azure PostgreSQL Flexible server. - -```terminal -git checkout flexible-server +cd serviceconnector-webapp-postgresql-django-passwordless ``` ### [Download](#tab/download) -Visit [https://github.com/Azure-Samples/djangoapp](https://github.com/Azure-Samples/djangoapp). - -For Flexible server, select the branches control that says "master" and then select the flexible-server branch. +Visit [https://github.com/Azure-Samples/serviceconnector-webapp-postgresql-django-passwordless](https://github.com/Azure-Samples/serviceconnector-webapp-postgresql-django-passwordless). Select Code, and then select Download ZIP. -Unpack the ZIP file into a folder named djangoapp. +Unpack the ZIP file into a folder named serviceconnector-webapp-postgresql-django-passwordless. -Open a terminal window in that djangoapp folder. +Open a terminal window in that serviceconnector-webapp-postgresql-django-passwordless folder. -The djangoapp sample contains the data-driven Django polls app you get by following [Writing your first Django app](https://docs.djangoproject.com/en/5.0/intro/tutorial01/) in the Django documentation. The completed app is provided here for your convenience. - -The sample is also modified to run in a production environment like App Service: +In this tutorial, you deploy a [Django](https://www.djangoproject.com/) web app to Azure App Service. The web app uses a system-assigned [managed identity](/azure/active-directory/managed-identities-azure-resources/overview) (passwordless connections) with Azure role-based access control to access [Azure Storage](/azure/storage/common/storage-introduction) and [Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server) resources. The code uses the [DefaultAzureCredential](/azure/developer/intro/passwordless-overview#introducing-defaultazurecredential) class of the [Azure Identity client library](/python/api/overview/azure/identity-readme) for Python. The `DefaultAzureCredential` class automatically detects that a managed identity exists for the App Service and uses it to access other Azure resources. * Production settings are in the azuresite/production.py file. Development settings are in azuresite/settings.py. * The app uses production settings when the `WEBSITE_HOSTNAME` environment variable is set. Azure App Service automatically sets this variable to the URL of the web app, such as `msdocs-django.azurewebsites.net`. Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). ## Create Postgres database in Azure -1. Enable parameters caching with the Azure CLI so you don't need to provide those parameters with every command. (Cached values are saved in the .azure folder.) +1. Set up the environment variables needed for the tutorial. - ```azurecli - az config param-persist on + ```bash + LOCATION="eastus" + RAND_ID=$RANDOM + RESOURCE_GROUP_NAME="msdocs-mi-web-app" + APP_SERVICE_NAME="msdocs-mi-web-$RAND_ID" + DB_SERVER_NAME="msdocs-mi-postgres-$RAND_ID" + ADMIN_USER="demoadmin" + ADMIN_PW="{your database password}" ``` + > [!IMPORTANT] + > The `ADMIN_PW` must contain 8 to 128 characters from three of the following categories: English uppercase letters, English lowercase letters, numbers, and nonalphanumeric characters. When creating usernames or passwords do not use the `$` character. Later you create environment variables with these values where the `$` character has a specific meaning within the Linux container used to run Python apps. + 1. Create a [resource group](../azure-resource-manager/management/overview.md#terminology) (you can change the name, if desired). The resource group name is cached and automatically applied to subsequent commands. ```azurecli - az group create --name ServiceConnector-tutorial-rg --location eastus + az group create --name $RESOURCE_GROUP_NAME --location $LOCATION ``` -1. Create the database server (the process takes a few minutes): +1. Create the database server. If prompted to enable access to current client IP address, type `y` for yes. This process takes a few minutes: ```azurecli - az postgres flexible-server create --sku-name Standard_B1ms --public-access all + az postgres flexible-server create \ + --resource-group $RESOURCE_GROUP_NAME \ + --name $DB_SERVER_NAME \ + --location $LOCATION \ + --admin-user $ADMIN_USER \ + --admin-password $ADMIN_PW \ + --sku-name Standard_D2ds_v4 + --active-directory-auth Enabled ``` If the `az` command isn't recognized, be sure you have the Azure CLI installed as described in [Set up your initial environment](#set-up-your-initial-environment). Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). * Create a default resource group if there's not a cached name already. * Create a PostgreSQL Flexible server: - * By default, the command uses a generated name like `server383813186`. You can specify your own name with the `--name` parameter. The name must be unique across all of Azure. - * The command uses the lowest-cost `Standard_B1ms` pricing tier. Omit the `--sku-name` argument to use the default `Standard_D2s_v3` tier. - * The command uses the resource group and location cached from the previous `az group create` command, which in this example is the resource group `ServiceConnector-tutorial-rg` in the `eastus` region. - * Create an administrator account with a username and password. You can specify these values directly with the `--admin-user` and `--admin-password` parameters. - * Create a database named `flexibleserverdb` by default. You can specify a database name with the `--database-name` parameter. - * Enables complete public access, which you can control using the `--public-access` parameter. + * With the server name specified with the `--name` parameter. The name must be unique across all of Azure. + * With the sku specified with the `--sku-name` parameter. + * Create an administrator account with a username and password specified with the `--admin-user` and `--admin-password` parameters. + * Create a database which name is specified with the `--database-name` parameter. -1. When the command completes, copy the command's JSON output to a file as you need values from the output later in this tutorial, specifically the host, username, and password, along with the database name. +1. Configure a firewall rule on your server with the [az postgres flexible-server firewall-rule create](/cli/azure/postgres/flexible-server/firewall-rule) command. This rule allows your local environment access to the server. (If you're prompted to enable access from your client IP address in previous step, you can skip this step.) -Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). + ```azurecli + IP_ADDRESS=<your IP> + az postgres flexible-server firewall-rule create \ + --resource-group $RESOURCE_GROUP_NAME \ + --name $DB_SERVER_NAME \ + --rule-name AllowMyIP \ + --start-ip-address $IP_ADDRESS \ + --end-ip-address $IP_ADDRESS + ``` + + Use any tool or website that shows your IP address to substitute `<your IP>` in the command. For example, you can use the [What's My IP Address?](https://www.whatismyip.com/) website. + +1. Create a database named `restaurant` using the [az postgres flexible-server execute](/cli/azure/postgres/flexible-server#az-postgres-flexible-server-execute) command. + + ```azurecli + az postgres flexible-server execute \ + --name $DB_SERVER_NAME \ + --admin-user $ADMIN_USER \ + --admin-password $ADMIN_PW \ + --database-name postgres \ + --querytext 'create database restaurant;' + ``` ## Deploy the code to Azure App Service In this section, you create app host in App Service app, connect this app to the ### Create the App Service app -1. In the terminal, make sure you're in the djangoapp repository folder that contains the app code. - -1. Switch to the sample app's `flexible-server` branch. This branch contains specific configuration needed for PostgreSQL Flexible server: - - ```cmd - git checkout flexible-server - ``` +1. In the terminal, make sure you're in the serviceconnector-webapp-postgresql-django-passwordless repository folder that contains the app code. 1. Run the following [`az webapp up`](/cli/azure/webapp#az-webapp-up) command to create the App Service host for the app: ```azurecli - az webapp up --name <app-name> --sku B1 + az webapp up \ + --resource-group $RESOURCE_GROUP_NAME \ + --location $LOCATION \ + --name $APP_SERVICE_NAME \ + --runtime PYTHON:3.9 \ + --sku B1 ```+ + The sku defines the size (CPU, memory) and cost of the App Service plan. The B1 (Basic) service plan incurs a small cost in your Azure subscription. For a full list of App Service plans, view the [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/) page. + <!-- without --sku creates PremiumV2 plan --> - This command performs the following actions, which may take a few minutes, using resource group and location cached from the previous `az group create` command (the group `Python-Django-PGFlex-rg` in the `eastus` region in this example). + This command performs the following actions, which may take a few minutes, using resource group and location cached from the previous `az group create` command (the group `$RESOURCE_GROUP_NAME` in the `eastus` region in this example). <!- <!-- No it doesn't. az webapp up doesn't respect --resource-group --> In this section, you create app host in App Service app, connect this app to the * Enable default logging for the app. * Upload the repository using ZIP deployment with build automation enabled. -Upon successful deployment, the command generates JSON output like the following example: -- -Having issues? Refer first to the [Troubleshooting guide](../app-service/configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). - -### Configure environment variables to connect the database - -With the code now deployed to App Service, the next step is to connect the app to the Postgres database in Azure. - -The app code expects to find database information in four environment variables named `AZURE_POSTGRESQL_HOST`, `AZURE_POSTGRESQL_NAME`, `AZURE_POSTGRESQL_USER`, and `AZURE_POSTGRESQL_PASS`. +1. Configure App Service to use the start.sh in the repo with the [az webapp config set](/cli/azure/webapp/config#az-webapp-config-set) command. + ```azurecli + az webapp config set \ + --resource-group $RESOURCE_GROUP_NAME \ + --name $APP_SERVICE_NAME \ + --startup-file "start.sh" + ``` -To set environment variables in App Service, create "app settings" with the following `az connection create` command. +### Create a passwordless connector to Postgres database -```azurecli -az webapp connection create postgres-flexible --client-type django -``` +With the code now deployed to App Service, the next step is to connect the app to the Postgres database in Azure. The app code expects to find database information in an environment variable named `AZURE_POSTGRESQL_CONNECTIONSTRING` for PostgresSQL flexible server and an environment variable named `AZURE_STORAGEBLOB_RESOURCEENDPOINT` for Azure Storage account. -The resource group, app name, db name are drawn from the cached values. You need to provide admin password of your postgres database during the execution of this command. +The Service Connector commands configure Azure Storage and Azure Database for PostgreSQL resources to use managed identity and Azure role-based access control. The commands create app settings in the App Service that connect your web app to these resources. The output from the commands lists the service connector actions taken to enable passwordless capability. -* The command creates settings named "AZURE_POSTGRESQL_HOST", "AZURE_POSTGRESQL_NAME", "AZURE_POSTGRESQL_USER", "AZURE_POSTGRESQL_PASS" as expected by the app code. -* If you forgot your admin credentials, the command would guide you to reset it. +1. Add a PostgreSQL service connector with the [az webapp connection create postgres-flexible](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres-flexible) command. The system-assigned managed identity is used to authenticate the web app to the target resource, PostgreSQL in this case. + ```azurecli + az webapp connection create postgres-flexible \ + --resource-group $RESOURCE_GROUP_NAME \ + --name $APP_SERVICE_NAME \ + --target-resource-group $RESOURCE_GROUP_NAME \ + --server $DB_SERVER_NAME \ + --database restaurant \ + --client-type python \ + --system-identity + ``` > [!NOTE] > If you see the error message "The subscription is not registered to use Microsoft.ServiceLinker", please run `az provider register -n Microsoft.ServiceLinker` to register the Service Connector resource provider and run the connection command again. In your Python code, you access these settings as environment variables with sta Having issues? Refer first to the [Troubleshooting guide](../app-service/configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). -### Run Django database migrations +### Create a storage account and connect to it -Django database migrations ensure that the schema in the PostgreSQL on Azure database matches with your code. - -1. Run `az webapp ssh` to open an SSH session for the web app in the browser: +1. Use the [az webapp connection create storage-blob](/cli/azure/webapp/connection/create#az-webapp-connection-create-storage-blob) command to create a storage account and creates a service connector that does the following configurations: + * Enables system-assigned managed identity on the web app + * Adds the web app with role Storage Blob Data Contributor to the newly created storage account. + * Configure the storage account network to accept access from the web app. ```azurecli - az webapp ssh + STORAGE_ACCOUNT_URL=$(az webapp connection create storage-blob \ + --new true \ + --resource-group $RESOURCE_GROUP_NAME \ + --name $APP_SERVICE_NAME \ + --target-resource-group $RESOURCE_GROUP_NAME \ + --client-type python \ + --system-identity \ + --query configurations[].value \ + --output tsv) + STORAGE_ACCOUNT_NAME=$(cut -d . -f1 <<< $(cut -d / -f3 <<< $STORAGE_ACCOUNT_URL)) ``` +1. Update the storage account to allow blob public access for the restaurant app users to access images. -1. In the SSH session, run the following commands: - - ```bash - # Run database migrations - python manage.py migrate - - # Create the super user (follow prompts) - python manage.py createsuperuser + ```azurecli + az storage account update \ + --name $STORAGE_ACCOUNT_NAME \ + --allow-blob-public-access ``` - If you encounter any errors related to connecting to the database, check the values of the application settings created in the previous section. - -1. The `createsuperuser` command prompts you for superuser credentials. For the purposes of this tutorial, use the default username `root`, press Enter for the email address to leave it blank, and enter `Pollsdb1` for the password. - -1. If you see an error that the database is locked, make sure that you ran the `az webapp settings` command in the previous section. Without those settings, the migrate command can't communicate with the database, resulting in the error. - -Having issues? Refer first to the [Troubleshooting guide](../app-service/configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). - -### Create a poll question in the app - -1. Open the app website. The app should display the message "Polls app" and "No polls are available" because there are no specific polls yet in the database. +1. Create a container called `photos` in the storage account with the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command. Allow anonymous read (public) access to blobs in the newly created container. ```azurecli - az webapp browse + # Set the BLOB_ENDPOINT variable + BLOB_ENDPOINT=$(az storage account show --name $STORAGE_ACCOUNT_NAME --query "primaryEndpoints.blob" \| sed 's/"//g') + echo $BLOB_ENDPOINT + + # Create the storage container using the BLOB_ENDPOINT variable + az storage container create \ + --account-name $STORAGE_ACCOUNT_NAME \ + --name photos \ + --public-access blob \ + --auth-mode login \ + --blob-endpoint $BLOB_ENDPOINT ``` - If you see "Application Error", then it's likely that you either didn't create the required settings in the previous step "[Configure environment variables to connect the database](#configure-environment-variables-to-connect-the-database)", or that these values contain errors. Run the command `az webapp config appsettings list` to check the settings. - - After updating the settings to correct any errors, give the app a minute to restart, then refresh the browser. +## Test the Python web app in Azure -1. Browse to the web app's admin page by appending `/admin` to the URL, for example, `http://<app-name>.azurewebsites.net/admin`. Sign in using Django superuser credentials from the previous section (`root` and `Pollsdb1`). Under Polls, select Add next to Questions and create a poll question with some choices. +The sample Python app uses the [azure.identity](https://pypi.org/project/azure-identity/) package and its `DefaultAzureCredential` class. When the app is running in Azure, `DefaultAzureCredential` automatically detects if a managed identity exists for the App Service and, if so, uses it to access other Azure resources (storage and PostgreSQL in this case). There's no need to provide storage keys, certificates, or credentials to the App Service to access these resources. -1. Return to the main website (`http://<app-name>.azurewebsites.net`) to confirm that the questions are now presented to the user. Answer questions however you like to generate some data in the database. +1. Browse to the deployed application at the URL `http://$APP_SERVICE_NAME.azurewebsites.net`. -Congratulations! You're running a Python Django web app in Azure App Service for Linux, with an active Postgres database. + It can take a minute or two for the app to start. If you see a default app page that isn't the default sample app page, wait a minute and refresh the browser. +2. Test the functionality of the sample app by adding a restaurant and some reviews with photos for the restaurant. + The restaurant and review information is stored in Azure Database for PostgreSQL and the photos are stored in Azure Storage. Here's an example screenshot: -> [!NOTE] -> App Service detects a Django project by looking for a wsgi.py file in each subfolder, which `manage.py startproject` creates by default. When App Service finds that file, it loads the Django web app. For more information, see [Configure built-in Python image](../app-service/configure-language-python.md). + :::image type="content" source="media/tutorial-django-webapp-postgres-cli/example-of-review-sample-app-production-deployed-small.png" lightbox="media/tutorial-django-webapp-postgres-cli/example-of-review-sample-app-production-deployed.png" alt-text="Screenshot of the sample app showing restaurant review functionality using Azure App Service, Azure PostgreSQL Database, and Azure Storage." ::: ## Clean up resources If you'd like to keep the app or continue to more tutorials, skip ahead to [Next steps](#next-step). Otherwise, to avoid incurring ongoing charges, delete the resource group created for this tutorial: ```azurecli -az group delete --name ServiceConnector-tutorial-rg --no-wait +az group delete --name $RESOURCE_GROUP_NAME --no-wait ``` By deleting the resource group, you also deallocate and delete all the resources contained within it. Be sure you no longer need the resources in the group before using the command.
site-recovery	Azure To Azure Architecture	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-architecture.md	Title: Azure to Azure disaster recovery architecture in Azure Site Recovery description: Overview of the architecture used when you set up disaster recovery between Azure regions for Azure VMs, using the Azure Site Recovery service.- -+ Last updated 02/29/2024
site-recovery	Azure To Azure Common Questions	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-common-questions.md	Title: Common questions about Azure virtual machine disaster recovery with Azure description: This article answers common questions about Azure virtual machine disaster recovery when you use Azure Site Recovery. - Last updated 09/16/2024-+
site-recovery	Azure Vm Disaster Recovery With Accelerated Networking	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-vm-disaster-recovery-with-accelerated-networking.md	Title: Enable accelerated networking for Azure VM disaster recovery with Azure Site Recovery description: Describes how to enable Accelerated Networking with Azure Site Recovery for Azure virtual machine disaster recovery- - - Previously updated : 03/07/2024+ Last updated : 09/23/2024
site-recovery	Azure Vm Disaster Recovery With Expressroute	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-vm-disaster-recovery-with-expressroute.md	Title: Integrate Azure ExpressRoute Azure VM disaster recovery with Azure Site Recovery -description: Describes how to set up disaster recovery for Azure VMs using Azure Site Recovery and Azure ExpressRoute - + Title: Integrate Azure ExpressRoute Azure virtual machine disaster recovery with Azure Site Recovery +description: Describes how to set up disaster recovery for Azure virtual machines using Azure Site Recovery and Azure ExpressRoute - -+ Last updated 12/14/2023 -# Integrate ExpressRoute with disaster recovery for Azure VMs +# Integrate ExpressRoute with disaster recovery for Azure virtual machines -This article describes how to integrate Azure ExpressRoute with [Azure Site Recovery](site-recovery-overview.md), when you set up disaster recovery for Azure VMs to a secondary Azure region. +This article describes how to integrate Azure ExpressRoute with [Azure Site Recovery](site-recovery-overview.md), when you set up disaster recovery for Azure virtual machines to a secondary Azure region. -Site Recovery enables disaster recovery of Azure VMs by replicating Azure VM data to Azure. +Site Recovery enables disaster recovery of Azure virtual machines by replicating Azure virtual machine data to Azure. -- If Azure VMs use [Azure managed disks](/azure/virtual-machines/managed-disks-overview), VM data is replicated to a replicated managed disk in the secondary region.-- If Azure VMs don't use managed disks, VM data is replicated to an Azure storage account.-- Replication endpoints are public, but replication traffic for Azure VMs doesn't cross the internet. +- If Azure virtual machines use [Azure managed disks](/azure/virtual-machines/managed-disks-overview), virtual machine data is replicated to a replicated managed disk in the secondary region. +- If Azure virtual machines don't use managed disks, virtual machine data is replicated to an Azure storage account. +- Replication endpoints are public, but replication traffic for Azure virtual machines doesn't cross the internet. ExpressRoute enables you to extend on-premises networks into the Microsoft Azure cloud over a private connection, facilitated by a connectivity provider. If you have ExpressRoute configured, it integrates with Site Recovery as follows: -- During replication between Azure regions: Replication traffic for Azure VM disaster recovery is within Azure only, and ExpressRoute isn't needed or used for replication. However, if you're connecting from an on-premises site to the Azure VMs in the primary Azure site, there are many issues to be aware of when you're setting up disaster recovery for those Azure VMs.-- Failover between Azure regions: When outages occur, you fail over Azure VMs from the primary to secondary Azure region. After failing over to a secondary region, there are many steps to take in order to access the Azure VMs in the secondary region using ExpressRoute. +- During replication between Azure regions: Replication traffic for Azure virtual machine disaster recovery is within Azure only, and ExpressRoute isn't needed or used for replication. However, if you're connecting from an on-premises site to the Azure virtual machines in the primary Azure site, there are many issues to be aware of when you're setting up disaster recovery for those Azure virtual machines. +- Failover between Azure regions: When outages occur, you fail over Azure virtual machines from the primary to secondary Azure region. After failing over to a secondary region, there are many steps to take in order to access the Azure virtual machines in the secondary region using ExpressRoute. ## Before you begin Before you begin, make sure you understand the following concepts: - ExpressRoute [circuits](../expressroute/expressroute-circuit-peerings.md) - ExpressRoute [routing domains](../expressroute/expressroute-circuit-peerings.md#routingdomains) - ExpressRoute [locations](../expressroute/expressroute-locations.md).-- Azure VM [replication architecture](azure-to-azure-architecture.md)-- How to [set up replication](azure-to-azure-tutorial-enable-replication.md) for Azure VMs.-- How to [fail over](azure-to-azure-tutorial-failover-failback.md) Azure VMs. +- Azure virtual machine [replication architecture](azure-to-azure-architecture.md) +- How to [set up replication](azure-to-azure-tutorial-enable-replication.md) for Azure virtual machines. +- How to [fail over](azure-to-azure-tutorial-failover-failback.md) Azure virtual machines. ## General recommendations Before you begin, make sure you understand the following concepts: For best practice, and to ensure efficient Recovery Time Objectives (RTOs) for disaster recovery, we recommend you do the following when you set up Site Recovery to integrate with ExpressRoute: - Provision networking components before failover to a secondary region: - - When you enable replication for Azure VMs, Site Recovery can automatically deploy networking resources such as networks, subnets, and gateways in the target Azure region, based on source network settings. + - When you enable replication for Azure virtual machines, Site Recovery can automatically deploy networking resources using the source network settings. For example, networks, subnets, and gateways in the target Azure region. - Site Recovery can't automatically set up networking resources such as VNet gateways. - - We recommend you provision these additional networking resources before failover. A small downtime is associated with this deployment, and it can impact the overall recovery time, if you didn't account for it during deployment planning. + - We recommend you provision these extra networking resources before failover. A small downtime is associated with this deployment, and it can impact the overall recovery time, if you didn't account for it during deployment planning. - Run regular disaster recovery drills: - A drill validates your replication strategy without data loss or downtime, and doesn't affect your production environment. It helps avoid last-minute configuration issues that can adversely impact RTO. - - When you run a test failover for the drill, we recommend that you use a separate Azure VM network, instead of the default network that's set up when you enable replication. + - When you run a test failover for the drill, we recommend using a separate Azure virtual machine network instead of the default network set up during replication. - Use different IP address spaces if you have a single ExpressRoute circuit. - We recommend that you use a different IP address space for the target virtual network. This avoids issues when establishing connections during regional outages. - If you can't use a separate address space, be sure to run the disaster recovery drill test failover on a separate test network with different IP addresses. You canΓÇÖt connect two VNets with overlapping IP address space to the same ExpressRoute circuit. -## Replicate Azure VMs when using ExpressRoute +## Replicate Azure virtual machines when using ExpressRoute -If you want to set up replication for Azure VMs in a primary site, and you're connecting to these VMs from your on-premises site over ExpressRoute, here's what you need to do: +If you want to set up replication for Azure virtual machines in a primary site, and you're connecting to these virtual machines from your on-premises site over ExpressRoute, here's what you need to do: -1. [Enable replication](azure-to-azure-tutorial-enable-replication.md) for each Azure VM. +1. [Enable replication](azure-to-azure-tutorial-enable-replication.md) for each Azure virtual machine. 2. Optionally let Site Recovery set up networking: - - When you configure and enable replication, Site Recovery sets up networks, subnets, and gateway subnets in the target Azure region, to match those in the source region. Site Recovery also maps between the source and target virtual networks. + - When you configure and enable replication, Site Recovery sets up networks, subnets, and gateway subnets in the target Azure region to match those in the source region. Site Recovery also maps between the source and target virtual networks. - If you don't want Site Recovery to do this automatically, create the target-side network resources before you enable replication. 3. Create other networking elements: - Site Recovery doesn't create route tables, VNet gateways, VNet gateway connections, VNet peering, or other networking resources and connections in the secondary region. - - You need to create these additional networking elements in the secondary region, anytime before running a failover from the primary region. + - You need to create these extra networking elements in the secondary region, anytime before running a failover from the primary region. - You can use [recovery plans](site-recovery-create-recovery-plans.md) and automation scripts to set up and connect these networking resources. 1. If you have a network virtual appliance (NVA) deployed to control the flow of network traffic: - - Azure's default system route for Azure VM replication is 0.0.0.0/0. + - Azure's default system route for Azure virtual machine replication is 0.0.0.0/0. - Typically, NVA deployments also define a default route (0.0.0.0/0) that forces outbound Internet traffic to flow through the NVA. The default route is used when no other specific route configuration can be found. - If so, the NVA might be overloaded if all replication traffic passes through the NVA. - - The same limitation also applies when using default routes for routing all Azure VM traffic to on-premises deployments. + - The same limitation also applies when using default routes for routing all Azure virtual machine traffic to on-premises deployments. - In this scenario, we recommend that you [create a network service endpoint](azure-to-azure-about-networking.md#create-network-service-endpoint-for-storage) in your virtual network for the Microsoft.Storage service, so that the replication traffic doesn't leave Azure boundary. ## Replication example -Typically enterprise deployments have workloads split across multiple Azure VNets, with a central connectivity hub for external connectivity to the internet and to on-premises sites. A hub and spoke topology is typically used together with ExpressRoute. +In typical enterprise deployments, workloads are distributed across multiple Azure VNets with a central hub for internet and on-premises connectivity. This setup often uses a hub-and-spoke topology with ExpressRoute. ![On-premises-to-Azure with ExpressRoute before failover](./media/azure-vm-disaster-recovery-with-expressroute/site-recovery-with-expressroute-before-failover.png) Hub to spoke \| Use remove gateways \| Disabled ### Example steps -In our example, the following should happen when enabling replication for Azure VMs in the source network: +In our example, the following should happen when enabling replication for Azure virtual machines in the source network: -1. You [enable replication](azure-to-azure-tutorial-enable-replication.md) for a VM. +1. You [enable replication](azure-to-azure-tutorial-enable-replication.md) for a virtual machine. 2. Site Recovery creates replica vNets, subnets, and gateway subnets in the target region. 3. Site Recovery creates mappings between the source networks and the replica target networks it creates. 4. You manually create virtual network gateways, virtual network gateway connections, virtual network peering, or any other networking resources or connections. -## Fail over Azure VMs when using ExpressRoute +## Fail over Azure virtual machines when using ExpressRoute -After you fail Azure VMs over to the target Azure region using Site Recovery, you can access them using ExpressRoute [private peering](../expressroute/expressroute-circuit-peerings.md#privatepeering). +After you fail Azure virtual machines over to the target Azure region using Site Recovery, you can access them using ExpressRoute [private peering](../expressroute/expressroute-circuit-peerings.md#privatepeering). - You need to connect ExpressRoute to the target vNet with a new connection. The existing ExpressRoute connection isn't automatically transferred. - The way in which you set up your ExpressRoute connection to the target vNet depends on your ExpressRoute topology. After you fail Azure VMs over to the target Azure region using Site Recovery, yo This configuration helps protect ExpressRoute circuits against regional disaster. If your primary peering location goes down, connections can continue from the other location. - The circuit connected to the production environment is usually the primary. The secondary circuit typically has lower bandwidth, which can be increased if a disaster occurs.-- After failover, you can establish connections from the secondary ExpressRoute circuit to the target vNet. Alternatively, you can have connections set up and ready in case of disaster, to reduce overall recovery time. +- After failover, you can establish connections from the secondary ExpressRoute circuit to the target vNet. Alternatively, you can have connections set up and ready in disaster, to reduce overall recovery time. - With simultaneous connections to both primary and target vNets, make sure that your on-premises routing only uses the secondary circuit and connection after failover. - The source and target vNets can receive new IP addresses, or keep the same ones, after failover. In both cases, the secondary connections can be established prior to failover. In this configuration there's only one Expressroute circuit. Although the circui - In a regional failure, if the primary region is inaccessible, the disconnect operation could fail. This could impact connection creation to the target region. - If you created the connection in the target region, and primary region recovers later, you might experience packet drops if two simultaneous connections attempt to connect to the same address space. - To prevent this, terminate the primary connection immediately. - - After VM failback to the primary region, the primary connection can again be established, after you disconnect the secondary connection. + - After virtual machine failback to the primary region, the primary connection can again be established, after you disconnect the secondary connection. - If a different address space is used on the target vNet, you can simultaneously connect to the source and target vNets from the same ExpressRoute circuit. In this configuration there's only one Expressroute circuit. Although the circui In our example, we're using the following topology: - Two different ExpressRoute circuits in two different peering locations.-- Retain private IP addresses for the Azure VMs after failover. +- Retain private IP addresses for the Azure virtual machines after failover. - The target recovery region is Azure SouthEast Asia. - A secondary ExpressRoute circuit connection is established through a partner edge in Singapore. For a simple topology that uses a single ExpressRoute circuit, with same IP addr To automate recovery in this example, here's what you need to do: 1. Follow the steps to set up replication. -2. [Fail over the Azure VMs](azure-to-azure-tutorial-failover-failback.md), with these additional steps during or after the failover. +2. [Fail over the Azure virtual machines](azure-to-azure-tutorial-failover-failback.md), with these extra steps during or after the failover. a. Create the Azure ExpressRoute Gateway in the target region hub VNet. This is need to connect the target hub vNet to the ExpressRoute circuit. The above steps can be scripted as part of a [recovery plan](site-recovery-creat #### After recovery -After recovering the VMs and completing connectivity, the recovery environment is as follows. +After recovering the virtual machines and completing connectivity, the recovery environment is as follows. ![On-premises-to-Azure with ExpressRoute after Failover](./media/azure-vm-disaster-recovery-with-expressroute/site-recovery-with-expressroute-after-failover.png)
site-recovery	Concepts Azure To Azure High Churn Support	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-azure-to-azure-high-churn-support.md	Title: Azure Virtual Machines disaster recovery - High Churn support description: Describes how to protect your Azure Virtual Machines having high churning workloads.- - Previously updated : 05/31/2024+ Last updated : 09/18/2024
site-recovery	Concepts Expressroute With Site Recovery	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-expressroute-with-site-recovery.md	Title: About using ExpressRoute with Azure Site Recovery description: Describes how to use Azure ExpressRoute with the Azure Site Recovery service for disaster recovery and migration.- - - Previously updated : 10/13/2019+ Last updated : 09/18/2024 Azure Site Recovery enables disaster recovery of [Azure virtual machines](azure- For Azure VM disaster recovery, by default, ExpressRoute is not required for replication. After virtual machines fail over to the target Azure region, you can access them using [private peering](../expressroute/expressroute-circuit-peerings.md#privatepeering). Note that data transfer prices apply irrespective of the mode of data replication across Azure regions. -If you are already using ExpressRoute to connect from your on-premises datacenter to the Azure VMs on the source region, you can plan for re-establishing ExpressRoute connectivity at the failover target region. You can use the same ExpressRoute circuit to connect to the target region through a new virtual network connection or utilize a separate ExpressRoute circuit and connection for disaster recovery. The different possible scenarios are described [here](azure-vm-disaster-recovery-with-expressroute.md#fail-over-azure-vms-when-using-expressroute). +If you are already using ExpressRoute to connect from your on-premises datacenter to the Azure VMs on the source region, you can plan for re-establishing ExpressRoute connectivity at the failover target region. You can use the same ExpressRoute circuit to connect to the target region through a new virtual network connection or utilize a separate ExpressRoute circuit and connection for disaster recovery. The different possible scenarios are described [here](azure-vm-disaster-recovery-with-expressroute.md#fail-over-azure-virtual-machines-when-using-expressroute). You can replicate Azure virtual machines to any Azure region within the same geographic cluster as detailed [here](../site-recovery/azure-to-azure-support-matrix.md#region-support). If the chosen target Azure region is not within the same geopolitical region as the source, you might need to enable ExpressRoute Premium. For more details, check [ExpressRoute locations](../expressroute/expressroute-locations.md) and [ExpressRoute pricing](https://azure.microsoft.com/pricing/details/expressroute/).
site-recovery	Concepts Multiple Ip Address Failover	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-multiple-ip-address-failover.md	Title: Configure failover of multiple IP addresses with Azure Site Recovery description: This article describes how to configure the failover of secondary IP configs for Azure virtual machines.- -+ Last updated 04/29/2024
site-recovery	Concepts Network Security Group With Site Recovery	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-network-security-group-with-site-recovery.md	Title: Network Security Groups with Azure Site Recovery \| Microsoft Docs description: Describes how to use Network Security Groups with Azure Site Recovery for disaster recovery and migration - -+ Last updated 04/08/2019
site-recovery	Concepts Public Ip Address With Site Recovery	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-public-ip-address-with-site-recovery.md	Title: Assign public IP addresses after failover with Azure Site Recovery description: Describes how to set up public IP addresses with Azure Site Recovery and Azure Traffic Manager for disaster recovery and migration- - -+ Last updated 10/31/2023 Public IP addresses serve two purposes in Azure. First, they allow inbound communication from Internet resources to Azure resources. Secondly, they enable Azure resources to communicate outbound to the Internet and public-facing Azure services that have an IP address assigned to the resource. -- Allow inbound communication from the Internet to the resource, such as Azure Virtual Machines (VM), Azure Application Gateways, Azure Load Balancers, Azure VPN Gateways, and others. You can still communicate with some resources, such as VMs, from the Internet, if a VM doesn't have a public IP address assigned to it, as long as the VM is part of a load balancer back-end pool, and the load balancer is assigned a public IP address. +- Allow inbound communication from the Internet to the resource, such as Azure Virtual Machines (VM), Azure Application Gateways, Azure Load Balancers, Azure VPN Gateways, and others. You can still communicate with some resources, such as virtual machines, from the Internet, if a virtual machines doesn't have a public IP address assigned to it, as long as the virtual machines is part of a load balancer back-end pool, and the load balancer is assigned a public IP address. - Outbound connectivity to the Internet using a predictable IP address. For example, a virtual machine can communicate outbound to the Internet without a public IP address assigned to it, but its address is network address translated by Azure to an unpredictable public address, by default. Assigning a public IP address to a resource enables you to know which IP address is used for the outbound connection. Though predictable, the address can change, depending on the assignment method chosen. For more information, see [Create a public IP address](../virtual-network/ip-services/virtual-network-public-ip-address.md#create-a-public-ip-address). To learn more about outbound connections from Azure resources, see [Understand outbound connections](../load-balancer/load-balancer-outbound-connections.md?toc=%2fazure%2fvirtual-network%2ftoc.json). In Azure Resource Manager, a Public IP address is a resource that has its own properties. Some of the resources you can associate a public IP address resource with are: Public IP address of the production application **cannot be retained on failover The setup is as follows: - Create a [recovery plan](../site-recovery/site-recovery-create-recovery-plans.md#create-a-recovery-plan) and group your workloads as necessary into the plan.-- Customize the plan by adding a step to attach a public IP address using [Azure Automation runbooks](../site-recovery/site-recovery-runbook-automation.md#customize-the-recovery-plan) scripts to the failed over VM. +- Customize the plan by adding a step to attach a public IP address using [Azure Automation runbooks](../site-recovery/site-recovery-runbook-automation.md#customize-the-recovery-plan) scripts to the failed over virtual machines. ## Public endpoint switching with DNS level Routing
site-recovery	Concepts Traffic Manager With Site Recovery	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-traffic-manager-with-site-recovery.md	Title: Azure Traffic Manager with Azure Site Recovery \| Microsoft Docs description: Describes how to use Azure Traffic Manager with Azure Site Recovery for disaster recovery and migration- - -+ Last updated 12/14/2023
site-recovery	Concepts Types Of Failback	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/concepts-types-of-failback.md	Title: Failback during disaster recovery with Azure Site Recovery \| Microsoft Docs -description: This article provides an overview of various types of failback and caveats to be considered while failing back to on-premises during disaster recovery with the Azure Site Recovery service. + Title: Failback during disaster recovery with Azure Site Recovery +description: This article provides an overview of different types of failback and important considerations for failing back to on-premises during disaster recovery with Azure Site Recovery. -+ Last updated 08/07/2019 -# Failback of VMware VMs after disaster recovery to Azure +# Failback of VMware virtual machines after disaster recovery to Azure -After you have failed over to Azure as part of your disaster recovery process, you can fail back to your on-premises site. There are two different types of failback that are possible with Azure Site Recovery: +After failing over to Azure as part of your disaster recovery process, you can fail back to your on-premises site. With Azure Site Recovery, two types of failback are possible: - Fail back to the original location - Fail back to an alternate location -If you failed over a VMware virtual machine, you can fail back to the same source on-premises virtual machine if it still exists. In this scenario, only the changes are replicated back. This scenario is known as original location recovery. If the on-premises virtual machine does not exist, the scenario is an alternate location recovery. +If you failed over a VMware virtual machine, you can fail back to the same source on-premises virtual machine if it still exists. In this scenario, only the changes are replicated back. This scenario is known as original location recovery. If the on-premises virtual machine doesn't exist, the scenario is an alternate location recovery. > [!NOTE] -> You can only fail back to the original vCenter and Configuration server. You cannot deploy a new Configuration server and fail back using it. Also, you cannot add a new vCenter to the existing Configuration server and failback into the new vCenter. +> You can only fail back to the original vCenter and Configuration server. You can't deploy a new Configuration server and fail back using it. Also, you cannot add a new vCenter to the existing Configuration server and failback into the new vCenter. ## Original Location Recovery (OLR) If you choose to fail back to the original virtual machine, the following conditions need to be met: * If the virtual machine is managed by a vCenter server, then the master target's ESX host should have access to the virtual machine's datastore. -* If the virtual machine is on an ESX host but isnΓÇÖt managed by vCenter, then the hard disk of the virtual machine must be in a datastore that the master target's host can access. +* If the virtual machine is on an ESX host but isnΓÇÖt managed by vCenter, its hard disk must reside in a datastore accessible to the master target's host. * If your virtual machine is on an ESX host and doesn't use vCenter, then you should complete discovery of the ESX host of the master target before you reprotect. This applies if you're failing back physical servers, too. * You can fail back to a virtual storage area network (vSAN) or a disk that based on raw device mapping (RDM) if the disks already exist and are connected to the on-premises virtual machine. > [!IMPORTANT] -> It is important to enable disk.enableUUID= TRUE so that during failback, the Azure Site Recovery service is able to identify the original VMDK on the virtual machine to which the pending changes will be written. If this value is not set to be TRUE, then the service tries to identify the corresponding on-premises VMDK on a best effort basis. If the right VMDK is not found, it creates an extra disk and the data gets written on to that. +> It is important to enable disk.enableUUID= TRUE so that during failback, the Azure Site Recovery service is able to identify the original VMDK on the virtual machine to which the pending changes are written. If this value is not set to be TRUE, then the service tries to identify the corresponding on-premises VMDK on a best effort basis. If the right VMDK is not found, it creates an extra disk and the data gets written on to that. ## Alternate location recovery (ALR) -If the on-premises virtual machine does not exist before reprotecting the virtual machine, the scenario is called an alternate location recovery. The reprotect workflow creates the on-premises virtual machine again. This will also cause a full data download. +If the on-premises virtual machine doesn't exist before reprotecting the virtual machine, the scenario is called an alternate location recovery. The reprotected workflow creates the on-premises virtual machine again. This also causes a full data download. -* When you fail back to an alternate location, the virtual machine is recovered to the same ESX host on which the master target server is deployed. The datastore that's used to create the disk will be the same datastore that was selected when reprotecting the virtual machine. -* You can fail back only to a virtual machine file system (VMFS) or vSAN datastore. If you have an RDM, reprotect and failback will not work. -* Reprotect involves one large initial data transfer that's followed by the changes. This process exists because the virtual machine does not exist on premises. The complete data has to be replicated back. This reprotect will also take more time than an original location recovery. -* You cannot fail back to RDM-based disks. Only new virtual machine disks (VMDKs) can be created on a VMFS/vSAN datastore. +* When you fail back to an alternate location, the virtual machine is recovered to the same ESX host on which the master target server is deployed. The datastore that's used to create the disk is the same datastore that was selected when reprotecting the virtual machine. +* You can fail back only to a virtual machine file system (VMFS) or vSAN datastore. If you have an RDM, reprotect and failback won't work. +* Reprotect involves one large initial data transfer that's followed by the changes. This process exists because the virtual machine doesn't exist on premises. The complete data has to be replicated back. This reprotect also takes more time than an original location recovery. +* You can't fail back to RDM-based disks. Only new virtual machine disks (VMDKs) can be created on a VMFS/vSAN datastore. > [!NOTE] > A physical machine, when failed over to Azure, can be failed back only as a VMware virtual machine. This follows the same workflow as the alternate location recovery. Ensure that you discover at least one master target server and the necessary ESX/ESXi hosts to which you need to fail back.
site-recovery	Exclude Disks Replication	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/exclude-disks-replication.md	Title: Exclude disks from replication with Azure Site Recovery description: How to exclude disks from replication to Azure with Azure Site Recovery.- Previously updated : 12/04/2023+ Last updated : 09/18/2024
site-recovery	Failover Failback Overview Modernized	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/failover-failback-overview-modernized.md	Title: About failover and failback in Azure Site Recovery - Modernized description: Learn about failover and failback in Azure Site Recovery - Modernized.-+ Last updated 02/13/2024
site-recovery	Hyper V Azure Architecture	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-azure-architecture.md	Title: Hyper-V disaster recovery architecture in Azure Site Recovery description: This article provides an overview of components and architecture used when deploying disaster recovery for on-premises Hyper-V VMs (without VMM) to Azure with the Azure Site Recovery service. -+ Last updated 11/14/2019 The following table and graphic provide a high-level view of the components used Component \| Requirement \| Details \| \| -Azure \| An Azure subscription, Azure storage account, and Azure network. \| Replicated data from on-premises VM workloads is stored in the storage account. Azure VMs are created with the replicated workload data when failover from your on-premises site occurs.<br/><br/> The Azure VMs connect to the Azure virtual network when they're created. +Azure \| An Azure subscription, Azure storage account, and Azure network. \| Replicated data from on-premises virtual machine workloads is stored in the storage account. Azure virtual machines are created with the replicated workload data when failover from your on-premises site occurs.<br/><br/> The Azure virtual machines connect to the Azure virtual network when they're created. Hyper-V \| During Site Recovery deployment, you gather Hyper-V hosts and clusters into Hyper-V sites. You install the Azure Site Recovery Provider and Recovery Services agent on each standalone Hyper-V host, or on each Hyper-V cluster node. \| The Provider orchestrates replication with Site Recovery over the internet. The Recovery Services agent handles data replication.<br/><br/> Communications from both the Provider and the agent are secure and encrypted. Replicated data in Azure storage is also encrypted. -Hyper-V VMs \| One or more VMs running on Hyper-V. \| Nothing needs to be explicitly installed on VMs. +Hyper-V VMs \| One or more virtual machines running on Hyper-V. \| Nothing needs to be explicitly installed on VMs. Hyper-V to Azure architecture (without VMM) The following table and graphic provide a high-level view of the components used Component \| Requirement \| Details \| \| -Azure \| An Azure subscription, Azure storage account, and Azure network. \| Replicated data from on-premises VM workloads is stored in the storage account. Azure VMs are created with the replicated data when failover from your on-premises site occurs.<br/><br/> The Azure VMs connect to the Azure virtual network when they're created. +Azure \| An Azure subscription, Azure storage account, and Azure network. \| Replicated data from on-premises virtual machine workloads is stored in the storage account. Azure virtual machines are created with the replicated data when failover from your on-premises site occurs.<br/><br/> The Azure virtual machines connect to the Azure virtual network when they're created. VMM server \| The VMM server has one or more clouds containing Hyper-V hosts. \| You install the Site Recovery Provider on the VMM server, to orchestrate replication with Site Recovery, and register the server in the Recovery Services vault. Hyper-V host \| One or more Hyper-V hosts/clusters managed by VMM. \| You install the Recovery Services agent on each Hyper-V host or cluster node. -Hyper-V VMs \| One or VMs running on a Hyper-V host server. \| Nothing needs to explicitly installed on VMs. -Networking \| Logical and VM networks set up on the VMM server. The VM network should be linked to a logical network that's associated with the cloud. \| VM networks are mapped to Azure virtual networks. When Azure VMs are created after failover, they are added to the Azure network that's mapped to the VM network. +Hyper-V VMs \| One or virtual machines running on a Hyper-V host server. \| Nothing needs to explicitly installed on virtual machines. +Networking \| Logical and virtual machine networks set up on the VMM server. The virtual machine network should be linked to a logical network that's associated with the cloud. \| virtual machine networks are mapped to Azure virtual networks. When Azure virtual machines are created after failover, they are added to the Azure network that's mapped to the virtual machine network. Hyper-V to Azure architecture (with VMM) If you're using a URL-based firewall proxy to control outbound connectivity, all \| Name \| Commercial \| Government \| Description \| \| - \| -- \| - \| -- \| -\| Storage \| `.blob.core.windows.net` \| `.blob.core.usgovcloudapi.net` \| Allows data to be written from the VM to the cache storage account in the source region. \| +\| Storage \| `.blob.core.windows.net` \| `.blob.core.usgovcloudapi.net` \| Allows data to be written from the virtual machine to the cache storage account in the source region. \| \| Microsoft Entra ID \| `login.microsoftonline.com` \| `login.microsoftonline.us` \| Provides authorization and authentication to Site Recovery service URLs. \| -\| Replication \| `.hypervrecoverymanager.windowsazure.com` \| `.hypervrecoverymanager.windowsazure.com` \| Allows the VM to communicate with the Site Recovery service. \| -\| Service Bus \| `.servicebus.windows.net` \| `.servicebus.usgovcloudapi.net` \| Allows the VM to write Site Recovery monitoring and diagnostics data. \| +\| Replication \| `.hypervrecoverymanager.windowsazure.com` \| `.hypervrecoverymanager.windowsazure.com` \| Allows the virtual machine to communicate with the Site Recovery service. \| +\| Service Bus \| `.servicebus.windows.net` \| `.servicebus.usgovcloudapi.net` \| Allows the virtual machine to write Site Recovery monitoring and diagnostics data. \| ## Replication process If you're using a URL-based firewall proxy to control outbound connectivity, all ### Enable protection -1. After you enable protection for a Hyper-V VM, in the Azure portal or on-premises, the Enable protection starts. +1. After you enable protection for a Hyper-V virtual machine, in the Azure portal or on-premises, the Enable protection starts. 2. The job checks that the machine complies with prerequisites, before invoking the [CreateReplicationRelationship](/windows/win32/hyperv_v2/createreplicationrelationship-msvm-replicationservice), to set up replication with the settings you've configured. -3. The job starts initial replication by invoking the [StartReplication](/windows/win32/hyperv_v2/startreplication-msvm-replicationservice) method, to initialize a full VM replication, and send the VM's virtual disks to Azure. +3. The job starts initial replication by invoking the [StartReplication](/windows/win32/hyperv_v2/startreplication-msvm-replicationservice) method, to initialize a full virtual machine replication, and send the virtual machine's virtual disks to Azure. 4. You can monitor the job in the Jobs tab. ![Screenshot of the jobs list in the Jobs tab.](media/hyper-v-azure-architecture/image1.png) ![Screenshot of the Enable protection screen with more details.](media/hyper-v-azure-architecture/image2.png) If you're using a URL-based firewall proxy to control outbound connectivity, all ### Initial data replication -1. When initial replication is triggered, a [Hyper-V VM snapshot](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560637(v=ws.10)) snapshot is taken. -2. Virtual hard disks on the VM are replicated one by one, until they're all copied to Azure. This might take a while, depending on the VM size, and network bandwidth. [Learn how](https://support.microsoft.com/kb/3056159) to increase network bandwidth. +1. When initial replication is triggered, a [Hyper-V virtual machine snapshot](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560637(v=ws.10)) snapshot is taken. +2. Virtual hard disks on the virtual machine are replicated one by one, until they're all copied to Azure. This might take a while, depending on the virtual machine size, and network bandwidth. [Learn how](https://support.microsoft.com/kb/3056159) to increase network bandwidth. 3. If disk changes occur while initial replication is in progress, the Hyper-V Replica Replication Tracker tracks the changes as Hyper-V replication logs (.hrl). These log files are located in the same folder as the disks. Each disk has an associated .hrl file that's sent to secondary storage. The snapshot and log files consume disk resources while initial replication is in progress. -4. When the initial replication finishes, the VM snapshot is deleted. +4. When the initial replication finishes, the virtual machine snapshot is deleted. 5. Delta disk changes in the log are synchronized and merged to the parent disk. ### Finalize protection process -1. After the initial replication finishes, the Finalize protection on the virtual machine job runs. It configures network and other post-replication settings, so that the VM is protected. -2. At this stage you can check the VM settings to make sure that it's ready for failover. You can run a disaster recovery drill (test failover) for the VM, to check that it fails over as expected. +1. After the initial replication finishes, the Finalize protection on the virtual machine job runs. It configures network and other post-replication settings, so that the virtual machine is protected. +2. At this stage you can check the virtual machine settings to make sure that it's ready for failover. You can run a disaster recovery drill (test failover) for the virtual machine, to check that it fails over as expected. ## Delta replication If you're using a URL-based firewall proxy to control outbound connectivity, all 1. After the initial replication, delta replication begins, in accordance with the replication policy. 2. The Hyper-V Replica Replication Tracker tracks changes to a virtual hard disk as .hrl files. Each disk that's configured for replication has an associated .hrl file. 3. The log is sent to the customer's storage account. When a log is in transit to Azure, the changes in the primary disk are tracked in another log file, in the same folder. -4. During initial and delta replication, you can monitor the VM in the Azure portal. +4. During initial and delta replication, you can monitor the virtual machine in the Azure portal. ### Resynchronization process -1. If delta replication fails, and a full replication would be costly in terms of bandwidth or time, then a VM is marked for resynchronization. - - For example, if the .hrl files reach 50% of the disk size, then the VM will be marked for resynchronization. +1. If delta replication fails, and a full replication would be costly in terms of bandwidth or time, then a virtual machine is marked for resynchronization. + - For example, if the .hrl files reach 50% of the disk size, then the virtual machine will be marked for resynchronization. - By default resynchronization is scheduled to run automatically outside office hours. 1. Resynchronization sends delta data only. - - It minimizes the amount of data sent by computing checksums of the source and target VMs. + - It minimizes the amount of data sent by computing checksums of the source and target virtual machines. - It uses a fixed-block chunking algorithm where source and target files are divided into fixed chunks. - Checksums for each chunk are generated. These are compared to determine which blocks from the source need to be applied to the target. 2. After resynchronization finishes, normal delta replication should resume. -3. If you don't want to wait for default resynchronization outside hours, you can resynchronize a VM manually. For example, if an outage occurs. To do this, in the Azure portal, select the VM > Resynchronize. +3. If you don't want to wait for default resynchronization outside hours, you can resynchronize a virtual machine manually. For example, if an outage occurs. To do this, in the Azure portal, select the virtual machine > Resynchronize. ![Screenshot showing the Resynchronize option.](./media/hyper-v-azure-architecture/image4-site.png) If a replication error occurs, there's a built-in retry. Retry is classified as Category \| Details \| -Non-recoverable errors \| No retry is attempted. VM status will be Critical, and administrator intervention is required.<br/><br/> Examples of these errors include a broken VHD chain, an invalid state for the replica VM, network authentication errors, authorization errors, and VM not found errors (for standalone Hyper-V servers. +Non-recoverable errors \| No retry is attempted. virtual machine status will be Critical, and administrator intervention is required.<br/><br/> Examples of these errors include a broken VHD chain, an invalid state for the replica virtual machine, network authentication errors, authorization errors, and virtual machine not found errors (for standalone Hyper-V servers. Recoverable errors \| Retries occur every replication interval, using an exponential back-off that increases the retry interval from the start of the first attempt by 1, 2, 4, 8, and 10 minutes. If an error persists, retry every 30 minutes. Examples of these include network errors, low disk errors, and low memory conditions. ## Failover and failback process -1. You can run a planned or unplanned failover from on-premises Hyper-V VMs to Azure. If you run a planned failover, then source VMs are shut down to ensure no data loss. Run an unplanned failover if your primary site isn't accessible. +1. You can run a planned or unplanned failover from on-premises Hyper-V virtual machines to Azure. If you run a planned failover, then source virtual machines are shut down to ensure no data loss. Run an unplanned failover if your primary site isn't accessible. 2. You can fail over a single machine, or create recovery plans, to orchestrate failover of multiple machines. -3. You run a failover. After the first stage of failover completes, you should be able to see the created replica VMs in Azure. You can assign a public IP address to the VM if required. -4. You then commit the failover, to start accessing the workload from the replica Azure VM. +3. You run a failover. After the first stage of failover completes, you should be able to see the created replica virtual machines in Azure. You can assign a public IP address to the virtual machine if required. +4. You then commit the failover, to start accessing the workload from the replica Azure virtual machine. After your on-premises infrastructure is up and running again, you can fail back. Failback occurs in three stages: 1. Kick off a planned failover from Azure to the on-premises site: - - Minimize downtime: If you use this option Site Recovery synchronizes data before failover. It checks for changed data blocks and downloads them to the on-premises site, while the Azure VM keeps running, minimizing downtime. When you manually specify that the failover should complete, the Azure VM is shut down, any final delta changes are copied, and the failover starts. - - Full download: With this option data is synchronized during failover. This option downloads the entire disk. It's faster because no checksums are calculated, but there's more downtime. Use this option if you've been running the replica Azure VMs for some time, or if the on-premises VM was deleted. - - Create VM: You can select to fail back to the same VM or to an alternate VM. You can specify that Site Recovery should create the VM if it doesn't already exist. + - Minimize downtime: If you use this option Site Recovery synchronizes data before failover. It checks for changed data blocks and downloads them to the on-premises site, while the Azure virtual machine keeps running, minimizing downtime. When you manually specify that the failover should complete, the Azure virtual machine is shut down, any final delta changes are copied, and the failover starts. + - Full download: With this option data is synchronized during failover. This option downloads the entire disk. It's faster because no checksums are calculated, but there's more downtime. Use this option if you've been running the replica Azure virtual machines for some time, or if the on-premises virtual machine was deleted. + - Create virtual machine: You can select to fail back to the same virtual machine or to an alternate virtual machine. You can specify that Site Recovery should create the virtual machine if it doesn't already exist. -2. After initial synchronization finishes, you select to complete the failover. After it completes, you can log onto the on-premises VM to check everything's working as expected. In the Azure portal, you can see that the Azure VMs have been stopped. -3. Then, you commit the failover to finish up, and start accessing the workload from the on-premises VM again. -4. After workloads have failed back, you enable reverse replication, so that the on-premises VMs replicate to Azure again. +2. After initial synchronization finishes, you select to complete the failover. After it completes, you can log onto the on-premises virtual machine to check everything's working as expected. In the Azure portal, you can see that the Azure virtual machines have been stopped. +3. Then, you commit the failover to finish up, and start accessing the workload from the on-premises virtual machine again. +4. After workloads have failed back, you enable reverse replication, so that the on-premises virtual machines replicate to Azure again.
site-recovery	Hyper V Azure Common Questions	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-azure-common-questions.md	Title: Common questions for Hyper-V disaster recovery with Azure Site Recovery description: This article summarizes common questions about setting up disaster recovery for on-premises Hyper-V VMs to Azure using the Azure Site Recovery site. Last updated 07/10/2024 -+
site-recovery	Hyper V Azure Support Matrix	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-azure-support-matrix.md	Title: Support for disaster recovery of Hyper-V VMs to Azure with Azure Site Recovery description: Summarizes the supported components and requirements for Hyper-V VM disaster recovery to Azure with Azure Site Recovery - Previously updated : 12/04/2023+ Last updated : 09/18/2024
site-recovery	Hyper V Deployment Planner Analyze Report	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-deployment-planner-analyze-report.md	Title: Analyze the Hyper-V Deployment Planner report in Azure Site Recovery description: This article describes how to analyze a report generated by the Azure Site Recovery Deployment Planner for disaster recovery of Hyper-V VMs to Azure. - - Previously updated : 10/21/2019+ Last updated : 09/18/2024
site-recovery	Hyper V Deployment Planner Cost Estimation	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-deployment-planner-cost-estimation.md	Title: Review the Azure Site Recovery Deployment Planner cost estimation report description: This article describes how to review the cost estimation report generated the Azure Site Recovery Deployment Planner for Hyper-V disaster recovery to Azure. - - Previously updated : 4/9/2019+ Last updated : 09/18/2024
site-recovery	Hyper V Deployment Planner Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-deployment-planner-overview.md	Title: Deployment Planner for Hyper-V disaster recovery with Azure Site Recovery description: Learn about the Azure Site Recovery Deployment Planner Hyper-V disaster recovery to Azure. - -+ Last updated 03/13/2024 The tool provides the following details: >[!IMPORTANT] -> ->Because usage is likely to increase over time, all the preceding tool calculations are performed assuming a 30% growth factor in workload characteristics, and using a 95th percentile value of all the profiling metrics (read/write IOPS, churn, and so forth). Both of these elements (growth factor and percentile calculation) are configurable. To learn more about growth factor, see the "Growth-factor considerations" section. To learn more about percentile value, see the "Percentile value used for the calculation" section. -> +>Because usage is likely to increase over time, all the preceding tool calculations are performed assuming a 30% growth factor in workload characteristics, and using a 95th percentile value of all the profiling metrics (read/write IOPS, churn, and so forth). Both of these elements (growth factor and percentile calculation) are configurable. To learn more about growth factor, see the "Growth-factor considerations" section. To learn more about percentile value, see the "Percentile value used for the calculation" section. ## Support matrix If you have previous version of the deployment planner, do either of the followi >[!NOTE] - > >When you start profiling with the new version, pass the same output directory path so that the tool appends profile data on the existing files. A complete set of profiled data will be used to generate the report. If you pass a different output directory, new files are created, and old profiled data is not used to generate the report. > >Each new deployment planner is a cumulative update of the .zip file. You don't need to copy the newest files to the previous folder. You can create and use a new folder. ## Version history -The latest Azure Site Recovery Deployment Planner tool version is 2.5. +The latest Azure Site Recovery Deployment Planner tool version is 3.0. Refer to [Azure Site Recovery Deployment Planner Version History](/azure/site-recovery/site-recovery-deployment-planner-history) page for the fixes that are added in each update.
site-recovery	Migrate Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/migrate-overview.md	Title: Compare Azure Migrate and Site Recovery for migration to Azure description: Summarizes the advantages of using Azure Migrate for migration instead of Site Recovery. -+ Last updated 10/31/2023 # Migrating to Azure -For migration, we recommend that you use the Azure Migrate service to migrate your VMs and servers to Azure, instead of using Azure Site Recovery service. Learn about [Azure Migrate](../migrate/migrate-services-overview.md). +For migration, we recommend that you use the Azure Migrate service to migrate your virtual machines and servers to Azure, instead of using Azure Site Recovery service. Learn about [Azure Migrate](../migrate/migrate-services-overview.md). ## Why use Azure Migrate? Using Azure Migrate for migration provides many advantages: - The Migration and modernization tool is purpose-built for server migration to Azure. It's optimized for migration. You don't need to learn about concepts and scenarios that aren't directly relevant to migration. - Azure Migrate can be used to identify modernization opportunities and migration previews. - Some key features like OS upgrade are only available with Azure Migrate-- There are no tool usage charges for migration for 180 days, from the time replication is started for a VM. This gives you time to complete migration. You only pay for the storage and network resources used in replication, and for compute charges consumed during test migrations.-- Azure Migrate supports all migration scenarios supported by Site Recovery. In addition, for VMware VMs, Azure Migrate provides an agentless migration option. +- There are no tool usage charges for migration for 180 days, from the time replication is started for a virtual machine. This gives you time to complete migration. You only pay for the storage and network resources used in replication, and for compute charges consumed during test migrations. +- Azure Migrate supports all migration scenarios supported by Site Recovery. In addition, for VMware virtual machines, Azure Migrate provides an agentless migration option. - We're prioritizing new migration features for the Migration and modernization tool only. These features aren't targeted for Site Recovery. ## When to use Site Recovery? Using Azure Migrate for migration provides many advantages: Site Recovery should be used: - For disaster recovery of on-premises machines to Azure.-- For disaster recovery of Azure VMs, between Azure regions. +- For disaster recovery of Azure virtual machines, between Azure regions. ## Which service to use for migration? We recommend using Azure Migrate to migrate on-premises servers to Azure. However, if you've already started your migration journey with Site Recovery, consider the following details: -- If you're already using Azure Site Recovery to replicate your servers, you don't need to deploy a Migrate appliance. Remove the BCDR protection, and replicate with a new appliance. +- If you're already using Azure Site Recovery to replicate your servers, you don't need to deploy a Migrate appliance. Remove the Business Continuity Disaster Recovery protection, and replicate with a new appliance. - However, there are benefits to conducting assessment, dependency analysis, and business case review with the Azure Migrate discovery appliance even for workloads that are already replicating. - There could be architecture changes required to support the workload in the long term. In this case, address the requirements while continuing to use Azure Site Recovery to replicate so that you don't lose protections. Suggestions to choose between Azure Migrate and Site Recovery: - For new migration: If you're beginning a new migration and don't have either Azure Site Recovery or Migrate in place, we recommend that you use Azure Migrate. - For disaster recovery of on-premises machines to Azure: For disaster recovery of on-premises machines to Azure, we recommend that you use Azure Site Recovery. You can also use this service to migrate machines to Azure once it has been determined that they should be moved off-premise. -- For disaster recovery of Azure VMs between Azure region: For disaster recovery of Azure VMs between Azure regions, we recommend that you use Azure Site Recovery. Although you can use Azure Migrate to initially move them into Azure. +- For disaster recovery of Azure virtual machines between Azure region: For disaster recovery of Azure virtual machines between Azure regions, we recommend that you use Azure Site Recovery. Although you can use Azure Migrate to initially move them into Azure. - If you're already using Azure Site Recovery: If you're currently using Azure Site Recovery to actively protect your machines, continue to use it for replication. However, consider using Azure Migrate for conducting business cases and dependency analysis. ## Next steps
site-recovery	Monitor Site Recovery	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/monitor-site-recovery.md	Title: Monitor Azure Site Recovery description: Start here to learn how to monitor Azure Site Recovery. Last updated 03/21/2024 -+
site-recovery	Monitoring Common Questions	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/monitoring-common-questions.md	Title: Common questions about Azure Site Recovery monitoring description: Get answers to common questions about Azure Site Recovery monitoring, using inbuilt monitoring and Azure Monitor (Log Analytics) - Previously updated : 10/13/2023- Last updated : 09/18/2024+ This article answers common questions about monitoring Azure [Site Recovery](sit Site Recovery uses a multi-step, asynchronous process to replicate machines to Azure. - In the penultimate step of replication, recent changes on the machine, along with metadata, are copied into a log/cache storage account.-- These changes, along with the tag that identifies a recoverable point, are written to the storage account/managed disk in the target region. +- These changes, along with the tag that identifies a recoverable point, is written to the storage account/managed disk in the target region. - Site Recovery can now generate a recoverable point for the machine. - At this point, the RPO has been met for the changes uploaded to the storage account so far. In other words, the machine RPO at this point is equal to amount of time that's elapsed from the timestamp corresponding to the recoverable point. - Now, Site Recovery picks the uploaded data from the storage account, and applies it to the replica disks created for the machine. An incorrect system time on the replicating source machine, or on on-premises in ## Inbuilt Site Recovery logging -### Why is the VM count in the vault infrastructure view different from the total count shown in Replicated Items? +### Why is the virtual machine count in the vault infrastructure view different from the total count shown in Replicated Items? The vault infrastructure view is scoped by replication scenarios. Only machines in the currently selected replication scenario are included in the count for the view. In addition, we only count VMs that are configured to replicate to Azure. Failed over machines, or machines replicating back to an on-premises site, aren't counted in the view. Only machines for which initial replication has completed are included in the co - AzureSiteRecoveryReplicationDataUploadRate and AzureSiteRecoveryProtectedDiskDataChurn are sent every five minutes. - AzureSiteRecoveryJobs is sent at the trigger and completion of a job. - AzureSiteRecoveryEvents is sent whenever an event is generated. -- AzureSiteRecoveryReplicatedItems is sent whenever there is any environment change. Typically, the data refresh time is 15 minutes after a change. +- AzureSiteRecoveryReplicatedItems is sent whenever there's any environment change. Typically, the data refresh time is 15 minutes after a change. ### How long is data kept in Azure Monitor logs? Typically the size of a log is 15-20 KB. ### Is there any cost for using built-in Azure Monitor alerts for Azure Site Recovery? -With built-in Azure Monitor alerts, alerts for critical operations/failures generate by default (that you can view in the portal or via non-portal interfaces) at no additional cost. However, to route these alerts to a notification channel (such as email), it incurs a minor cost for notifications beyond the free tier (of 1000 emails per month). [Learn more about Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). +With built-in Azure Monitor alerts, alerts for critical operations/failures generate by default (that you can view in the portal or via nonportal interfaces) at no extra cost. However, to route these alerts to a notification channel (such as email), it incurs a minor cost for notifications beyond the free tier (of 1,000 emails per month). [Learn more about Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). ### Will the current email notification solution for Azure Site Recovery in Recovery Services vault continue to work? -As of today, the current email notification solution co-exists in parallel with the new built-in Azure Monitor alerts solution. we recommend you to try out the Azure Monitor based alerting to familiarize yourself with the new experience and leverage its capabilities. +As of today, the current email notification solution coexists in parallel with the new built-in Azure Monitor alerts solution. We recommend you to try out the Azure Monitor based alerting to familiarize yourself with the new experience and use its capabilities. ### What is the difference between alert rule, alert processing rule and action group? - Alert rule: Refers to a user-created rule that specifies the condition on which an alert should be fired.-- Alert processing rule (earlier called Action rule): Refers to a user-created rule that specifies the notification channels a particular fired alert should be routed to. You can also use alert processing rules to suppress notifications for a period of time. +- Alert processing rule (earlier called Action rule): Refers to a user-created rule that specifies the notification channels a particular fired alert should be routed to. You can also use alert processing rules to suppress notifications for time. - Action group: Refers to the notification channel (such as email, ITSM endpoint, logic app, webhook, and so on) that a fired alert can be routed to. In the case of built-in Azure Monitor alerts, as alerts already generate by default, you don't need to create an alert rule. To route these alerts to a notification channel, you should create an alert processing rule and an action group for these alerts. [Learn more](site-recovery-monitor-and-troubleshoot.md#configure-email-notifications-for-alerts)
site-recovery	Move From Classic To Modernized Vmware Disaster Recovery	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/move-from-classic-to-modernized-vmware-disaster-recovery.md	Title: Move from classic to modernized VMware disaster recovery. description: Learn about the architecture, necessary infrastructure, and FAQs about moving your VMware or Physical machine replications from classic to modernized protection architecture. -+ Last updated 05/23/2024
site-recovery	Physical Azure Set Up Source	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/physical-azure-set-up-source.md	Title: Set up the configuration server for disaster recovery of physical servers to Azure using Azure Site Recovery \| Microsoft Docs' + Title: Set up the configuration server for disaster recovery of physical servers to Azure using Azure Site Recovery description: This article describes how to set up the on-premises configuration server for disaster recovery of on-premises physical servers to Azure.- - -+ Last updated 07/03/2019
site-recovery	Physical Server Azure Architecture Modernized	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/physical-server-azure-architecture-modernized.md	Title: Physical server to Azure disaster recovery architecture ΓÇô Modernized description: This article provides an overview of components and architecture used when setting up disaster recovery of on-premises Windows and Linux servers to Azure with Azure Site Recovery - Modernized -+ Last updated 12/14/2023
site-recovery	Physical Server Enable Replication	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/physical-server-enable-replication.md	Title: Enable replication for a physical server ΓÇô Modernized description: This article describes how to enable physical servers replication for disaster recovery using the Azure Site Recovery service -+ Last updated 05/24/2024
site-recovery	Recovery Plan Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/recovery-plan-overview.md	Title: About recovery plans in Azure Site Recovery description: Learn about recovery plans in Azure Site Recovery. -+ Last updated 01/23/2020
site-recovery	Replication Appliance Support Matrix	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/replication-appliance-support-matrix.md	Title: Support requirements for Azure Site Recovery replication appliance description: This article describes support and requirements when deploying the replication appliance for VMware disaster recovery to Azure with Azure Site Recovery - Modernized -+ Last updated 12/04/2023
site-recovery	Service Updates How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/service-updates-how-to.md	Title: Updates and component upgrades in Azure Site Recovery description: Provides an overview of Azure Site Recovery service updates, MARS agent and component upgrades. - -+ Last updated 08/11/2021
site-recovery	Site Recovery Active Directory	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-active-directory.md	Title: Set up Active Directory/DNS disaster recovery with Azure Site Recovery description: This article describes how to implement a disaster recovery solution for Active Directory and DNS with Azure Site Recovery. - -+ Last updated 04/01/2020
site-recovery	Site Recovery Backup Interoperability	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-backup-interoperability.md	Title: Support for using Azure Site Recovery with Azure Backup description: Provides an overview of how Azure Site Recovery and Azure Backup can be used together. -+ Last updated 05/24/2024
site-recovery	Site Recovery Deployment Planner History	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-deployment-planner-history.md	Title: Azure Site Recovery Deployment Planner Version History description: Known different Site Recovery Deployment Planner Versions fixes and known limitations along with their release dates. -+ Last updated 08/07/2024
site-recovery	Site Recovery Deployment Planner	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-deployment-planner.md	Title: Azure Site Recovery Deployment Planner for VMware disaster recovery description: Learn about the Azure Site Recovery Deployment Planner for disaster recovery of VMware VMs to Azure. - -+ Last updated 08/30/2024
site-recovery	Site Recovery Manage Network Interfaces On Premises To Azure	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-manage-network-interfaces-on-premises-to-azure.md	Title: Manage network adapters for on-premises disaster recovery with Azure Site description: Describes how to manage network interfaces for on-premises disaster recovery to Azure with Azure Site Recovery -+ Last updated 05/27/2024
site-recovery	Site Recovery Manage Registration And Protection	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-manage-registration-and-protection.md	Title: Remove servers and disable protection description: This article describes how to unregister servers from a Site Recovery vault, and to disable protection for virtual machines and physical servers. -+ Last updated 07/08/2024
site-recovery	Site Recovery Monitor And Troubleshoot	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-monitor-and-troubleshoot.md	Title: Azure Site Recovery dashboard and built-in alerts description: Monitor and troubleshoot Azure Site Recovery replication issues and operations, and enable built-in alerts, by using the portal. -+ Last updated 07/10/2024
site-recovery	Site Recovery Plan Capacity Vmware	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-plan-capacity-vmware.md	Title: Plan capacity for VMware disaster recovery with Azure Site Recovery description: This article can help you plan capacity and scaling when you set up disaster recovery of VMware VMs to Azure by using Azure Site Recovery. - -+ Last updated 08/19/2021
site-recovery	Site Recovery Retain Ip Azure Vm Failover	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-retain-ip-azure-vm-failover.md	description: Describes how to retain IP addresses when failing over Azure VMs fo Last updated 07/25/2021 -+
site-recovery	Site Recovery Role Based Linked Access Control	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-role-based-linked-access-control.md	description: This article describes how to apply Azure role-based access control Last updated 04/08/2019 -+
site-recovery	Site Recovery Vmware Deployment Planner Cost Estimation	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-vmware-deployment-planner-cost-estimation.md	Title: Review cost estimations in the Azure Site Recovery Deployment Planner -description: This articles describes how to review the cost estimations in the Azure Site Recovery Deployment Planner for VMware disaster recovery. +description: This article describes how to review the cost estimations in the Azure Site Recovery Deployment Planner for VMware disaster recovery. - -+ Last updated 05/27/2021 # Review cost estimations in the VMware Deployment Planner -The deployment planner report provides the cost estimation summary in [Recommendations](site-recovery-vmware-deployment-planner-analyze-report.md#recommendations) sheets and detailed cost analysis in Cost Estimation sheet. It has the detailed cost analysis per VM. +The deployment planner report provides the cost estimation summary in [Recommendations](site-recovery-vmware-deployment-planner-analyze-report.md#recommendations) sheets and detailed cost analysis in Cost Estimation sheet. It has the detailed cost analysis per virtual machine. >[!Note] ->The current version of Deployment planner tool v2.5 provides cost estimation for VMs replicating to Managed Disks. +>The current version of Deployment planner tool v2.5 provides cost estimation for virtual machines replicating to Managed Disks. ### Cost estimation summary The graph shows the summary view of the estimated total disaster recovery (DR) cost to Azure of your chosen target region and the currency that you have specified for report generation. Cost estimation summary ![Cost estimation summary](media/site-recovery-vmware-deployment-planner-analyze-report/cost-estimation-summary-v2a.png) -The summary helps you to understand the cost that you need to pay for storage, compute, network, and license when you protect all your compatible VMs to Azure using Azure Site Recovery. The cost is calculated on for compatible VMs and not on all the profiled VMs. +The summary helps you to understand the cost that you need to pay for storage, compute, network, and license when you protect all your compatible virtual machines to Azure using Azure Site Recovery. The cost is calculated on for compatible virtual machines and not on all the profiled virtual machines. You can view the cost either monthly or yearly. Learn more about [supported target regions](./site-recovery-vmware-deployment-planner-cost-estimation.md#supported-target-regions) and [supported currencies](./site-recovery-vmware-deployment-planner-cost-estimation.md#supported-currencies). Cost by components -The total DR cost is divided into four components: Compute, Storage, Network, and Azure Site Recovery license cost. The cost is calculated based on the consumption that will be incurred during replication and at DR drill time for compute, storage (premium and standard), ExpressRoute/VPN that is configured between the on-premises site and Azure, and Azure Site Recovery license. +The total DR cost is divided into four components: Compute, Storage, Network, and Azure Site Recovery license cost. The cost is calculated based on the consumption that is incurred during replication and at DR drill time for compute, storage (premium and standard), ExpressRoute/VPN that is configured between the on-premises site and Azure, and Azure Site Recovery license. Cost by states The total disaster recovery (DR) cost is categories based on two different states - Replication and DR drill. -Replication cost: The cost that will be incurred during replication. It covers the cost of storage, network, and Azure Site Recovery license. +Replication cost: The cost that is incurred during replication. It covers the cost of storage, network, and Azure Site Recovery license. -DR-Drill cost: The cost that will be incurred during test failovers. Azure Site Recovery spins up VMs during test failover. The DR drill cost covers the running VMsΓÇÖ compute and storage cost. +DR-Drill cost: The cost that is incurred during test failovers. Azure Site Recovery spins up virtual machines during test failover. The DR drill cost covers the running virtual machinesΓÇÖ compute and storage cost. Azure storage cost per Month/Year -It shows the total storage cost that will be incurred for premium and standard storage for replication and DR drill. +It shows the total storage cost that is incurred for premium and standard storage for replication and DR drill. ## Detailed cost analysis -Azure prices for compute, storage, network, etc. varies across Azure regions. You can generate a cost estimation report with the latest Azure prices based on your subscription, the offer that is associated with your subscription and for the specified target Azure region in the specified currency. By default, the tool uses West US 2 Azure region and US dollar (USD) currency. If you have used any other region and currency, the next time when you generate a report without subscription ID, offer ID, target region, and currency, it will use prices of the last used target region and last used currency for cost estimation. -This section shows the subscription ID and offer ID that you have used for report generation. If not used, it is blank. +Azure prices for compute, storage, network, etc. varies across Azure regions. You can generate a cost estimation report with the latest Azure prices based on your subscription, the offer that is associated with your subscription and for the specified target Azure region in the specified currency. By default, the tool uses West US 2 Azure region and US dollar (USD) currency. If you have used any other region and currency, the next time when you generate a report without subscription ID, offer ID, target region, and currency, it'll use prices of the last used target region and last used currency for cost estimation. +This section shows the subscription ID and offer ID that you have used for report generation. If not used, it's blank. In the whole report, the cells marked in gray are read only. Cells in white can be modified per your requirements. In the whole report, the cells marked in gray are read only. Cells in white can ### Overall DR cost by components The first section shows the overall DR cost by components and DR cost by states. -Compute: Cost of IaaS VMs that run on Azure for DR needs. It includes VMs that are created by Azure Site Recovery during DR-drills (test failovers) and VMs running on Azure like SQL Server with Always On Availability Groups and domain controllers / Domain Name Servers. +Compute: Cost of IaaS virtual machines that run on Azure for DR needs. It includes virtual machines that are created by Azure Site Recovery during DR-drills (test failovers) and virtual machines running on Azure like SQL Server with Always On Availability Groups and domain controllers / Domain Name Servers. Storage: Cost of Azure storage consumption for DR needs. It includes storage consumption for replication and during DR drills. Network: ExpressRoute and Site to Site VPN cost for DR needs. -ASR license: Azure Site Recovery license cost for all compatible VMs. If you have manually entered a VM in the detailed cost analysis table, Azure Site Recovery license cost is also included for that VM. +ASR license: Azure Site Recovery license cost for all compatible virtual machines. If you have manually entered a virtual machine in the detailed cost analysis table, Azure Site Recovery license cost is also included for that virtual machine. ### Overall DR cost by states The total DR cost is categorized based on two different states - replication and DR-Drill. Replication cost: The cost incurs at the time of replication. It covers the cost of storage, network, and Azure Site Recovery license. -DR-Drill cost: The cost incurs at the time of DR drills. Azure Site Recovery spins up VMs during DR drills. The DR drill cost covers compute and storage cost of the running VMs. +DR-Drill cost: The cost incurs at the time of DR drills. Azure Site Recovery spins up virtual machines during DR drills. The DR drill cost covers compute and storage cost of the running virtual machines. 1. Total DR drill duration in a year = Number of DR drills x Each DR drill duration (days) Select the appropriate setting as per your requirements. ExpressRoute: By default, the tool selects the nearest ExpressRoute plan that matches with the required network bandwidth for delta replication. You can change the plan as per your requirements. -VPN Gateway: Select the VPN Gateway if you have any in your environment. By default, it is NA. +VPN Gateway: Select the VPN Gateway if you have any in your environment. By default, it's NA. Target Region: Specified Azure region for DR. The price used in the report for compute, storage, network, and license is based on the Azure pricing for that region. -### VM running on Azure -If you have any domain controller or DNS VM or SQL Server VM with Always On Availability Groups running on Azure for DR, you can provide the number of VMs and the size to consider their computing cost in the total DR cost. +### Virtual machine running on Azure +If you have any domain controller or DNS virtual machine or SQL Server virtual machine with Always On Availability Groups running on Azure for DR, you can provide the number of virtual machines and the size to consider their computing cost in the total DR cost. ### Apply overall discount if applicable If you are an Azure partner or a customer and are entitled to any discount on overall Azure pricing, you can use this field. The tool applies the discount (in %) on all components. ### Number of virtual machines type and compute cost (per year) -This table shows the number of Windows and non-Windows VMs and DR drill compute cost for them. +This table shows the number of Windows and non-Windows virtual machines and DR drill compute cost for them. ### Settings Cost duration: You can view all costs either for the month or for the whole yea ## Detailed cost analysis table ![Detailed cost analysis](media/site-recovery-hyper-v-deployment-planner-cost-estimation/detailed-cost-analysis-h2a.png) -The table lists the cost breakup for each compatible VM. -You can also use this table to get estimated Azure DR cost of non-profiled VMs by manually adding VMs. It is useful in cases where you need to estimate Azure costs for a new disaster recovery deployment without detailed profiling being done. -To manually add VMs: +The table lists the cost breakup for each compatible virtual machine. +You can also use this table to get estimated Azure DR cost of nonprofiled virtual machines by manually adding virtual machines. It's useful in cases where you need to estimate Azure costs for a new disaster recovery deployment without detailed profiling being done. +To manually add virtual machines: 1. Click on the 'Insert row' button to insert a new row between the Start and End rows. -2. Fill the following columns based on approximate VM size and number of VMs that match this configuration: +2. Fill the following columns based on approximate virtual machine size and number of virtual machines that match this configuration: -* Number of VMs, IaaS size (Your selection) +* Number of virtual machines, IaaS size (Your selection) * Storage Type (Standard/Premium) -* VM total storage size (GB) of the source machine +* virtual machine total storage size (GB) of the source machine * Number of DR drills in a year * Each DR drill duration (Days) * OS Type * Data redundancy * Azure Hybrid Benefit -1. You can apply the same value to all VMs in the table by clicking the 'Apply to all' button for Number of DR-Drills in a year, Each DR-Drill duration (Days), Data redundancy, and Azure Hybrid Use Benefit. +1. You can apply the same value to all virtual machines in the table by clicking the Apply to all button for Number of DR-Drills in a year, Each DR-Drill duration (Days), Data redundancy, and Azure Hybrid Use Benefit. -1. Click 'Re-calculate cost' to update cost. +1. Click Recalculate cost to update cost. -VM Name: The name of the VM. +virtual machine Name: The name of the virtual machine. -Number of VMs: The number of VMs that match the configuration. You can update the number of the existing VMs if similar configuration VMs are not profiled but will be protected. +Number of virtual machines: The number of virtual machines that match the configuration. You can update the number of the existing virtual machines if similar configuration virtual machines are not profiled but are protected. -IaaS size (Recommendation): It is the VM role size of the compatible VM that the tool recommends. +IaaS size (Recommendation): It's the virtual machine role size of the compatible virtual machine that the tool recommends. -IaaS size (Your selection): By default, it is the same as recommended VM role size. You can change the role based on your requirement. Compute cost is based on your selected VM role size. +IaaS size (Your selection): By default, it's the same as recommended virtual machine role size. You can change the role based on your requirement. Compute cost is based on your selected virtual machine role size. -Storage type: The type of the storage that is used by the VM. It is either standard or premium storage. +Storage type: The type of the storage that is used by the virtual machine. It's either standard or premium storage. -VM total storage size (GB): The total storage of the source VM. +virtual machine total storage size (GB): The total storage of the source virtual machine. -Number of DR-Drills in a year: The number of times you perform DR-Drills in a year. By default, it is 4 times in a year. You can modify the period for specific VMs or apply the new value to all VMs by entering the new value on the top row and clicking the ΓÇÿApply to allΓÇÖ button. Based on number of DR-Drills in a year and each DR-Drill duration period, the total DR-Drill cost is calculated. +Number of DR-Drills in a year: The number of times you perform DR-Drills in a year. By default, it's 4 times in a year. You can modify the period for specific virtual machines or apply the new value to all virtual machines by entering the new value on the top row and clicking the Apply to all button. Based on number of DR-Drills in a year and each DR-Drill duration period, the total DR-Drill cost is calculated. -Each DR-Drill duration (Days): The duration of each DR-Drill. By default, it is 7 days every 90 days as per the [Disaster Recovery Software Assurance benefit](https://azure.microsoft.com/pricing/details/site-recovery). You can modify the period for specific VMs or you can apply a new value to all VMs by entering new value on the top row and clicking the ΓÇÿApply to allΓÇÖ button. The total DR-Drill cost is calculated based on number of DR-Drills in a year and each DR-Drill duration period. +Each DR-Drill duration (Days): The duration of each DR-Drill. By default, it's 7 days every 90 days as per the [Disaster Recovery Software Assurance benefit](https://azure.microsoft.com/pricing/details/site-recovery). You can modify the period for specific virtual machines or you can apply a new value to all virtual machines by entering new value on the top row and clicking the Apply to all button. The total DR-Drill cost is calculated based on number of DR-Drills in a year and each DR-Drill duration period. -OS Type: The OS type of the VM. It is either Windows or Linux. If the OS type is Windows, then Azure Hybrid Use Benefit can be applied to that VM. +OS Type: The OS type of the virtual machine. It's either Windows or Linux. If the OS type is Windows, then Azure Hybrid Use Benefit can be applied to that virtual machine. -Data redundancy: It can be one of the following - Locally redundant storage (LRS), Geo-redundant storage (GRS) or Read-access geo-redundant storage (RA-GRS). Default is LRS. You can change the type based on your storage account for specific VMs or you can apply the new type to all VMs by changing the type of the top row and clicking ΓÇÿApply to allΓÇÖ button. The cost of storage for replication is calculated based on the price of data redundancy that you have selected. +Data redundancy: It can be one of the following - Locally redundant storage (LRS), Geo-redundant storage (GRS) or Read-access geo-redundant storage (RA-GRS). Default is LRS. You can change the type based on your storage account for specific virtual machines or you can apply the new type to all virtual machines by changing the type of the top row and clicking Apply to all button. The cost of storage for replication is calculated based on the price of data redundancy that you have selected. -Azure Hybrid Benefit: You can apply Azure Hybrid Benefit to Windows VMs if applicable. Default is Yes. You can change the setting for specific VMs or update all VMs by clicking the ΓÇÿApply to allΓÇÖ button. +Azure Hybrid Benefit: You can apply Azure Hybrid Benefit to Windows virtual machines if applicable. Default is Yes. You can change the setting for specific virtual machines or update all virtual machines by clicking the Apply to all button. -Total Azure consumption: It includes compute, storage, and Azure Site Recovery license cost for your DR. Based on your selection it shows the cost either monthly or yearly. +Total Azure consumption: It includes compute, storage, and Azure Site Recovery license cost for your DR. Based on your selection, it shows the cost either monthly or yearly. Steady state replication cost: It includes storage cost for replication. The Azure Site Recovery Deployment Planner can generate the cost report with any \|TRY\|Turkish Lira (TL)\|USD\| US Dollar ($)\|ZAR\|South African Rand (R)\| ## Next steps -Learn more about protecting [VMware VMs to Azure using Azure Site Recovery](./vmware-azure-tutorial.md). +Learn more about protecting [VMware virtual machines to Azure using Azure Site Recovery](./vmware-azure-tutorial.md).
site-recovery	Upgrade 2012R2 To 2016	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/upgrade-2012R2-to-2016.md	Title: Upgrade Windows Server and System Center VMM 2012 R2 to 2016 description: Learn how to upgrade Windows Server 2012 R2 hosts and System Center Virtual Machine Manager 2012 R2 configured with Azure Site Recovery to Windows Server 2016 and Virtual Machine Manager 2016.- --+ Previously updated : 03/02/2023 Last updated : 09/23/2024
site-recovery	Vmware Azure Deploy Configuration Server	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-deploy-configuration-server.md	Title: Deploy the configuration server in Azure Site Recovery description: This article describes how to deploy a configuration server for VMware disaster recovery with Azure Site Recovery- - -+ Last updated 11/01/2023
site-recovery	Vmware Azure Disaster Recovery Powershell	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-disaster-recovery-powershell.md	Title: Set up VMware disaster recovery using PowerShell in Azure Site Recovery description: Learn how to set up replication and failover to Azure for disaster recovery of VMware VMs using PowerShell in Azure Site Recovery. - -+ Last updated 03/07/2024
site-recovery	Vmware Azure Enable Replication	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-enable-replication.md	Title: Enable VMware VMs for disaster recovery using Azure Site Recovery description: This article describes how to enable VMware VM replication for disaster recovery using the Azure Site Recovery service - -+ Previously updated : 05/27/2021 Last updated : 09/24/2024 # Enable replication to Azure for VMware VMs
site-recovery	Vmware Azure Failback	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-failback.md	Title: Fail back VMware VMs/physical servers from Azure with Azure Site Recovery description: Learn how to fail back to the on-premises site after failover to Azure, during disaster recovery of VMware VMs and physical servers to Azure. - -+ Last updated 12/04/2023
site-recovery	Vmware Azure Install Mobility Service	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-install-mobility-service.md	Title: Prepare source machines to install the Mobility Service through push installation for disaster recovery of VMware VMs and physical servers to Azure \| Microsoft Docs + Title: Prepare source machines to install the Mobility Service through push installation for disaster recovery of VMware VMs and physical servers to Azure description: Learn how to prepare your server to install Mobility agent through push installation for disaster recovery of VMware VMs and physical servers to Azure using the Azure Site Recovery service.- -+ Previously updated : 04/02/2024 Last updated : 09/24/2024
site-recovery	Vmware Azure Manage Configuration Server	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-manage-configuration-server.md	Title: Manage the configuration server for disaster recovery with Azure Site Recovery description: Learn about the common tasks to manage an on-premises configuration server for disaster recovery of VMware VMs and physical servers to Azure with Azure Site Recovery. - -+ Last updated 08/03/2022
site-recovery	Vmware Azure Manage Process Server	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-manage-process-server.md	Title: Manage a process server for VMware VMs/physical server disaster recovery in Azure Site Recovery description: This article describes manage a process server for disaster recovery of VMware VMs/physical servers using Azure Site Recovery. - -+ Last updated 05/27/2021
site-recovery	Vmware Azure Manage Vcenter	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-manage-vcenter.md	Title: Manage VMware vCenter servers in Azure Site Recovery description: This article describes how to add and manage VMware vCenter for disaster recovery of VMware VMs to Azure with Azure Site Recovery. - -+ Last updated 05/27/2021
site-recovery	Vmware Azure Multi Tenant Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-multi-tenant-overview.md	Title: VMware VM multi-tenant disaster recovery with Azure Site Recovery description: Provides an overview of Azure Site Recovery support for VMWare disaster recovery to Azure in a multi-tenant environment (CSP) program. -+ Last updated 09/06/2024
site-recovery	Vmware Azure Prepare Failback	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-prepare-failback.md	Title: Prepare VMware VMs for reprotection and failback with Azure Site Recovery description: Prepare for fail back of VMware VMs after failover with Azure Site Recovery-+ Previously updated : 09/18/2023 Last updated : 09/24/2024
site-recovery	Vmware Azure Reprotect	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-reprotect.md	Title: Reprotect VMware VMs to an on-premises site with Azure Site Recovery description: Learn how to reprotect VMware VMs after failover to Azure with Azure Site Recovery. - -+ Last updated 03/13/2024
site-recovery	Vmware Azure Set Up Process Server Azure	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-set-up-process-server-azure.md	Title: Set up a process server VMware/physical failback in Azure Site Recovery description: This article describes how to set up a process server in Azure, to failback Azure VMs to VMware.-
site-recovery	Vmware Azure Troubleshoot Failback Reprotect	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-troubleshoot-failback-reprotect.md	Title: Troubleshoot failback in VMware VM disaster recovery with Azure Site Recovery description: This article describes ways to troubleshoot failback and reprotection issues during VMware VM disaster recovery to Azure with Azure Site Recovery. - -+ Last updated 11/27/2018
site-recovery	Vmware Azure Troubleshoot Push Install	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-troubleshoot-push-install.md	Title: Troubleshoot Mobility Service push installation with Azure Site Recovery description: Troubleshoot Mobility Services installation errors when enabling replication for disaster recovery with Azure Site Recovery. - -+ Last updated 05/27/2021
site-recovery	Vmware Physical Azure Classic Deprecation	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-azure-classic-deprecation.md	Title: Deprecation of classic experience to protect VMware and physical machines using Azure Site Recovery \| Microsoft Docs description: Details about upcoming deprecation of classic experience to protect VMware and physical machines to Azure and alternate options-- -+ Last updated 03/14/2023
site-recovery	Vmware Physical Azure Monitor Process Server	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-azure-monitor-process-server.md	Title: Monitor the Azure Site Recovery process server description: This article describes how to monitor Azure Site Recovery process server used for VMware VM/physical server disaster recovery - Previously updated : 11/14/2019+ Last updated : 09/24/2024
site-recovery	Vmware Physical Azure Support Matrix	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-azure-support-matrix.md	Title: Support matrix for VMware/physical disaster recovery in Azure Site Recovery. description: Summarizes support for disaster recovery of VMware VMs and physical server to Azure using Azure Site Recovery.-+ Last updated 07/15/2024
site-recovery	Vmware Physical Large Deployment	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-large-deployment.md	Title: Scale VMware/physical disaster recovery with Azure Site Recovery description: Learn how to set up disaster recovery to Azure for large numbers of on-premises VMware VMs or physical servers with Azure Site Recovery. -+ Last updated 08/31/2023
site-recovery	Vmware Physical Manage Mobility Service	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-manage-mobility-service.md	Title: Manage the Mobility agent for VMware/physical servers with Azure Site Recovery description: Manage Mobility Service agent for disaster recovery of VMware VMs and physical servers to Azure using the Azure Site Recovery service. - --+ Last updated 03/07/2024
static-web-apps	Enterprise Edge	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/enterprise-edge.md	Previously updated : 06/24/2024 Last updated : 09/23/2024 az staticwebapp enterprise-edge enable --name my-static-webapp --resource-group +## Considerations + +- Deleting a custom domain mapped to your account can take up to 48 hours to propagate. + ## Limitations - Private Endpoint can't be used with enterprise-grade edge.-- Custom domains configured using `A` records (DNS) aren't supported with enterprise-grade edge. ## Next steps
storage	Upgrade To Data Lake Storage Gen2 How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/upgrade-to-data-lake-storage-gen2-how-to.md	In some cases, you will have to allow time for clean-up operations after a featu > You cannot upgrade a storage account to Data Lake Storage that has ever had the change feed feature enabled. > Simply disabling change feed will not allow you to perform an upgrade. Instead, you must create an account with the hierarchical namespace feature enabled on it, and move then transfer your data into that account. +### Remove page blobs from the storage account + +You cannot upgrade a storage account that contains page blobs. Make sure to remove page blobs from the storage account before you perform the upgrade. + ### Ensure the segments of each blob path are named The migration process creates a directory for each path segment of a blob. Data Lake Storage directories must have a name so for migration to succeed, each path segment in a virtual directory must have a name. The same requirement is true for segments that are named only with a space character. If any path segments are either unnamed (`//`) or named only with a space character (`_`), then before you proceed with the migration, you must copy those blobs to a new path that is compatible with these naming requirements.
virtual-desktop	Autoscale Create Assign Scaling Plan	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/autoscale-create-assign-scaling-plan.md	To use scaling plans, make sure you follow these guidelines: - You must grant Azure Virtual Desktop access to manage the power state of your session host VMs. You must have the `Microsoft.Authorization/roleAssignments/write` permission on your subscriptions in order to assign the role-based access control (RBAC) role for the Azure Virtual Desktop service principal on those subscriptions. This is part of User Access Administrator and Owner built in roles. -- If you want to use personal desktop autoscale with hibernation, you'll need to enable the hibernation feature for VMs in your personal host pool. FSLogix and app attach currently don't support hibernate. Don't enable hibernate if you're using FSLogix or app attach for your personal host pools. For the full list of prerequisites for hibernation, see [Prerequisites to use hibernation](/azure/virtual-machines/hibernate-resume). +- If you want to use personal desktop autoscale with hibernation, you'll need to enable the hibernation feature for VMs in your personal host pool. FSLogix and app attach currently don't support hibernate. Don't enable hibernate if you're using FSLogix or app attach for your personal host pools. For more information on using hibernation, including how hibernaiton works, limitations, and prerequisites, see [Hibernation for Azure virtual machines](/azure/virtual-machines/hibernate-resume). - If you are using PowerShell to create and assign your scaling plan, you will need module [Az.DesktopVirtualization](https://www.powershellgallery.com/packages/Az.DesktopVirtualization/) version 4.2.0 or later. -- If you are [configuring a time limit policy using Microsoft Intune](#configure-a-time-limit-policy-using-microsoft-intune), you will need: - - A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role. - - A group containing the devices you want to configure. - +- If you are [configuring a time limit policy](#configure-a-time-limit-policy), you will need: + - For Intune: a Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role and a group containing the devices you want to configure. + - For Group Policy: a domain account that has permission to create or edit Group Policy objects and a security group or organizational unit (OU) containing the devices you want to configure. ## Assign the Desktop Virtualization Power On Off Contributor role with the Azure portal Now that you've assigned the Desktop Virtualization Power On Off Contributor r > > - Whether youΓÇÖve enabled autoscale to force users to sign out during ramp-down or not, the [capacity threshold](autoscale-glossary.md#capacity-threshold) and the [minimum percentage of hosts](autoscale-glossary.md#minimum-percentage-of-hosts) are still respected, autoscale will only shut down VMs if all existing user sessions (active and disconnected) in the host pool can be consolidated to fewer VMs without exceeding the capacity threshold. > - > - You can also configure a time limit policy that will apply to all phases to sign out all disconnected users to reduce the [used host pool capacity](autoscale-glossary.md#used-host-pool-capacity). For more information, see [Configure a time limit policy using Microsoft Intune](#configure-a-time-limit-policy-using-microsoft-intune). - + > - You can also configure a time limit policy that will apply to all phases to sign out all disconnected users to reduce the [used host pool capacity](autoscale-glossary.md#used-host-pool-capacity). For more information, see [Configure a time limit policy](#configure-a-time-limit-policy). - Likewise, Off-peak hours works the same way as Peak hours: Here's how to create a scaling plan using the Az.DesktopVirtualization PowerShel -## Configure a time limit policy using Microsoft Intune +## Configure a time limit policy + +You can configure a time limit policy that will sign out all disconnected users once a set time is reached to reduce the [used host pool capacity](autoscale-glossary.md#used-host-pool-capacity) using Microsoft Intune or Group Policy. Select the relevant tab for your scenario. + +# [Microsoft Intune](#tab/intune) + +To configure a time limit policy using Intune: + +1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/). + +1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for Windows 10 and later devices, with the Session Time Limits profile type. + +1. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits. + +1. Check the box for Set time limit for disconnected sessions, then close the settings picker. + +1. Expand the Administrative templates category, then toggle the switch for Set time limit for disconnected sessions to Enabled, then select a time value from the drop-down list. + +1. Select Next. -You can configure a time limit policy that will sign out all disconnected users to reduce the [used host pool capacity](autoscale-glossary.md#used-host-pool-capacity). +1. Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). -To configure the policy using Intune, follow these steps: +1. On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next. -1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/). -2. Select Devices and Configuration. Then, select Create and New policy. -3. In Profile type, select Settings catalog and then Create. This will take you to the Create profile page. -4. On the Basics tab, enter a name for your policy. Select Next. -5. On the Configuration settings tab, select Add settings. -6. In the Settings picker pane, select Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits. Then select the checkbox for Set time limit for disconnected sessions. -7. The settings to enable the time limit will appear in the Configuration settings tab. Select your desired time limit in the drop-down menu for End a disconnected session (Device) and change the toggle to Enabled for Set time limit for disconnected sessions. -8. On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next. -9. On the Review + create tab, review the settings, then select Create. +1. On the Review + create tab, review the settings, then select Create. +1. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect. + +# [Group Policy](#tab/group-policy) + +To configure a time limit policy using Group Policy: + +1. Open the Group Policy Management console on device you use to manage the Active Directory domain. + +1. Create or edit a policy that targets the computers providing a remote session you want to configure. + +1. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits. + +1. Double-click the policy setting Set time limit for disconnected sessions to open it. + +1. Select Enabled, select a time value from the drop-down list, then select OK. + +1. Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect. ++ ## Edit an existing scaling plan +Select the relevant tab for your scenario. + ### [Portal](#tab/portal) -To edit an existing scaling plan: +To edit an existing scaling plan using the Azure portal: 1. Sign in to the [Azure portal](https://portal.azure.com).
virtual-desktop	Configure Single Sign On	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/configure-single-sign-on.md	If your session hosts meet the following criteria, you must [Create a Kerberos S - Your session host is Microsoft Entra joined and your environment contains Active Directory domain controllers. You must have a Kerberos Server object for users to access on-premises resources, such as SMB shares, and Windows-integrated authentication to websites. > [!IMPORTANT] -> If you enable single sign-on on Microsoft Entra hybrid joined session hosts before you create a Kerberos server object, one of the following things can happen: +> If you enable single sign-on on Microsoft Entra hybrid joined session hosts without creating a Kerberos server object, one of the following things can happen: > > - You receive an error message saying the specific session doesn't exist. > - Single sign-on will be skipped and you see a standard authentication dialog for the session host.
virtual-desktop	Custom Image Templates	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/custom-image-templates.md	There are two parts to creating a custom image: A custom image template is a JSON file that contains your choices of source image, distribution targets, build properties, and customizations. Azure Image Builder uses this template to create a custom image, which you can use as the source image for your session hosts when creating or updating a host pool. When creating the image, Azure Image Builder also takes care of generalizing the image with sysprep. -Custom images can be stored in [Azure Compute Gallery](/azure/virtual-machines/azure-compute-gallery) or as a [managed image](../virtual-machines/windows/capture-image-resource.yml or both. Azure Compute Gallery allows you to manage region replication, versioning, and sharing of custom images. See [Create a legacy managed image of a generalized VM in Azure](/azure/virtual-machines/capture-image-resource) to review limitations for managed images. +Custom images can be stored in [Azure Compute Gallery](/azure/virtual-machines/azure-compute-gallery) or as a [managed image](/azure/virtual-machines/capture-image-resource) or both. Azure Compute Gallery allows you to manage region replication, versioning, and sharing of custom images. See [Create a legacy managed image of a generalized VM in Azure](/azure/virtual-machines/capture-image-resource) to review limitations for managed images. The source image must be [supported for Azure Virtual Desktop](prerequisites.md#operating-systems-and-licenses) and can be from:
virtual-desktop	Connect Windows	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/users/connect-windows.md	zone_pivot_groups: azure-virtual-desktop-windows-clients Previously updated : 02/20/2024 Last updated : 09/23/2024 # Connect to Azure Virtual Desktop with the Remote Desktop client for Windows ::: zone pivot="avd-store" > [!IMPORTANT] -> The Azure Virtual Desktop Store app for Windows is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> The Azure Virtual Desktop store app is no longer available for download or installation. To ensure a seamless experience and avoid any disruption, users are encouraged to download the Windows App Windows App is the gateway to securely connect to any devices or apps across Azure Virtual Desktop, Windows 365, and Microsoft Dev Box. For more information, see [What is Windows App](/windows-app/overview). ::: zone-end The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop client for Windows, which only allows you to subscribe to a feed made available to you by your organization administrators.
virtual-desktop	Whats New Client Windows	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-client-windows.md	zone_pivot_groups: azure-virtual-desktop-windows-clients Previously updated : 09/17/2024 Last updated : 09/23/2024 # What's new in the Remote Desktop client for Windows ::: zone pivot="avd-store"+ > [!IMPORTANT] -> The Azure Virtual Desktop Store app for Windows is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> The Azure Virtual Desktop store app is no longer available for download or installation. To ensure a seamless experience and avoid any disruption, users are encouraged to download the Windows App. Windows App is the gateway to securely connect to any devices or apps across Azure Virtual Desktop, Windows 365, and Microsoft Dev Box. For more information, see [What is Windows App](/windows-app/overview). + ::: zone-end In this article you'll learn about the latest updates for the Remote Desktop client for Windows. To learn more about using the Remote Desktop client for Windows with Azure Virtual Desktop, see [Connect to Azure Virtual Desktop with the Remote Desktop client for Windows](users/connect-windows.md) and [Use features of the Remote Desktop client for Windows when connecting to Azure Virtual Desktop](users/client-features-windows.md).
virtual-network	Routing Preference Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/routing-preference-overview.md	Public IP with routing preference choice Microsoft Global Network can be ass * Azure Kubernetes Service (AKS) -* Internet-facing load balancer +* Public load balancer (NIC-based backend only) * Application Gateway The price difference between both options is reflected in the internet egress da * Internet routing preference currently supports only IPv4 public IP addresses. IPv6 public IP addresses aren't supported. +* Internet routing preference public IP addresses are not compatible with NAT Gateways or IP-based Public Load Balancers. + ### Regional availability Internet routing preference is available in all regions listed below:
vpn-gateway	Azure Vpn Client Prerequisites Check	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/azure-vpn-client-prerequisites-check.md	+ + Title: 'Azure VPN Client prerequisites check' + +description: Learn how run the Azure VPN Client prerequisites test to identify missing prerequisites and mitigate them. +++ Last updated : 09/23/2024+++ +# Azure VPN Client prerequisites check for P2S VPN connections + +If you're using the Azure VPN Client for Windows to connect to your point-to-site (P2S) VPN, you can run a prerequisites check to identify missing prerequisites and mitigate them. The Run Prerequisites Test feature checks the state of Windows services, background permissions for the client, local setting permissions, internet access, and user device time sync status. You can use this feature to do the following: + +* Manually run a prerequisites check to identify missing prerequisites and mitigate them. +* Periodically run a prerequisites check automatically. + +The Run Prerequisites Test feature is available in the Azure VPN Client for Windows, version 3.4.0.0 and later. It's not available for other versions of the Azure VPN Client. For Azure VPN Client version information, see [Azure VPN Client versions](azure-vpn-client-versions.md). + +> [!NOTE] +> The prerequisites check is only available in the Azure VPN Client for Windows. + +## Run a prerequisites check manually + +1. Open the Azure VPN Client and select the client connection profile that you want to check. +1. At the bottom of the page, click Prerequisites to open the prerequisites page. +1. Select Run Prerequisites Test to run the check. +1. After the prerequisites check has completed, the Status shows Complete. Review the results. If any test items don't pass, the status indicates that and prescriptive measures are provided to help you mitigate the issue. + + :::image type="content" source="./media/azure-vpn-client-prerequisites-check/error.png" alt-text="Screenshot of prerequistes test status results." lightbox="./media/azure-vpn-client-prerequisites-check/error.png"::: + +## Disable automatic prerequisites checks + +The Enable Prerequisites Tests setting lets you select to enable or disable automatic periodic prerequisites checks. This setting is enabled by default. To disable automatic prerequisite checks: + +1. Open the Azure VPN Client. +1. Click ... at the bottom of the page and select Settings. +1. On the Settings page, de-select Enable Prerequisites Tests. The setting is automatically saved. Items shown on the Settings page apply to all client connection profiles. + +## Next steps + +For more information about P2S VPN, see the following articles: + +* [About point-to-site VPN](point-to-site-about.md) +* [About point-to-site VPN routing](vpn-gateway-about-point-to-site-routing.md)
vpn-gateway	Vpn Gateway Activeactive Rm Powershell	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/vpn-gateway-activeactive-rm-powershell.md	Use the following cmdlets to show the two public IP addresses allocated for your ```azurepowershell-interactive PS D:\> $gw1pip1.IpAddress -40.112.190.5 +198.51.100.5 PS D:\> $gw1pip2.IpAddress -138.91.156.129 +203.0.113.129 PS D:\> $vnet1gw.BgpSettingsText { PS D:\> $vnet1gw.BgpSettingsText } ``` -The order of the public IP addresses for the gateway instances and the corresponding BGP Peering Addresses are the same. In this example, the gateway VM with public IP of 40.112.190.5 uses 10.12.255.4 as its BGP Peering Address, and the gateway with 138.91.156.129 uses 10.12.255.5. This information is needed when you set up your on premises VPN devices connecting to the active-active gateway. The gateway is shown in the following diagram with all addresses: +The order of the public IP addresses for the gateway instances and the corresponding BGP Peering Addresses are the same. In this example, the gateway VM with public IP of 198.51.100.5 uses 10.12.255.4 as its BGP Peering Address, and the gateway with 203.0.113.129 uses 10.12.255.5. This information is needed when you set up your on premises VPN devices connecting to the active-active gateway. The gateway is shown in the following diagram with all addresses: ![active-active gateway](./media/vpn-gateway-activeactive-rm-powershell/active-active-gw.png) $RG5 = "TestAARG5" $Location5 = "West US" $LNGName51 = "Site5_1" $LNGPrefix51 = "10.52.255.253/32" -$LNGIP51 = "131.107.72.22" +$LNGIP51 = "192.0.2.13" $LNGASN5 = 65050 $BGPPeerIP51 = "10.52.255.253" ``` The following example lists the parameters that you enter into the BGP configura - Site5 BGP IP : 10.52.255.253 - Prefixes to announce : (for example) 10.51.0.0/16 and 10.52.0.0/16 - Azure VNet ASN : 65010-- Azure VNet BGP IP 1 : 10.12.255.4 for tunnel to 40.112.190.5-- Azure VNet BGP IP 2 : 10.12.255.5 for tunnel to 138.91.156.129-- Static routes : Destination 10.12.255.4/32, nexthop the VPN tunnel interface to 40.112.190.5 - Destination 10.12.255.5/32, nexthop the VPN tunnel interface to 138.91.156.129 +- Azure VNet BGP IP 1 : 10.12.255.4 for tunnel to 198.51.100.5 +- Azure VNet BGP IP 2 : 10.12.255.5 for tunnel to 203.0.113.129 +- Static routes : Destination 10.12.255.4/32, nexthop the VPN tunnel interface to 198.51.100.5 + Destination 10.12.255.5/32, nexthop the VPN tunnel interface to 203.0.113.129 - eBGP Multihop : Ensure the "multihop" option for eBGP is enabled on your device if needed ``` The gateway IP address, address prefix, and BGP peering address for the second l ```azurepowershell-interactive $LNGName52 = "Site5_2" $LNGPrefix52 = "10.52.255.254/32" -$LNGIP52 = "131.107.72.23" +$LNGIP52 = "192.0.2.14" $BGPPeerIP52 = "10.52.255.254" ``` Similarly, the following example lists the parameters you'll enter into the seco - Site5 BGP IP : 10.52.255.254 - Prefixes to announce : (for example) 10.51.0.0/16 and 10.52.0.0/16 - Azure VNet ASN : 65010-- Azure VNet BGP IP 1 : 10.12.255.4 for tunnel to 40.112.190.5-- Azure VNet BGP IP 2 : 10.12.255.5 for tunnel to 138.91.156.129-- Static routes : Destination 10.12.255.4/32, nexthop the VPN tunnel interface to 40.112.190.5 - Destination 10.12.255.5/32, nexthop the VPN tunnel interface to 138.91.156.129 +- Azure VNet BGP IP 1 : 10.12.255.4 for tunnel to 198.51.100.5 +- Azure VNet BGP IP 2 : 10.12.255.5 for tunnel to 203.0.113.129 +- Static routes : Destination 10.12.255.4/32, nexthop the VPN tunnel interface to 198.51.100.5 + Destination 10.12.255.5/32, nexthop the VPN tunnel interface to 203.0.113.129 - eBGP Multihop : Ensure the "multihop" option for eBGP is enabled on your device if needed ```
vpn-gateway	Vpn Gateway P2s Advertise Custom Routes	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes.md	To advertise custom routes, use the `Set-AzVirtualNetworkGateway cmdlet`. The fo ```cmd C:\>ping contoso.table.core.windows.net - Pinging table.by4prdstr05a.store.core.windows.net [13.88.144.250] with 32 bytes of data: + Pinging table.by4prdstr05a.store.core.windows.net [203.0.113.250] with 32 bytes of data: ``` 1. Run the following PowerShell commands: ```azurepowershell-interactive $gw = Get-AzVirtualNetworkGateway -Name <name of gateway> -ResourceGroupName <name of resource group> - Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute 13.88.144.250/32 + Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute 203.0.113.250/32 ``` 1. To add multiple custom routes, use a comma and spaces to separate the addresses. For example: