Updates from: 09/26/2023 01:21:29
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Inbound Provisioning Api Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-concepts.md
Title: API-driven inbound provisioning concepts description: An overview of API-driven inbound provisioning. -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Configure App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md
Title: Configure API-driven inbound provisioning app description: Learn how to configure API-driven inbound provisioning app. -+ Last updated 09/15/2023-+
If you're configuring inbound user provisioning to on-premises Active Directory,
## Create your API-driven provisioning app 1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-2. Browse to **Microsoft Entra ID** > **Applications** > **Enterprise applications**.
+2. Browse to **Identity** > **Applications** > **Enterprise applications**.
3. Click on **New application** to create a new provisioning application. [![Screenshot of Microsoft Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox) 4. Enter **API-driven** in the search field, then select the application for your setup:
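Review bot: Step 1 of this procedure still reads "Log in to the" and wraps the admin center URL in angle brackets inside the link target, `(<https://entra.microsoft.com>)`, while the custom-attributes article updated in this same batch uses "Sign in to the" with a plain `(https://entra.microsoft.com)` target. Since step 2 is being changed anyway, align step 1 with that wording and link form so the two procedures match.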
active-directory Inbound Provisioning Api Curl Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-curl-tutorial.md
Title: Quickstart API-driven inbound provisioning with cURL description: Learn how to get started with API-driven inbound provisioning using cURL. -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Custom Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md
Title: Extend API-driven provisioning to sync custom attributes description: Learn how to extend API-driven inbound provisioning to sync custom attributes. -+ Last updated 09/15/2023-+
You have configured API-driven provisioning app. You're provisioning app is succ
In this step, we'll add the two attributes "HireDate" and "JobCode" that are not part of the standard SCIM schema to the provisioning app and use them in the provisioning data flow.
-1. Log in to your [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-1. Browse to **Enterprise applications** and open your API-driven provisioning app.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Open your API-driven provisioning app.
1. Open the **Provisioning** blade. 1. Click on the **Edit Provisioning** button. 1. Expand the **Mappings** section and click on the attribute mapping link. <br>
- :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::
+ :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::
1. Scroll down the **Attribute Mappings** page. Select **Show advanced options** and click on the **Edit attribute list for API** link.
- :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::
+ :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::
1. Scroll down to the end of the **Edit Attribute List** page. 1. Add the following two attributes to the list as SCIM schema extensions. You can use your own SCIM schema namespace. <br> `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:HireDate` <br> `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:JobCode` <br>
- :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::
-1. **Save** your changes
+ :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::
+1. **Save** your changes
> [!NOTE] > If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra admin center to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process.
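Review bot: The three `:::image` remove/add pairs in this hunk are identical as rendered, so the change is presumably indentation only; confirm each image is now indented to sit under its list item, because an unindented block between `1.` items restarts the numbering. While touching this procedure, the intro context line reads "You're provisioning app", which should be "Your provisioning app", and the re-added `1. **Save** your changes` step is still missing its closing period.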
active-directory Inbound Provisioning Api Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-faqs.md
Title: Frequently asked questions (FAQs) about API-driven inbound provisioning description: Learn more about the capabilities and integration scenarios supported by API-driven inbound provisioning. -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Grant Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-grant-access.md
Title: Grant access to inbound provisioning API description: Learn how to grant access to the inbound provisioning API. -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Graph Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-graph-explorer.md
Title: Quickstart API-driven inbound provisioning with Graph Explorer description: Learn how to get started quickly with API-driven inbound provisioning using Graph Explorer -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-issues.md
Title: Troubleshoot inbound provisioning API description: Learn how to troubleshoot issues with the inbound provisioning API.-+
active-directory Inbound Provisioning Api Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-logic-apps.md
Title: API-driven inbound provisioning with Azure Logic Apps (Public preview) description: Learn how to implement API-driven inbound provisioning with Azure Logic Apps. -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Postman https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-postman.md
Title: Quickstart API-driven inbound provisioning with Postman description: Learn how to get started quickly with API-driven inbound provisioning using Postman -+ Last updated 09/15/2023-+
active-directory Inbound Provisioning Api Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md
Title: API-driven inbound provisioning with PowerShell script (Public preview) description: Learn how to implement API-driven inbound provisioning with a PowerShell script. -+ Last updated 09/15/2023-+
active-directory Insufficient Access Rights Error Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/insufficient-access-rights-error-troubleshooting.md
Title: Troubleshoot insufficient access rights error description: Learn how to troubleshoot InsufficientAccessRights error when provisioning to on-premises Active Directory.-+
active-directory On Premises Powershell Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-powershell-connector.md
Last updated 05/11/2023
- # Provisioning users into applications using PowerShell The following documentation provides configuration and tutorial information demonstrating how the generic PowerShell connector and the ECMA Connector Host can be used to integrate Microsoft Entra ID with external systems that offer Windows PowerShell based APIs. For additional information see [Windows PowerShell Connector technical reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-powershell) - ## Prerequisites for provisioning via PowerShell+ The following sections detail the prerequisites for this tutorial. ### Download the PowerShell setup files
-Download the PowerShell setup files from GitHub. The setup files consist of the configuration file, the input file, schema file and the scripts used. The files are located [here for download](https://github.com/microsoft/MIMPowerShellConnectors/tree/master/src/ECMA2HostCSV).
+[Download the PowerShell setup files from our GitHub repository](https://github.com/microsoft/MIMPowerShellConnectors/tree/master/src/ECMA2HostCSV). The setup files consist of the configuration file, the input file, schema file and the scripts used.
### On-premises prerequisites
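Review bot: The rewritten download step links to the `tree/master` view of `microsoft/MIMPowerShellConnectors`, so readers get whatever is on the branch at that moment, and the next sentence says the bundle includes the scripts the connector will use. Consider pointing at a tagged release or a specific commit instead, and adding a sentence asking readers to review the scripts before copying them to the server that runs the provisioning agent.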
The connector provides a bridge between the capabilities of the ECMA Connector H
`Set-ExecutionPolicy -ExecutionPolicy RemoteSigned` - Deploying this connector requires one or more PowerShell scripts. Some Microsoft products may provide scripts for use with this connector, and the support statement for those scripts would be provided by that product. If you are developing your own scripts for use with this connector, you'll need to have familiarity with the [Extensible Connectivity Management Agent API](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)?redirectedfrom=MSDN) to develop and maintain those scripts. If you are integrating with third party systems using your own scripts in a production environment, we recommend you work with the third party vendor or a deployment partner for help, guidance and support for this integration. -- ### Cloud requirements - A Microsoft Entra tenant with Microsoft Entra ID P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](../../../includes/active-directory-p1-license.md)]
The connector provides a bridge between the capabilities of the ECMA Connector H
If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
- 1. In the Azure portal, select **Microsoft Entra ID**.
- 2. On the left, select **Microsoft Entra Connect**.
- 3. On the left, select **Cloud sync**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**.
:::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
- 4. On the left, select **Agent**.
- 5. Select **Download on-premises agent**, and select **Accept terms & download**.
+1. Select **Download on-premises agent**, review the terms of service, then select **Accept terms & download**.
- >[!NOTE]
- >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
+ > [!NOTE]
+ > Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
- 6. Open the provisioning agent installer, agree to the terms of service, and select **next**.
- 7. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.
- 8. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
- 9. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
- 10. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.
+1. Open the provisioning agent installer, agree to the terms of service, and select **next**.
+1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.
+1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
+1. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
+1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.
## Configure the On-premises ECMA app [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
- 1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.
- 2. Go to **Enterprise applications** and select **New application**.
- 3. Search for the **On-premises ECMA app** application, give the app a name, and select **Create** to add it to your tenant.
- 4. Navigate to the **Provisioning** page of your application.
- 5. Select **Get started**.
- 6. On the **Provisioning** page, change the mode to **Automatic**.
- 7. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
- 8. Keep this browser window open, as you complete the next step of configuration using the configuration wizard.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select **New application**.
+1. Search for the **On-premises ECMA app** application, give the app a name, and select **Create** to add it to your tenant.
+1. Navigate to the **Provisioning** page of your application.
+1. Select **Get started**.
+1. On the **Provisioning** page, change the mode to **Automatic**.
+1. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
+1. Keep this browser window open, as you complete the next step of configuration using the configuration wizard.
+
+## Place the InputFile.txt and Schema.xml file in locations
- ## Place the InputFile.txt and Schema.xml file in locations
- Before you can create the PowerShell connector for this tutorial, you need to copy the InputFile.txt and Schema.xml file into the correct locations. These files are the ones you needed to download in section [Download the PowerShell setup files](#download-the-powershell-setup-files).
+Before you can create the PowerShell connector for this tutorial, you need to copy the InputFile.txt and Schema.xml file into the correct locations. These files are the ones you needed to download in section [Download the PowerShell setup files](#download-the-powershell-setup-files).
|File|location| |--|--|
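Review bot: Several added lines in the agent-install steps go back to the old product name where the removed lines already said Microsoft Entra: "authenticate to Azure AD", "credentials for an Azure AD administrator", "Azure AD Connect Cloud Sync / HR-driven provisioning", and the new navigation path "**Hybrid management** > **Azure AD Connect** > **Cloud Sync**". If those are the strings the admin center and installer currently display, say so in the text; otherwise keep the Entra wording from the removed lines. Two smaller points: the new sign-in step asks for "at least a Hybrid Identity Administrator", but the authorization step further down still lists Global Administrator as an equal alternative, so lead with the lower-privilege role there as well; and "as at least a [Application Administrator]" should read "an".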
If you have already downloaded the provisioning agent and configured it for anot
## Configure the Microsoft Entra ECMA Connector Host certificate
- 1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs.
- 2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name.
- 3. Select **Save**.
-
+1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs.
+2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name.
+3. Select **Save**.
## Create the PowerShell Connector ### General Screen
- 1. Launch the Microsoft ECMA2Host Configuration Wizard from the start menu.
- 2. At the top, select **Import** and select the configuration.xml file from step 1.
- 3. The new connector should be created and appear in red. Click **Edit**.
- 4. Generate a secret token used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string.
+1. Launch the Microsoft ECMA2Host Configuration Wizard from the start menu.
+2. At the top, select **Import** and select the configuration.xml file from step 1.
+3. The new connector should be created and appear in red. Click **Edit**.
+4. Generate a secret token used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string.
```powershell -join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_}) ```
- 5. On the **Properties** page, all of the information should be populated. The table is provided as reference. Click **Next**.
+5. On the **Properties** page, all of the information should be populated. The table is provided as reference. Click **Next**.
- |Property|Value|
- |--|--|
- |Name|The name you chose for the connector, which should be unique across all connectors in your environment. For example, `PowerShell`.|
- |Autosync timer (minutes)|120|
- |Secret Token|Enter your secret token here. It should be 12 characters minimum.|
- |Extension DLL|For the PowerShell connector, select **Microsoft.IAM.Connector.PowerShell.dll**.|
+ |Property|Value|
+ |--|--|
+ |Name|The name you chose for the connector, which should be unique across all connectors in your environment. For example, `PowerShell`.|
+ |Autosync timer (minutes)|120|
+ |Secret Token|Enter your secret token here. It should be 12 characters minimum.|
+ |Extension DLL|For the PowerShell connector, select **Microsoft.IAM.Connector.PowerShell.dll**.|
:::image type="content" source="media/on-premises-powershell-connector/powershell-1.png" alt-text="Screenshot of general screen." lightbox="media/on-premises-powershell-connector/powershell-1.png"::: ### Connectivity+ The connectivity tab allows you to supply configuration parameters for connecting to a remote system. Configure the connectivity tab with the information provided in the table.
+- On the **Connectivity** page, all of the information should be populated. The table is provided as reference. Click **Next**.
- :::image type="content" source="media/on-premises-powershell-connector/powershell-2.png" alt-text="Screenshot of the connectivity screen." lightbox="media/on-premises-powershell-connector/powershell-2.png":::
|Parameter|Value|Purpose| |-|--|--|
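Review bot: In the General Screen steps, "select the configuration.xml file from step 1" does not point anywhere useful: step 1 of this list is launching the wizard, and the file comes from the download section. Link it the way the InputFile.txt paragraph does, to "Download the PowerShell setup files". Also, the Secret Token row of the properties table repeats "12 characters minimum" but omits the "unique for each application" requirement stated in step 4; carry both requirements into the table row.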
The connectivity tab allows you to supply configuration parameters for connectin
### Capabilities+ The capabilities tab defines the behavior and functionality of the connector. The selections made on this tab cannot be modified when the connector has been created. Configure the capabilities tab with the information provided in the table. - On the **Capabilities** page, all of the information should be populated. The table is provided as reference. Click **Next**.
- :::image type="content" source="media/on-premises-powershell-connector/powershell-4.png" alt-text="Screenshot of the capabilities screen." lightbox="media/on-premises-powershell-connector/powershell-4.png":::
|Parameter|Value|Purpose| |-|--|--|
The capabilities tab defines the behavior and functionality of the connector. Th
|Delete-Add As Replace|Checked|Not supported. This will be ignored.| |Enable Export Password in First Pass|Unchecked|Not supported. This will be ignored.| - ### Global Parameters+ The Global Parameters tab enables you to configure the Windows PowerShell scripts that are run by the connector. You can also configure global values for custom configuration settings defined on the Connectivity tab. Configure the global parameters tab with the information provided in the table.
+- On the **Global Parameters** page, all of the information should be populated. The table is provided as reference. Click **Next**.
:::image type="content" source="media/on-premises-powershell-connector/powershell-5.png" alt-text="Screenshot of the global screen." lightbox="media/on-premises-powershell-connector/powershell-5.png":::
The Global Parameters tab enables you to configure the Windows PowerShell script
|Encoding_Global|\<Blank> (defaults to UTF8)| ### Partitions, Run Profiles, Export, FullImport+ Keep the defaults and click **next**. ### Object types+ Configure the object types tab with the information provided in the table. - On the **Object types** page, all of the information should be populated. The table is provided as reference. Click **Next**.
Configure the object types tab with the information provided in the table.
|DN|AzureObjectID| ### Select Attributes+ Ensure that the following attributes are selected: - On the **Select Attributes** page, all of the information should be populated. The table is provided as reference. Click **Next**.
On the Deprovisioning page, you can specify if you wish to have Microsoft Entra
Follow these steps to confirm that the connector host has started and has identified any existing users from the target system.
- 1. On the server running the Microsoft Entra ECMA Connector Host, select **Start**.
- 2. Select **run** if needed, then enter **services.msc** in the box.
- 3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**.
- 4. On the server running the Microsoft Entra ECMA Connector Host, launch PowerShell.
- 5. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`.
- 6. Change to the subdirectory `Troubleshooting`.
- 7. Run the script `TestECMA2HostConnection.ps1` in the directory as shown, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host is not listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. When prompted, type the secret token configured for that connector.
+1. On the server running the Microsoft Entra ECMA Connector Host, select **Start**.
+2. Select **run** if needed, then enter **services.msc** in the box.
+3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**.
+4. On the server running the Microsoft Entra ECMA Connector Host, launch PowerShell.
+5. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`.
+6. Change to the subdirectory `Troubleshooting`.
+7. Run the script `TestECMA2HostConnection.ps1` in the directory as shown, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host is not listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. When prompted, type the secret token configured for that connector.
``` PS C:\Program Files\Microsoft ECMA2Host\Troubleshooting> $cout = .\TestECMA2HostConnection.ps1 -ConnectorName PowerShell -ObjectTypePath cache; $cout.length -gt 9 Supply values for the following parameters: SecretToken: ************ ```
- 8. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard.
- 9. If the script displays the output `False`, then the connector has not seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section.
- 10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users.
+8. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard.
+9. If the script displays the output `False`, then the connector has not seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section.
+10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users.
<a name='test-the-connection-from-azure-ad-to-the-connector-host'></a> ## Test the connection from Microsoft Entra ID to the connector host
- 1. Return to the web browser window where you were configuring the application provisioning in the portal.
- >[!NOTE]
- >If the window had timed out, then you need to re-select the agent.
- 1. Sign in to the [Azure portal](https://portal.azure.com).
- 2. Go to **Enterprise applications** and the **On-premises ECMA app** application.
- 3. Click on **Provisioning**.
- 4. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**, and wait 10 minutes. Otherwise go to **Edit Provisioning**.
- 2. Under the **Admin credentials** section, enter the following URL. Replace the `connectorName` portion with the name of the connector on the ECMA host, such as `PowerShell`. If you provided a certificate from your certificate authority for the ECMA host, then replace `localhost` with the host name of the server where the ECMA host is installed.
+1. Return to the web browser window where you were configuring the application provisioning in the portal.
- |Property|Value|
- |--|--|
- |Tenant URL|https://localhost:8585/ecma2host_connectorName/scim|
+ > [!NOTE]
+ > If the window had timed out, then you need to re-select the agent.
+
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+ 1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+ 1. Select the **On-premises ECMA app** application.
+ 1. Select **Provisioning**.
+ 1. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**, and wait 10 minutes. Otherwise go to **Edit Provisioning**.
- 3. Enter the **Secret Token** value that you defined when you created the connector.
- >[!NOTE]
- >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-click the service, and restart.
- 4. Select **Test Connection**, and wait one minute.
- 5. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
+1. Under the **Admin credentials** section, enter the following URL. Replace the `connectorName` portion with the name of the connector on the ECMA host, such as `PowerShell`. If you provided a certificate from your certificate authority for the ECMA host, then replace `localhost` with the host name of the server where the ECMA host is installed.
-## Configure the application connection in the Azure portal
+ |Property|Value|
+ |--|--|
+ |Tenant URL|https://localhost:8585/ecma2host_connectorName/scim|
+
+1. Enter the **Secret Token** value that you defined when you created the connector.
+
+ > [!NOTE]
+ > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent** service, right-click the service, and restart.
+
+1. Select **Test Connection**, and wait one minute.
+1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
+
+## Configure the application connection
Return to the web browser window where you were configuring the application provisioning.
->[!NOTE]
->If the window had timed out, then you need to re-select the agent.
-
- 1. Sign in to the [Azure portal](https://portal.azure.com).
- 2. Go to **Enterprise applications** and the **On-premises ECMA app** application.
- 3. Select on **Provisioning**.
- 4. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you deployed and select **Assign Agent(s)**. Otherwise go to **Edit Provisioning**.
- 5. Under the **Admin credentials** section, enter the following URL. Replace the `{connectorName}` portion with the name of the connector on the ECMA connector host, such as **CSV**. The connector name is case sensitive and should be the same case as was configured in the wizard. You can also replace `localhost` with your machine hostname.
-
- |Property|Value|
- |--|--|
- |Tenant URL| `https://localhost:8585/ecma2host_CSV/scim`|
- 6. Enter the **Secret Token** value that you defined when you created the connector.
- >[!NOTE]
- >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent Service**, right-click the service, and restart.
- 7. Select **Test Connection**, and wait one minute.
- 8. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
+> [!NOTE]
+> If the window had timed out, then you need to re-select the agent.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select the **On-premises ECMA app** application.
+1. Select **Provisioning**.
+1. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you deployed and select **Assign Agent(s)**. Otherwise go to **Edit Provisioning**.
+1. Under the **Admin credentials** section, enter the following URL. Replace the `{connectorName}` portion with the name of the connector on the ECMA connector host, such as **CSV**. The connector name is case sensitive and should be the same case as was configured in the wizard. You can also replace `localhost` with your machine hostname.
+
+ |Property|Value|
+ |--|--|
+ |Tenant URL| `https://localhost:8585/ecma2host_CSV/scim`|
+
+1. Enter the **Secret Token** value that you defined when you created the connector.
+
+ > [!NOTE]
+ > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
+
+1. Select **Test Connection**, and wait one minute.
+1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
## Configure attribute mappings
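Review bot: The added NOTE lines name the Windows service as **Azure AD Connect Provisioning Agent** in the first procedure and **Azure AD Connect Provisioning Agent Service** in the second, while the lines they replace said **Microsoft Entra Connect Provisioning Agent**. Readers find the service by this exact string in the services console, so confirm the display name the installed agent registers and use that one spelling in both notes. Two smaller points in the same hunk: the first Tenant URL table cell is a bare URL while the second table wraps its URL in backticks, and the first procedure says to replace `connectorName` while the second says `{connectorName}` above a table that already shows `ecma2host_CSV`; pick one placeholder convention. "as at least a [Application Administrator]" should read "an".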
Now you need to map attributes between the representation of the user in Microso
You'll use the Azure portal to configure the mapping between the Microsoft Entra user's attributes and the attributes that you previously selected in the ECMA Host configuration wizard.
- 1. In the Microsoft Entra portal, under **Enterprise applications**, select the **On-premises ECMA app** application, and then the **Provisioning** page.
- 2. Select **Edit provisioning**, and wait 10 seconds.
- 3. Expand **Mappings** and select **Provision Microsoft Entra Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder.
- 4. To confirm that the schema is available in Microsoft Entra ID, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list.
- 5. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning.
- Change the value to match the following:
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select the **On-premises ECMA app** application.
+1. Select **Provisioning**.
+1. Select **Edit provisioning**, and wait 10 seconds.
+1. Expand **Mappings** and select **Provision Azure Active Directory Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder.
+1. To confirm that the schema is available in Azure AD, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list.
+1. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning. Change the value to match the following:
- |Mapping type|Source attribute|Target attribute|
- |--|--|--|
- |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|
- 4. Now select **Add New Mapping**, and repeat the next step for each mapping.
- 5. Specify the source and target attributes for each of the mappings in the following table.
-
-
- |Mapping type|Source attribute|Target attribute|
- |--|--|--|
- |Direct|objectId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:AzureObjectID|
- |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|
- |Direct|displayName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:DisplayName|
- |Direct|employeeId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:EmployeeId|
- |Direct|jobTitle|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Title|
- |Direct|mail|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Email|
- |Expression|Switch([IsSoftDeleted],, "False", "True", "True", "False")|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:IsActive|
+ |Mapping type|Source attribute|Target attribute|
+ |--|--|--|
+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|
+
+1. Now select **Add New Mapping**, and repeat the next step for each mapping.
+1. Specify the source and target attributes for each of the mappings in the following table.
+
+ |Mapping type|Source attribute|Target attribute|
+ |--|--|--|
+ |Direct|objectId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:AzureObjectID|
+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|
+ |Direct|displayName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:DisplayName|
+ |Direct|employeeId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:EmployeeId|
+ |Direct|jobTitle|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Title|
+ |Direct|mail|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Email|
+ |Expression|Switch([IsSoftDeleted],, "False", "True", "True", "False")|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:IsActive|
+ :::image type="content" source="media/on-premises-powershell-connector/powershell-8.png" alt-text="Screenshot of attribute mappings." lightbox="media/on-premises-powershell-connector/powershell-8.png":::
- 6. Once all of the mappings have been added, select **Save**.
+1. Once all of the mappings have been added, select **Save**.
## Assign users to an application
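Review bot: The unchanged intro sentence still says "You'll use the Azure portal to configure the mapping", but the new first step signs in to the Microsoft Entra admin center; update the intro so the two agree. The new steps also change the UI label from **Provision Microsoft Entra Users** to **Provision Azure Active Directory Users** and "Microsoft Entra ID" to "Azure AD", the opposite direction from the rest of this change, so check the label against what the **Mappings** section currently shows. The carried-over sentence "Now, on the click on the **userPrincipalName** PLACEHOLDER mapping" is garbled and could be fixed while the line is being touched.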
If there are existing users in the InputFile.txt, then you should create applica
Otherwise, if there are no current users of the application, then select a test user from Microsoft Entra who will be provisioned to the application.
- 1. Ensure that the user selected has all the properties, mapped to the required attributes of the schema.
- 2. In the Azure portal, select **Enterprise applications**.
- 3. Select the **On-premises ECMA app** application.
- 4. On the left, under **Manage**, select **Users and groups**.
- 5. Select **Add user/group**.
- 6. Under **Users**, select **None Selected**.
- 7. Select users from the right and select the **Select** button.
- 8. Now select **Assign**.
+1. Ensure that the user selected has all the properties, mapped to the required attributes of the schema.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select the **On-premises ECMA app** application.
+1. On the left, under **Manage**, select **Users and groups**.
+1. Select **Add user/group**.
+1. Under **Users**, select **None Selected**.
+1. Select users from the right and select the **Select** button.
+1. Now select **Assign**.
## Test provisioning Now that your attributes are mapped and users are assigned, you can test on-demand provisioning with one of your users.
- 1. In the Azure portal, select **Enterprise applications**.
- 2. Select the **On-premises ECMA app** application.
- 3. On the left, select **Provisioning**.
- 4. Select **Provision on demand**.
- 5. Search for one of your test users, and select **Provision**.
- 6. After several seconds, then the message **Successfully created user in target system** appears, with a list of the user attributes.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select the **On-premises ECMA app** application.
+1. Select **Provisioning**.
+1. Select **Provision on demand**.
+1. Search for one of your test users, and select **Provision**.
+1. After several seconds, then the message **Successfully created user in target system** appears, with a list of the user attributes.
## Start provisioning users 1. After on-demand provisioning is successful, change back to the provisioning configuration page. Ensure that the scope is set to only assigned users and groups, turn provisioning **On**, and select **Save**. 2. Wait several minutes for provisioning to start. It might take up to 40 minutes. After the provisioning job has been completed, as described in the next section, if you're done testing, you can change the provisioning status to **Off**, and select **Save**. This action stops the provisioning service from running in the future. - ## Next steps - [App provisioning](user-provisioning.md)
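Review bot: In the rewritten "Assign users" list, the first step ("Ensure that the user selected has all the properties, mapped to the required attributes of the schema") still comes before sign-in and before any user is selected, which only happens at "Select users from the right". Move it next to the selection step or turn it into a prerequisite sentence above the list. In the "Test provisioning" list, "After several seconds, then the message ... appears" has a stray "then", and both lists repeat "as at least a [Application Administrator]", which should be "an".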
active-directory On Premises Scim Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu
If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
- 1. In the Azure portal, select **Microsoft Entra ID**.
- 2. On the left, select **Microsoft Entra Connect**.
- 3. On the left, select **Cloud sync**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**.
- :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
+ :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
- 4. On the left, select **Agent**.
- 5. Select **Download on-premises agent**, and select **Accept terms & download**.
+1. Select **Download on-premises agent**, and select **Accept terms & download**.
>[!NOTE] >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
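Review bot: The new breadcrumb "**Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**" uses the Azure AD Connect name, while the removed steps said **Microsoft Entra Connect** and the step above it now points at the Microsoft Entra admin center. Verify the menu label in the admin center and match it. Since the separate "On the left, select **Agent**" step was folded into the breadcrumb, also check that the screenshot that follows still shows the page the breadcrumb lands on.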
If you have already downloaded the provisioning agent and configured it for anot
## Provisioning to SCIM-enabled application Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.
- 1. In the Azure portal navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
- 2. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
- 3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
- 4. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
- 5. Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection.
- 6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
- 7. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
- >[!NOTE]
-> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.
-
- 8. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
- 9. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
- 10. Test provisioning a few users [on demand](provision-on-demand.md).
- 11. Add more users into scope by assigning them to your application.
- 12. Go to the **Provisioning** pane, and select **Start provisioning**.
- 13. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
+1. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
+1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
+1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
+1. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
+1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim
+
+ ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
+
+1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
+
+ > [!NOTE]
+ > If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.
+
+1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
+1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
+1. Test provisioning a few users [on demand](provision-on-demand.md).
+1. Add more users into scope by assigning them to your application.
+1. Go to the **Provisioning** pane, and select **Start provisioning**.
+1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
The following video provides an overview of on-premises provisioning.+ > [!VIDEO https://www.youtube.com/embed/QdfdpaFolys] ## Additional requirements
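Review bot: The new "wait 10 minutes or restart" step names the service **Microsoft Azure AD Connect Provisioning Agent**, where the removed line said **Microsoft Entra Connect Provisioning Agent**. The reader has to find and restart this service by name, so use the exact name the agent installs under. Also in this list: the steps go from filling in **Tenant URL** straight to "Select **Test Connection**, and save the credentials" with no step that says what to enter as a credential, so add that step or drop "credentials"; the example URL `https://localhost:8585/scim` should be in code formatting; and "Use the steps [here]" would read better with descriptive link text.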
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
You also need a valid Microsoft Entra ID P1 or higher subscription license for e
### Prerequisites -- Microsoft Entra ID [hybrid identity administrator](../roles/permissions-reference.md#hybrid-identity-administrator) to configure the Microsoft Entra Connect provisioning agent.-- Microsoft Entra ID [application administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app in the Azure portal
+- [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure the Connect provisioning agent.
+- [Application Administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app.
- A test and production instance of the cloud HR app. - Administrator permissions in the cloud HR app to create a system integration user and make changes to test employee data for testing purposes. - For user provisioning to Active Directory, a server running Windows Server 2016 or greater is required to host the Microsoft Entra Connect provisioning agent. This server should be a tier 0 server based on the Active Directory administrative tier model.
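Review bot: The first new bullet shortens the product name to "the Connect provisioning agent", which names no product on its own, while the unchanged bullet below still says "Microsoft Entra Connect provisioning agent". Keep the full agent name in the prerequisite so the two bullets match and the reader knows which agent the Hybrid Identity Administrator role is needed for.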
active-directory Provision On Demand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md
Use on-demand provisioning to provision a user or group in seconds. Among other
::: zone pivot="app-provisioning"
-2. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
+2. Browse to **Identity** > **Applications** > **Enterprise applications** > select your application.
+3. Select **Provisioning**.
-3. Select your application, and then go to the provisioning configuration page.
::: zone-end ::: zone pivot="cross-tenant-synchronization" 2. Browse to **Identity** > **External Identities** > **Cross-tenant Synchronization** > **Configurations**- 3. Select your configuration, and then go to the **Provisioning** configuration page.+ ::: zone-end 4. Configure provisioning by providing your admin credentials.
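Review bot: The new step 2 ends its breadcrumb with an instruction, "... > **Enterprise applications** > select your application", which mixes a navigation path and an action in one arrow chain. Write it as "Browse to **Identity** > **Applications** > **Enterprise applications**, and select your application" so the numbering that the shared step 4 depends on stays intact. The cross-tenant pivot's step 3 still combines selecting the configuration and opening the **Provisioning** page, so the two pivots no longer read in parallel.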
Use on-demand provisioning to provision a user or group in seconds. Among other
5. Select **Provision on demand**. 6. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to five users. + > [!NOTE] > For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different. > For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday.
active-directory Skip Out Of Scope Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/skip-out-of-scope-deletions.md
Because this configuration is widely used with the *Workday to Active Directory
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.
-1. In the Properties section of your provisioning app, copy the GUID value associated with the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select your application and go to Properties section of your provisioning app. In this example we are using Workday.
+1. Copy the GUID value in the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
![Screenshot of Workday App Service Principal ID.](./media/skip-out-of-scope-deletions/wd_export_01.png)
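Review bot: In the new third step, "go to Properties section of your provisioning app" drops the article and leaves the page name unformatted, while other steps in this change bold UI names; write "go to the **Properties** section". "In this example we are using Workday" is also vaguer than the removed wording, which named the *Workday to AD User Provisioning application*. Keep the full app name so the reader copies the Object ID of the right service principal.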
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Use the general guidelines when implementing a SCIM endpoint to ensure compatibi
* `id` is a required property for all resources. Every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero elements. * Values sent should be stored in the same format they were sent. Invalid values should be rejected with a descriptive, actionable error message. Transformations of data shouldn't happen between data from Microsoft Entra ID and data stored in the SCIM application. (for example. A phone number sent as 55555555555 shouldn't be saved/returned as +5 (555) 555-5555) * It isn't necessary to include the entire resource in the **PATCH** response.
-* Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Microsoft Entra ID emits the values of `op` as **Add**, **Replace**, and **Remove**.
-* Microsoft Entra ID makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow in the [Azure portal](https://portal.azure.com).
+* Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Azure AD emits the values of `op` as **Add**, **Replace**, and **Remove**.
+* Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow.
* Support HTTPS on your SCIM endpoint. * Custom complex and multivalued attributes are supported but Microsoft Entra ID doesn't have many complex data structures to pull data from in these cases. Name/value attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes isn't supported. * The "type" subattribute values of multivalued complex attributes must be unique. For example, there can't be two different email addresses with the "work" subtype.
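Review bot: The two changed bullets switch to "Azure AD emits ..." and "Microsoft Azure AD makes requests ...", while the unchanged bullets on either side say "Microsoft Entra ID"; use one product name within the list. Dropping the Azure portal link from the **Test Connection** sentence is fine, but "It's also done" has no clear referent. "The same requests are made as part of the **Test Connection** flow" would be clearer for implementers matching these requests against their endpoint logs.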
Use the general guidelines when implementing a SCIM endpoint to ensure compatibi
* Response to a query/filter request should always be a `ListResponse`. * Microsoft Azure AD only uses the following operators: `eq`, `and`
-* The attribute that the resources can be queried on should be set as a matching attribute on the application in the [Microsoft Entra admin center](https://entra.microsoft.com), see [Customizing User Provisioning Attribute Mappings](customize-application-attributes.md).
+* The attribute that the resources can be queried on should be set as a matching attribute on the application, see [Customizing User Provisioning Attribute Mappings](customize-application-attributes.md).
### /Users:
Use the general guidelines when implementing a SCIM endpoint to ensure compatibi
* If a value isn't present, don't send null values. * Property values should be camel cased (for example, readWrite). * Must return a list response.
-* The Microsoft Entra provisioning service makes the /schemas request when you save the provisioning configuration in the Azure portal. The request is also made when you open the edit provisioning page in the Azure portal. Other attributes discovered are surfaced to customers in the attribute mappings under the target attribute list. Schema discovery only leads to more target attributes being added. Attributes aren't removed.
+* The Microsoft Entra provisioning service makes the /schemas request when you save the provisioning configuration. The request is also made when you open the edit provisioning page. Other attributes discovered are surfaced to customers in the attribute mappings under the target attribute list. Schema discovery only leads to more target attributes being added. Attributes aren't removed.
### User provisioning and deprovisioning
It's recommended, but not required, that you support multiple secrets for easy r
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application** > **Provisioning** and select **Authorize**.
- 1. Microsoft Entra admin center redirects user to the Authorization URL (sign in page for the third party app).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select your application and go to **Provisioning**.
+1. Select **Authorize**.
+
+ 1. Users are redirected to the Authorization URL (sign in page for the third party app).
1. Admin provides credentials to the third party application.
- 1. Third party app redirects user back to Microsoft Entra admin center and provides the grant code
+ 1. The third party app redirects user back and provides the grant code
- 1. Microsoft Entra provisioning service calls the token URL and provides the grant code. The third party application responds with the access token, refresh token, and expiry date
+ 1. The Provisioning Service calls the token URL and provides the grant code. The third party application responds with the access token, refresh token, and expiry date
1. When the provisioning cycle begins, the service checks if the current access token is valid and exchanges it for a new token if needed. The access token is provided in each request made to the app and the validity of the request is checked before each request.
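Review bot: The four added top-level steps (sign in, browse, select your application, select **Authorize**) repeat what the unchanged line above them already says ("1. Sign in to the Microsoft Entra admin center ... 1. Browse to ... **Provisioning** and select **Authorize**"), so as shown the list carries the sign-in and browse steps twice; remove one copy. In the nested flow, "Users are redirected to the Authorization URL" conflicts with the next step, where it is the admin who provides credentials, and "redirects user back and provides the grant code" no longer says where the redirect lands. In a description of an OAuth code grant the redirect target matters, so keep it explicit.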
active-directory User Provisioning Sync Attributes For Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md
You can use Microsoft Graph and PowerShell to extend the user schema for users i
Once schema extensions are created, these extension attributes are automatically discovered when you next visit the provisioning page in the Microsoft Entra admin center, in most cases.
-When you've more than 1000 service principals, you may find extensions missing in the source attribute list. If an attribute you've created doesn't automatically appear, then verify the attribute was created and add it manually to your schema. To verify it was created, use Microsoft Graph and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview). To add it manually to your schema, see [Editing the list of supported attributes](customize-application-attributes.md#editing-the-list-of-supported-attributes).
+When you have more than 1000 service principals, you may find extensions missing in the source attribute list. If an attribute you've created doesn't automatically appear, then verify the attribute was created and add it manually to your schema. To verify it was created, use Microsoft Graph and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview). To add it manually to your schema, see [Editing the list of supported attributes](customize-application-attributes.md#editing-the-list-of-supported-attributes).
### Create an extension attribute for cloud only users using Microsoft Graph You can extend the schema of Microsoft Entra users using [Microsoft Graph](/graph/overview).
First, list the apps in your tenant to get the ID of the app you're working on.
GET https://graph.microsoft.com/v1.0/applications ```
-Next, create the extension attribute. Replace the **ID** property below with the **ID** retrieved in the previous step. You'll need to use the **"ID"** attribute and not the "appId". To learn more, see [Create extensionProperty]/graph/api/application-post-extensionproperty).
+Next, create the extension attribute. Replace the **ID** property below with the **ID** retrieved in the previous step. You need to use the **"ID"** attribute and not the "appId". To learn more, see [Create extensionProperty]/graph/api/application-post-extensionproperty).
```json POST https://graph.microsoft.com/v1.0/applications/{id}/extensionProperties
Content-type: application/json
"extension_inputAppId_extensionName": "extensionValue" } ```
-Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). Note that the Graph v1.0 does not by default return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return.
+Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). Graph v1.0 doesn't by default return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return.
```json GET https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_inputAppId_extensionName
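Review bot: The rewritten "Next, create the extension attribute" line still carries a broken link: `[Create extensionProperty]/graph/api/application-post-extensionproperty)` has no opening parenthesis, so it renders as literal text. Since this line is already being changed, fix it to `[Create extensionProperty](/graph/api/application-post-extensionproperty)`. The sentence also names the property **"ID"** while the request path below it uses `{id}`; matching the case used in the path would make it harder to confuse with `appId`.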
GET https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_in
### Create an extension attribute on a cloud only user using PowerShell Create a custom extension using PowerShell and assign a value to a user.
-```
+```PowerShell
#Connect to your Azure AD tenant Connect-AzureAD
Get-AzureADUser -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 | Select -ExpandP
``` ## Create an extension attribute using cloud sync
-Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to auto-discover these attributes and set up a corresponding mapping to Microsoft Entra ID.
+Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to autodiscover these attributes and set up a corresponding mapping to Azure AD.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
-2. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect**.
-3. Select **Manage Microsoft Entra cloud sync**.
-
-4. Select the configuration you wish to add the extension attribute and mapping.
-5. Under **Manage attributes** select **click to edit mappings**.
-6. Click **Add attribute mapping**. The attributes will automatically be discovered.
-7. The new attributes will be available in the drop-down under **source attribute**.
-8. Fill in the type of mapping you want and click **Apply**.
+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync**.
+1. Select the configuration you wish to add the extension attribute and mapping.
+1. Under **Manage attributes** select **click to edit mappings**.
+1. Select **Add attribute mapping**. The attributes will automatically be discovered.
+1. The new attributes are available in the drop-down under **source attribute**.
+1. Fill in the type of mapping you want and select **Apply**.
+ [![Custom attribute mapping](media/user-provisioning-sync-attributes-for-mapping/schema-1.png)](media/user-provisioning-sync-attributes-for-mapping/schema-1.png#lightbox) For more information, see [Cloud Sync Custom Attribute Mapping](../hybrid/cloud-sync/custom-attribute-mapping.md)
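Review bot: The added intro line and the new step 2 bring back the old product name: "set up a corresponding mapping to Azure AD" replaces "Microsoft Entra ID", and **Azure AD Connect** > **Cloud Sync** replaces **Microsoft Entra Connect**, while step 1 still sends the reader to the Microsoft Entra admin center. Confirm the menu labels against the current admin center and keep one name throughout the procedure. The renumbered step "Select the configuration you wish to add the extension attribute and mapping" is also still missing "to" after "wish to add ... mapping".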
For more information, see [Cloud Sync Custom Attribute Mapping](../hybrid/cloud-
If users who will access the applications originate in on-premises Active Directory, then you must sync the attributes with the users from Active Directory to Microsoft Entra ID. You will need to perform the following tasks before configuring provisioning to your application.
-1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.
+1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they aren't, extend the AD DS schema in the domains where those users have accounts.
1. Open the Microsoft Entra Connect wizard, choose Tasks, and then choose **Customize synchronization options**. ![Microsoft Entra Connect wizard Additional tasks page](./media/user-provisioning-sync-attributes-for-mapping/active-directory-connect-customize.png)
-2. Sign in as a Microsoft Entra Global Administrator.
+2. Sign in as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
3. On the **Optional Features** page, select **Directory extension attribute sync**.
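Review bot: Step 2 now links the role but still asks for a Global Administrator, whereas the cloud sync procedure earlier in this file uses "at least a Hybrid Identity Administrator". If a lower-privileged role is enough to run **Customize synchronization options**, name it here with the same "at least" wording; if Global Administrator really is required, say so explicitly so readers do not reach for the broadest role by default.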
active-directory Workday Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-integration-reference.md
Let's say you want to retrieve the following data sets from Workday and use them
The above data sets aren't included by default. To retrieve these data sets:
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) and open your Workday to AD/Azure AD user provisioning app.
-1. In the Provisioning blade, edit the mappings and open the Workday attribute list from the advanced section.
-1. Add the following attributes definitions and mark them as "Required". These attributes aren't mapped to any attribute in AD or Microsoft Entra ID. They serve as signals to the connector to retrieve the Cost Center, Cost Center Hierarchy and Pay Group information.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select your Workday to AD/Azure AD user provisioning application.
+1. Select **Provisioning**.
+1. Edit the mappings and open the Workday attribute list from the advanced section.
+1. Add the following attributes definitions and mark them as "Required". These attributes aren't mapped to any attribute in AD or Azure AD. They serve as signals to the connector to retrieve the Cost Center, Cost Center Hierarchy and Pay Group information.
> [!div class="mx-tdCol2BreakAll"] >| Attribute Name | XPATH API expression |
active-directory Workday Retrieve Pronoun Information https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-retrieve-pronoun-information.md
Once you confirm that pronoun data is available in the *Get_Workers* response, g
<a name='updating-azure-ad-provisioning-app-to-retrieve-pronouns'></a>
-To retrieve pronouns from Workday, update your Microsoft Entra provisioning app to query Workday using v38.1 of the Workday Web Services. We recommend testing this configuration first in your test/sandbox environment before implementing the change in production.
+To retrieve pronouns from Workday, update your Azure AD provisioning app to query Workday using v38.1 of the Workday Web Services. We recommend testing this configuration first in your test/sandbox environment before implementing the change in production.
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
-1. Open your *Workday to AD User provisioning* app OR *Workday to Microsoft Entra ID User provisioning* app.
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select your Workday to AD/Azure AD user provisioning application and go to **Provisioning** .
1. In the **Admin Credentials** section, update the **Tenant URL** to include the Workday Web Service version v38.1 as shown. >[!div class="mx-imgBorder"]
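Review bot: The first added sentence swaps "Microsoft Entra provisioning app" for "Azure AD provisioning app", which conflicts with the Microsoft Entra admin center link in the very next step; keep the Microsoft Entra name unless the app is still labelled the old way in the portal. In the same hunk, "as at least a Application Administrator" should read "an Application Administrator", the added sign-in step has a stray leading space before `1.`, and "go to **Provisioning** ." has a space before the period.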
active-directory Application Proxy Configure Native Client Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-native-client-application.md
The required info in the sample code can be found in the Microsoft Entra admin c
| Info required | How to find it in the Microsoft Entra admin center | | | |
-| \<Tenant ID> | **Microsoft Entra ID** > **Properties** > **Directory ID** |
+| \<Tenant ID> | **Identity** > **Overview** > **Properties** |
| \<App ID of the Native app> | **Application registration** > *your native application* > **Overview** > **Application ID** | | \<Scope> | **Application registration** > *your native application* > **API permissions** > Click on the Permission API (user_impersonation) > A panel with the caption **user_impersonation** appears on the right hand side. > The scope is the URL in the edit box. | \<Proxy App URL> | the External URL and path to the API
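Review bot: The new \<Tenant ID> row stops at **Properties** and no longer names the field to copy, where the removed row pointed at **Directory ID**. Add the label of the field that holds the tenant ID on that page, so that a reader filling in the sample code does not pick up a different identifier.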
active-directory Application Proxy Configure Single Sign On Password Vaulting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md
You should already have published and tested your app with Application Proxy. If
1. Select **Users and Groups**. 1. Assign users to the application with selecting **Add user**. 1. If you want to predefine credentials for a user, check the box front of the user name and select **Update credentials**.
-1. Select **Microsoft Entra ID** > **App registrations** > **All applications**.
+1. Browse to **Identity** > **Applications** > **App registrations** > **All applications**.
1. From the list, select the app that you configured with Password SSO. 1. Select **Branding**. 1. Update the **Home page URL** with the **Sign on URL** from the Password SSO page and select **Save**.
active-directory Application Proxy Integrate With Teams https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-teams.md
Your users can add cloud apps to their Teams channels [using tabs](https://suppo
If you haven't already, [configure Application Proxy for your tenant and install the connector](../app-proxy/application-proxy-add-on-premises-application.md). Then, publish your on-premises application for remote access. When you're publishing the app, make note of the external URL because it's used to add the app to Teams.
-If you already have your apps published but don't remember their external URLs, look them up in the [Microsoft Entra admin center](https://portal.azure.com). Sign in, then navigate to **Microsoft Entra ID** > **Enterprise applications** > **All applications** > select your app > **Application proxy**.
+If you already have your apps published but don't remember their external URLs, look them up in the [Microsoft Entra admin center](https://entra.microsoft.com). Sign in, then browse to **Identity** > **Applications** > **Enterprise applications** > select your app > **Application proxy**.
## Add your app to Teams
active-directory 4 Secure Access Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/4-secure-access-groups.md
Learn more:
* [Overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups?view=o365-worldwide&preserve-view=true) * [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups?view=o365-worldwide&preserve-view=true)
-* [Azure portal](https://portal.azure.com/)
+* [Microsoft Entra admin center](https://entra.microsoft.com)
* [Microsoft 365 admin center](https://admin.microsoft.com/) ### Microsoft 365 Groups roles
active-directory 9 Secure Access Teams Sharepoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/9-secure-access-teams-sharepoint.md
Sharing in Microsoft 365 is partially governed by the **External Identities, Ext
Learn more:
-* [Azure portal](https://portal.azure.com/)
-* [External Identities in Microsoft Entra ID](../external-identities/external-identities-overview.md)
+* [Microsoft Entra admin center](https://entra.microsoft.com)
+* [External Identities in Azure AD](../external-identities/external-identities-overview.md)
### Guest user access Guest users are invited to have access to resources.
-1. Sign in to the **Azure portal**
-1. Browse to **Microsoft Entra ID** > **External Identities** > **External collaboration settings**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
+1. Browse to **Identity** > **External Identities** > **External collaboration settings**.
1. Find the **Guest user access** options. 1. To prevent guest-user access to other guest-user details, and to prevent enumeration of group membership, select **Guest users have limited access to properties and memberships of directory objects**.
active-directory How To Authentication Methods Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-methods-manage.md
If you aren't using SSPR and aren't yet using the Authentication methods policy,
### Review the legacy MFA policy
-Start by documenting which methods are available in the legacy MFA policy. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Go to **Microsoft Entra ID** > **Users** > **All users** > **Per-user MFA** > **service settings** to view the settings. These settings are tenant-wide, so there's no need for user or group information.
+Start by documenting which methods are available in the legacy MFA policy. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Go to **Identity** > **Users** > **All users** > **Per-user MFA** > **service settings** to view the settings. These settings are tenant-wide, so there's no need for user or group information.
:::image type="content" border="false" source="media/how-to-authentication-methods-manage/legacy-mfa-policy.png" alt-text="Screenshot the shows the legacy Microsoft Entra multifactor authentication policy." lightbox="media/how-to-authentication-methods-manage/legacy-mfa-policy.png":::
For each method, note whether or not it's enabled for the tenant. The following
### Review the legacy SSPR policy
-To get the authentication methods available in the legacy SSPR policy, go to **Microsoft Entra ID** > **Users** > **Password reset** > **Authentication methods**. The following table lists the available methods in the legacy SSPR policy and corresponding methods in the Authentication method policy.
+To get the authentication methods available in the legacy SSPR policy, go to **Identity** > **Users** > **Password reset** > **Authentication methods**. The following table lists the available methods in the legacy SSPR policy and corresponding methods in the Authentication method policy.
:::image type="content" border="false" source="media/how-to-authentication-methods-manage/legacy-sspr-policy.png" alt-text="Screenshot that shows the legacy Microsoft Entra SSPR policy." lightbox="media/how-to-authentication-methods-manage/legacy-sspr-policy.png":::
active-directory Howto Mfa Mfasettings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md
To block a user, complete the following steps.
[Watch a short video that describes this process.](https://www.youtube.com/watch?v=WdeE1On4S1o&feature=youtu.be)
-1. Browse to **Microsoft Entra ID** > **Security** > **multifactor authentication** > **Block/unblock users**.
+1. Browse to **Protection** > **Multifactor authentication** > **Block/unblock users**.
1. Select **Add** to block a user. 1. Enter the user name for the blocked user in the format `username@domain.com`, and then provide a comment in the **Reason** box. 1. Select **OK** to block the user.
To block a user, complete the following steps.
To unblock a user, complete the following steps:
-1. Go to **Microsoft Entra ID** > **Security** > **multifactor authentication** > **Block/unblock users**.
+1. Go to **Protection** > **Multifactor authentication** > **Block/unblock users**.
1. In the **Action** column next to the user, select **Unblock**. 1. Enter a comment in the **Reason for unblocking** box. 1. Select **OK** to unblock the user.
To enable **Report suspicious activity** from the Authentication methods **Setti
When a user reports a MFA prompt as suspicious, the event shows up in the Sign-ins report (as a sign-in that was rejected by the user), in the Audit logs, and in the Risk detections report. -- To view the risk detections report, select **Microsoft Entra ID** > **Security** > **Identity Protection** > **Risk detection**. The risk event is part of the standard **Risk Detections** report, and will appear as Detection Type **User Reported Suspicious Activity**, Risk level **High**, Source **End user reported**.
+- To view the risk detections report, select **Protection** > **Identity Protection** > **Risk detection**. The risk event is part of the standard **Risk Detections** report, and will appear as Detection Type **User Reported Suspicious Activity**, Risk level **High**, Source **End user reported**.
-- To view fraud reports in the Sign-ins report, select **Microsoft Entra ID** > **Sign-in logs** > **Authentication Details**. The fraud report is part of the standard **Microsoft Entra Sign-ins** report and appears in the Result Detail as MFA denied, Fraud Code Entered.
+- To view fraud reports in the Sign-ins report, select **Identity** > **Monitoring & health** > **Sign-in logs** > **Authentication Details**. The fraud report is part of the standard **Azure AD Sign-ins** report and appears in the Result Detail as MFA denied, Fraud Code Entered.
-- To view fraud reports in the Audit logs, select **Microsoft Entra ID** > **Audit logs**. The fraud report appears under Activity type Fraud reported - user is blocked for MFA or Fraud reported - no action taken based on the tenant-level settings for fraud report.
+- To view fraud reports in the Audit logs, select **Identity** > **Monitoring & health** > **Audit logs**. The fraud report appears under Activity type Fraud reported - user is blocked for MFA or Fraud reported - no action taken based on the tenant-level settings for fraud report.
### Manage suspicious activity events
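Review bot: The sign-in logs bullet renames the report from **Microsoft Entra Sign-ins** to **Azure AD Sign-ins**, while the other two bullets in this hunk only update the navigation path. Check which name the report carries in the admin center and leave the label as it was if the rename is unintended.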
You can configure Microsoft Entra ID to send email notifications when users repo
To configure fraud alert notifications:
-1. Go to **Microsoft Entra ID** > **Security** > **multifactor authentication** > **Notifications**.
+1. Go to **Protection** > **Multi-Factor Authentication** > **Notifications**.
1. Enter the email address to send the notification to. 1. To remove an existing email address, select **...** next to the email address, and then select **Delete**. 1. Select **Save**.
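Review bot: This step writes the menu item as **Multi-Factor Authentication**, but the other steps changed in this file use **Protection** > **Multifactor authentication**. Use the same label here so that every navigation path in the article matches.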
The following table lists more numbers for different countries.
To configure your own caller ID number, complete the following steps:
-1. Go to **Microsoft Entra ID** > **Security** > **multifactor authentication** > **Phone call settings**.
+1. Go to **Protection** > **Multifactor authentication** > **Phone call settings**.
1. Set the **MFA caller ID number** to the number you want users to see on their phones. Only US-based numbers are allowed. 1. Select **Save**.
You can use the following sample scripts to create your own custom messages. The
To use your own custom messages, complete the following steps:
-1. Go to **Microsoft Entra ID** > **Security** > **multifactor authentication** > **Phone call settings**.
+1. Go to **Protection** > **Multifactor authentication** > **Phone call settings**.
1. Select **Add greeting**. 1. Choose the **Type** of greeting, such as **Greeting (standard)** or **Authentication successful**. 1. Select the **Language**. See the previous section on [custom message language behavior](#custom-message-language-behavior).
active-directory Howto Mfa Server Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-server-settings.md
Caching is primarily used when on-premises systems, such as VPN, send multiple v
To set up caching, complete the following steps:
-1. Browse to **Microsoft Entra ID** > **Security** > **MFA** > **Caching rules**.
+1. Browse to **Protection** > **Multifactor authentication** > **Caching rules**.
1. Select **Add**. 1. Select the **cache type** from the drop-down list. Enter the maximum number of **cache seconds**. 1. If necessary, select an authentication type and specify an application.
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-grant.md
The following client apps support this setting. This list isn't exhaustive and i
- Microsoft Cortana - Microsoft Edge - Microsoft Excel-- Microsoft Flow Mobile
+- Microsoft Power Automate
- Microsoft Launcher - Microsoft Lists - Microsoft Office
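Review bot: The renamed entry stays in the slot that "Microsoft Flow Mobile" occupied, so "Microsoft Power Automate" now sits between Microsoft Excel and Microsoft Launcher in a list that is otherwise alphabetical. Move it down to its alphabetical position, and confirm that dropping "Mobile" from the name is intended, since the list is about client apps.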
The following client apps support this setting. This list isn't exhaustive and i
- Nine Mail - Email and Calendar - Notate for Intune - Provectus - Secure Contacts-- Yammer (Android, iOS, and iPadOS)
+- Viva Engage (Android, iOS, and iPadOS)
> [!NOTE] > Kaizala, Skype for Business, and Visio don't support the **Require app protection policy** grant. If you require these apps to work, use the **Require approved apps** grant exclusively. Using the "or" clause between the two grants will not work for these three applications.
active-directory Policy Migration Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration-mfa.md
Title: Migrate a classic Conditional Access policy
-description: This article shows how to migrate a classic Conditional Access policy in the Azure portal.
+description: This article shows how to migrate a classic Conditional Access policy.
active-directory Require Tou https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/require-tou.md
The scenario in this quickstart uses:
In the previous section, you created a Conditional Access policy requiring terms of use be accepted.
-To test your policy, try to sign in to the [Azure portal](https://portal.azure.com) using your test account. You should see a dialog that requires you to accept your terms of use.
+To test your policy, try to sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) using your test account. You should see a dialog that requires you to accept your terms of use.
:::image type="content" source="./media/require-tou/57.png" alt-text="Screenshot of a dialog box titled Identity Security Protection terms of use, with Decline and Accept buttons and a button labeled My TOU." border="false":::
active-directory Howto Add App Roles In Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-add-app-roles-in-apps.md
Previously updated : 09/27/2022 Last updated : 09/25/2023
If you have not already done so, you'll need to assign yourself as the applicati
> > Ensure that both the API application and the application you want to add permissions to both have an owner, otherwise the API will not be listed when requesting API permissions.
-## Assign users and groups to roles
-
-Once you've added app roles in your application, you can assign users and groups to the roles. Assignment of users and groups to roles can be done through the portal's UI, or programmatically using [Microsoft Graph](/graph/api/user-post-approleassignments). When the users assigned to the various app roles sign in to the application, their tokens will have their assigned roles in the `roles` claim.
-
-To assign users and groups to roles by using the Microsoft Entra admin center:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.
-1. Browse to **Identity** > **Applications** > **Enterprise applications**.
-1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.
-1. Select the application in which you want to assign users or security group to roles.
-1. Under **Manage**, select **Users and groups**.
-1. Select **Add user** to open the **Add Assignment** pane.
-1. Select the **Users and groups** selector from the **Add Assignment** pane. A list of users and security groups is displayed. You can search for a certain user or group and select multiple users and groups that appear in the list.
-1. Once you've selected users and groups, select the **Select** button to proceed.
-1. Select **Select a role** in the **Add assignment** pane. All the roles that you've defined for the application are displayed.
-1. Choose a role and select the **Select** button.
-1. Select the **Assign** button to finish the assignment of users and groups to the app.
-
-Confirm that the users and groups you added appear in the **Users and groups** list.
- ## Assign app roles to applications
-Once you've added app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).
+Once you've added app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments). This is not to be confused with [assigning roles to users](../roles/manage-roles-portal.md).
When you assign app roles to an application, you create _application permissions_. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API call as themselves, without the interaction of a user.
To assign app roles to an application by using the Microsoft Entra admin center:
1. Select the application to which you want to assign an app role. 1. Select **API permissions** > **Add a permission**. 1. Select the **My APIs** tab, and then select the app for which you defined app roles.
-1. Select **Application permissions**.
-1. Select the role(s) you want to assign.
+1. Under **Permission**, select the role(s) you want to assign.
1. Select the **Add permissions** button complete addition of the role(s). The newly added roles should appear in your app registration's **API permissions** pane.
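Review bot: The sentence added to the intro sends readers to an article under `../roles/` for "assigning roles to users", but assigning users and groups to app roles is covered by the section this same change moves further down the page; link to that section, or state that the linked article covers a different kind of role. Also confirm that removing the **Application permissions** step is intended, because the paragraph that follows still explains that assigning app roles to an application creates application permissions.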
Developers can use app roles to control whether a user can sign in to an app or
App roles are preferred by developers when they want to describe and control the parameters of authorization in their app themselves. For example, an app using groups for authorization will break in the next tenant as both the group ID and name could be different. An app using app roles remains safe. In fact, assigning groups to app roles is popular with SaaS apps for the same reasons as it allows the SaaS app to be provisioned in multiple tenants.
+## Assign users and groups to Microsoft Entra roles
+
+Once you've added app roles in your application, you can assign users and groups to [Microsoft Entra roles](../roles/permissions-reference.md). Assignment of users and groups to roles can be done through the portal's UI, or programmatically using [Microsoft Graph](/graph/api/user-post-approleassignments). When the users assigned to the various roles sign in to the application, their tokens will have their assigned roles in the `roles` claim.
+
+To assign users and groups to roles by using the Microsoft Entra admin center:
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.
+1. Select the application in which you want to assign users or security group to roles.
+1. Under **Manage**, select **Users and groups**.
+1. Select **Add user** to open the **Add Assignment** pane.
+1. Select the **Users and groups** selector from the **Add Assignment** pane. A list of users and security groups is displayed. You can search for a certain user or group and select multiple users and groups that appear in the list.
+1. Once you've selected users and groups, select the **Select** button to proceed.
+1. Select **Select a role** in the **Add assignment** pane. All the roles that you've defined for the application are displayed.
+1. Choose a role and select the **Select** button.
+1. Select the **Assign** button to finish the assignment of users and groups to the app.
+
+Confirm that the users and groups you added appear in the **Users and groups** list.
+ ## Next steps Learn more about app roles with the following resources.
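Review bot: The new heading and intro call these "Microsoft Entra roles" and link to the roles permissions reference, but the steps assign users and groups on an enterprise application, and the role picker step lists "all the roles that you've defined for the application", which are app roles. Keep the removed wording ("Assign users and groups to roles", "assigned to the various app roles") or say "app roles" explicitly; as written, readers can come away thinking this procedure grants directory roles.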
active-directory Howto Create Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-service-principal-portal.md
To upload the certificate:
After registering the certificate with your application in the application registration portal, enable the [confidential client application](authentication-flows-app-scenarios.md#single-page-public-client-and-confidential-client-applications) code to use the certificate.
-### Option 3: Create a new application secret
+### Option 3: Create a new client secret
-If you choose not to use a certificate, you can create a new application secret.
+If you choose not to use a certificate, you can create a new client secret.
1. Browse to **Identity** > **Applications** > **App registrations**, then select your application. 1. Select **Certificates & secrets**.
If you choose not to use a certificate, you can create a new application secret.
1. Provide a description of the secret, and a duration. 1. Select **Add**.
-Once you've saved the client secret, the value of the client secret is displayed. Copy this value because you won't be able to retrieve the key later. You'll provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.
+Once you've saved the client secret, the value of the client secret is displayed. This is only displayed once, so copy this value and store it where your application can retrieve it, usually where your application keeps values like `clientId`, or `authoruty` in the source code. You'll provide the secret value along with with the application's client ID to sign in as the application.
:::image type="content" source="media/howto-create-service-principal-portal/copy-secret.png" alt-text="Screenshot showing the client secret.":::
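Review bot: The rewritten paragraph tells readers to store the client secret "where your application keeps values like `clientId`, or `authoruty` in the source code", which reads as advice to keep a credential in source alongside non-secret configuration. Point to a secret store instead (the access policy steps later in this article already use a key vault), and keep the removed statement that the value cannot be retrieved later. The line also has two typos: `authoruty` for `authority`, and "along with with".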
To configure access policies:
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select your key vault and select **Access policies**.
-1. Select **Add access policy**, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
+1. Select **Add access policy**, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
1. Select **Add** to add the access policy. 1. **Save**.
active-directory Howto Get List Of All Auth Library Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-get-list-of-all-auth-library-apps.md
No sign-in event that occurred *before* you configure Microsoft Entra ID to send
Once you've integrated your Microsoft Entra sign-in and audit logs with Azure Monitor as specified in the Azure Monitor integration, access the sign-ins workbook:
- 1. Sign in to the [Azure portal](https://portal.azure.com).
- 1. Navigate to **Identity** > **Monitoring & health** > **Workbooks**.
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../roles/permissions-reference.md#reports-reader).
+ 1. Browse to **Identity** > **Monitoring & health** > **Workbooks**.
1. In the **Usage** section, open the **Sign-ins** workbook. :::image type="content" source="media/howto-get-list-of-all-auth-library-apps/sign-in-workbook.png" alt-text="Screenshot of the Azure portal workbooks interface highlighting the sign-ins workbook.":::
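Review bot: The trailing image line still carries the alt text "Screenshot of the Azure portal workbooks interface" although the sign-in step now points to the Microsoft Entra admin center; update the alt text (and the screenshot, if it shows the Azure portal) so the steps and the image agree. Naming Reports Reader as the minimum role is a good least-privilege addition.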
active-directory Msal Android Shared Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-shared-devices.md
Shared device mode also provides Microsoft identity backed management of the dev
To create a shared device mode app, developers and cloud device admins work together: - Developers write a single-account app (multiple-account apps aren't supported in shared device mode), add `"shared_device_mode_supported": true` to the app's configuration, and write code to handle things like shared device sign-out.-- Device admins prepare the device to be shared by installing the authenticator app, and setting the device to shared mode using the authenticator app. Only users who are in the [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator) role can put a device into shared mode by using the [Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc). You can configure the membership of your organizational roles in the Azure portal via:
- **Identity** > **Roles & admins** > **Roles & admins** > **Cloud Device Administrator**.
+- Device admins prepare the device to be shared by installing the authenticator app, and setting the device to shared mode using the authenticator app. Only users who are in the [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator) role can put a device into shared mode by using the [Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc). You can configure the membership of your organizational roles in the Microsoft Entra admin center under:
+
+**Identity** > **Roles & Admins** > **Roles & Admins** > **Cloud Device Administrator**.
This article focuses primarily what developers should think about.
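Review bot: The `+` navigation path changes the label casing from **Roles & admins** to **Roles & Admins**; UI labels should be copied exactly as the admin center shows them, so confirm which casing is right and use it in both segments. The path has also been moved out of the "Device admins" bullet into a standalone paragraph, which detaches it from the sentence that introduces it ("under:").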
active-directory Quickstart Console App Nodejs Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-console-app-nodejs-acquire-token.md
Follow the steps below to get started.
To register your application and add the app's registration information to your solution manually, follow these steps:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
-1. Search for and select **Microsoft Entra ID**.
-1. Under **Manage**, select **App registrations** > **New registration**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **App registrations**.
+1. Select **New registration**.
1. Enter a **Name** for your application, for example `msal-node-cli`. Users of your app might see this name, and you can change it later. 1. Select **Register**. 1. Under **Manage**, select **Certificates & secrets**.
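Review bot: The first `+` step reads "as at least a [Application Administrator]", which should be "an"; the same wording recurs in the other registration hunks of this update. The removed tenant-switch step has no replacement, so a reader with access to several tenants gets no prompt to check which tenant the registration will land in before selecting **New registration**; consider keeping a one-line reminder.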
To register your application and add the app's registration information to your
1. Extract the zip file to a local folder close to the root of the disk, for example, *C:/Azure-Samples*. 1. Edit *.env* and replace the values of the fields `TENANT_ID`, `CLIENT_ID`, and `CLIENT_SECRET` with the following snippet:
- ```
- "TENANT_ID": "Enter_the_Tenant_Id_Here",
+ ```
+ "TENANT_ID": "Enter_the_Tenant_Id_Here",
"CLIENT_ID": "Enter_the_Application_Id_Here", "CLIENT_SECRET": "Enter_the_Client_Secret_Here" ```+ Where:
- - `Enter_the_Application_Id_Here` - is the **Application (client) ID** of the application you registered earlier. Find this ID on the app registration's **Overview** pane in the Azure portal.
- - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant ID** or **Tenant name** (for example, contoso.microsoft.com). Find these values on the app registration's **Overview** pane in the Azure portal.
- - `Enter_the_Client_Secret_Here` - replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal.
+ - `Enter_the_Application_Id_Here` - is the **Application (client) ID** of the application you registered earlier. Find this ID on the app registration's **Overview**.
+ - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant ID** or **Tenant name** (for example, contoso.microsoft.com). Find these values on the app registration's **Overview**.
+ - `Enter_the_Client_Secret_Here` - replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings.
Using a plaintext secret in the source code poses an increased security risk for your application. Although the sample in this quickstart uses a plaintext client secret, it's only for simplicity. We recommend using [certificate credentials](./certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
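Review bot: The snippet that this change re-indents is introduced as the contents of *.env* but is written as quoted JSON-style properties (`"TENANT_ID": "Enter_the_Tenant_Id_Here",`), not the `KEY=value` lines a *.env* file normally holds, and its fence has no language tag. Check it against the sample's actual *.env* and correct the form if it differs. In the bullets, "To generate a new key" should say "client secret" to match the rest of the step.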
-3. Edit *.env* and replace the Microsoft Entra ID and Microsoft Graph endpoints with the following values:
+1. Edit *.env* and replace the Microsoft Entra ID and Microsoft Graph endpoints with the following values:
- For the Microsoft Entra endpoint, replace `Enter_the_Cloud_Instance_Id_Here` with `https://login.microsoftonline.com`. - For the Microsoft Graph endpoint, replace `Enter_the_Graph_Endpoint_Here` with `https://graph.microsoft.com/`. #### Step 4: Admin consent
-If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires **admin consent**: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:
+If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires **admin consent**: an [Application Administrator](../roles/permissions-reference.md#application-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator) must give consent to your application. Select one of the options below depending on your role:
-##### Global tenant administrator
+##### Administrators
-If you're a global tenant administrator, go to **API Permissions** page in the Azure portal's Application Registration and select **Grant admin consent for {Tenant Name}** (where {Tenant Name} is the name of your directory).
+If you're assigned the [Application Administrator](../roles/permissions-reference.md#application-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator) roles, go to **API Permissions** page in the Azure portal's Application Registration and select **Grant admin consent for {Tenant Name}** (where {Tenant Name} is the name of your directory).
-##### Standard user
+##### Standard users
If you're a standard user of your tenant, then you need to ask a global administrator to grant **admin consent** for your application. To do this, give the following URL to your administrator:
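Review bot: The unchanged "standard user" paragraph still says "ask a global administrator", which now contradicts the two `+` paragraphs that name Application Administrator or Global Administrator as able to grant consent; update it to the same pair of roles. The `+If you're assigned the` line also still sends the reader to "the Azure portal's Application Registration" while the rest of the article was moved to the Microsoft Entra admin center, and "roles" should be singular after "or".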
active-directory Quickstart Single Page App Angular Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-angular-sign-in.md
Previously updated : 09/13/2023 Last updated : 09/25/2023
This quickstart uses a sample Angular single-page app (SPA) to show you how to sign in users by using the [authorization code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow) with Proof Key for Code Exchange (PKCE) and call the Microsoft Graph API. The sample uses the [Microsoft Authentication Library for JavaScript](/javascript/api/@azure/msal-react) to handle authentication.
-In this article you'll register a SPA in the Microsoft Entra admin center, and download a sample Angular SPA. Next, you'll run the sample application, sign in with your personal Microsoft account or a work/school account, and sign out.
- ## Prerequisites * An Azure account with an active subscription. If you don't already have one, [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
To obtain the sample application, you can either clone it from GitHub or downloa
```console git clone https://github.com/Azure-Samples/ms-identity-docs-code-javascript.git ```--- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/archive/refs/heads/main.zip)
+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters.
## Configure the project
active-directory Quickstart Single Page App Javascript Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-javascript-sign-in.md
Previously updated : 09/13/2023 Last updated : 09/25/2023
This quickstart uses a sample JavaScript (JS) single-page app (SPA) to show you how to sign in users by using the [authorization code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow) with Proof Key for Code Exchange (PKCE) and call the Microsoft Graph API. The sample uses the [Microsoft Authentication Library for JavaScript](/javascript/api/@azure/msal-react) to handle authentication.
-In this article you'll register a SPA in the Microsoft Entra admin center, and download a sample JS SPA. Next, you'll run the sample application, sign in with your personal Microsoft account or a work or school account, and sign out.
- ## Prerequisites * An Azure account with an active subscription. If you don't already have one, [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
To obtain the sample application, you can either clone it from GitHub or downloa
```console git clone https://github.com/Azure-Samples/ms-identity-javascript-tutorial ```--- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/archive/refs/heads/main.zip).
+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters.
## Configure the project 1. In your IDE, open the project folder, *ms-identity-javascript-tutorial/angular-spa*, containing the sample. 1. Open *1-Authentication/1-sign-in/App/authConfig.js* and replace the file contents with the following snippet:
- ```javascript
- /**
- * Configuration object to be passed to MSAL instance on creation.
- * For a full list of MSAL.js configuration parameters, visit:
- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md
- */
-
- const msalConfig = {
- auth: {
- clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply.
- authority: 'https://login.microsoftonline.com/Enter_the_Tenant_Info_Here', // Defaults to "https://login.microsoftonline.com/common"
- redirectUri: '/', // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href e.g. http://localhost:3000/
- navigateToLoginRequestUrl: true, // If "true", will navigate back to the original request location before processing the auth code response.
- },
- cache: {
- cacheLocation: 'sessionStorage', // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO.
- storeAuthStateInCookie: false, // set this to true if you have to support IE
- },
- system: {
- loggerOptions: {
- loggerCallback: (level, message, containsPii) => {
- if (containsPii) {
- return;
- }
- switch (level) {
- case msal.LogLevel.Error:
- console.error(message);
- return;
- case msal.LogLevel.Info:
- console.info(message);
- return;
- case msal.LogLevel.Verbose:
- console.debug(message);
- return;
- case msal.LogLevel.Warning:
- console.warn(message);
- return;
- }
- },
- },
- },
- };
-
- /**
- * Scopes you add here will be prompted for user consent during sign-in.
- * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
- * For more information about OIDC scopes, visit:
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
- */
- const loginRequest = {
- scopes: ["openid", "profile"],
- };
-
- /**
- * An optional silentRequest object can be used to achieve silent SSO
- * between applications by providing a "login_hint" property.
- */
-
- // const silentRequest = {
- // scopes: ["openid", "profile"],
- // loginHint: "example@domain.net"
- // };
-
- // exporting config object for jest
- if (typeof exports !== 'undefined') {
- module.exports = {
- msalConfig: msalConfig,
- loginRequest: loginRequest,
- };
- }
- ```
+ :::code language="csharp" source="~/ms-identity-docs-code-javascript/js-spa/App/authConfig.js":::
* `TenantId` - The identifier of the tenant where the application is registered. Replace the text in quotes with the **Directory (tenant) ID** that was recorded earlier from the overview page of the registered application. * `ClientId` - The identifier of the application, also referred to as the client. Replace the text in quotes with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.
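Review bot: The `+` line pulls in *authConfig.js* with `language="csharp"`; the file is JavaScript and the removed inline block was fenced as `javascript`, so the tag should be `javascript`. The trailing bullets also need attention now that the inline code is gone: the `ClientId` bullet tells the reader to paste the **Directory (tenant) ID** where the **Application (client) ID** is meant, and the bullets name `TenantId` and `ClientId` while the removed config used `clientId` and `authority`. The included file comes from *ms-identity-docs-code-javascript*, whereas the clone command in this article fetches *ms-identity-javascript-tutorial*; confirm that the path in the "Open" step matches the repository the reader actually has.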
Run the project with a web server by using Node.js:
npm install npm start ```
-1. Copy the https URL that appears in the terminal, for example, `https://localhost:3000`, and paste it into a browser. We recommend using a private or incognito browser session.
+1. Copy the `https` URL that appears in the terminal, for example, `https://localhost:3000`, and paste it into a browser. We recommend using a private or incognito browser session.
1. Follow the steps and enter the necessary details to sign in with your Microsoft account. You'll be requested an email address so a one time passcode can be sent to you. Enter the code when prompted. 1. The application will request permission to maintain access to data you have given it access to, and to sign you in and read your profile. Select **Accept**. 1. The following screenshot appears, indicating that you have signed in to the application and have accessed your profile details from the Microsoft Graph API.
active-directory Quickstart Single Page App React Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-react-sign-in.md
Previously updated : 09/13/2023 Last updated : 09/25/2023
This quickstart uses a sample React single-page app (SPA) to show you how to sign in users by using the [authorization code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow) with Proof Key for Code Exchange (PKCE). The sample uses the [Microsoft Authentication Library for JavaScript](/javascript/api/@azure/msal-react) to handle authentication.
-In this article you'll register a SPA in the Microsoft Entra admin center, and download a sample React SPA. Next, you'll run the sample application, sign in with your personal Microsoft account or a work or school account, and sign out.
- ## Prerequisites * An Azure account with an active subscription. If you don't already have one, [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
In this article you'll register a SPA in the Microsoft Entra admin center, and d
1. Select **New registration**. 1. When the **Register an application** page appears, enter a name for your application, such as *identity-client-app*. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
-1. The application's overview pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.
1. Select **Register**. 1. The application's Overview pane displays upon successful registration. Record the **Application (client) ID** and **Directory (tenant) ID** to be used in your application source code.
To obtain the sample application, you can either clone it from GitHub or downloa
```console git clone https://github.com/Azure-Samples/ms-identity-docs-code-javascript.git ```-- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/tree/main)-
-If you choose to download the `.zip` file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.
+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/tree/main). Extract it to a file path where the length of the name is fewer than 260 characters.
## Configure the project
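Review bot: The `+` bullet changes the path limit from "260 or fewer characters" (removed line) to "fewer than 260 characters" and replaces "total length of the path" with "length of the name", which is both a different bound and less precise; keep the original wording unless the limit itself changed. The link labelled "Download the .zip file" still points to the repository's `/tree/main` page and not to an archive URL such as the `/archive/refs/heads/main.zip` form used in the sibling quickstarts.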
active-directory Quickstart V2 Aspnet Core Web Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-aspnet-core-web-api.md
> > First, register the web API in your Microsoft Entra tenant and add a scope by following these steps: >
-> 1. Sign in to the [Azure portal](https://portal.azure.com/).
-> 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.
-> 1. Search for and select **Microsoft Entra ID**.
-> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+> 1. Browse to **Identity** > **Applications** > **App registrations**.
+> 1. Select **New registration**.
> 1. For **Name**, enter a name for the application. For example, enter **AspNetCoreWebApi-Quickstart**. Users of the app will see this name, and can be changed later. > 1. Select **Register**. > 1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, accept the default by selecting **Save and continue**, and then enter the following details:
This quickstart will be deprecated in the near future and will be updated to use
> > The line that contains `.AddMicrosoftIdentityWebApi` adds the Microsoft identity platform authorization to the web API. It's then configured to validate access tokens issued by the Microsoft identity platform based on the information in the `AzureAD` section of the *appsettings.json* configuration file: >
-> | *appsettings.json* key | Description
-|
-> ||-|
-> | `ClientId` | Application (client) ID of the application registered in the Azure portal. |
-> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
-> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |
+> |*appsettings.json* key | Description |
+> | | -- |
+> | `ClientId` | Application (client) ID of the application registered. |
+> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
+> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |
> > The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality: >
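Review bot: The new table separator row `> | | -- |` has an empty first cell, so the table will not render as a table; it needs dashes in every column, as in the `> |--|--|` row used for the same table in the portal variant of this quickstart. The header row is also missing the space after its first pipe (`> |*appsettings.json* key`), which is harmless but inconsistent with the other rows.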
active-directory Quickstart V2 Dotnet Native Aspnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-dotnet-native-aspnet.md
> > Register your web API in **App registrations** in the Azure portal. >
-> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
-> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
-> 1. Browse to **Identity** > **Applications** > **App registrations** and select **New registration**.
+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+> 1. Browse to **Identity** > **Applications** > **App registrations**.
+> 1. Select **New registration**.
> 1. Enter a **Name** for your application, for example `AppModelv2-NativeClient-DotNet-TodoListService`. Users of your app might see this name, and you can change it later. > 1. For **Supported account types**, select **Accounts in any organizational directory**. > 1. Select **Register** to create the application.
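Review bot: The first `+` step raises the stated minimum role from Cloud Application Administrator to Application Administrator. Cloud Application Administrator is the narrower of the two (it lacks application proxy management) and the removed step treated it as sufficient for creating the registration, so keeping it as the "at least" role is the least-privilege choice unless something in these steps needs the broader one. The lead-in line above the steps still says "in the Azure portal".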
active-directory Quickstart Web App Aspnet Core Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-aspnet-core-sign-in.md
In this article you register a web application in the Microsoft Entra admin cent
## Clone or download the sample application To obtain the sample application, you can either clone it from GitHub or download it as a *.zip* file.-- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters. - To clone the sample, open a command prompt and navigate to where you wish to create the project, and enter the following command: ```console git clone https://github.com/Azure-Samples/ms-identity-docs-code-dotnet.git ```
+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters.
## Create and upload a self-signed certificate
active-directory Scenario Protected Web Api App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-protected-web-api-app-registration.md
To add another layer of security, a Microsoft Entra tenant administrator can con
To increase security by restricting token issuance only to client apps that have been assigned app roles:
-1. In the Azure portal, select your app in **Identity** > **App registrations**.
+1. In the [Microsoft Entra admin center](https://entra.microsoft.com), select your app under **Identity** > **Applications** > **App registrations**.
1. On the application's overview page, select its **Managed application in local directory** link to navigate to its **Enterprise Application Overview** page. 1. Under **Manage**, select **Properties**. 1. Set **Assignment required?** to **Yes**.
active-directory Single Page App Tutorial 02 Prepare Spa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-tutorial-02-prepare-spa.md
Identity related **npm** packages must be installed in the project to enable use
1. Ensure that the correct directory is selected (*reactspalocal*) then enter the following into the terminal to install the relevant `msal` and `bootstrap` packages. ```powershell
- npm install @azure/msal-browser @azure/msal-react
+ npm install @azure/msal-browser @azure/msal-react @azure/msal-common
npm install react-bootstrap bootstrap ```
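Review bot: The `+` line adds `@azure/msal-common` to the install command without saying why. `@azure/msal-browser` already brings that package in as its own dependency, so an explicit unpinned install can leave the project with a second, different version of it; either state which import in the tutorial needs it or drop it from the command.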
active-directory Test Setup Environment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/test-setup-environment.md
If your app will primarily be used by a single organization (commonly referred t
Replicating Conditional Access policies ensures you don't encounter unexpected blocked access when moving to production and your application can appropriately handle the errors it's likely to receive.
-Viewing your production tenant Conditional Access policies may need to be performed by a company administrator.
+Viewing your production tenant Conditional Access policies may need to be performed by a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).
1. Go to **Identity** > **Applications** > **Enterprise applications** > **Conditional Access**. 1. View the list of policies in your tenant. Click the first one. 1. Navigate to **Cloud apps or actions**. 1. If the policy only applies to a select group of apps, then move on to the next policy. If not, then it will likely apply to your app as well when you move to production. You should copy the policy over to your test tenant.
-In a new tab or browser session, sign in to the [Azure portal](https://portal.azure.com) to access your test tenant.
+In a new tab or browser session, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) to access your test tenant.
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Conditional Access**.
+1. Browse to **Protection** > **Conditional Access**.
1. Select **Create new policy** 1. Copy the settings from the production tenant policy, identified through the previous steps.
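Review bot: The production-tenant step left unchanged above still reads **Identity** > **Applications** > **Enterprise applications** > **Conditional Access**, while the test-tenant step now reads **Protection** > **Conditional Access**; one article should use one path for the same blade. Separately, the first `+` line names Conditional Access Administrator for what is described as viewing policies; a read-only role would be the least-privilege recommendation for that step, with the administrator role reserved for the later step that creates the policy.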
active-directory V2 Protocols Oidc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-protocols-oidc.md
ID tokens aren't issued by default for an application registered with the Micros
Or:
-1. Select **Identity** > **App registrations** > *\<your application\>* > **Manifest**.
+1. Select **Identity** > **Applications** > **App registrations** > *\<your application\>* > **Manifest**.
1. Set `oauth2AllowIdTokenImplicitFlow` to `true` in the app registration's [application manifest](reference-app-manifest.md). If ID tokens are not enabled for your app and one is requested, the Microsoft identity platform returns an `unsupported_response` error similar to:
active-directory V2 Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-protocols.md
https://login.microsoftonline.com/<issuer>/oauth2/v2.0/token
To find the endpoints for an application you've registered, in the [Microsoft Entra admin center](https://entra.microsoft.com) navigate to:
-**Identity** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**
+**Identity** > **Applications** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**
## Next steps
active-directory Web Api Quickstart Portal Aspnet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-quickstart-portal-aspnet-core.md
> > First, register the web API in your Microsoft Entra tenant and add a scope by following these steps: >
-> 1. Sign in to the [Azure portal](https://portal.azure.com/).
-> 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
-> 1. Search for and select **Identity**.
-> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+> 1. Browse to **Identity** > **Applications** > **App registrations**.
+> 1. Select **New registration**.
> 1. For **Name**, enter a name for your application. For example, enter **AspNetCoreWebApi-Quickstart**. Users of your app will see this name, and you can change it later. > 1. Select **Register**. > 1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, accept the default by selecting **Save and continue**, and then enter the following details:
> "TenantId": "Enter_the_Tenant_Info_Here" > ``` >
-> - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered in the Azure portal. You can find the application (client) ID on the app's **Overview** page.
+> - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered. You can find the application (client) ID on the app's **Overview** page.
> - Replace `Enter_the_Tenant_Info_Here` with one of the following: > - If your application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or tenant name (for example, `contoso.onmicrosoft.com`). You can find the directory (tenant) ID on the app's **Overview** page. > - If your application supports **Accounts in any organizational directory**, replace this value with `organizations`.
> > The line that contains `.AddMicrosoftIdentityWebApi` adds the Microsoft identity platform authorization to your web API. It's then configured to validate access tokens issued by the Microsoft identity platform based on the information in the `AzureAD` section of the *appsettings.json* configuration file: >
-> | *appsettings.json* key | Description |
-> ||-|
-> | `ClientId` | Application (client) ID of the application registered in the Azure portal. |
-> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
-> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |
+> | *appsettings.json* key | Description |
+> |--|--|
+> | `ClientId` | Application (client) ID of the application registered. |
+> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
+> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |
> > The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality: >
active-directory Web Api Quickstart Portal Dotnet Native Aspnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-quickstart-portal-dotnet-native-aspnet.md
> > Register your web API in **App registrations** in the Azure portal. >
-> 1. Sign in to the [Azure portal](https://portal.azure.com/).
-> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
-> 1. Find and select **Identity**.
-> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+> 1. Browse to **Identity** > **Applications** > **App registrations**.
+> 1. Select **New registration**.
> 1. Enter a **Name** for your application, for example `AppModelv2-NativeClient-DotNet-TodoListService`. Users of your app might see this name, and you can change it later. > 1. For **Supported account types**, select **Accounts in any organizational directory**. > 1. Select **Register** to create the application.
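Review bot: The added sign-in step reads "as at least a [Application Administrator]"; the article should be "an". The unchanged sentence directly above the list still says "Register your web API in **App registrations** in the Azure portal", which now contradicts steps that send the reader to the Microsoft Entra admin center, so update that sentence in the same change.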
active-directory Assign Local Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md
Additionally, you can also add users using the command prompt:
## Next steps -- To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md).
+- To get an overview of how to manage devices, see [managing device identities](manage-device-identities.md).
- To learn more about device-based Conditional Access, see [Conditional Access: Require compliant or Microsoft Entra hybrid joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md).
active-directory Concept Device Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-device-registration.md
The goal of Microsoft Entra registered - also known as Workplace joined - device
Microsoft Entra registered devices are signed in to using a local account like a Microsoft account on a Windows 10 or newer device. These devices have a Microsoft Entra account for access to organizational resources. Access to resources in the organization can be limited based on that Microsoft Entra account and Conditional Access policies applied to the device identity.
-Microsoft Entra Registration is not the same as device enrolment. If Administrators permit users to enrol their devices, organisations can further control these Microsoft Entra registered devices by enrolling the device(s) into Mobile Device Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, and security software kept updated.
+Microsoft Entra Registration is not the same as device enrollment. If Administrators permit users to enroll their devices, organizations can further control these Microsoft Entra registered devices by enrolling the device(s) into Mobile Device Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, and security software kept updated.
Microsoft Entra registration can be accomplished when accessing a work application for the first time or manually using the Windows 10 or Windows 11 Settings menu.
Another user wants to access their organizational email on their personal Androi
## Next steps -- [Manage device identities using the Azure portal](manage-device-identities.md)
+- [Manage device identities](manage-device-identities.md)
- [Manage stale devices in Microsoft Entra ID](manage-stale-devices.md) - [Register your personal device on your work or school network](https://support.microsoft.com/account-billing/register-your-personal-device-on-your-work-or-school-network-8803dd61-a613-45e3-ae6c-bd1ab25bf8a8)
active-directory Concept Directory Join https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-directory-join.md
Microsoft Entra join can be deployed by using any of the following methods:
- [Plan your Microsoft Entra join implementation](device-join-plan.md) - [Co-management using Configuration Manager and Microsoft Intune](/mem/configmgr/comanage/overview) - [How to manage the local administrators group on Microsoft Entra joined devices](assign-local-admin.md)-- [Manage device identities using the Azure portal](manage-device-identities.md)
+- [Manage device identities](manage-device-identities.md)
- [Manage stale devices in Microsoft Entra ID](manage-stale-devices.md)
active-directory Concept Hybrid Join https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-hybrid-join.md
Use Microsoft Entra hybrid joined devices if:
- [Plan your Microsoft Entra hybrid join implementation](hybrid-join-plan.md) - [Co-management using Configuration Manager and Microsoft Intune](/mem/configmgr/comanage/overview)-- [Manage device identities using the Azure portal](manage-device-identities.md)
+- [Manage device identities](manage-device-identities.md)
- [Manage stale devices in Microsoft Entra ID](manage-stale-devices.md)
active-directory Device Join Out Of Box https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-join-out-of-box.md
To verify whether a device is joined to your Microsoft Entra ID, review the **Ac
## Next steps -- For more information about managing devices, see [managing devices using the Azure portal](manage-device-identities.md).
+- For more information about managing devices, see [managing device identities](manage-device-identities.md).
- [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune) - [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) - [Passwordless authentication options for Microsoft Entra ID](../authentication/concept-authentication-passwordless.md)
active-directory Device Join Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-join-plan.md
Choose your deployment approach or approaches by reviewing the previous table an
## Configure your device settings
-The Azure portal allows you to control the deployment of Microsoft Entra joined devices in your organization. To configure the related settings, on the **Microsoft Entra ID page**, select `Devices > Device settings`. [Learn more](manage-device-identities.md)
+The [Microsoft Entra admin center](https://entra.microsoft.com) allows you to control the deployment of Microsoft Entra joined devices in your organization. To configure the related settings, browse to **Identity** > **Devices** > **All devices** > **Device settings**. [Learn more](manage-device-identities.md)
<a name='users-may-join-devices-to-azure-ad'></a>
active-directory Enterprise State Roaming Group Policy Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-group-policy-settings.md
Use these Group Policy and mobile device management (MDM) settings only on corporate-owned devices because these policies are applied to the userΓÇÖs entire device. Applying an MDM policy to disable settings sync for a personal, user-owned device will negatively impact the use of that device. Additionally, other user accounts on the device will also be affected by the policy.
-Enterprises that want to manage roaming for personal (unmanaged) devices can use the Azure portal to enable or disable roaming, rather than using Group Policy or MDM.
+Enterprises that want to manage roaming for personal (unmanaged) devices can use the Microsoft Entra admin center to enable or disable roaming, rather than using Group Policy or MDM.
The following tables describe the policy settings available. > [!NOTE]
active-directory Enterprise State Roaming Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md
Enterprise State Roaming requires the device to be registered with Microsoft Ent
**Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have ΓÇ£NOΓÇ¥ in the field value, the device was domain-joined and registered with Microsoft Entra ID, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Microsoft Entra ID. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
-**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Microsoft Entra ID** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
+**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Identity** > **Devices** > **Overview** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
## Enterprise State Roaming and multifactor authentication Under certain conditions, Enterprise State Roaming can fail to sync data if Microsoft Entra multifactor authentication is configured. For more information on these symptoms, see the support document [KB3193683](https://support.microsoft.com/kb/3193683).
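Review bot: The added **SettingsUrl** line still says "Optionally, in the portal" ahead of the new **Identity** > **Devices** > **Overview** > **Enterprise State Roaming** path; name the Microsoft Entra admin center there, as the rest of this update does. The same sentence runs the path straight into "disable and re-enable" with no comma or "and", and uses "login" as a verb twice ("have the user login") where "log in" or "sign in" is meant.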
-**Potential issue**: If your device is configured to require multifactor authentication on the Azure portal, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of multifactor authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing multifactor authentication while accessing other Azure services like Microsoft 365.
+**Potential issue**: If your device is configured to require multifactor authentication on the Microsoft Entra admin center, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of multifactor authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing multifactor authentication while accessing other Azure services like Microsoft 365.
**Potential issue**: Sync can fail if the admin configures the Active Directory Federation Services multifactor authentication Conditional Access policy and the access token on the device expires. Ensure that you sign in and sign out using the Windows Hello for Business PIN or complete multifactor authentication while accessing other Azure services like Microsoft 365.
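Review bot: In the added line, "configured to require multifactor authentication on the Microsoft Entra admin center" is ambiguous after the name swap: it can mean where the requirement is configured or which sign-in it applies to. The next sentence says the configuration "is intended to protect an Azure administrator account", so say explicitly that the requirement applies to signing in to the admin portal, and decide whether "Azure administrator account" and "other Azure services like Microsoft 365" should be renamed along with it.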
active-directory How To Hybrid Join Verify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join-verify.md
Here are three ways to locate and verify the hybrid joined device state:
1. Open Windows PowerShell. 2. Enter `dsregcmd /status`. 3. Verify that both **AzureAdJoined** and **DomainJoined** are set to **YES**.
-4. You can use the **DeviceId** and compare the status on the service using either the Azure portal or PowerShell.
+4. You can use the **DeviceId** and compare the status on the service using either the Microsoft Entra admin center or PowerShell.
For downlevel devices, see the article [Troubleshooting Microsoft Entra hybrid joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md#step-1-retrieve-the-registration-status)
-## Using the Azure portal
+## Using the Microsoft Entra admin center
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com)ntra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). 1. Browse to **Identity** > **Devices** > **All devices**.
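Review bot: The first step under the renamed heading carries a malformed link: "[Microsoft Entra admin center](https://entra.microsoft.com)ntra.microsoft.com)" has a stray "ntra.microsoft.com)" after the closing parenthesis. The line is unchanged here, but since this change retitles the section it sits in, remove the leftover text so the step renders as a single link.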
active-directory Howto Manage Local Admin Passwords https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-manage-local-admin-passwords.md
You can also use Microsoft Graph API [Get deviceLocalCredentialInfo](/graph/api/
## List all Windows LAPS enable devices
-To list all Windows LAPS enabled devices in Microsoft Entra ID, you can browse to **Microsoft Entra ID** > **Devices** > **Local administrator password recovery (Preview)** or use the Microsoft Graph API.
+To list all Windows LAPS enabled devices, you can browse to **Identity** > **Devices** > **Overview** > **Local administrator password recovery (Preview)** or use the Microsoft Graph API.
## Auditing local administrator password update and recovery
-To view audit events, you can browse to **Microsoft Entra ID** > **Devices** > **Audit logs**, then use the **Activity** filter and search for **Update device local administrator password** or **Recover device local administrator password** to view the audit events.
+To view audit events, you can browse to **Identity** > **Devices** > **Overview** > **Audit logs**, then use the **Activity** filter and search for **Update device local administrator password** or **Recover device local administrator password** to view the audit events.
## Conditional Access policies for local administrator password recovery
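Review bot: The heading above the first changed paragraph reads "List all Windows LAPS enable devices"; it should say "enabled", matching "Windows LAPS enabled devices" in the sentence being edited beneath it. In the audit paragraph, the added sentence opens with "To view audit events" and closes with "to view the audit events"; drop the trailing clause so the activity names **Update device local administrator password** and **Recover device local administrator password** end the sentence.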
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension
- `curl https://pas.windows.net/ -D -` > [!NOTE]
- > Replace `<TenantID>` with the Microsoft Entra tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Microsoft Entra ID** > **Properties** > **Directory ID**.
+ > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Identity** > **Overview** > **Properties** > **Tenant ID**.
> > Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.
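Review bot: The added note line changes "Microsoft Entra tenant ID" to "Azure AD tenant ID", which runs against the rename applied everywhere else in this update and sits oddly beside the new **Identity** > **Overview** > **Properties** > **Tenant ID** path in the same sentence. Keep "Microsoft Entra tenant ID" unless the older name is intentional here.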
active-directory Hybrid Join Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-control.md
Use the following example to create a Group Policy Object (GPO) to deploy a regi
1. Key Path: **SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD**. 1. Value name: **TenantId**. 1. Value type: **REG_SZ**.
- 1. Value data: The GUID or **Tenant ID** of your Microsoft Entra instance (This value can be found in the **Azure portal** > **Microsoft Entra ID** > **Properties** > **Tenant ID**).
+ 1. Value data: The GUID or **Tenant ID** of your Microsoft Entra instance (This value can be found in the **Microsoft Entra admin center** > **Identity** > **Properties** > **Tenant ID**).
1. Select **OK**. 1. Right-click on the Registry and select **New** > **Registry Item**. 1. On the **General** tab, configure the following.
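Review bot: The added value-data line locates the Tenant ID at **Microsoft Entra admin center** > **Identity** > **Properties** > **Tenant ID**, while the VM sign-in article updated in this same batch uses **Identity** > **Overview** > **Properties** > **Tenant ID**. Confirm which path matches the admin center and use it in both places; this GUID is deployed as the `TenantId` registry value, so the reader needs an unambiguous route to it.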
active-directory Manage Device Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md
Title: Manage devices in Microsoft Entra ID using the Azure portal
-description: This article describes how to use the Azure portal to manage device identities and monitor related event information.
+ Title: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center
+description: This article describes how to use the Microsoft Entra admin center to manage device identities and monitor related event information.
-# Manage device identities by using the Azure portal
+# Manage device identities using the Microsoft Entra admin center
Microsoft Entra ID provides a central place to manage device identities and monitor related event information.
Microsoft Entra ID provides a central place to manage device identities and moni
You can access the devices overview by completing these steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader).
-1. Go to **Microsoft Entra ID** > **Devices**.
+1. Go to **Identity** > **Devices** > **Overview**.
In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring.
The exported list includes these device identity attributes:
## Configure device settings
-If you want to manage device identities by using the Azure portal, the devices need to be either [registered or joined](overview.md) to Microsoft Entra ID. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.
+If you want to manage device identities by using the Microsoft Entra admin center, the devices need to be either [registered or joined](overview.md) to Microsoft Entra ID. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.
You must be assigned one of the following roles to view device settings:
active-directory Manage Stale Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md
If the delta between the existing value of the activity timestamp and the curren
You have two options to retrieve the value of the activity timestamp: -- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).
+- The **Activity** column on the all devices page.
:::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot listing the name, owner, and other information of devices. One column lists the activity time stamp." border="false":::
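Review bot: The added bullet replaces the deep link with plain text, "the all devices page", and gives the reader no route to it. Other articles in this update spell the location out as **Identity** > **Devices** > **All devices**; use that path here and bold the page name so the **Activity** column can still be found.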
Disable or delete Microsoft Entra registered devices in the Microsoft Entra ID.
> - Deleting a Microsoft Entra registered device in Microsoft Entra ID does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. Conditional Access). > - Read more on [how to remove a registration on the client](faq.yml)
-## Clean up stale devices in the Azure portal
+## Clean up stale devices
-While you can clean up stale devices in the Azure portal, it's more efficient, to handle this process using a PowerShell script. Use the latest PowerShell V2 module to use the timestamp filter and to filter out system-managed devices such as Autopilot.
+While you can clean up stale devices in the Microsoft Entra admin center, it's more efficient to handle this process using a PowerShell script. Use the latest PowerShell V2 module to use the timestamp filter and to filter out system-managed devices such as Autopilot.
A typical routine consists of the following steps:
Any authentication where a device is being used to authenticate to Microsoft Ent
Devices managed with Intune can be retired or wiped, for more information see the article [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe).
-To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md)
+To get an overview of how to manage devices, see [managing device identities](manage-device-identities.md)
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/overview.md
Getting devices in to Microsoft Entra ID can be done in a self-service manner or
- Learn more about [Microsoft Entra registered devices](concept-device-registration.md) - Learn more about [Microsoft Entra joined devices](concept-directory-join.md) - Learn more about [Microsoft Entra hybrid joined devices](concept-hybrid-join.md)-- To get an overview of how to manage device identities, see [Managing device identities using the Azure portal](manage-device-identities.md).
+- To get an overview of how to manage device identities, see [Managing device identities](manage-device-identities.md).
- To learn more about device-based Conditional Access, see [Configure Microsoft Entra device-based Conditional Access policies](../conditional-access/concept-conditional-access-grant.md).
active-directory Plan Device Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/plan-device-deployment.md
This article helps you evaluate the methods to integrate your device with Micros
The landscape of your user's devices is constantly expanding. Organizations may provide desktops, laptops, phones, tablets, and other devices. Your users may bring their own array of devices, and access information from varied locations. In this environment, your job as an administrator is to keep your organizational resources secure across all devices.
-Microsoft Entra ID enables your organization to meet these goals with device identity management. You can now get your devices in Microsoft Entra ID and control them from a central location in the [Azure portal](https://portal.azure.com/). This process gives you a unified experience, enhanced security, and reduces the time needed to configure a new device.
+Microsoft Entra ID enables your organization to meet these goals with device identity management. You can now get your devices in Microsoft Entra ID and control them from a central location in the [Microsoft Entra admin center](https://entra.microsoft.com). This process gives you a unified experience, enhanced security, and reduces the time needed to configure a new device.
There are multiple methods to integrate your devices into Microsoft Entra ID, they can work separately or together based on the operating system and your requirements:
The key benefits of giving your devices a Microsoft Entra identity:
* Improve user experience ΓÇô Provide your users with easy access to your organizationΓÇÖs cloud-based resources from both personal and corporate devices. Administrators can enable [Enterprise State Roaming](./enterprise-state-roaming-enable.md) for a unified experience across all Windows devices.
-* Simplify deployment and management ΓÇô Simplify the process of bringing devices to Microsoft Entra ID with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot), [bulk provisioning](/mem/intune/enrollment/windows-bulk-enroll), or [self-service: Out of Box Experience (OOBE)](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). Manage devices with Mobile Device Management (MDM) tools like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and their identities in the [Azure portal](https://portal.azure.com/).
+* Simplify deployment and management ΓÇô Simplify the process of bringing devices to Microsoft Entra ID with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot), [bulk provisioning](/mem/intune/enrollment/windows-bulk-enroll), or [self-service: Out of Box Experience (OOBE)](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). Manage devices with Mobile Device Management (MDM) tools like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and their identities in the [Microsoft Entra admin center](https://entra.microsoft.com).
## Plan the deployment project
You may determine that Microsoft Entra hybrid join is the best solution for a de
## Manage your devices
-Once you've registered or joined your devices to Microsoft Entra ID, use the [Azure portal](https://portal.azure.com/) as a central place to manage your device identities. The Microsoft Entra devices page enables you to:
+Once you've registered or joined your devices to Microsoft Entra ID, use the [Microsoft Entra admin center](https://entra.microsoft.com) as a central place to manage your device identities. The Microsoft Entra devices page enables you to:
* [Configure your device settings](manage-device-identities.md#configure-device-settings). * You need to be a local administrator to manage Windows devices. [Microsoft Entra ID updates this membership for Microsoft Entra joined devices](assign-local-admin.md), automatically adding users with the device manager role as administrators to all joined devices.
active-directory Troubleshoot Device Windows Joined https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-windows-joined.md
If you have a Windows 11 or Windows 10 device that isn't working with Microsoft
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 1. Browse to **Identity** > **Devices** > **All devices** > **Diagnose and solve problems**. 1. Select **Troubleshoot** under the **Windows 10+ related issue** troubleshooter.
- :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane of the Azure portal." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png":::
+ :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png":::
1. Select **instructions** and follow the steps to download, run, and collect the required logs for the troubleshooter to analyze.
-1. Return to the Azure portal when you've collected and zipped the `authlogs` folder and contents.
+1. Return to the Microsoft Entra admin center when you've collected and zipped the `authlogs` folder and contents.
1. Select **Browse** and choose the zip file you wish to upload. :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png" alt-text="A screenshot showing how to browse to select the logs gathered in the previous step to allow the troubleshooter to make recommendations." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png":::
active-directory Clean Up Stale Guest Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/clean-up-stale-guest-accounts.md
Use the following instructions to learn how to enhance monitoring of inactive gu
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-1. Sign in to the [Azure portal](https://portal.azure.com) and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
+1. Browse to **Identity governance** > **Dashboard**
+1. Access the inactive guest account report by navigating to the **Guest access governance** card then select **View inactive guests**.
+1. You will see the inactive guest report which will provide insights about inactive guest users based on 90 days of inactivity. The threshold is set to 90 days by default but can be configured using "Edit inactivity threshold" based on your organization's needs.
+1. The following insights are provided as part of this report:
-2. Access the inactive guest account report by navigating to "Guest access governance" card and click on "View inactive guests"
-
-3. You will see the inactive guest report which will provide insights about inactive guest users based on 90 days of inactivity. The threshold is set to 90 days by default but can be configured using "Edit inactivity threshold" based on your organization's needs.
-
-4. The following insights are provided as part of this report:
-
- Guest account overview (total guests and inactive guests with further categorization of guests who have never signed in or signed in at least once) - Guest inactivity distribution (Percentage distribution of guest users based on days since last sign in) - Guest inactivity overview (Guest inactivity guidance to configure inactivity threshold) - Guest accounts summary (A tabular view with details of all guest accounts with insights into their activity state. The Activity state could be active or inactive based on the configured inactivity threshold)
-5. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date.
+1. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date.
- ### License requirements
+### License requirements
[!INCLUDE [active-directory-entra-governance-license.md](../../../includes/active-directory-entra-governance-license.md)] > [!NOTE]
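Review bot: The renumbered final step still carries the typo "atleast" ("has signed in atleast once"); it should be "at least". In the added steps, "Browse to **Identity governance** > **Dashboard**" is missing its closing period, and "Edit inactivity threshold" stays in straight quotes while the neighbouring step bolds its UI labels (**Guest access governance**, **View inactive guests**); bold it for consistency.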
active-directory Groups Dynamic Rule Validation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-rule-validation.md
# Validate a dynamic group membership rule (preview) in Microsoft Entra ID
-Microsoft Entra ID, part of Microsoft Entra, now provides the means to validate dynamic group rules (in public preview). On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When you create or update dynamic group rules, you want to know whether a user or a device will be a member of the group. This knowledge helps you evaluate whether a user or device meets the rule criteria and help you troubleshoot when membership isn't expected.
+Microsoft Entra ID provides the means to validate dynamic group rules (in public preview). On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When you create or update dynamic group rules, you want to know whether a user or a device will be a member of the group. This knowledge helps you evaluate whether a user or device meets the rule criteria and help you troubleshoot when membership isn't expected.
## Prerequisites To evaluate the dynamic group rule membership feature, the administrator must have one of the following rules assigned directly: Global Administrator, Groups Administrator, or Intune Administrator.
To evaluate the dynamic group rule membership feature, the administrator must ha
## Step-by-step walk-through
-To get started, go to **Microsoft Entra ID** > **Groups**. Select an existing dynamic group or create a new dynamic group and select **Dynamic membership rules**. You can then see the **Validate Rules** tab.
+To get started, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator).
+
+Browse to **Identity** > **Groups** > **All groups**. Select an existing dynamic group or create a new dynamic group and select **Dynamic membership rules**. You can then see the **Validate Rules** tab.
![Find the Validate rules tab and start with an existing rule](./media/groups-dynamic-rule-validation/validate-tab.png)
active-directory Groups Dynamic Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-tutorial.md
First, you'll create a group for your guest users who all are from a single part
Now that you have your new group, you can apply the licenses that these partner users need.
-1. In Microsoft Entra ID, select **Licenses**, select one or more licenses, and then select **Assign**.
+1. In the Microsoft Entra admin center browse to **Identity** > **Billing** > **Licenses** > **All products**, select one or more licenses, and then select **Assign**.
2. Select **Users and groups**, and select the **Guest users Contoso** group, and save your changes. 3. **Assignment options** allow you to turn on or off the service plans included the licenses that you selected. When you make a change, be sure to click **OK** to save your changes. 4. To complete the assignment, on the **Assign license** pane, click **Assign** at the bottom of the pane.
Perhaps your ultimate administrative plan is to assign all of your guest users t
### To remove the guest users group
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).
-1. Select Microsoft Entra ID.
-2. Select **Groups**. Select the **Guest users Contoso** group, select the ellipsis (...), and then select **Delete**. When you delete the group, any assigned licenses are removed.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator).
+1. Browse to **Groups** > **All groups**.
+1. Select the **Guest users Contoso** group, select the ellipsis (...), and then select **Delete**. When you delete the group, any assigned licenses are removed.
### To restore the All Users group
-1. Select **Microsoft Entra ID** > **Groups**. Select the name of the **All users** group to open the group.
+1. Select **Identity** > **Groups** > **All groups**. Select the name of the **All users** group to open the group.
1. Select **Dynamic membership rules**, clear all the text in the rule, and select **Save**. ## Next steps
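Review bot: The navigation path in the new removal step, "Browse to **Groups** > **All groups**", omits the **Identity** root that the restore step two lines later uses ("**Identity** > **Groups** > **All groups**"). Use the same full path in both places. The role change from Global Administrator to Groups Administrator for the delete step is a welcome least-privilege fix, but the restore procedure below it has no sign-in step of its own, so state there that the same role is sufficient.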
active-directory Groups Quickstart Expiration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-quickstart-expiration.md
If you don't have an Azure subscription, [create a free account](https://azure.m
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).
-1. Select Microsoft Entra ID.
-
-2. Select **Groups** > **All groups** and then select **General**.
+1. Browse to **Identity** > **Groups** > **All groups** and then select **General**.
![Self-service group settings page](./media/groups-quickstart-expiration/self-service-settings.png)
If you don't have an Azure subscription, [create a free account](https://azure.m
## Set group expiration 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator).
-1. Select Microsoft Entra ID.
-1. Select **Groups** > **All groups** > **Expiration** to open the expiration settings.
+1. Browse to **Identity** > **Groups** > **All groups** > **Expiration** to open the expiration settings.
![Expiration settings page for group](./media/groups-quickstart-expiration/expiration-settings.png)
That's it! In this quickstart, you successfully set the expiration policy for th
### To remove the expiration policy 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator).
-1. Select Microsoft Entra ID.
-1. Select **Groups** > **All groups** > **Expiration**.
+1. Browse to **Identity** > **Groups** > **All groups** > **Expiration**.
1. Set **Enable expiration for these Microsoft 365 groups** to **None**. ### To turn off user creation for groups
-1. Select **Microsoft Entra ID** > **Groups** > **General**.
-2. Set **Users can create Microsoft 365 groups in Azure portals** to **No**.
+1. Browse to **Identity** > **Groups** > **Group settings** > **General**.
+1. Set **Users can create Microsoft 365 groups in Azure portals** to **No**.
## Next steps
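Review bot: The path to the **General** settings is written two different ways in this article after the change: the first procedure says "**Identity** > **Groups** > **All groups** and then select **General**", while the new "turn off user creation" step says "**Identity** > **Groups** > **Group settings** > **General**". Pick whichever matches the current admin center and use it in both places, so a reader who is locking down group creation does not go looking for a node that is not there.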
active-directory Licensing Groups Resolve Problems https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md
The following sections give a description of each potential problem and the way
**Problem:** There aren't enough available licenses for one of the products that's specified in the group. You need to either purchase more licenses for the product or free up unused licenses from other users or groups.
-To see how many licenses are available, go to **Microsoft Entra ID** > **Licenses** > **All products**.
+To see how many licenses are available, go to **Identity** > **Billing** > **Licenses** > **All products**.
To see which users and groups are consuming licenses, select a product. Under **Licensed users**, you see a list of all users who have had licenses assigned directly or via one or more groups. Under **Licensed groups**, you see all groups that have that products assigned.
active-directory Claims Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/claims-mapping.md
Microsoft Entra ID supports customizing the claims that are issued in the SAML token for [B2B collaboration](what-is-b2b.md) users. When a user authenticates to the application, Microsoft Entra ID issues a SAML token to the app that contains information (or claims) about the user that uniquely identifies them. By default, this claim includes the user's user name, email address, first name, and last name.
-In the [Azure portal](https://portal.azure.com), you can view or edit the claims that are sent in the SAML token to the application. To access the settings, select **Microsoft Entra ID** > **Enterprise applications** > the application that's configured for single sign-on > **Single sign-on**. See the SAML token settings in the **User Attributes** section.
+In the [Microsoft Entra admin center](https://entra.microsoft.com), you can view or edit the claims that are sent in the SAML token to the application. To access the settings, browse to **Identity** > **Applications** > **Enterprise applications** > the application that's configured for single sign-on > **Single sign-on**. See the SAML token settings in the **User Attributes** section.
:::image type="content" source="media/claims-mapping/view-claims-in-saml-token-attributes.png" alt-text="Screenshot of the SAML token attributes in the UI.":::
active-directory Self Service Sign Up Add Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md
Content-type: application/json
} ```
-Only user properties and custom attributes listed in the **Identity** > **External Identities** > **Custom user attributes** experience are available to be sent in the request.
+Only user properties and custom attributes listed in the **Identity** > **External Identities** > **Overview** > **Custom user attributes** experience are available to be sent in the request.
Custom attributes exist in the **extension_\<extensions-app-id>_AttributeName** format in the directory. Your API should expect to receive claims in this same serialized format. For more information on custom attributes, see [define custom attributes for self-service sign-up flows](user-flow-add-custom-attributes.md).
active-directory User Flow Add Custom Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/user-flow-add-custom-attributes.md
You can create custom attributes in the Microsoft Entra admin center and use the
"extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyNumber": "212342" ```
-The `<extensions-app-id>` is specific to your tenant. To find this identifier, navigate to **Identity** > **App registrations** > **All applications**. Search for the app that starts with `aad-extensions-app` and select it. On the app's Overview page, note the Application (client) ID.
+The `<extensions-app-id>` is specific to your tenant. To find this identifier, navigate to **Identity** > **Applications** > **App registrations** > **All applications**. Search for the app that starts with "aad-extensions-app" and select it. On the app's Overview page, note the Application (client) ID.
## Create a custom attribute
active-directory Custom Security Attributes Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-troubleshoot.md
## Symptom - Custom security attributes page is disabled
-When signed in to the Azure portal as Global Administrator and you try to access the **Custom security attributes** page, it is disabled.
+When signed in to the [Microsoft Entra admin center](https://entra.microsoft.com) and you try to access the **Custom security attributes** page, it is disabled.
![Custom security attributes page disabled in Azure portal.](./media/custom-security-attributes-troubleshoot/attributes-disabled.png)
Custom security attributes require a Microsoft Entra ID P1 or P2 license.
**Solution**
-Open **Microsoft Entra ID** > **Overview** and check the license for your tenant.
+Browse to **Identity** > **Overview** and check the license for your tenant.
## Symptom - Add attribute set is disabled
-When signed in to the Azure portal as Global Administrator and you try to click the **Custom security attributes** > **Add attribute set** option, it is disabled.
+When signed in to the [Microsoft Entra admin center](https://entra.microsoft.com) and you try to click the **Custom security attributes** > **Add attribute set** option, it is disabled.
![Add attribute set option disabled in Azure portal.](./media/custom-security-attributes-troubleshoot/attribute-set-add-disabled.png)
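Review bot: Both symptom descriptions drop "as Global Administrator" without saying which role the reader is now assumed to hold, which matters on a troubleshooting page where the symptom is a disabled control. State the role explicitly in the "When signed in to the Microsoft Entra admin center" sentences. The image alt text on the unchanged lines still says "disabled in Azure portal", so it no longer matches the text that introduces it.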
active-directory Tutorial Prepare User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-prepare-user-accounts.md
You need to do perform this action for both $UPN_employee and $UPN_manager
After editing the script, save it and follow these steps:
- 1. Open a Windows PowerShell command prompt, with Administrative privileges, from a machine that has access to the Microsoft Entra admin center.
+1. Open a Windows PowerShell command prompt, with Administrative privileges, from a machine that has access to the Microsoft Entra admin center.
1. Navigate to the saved PowerShell script location and run it. 1. If prompted select **Yes to all** when installing the Azure AD PowerShell module. 1. When prompted, sign in to the Microsoft Entra admin center with a global administrator for your tenant.
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md
This cmdlet modifies *AADConnectProvisioningAgent.exe.config* to disable verbose
This cmdlet pauses synchronization.
+### Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention
+
+Disables accidentalDeletionPrevention tenant feature
+``` powershell
+Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId <TenantId>
+```
+
+This cmdlet requires `TenantId` of the Azure AD tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Azure AD Connect (ADSync, not Cloud Sync), is enabled and disables it.
+
+#### Example:
+``` powershell
+Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-1234-5678-9012-28fe88f83980"
+```
++ ## Next steps - [What is provisioning?](../what-is-provisioning.md)
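Review bot: The new `Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention` section documents turning off a tenant-level deletion safeguard but does not say when doing so is appropriate, what the effect is once it is off, or how to turn it back on. Add a short note covering those three points, and say which role or credentials the cmdlet expects, since the text only mentions `TenantId`. Smaller points: the prose names the parameter `TenantId` while both examples use `-tenantId`, the one-line description has no closing period, and the fences are written as "``` powershell" with a space, unlike the other fences in these articles.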
active-directory How To Connect Fed Group Claims https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-group-claims.md
After you add a group claim configuration to the **User Attributes & Claims** co
You can also configure group claims in the [optional claims](../../develop/optional-claims.md) section of the [application manifest](../../develop/reference-app-manifest.md).
-1. In the portal, select **Microsoft Entra ID** > **Application Registrations** > **Select Application** > **Manifest**.
+1. In the portal, select **Identity** > **Applications** > **App registrations** > **Select Application** > **Manifest**.
2. Enable group membership claims by changing `groupMembershipClaims`.
active-directory Tshoot Connect Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-sso.md
This article helps you find troubleshooting information about common problems re
## Check status of feature
-Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Microsoft Entra ID** > **Microsoft Entra Connect** pane in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/).
+Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Identity** > **Hybrid management** > **Azure AD Connect** > **Connect Sync** pane in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/).
![Screenshot of the Microsoft Entra admin center: Microsoft Entra Connect pane.](./media/tshoot-connect-sso/sso10.png)
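Review bot: The new path ends in "**Azure AD Connect** > **Connect Sync**", but the screenshot alt text directly below still describes the "Microsoft Entra Connect pane", and the removed line also called it **Microsoft Entra Connect**. Confirm which label the admin center actually shows and make the path and the alt text agree, so that a reader checking whether Seamless SSO is still enabled lands on the right pane.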
If your tenant has a Microsoft Entra ID P1 or P2 license associated with it, you
![Screenshot of the Microsoft Entra admin center: Sign-ins report.](media/tshoot-connect-sso/sso9.png)
-Browse to **Microsoft Entra ID** > **Sign-ins** in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/), and then select a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution by using the following table:
+Browse to **Identity** > **Monitoring & health** > **Sign-ins** in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/), and then select a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution by using the following table:
|Sign-in error code|Sign-in failure reason|Resolution | | |
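Review bot: The link in the changed sentence is still written as a nested link, "[[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/)", which wraps the Entra admin center link inside a second link to the Azure portal. Since the path now starts at **Identity** > **Monitoring & health**, which is admin center navigation, reduce it to the single link "[Microsoft Entra admin center](https://entra.microsoft.com)". The same nested form appears in the "Check status of feature" hunk above.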
active-directory Howto Identity Protection Simulate Risk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md
This risk detection indicates that the application's valid credentials have been
"AadTenantDomain": "XXXX.onmicrosoft.com", "AadTenantId": "99d4947b-XXX-XXXX-9ace-abceab54bcd4", ```
-1. In about 8 hours, you'll be able to view a leaked credential detection under **Microsoft Entra ID** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit.
+1. In about 8 hours, you'll be able to view a leaked credential detection under **Protection** > **Identity Protection** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit.
## Testing risk policies
active-directory Manage Application Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-application-permissions.md
To review an application's permissions that have been granted for the entire org
1. Select the application that you want to restrict access to. 1. Select **Permissions**. 1. To view permissions that apply to your entire organization, select the **Admin consent** tab. To view permissions granted to a specific user or group, select the **User consent** tab.
-1. To view the details of a given permission, select the permission from the list. The **Permission Details** pane opens.
-1. To revoke a given permission, choose the permission you would like to revoke, select the **...** control for that permission, and then choose **Revoke permission**.
+1. To view the details of a given permission, select the permission from the list. The **Permission Details** pane opens.
+ After you've reviewed the permissions granted to an application, you can revoke permissions granted by admins for your entire organization.
+ > [!NOTE]
+ > You can't revoke permissions in the **User consent** tab using the portal. You can revoke these permissions using Microsoft Graph API calls or PowerShell cmdlets. Go to the PowerShell and Microsoft Graph tabs of this article for more information.
+
+To revoke permissions in the **Admin consent** tab:
+
+1. View the list of permissions in the **Admin consent** tab.
+1. Choose the permission you would like to revoke, then select the **...** control for that permission.
+ :::image type="content" source="media/manage-application-permissions/revoke-permissions.png" alt-text="Screenshot shows how to revoke admin consent.":::
+1. Select **Revoke permission**.
:::zone-end
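Review bot: The added note says user-consent grants cannot be revoked in the portal, but the new "To revoke permissions in the **Admin consent** tab" steps never state that they leave those user-consent grants in place. Add one sentence after "Select **Revoke permission**" saying that permissions listed under **User consent** remain until they are removed through Microsoft Graph or PowerShell, and turn "Go to the PowerShell and Microsoft Graph tabs of this article" into links. Also, the sentence "After you've reviewed the permissions granted to an application..." is indented under the "Permission Details" step, so it reads as part of that step rather than as the introduction to the revoke procedure.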
active-directory Tutorial Manage Access Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tutorial-manage-access-security.md
For the application that the administrator added to their tenant, they want to s
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**.
-4. Select the application to which you want to grant tenant-wide admin consent.
-5. Under **Security**, select **Permissions**.
-6. Carefully review the permissions that the application requires. If you agree with the permissions the application requires, select **Grant admin consent**.
+1. Select the application to which you want to grant tenant-wide admin consent.
+1. Under **Security**, select **Permissions**.
+1. Carefully review the permissions that the application requires. If you agree with the permissions the application requires, select **Grant admin consent**.
## Create a Conditional Access policy
active-directory Workbook Mfa Gaps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/workbook-mfa-gaps.md
The summary widget provides a detailed look at sign-ins related to multifactor a
* **Number of sign-ins not protected by multi-factor authentication requirement by location:** This widget shows the sign-ins counts that are not protected by MFA requirement in map bubble chart on the world map. ## How to import the workbook
-1. Navigate to **Microsoft Entra ID** > **Monitoring** > **Workbooks**.
+1. Navigate to **Identity** > **Monitoring & health** > **Workbooks**.
1. Select **+ New**. 1. Select the **Advanced Editor** button from the top of the page. A JSON editor opens. ![Screenshot of the Advanced Editor button on the new workbook page.](./media/workbook-mfa-gaps/advanced-editor-button.png)
active-directory Bustle B2b Transport Systems Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bustle-b2b-transport-systems-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Bustle B2B Transport Systems for automatic user provisioning with Microsoft Entra ID'
+description: Learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Bustle B2B Transport Systems.
++
+writer: twimmers
+
+ms.assetid: 8bcb45f4-8f3d-4d7a-b2d7-ea7290bbc93b
++++ Last updated : 09/22/2023+++
+# Tutorial: Configure Bustle B2B Transport Systems for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Bustle B2B Transport Systems and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users to [Bustle B2B Transport Systems](https://app.bustle.tech) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md).
++
+## Supported capabilities
+> [!div class="checklist"]
+> * Create users in Bustle B2B Transport Systems.
+> * Remove users in Bustle B2B Transport Systems when they do not require access anymore.
+> * Keep user attributes synchronized between Microsoft Entra ID and Bustle B2B Transport Systems.
+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Bustle B2B Transport Systems (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [A Microsoft Entra tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Microsoft Entra ID with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Bustle B2B Transport Systems with Admin permissions.
+
+## Step 1: Plan your provisioning deployment
+* Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+* Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+* Determine what data to [map between Microsoft Entra ID and Bustle B2B Transport Systems](../app-provisioning/customize-application-attributes.md).
+
+## Step 2: Configure Bustle B2B Transport Systems to support provisioning with Microsoft Entra ID
+Contact Bustle B2B Transport Systems support to configure Bustle B2B Transport Systems to support provisioning with Microsoft Entra ID.
+
+## Step 3: Add Bustle B2B Transport Systems from the Microsoft Entra application gallery
+
+Add Bustle B2B Transport Systems from the Microsoft Entra application gallery to start managing provisioning to Bustle B2B Transport Systems. If you have previously setup Bustle B2B Transport Systems for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4: Define who will be in scope for provisioning
+
+The Microsoft Entra provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
++
+## Step 5: Configure automatic user provisioning to Bustle B2B Transport Systems
+
+This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in TestApp based on user assignments in Microsoft Entra ID.
+
+<a name='to-configure-automatic-user-provisioning-for-Bustle B2B Transport Systems-in-azure-ad'></a>
+
+### To configure automatic user provisioning for Bustle B2B Transport Systems in Microsoft Entra ID:
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**
+
+ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
+
+1. In the applications list, select **Bustle B2B Transport Systems**.
+
+ ![Screenshot of the Bustle B2B Transport Systems link in the Applications list.](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Screenshot of Provisioning tab.](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
+
+1. Under the **Admin Credentials** section, input your Bustle B2B Transport Systems Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Bustle B2B Transport Systems. If the connection fails, ensure your Bustle B2B Transport Systems account has Admin permissions and try again.
+
+ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Screenshot of Notification Email.](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Bustle B2B Transport Systems**.
+
+1. Review the user attributes that are synchronized from Microsoft Entra ID to Bustle B2B Transport Systems in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Bustle B2B Transport Systems for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Bustle B2B Transport Systems API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|Required by Bustle B2B Transport Systems|
+ |||||
+ |userName|String|&check;|&check;
+ |active|Boolean||
+ |emails[type eq "work"].value|String||&check;
+ |name.givenName|String||&check;
+ |name.familyName|String||&check;
+ |phoneNumbers[type eq "work"].value|String||&check;
+ |externalId|String||&check;
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Microsoft Entra provisioning service for Bustle B2B Transport Systems, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png)
+
+1. Define the users that you would like to provision to Bustle B2B Transport Systems by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png)
+
+1. When you're ready to provision, click **Save**.
+
+ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running.
+
+## Step 6: Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Microsoft Entra ID?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
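Review bot: The Step 5 introduction still contains the template placeholder "TestApp" ("create, update, and disable users in TestApp"); it should name Bustle B2B Transport Systems. The anchor `<a name='to-configure-automatic-user-provisioning-for-Bustle B2B Transport Systems-in-azure-ad'>` contains spaces and mixed case, so it will not work as a fragment target. The **Admin Credentials** step asks for a Tenant URL and Secret Token, yet Step 2 only says to contact support, so say where these values come from and that the token should be handled as a secret. In the attribute table, the separator row is `|||||` and the data rows lack a closing `|`, which may not render as a table.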
active-directory Presentation Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/presentation-request-api.md
The following example demonstrates a callback payload after the verifiable crede
}, "domainValidation": { "url": "https://contoso.com/"
- }
+ },
+ "issuanceDate": "yyyy-MM-ddTHH:mm:ssZ",
+ "expirationDate": "yyyy-MM-ddTHH:mm:ssZ"
} ], "receipt": {
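Review bot: The added `issuanceDate` and `expirationDate` values are format strings ("yyyy-MM-ddTHH:mm:ssZ") inside an example payload whose other visible fields carry concrete sample values such as "https://contoso.com/". A reader copying the sample into a parser test will get a parse failure, so use a sample timestamp instead and describe the format in the property table. If the trailing `Z` means the values are always UTC, say so, since callers comparing `expirationDate` against local time need to know.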
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/whats-new.md
This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.
+## September 2023
+
+Verified ID is retiring old Request Service API endpoints that were available before Verified ID was General Available. These APIs should not have been used since GA in August 2022, but if they are used in your app, you need to migrate. The API endpoints being retired are:
+
+```http
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/request
+GET https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/request/:requestId
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/present
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/issuance
+```
+
+The first API was for creating an issuance or presentation request. The second API was for retrieving a request and the last two APIs was for a wallet completing issuance or presentation. The API endpoints to use since preview are the following.
+
+```http
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/createPresentationRequest
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/createIssuanceRequest
+GET https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/presentationRequests/:requestId
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/completeIssuance
+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/verifyPresentation
+```
+
+Please note that the `/request` API is split into two depending on if you are creating an issuance or presentation request.
+
+The retired API endpoints will not work after October 2023, 2023.
+
+## August 2023
+
+The `presentation_verified` callback from the Request Service API now returns when a Verified ID credential was issued and when it expires. Business rules can use these values to see the time windoww of when the presented Verified ID credential is valid. An example of this is that it expires in an hour while the business required in needs to be valid until the end of the day.
+ ## June 2023 Tutorial for getting started with the Wallet Library demo on Android and iOS available [here](using-wallet-library.md).
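Review bot: the cutoff sentence in the September 2023 entry reads "will not work after October 2023, 2023", so the day is missing and the year is doubled; a retirement notice needs the exact date. Two further points on the same entry: the retired list has a GET on `/request/:requestId`, but the replacement list only offers `presentationRequests/:requestId`, so it is unclear what callers retrieving an issuance request should move to, and "The API endpoints to use since preview" contradicts the opening sentence, which describes the old endpoints as the pre-GA ones. Wording fixes: "General Available" should be "Generally Available", "the last two APIs was" should be "were", and in the August 2023 entry "windoww" is a typo and "the business required in needs to be valid" is garbled (probably "the business requires it to be valid").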
ai-services Batch Inference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/batch-inference.md
description: Trigger batch inference with trained model
--+ Last updated 11/01/2022
ai-services Create Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/create-resource.md
description: Create an Anomaly Detector resource
--+ Last updated 11/01/2022
ai-services Deploy Anomaly Detection On Container Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/deploy-anomaly-detection-on-container-instances.md
description: Deploy the Anomaly Detector container to an Azure Container Instanc
--+ Last updated 04/01/2020
ai-services Deploy Anomaly Detection On Iot Edge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/deploy-anomaly-detection-on-iot-edge.md
description: Deploy the Anomaly Detector module to IoT Edge.
--+ Last updated 12/03/2020
ai-services Identify Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/identify-anomalies.md
description: Learn how to detect anomalies in your data either as a batch, or on
--+ Last updated 10/01/2019
ai-services Postman https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/postman.md
description: Learn how to detect anomalies in your data either as a batch, or on
--+ Last updated 12/20/2022
ai-services Prepare Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/prepare-data.md
description: Prepare your data and upload to Storage Account
--+ Last updated 11/01/2022
ai-services Streaming Inference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/streaming-inference.md
description: Streaming inference with trained model
--+ Last updated 11/01/2022
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/How-to/train-model.md
description: Train a Multivariate Anomaly Detection model
--+ Last updated 11/01/2022
ai-services Anomaly Detector Container Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/anomaly-detector-container-configuration.md
description: The Anomaly Detector API container runtime environment is configure
--+ Last updated 05/07/2020
ai-services Anomaly Detector Container Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/anomaly-detector-container-howto.md
description: Use the Anomaly Detector API's algorithms to find anomalies in your
--+ Last updated 01/27/2023
ai-services Anomaly Detection Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/concepts/anomaly-detection-best-practices.md
description: Learn about best practices when detecting anomalies with the Anomal
--+ Last updated 01/22/2021
ai-services Best Practices Multivariate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/concepts/best-practices-multivariate.md
description: Best practices for using the Anomaly Detector Multivariate API's to
--+ Last updated 06/07/2022
ai-services Multivariate Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/concepts/multivariate-architecture.md
description: Reference architecture for using the Anomaly Detector Multivariate
--+ Last updated 12/15/2022
ai-services Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/concepts/troubleshoot.md
description: Learn how to remediate common error codes when you use the Azure AI
--+ Last updated 04/01/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/overview.md
description: Use the Anomaly Detector API's algorithms to apply anomaly detectio
--+ Last updated 10/27/2022
ai-services Client Libraries Multivariate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/quickstarts/client-libraries-multivariate.md
zone_pivot_groups: anomaly-detector-quickstart-multivariate--+ Last updated 10/27/2022
ai-services Client Libraries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/quickstarts/client-libraries.md
zone_pivot_groups: anomaly-detector-quickstart--+ Last updated 10/27/2022
ai-services Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/regions.md
description: A list of available regions and endpoints for the Anomaly Detector
--+ Last updated 11/1/2022
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/service-limits.md
description: Service limits for Anomaly Detector service, including Univariate A
--+ Last updated 1/31/2023
ai-services Azure Data Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/tutorials/azure-data-explorer.md
description: Learn how to use the Univariate Anomaly Detector with Azure Data Ex
--+ Last updated 12/19/2022
ai-services Batch Anomaly Detection Powerbi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/tutorials/batch-anomaly-detection-powerbi.md
description: Learn how to use the Anomaly Detector API and Power BI to visualize
--+ Last updated 09/10/2020
ai-services Multivariate Anomaly Detection Synapse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/tutorials/multivariate-anomaly-detection-synapse.md
description: Learn how to use the Multivariate Anomaly Detector with Azure Synap
--+ Last updated 08/03/2022
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/Anomaly-Detector/whats-new.md
Title: What's New - Anomaly Detector description: This article is regularly updated with news about the Azure AI Anomaly Detector.--+
ai-services Category Taxonomy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/Category-Taxonomy.md
--+ Last updated 04/17/2019
ai-services Build Enrollment App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/Tutorials/build-enrollment-app.md
description: Learn how to set up your development environment and deploy a Face
--++ Last updated 11/17/2020
ai-services Storage Lab Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/Tutorials/storage-lab-tutorial.md
description: In this tutorial, you'll learn how to integrate the Azure AI Vision
--+ Last updated 12/29/2022
ai-services Computer Vision How To Install Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/computer-vision-how-to-install-containers.md
description: Use the Read 3.2 OCR containers from Azure AI Vision to extract tex
--+ Last updated 08/29/2023
ai-services Computer Vision Resource Container Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/computer-vision-resource-container-config.md
description: This article shows you how to configure both required and optional
--+ Last updated 04/09/2021
ai-services Concept Background Removal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-background-removal.md
--+ Last updated 03/02/2023
ai-services Concept Brand Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-brand-detection.md
--+ Last updated 07/05/2022
ai-services Concept Categorizing Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-categorizing-images.md
--+ Last updated 07/05/2022
ai-services Concept Describe Images 40 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-describe-images-40.md
--+ Last updated 01/24/2023
ai-services Concept Describing Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-describing-images.md
--+ Last updated 07/04/2023
ai-services Concept Detecting Adult Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-detecting-adult-content.md
--+ Last updated 12/27/2022
ai-services Concept Detecting Color Schemes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-detecting-color-schemes.md
--+ Last updated 11/17/2021
ai-services Concept Detecting Domain Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-detecting-domain-content.md
--+ Last updated 02/08/2019
ai-services Concept Detecting Faces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-detecting-faces.md
--+ Last updated 12/27/2022
ai-services Concept Detecting Image Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-detecting-image-types.md
--+ Last updated 03/11/2019
ai-services Concept Face Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-face-detection.md
--++ Last updated 07/04/2023
ai-services Concept Face Recognition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-face-recognition.md
--++ Last updated 12/27/2022
ai-services Concept Generate Thumbnails 40 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-generate-thumbnails-40.md
--+ Last updated 01/24/2023
ai-services Concept Generating Thumbnails https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-generating-thumbnails.md
--+ Last updated 11/09/2022
ai-services Concept Image Retrieval https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-image-retrieval.md
--+ Last updated 03/06/2023
ai-services Concept Model Customization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-model-customization.md
--+ Last updated 02/06/2023
ai-services Concept Object Detection 40 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-object-detection-40.md
--+ Last updated 01/24/2023
ai-services Concept Object Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-object-detection.md
--+ Last updated 11/03/2022
ai-services Concept Ocr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-ocr.md
description: Extract text from in-the-wild and non-document images with a fast a
--+ Last updated 07/04/2023
ai-services Concept People Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-people-detection.md
--+ Last updated 09/12/2022
ai-services Concept Shelf Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-shelf-analysis.md
--+ Last updated 05/03/2023
ai-services Concept Tag Images 40 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-tag-images-40.md
--+ Last updated 01/24/2023
ai-services Concept Tagging Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/concept-tagging-images.md
--+ Last updated 09/20/2022
ai-services Deploy Computer Vision On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/deploy-computer-vision-on-premises.md
description: Learn how to deploy the Azure AI Vision container using Kubernetes
--+ Last updated 05/09/2022
ai-services Enrollment Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/enrollment-overview.md
description: Learn about the process of Face enrollment to register users in a f
--++ Last updated 09/27/2021
ai-services Add Faces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/add-faces.md
description: This guide demonstrates how to add a large number of persons and fa
--++ Last updated 04/10/2019
ai-services Analyze Video https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/analyze-video.md
--+ Last updated 07/05/2022 ms.devlang: csharp
ai-services Background Removal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/background-removal.md
--+ Last updated 03/03/2023
ai-services Blob Storage Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/blob-storage-search.md
--+ Last updated 03/06/2023
ai-services Call Analyze Image 40 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/call-analyze-image-40.md
--+ Last updated 08/01/2023
ai-services Call Analyze Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/call-analyze-image.md
--+ Last updated 12/27/2022
ai-services Call Read Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/call-read-api.md
--+ Last updated 11/03/2022
ai-services Find Similar Faces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/find-similar-faces.md
--++ Last updated 11/07/2022
ai-services Generate Thumbnail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/generate-thumbnail.md
--+ Last updated 07/20/2022
ai-services Identity Access Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/identity-access-token.md
--++ Last updated 05/11/2023
ai-services Identity Detect Faces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/identity-detect-faces.md
--++ Last updated 12/27/2022
ai-services Image Retrieval https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/image-retrieval.md
--+ Last updated 02/21/2023
ai-services Migrate Face Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/migrate-face-data.md
description: This guide shows you how to migrate your stored face data from one
--+ Last updated 02/22/2021
ai-services Shelf Analyze https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/shelf-analyze.md
description: Use the Product Understanding API to analyze a shelf image and receive rich product data. --+ Last updated 04/26/2023
ai-services Shelf Model Customization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/shelf-model-customization.md
description: Learn how to use the Image Analysis model customization feature to
--+ Last updated 05/02/2023
ai-services Shelf Modify Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/shelf-modify-images.md
description: Use the stitching and rectification APIs to prepare organic photos of retail shelves for accurate image analysis. --+ Last updated 07/10/2023
ai-services Shelf Planogram https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/shelf-planogram.md
description: Learn how to use the Planogram Matching API to check that a retail shelf in a photo matches its planogram layout. --+ Last updated 05/02/2023
ai-services Specify Detection Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/specify-detection-model.md
--++ Last updated 03/05/2021
ai-services Specify Recognition Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/specify-recognition-model.md
description: This article will show you how to choose which recognition model to
--+ Last updated 03/05/2021
ai-services Use Headpose https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/use-headpose.md
description: Learn how to use the HeadPose attribute to automatically rotate the
--++ Last updated 02/23/2021
ai-services Use Large Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/use-large-scale.md
--++ Last updated 05/01/2019
ai-services Use Persondirectory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/use-persondirectory.md
--++ Last updated 07/20/2022
ai-services Identity Api Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/identity-api-reference.md
--++ Last updated 02/17/2021
ai-services Identity Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/identity-encrypt-data-at-rest.md
description: Microsoft offers Microsoft-managed encryption keys, and also lets y
--++ Last updated 08/28/2020
ai-services Intro To Spatial Analysis Public Preview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/intro-to-spatial-analysis-public-preview.md
--+ Last updated 12/27/2022
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/language-support.md
description: This article provides a list of natural languages supported by Azur
--+ Last updated 12/27/2022
ai-services Overview Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/overview-identity.md
description: The Azure AI Face service provides AI algorithms that you use to de
--++ Last updated 07/04/2023
ai-services Overview Image Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/overview-image-analysis.md
description: The Image Analysis service uses pretrained AI models to extract man
--+ Last updated 07/04/2023
ai-services Overview Ocr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/overview-ocr.md
--+ Last updated 07/04/2023
ai-services Overview Vision Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/overview-vision-studio.md
description: Learn how to set up and use Vision Studio to test features of Azure
--+ Last updated 12/27/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/overview.md
--+ Last updated 07/04/2023
ai-services Client Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/quickstarts-sdk/client-library.md
description: Learn how to use Optical character recognition (OCR) in your applic
--+ Last updated 08/07/2023
ai-services Identity Client Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/quickstarts-sdk/identity-client-library.md
zone_pivot_groups: programming-languages-set-face--++ Last updated 07/04/2023
ai-services Image Analysis Client Library 40 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/quickstarts-sdk/image-analysis-client-library-40.md
description: Learn how to tag images in your application using Image Analysis 4.
--+ Last updated 01/24/2023
ai-services Image Analysis Client Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/quickstarts-sdk/image-analysis-client-library.md
description: Learn how to tag images in your application using Image Analysis th
--+ Last updated 12/27/2022
ai-services Read Container Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/read-container-migration-guide.md
description: Learn how to migrate to the v3 Read OCR containers
--+ Last updated 09/28/2021
ai-services Spatial Analysis Camera Placement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-camera-placement.md
description: Learn how to set up a camera for use with Spatial Analysis
--+ Last updated 06/08/2021
ai-services Spatial Analysis Container https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-container.md
description: The Spatial Analysis container lets you can detect people and dista
--+ Last updated 12/27/2022
ai-services Spatial Analysis Local https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-local.md
description: Use this guide to learn how to run Spatial Analysis on a recorded l
--+ Last updated 06/28/2022
ai-services Spatial Analysis Logging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-logging.md
description: Spatial Analysis provides each container with a common configuratio
--+ Last updated 06/08/2021
ai-services Spatial Analysis Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-operations.md
description: The Spatial Analysis operations.
--+ Last updated 02/02/2022
ai-services Spatial Analysis Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-web-app.md
description: Learn how to use Spatial Analysis in a web application.
--+ Last updated 06/08/2021
ai-services Spatial Analysis Zone Line Placement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-zone-line-placement.md
description: Learn how to set up zones and lines with Spatial Analysis
--+ Last updated 06/08/2021
ai-services Upgrade Api Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/upgrade-api-versions.md
--+ Last updated 08/11/2020
ai-services Use Case Alt Text https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/use-case-alt-text.md
--+ Last updated 03/17/2023
ai-services Use Case Dwell Time https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/use-case-dwell-time.md
--+ Last updated 07/22/2022
ai-services Use Case Identity Verification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/use-case-identity-verification.md
--+ Last updated 07/22/2022
ai-services Use Case Queue Time https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/use-case-queue-time.md
--+ Last updated 07/22/2022
ai-services Vehicle Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/vehicle-analysis.md
description: Vehicle analysis provides each container with a common configuratio
--+ Last updated 11/07/2022
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/whats-new.md
description: Stay up to date on recent releases and updates to Azure AI Vision.
--+ Last updated 12/27/2022
ai-services Azure Kubernetes Recipe https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/containers/azure-kubernetes-recipe.md
description: Deploy the language detection container, with a running sample, to
--+ Last updated 01/10/2022
ai-services Api Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/api-reference.md
description: Learn about the content moderation APIs for Content Moderator.
--+ Last updated 05/29/2019
ai-services Client Libraries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/client-libraries.md
zone_pivot_groups: programming-languages-set-conmod--+ Last updated 09/28/2021
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/encrypt-data-at-rest.md
description: Content Moderator encryption of data at rest. --+ Last updated 03/13/2020
ai-services Export Delete Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/export-delete-data.md
description: You have full control over your data. Learn how to view, export or
--+ Last updated 02/07/2019
ai-services Image Lists Quickstart Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/image-lists-quickstart-dotnet.md
description: How to moderate images with custom image lists using the Content Mo
--+ Last updated 10/24/2019
ai-services Image Moderation Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/image-moderation-api.md
description: Use Content Moderator's machine-assisted image moderation to modera
--+ Last updated 10/27/2021
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/language-support.md
description: This is a list of natural languages that the Content Moderator API
--+ Last updated 10/27/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/overview.md
description: Learn how to use Content Moderator to track, flag, assess, and filt
--+ Last updated 11/06/2021
ai-services Samples Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/samples-dotnet.md
description: Learn how to use Content Moderator in your .NET applications throug
--+ Last updated 10/27/2021
ai-services Samples Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/samples-rest.md
description: Use Content Moderator feature based samples in your applications th
--+ Last updated 01/10/2019
ai-services Term Lists Quickstart Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/term-lists-quickstart-dotnet.md
description: How to moderate text with custom term lists using the Content Moder
--+ Last updated 10/24/2019
ai-services Text Moderation Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/text-moderation-api.md
description: Use text moderation for possible unwanted text, personal data, and
--+ Last updated 10/27/2021
ai-services Try Image Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/try-image-api.md
description: Use the Image Moderation API in Azure AI Content Moderator to scan
--+ Last updated 01/10/2019
ai-services Try Image List Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/try-image-list-api.md
description: You use the List Management API in Azure AI Content Moderator to cr
--+ Last updated 01/10/2019
ai-services Try Terms List Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/try-terms-list-api.md
description: Use the List Management API to create custom lists of terms to use
--+ Last updated 01/10/2019
ai-services Try Text Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/try-text-api.md
--+ Last updated 10/27/2021
ai-services Video Moderation Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/video-moderation-api.md
description: How to analyze video content for various objectionable material usi
--+ Last updated 10/27/2021
ai-services Harm Categories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/concepts/harm-categories.md
description: Learn about the different content moderation flags and severity lev
--+ Last updated 04/06/2023
ai-services Response Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/concepts/response-codes.md
description: See the possible error codes for the Content Safety APIs.
--+ Last updated 05/09/2023
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/how-to/encrypt-data-at-rest.md
description: Learn how Azure AI Content Safety encrypts your data when it's pers
--+ Last updated 07/04/2023
ai-services Use Blocklist https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/how-to/use-blocklist.md
description: Learn how to customize text moderation in Content Safety by using y
--+ Last updated 07/20/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/language-support.md
description: This is a list of natural languages that the Content Safety API sup
--+ Last updated 08/01/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/overview.md
description: Learn how to use Content Safety to track, flag, assess, and filter
--+ Last updated 07/18/2023
ai-services Quickstart Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/quickstart-image.md
description: Get started using Content Safety to analyze image content for objec
--+ Last updated 05/08/2023
ai-services Quickstart Text https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/quickstart-text.md
description: Get started using Content Safety to analyze image and text content
--+ Last updated 07/18/2023
ai-services Studio Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/studio-quickstart.md
description: In this quickstart, get started with the Content Safety service usi
--+ Last updated 04/27/2023
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/whats-new.md
description: Stay up to date on recent releases and updates to Azure AI Content
--+ Last updated 04/07/2023
ai-services Copy Move Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/copy-move-projects.md
description: Learn how to use the ExportProject and ImportProject APIs to copy and back up your Custom Vision projects. --+ Last updated 01/20/2022
ai-services Custom Vision Onnx Windows Ml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/custom-vision-onnx-windows-ml.md
--+ Last updated 04/29/2020
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/encrypt-data-at-rest.md
description: Microsoft offers Microsoft-managed encryption keys, and also lets y
--+ Last updated 08/28/2020
ai-services Export Delete Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/export-delete-data.md
--+ Last updated 03/21/2019
ai-services Export Model Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/export-model-python.md
--+ Last updated 07/05/2022
ai-services Export Programmatically https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/export-programmatically.md
--+ Last updated 06/28/2021
ai-services Export Your Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/export-your-model.md
--+ Last updated 07/05/2022
ai-services Get Started Build Detector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/get-started-build-detector.md
description: In this quickstart, you'll learn how to use the Custom Vision websi
--+ Last updated 12/27/2022
ai-services Getting Started Build A Classifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/getting-started-build-a-classifier.md
description: In this quickstart, you'll learn how to use the Custom Vision web p
--+ Last updated 11/03/2022
ai-services Getting Started Improving Your Classifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/getting-started-improving-your-classifier.md
--+ Last updated 07/05/2022
ai-services Iot Visual Alerts Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/iot-visual-alerts-tutorial.md
--+ Last updated 11/23/2020
ai-services Limits And Quotas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/limits-and-quotas.md
--+ Last updated 07/05/2022
ai-services Logo Detector Mobile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/logo-detector-mobile.md
description: In this tutorial, you will step through a sample app that uses Cust
--+ Last updated 07/04/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/overview.md
--+ Last updated 07/04/2023
ai-services Image Classification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/quickstarts/image-classification.md
description: "Quickstart: Create an image classification project, add tags, upload images, train your project, and make a prediction using the Custom Vision client library or the REST API" --+ Last updated 11/03/2022 ms.devlang: csharp, golang, java, javascript, python
ai-services Object Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/quickstarts/object-detection.md
description: "Quickstart: Create an object detection project, add custom tags, upload images, train the model, and detect objects in images using the Custom Vision client library." --+ Last updated 11/03/2022 ms.devlang: csharp, golang, java, javascript, python
ai-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/release-notes.md
--+ Last updated 04/03/2019
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/role-based-access-control.md
description: This article will show you how to configure Azure role-based access control for your Custom Vision projects. --+ Last updated 09/11/2020
ai-services Select Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/select-domain.md
description: This article will show you how to select a domain for your project
--+ Last updated 06/13/2022
ai-services Storage Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/storage-integration.md
description: Learn how to integrate Azure storage to receive push notifications when you train or export Custom Vision models. You can also save a backup of exported models. --+ Last updated 06/25/2021
ai-services Suggested Tags https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/suggested-tags.md
--+ Last updated 12/27/2022
ai-services Test Your Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/test-your-model.md
--+ Last updated 07/05/2022
ai-services Update Application To 3.0 Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/update-application-to-3.0-sdk.md
--+ Last updated 12/27/2022
ai-services Use Prediction Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/use-prediction-api.md
description: Learn how to use the API to programmatically test images with your Custom Vision Service classifier. --+ Last updated 12/27/2022
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/custom-vision-service/whats-new.md
description: This article contains news about Custom Vision.
--+ Last updated 09/27/2021
ai-services Changelog Release History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/changelog-release-history.md
description: A version-based description of Document Intelligence feature and capability releases, changes, enhancements, and updates. --+ Last updated 08/17/2023
ai-services Choose Model Feature https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/choose-model-feature.md
description: Choose the best Document Intelligence model to meet your needs. --+ Last updated 07/18/2023
ai-services Concept Accuracy Confidence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-accuracy-confidence.md
description: Best practices to interpret the accuracy score from the train model operation and the confidence score from analysis operations. --+ Last updated 07/18/2023
ai-services Concept Add On Capabilities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-add-on-capabilities.md
description: How to increase service limit capacity with add-on capabilities. --+ Last updated 08/25/2023
ai-services Concept Analyze Document Response https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-analyze-document-response.md
description: Description of the different objects returned as part of the analyze document response and how to use the document analysis response in your applications. --+ Last updated 07/18/2023
ai-services Concept Business Card https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-business-card.md
description: OCR and machine learning based business card scanning in Document Intelligence extracts key data from business cards. --+ Last updated 07/18/2023
ai-services Concept Composed Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-composed-models.md
description: Compose several custom models into a single model for easier data extraction from groups of distinct form types. --+ Last updated 07/18/2023
ai-services Concept Contract https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-contract.md
description: Automate tax document data extraction with Document Intelligence's tax document models. --+ Last updated 09/20/2023
ai-services Concept Custom Classifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom-classifier.md
description: Use the custom classification model to train a model to identify and split the documents you process within your application. --+ Last updated 07/18/2023
ai-services Concept Custom Label Tips https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom-label-tips.md
description: Label tips and tricks for Document Intelligence Studio --+ Last updated 07/18/2023
ai-services Concept Custom Label https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom-label.md
description: Label documents in the Studio to create a training dataset. Labeling guidelines aimed at training a model with high accuracy --+ Last updated 07/18/2023
ai-services Concept Custom Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom-lifecycle.md
description: Document Intelligence custom model lifecycle and management guide. --+ Last updated 07/24/2023
ai-services Concept Custom Neural https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom-neural.md
description: Use the custom neural document model to train a model to extract data from structured, semistructured, and unstructured documents. --+ Last updated 07/18/2023
ai-services Concept Custom Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom-template.md
description: Use the custom template document model to train a model to extract data from structured or templated forms. --+ Last updated 07/18/2023
ai-services Concept Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom.md
description: Label and train customized models for your documents and compose multiple models into a single model identifier. --+ Last updated 07/18/2023
ai-services Concept Document Intelligence Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-document-intelligence-studio.md
description: "Concept: Form and document processing, data extraction, and analysis using Document Intelligence Studio " --+ Last updated 07/18/2023
ai-services Concept General Document https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-general-document.md
description: Extract key-value pairs, tables, selection marks, and text from your documents with Document Intelligence --+ Last updated 07/18/2023
ai-services Concept Health Insurance Card https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-health-insurance-card.md
description: Data extraction and analysis extraction using the health insurance card model --+ Last updated 07/18/2023
ai-services Concept Id Document https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-id-document.md
description: Automate identity document (ID) processing of driver licenses, passports, and more with Document Intelligence. --+ Last updated 07/18/2023
ai-services Concept Invoice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-invoice.md
description: Automate invoice data extraction with Document Intelligence's invoice model to extract accounts payable data including invoice line items. --+ Last updated 08/10/2023
ai-services Concept Layout https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-layout.md
description: Extract text, tables, selections, titles, section headings, page headers, page footers, and more with layout analysis model from Document Intelligence. --+ Last updated 07/18/2023
ai-services Concept Model Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-model-overview.md
description: Document processing models for OCR, document layout, invoices, identity, custom models, and more to extract text, structure, and key-value pairs. --+ Last updated 09/20/2023
ai-services Concept Query Fields https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-query-fields.md
description: Use Document Intelligence to extract query field data. --+ Last updated 07/18/2023
ai-services Concept Read https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-read.md
description: Extract print and handwritten text from scanned and digital documents with Document Intelligence's Read OCR model. --+ Last updated 07/18/2023
ai-services Concept Receipt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-receipt.md
description: Use machine learning powered receipt data extraction model to digitize receipts. --+ Last updated 07/18/2023
ai-services Concept Tax Document https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-tax-document.md
description: Automate tax document data extraction with Document Intelligence's tax document models --+ Last updated 07/18/2023
ai-services Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/containers/configuration.md
description: Learn how to configure the Document Intelligence container to parse form and table data. --+ Last updated 07/18/2023
ai-services Disconnected https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/containers/disconnected.md
Title: Use Document Intelligence (formerly Form Recognizer) containers in disconnected environments description: Learn how to run Cognitive Services Docker containers disconnected from the internet.--+
ai-services Image Tags https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/containers/image-tags.md
description: A listing of all Document Intelligence container image tags. --+ Last updated 07/18/2023
ai-services Install Run https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/containers/install-run.md
description: Use the Docker containers for Document Intelligence on-premises to identify and extract key-value pairs, selection marks, tables, and structure from forms and documents. --+ Last updated 07/18/2023
ai-services Create Document Intelligence Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/create-document-intelligence-resource.md
description: Create a Document Intelligence resource in the Azure portal --+ Last updated 07/18/2023
ai-services Create Sas Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/create-sas-tokens.md
description: How to create Shared Access Signature tokens (SAS) for containers a
--+ Last updated 07/18/2023 monikerRange: '<=doc-intel-3.1.0'
ai-services Deploy Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/deploy-label-tool.md
description: Learn the different ways you can deploy the Document Intelligence Sample Labeling tool to help with supervised learning. --+ Last updated 07/18/2023
ai-services Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/disaster-recovery.md
description: Learn how to use the copy model API to back up your Document Intelligence resources. --+ Last updated 07/18/2023
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/encrypt-data-at-rest.md
description: Microsoft offers Microsoft-managed encryption keys, and also lets you manage your Azure AI services subscriptions with your own keys, called customer-managed keys (CMK). This article covers data encryption at rest for Document Intelligence, and how to enable and manage CMK. --+ Last updated 07/18/2023
ai-services Build A Custom Classifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/how-to-guides/build-a-custom-classifier.md
description: Learn how to label, and build a custom document classification model. --+ Last updated 07/18/2023
ai-services Build A Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/how-to-guides/build-a-custom-model.md
description: Learn how to build, label, and train a custom model. --+ Last updated 07/18/2023
ai-services Compose Custom Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/how-to-guides/compose-custom-models.md
description: Learn how to create, use, and manage Document Intelligence custom and composed models --+ Last updated 07/18/2023
ai-services Estimate Cost https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/how-to-guides/estimate-cost.md
description: Learn how to use Azure portal to check how many pages are analyzed and estimate the total price. --+ Last updated 07/18/2023
ai-services Project Share Custom Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/how-to-guides/project-share-custom-models.md
description: Learn how to share custom model projects using Document Intelligence Studio. --+ Last updated 07/18/2023
ai-services Use Sdk Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/how-to-guides/use-sdk-rest-api.md
description: Learn how to use Document Intelligence SDKs or REST API and create apps to extract key data from documents. --+ Last updated 08/21/2023
ai-services Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/label-tool.md
description: How to use the Document Intelligence sample tool to analyze documents, invoices, receipts etc. Label and create a custom model to extract text, tables, selection marks, structure and key-value pairs from documents. --+ Last updated 07/18/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/language-support.md
description: Learn more about the human languages that are available with Document Intelligence. --+ Last updated 07/18/2023 monikerRange: '<=doc-intel-3.1.0'
ai-services Managed Identities Secured Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/managed-identities-secured-access.md
description: Learn how to configure secure communications between Document Intelligence and other Azure Services. --+ Last updated 07/18/2023
ai-services Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/managed-identities.md
description: Understand how to create and use managed identity with Document Intelligence --+ Last updated 07/18/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/overview.md
description: Azure AI Document Intelligence is a machine-learning based OCR and intelligent document processing service to automate extraction of key data from forms and documents. --+ Last updated 09/20/2023
ai-services Get Started Sdks Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/get-started-sdks-rest-api.md
description: Use a Document Intelligence SDK or the REST API to create a forms processing app that extracts key data and structure elements from your documents. --+ Last updated 08/15/2023
ai-services Try Document Intelligence Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/try-document-intelligence-studio.md
description: Form and document processing, data extraction, and analysis using Document Intelligence Studio --+ Last updated 07/18/2023
ai-services Try Sample Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/try-sample-label-tool.md
description: In this quickstart, you'll learn to use the Document Intelligence Sample Labeling tool to manually label documents. Then you'll train a custom document processing model with the labeled documents and use the model to extract key/value pairs. --+ Last updated 07/18/2023
ai-services Resource Customer Stories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/resource-customer-stories.md
description: Highlight customer stories with Document Intelligence. --+ Last updated 07/18/2023
ai-services Sdk Overview V3 0 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/sdk-overview-v3-0.md
description: Document Intelligence v3.0 software development kits (SDKs) expose Document Intelligence models, features and capabilities, using C#, Java, JavaScript, and Python programming language. --+ Last updated 09/05/2023
ai-services Sdk Overview V3 1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/sdk-overview-v3-1.md
description: The Document Intelligence v3.1 software development kits (SDKs) expose Document Intelligence models, features and capabilities that are in active development for C#, Java, JavaScript, or Python programming language. --+ Last updated 09/05/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/service-limits.md
description: Quick reference, detailed description, and best practices for worki
--+ Last updated 07/18/2023
ai-services Studio Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/studio-overview.md
description: Learn how to set up and use Document Intelligence Studio to test features of Azure AI Document Intelligence on the web. --+ Last updated 07/18/2023
ai-services Supervised Table Tags https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/supervised-table-tags.md
description: Learn how to effectively use supervised table tag labeling. --+ Last updated 07/18/2023
ai-services Tutorial Azure Function https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/tutorial-azure-function.md
description: This guide shows you how to use an Azure function to trigger the pr
--+ Last updated 07/18/2023
ai-services Tutorial Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/tutorial-logic-apps.md
description: A tutorial introducing how to use Document intelligence with Logic Apps. --+ Last updated 08/01/2023
ai-services V3 1 Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/v3-1-migration-guide.md
description: In this how-to guide, learn the differences between Document Intelligence API v3.0 and v3.1 and how to move to the newer version of the API. --+ Last updated 07/18/2023
ai-services V3 Error Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/v3-error-guide.md
description: Learn how errors are represented in Document Intelligence and find a list of possible errors returned by the service. --+ Last updated 07/18/2023
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/whats-new.md
description: Learn the latest changes to the Document Intelligence API. --+ Last updated 07/18/2023
ai-services How To Cache Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-cache-token.md
description: This article will show you how to cache the authentication token.
--+ Last updated 01/14/2020
ai-services How To Configure Read Aloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-configure-read-aloud.md
description: This article will show you how to configure the various options for
--+ Last updated 06/29/2020
ai-services How To Configure Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-configure-translation.md
description: This article will show you how to configure the various options for
--+ Last updated 01/06/2022
ai-services How To Create Immersive Reader https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-create-immersive-reader.md
description: This article shows you how to create a new Immersive Reader resourc
--+ Last updated 03/31/2023
ai-services How To Customize Launch Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-customize-launch-button.md
--+ Last updated 03/08/2021
ai-services How To Launch Immersive Reader https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-launch-immersive-reader.md
description: Learn how to launch the Immersive reader using JavaScript, Python, Android, or iOS. Immersive Reader uses proven techniques to improve reading comprehension for language learners, emerging readers, and students with learning differences. --+ Last updated 03/04/2021
ai-services How To Multiple Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-multiple-resources.md
description: In this tutorial, you'll create a Node.js application that launches
--+ Last updated 01/14/2020
ai-services How To Prepare Html https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-prepare-html.md
description: Learn how to launch the Immersive reader using HTML, JavaScript, Python, Android, or iOS. Immersive Reader uses proven techniques to improve reading comprehension for language learners, emerging readers, and students with learning differences. --+ Last updated 03/04/2021
ai-services How To Store User Preferences https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-store-user-preferences.md
description: This article will show you how to store the user's preferences.
--+ Last updated 06/29/2020
ai-services Display Math https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to/display-math.md
description: This article will show you how to display math in the Immersive Rea
--+ Last updated 01/14/2020
ai-services Set Cookie Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to/set-cookie-policy.md
--+ Last updated 01/06/2020
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/language-support.md
description: Learn more about the human languages that are available with Immers
--+ Last updated 11/15/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/overview.md
--+ Last updated 11/15/2021
ai-services Client Libraries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/quickstarts/client-libraries.md
zone_pivot_groups: programming-languages-set-twenty--+ Last updated 03/08/2021
ai-services Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/reference.md
--+ Last updated 11/15/2021
ai-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/release-notes.md
--+ Last updated 11/15/2021
ai-services Security How To Update Role Assignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/security-how-to-update-role-assignment.md
--+ Last updated 01/06/2022
ai-services Tutorial Ios Picture Immersive Reader https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/tutorial-ios-picture-immersive-reader.md
description: In this tutorial, you will build an iOS app from scratch and add th
--+ Last updated 01/14/2020
ai-services Configure Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/configure-containers.md
--+ Last updated 11/02/2021
ai-services Multi Region Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/custom-features/multi-region-deployment.md
description: Learn about deploying your language projects to multiple regions.
--+ Last updated 10/11/2022
ai-services Project Versioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/custom-features/project-versioning.md
description: Learn how versioning works in conversational language understanding
--+ Last updated 10/10/2022
ai-services Data Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/data-limits.md
description: Data and service limitations for Azure AI Language features.
--+ Last updated 10/05/2022
ai-services Developer Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/developer-guide.md
description: Learn about how to integrate the Language service SDK and REST API
--+ Last updated 02/14/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/language-support.md
description: This article explains which natural languages are supported by the
--+ Last updated 03/09/2023
ai-services Migrate Language Service Latest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/migrate-language-service-latest.md
description: Learn how to move your Text Analytics applications to use the lates
--+ Last updated 08/08/2022
ai-services Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/migrate.md
description: Use this article to learn if you need to migrate your applications from LUIS, QnA Maker, and Text Analytics.
--+ Last updated 09/29/2022
ai-services Model Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/model-lifecycle.md
description: This article describes the timelines for models and model versions
--+ Last updated 11/29/2022
ai-services Multilingual Emoji Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/multilingual-emoji-support.md
description: Learn about offsets caused by multilingual and emoji encodings in L
--+ Last updated 11/02/2021
ai-services Previous Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/previous-updates.md
description: An archive of previous Azure AI Language updates.
--+ Last updated 06/23/2022
ai-services Regional Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/regional-support.md
description: Learn which Azure regions are supported by the Language service.
--+ Last updated 08/23/2023
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/role-based-access-control.md
description: Learn how to use Azure RBAC for managing individual access to Azure
--+ Last updated 10/31/2022
ai-services Use Asynchronously https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/use-asynchronously.md
description: Learn how to send Language service API requests asynchronously.
--+ Last updated 10/31/2022
ai-services Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md
description: Apply best practices when using conversational language understandi
--+ Last updated 09/22/2023
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/data-formats.md
description: Learn about the data formats accepted by conversational language un
--+ Last updated 06/20/2023
ai-services Entity Components https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/entity-components.md
description: Learn how Conversational Language Understanding extracts entities f
--+ Last updated 10/11/2022
ai-services Evaluation Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/evaluation-metrics.md
description: Learn about evaluation metrics in Conversational Language Understan
--+ Last updated 05/13/2022
ai-services Multiple Languages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/multiple-languages.md
description: Learn about which how to make use of multilingual projects in conve
--+ Last updated 01/10/2022
ai-services None Intent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/none-intent.md
description: Learn about the default None intent in conversational language unde
--+ Last updated 05/13/2022
ai-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/faq.md
description: Use this article to quickly get the answers to FAQ about conversati
--+ Last updated 09/29/2022
ai-services Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/glossary.md
description: Learn about definitions used in conversational language understandi
--+ Last updated 05/13/2022
ai-services Build Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/build-schema.md
description: Use this article to start building a Conversational Language Unders
--+ Last updated 05/13/2022
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/call-api.md
description: Learn about sending prediction requests for conversational language
--+ Last updated 06/28/2022
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/create-project.md
description: Use this article to learn how to create projects in Conversational
--+ Last updated 09/29/2022
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/deploy-model.md
description: Use this article to learn how to deploy models for conversational l
--+ Last updated 10/12/2022
ai-services Fail Over https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/fail-over.md
description: Learn how to save and recover your conversational language understa
--+ Last updated 05/16/2022
ai-services Migrate From Luis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/migrate-from-luis.md
description: Learn about backwards compatibility between LUIS and Conversational
--+ Last updated 09/08/2022
ai-services Tag Utterances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/tag-utterances.md
description: Use this article to tag your utterances in Conversational Language
--+ Last updated 08/25/2023
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/train-model.md
description: Use this article to train a model and view its evaluation details t
--+ Last updated 08/25/2023
ai-services View Model Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/view-model-evaluation.md
--+ Last updated 05/16/2022
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/language-support.md
description: This article explains which natural languages are supported by the
--+ Last updated 05/12/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/overview.md
description: Customize an AI model to predict the intentions of utterances, and
--+ Last updated 10/26/2022
ai-services Prebuilt Component Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/prebuilt-component-reference.md
description: Learn about which entities can be detected automatically in Convers
--+ Last updated 11/02/2021
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/quickstart.md
description: Quickly start building an AI model to extract information and predi
--+ Last updated 03/14/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/service-limits.md
description: Learn about the data, region, and throughput limits for Conversatio
--+ Last updated 08/23/2023
ai-services Bot Framework https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/tutorials/bot-framework.md
--+ Last updated 05/25/2022
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/concepts/data-formats.md
description: Learn about the data formats accepted by custom NER.
--+ Last updated 10/17/2022
ai-services Evaluation Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/concepts/evaluation-metrics.md
description: Learn about evaluation metrics in Custom Named Entity Recognition (
--+ Last updated 08/08/2022
ai-services Fail Over https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/fail-over.md
description: Learn how to save and recover your custom NER models.
--+ Last updated 04/25/2022
ai-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/faq.md
description: Learn about Frequently asked questions when using custom Named Enti
--+ Last updated 08/08/2022
ai-services Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/glossary.md
description: Definitions and terms you may encounter when building AI models usi
--+ Last updated 05/06/2022
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/call-api.md
--+ Last updated 05/11/2023
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/create-project.md
description: Learn how to create and manage projects and Azure resources for cus
--+ Last updated 06/03/2022
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/deploy-model.md
description: Learn how to deploy a model for custom NER.
--+ Last updated 03/23/2023
ai-services Design Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/design-schema.md
description: Learn about how to select and prepare data, to be successful in cre
--+ Last updated 05/09/2022
ai-services Tag Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/tag-data.md
description: Learn how to label your data for use with Custom Named Entity Recog
--+ Last updated 05/24/2022
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/train-model.md
description: Learn about how to train your model for Custom Named Entity Recogni
--+ Last updated 05/06/2022
ai-services Use Autolabeling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/use-autolabeling.md
description: Learn how to use autolabeling in custom named entity recognition.
--+ Last updated 03/20/2023
ai-services Use Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/use-containers.md
description: Learn how to use Docker containers for Custom Named Entity Recognit
--+ Last updated 05/08/2023
ai-services View Model Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/view-model-evaluation.md
description: Learn how to evaluate and score your Custom Named Entity Recognitio
--+ Last updated 02/28/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/language-support.md
description: Learn about the languages and regions supported by custom named ent
--+ Last updated 05/06/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/overview.md
description: Customize an AI model to label and extract information from documen
--+ Last updated 02/22/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/quickstart.md
description: Quickly start building an AI model to categorize and extract inform
--+ Last updated 01/25/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/service-limits.md
description: Learn about the data and service limits when using Custom Named Ent
--+ Last updated 08/23/2023
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/concepts/data-formats.md
description: Learn about the data formats accepted by custom text analytics for
--+ Last updated 04/14/2023
ai-services Entity Components https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/concepts/entity-components.md
description: Learn how custom Text Analytics for health extracts entities from t
--+ Last updated 04/14/2023
ai-services Evaluation Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/concepts/evaluation-metrics.md
description: Learn about evaluation metrics in custom Text Analytics for health
--+ Last updated 04/14/2023
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/call-api.md
--+ Last updated 04/14/2023
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/create-project.md
description: Learn about the steps for using Azure resources with custom text an
--+ Last updated 04/14/2023
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/deploy-model.md
description: Learn about deploying a model for custom Text Analytics for health.
--+ Last updated 04/14/2023
ai-services Design Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/design-schema.md
description: Learn about how to select and prepare data, to be successful in cre
--+ Last updated 04/14/2023
ai-services Fail Over https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/fail-over.md
description: Learn how to save and recover your custom Text Analytics for health
--+ Last updated 04/14/2023
ai-services Label Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/label-data.md
description: Learn how to label your data for use with custom Text Analytics for
--+ Last updated 04/14/2023
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/train-model.md
description: Learn about how to train your model for custom Text Analytics for h
--+ Last updated 04/14/2023
ai-services View Model Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/view-model-evaluation.md
description: Learn how to evaluate and score your Custom Text Analytics for heal
--+ Last updated 04/14/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/language-support.md
description: Learn about the languages and regions supported by custom Text Anal
--+ Last updated 04/14/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/overview.md
description: Customize an AI model to label and extract healthcare information f
--+ Last updated 04/14/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/quickstart.md
description: Quickly start building an AI model to categorize and extract inform
--+ Last updated 04/14/2023
ai-services Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/reference/glossary.md
description: Learn about definitions used in custom Text Analytics for health
--+ Last updated 04/14/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/reference/service-limits.md
description: Learn about the data and service limits when using Custom Text Anal
--+ Last updated 08/23/2023
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/concepts/data-formats.md
description: Learn about the data formats accepted by custom text classification
--+ Last updated 05/24/2022
ai-services Evaluation Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/concepts/evaluation-metrics.md
description: Learn about evaluation metrics in custom text classification.
--+ Last updated 08/08/2022
ai-services Fail Over https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/fail-over.md
description: Learn how to save and recover your custom text classification model
--+ Last updated 04/22/2022
ai-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/faq.md
description: Learn about Frequently asked questions when using the custom text c
--+ Last updated 04/22/2022
ai-services Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/glossary.md
description: Learn about definitions used in custom text classification.
--+ Last updated 04/14/2022
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/call-api.md
--+ Last updated 03/23/2023
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/create-project.md
description: Learn about the steps for using Azure resources with custom text cl
--+ Last updated 06/03/2022
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/deploy-model.md
description: Learn how to deploy a model for custom text classification.
--+ Last updated 03/23/2023
ai-services Design Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/design-schema.md
description: Learn about data selection, preparation, and creating a schema for
--+ Last updated 05/05/2022
ai-services Tag Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/tag-data.md
description: Learn about how to label your data for use with the custom text cla
--+ Last updated 11/10/2022
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/train-model.md
description: Learn about how to train your model for custom text classification.
--+ Last updated 08/08/2022
ai-services Use Autolabeling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/use-autolabeling.md
description: Learn how to use autolabeling in custom text classification.
--+ Last updated 3/15/2023
ai-services View Model Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/view-model-evaluation.md
description: Learn how to view the evaluation scores for a custom text classific
--+ Last updated 10/12/2022
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/language-support.md
description: Learn about which languages are supported by custom text classifica
--+ Last updated 05/06/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/overview.md
description: Customize an AI model to classify documents and other content using
--+ Last updated 06/17/2022
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/quickstart.md
description: Quickly start building an AI model to identify and apply labels (cl
--+ Last updated 01/25/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/service-limits.md
Last updated 08/23/2023--+
ai-services Triage Email https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/tutorials/triage-email.md
description: Learn how to use custom text classification to categorize and triag
--+ Last updated 01/27/2023
ai-services Azure Machine Learning Labeling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom/azure-machine-learning-labeling.md
--+ Last updated 04/17/2023
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/how-to/call-api.md
description: Learn how to identify and link entities found in text with the enti
--+ Last updated 11/02/2021
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/language-support.md
description: A list of natural languages supported by the entity linking API
--+ Last updated 11/02/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/overview.md
description: An overview of entity linking in Azure AI services, which helps you
--+ Last updated 01/10/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/quickstart.md
description: 'Use this quickstart to perform Entity Linking, using C#, Python, J
--+ Last updated 02/17/2023
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/key-phrase-extraction/how-to/call-api.md
description: How to extract key phrases by using the Key Phrase Extraction API.
--+ Last updated 01/10/2023
ai-services Use Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/key-phrase-extraction/how-to/use-containers.md
description: Learn how to use Docker containers for Key Phrase Extraction on-pre
--+ Last updated 04/11/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/key-phrase-extraction/language-support.md
description: Use this article to find the natural languages supported by Key Phr
--+ Last updated 09/18/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/key-phrase-extraction/overview.md
description: An overview of key phrase extraction in Azure AI services, which he
--+ Last updated 01/10/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/key-phrase-extraction/quickstart.md
description: Use this quickstart to start using the Key Phrase Extraction API.
--+ Last updated 02/17/2023
ai-services Integrate Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/key-phrase-extraction/tutorials/integrate-power-bi.md
description: Learn how to use the key phrase extraction feature to get text stor
--+ Last updated 09/28/2022
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/how-to/call-api.md
description: This article will show you how to detect the language of written te
--+ Last updated 03/01/2022
ai-services Use Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/how-to/use-containers.md
description: Use Docker containers for the Language Detection API to determine t
--+ Last updated 04/11/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/language-support.md
description: This article explains which natural languages are supported by the
--+ Last updated 11/02/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/overview.md
description: An overview of language detection in Azure AI services, which helps
--+ Last updated 07/27/2022
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/quickstart.md
description: Use this quickstart to start using Language Detection.
--+ Last updated 02/17/2023
ai-services Language Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-studio.md
description: Use this article to learn about Language Studio, and testing featur
--+ Last updated 01/03/2023
ai-services Entity Metadata https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/concepts/entity-metadata.md
description: Learn about entity metadata in the NER feature.
--+ Last updated 06/13/2023
ai-services Entity Resolutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/concepts/entity-resolutions.md
description: Learn about entity resolutions in the NER feature.
--+ Last updated 10/12/2022
ai-services Ga Preview Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/concepts/ga-preview-mapping.md
description: Learn about the NER preview API.
--+ Last updated 06/14/2023
ai-services Named Entity Categories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/concepts/named-entity-categories.md
description: Learn about the entities the NER feature can recognize from unstruc
--+ Last updated 11/02/2021
ai-services How To Call https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/how-to-call.md
description: This article will show you how to extract named entities from text.
--+ Last updated 01/10/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/language-support.md
description: This article explains which natural languages are supported by the
--+ Last updated 06/27/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/overview.md
description: An overview of the Named Entity Recognition feature in Azure AI ser
--+ Last updated 06/15/2022
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/quickstart.md
description: Use this quickstart to start using the Named Entity Recognition (NE
--+ Last updated 02/17/2023
ai-services Extract Excel Information https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/tutorials/extract-excel-information.md
description: Learn how to Extract Excel text without having to write code, using
--+ Last updated 11/21/2022
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/data-formats.md
description: Learn about the data formats accepted by orchestration workflow.
--+ Last updated 05/19/2022
ai-services Evaluation Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/evaluation-metrics.md
description: Learn about evaluation metrics in orchestration workflow
--+ Last updated 05/19/2022
ai-services Fail Over https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/fail-over.md
description: Learn how to save and recover your orchestration workflow models.
--+ Last updated 05/19/2022
ai-services None Intent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/none-intent.md
description: Learn about the default None intent in orchestration workflow.
--+ Last updated 06/03/2022
ai-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/faq.md
description: Use this article to quickly get the answers to FAQ about orchestrat
--+ Last updated 06/21/2022
ai-services Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/glossary.md
description: Learn about definitions used in orchestration workflow.
--+ Last updated 05/19/2022
ai-services Build Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/build-schema.md
--+ Last updated 05/20/2022
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/call-api.md
description: Learn about sending requests for orchestration workflow.
--+ Last updated 06/28/2022
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/create-project.md
description: Use this article to learn how to create projects in orchestration w
--+ Last updated 03/23/2023
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/deploy-model.md
description: Learn about deploying orchestration workflow projects.
--+ Last updated 10/12/2022
ai-services Tag Utterances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/tag-utterances.md
description: Use this article to tag utterances
--+ Last updated 05/20/2022
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/train-model.md
--+ Last updated 05/20/2022
ai-services View Model Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/view-model-evaluation.md
--+ Last updated 10/12/2022
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/language-support.md
description: Learn about the languages supported by orchestration workflow.
--+ Last updated 05/17/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/overview.md
description: Customize an AI model to connect your Conversational Language Under
--+ Last updated 08/10/2022
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/quickstart.md
description: Quickly start creating an AI model to connect your Conversational L
--+ Last updated 02/28/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/service-limits.md
description: Learn about the data, region, and throughput limits for Orchestrati
--+ Last updated 08/23/2023
ai-services Connect Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/tutorials/connect-services.md
--+ Last updated 05/25/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/overview.md
description: Learn how to integrate AI into your applications that can extract i
--+ Last updated 07/19/2023
ai-services Conversations Entity Categories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/concepts/conversations-entity-categories.md
description: Learn about the entities the Conversational PII feature (preview) c
--+ Last updated 05/15/2022
ai-services Entity Categories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/concepts/entity-categories.md
description: Learn about the entities the PII feature can recognize from unstruc
--+ Last updated 11/15/2021
ai-services How To Call For Conversations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/how-to-call-for-conversations.md
description: This article will show you how to extract PII from chat and spoken
--+ Last updated 01/31/2023
ai-services How To Call https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/how-to-call.md
description: This article will show you how to extract PII and health informatio
--+ Last updated 07/27/2022
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/language-support.md
description: This article explains which natural languages are supported by the
--+ Last updated 08/02/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/overview.md
description: An overview of the PII detection feature in Azure AI services, whic
--+ Last updated 01/10/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/personally-identifiable-information/quickstart.md
description: Use this quickstart to start using the PII detection API.
--+ Last updated 02/17/2023
ai-services Azure Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/azure-resources.md
Title: Azure resources - question answering description: Question answering uses several Azure sources, each with a different purpose. Understanding how they are used individually allows you to plan for and select the correct pricing tier or know when to change your pricing tier. Understanding how they are used in combination allows you to find and fix problems when they occur.--+
ai-services Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/best-practices.md
Title: Best practices - question answering description: Use these best practices to improve your project and provide better results to your application/chat bot's end users.--+
ai-services Confidence Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/confidence-score.md
--+ Last updated 11/02/2021
ai-services Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/limits.md
Title: Limits and boundaries - question answering description: Question answering has meta-limits for parts of the knowledge base and service. It is important to keep your knowledge base within those limits in order to test and publish.--+
ai-services Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/plan.md
Title: Plan your app - question answering description: Learn how to plan your question answering app. Understand how question answering works and interacts with other Azure services and some project concepts.--+
ai-services Precise Answering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/precise-answering.md
Title: Precise answering using answer span detection - question answering description: Understand Precise answering feature available in question answering.--+
ai-services Project Development Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/concepts/project-development-lifecycle.md
Title: Project lifecycle - question answering description: Question answering learns best in an iterative cycle of model changes, utterance examples, deployment, and gathering data from endpoint queries.--+
ai-services Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/analytics.md
displayName: chat history, history, chat logs, logs--+ Last updated 11/02/2021
ai-services Authoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/authoring.md
Title: Authoring API - question answering description: Use the question answering Authoring API to automate common tasks like adding new question answer pairs, and creating, and publishing projects. --+
ai-services Azure Openai Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/azure-openai-integration.md
Title: Connect Custom Question Answering with Azure OpenAI on your data description: Learn how to use Custom Question Answering with Azure OpenAI.--+
ai-services Change Default Answer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/change-default-answer.md
Title: Get default answer - custom question answering description: The default answer is returned when there is no match to the question. You may want to change the default answer from the standard default answer in custom question answering.--+ Last updated 11/02/2021
ai-services Chit Chat https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/chit-chat.md
--+ Last updated 11/02/2021
ai-services Configure Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/configure-resources.md
Title: Configure Question Answering service description: This document outlines advanced configurations for custom question answering enabled resources.--+
ai-services Create Test Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/create-test-deploy.md
Title: Create, test, and deploy your question answering project description: You can create a question answering project from your own content, such as FAQs or product manuals. This article includes an example of creating a question answering project from a simple FAQ webpage, to answer questions.--+
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/encrypt-data-at-rest.md
description: Microsoft offers Microsoft-managed encryption keys, and also lets you manage your Azure AI services subscriptions with your own keys, called customer-managed keys (CMK). This article covers data encryption at rest for custom question answering, and how to enable and manage CMK. --+ Last updated 06/03/2022
ai-services Manage Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/manage-knowledge-base.md
Title: Manage projects - question answering description: Custom question answering allows you to manage projects by providing access to the project settings and content.--+
ai-services Migrate Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/migrate-knowledge-base.md
Title: Move projects - custom question answering description: Moving a custom question answering project requires exporting a project from one resource, and then importing into another.--+
ai-services Migrate Qnamaker To Question Answering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/migrate-qnamaker-to-question-answering.md
Title: Migrate from QnA Maker to Question Answering description: Details on features, requirements, and examples for migrating from QnA Maker to Question Answering--+ ms.
ai-services Migrate Qnamaker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/migrate-qnamaker.md
Title: Migrate QnA Maker knowledge bases to custom question answering description: Migrate your legacy QnAMaker knowledge bases to custom question answering to take advantage of the latest features.--+
ai-services Network Isolation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/network-isolation.md
Title: Network isolation and Private Link -question answering description: Users can restrict public access to question answering resources.--+
ai-services Prebuilt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/prebuilt.md
Title: Prebuilt API - question answering description: Use the question answering Prebuilt API to ask and receive answers to questions without having to create a project. --+
ai-services Smart Url Refresh https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/smart-url-refresh.md
Title: Smart URL refresh - question answering description: Use the question answering smart URL refresh feature to keep your project up to date.--+
ai-services Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/troubleshooting.md
Title: Troubleshooting - question answering description: The curated list of the most frequently asked questions regarding question answering will help you adopt the feature faster and with better results.--+
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/language-support.md
recommendations: false--+ Last updated 11/02/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/overview.md
Title: What is question answering? description: Question answering is a cloud-based Natural Language Processing (NLP) service that easily creates a natural conversational layer over your data. It can be used to find the most appropriate answer for any given natural language input, from your custom project.--+ recommendations: false
ai-services Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/quickstart/sdk.md
Title: "Quickstart: Use SDK to create and manage project - custom question answering" description: This quickstart shows you how to create and manage your project using custom question answering.--+ Last updated 06/06/2022
ai-services Document Format Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/reference/document-format-guidelines.md
Title: Import document format guidelines - question answering description: Use these guidelines for importing documents to get the best results for your content with question answering.--+
ai-services Markdown Format https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/reference/markdown-format.md
Title: Markdown format - question answering description: Following is the list of markdown formats that you can use your answer text.--+
ai-services Active Learning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/active-learning.md
Title: Enrich your project with active learning description: In this tutorial, learn how to enrich your question answering projects with active learning--+
ai-services Adding Synonyms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/adding-synonyms.md
Title: Improve the quality of responses with synonyms description: In this tutorial, learn how to improve response with synonyms and alternate words--+
ai-services Bot Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/bot-service.md
Title: "Tutorial: Create an FAQ bot with question answering and Azure AI Bot Service" description: In this tutorial, create a no code FAQ Bot with question answering and Azure AI Bot Service.--+
ai-services Guided Conversations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/guided-conversations.md
Title: Add guided conversations with multi-turn prompts description: In this tutorial, learn how to make guided conversations with multi-turn prompts.--+
ai-services Multiple Domains https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/multiple-domains.md
Title: "Tutorial: Create a FAQ bot for multiple categories with Azure AI Bot Service" description: In this tutorial, create a no code FAQ Bot for production use cases with question answering and Azure AI Bot Service.--+
ai-services Multiple Languages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/multiple-languages.md
Title: Create projects in multiple languages -question answering description: In this tutorial, you will learn how to create projects with multiple languages.--+
ai-services Power Virtual Agents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/tutorials/power-virtual-agents.md
Title: "Tutorial: Add your Question Answering project to Power Virtual Agents" description: In this tutorial, you will learn how to add your Question Answering project to Power Virtual Agents.--+
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/concepts/data-formats.md
description: Learn about the data formats accepted by custom sentiment analysis.
--+ Last updated 07/19/2023
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/call-api.md
--+ Last updated 07/19/2023
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/create-project.md
description: Learn about the steps for using Azure resources with Custom sentime
--+ Last updated 07/19/2023
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/deploy-model.md
description: Learn about deploying a model for Custom sentiment analysis.
--+ Last updated 07/19/2023
ai-services Design Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/design-schema.md
description: Learn about data selection and preparation for custom sentient anal
--+ Last updated 07/19/2023
ai-services Label Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/label-data.md
description: Learn about how to label your data for use with the custom Sentimen
--+ Last updated 07/19/2023
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/train-model.md
description: Learn about how to train your model for Custom sentiment analysis.
--+ Last updated 07/19/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/quickstart.md
description: Quickly start building an AI model to identify the sentiment of tex
--+ Last updated 07/19/2023
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/how-to/call-api.md
description: This article will show you how to detect sentiment, and mine for op
--+ Last updated 07/19/2023
ai-services Use Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/how-to/use-containers.md
description: Use the Docker containers for the Sentiment Analysis API to perform
--+ Last updated 09/18/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/language-support.md
description: This article explains which languages are supported by the Sentimen
--+ Last updated 09/18/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/overview.md
description: An overview of the sentiment analysis feature in Azure AI services,
--+ Last updated 07/19/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/quickstart.md
description: Use this quickstart to start using the Sentiment Analysis API.
--+ Last updated 07/19/2023
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/custom/how-to/data-formats.md
description: Learn about how to select and prepare data, to be successful in cre
--+ Last updated 06/01/2022
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/custom/how-to/deploy-model.md
description: Learn about deploying a model for Custom summarization.
--+ Last updated 06/02/2023
ai-services Test Evaluate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/custom/how-to/test-evaluate.md
description: Learn about how to test and evaluate custom summarization models.
--+ Last updated 06/01/2022
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/custom/quickstart.md
description: Quickly start building an AI model to summarize text.
--+ Last updated 05/26/2023
ai-services Conversation Summarization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/how-to/conversation-summarization.md
description: This article will show you how to summarize chat logs with the conv
--+ Last updated 01/31/2023
ai-services Document Summarization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/how-to/document-summarization.md
description: This article will show you how to summarize text with the extractiv
--+ Last updated 09/26/2022
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/language-support.md
description: Learn about which languages are supported by document summarization
--+ Last updated 09/28/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/overview.md
description: Learn about summarizing text.
--+ Last updated 01/12/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/quickstart.md
description: Use this quickstart to start using Document Summarization.
--+ Last updated 02/17/2023
ai-services Region Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/region-support.md
description: Learn about which regions are supported by document summarization.
--+ Last updated 06/11/2023
ai-services Assertion Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/concepts/assertion-detection.md
description: Learn about assertion detection.
--+ Last updated 01/04/2023
ai-services Health Entity Categories https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/concepts/health-entity-categories.md
description: Learn about categories recognized by Text Analytics for health
--+ Last updated 01/04/2023
ai-services Relation Extraction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/concepts/relation-extraction.md
description: Learn about relation extraction
--+ Last updated 01/04/2023
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/how-to/call-api.md
description: Learn how to extract and label medical information from unstructure
--+ Last updated 01/04/2023
ai-services Configure Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/how-to/configure-containers.md
description: Text Analytics for health containers uses a common configuration fr
--+ Last updated 11/02/2021
ai-services Use Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/how-to/use-containers.md
description: Learn how to extract and label medical information on premises usin
--+ Last updated 01/18/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/language-support.md
description: "This article explains which natural languages are supported by the
--+ Last updated 01/04/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/overview.md
description: An overview of Text Analytics for health in Azure AI services, whic
--+ Last updated 01/06/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/text-analytics-for-health/quickstart.md
description: Use this quickstart to start using Text Analytics for health.
--+ Last updated 02/17/2023
ai-services Power Automate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/tutorials/power-automate.md
description: Learn how to use Azure AI Language in power automate, without writi
--+ Last updated 03/02/2023
ai-services Use Kubernetes Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/tutorials/use-kubernetes-service.md
description: Deploy a key phrase extraction container image to Azure Kubernetes
--+ Last updated 05/27/2022
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/whats-new.md
description: Find out about new releases and features for the Azure AI Language.
--+ Last updated 04/14/2023
ai-services Cost Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/cost-management.md
description: Learn about cost management and pricing for Azure AI Metrics Advisor --+ Last updated 09/06/2022
ai-services Data Feeds From Different Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/data-feeds-from-different-sources.md
description: Add different data feeds to Metrics Advisor --+ Last updated 05/26/2021
ai-services Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/encryption.md
description: Metrics Advisor service encryption of data at rest. --+ Last updated 07/02/2021
ai-services Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/glossary.md
description: Key ideas and concepts for the Metrics Advisor service --+ Last updated 09/14/2020
ai-services Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/alerts.md
description: How to configure your Metrics Advisor alerts using hooks for email, web and Azure DevOps. --+ Last updated 09/14/2020
ai-services Anomaly Feedback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/anomaly-feedback.md
description: Learn how to send feedback on anomalies found by your Metrics Advisor instance, and tune the results. --+ Last updated 11/24/2020
ai-services Configure Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/configure-metrics.md
description: How to configure your Metrics Advisor instance and fine-tune the anomaly detection results. --+ Last updated 05/12/2022
ai-services Credential Entity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/credential-entity.md
description: How to create a credential entity to manage your credential in secure. --+ Last updated 06/22/2021
ai-services Diagnose An Incident https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/diagnose-an-incident.md
description: Learn how to diagnose an incident using Metrics Advisor, and get detailed views of anomalies in your data. --+ Last updated 04/15/2021
ai-services Further Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/further-analysis.md
description: Learn how to leverage analysis tools to further analyze an incident. --+ Last updated 04/15/2021
ai-services Manage Data Feeds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/manage-data-feeds.md
description: Learn how to manage data feeds that you've added to Metrics Advisor. --+ Last updated 10/25/2022
ai-services Metrics Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/metrics-graph.md
description: How to configure your Metrics graph and visualize related anomalies in your data. --+ Last updated 09/08/2020
ai-services Onboard Your Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/onboard-your-data.md
description: How to get started with onboarding your data feeds to Metrics Advisor. --+ Last updated 04/20/2021
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/overview.md
description: What is Metrics Advisor? --+ Last updated 07/06/2021
ai-services Rest Api And Client Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/quickstarts/rest-api-and-client-library.md
description: Use this quickstart to connect your applications to the Metrics Advisor API from Azure AI services. --+ Last updated 11/07/2022
ai-services Web Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/quickstarts/web-portal.md
Last updated 11/07/2022 --+
ai-services Enable Anomaly Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/tutorials/enable-anomaly-notification.md
Title: Metrics Advisor anomaly notification e-mails with Azure Logic Apps
description: Learn how to automate sending e-mail alerts in response to Metric Advisor anomalies --+ Last updated 05/20/2021
ai-services Write A Valid Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/tutorials/write-a-valid-query.md
Title: Write a query for Metrics Advisor data ingestion
description: Learn how to onboard your data to Metrics Advisor. --+ Last updated 05/20/2021
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/whats-new.md
description: Learn about what is new with Metrics Advisor --+ Last updated 12/16/2022
ai-services Chatgpt Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/chatgpt-quickstart.md
description: Walkthrough on how to get started with GPT-35-Turbo and GPT-4 on Azure OpenAI Service. --+
ai-services Abuse Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/abuse-monitoring.md
description: Learn about the abuse monitoring capabilities of Azure OpenAI Service --+ Last updated 06/16/2023
ai-services Advanced Prompt Engineering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/advanced-prompt-engineering.md
description: Learn about the options for how to use prompt engineering with GPT-3, GPT-35-Turbo, and GPT-4 models --+ Last updated 04/20/2023
ai-services Content Filter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/content-filter.md
description: Learn about the content filtering capabilities of Azure OpenAI in Azure AI services --+ Last updated 09/15/2023
keywords:
> [!IMPORTANT] > The content filtering system isn't applied to prompts and completions processed by the Whisper model in Azure OpenAI Service. Learn more about the [Whisper model in Azure OpenAI](models.md#whisper-preview).
-Azure OpenAI Service includes a content filtering system that works alongside core models. This system works by running both the prompt and completion through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Variations in API configurations and application design may affect completions and thus filtering behavior. The content filtering system supports the following languages: Chinese, English, French, German, Italian, Japanese, Portuguese, and Spanish. It might not be able to detect inappropriate content in languages that it hasn't been trained or tested to process.
+Azure OpenAI Service includes a content filtering system that works alongside core models. This system works by running both the prompt and completion through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Variations in API configurations and application design may affect completions and thus filtering behavior.
+
+The content filtering models have been specifically trained and tested on the following languages: English, German, Japanese, Spanish, French, Italian, Portuguese, and Chinese. However, the service can work in many other languages, but the quality may vary. In all cases, you should do your own testing to ensure that it works for your application.
In addition to the content filtering system, the Azure OpenAI Service performs monitoring to detect content and/or behaviors that suggest use of the service in a manner that may violate applicable product terms. For more information about understanding and mitigating risks associated with your application, see the [Transparency Note for Azure OpenAI](/legal/cognitive-services/openai/transparency-note?tabs=text). For more information about how data is processed in connection with content filtering and abuse monitoring, see [Data, privacy, and security for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy?context=/azure/ai-services/openai/context/context#preventing-abuse-and-harmful-content-generation).
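Review bot: The added paragraph beginning "The content filtering models have been specifically trained" drops the removed line's explicit caveat that the system "might not be able to detect inappropriate content in languages that it hasn't been trained or tested to process" and replaces it with "the quality may vary", which understates the risk that harmful prompts or completions pass unfiltered in untested languages. Consider restoring that sentence alongside the new advice to do your own testing. The sentence "However, the service can work in many other languages, but the quality may vary" also stacks "However" and "but"; "The service can work in many other languages, but the quality may vary" reads cleaner. The language list was reordered from alphabetical with no stated reason; if the order carries no meaning, keeping it alphabetical makes later diffs easier to review.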
ai-services Legacy Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/legacy-models.md
Title: Azure OpenAI Service legacy models description: Learn about the legacy models in Azure OpenAI. --+ Last updated 07/06/2023
ai-services Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/models.md
Title: Azure OpenAI Service models description: Learn about the different model capabilities that are available with Azure OpenAI. --+ Last updated 09/15/2023
ai-services Prompt Engineering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/prompt-engineering.md
Title: Azure OpenAI Service | Introduction to Prompt engineering description: Learn how to use prompt engineering to optimize your work with Azure OpenAI Service.--+ Last updated 03/21/2023
ai-services Red Teaming https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/red-teaming.md
Title: Introduction to red teaming large language models (LLMs) description: Learn about how red teaming and adversarial testing is an essential practice in the responsible development of systems and features using large language models (LLMs)--+ Last updated 05/18/2023
ai-services System Message https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/system-message.md
Title: System message framework and template recommendations for Large Language Models(LLMs) description: Learn about how to construct system messages also known as metaprompts to guide an AI system's behavior.--+ Last updated 05/19/2023
ai-services Understand Embeddings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/understand-embeddings.md
description: Learn more about Azure OpenAI embeddings API for document search and cosine similarity --+ Last updated 09/12/2023
ai-services Use Your Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/use-your-data.md
description: Use this article to learn about using your data for better text generation in Azure OpenAI. --+
ai-services Dall E Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/dall-e-quickstart.md
description: Learn how to get started generating images with Azure OpenAI Service by using the Python SDK, the REST APIs, or Azure OpenAI Studio. --+
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/encrypt-data-at-rest.md
description: Learn how Azure OpenAI encrypts your data when it's persisted to th
--+ Last updated 11/14/2022
ai-services Business Continuity Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/business-continuity-disaster-recovery.md
description: Considerations for implementing Business Continuity and Disaster Recovery (BCDR) with Azure OpenAI --+ Last updated 8/17/2023
ai-services Chatgpt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/chatgpt.md
description: Learn about the options for how to use the GPT-35-Turbo and GPT-4 models --+ Last updated 05/15/2023
ai-services Completions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/completions.md
description: Learn how to generate or manipulate text, including code by using a completion endpoint in Azure OpenAI Service. --+ Last updated 08/15/2023
ai-services Content Filters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/content-filters.md
description: Learn how to use content filters (preview) with Azure OpenAI Service --+ Last updated 6/5/2023
ai-services Create Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/create-resource.md
description: Learn how to get started with Azure OpenAI Service and create your first resource and deploy your first model in the Azure CLI or the Azure portal. --+ Last updated 08/25/2023
ai-services Embeddings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/embeddings.md
description: Learn how to generate embeddings with Azure OpenAI --+ Last updated 9/12/2023
ai-services Fine Tuning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/fine-tuning.md
description: Learn how to create your own customized model with Azure OpenAI Service by using Python, the REST APIs, or Azure OpenAI Studio. --+ Last updated 09/01/2023
ai-services Function Calling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/function-calling.md
description: Learn how to use function calling with the GPT-35-Turbo and GPT-4 models --+ Last updated 07/20/2023
ai-services Integrate Synapseml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/integrate-synapseml.md
description: Learn how to integrate Azure OpenAI Service with SynapseML and Apache Spark to apply large language models at a distributed scale. --+ Last updated 09/01/2023
ai-services Manage Costs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/manage-costs.md
description: Learn how to plan for and manage costs for Azure OpenAI by using co
--+ Last updated 08/22/2023
ai-services Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/managed-identity.md
Title: How to configure Azure OpenAI Service with managed identities description: Provides guidance on how to set managed identity with Azure Active Directory--+ Last updated 06/24/2022
ai-services Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/monitoring.md
Title: Monitoring Azure OpenAI Service
description: Learn how to use Azure Monitor tools like Log Analytics to capture and analyze metrics and data logs for your Azure OpenAI Service resources. --+ Last updated 09/07/2023
ai-services Prepare Dataset https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/prepare-dataset.md
description: Learn how to prepare your dataset for fine-tuning --+ Last updated 06/24/2022
ai-services Quota https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/quota.md
description: Learn how to use Azure OpenAI to control your deployments rate limi
--+ Last updated 08/01/2023
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/role-based-access-control.md
description: Learn how to use Azure RBAC for managing individual access to Azure
--+ Last updated 08/30/2022
ai-services Switching Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/switching-endpoints.md
description: Learn about the changes you need to make to your code to swap back and forth between OpenAI and Azure OpenAI endpoints. --+ Last updated 07/20/2023
ai-services Work With Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/work-with-code.md
description: Learn how to use the Codex models on Azure OpenAI to handle a variety of coding tasks --+ Last updated 06/24/2022
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/overview.md
description: Apply advanced language models to variety of use cases with Azure O
--+ Last updated 09/15/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/quickstart.md
description: Walkthrough on how to get started with Azure OpenAI and make your first completions call. --+
ai-services Quotas Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/quotas-limits.md
description: Quick reference, detailed description, and best practices on the qu
--+ Last updated 06/08/2023
ai-services Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/reference.md
description: Learn how to use Azure OpenAI's REST API. In this article, you'll learn about authorization options, how to structure a request and receive a response. --+ Last updated 09/15/2023
ai-services Embeddings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/tutorials/embeddings.md
description: Learn how to use Azure OpenAI's embeddings API for document search with the BillSum dataset --+ Last updated 09/12/2023
ai-services Use Your Data Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/use-your-data-quickstart.md
description: Use this article to import and use your data in Azure OpenAI. --+
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/whats-new.md
description: Learn about the latest news and features updates for Azure OpenAI
--+ Last updated 09/20/2023 recommendations: false
ai-services Concept Active Inactive Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concept-active-inactive-events.md
description: This article discusses the use of active and inactive events within
ms.--+ Last updated 02/20/2020
ai-services Concept Active Learning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concept-active-learning.md
description: Learning settings determine the *hyperparameters* of the model trai
ms.--+ Last updated 02/20/2020
ai-services Concept Apprentice Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concept-apprentice-mode.md
description: Learn how to use apprentice mode to gain confidence in a model with
ms.--+ Last updated 07/26/2022
ai-services Concept Auto Optimization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concept-auto-optimization.md
description: This article provides a conceptual overview of the auto-optimize fe
ms.--+ Last updated 03/08/2021
ai-services Concept Multi Slot Personalization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concept-multi-slot-personalization.md
--+ Last updated 05/24/2021
ai-services Concept Rewards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concept-rewards.md
description: The reward score indicates how well the personalization choice, Rew
ms.--+ Last updated 02/20/2020
ai-services Concepts Exploration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concepts-exploration.md
description: With exploration, Personalizer is able to continuously deliver good
ms.--+ Last updated 08/28/2022
ai-services Concepts Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concepts-features.md
description: Personalizer uses features, information about actions and context,
ms.--+ Last updated 12/28/2022
ai-services Concepts Offline Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concepts-offline-evaluation.md
description: This article will explain how to use offline evaluation to measure
ms.--+ Last updated 02/20/2020
ai-services Concepts Reinforcement Learning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concepts-reinforcement-learning.md
description: Personalizer uses information about actions and current context to
ms.--+ Last updated 05/07/2019
ai-services Concepts Scalability Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/concepts-scalability-performance.md
description: "High-performance and high-traffic websites and applications have t
ms.--+ Last updated 10/24/2019
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/encrypt-data-at-rest.md
description: Learn about the keys that you use for data-at-rest encryption in Personalizer. See how to use Azure Key Vault to configure customer-managed keys. --+ Last updated 06/02/2022
ai-services How Personalizer Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-personalizer-works.md
description: The Personalizer _loop_ uses machine learning to build the model th
ms.--+ Last updated 02/18/2020
ai-services How To Create Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-create-resource.md
description: In this article, learn how to create a personalizer resource in the
ms.--+ Last updated 03/26/2020
ai-services How To Feature Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-feature-evaluation.md
description: When you run a Feature Evaluation in your Personalizer resource fro
ms.--+ Last updated 09/22/2022
ai-services How To Inference Explainability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-inference-explainability.md
description: Personalizer can return feature scores in each Rank call to provide
ms.--+ Last updated 09/20/2022
ai-services How To Learning Behavior https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-learning-behavior.md
description: Apprentice mode gives you confidence in the Personalizer service an
ms.--+ Last updated 07/26/2022
ai-services How To Manage Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-manage-model.md
description: The machine-learned model and learning settings can be exported for
ms.--+ Last updated 02/20/2020
ai-services How To Multi Slot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-multi-slot.md
--+ Last updated 05/24/2021 zone_pivot_groups: programming-languages-set-six
ai-services How To Offline Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-offline-evaluation.md
description: This article will show you how to use offline evaluation to measure
ms.--+ Last updated 02/20/2020
ai-services How To Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-settings.md
description: Service configuration includes how the service treats rewards, how
ms.--+ Last updated 04/29/2020
ai-services How To Thick Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/how-to-thick-client.md
--+ Last updated 09/06/2022
ai-services Quickstart Personalizer Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/quickstart-personalizer-sdk.md
description: This quickstart shows you how to create and manage a Personalizer l
ms.--+ Last updated 02/02/2023 ms.devlang: csharp, javascript, python
ai-services Responsible Characteristics And Limitations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/responsible-characteristics-and-limitations.md
description: Characteristics and limitations of Personalizer
--+ Last updated 05/23/2022
ai-services Responsible Data And Privacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/responsible-data-and-privacy.md
description: Data and privacy for Personalizer
--+ Last updated 05/23/2022
ai-services Responsible Guidance Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/responsible-guidance-integration.md
description: Guidance for integration and responsible use of Personalizer
--+ Last updated 05/23/2022
ai-services Responsible Use Cases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/responsible-use-cases.md
description: Transparency Note for Personalizer
--+ Last updated 05/23/2022
ai-services Terminology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/terminology.md
description: Personalizer uses terminology from reinforcement learning. These te
ms.--+ Last updated 09/16/2022
ai-services Tutorial Use Azure Notebook Generate Loop Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/tutorial-use-azure-notebook-generate-loop-data.md
description: This tutorial simulates a Personalizer loop _system in an Azure Not
ms.--+ Last updated 04/27/2020
ai-services Tutorial Use Personalizer Chat Bot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/tutorial-use-personalizer-chat-bot.md
description: Customize a C# .NET chat bot with a Personalizer loop to provide th
ms.--+ Last updated 05/17/2021 ms.devlang: csharp
ai-services Tutorial Use Personalizer Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/tutorial-use-personalizer-web-app.md
description: Customize a C# .NET web app with a Personalizer loop to provide the
ms.--+ Last updated 06/10/2020 ms.devlang: csharp
ai-services What Is Personalizer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/what-is-personalizer.md
description: Personalizer is a cloud-based service that allows you to choose the
ms.--+ Last updated 11/17/2022
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/whats-new.md
description: This article contains news about Personalizer.
ms.--+ Last updated 05/28/2021
ai-services Where Can You Use Personalizer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/personalizer/where-can-you-use-personalizer.md
description: Personalizer can be applied in any situation where your application
ms.--+ Last updated 02/18/2020
ai-services Migrate To Openai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/migrate-to-openai.md
Title: Migrate QnA Maker to Azure OpenAI on your data description: Learn how to migrate your QnA Maker projects to Azure OpenAI.--+
ai-services Audio Processing Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/audio-processing-overview.md
description: An overview of audio processing and capabilities of the Microsoft A
--+ Last updated 09/07/2022
ai-services Audio Processing Speech Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/audio-processing-speech-sdk.md
description: An overview of the features, capabilities, and restrictions for aud
--+ Last updated 09/16/2022
ai-services Bring Your Own Storage Speech Resource Speech To Text https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/bring-your-own-storage-speech-resource-speech-to-text.md
description: Learn how to use Bring your own storage (BYOS) Speech resource with
--+ Last updated 03/28/2023
ai-services Bring Your Own Storage Speech Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/bring-your-own-storage-speech-resource.md
description: Learn how to set up Bring your own storage (BYOS) Speech resource.
--+ Last updated 03/28/2023
ai-services How To Get Speech Session Id https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-get-speech-session-id.md
description: Learn how to get Speech service Speech to text Session ID and Trans
--+ Last updated 11/29/2022
ai-services Keyword Recognition Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/keyword-recognition-guidelines.md
description: An overview of recommendations and guidelines when using keyword re
--+ Last updated 04/30/2021
ai-services Keyword Recognition Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/keyword-recognition-overview.md
description: An overview of the features, capabilities, and restrictions for key
--+ Last updated 04/30/2021
ai-services Logging Audio Transcription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/logging-audio-transcription.md
description: Learn how to use audio and transcription logging for speech to text
--+ Last updated 03/28/2023
ai-services Sovereign Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/sovereign-clouds.md
description: Learn how to use Sovereign Clouds
--+ Last updated 05/10/2022
ai-services Speech Service Vnet Service Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-service-vnet-service-endpoint.md
description: This article describes how to use Speech service with an Azure Virt
--+ Last updated 03/19/2021
ai-services Speech Services Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-services-private-link.md
description: Learn how to use Speech service with private endpoints provided by
--+ Last updated 04/07/2021
ai-services Speech Services Quotas And Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-services-quotas-and-limits.md
description: Quick reference, detailed description, and best practices on the qu
--+ Last updated 02/17/2023
ai-services Document Translation Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/connector/document-translation-flow.md
description: Use Microsoft Translator V3 connector and Power Automate to create a Document Translation flow. --+ Last updated 07/18/2023
ai-services Text Translator Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/connector/text-translator-flow.md
description: Use Microsoft Translator V3 connector and Power Automate to configure a Text Translation flow. --+ Last updated 07/18/2023
ai-services Deploy User Managed Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/containers/deploy-user-managed-glossary.md
description: How to deploy a user-managed glossary in the Translator container e
--+ Last updated 08/15/2023
ai-services Translator Container Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/containers/translator-container-configuration.md
description: The Translator container runtime environment is configured using th
--+ Last updated 07/18/2023
ai-services Translator Container Supported Parameters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/containers/translator-container-supported-parameters.md
--+ Last updated 07/18/2023
ai-services Translator How To Install Container https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/containers/translator-how-to-install-container.md
description: Use the Docker container for Translator API to translate text.
--+ Last updated 07/18/2023
ai-services Create Translator Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/create-translator-resource.md
--+ Last updated 09/06/2023
ai-services Beginners Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/beginners-guide.md
description: A user guide for understanding the end-to-end customized machine translation process. --+ Last updated 07/18/2023
ai-services Bleu Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/bleu-score.md
description: BLEU is a measurement of the differences between machine translation and human-created reference translations of the same source sentence. --+ Last updated 07/18/2023
ai-services Customization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/customization.md
description: Use the Microsoft Translator Hub to build your own machine translat
--+ Last updated 07/18/2023
ai-services Data Filtering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/data-filtering.md
description: When you submit documents to be used for training a custom system, the documents undergo a series of processing and filtering steps. --+ Last updated 07/18/2023
ai-services Dictionaries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/dictionaries.md
description: How to create an aligned document that specifies a list of phrases or sentences (and their translations) that you always want Microsoft Translator to translate the same way. Dictionaries are sometimes also called glossaries or term bases. --+ Last updated 07/18/2023
ai-services Document Formats Naming Convention https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/document-formats-naming-convention.md
description: This article is a guide to document formats and naming conventions in Custom Translator to avoid naming conflicts. --+ Last updated 07/18/2023
ai-services Model Training https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/model-training.md
description: A model is the system, which provides translation for a specific language pair. The outcome of a successful training is a model. To train a model, three mutually exclusive data sets are required training dataset, tuning dataset, and testing dataset. --+ Last updated 07/18/2023
ai-services Parallel Documents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/parallel-documents.md
description: Parallel documents are pairs of documents where one is the translation of the other. One document in the pair contains sentences in the source language and the other document contains these sentences translated into the target language. --+ Last updated 07/18/2023
ai-services Sentence Alignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/sentence-alignment.md
description: During the training execution, sentences present in parallel documents are paired or aligned. Custom Translator learns translations one sentence at a time, by reading a sentence and translating it. Then it aligns words and phrases in these two sentences to each other. --+ Last updated 07/18/2023
ai-services Workspace And Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/concepts/workspace-and-project.md
description: This article will explain the differences between a workspace and a
--+ Last updated 07/18/2023
ai-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/faq.md
description: This article contains answers to frequently asked questions about the Azure AI Translator Custom Translator. --+ Last updated 07/18/2023
ai-services Copy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/copy-model.md
description: This article explains how to copy a custom model to another workspace using the Azure AI Translator Custom Translator. --+ Last updated 07/18/2023
ai-services Create Manage Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/create-manage-project.md
description: How to create and manage a project in the Azure AI Translator Custom Translator. --+ Last updated 07/18/2023
ai-services Create Manage Training Documents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/create-manage-training-documents.md
description: How to build and upload parallel documents (two documents where one is the origin and the other is the translation) using Custom Translator. --+ Last updated 07/18/2023
ai-services Create Manage Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/create-manage-workspace.md
description: How to create and manage workspaces --+ Last updated 07/18/2023
ai-services Enable Vnet Service Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/enable-vnet-service-endpoint.md
description: This article describes how to use Custom Translator service with an
--+ Last updated 08/08/2023
ai-services Publish Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/publish-model.md
description: This article explains how to publish a custom model using the Azure AI Translator Custom Translator. --+ Last updated 07/18/2023
ai-services Test Your Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/test-your-model.md
description: How to test your custom model BLEU score and evaluate translations --+ Last updated 07/18/2023
ai-services Train Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/train-custom-model.md
description: How to train a custom model --+ Last updated 07/18/2023
ai-services Translate With Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/how-to/translate-with-custom-model.md
description: How to make translation requests using custom models published with the Azure AI Translator Custom Translator. --+ Last updated 07/18/2023
ai-services Key Terms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/key-terms.md
description: List of key terms used in Custom Translator articles. --+ Last updated 07/18/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/overview.md
description: Custom Translator offers similar capabilities to what Microsoft Translator Hub does for Statistical Machine Translation (SMT), but exclusively for Neural Machine Translation (NMT) systems. --+ Last updated 07/18/2023
ai-services Platform Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/platform-upgrade.md
description: Custom Translator v1.0 upgrade --+ Last updated 07/18/2023
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/quickstart.md
description: A step-by-step guide to building a translation system using the Custom Translator portal v2. --+ Last updated 07/05/2023
ai-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/custom-translator/release-notes.md
description: Custom Translator releases, improvements, bug fixes, and known issues. --+ Last updated 07/18/2023
ai-services Document Sdk Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/document-sdk-overview.md
description: Document Translation software development kits (SDKs) expose Document Translation features and capabilities, using C#, Java, JavaScript, and Python programming language. --+ Last updated 07/18/2023
ai-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/faq.md
--+ Last updated 07/18/2023
ai-services Create Sas Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-sas-tokens.md
Title: Create shared access signature (SAS) tokens for storage containers and blobs description: How to create Shared Access Signature tokens (SAS) for containers and blobs with Microsoft Storage Explorer and the Azure portal.--+
ai-services Create Use Glossaries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-use-glossaries.md
Title: Create and use a glossary with Document Translation description: How to create and use a glossary with Document Translation. --+
ai-services Create Use Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-use-managed-identities.md
description: Understand how to create and use managed identities in the Azure portal --+ Last updated 07/18/2023
ai-services Use Rest Api Programmatically https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/use-rest-api-programmatically.md
description: "How to create a Document Translation service using C#, Go, Java, N
--+ Last updated 07/18/2023
ai-services Language Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/language-studio.md
description: "Document Translation in Azure AI Language Studio."
--+ Last updated 09/19/2023
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/overview.md
description: An overview of the cloud-based batch Document Translation service a
--+ Last updated 07/18/2023
ai-services Document Translation Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/quickstarts/document-translation-rest-api.md
description: "How to create a Document Translation service using C#, Go, Java, N
--+ Last updated 07/18/2023
ai-services Document Translation Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/quickstarts/document-translation-sdk.md
description: Use the Translator C#/.NET or Python client library (SDK) for cloud
--+ Last updated 07/18/2023
ai-services Cancel Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/cancel-translation.md
--+ Last updated 07/18/2023
ai-services Get Document Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-document-status.md
--+ Last updated 07/18/2023
ai-services Get Documents Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-documents-status.md
--+ Last updated 07/18/2023
ai-services Get Supported Document Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-supported-document-formats.md
--+ Last updated 07/18/2023
ai-services Get Supported Glossary Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-supported-glossary-formats.md
--+ Last updated 07/18/2023
ai-services Get Supported Storage Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-supported-storage-sources.md
--+ Last updated 07/18/2023
ai-services Get Translation Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-translation-status.md
--+ Last updated 07/18/2023
ai-services Get Translations Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/get-translations-status.md
--+ Last updated 07/18/2023
ai-services Rest Api Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/rest-api-guide.md
description: View a list of with links to the Document Translation REST APIs.
--+ Last updated 09/07/2023
ai-services Start Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/reference/start-translation.md
--+ Last updated 09/07/2023
ai-services Dynamic Dictionary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/dynamic-dictionary.md
description: This article explains how to use the dynamic dictionary feature of
--+ Last updated 07/18/2023
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/encrypt-data-at-rest.md
description: Microsoft lets you manage your Azure AI services subscriptions with your own keys, called customer-managed keys (CMK). This article covers data encryption at rest for Translator, and how to enable and manage CMK. --+ Last updated 07/18/2023
ai-services Firewalls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/firewalls.md
description: Azure AI Translator can translate behind firewalls using either dom
--+ Last updated 07/18/2023
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/language-support.md
description: Azure AI Translator supports the following languages for text to te
--+ Last updated 07/18/2023
ai-services Migrate To V3 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/migrate-to-v3.md
description: This article provides the steps to help you migrate from V2 to V3 o
--+ Last updated 07/18/2023
ai-services Modifications Deprecations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/modifications-deprecations.md
description: Translator Service changes, modifications, and deprecations
-+ - Last updated 07/18/2023
ai-services Prevent Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/prevent-translation.md
description: Prevent translation of content with the Translator. The Translator
--+ Last updated 07/18/2023
ai-services Profanity Filtering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/profanity-filtering.md
description: Use Translator profanity filtering to determine the level of profan
--+ Last updated 07/18/2023
ai-services Quickstart Text Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/quickstart-text-rest-api.md
description: "Learn to translate text with the Translator service REST APIs. Exa
--+ Last updated 09/06/2023
ai-services Quickstart Text Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/quickstart-text-sdk.md
description: "Learn to translate text with the Translator service SDks in a prog
--+ Last updated 09/06/2023
ai-services Rest Api Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/rest-api-guide.md
description: View a list of with links to the Text Translation REST APIs.
--+ Last updated 09/18/2023
ai-services V3 0 Break Sentence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-break-sentence.md
--+ Last updated 07/18/2023
ai-services V3 0 Detect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-detect.md
--+ Last updated 09/19/2023
ai-services V3 0 Dictionary Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-dictionary-examples.md
--+ Last updated 09/19/2023
ai-services V3 0 Dictionary Lookup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-dictionary-lookup.md
--+ Last updated 09/19/2023
ai-services V3 0 Languages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-languages.md
--+ Last updated 09/19/2023
ai-services V3 0 Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-reference.md
description: Reference documentation for the Translator V3.0. Version 3.0 of the
--+ Last updated 09/19/2023
ai-services V3 0 Translate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-translate.md
--+ Last updated 07/18/2023
ai-services V3 0 Transliterate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-transliterate.md
--+ Last updated 09/18/2023
ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/service-limits.md
description: This article lists service limits for the Translator text and docum
--+ Last updated 07/18/2023
ai-services Sovereign Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/sovereign-clouds.md
description: Using Translator in sovereign clouds
--+ Last updated 07/18/2023
ai-services Text Sdk Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/text-sdk-overview.md
description: Azure Text Translation software development kits (SDKs) expose Text Translation features and capabilities, using C#, Java, JavaScript, and Python programming language. --+ Last updated 07/18/2023
ai-services Text Translation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/text-translation-overview.md
description: Integrate the Text Translation API into your applications, websites
-+ - Last updated 07/18/2023
ai-services Translator Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/translator-faq.md
--+ Last updated 07/18/2023
ai-services Translator Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/translator-overview.md
description: Integrate Translator into your applications, websites, tools, and o
-+ - Last updated 07/18/2023
ai-services Translator Text Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/translator-text-apis.md
description: "Learn to translate text, transliterate text, detect language and m
--+ Last updated 07/18/2023
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/whats-new.md
description: Learn of the latest changes to the Translator Service API. --+ Last updated 09/12/2023
ai-services Word Alignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/word-alignment.md
description: To receive alignment information, use the Translate method and incl
--+ Last updated 07/18/2023
aks Access Private Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-private-cluster.md
Last updated 09/15/2023
# Access a private Azure Kubernetes Service (AKS) cluster
-When you access a private AKS cluster, you must connect to the cluster from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network.
+When you access a private AKS cluster, you need to connect to the cluster from the cluster virtual network, a peered network, or a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network.
-With the Azure CLI, you can use `command invoke` to access private clusters without the need to configure a VPN or Express Route. `command invoke` allows you to remotely invoke commands, like `kubectl` and `helm`, on your private cluster through the Azure API without directly connecting to the cluster. The `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` actions control the permissions for using `command invoke`. With the Azure portal, you can use the `Run command` feature to run commands on your private cluster. The `Run command` feature uses the same `command invoke` functionality to run commands on your cluster.
+With the Azure CLI, you can use `command invoke` to access private clusters without the need to configure a VPN or Express Route. `command invoke` allows you to remotely invoke commands, like `kubectl` and `helm`, on your private cluster through the Azure API without directly connecting to the cluster. The `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` actions control the permissions for using `command invoke`.
-## Prerequisites
+With the Azure portal, you can use the `Run command` feature to run commands on your private cluster. The `Run command` feature uses the same `command invoke` functionality to run commands on your cluster.
-* An existing private cluster.
-* The Azure CLI version 2.24.0 or later.
+## Before you begin
+
+Before you begin, make sure you have the following resources and permissions:
+
+* An existing private cluster. If you don't have one, see [Create a private AKS cluster](./private-clusters.md).
+* The Azure CLI version 2.24.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
* Access to the `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` roles on the cluster. ### Limitations
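Review bot: The last prerequisite bullet still asks for access to the `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` "roles", while the rewritten introduction calls the same two strings actions that control permission to use `command invoke`. Since this list is being rewritten anyway, change "roles" to "actions" and say they must be granted through a role that includes both, so readers scope the grant to exactly these permissions instead of searching for roles by these names. The two strings also differ in casing (`managedClusters` versus `managedclusters`); use one form in both places.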
aks Api Server Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/api-server-vnet-integration.md
AKS clusters configured with API Server VNet Integration can have public network
--disable-private-cluster ```
+## Connect to cluster using kubectl
+
+* Configure `kubectl` to connect to your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
+
+ ```azurecli-interactive
+ az aks get-credentials -g <resource-group> -n <cluster-name>
+ ```
+ ## Next steps For associated best practices, see [Best practices for network connectivity and security in AKS][operator-best-practices-network].
For associated best practices, see [Best practices for network connectivity and
[az-identity-create]: /cli/azure/identity#az-identity-create [az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create [ref-support-levels]: /cli/azure/reference-types-and-status
+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
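Review bot: The new "Connect to cluster using kubectl" section only runs `az aks get-credentials`, which configures `kubectl` but never shows a `kubectl` call that confirms the connection works. Add a verification step such as `kubectl get nodes` after the credentials command. Because the section directly follows the `--disable-private-cluster` example, it should also state whether the same steps apply when the cluster is still in private mode.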
aks Certificate Rotation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/certificate-rotation.md
Last updated 01/19/2023
# Certificate rotation in Azure Kubernetes Service (AKS)
-Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. If you have a RBAC-enabled cluster built after March 2022, it's enabled with certificate auto-rotation. Periodically, you may need to rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.
+Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. RBAC-enabled clusters created after March 2022 are enabled with certificate auto-rotation. You may need to periodically rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.
> [!NOTE]
-> Certificate auto-rotation will *only* be enabled by default for RBAC enabled AKS clusters.
+> Certificate auto-rotation is *only* enabled by default for RBAC enabled AKS clusters.
This article shows you how certificate rotation works in your AKS cluster. ## Before you begin
-This article requires that you are running the Azure CLI version 2.0.77 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+This article requires the Azure CLI version 2.0.77 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
## AKS certificates, Certificate Authorities, and Service Accounts
-AKS generates and uses the following certificates, Certificate Authorities, and Service Accounts:
+AKS generates and uses the following certificates, Certificate Authorities (CA), and Service Accounts (SA):
-* The AKS API server creates a Certificate Authority (CA) called the Cluster CA.
+* The AKS API server creates a CA called the Cluster CA.
* The API server has a Cluster CA, which signs certificates for one-way communication from the API server to kubelets.
-* Each kubelet also creates a Certificate Signing Request (CSR), which is signed by the Cluster CA, for communication from the kubelet to the API server.
+* Each kubelet creates a Certificate Signing Request (CSR), which the Cluster CA signs, for communication from the kubelet to the API server.
* The API aggregator uses the Cluster CA to issue certificates for communication with other APIs. The API aggregator can also have its own CA for issuing those certificates, but it currently uses the Cluster CA.
-* Each node uses a Service Account (SA) token, which is signed by the Cluster CA.
+* Each node uses an SA token, which the Cluster CA signs.
* The `kubectl` client has a certificate for communicating with the AKS cluster.
-Certificates mentioned above are maintained by Microsoft, except the cluster certificate, which you have to maintain.
+Microsoft maintains all certificates mentioned in this section, except for the cluster certificate.
> [!NOTE]
-> AKS clusters created prior to May 2019 have certificates that expire after two years. Any cluster created after May 2019 or any cluster that has its certificates rotated have Cluster CA certificates that expire after 30 years. All other AKS certificates, which use the Cluster CA for signing, will expire after two years and are automatically rotated during an AKS version upgrade which happened after 8/1/2021. To verify when your cluster was created, use `kubectl get nodes` to see the *Age* of your node pools.
>
-> Additionally, you can check the expiration date of your cluster's certificate. For example, the following bash command displays the client certificate details for the *myAKSCluster* cluster in resource group *rg*:
-> ```console
-> kubectl config view --raw -o jsonpath="{.users[?(@.name == 'clusterUser_rg_myAKSCluster')].user.client-certificate-data}" | base64 -d | openssl x509 -text | grep -A2 Validity
-> ```
+> * **AKS clusters created *before* May 2019** have certificates that expire after two years.
+> * **AKS clusters created *after* May 2019** have Cluster CA certificates that expire after 30 years.
+>
+> You can verify when your cluster was created using the `kubectl get nodes` command, which shows you the *Age* of your node pools.
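Review bot: The rewritten note drops two facts from the text it replaces: that a cluster whose certificates have been rotated also has Cluster CA certificates that expire after 30 years, and that all other certificates signed by the Cluster CA expire after two years and are rotated automatically during an AKS version upgrade that happened after 8/1/2021. The new bullets key only on the cluster creation date, so an operator of a cluster created before May 2019 that has since rotated cannot tell which lifetime applies, and nobody is told the lifetime of the non-CA certificates. Restore the "or has had its certificates rotated" condition on the second bullet and add a third bullet for the two-year non-CA certificates.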
-To check expiration date of apiserver certificate, run the following command:
+## Check certificate expiration dates
-```console
-curl https://{apiserver-fqdn} -k -v 2>&1 |grep expire
-```
+### Check cluster certificate expiration date
-To check the expiration date of certificate on VMAS agent node, run the following command:
+* Check the expiration date of the cluster certificate using the `kubectl config view` command.
-```azurecli
-az vm run-command invoke -g MC_rg_myAKSCluster_region -n vm-name --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"
-```
+ ```console
+ kubectl config view --raw -o jsonpath="{.users[?(@.name == 'clusterUser_rg_myAKSCluster')].user.client-certificate-data}" | base64 -d | openssl x509 -text | grep -A2 Validity
+ ```
-To check expiration date of certificate on one virtual machine scale set agent node, run the following command:
+### Check API server certificate expiration date
-```azurecli
-az vmss run-command invoke --resource-group "MC_rg_myAKSCluster_region" --name "vmss-name " --command-id RunShellScript --instance-id 1 --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate" --query "value[0].message"
-```
+* Check the expiration date of the API server certificate using the following `curl` command.
-## Certificate Auto Rotation
+ ```console
+ curl https://{apiserver-fqdn} -k -v 2>&1 |grep expire
+ ```
-For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) which has been enabled by default in all Azure regions.
+### Check VMAS agent node certificate expiration date
-> [!NOTE]
-> If you have an existing cluster you have to upgrade that cluster to enable Certificate Auto-Rotation.
-> Do not disable bootstrap to keep your auto-rotation enabled.
+* Check the expiration date of the VMAS agent node certificate using the `az vm run-command invoke` command.
-> [!NOTE]
-> If the cluster is in a stopped state during the auto certificate rotation only the control plane certificates are rotated. In this case the nodepool should be recreated, after certificate rotation, in order to initiate the nodepool certificate rotation.
+ ```azurecli-interactive
+ az vm run-command invoke -g MC_rg_myAKSCluster_region -n vm-name --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"
+ ```
-For any AKS clusters created or upgraded after March 2022 Azure Kubernetes Service will automatically rotate non-CA certificates on both the control plane and agent nodes within 80% of the client certificate valid time, before they expire with no downtime for the cluster.
+### Check Virtual Machine Scale Set agent node certificate expiration date
-### How to check whether current agent node pool is TLS Bootstrapping enabled?
+* Check the expiration date of the Virtual Machine Scale Set agent node certificate using the `az vm run-command invoke` command.
-To verify if TLS Bootstrapping is enabled on your cluster browse to the following paths:
+ ```azurecli-interactive
+ az vmss run-command invoke --resource-group "MC_rg_myAKSCluster_region" --name "vmss-name" --command-id RunShellScript --instance-id 1 --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate" --query "value[0].message"
+ ```
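Review bot: The lead-in under "Check Virtual Machine Scale Set agent node certificate expiration date" names the `az vm run-command invoke` command, but the code block beneath it runs `az vmss run-command invoke`. Change the lead-in to `az vmss run-command invoke` so it matches the command and is distinguishable from the VMAS step above it. The values `MC_rg_myAKSCluster_region`, `vm-name` and `vmss-name` are also used without explanation; one sentence saying which parts the reader must substitute would prevent copy-paste failures.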
-* On a Linux node: */var/lib/kubelet/bootstrap-kubeconfig* or */host/var/lib/kubelet/bootstrap-kubeconfig*
-* On a Windows node: *C:\k\bootstrap-config*
+## Certificate Auto Rotation
-To access agent nodes, see [Connect to Azure Kubernetes Service cluster nodes for maintenance or troubleshooting][aks-node-access] for more information.
+For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/), which is enabled by default in all Azure regions.
> [!NOTE]
-> The file path may change as Kubernetes version evolves in the future.
+>
+> * If you have an existing cluster, you have to upgrade that cluster to enable Certificate Auto Rotation.
+> * Don't disable Bootstrap to keep auto rotation enabled.
+> * If the cluster is in a stopped state during the auto certificate rotation, only the control plane certificates are rotated. In this case, you should recreate the node pool after certificate rotation to initiate the node pool certificate rotation.
-Once a region is configured, create a new cluster or upgrade an existing cluster with `az aks upgrade` to set that cluster for auto-certificate rotation. A control plane and node pool upgrade is needed to enable this feature.
+For any AKS clusters created or upgraded after March 2022, Azure Kubernetes Service automatically rotates non-CA certificates on both the control plane and agent nodes within 80% of the client certificate valid time before they expire with no downtime for the cluster.
-```azurecli
-az aks upgrade -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
-```
+### How to check whether current agent node pool is TLS Bootstrapping enabled?
-### Limitation
+1. Verify if your cluster has TLS Bootstrapping enabled by browsing to one to the following paths:
-Certificate auto-rotation will only be enabled by default for RBAC enabled AKS clusters.
+ * On a Linux node: */var/lib/kubelet/bootstrap-kubeconfig* or */host/var/lib/kubelet/bootstrap-kubeconfig*
+ * On a Windows node: *C:\k\bootstrap-config*
+
+ For more information, see [Connect to Azure Kubernetes Service cluster nodes for maintenance or troubleshooting][aks-node-access].
+
+ > [!NOTE]
+ > The file path may change as Kubernetes versions evolve.
+
+2. Once a region is configured, create a new cluster or upgrade an existing cluster to set auto rotation for the cluster certificate. You need to upgrade the control plane and node pool to enable this feature.
## Manually rotate your cluster certificates > [!WARNING]
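Review bot: Step 2 of the TLS Bootstrapping check ("Once a region is configured, create a new cluster or upgrade an existing cluster to set auto rotation") no longer carries the `az aks upgrade -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME` example that the removed text had, so the one action a reader must take to enable auto rotation is left without a command. Restore the command under step 2. Step 1 also reads "browsing to one to the following paths", which should be "one of the following paths".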
-> Rotating your certificates using `az aks rotate-certs` will recreate all of your nodes, VM scale set and their Disks and can cause up to 30 minutes of downtime for your AKS cluster.
+> Rotating your certificates using `az aks rotate-certs` recreates all of your nodes, Virtual Machine Scale Sets and Disks and can cause up to *30 minutes of downtime* for your AKS cluster.
-Use [az aks get-credentials][az-aks-get-credentials] to sign in to your AKS cluster. This command also downloads and configures the `kubectl` client certificate on your local machine.
+1. Connect to your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
-```azurecli
-az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
-```
+ ```azurecli-interactive
+ az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
+ ```
-Use `az aks rotate-certs` to rotate all certificates, CAs, and SAs on your cluster.
+2. Rotate all certificates, CAs, and SAs on your cluster using the [`az aks rotate-certs`][az-aks-rotate-certs] command.
-```azurecli
-az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
-```
+ ```azurecli-interactive
+ az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
+ ```
-> [!IMPORTANT]
-> It may take up to 30 minutes for `az aks rotate-certs` to complete. If the command fails before completing, use `az aks show` to verify the status of the cluster is *Certificate Rotating*. If the cluster is in a failed state, rerun `az aks rotate-certs` to rotate your certificates again.
+ > [!IMPORTANT]
+ > It may take up to 30 minutes for `az aks rotate-certs` to complete. If the command fails before completing, use `az aks show` to verify the status of the cluster is *Certificate Rotating*. If the cluster is in a failed state, rerun `az aks rotate-certs` to rotate your certificates again.
-Verify that the old certificates aren't valid by running any `kubectl` command. If you haven't updated the certificates used by `kubectl`, you'll see an error similar to the following example:
+3. Verify the old certificates are no longer valid using any `kubectl` command, such as `kubectl get nodes`.
-```console
-kubectl get nodes
-Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca")
-```
+ ```azurecli-interactive
+ kubectl get nodes
+ ```
-To update the certificate used by `kubectl`, run the [az aks get-credentials][az-aks-get-credentials] command:
+ If you haven't updated the certificates used by `kubectl`, you see an error similar to the following example output:
-```azurecli
-az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME --overwrite-existing
-```
+ ```output
+ Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca")
+ ```
-To verify the certificates have been updated, run the following [kubectl get][kubectl-get] command:
+4. Update the certificate used by `kubectl` using the [`az aks get-credentials`][az-aks-get-credentials] command with the `--overwrite-existing` flag.
-```console
-kubectl get nodes
-```
+ ```azurecli-interactive
+ az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME --overwrite-existing
+ ```
-> [!NOTE]
-> If you have any services that run on top of AKS, you might need to update their certificates.
+5. Verify the certificates have been updated using the [`kubectl get`][kubectl-get] command.
+
+ ```azurecli-interactive
+ kubectl get nodes
+ ```
+
+ > [!NOTE]
+ > If you have any services that run on top of AKS, you might need to update their certificates.
## Next steps
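Review bot: In the manual rotation steps, the `kubectl get nodes` blocks in steps 3 and 5 are now fenced as `azurecli-interactive`, although `kubectl` is not an Azure CLI command and the removed text fenced the same calls as `console`. Keep `console` for the `kubectl` calls so the fence language matches the tool, as the certificate expiration checks earlier in the same article still do for `kubectl config view` and `curl`.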
-This article showed you how to automatically rotate your cluster's certificates, CAs, and SAs. You can see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades] for more information on AKS security best practices.
+This article showed you how to automatically rotate your cluster certificates, CAs, and SAs. For more information, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].
+<!-- LINKS - internal -->
[azure-cli-install]: /cli/azure/install-azure-cli [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
-[az-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
-[az-extension-add]: /cli/azure/extension#az_extension_add
-[az-extension-update]: /cli/azure/extension#az_extension_update
[aks-best-practices-security-upgrades]: operator-best-practices-cluster-security.md [aks-node-access]: ./node-access.md
+[az-aks-rotate-certs]: /cli/azure/aks#az_aks_rotate_certs
+
+<!-- LINKS - external -->
+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
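Review bot: Step 3 asks the reader to verify that the old certificates are no longer valid, but the sentence under the command frames the x509 error as something seen only "if you haven't updated the certificates used by `kubectl`", so it never says that this error is the expected, passing result of the check. State that outright, for example "The command should fail with an error similar to the following, which confirms the old certificates are rejected." Separately, the `kubectl get nodes` blocks in steps 3 and 5 are now tagged `azurecli-interactive` where the removed text used `console`; `kubectl` isn't an Azure CLI command, so `console` labels them more accurately.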
aks Configure Kube Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kube-proxy.md
Title: Configure kube-proxy (iptables/IPVS) (preview)
+ Title: Configure kube-proxy (iptables/IPVS) (Preview)
description: Learn how to configure kube-proxy to utilize different load balancing configurations with Azure Kubernetes Service (AKS). Previously updated : 10/25/2022 Last updated : 09/25/2023 #Customer intent: As a cluster operator, I want to utilize a different kube-proxy configuration.
-# Configure `kube-proxy` in Azure Kubernetes Service (AKS) (preview)
+# Configure `kube-proxy` in Azure Kubernetes Service (AKS) (Preview)
-`kube-proxy` is a component of Kubernetes that handles routing traffic for services within the cluster. There are two backends available for Layer 3/4 load balancing in upstream `kube-proxy` - iptables and IPVS.
+`kube-proxy` is a component of Kubernetes that handles routing traffic for services within the cluster. There are two backends available for Layer 3/4 load balancing in upstream `kube-proxy`: iptables and IPVS.
-- iptables is the default backend utilized in the majority of Kubernetes clusters. It is simple and well supported, but is not as efficient or intelligent as IPVS.-- IPVS utilizes the Linux Virtual Server, a layer 3/4 load balancer built into the Linux kernel. IPVS provides a number of advantages over the default iptables configuration, including state awareness, connection tracking, and more intelligent load balancing.
+- **iptables** is the default backend utilized in the majority of Kubernetes clusters. It's simple and well-supported, but not as efficient or intelligent as IPVS.
+- **IPVS** uses the Linux Virtual Server, a layer 3/4 load balancer built into the Linux kernel. IPVS provides a number of advantages over the default iptables configuration, including state awareness, connection tracking, and more intelligent load balancing. IPVS *doesn't support Azure Network Policy*.
-The AKS managed `kube-proxy` DaemonSet can also be disabled entirely if that is desired to support [bring-your-own CNI][aks-byo-cni].
+For more information, see the [Kubernetes documentation on kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/).
-## Prerequisites
-
-* Azure CLI with aks-preview extension 0.5.105 or later.
-* If using ARM or the REST API, the AKS API version must be 2022-08-02-preview or later.
-
-## Install the aks-preview Azure CLI extension
+> [!NOTE]
+> If you want, you can disable the AKS-managed `kube-proxy` DaemonSet to support [bring-your-own CNI][aks-byo-cni].
[!INCLUDE [preview features callout](includes/preview/preview-callout.md)]
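Review bot: The Azure Network Policy restriction now lives only as the last italic sentence of the IPVS bullet, and the dedicated Limitations section is deleted further down in this change. A cluster that relies on Azure Network Policy can't move to IPVS, so the restriction deserves more weight than a trailing clause: list it under "Before you begin" or repeat it as a `[!IMPORTANT]` callout next to the step that sets `"mode": "IPVS"`.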
-To install the aks-preview extension, run the following command:
-
-```azurecli-interactive
-az extension add --name aks-preview
-```
+## Before you begin
-Run the following command to update to the latest version of the extension released:
+- If using the Azure CLI, you need the `aks-preview` extension. See [Install the `aks-preview` Azure CLI extension](#install-the-aks-preview-azure-cli-extension).
+- If using ARM or the REST API, the AKS API version must be *2022-08-02-preview or later*.
+- You need to register the `KubeProxyConfigurationPreview` feature flag. See [Register the `KubeProxyConfigurationPreview` feature flag](#register-the-kubeproxyconfigurationpreview-feature-flag).
-```azurecli-interactive
-az extension update --name aks-preview
-```
+### Install the `aks-preview` Azure CLI extension
-## Register the 'KubeProxyConfigurationPreview' feature flag
+1. Install the `aks-preview` extension using the [`az extension add`][az-extension-add] command.
-Register the `KubeProxyConfigurationPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+ ```azurecli-interactive
+ az extension add --name aks-preview
+ ```
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"
-```
+2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command.
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:
+ ```azurecli-interactive
+ az extension update --name aks-preview
+ ```
-```azurecli-interactive
-az feature show --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"
-```
+### Register the `KubeProxyConfigurationPreview` feature flag
-When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+1. Register the `KubeProxyConfigurationPreview` feature flag using the [`az feature register`][az-feature-register] command.
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
+ ```azurecli-interactive
+ az feature register --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"
+ ```
-## Configurable options
+ It takes a few minutes for the status to show *Registered*.
-The full `kube-proxy` configuration structure can be found in the [AKS Cluster Schema][aks-schema-kubeproxyconfig].
+2. Verify the registration status using the [`az feature show`][az-feature-show] command.
-- `enabled` - whether or not to deploy the `kube-proxy` DaemonSet. Defaults to true.-- `mode` - can be set to `IPTABLES` or `IPVS`. Defaults to `IPTABLES`.-- `ipvsConfig` - if `mode` is `IPVS`, this object contains IPVS-specific configuration properties.
- - `scheduler` - which connection scheduler to utilize. Supported values:
- - `LeastConnection` - sends connections to the backend pod with the fewest connections
- - `RoundRobin` - distributes connections evenly between backend pods
- - `tcpFinTimeoutSeconds` - the value used for timeout after a FIN has been received in a TCP session
- - `tcpTimeoutSeconds` - the value used for timeout length for idle TCP sessions
- - `udpTimeoutSeconds` - the value used for timeout length for idle UDP sessions
+ ```azurecli-interactive
+ az feature show --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"
+ ```
-> [!NOTE]
-> IPVS load balancing operates in each node independently and is still only aware of connections flowing through the local node. This means that while `LeastConnection` results in more even load under higher number of connections, when low numbers of connections (# connects < 2 * node count) occur traffic may still be relatively unbalanced.
-
-## Utilize `kube-proxy` configuration in a new or existing AKS cluster using Azure CLI
+3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.
-`kube-proxy` configuration is a cluster-wide setting. No action is needed to update your services.
-
->[!WARNING]
-> Changing the kube-proxy configuration may cause a slight interruption in cluster service traffic flow.
+ ```azurecli-interactive
+ az provider register --namespace Microsoft.ContainerService
+ ```
-To begin, create a JSON configuration file with the desired settings:
+## `kube-proxy` configuration options
-### Create a configuration file
+You can view the full `kube-proxy` configuration structure in the [AKS Cluster Schema][aks-schema-kubeproxyconfig].
-```json
-{
- "enabled": true,
- "mode": "IPVS",
- "ipvsConfig": {
- "scheduler": "LeastConnection",
- "TCPTimeoutSeconds": 900,
- "TCPFINTimeoutSeconds": 120,
- "UDPTimeoutSeconds": 300
- }
-}
-```
+- **`enabled`**: Determines deployment of the `kube-proxy` DaemonSet. Defaults to `true`.
+- **`mode`**: You can set to either `IPTABLES` or `IPVS`. Defaults to `IPTABLES`.
+- **`ipvsConfig`**: If `mode` is `IPVS`, this object contains IPVS-specific configuration properties.
+ - **`scheduler`**: Determines which connection scheduler to use. Supported values include:
+ - **`LeastConnection`**: Sends connections to the backend pod with the fewest connections.
+ - **`RoundRobin`**: Evenly distributes connections between backend pods.
+ - **`tcpFinTimeoutSeconds`**: Sets the timeout length value after a TCP session receives a FIN.
+ - **`tcpTimeoutSeconds`**: Sets the timeout length value for idle TCP sessions.
+ - **`udpTimeoutSeconds`**: Sets the timeout length value for idle UDP sessions.
-### Deploy a new cluster
-
-Deploy your cluster using `az aks create` and pass in the configuration file:
-
-```bash
-az aks create -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json
-```
-
-### Update an existing cluster
-
-Configure your cluster using `az aks update` and pass in the configuration file:
+> [!NOTE]
+> IPVS load balancing operates in each node independently and is only aware of connections flowing through the local node. This means that while `LeastConnection` results in a more even load under a higher number of connections, when a low amount of connections (# connects < 2 * node count) occur, traffic may be relatively unbalanced
-```bash
-az aks update -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json
-```
+## Use `kube-proxy` in a new or existing AKS cluster
-### Limitations
+`kube-proxy` configuration is a cluster-wide setting. You don't need to update your services.
-When using kube-proxy IPVS, the following restrictions apply:
+> [!WARNING]
+> Changing the kube-proxy configuration may cause a slight interruption in cluster service traffic flow.
-- Azure Network Policy is not supported.
+1. Create a configuration file with the desired `kube-proxy` configuration. For example, the following configuration enables IPVS with the `LeastConnection` scheduler and sets the TCP timeout to 900 seconds.
+
+ ```json
+ {
+ "enabled": true,
+ "mode": "IPVS",
+ "ipvsConfig": {
+ "scheduler": "LeastConnection",
+ "TCPTimeoutSeconds": 900,
+ "TCPFINTimeoutSeconds": 120,
+ "UDPTimeoutSeconds": 300
+ }
+ }
+ ```
+
+2. Create a new cluster or update an existing cluster with the configuration file using the [`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] command with the `--kube-proxy-config` parameter set to the configuration file.
+
+ ```azurecli-interactive
+ # Create a new cluster
+ az aks create -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json
+
+ # Update an existing cluster
+ az aks update -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json
+ ```
## Next steps
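Review bot: The option names in the new list and the keys in the sample file disagree on casing: the list documents `tcpFinTimeoutSeconds`, `tcpTimeoutSeconds` and `udpTimeoutSeconds`, while the JSON in step 1 uses `TCPFINTimeoutSeconds`, `TCPTimeoutSeconds` and `UDPTimeoutSeconds`. Confirm which spelling `--kube-proxy-config` accepts and use it in both places, since a reader who copies names from the list writes a file that differs from the documented sample. The step 1 lead-in also mentions only the 900-second TCP timeout although the file sets the FIN and UDP timeouts too, and the `[!NOTE]` on IPVS balancing lost its closing period.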
-Learn more about utilizing the Standard Load Balancer for inbound traffic at the [AKS Standard Load Balancer documentation](load-balancer-standard.md).
-
-Learn more about using Internal Load Balancer for Inbound traffic at the [AKS Internal Load Balancer documentation](internal-lb.md).
+This article covered how to configure `kube-proxy` in Azure Kubernetes Service (AKS). To learn more about load balancing in AKS, see the following articles:
-Learn more about Kubernetes services at the [Kubernetes services documentation][kubernetes-services].
+- [Use a standard public load balancer in AKS](load-balancer-standard.md)
+- [Use an internal load balancer in AKS](internal-lb.md)
<!-- LINKS - External -->
-[kubernetes-services]: https://kubernetes.io/docs/concepts/services-networking/service/
[aks-schema-kubeproxyconfig]: /azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-bicep#containerservicenetworkprofilekubeproxyconfig <!-- LINKS - Internal -->
Learn more about Kubernetes services at the [Kubernetes services documentation][
[az-provider-register]: /cli/azure/provider#az-provider-register [az-feature-register]: /cli/azure/feature#az-feature-register [az-feature-show]: /cli/azure/feature#az-feature-show
+[az-extension-add]: /cli/azure/extension#az-extension-add
+[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-update]: /cli/azure/aks#az-aks-update
aks Csi Secrets Store Identity Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md
Before you begin, you must have the following prerequisites:
## Access with a user-assigned managed identity
-1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity you created when you [enabled a managed identity on your AKS cluster][use-managed-identity].
+1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity created by the add-on when you [enabled the Azure Key Vault Provider for Secrets Store CSI Driver on your AKS Cluster](./csi-secrets-store-driver.md#create-an-aks-cluster-with-azure-key-vault-provider-for-secrets-store-csi-driver-support).
```azurecli-interactive az aks show -g <resource-group> -n <cluster-name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
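Review bot: The reworded step 1 still opens with "Access your key vault using the `az aks show` command", but the command shown only queries `addonProfiles.azureKeyvaultSecretsProvider.identity.clientId`, so it returns the client ID of the add-on's managed identity and grants nothing. Reword to something like "Get the client ID of the user-assigned managed identity created by the add-on using `az aks show`", so readers don't assume key vault access is in place after this step.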
aks Quick Kubernetes Deploy Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-terraform.md
In this article, you learn how to:
- **Kubernetes command-line tool (kubectl):** [Download kubectl](https://kubernetes.io/releases/download/).
+## Login to your Azure Account
++ ## Implement the Terraform code > [!NOTE]
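Review bot: The new `## Login to your Azure Account` heading has no body visible in this hunk and is followed directly by `## Implement the Terraform code`; if its content comes from an include, check that the include renders, otherwise the section is empty. "Login" is the noun form, so the heading should use a verb phrase such as "Log in to" or "Sign in to".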
aks Limit Egress Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/limit-egress-traffic.md
You need to configure Azure Firewall inbound and outbound rules. The main purpos
Azure automatically routes traffic between Azure subnets, virtual networks, and on-premises networks. If you want to change any of Azure's default routing, you can create a route table.
+> [!IMPORTANT]
+> Outbound type of UDR requires a route for 0.0.0.0/0 and a next hop destination of NVA in the route table.
+> The route table already has a default 0.0.0.0/0 to the Internet. Without a public IP address for Azure to use for Source Network Address Translation (SNAT), simply adding this route won't provide you outbound Internet connectivity. AKS validates that you don't create a 0.0.0.0/0 route pointing to the Internet but instead to a gateway, NVA, etc.
+> When using an outbound type of UDR, a load balancer public IP address for **inbound requests** isn't created unless you configure a service of type *loadbalancer*. AKS never creates a public IP address for **outbound requests** if you set an outbound type of UDR.
+> For more information, see [Outbound rules for Azure Load Balancer](../load-balancer/outbound-rules.md#scenario6out).
+ 1. Create an empty route table to be associated with a given subnet using the [`az network route-table create`][az-network-route-table-create] command. The route table will define the next hop as the Azure Firewall created above. Each subnet can have zero or one route table associated to it. ```azurecli
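Review bot: In the new `[!IMPORTANT]` block, "simply adding this route won't provide you outbound Internet connectivity" is ambiguous, because the two preceding sentences mention two different 0.0.0.0/0 routes (the one the UDR outbound type requires toward the NVA, and the default one to the Internet). Name the route that is meant and state where the public IP address used for SNAT has to come from. The `#scenario6out` anchor in the final link is also opaque; link text that names the scenario would be easier to check if that page is reorganized.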
api-management Self Hosted Gateway Enable Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-azure-ad.md
Assign the API Management Configuration API Access Validator Service Role to the
Create a new Azure AD app. For steps, see [Create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This app will be used by the self-hosted gateway to authenticate to the API Management instance.
-* Generate a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret)
+* Generate a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret)
* Take note of the following application values for use in the next section when deploying the self-hosted gateway: application (client) ID, directory (tenant) ID, and client secret #### Step 2: Assign API Management Gateway Configuration Reader Service Role
attestation Quickstart Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/quickstart-terraform.md
Previously updated : 07/26/2023 Last updated : 09/25/2023 content_well_notification: - AI-contribution # Quickstart: Create an Azure Attestation provider by using Terraform
-[Microsoft Azure Attestation](overview.md) is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of deploying a Bicep file to create a Microsoft Azure Attestation policy.
+[Microsoft Azure Attestation](overview.md) is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of creating a Microsoft Azure Attestation policy using Terraform.
In this article, you learn how to:
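Review bot: The corrected sentence says the quickstart creates an Azure Attestation "policy", while the article title in the context line above is "Create an Azure Attestation provider by using Terraform". Use "provider" here too unless the article really creates both.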
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/update-management/overview.md
# Update Management overview > [!Important]
-> - Automation Update management relies on [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) (aka MMA agent), which is on a deprecation path and wonΓÇÖt be supported after **August 31, 2024**.
-> - [Azure Update Manager](../../update-center/overview.md) (AUM) is the v2 version of Automation Update management and the future of Update management in Azure. AUM is a native service in Azure and does not rely on [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) or [Azure Monitor agent](../../azure-monitor/agents/agents-overview.md).
-> - Follow [guidance](../../update-center/guidance-migration-automation-update-management-azure-update-manager.md) to migrate machines and schedules from Automation Update Management to Azure Update Manager.
-> - If you are using Automation Update Management, we recommend that you continue to use the Log Analytics agent and *not* migrate to the Azure Monitor agent until machines and schedules are migrated to Azure Update Manager.
-> - The Log Analytics agent wouldn't be deprecated before moving all Automation Update Management customers to Update Manager.
+> Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update Management solution relies on this agent and may encounter issues once the agent is retired as it does not work with Azure Monitoring Agent (AMA). Therefore, if you are using the Azure Automation Update Management solution, we recommend that you move to Azure Update Manager for your software update needs. All the capabilities of Azure Automation Update management solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](../../update-center/guidance-migration-automation-update-management-azure-update-manager.md) to move your machines and schedules from Automation Update Management to Azure Update Manager.
You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux virtual machines in Azure, physical or VMs in on-premises environments, and in other cloud environments. You can quickly assess the status of available updates and manage the process of installing required updates for your machines reporting to Update Management.
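Review bot: The replacement note drops two pieces of operational guidance that the removed bullets carried: the exact end-of-support date (**August 31, 2024**, now only "August 2024" plus a link) and the recommendation to stay on the Log Analytics agent and not migrate to the Azure Monitor agent until machines and schedules are moved to Azure Update Manager. If that recommendation still holds, keep it, because "may encounter issues once the agent is retired" gives no indication of what to do in the meantime for machines that depend on this solution for patching. The agent is also called "Azure Monitoring Agent (AMA)" here, whereas the removed text used "Azure Monitor agent"; pick one name.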
azure-functions Functions Host Json V1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-host-json-v1.md
Configuration setting for the [SendGrind output binding](functions-bindings-send
Configuration setting for [Service Bus triggers and bindings](functions-bindings-service-bus.md). ```json
-{
+{ "extensions":
"serviceBus": { "maxConcurrentCalls": 16, "prefetchCount": 100,
azure-functions Update Java Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/update-java-versions.md
+
+ Title: Update Java versions in Azure Functions
+description: Learn how to update an existing function app in Azure Functions to run on a new version of Java.
+ Last updated : 09/14/2023
+zone_pivot_groups: app-service-platform-windows-linux
++
+# Update Java versions in Azure Functions
+
+The Azure Functions supports specific versions of Java. This support changes based on the support or Java versions. As these supported versions change, you need to update your Java function apps. You may also want to update your apps to take advantage of features in newer supported version of Java. For more information, see [Supported versions](functions-reference-java.md#supported-versions) in the Java developer guide.
+
+The way that you update your function app depends on whether you run on Windows or Linux. This version is for Windows. Choose your OS at the [top](#top) of the article.
+The way that you update your function app depends on whether you run on Windows or Linux. This version is for Linux. Choose your OS at the [top](#top) of the article.
+
+## Prepare to update
+
+Before you update the Java version in Azure, you should complete these tasks:
+
+### 1. Verify your functions locally
+
+Before upgrading the Java version used by your function app in Azure, make sure that you have fully tested and verified your function code locally on the new target version of Java. Examples in this article assume you're updating to Java 17.
+
+### 2. Move to the latest Functions runtime
+
+Before updating your Java version, make sure your function app is running on the latest version of the Functions runtime (version 4.x).
+
+### [Azure portal](#tab/azure-portal)
+
+Use these steps to determine your Functions runtime version:
+
+1. In the [Azure portal](https://portal.azure.com), locate your function app and select **Configuration** on the left-hand side under **Settings**.
+
+1. Select the **Function runtime settings** tab and check the **Runtime version** value to see if your function app is running on version 4.x of the Functions runtime (`~4`).
+
+ :::image type="content" source="media/update-java-versions/update-functions-version-portal.png" alt-text="Screenshot of how to view the Functions runtime version for your app in the Azure portal.":::
+
+### [Azure CLI](#tab/azure-cli)
+
+Use this [`az functionapp config appsettings list`](/cli/azure/functionapp/config/appsettings#az-functionapp-config-appsettings-list) command to check your runtime version:
+
+```azurecli
+az functionapp config appsettings list --name "<FUNCTION_APP_NAME>" --resource-group "<RESOURCE_GROUP_NAME>"
+```
+The `FUNCTIONS_EXTENSION_VERSION` setting sets the runtime version. A value of `~4` means that your function app is already running on the latest minor version of the latest major version (4.x).
+++
+If you need to first update your function app to version 4.x, seeΓÇ»[Migrate apps from Azure Functions version 3.x to version 4.x](./migrate-version-3-version-4.md). You should follow the instructions in this article rather than just manually changing the `FUNCTIONS_EXTENSION_VERSION` setting.
+
+## Update the Java version
+You can use the Azure portal, Azure CLI, or Azure PowerShell to update the Java version for your function app.
+These procedures apply to all [Functions hosting options](./functions-scale.md).
+>[!NOTE]
+> You can't change the Java version in the Azure portal when your function app is running on Linux in a [Consumption plan](./consumption-plan.md). Instead use the Azure CLI.
+### [Azure portal](#tab/azure-portal)
+You can only use these steps for function apps hosted in a [Premium plan](./functions-premium-plan.md) or a [Dedicated (App Service) plan](./dedicated-plan.md). For a [Consumption plan](./consumption-plan.md), you must instead use the Azure CLI.
+Use the following steps to update the Java version:
+
+1. In the [Azure portal](https://portal.azure.com), locate your function app and select **Configuration** on the left-hand side.
+
+1. In the **General settings** tab, update the **Java version** to `Java 17`.
+
+ :::image type="content" source="media/update-java-versions/update-java-version-portal.png" alt-text="Screenshot of how to set the desired Java version for a function app in the Azure portal.":::
+
+1. When notified about a restart, select **Continue**, and then **Save**.
+
+### [Azure CLI](#tab/azure-cli)
+
+You can use the Azure CLI to update the Java version for any hosting plan.
+
+Run the [`az functionapp config set`](/cli/azure/functionapp/config#az-functionapp-config-set) command to update the Java version site setting to `17`:
+
+```azurecli
+az functionapp config set --java-version "17" --name "<APP_NAME>" --resource-group "<RESOURCE_GROUP>"
+```
+Run the [`az functionapp config set`](/cli/azure/functionapp/config#az-functionapp-config-set) command to update the Linux site setting with the new Java version for your function app.
+
+```azurecli
+az functionapp config set --linux-fx-version "java|17" --name "<APP_NAME>" --resource-group "<RESOURCE_GROUP>"
+```
+
+In this example, replace `<APP_NAME>` and `<RESOURCE_GROUP>` with the name of your function app and resource group, respectively.
+++
+Your function app restarts after you update the Java version. To learn more about Functions support for Java, seeΓÇ»[Language runtime support policy](language-support-policy.md).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Java developer guide](./functions-reference-java.md)
+
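Review bot: The Azure CLI tab under "Move to the latest Functions runtime" tells the reader to run `az functionapp config appsettings list`, which prints every app setting of the function app, just to read a single value. App settings commonly hold connection strings and keys, so narrow the command with the global `--query` argument, for example `--query "[?name=='FUNCTIONS_EXTENSION_VERSION'].value" -o tsv`, so the check doesn't put unrelated secrets on screen or in shell logs. Smaller points: the intro has typos ("The Azure Functions supports", "based on the support or Java versions"); the `[!NOTE]` limits the portal restriction to Linux Consumption plans while the portal tab says any Consumption plan must use the CLI; and in "You should follow the instructions in this article" right after the migration link, "this article" reads as the Java article instead of the migration one.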
azure-maps About Azure Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/about-azure-maps.md
Azure Maps consists of the following services that can provide geographic contex
### Data registry service
-Data is imperative for maps. Use the Data registry service to access geospatial data, used with spatial operations or image composition, previously uploaded to your [Azure Storage]. By bringing customer data closer to the Azure Maps service, you reduce latency and increase productivity. For more information on this service, see [Data registry service].
+Data is imperative for maps. Use the Data registry service to access geospatial data, used with spatial operations or image composition, previously uploaded to your [Azure Storage]. By bringing customer data closer to the Azure Maps service, you reduce latency and increase productivity. For more information, see [Data registry] in the Azure Maps REST API documentation.
> [!NOTE] > > **Azure Maps Data service retirement** >
-> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry service] by 9/16/24. For more information, see [How to create data registry].
+> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data registry] service by 9/16/24. For more information, see [How to create data registry].
### Geolocation service Use the Geolocation service to retrieve the two-letter country/region code for an IP address. This service can help you enhance user experience by providing customized application content based on geographic location.
-For more information, see the [Geolocation service] documentation.
+For more information, see [Geolocation] in the Azure Maps REST API documentation.
### Render service
-[Render service] introduces a new version of the [Get Map Tile] API that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 tile sizes (where applicable) and numerous map types such as road, weather, contour, or map tiles. For a complete list, see [TilesetID] in the REST API documentation. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API].
+[Render] service introduces a new version of the [Get Map Tile] API that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 tile sizes (where applicable) and numerous map types such as road, weather, contour, or map tiles. For a complete list, see [TilesetID] in the REST API documentation. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API].
:::image type="content" source="./media/about-azure-maps/intro_map.png" border="false" alt-text="Example of a map from the Render service":::
The Route service offers advanced set features, such as:
* Matrices of travel time and distance between a set of origins and destinations. * Finding routes or distances that users can travel based on time or fuel requirements.
-For more information on routing capabilities, see the [Route service] documentation.
+For more information, see [Route] in the Azure Maps REST API documentation.
### Search service
The Search service also provides advanced features such as:
* Batch a group of search requests. * Search electric vehicle charging stations and Point of Interest (POI) data by brand name.
-For more information on search capabilities, see the [Search service] documentation.
+For more information, see [Search] in the Azure Maps REST API documentation.
### Spatial service The Spatial service quickly analyzes location information to help inform customers of ongoing events happening in time and space. It enables near real-time analysis and predictive modeling of events.
-The service enables customers to enhance their location intelligence with a library of common geospatial mathematical calculations. Common calculations include closest point, great circle distance, and buffers. For more information about the Spatial service and its various features, see the [Spatial service] documentation.
+The service enables customers to enhance their location intelligence with a library of common geospatial mathematical calculations. Common calculations include closest point, great circle distance, and buffers. For more information about the Spatial service and its various features, see [Spatial] in the Azure Maps REST API documentation.
### Timezone service
A typical JSON response for a query to the Time zone service looks like the foll
} ```
-For more information, see the [Time zone service] documentation.
+For more information, see [Timezone] in the Azure Maps REST API documentation.
### Traffic service
The Traffic service is a suite of web services that developers can use for web o
![Example of a map with traffic information](media/about-azure-maps/intro_traffic.png)
-For more information, see the [Traffic service] documentation.
+For more information, see [Traffic] in the Azure Maps REST API documentation.
### Weather service
Stay up to date on Azure Maps:
[What is Azure Maps Creator?]: about-creator.md [v1]: /rest/api/maps/data [v2]: /rest/api/maps/data-v2
-[Data Registry service]: /rest/api/maps/data-registry
[How to create data registry]: how-to-create-data-registries.md <! REST API Links >
-[Data registry service]: /rest/api/maps/data-registry
-[Geolocation service]: /rest/api/maps/geolocation
+[Data registry]: /rest/api/maps/data-registry
+[Geolocation]: /rest/api/maps/geolocation
[Get Map Tile]: /rest/api/maps/render-v2/get-map-tile [Get Weather along route API]: /rest/api/maps/weather/getweatheralongroute
-[Render service]: /rest/api/maps/render-v2
+[Render]: /rest/api/maps/render-v2
[REST APIs]: /rest/api/maps/
-[Route service]: /rest/api/maps/route
-[Search service]: /rest/api/maps/search
-[Spatial service]: /rest/api/maps/spatial
+[Route]: /rest/api/maps/route
+[Search]: /rest/api/maps/search
+[Spatial]: /rest/api/maps/spatial
[TilesetID]: /rest/api/maps/render-v2/get-map-tile#tilesetid
-[Time zone service]: /rest/api/maps/timezone
-[Traffic service]: /rest/api/maps/traffic
+[Timezone]: /rest/api/maps/timezone
+[Traffic]: /rest/api/maps/traffic
<! JavaScript API Links > [JavaScript map control]: /javascript/api/azure-maps-control <! External Links >
azure-maps About Creator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/about-creator.md
Creator is a platform for building indoor mapping solutions for all your needs.
An [onboarding tool] is provided to prepare your facility's DWGs by identifying the data to use and to positioning your facility on the map. The conversion service then converts the geometry and data from your DWG files into a digital indoor map.
-The first step in creating your indoor map is to upload a drawing package into your Azure Maps account. A drawing package contains one or more CAD (computer-aided design) drawings of your facility along with a manifest describing the drawings. The drawings define the elements of the facility while the manifest tells the Azure Maps [Conversion service] how to read the facility drawing files and metadata. For more
+The first step in creating your indoor map is to upload a drawing package into your Azure Maps account. A drawing package contains one or more CAD (computer-aided design) drawings of your facility along with a manifest describing the drawings. The drawings define the elements of the facility while the manifest tells the Azure Maps [Conversion] service how to read the facility drawing files and metadata. For more
information about manifest properties, see [Manifest file requirements] and for more information on creating and uploading a drawing package, see the [Drawing package guide]. ### Dataset
This section provides a high-level overview of the indoor map creation workflow.
account. Upload drawing packages using the [Data Upload API]. 1. **Convert**. Once the drawing package is uploaded into your Azure Maps account,
- use the [Conversion service] to validate the data in the uploaded drawing
+ use the [Conversion] service to validate the data in the uploaded drawing
package and convert it into map data. 1. **Dataset**. Create a [dataset] from the map data. A dataset is collection
This section provides a high-level overview of the indoor map creation workflow.
[Azure Maps Creator onboarding tool]: https://azure.github.io/azure-maps-creator-onboarding-tool [Azure Maps Creator REST API]: /rest/api/maps-creator
-[Conversion service]: /rest/api/maps/v2/conversion
+[Conversion]: /rest/api/maps/v2/conversion
[Create a feature stateset]: how-to-creator-feature-stateset.md [Create custom styles for indoor maps]: how-to-create-custom-styles.md [Create dataset using GeoJson package]: how-to-dataset-geojson.md
azure-maps Azure Maps Qps Rate Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/azure-maps-qps-rate-limits.md
The following list shows the QPS usage limits for each Azure Maps service by Pri
| Traffic service | 50 | 50 | 50 | | Weather service | 50 | 50 | 50 |
-<sup>1</sup> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry service] by 9/16/24. For more information, see [How to create data registry].
+<sup>1</sup> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry] service by 9/16/24. For more information, see [How to create data registry].
When QPS limits are reached, an HTTP 429 error is returned. If you're using the Gen 2 or Gen 1 S1 pricing tiers, you can create an Azure Maps *Technical* Support Request in the [Azure portal] to increase a specific QPS limit if needed. QPS limits for the Gen 1 S0 pricing tier can't be increased.
When QPS limits are reached, an HTTP 429 error is returned. If you're using the
[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md [v1]: /rest/api/maps/data [v2]: /rest/api/maps/data-v2
-[Data Registry service]: /rest/api/maps/data-registry
+[Data Registry]: /rest/api/maps/data-registry
[How to create data registry]: how-to-create-data-registries.md
azure-maps How To Search For Address https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-search-for-address.md
# Search for a location using Azure Maps Search services
-The [Search service] is a set of RESTful APIs designed to help developers search addresses, places, and business listings by name, category, and other geographic information. In addition to supporting traditional geocoding, services can also reverse geocode addresses and cross streets based on latitudes and longitudes. Latitude and longitude values returned by the search can be used as parameters in other Azure Maps services, such as [Route] and [Weather] services.
+The [Search] service is a set of RESTful APIs designed to help developers search addresses, places, and business listings by name, category, and other geographic information. In addition to supporting traditional geocoding, services can also reverse geocode addresses and cross streets based on latitudes and longitudes. Latitude and longitude values returned by the search can be used as parameters in other Azure Maps services, such as [Route] and [Weather].
This article demonstrates how to:
This example demonstrates how to search for a cross street based on the coordina
[Search Address]: /rest/api/maps/search/getsearchaddress [Search Coverage]: geocoding-coverage.md [Search Polygon API]: /rest/api/maps/search/getsearchpolygon
-[Search service]: /rest/api/maps/search
+[Search]: /rest/api/maps/search
[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [URI Parameter reference]: /rest/api/maps/search/getsearchfuzzy#uri-parameters [Weather]: /rest/api/maps/weather
azure-maps Migrate From Bing Maps Web Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps-web-services.md
In Azure Maps, pushpins can also be added to a static map image by specifying th
More styles can be used by adding more `pins` parameters to the URL with a different style and set of locations.
-Regarding pin locations, Azure Maps requires the coordinates to be in `longitude latitude` format whereas Bing Maps uses `latitude,longitude` format. Also note that **there is a space, not a comma** separating longitude and latitude in Azure Maps.
+Regarding pin locations, Azure Maps requires the coordinates to be in `longitude,latitude` format whereas Bing Maps uses `latitude,longitude` format. Also note that **there is a space, not a comma** separating longitude and latitude in Azure Maps.
The `iconType` value specifies the type of pin to create and can have the following values:
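Review bot: The `+` line now gives the Azure Maps pin format as `longitude,latitude`, but the next sentence in the same paragraph still says **there is a space, not a comma** separating longitude and latitude, so the paragraph contradicts itself. Either keep the space-separated form (`longitude latitude`) or, if the comma form is what the service accepts, rewrite the "space, not a comma" sentence in the same change.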
In Azure Maps, lines and polygons can also be added to a static map image by spe
> `&path=pathStyles||pathLocation1|pathLocation2|...`
-When it comes to path locations, Azure Maps requires the coordinates to be in `longitude latitude` format whereas Bing Maps uses `latitude,longitude` format. Also note that **there is a space, not a comma separating** longitude and latitude in Azure Maps. Azure Maps doesn't support encoded paths currently.
+When it comes to path locations, Azure Maps requires the coordinates to be in `longitude,latitude` format whereas Bing Maps uses `latitude,longitude` format. Also note that **there is a space, not a comma separating** longitude and latitude in Azure Maps. Azure Maps doesn't support encoded paths currently.
Path styles in Azure Maps are added with the format `optionNameValue`, with multiple styles separated by pipe (`|`) characters like this `optionName1Value1|optionName2Value2`. Note the option names and values aren't separated. The following style option names can be used to style paths in Azure Maps:
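Review bot: In the path-locations paragraph, the format is changed to `longitude,latitude` while the unchanged sentence after it still states that **there is a space, not a comma separating** the two values. A reader building a `&path=` value cannot tell which separator to use. Revert the separator in the example or update the "space, not a comma" sentence so both agree.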
azure-maps Migrate From Google Maps Web Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-google-maps-web-services.md
Add markers to a static map image by specifying the `pins` parameter in the URL.
To use other styles, add extra `pins` parameters to the URL with a different style and set of locations.
-In Azure Maps, the pin location needs to be in the "longitude latitude" format. Google Maps uses "latitude,longitude" format. A space, not a comma, separates longitude and latitude in the Azure Maps format.
+In Azure Maps, the pin location needs to be in the "longitude,latitude" format. Google Maps uses "latitude,longitude" format. A space, not a comma, separates longitude and latitude in the Azure Maps format.
The `iconType` specifies the type of pin to create. It can have the following values:
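Review bot: The pin-location sentence now reads "longitude,latitude", yet the last sentence of the same paragraph still says "A space, not a comma, separates longitude and latitude in the Azure Maps format." The two statements conflict. Keep "longitude latitude" in the first sentence, or change the closing sentence to match the comma form if that is the intended behaviour.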
Add lines and polygons to a static map image by specifying the `path` parameter
&path=pathStyles||pathLocation1|pathLocation2|... ```
-When it comes to path locations, Azure Maps requires the coordinates to be in "longitude latitude" format. Google Maps uses "latitude,longitude" format. A space, not a comma, separates longitude and latitude in the Azure Maps format. Azure Maps doesn't support encoded paths or addresses for points.
+When it comes to path locations, Azure Maps requires the coordinates to be in "longitude,latitude" format. Google Maps uses "latitude,longitude" format. A space, not a comma, separates longitude and latitude in the Azure Maps format. Azure Maps doesn't support encoded paths or addresses for points.
Add path styles with the `optionNameValue` format. Separate multiple styles by pipe (\|) characters, like this `optionName1Value1|optionName2Value2`. The option names and values aren't separated. Use the following style option names to style paths in Azure Maps:
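Review bot: The path-location format is changed to "longitude,latitude" while the paragraph still ends its format description with "A space, not a comma, separates longitude and latitude in the Azure Maps format." Align the two sentences on one separator before merging, since migrating readers will copy the quoted format directly into the `path` parameter.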
azure-maps Understanding Azure Maps Transactions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/understanding-azure-maps-transactions.md
The following table summarizes the Azure Maps services that generate transaction
| [Traffic] | Yes | One request = 1 transaction (except tiles)<br>15 tiles = 1 transaction | <ul><li>Location Insights Traffic (Gen2 pricing)</li><li>Standard S1 Traffic Transactions (Gen1 S1 pricing)</li><li>Standard Geolocation Transactions (Gen1 S0 pricing)</li><li>Maps Traffic Tiles (Gen2 pricing)</li><li>Standard S1 Tile Transactions (Gen1 S1 pricing)</li><li>Standard Tile Transactions (Gen1 S0 pricing)</li></ul> | | [Weather] | Yes | One request = 1 transaction | <ul><li>Location Insights Weather (Gen2 pricing)</li><li>Standard S1 Weather Transactions (Gen1 S1 pricing)</li><li>Standard Weather Transactions (Gen1 S0 pricing)</li></ul> |
-<sup>1</sup> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry service] by 9/16/24. For more information, see [How to create data registry].
+<sup>1</sup> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry] service by 9/16/24. For more information, see [How to create data registry].
<!-- In Bing Maps, any time a synchronous Truck Routing request is made, three transactions are counted. Does this apply also to Azure Maps?-->
The following table summarizes the Azure Maps services that generate transaction
[Data registry]: /rest/api/maps/data-registry [v1]: /rest/api/maps/data [v2]: /rest/api/maps/data-v2
-[Data Registry service]: /rest/api/maps/data-registry
[How to create data registry]: how-to-create-data-registries.md [Dataset]: /rest/api/maps/v2/dataset [Feature State]: /rest/api/maps/v2/feature-state
azure-monitor Api Filtering Sampling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/api-filtering-sampling.md
Insert a telemetry initializer by adding the onInit callback function in the [Ja
```html <script type="text/javascript"> !function(v,y,T){<!-- Removed the JavaScript (Web) SDK Loader Script code for brevity -->}(window,document,{
-src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js",
+src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
crossOrigin: "anonymous", onInit: function (sdk) { sdk.addTelemetryInitializer(function (envelope) {
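Review bot: The `src` change from `ai.2.min.js` to `ai.3.gbl.min.js` moves this sample to a new major version of a CDN-loaded script, and nothing in the hunk tells readers that. Suggest a sentence next to the snippet stating that the loader now pulls SDK v3 from `js.monitor.azure.com`, so sites that restrict scripts with a `script-src` Content Security Policy or that review externally loaded scripts know the sample's behaviour changed.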
azure-monitor App Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-insights-overview.md
Autoinstrumentation is available for [Azure App Service](azure-web-apps-nodejs.m
The [Application Insights SDK](nodejs.md) is an alternative. We also have an [OpenTelemetry](opentelemetry-enable.md?tabs=nodejs) offering available.
-### [JavaScript](#tab/javascript)
-
-JavaScript requires the [Application Insights SDK](javascript.md).
- ### [Python](#tab/python)
-Python applications can be monitored by using [OpenCensus Python SDK via the Azure Monitor exporters](opencensus-python.md).
+Python applications can be monitored by using the [Azure Monitor OpenTelemetry Distro](opentelemetry-enable.md?tabs=python).
-An extension is available for monitoring [Azure Functions](opencensus-python.md#integrate-with-azure-functions).
+### [JavaScript](#tab/javascript)
-An [OpenTelemetry](opentelemetry-enable.md?tabs=python) offering is also available.
+JavaScript requires the [Application Insights SDK](javascript.md).
An [OpenTelemetry](opentelemetry-enable.md?tabs=python) offering is also availab
This section outlines supported scenarios.
-* [C#|VB (.NET)](./asp-net.md)
+### Automatic instrumentation (enable without code changes)
+* [Autoinstrumentation supported environments and languages](codeless-overview.md#supported-environments-languages-and-resource-providers)
+
+### Manual instrumentation
+
+#### OpenTelemetry Distro
+
+* [ASP.NET](opentelemetry-enable.md?tabs=net)
+* [Java](opentelemetry-enable.md?tabs=java)
+* [Node.js](opentelemetry-enable.md?tabs=nodejs)
+* [Python](opentelemetry-enable.md?tabs=python)
+* [ASP.NET Core](opentelemetry-enable.md?tabs=aspnetcore) (preview)
+
+#### Application Insights SDK (Classic API)
+
+* [ASP.NET](./asp-net.md)
* [Java](./opentelemetry-enable.md?tabs=java)
-* [JavaScript](./javascript.md)
* [Node.js](./nodejs.md) * [Python](./opencensus-python.md)
+* [ASP.NET Core](./asp-net-core.md)
+
+#### Client-side JavaScript SDK
+
+* [JavaScript](./javascript.md)
+ * [React](./javascript-framework-extensions.md)
+ * [React Native](./javascript-framework-extensions.md)
+ * [Angular](./javascript-framework-extensions.md)
### Supported platforms and frameworks
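Review bot: Under the new `#### Application Insights SDK (Classic API)` heading, the unchanged `* [Java](./opentelemetry-enable.md?tabs=java)` entry links to the same OpenTelemetry page as the Java entry in the `#### OpenTelemetry Distro` list, so Java is listed under both headings with one target. Either remove Java from the Classic API list or point it at a Classic API article. The added links also mix `opentelemetry-enable.md` and `./opentelemetry-enable.md` styles; pick one.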
This section lists all supported platforms and frameworks.
* [Azure Spring Apps](../../spring-apps/how-to-application-insights.md) * [Azure Cloud Services](./azure-web-apps-net-core.md), including both web and worker roles
-#### Autoinstrumentation (enable without code changes)
-* [ASP.NET: For web apps hosted with IIS](./application-insights-asp-net-agent.md)
-* [ASP.NET Core: For web apps hosted with IIS](./application-insights-asp-net-agent.md)
-* [Java](./opentelemetry-enable.md?tabs=java)
-
-#### Manual instrumentation/SDK (some code changes required)
-* [ASP.NET](./asp-net.md)
-* [ASP.NET Core](./asp-net-core.md)
-* [Node.js](./nodejs.md)
-* [Python](./opencensus-python.md)
-* [JavaScript: Web](./javascript.md)
- * [React](./javascript-framework-extensions.md)
- * [React Native](./javascript-framework-extensions.md)
- * [Angular](./javascript-framework-extensions.md)
-
-> [!NOTE]
-> OpenTelemetry-based instrumentation is available for [C#, Node.js, and Python](opentelemetry-enable.md). Review the limitations noted at the beginning of each language's official documentation. If you require a full-feature experience, use the existing Application Insights SDKs.
-
-### Logging frameworks
-* [ILogger](./ilogger.md)
+#### Logging frameworks
+* [`ILogger`](./ilogger.md)
* [Log4Net, NLog, or System.Diagnostics.Trace](./asp-net-trace-logs.md)
-* [Log4J, Logback, or java.util.logging](./opentelemetry-add-modify.md?tabs=java#logs)
+* [`Log4J`, Logback, or java.util.logging](./opentelemetry-add-modify.md?tabs=java#logs)
* [LogStash plug-in](https://github.com/Azure/azure-diagnostics-tools/tree/master/Logstash/logstash-output-applicationinsights) * [Azure Monitor](/archive/blogs/msoms/application-insights-connector-in-oms)
-### Export and data analysis
+#### Export and data analysis
* [Power BI](https://powerbi.microsoft.com/blog/explore-your-application-insights-data-with-power-bi/) * [Power BI for workspace-based resources](../logs/log-powerbi.md) ### Unsupported SDKs
-Several other community-supported Application Insights SDKs exist. Azure Monitor only provides support when you use the supported instrumentation options listed in this article.
+Many community-supported Application Insights SDKs exist. Azure Monitor only provides support when you use the supported instrumentation options listed in this article.
-We're constantly assessing opportunities to expand our support for other languages. For the latest SDK news, see [Azure updates for Application Insights](https://azure.microsoft.com/updates/?query=application%20insights).
+We're constantly assessing opportunities to expand our support for other languages. For the latest news, see [Azure updates for Application Insights](https://azure.microsoft.com/updates/?query=application%20insights).
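Review bot: In the logging frameworks list, `ILogger` and `Log4J` are now code-formatted, but Log4Net, NLog, System.Diagnostics.Trace, Logback and java.util.logging in the same two bullets are left as plain text. Apply code formatting to all of the identifiers or to none of them so the list reads consistently.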
From server web apps:
* HTTP requests. * [Dependencies](./asp-net-dependencies.md). Calls to SQL databases, HTTP calls to external services, Azure Cosmos DB, Azure Table Storage, Azure Blob Storage, and Azure Queue Storage. * [Exceptions](./asp-net-exceptions.md) and stack traces.
-* [Performance counters](./performance-counters.md): If you use the [Azure Monitor Application Insights agent](./application-insights-asp-net-agent.md), [Azure monitoring for VMs or virtual machine scale sets](./azure-vm-vmss-apps.md), or the [Application Insights collectd writer](/previous-versions/azure/azure-monitor/app/deprecated-java-2x#collectd-linux-performance-metrics-in-application-insights-deprecated).
+* [Performance counters](./performance-counters.md): Performance counters are available when using:
+- [Azure Monitor Application Insights agent](application-insights-asp-net-agent.md)
+- [Azure monitoring for VMs or virtual machine scale sets](./azure-vm-vmss-apps.md)
+- [Application Insights `collectd` writer](/previous-versions/azure/azure-monitor/app/deprecated-java-2x#collectd-linux-performance-metrics-in-application-insights-deprecated).
* [Custom events and metrics](./api-custom-events-metrics.md) that you code. * [Trace logs](./asp-net-trace-logs.md) if you configure the appropriate collector.
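Review bot: The three new `-` items under `* [Performance counters]` start at column 0, so they render as a separate top-level list instead of as children of that bullet, and the following `* [Custom events and metrics]` bullet then starts another list. Indent the three items under the parent bullet, and drop the trailing period on the `collectd` item so it matches the other two.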
You can [write PowerShell scripts](./powershell.md) by using Azure Resource Moni
You can't set up a metrics explorer report or set up continuous export.
-### How can I query Application Insights telemetery?
+### How can I query Application Insights telemetry?
Use the [REST API](/rest/api/application-insights/) to run [Log Analytics](../logs/log-query-overview.md) queries.
Post general questions to the Microsoft Q&A [answers forum](/answers/topics/2422
### Stack Overflow
-Post coding questions to [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-application-insights) by using an Application Insights tag.
+Post coding questions to [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-application-insights) by using an `azure-application-insights` tag.
### Feedback Community
azure-monitor Data Model Complete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-complete.md
ibiza Previously updated : 06/23/2023 Last updated : 09/25/2023 # Application Insights telemetry data model
PageView Telemetry includes URL and you could parse the UTM parameter using a re
Occasionally, this data might be missing or inaccurate if the user or enterprise disables sending User Agent in browser settings. The [UA Parser regexes](https://github.com/ua-parser/uap-core/blob/master/regexes.yaml) might not include all device information. Or Application Insights might not have adopted the latest updates.
+### Why would a custom measurement succeed without error but the log doesn't show up?
+
+This can occur if you're using string values. Only numeric values work with custom measurements.
+ ## Next steps Learn how to use the [Application Insights API for custom events and metrics](./api-custom-events-metrics.md), including:
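Review bot: The new FAQ answer says string values don't work with custom measurements but gives the reader no next step. Add a sentence saying where string values should go instead (for example, custom properties), or link to the custom events and metrics article already referenced under Next steps. The heading would also read better as "Why would a custom measurement succeed without error but not show up in the logs?"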
azure-monitor Java Get Started Supplemental https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-get-started-supplemental.md
For more information, see [Using Azure Monitor Application Insights with Spring
## Java Application servers
-The following sections show how to set the Application Insights Java agent path for different application servers. You can find the configuration options [here](./java-standalone-config.md).
+For information on setting up the Application Insights Java agent, see [Enabling Azure Monitor OpenTelemetry for Java](./opentelemetry-enable.md?tabs=java). The following sections provide additional details which may be helpful when configuring the `-javaagent:...` JVM arg on different application servers.
### Tomcat 8 (Linux)
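Review bot: The rewritten intro drops the link to `./java-standalone-config.md` that the removed line carried, so this section no longer points readers at the configuration options. Keep that link alongside the new one to `opentelemetry-enable.md?tabs=java`. The phrase "additional details which may be helpful when configuring" can also be tightened to "more details for configuring".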
azure-monitor Javascript Feature Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-feature-extensions.md
Users can set up the Click Analytics Auto-Collection plug-in via JavaScript (Web
}; // Application Insights JavaScript (Web) SDK Loader Script code !function(v,y,T){<!-- Removed the JavaScript (Web) SDK Loader Script code for brevity -->}(window,document,{
- src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js",
+ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
crossOrigin: "anonymous", cfg: configObj // configObj is defined above. });
azure-monitor Javascript Sdk Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk-upgrade.md
If you're using the current application insights PRODUCTION SDK (1.0.20) and wan
- Download via CDN scenario: Update the JavaScript (Web) SDK Loader Script that you currently use to point to the following URL: ```
- "https://js.monitor.azure.com/scripts/b/ai.2.min.js"
+ "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js"
``` - npm scenario: Call `downloadAndSetup` to download the full ApplicationInsights script from CDN and initialize it with a connection string:
If you're using the current application insights PRODUCTION SDK (1.0.20) and wan
```ts appInsights.downloadAndSetup({ connectionString: "Copy connection string from Application Insights Resource Overview",
- url: "https://js.monitor.azure.com/scripts/b/ai.2.min.jss"
+ url: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js"
}); ```
azure-monitor Javascript Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk.md
# Enable Azure Monitor Application Insights Real User Monitoring
-The Microsoft Azure Monitor Application Insights JavaScript SDK collects usage data which allows you to monitor and analyze the performance of JavaScript web applications. This is commonly referred to as Real User Monitoring or RUM.
+The Microsoft Azure Monitor Application Insights JavaScript SDK collects usage data, which allows you to monitor and analyze the performance of JavaScript web applications. This is commonly referred to as Real User Monitoring or RUM.
-The Application Insights JavaScript SDK has a base SDK and several plugins for additional capabilities.
+The Application Insights JavaScript SDK has a base SDK and several plugins for more capabilities.
:::image type="content" source="media/javascript-sdk/conceptual-diagram-javascript-sdk.png" alt-text="Conceptual diagram that shows the Application Insights JavaScript SDK, its plugins/extensions, and their relationship to each other." lightbox="media/javascript-sdk/conceptual-diagram-javascript-sdk.png"::: We collect page views by default. But if you want to also collect clicks by default, consider adding the [Click Analytics Auto-Collection plug-in](./javascript-feature-extensions.md): -- If you're adding a [framework extension](./javascript-framework-extensions.md), which you can [add](#optional-add-advanced-sdk-configuration) after you follow the steps to get started below, you'll have the option to add Click Analytics when you add the framework extension.
+- If you're adding a [framework extension](./javascript-framework-extensions.md), which you can [add](#optional-add-advanced-sdk-configuration) after you follow the steps to get started below, you can optionally add Click Analytics when you add the framework extension.
- If you're not adding a framework extension, [add the Click Analytics plug-in](./javascript-feature-extensions.md) after you follow the steps to get started. We provide the [Debug plugin](https://github.com/microsoft/ApplicationInsights-JS/blob/main/extensions/applicationinsights-debugplugin-js/README.md) and [Performance plugin](https://github.com/microsoft/ApplicationInsights-JS/blob/main/extensions/applicationinsights-perfmarkmeasure-js/README.md) for debugging/testing. In rare cases, it's possible to build your own extension by adding a [custom plugin](https://github.com/microsoft/ApplicationInsights-JS/blob/e4be62c0aa9318b540157118b729bb0c4d8b6c6e/API-reference.md#custom-extension).
Two methods are available to add the code to enable Application Insights via the
Preferably, you should add it as the first script in your `<head>` section so that it can monitor any potential issues with all of your dependencies.
+ If Internet Explorer 8 is detected, JavaScript SDK v2.x is automatically loaded.
+ ```html <script type="text/javascript">
- !function(v,y,T){var S=v.location,k="script",D="instrumentationKey",C="ingestionendpoint",I="disableExceptionTracking",E="ai.device.",b="toLowerCase",w=(D[b](),"crossOrigin"),N="POST",e="appInsightsSDK",t=T.name||"appInsights",n=((T.name||v[e])&&(v[e]=t),v[t]||function(l){var u=!1,d=!1,g={initialize:!0,queue:[],sv:"6",version:2,config:l};function m(e,t){var n={},a="Browser";return n[E+"id"]=a[b](),n[E+"type"]=a,n["ai.operation.name"]=S&&S.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(g.sv||g.version),{time:(a=new Date).getUTCFullYear()+"-"+i(1+a.getUTCMonth())+"-"+i(a.getUTCDate())+"T"+i(a.getUTCHours())+":"+i(a.getUTCMinutes())+":"+i(a.getUTCSeconds())+"."+(a.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}}};function i(e){e=""+e;return 1===e.length?"0"+e:e}}var e,n,f=l.url||T.src;function a(e){var t,n,a,i,o,s,r,c,p;u=!0,g.queue=[],d||(d=!0,i=f,r=(c=function(){var e,t={},n=l.connectionString;if(n)for(var a=n.split(";"),i=0;i<a.length;i++){var o=a[i].split("=");2===o.length&&(t[o[0][b]()]=o[1])}return t[C]||(t[C]="https://"+((e=(n=t.endpointsuffix)?t.location:null)?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||l[D]||"",c=(c=c[C])?c+"/v2/track":l.endpointUrl,(p=[]).push((t="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",n=i,o=c,(s=(a=m(r,"Exception")).data).baseType="ExceptionData",s.baseData.exceptions=[{typeName:"SDKLoadFailed",message:t.replace(/\./g,"-"),hasFullStack:!1,stack:t+"\nSnippet failed to load ["+n+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(S&&S.pathname||"_unknown_")+"\nEndpoint: "+o,parsedStack:[]}],a)),p.push((s=i,t=c,(o=(n=m(r,"Message")).data).baseType="MessageData",(a=o.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK 
script (See stack for details) ("+s+")").replace(/\"/g,"")+'"',a.properties={endpoint:t},n)),i=p,r=c,JSON&&((o=v.fetch)&&!T.useXhr?o(r,{method:N,body:JSON.stringify(i),mode:"cors"}):XMLHttpRequest&&((s=new XMLHttpRequest).open(N,r),s.setRequestHeader("Content-type","application/json"),s.send(JSON.stringify(i)))))}function i(e,t){d||setTimeout(function(){!t&&g.core||a()},500)}f&&((n=y.createElement(k)).src=f,!(o=T[w])&&""!==o||"undefined"==n[w]||(n[w]=o),n.onload=i,n.onerror=a,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||i(0,t)},e=n,T.ld<0?y.getElementsByTagName("head")[0].appendChild(e):setTimeout(function(){y.getElementsByTagName(k)[0].parentNode.appendChild(e)},T.ld||0));try{g.cookie=y.cookie}catch(h){}function t(e){for(;e.length;)!function(t){g[t]=function(){var e=arguments;u||g.queue.push(function(){g[t].apply(g,e)})}}(e.pop())}var s,r,o="track",c="TrackPage",p="TrackEvent",o=(t([o+"Event",o+"PageView",o+"Exception",o+"Trace",o+"DependencyData",o+"Metric",o+"PageViewPerformance","start"+c,"stop"+c,"start"+p,"stop"+p,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),g.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(l.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==l[I]&&!0!==o[I]&&(t(["_"+(s="onerror")]),r=v[s],v[s]=function(e,t,n,a,i){var o=r&&r(e,t,n,a,i);return!0!==o&&g["_"+s]({message:e,url:t,lineNumber:n,columnNumber:a,error:i,evt:v.event}),o},l.autoExceptionInstrumented=!0),g}(T.cfg));function a(){T.onInit&&T.onInit(n)}(v[t]=n).queue&&0===n.queue.length?(n.queue.push(a),n.trackPageView({})):a()}(window,document,{
- src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js",
+ !(function (cfg){function e(){cfg.onInit&&cfg.onInit(i)}var S,u,D,t,n,i,C=window,x=document,w=C.location,I="script",b="ingestionendpoint",E="disableExceptionTracking",A="ai.device.";"instrumentationKey"[S="toLowerCase"](),u="crossOrigin",D="POST",t="appInsightsSDK",n=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=n),i=C[n]||function(l){var d=!1,g=!1,f={initialize:!0,queue:[],sv:"7",version:2,config:l};function m(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[A+"id"]=i[S](),n[A+"type"]=i,n["ai.operation.name"]=w&&w.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(f.sv||f.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:4,seq:"1",aiDataContract:undefined}}var h=-1,v=0,y=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],k=l.url||cfg.src;if(k){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~k.indexOf("ai.3")&&(k=k.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<y.length;e++)if(0<k.indexOf(y[e])){h=e;break}var i=function(e){var a,t,n,i,o,r,s,c,p,u;f.queue=[],g||(0<=h&&v+1<y.length?(a=(h+v+1)%y.length,T(k.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+y[a]+i})),v+=1):(d=g=!0,o=k,c=(p=function(){var e,t={},n=l.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][S]()]=o[1])}return 
t[b]||(e=(n=t.endpointsuffix)?t.location:null,t[b]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||l.instrumentationKey||"",p=(p=p[b])?p+"/v2/track":l.endpointUrl,(u=[]).push((t="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",n=o,r=p,(s=(i=m(c,"Exception")).data).baseType="ExceptionData",s.baseData.exceptions=[{typeName:"SDKLoadFailed",message:t.replace(/\./g,"-"),hasFullStack:!1,stack:t+"\nSnippet failed to load ["+n+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(w&&w.pathname||"_unknown_")+"\nEndpoint: "+r,parsedStack:[]}],i)),u.push((s=o,t=p,(r=(n=m(c,"Message")).data).baseType="MessageData",(i=r.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+s+")").replace(/\"/g,"")+'"',i.properties={endpoint:t},n)),o=u,c=p,JSON&&((r=C.fetch)&&!cfg.useXhr?r(c,{method:D,body:JSON.stringify(o),mode:"cors"}):XMLHttpRequest&&((s=new XMLHttpRequest).open(D,c),s.setRequestHeader("Content-type","application/json"),s.send(JSON.stringify(o))))))},a=function(e,t){g||setTimeout(function(){!t&&f.core||i()},500),d=!1},T=function(e){var n=x.createElement(I),e=(n.src=e,cfg[u]);return!e&&""!==e||"undefined"==n[u]||(n[u]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?x.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){x.getElementsByTagName(I)[0].parentNode.appendChild(n)},cfg.ld||0),n};T(k)}try{f.cookie=x.cookie}catch(p){}function t(e){for(;e.length;)!function(t){f[t]=function(){var e=arguments;d||f.queue.push(function(){f[t].apply(f,e)})}}(e.pop())}var 
r,s,n="track",o="TrackPage",c="TrackEvent",n=(t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+o,"stop"+o,"start"+c,"stop"+c,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),f.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(l.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==l[E]&&!0!==n[E]&&(t(["_"+(r="onerror")]),s=C[r],C[r]=function(e,t,n,i,a){var o=s&&s(e,t,n,i,a);return!0!==o&&f["_"+r]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},l.autoExceptionInstrumented=!0),f}(cfg.cfg),(C[n]=i).queue&&0===i.queue.length?(i.queue.push(e),i.trackPageView({})):e();})({
+ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
// name: "appInsights", // ld: 0, // useXhr: 1, crossOrigin: "anonymous", // onInit: null,
+ // cr: 0,
cfg: { // Application Insights Configuration connectionString: "YOUR_CONNECTION_STRING" }});
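Review bot: The added `// cr: 0,` placeholder shows a value that does not turn the backup-CDN failover off. The loader in this hunk tests `!1!==cfg.cr`, a strict comparison against `false`, so a reader who uncomments `cr: 0` still gets the failover; only `cr: false` disables it, which is also the value the `cr` table row names. Suggest `// cr: false,` here, or a trailing comment stating that the default is on.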
Two methods are available to add the code to enable Application Insights via the
| useXhr | boolean | Optional | This setting is used only for reporting SDK load failures. For example, this setting is useful when the JavaScript (Web) SDK Loader Script is preventing the HTML page from loading, causing fetch() to be unavailable.<br><br>Reporting first attempts to use fetch() if available and then fallback to XHR. Set this setting to `true` to bypass the fetch check. This setting is only required if your application is being used in an environment where fetch would fail to send the failure events such as if the JavaScript (Web) SDK Loader Script isn't loading successfully. | crossOrigin | string | Optional | By including this setting, the script tag added to download the SDK includes the crossOrigin attribute with this string value. Use this setting when you need to provide support for CORS. When not defined (the default), no crossOrigin attribute is added. Recommended values are not defined (the default), "", or "anonymous". For all valid values, see the [cross origin HTML attribute](https://developer.mozilla.org/docs/Web/HTML/Attributes/crossorigin) documentation. | onInit | function(aiSdk) { ... } | Optional | This callback function is called after the main SDK script has been successfully loaded and initialized from the CDN (based on the src value). This callback function is useful when you need to insert a telemetry initializer. It's passed one argument, which is a reference to the SDK instance that's being called for and is also called before the first initial page view. If the SDK has already been loaded and initialized, this callback is still called. NOTE: During the processing of the sdk.queue array, this callback is called. You CANNOT add any more items to the queue because they're ignored and dropped. (Added as part of JavaScript (Web) SDK Loader Script version 5--the sv:"5" value within the script). |
+ | cr | boolean | Optional | If the SDK fails to load and the endpoint value defined for `src` is the public CDN location, this configuration option attempts to immediately load the SDK from one of the following backup CDN endpoints:<ul><li>js.monitor.azure.com</li><li>js.cdn.applicationinsights.io</li><li>js.cdn.monitor.azure.com</li><li>js0.cdn.applicationinsights.io</li><li>js0.cdn.monitor.azure.com</li><li>js2.cdn.applicationinsights.io</li><li>js2.cdn.monitor.azure.com</li><li>az416426.vo.msecnd.net</li></ul>NOTE: az416426.vo.msecnd.net is partially supported, so it's not recommended.<br><br>If the SDK successfully loads from a backup CDN endpoint, it loads from the first available one, which is determined when the server performs a successful load check. If the SDK fails to load from any of the backup CDN endpoints, the SDK Failure error message appears.<br><br>When not defined, the default value is `true`. If you donΓÇÖt want to load the SDK from the backup CDN endpoints, set this configuration option to `false`.<br><br>If youΓÇÖre loading the SDK from your own privately hosted CDN endpoint, this configuration option is not applicable.
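Review bot: The `cr` row calls az416426.vo.msecnd.net "not recommended" but keeps it in the list that failover uses by default, and gives no way to drop that one host short of setting `cr` to `false`. Either remove it from the documented default list or say when it is actually tried. The sentence "determined when the server performs a successful load check" also does not match the loader shown earlier on the page, where the browser retries the next host in list order from the script element's `onerror` handler. The row is missing its closing `|` as well.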
#### [npm package](#tab/npmpackage)
To paste the connection string in your environment, follow these steps:
1. Replace the placeholder `"YOUR_CONNECTION_STRING"` in the JavaScript code with your [connection string](./sdk-connection-string.md) copied to the clipboard.
+ The `connectionString` format must follow "InstrumentationKey=xxxx;....". If the string provided does not meet this format, the SDK load process fails.
+ The connection string isn't considered a security token or key. For more information, see [Do new Azure regions require the use of connection strings?](./sdk-connection-string.md#do-new-azure-regions-require-the-use-of-connection-strings). ### (Optional) Add SDK configuration
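Review bot: "The connection string isn't considered a security token or key" is stated without the reason, and the link target is an FAQ entry about new Azure regions, so a reader cannot tell from here what someone holding the string can or cannot do. Suggest one sentence giving the reason and a link whose title matches the claim. The format line "InstrumentationKey=xxxx;...." would also be clearer with the remaining keys named, and "the SDK load process fails" should say how that failure shows up.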
If you want to use the extra features provided by plugins for specific framework
It might take a few minutes for data to show up in the portal. If the only data you see showing up is a load failure exception, see [Troubleshoot SDK load failure for JavaScript web apps](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting#troubleshoot-sdk-load-failure-for-javascript-web-apps).
+ In some cases, if multiple instances of different versions of Application Insights are running on the same page, errors can occur during initialization. For these cases and the error message that appears, see [Running multiple versions of the Application Insights JavaScript SDK in one session](https://github.com/microsoft/ApplicationInsights-JS/blob/main/versionConflict.md). If you've encountered one of these errors, try changing the namespace by using the `name` setting. For more information, see [JavaScript (Web) SDK Loader Script configuration](#javascript-web-sdk-loader-script-configuration).
+ :::image type="content" source="media/javascript-sdk/confirm-data-flowing.png" alt-text="Screenshot of the Application Insights Transaction search pane in the Azure portal with the Page View option selected. The page views are highlighted." lightbox="media/javascript-sdk/confirm-data-flowing.png"::: 1. If you want to query data to confirm data is flowing:
azure-monitor Opentelemetry Add Modify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md
Dependencies
- [Redis-4](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-redis-4) - [Azure SDK](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/instrumentation/opentelemetry-instrumentation-azure-sdk)
-Auto instrumentation of Logs is currently only supported when using `applicationinsights` v3 Beta package. (https://www.npmjs.com/package/applicationinsights/v/beta)
+Automatic instrumentation of Logs is currently only supported when using `applicationinsights` v3 Beta package. (https://www.npmjs.com/package/applicationinsights/v/beta)
+ Logs - [Node.js console](https://nodejs.org/api/console.html) - [Bunyan](https://github.com/trentm/node-bunyan#readme)
To add a community instrumentation library (not officially supported/included in
> Instrumenting a [supported instrumentation library](.\opentelemetry-add-modify.md?tabs=python#included-instrumentation-libraries) manually with `instrument()` in conjunction with the distro `configure_azure_monitor()` is not recommended. This is not a supported scenario and you may get undesired behavior for your telemetry. ```python
+# Import the `configure_azure_monitor()`, `SQLAlchemyInstrumentor`, `create_engine`, and `text` functions from the appropriate packages.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry.instrumentation.sqlalchemy import SQLAlchemyInstrumentor from sqlalchemy import create_engine, text
+# Configure OpenTelemetry to use Azure Monitor.
configure_azure_monitor()
+# Create a SQLAlchemy engine.
engine = create_engine("sqlite:///:memory:")
-# SQLAlchemy instrumentation is not officially supported by this package
-# However, you can use the OpenTelemetry instrument() method manually in
-# conjunction with configure_azure_monitor
+
+# SQLAlchemy instrumentation is not officially supported by this package, however, you can use the OpenTelemetry `instrument()` method manually in conjunction with `configure_azure_monitor()`.
SQLAlchemyInstrumentor().instrument( engine=engine, )
-# Database calls using the SqlAlchemy library will be automatically captured
+# Database calls using the SQLAlchemy library will be automatically captured.
with engine.connect() as conn: result = conn.execute(text("select 'hello world'")) print(result.all())
public class Program {
#### [Python](#tab/python) ```python
+# Import the `configure_azure_monitor()` and `metrics` functions from the appropriate packages.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import metrics
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )+
+# Get a meter provider and a meter with the name "otel_azure_monitor_histogram_demo".
meter = metrics.get_meter_provider().get_meter("otel_azure_monitor_histogram_demo")
+# Record three values to the histogram.
histogram = meter.create_histogram("histogram") histogram.record(1.0, {"test_key": "test_value"}) histogram.record(100.0, {"test_key2": "test_value"}) histogram.record(30.0, {"test_key": "test_value2"})
+# Wait for background execution.
input() ```
public class Program {
#### [Python](#tab/python) ```python
+# Import the `configure_azure_monitor()` and `metrics` functions from the appropriate packages.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import metrics
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )
+# Get a meter provider and a meter with the name "otel_azure_monitor_counter_demo".
meter = metrics.get_meter_provider().get_meter("otel_azure_monitor_counter_demo")
+# Create a counter metric with the name "counter".
counter = meter.create_counter("counter")+
+# Add three values to the counter.
+# The first argument to the `add()` method is the value to add.
+# The second argument is a dictionary of dimensions.
+# Dimensions are used to group related metrics together.
counter.add(1.0, {"test_key": "test_value"}) counter.add(5.0, {"test_key2": "test_value"}) counter.add(3.0, {"test_key": "test_value2"})
+# Wait for background execution.
input() ```
public class Program {
#### [Python](#tab/python) ```python
+# Import the necessary packages.
from typing import Iterable from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import metrics from opentelemetry.metrics import CallbackOptions, Observation
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )+
+# Get a meter provider and a meter with the name "otel_azure_monitor_gauge_demo".
meter = metrics.get_meter_provider().get_meter("otel_azure_monitor_gauge_demo")
+# Define two observable gauge generators.
+# The first generator yields a single observation with the value 9.
+# The second generator yields a sequence of 10 observations with the value 9 and a different dimension value for each observation.
def observable_gauge_generator(options: CallbackOptions) -> Iterable[Observation]: yield Observation(9, {"test_key": "test_value"})
def observable_gauge_sequence(options: CallbackOptions) -> Iterable[Observation]
) return observations
+# Create two observable gauges using the defined generators.
gauge = meter.create_observable_gauge("gauge", [observable_gauge_generator]) gauge2 = meter.create_observable_gauge("gauge2", [observable_gauge_sequence])
+# Wait for background execution.
input() ```
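Review bot: The added comment describes both callbacks as generators that yield, but the second one ends in `return observations`, so it returns a collection rather than yielding. Suggest "Define two observable gauge callbacks: the first yields a single observation, the second returns a list of observations" so the comment matches the code under it.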
You can use `opentelemetry-api` to update the status of a span and record except
The OpenTelemetry Python SDK is implemented in such a way that exceptions thrown are automatically captured and recorded. See the following code sample for an example of this behavior. ```python
+# Import the necessary packages.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import trace
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )+
+# Get a tracer for the current module.
tracer = trace.get_tracer("otel_azure_monitor_exception_demo") # Exception events try:
+ # Start a new span with the name "hello".
with tracer.start_as_current_span("hello") as span: # This exception will be automatically recorded raise Exception("Custom exception message.")
within the context manager and use `record_exception()` directly as shown in the
```python ...
+# Start a new span with the name "hello" and disable exception recording.
with tracer.start_as_current_span("hello", record_exception=False) as span: try:
+ # Raise an exception.
raise Exception("Custom exception message.") except Exception as ex: # Manually record exception
The code example shows how to use the `tracer.start_as_current_span()` method to
```python ...
+# Import the necessary packages.
from opentelemetry import trace
+# Get a tracer for the current module.
tracer = trace.get_tracer(__name__)
+# Start a new span with the name "my first span" and make it the current span.
# The "with" context manager starts, makes the span current, and ends the span within it's context with tracer.start_as_current_span("my first span") as span: try:
- # Do stuff within the context of this
+ # Do stuff within the context of this span.
+ # All telemetry generated within this scope will be attributed to this span.
except Exception as ex:
+ # Record the exception on the span.
span.record_exception(ex) ...
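Review bot: After this change the `try:` block holds only comments ("Do stuff within the context of this span." and the line after it), which Python rejects because a comment is not a statement. Add a placeholder statement such as `...` or `pass` under the comments so the sample can be copied and run. The unchanged comment above it also has "it's context" for "its context".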
If your method represents a background job not already captured by autoinstrumen
```python ...
+# Import the necessary packages.
from opentelemetry import trace from opentelemetry.trace import SpanKind
+# Get a tracer for the current module.
tracer = trace.get_tracer(__name__)+
+# Start a new span with the name "my request span" and the kind set to SpanKind.SERVER.
with tracer.start_as_current_span("my request span", kind=SpanKind.SERVER) as span:
+ # Do stuff within the context of this span.
... ```
Not available in .NET.
If you want to add custom events or access the Application Insights API, replace the @azure/monitor-opentelemetry package with the `applicationinsights` [v3 Beta package](https://www.npmjs.com/package/applicationinsights/v/beta). It offers the same methods and interfaces, and all sample code for @azure/monitor-opentelemetry applies to the v3 Beta package.
-To send custom telemetry with the Application Insights Classic API, use the `applicationinsights` [v3 Beta package](https://www.npmjs.com/package/applicationinsights/v/beta).
+You need to use the `applicationinsights` v3 Beta package to send custom telemetry using the Application Insights classic API. (https://www.npmjs.com/package/applicationinsights/v/beta)
```javascript const { TelemetryClient } = require("applicationinsights");
Use a custom processor:
```python ...
+# Import the necessary packages.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import trace
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )+
+# Create a SpanEnrichingProcessor instance.
span_enrich_processor = SpanEnrichingProcessor()
-# Add the processor shown below to the current `TracerProvider`
+
+# Add the span enrich processor to the current TracerProvider.
trace.get_tracer_provider().add_span_processor(span_enrich_processor) ... ```
trace.get_tracer_provider().add_span_processor(span_enrich_processor)
Add `SpanEnrichingProcessor.py` to your project with the following code: ```python
+# Import the SpanProcessor class from the opentelemetry.sdk.trace module.
from opentelemetry.sdk.trace import SpanProcessor class SpanEnrichingProcessor(SpanProcessor): def on_end(self, span):
+ # Prefix the span name with the string "Updated-".
span._name = "Updated-" + span.name
+ # Add the custom dimension "CustomDimension1" with the value "Value1".
span._attributes["CustomDimension1"] = "Value1"
+ # Add the custom dimension "CustomDimension2" with the value "Value2".
span._attributes["CustomDimension2"] = "Value2" ```
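Review bot: The new comments present the assignments to `span._name` and `span._attributes` as the ordinary way to rename a span and add dimensions, but both are underscore-prefixed internals written from `on_end`. Suggest the comment say so, so readers know the sample depends on SDK internals rather than on a public API.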
Use the add [custom property example](#add-a-custom-property-to-a-span), but rep
Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code in `SpanEnrichingProcessor.py`: ```python
+# Set the `http.client_ip` attribute of the span to the specified IP address.
span._attributes["http.client_ip"] = "<IP Address>" ```
Use the add [custom property example](#add-a-custom-property-to-a-span), but rep
Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code: ```python
+# Set the `enduser.id` attribute of the span to the specified user ID.
span._attributes["enduser.id"] = "<User ID>" ```
The Python [logging](https://docs.python.org/3/howto/logging.html) library is [a
```python ...
+# Create a warning log message with the properties "key1" and "value1".
logger.warning("WARNING: Warning log with properties", extra={"key1": "value1"}) ...
Use the add [custom property example](#add-a-custom-property-to-a-span), but rep
```python ...
+ # Import the Flask and Azure Monitor OpenTelemetry SDK libraries.
import flask from azure.monitor.opentelemetry import configure_azure_monitor
- # Configure Azure monitor collection telemetry pipeline
+ # Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+ # Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )
+
+ # Create a Flask application.
app = flask.Flask(__name__)
- # Requests sent to this endpoint will not be tracked due to
- # flask_config configuration
+ # Define a route. Requests sent to this endpoint will not be tracked due to
+ # flask_config configuration.
@app.route("/ignore") def ignore(): return "Request received but not tracked."
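Review bot: The rewritten comment still says requests to `/ignore` are not tracked "due to flask_config configuration", yet nothing in the lines shown defines `flask_config` or passes any exclusion setting to `configure_azure_monitor()`. Name the setting that actually excludes the route and show it in the sample; as written the reader cannot tell what makes the route untracked.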
Use the add [custom property example](#add-a-custom-property-to-a-span), but rep
```python ...
+ # Import the necessary libraries.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import trace
+ # Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+ # Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )
+
+ # Add a SpanFilteringProcessor to the tracer provider.
trace.get_tracer_provider().add_span_processor(SpanFilteringProcessor()) ... ```
Use the add [custom property example](#add-a-custom-property-to-a-span), but rep
Add `SpanFilteringProcessor.py` to your project with the following code: ```python
+ # Import the necessary libraries.
from opentelemetry.trace import SpanContext, SpanKind, TraceFlags from opentelemetry.sdk.trace import SpanProcessor
+ # Define a custom span processor called `SpanFilteringProcessor`.
class SpanFilteringProcessor(SpanProcessor):
- # prevents exporting spans from internal activities
+ # Prevents exporting spans from internal activities.
def on_start(self, span):
+ # Check if the span is an internal activity.
if span._kind is SpanKind.INTERNAL:
+ # Create a new span context with the following properties:
+ # * The trace ID is the same as the trace ID of the original span.
+ # * The span ID is the same as the span ID of the original span.
+ # * The is_remote property is set to `False`.
+ # * The trace flags are set to `DEFAULT`.
+ # * The trace state is the same as the trace state of the original span.
span._context = SpanContext( span.context.trace_id, span.context.span_id,
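Review bot: The five-bullet comment restates the `SpanContext` arguments but leaves out the reason for the call. What stops the export is the trace flags value: `TraceFlags.DEFAULT` has the sampled bit cleared, while the other fields are copied unchanged. Suggest replacing the bullets with that one sentence.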
Get the request trace ID and the span ID in your code:
Get the request trace ID and the span ID in your code:
- ```python
- from opentelemetry import trace
+```python
+# Import the necessary libraries.
+from opentelemetry import trace
- trace_id = trace.get_current_span().get_span_context().trace_id
- span_id = trace.get_current_span().get_span_context().span_id
- ```
+# Get the trace ID and span ID of the current span.
+trace_id = trace.get_current_span().get_span_context().trace_id
+span_id = trace.get_current_span().get_span_context().span_id
+```
azure-monitor Opentelemetry Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md
Use one of the following two ways to configure the connection string:
- Pass into `configure_azure_monitor`: ```python
+# Import the `configure_azure_monitor()` function from the `azure.monitor.opentelemetry` package.
from azure.monitor.opentelemetry import configure_azure_monitor
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+# Replace `<your-connection-string>` with the connection string of your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )
useAzureMonitor(options);
#### [Python](#tab/python) ```python
+# Import the `ManagedIdentityCredential` class from the `azure.identity` package.
from azure.identity import ManagedIdentityCredential
+# Import the `configure_azure_monitor()` function from the `azure.monitor.opentelemetry` package.
from azure.monitor.opentelemetry import configure_azure_monitor
+# Configure OpenTelemetry to use Azure Monitor with a managed identity credential.
+# This will allow OpenTelemetry to authenticate to Azure Monitor without requiring you to provide a connection string.
configure_azure_monitor( credential=ManagedIdentityCredential(), )
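Review bot: The added comment says the credential lets OpenTelemetry authenticate "without requiring you to provide a connection string", which conflates two things. The credential authenticates the sender; the connection string identifies the Application Insights resource, and this article's preceding section lists two ways to configure it. Suggest "Authenticate to Azure Monitor with a managed identity credential" and a pointer back to the connection string section.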
To override the default directory, you should set `storage_directory` to the dir
For example: ```python ...
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string and storage directory.
+# Replace `your-connection-string` with the connection string to your Azure Monitor Application Insights resource.
+# Replace `C:\\SomeDirectory` with the directory where you want to store the telemetry data before it is sent to Azure Monitor.
configure_azure_monitor( connection_string="your-connection-string", storage_directory="C:\\SomeDirectory",
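Review bot: The comment says telemetry is stored in the directory "before it is sent to Azure Monitor" but gives no guidance on who may read that directory, and the sample path `C:\\SomeDirectory` is a top-level folder. Since the directory holds telemetry on disk, suggest adding that it should be accessible only to the account the application runs as. The placeholder is also written `your-connection-string` here and `<your-connection-string>` in the other samples in this change.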
To disable this feature, you should set `disable_offline_storage` to `True`. Def
For example: ```python ...
+# Configure OpenTelemetry to use Azure Monitor with the specified connection string and disable offline storage.
+# Replace `your-connection-string` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="your-connection-string", disable_offline_storage=True,
For more information about Java, see the [Java supplemental documentation](java-
1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see this [README](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/monitor/azure-monitor-opentelemetry-exporter/samples/traces#collector). ```python
+ # Import the `configure_azure_monitor()`, `trace`, `OTLPSpanExporter`, and `BatchSpanProcessor` classes from the appropriate packages.
from azure.monitor.opentelemetry import configure_azure_monitor from opentelemetry import trace from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter from opentelemetry.sdk.trace.export import BatchSpanProcessor
+ # Configure OpenTelemetry to use Azure Monitor with the specified connection string.
+ # Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.
configure_azure_monitor( connection_string="<your-connection-string>", )
+
+ # Get the tracer for the current module.
tracer = trace.get_tracer(__name__)
+ # Create an OTLP span exporter that sends spans to the specified endpoint.
+ # Replace `http://localhost:4317` with the endpoint of your OTLP collector.
otlp_exporter = OTLPSpanExporter(endpoint="http://localhost:4317")
+
+ # Create a batch span processor that uses the OTLP span exporter.
span_processor = BatchSpanProcessor(otlp_exporter)
+
+ # Add the batch span processor to the tracer provider.
trace.get_tracer_provider().add_span_processor(span_processor)
+ # Start a new span with the name "test".
with tracer.start_as_current_span("test"): print("Hello world!") ```
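Review bot: The new comment tells readers to replace `http://localhost:4317` with their collector's endpoint but keeps the `http://` scheme in the example, so a reader pointing this at a remote collector is likely to copy the plaintext scheme along with it. Suggest the comment say that a collector that is not on localhost should be addressed with `https://`, since spans carry request data.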
azure-monitor Container Insights Onboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-onboard.md
- Title: Enable Container insights description: This article describes how to enable and configure Container insights so that you can understand how your container is performing and what performance-related issues have been identified.
If you're going to configure the cluster to [collect Prometheus metrics](contain
### Permissions
-To enable container monitoring, you require the following permissions:
+To enable Container insights, you require the following permissions:
-- You must be a member of the [Log Analytics contributor](../logs/manage-access.md#azure-rbac) role.-- You must be a member of the [*Owner* group](../../role-based-access-control/built-in-roles.md#owner) on any AKS cluster resources.
+- You must have at least [Contributor](../../role-based-access-control/built-in-roles.md#contributor) access to the AKS cluster.
To view data after container monitoring is enabled, you require the following permissions: -- You must be a member of the [Log Analytics reader](../logs/manage-access.md#azure-rbac) role if you aren't already a member of the [Log Analytics contributor](../logs/manage-access.md#azure-rbac) role.
+- You must have [Monitoring Reader](../roles-permissions-security.md#monitoring-reader) or [Monitoring Contributor](../roles-permissions-security.md#monitoring-contributor) role.
### Kubelet secure port
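Review bot: The view permission now reads "Monitoring Reader or Monitoring Contributor" without a scope, and offering Contributor as an alternative for a read-only task invites over-granting. Suggest naming Monitoring Reader as the minimum and stating the resource it must be assigned on, as the enable step does for the AKS cluster. The change also removes both Log Analytics role requirements without saying whether workspace access is still needed, and leaves "container monitoring" in the context sentence after the heading sentence was renamed to "Container insights".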
The following table lists the extra firewall configuration required for managed
After you've enabled monitoring, you can begin analyzing the performance of your Kubernetes clusters that are hosted on AKS, Azure Stack, or another environment. To learn how to use Container insights, see [View Kubernetes cluster performance](container-insights-analyze.md).+
azure-monitor Profiler Aspnetcore Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-aspnetcore-linux.md
description: Learn how to enable Profiler on your ASP.NET Core web application h
ms.devlang: csharp Previously updated : 08/30/2023 Last updated : 09/22/2023 # Customer Intent: As a .NET developer, I'd like to enable Application Insights Profiler for my .NET web application hosted in Linux
azure-monitor Profiler Azure Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-azure-functions.md
Title: Profile Azure Functions app with Application Insights Profiler
description: Enable Application Insights Profiler for Azure Functions app. ms.contributor: charles.weininger Previously updated : 07/15/2022- Last updated : 09/22/2023+ # Profile live Azure Functions app with Application Insights
azure-monitor Profiler Bring Your Own Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-bring-your-own-storage.md
reviewer: cweining Previously updated : 07/07/2023 Last updated : 09/22/2023
azure-monitor Profiler Cloudservice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-cloudservice.md
Title: Enable Profiler for Azure Cloud Services | Microsoft Docs
description: Profile Azure Cloud Services in real time with Application Insights Profiler. Previously updated : 07/07/2023 Last updated : 09/22/2023 # Enable Profiler for Azure Cloud Services
azure-monitor Profiler Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-containers.md
Title: Profile Azure containers with Application Insights Profiler
description: Learn how to enable the Application Insights Profiler for your ASP.NET Core application running in Azure containers. ms.contributor: charles.weininger Previously updated : 08/30/2023- Last updated : 09/22/2023+ # Customer Intent: As a .NET developer, I'd like to learn how to enable Profiler on my ASP.NET Core application running in my container.
azure-monitor Profiler Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-data.md
Title: Generate load and view Application Insights Profiler data
description: Generate load to your Azure service to view the Profiler data ms.contributor: charles.weininger Previously updated : 04/11/2023 Last updated : 09/22/2023
azure-monitor Profiler Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-overview.md
Title: Profile production apps in Azure with Application Insights Profiler
+ Title: Analyze application performance traces with Application Insights Profiler
description: Identify the hot path in your web server code with a low-footprint profiler. ms.contributor: charles.weininger Previously updated : 07/15/2022- Last updated : 09/21/2023+ # Profile production applications in Azure with Application Insights Profiler
-Diagnosing performance issues can be difficult, especially when your application is running on a production environment in the cloud. The cloud is dynamic. Machines come and go, and user input and other conditions are constantly changing. There's also potential for high scale. Slow responses in your application could be caused by infrastructure, framework, or application code handling the request in the pipeline.
+Diagnosing your application's performance issues can be difficult, especially when running on a production environment in the dynamic cloud. Slow responses in your application could be caused by infrastructure, framework, or application code handling the request in the pipeline.
-With Application Insights Profiler, you can capture and view performance traces for your application in all these dynamic situations. The process occurs automatically at scale and doesn't negatively affect your users. Profiler captures the following information so that you can easily identify performance issues while your app is running in Azure:
+With Application Insights Profiler, you can capture, identify, and view performance traces for your application running in Azure, regardless of the scenario. The Profiler trace process occurs automatically, at scale, and doesn't negatively affect your users. The Profiler identifies:
-- Identifies the median, fastest, and slowest response times for each web request made by your customers.-- Helps you identify the "hot" code path spending the most time handling a particular web request.
+- The median, fastest, and slowest response times for each web request made by your customers.
+- The "hot" code path spending the most time handling a particular web request.
-Enable the Profiler on all your Azure applications to catch issues early and prevent your customers from being widely affected. When you enable Profiler, it gathers data with these triggers:
+Enable the Profiler on all your Azure applications to gather data with the following triggers:
- **Sampling trigger**: Starts Profiler randomly about once an hour for two minutes. - **CPU trigger**: Starts Profiler when the CPU usage percentage is over 80 percent. - **Memory trigger**: Starts Profiler when memory usage is above 80 percent.
-Each of these triggers can be configured, enabled, or disabled on the [Configure Profiler page](./profiler-settings.md#trigger-settings).
+Each of these triggers can be [configured, enabled, or disabled](./profiler-settings.md#trigger-settings).
## Overhead and sampling algorithm
-Profiler randomly runs two minutes per hour on each virtual machine hosting the application with Profiler enabled for capturing traces. When Profiler is running, it adds from 5 percent to 15 percent CPU overhead to the server.
+Profiler randomly runs two minutes per hour on each virtual machine hosting applications with Profiler enabled. When Profiler is running, it adds from 5 percent to 15 percent CPU overhead to the server.
## Supported in Profiler
Profiler works with .NET applications deployed on the following Azure services.
| [Azure Container Instances for Linux](profiler-containers.md) | No | Yes | No | | Kubernetes | No | Yes | No | | [Azure Functions](./profiler-azure-functions.md) | Yes | Yes | No |
-| Azure Spring Cloud | N/A | No | No |
| [Azure Service Fabric](profiler-servicefabric.md) | Yes | Yes | No | If you've enabled Profiler but aren't seeing traces, see the [Troubleshooting guide](profiler-troubleshooting.md).
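Review bot: The title changes to "Analyze application performance traces with Application Insights Profiler", but the H1 in the unchanged metadata line still reads "# Profile production applications in Azure with Application Insights Profiler", so the page title and top heading now disagree; update the H1 in the same change. In the rewritten intro, "regardless of the scenario" replaces the concrete description of changing machines and load with a vaguer claim and could simply be dropped. The new lead-in to the trigger list ("Enable the Profiler on all your Azure applications to gather data with the following triggers") also loses the reason for enabling it everywhere, which the removed sentence gave (catching issues early).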
azure-monitor Profiler Servicefabric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-servicefabric.md
Title: Enable Profiler for Azure Service Fabric applications
description: Profile live Azure Service Fabric apps with Application Insights. Previously updated : 07/15/2022 Last updated : 09/22/2023 # Enable Profiler for Azure Service Fabric applications
azure-monitor Profiler Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-settings.md
Title: Configure Application Insights Profiler | Microsoft Docs
description: Use the Application Insights Profiler settings pane to see Profiler status and start profiling sessions ms.contributor: Charles.Weininger Previously updated : 08/09/2022 Last updated : 09/22/2023 # Configure Application Insights Profiler
To open the Application Insights Profiler settings pane, select **Performance**
You can view Profiler traces across your Azure resources via two methods: -- By the **Profiler** button:
+- The **Profiler** button:
Select **Profiler**. :::image type="content" source="./media/profiler-overview/profiler-button-inline.png" alt-text="Screenshot that shows the Profiler button on the Performance pane." lightbox="media/profiler-settings/profiler-button.png"::: -- By operation:
+- Operations:
1. Select an operation from the **Operation name** list. **Overall** is highlighted by default. 1. Select **Profiler traces**.
Within Profiler, you can configure and view Profiler. The **Application Insights
**Recent profiling sessions** | Displays information about past profiling sessions, which you can sort by using the filters at the top of the page. ## Profile now+ Select **Profile now** to start a profiling session on demand. When you select this link, all Profiler agents that are sending data to this Application Insights instance start to capture a profile. After 5 to 10 minutes, the profile session is shown in the list. To manually trigger a Profiler session, you need, at minimum, *write* access on your role for the Application Insights component. In most cases, you get write access automatically. If you're having issues, you need the **Application Insights Component Contributor** subscription scope role added. For more information, see [Resources, roles, and access control in Application Insights](../app/resources-roles-access-control.md).
CPU % | Percentage of CPU used while Profiler was running.
Memory % | Percentage of memory used while Profiler was running. ## Next steps+ [Enable Profiler and view traces](profiler-overview.md?toc=/azure/azure-monitor/toc.json) [profiler-on-demand]: ./media/profiler-settings/profiler-on-demand.png
azure-monitor Profiler Trackrequests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-trackrequests.md
Title: Write code to track requests with Application Insights | Microsoft Docs
description: Write code to track requests with Application Insights so you can get profiles for your requests. Previously updated : 08/09/2022 Last updated : 09/22/2023 # Write code to track requests with Application Insights
-Application Insights needs to track requests for your application to provide profiles for your application on the **Performance** page in the Azure portal.
-
-For applications built on already-instrumented frameworks (like ASP.NET and ASP.NET Core), Application Insights can automatically track requests.
+Application Insights needs to track requests for your application to provide profiles for your application on the **Performance** page in the Azure portal. For applications built on already-instrumented frameworks (like ASP.NET and ASP.NET Core), Application Insights can automatically track requests.
For other applications (like Azure Cloud Services worker roles and Azure Service Fabric stateless APIs), you need to track requests with code that tells Application Insights where your requests begin and end. Requests telemetry is then sent to Application Insights, which you can view on the **Performance** page. Profiles are collected for those requests.
azure-monitor Profiler Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-vm.md
Title: Enable Profiler for web apps on an Azure virtual machine description: Profile web apps running on an Azure virtual machine or a virtual machine scale set by using Application Insights Profiler Previously updated : 07/18/2022 Last updated : 09/22/2023
[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
-In this article, you learn how to run Application Insights Profiler on your Azure virtual machine (VM) or Azure virtual machine scale set via three different methods. With any of these methods, you:
+In this article, you learn how to run Application Insights Profiler on your Azure virtual machine (VM) or Azure virtual machine scale set via three different methods:
+
+- Visual Studio and Azure Resource Manager
+- PowerShell
+- Azure Resource Explorer
+
+With any of these methods, you:
- Configure the Azure Diagnostics extension to run Profiler. - Install the Application Insights SDK on a VM.
In this article, you learn how to run Application Insights Profiler on your Azur
## Prerequisites
-You need:
- - A functioning [ASP.NET Core application](/aspnet/core/getting-started). - An [Application Insights resource](../app/create-workspace-resource.md). - To review the Azure Resource Manager templates (ARM templates) for the Azure Diagnostics extension:
You need:
You can enable Profiler by any of three ways: -- Within your ASP.NET Core application by using an Azure Resource Manager template and Visual Studio. We recommend this method.
+- Within your ASP.NET Core application by using an Azure Resource Manager template and Visual Studio. **Recommended.**
- By using a PowerShell command via the Azure CLI. - By using Azure Resource Explorer.
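Review bot: The new three-item list in the introduction names the second method "PowerShell", while the unchanged list further down still describes it as "By using a PowerShell command via the Azure CLI"; these read as two different tools, so align the wording in both places. The article now also enumerates the three methods twice (the new intro list and "You can enable Profiler by any of three ways"), so consider turning the intro bullets into links to the method sections or trimming the later list down to the "Recommended" marker.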
azure-monitor Profiler https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler.md
Title: Enable Profiler for Azure App Service apps | Microsoft Docs description: Profile live apps on Azure App Service with Application Insights Profiler. Previously updated : 05/01/2023- Last updated : 09/21/2023+ # Enable Profiler for Azure App Service apps
-Application Insights Profiler is preinstalled as part of the Azure App Service runtime. You can run Profiler on ASP.NET and ASP.NET Core apps running on App Service by using the Basic service tier or higher. Follow these steps even if you've included the Application Insights SDK in your application at build time.
+Application Insights Profiler is preinstalled as part of the Azure App Service runtime. You can run Profiler on ASP.NET and ASP.NET Core apps running on App Service by using the Basic service tier or higher. Follow these steps, even if you included the Application Insights SDK in your application at build time.
To enable Profiler on Linux, walk through the [ASP.NET Core Azure Linux web apps instructions](profiler-aspnetcore-linux.md). > [!NOTE]
-> Codeless installation of Application Insights Profiler follows the .NET Core support policy.
-> For more information about supported runtime, see [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).
+> Codeless installation of Application Insights Profiler follows the .NET Core support policy. For more information about supported runtime, see [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).
## Prerequisites
-You need:
- - An [Azure App Service ASP.NET/ASP.NET Core app](../../app-service/quickstart-dotnetcore.md). - An [Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource) connected to your App Service app.
-## Verify the Always on setting is enabled
+## Verify the "Always on" setting is enabled
1. In the Azure portal, go to your App Service instance. 1. Under **Settings** on the left pane, select **Configuration**.
azure-resource-manager Async Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/async-operations.md
There are two different ways to monitor the status the asynchronous operation. Y
If `Azure-AsyncOperation` isn't one of the header values, then look for:
-* `Location` - URL for determining when an operation has completed. Only use this value only when `Azure-AsyncOperation` isn't returned.
+* `Location` - URL for determining when an operation has completed. Use this value only when `Azure-AsyncOperation` isn't returned.
* `Retry-After` - The number of seconds to wait before checking the status of the asynchronous operation. > [!NOTE]
If the request is still running, you receive a status code 202. If the request h
## Next steps * For documentation about each REST operation, see [REST API documentation](/rest/api/azure/).
-* For information about deploying templates through the Resource Manager REST API, see [Deploy resources with Resource Manager templates and Resource Manager REST API](../templates/deploy-rest.md).
+* For information about deploying templates through the Resource Manager REST API, see [Deploy resources with Resource Manager templates and Resource Manager REST API](../templates/deploy-rest.md).
backup Save Backup Passphrase Securely In Azure Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/save-backup-passphrase-securely-in-azure-key-vault.md
Based on the Key Vault permission model (either role-based access permissions or
To assign the permissions, follow these steps: 1. Go to your *Azure Key Vault* > **Settings** > **Access Configuration** to ensure that the permission model is **RBAC**.
-
+
+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/open-access-configuration.png" alt-text="Screenshot shows how to open access configuration under settings." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/open-access-configuration.png":::
+ 2. Select **Access control (IAM)** > **+Add** to add role assignment. 3. The Recovery Services vault identity requires the **Set permission on Secret** to create and add the passphrase as a Secret to the Key Vault. You can select a *built-in role* such as **Key Vault Secrets Officer** that has the permission (along with other permissions not required for this feature) or [create a custom role](../key-vault/general/rbac-guide.md?tabs=azurepowershell#creating-custom-roles) with only Set permission on Secret.
- Select **Details** to view the permissions granted by the role and ensure Set permission on Secret is available.
+ Under **Details**, select **View** to view the permissions granted by the role and ensure *Set* permission on *Secret* is available.
+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/view-permission-details.png" alt-text="Screenshot shows how to view the permission details." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/view-permission-details.png":::
+
+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/check-set-permission-availability-on-secret.png" alt-text="Screenshot shows how to check the Set permission availability." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/check-set-permission-availability-on-secret.png":::
+ 4. Select **Next** to proceed to select Members for assignment. 5. Select **Managed identity** and then **+ Select members**. choose the **Subscription** of the target Recovery Services vault, select Recovery Services vault under **System-assigned managed identity**. Search and select the *name of the Recovery Services vault*.+
+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/add-members-in-managed-identity.png" alt-text="Screenshot shows how to add members in managed identity." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/add-members-in-managed-identity.png":::
6. Select **Next**, review the assignment, and select **Review + assign**.
-
-7. Go to **Access control (IAM)** in the Key Vault, select **Role assignments** and ensure that the Recovery Services vault is listed.
+
+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/review-and-assign-permissions.png" alt-text="Screenshot shows how to review and assign permissions." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/review-and-assign-permissions.png":::
+
+7. Go to **Access control (IAM)** in the Key Vault, select **Role assignments** and ensure that the Recovery Services vault is listed.
+
+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/recovery-services-vault-listed-in-access-control.png" alt-text="Screenshot shows the Recovery Services vault is listed in access control." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/recovery-services-vault-listed-in-access-control.png":::
# [PowerShell](#tab/powershell)
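Review bot: Step 3 still offers the built-in **Key Vault Secrets Officer** role first even though the same sentence says it carries "other permissions not required for this feature"; since this change already touches the verification sentence in that step, it would be a good place to recommend the custom role with only Set permission on Secret for the Recovery Services vault identity and present the built-in role as the fallback. The reworded line formats the permission as *Set* permission on *Secret*, while the sentence above it uses bold and plain text for the same phrase; pick one style. In step 5, "choose the **Subscription**" starts a sentence in lowercase.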
chaos-studio Chaos Studio Target Selection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-target-selection.md
+
+ Title: Target selection in Azure Chaos Studio Preview
+description: Understand two different ways to select experiment targets in Azure Chaos Studio Preview.
++++ Last updated : 09/25/2023+++
+# Target selection in Azure Chaos Studio Preview
+
+Every chaos experiment is made up of a different combination of faults and targets, building up to a unique outage scenario to test your system's resilience against. You may want to select a fixed set of targets for your chaos experiment, or provide a rule in which all matching fault-onboarded resources are included as targets in your experiment. Chaos Studio enables you to do both by providing both manual and query-based target selection.
+
+## List-based manual target selection
+
+List-based manual target selection allows you to select a fixed set of onboarded targets for a particular fault in your chaos experiment. Depending on the selected fault, you may select one or more onboarded resources to target. The aforementioned resources are added to the experiment upon creation time. In order to modify the list, you must navigate to the experiment's page and add or remove fault targets manually. An example of manual target selection is shown below.
+
+[ ![Screenshot that shows the list-based manual target selection option in the Azure portal.](images/manual-target-selection.png) ](images/manual-target-selection.png#lightbox)
+
+## Query-based dynamic target selection
+
+Query-based dynamic target selection allows you to input a KQL query that will select all onboarded targets that match the query result set. Using your query, you may filter targets based on common Azure resource parameters including type, region, name, and more. Upon experiment creation time, only the query itself will be added to your chaos experiment.
+
+The inputted query will run and add onboarded targets that match its result set upon experiment execution time. Thus, any resources onboarded to Chaos Studio after experiment creation time that match the query result set upon experiment execution time will be targeted by your experiment. You may preview your query's result set when adding it to your experiment, but be aware that it may not match the result set at experiment execution time. An example of a possible dynamic target query is shown below.
+
+[ ![Screenshot that shows the query-based dynamic target selection option in the Azure portal.](images/dynamic-target-selection-preview.png) ](images/dynamic-target-selection-preview.png#lightbox)
+
+## Next steps
+Now that you understand both ways to select targets within a chaos experiment, you're ready to:
+
+- [Create and run your first experiment](chaos-studio-tutorial-service-direct-portal.md)
communication-services Call Recording https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/call-recording.md
Call Recording enables you to record multiple calling scenarios available in Azure Communication Services by providing you with a set of APIs to start, stop, pause and resume recording. Whether it's a PSTN, WebRTC, or SIP call, these APIs can be accessed from your server-side business logic. Also, recordings can be triggered by a user action that tells the server application to start recording. Depending on your business needs, you can use Call Recording for different Azure Communication Services calling implementations.
-For example, you can record 1:1 or 1:N scenarios for audio and video calls enabled by [Calling Client SDK](./calling-sdk-features.md).
+For example, you can record 1:1 or 1:N audio and video calls:
![Diagram showing a call that it's being recorded.](../media/call-recording-client.png)
But also, you can use Call Recording to record complex PSTN or VoIP inbound and
Regardless of how you established the call, Call Recording allows you to produce mixed or unmixed media files that are stored for 48 hours on a built-in temporary storage. You can retrieve the files and take them to the long-term storage solution of your choice. Call Recording supports all Azure Communication Services data regions.
-![Diagram showing call recording architecture using calling client sdk.](../media/call-recording-with-call-automation.png)
+![Diagram showing call recording architecture.](../media/call-recording-with-call-automation.png)
## Call Recording that supports your business needs Call Recording supports multiple media outputs and content types to address your business needs and use cases. You might use mixed formats for scenarios such as keeping records, meeting notes, coaching and training, or even compliance and adherence. Or, you can use unmixed audio format to address quality assurance use cases or even more complex scenarios like advanced analytics or AI-based (Artificial Intelligence) sophisticated post-call processes.
communication-services Calling Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md
The Azure Communication Services Calling SDK supports the following streaming co
| Limit | Web | Windows/Android/iOS | | - | | -- | | **Maximum # of outgoing local streams that can be sent simultaneously** | 1 video and 1 screen sharing | 1 video + 1 screen sharing |
-| **Maximum # of incoming remote streams that can be rendered simultaneously** | 9 videos + 1 screen sharing WebSDK version [1.16.3](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md#1163-stable-2023-08-24) or greater | 9 videos + 1 screen sharing |
+| **Maximum # of incoming remote streams that can be rendered simultaneously** | 9 videos + 1 screen sharing on desktop browsers*, 4 videos + 1 screen sharing on web mobile browsers | 9 videos + 1 screen sharing |
+\* Starting from ACS Web Calling SDK version [1.16.3](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md#1163-stable-2023-08-24)
While the Calling SDK don't enforce these limits, your users may experience performance degradation if they're exceeded. Use the API of [Optimal Video Count](../../how-tos/calling-sdk/manage-video.md?pivots=platform-web#remote-video-quality) to determine how many current incoming video streams your web environment can support. ## Calling SDK timeouts
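Review bot: In the "incoming remote streams" row, the asterisk is attached only to the desktop-browser figure, and the footnote says "Starting from ACS Web Calling SDK version 1.16.3" without stating what limit applies before that version or whether the mobile figure of 4 videos depends on the SDK version too; spell out both cases. The footnote line directly follows the table row, so check the rendered page to confirm it isn't pulled into the table, and add a blank line before it if it is. The Web column also mixes "1 video and 1 screen sharing" with the "+" form used in every other cell.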
confidential-computing Vmss Deployment From Hardened Linux Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/vmss-deployment-from-hardened-linux-image.md
+
+ Title: Deploy a virtual machine scale set using a hardened Linux image
+description: Learn how to use vmss to deploy a scale set using the hardened linux image.
++
+m
++ Last updated : 9/12/2023++++
+# Deploy a virtual machine scale set using a hardened Linux image
+
+**Applies to:** :heavy_check_mark: Hardened Linux Images
+
+Virtual machine scale set deployments using images from Azure marketplace can be done following the steps described for standard [VMSS deployments](/azure/virtual-machine-scale-sets/flexible-virtual-machine-scale-sets-cli).
+
+However, if you have chosen to create a hardened linux image by removing the Azure guest agents, it's crucial to comprehend what functionalities the VM loses before you decide to remove the Azure Linux Agent, and how it affects vmss deployment.
+
+This "how to" document describes the steps to deploy a virtual machine scale set instance while comprehending the functional limitations of the hardened image on deploying the vmss instance.
+## Prerequisites
+
+- Azure subscription - If you don't have an Azure subscription, [create a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- If your free trial accounts don't have access to the VMs used in this tutorial, one option is to use a [pay as you go subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/).
+- A hardened linux image - you can create one from this [article](harden-a-linux-image-to-remove-azure-guest-agent.md).
+
+### VMSS confidential VM deployment from a hardened Linux image
+
+Steps to deploy a scale set using VMSS and a hardened image are as follows:
+
+1. Follow the steps to harden a Linux image.
+
+ [Harden a Linux image to remove Azure guest agent](harden-a-linux-image-to-remove-azure-guest-agent.md).
+
+ [Harden a Linux image to remove sudo users](harden-the-linux-image-to-remove-sudo-users.md).
+
+2. Log in to the Azure CLI.
+
+ Make sure that you've installed the latest [Azure CLI](/cli/azure/install-azure-cli) and are logged in to an Azure account with [az login](/cli/azure/reference-index).
+
+3. Launch Azure Cloud Shell.
+
+ The [Azure Cloud Shell](https://shell.azure.com/cli) is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
+
+ To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to https://shell.azure.com/bash. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and select Enter to run it.
+
+ If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.30 or later. Run az--version to find the version. If you need to install or upgrade, see Install Azure CLI.
+
+4. Create a resource group.
+
+ Create a resource group with the [az group create](/cli/azure/group) command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup in the eastus location:
+
+
+ ```Azure CLI
+ az group create --name myResourceGroup --location eastus
+ ```
+
+ > [!NOTE]
+ > Confidential VMs are not available in all locations. For currently supported locations, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).
+
+5. Create a Virtual Machine Scale Set.
+
+ Now create a Virtual Machine Scale Set with az vmss create az cli. The following example creates a scale set called myScaleSet with an instance count of 2.
+
+ If you are looking to set an admin username, ensure that it isn't part of the [reserved words](/rest/api/compute/virtualmachines/createorupdate#osprofile) list for vmss.
+ In this case, the username is auto set to azureuser.
+ For the admin credentials, you will be able to use the credentials that you set from the hardened image while you create the vm.
+
+ > [!NOTE]
+ > For specalized images, [osprofile properties](/azure/virtual-machines/shared-image-galleries) are handled differently than generalized images.
+ > Using a [load balancer](/azure/load-balancer/load-balancer-overview) is optional but is encouraged for these reasons.
+
+ ```azurecli-interactive
+ az vmss create \
+ --resource-group myResourceGroup \
+ --name myScaleSet \
+ --vm-sku "Standard_DC4as_v5" \
+ --security-type ConfidentialVM \
+ --os-disk-security-encryption-type DiskwithVMGuestState \
+ --os-disk-secure-vm-disk-encryption-set "/subscriptions/.../disk-encryption-sets/<des-name>" \
+ --image "/subscriptions/.../images/<imageName>/versions/<version>" \
+ --enable-vtpm true \
+ --enable-secure-boot true \
+ --vnet-name <virtual-network-name> \
+ --subnet <subnet-name> \
+ --lb "/subscriptions/.../loadBalancers/<lb-name>" \
+ --specialized true \
+ --instance-count 2 \
+ --admin-username "azureuser" \
+ --admin-password ""
+ ```
+
+6. Access the virtual machine scale set from the portal.
+
+ You can access your cvm scale set and use the admin username and password set previously to log in. Please note that if you choose to update the admin credentials, do so directly in the scale set model using the cli.
+
+ > [!NOTE]
+ > If you are looking to deploy cvm scaled scale using the custom hardened image, please note that some features related to auto scaling will be restricted. Will manual scaling rules continue to work as expected, the autoscaling ability will be limited due to the agentless custom image. More details on the restrictions can be found here for the [provisioning agent](/azure/virtual-machines/linux/disable-provisioning). Alternatively, you can navigate to the metrics tab on the azure portal and confirm the same.
+ > However, you can continue to set up custom rules based on load balancer metrics such as SYN count, SNAT connection count, etc.
+
+## Next Steps
+
+In this article, you learned how to deploy a virtual machine scale set instance with a hardened linux image. For more information about CVM, see [DCasv5 and ECasv5 series confidential VMs](confidential-vm-overview.md).
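Review bot: In step 5 the sample command passes `--specialized true` together with `--admin-username "azureuser"` and `--admin-password ""`, while the note just above it says osprofile properties are handled differently for specialized images and the text says the credentials come from the hardened image; the empty password in a copy-paste command is confusing at best, so either drop the two admin flags from the example or explain exactly what they do in this case. The same note ends with "is encouraged for these reasons" but lists no reasons. In step 6, "Will manual scaling rules continue to work" should read "While manual scaling rules continue to work", and "cvm scaled scale" should be "CVM scale set". Other fixes: "Run az--version" needs a space (`az --version`), "specalized" is misspelled, the first code fence is tagged `Azure CLI` while the second uses `azurecli-interactive`, there is a stray "m" line in the metadata block, and step 2 (log in to the CLI) comes before step 3 (launch Cloud Shell), which is the reverse of the order a reader would follow. Capitalization of "Linux", "VMSS" and "CVM" is inconsistent throughout.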
container-registry Container Registry Troubleshoot Login https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-troubleshoot-login.md
Related links:
* [Login with repository-scoped token](container-registry-repository-scoped-permissions.md) * [Add or remove Azure role assignments using the Azure portal](../role-based-access-control/role-assignments-portal.md) * [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md)
-* [Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret)
+* [Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret)
* [Azure AD authentication and authorization codes](../active-directory/develop/reference-aadsts-error-codes.md) ### Check that credentials aren't expired
If you don't resolve your problem here, see the following options.
* [Troubleshoot registry performance](container-registry-troubleshoot-performance.md) * [Community support](https://azure.microsoft.com/support/community/) options * [Microsoft Q&A](/answers/products/)
-* [Open a support ticket](https://azure.microsoft.com/support/create-ticket/) - based on information you provide, a quick diagnostic might be run for authentication failures in your registry
+* [Open a support ticket](https://azure.microsoft.com/support/create-ticket/) - based on information you provide, a quick diagnostic might be run for authentication failures in your registry
cosmos-db Index Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/index-overview.md
Azure Cosmos DB currently supports three types of indexes. You can configure the
### Range Index
-**Range** index is based on an ordered tree-like structure. The range index type is used for:
+**Range** indexes are based on an ordered tree-like structure. The range index type is used for:
- Equality queries:
Spatial indexes can be used on correctly formatted [GeoJSON](./sql-query-geospat
SELECT * FROM container c WHERE c.property1 = 'value' ORDER BY c.property1, c.property2 ``` -- Queries with a filter on two or more properties were at least one property is an equality filter
+- Queries with a filter on two or more properties where at least one property is an equality filter
```sql SELECT * FROM container c WHERE c.property1 = 'value' AND c.property2 > 'value'
Spatial indexes can be used on correctly formatted [GeoJSON](./sql-query-geospat
As long as one filter predicate uses one of the index type, the query engine evaluates that first before scanning the rest. For example, if you have a SQL query such as `SELECT * FROM c WHERE c.firstName = "Andrew" and CONTAINS(c.lastName, "Liu")` -- The above query will first filter for entries where firstName = "Andrew" by using the index. It then pass all of the firstName = "Andrew" entries through a subsequent pipeline to evaluate the CONTAINS filter predicate.
+- The above query will first filter for entries where firstName = "Andrew" by using the index. It then passes all of the firstName = "Andrew" entries through a subsequent pipeline to evaluate the CONTAINS filter predicate.
- You can speed up queries and avoid full container scans when using functions that perform a full scan like CONTAINS. You can add more filter predicates that use the index to speed up these queries. The order of filter clauses isn't important. The query engine figures out which predicates are more selective and run the query accordingly.
Here's a table that summarizes the different ways indexes are used in Azure Cosm
| Full index scan | Read distinct set of indexed values and load only matching items from the transactional data store | Contains, EndsWith, RegexMatch, LIKE | Increases linearly based on the cardinality of indexed properties | Increases based on number of items in query results | | Full scan | Load all items from the transactional data store | Upper, Lower | N/A | Increases based on number of items in container |
-When writing queries, you should use filter predicate that uses the index as efficiently as possible. For example, if either `StartsWith` or `Contains` would work for your use case, you should opt for `StartsWith` since it does a precise index scan instead of a full index scan.
+When writing queries, you should use filter predicates that use the index as efficiently as possible. For example, if either `StartsWith` or `Contains` would work for your use case, you should opt for `StartsWith` since it does a precise index scan instead of a full index scan.
## Index usage details
To execute this query, the query engine must do an index seek on `headquarters/e
Queries with aggregate functions must rely exclusively on the index in order to use it.
-In some cases, the index can return false positives. For example, when evaluating `Contains` on the index, the number of matches in the index may exceed the number of query results. The query engine loads all index matches, evaluate the filter on the loaded items, and return only the correct results.
+In some cases, the index can return false positives. For example, when evaluating `Contains` on the index, the number of matches in the index may exceed the number of query results. The query engine loads all index matches, evaluates the filter on the loaded items, and returns only the correct results.
-For most queries, loading false positive index matches don't have any noticeable effect on index utilization.
+For most queries, loading false positive index matches doesn't have any noticeable effect on index utilization.
For example, consider the following query:
cosmos-db How To Configure Cosmos Db Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-configure-cosmos-db-trigger.md
To enable logging when using Azure Functions trigger for Azure Cosmos DB, locate
{ "version": "2.0", "logging": {
- "fileLoggingMode": "always",
+ "fileLoggingMode": "debugOnly",
"logLevel": { "Host.Triggers.CosmosDB": "Warning" }
cost-management-billing Exchange And Refund Azure Reservations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/exchange-and-refund-azure-reservations.md
Previously updated : 08/08/2023 Last updated : 09/25/2023
You can exchange your reservation from the [Azure portal](https://portal.azure.c
1. Review and complete the transaction. [![Example image showing the VM product to purchase with an exchange, completing the return](./media/exchange-and-refund-azure-reservations/exchange-refund-confirm-exchange.png)](./media/exchange-and-refund-azure-reservations/exchange-refund-confirm-exchange.png#lightbox)
-To refund a reservation, go into the Reservationthat you are looking to cancel and select **Return**.
+To refund a reservation, go into the Reservation that you're looking to cancel and select **Return**.
## Exchange multiple reservations
Money is added to the Azure Prepayment (previously called monetary commitment) f
If the original reservation purchase was made from an overage, the refund is returned to you as a partial credit note. The refund doesnΓÇÖt affect the original or later invoices.
+### Microsoft Customer Agreement customers
+
+For customers that pay by wire transfer, the refunded amount is automatically applied to the next monthΓÇÖs invoice. The return or refund doesn't generate a new invoice.
+
+For customers that pay by credit card, the refunded amount is returned to the credit card that was used for the original purchase. If you've changed your card, [contact support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
+ ### Pay-as-you-go invoice payments and CSP program The original reservation purchase invoice is canceled and then a new invoice is created for the refund. For exchanges, the new invoice shows the refund and the new purchase. The refund amount is adjusted against the purchase. If you only refunded a reservation, then the prorated amount stays with Microsoft and it's adjusted against a future reservation purchase. If you bought a reservation at pay-as-you-go rates and later move to a CSP, the reservation can be returned and repurchased without a penalty.
data-factory Concepts Pipelines Activities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/concepts-pipelines-activities.md
Policies affect the run-time behavior of an activity, giving configuration optio
JSON name | Description | Allowed Values | Required | -- | -- | --
-timeout | Specifies the timeout for the activity to run. | Timespan | No. Default timeout is 12 hours.
+timeout | Specifies the timeout for the activity to run. | Timespan | No. Default timeout is 12 hours, minimum 10 minutes.
retry | Maximum retry attempts | Integer | No. Default is 0 retryIntervalInSeconds | The delay between retry attempts in seconds | Integer | No. Default is 30 seconds secureOutput | When set to true, the output from activity is considered as secure and aren't logged for monitoring. | Boolean | No. Default is false.
data-factory Connector Azure Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-sql-database.md
Settings specific to Azure SQL Database are available in the **Source Options**
:::image type="content" source="media/data-flow/isolationlevel.png" alt-text="Isolation Level":::
-**Enable incremental extract**: Use this option to tell ADF to only process rows that have changed since the last time that the pipeline executed.
+**Enable incremental extract**: Use this option to tell ADF to only process rows that have changed since the last time that the pipeline executed.To enable incremental extract with schema drift, choose tables based on Incremental / Watermark columns rather than tables that are enabled for Native Change Data Capture.
**Incremental column**: When using the incremental extract feature, you must choose the date/time or numeric column that you wish to use as the watermark in your source table.
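Review bot: The sentence added to **Enable incremental extract** is run onto the previous one with no space ("executed.To enable"); add the space after the period. "Incremental / Watermark columns" and "Native Change Data Capture" are capitalized as if they were UI labels: if they are option names, bold them like the other labels in this section, otherwise lower-case them.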
data-factory Copy Activity Data Consistency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/copy-activity-data-consistency.md
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
-When you move data from source to destination store, the copy activity provides an option for you to do additional data consistency verification to ensure the data is not only successfully copied from source to destination store, but also verified to be consistent between source and destination store. Once inconsistent files have been found during the data movement, you can either abort the copy activity or continue to copy the rest by enabling fault tolerance setting to skip inconsistent files. You can get the skipped file names by enabling session log setting in copy activity. You can refer to [session log in copy activity](copy-activity-log.md) for more details.
+When you move data from source to destination store, the copy activity provides an option for you to do further data consistency verification to ensure the data is not only successfully copied from source to destination store, but also verified to be consistent between source and destination store. Once inconsistent files have been found during the data movement, you can either abort the copy activity or continue to copy the rest by enabling fault tolerance setting to skip inconsistent files. You can get the skipped file names by enabling session log setting in copy activity. You can refer to [session log in copy activity](copy-activity-log.md) for more details.
## Supported data stores and scenarios - Data consistency verification is supported by all the connectors except FTP, SFTP, HTTP, Snowflake, Office 365 and Azure Databricks Delta Lake. -- Data consistency verification is not supported in staging copy scenario.
+- Data consistency verification isn't supported in staging copy scenario.
- When copying binary files, data consistency verification is only available when 'PreserveHierarchy' behavior is set in copy activity. - When copying multiple binary files in single copy activity with data consistency verification enabled, you have an option to either abort the copy activity or continue to copy the rest by enabling fault tolerance setting to skip inconsistent files. - When copying a table in single copy activity with data consistency verification enabled, copy activity fails if the number of rows read from the source is different from the number of rows copied to the destination plus the number of incompatible rows that were skipped.
When you move data from source to destination store, the copy activity provides
The following example provides a JSON definition to enable data consistency verification in Copy Activity: ```json
-"typeProperties": {
-"source": {
+{
+ "name":"CopyActivityDataConsistency",
+ "type":"Copy",
+ "typeProperties": {
+ "source": {
"type": "BinarySource", "storeSettings": { "type": "AzureDataLakeStoreReadSettings",
The following example provides a JSON definition to enable data consistency veri
"storeSettings": { "type": "AzureDataLakeStoreWriteSettings" }
-},
+ },
"validateDataConsistency": true, "skipErrorFile": { "dataInconsistency": true
The following example provides a JSON definition to enable data consistency veri
Property | Description | Allowed values | Required -- | -- | -- | --
-validateDataConsistency | If you set true for this property, when copying binary files, copy activity will check file size, lastModifiedDate, and MD5 checksum for each binary file copied from source to destination store to ensure the data consistency between source and destination store. When copying tabular data, copy activity will check the total row count after job completes to ensure the total number of rows read from the source is same as the number of rows copied to the destination plus the number of incompatible rows that were skipped. Be aware the copy performance will be affected by enabling this option. | True<br/>False (default) | No
+validateDataConsistency | If you set true for this property, when copying binary files, copy activity will check file size, lastModifiedDate, and MD5 checksum for each binary file copied from source to destination store to ensure the data consistency between source and destination store. When copying tabular data, copy activity will check the total row count after job completes, ensuring the total number of rows read from the source is same as the number of rows copied to the destination plus the number of incompatible rows that were skipped. Be aware the copy performance is affected by enabling this option. | True<br/>False (default) | No
dataInconsistency | One of the key-value pairs within skipErrorFile property bag to determine if you want to skip the inconsistent files. <br/> -True: you want to copy the rest by skipping inconsistent files.<br/> - False: you want to abort the copy activity once inconsistent file found.<br/>Be aware this property is only valid when you are copying binary files and set validateDataConsistency as True. | True<br/>False (default) | No logSettings | A group of properties that can be specified to enable session log to log skipped files. | | No linkedServiceName | The linked service of [Azure Blob Storage](connector-azure-blob-storage.md#linked-service-properties) or [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#linked-service-properties) to store the session log files. | The names of an `AzureBlobStorage` or `AzureBlobFS` types linked service, which refers to the instance that you use to store the log files. | No path | The path of the log files. | Specify the path that you want to store the log files. If you do not provide a path, the service creates a container for you. | No >[!NOTE]
->- When copying binary files from, or to Azure Blob or Azure Data Lake Storage Gen2, the service does block level MD5 checksum verification leveraging [Azure Blob API](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions?view=azure-dotnet-legacy&preserve-view=true) and [Azure Data Lake Storage Gen2 API](/rest/api/storageservices/datalakestoragegen2/path/update#request-headers). If ContentMD5 on files exist on Azure Blob or Azure Data Lake Storage Gen2 as data sources, the service does file level MD5 checksum verification after reading the files as well. After copying files to Azure Blob or Azure Data Lake Storage Gen2 as data destination, the service writes ContentMD5 to Azure Blob or Azure Data Lake Storage Gen2 which can be further consumed by downstream applications for data consistency verification.
+>- When copying binary files from or to Azure Blob or Azure Data Lake Storage Gen2, the service does block level MD5 checksum verification leveraging [Azure Blob API](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions?view=azure-dotnet-legacy&preserve-view=true) and [Azure Data Lake Storage Gen2 API](/rest/api/storageservices/datalakestoragegen2/path/update#request-headers). If ContentMD5 on files exist on Azure Blob or Azure Data Lake Storage Gen2 as data sources, the service does file level MD5 checksum verification after reading the files as well. After copying files to Azure Blob or Azure Data Lake Storage Gen2 as data destination, the service writes ContentMD5 to Azure Blob or Azure Data Lake Storage Gen2 which can be further consumed by downstream applications for data consistency verification.
>- The service does file size verification when copying binary files between any storage stores. ## Monitoring
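Review bot: In the `validateDataConsistency` row, the rewritten clause reads "is same as the number of rows copied" and needs "the same as". The cell is also only half converted to present tense: "copy activity will check" still appears twice while the last sentence was changed to "is affected", so pick one tense for the whole cell.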
You can see the details of data consistency verification from "dataConsistencyVe
Value of **VerificationResult**: - **Verified**: Your copied data has been verified to be consistent between source and destination store. -- **NotVerified**: Your copied data has not been verified to be consistent because you have not enabled the validateDataConsistency in copy activity. -- **Unsupported**: Your copied data has not been verified to be consistent because data consistency verification is not supported for this particular copy pair.
+- **NotVerified**: Your copied data hasn't been verified to be consistent because you haven't enabled the validateDataConsistency in copy activity.
+- **Unsupported**: Your copied data hasn't been verified to be consistent because data consistency verification isn't supported for this particular copy pair.
Value of **InconsistentData**: - **Found**: The copy activity has found inconsistent data. - **Skipped**: The copy activity has found and skipped inconsistent data. -- **None**: The copy activity has not found any inconsistent data. It can be either because your data has been verified to be consistent between source and destination store or because you disabled validateDataConsistency in copy activity.
+- **None**: The copy activity hasn't found any inconsistent data. It can be either because your data has been verified to be consistent between source and destination store or because you disabled validateDataConsistency in copy activity.
### Session log from copy activity
-If you configure to log the inconsistent file, you can find the log file from this path: `https://[your-blob-account].blob.core.windows.net/[path-if-configured]/copyactivity-logs/[copy-activity-name]/[copy-activity-run-id]/[auto-generated-GUID].csv`. The log files will be the csv files.
+If you configure to log the inconsistent file, you can find the log file from this path: `https://[your-blob-account].blob.core.windows.net/[path-if-configured]/copyactivity-logs/[copy-activity-name]/[copy-activity-run-id]/[auto-generated-GUID].csv`. The log files are the csv files.
The schema of a log file is as following: Column | Description -- | -- Timestamp | The timestamp when the service skips the inconsistent files.
-Level | The log level of this item. It will be in 'Warning' level for the item showing file skipping.
-OperationName | The copy activity operational behavior on each file. It will be 'FileSkip' to specify the file to be skipped.
+Level | The log level of this item. It is in 'Warning' level for the item showing file skipping.
+OperationName | The copy activity operational behavior on each file. It is 'FileSkip' to specify the file to be skipped.
OperationItem | The file name to be skipped. Message | More information to illustrate why files being skipped.
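Review bot: "The log files are the csv files" in the session log paragraph reads oddly after the tense change; "The log files are CSV files" says what is meant. In the schema rows, "It is in 'Warning' level" and "It is 'FileSkip' to specify the file to be skipped" would be clearer as "The value is 'Warning' for items that record a skipped file" and "The value is 'FileSkip' for a skipped file".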
From the log file above, you can see sample1.csv has been skipped because it fai
See the other Copy Activity articles: - [Copy activity overview](copy-activity-overview.md)-- [Copy activity fault tolerance](copy-activity-fault-tolerance.md)
+- [Copy activity fault tolerance](copy-activity-fault-tolerance.md)
data-factory Copy Activity Fault Tolerance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/copy-activity-fault-tolerance.md
To configure fault tolerance in a Copy activity in a pipeline with UI, complete
When you copy binary files between storage stores, you can enable fault tolerance as followings: ```json
-"typeProperties": {
- "source": {
- "type": "BinarySource",
- "storeSettings": {
- "type": "AzureDataLakeStoreReadSettings",
- "recursive": true
- }
- },
- "sink": {
- "type": "BinarySink",
- "storeSettings": {
- "type": "AzureDataLakeStoreWriteSettings"
- }
- },
- "skipErrorFile": {
- "fileMissing": true,
- "fileForbidden": true,
- "dataInconsistency": true,
- "invalidFileName": true
- },
- "validateDataConsistency": true,
+{
+ "name": "CopyActivityFaultTolerance",
+ "type": "Copy",
+ "typeProperties": {
+ "source": {
+ "type": "BinarySource",
+ "storeSettings": {
+ "type": "AzureDataLakeStoreReadSettings",
+ "recursive": true
+ }
+ },
+ "sink": {
+ "type": "BinarySink",
+ "storeSettings": {
+ "type": "AzureDataLakeStoreWriteSettings"
+ }
+ },
+ "skipErrorFile": {
+ "fileMissing": true,
+ "fileForbidden": true,
+ "dataInconsistency": true,
+ "invalidFileName": true
+ },
+ "validateDataConsistency": true,
"logSettings": {
- "enableCopyActivityLog": true,
- "copyActivityLogSettings": {
- "logLevel": "Warning",
- "enableReliableLogging": false
+ "enableCopyActivityLog": true,
+ "copyActivityLogSettings": {
+ "logLevel": "Warning",
+ "enableReliableLogging": false
+ },
+ "logLocationSettings": {
+ "linkedServiceName": {
+ "referenceName": "ADLSGen2",
+ "type": "LinkedServiceReference"
},
- "logLocationSettings": {
- "linkedServiceName": {
- "referenceName": "ADLSGen2",
- "type": "LinkedServiceReference"
- },
- "path": "sessionlog/"
- }
+ "path": "sessionlog/"
+ }
}
-}
+ }
+}
``` Property | Description | Allowed values | Required -- | -- | -- | --
data-factory Copy Activity Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/copy-activity-log.md
See below for details of the log output format.
The following example provides a JSON definition to enable session log in Copy Activity: ```json
-"typeProperties": {
+{
+ "name": "CopyActivityLog",
+ "type": "Copy",
+ "typeProperties": {
"source": {
- "type": "BinarySource",
- "storeSettings": {
- "type": "AzureDataLakeStoreReadSettings",
- "recursive": true
- },
- "formatSettings": {
- "type": "BinaryReadSettings"
- }
+ "type": "BinarySource",
+ "storeSettings": {
+ "type": "AzureDataLakeStoreReadSettings",
+ "recursive": true
+ },
+ "formatSettings": {
+ "type": "BinaryReadSettings"
+ }
}, "sink": {
- "type": "BinarySink",
- "storeSettings": {
- "type": "AzureBlobFSWriteSettings"
- }
- },
+ "type": "BinarySink",
+ "storeSettings": {
+ "type": "AzureBlobFSWriteSettings"
+ }
+ },
"skipErrorFile": {
- "fileForbidden": true,
- "dataInconsistency": true
+ "fileForbidden": true,
+ "dataInconsistency": true
}, "validateDataConsistency": true, "logSettings": {
- "enableCopyActivityLog": true,
- "copyActivityLogSettings": {
- "logLevel": "Warning",
- "enableReliableLogging": false
+ "enableCopyActivityLog": true,
+ "copyActivityLogSettings": {
+ "logLevel": "Warning",
+ "enableReliableLogging": false
+ },
+ "logLocationSettings": {
+ "linkedServiceName": {
+ "referenceName": "ADLSGen2",
+ "type": "LinkedServiceReference"
},
- "logLocationSettings": {
- "linkedServiceName": {
- "referenceName": "ADLSGen2",
- "type": "LinkedServiceReference"
- },
- "path": "sessionlog/"
- }
+ "path": "sessionlog/"
+ }
}
+ }
} ```
databox-online Azure Stack Edge Gpu Deploy Configure Network Compute Web Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md
Previously updated : 09/08/2023 Last updated : 09/22/2023 zone_pivot_groups: azure-stack-edge-device-deployment # Customer intent: As an IT admin, I need to understand how to connect and activate Azure Stack Edge Pro so I can use it to transfer data to Azure.
Follow these steps to configure the network for your device.
## Configure virtual switches
-Follow these steps to add or delete virtual switches and virtual networks.
+Follow these steps to add or delete virtual switches.
1. In the local UI, go to **Advanced networking** page.
-1. In the **Virtual switch** section, you'll add or delete virtual switches. Select **Add virtual switch** to create a new switch.
+1. In the **Virtual switch** section, add or delete virtual switches. Select **Add virtual switch** to create a new switch.
- ![Screenshot of "Advanced networking" page in local UI for one node with Add virtual switch selected.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-1.png)
+ ![Screenshot of the Add a virtual switch option on the Advanced networking page in local UI](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/azure-stack-edge-advanced-networking-add-virtual-switch.png)
-1. In the **Network settings** blade, if using a new switch, provide the following:
+1. In the **Network settings** blade, if using a new virtual switch, provide the following:
- 1. Provide a name for your virtual switch.
- 1. Choose the network interface on which the virtual switch should be created.
- 1. Select **Apply**. You can see that the specified virtual switch is created.
-
- You can create Virtual Machines from Azure portal using any of the virtual networks you have created.
-
- ![Screenshot of "Advanced networking" page with virtual switch added and enabled for compute in local UI for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-3.png)
+ 1. Provide a **Name** for the virtual switch.
+ 1. Choose the **Network interface** onto which the virtual switch should be created.
+ 1. Set the **MTU** (Maximum Transmission Unit) parameter for the virtual switch (Optional).
+ 1. Select **Modify** and **Apply** to save your changes.
+
+ The MTU value determines the maximum packet size that can be transmitted over a network. Azure Stack Edge supports MTU values in the following table. If a device on the network path has an MTU setting lower than 1500, IP packets with the ΓÇ£do not fragmentΓÇ¥ flag (DF) with packet size 1500 will be dropped.
+
+ | Azure Stack Edge SKU | Network interface | Supported MTU values |
+ |-|--||
+ | Pro-GPU | Ports 1, 2, 3, and 4 | 1400 - 1500 |
+ | Pro-GPU | Ports 5 and 6 | Not configurable, set to default. |
+ | Pro 2 | Ports 1 and 2 | 1400 - 1500 |
+ | Pro 2 | Ports 3 and 4 | Not configurable, set to default. |
+
+ The host virtual switch will use the specified MTU setting.
+
+ If a virtual network interface is created on the virtual switch, the interface will use the specified MTU setting. If this virtual switch is enabled for compute, the Azure Kubernetes Service VMs and container network interfaces (CNIs) will use the specified MTU as well.
+
+ ![Screenshot of the Add a virtual switch settings on the Advanced networking page in local UI](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/azure-stack-edge-advanced-networking-add-virtual-switch-settings.png)
+
+ When you create a virtual switch, the MTU column is populated with its MTU value.
+
+ ![Screenshot of the MTU setting in Advanced networking in local UI](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/azure-stack-edge-mtu-value.png)
+
+1. The configuration will take a few minutes to apply and once the virtual switch is created, the list of virtual switches updates to reflect the newly created switch. You can see that the specified virtual switch is created and enabled for compute.
+
+ ![Screenshot of the Configure compute page in Advanced networking in local UI 3](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-3.png)
1. You can create more than one switch by following the steps described earlier.
-1. To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.
-You can now create virtual networks and associate with the virtual switches you created.
+1. To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.
+Next, you can create and associate virtual networks with your virtual switches.
## Configure virtual networks
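Review bot: The separator row of the new MTU table, `|-|--||`, does not line up with the three header columns (Azure Stack Edge SKU, Network interface, Supported MTU values), so the table may not render; use one separator cell per column. In the same step, the dropped-packet sentence is written for a fixed packet size of 1500 although the table allows 1400 - 1500, so state whether it also applies when a lower value from the table is configured. The list item "Select **Modify** and **Apply**" should say whether these are two controls used in sequence.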
After the cluster is formed and configured, you can now create new virtual switc
![Screenshot of the Add a virtual switch option on the Advanced networking page in local UI](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/azure-stack-edge-advanced-networking-add-virtual-switch.png)
-1. In the **Network settings** be, if using a new virtual switch, provide the following:
+1. In the **Network settings** blade, if using a new virtual switch, provide the following:
1. Provide a **Name** for the virtual switch. 1. Choose the **Network interface** onto which the virtual switch should be created.
digital-twins How To Use 3D Scenes Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-use-3d-scenes-studio.md
To use 3D Scenes Studio, you'll need the following resources:
* Take note of the *URL* of your storage account to use later. * A private container in the storage account. For instructions, see [Create a container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). * Take note of the *name* of your storage container to use later.
-* *Storage Blob Data Owner* or *Storage Blob Data Contributor* access to your storage resources. You can grant required roles at either the storage account level or the container level. For instructions and more information about permissions to Azure storage, see [Assign an Azure role](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role).
+* *Storage Blob Data Owner* or *Storage Blob Data Contributor* and also at least *Reader* roles are needed to access your storage resources. You can grant required roles at either the storage account level or the container level. For instructions and more information about permissions to Azure storage, see [Assign an Azure role](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role).
* Configure CORS for your storage account (see details in the following sub-section). ### Configure CORS
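Review bot: The rewritten access requirement, "*Storage Blob Data Owner* or *Storage Blob Data Contributor* and also at least *Reader* roles are needed", is ambiguous about grouping; say plainly that one of the two data roles is required together with *Reader*, for example as two separate bullets. The following sentence still says roles can be granted at the storage account level or the container level without saying whether that covers *Reader* too, which matters to anyone assigning the narrowest scope that works.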
energy-data-services Resources Partner Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/resources-partner-solutions.md
This article highlights Microsoft partners with software solutions officially su
| Interica | Interica OneView&trade; harnesses the power of application connectors to extract rich metadata from live projects discovered across the organization. IOV scans automatically discover content and extract detailed metadata at the subelement level. Quickly and easily discover data across multiple file systems and data silos and determine which projects contain selected data objects to inform business decisions. Live data discovery enables businesses to see a holistic view of subsurface project landscapes for improved time to decisions, more efficient data search, and effective storage management. | [Accelerate Azure Data Manager for Energy adoption with Interica OneView&trade;](https://www.petrosys.com.au/interica-oneview-connecting-to-microsoft-data-services/) [Interica OneView&trade;](https://www.petrosys.com.au/assets/Interica_OneView_Accelerate_MEDS_Azure_adoption.pdf) [Interica OneView&trade; connecting to Microsoft Data Services](https://youtu.be/uPEOo3H01w4)| | Katalyst | Katalyst Data Management&reg; provides the only integrated, end-to-end subsurface data management solution for the oil and gas industry. Over 160 employees operate in North America, Europe, and Asia-Pacific, dedicated to enabling digital transformation and optimizing the value of geotechnical information for exploration, production, and M&A activity. |[Katalyst Data Management solution](https://www.katalystdm.com/seismic-news/katalyst-announces-sub-surface-data-management-solution-powered-by-microsoft-energy-data-services/) | | RoQC | RoQC Data Management AS is a Software, Advisory, and Consultancy company specializing in Subsurface Data Management. 
RoQCΓÇÖs LogQA provides powerful native, machine learningΓÇôbased QA and cleanup tools for log data once the data has been migrated to Microsoft Azure Data Manager for Energy, an enterprise-grade OSDU&trade; Data Platform on the Microsoft Cloud.| [RoQC and Microsoft simplify cloud migration with Microsoft Energy Data Services](https://azure.microsoft.com/blog/roqc-and-microsoft-simplify-cloud-migration-with-microsoft-energy-data-services/)|
-| SLB | SLB is the largest provider of digital solutions and technologies to the global energy industry. With deep expertise in the business needs of exploration and production (E&P) companies, SLB works in close partnership with its customers to enable performance, create industry-changing technologies, and improve sustainability throughout the global energy transition. Ensuring progress for people and the planet on the journey to net zero and beyond drives us. | [Schlumberger Launches Enterprise Data Solution](https://www.slb.com/news-and-insights/newsroom/press-release/2022/pr-2022-09-21-slb-enterprise-data-solution)|
+| SLB | SLB is the largest provider of digital solutions and technologies to the global energy industry. With deep expertise in the business needs of exploration and production (E&P) companies, SLB offers a broad range of digital software and solutions to support customers in all parts of their business. SLB deploys with Azure Data Manager for Energy for a wide array of these capabilities encompassing subsurface workflows, data management, and AI across E&P, as well as for energy transition efforts like CCS. | [Schlumberger Launches Enterprise Data Solution](https://www.slb.com/news-and-insights/newsroom/press-release/2022/pr-2022-09-21-slb-enterprise-data-solution)|
| Wipro | Wipro offers services and accelerators that use the WINS (Wipro INgestion Service) framework, which speeds up the time-to-market and allows for seamless execution of domain workflows with data stored in Microsoft Azure Data Manager for Energy with minimal effort. | [Wipro and Microsoft partner on services and accelerators for the new Microsoft Energy Data Services](https://azure.microsoft.com/blog/wipro-and-microsoft-partner-on-services-and-accelerators-for-the-new-microsoft-energy-data-services/)| ## Next steps
expressroute How To Configure Traffic Collector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-configure-traffic-collector.md
Title: 'Configure ExpressRoute Traffic Collector for ExpressRoute Direct using the Azure portal (Preview)'
-description: Learn how to create an ExpressRoute Traffic Collector resource to import logs into a Log Analytics workspace.
+ Title: Configure Traffic Collector for ExpressRoute Direct
+
+description: This article shows you how to create an ExpressRoute Traffic Collector resource and import logs into a Log Analytics workspace.
- Previously updated : 07/15/2022+ Last updated : 08/09/2023
+#Customer intent: As a network engineer, I want to configure ExpressRoute Traffic Collector to import flow logs into a Log Analytics workspace.
-# Configure ExpressRoute Traffic Collector for ExpressRoute Direct using the Azure portal (Preview)
+# Configure Traffic Collector for ExpressRoute Direct
-This article will help you deploy an ExpressRoute Traffic Collector using the Azure portal. You'll learn how to add and remove an ExpressRoute Traffic Collector, associate it to an ExpressRoute Direct circuit and Log Analytics workspace. Once the ExpressRoute Traffic Collector is deployed, sampled flow logs will get imported into a Log Analytics workspace. For more information, see [About ExpressRoute Traffic Collector](traffic-collector.md).
+This article helps you deploy an ExpressRoute Traffic Collector using the Azure portal. You learn how to add and remove an ExpressRoute Traffic Collector, associate it to an ExpressRoute Direct circuit and Log Analytics workspace. Once the ExpressRoute Traffic Collector is deployed, sampled flow logs get imported into a Log Analytics workspace. For more information, see [About ExpressRoute Traffic Collector](traffic-collector.md).
-> [!IMPORTANT]
-> ExpressRoute Traffic Collector is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+## Prerequisites
+
+- An ExpressRoute Direct circuit with Private or Microsoft peering configured.
+- A Log Analytics workspace (Create new or use existing workspace).
## Limitations - ExpressRoute Traffic Collector supports a maximum ExpressRoute Direct circuit size of 100 Gbps.-- You can associate up to 20 ExpressRoute Direct circuits with ExpressRoute Traffic Collector as long as the total circuit bandwidth doesn't exceed 100 Gbps.-
-## Prerequisites
--- ExpressRoute Direct circuit with Private or Microsoft peering configured.-- A Log Analytics workspace (Create new or use existing).
+- You can associate up to 20 ExpressRoute Direct circuits with ExpressRoute Traffic Collector. The total circuit bandwidth can't exceed 100 Gbps.
+- The ExpressRoute Direct circuit, Traffic Collector and the Log Analytics workspace must be in the same geo-political region. Cross geo-political resource association isn't supported.
+- The ExpressRoute Direct circuit and Traffic Collector must be deployed in the same subscription. Cross subscription deployments aren't available.
> [!NOTE]
-> - The ExpressRoute Direct circuit, ExpressRoute Traffic Collector and the Log Analytics workspace must be in the same geo-political region. Cross geo-political resource association is not supported.
-> - The ExpressRoute Direct circuit and ExpressRoute Traffic Collector must be deployed in the same subscription. Cross subscription deployment is currently not available.
-> - Log Analytics and ExpressRoute Traffic Collector can be deployed in cross subscription.
+> - Log Analytics and ExpressRoute Traffic Collector can be deployed in a different subscription.
> - When ExpressRoute Traffic Collector gets deployed in an Azure region that supports availability zones, it will have availability zone enabled by default. ## Permissions -- Minimum contributor access is required to deploy ExpressRoute Traffic Collector.-- Minimum contributor access is required to associate ExpressRoute Direct circuit with ExpressRoute Traffic Collector.-- Monitor contributor role is required to associate Log Analytics workspace with ExpressRoute Traffic Collector.
+- Minimum of **contributor** access is required to deploy ExpressRoute Traffic Collector.
+- Minimum of **contributor** access is required to associate ExpressRoute Direct circuit with ExpressRoute Traffic Collector.
+- **Monitor contributor** role is required to associate Log Analytics workspace with ExpressRoute Traffic Collector.
For more information, see [Identity and access management](../active-directory/fundamentals/active-directory-ops-guide-iam.md). ## Deploy ExpressRoute Traffic Collector
-1. Sign in to the [Azure portal](https://portal.azure.com/)
+1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. In the portal, go to the list of ExpressRoute circuits and select **ExpressRoute Traffic Collectors**. Then select **+ Create new**.
+1. In the portal, go to the ExpressRoute circuits page and select **ExpressRoute Traffic Collectors** from the top of the page. Select **+ Create new** from the drop-down menu.
:::image type="content" source="./media/how-to-configure-traffic-collector/circuit-list.png" alt-text="Screenshot of the create new ExpressRoute Traffic Collector button from the ExpressRoute circuit list page.":::
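Review bot: In the Permissions list, the three added bullets bold the role names but still do not say at which scope each role has to be assigned ("Minimum of **contributor** access is required to deploy ExpressRoute Traffic Collector"). Without a scope, the easiest reading is Contributor on the whole subscription. Suggest naming the narrowest scope that works for each bullet (resource group, circuit, or workspace). Because the bold formatting now presents "contributor" and "Monitor contributor" as literal role names, they should also use the exact wording and casing shown in the portal's role picker.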
For more information, see [Identity and access management](../active-directory/f
| Region | Select a region to deploy this resource into. This resource needs to be in the same geo-political region as the Log Analytics workspace and the ExpressRoute Direct circuits. | | Collector Policy | This value is automatically filled in as **Default**. |
-1. On the **Select ExpressRoute circuit** tab, select **+ Add ExpressRoute Circuits**. Select the checkbox next to the circuit you would like to add to the Traffic Collector and then select **Add**. Once you're satisfied with the circuits added, select **Next**.
+1. On the **Select ExpressRoute circuit** tab, select **+ Add ExpressRoute Circuits**.
+
+1. On the **Add Circuits** page, select the checkbox next to the circuit you would like Traffic Collector to monitor and then select **Add**. Select **Next** to configure where logs gets forwarded to.
:::image type="content" source="./media/how-to-configure-traffic-collector/select-circuits.png" alt-text="Screenshot of the select ExpressRoute circuits tab and add circuits page.":::
-1. On the **Forward Logs** tab, select the checkbox for **Send to Log Analytics workspace**. You can create a new Log Analytics workspace or choose an existing. The workspace can be in a different Azure subscription but has to be in the same geo-political region. Select **Next** once a workspace has been chosen.
+1. On the **Forward Logs** tab, select the checkbox for **Send to Log Analytics workspace**. You can create a new Log Analytics workspace or select an existing one. The workspace can be in a different Azure subscription but has to be in the same geo-political region. Select **Next** once a workspace has been chosen.
:::image type="content" source="./media/how-to-configure-traffic-collector/forward-logs.png" alt-text="Screenshot of the forward logs tab to Logs Analytics workspace.":::
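Review bot: The added **Add Circuits** step ends with "Select **Next** to configure where logs gets forwarded to", which has a subject-verb mismatch and a dangling preposition. Suggest "Select **Next** to configure where logs get forwarded." The split into two numbered steps otherwise reads cleanly against the screenshot that follows.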
Once all circuits have been removed from the ExpressRoute Traffic Collector, sel
:::image type="content" source="./media/how-to-configure-traffic-collector/overview.png" alt-text="Screenshot of delete button on overview page." lightbox="./media/how-to-configure-traffic-collector/overview.png":::
-## Next steps
+## Next step
-- [ExpressRoute Traffic Collector Metrics](expressroute-monitoring-metrics-alerts.md#expressroute-traffic-collector-metrics)
+- Learn about [ExpressRoute Traffic Collector metrics](expressroute-monitoring-metrics-alerts.md#expressroute-traffic-collector-metrics) to monitor your ExpressRoute Traffic Collector resource.
expressroute Traffic Collector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/traffic-collector.md
Title: Enable flow logging using Azure ExpressRoute Traffic Collector (Preview)
-description: Learn about ExpressRoute Traffic Collector and the different use cases where this feature will be helpful.
+ Title: Azure ExpressRoute Traffic Collector
+
+description: Learn about ExpressRoute Traffic Collector and the different use cases where this feature is helpful.
Previously updated : 08/02/2022 Last updated : 08/21/2023
-# Enable flow logging using ExpressRoute Traffic Collector (Preview)
+# Azure ExpressRoute Traffic Collector
-ExpressRoute Traffic Collector enables sampling of network flows sent over your ExpressRoute Direct circuits. Flow logs get sent to a [Log Analytics workspace](../azure-monitor/logs/log-analytics-overview.md) where you can create your own log queries for further analysis, export the data to any visualization tool or SIEM (Security Information and Event Management) of your choice. Flow logging can be enabled for both private peering and Microsoft peering with ExpressRoute Traffic Collector.
-
-> [!IMPORTANT]
-> ExpressRoute Traffic Collector is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+ExpressRoute Traffic Collector enables sampling of network flows sent over your ExpressRoute Direct circuits. Flow logs get sent to a [Log Analytics workspace](../azure-monitor/logs/log-analytics-overview.md) where you can create your own log queries for further analysis. You can also export the data to any visualization tool or SIEM (Security Information and Event Management) of your choice. Flow logs can be enabled for both private peering and Microsoft peering with ExpressRoute Traffic Collector.
:::image type="content" source="./media/traffic-collector/main-diagram.png" alt-text="Diagram of ExpressRoute traffic collector in an Azure environment."::: ## Use cases
-Flow logs can help you derive various traffic insights. Most common use cases are:
+Flow logs can help you look into various traffic insights. Some common use cases are:
### Network monitoring
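Review bot: The replacement sentence under "Use cases", "Flow logs can help you look into various traffic insights", does not parse well, since one looks into traffic rather than into insights. Suggest "Flow logs can help you gain insights into your traffic. Some common use cases are:". The softening from "Most common" to "Some common" is fine.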
Flow logs can help you derive various traffic insights. Most common use cases ar
## Flow log collection and sampling
-ExpressRoute Traffic Collector enables flow collection for Azure private peering and Microsoft peering. Flow logs are collected every minute. All packets collected for a given flow gets aggregated and imported into a Log Analytics workspace for further analysis. During flow collection, not every packet is captured into its own flow record. ExpressRoute Traffic Collector uses a sampling rate of 1:4096, meaning 1 out of every 4096 packets gets captured. Therefore, sampling rate short flows (in total bytes) may not get collected. This sampling size doesn't affect network traffic analysis when sampled data is aggregated over a longer period of time. Flow collection time and sampling rate are fixed and can't be changed.
+Flow logs are collected at an interval of every 1 minute. All packets collected for a given flow get aggregated and imported into a Log Analytics workspace for further analysis. During flow collection, not every packet is captured into its own flow record. ExpressRoute Traffic Collector uses a sampling rate of 1:4096, meaning 1 out of every 4096 packets gets captured. Therefore, sampling rate short flows (in total bytes) may not get collected. This sampling size doesn't affect network traffic analysis when sampled data is aggregated over a longer period of time. Flow collection time and sampling rate are fixed and can't be changed.
## Flow log schema
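Review bot: The rewritten paragraph under "Flow log collection and sampling" carries over the broken sentence "Therefore, sampling rate short flows (in total bytes) may not get collected" unchanged. Since the line is being touched anyway, reword it, for example "Because of this sampling rate, short flows (in total bytes) may not get collected." The phrase "at an interval of every 1 minute" is also redundant compared with the old "every minute". The next sentence says the sampling size "doesn't affect network traffic analysis" when aggregated, so a reader who feeds these logs to a SIEM should be told next to that sentence that a missing flow record does not mean there was no traffic.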
ExpressRoute Traffic Collector enables flow collection for Azure private peering
ExpressRoute Traffic Collector is supported in the following regions:
+### North America
+- Canada East
+- Canada Central
- Central US-- East US-- East US 2
+- Central US EUAP
- North Central US - South Central US -- West Central US
+- West Central US
+- East US
+- East US 2
- West US - West US 2 - West US 3
+### South America
+- Brazil South
+- Brazil Southeast
+
+### Europe
+- West Europe
+- North Europe
+- UK South
+- UK West
+- France Central
+- France South
+- Germany North
+- Sweden Central
+- Sweden South
+- Switzerland North
+- Switzerland West
+- Norway East
+- Norway West
+
+### Asia
+- East Asia
+- Central India
+- South India
+- Japan West
+- Korea South
+- UAE North
+
+### Africa
+- South Africa North
+- South Africa West
+
+### Pacific
+- Australia Central
+- Australia Central 2
+- Australia East
+- Australia Southeast
+ ## Next steps - Learn how to [set up ExpressRoute Traffic Collector](how-to-configure-traffic-collector.md).
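Review bot: The new region headings (North America, South America, Europe, Asia, Africa, Pacific) are continents, while how-to-configure-traffic-collector.md in this same update requires the circuit, Traffic Collector and workspace to be "in the same geo-political region". Say whether these headings are those geo-political boundaries or only a grouping for readability, because a reader will use this list to decide which resources can be associated. "Central US EUAP" is also listed among the supported regions. Please confirm it is meant to appear in the public list.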
global-secure-access Concept Global Secure Access Logs Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/concept-global-secure-access-logs-monitoring.md
- Title: Global Secure Access (preview) logs and monitoring
-description: Learn about the available Global Secure Access (preview) logs and monitoring options.
---- Previously updated : 06/11/2023----
-# Global Secure Access (preview) logs and monitoring
-
-As an IT administrator, you need to monitor the performance, experience, and availability of the traffic flowing through your networks. Within the Global Secure Access (preview) logs there are many data points that you can review to gain insights into your network traffic. This article describes the logs and dashboards that are available to you and some common monitoring scenarios.
-
-## Network traffic dashboard
-
-The Global Secure Access network traffic dashboard provides you with visualizations of the traffic flowing through the Microsoft Entra Private Access and Microsoft Entra Internet Access services, which include Microsoft 365 and Private Access traffic. The dashboard provides a summary of the data related to product deployment and insights. Within these categories you can see the number of users, devices, and applications seen in the last 24 hours. You can also see device activity and cross-tenant access.
-
-For more information, see [Global Secure Access network traffic dashboard](concept-traffic-dashboard.md).
-
-## Audit logs
-
-The Microsoft Entra audit log is a valuable source of information when researching or troubleshooting changes to your Microsoft Entra environment. Changes related to Global Secure Access are captured in the audit logs in several categories, such as filtering policy, forwarding profiles, remote network management, and more.
-
-For more information, see [Global Secure Access audit logs](how-to-access-audit-logs.md).
-
-## Traffic logs
-
-The Global Secure Access traffic logs provide a summary of the network connections and transactions that are occurring in your environment. These logs look at *who* accessed *what* traffic from *where* to *where* and with what *result*. The traffic logs provide a snapshot of all connections in your environment and breaks that down into traffic that applies to your traffic forwarding profiles. The logs details provide the traffic type destination, source IP, and more.
-
-For more information, see [Global Secure Access traffic logs](how-to-view-traffic-logs.md).
-
-## Enriched Office 365 logs
-
-The *Enriched Office 365 logs* provide you with the information you need to gain insights into the performance, experience, and availability of the Microsoft 365 apps your organization uses. You can integrate the logs with a Log Analytics workspace or third-party SIEM tool for further analysis.
-
-Customers use existing *Office Audit logs* for monitoring, detection, investigation, and analytics. We understand the importance of these logs and have partnered with Microsoft 365 to include SharePoint logs. These enriched logs include details like client information and original public IP details that can be used for troubleshooting security scenarios.
-
-For more information, see [Enriched Office 365 logs](how-to-view-enriched-logs.md).
--
-## Next steps
--- [Learn how to access, store, and analyze activity logs](/azure/active-directory/reports-monitoring/howto-access-activity-logs)
global-secure-access Concept Private Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/concept-private-access.md
- Title: Learn about Microsoft Entra Private Access
-description: Learn about how Microsoft Entra Private Access secures access to your private corporate resources through the creation of Quick Access and Global Secure Access apps.
---- Previously updated : 07/27/2023------
-# Learn about Microsoft Entra Private Access
-
-Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
-
-Private Access provides two ways to configure the private resources that you want to tunnel through the service. You can configure Quick Access, which is the primary group of FQDNs and IP addresses that you want to secure. You can also configure a Global Secure Access app for per-app access, which allows you to specify a subset of private resources that you want to secure. The Global Secure Access app provides a granular approach to securing your private resources.
-
-The features of Microsoft Entra Private Access provide a quick and easy way to replace your VPN to allow secure access to your internal resources with an easy-one time configuration, using the secure capabilities of Conditional Access.
-
-## Quick Access and Global Secure Access apps
-
-When you configure the Quick Access and Global Secure Access apps, you create a new enterprise application. The app serves as a container for the private resources that you want to secure. The application has its own [Microsoft Entra application proxy connector](how-to-configure-connectors.md) to broker the connection between the service and the internal resource. You can assign users and groups to the app, and then use Conditional Access policies to control access to the app.
-
-Quick Access and Per-app Access are similar, but there are a few key concepts to understand so you can decide how to configure each one.
-
-### Quick Access app
-
-Quick Access is the primary group of FQDNs and IP addresses that you want to secure. As you're planning your Global Secure Access deployment, review your list of private resources and determine which resources you *always* want to tunnel through the service. This primary group of FQDNs, IP addresses, and IP ranges is what you add to Quick Access.
-
-![Diagram of the Quick Access app process with traffic flowing through the service to the app, and granting access through App Proxy.](media/concept-private-access/quick-access-diagram.png)
-
-### Global Secure Access app
-
-A Global Secure Access app could be configured if any of the following scenarios sound familiar:
--- I need to apply a different set of Conditional Access policies to a subset of users.-- I have a few private resources that I want to secure, but they should have a different set of access policies.-- I have a subset of private resources that I only want to secure for a specific time frame.-
-![Diagram of the Global Secure Access app process with traffic flowing through the service to the app, and granting access through App Proxy.](media/concept-private-access/private-access-diagram.png)
-
-The Global Secure Access app takes a more detailed approach to securing your private resources. You can create multiple per-app access apps to secure different private resources. Paired with Conditional Access policies, you have a powerful yet fine-grained way to secure your private resources.
-
-## Next steps
--- [Configure Quick Access](how-to-configure-quick-access.md)
global-secure-access Concept Remote Network Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/concept-remote-network-connectivity.md
- Title: Global Secure Access (preview) remote network connectivity
-description: Learn how remote network connectivity in Global Secure Access (preview) allows users to connect to your corporate network from a remote location, such as a branch office.
---- Previously updated : 07/27/2023----
-# Understand remote network connectivity
-
-Global Secure Access (preview) supports two connectivity options: installing a client on end-user device and configuring a remote network, for example a branch location with a physical router. Remote network connectivity streamlines how your end-users and guests connect from a remote network without needing to install the Global Secure Access Client.
-
-This article describes the key concepts of remote network connectivity along with common scenarios where it may be useful.
-
-## What is a remote network?
-
-Remote networks are remote locations or networks that require internet connectivity. For example, many organizations have a central headquarters and branch office locations in different geographic areas. These branch offices need access to corporate data and services. They need a secure way to talk to the data center, headquarters, and remote workers. The security of remote networks is crucial for many types of organizations.
-
-Remote networks, such as a branch location, are typically connected to the corporate network through a dedicated Wide Area Network (WAN) or a Virtual Private Network (VPN) connection. Employees in the branch location connect to the network using customer premises equipment (CPE).
-
-## Current challenges of remote network security
-
-**Bandwidth requirements have grown** ΓÇô The number of devices requiring Internet access has increased exponentially. Traditional networks are difficult to scale. With the advent of Software as a Service (SaaS) applications like Microsoft 365, there are ever-growing demands of low latency and jitter-less communication that traditional technologies like Wide Area Network (WAN) and Multi-Protocol Label Switching (MPLS) struggle with.
-
-**IT teams are expensive** ΓÇô Typically, firewalls are placed on physical devices on-premises, which requires an IT team for setup and maintenance. Maintaining an IT team at every branch location is expensive.
-
-**Evolving threats** ΓÇô Malicious actors are finding new avenues to attack the devices at the edge of networks. Edge devices in branch offices or even home offices are often the most vulnerable point of attack.
-
-## How does Global Secure Access remote network connectivity work?
-
-To connect a remote network to Global Secure Access, you set up an Internet Protocol Security (IPSec) tunnel between your on-premises equipment and the Global Secure Access endpoint. Traffic that you specify is routed through the IPSec tunnel to the nearest Global Secure Access endpoint. You can apply security policies in the Microsoft Entra admin center.
-
-Global Secure Access remote network connectivity provides a secure solution between a remote network and the
-Global Secure Access service. It doesn't provide a secure connection between one remote network and another.
-To learn more about secure remote network-to-remote network connectivity, see the [Azure Virtual WAN documentation](/azure/virtual-wan/).
-
-## Why remote network connectivity may be important for you?
-Maintaining security of a corporate network is increasingly difficult in a world of remote work and distributed teams. Security Service Edge (SSE) promises a world of security where customers can access their corporate resources from anywhere in the world without needing to back haul their traffic to headquarters.
-
-## Common remote network connectivity scenarios
-
-### I donΓÇÖt want to install clients on thousands of devices on-premises.
-Generally, SSE is enforced by installing a client on a device. The client creates a tunnel to the nearest SSE endpoint and routes all Internet traffic through it. SSE solutions inspect the traffic and enforce security policies. If your users aren't mobile and based in a physical branch location, then remote network connectivity for that branch location removes the pain of installing a client on every device. You can connect the entire branch location by creating an IPSec tunnel between the core router of the branch office and the Global Secure Access endpoint.
-
-### I can't install clients on all the devices my organization owns.
-Sometimes, clients can't be installed on all devices. Global Secure Access currently provides clients for Windows. But what about Linux, mainframes, cameras, printers and other types of devices that are on premises and sending traffic to the Internet? This traffic still needs to be monitored and secured. When you connect a remote network, you can set policies for all traffic from that location regardless of the device where it originated.
-
-### I have guests on my network who don't have the client installed.
-Guest devices on your network may not have the client installed. To ensure that those devices adhere to your network security policies, you need their traffic routed through the Global Secure Access endpoint. Remote network connectivity solves this problem. No clients need to be installed on guest devices. All outgoing traffic from the remote network is going through security evaluation by default.
--
-## Next steps
-- [List all remote networks](how-to-list-remote-networks.md)-- [Manage remote networks](how-to-manage-remote-networks.md)
global-secure-access Concept Traffic Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/concept-traffic-dashboard.md
- Title: Global Secure Access (preview) network traffic dashboard
-description: Learn how to use the Global Secure Access (preview) network traffic dashboard.
---- Previously updated : 05/15/2023----
-# Global Secure Access (preview) network traffic dashboard
-
-The Global Secure Access (preview) network traffic dashboard provides you with visualizations of the network traffic acquired by the Microsoft Entra Private and Microsoft Entra Internet Access services. The dashboard compiles the data from your network configurations, including devices, users, and tenants into several widgets that provide you with answers to the following questions:
--- How many active devices are deployed on my network?-- Was there a recent change to the number of active devices?-- What are the most used applications?-- How many unique users are accessing the network across all my tenants?-
-This article describes each of the widgets and how you can use the data on the dashboard to monitor and improve your network configurations.
-
-## How to access the dashboard
-
-Viewing the Global Secure Access dashboard requires a Reports Reader role in Microsoft Entra ID.
-
-To access the dashboard:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Dashboard**.
-
- :::image type="content" source="media/concept-traffic-dashboard/traffic-dashboard.png" alt-text="Screenshot of the Private access profile, with the view applications link highlighted." lightbox="media/concept-traffic-dashboard/traffic-dashboard-expanded.png":::
-
-## Relationship map
-
-This widget provides a summary of how many users and devices are using the service and how many applications were secured through the service.
--- **Users**: The number of distinct users seen in the last 24 hours. The data uses the *user principal name (UPN)*.-- **Devices**: The number of distinct devices seen in the last 24 hours. The data uses the *device ID*.-- **Workloads**: The number of distinct destinations seen in the last 24 hours. The data uses fully qualified domain names (FQDNs) and IP addresses.-
-![Screenshot of the relationship map widget.](media/concept-traffic-dashboard/relationship-map.png)
-
-## Product deployment
-
-There are two product deployment widgets that look at the active and inactive devices that you have deployed.
--- **Active devices**: The number of distinct device IDs seen in the last 24 hours and the % change during that time.-- **Inactive devices**: The number of distinct device IDs that were seen in the last seven days, but not during the last 24 hours. The % change during the last 24 hours is also displayed.-
-![Screenshot of the product deployment widget.](media/concept-traffic-dashboard/product-deployment.png)
-
-## Product insights
-
-There are two product insights widgets that look at your cross-tenant access and top used applications.
-
-### Cross-tenant access
--- **Sign-ins**: The number of sign-ins through Microsoft Entra ID to Microsoft 365 in the last 24 hours. This widget provides you with information about the activity in your tenant. -- **Total distinct tenants**: The number of distinct tenant IDs seen in the last 24 hours.-- **Unseen tenants**: The number of distinct tenant IDs that were seen in the last 24 hours, but not in the previous seven days.-- **Users**: The number of distinct user sign-ins to other tenants in the last 24 hours. -- **Devices**: The number of distinct devices that signed in to other tenants in the last 24 hours.-
-![Screenshot of the product insights widget.](media/concept-traffic-dashboard/product-insights.png)
-
-### Top used destinations
-
-The top-visited destinations are displayed in the second product insight widget. You can change this view to look at the following options:
--- **Transactions**: Displayed by default and shows the total number of transactions in the last 24 hours. -- **Users**: The number of distinct users (UPN) accessing the destination in the last 24 hours.-- **Devices**: The number of distinct device IDs accessing the destination in the last 24 hours.-
-![Screenshot of the top destinations widget with the number of transactions field highlighted.](media/concept-traffic-dashboard/product-insights-top-destinations.png)
--
-## Next steps
--- [Explore the traffic logs](how-to-view-traffic-logs.md)-- [Access the audit logs](how-to-access-audit-logs.md)
global-secure-access Concept Traffic Forwarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/concept-traffic-forwarding.md
- Title: Global Secure Access (preview) traffic forwarding profiles
-description: Learn about how traffic forwarding profiles for Global Secure Access (preview) streamlines how you route traffic through your network.
---- Previously updated : 06/09/2023-----
-# Global Secure Access (preview) traffic forwarding profiles
-
-With the traffic forwarding profiles in Global Secure Access (preview), you can apply policies to the network traffic that your organization needs to secure and manage. Network traffic is evaluated against the traffic forwarding policies you configure. The profiles are applied and the traffic goes through the service to the appropriate apps and resources.
-
-This article describes the traffic forwarding profiles and how they work.
-
-## Traffic forwarding
-
-**Traffic forwarding** enables you to configure the type of network traffic to tunnel through the Microsoft Entra Private Access and Microsoft Entra Internet Access services. You set up profiles to manage how specific types of traffic are managed.
-
-When traffic comes through Global Secure Access, the service evaluates the type of traffic first through the **Microsoft 365 profile** and then through the **Private access profile**. Any traffic that doesn't match the first two profiles isn't forwarded to Global Secure Access.
-
-For each traffic forwarding profile, you can configure three main details:
--- What traffic to forward to the service-- What Conditional Access policies to apply-- How your end-users connect to the service-
-## Microsoft 365
-
-The Microsoft 365 traffic forwarding profile includes SharePoint Online, Exchange Online, and Microsoft 365 apps. All of the destinations for these apps are automatically included in the profile. Within each of the three main groups of destinations, you can choose to forward that traffic to Global Secure Access or bypass the service.
-
-Microsoft 365 traffic is forwarded to the service by either connecting through a [remote network](concept-remote-network-connectivity.md), such as branch office location, or through the [Global Secure Access desktop client](how-to-install-windows-client.md).
-
-## Private access
-
-With the Private Access profile, you can route traffic to your private resources. This traffic forwarding profile requires configuring Quick Access, which includes the fully qualified domain names (FQDNs) and IP addresses of the private apps and resources you want to forward to the service.
-
-Private access traffic can be forwarded to the service by connecting through the [Global Secure Access desktop client](how-to-install-windows-client.md).
--
-## Next steps
--- [Manage the Microsoft 365 traffic profile](how-to-manage-microsoft-365-profile.md)-- [Manage the Private access traffic profile](how-to-manage-private-access-profile.md)-- [Configure Quick Access](how-to-configure-quick-access.md)
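Review bot: In the Traffic forwarding section, the list under "For each traffic forwarding profile, you can configure three main details" includes "What Conditional Access policies to apply", but the Universal Conditional Access article removed in this same change lists applying Conditional Access policies to Private Access traffic as not currently supported. If this text is being moved rather than retired, qualify that bullet per profile so readers don't assume policy enforcement on Private Access traffic. The same section says "Any traffic that doesn't match the first two profiles isn't forwarded" while only two profiles are described; either name the third profile or reword to "either profile".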
global-secure-access Concept Universal Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/concept-universal-conditional-access.md
- Title: Learn about Universal Conditional Access through Global Secure Access
-description: Learn about how Microsoft Entra Internet Access and Microsoft Entra Private Access secures access to your resources through Conditional Access.
---- Previously updated : 07/27/2023------
-# Universal Conditional Access through Global Secure Access
-
-In addition to sending traffic to Global Secure Access (preview), administrators can use Conditional Access policies to secure traffic profiles. They can mix and match controls as needed like requiring multifactor authentication, requiring a compliant device, or defining an acceptable sign-in risk. Applying these controls to network traffic not just cloud applications allows for what we call universal Conditional Access.
-
-Conditional Access on traffic profiles provides administrators with enormous control over their security posture. Administrators can enforce [Zero Trust principles](/security/zero-trust/) using policy to manage access to the network. Using traffic profiles allows consistent application of policy. For example, applications that don't support modern authentication can now be protected behind a traffic profile.
-
-This functionality allows administrators to consistently enforce Conditional Access policy based on [traffic profiles](concept-traffic-forwarding.md), not just applications or actions. Administrators can target specific traffic profiles like Microsoft 365 or private, internal resources with these policies. Users can access these configured endpoints or traffic profiles only when they satisfy the configured Conditional Access policies.
-
-## Prerequisites
-
-* Administrators who interact with **Global Secure Access preview** features must have one or more of the following role assignments depending on the tasks they're performing.
- * [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference)
- * [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-* To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.
-
-### Known limitations
--- Continuous access evaluation is not currently supported for Universal Conditional Access for Microsoft 365 traffic.-- Applying Conditional Access policies to Private Access traffic is not currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see [Apply Conditional Access to Private Access apps](how-to-target-resource-private-access-apps.md).-- Applying Conditional Access policies to Internet traffic is not currently supported. Internet traffic is in private preview. To request access to the private preview, complete [the private preview interest form](https://aka.ms/entra-ia-preview).-- Microsoft 365 traffic can be accessed through remote network connectivity without the Global Secure Access Client; however the Conditional Access policy isn't enforced. In other words, Conditional Access policies for the Global Secure Access Microsoft 365 traffic are only enforced when a user has the Global Secure Access Client.--
-## Conditional Access policies
-
-With Conditional Access, you can enable access controls and security policies for the network traffic acquired by Microsoft Entra Internet Access and Microsoft Entra Private Access.
--- Create a policy that targets all [Microsoft 365 traffic](how-to-target-resource-microsoft-365-profile.md).-- Apply Conditional Access policies to your [Private Access apps](how-to-target-resource-private-access-apps.md), such as Quick Access.-- Enable [Global Secure Access signaling in Conditional Access](how-to-source-ip-restoration.md) so the source IP address is visible in the appropriate logs and reports.--
-## User experience
-
-When users sign in to a machine with the Global Secure Access Client installed, configured, and running for the first time they're prompted to sign in. When users attempt to access a resource protected by a policy. like the previous example, the policy is enforced and they're prompted to sign in if they haven't already. Looking at the system tray icon for the Global Secure Access Client you see a red circle indicating it's signed out or not running.
--
-When a user signs in the Global Secure Access Client has a green circle that you're signed in, and the client is running.
--
-## Next steps
--- [Enable source IP restoration](how-to-source-ip-restoration.md)-- [Create a Conditional Access policy for Microsoft 365 traffic](how-to-target-resource-microsoft-365-profile.md)-- [Create a Conditional Access policy for Private Access apps](how-to-target-resource-private-access-apps.md)
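Review bot: The last bullet under Known limitations says Conditional Access "isn't enforced" for Microsoft 365 traffic that arrives through remote network connectivity without the Global Secure Access Client, yet the introduction describes policy as consistently enforced on traffic profiles. Wherever this content ends up, that caveat should sit beside the enforcement claim rather than at the bottom of a limitations list, because it changes what a remote-network-only deployment actually gets. Two wording problems in User experience should not be carried forward either: "protected by a policy. like the previous example" has a stray period and refers to an example the article never gives, and "has a green circle that you're signed in" switches from "a user" to "you" mid-sentence.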
global-secure-access How To Access Audit Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-access-audit-logs.md
- Title: How to access Global Secure Access (preview) audit logs
-description: Learn how to access Global Secure Access (preview) audit logs.
---- Previously updated : 06/01/2023----
-# How to access the Global Secure Access (preview) audit logs
-
-The Microsoft Entra audit logs are a valuable source of information when investigating or troubleshooting changes to your Microsoft Entra environment. Changes related to Global Secure Access are captured in the audit logs in several categories, such as traffic forwarding profiles, remote network management, and more. This article describes how to use the audit log to track changes to your Global Secure Access environment.
-
-## Prerequisites
-
-To access the audit log for your tenant, you must have one of the following roles:
--- Reports Reader-- Security Reader-- Security Administrator-- Global Reader-- Global Administrator-
-Audit logs are available in [all editions of Microsoft Entra](/azure/active-directory/reports-monitoring/concept-audit-logs). Storage and integration with analysis and monitoring tools may require additional licenses and roles.
-
-## Access the audit logs
-
-There are several ways to view the audit logs. For more information on the options and recommendations for when to use each option, see [How to access activity logs](/azure/active-directory/reports-monitoring/howto-access-activity-logs).
-
-### Access audit logs from the Microsoft Entra admin center
-
-You can access the audit logs from **Global Secure Access** and from **Microsoft Entra ID Monitoring & health**.
-
-**From Global Secure Access:**
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) using one of the required roles.
-1. Browse to **Global Secure Access (preview)** > **Audit logs**. The filters are pre-populated with the categories and activities related to Global Secure Access.
-
-**From Microsoft Entra ID Monitoring & health:**
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) using one of the required roles.
-1. Browse to **Identity** > **Monitoring & health** > **Audit logs**.
-1. Select the **Date** range you want to query.
-1. Open the **Service** filter, select **Global Secure Access**, and select the **Apply** button.
-1. Open the **Category** filter, select at least one of the available options, and select the **Apply** button.
-
-## Save audit logs
-
-Audit log data is only kept for 30 days by default, which may not be long enough for every organization. You may also want to integrate your logs with other services for enhanced monitoring and analysis if you need to view or query logs after 30 days.
--- [Stream activity logs to an event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) to integrate with other tools, like Azure Monitor or Splunk.-- [Export activity logs for storage](/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account).-- [Monitor activity in real-time with Microsoft Sentinel](/azure/sentinel/quickstart-onboard).--
-## Next steps
--- [View network traffic logs](how-to-view-traffic-logs.md)-- [Access the enriched Microsoft 365 logs](how-to-view-enriched-logs.md)
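Review bot: The label "Microsoft Entra ID Monitoring & health" in "Access audit logs from the Microsoft Entra admin center" does not match the navigation path given two lines later, "**Identity** > **Monitoring & health** > **Audit logs**"; use the path's wording in both places if this article is republished. In "Save audit logs", the 30-day default retention is stated first and the condition "if you need to view or query logs after 30 days" trails the second sentence; lead with the retention limit and the need to export so the three options read as the remedy.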
global-secure-access How To Assign Traffic Profile To Remote Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-assign-traffic-profile-to-remote-network.md
- Title: How to assign a remote network to a traffic forwarding profile for Global Secure Access (preview)
-description: Learn how to assign a remote network to a traffic forwarding profile for Global Secure Access (preview).
---- Previously updated : 06/09/2023---
-# Assign a remote network to a traffic forwarding profile for Global Secure Access (preview)
-
-If you're tunneling your Microsoft 365 traffic through the Microsoft Entra Internet Access service, you can assign remote networks to the traffic forwarding profile. Your end users can access Microsoft 365 resources by connecting to the service from a remote network, such as a branch office location.
-
-There are multiple ways to assign a remote network to the traffic forwarding profile:
--- When you create or manage a remote network in the Microsoft Entra admin center-- When you enable or manage the traffic forwarding profile in the Microsoft Entra admin center-- Using the Microsoft Graph API-
-## Prerequisites
-
-To assign a remote network to a traffic forwarding profile to, you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID. -- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-- To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.-
-### Known limitations
--- At this time, remote networks can only be assigned to the Microsoft 365 traffic forwarding profile.-
-## Assign the Microsoft 365 traffic profile to a remote network
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote network**.
-1. Select a remote network.
-1. Select **Traffic profiles**.
-1. Select (or unselect) the checkbox for **Microsoft 365 traffic forwarding profile**.
-1. Select **Save**.
-
-![Screenshot of the traffic profiles in Remote networks.](media/how-to-assign-traffic-profile-to-remote-network/remote-network-traffic-profile.png)
-
-## Assign a remote network to the Microsoft 365 traffic forwarding profile
-
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Traffic forwarding**.
-1. Select the **Add/edit assignments** button for **Microsoft 365 traffic profile**.
-
-![Screenshot of the add/edit assignment button on the Microsoft 365 traffic profile.](media/how-to-assign-traffic-profile-to-remote-network/microsoft-365-traffic-profile-remote-network-button.png)
-
-### Assign a traffic profile to a remote network using the Microsoft Graph API
-
-Associating a traffic profile to your remote network using the Microsoft Graph API is two-step process. First, you need to get the traffic forwarding profile ID. This ID is unique for all tenants. With the traffic forwarding profile ID, you can assign the traffic forwarding profile with your remote network.
-
-A traffic forwarding profile can be assigned using Microsoft Graph on the `/beta` endpoint.
-
-1. Open a web browser and navigate to the Graph Explorer at https://aka.ms/ge.
-1. SelectΓÇ»**GET** as the HTTP method from the dropdown.
-1. Select the API version toΓÇ»**beta**.
-1. Enter the query:
- ```
- GET https://graph.microsoft.com/beta/networkaccess/forwardingprofiles
- ```
-1. SelectΓÇ»**Run query**.
-1. Find the ID of the desired traffic forwarding profile.
-1. Select PATCH as the HTTP method from the dropdown.
-1. Enter the query:
- ```
- PATCH https://graph.microsoft.com/beta/networkaccess/branches/d2b05c5-1e2e-4f1d-ba5a-1a678382ef16/forwardingProfiles
- {
- "@odata.context": "#$delta",
- "value":
- [{
- "ID": "1adaf535-1e31-4e14-983f-2270408162bf"
- }]
- }
- ```
-1. Select **Run query** to update the branch.
--
-## Next steps
-- [List remote networks](how-to-list-remote-networks.md)
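Review bot: The PATCH example in the Microsoft Graph section uses a branch ID, `d2b05c5-1e2e-4f1d-ba5a-1a678382ef16`, whose first group has seven hex characters instead of eight, so the sample is not a well-formed GUID and should be replaced with a clearly marked placeholder if this procedure is kept anywhere. The two requests also disagree on casing (`forwardingprofiles` in the GET, `forwardingProfiles` in the PATCH), and the URL and step 9 say "branch" while the rest of the article says "remote network". "This ID is unique for all tenants" is ambiguous about whether the ID differs per tenant; state which. Steps 2, 3 and 5 contain encoding debris ("SelectΓÇ»**GET**"), and the Prerequisites lead-in has a stray "to" in "to a traffic forwarding profile to, you must have".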
global-secure-access How To Compliant Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-compliant-network.md
- Title: Enable compliant network check with Conditional Access
-description: Learn how to require known compliant network locations in order to connect to your secured resources with Conditional Access.
---- Previously updated : 08/09/2023------
-# Enable compliant network check with Conditional Access
-
-Organizations who use Conditional Access along with the Global Secure Access preview, can prevent malicious access to Microsoft apps, third-party SaaS apps, and private line-of-business (LoB) apps using multiple conditions to provide defense-in-depth. These conditions may include device compliance, location, and more to provide protection against user identity or token theft. Global Secure Access introduces the concept of a compliant network within Conditional Access and continuous access evaluation. This compliant network check ensures users connect from a verified network connectivity model for their specific tenant and are compliant with security policies enforced by administrators.
-
-The Global Secure Access Client installed on devices or configured remote network allows administrators to secure resources behind a compliant network with advanced Conditional Access controls. This compliant network makes it easier for administrators to manage and maintain, without having to maintain a list of all of an organization's locations IP addresses. Administrators don't need to hairpin traffic through their organization's VPN egress points to ensure security.
-
-This compliant network check is specific to each tenant.
--- Using this check you can ensure that other organizations using Microsoft's Global Secure Access services can't access your resources.
- - For example: Contoso can protect their services like Exchange Online and SharePoint Online behind their compliant network check to ensure only Contoso users can access these resources.
- - If another organization like Fabrikam was using a compliant network check, they wouldn't pass Contoso's compliant network check.
-
-The compliant network is different than [IPv4, IPv6, or geographic locations](/azure/active-directory/conditional-access/location-condition) you may configure in Microsoft Entra ID. No administrator upkeep is required.
-
-## Prerequisites
-
-* Administrators who interact with **Global Secure Access preview** features must have one or more of the following role assignments depending on the tasks they're performing.
- * The **Global Secure Access Administrator** role to manage the Global Secure Access preview features
- * [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies and named locations.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-* To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.
-
-### Known limitations
--- Continuous access evaluation is not currently supported for compliant network check.-
-## Enable Global Secure Access signaling for Conditional Access
-
-To enable the required setting to allow the compliant network check, an administrator must take the following steps.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (Preview)** > **Global settings** > **Session management** **Adaptive access**.
-1. Select the toggle to **Enable Global Secure Access signaling in Conditional Access**.
-1. Browse to **Protection** > **Conditional Access** > **Named locations**.
- 1. Confirm you have a location called **All Compliant Network locations** with location type **Network Access**. Organizations can optionally mark this location as trusted.
--
-> [!CAUTION]
-> If your organization has active Conditional Access policies based on compliant network check, and you disable Global Secure Access signaling in Conditional Access, you may unintentionally block targeted end-users from being able to access the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.
-
-## Protect Exchange and SharePoint Online behind the compliant network
-
-The following example shows a Conditional Access policy that requires Exchange Online and SharePoint Online to be accessed from behind a compliant network as part of the preview.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator).
-1. Browse to **Protection** > **Conditional Access**.
-1. Select **Create new policy**.
-1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-1. Under **Assignments**, select **Users or workload identities**.
- 1. Under **Include**, select **All users**.
- 1. Under **Exclude**, select **Users and groups** and choose your organization's [emergency access or break-glass accounts](#user-exclusions).
-1. Under **Target resources** > **Include**, and select **Select apps**.
- 1. Choose **Office 365 Exchange Online** and/or **Office 365 SharePoint Online**.
- 1. Office 365 apps are currently NOT supported, so do not select this option.
-1. Under **Conditions** > **Location**.
- 1. Set **Configure** to **Yes**
- 1. Under **Include**, select **Any location**.
- 1. Under **Exclude**, select **Selected locations**
- 1. Select the **All Compliant Network locations** location.
- 1. Select **Select**.
-1. Under **Access controls**:
- 1. **Grant**, select **Block Access**, and select **Select**.
-1. Confirm your settings and set **Enable policy** to **Report-only**.
-1. Select **Create** to create to enable your policy.
-
-After administrators confirm the policy settings using [report-only mode](/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
-
-### User exclusions
--
-## Try your compliant network policy
-
-1. On an end-user device with the [NaaS client installed and running](how-to-install-windows-client.md)
-1. Browse to [https://outlook.office.com/mail/](https://outlook.office.com/mail/) or `https://yourcompanyname.sharepoint.com/`, you have access to resources.
-1. Pause the NaaS client by right-clicking the application in the Windows tray and selecting **Pause**.
-1. Browse to [https://outlook.office.com/mail/](https://outlook.office.com/mail/) or `https://yourcompanyname.sharepoint.com/`, you're blocked from accessing resources with an error message that says **You cannot access this right now**.
--
-## Troubleshooting
-
-Verify the new named location was automatically created using [Microsoft Graph](https://developer.microsoft.com/graph/graph-explorer).
-
-`GET https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations`
---
-## Next steps
-
-[The Global Secure Access Client for Windows (preview)](how-to-install-windows-client.md)
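Review bot: The "### User exclusions" heading has no body, although the policy steps link to it (`#user-exclusions`) for the emergency access or break-glass exclusion; for a policy whose grant control is **Block Access**, that guidance needs to be present wherever this procedure now lives. The introduction says the compliant network works "within Conditional Access and continuous access evaluation" while Known limitations says continuous access evaluation is not currently supported for the compliant network check; one of the two needs correcting. Smaller items: the path "**Session management** **Adaptive access**" is missing its ">" separator, "Office 365 apps are currently NOT supported" is written as a numbered sub-step rather than a note, "Select **Create** to create to enable your policy" is garbled, and the test section says "NaaS client" where the rest of the article says Global Secure Access Client.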
global-secure-access How To Configure Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-configure-connectors.md
- Title: How to configure connectors for Microsoft Entra Private Access
-description: Learn how to configure App Proxy connectors for Microsoft Entra Private Access.
---- Previously updated : 08/09/2023----
-# How to configure App Proxy connectors for Microsoft Entra Private Access
-
-Connectors are lightweight agents that sit on-premises and facilitate the outbound connection to the Global Secure Access service. Connectors must be installed on a Windows Server that has access to the backend application. You can organize connectors into connector groups, with each group handling traffic to specific applications. To learn more about connectors, see [Understand Microsoft Entra application proxy connectors](/azure/active-directory/app-proxy/application-proxy-connectors).
-
-## Prerequisites
-
-To add an on-premises application to Microsoft Entra ID you need:
-
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-* An Application Administrator account.
-
-User identities must be synchronized from an on-premises directory or created directly within your Microsoft Entra tenants. Identity synchronization allows Microsoft Entra ID to pre-authenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
-
-### Windows server
-
-To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.
--- For high availability in your environment, we recommend having more than one Windows server. -- The minimum .NET version required for the connector is v4.7.1+.-- For more information, see [App Proxy connectors](/azure/active-directory/app-proxy/application-proxy-connectors#requirements-and-deployment).-- For more information, see [Determine which .NET framework versions are installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed).-
-### Prepare your on-premises environment
-
-Start by enabling communication to Azure data centers to prepare your environment for Microsoft Entra application proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy.
-
-> [!IMPORTANT]
-> If you are installing the connector for Azure Government cloud follow the [prerequisites](/azure/active-directory/hybrid/connect/reference-connect-government-cloud#allow-access-to-urls) and [installation steps](/azure/active-directory/hybrid/connect/reference-connect-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation.
-
-#### Open ports
-
-Open the following ports to **outbound** traffic.
-
-| Port number | How it's used |
-| -- | |
-| 80 | Downloading certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
-| 443 | All outbound communication with the Application Proxy service |
-
-If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a Network Service.
-
-#### Allow access to URLs
-
-Allow access to the following URLs:
-
-| URL | Port | How it's used |
-| | | |
-| `*.msappproxy.net` <br> `*.servicebus.windows.net` | 443/HTTPS | Communication between the connector and the Application Proxy cloud service |
-| `crl3.digicert.com` <br> `crl4.digicert.com` <br> `ocsp.digicert.com` <br> `crl.microsoft.com` <br> `oneocsp.microsoft.com` <br> `ocsp.msocsp.com`<br> | 80/HTTP | The connector uses these URLs to verify certificates. |
-| `login.windows.net` <br> `secure.aadcdn.microsoftonline-p.com` <br> `*.microsoftonline.com` <br> `*.microsoftonline-p.com` <br> `*.msauth.net` <br> `*.msauthimages.net` <br> `*.msecnd.net` <br> `*.msftauth.net` <br> `*.msftauthimages.net` <br> `*.phonefactor.net` <br> `enterpriseregistration.windows.net` <br> `management.azure.com` <br> `policykeyservice.dc.ad.msft.net` <br> `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 443/HTTPS | The connector uses these URLs during the registration process. |
-| `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 80/HTTP | The connector uses these URLs during the registration process. |
-
-You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other URLs above if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.
-
-> [!IMPORTANT]
-> Avoid all forms of inline inspection and termination on outbound TLS communications between Microsoft Entra application proxy connectors and Microsoft Entra application proxy Cloud services.
-
-## Install and register a connector
-
-To use Private Access, install a connector on each Windows server you're using for Microsoft Entra Private Access. The connector is an agent that manages the outbound connection from the on-premises application servers to Global Secure Access. You can install a connector on servers that also have other authentication agents installed such as Microsoft Entra Connect.
-
-> [!NOTE]
-> Setting up App Proxy connectors and connector groups require planning and testing to ensure you have the right configuration for your organization. If you don't already have connector groups set up, pause this process and return when you have a connector group ready.
->
->The minimum version of connector required for Private Access is **1.5.3417.0**.
->Starting from the version 1.5.3437.0, having the .NET version 4.7.1 or greater is required for successful installation (upgrade).
--
-**To install the connector**:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a Global Administrator of the directory that uses Application Proxy.
- - For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.
-1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy.
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Connectors**.
-1. Select **Download connector service**.
-
- ![Screenshot of the Download connector service button in the App proxy page.](media/how-to-configure-connectors/app-proxy-download-connector-service.png)
-1. Read the Terms of Service. When you're ready, select **Accept terms & Download**.
-1. At the bottom of the window, select **Run** to install the connector. An install wizard opens.
-1. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Microsoft Entra tenant, provide your Global Administrator credentials.
- - For Internet Explorer (IE): If IE Enhanced Security Configuration is set to On, you may not see the registration screen. To get access, follow the instructions in the error message. Make sure that Internet Explorer Enhanced Security Configuration is set to Off.
-
-## Things to know
-
-If you've previously installed a connector, reinstall it to get the latest version. When upgrading, uninstall the existing connector and delete any related folders. To see information about previously released versions and what changes they include, see [Application Proxy: Version Release History](/azure/active-directory/app-proxy/application-proxy-release-version-history).
-
-If you choose to have more than one Windows server for your on-premises applications, you need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](/azure/active-directory/app-proxy/application-proxy-connector-groups).
-
-If you have installed connectors in different regions, you can optimize traffic by selecting the closest Application Proxy cloud service region to use with each connector group, see [Optimize traffic flow with Microsoft Entra application proxy](/azure/active-directory/app-proxy/application-proxy-network-topology).
-
-## Verify the installation and registration
-
-You can use the Global Secure Access portal or your Windows server to confirm that a new connector installed correctly.
-
-### Verify the installation through the Microsoft Entra admin center
-
-To confirm the connector installed and registered correctly:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a Global Administrator of the directory that uses Application Proxy.
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Connectors**
- - All of your connectors and connector groups appear on this page.
-1. View a connector to verify its details.
- - Expand the connector to view the details if it's not already expanded.
- - An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.
-
- ![Screenshot of the connector groups and connector group details.](media/how-to-configure-connectors/app-proxy-connectors-status.png)
-
-For more help with installing a connector, see [Problem installing the Application Proxy Connector](/azure/active-directory/app-proxy/application-proxy-connector-installation-problem).
-
-### Verify the installation through your Windows server
-
-To confirm the connector installed and registered correctly:
-1. Select the **Windows** key and enter `services.msc` to open the Windows Services Manager.
-1. Check to see if the status for the following services **Running**.
- - *Microsoft Entra application proxy Connector* enables connectivity.
- - *Microsoft Entra application proxy Connector Updater* is an automated update service.
- - The updater checks for new versions of the connector and updates the connector as needed.
-
- ![Screenshot of the App proxy connector and connector updater services in Windows Services Manager.](media/how-to-configure-connectors/app-proxy-services.png)
-
-1. If the status for the services isn't **Running**, right-click to select each service and choose **Start**.
-
-## Create connector groups
-
-To create as many connector groups as you want:
-
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Connectors**.
-1. Select **New connector group**.
-1. Give your new connector group a name, then use the dropdown menu to select which connectors belong in this group.
-1. Select **Save**.
-
-To learn more about connector groups, see [Publish applications on separate networks and locations using connector groups](/azure/active-directory/app-proxy/application-proxy-connector-groups).
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Private Access is to configure the Quick Access or Global Secure Access application:
-- [Configure Quick Access to your private resources](how-to-configure-quick-access.md)-- [Configure per-app access for Microsoft Entra Private Access](how-to-configure-per-app-access.md)
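Review bot: the whole **Verify the installation and registration** section is removed here, including the caveat that a green label does not rule out a network issue blocking the connector, and nothing visible in this hunk replaces it. Confirm that whichever article takes over this content still covers both the admin center check and the `services.msc` check. If the text is reused, the step `Check to see if the status for the following services **Running**` is missing "is", and the second verification step should end with a period like its neighbours.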
global-secure-access How To Configure Customer Premises Equipment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-configure-customer-premises-equipment.md
- Title: How to configure customer premises equipment for Global Secure Access (preview)
-description: Learn how to configure customer premises equipment for Global Secure Access (preview).
---- Previously updated : 06/08/2023----
-# Configure customer premises equipment for Global Secure Access (preview)
-
-IPSec tunnel is a bidirectional communication. One side of the communication is established when [adding a device link to a remote network](how-to-manage-remote-network-device-links.md) in Global Secure Access (preview). During that process, you enter your public IP address and BGP addresses in the Microsoft Entra admin center to tell us about your network configurations.
-
-The other side of the communication channel is configured on your customer premises equipment (CPE). This article provides the steps to set up your CPE using the network configurations provided by Microsoft.
-
-## Prerequisites
-
-To configure your customer premises equipment (CPE), you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID.-- Sent an email to Global Secure Access onboarding according to the onboarding process in the **Remote network** area of Global Secure Access.-- Received the connectivity information from Global Secure Access onboarding.-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-## How to configure your customer premises equipment
-
-To onboard to Global Secure Access remote network connectivity, you must have completed the [onboarding process](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks). In order to configure your CPE, you need the connectivity information provided by the Global Secure Access onboarding team.
-
-Once you have the details you need, go to the preferred interface of your CPE (UX or API), and enter the information you received to set up the IPSec tunnel. Follow the instructions provided by the CPE provider.
-
-> [!IMPORTANT]
->The crypto profile you specified for the device link should match with what you specify on your CPE. If you chose the "default" IKE policy when configuring the device link, use the configurations described in the [Remote network configurations](reference-remote-network-configurations.md) article.
--
-## Next steps
--- [How to manage remote networks](how-to-manage-remote-networks.md)-- [How to manage remote network device links](how-to-manage-remote-network-device-links.md)
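Review bot: the `[!IMPORTANT]` note near the end of this hunk is the only visible statement that the crypto profile on the device link must match the one set on the CPE, and it is deleted with the rest of the article. Confirm that requirement, and the pointer to reference-remote-network-configurations.md for the "default" IKE policy, is kept wherever CPE setup is now documented. If the Prerequisites list is reused, make its items parallel: it currently mixes a role, two completed actions and a licensing sentence.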
global-secure-access How To Configure Per App Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-configure-per-app-access.md
- Title: How to configure Per-app Access using Global Secure Access applications
-description: Learn how to configure per-app access to your private, internal resources using Global Secure Access applications for Microsoft Entra Private Access.
---- Previously updated : 07/27/2023----
-# How to configure Per-app Access using Global Secure Access applications
-
-Microsoft Entra Private Access provides secure access to your organization's internal resources. You create a Global Secure Access application and specify the internal, private resources that you want to secure. By configuring a Global Secure Access application, you're creating per-app access to your internal resources. Global Secure Access application provides a more detailed ability to manage how the resources are accessed on a per-app basis.
-
-This article describes how to configure Per-app Access using Global Secure Access applications.
-
-## Prerequisites
-
-To configure a Global Secure Access app, you must have:
--- The **Global Secure Access Administrator** and **Application Administrator** roles in Microsoft Entra ID-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-To manage App Proxy connector groups, which is required for Global Secure Access apps, you must have:
--- An **Application Administrator** role in Microsoft Entra ID-- Microsoft Entra ID P1 or P2 licenses-
-### Known limitations
--- Avoid overlapping app segments between Quick Access and Global Secure Access apps.-- Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local subnet.-- At this time, Private Access traffic can only be acquired with the Global Secure Access Client. Remote networks can't be assigned to the Private access traffic forwarding profile.-
-## Setup overview
-
-Per-App Access is configured by creating a new Global Secure Access app. You create the app, select a connector group, and add network access segments. These settings make up the individual app that you can assign users and groups to.
-
-To configure Per-App Access, you need to have a connector group with at least one active [Microsoft Entra application proxy](/azure/active-directory/app-proxy/application-proxy) connector. This connector group handles the traffic to this new application. With Connectors, you can isolate apps per network and connector.
-
-To summarize, the overall process is as follows:
-
-1. Create a connector group with at least one active App Proxy connector, if you don't already have one. If you already have a connector group, make sure you're on the latest version.
-1. Create a Global Secure Access app.
-1. Assign users and groups to the app.
-1. Configure Conditional Access policies.
-1. Enable Microsoft Entra Private Access.
-
-Let's look at each of these steps in more detail.
-
-## Create an App Proxy connector group
-
-To configure a Global Secure Access app, you must have a connector group with at least one active App Proxy connector.
-
-If you don't already have a connector set up, see [Configure connectors](how-to-configure-connectors.md).
-
-> [!NOTE]
-> If you've previously installed a connector, reinstall it to get the latest version. When upgrading, uninstall the existing connector and delete any related folders.
->
-> The minimum version of connector required for Private Access is **1.5.3417.0**.
-## Create a Global Secure Access application
-
-To create a new app, you provide a name, select a connector group, and then add application segments. App segments include the fully qualified domain names (FQDNs) and IP addresses you want to tunnel through the service. You can complete all three steps at the same time, or you can add them after the initial setup is complete.
-
-### Choose name and connector group
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with the appropriate roles.
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Enterprise applications**.
-1. Select **New application**.
-
- ![Screenshot of the Enterprise apps and Add new application button.](media/how-to-configure-per-app-access/new-enterprise-app.png)
-
-1. Enter a name for the app.
-1. Select a Connector group from the dropdown menu.
- - Existing connector groups appear in the dropdown menu.
-1. Select the **Save** button at the bottom of the page to create your app without adding private resources.
-
-### Add application segment
-
-The **Add application segment** process is where you define the FQDNs and IP addresses that you want to include in the traffic for the Global Secure Access app. You can add sites when you create the app and return to add more or edit them later.
-
-You can add fully qualified domain names (FQDN), IP addresses, and IP address ranges.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Enterprise applications**.
-1. Select **New application**.
-1. Select **Add application segment**.
-
- ![Screenshot of the Add application segment button.](media/how-to-configure-per-app-access/enterprise-app-add-application-segment.png)
-
- - **IP address**: Internet Protocol version 4 (IPv4) address, such as 192.0.2.1, that identifies a device on the network.
- - **Fully qualified domain name** (including wildcard FQDNs): Domain name that specifies the exact location of a computer or a host in the Domain Name System (DNS).
- - **IP address range (CIDR)**: Classless Inter-Domain Routing is a way of representing a range of IP addresses in which an IP address is followed by a suffix that indicates the number of network bits in the subnet mask. For example, 192.0.2.0/24 indicates that the first 24 bits of the IP address represent the network address, while the remaining 8 bits represents the host address.
- - **IP address range (IP to IP)**: Range of IP addresses from start IP (such as 192.0.2.1) to end IP (such as 192.0.2.10).
-1. Enter the appropriate detail for what you selected.
-1. Enter the port. The following table provides the most commonly used ports and their associated networking protocols:
-
- | Port | Protocol |
- | | |
- | 22 | Secure Shell (SSH) |
- | 80 | Hypertext Transfer Protocol (HTTP) |
- | 443 | Hypertext Transfer Protocol Secure (HTTPS) |
- | 445 | Server Message Block (SMB) file sharing |
- | 3389 | Remote Desktop Protocol (RDP) |
-1. Select the **Save** button when you're finished.
-
-> [!NOTE]
-> You can add up to 500 application segments to your app.
->
-> Do not overlap FQDNs, IP addresses, and IP ranges between your Quick Access app and any Private Access apps.
-
-### Assign users and groups
-
-You need to grant access to the app you created by assigning users and/or groups to the app. For more information, see [Assign users and groups to an application.](/azure/active-directory/manage-apps/assign-user-or-group-access-portal)
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Enterprise applications**.
-1. Search for and select your application.
-1. Select **Users and groups** from the side menu.
-1. Add users and groups as needed.
-
-> [!NOTE]
-> Users must be directly assigned to the app or to the group assigned to the app. Nested groups are not supported.
-
-## Update application segments
-
-You can add or update the FQDNs and IP addresses included in your app at any time.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Enterprise applications**.
-1. Search for and select your application.
-1. Select **Network access properties** from the side menu.
- - To add a new FQDN or IP address, select **Add application segment**.
- - To edit an existing app, select it from the **Destination type** column.
-
-## Enable or disable access with the Global Secure Access Client
-
-You can enable or disable access to the Global Secure Access app using the Global Secure Access Client. This option is selected by default, but can be disabled, so the FQDNs and IP addresses included in the app segments aren't tunneled through the service.
-
-![Screenshot of the enable access checkbox.](media/how-to-configure-per-app-access/per-app-access-enable-checkbox.png)
-
-## Assign Conditional Access policies
-
-Conditional Access policies for Per-app Access are configured at the application level for each app. Conditional Access policies can be created and applied to the application from two places:
--- Go to **Global Secure Access (preview)** > **Applications** > **Enterprise applications**. Select an application and then select **Conditional Access** from the side menu.-- Go to **Protection** > **Conditional Access** > **Policies**. Select **+ Create new policy**.-
-For more information, see [Apply Conditional Access policies to Private Access apps](how-to-target-resource-private-access-apps.md).
-
-## Enable Microsoft Entra Private Access
-
-Once you have your app configured, your private resources added, users assigned to the app, you can enable the Private access traffic forwarding profile. You can enable the profile before configuring a Global Secure Access app, but without the app and profile configured, there's no traffic to forward.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Traffic forwarding**.
-1. Select the checkbox for **Private access profile**.
-
-![Screenshot of the traffic forwarding page with the Private access profile enabled.](media/how-to-configure-per-app-access/private-access-traffic-profile.png)
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Private Access is to [enable the Private Access traffic forwarding profile](how-to-manage-private-access-profile.md).
-
-For more information about Private Access, see the following articles:
-- [Learn about traffic management profiles](concept-traffic-forwarding.md)-- [Manage the Private Access traffic profile](how-to-manage-private-access-profile.md)-- [Apply Conditional Access policies to the Global Secure Access application](how-to-target-resource-private-access-apps.md)
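Review bot: under **Add application segment**, the four destination-type bullets follow the screenshot with no step introducing them; the Quick Access article has the step "In the **Create application segment** panel that opens, select a **Destination type**" at the same point, so the next step ("Enter the appropriate detail for what you selected") refers to a selection the reader was never told to make. In the same list the port table's separator row is `| | |` rather than `| -- | -- |`, so the table will not render. Fix both if this procedure is reused, and keep the two notes on overlapping segments and unsupported nested groups with it.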
global-secure-access How To Configure Quick Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-configure-quick-access.md
- Title: How to configure Quick Access for Global Secure Access
-description: Learn how to specify the internal resources to secure with Microsoft Entra Private Access using a Quick Access app.
---- Previously updated : 07/27/2023-----
-# How to configure Quick Access for Global Secure Access
-
-With Global Secure Access, you can define specific fully qualified domain names (FQDNs) or IP addresses of private resources to include in the traffic for Microsoft Entra Private Access. Your organization's employees can then access the apps and sites that you specify. This article describes how to configure Quick Access for Microsoft Entra Private Access.
-
-## Prerequisites
-
-To configure Quick Access, you must have:
--- The **Global Secure Access Administrator** and **Application Administrator** roles in Microsoft Entra ID-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-To manage App Proxy connector groups, which is required for Quick Access, you must have:
--- An **Application Administrator** role in Microsoft Entra ID-- Microsoft Entra ID P1 or P2 licenses-
-### Known limitations
--- Avoid overlapping app segments between Quick Access and per-app access.-- Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local subnet. -- At this time, Private access traffic can only be acquired with the Global Secure Access Client. Remote networks can't be assigned to the Private access traffic forwarding profile.-
-## Setup overview
-
-Configuring your Quick Access settings is a major component to utilizing Microsoft Entra Private Access. When you configure Quick Access for the first time, Private Access creates a new enterprise application. The properties of this new app are automatically configured to work with Private Access.
-
-To configure Quick Access, you need to have a connector group with at least one active [Microsoft Entra application proxy](/azure/active-directory/app-proxy/application-proxy) connector. The connector group handles the traffic to this new application. Once you have Quick Access and an App proxy connector group configured, you need to grant access to the app.
-
-To summarize, the overall process is as follows:
-
-1. Create a connector group with at least one active App Proxy connector, if you don't already have one. If you already have a connector group, make sure you're on the latest version.
-1. Configure Quick Access, which creates a new enterprise app.
-1. Assign users and groups to the app.
-1. Configure Conditional Access policies.
-1. Enable the Private access traffic forwarding profile.
-
-Let's look at each of these steps in more detail.
-
-## Create an App Proxy connector group
-
-To configure Quick Access, you must have a connector group with at least one active App Proxy connector.
-
-If you don't already have a connector group set up, see [Configure connectors for Quick Access](how-to-configure-connectors.md).
-
-> [!NOTE]
-> If you've previously installed a connector, reinstall it to get the latest version. When upgrading, uninstall the existing connector and delete any related folders.
->
-> The minimum version of connector required for Private Access is **1.5.3417.0**.
--
-## Configure Quick Access
-
-On the Quick Access page, you provide a name for the Quick Access app, select a connector group, and add application segments, which include FQDNs and IP addresses. You can complete all three steps at the same time, or you can add the application segments after the initial setup is complete.
-
-### Name and connector group
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with the appropriate roles.
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Quick access**.
-1. Enter a name. *We recommend using the name Quick Access*.
-1. Select a Connector group from the dropdown menu.
-
- ![Screenshot of the Quick Access app name.](media/how-to-configure-quick-access/new-quick-access-name.png)
-
- - Existing connector groups appear in the dropdown menu.
-1. Select the **Save** button at the bottom of the page to create your "Quick Access" app without FQDNs and IP addresses.
-
-### Add Quick Access application segment
-
-The **Add Quick Access application segment** portion of this process is where you define the FQDNs and IP addresses that you want to include in the traffic for Microsoft Entra Private Access. You can add these resources when you create the Quick Access app and return to add more or edit them later.
-
-You can add fully qualified domain names (FQDN), IP addresses, and IP address ranges.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Quick Access**.
-1. Select **Add Quick Access application segment**.
-
- ![Screenshot of the Add Quick Access application segment button.](media/how-to-configure-quick-access/add-quick-access-application-segment.png)
-
-1. In the **Create application segment** panel that opens, select a **Destination type**. Choose from one of the following options. Depending on what you select, the subsequent fields change accordingly.
- - **IP address**: Internet Protocol version 4 (IPv4) address, such as 192.0.2.1, that identifies a device on the network.
- - **Fully qualified domain name** (including wildcard FQDNs): Domain name that specifies the exact location of a computer or a host in the Domain Name System (DNS).
- - **IP address range (CIDR)**: Classless Inter-Domain Routing is a way of representing a range of IP addresses in which an IP address is followed by a suffix indicating the number of network bits in the subnet mask. For example 192.0.2.0/24 indicates that the first 24 bits of the IP address represent the network address, while the remaining 8 bits represents the host address.
- - **IP address range (IP to IP)**: Range of IP addresses from start IP (such as 192.0.2.1) to end IP (such as 192.0.2.10).
-1. Enter the appropriate detail for what you selected.
-1. Enter the port. The following table provides the most commonly used ports and their associated networking protocols:
-
- | Port | Protocol |
- | -- | -- |
- | 22 | Secure Shell (SSH) |
- | 80 | Hypertext Transfer Protocol (HTTP) |
- | 443 | Hypertext Transfer Protocol Secure (HTTPS) |
- | 445 | Server Message Block (SMB) file sharing |
- | 3389 | Remote Desktop Protocol (RDP) |
-
-1. Select the **Save** button when you're finished.
-
-> [!NOTE]
-> You can add up to 500 application segments to your Quick Access app.
->
-> Do not overlap FQDNs, IP addresses, and IP ranges between your Quick Access app and any Private Access apps.
-
-## Assign users and groups
-
-When you configure Quick Access, a new enterprise app is created on your behalf. You need to grant access to the Quick Access app you created by assigning users and/or groups to the app.
-
-You can view the properties from **Quick Access** or navigate to **Enterprise applications** and search for your Quick Access app.
-
-1. Select the **Edit application settings** button from Quick Access.
-
- ![Screenshot of the edit application settings button.](media/how-to-configure-quick-access/edit-application-settings.png)
-
-1. Select **Users and groups** from the side menu.
-
-1. Add users and groups as needed.
- - For more information, see [Assign users and groups to an application](/azure/active-directory/manage-apps/assign-user-or-group-access-portal).
-
-> [!NOTE]
-> Users must be directly assigned to the app or to the group assigned to the app. Nested groups are not supported.
-
-## Update Quick Access application segments
-
-You can add or update the FQDNs and IP addresses included in your Quick Access app at any time.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Quick Access**.
- - To add an FQDN or IP address, select **Add Quick Access application segment**.
- - To edit an FQDN or IP address, select it from the **Destination type** column.
-
-## Link Conditional Access policies
-
-Conditional Access policies can be applied to your Quick Access app. Applying Conditional Access policies provides more options for managing access to applications, sites, and services.
-
-Creating a Conditional Access policy is covered in detail in [How to create a Conditional Access policy for Private Access apps](how-to-target-resource-private-access-apps.md).
-
-## Enable Microsoft Entra Private Access
-
-Once you have your Quick Access app configured, your private resources added, users assigned to the app, you can enable the Private access profile from the **Traffic forwarding** area of Global Secure Access. You can enable the profile before configuring Quick Access, but without the app and profile configured, there's no traffic to forward.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Traffic forwarding**.
-1. Select the checkbox for **Private access profile**.
-
-![Screenshot of the traffic forwarding page with the Private access profile enabled.](media/how-to-configure-quick-access/private-access-traffic-profile.png)
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Private Access is to [enable the Private Access traffic forwarding profile](how-to-manage-private-access-profile.md).
-
-For more information about Private Access, see the following articles:
-- [Learn about traffic profiles](concept-traffic-forwarding.md)-- [Configure per-app access](how-to-configure-per-app-access.md)
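Review bot: the **Setup overview** lists "Configure Conditional Access policies" as step 4 of the process, but the **Link Conditional Access policies** section only says policies "can be applied" to the Quick Access app, so the article never says whether the step is required before enabling the Private access profile. State that consistently wherever this content is kept. The navigation label is also cased two ways in the steps (**Quick access** under "Name and connector group", **Quick Access** elsewhere), and "your private resources added, users assigned to the app" in the last section needs an "and".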
global-secure-access How To Create Remote Network Custom Ike Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-create-remote-network-custom-ike-policy.md
- Title: How to create a remote network with a customer IKE policy for Global Secure Access (preview)
-description: Learn how to create a remote network with a customer IKE policy for Global Secure Access (preview).
---- Previously updated : 06/08/2023----
-# Create a remote network with a customer IKE policy for Global Secure Access (preview)
-
-IPSec tunnel is a bidirectional communication. This article provides the steps to set up the policy side the communication channel using the Microsoft Graph API. The other side of the communication is configured on your customer premises equipment.
-
-For more information about creating a remote network and the custom IKE policy, see [Create a remote network](how-to-create-remote-networks.md#create-a-remote-network) and [Remote network configurations](reference-remote-network-configurations.md).
--
-## Prerequisites
-
-To create a remote network with a custom IKE policy, you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID.-- Sent an email to Global Secure Access onboarding team according to the [onboarding process](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks).-- Received the connectivity information from Global Secure Access onboarding.-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-## How to use Microsoft Graph to create a remote network with a custom IKE policy
-
-Remote networks with a custom IKE policy can be created using Microsoft Graph on the `/beta` endpoint.
-
-To get started, follow these instructions to work with remote networks using the Microsoft Graph API in Graph Explorer.
-
-1. Sign in to [Graph Explorer](https://aka.ms/ge).
-1. Select **POST** as the HTTP method from the dropdown.
-1. Set the API version to **beta**.
-1. Add the following query, then select the **Run query** button.
-
-```http
- POST https://graph.microsoft.com/beta/networkaccess/connectivity/branches
-{
- "name": "BranchOffice_CustomIKE",
- "region": "eastUS",
- "deviceLinks": [
- {
- "name": "custom link",
- "ipAddress": "114.20.4.14",
- "deviceVendor": "ciscoMeraki",
- "tunnelConfiguration": {
- "saLifeTimeSeconds": 300,
- "ipSecEncryption": "gcmAes128",
- "ipSecIntegrity": "gcmAes128",
- "ikeEncryption": "aes128",
- "ikeIntegrity": "sha256",
- "dhGroup": "ecp384",
- "pfsGroup": "ecp384",
- "@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom",
- "preSharedKey": "SHAREDKEY"
- },
- "bgpConfiguration": {
- "localIpAddress": "10.1.1.11",
- "peerIpAddress": "10.6.6.6",
- "asn": 65000
- },
- "redundancyConfiguration": {
- "redundancyTier": "zoneRedundancy",
- "zoneLocalIpAddress": "10.1.1.12"
- },
- "bandwidthCapacityInMbps": "mbps250"
- }
- ]
-}
-```
--
-## Next steps
--- [How to manage remote networks](how-to-manage-remote-networks.md)-- [How to manage remote network device links](how-to-manage-remote-network-device-links.md)
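Review bot: the sample request in the `http` block uses `"ipAddress": "114.20.4.14"`, a publicly routable address, while the other articles in this change use the documentation range (192.0.2.1, 192.0.2.0/24); switch to a documentation address if the sample is republished. The same block sets `"preSharedKey": "SHAREDKEY"` with no surrounding text telling readers to substitute their own key, so use an obvious placeholder such as `<pre-shared-key>` and say so in the step. The title, description and H1 say "customer IKE policy" where the body and file name say "custom IKE policy", and "the policy side the communication channel" is missing "of".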
global-secure-access How To Create Remote Networks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-create-remote-networks.md
- Title: How to create remote networks for Global Secure Access (preview)
-description: Learn how to create remote networks, such as branch office locations, for Global Secure Access (preview).
---- Previously updated : 08/30/2023---
-# How to create a remote network
-
-Remote networks are remote locations, such as a branch office, or networks that require internet connectivity. Setting up remote networks connects your users in remote locations to Global Secure Access (preview). Once a remote network is configured, you can assign a traffic forwarding profile to manage your corporate network traffic. Global Secure Access provides remote network connectivity so you can apply network security policies to your outbound traffic.
-
-There are multiple ways to connect remote networks to Global Secure Access. In a nutshell, you're creating an Internet Protocol Security (IPSec) tunnel between a core router at your remote network and the nearest Global Secure Access endpoint. All internet-bound traffic is routed through the core router of the remote network for security policy evaluation in the cloud. Installation of a client isn't required on individual devices.
-
-This article explains how to create a remote network for Global Secure Access (preview).
-
-## Prerequisites
-
-To configure remote networks, you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID-- Completed the [onboarding process](#onboard-your-tenant-for-remote-networks) for remote networks-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-- To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.-- Review the valid configurations for setting up remote networks here - [Global Secure Access remote network configurations](reference-remote-network-configurations.md)-
-### Known limitations
--- At this time, the number of remote networks per tenant is limited to 10, and the number of device links per remote network is limited to four.-- Customer premises equipment (CPE) devices must support the following protocols:
- - Internet Protocol Security (IPSec)
- - Internet Key Exchange Version 2 (IKEv2)
- - Border Gateway Protocol (BGP)
-- Remote network connectivity solution uses *RouteBased* and *Responder* modes.-- Microsoft 365 traffic can be accessed through remote network connectivity without the Global Secure Access Client; however the Conditional Access policy isn't enforced. In other words, Conditional Access policies for the Global Secure Access Microsoft 365 traffic are only enforced when a user has the Global Secure Access Client.-
-## Onboard your tenant for remote networks
-
-Before you can set up remote networks, you need to onboard your tenant information with Microsoft. This one-time process enables your tenant to use remote network connectivity.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote network**.
-1. Select the link to the **Onboarding form** in the message at the top of the page.
-
- ![Screenshot of the onboarding form link.](media/how-to-create-remote-networks/create-remote-network-onboarding-form-link.png)
-
-1. In the window that opens, review the Tenant ID and remote network region details.
-1. Select the **Next** button.
-
- ![Screenshot of the first tab of the onboarding form.](media/how-to-create-remote-networks/onboard-tenant-info.png)
-
-1. Select the email address link. It sends a predrafted email in your default mail client on your device. Send that email to the Global Secure Access team. Once your tenant is processed - which may take up to seven business days - we'll send IPsec tunnel and BDG connectivity details to the email you used.
-
- ![Screenshot of the send email steps for the onboard tenant process.](media/how-to-create-remote-networks/onboard-tenant-send-email.png)
-
-1. Once the email step is complete, return to this form, select the acknowledgment checkbox, and select the **Submit** button.
-
-You MUST complete the email step before selecting the checkbox.
-
-## Create a remote network
-
-You can create a remote network in the Microsoft Entra admin center or through the Microsoft Graph API.
-
-# [Microsoft Entra admin center](#tab/microsoft-entra-admin-center)
-
-Remote networks are configured on three tabs. You must complete each tab in order. After completing the tab either select the next tab from the top of the page, or select the **Next** button at the bottom of the page.
-
-### Basics
-The first step is to provide the name and location of your remote network. Completing this tab is required.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote network**.
-1. Select the **Create remote network** button and provide the following details:
- - **Name**
- - **Region**
-1. Select the **Next** button.
-
- ![Screenshot of the basics tab of the create device link process.](media/how-to-create-remote-networks/create-basics-tab.png)
-
-### Connectivity
-
-The connectivity tab is where you add the device links for the remote network. You need to provide the device type, IP address, border gateway protocol (BGP) address, and autonomous system number (ASN) for each device link. You can also add device links after creating the remote network.
-
-This process is covered in detail in the [How to manage remote network device links](how-to-manage-remote-network-device-links.md).
-
-![Screenshot of the general tab of the create device link process.](media/how-to-create-remote-networks/device-link-general-tab.png)
-
-### Traffic forwarding profiles
-
-You can assign the remote network to a traffic forwarding profile when you create the remote network. You can also assign the remote network at a later time. For more information, see [Traffic forwarding profiles](concept-traffic-forwarding.md).
-
-1. Either select the **Next** button or select the **Traffic profiles** tab.
-1. Select the appropriate traffic forwarding profile.
-1. Select the **Review + Create** button.
-
-### Review and create
-
-The final tab in the process is to review all of the settings that you provided. Review the details provided here and select the **Create remote network** button.
-
-# [Microsoft Graph API](#tab/microsoft-graph-api)
-
-Global Secure Access remote networks can be viewed and managed using Microsoft Graph on the `/beta` endpoint. Creating a remote network and assigning a traffic forwarding profile are separate API calls.
-
-1. Sign in to [Graph Explorer](https://aka.ms/ge).
-1. Select POST as the HTTP method.
-1. Select BETA as the API version.
-1. Add the following query to use Create Branches API
- ```
- POST https://graph.microsoft.com/beta/networkaccess/connectivity/branches
- {
- "name": "ContosoBranch",
- "region": "East US",
- "deviceLinks": [
- {
- "name": "CPE Link 1",
- "ipAddress": "20.125.118.219",
- "deviceVendor": "Other",
- "bgpConfiguration": {
- "localIpAddress": "172.16.11.5",
- "peerIpAddress": "10.16.11.5",
- "asn": 8888
- },
- "redundancyConfiguration": {
- "redundancyTier": "noRedundancy",
- "zoneLocalIpAddress": "1.2.1.1"
- },
- "bandwidthCapacityInMbps": "mbps250"
- "tunnelConfiguration": {
- "@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default",
- "preSharedKey": "Detective5OutgrowDiligence"
- }
- }]
- }
- ```
-
-1. Select **Run query** to create a remote network.
-
-### Assign a traffic forwarding profile
-
-Associating a traffic forwarding profile to your remote network using the Microsoft Graph API is two step process. First, locate the ID of the traffic profile. The ID is different for all tenants. Second, associate the traffic forwarding profile with your desired remote network.
-
-1. Sign in to [Graph Explorer](https://aka.ms/ge).
-1. SelectΓÇ»**PATCH** as the HTTP method from the dropdown.
-1. Select the API version toΓÇ»**beta**.
-1. Enter the query:
- ```
- GET https://graph.microsoft.com/beta/networkaccess/forwardingprofiles
- ```
-1. SelectΓÇ»**Run query**.
-1. Find the ID of the desired traffic forwarding profile.
-1. Select PATCH as the HTTP method from the dropdown.
-1. Enter the query:
- ```
- PATCH https://graph.microsoft.com/beta/networkaccess/connectivity/branches/d2b05c5-1e2e-4f1d-ba5a-1a678382ef16/forwardingProfiles
- {
- "@odata.context": "#$delta",
- "value":
- [{
- "ID": "1adaf535-1e31-4e14-983f-2270408162bf"
- }]
- }
- ```
-
-1. Select **Run query** to update the remote network.
--
-## Verify your remote network configurations
-
-There are a few things to consider and verify when creating remote networks. You may need to double-check some settings.
--- **Verify IKE crypto profile**: The crypto profile (IKE phase 1 and phase 2 algorithms) set for a device link should match what has been set on the CPE. If you chose the **default IKE policy**, ensure that your CPE is set up with the crypto profile specified in the [Remote network configurations](reference-remote-network-configurations.md) reference article.--- **Verify pre-shared key**: Compare the pre-shared key (PSK) you specified when creating the device link in Microsoft Global Secure Access with the PSK you specified on your CPE. This detail is added on the **Security** tab during the **Add a link** process. For more information, see [How to manage remote network device links.](how-to-manage-remote-network-device-links.md#add-a-device-link-using-the-microsoft-entra-admin-center).--- **Verify local and peer BGP IP addresses**: The public IP addresses and BGP addresses specified while creating a device link in Microsoft Global Secure Access should match what you specified when configuring the CPE.
- - The local and peer BGP addresses are reversed between the CPE and what is entered in Global Secure Access.
- - **CPE**: Local BGP IP address = IP1, Peer BGP IP address = IP2
- - **Global Secure Access**: Local BGP IP address = IP2, Peer BGP IP address = IP1
- - Choose an IP address for Global Secure Access that doesn't overlap with your on-premises network.
- - The same rule applies to ASNs.
--- **Verify ASN**: Global Secure Access uses BGP to advertise routes between two autonomous systems: your network and Microsoft's. These autonomous systems should have different ASNs.
- - When creating a remote network in the Microsoft Entra admin center, use your network's ASN.
- - When configuring your CPE, use Microsoft's ASN. Go to **Global Secure Access** > **Devices** > **Remote Networks**. Select **Links** and confirm the value in the **Link ASN** column.
--- **Verify your public IP address**: In a test environment or lab setup, the public IP address of your CPE may change unexpectedly. This change can cause the IKE negotiation to fail even though everything remains the same.
- - If you encounter this scenario, complete the following steps:
- - Update the public IP address in the crypto profile of your CPE.
- - Go to the **Global Secure Access** > **Devices** > **Remote Networks**.
- - Select the appropriate remote network, delete the old tunnel, and recreate a new tunnel with the updated public IP address.
--- **Port forwarding**: In some situations, the ISP router can also be a network address translation (NAT) device. A NAT converts the private IP addresses of home devices to a public internet-routable device.
- - Generally, a NAT device changes both the IP address and the port. This port changing is the root of the problem.
- - For IPsec tunnels to work, Global Secure Access uses port 500. This port is where IKE negotiation happens.
- - If the ISP router changes this port to something else, Global Secure Access can't identify this traffic and negotiation fails.
- - As a result, phase 1 of IKE negotiation fails and the tunnel isn't established.
- - To remediate this failure, complete the port forwarding on your device, which tells the ISP router to not change the port and forward it as-is.
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Internet Access is to [target the Microsoft 365 traffic profile with Conditional Access policy](how-to-target-resource-microsoft-365-profile.md).
-
-For more information about remote networks, see the following articles:
-- [List remote networks](how-to-list-remote-networks.md)-- [Manage remote networks](how-to-manage-remote-networks.md)-- [Learn how to add remote network device links](how-to-manage-remote-network-device-links.md)
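Review bot: The Create Branches request body in the Microsoft Graph API tab is not valid JSON, because `"bandwidthCapacityInMbps": "mbps250"` has no comma before `"tunnelConfiguration"`. If this article is being relocated rather than retired, fix that in the destination copy and replace the literal `"preSharedKey": "Detective5OutgrowDiligence"` with an obvious placeholder, since samples get pasted as-is and a published PSK should never end up configured on a CPE. In the same tab, the second step of "Assign a traffic forwarding profile" says to select PATCH but the query that follows is `GET .../forwardingprofiles`, and the branch ID in the PATCH URL (`d2b05c5-1e2e-4f1d-ba5a-1a678382ef16`) has a seven-character first group, so it is not a well-formed GUID. The onboarding step also says "BDG connectivity details" where the rest of the article uses BGP.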
global-secure-access How To Get Started With Global Secure Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-get-started-with-global-secure-access.md
- Title: Get started with Global Secure Access (preview)
-description: Configure the main components of Microsoft Entra Internet Access and Microsoft Entra Private Access, which make up Global Secure Access, Microsoft's Security Service Edge solution.
---- Previously updated : 07/27/2023---
-# Get started with Global Secure Access
-
-Global Secure Access (preview) is the centralized location in the Microsoft Entra admin center where you can configure and manage Microsoft Entra Private Access and Microsoft Entra Internet Access. Many features and settings apply to both services, but some are specific to one or the other.
-
-This guide helps you get started configuring both services for the first time.
-
-## Prerequisites
-
-Administrators who interact with **Global Secure Access preview** features must have the [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference). Some features may also require other roles.
-
-To follow the [Zero Trust principle of least privilege](/security/zero-trust/), consider using [Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/pim-configure) to activate just-in-time privileged role assignments.
-
-The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense). To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended. After general availability, Microsoft Entra Private Access and Microsoft Entra Internet Access may require different licenses.
-
-There may be limitations with some features of the Global Secure Access preview, which are defined in the associated articles.
-
-## Access the Microsoft Entra admin center
-
-Global Secure Access (preview) is the area in the Microsoft Entra admin center where you configure and manage Microsoft Entra Internet Access and Microsoft Entra Private Access.
--- Go to [**https://entra.microsoft.com**](https://entra.microsoft.com/).-
-If you encounter access issues, refer to this [FAQ regarding tenant restrictions](resource-faq.yml).
-
-## Microsoft Entra Internet Access
-
-Microsoft Entra Internet Access isolates the traffic for Microsoft 365 applications and resources, such as Exchange Online and SharePoint Online. Users can access these resources by connecting to the Global Secure Access Client or through a remote network, such as in a branch office location.
-
-### Install the client to access Microsoft 365 traffic
-
-![Diagram of the basic Microsoft Entra Internet Access traffic flow.](media/how-to-get-started-with-global-secure-access/internet-access-basic-option.png)
-
-1. [Enable the Microsoft 365 traffic forwarding profile](how-to-manage-microsoft-365-profile.md).
-1. [Install and configure the Global Secure Access Client on end-user devices](how-to-install-windows-client.md).
-1. [Enable universal tenant restrictions](how-to-universal-tenant-restrictions.md).
-1. [Enable enhanced Global Secure Access signaling and Conditional Access](how-to-compliant-network.md).
-
-After you complete these four steps, users with the Global Secure Access client installed on their Windows device can securely access Microsoft 365 resources from anywhere. Conditional Access policy requires users to use the Global Secure Access client or a configured remote network, when they access Exchange Online and SharePoint Online.
-
-### Create a remote network, apply Conditional Access, and review the logs
-
-![Diagram of the Microsoft Entra Internet Access traffic flow with remote networks and Conditional Access.](media/how-to-get-started-with-global-secure-access/internet-access-remote-networks-option.png)
-
-1. [Create a remote network](how-to-manage-remote-networks.md).
-1. [Target the Microsoft 365 traffic profile with Conditional Access policy](how-to-target-resource-microsoft-365-profile.md).
-1. [Review the Global Secure Access logs](concept-global-secure-access-logs-monitoring.md).
-
-After you complete these optional steps, users can connect to Microsoft 365 services without the Global Secure Access client if they're connecting through the remote network you created *and* if they meet the conditions you added to the Conditional Access policy.
-
-## Microsoft Entra Private Access
-
-Microsoft Entra Private Access provides a secure, zero-trust access solution for accessing internal resources without requiring a VPN. Configure Quick Access and enable the Private access traffic forwarding profile to specify the sites and apps you want routed through Microsoft Entra Private Access. At this time, the Global Secure Access Client must be installed on end-user devices to use Microsoft Entra Private Access, so that step is included in this section.
-
-### Configure Quick Access to your primary private resources
-
-Set up Quick Access for broader access to your network using Microsoft Entra Private Access.
-
-![Diagram of the Quick Access traffic flow for private resources.](media/how-to-get-started-with-global-secure-access/private-access-diagram-quick-access.png)
-
-1. [Configure an App Proxy connector and connector group](how-to-configure-connectors.md).
-1. [Configure Quick Access to your private resources](how-to-configure-quick-access.md).
-1. [Enable the Private Access traffic forwarding profile](how-to-manage-private-access-profile.md).
-1. [Install and configure the Global Secure Access Client on end-user devices](how-to-install-windows-client.md).
-
-After you complete these four steps, users with the Global Secure Access client installed on a Windows device can connect to your primary resources, through a Quick Access app and App Proxy connector.
-
-### Configure Global Secure Access apps for per-app access to private resources
-
-Create specific private apps for granular segmented access to private access resources using Microsoft Entra Private Access.
-
-![Diagram of the Global Secure Access app traffic flow for private resources.](media/how-to-get-started-with-global-secure-access/private-access-diagram-global-secure-access.png)
-
-1. [Configure an App Proxy connector and connector group](how-to-configure-connectors.md).
-1. [Create a private Global Secure Access application](how-to-configure-per-app-access.md).
-1. [Enable the Private Access traffic forwarding profile](how-to-manage-private-access-profile.md).
-1. [Install and configure the Global Secure Access Client on end-user devices](how-to-install-windows-client.md).
-
-After you complete these steps, users with the Global Secure Access client installed on a Windows device can connect to your private resources through a Global Secure Access app and App Proxy connector.
-
-Optionally:
--- [Secure Quick Access applications with Conditional Access policies](how-to-target-resource-private-access-apps.md).-- [Review the Global Secure Access logs](concept-global-secure-access-logs-monitoring.md).--
-## Next steps
-
-To get started with Microsoft Entra Internet Access, start by [enabling the Microsoft 365 traffic forwarding profile](how-to-manage-microsoft-365-profile.md).
-
-To get started with Microsoft Entra Private Access, start by [configuring an App Proxy connector group for the Quick Access app](how-to-configure-connectors.md).
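Review bot: In "Create a remote network, apply Conditional Access, and review the logs", step 1 is labelled "Create a remote network" but links to `how-to-manage-remote-networks.md`, which the remote network article's own Next steps list presents as the separate "Manage remote networks" page; point the step at the create article, or rename the link text, in whatever replaces this page. The Prerequisites link for the Global Secure Access Administrator role also goes to `/azure/active-directory/roles/permissions-reference` without the `#global-secure-access-administrator` anchor that the sign-in steps in the sibling articles use, so readers land at the top of the reference instead of on the role.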
global-secure-access How To Install Windows Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-install-windows-client.md
- Title: The Global Secure Access Client for Windows (preview)
-description: Install the Global Secure Access Client for Windows to enable connectivity to Microsoft's Security Edge Solutions, Microsoft Entra Internet Access and Microsoft Entra Private Access.
-- Previously updated : 08/04/2023-----
-# The Global Secure Access Client for Windows (preview)
-
-The Global Secure Access Client allows organizations control over network traffic at the end-user computing device, giving organizations the ability to route specific traffic profiles through Microsoft Entra Internet Access and Microsoft Entra Private Access. Routing traffic in this method allows for more controls like continuous access evaluation (CAE), device compliance, or multifactor authentication to be required for resource access.
-
-The Global Secure Access Client acquires traffic using a lightweight filter (LWF) driver, while many other security service edge (SSE) solutions integrate as a virtual private network (VPN) connection. This distinction allows the Global Secure Access Client to coexist with these other solutions. The Global Secure Access Client acquires the traffic based on the traffic forwarding profiles you configure prior to other solutions.
-
-## Prerequisites
--- The Global Secure Access Client is supported on 64-bit versions of Windows 11 or Windows 10.-- Devices must be either Microsoft Entra joined or Microsoft Entra hybrid joined.
- - Microsoft Entra registered devices aren't supported.
-- Local administrator credentials are required for installation.-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-### Known limitations
--- Multiple user sessions on the same device, like those from a Remote Desktop Server (RDP), aren't supported.-- Connecting to networks that use a captive portal, like some guest wireless network solutions, might fail. As a workaround you can [pause the Global Secure Access Client](#troubleshooting).-- Virtual machines where both the host and guest Operating Systems have the Global Secure Access Client installed aren't supported. Individual virtual machines with the client installed are supported.-- If the Global Secure Access Client isn't able to connect to the service (for example due to an authorization or Conditional Access failure), the service *bypasses* the traffic. Traffic is sent direct-and-local instead of being blocked. In this scenario, you can create a Conditional Access policy for the [compliant network check](how-to-compliant-network.md), to block traffic if the client isn't able to connect to the service.--
-There are several other limitations based on the traffic forwarding profile in use:
-
-| Traffic forwarding profile | Limitation |
-| | |
-| [Microsoft 365](how-to-manage-microsoft-365-profile.md) | Tunneling [IPv6 traffic isn't currently supported](#disable-ipv6-and-secure-dns). |
-| [Microsoft 365](how-to-manage-microsoft-365-profile.md) and [Private access](how-to-manage-private-access-profile.md) | To tunnel network traffic based on rules of FQDNs (in the forwarding profile), [DNS over HTTPS (Secure DNS) needs to be disabled](#disable-ipv6-and-secure-dns). |
-| [Microsoft 365](how-to-manage-microsoft-365-profile.md) | The Global Secure Access Client currently only supports TCP traffic. Exchange Online uses the QUIC protocol for some traffic over UDP port 443 force this traffic to use HTTPS (443 TCP) by [blocking the QUIC traffic with a local firewall rule](#block-quic-when-tunneling-exchange-online-traffic). Non-HTTP protocols, such as POP3, IMAP, SMTP, aren't acquired from the Client and are sent direct-and-local. |
-| [Microsoft 365](how-to-manage-microsoft-365-profile.md) and [Private access](how-to-manage-private-access-profile.md) | If the end-user device is configured to use a proxy server, locations that you wish to tunnel using the Global Secure Access Client must be excluded from that configuration. For examples, see [Proxy configuration example](#proxy-configuration-example). |
-| [Private access](how-to-manage-private-access-profile.md) | Single label domains, like `https://contosohome` for private apps aren't supported, instead use a fully qualified domain name (FQDN), like `https://contosohome.contoso.com`. Administrators can also choose to append DNS suffixes via Windows. |
-
-## Download the client
-
-The most current version of the Global Secure Access Client can be downloaded from the Microsoft Entra admin center.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (Preview)** > **Devices** > **Clients**.
-1. Select **Download**.
-
- ![Screenshot of the download Windows client button.](media/how-to-install-windows-client/client-download-screen.png)
-
-## Install the client
-
-Organizations can install the client interactively, silently with the `/quiet` switch, or use mobile device management platforms like [Microsoft Intune to deploy it](/mem/intune/apps/apps-win32-app-management) to their devices.
-
-1. Copy the Global Secure Access Client setup file to your client machine.
-1. Run the setup file, like *GlobalSecureAccessInstaller 1.5.527*. Accept the software license terms.
-1. After the client is installed, users are prompted to sign in with their Microsoft Entra credentials.
-
- :::image type="content" source="media/how-to-install-windows-client/client-install-first-sign-in.png" alt-text="Screenshot showing the sign-in box appears after client installation completes." lightbox="media/how-to-install-windows-client/client-install-first-sign-in.png":::
-
-1. After users sign in, the connection icon turns green, and double-clicking on it opens a notification with client information showing a connected state.
-
- :::image type="content" source="media/how-to-install-windows-client/client-install-connected.png" alt-text="Screenshot showing the client is connected.":::
-
-## Troubleshooting
-
-To troubleshoot the Global Secure Access Client, right-click the client icon in the taskbar.
---- **Switch user**
- - Forces sign-in screen to change user or reauthenticate the existing user.
-- **Pause**
- - This option can be used to temporarily disable traffic tunneling. As this client is part of your organization's security posture we recommend leaving it running always.
- - This option stops the Windows services related to client. When these services are stopped, traffic is no longer tunneled from the client machine to the cloud service. Network traffic behaves as if the client isn't installed while the client is paused. If the client machine is restarted, the services automatically restart with it.
-- **Resume**
- - This option starts the underlying services related to the Global Secure Access Client. This option would be used to resume after temporarily pausing the client for troubleshooting. Traffic resumes tunneling from the client to the cloud service.
-- **Restart**
- - This option stops and starts the Windows services related to client.
-- **Collect logs**
- - Collect logs for support and further troubleshooting. These logs are collected and stored in `C:\Program Files\Global Secure Access Client\Logs` by default.
- - These logs include information about the client machine, the related event logs for the services, and registry values including the traffic forwarding profiles applied.
-- **Client Checker**
- - Runs a script to test client components ensuring the client is configured and working as expected.
-- **Connection Diagnostics** provides a live display of client status and connections tunneled by the client to the Global Secure Access service. 
- - **Summary** tab shows general information about the client configuration including: policy version in use, last policy update date and time, and the ID of the tenant the client is configured to work with.
- - Hostname acquisition state changes to green when new traffic acquired by FQDN is tunneled successfully based on a match of the destination FQDN in a traffic forwarding profile.
- - **Flows** show a live list of connections initiated by the end-user device and tunneled by the client to the Global Secure Access edge. Each connection is new row.
- - **Timestamp** is the time when the connection was first established.
- - **Fully Qualified Domain Name (FQDN)** of the destination of the connection. If the decision to tunnel the connection was made based on an IP rule in the forwarding policy not by an FQDN rule, the FQDN column shows N/A.
- - **Source** port of the end-user device for this connection.
- - **Destination IP** is the destination of the connection.
- - **Protocol** only TCP is supported currently.
- - **Process** name that initiated the connection.
- - **Flow** active provides a status of whether the connection is still open.
- - **Sent data** provides the number of bytes sent by the end-user device over the connection.
- - **Received data** provides the number of bytes received by the end-user device over the connection.
- - **Correlation ID** is provided to each connection tunneled by the client. This ID allows tracing of the connection in the client logs (event viewer and ETL file) and the [Global Secure Access traffic logs](how-to-view-traffic-logs.md).
- - **Flow ID** is the internal ID of the connection used by the client shown in the ETL file.
- - **Channel name** identifies the traffic forwarding profile to which the connection is tunneled. This decision is taken according to the rules in the forwarding profile.
- - **HostNameAcquisition** provides a list of hostnames that the client acquired based on the FQDN rules in the forwarding profile. Each hostname is shown in a new row. Future acquisition of the same hostname creates another row if DNS resolves the hostname (FQDN) to a different IP address.
- - **Timestamp** is the time when the connection was first established.
- - **FQDN** that is resolved.
- - **Generated IP address** is an IP address generated by the client for internal purposes. This IP is shown in flows tab for connections that are established to the relative FQDN.
- - **Original IP address** is the first IPv4 address in the DNS response when querying the FQDN. If the DNS server that the end-user device points to doesnΓÇÖt return an IPv4 address for the query, the original IP address shows `0.0.0.0`.
- - **Services** shows the status of the Windows services related to the Global Secure Access Client. Services that are started have a green status icon, services that are stopped show a red status icon. All three Windows services must be started for the client to function.
- - **Channels** list the traffic forwarding profiles assigned to the client and the state of the connection to the Global Secure Access edge.
-
-### Event logs
-
-Event logs related to the Global Secure Access Client can be found in the Event Viewer under `Applications and Services/Microsoft/Windows/Global Secure Access Client/Operational`. These events provide useful detail regarding the state, policies, and connections made by the client.
-
-### Disable IPv6 and secure DNS
-
-If you need assistance disabling IPv6 or secure DNS on Windows devices you're trying the preview with, the following script provides assistance.
-
-```powershell
-function CreateIfNotExists
-{
- param($Path)
- if (-NOT (Test-Path $Path))
- {
- New-Item -Path $Path -Force | Out-Null
- }
-}
-
-$disableBuiltInDNS = 0x00
-
-# Prefer IPv4 over IPv6 with 0x20, disable IPv6 with 0xff, revert to default with 0x00.
-# This change takes effect after reboot.
-$setIpv6Value = 0x20
-Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisabledComponents" -Type DWord -Value $setIpv6Value
-
-# This section disables browser based secure DNS lookup.
-# For the Microsoft Edge browser.
-CreateIfNotExists "HKLM:\SOFTWARE\Policies\Microsoft"
-CreateIfNotExists "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
-
-Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "DnsOverHttpsMode" -Value "off"
-
-Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "BuiltInDnsClientEnabled" -Type DWord -Value $disableBuiltInDNS
-
-# For the Google Chrome browser.
-
-CreateIfNotExists "HKLM:\SOFTWARE\Policies\Google"
-CreateIfNotExists "HKLM:\SOFTWARE\Policies\Google\Chrome"
-
-Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "DnsOverHttpsMode" -Value "off"
-
-Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "BuiltInDnsClientEnabled" -Type DWord -Value $disableBuiltInDNS
-```
-
-### Proxy configuration example
-
-Example proxy PAC file containing exclusions:ΓÇ»
-
-```
-function FindProxyForURL(url, host) {  // basic function; do not change
- if (isPlainHostName(host) ||   
- dnsDomainIs(host, ".contoso.com") || //tunneledΓÇ»
-      dnsDomainIs(host, ".fabrikam.com")) // tunneled 
-      return "DIRECT";                    // If true, sets "DIRECT" connection 
-      else                                   // for all other destinations
-      return "PROXY 10.1.0.10:8080";  // transfer the traffic to the proxy.
-}ΓÇ»
-```
-
-Organizations must then create a system variable named `grpc_proxy` with a value like `http://10.1.0.10:8080` that matches your proxy server's configuration on end-user machines to allow the Global Secure Access Client services to use the proxy by configuring the following.
-
-### Block QUIC when tunneling Exchange Online traffic
-
-Since UDP traffic isn't supported in the current preview, organizations that plan to tunnel their Exchange Online traffic should disable the QUIC protocol (443 UDP). Administrators can disable this protocol triggering clients to fall back to HTTPS (443 TCP) with the following Windows Firewall rule:
-
-```powershell
-New-NetFirewallRule -DisplayName "Block QUIC for Exchange Online" -Direction Outbound -Action Block -Protocol UDP -RemoteAddress 13.107.6.152/31,13.107.18.10/31,13.107.128.0/22,23.103.160.0/20,40.96.0.0/13,40.104.0.0/15,52.96.0.0/14,131.253.33.215/32,132.245.0.0/16,150.171.32.0/22,204.79.197.215/32,6.6.0.0/16 -RemotePort 443
-```
-
-This list of IPv4 addresses is based on the [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#exchange-online) and the IPv4 block used by the Global Secure Access Client.
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Internet Access is to [enable universal tenant restrictions](how-to-universal-tenant-restrictions.md).
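Review bot: under "Proxy configuration example", the sentence about the `grpc_proxy` system variable ends with "by configuring the following." and nothing follows it, so the step is incomplete. If this text is being moved rather than dropped, end the sentence at "to use the proxy" or add the missing instruction. In the Block QUIC rule, the -RemoteAddress list is a static copy of ranges that the closing paragraph says come from the Office 365 URLs and IP address ranges page plus the client's own block. The relocated text should say the rule has to be regenerated when that page changes. Otherwise QUIC to a newly added range keeps using UDP 443, and the section states UDP isn't supported in the current preview.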
global-secure-access How To List Remote Networks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-list-remote-networks.md
- Title: How to list remote networks for Global Secure Access (preview)
-description: Learn how to list remote networks for Global Secure Access (preview).
---- Previously updated : 06/01/2023----
-# How to list remote networks for Global Secure Access (preview)
-
-Reviewing your remote networks is an important part of managing your Global Secure Access (preview) deployment. As your organization grows, you may need to add new remote networks. You can use the Microsoft Entra admin center or the Microsoft Graph API.
-
-## Prerequisites
--- A **Global Secure Access Administrator** role in Microsoft Entra ID-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-## List all remote networks using the Microsoft Entra admin center
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote network**.
-
-All remote networks are listed. Select a remote network to view its details.
-
-## List all remote networks using the Microsoft Graph API
-
-1. Sign in to theΓÇ»[Graph Explorer](https://aka.ms/ge).
-1. Select `GET` as the HTTP method from the dropdown.
-1. Set the API version to beta.
-1. Enter the following query:
- ```
- GET https://graph.microsoft.com/beta/networkaccess/connectivity/branches
- ```
-1. Select the **Run query** button to list the remote networks.
--
-## Next steps
-- [Create remote networks](how-to-manage-remote-networks.md)
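Review bot: in "List all remote networks using the Microsoft Graph API", step 2 already selects GET from the dropdown, yet the query in step 4 repeats the verb ("GET https://graph.microsoft.com/beta/networkaccess/connectivity/branches"). Show only the URL there so the verb isn't pasted into the query field. The Prerequisites list covers the admin role and the license only. It should also name the Graph permission that must be consented to in Graph Explorer, and note that remote networks appear as "branches" in the API path.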
global-secure-access How To Manage Microsoft 365 Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-manage-microsoft-365-profile.md
- Title: How to enable and manage the Microsoft 365 profile
-description: Learn how to enable and manage the Microsoft 365 traffic forwarding profile for Global Secure Access (preview).
---- Previously updated : 07/03/2023---
-# How to enable and manage the Microsoft 365 traffic forwarding profile
-
-With the Microsoft 365 profile enabled, Microsoft Entra Internet Access acquires the traffic going to all Microsoft 365 services. The **Microsoft 365** profile manages the following policy groups:
--- Exchange Online-- SharePoint Online and OneDrive for Business-- Microsoft 365 Common and Office Online (only Microsoft Entra ID and Microsoft Graph)-
-## Prerequisites
-
-To enable the Microsoft 365 traffic forwarding profile for your tenant, you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-- To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.-
-### Known limitations
--- Teams is currently not supported as part of the Microsoft 365 Common endpoints. Only Microsoft Entra ID and Microsoft Graph are supported.-- For details on limitations for the Microsoft 365 traffic profile, see [Windows Client known limitations](how-to-install-windows-client.md#known-limitations)
-## Enable the Microsoft 365 traffic profile
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Traffic forwarding**.
-1. Select the checkbox for **Microsoft 365 access profile**.
-
-![Screenshot of the traffic forwarding page with the Private access profile enabled.](media/how-to-manage-microsoft-365-profile/microsoft-365-traffic-profile.png)
-
-## Microsoft 365 traffic policies
-
-To manage the details included in the Microsoft 365 traffic forwarding policy, select the **View** link for **Microsoft 365 traffic policies**.
--
-The policy groups are listed, with a checkbox to indicate if the policy group is enabled. Expand a policy group to view all of the IPs and FQDNs included in the group.
-
-![Screenshot of the Microsoft 365 profile details.](media/how-to-manage-microsoft-365-profile/microsoft-365-profile-details.png)
-
-The policy groups include the following details:
--- **Destination type**: FQDN or IP subnet-- **Destination**: The details of the FQDN or IP subnet-- **Ports**: TCP or UDP ports that are combined with the IP addresses to form the network endpoint-- **Protocol**: TCP (Transmission Control Protocol) or UDP (User Datagram Protocol)-- **Action**: Forward or Bypass-
-You can choose to bypass certain traffic. Users can still access the site; however, the service doesn't process the traffic. You can bypass traffic to a specific FQDN or IP address, an entire policy group within the profile, or the entire Microsoft 365 profile itself. If you only need to forward some of the Microsoft 365 resources within a policy group, enable the group then change the **Action** in the details accordingly.
-
-The following example shows setting the `*.sharepoint.com` FQDN to **Bypass** so the traffic won't be forwarded to the service.
-
-![Screenshot of the Action dropdown menu.](media/how-to-manage-microsoft-365-profile/microsoft-365-policies-forward-bypass.png)
-
-If the Global Secure Access client isn't able to connect to the service (for example due to an authorization or Conditional Access failure), the service *bypasses* the traffic. Traffic is sent direct-and-local instead of being blocked. In this scenario, you can create a Conditional Access policy for the [compliant network check](how-to-compliant-network.md), to block traffic if the client isn't able to connect to the service.
-
-## Linked Conditional Access policies
-
-[Conditional Access policies](/azure/active-directory/conditional-access/overview) are created and applied to the traffic forwarding profile in the Conditional Access area of Microsoft Entra ID. For example, you can create a policy that requires using compliant devices when accessing Microsoft 365 services.
-
-If you see "None" in the **Linked Conditional Access policies** section, there isn't a Conditional Access policy linked to the traffic forwarding profile. To create a Conditional Access policy, see [Universal Conditional Access through Global Secure Access.](how-to-target-resource-microsoft-365-profile.md).
-
-### Edit an existing Conditional Access policy
-
-If the traffic forwarding profile has a linked Conditional Access policy, you can view and edit that policy.
-
-1. Select the **View** link for **Linked Conditional Access policies**.
-
- ![Screenshot of traffic forwarding profiles with Conditional Access link highlighted.](media/how-to-manage-microsoft-365-profile/microsoft-365-conditional-access-policy-link.png)
-
-1. Select a policy from the list. The details of the policy open in Conditional Access.
-
- ![Screenshot of the applied Conditional Access policies.](media/how-to-manage-microsoft-365-profile/conditional-access-applied-policies.png)
-
-## Microsoft 365 remote network assignments
-
-Traffic profiles can be assigned to remote networks, so that the network traffic is forwarded to Global Secure Access without having to install the client on end user devices. As long as the device is behind the customer premises equipment (CPE), the client isn't required. You must create a remote network before you can add it to the profile. For more information, see [How to create remote networks](how-to-create-remote-networks.md).
-
-**To assign a remote network to the Microsoft 365 profile**:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
-1. Browse to **Global Secure Access (preview)** > **Traffic forwarding**.
-1. Select the **Add assignments** button for the profile.
- - If you're editing the remote network assignments, select the **Add/edit assignments** button.
-1. Select a remote network from the list and select **Add**.
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Internet Access is to [install and configure the Global Secure Access Client on end-user devices](how-to-install-windows-client.md)
-
-For more information about traffic forwarding, see the following article:
--- [Learn about traffic forwarding profiles](concept-traffic-forwarding.md)
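Review bot: the fail-open behavior in the last paragraph of "Microsoft 365 traffic policies" (when the client can't connect, "the service *bypasses* the traffic" and it is sent "direct-and-local instead of being blocked") is a security-relevant default that sits after a screenshot in a section about editing policies. It belongs under "Known limitations" or in a note callout, with the compliant network check link kept beside it, so administrators see it before enabling the profile. Separately, the alt text of the screenshot under "Enable the Microsoft 365 traffic profile" says "with the Private access profile enabled", and the link in "Linked Conditional Access policies" ends with a doubled period.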
global-secure-access How To Manage Private Access Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-manage-private-access-profile.md
- Title: How to manage the Private access profile
-description: Learn how to manage the Private access traffic forwarding profile for Microsoft Entra Private Access.
---- Previously updated : 07/18/2023-----
-# How to manage the Private access traffic forwarding profile
-
-The Private Access traffic forwarding profile routes traffic to your private network through the Global Secure Access Client. Enabling this traffic forwarding profile allows remote workers to connect to internal resources without a VPN. With the features of Microsoft Entra Private Access, you can control which private resources to tunnel through the service and apply Conditional Access policies to secure access to those services. Once your configurations are in place, you can view and manage all of those configurations from one place.
-
-## Prerequisites
-
-To enable the Microsoft 365 traffic forwarding profile for your tenant, you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-### Known limitations
--- At this time, Private Access traffic can only be acquired with the Global Secure Access Client. Private Access traffic can't be acquired from remote networks.-- Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local subnet. -- You must disable DNS over HTTPS (Secure DNS) to tunnel network traffic based on the rules of the fully qualified domain names (FQDNs) in the traffic forwarding profile. -
-## Enable the Private access traffic forwarding profile
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Connect** > **Traffic forwarding**.
-1. Select the checkbox for **Private Access profile**.
-
-![Screenshot of the traffic forwarding page with the Private access profile enabled.](media/how-to-manage-private-access-profile/private-access-traffic-profile.png)
-
-## Private Access policies
-
-To enable the Private Access traffic forwarding profile, we recommend you first configure Quick Access. Quick Access includes the IP addresses, IP ranges, and fully qualified domain names (FQDNs) for the private resources you want to include in the policy. For more information, see [Configure Quick Access](how-to-configure-quick-access.md).
-
-You can also configure per-app access to your private resources by creating a Private Access app. Similar to Quick Access, you create a new Enterprise app, which can then be assigned to the Private Access traffic forwarding profile. Quick Access contains the main group of private resources you always want to route through the service. Private Access apps can be enabled and disabled as needed without impacting the FQDNs and IP addresses included in Quick Access.
-
-To manage the details included in the Private access traffic forwarding policy, select the **View** link for **Private access policies**.
--
-Details of your Quick Access and enterprise apps for Private Access are displayed. Select the link for the application to view the details from the Enterprise applications area of Microsoft Entra ID.
-
-![Screenshot of the private access application details.](media/how-to-manage-private-access-profile/private-access-app-details.png)
-
-## Linked Conditional Access policies
-
-Conditional Access policies for Private Access are configured at the application level for each app. Conditional Access policies can be created and applied to the application from two places:
--- Go to **Global Secure Access (preview)** > **Applications** > **Enterprise applications**. Select an application and then select **Conditional Access** from the side menu.-- Go to **Protection** > **Conditional Access** > **Policies**. Select **+ Create new policy**.-
-For more information, see [Apply Conditional Access policies to Private Access apps](how-to-target-resource-private-access-apps.md).
-
-### Edit an existing Conditional Access policy
-
-1. Select the **View** link for **Linked Conditional Access policies**.
-1. Select a policy from the list. The details of the policy open in Conditional Access.
---
-## Next steps
-
-The next step for getting started with Microsoft Entra Internet Access is to [install and configure the Global Secure Access Client on end-user devices](how-to-install-windows-client.md).
-
-For more information about Private Access, see the following articles:
-- [Learn about traffic forwarding](concept-traffic-forwarding.md)-- [Configure Quick Access](how-to-configure-quick-access.md)
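Review bot: the Prerequisites lead-in reads "To enable the Microsoft 365 traffic forwarding profile for your tenant" although this article covers the Private access profile, and "Next steps" likewise says "getting started with Microsoft Entra Internet Access". Both look copied from the Microsoft 365 profile article and should name Private Access. The DNS over HTTPS item in "Known limitations" would be easier to act on with a link to the procedure for turning that setting off.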
global-secure-access How To Manage Remote Network Device Links https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-manage-remote-network-device-links.md
- Title: How to add device links to remote networks for Global Secure Access (preview)
-description: Learn how to add device links to remote networks for Global Secure Access (preview).
---- Previously updated : 06/29/2023----
-# Add and delete remote networks device links
-
-You can create device links when you create a new remote network or add them after the remote network is created.
-
-This article explains how to add and delete device links for remote networks for Global Secure Access.
-
-## Prerequisites
-
-To configure remote networks, you must have:
--- A **Global Secure Access Administrator** role in Microsoft Entra ID.-- Completed the [onboarding process](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks) for remote networks.-- Created a remote network.-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-
-## Add a device link using the Microsoft Entra admin center
-
-You can add a device link to a remote network at any time.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote network**.
-1. Select a remote network from the list.
-1. Select **Links** from the menu.
-1. Select the **+ Add a link** button.
-
-**General**
-
-1. Enter the following details:
- - **Link name**: Name of your CPE.
- - **Device type**: Choose one of the options from the dropdown list.
- - **IP address**: Public IP address of your device.
- - **Peer BGP address**: The border gateway protocol address of the CPE.
- - **Link ASN**: Provide the autonomous system number of the CPE. For more information, see the **Valid ASNs** section of the [Remote network configurations](reference-remote-network-configurations.md) article.
- - **Redundancy**: Select either *No redundancy* or *Zone redundancy* for your IPSec tunnel.
- - **Bandwidth capacity (Mbps)**: Choose the bandwidth for your IPSec tunnel.
-1. Select the **Next** button.
-
-![Screenshot of the general tab of the create device link process.](media/how-to-manage-remote-network-device-links/device-link-general-tab.png)
-
-**Details**
-
-1. **IKEv2** is selected by default. Currently only IKEv2 is supported.
-1. The IPSec/IKE policy is set to **Default** but you can change to **Custom**.
- - If you select **Custom**, you must use a combination of settings that are supported by Global Secure Access.
- - The valid configurations you can use are mapped out in the [Remote network valid configurations](reference-remote-network-configurations.md) reference article.
- - Whether you choose Default or Custom, the IPSec/IKE policy you specify must match the policy on your CPE.
- - View the [remote network valid configurations](reference-remote-network-configurations.md).
-
-1. Select the **Next** button.
-
-![Screenshot of the custom details for the device link.](media/how-to-manage-remote-network-device-links/device-link-details.png)
-
-**Security**
-
-1. Enter the Preshared key (PSK): `<Enter the secret key. The same secret key must be used on your CPE.>`
-1. Select **Add link**.
-
-## Add a device link using Microsoft Graph API
-
-1. Sign in to theΓÇ»[Graph Explorer](https://aka.ms/ge).
-1. Select `POST` as the HTTP method from the dropdown.
-1. Set the API version to beta.
-1. Enter the following query:
-
-```http
-POST https://graph.microsoft.com/beta/networkaccess/connectivity/branches/BRANCH_ID/deviceLinks
- {
- "name": "CPE2",
- "ipAddress": "100.1.1.56",
- "BandwidthCapacityInMbps": "Mbps250",
- "bgpConfiguration": {
- "LocalIpAddress": "10.1.1.28",
- "PeerIpAddress": "10.1.1.28",
- "asn": 5555
- },
- "tunnelConfiguration": {
- "@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default",
- "preSharedKey": "secret.ppk"
- },
- "redundancyConfiguration": {
- "redundancyTier": "zoneRedundancy",
- "zoneLocalIpAddress": "1.1.1.12"
- },
- "deviceVendor": "citrix"
- }
-
-```
-
-## Delete device links
-
-If your remote network has device links added, they appear in the **Links** column on the list of remote networks. Select the link from the column to navigate directly to the device link details page.
-
-To delete a device link, navigate to the device link details page and select the **Delete** icon. A confirmation dialog appears. Select **Delete** to confirm the deletion.
-
-![Screenshot of the delete icon for remote network device links.](media/how-to-manage-remote-network-device-links/delete-device-link.png)
-
-## Delete a device link using Microsoft Graph API
-
-1. Sign in to theΓÇ»[Graph Explorer](https://aka.ms/ge).
-1. Select `DELETE` as the HTTP method from the dropdown.
-1. Set the API version to beta.
-1. Enter the following query:
-
-```http
-DELETE https://graph.microsoft.com/beta/networkaccess/connectivity/branches/BRANCH_ID/deviceLinks/LINK_ID
-
-```
--
-## Next steps
-- [List remote networks](how-to-list-remote-networks.md)
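Review bot: in the POST body under "Add a device link using Microsoft Graph API", "LocalIpAddress" and "PeerIpAddress" are both "10.1.1.28", which looks like a copy error since the local and peer ends of a BGP session need different addresses, and "preSharedKey": "secret.ppk" reads like a file name rather than a key. Use two distinct sample addresses and an obvious placeholder for the key, in line with the placeholder already used in the Security step. Property casing is also mixed within the same object ("BandwidthCapacityInMbps", "LocalIpAddress" next to "name", "ipAddress", "asn"); confirm which form the API expects and make the sample consistent. The portal steps under "General" list a Peer BGP address but no local BGP address, while the API sample carries both.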
global-secure-access How To Manage Remote Networks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-manage-remote-networks.md
- Title: How to update and delete remote networks for Global Secure Access (preview)
-description: Learn how to update and delete remote networks for Global Secure Access (preview).
---- Previously updated : 06/01/2023---
-# Manage remote networks
-
-Remote networks connect your users in remote locations to Global Secure Access (preview). Adding, updating, and removing remote networks from your environment are likely common tasks for many organizations.
-
-This article explains how to manage your existing remote networks for Global Secure Access.
-
-## Prerequisites
--- A **Global Secure Access Administrator** role in Microsoft Entra ID-- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).-- To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.-
-### Known limitations
--- At this time, remote networks can only be assigned to the Microsoft 365 traffic forwarding profile.-
-## Update remote networks
-
-To update the details of your remote networks:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote networks**.
-1. Select the remote network you need to update.
- - **Basics**: Select the pencil icon to edit the name of the remote network.
- - **Links**: Select the trash can icon to delete a remote network device link.
- - **Traffic profiles**: Enable or disable the available traffic forwarding profile.
-
-### Update remote network details with the Microsoft Graph API
-
-To edit the details of a remote network:
-
-1. Sign in to [Graph Explorer](https://aka.ms/ge).
-1. SelectΓÇ»**PATCH** as the HTTP method from the dropdown.
-1. Select the API version toΓÇ»**beta**.
-1. Enter the query:
- ```
- PATCH https://graph.microsoft.com/beta/networkaccess/connectivity/branches/8d2b05c5-1e2e-4f1d-ba5a-1a678382ef16
- {
- "@odata.context": "#$delta",
- "name": "ContosoRemoteNetwork2"
- }
- ```
-1. Select **Run query** to update the remote network.
-
-## Delete a remote network
-
-1. Sign in to the Microsoft Entra admin center atΓÇ»[https://entra.microsoft.com](https://entra.microsoft.com).
-1. Browse to **Global Secure Access (preview)** > **Devices** > **Remote networks**.
-1. Select the remote network you need to delete.
-1. Select the **Delete** button.
-1. Select **Delete** from the confirmation message.
-
-![Screenshot of the delete remote network button.](media/how-to-manage-remote-networks/delete-remote-network.png)
-
-### Delete a remote network using the API
-
-1. Sign in to [Graph Explorer](https://aka.ms/ge).
-1. SelectΓÇ»**PATCH** as the HTTP method from the dropdown.
-1. Select the API version toΓÇ»**beta**.
-1. Enter the query:
- ```
- DELETE https://graph.microsoft.com/beta/networkaccess/connectivity/branches/97e2a6ea-c6c4-4bbe-83ca-add9b18b1c6b
- ```
-1. Select **Run query** to delete the remote network.
--
-## Next steps
--- [List remote networks](how-to-list-remote-networks.md)
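Review bot: in "Delete a remote network using the API", step 2 tells the reader to select **PATCH** while the query in step 4 is a DELETE; the step should say DELETE. Step 3 in both Graph procedures reads "Select the API version to beta" where the sibling articles say "Set the API version to beta". Both sample URLs embed literal branch GUIDs. A BRANCH_ID placeholder, as used in the device links article, keeps readers from running PATCH or DELETE against an ID that isn't theirs.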
global-secure-access How To Simulate Remote Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-simulate-remote-network.md
- Title: Extend remote network connectivity to Azure virtual networks
-description: Configure Azure resources to simulate remote network connectivity to Microsoft's Security Edge Solutions, Microsoft Entra Internet Access and Microsoft Entra Private Access.
-- Previously updated : 08/28/2023-----
-# Create a remote network using Azure virtual networks
-
-Organizations may want to extend the capabilities of Microsoft Entra Internet Access to entire networks not just individual devices they can [install the Global Secure Access Client](how-to-install-windows-client.md) on. This article shows how to extend these capabilities to an Azure virtual network hosted in the cloud. Similar principles may be applied to a customer's on-premises network equipment.
--
-## Prerequisites
-
-In order to complete the following steps, you must have these prerequisites in place.
--- An Azure subscription and permission to create resources in the [Azure portal](https://portal.azure.com).
- - A basic understanding of [site-to-site VPN connections](/azure/vpn-gateway/tutorial-site-to-site-portal).
-- A Microsoft Entra tenant with the [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator) role assigned.-- Completed the [remote network onboarding steps](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks).-
-## Infrastructure creation
-
-Building this functionality out in Azure provides organizations the ability to understand how Microsoft Entra Internet Access works in a more broad implementation. The resources we create in Azure correspond to on-premises concepts in the following ways:
--- The **[virtual network](#virtual-network)** corresponds to your on-premises IP address space.-- The **[virtual network gateway](#virtual-network-gateway)** corresponds to an on-premises virtual private network (VPN) router. This device is sometimes referred to as customer premises equipment (CPE).-- The **[local network gateway](#local-network-gateway)** corresponds to the Microsoft side of the connection where traffic would flow to from your on-premises VPN router. The information provided by Microsoft as part of the [remote network onboarding steps](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks) is used here.-- The **[connection](#create-site-to-site-vpn-connection)** links the two network gateways and contains the settings required to establish and maintain connectivity.-- The **[virtual machine](#virtual-machine)** corresponds to client devices on your on-premises network.-
-In this document, we use the following default values. Feel free to configure these settings according to your own requirements.
-
-**Subscription:** Visual Studio Enterprise
-**Resource group name:** Network_Simulation
-**Region:** East US
-
-### Resource group
-
-Create a resource group to contain all of the necessary resources.
-
-1. Sign in to the [Azure portal](https://portal.azure.com) with permission to create resources.
-1. Select **Create a resource**.
-1. Search for **Resource group** and choose **Create** > **Resource group**.
-1. Select your **Subscription**, **Region**, and provide a name for your **Resource group**.
-1. Select **Review + create**.
-1. Confirm your details, then select **Create**.
-
-> [!TIP]
-> If you're using this article for testing Microsoft Entra Internet Access, you may clean up all related Azure resources by deleting the resource group you create after you're done.
-
-### Virtual network
-
-Next we need to create a virtual network inside of our resource group, then add a gateway subnet that we'll use in a future step.
-
-1. From the Azure portal, select **Create a resource**.
-1. Select **Networking** > **Virtual Network**.
-1. Select the **Resource group** created previously.
-1. Provide your network with a **Name**.
-1. Leave the default values for the other fields.
-1. Select **Review + create**.
-1. Select **Create**.
-
-When the virtual network is created, select **Go to resource** or browse to it inside of the resource group and complete the following steps:
-
-1. Select **Subnets**.
-1. Select **+ Gateway subnet**.
-1. Leave the defaults and select **Save**.
-
-### Virtual network gateway
-
-Next we need to create a virtual network gateway inside of our resource group.
-
-1. From the Azure portal, select **Create a resource**.
-1. Select **Networking** > **Virtual network gateway**.
-1. Provide your virtual network gateway with a **Name**.
-1. Select the appropriate region.
-1. Select the **Virtual network** created in the previous section.
-1. Create a **Public IP address** and **SECOND PUBLIC IP ADDRESS** and provide them with descriptive names.
- 1. Set their **Availability zone** to **Zone-redundant**.
-1. Set **Configure BGP** to **Enabled**
- 1. Set the **Autonomous system number (ASN)** to an appropriate value.
- 1. Don't use any reserved ASN numbers or the ASN provided as part of [onboarding to Microsoft Entra Internet Access](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks). For more information, see the article [Global Secure Access remote network configurations](reference-remote-network-configurations.md#valid-autonomous-system-number-asn).
-1. Leave all other settings their defaults or blank.
-1. Select **Review + create**, confirm your settings.
-1. Select **Create**.
- 1. You can continue to the following sections while the gateway is created.
--
-### Local network gateway
-
-You need to create two local network gateways. One for your primary and one for the secondary endpoints.
-
-You use the BGP IP addresses, Public IP addresses, and ASN values provided by Microsoft when you [onboard to Microsoft Entra Internet Access](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks) in this section.
-
-1. From the Azure portal, select **Create a resource**.
-1. Select **Networking** > **Local network gateway**.
-1. Select the **Resource group** created previously.
-1. Select the appropriate region.
-1. Provide your local network gateway with a **Name**.
-1. For **Endpoint**, select **IP address**, then provide the IP address provided in the Microsoft Entra admin center.
-1. Select **Next: Advanced**.
-1. Set **Configure BGP** to **Yes**
- 1. Set the **Autonomous system number (ASN)** to the appropriate value provided in the Microsoft Entra admin center.
- 1. Set the **BGP peer IP address** to the appropriate value provided in the Microsoft Entra admin center.
-1. Select **Review + create**, confirm your settings.
-1. Select **Create**.
--
-### Virtual machine
-
-1. From the Azure portal, select **Create a resource**.
-1. Select **Virtual machine**.
-1. Select the **Resource group** created previously.
-1. Provide a **Virtual machine name**.
-1. Select the Image you want to use, for this example we choose **Windows 11 Pro, version 22H2 - x64 Gen2**
-1. Select **Run with Azure Spot discount** for this test.
-1. Provide a **Username** and **Password** for your VM
-1. Move to the **Networking** tab.
- 1. Select the **Virtual network** created previously.
- 1. Keep the other networking defaults.
-1. Move to the **Management** tab
- 1. Check the box **Login with Microsoft Entra ID**
- 1. Keep the other management defaults.
-1. Select **Review + create**, confirm your settings.
-1. Select **Create**.
-
-You may choose to lock down remote access to the network security group to only a specific network or IP.
-
-### Create Site-to-site VPN connection
-
-You create two connections one for your primary and secondary gateways.
-
-1. From the Azure portal, select **Create a resource**.
-1. Select **Networking** > **Connection**.
-1. Select the **Resource group** created previously.
-1. Under **Connection type**, select **Site-to-site (IPsec)**.
-1. Provide a **Name** for the connection, and select the appropriate **Region**.
-1. Move to the **Settings** tab.
- 1. Select your **Virtual network gateway** and **Local network gateway** created previously.
- 1. Create a **Shared key (PSK)** that you'll use in a future step.
- 1. Check the box for **Enable BGP**.
- 1. Keep the other default settings.
-1. Select **Review + create**, confirm your settings.
-1. Select **Create**.
--
-## Enable remote connectivity in Microsoft Entra
-
-### Create a remote network
-
-You need the public IP addresses of your virtual network gateway. These IP addresses can be found by browsing to the Configuration page of your virtual and local network gateways. You complete the **Add a link** sections twice to create a link for your primary and secondary connections.
--
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access Preview** > **Remote network** > **Create remote network**.
-1. Provide a **Name** for your network, select an appropriate **Region**, then select **Next: Connectivity**.
-1. On the **Connectivity** tab, select **Add a link**.
- 1. On the **General** tab:
- 1. Provide a **Link name** and set **Device type** to **Other**.
- 1. Set the **IP address** to the primary IP address of your virtual network gateway.
- 1. Set the **Local BGP address** to the primary private BGP IP address of your local network gateway.
- 1. Set the **Peer BGP address** to the BGP IP address of your virtual network gateway.
- 1. Set the **Link ASN** to the ASN of your virtual network gateway.
- 1. Leave **Redundancy** set to **No redundancy**.
- 1. Set **Bandwidth capacity (Mbps)** to the appropriate setting.
- 1. Select Next to continue to the **Details** tab.
- 1. On the **Details** tab:
- 1. Leave the defaults selected unless you made a different selection previously.
- 1. Select Next to continue to the **Security** tab.
- 1. On the **Security** tab:
- 1. Enter the **Pre-shared key (PSK)** set in the [previous section when creating the site to site connection](#create-site-to-site-vpn-connection).
- 1. Select **Add link**.
- 1. Select **Next: Traffic profiles**.
-1. On the **Traffic profiles** tab:
- 1. Check the box for the **Microsoft 365 traffic profile**.
- 1. Select **Next: Review + create**.
-1. Confirm your settings and select **Create remote network**.
-
-For more information about remote networks, see the article [How to create a remote network](how-to-create-remote-networks.md)
-
-## Verify connectivity
-
-After you create the remote networks in the previous steps, it may take a few minutes for the connection to be established. From the Azure portal, we can validate that the VPN tunnel is connected and that BGP peering is successful.
-
-1. In the Azure portal, browse to the **virtual network gateway** created earlier and select **Connections**.
-1. Each of the connections should show a **Status** of **Connected** once the configuration is applied and successful.
-1. Browsing to **BGP peers** under the **Monitoring** section allows you to confirm that BGP peering is successful. Look for the peer addresses provided by Microsoft. Once configuration is applied and successful, the **Status** should show **Connected**.
--
-You can also use the virtual machine you created to validate that traffic is flowing to Microsoft 365 locations like SharePoint Online. Browsing to resources in SharePoint or Exchange Online should result in traffic on your virtual network gateway. This traffic can be seen by browsing to [Metrics on the virtual network gateway](/azure/vpn-gateway/monitor-vpn-gateway#analyzing-metrics) or by [Configuring packet capture for VPN gateways](/azure/vpn-gateway/packet-capture).
-
-## Next steps
--- [Tutorial: Create a site-to-site VPN connection in the Azure portal](/azure/vpn-gateway/tutorial-site-to-site-portal)
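Review bot: The PSK is introduced only as "Create a **Shared key (PSK)** that you'll use in a future step", with no guidance on how to generate it, and the Security tab step later points back to it through the `#create-site-to-site-vpn-connection` anchor. If this procedure is being relocated rather than retired, keep that anchor resolvable and add a sentence saying the key should be long and randomly generated, since the same value is entered on the Azure connection and again on each remote network link. The opening sentence "You create two connections one for your primary and secondary gateways" also needs a comma or colon after "connections".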
global-secure-access How To Source Ip Restoration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-source-ip-restoration.md
- Title: Enable source IP restoration with the Global Secure Access preview
-description: Learn how to enable source IP restoration to ensure the source IP matches in downstream resources.
---- Previously updated : 07/27/2023------
-# Source IP restoration
-
-With a cloud based network proxy between users and their resources, the IP address that the resources see doesn't match the actual source IP address. In place of the end-usersΓÇÖ source IP, the resource endpoints see the cloud proxy as the source IP address. Customers with these cloud proxy solutions can't use this source IP information.
-
-Source IP restoration in Global Secure Access (preview) allows backward compatibility for Microsoft Entra customers to continue using original user Source IP. Administrators can benefit from the following capabilities:
--- Continue to enforce Source IP-based location policies across both [Conditional Access](/azure/active-directory/conditional-access/overview) and [continuous access evaluation](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)-- [Identity Protection risk detections](/azure/active-directory/identity-protection/concept-identity-protection-risks) get a consistent view of original user Source IP address for assessing various risk scores.-- Original user Source IP is also made available in [Microsoft Entra sign-in logs](/azure/active-directory/reports-monitoring/concept-all-sign-ins).-
-## Prerequisites
-
-* Administrators who interact with **Global Secure Access preview** features must have both of the following role assignments depending on the tasks they're performing.
- * A **Global Secure Access Administrator** role to manage the Global Secure Access preview features
- * [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies and named locations.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-
-### Known limitations
--- When source IP restoration is enabled, you can only see the source IP. The IP address of the Global Secure Access service isn't visible. If you want to see the Global Secure Access service IP address, disable source IP restoration.
-## Enable Global Secure Access signaling for Conditional Access
-
-To enable the required setting to allow source IP restoration, an administrator must take the following steps.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access** > **Global settings** > **Session management** > **Adaptive Access**.
-1. Select the toggle to **Enable Global Secure Access signaling in Conditional Access**.
-
-This functionality allows services like Microsoft Graph, Microsoft Entra ID, SharePoint Online, and Exchange Online to see the actual source IP address.
--
-> [!CAUTION]
-> If your organization has active Conditional Access policies based on IP location checks, and you disable Global Secure Access signaling in Conditional Access, you may unintentionally block targeted end-users from being able to access the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.
-
-## Sign-in log behavior
-
-To see source IP restoration in action, administrators can take the following steps.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Reader](/azure/active-directory/roles/permissions-reference#security-reader).
-1. Browse to **Identity** > **Users** > **All users** > select one of your test users > **Sign-in logs**.
-1. With source IP restoration enabled, you see IP addresses that include their actual IP address.
- - If source IP restoration is disabled, you can't see their actual IP address.
-
-Sign-in log data may take some time to appear, this delay is normal as there's some processing that must take place.
---
-## Next steps
--- [Set up tenant restrictions V2 (Preview)](/azure/active-directory/external-identities/tenant-restrictions-v2)-- [Enable compliant network check with Conditional Access](how-to-compliant-network.md)
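Review bot: The first prerequisite says administrators "must have both of the following role assignments depending on the tasks they're performing", which mixes a requirement for both roles with a per-task choice; the sibling articles in this change say "one or more". Suggest stating plainly which role is needed for the signaling toggle (the steps sign in as Global Secure Access Administrator) and which for Conditional Access policies and named locations. Separately, the heading "Enable Global Secure Access signaling for Conditional Access" is the target of the Next steps link in the universal tenant restrictions article (`how-to-source-ip-restoration.md#enable-global-secure-access-signaling-for-conditional-access`), so any redirect for this file needs to preserve that anchor.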
global-secure-access How To Target Resource Microsoft 365 Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-target-resource-microsoft-365-profile.md
- Title: How to apply Conditional Access policies to the Microsoft 365 traffic profile
-description: Learn how to apply Conditional Access policies to the Microsoft 365 traffic profile.
---- Previously updated : 07/07/2023------
-# Apply Conditional Access policies to the Microsoft 365 traffic profile
-
-With a devoted traffic forwarding profile for all your Microsoft 365 traffic, you can apply Conditional Access policies to all of your Microsoft 365 traffic. With Conditional Access, you can require multifactor authentication and device compliance for accessing Microsoft 365 resources.
-
-This article describes how to apply Conditional Access policies to your Microsoft 365 traffic forwarding profile.
-
-## Prerequisites
-
-* Administrators who interact with **Global Secure Access preview** features must have one or more of the following role assignments depending on the tasks they're performing.
- * [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference)
- * [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-* To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.
-
-## Create a Conditional Access policy targeting the Microsoft 365 traffic profile
-
-The following example policy targets all users except for your break-glass accounts and guest/external users, requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device when accessing Microsoft 365 traffic.
--
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator).
-1. Browse to **Identity** > **Protection** > **Conditional Access**.
-1. Select **Create new policy**.
-1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-1. Under **Assignments**, select **Users or workload identities**.
- 1. Under **Include**, select **All users**.
- 1. Under **Exclude**:
- 1. Select **Users and groups** and choose your organization's [emergency access or break-glass accounts](#user-exclusions).
- 1. Select **Guest or external users** and select all checkboxes.
-1. Under **Target resources** > **Network Access (Preview)***.
- 1. Choose **Microsoft 365 traffic**.
-1. Under **Access controls** > **Grant**.
- 1. Select **Require multifactor authentication**, **Require device to be marked as compliant**, and **Require Microsoft Entra hybrid joined device**
- 1. **For multiple controls** select **Require one of the selected controls**.
- 1. Select **Select**.
-
-After administrators confirm the policy settings using [report-only mode](/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
-
-### User exclusions
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Internet Access is to [review the Global Secure Access logs](concept-global-secure-access-logs-monitoring.md).
-
-For more information about traffic forwarding, see the following articles:
--- [Learn about traffic forwarding profiles](concept-traffic-forwarding.md)-- [Manage the Microsoft 365 traffic profile](how-to-manage-microsoft-365-profile.md)
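Review bot: The numbered procedure ends at "Select **Select**" and never sets **Enable policy**, yet the paragraph after it assumes the policy is already in report-only mode. The Private Access article has an explicit "Confirm your settings and set **Enable policy** to **Report-only**" step; the same step should close this procedure, because the policy includes **All users** and a reader following these steps literally has no instruction on which state to save it in. Two smaller points: the `### User exclusions` heading that the break-glass step links to (`#user-exclusions`) has no visible body here, and "**Network Access (Preview)***" carries a stray trailing asterisk.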
global-secure-access How To Target Resource Private Access Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-target-resource-private-access-apps.md
- Title: How to apply Conditional Access policies to Microsoft Entra Private Access apps
-description: How to apply Conditional Access policies to Microsoft Entra Private Access apps.
---- Previously updated : 07/07/2023------
-# Apply Conditional Access policies to Private Access apps
-
-Applying Conditional Access policies to your Microsoft Entra Private Access apps is a powerful way to enforce security policies for your internal, private resources. You can apply Conditional Access policies to your Quick Access and Private Access apps from Global Secure Access (preview).
-
-This article describes how to apply Conditional Access policies to your Quick Access and Private Access apps.
-
-## Prerequisites
-
-* Administrators who interact with **Global Secure Access preview** features must have one or more of the following role assignments depending on the tasks they're performing.
- * [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference)
- * [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies.
-* You need to have configured Quick Access or Private Access.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-
-### Known limitations
--- At this time, connecting through the Global Secure Access Client is required to acquire Private Access traffic.-
-## Conditional Access and Global Secure Access
-
-You can create a Conditional Access policy for your Quick Access or Private Access apps from Global Secure Access. Starting the process from Global Secure Access automatically adds the selected app as the **Target resource** for the policy. All you need to do is configure the policy settings.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator).
-1. Browse to **Global Secure Access (preview)** > **Applications** > **Enterprise applications.**
-1. Select an application from the list.
-
- ![Screenshot of the Enterprise applications details.](media/how-to-target-resource-private-access-apps/enterprise-apps.png)
-
-1. Select **Conditional Access** from the side menu. Any existing Conditional Access policies appear in a list.
-
- ![Screenshot of the Conditional Access menu option.](media/how-to-target-resource-private-access-apps/conditional-access-policies.png)
-
-1. Select **Create new policy**. The selected app appears in the **Target resources** details.
-
- ![Screenshot of the Conditional Access policy with the Quick Access app selected.](media/how-to-target-resource-private-access-apps/quick-access-target-resource.png)
-
-1. Configure the conditions, access controls, and assign users and groups as needed.
-
-You can also apply Conditional Access policies to a group of applications based on custom attributes. To learn more, go to [Filter for applications in Conditional Access policy (Preview)](/azure/active-directory/conditional-access/concept-filter-for-applications).
-
-### Assignments and Access controls example
-
-Adjust the following policy details to create a Conditional Access policy requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device for your Quick Access application. The user assignments ensure that your organization's emergency access or break-glass accounts are excluded from the policy.
-
-1. Under **Assignments**, select **Users**:
- 1. Under **Include**, select **All users**.
- 1. Under **Exclude**, select **Users and groups** and choose your organization's [emergency access or break-glass accounts](#user-exclusions).
-1. Under **Access controls** > **Grant**:
- 1. Select **Require multifactor authentication**, **Require device to be marked as compliant**, and **Require Microsoft Entra hybrid joined device**
-1. Confirm your settings and set **Enable policy** to **Report-only**.
-
-After administrators confirm the policy settings using [report-only mode](/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
-
-### User exclusions
--
-## Next steps
--- [Enable the Private Access traffic forwarding profile](how-to-manage-private-access-profile.md)-- [Enable source IP restoration](how-to-source-ip-restoration.md)
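Review bot: The introduction to the "Assignments and Access controls example" says the policy requires multifactor authentication, device compliance, or a hybrid joined device, but the Grant step only selects the three controls and never says how they combine. The Microsoft 365 traffic profile article includes the sub-step "**For multiple controls** select **Require one of the selected controls**"; add it here so the procedure matches the stated intent. The **Guest or external users** exclusion present in that article is also absent from this one, so confirm the difference is deliberate. As in the sibling article, the `### User exclusions` section that `#user-exclusions` links to has no visible body.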
global-secure-access How To Universal Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-universal-tenant-restrictions.md
- Title: Global Secure Access (preview) and universal tenant restrictions
-description: Learn about how Global Secure Access (preview) secures access to your corporate network by restricting access to external tenants.
---- Previously updated : 07/27/2023------
-# Universal tenant restrictions
-
-Universal tenant restrictions enhance the functionality of [tenant restriction v2](https://aka.ms/tenant-restrictions-enforcement) using Global Secure Access (preview) to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity. Administrators no longer have to manage proxy server configurations or complex network configurations.
-
-Universal Tenant Restrictions does this enforcement using Global Secure Access based policy signaling for both the authentication and data plane. Tenant restrictions v2 enables enterprises to prevent data exfiltration by users using external tenant identities for Microsoft Entra integrated applications like Microsoft Graph, SharePoint Online, and Exchange Online. These technologies work together to prevent data exfiltration universally across all devices and networks.
--
-The following table explains the steps taken at each point in the previous diagram.
-
-| Step | Description |
-| | |
-| **1** | Contoso configures a **tenant restrictions v2** policy in their cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy using Global Secure Access universal tenant restrictions. |
-| **2** | A user with a Contoso-managed device tries to access a Microsoft Entra integrated app with an unsanctioned external identity. |
-| **3** | When the traffic reaches Microsoft's Security Service Edge, an HTTP header is added to the request. The header contains Contoso's tenant ID and the tenant restrictions policy ID. |
-| **4** | *Authentication plane protection:* Microsoft Entra ID uses the header in the authentication request to look up the tenant restrictions policy. Contoso's policy blocks unsanctioned external accounts from accessing external tenants. |
-| **5** | *Data plane protection:* If the user again tries to access an external unsanctioned application by copying an authentication response token they obtained outside of Contoso's network and pasting it into the device, they're blocked. The resource provider checks that the claim in the token and the header in the packet match. Any mismatch in the token and header triggers reauthentication and blocks access. |
-
-Universal tenant restrictions help to prevent data exfiltration across browsers, devices, and networks in the following ways:
--- It injects the following attributes into the header of outbound HTTP traffic at the client level in both the authentication control and data path to Microsoft 365 endpoints:
- - Cloud ID of the device tenant
- - Tenant ID of the device tenant
- - Tenant restrictions v2 policy ID of the device tenant
-- It enables Microsoft Entra ID, Microsoft Accounts, and Microsoft 365 applications to interpret this special HTTP header enabling lookup and enforcement of the associated tenant restrictions v2 policy. This lookup enables consistent policy application. -- Works with all Microsoft Entra integrated third-party apps at the auth plane during sign in.-- Works with Exchange, SharePoint, and Microsoft Graph for data plane protection.-
-## Prerequisites
-
-* Administrators who interact with **Global Secure Access preview** features must have one or more of the following role assignments depending on the tasks they're performing.
- * The **Global Secure Access Administrator** role to manage the Global Secure Access preview features
- * [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies and named locations.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-
-### Known limitations
--- If you have enabled universal tenant restrictions and you are accessing the Microsoft Entra admin center for one of the allow listed tenants, you may see an "Access denied" error. Add the following feature flag to the Microsoft Entra admin center:
- - `?feature.msaljs=true&exp.msaljsexp=true`
- - For example, you work for Contoso and you have allow listed Fabrikam as a partner tenant. You may see the error message for the Fabrikam tenant's Microsoft Entra admin center.
- - If you received the "access denied" error message for this URL: `https://entra.microsoft.com/` then add the feature flag as follows: `https://entra.microsoft.com/?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home`
--
-Outlook uses the QUIC protocol for some communications. We don't currently support the QUIC protocol. Organizations can use a firewall policy to block QUIC and fallback to non-QUIC protocol. The following PowerShell command creates a firewall rule to block this protocol.
-
-```PowerShell
-@New-NetFirewallRule -DisplayName "Block QUIC for Exchange Online" -Direction Outbound -Action Block -Protocol UDP -RemoteAddress 13.107.6.152/31,13.107.18.10/31,13.107.128.0/22,23.103.160.0/20,40.96.0.0/13,40.104.0.0/15,52.96.0.0/14,131.253.33.215/32,132.245.0.0/16,150.171.32.0/22,204.79.197.215/32,6.6.0.0/16 -RemotePort 443
-```
-## Configure tenant restrictions v2 policy
-
-Before an organization can use universal tenant restrictions, they must configure both the default tenant restrictions and tenant restrictions for any specific partners.
-
-For more information to configure these policies, see the article [Set up tenant restrictions V2 (Preview)](/azure/active-directory/external-identities/tenant-restrictions-v2).
--
-## Enable tagging for tenant restrictions v2
-
-Once you have created the tenant restriction v2 policies, you can utilize Global Secure Access to apply tagging for tenant restrictions v2. An administrator with both the [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference) and [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) roles must take the following steps to enable enforcement with Global Secure Access.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
-1. Browse to **Global Secure Access** > **Global Settings** > **Session Management** > **Tenant Restrictions**.
-1. Select the toggle to **Enable tagging to enforce tenant restrictions on your network**.
-1. Select **Save**.
--
-## Try Universal tenant restrictions with SharePoint Online.
-
-This capability works the same for Exchange Online and Microsoft Graph in the following examples we explain how to see it in action in your own environment.
-
-### Try the authentication path:
-
-1. With universal tenant restrictions turned off in Global Secure Access global settings.
-1. Go to SharePoint Online, `https://yourcompanyname.sharepoint.com/`, with an external identity that isn't allow-listed in a tenant restrictions v2 policy.
- 1. For example, a Fabrikam user in the Fabrikam tenant.
- 1. The Fabrikam user should be able to access SharePoint Online.
-1. Turn on universal tenant restrictions.
-1. As an end-user, with the Global Secure Access Client running, go to SharePoint Online with an external identity that hasn't been explicitly allow-listed.
- 1. For example, a Fabrikam user in the Fabrikam tenant.
- 1. The Fabrikam user should be blocked from accessing SharePoint Online with an error message saying:
- 1. **Access is blocked, The Contoso IT department has restricted which organizations can be accessed. Contact the Contoso IT department to gain access.**
-
-### Try the data path
-
-1. With universal tenant restrictions turned off in Global Secure Access global settings.
-1. Go to SharePoint Online, `https://yourcompanyname.sharepoint.com/`, with an external identity that isn't allow-listed in a tenant restrictions v2 policy.
- 1. For example, a Fabrikam user in the Fabrikam tenant.
- 1. The Fabrikam user should be able to access SharePoint Online.
-1. In the same browser with SharePoint Online open, go to Developer Tools, or press F12 on the keyboard. Start capturing the network logs. You should see Status 200, when everything is working as expected.
-1. Ensure the **Preserve log** option is checked before continuing.
-1. Keep the browser window open with the logs.
-1. Turn on universal tenant restrictions.
-1. As the Fabrikam user, in the browser with SharePoint Online open, within a few minutes, new logs appear. Also, the browser may refresh itself based on the request and responses happening in the back-end. If the browser doesn't automatically refresh after a couple of minutes, hit refresh on the browser with SharePoint Online open.
- 1. The Fabrikam user sees that their access is now blocked saying:
- 1. **Access is blocked, The Contoso IT department has restricted which organizations can be accessed. Contact the Contoso IT department to gain access.**
-1. In the logs, look for a **Status** of 302. This row shows universal tenant restrictions being applied to the traffic.
- 1. In the same response, check the headers for the following information identifying that universal tenant restrictions were applied:
- 1. `Restrict-Access-Confirm: 1`
- 1. `x-ms-diagnostics: 2000020;reason="xms_trpid claim was not present but sec-tenant-restriction-access-policy header was in requres";error_category="insufficiant_claims"`
--
-## Next steps
-
-The next step for getting started with Microsoft Entra Internet Access is to [Enable enhanced Global Secure Access signaling](how-to-source-ip-restoration.md#enable-global-secure-access-signaling-for-conditional-access).
-
-For more information on Conditional Access policies for Global Secure Access (preview), see the following articles:
--- [Set up tenant restrictions V2 (Preview)](/azure/active-directory/external-identities/tenant-restrictions-v2)-- [Source IP restoration](how-to-source-ip-restoration.md)-- [Enable compliant network check with Conditional Access](how-to-compliant-network.md)
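Review bot: The QUIC firewall command in the PowerShell block begins with a stray `@` before the cmdlet name ("@New-NetFirewallRule -DisplayName ..."); remove it so the line can be pasted as is. In the known-limitations list the feature flag is given as `?feature.msaljs=true&exp.msaljsexp=true`, but the example URL encodes it as `?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home`, which is double URL-encoded (`%253D` decodes to `%3D`, not `=`); the example should show the flag in the same form as the line above it. Style points: the heading "Try Universal tenant restrictions with SharePoint Online." ends with a period, "Try the authentication path:" ends with a colon while "Try the data path" does not, and the first step of both procedures ("With universal tenant restrictions turned off in Global Secure Access global settings.") is a sentence fragment rather than an action.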
global-secure-access How To View Enriched Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-view-enriched-logs.md
- Title: How to use enriched Microsoft 365 logs
-description: Learn how to use enriched Microsoft 365 logs for Global Secure Access (preview).
---- Previously updated : 06/27/2023----
-# How to use the Global Secure Access (preview) enriched Microsoft 365 logs
-
-With your Microsoft 365 traffic flowing through the Microsoft Entra Private Internet service, you want to gain insights into the performance, experience, and availability of the Microsoft 365 apps your organization uses. The enriched Microsoft 365 logs provide you with the information you need to gain these insights. You can integrate the logs with a third-party security information and event management (SIEM) tool for further analysis.
-
-This article describes the information in the logs and how to export them.
-
-## Prerequisites
-
-To use the enriched logs, you need the following roles and subscriptions:
-
-* A **Global Administrator** role is required to enable the enriched Microsoft 365 logs.
-* The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
-* To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.
-
-You must configure the endpoint for where you want to route the logs prior to configuring Diagnostic settings. The requirements for each endpoint vary and are described in the [Configure Diagnostic settings](#configure-diagnostic-settings) section.
-
-## What the logs provide
-
-The enriched Microsoft 365 logs provide information about Microsoft 365 workloads, so you can review network diagnostic data, performance data, and security events relevant to Microsoft 365 apps. For example, if access to Microsoft 365 is blocked for a user in your organization, you need visibility into how the user's device is connecting to your network.
-
-These logs provide:
-- Improved latency-- Additional information added to original logs-- Accurate IP address-
-These logs are a subset of the logs available in the [Microsoft 365 audit logs](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=0365-worldwide&preserve-view=true). The logs are enriched with additional information, including the device ID, operating system, and original IP address. Enriched SharePoint logs provide information on files that were downloaded, uploaded, deleted, modified, or recycled. Deleted or recycled list items are also included in the enriched logs.
-
-## How to view the logs
-
-Viewing the enriched Microsoft 365 logs is a two-step process. First, you need to enable the log enrichment from Global Secure Access. Second, you need to configure Microsoft Entra diagnostic settings to route the logs to an endpoint, such as a Log Analytics workspace.
-
-> [!NOTE]
-> At this time, only SharePoint Online logs are available for log enrichment.
-
-### Enable the log enrichment
-
-To enable the Enriched Microsoft 365 logs:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)..
-1. Browse to **Global Secure Access (preview)** > **Global settings** > **Logging**.
-1. Select the type of Microsoft 365 logs you want to enable.
-1. Select **Save**.
-
- :::image type="content" source="media/how-to-view-enriched-logs/enriched-logs-sharepoint.png" alt-text="Screenshot of the Logging area of Global Secure Access." lightbox="media/how-to-view-enriched-logs/enriched-logs-sharepoint-expanded.png":::
-
-The enriched logs may take up to 72 hours to fully integrate with the service.
-
-### Configure Diagnostic settings
-
-To view the enriched Microsoft 365 logs, you must export or stream the logs to an endpoint, such as a Log Analytics workspace or a SIEM tool. The endpoint must be configured before you can configure Diagnostic settings.
-
-* To integrate logs with Log Analytics, you need a **Log Analytics workspace**.
- - [Create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
- - [Integrate logs with Log Analytics](/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics)
-* To stream logs to a SIEM tool, you need to create an Azure event hub and an event hub namespace.
- - [Set up an Event Hubs namespace and an event hub](/azure/event-hubs/event-hubs-create).
- - [Stream logs to an event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)
-* To archive logs to a storage account, you need an Azure storage account that you have `ListKeys` permissions for.
- - [Create an Azure storage account](/azure/storage/common/storage-account-create).
- - [Archive logs to a storage account](/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account)
-
-With your endpoint created, you can configure Diagnostic settings.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator).
-1. Browse to **Identity** > **Monitoring & health** > **Diagnostic settings**.
-1. Select **Add Diagnostic setting**.
-1. Give your diagnostic setting a name.
-1. Select `EnrichedOffice365AuditLogs`.
-1. Select the **Destination details** for where you'd like to send the logs. Choose any or all of the following destinations. Additional fields appear, depending on your selection.
-
- * **Send to Log Analytics workspace:** Select the appropriate details from the menus that appear.
- * **Archive to a storage account:** Provide the number of days you'd like to retain the data in the **Retention days** boxes that appear next to the log categories. Select the appropriate details from the menus that appear.
- * **Stream to an event hub:** Select the appropriate details from the menus that appear.
- * **Send to partner solution:** Select the appropriate details from the menus that appear.
-
-The following example is sending the enriched logs to a Log Analytics workspace, which requires selecting the Subscription and Log Analytics workspace from the menus that appear.
---
-## Next steps
--- [Explore the Global Secure Access logs and monitoring options](concept-global-secure-access-logs-monitoring.md)-- [Learn about Global Secure Access audit logs](how-to-access-audit-logs.md)
global-secure-access How To View Traffic Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-view-traffic-logs.md
- Title: How to use Global Secure Access (preview) traffic logs
-description: Learn how to use traffic logs for Global Secure Access (preview).
---- Previously updated : 06/27/2023----
-# How to use the Global Secure Access (preview) traffic logs
-
-Monitoring the traffic for Global Secure Access (preview) is an important activity for ensuring your tenant is configured correctly and that your users are getting the best experience possible. The Global Secure Access traffic logs provide insight into who is accessing what resources, where they're accessing them from, and what action took place.
-
-This article describes how to use the traffic logs for Global Secure Access.
-
-## How the traffic logs work
-
-Viewing traffic logs requires a Reports Reader role in Microsoft Entra ID.
-
-The Global Secure Access logs provide details of your network traffic. To better understand those details and how you can analyze those details to monitor your environment, it's helpful to look at the three levels of the logs and their relationship to each other.
-
-A user accessing a website represents one *session*, and within that session there may be multiple *connections*, and within that connection there may be multiple *transactions*.
--- **Session**: A session is identified by the first URL a user accesses. That session could then open many connections, for example a news site that contains multiple ads from several different sites.-- **Connection**: A connection includes the source and destination IP, source and destination port, and fully qualified domain name (FQDN). The connection components comprise the 5 tuple.-- **Transaction**: A transaction is a unique request and response pair.-
-Within each log instance, you can see the connection ID and transaction ID in the details. By using the filters, you can look at all connections and transactions for a single session.
-
-## How to view the traffic logs
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](/azure/active-directory/roles/permissions-reference#reports-reader).
-1. **Global Secure Access (Preview)** > **Monitor** > **Traffic logs**.
-
-The top of the page displays a summary of all transactions as well as a breakdown for each type of traffic. Select the **Microsoft 365** or **Private access** buttons to filter the logs to each traffic type.
-
-> [!NOTE]
-> At this time, Session ID information is not available in the log details.
-
-### View the log details
-
-Select any log from the list to view the details. These details provide valuable information that can be used to filter the logs for specific details or to troubleshoot a scenario. The details can be added as a column and used to filter the logs.
-
-![Screenshot of the traffic log activity details.](media/how-to-view-traffic-logs/traffic-activity-details.png)
-
-### Filter and column options
-
-The traffic logs can provide many details, so to start only some columns are visible. Enable and disable the columns based on the analysis or troubleshooting tasks you're performing, as the logs could be difficult to view with too many columns selected. The column and filter options align with each item in the Activity details.
-
-Select **Columns** from the top of the page to change the columns that are displayed.
-
-![Screenshot of the traffic logs with the columns button highlighted.](media/how-to-view-traffic-logs/traffic-logs-columns-button.png)
-
-To filter the traffic logs to a specific detail, select the **Add filter** button and then enter the detail you want to filter by.
-
-For example if you want to look at all the logs from a specific connection:
-
-1. Select the log detail and copy the `connectionId` from the Activity details.
-1. Select **Add filter** and choose **Connection ID**.
-1. In the field that appears, paste the `connectionId` and select **Apply**.
-
- ![Screenshot of the traffic log filter.](media/how-to-view-traffic-logs/traffic-log-filter.png)
-
-### Troubleshooting scenarios
-
-The following details may be helpful for troubleshooting and analysis:
--- If you're interesting in the size of the traffic being sent and received, enable the **Sent Bytes** and **Received Bytes** columns. Select the column header to sort the logs by the size of the logs.-- If you are reviewing the network activity for a risky user, you can filter the results by user principal name and then review the sites they're accessing.-- To look at traffic associated with specific -
-The log details provide valuable information about your network traffic. Not all details are defined in the list below, but the following details are useful for troubleshooting and analysis:
--- **Transaction ID**: Unique identifier representing the request/response pair.-- **Connection ID**: Unique identifier representing the connection that initiated the log.-- **Device category**: Device type where the transaction initiated from. Either **client** or **remote network**.-- **Action**: The action taken on the network session. Either **Allowed** or **Denied**.-
-## Configure diagnostic settings to export logs
-
-You can export the Global Secure Access traffic logs to an endpoint for further analysis and alerting. This integration is configured in Microsoft Entra diagnostic settings.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator).
-1. Browse to **Identity** > **Monitoring & health** > **Diagnostic settings**.
-1. Select **Add Diagnostic setting**.
-1. Give your diagnostic setting a name.
-1. Select `NetworkAccessTrafficLogs`.
-1. Select the **Destination details** for where you'd like to send the logs. Choose any or all of the following destinations. Additional fields appear, depending on your selection.
-
- * **Send to Log Analytics workspace:** Select the appropriate details from the menus that appear.
- * **Archive to a storage account:** Provide the number of days you'd like to retain the data in the **Retention days** boxes that appear next to the log categories. Select the appropriate details from the menus that appear.
- * **Stream to an event hub:** Select the appropriate details from the menus that appear.
- * **Send to partner solution:** Select the appropriate details from the menus that appear.
--
-## Next steps
--- [Learn about the traffic dashboard](concept-traffic-dashboard.md)-- [View the audit logs for Global Secure Access](how-to-access-audit-logs.md)-- [View the enriched Microsoft 365 logs](how-to-view-enriched-logs.md)
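Review bot: If this article is being moved rather than retired, two defects in the "Troubleshooting scenarios" list should not travel with it. The third bullet stops mid-sentence at "To look at traffic associated with specific", and the first bullet reads "If you're interesting in" where "interested in" is meant. The same bullet says to sort "by the size of the logs" while the columns being enabled are **Sent Bytes** and **Received Bytes**, so "by the size of the traffic" would match what is actually sorted.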
global-secure-access Overview What Is Global Secure Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/overview-what-is-global-secure-access.md
- Title: What is Global Secure Access (preview)?
-description: Learn how Microsoft's Security Service Edge solution, Global Secure Access (preview), provides network access control and visibility to users and devices inside and outside a traditional office.
---- Previously updated : 07/27/2023----
-# What is Global Secure Access (preview)?
-
-The way people work has changed. Instead of working in traditional offices, people now work from nearly anywhere. With applications and data moving to the cloud, an identity-aware, cloud-delivered network perimeter for the modern workforce is needed. This new network security category is called Security Service Edge (SSE).
-
-Microsoft Entra Internet Access and Microsoft Entra Private Access comprise Microsoft's Security Service Edge solution. Global Secure Access (preview) is the unifying term used for both Microsoft Entra Internet Access and Microsoft Entra Private Access. Global Secure Access is the unified location in the Microsoft Entra admin center and is built upon the core principles of Zero Trust to use least privilege, verify explicitly, and assume breach.
-
-![Diagram of the Global Secure Access solution, illustrating how identities and remote networks can connect to Microsoft 365, private, and public resources through the service.](media/overview-what-is-global-secure-access/global-secure-access-diagram.png)
-
-## Global Secure Access is Microsoft's Security Service Edge solution
-
-Microsoft Entra Internet Access and Microsoft Entra Private Access - coupled with Microsoft Defender for Cloud Apps, our SaaS-security focused Cloud Access Security Broker (CASB) - are uniquely built as a solution that converges network, identity, and endpoint access controls so you can secure access to any app or resource, from anywhere. With the addition of these Global Secure Access products, Microsoft Entra ID simplifies access policy management and enables access orchestration for employees, business partners, and digital workloads. You can continuously monitor and adjust user access in real time if permissions or risk level changes.
-
-The Global Secure Access features streamline the roll-out and management of the access control capabilities with a unified portal. These features are delivered from Microsoft's Wide Area Network, spanning 140+ countries and 190+ network edge locations. This private network, which is one of the largest in the world, enables organizations to optimally connect users and devices to public and private resources seamlessly and securely. For a list of the current points of presence, see [Global Secure Access points of presence article](reference-points-of-presence.md).
-
-## Microsoft Entra Internet Access
-
-Microsoft Entra Internet Access secures access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats. Best-in-class security and visibility, along with fast and seamless access to Microsoft 365 apps is currently available in public preview. Secure access to public internet apps through the identity-centric, device-aware, cloud-delivered Secure Web Gateway (SWG) of Microsoft Entra Internet Access is in private preview.
-
-### Key features
--- Prevent stolen tokens from being replayed with the compliant network check in Conditional Access.-- Apply universal tenant restrictions to prevent data exfiltration to other tenants or personal accounts including anonymous access.-- Enriched logs with network and device signals currently supported for SharePoint Online traffic.-- Improve the precision of risk assessments on users, locations, and devices. -- Deploy side-by-side with third party SSE solutions.-- Acquire network traffic from the desktop client or from a remote network, such as a branch location.-
-#### Private preview features
-The following new capabilities are available in the private preview of Microsoft Entra Internet Access. To request access to the private preview, complete [the private preview interest form](https://aka.ms/entra-ia-preview).
--- Dedicated public internet traffic forwarding profile.-- Protect user access to the public internet while leveraging Microsoft's cloud-delivered, identity-aware SWG solution.-- Enable web content filtering to regulate access to websites based on their content categories through secure web gateway.-- Apply universal Conditional Access policies for all internet destinations, even if not federated with Microsoft Entra ID.-
-## Microsoft Entra Private Access
-
-Microsoft Entra Private Access provides your users - whether in an office or working remotely - secured access to your private, corporate resources. Microsoft Entra Private Access builds on the capabilities of Microsoft Entra application proxy and extends access to any private resource, port, and protocol.
-
-Remote users can connect to private apps across hybrid and multicloud environments, private networks, and data centers from any device and network without requiring a VPN. The service offers per-app adaptive access based on Conditional Access policies, for more granular security than a VPN.
-
-### Key features
--- Quick Access: Zero Trust based access to a range of IP addresses and/or FQDNs without requiring a legacy VPN.-- Per-app access for TCP apps (UDP support in development).-- Modernize legacy app authentication with deep Conditional Access integration.-- Provide a seamless end-user experience by acquiring network traffic from the desktop client and deploying side-by-side with your existing third-party SSE solutions.--
-## Next steps
--- [Get started with Global Secure Access](how-to-get-started-with-global-secure-access.md)-- [Stay in the loop with the latest Microsoft Entra ID updates](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/bg-p/Identity)
global-secure-access Reference Points Of Presence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/reference-points-of-presence.md
- Title: Global Secure Access points of presence
-description: Global Secure Access points of presence.
---- Previously updated : 07/03/2023---
-# Global Secure Access (preview) points of presence
-
-During the preview, Global Secure Access (preview) is available in limited points of presence, with new locations added periodically. The service routes traffic through one of the following nearby locations, so even if you're not in a listed location, you can still access the service.
-
-## Microsoft Entra Internet Access
-
-Tunneling Microsoft 365 traffic, which is part of Microsoft Entra Internet Access, is currently supported in the following locations:
-
-| Europe | North America | South America | Africa | Asia |
-||||||
-| Amsterdam, Netherlands | Columbia, Washington, USA | Rio de Janeiro, Brazil | Johannesburg, South Africa | Dubai, UAE|
-| Berlin, Germany | Des Moines, Iowa, USA | Sao Paulo, Brazil | | |
-| Dublin, Ireland | Manassas, Virginia, USA | | | |
-| Gavle, Sweden | Montreal, Quebec, Canada | | | |
-| London, UK | Phoenix, Arizona, USA | | | |
-| Paris, France | San Antonio, Texas, USA | | | |
-| | San Jose, California, USA | | | |
-| | Toronto, Ontario, Canada | | | |
-
-## Microsoft Entra Private Access
-
-Microsoft Entra Private Access is currently supported in the following locations:
-
-| Europe | North America | South America | Africa |
-|||||
-| Amsterdam, Netherlands |Manassas, Virginia, USA | Rio de Janeiro, Brazil | Johannesburg, South Africa |
-| Berlin, Germany | Montreal, Quebec, Canada | Sao Paulo, Brazil | |
-| Dublin, Ireland |Phoenix, Arizona, USA| | |
-| Gavle, Sweden | San Antonio, Texas, USA | | |
-| London, UK | San Jose, California, USA | | |
-| Paris, France | Toronto, Ontario, Canada | | |
global-secure-access Reference Remote Network Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/reference-remote-network-configurations.md
- Title: Global Secure Access remote network configurations
-description: Valid Global Secure Access configurations for custom remote network device links settings, including IKE, ASN, IPSec, and DH group.
---- Previously updated : 09/13/2023----
-# Global Secure Access remote network configurations
-
-Device links are the physical routers that connect your remote networks, such as branch locations, to Global Secure Access (preview). There's a specific set of combinations you must use if you choose the **Custom** option when adding device links. If you choose the **Default** option, you must enter a specific combination of properties on the customer premises equipment (CPE) device.
-
-## Default IPSec/IKE configurations
-
-When you select **Default** as your IPsec/IKE policy when configuring remote network device links in the Microsoft Entra admin center, we expect the following combinations in the tunnel handshake.
-
-*You must specify one of these combinations on your customer premise equipment (CPE).*
-
-### IKE Phase 1 combinations
-
-| Properties | Combination 1 | Combination 2 | Combination 3 | Combination 4 | Combination 5 |
-| | | | | | |
-| IKE encryption | GCMAES256 | GCMAES128 | AES256 | AES128 | AES256 |
-| IKEv2 integrity | SHA384 | SHA256 | SHA384 | SHA256 | SHA256 |
-| DH group | DHGroup24 | DHGroup24 | DHGroup24 | DHGroup24 | DHGroup2 |
-
-### IKE Phase 2 combinations
-
-| Properties | Combination 1 | Combination 2 | Combination 3 |
-| | | | |
-| IPSec encryption | GCMAES256 | GCMAES192 | GCMAES128 |
-| IPSec integrity | GCMAES256 | GCMAES192 | GCMAES128 |
-| PFS Group | None | None | None |
-
-## Custom IPSec/IKE combinations
-
-When you select **Custom** as IPSec/IKE configuration when configuring remote network device links in the Microsoft Entra admin center, you must use one of the following combinations.
-
-### IKE Phase 1 combinations
-
-There no limitations for the IKE phase 1 combinations. Any mix and match of encryption, integrity, and DH group is valid.
-
-### IKE Phase 2 combinations
-
-The IPSec encryption and integrity configurations are provided in the following table:
-
-| IPSec integrity | IPSec encryption |
-| | |
-| GCMAES128 | GCMAES128 |
-| GCMAES192 | GCMAES192 |
-| GCMAES256 | GCMAES256 |
-| None | SHA24 |
--- PFS group - No limitation.-- SA lifetime - must be >300 seconds.-
-### Valid autonomous system number (ASN)
-
-You can use any values *except* for the following reserved ASNs:
--- Azure reserved ASNs: 12076, 65517,65518, 65519, 65520, 8076, 8075-- IANA reserved ASNs: 23456, >= 64496 && <= 64511, >= 65535 && <= 65551, 4294967295-- 65476-
-### Valid enums
-
-#### IKE encryption
-
-| Value | Enum |
-| | |
-| AES128 | 0 |
-| AES192 | 1 |
-| AES256 | 2 |
-| GCMAES128 | 3 |
-| GCMAES256 | 4 |
-
-#### IKE integrity
-
-| Value | Enum |
-| | |
-| SHA256 | 0 |
-| SHA384 | 1 |
-| GCMAES256 | 2 |
-| GCMAES256 | 3 |
-
-#### DH group
-
-| Value | Enum |
-| | |
-| DHGroup14 | 0 |
-| DHGroup2048 | 1 |
-| ECP256 | 2 |
-| ECP384 | 3 |
-| DHGroup24 | 4 |
-
-#### IPSec encryption
-
-| Value | Enum |
-| | |
-| GCMAES128 | 0 |
-| GCMAES192 | 1 |
-| GCMAES256 | 2 |
-| None | 3 |
-
-#### IPSec integrity
-
-| Value | Enum |
-| | |
-| GCMAES128 | 0 |
-| GCMAES192 | 1 |
-| GCMAES256 | 2 |
-| SHA256 | 3 |
-
-#### PFS group
-
-| Value | Enum |
-| | |
-| PFS1 | 0 |
-| None | 1 |
-| PFS2 | 2 |
-| PFS2048 | 3 |
-| ECP256 | 4 |
-| ECP384 | 5 |
-| PFSMM | 6 |
-| PFS24 | 7 |
-| PFS14 | 8 |
-
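Review bot: Several table entries in this removed reference are inconsistent with each other and should be checked before the content is republished anywhere. The IKE integrity enum table lists GCMAES256 twice (enums 2 and 3). The custom Phase 2 table pairs IPSec integrity "None" with IPSec encryption "SHA24", while the enum tables put None under IPSec encryption and SHA256 under IPSec integrity, which suggests the two columns are swapped and the value mistyped. Default Phase 1 Combination 5 uses DHGroup2, which has no entry in the DH group enum table. "There no limitations" under the custom Phase 1 heading is also missing "are".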
healthcare-apis Access Healthcare Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/access-healthcare-apis.md
Title: Access Azure Health Data Services description: This article describes the different ways to access Azure Health Data Services in your applications using tools and programming languages. -+ Last updated 06/06/2022-+ # Access Azure Health Data Services
healthcare-apis Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/authentication-authorization.md
Title: Authentication and authorization description: This article provides an overview of the authentication and authorization of Azure Health Data Services. -+ Last updated 06/06/2022-+ # Authentication and authorization for Azure Health Data Services
healthcare-apis Configure Azure Rbac Using Scripts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/configure-azure-rbac-using-scripts.md
Title: Grant permissions to users and client applications using CLI and REST API - Azure Health Data Services description: This article describes how to grant permissions to users and client applications using CLI and REST API. -+ Last updated 06/06/2022-+ # Configure Azure RBAC role using Azure CLI and REST API
healthcare-apis Configure Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/configure-azure-rbac.md
Title: Configure Azure RBAC role for FHIR service - Azure Health Data Services description: This article describes how to configure Azure RBAC role for FHIR.-+ Last updated 06/06/2022-+ # Configure Azure RBAC role for Azure Health Data Services
healthcare-apis Deploy Healthcare Apis Using Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/deploy-healthcare-apis-using-bicep.md
Title: How to create Azure Health Data Services, workspaces, FHIR and DICOM service, and MedTech service using Azure Bicep description: This document describes how to deploy Azure Health Data Services using Azure Bicep.-+ Last updated 06/06/2022-+
healthcare-apis Get Access Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/get-access-token.md
Title: Get an access token to use the FHIR service or the DICOM service description: Learn how to get an access token for the FHIR service or the DICOM service. -+ Last updated 09/06/2023-+ ms.devlang: azurecli
healthcare-apis Healthcare Apis Configure Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/healthcare-apis-configure-private-link.md
Title: Private Link for Azure Health Data Services description: This article describes how to set up a private endpoint for Azure Health Data Services -+ Last updated 06/06/2022-+ # Configure Private Link for Azure Health Data Services
healthcare-apis Healthcare Apis Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/healthcare-apis-quickstart.md
Title: Deploy workspace in the Azure portal - Azure Health Data Services description: This document teaches users how to deploy a workspace in the Azure portal.-+ Last updated 06/06/2022-+
healthcare-apis Logging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/logging.md
Title: Logging for Azure Health Data Services description: This article explains how logging works and how to enable logging for the Azure Health Data Services -+ Last updated 10/10/2022-+ # Logging for Azure Health Data Services
healthcare-apis Register Application Cli Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/register-application-cli-rest.md
Title: Register a client application in Azure AD using CLI and REST API - Azure Health Data Services description: This article describes how to register a client application Azure AD using CLI and REST API. -+ Last updated 05/03/2022-+ # Register a client application using CLI and REST API
healthcare-apis Register Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/register-application.md
Title: Register a client application in Azure Active Directory for the Azure Health Data Services description: How to register a client application in the Azure AD and how to add a secret and API permissions to the Azure Health Data Services-+ Last updated 09/02/2022-+ # Register a client application in Azure Active Directory
load-balancer Gateway Deploy Dual Stack Load Balancer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/gateway-deploy-dual-stack-load-balancer.md
Previously updated : 09/15/2023 Last updated : 09/25/2023
Along with the Gateway Load Balancer, this scenario includes the following alrea
## Add IPv6 address ranges to an existing subnet
+This article assumes you already have a Gateway Load Balancer configured for IPv4 traffic, with a corresponding VNET and subnet. In this step, you add IPv6 ranges to your Gateway Load Balancer's VNET and subnet. This range is need when creating an IPv6 frontend configuration for your Gateway Load Balancer using a private IP address from this subnet/VNET.
# [PowerShell](#tab/powershell) ```powershell-interactive
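Review bot: Typo in the last sentence of the added paragraph: "This range is need when creating" should read "This range is needed when creating". While there, "from this subnet/VNET" would read more clearly as "from this subnet".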
az network vnet subnet update
## Add an IPv6 frontend to gateway load balancer
+Now that you've added IPv6 prefix ranges to your Gateway Load Balancer's subnet and VNET, we can create a new IPv6 frontend configuration on the Gateway Load Balancer, with an IPv6 address from your subnet's range.
+ # [PowerShell](#tab/powershell) ```powershell-interactive
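Review bot: The added sentence switches person midway ("Now that you've added ... we can create"). The other paragraphs added in this change address the reader as "you" throughout, so "you can create a new IPv6 frontend configuration" keeps the voice consistent.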
az network lb frontend-ip create --lb-name myGatewayLoadBalancer
--resource-group myResourceGroup --private-ip-address-version IPv6 --vnet-name myVNetsubnet myGWS
+--subnet myGWSubnet
``` ## Add an IPv6 backend pool to gateway load balancer
+In order to distribute IPv6 traffic, you need a backend pool containing instances with IPv6 addresses. First, you create a backend pool on the Gateway Load Balancer. In the following step, you create IPv6 configurations to your existing backend NICs for IPv4 traffic, and attach them to this backend pool.
+ # [PowerShell](#tab/powershell) ```azurepowershell-interactive
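Review bot: In the added backend pool paragraph, "you create IPv6 configurations to your existing backend NICs for IPv4 traffic" reads as though the new configurations are for IPv4. Something like "you add IPv6 IP configurations to the existing backend NICs that already carry IPv4 traffic" says what is meant. For the corrected `--subnet myGWSubnet` line in the same hunk, confirm the name matches the subnet updated in the earlier `az network vnet subnet update` step, since that command's arguments are not visible here.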
az network nic ip-config create \
## Add a load balancing rule for IPv6 traffic
+Load balancing rules determine how traffic is routed to your backend instances. For Gateway Load Balancer, you create a load balancing rule with HA ports enabled, so that you can inspect traffic of all protocols, arriving on all ports.
+ # [PowerShell](#tab/powershell) ```azurepowershell-interactive
az network lb rule create \
## Chain the IPv6 load balancer frontend to gateway load balancer
+In this final step, you'll chain your existing Standard Load Balancer's IPv6 frontend to the Gateway Load Balancer's IPv6 frontend. Now, all IPv6 traffic headed to your Standard Load Balancer's frontend is forwarded to your Gateway Load Balancer for inspection by the configured NVAs before reaching your application.
+ # [PowerShell](#tab/powershell) ```azurepowershell-interactive
feid=$(az network lb frontend-ip show \
## Next steps -- Learn more about [Azure Gateway Load Balancer partners](./gateway-partners.md) for deploying network appliances.
+- Learn more about [Azure Gateway Load Balancer partners](./gateway-partners.md) for deploying network virtual appliances.
machine-learning Concept Endpoints Online https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-endpoints-online.md
To learn how to configure autoscaling, see [How to autoscale online endpoints](h
When deploying an ML model to a managed online endpoint, you can secure communication with the online endpoint by using [private endpoints](../private-link/private-endpoint-overview.md).
-You can configure security for inbound scoring requests and outbound communications with the workspace and other services separately. Inbound communications use the private endpoint of the Azure Machine Learning workspace. Outbound communications use private endpoints created for the workspace's managed virtual network (preview).
+You can configure security for inbound scoring requests and outbound communications with the workspace and other services separately. Inbound communications use the private endpoint of the Azure Machine Learning workspace. Outbound communications use private endpoints created for the workspace's managed virtual network.
For more information, see [Network isolation with managed online endpoints](concept-secure-online-endpoint.md).
machine-learning Concept Enterprise Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-enterprise-security.md
For more information, see the following articles:
## Network security and isolation
-To restrict network access to Azure Machine Learning resources, you can use an [Azure Machine Learning managed virtual network](how-to-managed-network.md) (preview) or [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md). Using a virtual network reduces the attack surface for your solution, and the chances of data exfiltration.
+To restrict network access to Azure Machine Learning resources, you can use an [Azure Machine Learning managed virtual network](how-to-managed-network.md) or [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md). Using a virtual network reduces the attack surface for your solution, and the chances of data exfiltration.
You don't have to pick one or the other. For example, you can use a managed virtual network to secure managed compute resources and an Azure Virtual Network for your unmanaged resources or to secure client access to the workspace.
-* __Azure Machine Learning managed virtual network__ (preview) provides a fully managed solution that enables network isolation for your workspace and managed compute resources. You can use private endpoints to secure communication with other Azure services, and can restrict outbound communications. The following managed compute resources are secured with a managed network:
+* __Azure Machine Learning managed virtual network__ provides a fully managed solution that enables network isolation for your workspace and managed compute resources. You can use private endpoints to secure communication with other Azure services, and can restrict outbound communications. The following managed compute resources are secured with a managed network:
* Serverless compute (including Spark serverless) * Compute cluster
You don't have to pick one or the other. For example, you can use a managed virt
* Managed online endpoints * Batch online endpoints
- For more information, see [Azure Machine Learning managed virtual network](how-to-managed-network.md) (preview).
+ For more information, see [Azure Machine Learning managed virtual network](how-to-managed-network.md).
* __Azure Virtual Networks__ provides a more customizable virtual network offering. However, you're responsible for configuration and management. You may need to use network security groups, user-defined routing, or a firewall to restrict outbound communication.
machine-learning How To Authenticate Batch Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-authenticate-batch-endpoint.md
In this case, we want to execute a batch endpoint using a service principal alre
# [Azure CLI](#tab/cli)
-1. Create a secret to use for authentication as explained at [Option 32: Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
+1. Create a secret to use for authentication as explained at [Option 32: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret).
1. To authenticate using a service principal, use the following command. For more details see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli). ```azurecli
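Review bot: The link text in the updated Azure CLI step still reads "Option 32: Create a new client secret", while its anchor is `#option-3-create-a-new-client-secret` and the Python and REST tabs in this same change say "Option 3". The stray "2" was carried over from the removed line; change it to "Option 3" here so the three tabs agree.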
In this case, we want to execute a batch endpoint using a service principal alre
# [Python](#tab/sdk)
-1. Create a secret to use for authentication as explained at [Option 3: Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
+1. Create a secret to use for authentication as explained at [Option 3: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret).
1. To authenticate using a service principal, indicate the tenant ID, client ID and client secret of the service principal using environment variables as demonstrated: ```python
In this case, we want to execute a batch endpoint using a service principal alre
# [REST](#tab/rest)
-1. Create a secret to use for authentication as explained at [Option 3: Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
+1. Create a secret to use for authentication as explained at [Option 3: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret).
1. Use the login service from Azure to get an authorization token. Authorization tokens are issued to a particular scope. The resource type for Azure Machine Learning is `https://ml.azure.com`. The request would look as follows:
machine-learning How To Managed Network Compute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-managed-network-compute.md
Title: Managed computes in managed virtual network isolation (preview)
+ Title: Managed computes in managed virtual network isolation
description: Use managed compute resources with managed virtual network isolation with Azure Machine Learning.
# Use managed compute in a managed virtual network
-Learn how to configure compute clusters or compute instances in an Azure Machine Learning managed virtual network (preview).
+Learn how to configure compute clusters or compute instances in an Azure Machine Learning managed virtual network.
When using a managed network, compute resources managed by Azure Machine Learning can participate in the virtual network. Azure Machine Learning _compute clusters_, _compute instances_, and _managed online endpoints_ are created in the managed network.
machine-learning How To Managed Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-managed-network.md
Title: Managed virtual network isolation (preview)
+ Title: Managed virtual network isolation
description: Use managed virtual network isolation for network security with Azure Machine Learning.
-# Workspace managed network isolation (preview)
+# Workspace managed virtual network isolation
[!INCLUDE [dev v2](includes/machine-learning-dev-v2.md)]
-Azure Machine Learning provides support for managed virtual network (VNet) isolation. Managed VNet isolation streamlines and automates your network isolation configuration with a built-in, workspace-level Azure Machine Learning managed virtual network.
+Azure Machine Learning provides support for managed virtual network (managed VNet) isolation. Managed VNet isolation streamlines and automates your network isolation configuration with a built-in, workspace-level Azure Machine Learning managed VNet.
-
-## Managed virtual network architecture
+## managed virtual network architecture
When you enable managed virtual network isolation, a managed VNet is created for the workspace. Managed compute resources you create for the workspace automatically use this managed VNet. The managed VNet can use private endpoints for Azure resources that are used by your workspace, such as Azure Storage, Azure Key Vault, and Azure Container Registry.
-There are two different configuration modes for outbound traffic from the managed virtual network:
+There are two different configuration modes for outbound traffic from the managed VNet:
> [!TIP]
-> Regardless of the outbound mode you use, traffic to Azure resources can be configured to use a private endpoint. For example, you may allow all outbound traffic to the internet, but restrict communication with Azure resources by creating a private endpoint for that resource in the managed VNet
+> Regardless of the outbound mode you use, traffic to Azure resources can be configured to use a private endpoint. For example, you may allow all outbound traffic to the internet, but restrict communication with Azure resources by adding outbound rules for the resources.
| Outbound mode | Description | Scenarios | | -- | -- | -- |
-| Allow internet outbound | Allow all internet outbound traffic from the managed VNet. | Recommended if you need access to machine learning artifacts on the Internet, such as python packages or pretrained models. |
-| Allow only approved outbound | Outbound traffic is allowed by specifying service tags. | Recommended if you want to minimize the risk of data exfiltration but you need to prepare all required machine learning artifacts in your private locations. |
+| Allow internet outbound | Allow all internet outbound traffic from the managed VNet. | You want unrestricted access to machine learning resources on the internet, such as python packages or pretrained models.<sup>1</sup> |
+| Allow only approved outbound | Outbound traffic is allowed by specifying service tags. | * You want to minimize the risk of data exfiltration, but you need to prepare all required machine learning artifacts in your private environment.</br>* You want to configure outbound access to an approved list of services, service tags, or FQDNs. |
+| Disabled | Inbound and outbound traffic isn't restricted or you're using your own Azure Virtual Network to protect resources. | You want public inbound and outbound from the workspace, or you're handling network isolation with your own Azure VNet. |
+
+1: You can use outbound rules with _allow only approved outbound_ mode to achieve the same result as using allow internet outbound. The differences are:
+
+* You must add rules for each outbound connection you need to allow.
+* Adding FQDN outbound rules increase your costs as this rule type uses Azure Firewall.
+* The default rules for _allow only approved outbound_ are designed to minimize the risk of data exfiltration. Any outbound rules you add may increase your risk.
-The managed virtual network is preconfigured with [required default rules](#list-of-required-rules). It's also configured for private endpoint connections to your workspace default storage, container registry and key vault __if they're configured as private__. After choosing the isolation mode, you only need to consider other outbound requirements you may need to add.
+The managed VNet is preconfigured with [required default rules](#list-of-required-rules). It's also configured for private endpoint connections to your workspace, workspace's default storage, container registry and key vault __if they're configured as private__ or __the workspace isolation mode is set to allow only approved outbound__. After choosing the isolation mode, you only need to consider other outbound requirements you may need to add.
-The following diagram shows a managed virtual network configured to __allow internet outbound__:
+The following diagram shows a managed VNet configured to __allow internet outbound__:
-The following diagram shows a managed virtual network configured to __allow only approved outbound__:
+The following diagram shows a managed VNet configured to __allow only approved outbound__:
> [!NOTE] > In this configuration, the storage, key vault, and container registry used by the workspace are flagged as private. Since they are flagged as private, a private endpoint is used to communicate with them. ### Azure Machine Learning studio If you want to use the integrated notebook or create datasets in the default storage account from studio, your client needs access to the default storage account. Create a _private endpoint_ or _service endpoint_ for the default storage account in the Azure Virtual Network that the clients use.
-Part of Azure Machine Learning studio runs locally in the client's web browser, and communicates directly with the default storage for the workspace. Creating a private endpoint or service endpoint for the default storage account in the virtual network ensures that the client can communicate with the storage account.
-
-> [!TIP]
-> A using a service endpoint in this configuration can reduce costs.
+Part of Azure Machine Learning studio runs locally in the client's web browser, and communicates directly with the default storage for the workspace. Creating a private endpoint or service endpoint (for the default storage account) in the client's virtual network ensures that the client can communicate with the storage account.
For more information on creating a private endpoint or service endpoint, see the [Connect privately to a storage account](/azure/storage/common/storage-private-endpoints) and [Service Endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview) articles.
-## Supported scenarios
-
-|Scenarios|Supported|
-|||
-|Isolation Mode| &#x2022; Allow internet outbound<br>&#x2022; Allow only approved outbound|
-|Compute|&#x2022; [Compute Instance](concept-compute-instance.md)<br>&#x2022; [Compute Cluster](how-to-create-attach-compute-cluster.md)<br>&#x2022; [Serverless](how-to-use-serverless-compute.md)<br>&#x2022; [Serverless spark](apache-spark-azure-ml-concepts.md)<br>&#x2022; New managed online endpoint creation<br>&#x2022; No Public IP option of Compute Instance, Compute Cluster and Serverless |
-|Outbound|&#x2022; Private Endpoint<br>&#x2022; Service Tag<br>&#x2022; FQDN |
- ## Prerequisites Before following the steps in this article, make sure you have the following prerequisites:
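Review bot: The edited lead-in "There are two different configuration modes for outbound traffic from the managed VNet:" no longer matches the table, which has three rows once the "Disabled" row is added; update the count or reword the sentence. Two smaller points in the same hunk: the new heading "## managed virtual network architecture" lost its initial capital, and the "Allow only approved outbound" row uses `</br>` where the removed table used `<br>`, while its description still mentions only service tags although the scenario column now lists services, service tags, or FQDNs.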
Before following the steps in this article, make sure you have the following pre
* The [Azure CLI](/cli/azure/) and the `ml` extension to the Azure CLI. For more information, see [Install, set up, and use the CLI (v2)](how-to-configure-cli.md). >[!TIP]
- > Azure Machine Learning managed virtual network was introduced on May 23rd, 2023. If you have an older version of the ml extension, you may need to update it for the examples in this article work. To update the extension, use the following Azure CLI command:
+ > Azure Machine Learning managed VNet was introduced on May 23rd, 2023. If you have an older version of the ml extension, you may need to update it for the examples in this article work. To update the extension, use the following Azure CLI command:
> > ```azurecli > az extension update -n ml
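Review bot: The added CLI tip keeps the broken phrase "you may need to update it for the examples in this article work"; the matching SDK tip in the next hunk reads "to work". Add the missing "to" while this line is being changed.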
Before following the steps in this article, make sure you have the following pre
* The Azure Machine Learning Python SDK v2. For more information on the SDK, see [Install the Python SDK v2 for Azure Machine Learning](/python/api/overview/azure/ai-ml-readme). > [!TIP]
- > Azure Machine learning managed virtual network was introduced on May 23rd, 2023. If you have an older version of the SDK installed, you may need to update it for the examples in this article to work. To update the SDK, use the following command:
+ > Azure Machine learning managed VNet was introduced on May 23rd, 2023. If you have an older version of the SDK installed, you may need to update it for the examples in this article to work. To update the SDK, use the following command:
> > ```bash > pip install --upgrade azure-ai-ml azure-identity
Before following the steps in this article, make sure you have the following pre
## Configure a managed virtual network to allow internet outbound
+> [!TIP]
+> The creation of the managed VNet is deferred until a compute resource is created or provisioning is manually started. When allowing automatic creation, it can take around __30 minutes__ to create the first compute resource as it is also provisioning the network. For more information, see [Manually provision the network](#manually-provision-a-managed-vnet).
+ > [!IMPORTANT]
-> The creation of the managed virtual network is deferred until a compute resource is created or provisioning is manually started. If you want to provision the managed virtual network and private endpoints, use the `az ml workspace provision-network` command from the Azure CLI. For example, `az ml workspace provision-network --name ws --resource-group rg`.
->
> __If you plan to submit serverless spark jobs__, you must manually start provisioning. For more information, see the [configure for serverless spark jobs](#configure-for-serverless-spark-jobs) section. # [Azure CLI](#tab/azure-cli)
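Review bot: The added tip replaces the inline command `az ml workspace provision-network --name ws --resource-group rg` with a link to `#manually-provision-a-managed-vnet`, and no heading with that anchor is added in the visible part of this diff. Confirm the target section exists in the article, or keep the one-line command in the tip: the [!IMPORTANT] note directly below tells readers who submit serverless spark jobs that they must start provisioning manually, so the command should be easy to find from here.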
You can configure a managed VNet using either the `az ml workspace create` or `a
* __Create a new workspace__:
- > [!TIP]
- > before creating a new workspace, you must create an Azure Resource Group to contain it. For more information, see [Manage Azure Resource Groups](/azure/azure-resource-manager/management/manage-resource-groups-cli).
- The following example creates a new workspace. The `--managed-network allow_internet_outbound` parameter configures a managed VNet for the workspace: ```azurecli
You can configure a managed VNet using either the `az ml workspace create` or `a
name: myworkspace location: EastUS managed_network:
- isolation_mode: allow_internet_outbound
+ isolation_mode: allow_internet_outbound
``` * __Update an existing workspace__:
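Review bot: The removed and added `isolation_mode: allow_internet_outbound` lines differ only in leading whitespace, and indentation is significant in YAML. Check in the rendered article that `isolation_mode` ends up nested under `managed_network:`, and that the `allow_only_approved_outbound` sample changed later in this file gets the same indentation.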
You can configure a managed VNet using either the `az ml workspace create` or `a
az ml workspace update --name ws --resource-group rg --managed-network allow_internet_outbound ```
- To Update an existing workspace using the YAML file, use the `--file` parameter and specify the YAML file that contains the configuration settings:
+ To update an existing workspace using the YAML file, use the `--file` parameter and specify the YAML file that contains the configuration settings:
```azurecli az ml workspace update --file workspace.yaml --name ws --resource-group MyGroup
To configure a managed VNet that allows internet outbound communications, use th
* __Create a new workspace__:
- > [!TIP]
- > before creating a new workspace, you must create an Azure Resource Group to contain it. For more information, see [Manage Azure Resource Groups](/azure/developer/python/sdk/examples/azure-sdk-example-resource-group).
- The following example creates a new workspace named `myworkspace`, with an outbound rule named `myrule` that adds a private endpoint for an Azure Blob store: ```python
- # Basic managed network configuration
+ # Basic managed VNet configuration
network = ManagedNetwork(IsolationMode.ALLOW_INTERNET_OUTBOUND) # Workspace configuration
To configure a managed VNet that allows internet outbound communications, use th
ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, "myworkspace") ws = ml_client.workspaces.get()
- # Basic managed network configuration
+ # Basic managed VNet configuration
ws.managed_network = ManagedNetwork(IsolationMode.ALLOW_INTERNET_OUTBOUND) # Example private endpoint outbound to a blob
To configure a managed VNet that allows internet outbound communications, use th
1. Provide the required information on the __Basics__ tab. 1. From the __Networking__ tab, select __Private with Internet Outbound__.
- :::image type="content" source="./media/how-to-managed-network/use-managed-network-internet-outbound.png" alt-text="Screenshot of creating a workspace with an internet outbound managed network." lightbox="./media/how-to-managed-network/use-managed-network-internet-outbound.png":::
+ :::image type="content" source="./media/how-to-managed-network/use-managed-network-internet-outbound.png" alt-text="Screenshot of creating a workspace with an internet outbound managed VNet." lightbox="./media/how-to-managed-network/use-managed-network-internet-outbound.png":::
1. To add an _outbound rule_, select __Add user-defined outbound rules__ from the __Networking__ tab. From the __Workspace outbound rules__ sidebar, provide the following information: * __Rule name__: A name for the rule. The name must be unique for this workspace.
- * __Destination type__: Private Endpoint is the only option when the network isolation is private with internet outbound. Azure Machine Learning managed virtual network doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.
+ * __Destination type__: Private Endpoint is the only option when the network isolation is private with internet outbound. Azure Machine Learning managed VNet doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.
* __Subscription__: The subscription that contains the Azure resource you want to add a private endpoint for. * __Resource group__: The resource group that contains the Azure resource you want to add a private endpoint for. * __Resource type__: The type of the Azure resource.
To configure a managed VNet that allows internet outbound communications, use th
[!INCLUDE [managed-vnet-update](includes/managed-vnet-update.md)]
- 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace that you want to enable managed virtual network isolation for.
+ 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace that you want to enable managed VNet isolation for.
1. Select __Networking__, then select __Private with Internet Outbound__.
- :::image type="content" source="./media/how-to-managed-network/update-managed-network-internet-outbound.png" alt-text="Screenshot of updating a workspace to managed network with internet outbound." lightbox="./media/how-to-managed-network/update-managed-network-internet-outbound.png":::
+ :::image type="content" source="./media/how-to-managed-network/update-managed-network-internet-outbound.png" alt-text="Screenshot of updating a workspace to managed VNet with internet outbound." lightbox="./media/how-to-managed-network/update-managed-network-internet-outbound.png":::
- * To _add_ an _outbound rule_, select __Add user-defined outbound rules__ from the __Networking__ tab. From the __Workspace outbound rules__ sidebar, provide the following information:
-
- * __Rule name__: A name for the rule. The name must be unique for this workspace.
- * __Destination type__: Private Endpoint is the only option when the network isolation is private with internet outbound. Azure Machine Learning managed virtual network doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.
- * __Subscription__: The subscription that contains the Azure resource you want to add a private endpoint for.
- * __Resource group__: The resource group that contains the Azure resource you want to add a private endpoint for.
- * __Resource type__: The type of the Azure resource.
- * __Resource name__: The name of the Azure resource.
- * __Sub Resource__: The sub resource of the Azure resource type.
- * __Spark enabled__: Select this option if you want to enable serverless spark jobs for the workspace. This option is only available if the resource type is Azure Storage.
+ * To _add_ an _outbound rule_, select __Add user-defined outbound rules__ from the __Networking__ tab. From the __Workspace outbound rules__ sidebar, provide the same information as used when creating a workspace in the 'Create a new workspace' section.
- :::image type="content" source="./media/how-to-managed-network/outbound-rule-private-endpoint.png" alt-text="Screenshot of updating a managed network by adding a private endpoint." lightbox="./media/how-to-managed-network/outbound-rule-private-endpoint.png":::
+ :::image type="content" source="./media/how-to-managed-network/outbound-rule-private-endpoint.png" alt-text="Screenshot of updating a managed VNet by adding a private endpoint." lightbox="./media/how-to-managed-network/outbound-rule-private-endpoint.png":::
* To __delete__ an outbound rule, select __delete__ for the rule.
- :::image type="content" source="./media/how-to-managed-network/delete-outbound-rule.png" alt-text="Screenshot of the delete rule icon for an approved outbound managed network.":::
+ :::image type="content" source="./media/how-to-managed-network/delete-outbound-rule.png" alt-text="Screenshot of the delete rule icon for an approved outbound managed VNet.":::
- 1. Select __Save__ at the top of the page to save the changes to the managed network.
+ 1. Select __Save__ at the top of the page to save the changes to the managed VNet.
## Configure a managed virtual network to allow only approved outbound
+> [!TIP]
+> The managed VNet is automatically provisioned when you create a compute resource. When allowing automatic creation, it can take around __30 minutes__ to create the first compute resource as it is also provisioning the network. If you configured FQDN outbound rules, the first FQDN rule adds around __10 minutes__ to the provisioning time. For more information, see [Manually provision the network](#manually-provision-a-managed-vnet).
+ > [!IMPORTANT]
-> The creation of the managed virtual network is deferred until a compute resource is created or provisioning is manually started. If you want to provision the managed virtual network and private endpoints, use the `az ml workspace provision-network` command from the Azure CLI. For example, `az ml workspace provision-network --name ws --resource-group rg`.
->
> __If you plan to submit serverless spark jobs__, you must manually start provisioning. For more information, see the [configure for serverless spark jobs](#configure-for-serverless-spark-jobs) section. # [Azure CLI](#tab/azure-cli)
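Review bot: The replacement bullet "provide the same information as used when creating a workspace in the 'Create a new workspace' section" points to its target by quoted name only, and "Create a new workspace" appears in this article as a bullet under several tabs rather than as a linkable heading. Link to the field list explicitly or move the list into an include, as is already done with `[!INCLUDE [managed-vnet-update](includes/managed-vnet-update.md)]`. Also align the two new tips: this one says the managed VNet "is automatically provisioned when you create a compute resource", while the tip in the internet outbound section says creation "is deferred until a compute resource is created or provisioning is manually started".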
managed_network:
isolation_mode: allow_only_approved_outbound ```
-You can also define _outbound rules_ to define approved outbound communication. An outbound rule can be created for a type of `service_tag` or `fqdn`. You can also define _private endpoints_ that allow an Azure resource to securely communicate with the managed VNet. The following rule demonstrates adding a private endpoint to an Azure Blob resource, a service tag to Azure Data Factory, and an FQDN to `pypi.org`:
+You can also define _outbound rules_ to define approved outbound communication. An outbound rule can be created for a type of `service_tag`, `fqdn`, and `private_endpoint`. The following rule demonstrates adding a private endpoint to an Azure Blob resource, a service tag to Azure Data Factory, and an FQDN to `pypi.org`:
> [!IMPORTANT] > * Adding an outbound for a service tag or FQDN is only valid when the managed VNet is configured to `allow_only_approved_outbound`. > * If you add outbound rules, Microsoft can't guarantee data exfiltration.
+> [!WARNING]
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ ```yaml managed_network: isolation_mode: allow_only_approved_outbound
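Review bot: The unchanged bullet beside the edited paragraph, "If you add outbound rules, Microsoft can't guarantee data exfiltration", reads as if exfiltration itself were the thing being guaranteed. Since this block is being touched, reword it to say that protection against data exfiltration can't be guaranteed once rules are added. In the edited sentence, "for a type of `service_tag`, `fqdn`, and `private_endpoint`" should use "or", because each rule has a single type.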
You can configure a managed VNet using either the `az ml workspace create` or `a
* __Create a new workspace__:
- > [!TIP]
- > Before creating a new workspace, you must create an Azure Resource Group to contain it. For more information, see [Manage Azure Resource Groups](/azure/azure-resource-manager/management/manage-resource-groups-cli).
- The following example uses the `--managed-network allow_only_approved_outbound` parameter to configure the managed VNet: ```azurecli az ml workspace create --name ws --resource-group rg --managed-network allow_only_approved_outbound ```
- The following YAML file defines a workspace with a managed virtual network:
+ The following YAML file defines a workspace with a managed VNet:
```yml name: myworkspace location: EastUS managed_network:
- isolation_mode: allow_only_approved_outbound
+ isolation_mode: allow_only_approved_outbound
``` To create a workspace using the YAML file, use the `--file` parameter:
You can configure a managed VNet using either the `az ml workspace create` or `a
The following YAML file defines a managed VNet for the workspace. It also demonstrates how to add an approved outbound to the managed VNet. In this example, an outbound rule is added for both a service tag:
+ > [!WARNING]
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing.For more information, see [Pricing](#pricing).
+ ```yaml name: myworkspace_dep managed_network:
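Review bot: The added warning is missing a space in "included in your billing.For more information"; the other copies of this warning in the diff have it. The unchanged sentence above it, "an outbound rule is added for both a service tag:", stops after naming one rule type; complete it so that readers know which rule in the sample triggers the Azure Firewall charge the warning describes.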
To configure a managed VNet that allows only approved outbound communications, u
* __Create a new workspace__:
- > [!TIP]
- > before creating a new workspace, you must create an Azure Resource Group to contain it. For more information, see [Manage Azure Resource Groups](/azure/developer/python/sdk/examples/azure-sdk-example-resource-group).
- The following example creates a new workspace named `myworkspace`, with several outbound rules: * `myrule` - Adds a private endpoint for an Azure Blob store. * `datafactory` - Adds a service tag rule to communicate with Azure Data Factory. > [!IMPORTANT]
- > * Adding an outbound for a service tag is only valid when the managed VNet is configured to `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`.
+ > * Adding an outbound for a service tag or FQDN is only valid when the managed VNet is configured to `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`.
> * If you add outbound rules, Microsoft can't guarantee data exfiltration.
+ > [!WARNING]
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ ```python
- # Basic managed virtual network configuration
+ # Basic managed VNet configuration
network = ManagedNetwork(IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND) # Workspace configuration
To configure a managed VNet that allows only approved outbound communications, u
* `datafactory` - Adds a service tag rule to communicate with Azure Data Factory. > [!TIP]
- > Adding an outbound for a service tag is only valid when the managed VNet is configured to `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`.
+ > Adding an outbound for a service tag or FQDN is only valid when the managed VNet is configured to `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`.
+
+ > [!WARNING]
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
```python # Get the existing workspace ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, "myworkspace") ws = ml_client.workspaces.get()
- # Basic managed virtual network configuration
+ # Basic managed VNet configuration
ws.managed_network = ManagedNetwork(IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND) # Append some rules
To configure a managed VNet that allows only approved outbound communications, u
1. Provide the required information on the __Basics__ tab. 1. From the __Networking__ tab, select __Private with Approved Outbound__.
- :::image type="content" source="./media/how-to-managed-network/use-managed-network-approved-outbound.png" alt-text="Screenshot of creating a workspace with an approved outbound managed network." lightbox="./media/how-to-managed-network/use-managed-network-approved-outbound.png":::
+ :::image type="content" source="./media/how-to-managed-network/use-managed-network-approved-outbound.png" alt-text="Screenshot of creating a workspace with an approved outbound managed VNet." lightbox="./media/how-to-managed-network/use-managed-network-approved-outbound.png":::
1. To add an _outbound rule_, select __Add user-defined outbound rules__ from the __Networking__ tab. From the __Workspace outbound rules__ sidebar, provide the following information:
To configure a managed VNet that allows only approved outbound communications, u
* __Spark enabled__: Select this option if you want to enable serverless spark jobs for the workspace. This option is only available if the resource type is Azure Storage. > [!TIP]
- > Azure Machine Learning managed virtual network doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.
+ > Azure Machine Learning managed VNet doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.
:::image type="content" source="./media/how-to-managed-network/outbound-rule-private-endpoint.png" alt-text="Screenshot of updating an approved outbound network by adding a private endpoint." lightbox="./media/how-to-managed-network/outbound-rule-private-endpoint.png":::
To configure a managed VNet that allows only approved outbound communications, u
If the destination type is __FQDN__, provide the following information:
+ > [!WARNING]
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ * __FQDN destination__: The fully qualified domain name to add to the approved outbound rules.
- :::image type="content" source="./media/how-to-managed-network/outbound-rule-fqdn.png" alt-text="Screenshot of updating an approved outbound network by adding an FQDN rule for an approved outbound managed network." lightbox="./media/how-to-managed-network/outbound-rule-fqdn.png":::
+ :::image type="content" source="./media/how-to-managed-network/outbound-rule-fqdn.png" alt-text="Screenshot of updating an approved outbound network by adding an FQDN rule for an approved outbound managed VNet." lightbox="./media/how-to-managed-network/outbound-rule-fqdn.png":::
Select __Save__ to save the rule. You can continue using __Add user-defined outbound rules__ to add rules.
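Review bot: The new [!WARNING] block is inserted between the lead-in "If the destination type is __FQDN__, provide the following information:" and the "__FQDN destination__" bullet it introduces, which separates the sentence from its list. Move the warning above the lead-in or below the bullet so that the field list still follows its introduction.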
To configure a managed VNet that allows only approved outbound communications, u
[!INCLUDE [managed-vnet-update](includes/managed-vnet-update.md)]
- 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace that you want to enable managed virtual network isolation for.
+ 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace that you want to enable managed VNet isolation for.
1. Select __Networking__, then select __Private with Approved Outbound__.
- :::image type="content" source="./media/how-to-managed-network/update-managed-network-approved-outbound.png" alt-text="Screenshot of updating a workspace to managed network with approved outbound." lightbox="./media/how-to-managed-network/update-managed-network-approved-outbound.png":::
-
- * To _add_ an _outbound rule_, select __Add user-defined outbound rules__ from the __Networking__ tab. From the __Workspace outbound rules__ sidebar, provide the following information:
-
- * __Rule name__: A name for the rule. The name must be unique for this workspace.
- * __Destination type__: Private Endpoint, Service Tag, or FQDN. Service Tag and FQDN are only available when the network isolation is private with approved outbound.
-
- If the destination type is __Private Endpoint__, provide the following information:
-
- * __Subscription__: The subscription that contains the Azure resource you want to add a private endpoint for.
- * __Resource group__: The resource group that contains the Azure resource you want to add a private endpoint for.
- * __Resource type__: The type of the Azure resource.
- * __Resource name__: The name of the Azure resource.
- * __Sub Resource__: The sub resource of the Azure resource type.
- * __Spark enabled__: Select this option if you want to enable serverless spark jobs for the workspace. This option is only available if the resource type is Azure Storage.
-
- > [!TIP]
- > Azure Machine Learning managed virtual network doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.
-
- :::image type="content" source="./media/how-to-managed-network/outbound-rule-private-endpoint.png" alt-text="Screenshot of updating an approved outbound network by adding a private endpoint rule." lightbox="./media/how-to-managed-network/outbound-rule-private-endpoint.png":::
-
- If the destination type is __Service Tag__, provide the following information:
-
- * __Service tag__: The service tag to add to the approved outbound rules.
- * __Protocol__: The protocol to allow for the service tag.
- * __Port ranges__: The port ranges to allow for the service tag.
-
- :::image type="content" source="./media/how-to-managed-network/outbound-rule-service-tag.png" alt-text="Screenshot of updating an approved outbound network by adding a service tag rule." lightbox="./media/how-to-managed-network/outbound-rule-service-tag.png" :::
+ :::image type="content" source="./media/how-to-managed-network/update-managed-network-approved-outbound.png" alt-text="Screenshot of updating a workspace to managed VNet with approved outbound." lightbox="./media/how-to-managed-network/update-managed-network-approved-outbound.png":::
- If the destination type is __FQDN__, provide the following information:
-
- * __FQDN destination__: The fully qualified domain name to add to the approved outbound rules.
-
- :::image type="content" source="./media/how-to-managed-network/outbound-rule-fqdn.png" alt-text="Screenshot of updating an approved outbound network by adding an FQDN rule." lightbox="./media/how-to-managed-network/outbound-rule-fqdn.png":::
-
- Select __Save__ to save the rule. You can continue using __Add user-defined outbound rules__ to add rules.
+ * To _add_ an _outbound rule_, select __Add user-defined outbound rules__ from the __Networking__ tab. From the __Workspace outbound rules__ sidebar, provide the same information as when creating a workspace in the previous 'Create a new workspace' section.
* To __delete__ an outbound rule, select __delete__ for the rule.
- :::image type="content" source="./media/how-to-managed-network/delete-outbound-rule.png" alt-text="Screenshot of the delete rule icon for an approved outbound managed network.":::
+ :::image type="content" source="./media/how-to-managed-network/delete-outbound-rule.png" alt-text="Screenshot of the delete rule icon for an approved outbound managed VNet.":::
- 1. Select __Save__ at the top of the page to save the changes to the managed network.
+ 1. Select __Save__ at the top of the page to save the changes to the managed VNet.
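Review bot: The added bullet for adding an outbound rule points to the previous 'Create a new workspace' section by quoted name only, with no link, while the field descriptions it replaces (rule name, destination type, and the private endpoint, service tag and FQDN inputs) are deleted from this tab. Make the reference an in-page anchor link so a reader who lands on the update steps can still reach the field definitions, including the statement that Service Tag and FQDN destinations are only available with approved outbound isolation.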
To enable the [serverless spark jobs](how-to-submit-spark-jobs.md) for the manag
Use a YAML file to define the managed VNet configuration and add a private endpoint for the Azure Storage Account. Also set `spark_enabled: true`:
- > [!NOTE]
- > This example is for a managed VNet configured to allow internet traffic. Currently, serverless Spark does not support `isolation_mode: allow_only_approved_outbound` to allow only approved outbound traffic.
+ > [!TIP]
+ > This example is for a managed VNet configured using `isolation_mode: allow_internet_outbound` to allow internet traffic. If you want to allow only approved outbound traffic to enable data exfiltration protection (DEP), use `isolation_mode: allow_only_approved_outbound`.
```yml name: myworkspace
To enable the [serverless spark jobs](how-to-submit-spark-jobs.md) for the manag
az ml workspace update --file workspace_pe.yml --resource_group rg --name ws ```
+ > [!NOTE]
+ > - When data exfiltration protection (DEP) is enabled, conda package dependencies defined in Spark session configuration will fail to install. To resolve this problem, upload a self-contained Python package wheel with no external dependencies to an Azure storage account and create private endpoint to this storage account. Use the path to Python package wheel as `py_files` parameter in your Spark job.
+ > - If the workspace was created with `isolation_mode: allow_internet_outbound`, it can not be updated later to use `isolation_mode: allow_only_approved_outbound`.
+ # [Python SDK](#tab/python) The following example demonstrates how to create a managed VNet for an existing Azure Machine Learning workspace named `myworkspace`. It also adds a private endpoint for the Azure Storage Account and sets `spark_enabled=true`:
- > [!NOTE]
- > The following example is for a managed VNet configured to allow internet traffic. Currently, serverless Spark does not support `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND` to allow only approved outbound traffic.
+ > [!TIP]
+ > The following example is for a managed VNet configured using `IsolationMode.ALLOW_INTERNET_OUTBOUND` to allow internet traffic. If you want to allow only approved outbound traffic to enable data exfiltration protection (DEP), use `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`.
```python # Get the existing workspace ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, "myworkspace") ws = ml_client.workspaces.get()
- # Basic managed network configuration
+ # Basic managed VNet configuration
ws.managed_network = ManagedNetwork(IsolationMode.ALLOW_INTERNET_OUTBOUND) # Example private endpoint outbound to a blob
To enable the [serverless spark jobs](how-to-submit-spark-jobs.md) for the manag
# Create the workspace ml_client.workspaces.begin_update(ws) ```
+ > [!NOTE]
+ > - When data exfiltration protection (DEP) is enabled, conda package dependencies defined in Spark session configuration will fail to install. To resolve this problem, upload a self-contained Python package wheel with no external dependencies to an Azure storage account and create private endpoint to this storage account. Use the path to Python package wheel as `py_files` parameter in the Spark job.
+ > - If the workspace was created with `IsolationMode.ALLOW_INTERNET_OUTBOUND`, it can not be updated later to use `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`.
# [Azure portal](#tab/portal) 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace.
- 1. Select __Networking__, then select __Add user-defined outbound rules__. Add a rule for the Azure Storage Account, and make sure that __Spark enabled__ is selected.
+ 2. Select __Networking__, then select __Add user-defined outbound rules__. Add a rule for the Azure Storage Account, and make sure that __Spark enabled__ is selected.
:::image type="content" source="./media/how-to-managed-network/add-outbound-spark-enabled.png" alt-text="Screenshot of an endpoint rule with Spark enabled selected." lightbox="./media/how-to-managed-network/add-outbound-spark-enabled.png":::
- 1. Select __Save__ to save the rule, then select __Save__ from the top of __Networking__ to save the changes to the manged virtual network.
+ 3. Select __Save__ to save the rule, then select __Save__ from the top of __Networking__ to save the changes to the manged virtual network.
-1. Provision the managed VNet.
+2. Provision the managed VNet.
> [!NOTE]
- > If your workspace is already configured for a public endpoint (for example, with an Azure Virtual Network), and has [public network access enabled](how-to-configure-private-link.md#enable-public-access), you must disable it before provisioning the managed virtual network. If you don't disable public network access when provisioning the managed virtual network, the private endpoints for the managed endpoint may not be created successfully.
+ > If your workspace is already configured for a public endpoint (for example, with an Azure Virtual Network), and has [public network access enabled](how-to-configure-private-link.md#enable-public-access), you must disable it before provisioning the managed VNet. If you don't disable public network access when provisioning the managed VNet, the private endpoints for the managed endpoint may not be created successfully.
# [Azure CLI](#tab/azure-cli)
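Review bot: The new TIP before the Python example suggests `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND` for data exfiltration protection, but the example updates an existing workspace, and the NOTE added after the code says a workspace created with `IsolationMode.ALLOW_INTERNET_OUTBOUND` can't be updated to that mode later. Put the restriction in the TIP itself, or move the NOTE above the code, so the reader sees it before choosing a mode. The renumbered portal step 3 also still reads "manged virtual network"; correct the spelling and use "managed VNet" to match the rest of this change.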
To enable the [serverless spark jobs](how-to-submit-spark-jobs.md) for the manag
+## Manually provision a managed VNet
+
+The managed VNet is automatically provisioned when you create a compute resource. When you rely on automatic provisioning, it can take around __30 minutes__ to create the first compute resource as it is also provisioning the network. If you configured FQDN outbound rules (only available with allow only approved mode), the first FQDN rule adds around __10 minutes__ to the provisioning time.
+
+To reduce the wait time when someone attempts to create the first compute, you can manually provision the managed VNet after creating the workspace without creating a compute resource:
+
+> [!NOTE]
+> If your workspace is already configured for a public endpoint (for example, with an Azure Virtual Network), and has [public network access enabled](how-to-configure-private-link.md#enable-public-access), you must disable it before provisioning the managed VNet. If you don't disable public network access when provisioning the managed VNet, the private endpoints for the managed endpoint may not be created successfully.
+
+# [Azure CLI](#tab/azure-cli)
+
+The following example shows how to provision a managed VNet.
+
+> [!TIP]
+> If you plan to submit serverless spark jobs, add the `--include-spark` parameter.
+
+```azurecli
+az ml workspace provision-network -g my_resource_group -n my_workspace_name
+```
+
+# [Python SDK](#tab/python)
+
+The following example shows how to provision a managed VNet:
+
+```python
+# Connect to a workspace named "myworkspace"
+ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace_name="myworkspace")
+
+# whether to provision spark vnet as well
+include_spark = True
+
+provision_network_result = ml_client.workspaces.begin_provision_network(workspace_name=ws_name, include_spark=include_spark).result()
+```
+
+# [Azure portal](#tab/portal)
+
+Use the __Azure CLI__ or __Python SDK__ tabs to learn how to manually provision the managed VNet with serverless spark support.
+
+
+
+## Configure image builds
+
+When the Azure Container Registry for your workspace is behind a virtual network, it can't be used to directly build Docker images. Instead, configure your workspace to use a compute cluster or compute instance to build images.
+
+> [!IMPORTANT]
+> The compute resource used to build Docker images needs to be able to access the package repositories that are used to train and deploy your models. If you're using a network configured to allow only approved outbound, you may need to add [rules that allow access to public repos](#scenario-access-public-machine-learning-packages) or [use private Python packages](concept-vulnerability-management.md#using-a-private-package-repository).
+
+# [Azure CLI](#tab/azure-cli)
+
+To update a workspace to use a compute cluster or compute instance to build Docker images, use the `az ml workspace update` command with the `--image-build-compute` parameter:
+
+```azurecli
+az ml workspace update --name ws --resource-group rg --image-build-compute mycompute
+```
+
+# [Python SDK](#tab/python)
+
+The following example demonstrates how to update a workspace to use a compute cluster to build images:
+
+```python
+# import required libraries
+from azure.ai.ml import MLClient
+from azure.identity import DefaultAzureCredential
+
+subscription_id = "<your subscription ID>"
+resource_group = "<your resource group name>"
+workspace = "<your workspace name>"
+
+ml_client = MLClient(
+ DefaultAzureCredential(), subscription_id, resource_group, workspace
+)
+
+# Get workspace info
+ws=ml_client.workspaces.get(name=workspace)
+# Update to use cpu-cluster for image builds
+ws.image_build_compute="mycompute"
+ml_client.workspaces.begin_update(ws)
+# To switch back to using ACR to build (if ACR is not in the virtual network):
+# ws.image_build_compute = ''
+# ml_client.workspaces.begin_update(ws)
+```
+
+# [Azure portal](#tab/portal)
+
+Currently there isn't a way to set the image build compute from the Azure portal. Use the __Azure CLI__ or __Python SDK__ tabs to learn how to manually configure image builds.
+++ ## Manage outbound rules # [Azure CLI](#tab/azure-cli)
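Review bot: In the Python SDK tab of the new "Manually provision a managed VNet" section, `begin_provision_network(workspace_name=ws_name, include_spark=include_spark)` uses `ws_name`, which the snippet never defines; the client above it is built with the literal `workspace_name="myworkspace"`. Define `ws_name` once and use it in both places. The snippet also uses `MLClient`, `DefaultAzureCredential`, `subscription_id` and `resource_group` without the imports and placeholder assignments that the "Configure image builds" example in this same hunk includes, so copy that preamble to make the example runnable as shown.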
ml_client._workspace_outbound_rules.begin_remove(resource_group, ws_name, rule_n
# [Azure portal](#tab/portal)
-1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace that you want to enable managed virtual network isolation for.
+1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure Machine Learning workspace that you want to enable managed VNet isolation for.
1. Select __Networking__. The __Workspace Outbound access__ section allows you to manage outbound rules. :::image type="content" source="./media/how-to-managed-network/manage-outbound-rules.png" alt-text="Screenshot of the outbound rules section." lightbox="./media/how-to-managed-network/manage-outbound-rules.png":::
ml_client._workspace_outbound_rules.begin_remove(resource_group, ws_name, rule_n
> These rules are automatically added to the managed VNet. __Private endpoints__:
-* When the isolation mode for the managed network is `Allow internet outbound`, private endpoint outbound rules are automatically created as required rules from the managed network for the workspace and associated resources __with public network access disabled__ (Key Vault, Storage Account, Container Registry, Azure Machine Learning workspace).
-* When the isolation mode for the managed network is `Allow only approved outbound`, private endpoint outbound rules are automatically created as required rules from the managed network for the workspace and associated resources __regardless of public network access mode for those resources__ (Key Vault, Storage Account, Container Registry, Azure Machine Learning workspace).
+* When the isolation mode for the managed VNet is `Allow internet outbound`, private endpoint outbound rules are automatically created as required rules from the managed VNet for the workspace and associated resources __with public network access disabled__ (Key Vault, Storage Account, Container Registry, Azure Machine Learning workspace).
+* When the isolation mode for the managed VNet is `Allow only approved outbound`, private endpoint outbound rules are automatically created as required rules from the managed VNet for the workspace and associated resources __regardless of public network access mode for those resources__ (Key Vault, Storage Account, Container Registry, Azure Machine Learning workspace).
__Outbound__ service tag rules:
__Inbound__ service tag rules:
To allow installation of __Python packages for training and deployment__, add outbound _FQDN_ rules to allow traffic to the following host names:
+> [!WARNING]
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing.For more information, see [Pricing](#pricing).
+ [!INCLUDE [recommended outbound](includes/recommended-network-outbound.md)] ### Scenario: Use Visual Studio Code desktop or web with compute instance If you plan to use __Visual Studio Code__ with Azure Machine Learning, add outbound _FQDN_ rules to allow traffic to the following hosts:
+> [!WARNING]
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ * `*.vscode.dev` * `vscode.blob.core.windows.net` * `*.gallerycdn.vsassets.io`
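Review bot: The WARNING added under the Python packages scenario has no space after the period in `billing.For more information`, while the otherwise identical WARNING added under the Visual Studio Code scenario has it. Fix the spacing, and consider moving the text into a single include, as is already done for the recommended outbound list, so the two copies can't drift apart.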
When you create a private endpoint, you provide the _resource type_ and _subreso
When you create a private endpoint for Azure Machine Learning dependency resources, such as Azure Storage, Azure Container Registry, and Azure Key Vault, the resource can be in a different Azure subscription. However, the resource must be in the same tenant as the Azure Machine Learning workspace. > [!IMPORTANT]
-> When configuring private endpoints for an Azure Machine Learning managed virtual network, the private endpoints are only created when created when the first _compute is created_ or when managed network provisioning is forced. For more information on forcing the managed network provisioning, see [Configure for serverless spark jobs](#configure-for-serverless-spark-jobs).
+> When configuring private endpoints for an Azure Machine Learning managed VNet, the private endpoints are only created when created when the first _compute is created_ or when managed VNet provisioning is forced. For more information on forcing the managed VNet provisioning, see [Configure for serverless spark jobs](#manually-provision-a-managed-vnet).
## Pricing
-The Azure Machine Learning managed virtual network feature is free. However, you're charged for the following resources that are used by the managed virtual network:
+The Azure Machine Learning managed VNet feature is free. However, you're charged for the following resources that are used by the managed VNet:
-* Azure Private Link - Private endpoints used to secure communications between the managed virtual network and Azure resources relies on Azure Private Link. For more information on pricing, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
+* Azure Private Link - Private endpoints used to secure communications between the managed VNet and Azure resources relies on Azure Private Link. For more information on pricing, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
* FQDN outbound rules - FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. > [!IMPORTANT]
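Review bot: In the IMPORTANT note on private endpoints, the link target changes to `#manually-provision-a-managed-vnet` but the link text still reads "Configure for serverless spark jobs", so the label no longer names the section it opens. Rename the link text to match the new heading, and drop the duplicated words in "are only created when created when the first" while the sentence is being edited.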
The Azure Machine Learning managed virtual network feature is free. However, you
## Limitations
-* Once you enable managed virtual network isolation of your workspace, you can't disable it.
-* Managed virtual network uses private endpoint connection to access your private resources. You can't have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios.
-* The managed network is deleted when the workspace is deleted.
+* Once you enable managed VNet isolation of your workspace, you can't disable it.
+* Managed VNet uses private endpoint connection to access your private resources. You can't have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios.
+* The managed VNet is deleted when the workspace is deleted.
* Data exfiltration protection is automatically enabled for the only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can't guarantee that you're protected from data exfiltration to those outbound destinations.
-* Creating a compute cluster in a different region than the workspace isn't supported when using a managed virtual network.
+* Creating a compute cluster in a different region than the workspace isn't supported when using a managed VNet.
+* Kubernetes and attached VMs aren't supported in an Azure Machine Learning managed VNet.
### Migration of compute resources
-If you have an existing workspace and want to enable managed virtual network for it, there's currently no supported migration path for existing manged compute resources. You'll need to delete all existing managed compute resources and recreate them after enabling the managed virtual network. The following list contains the compute resources that must be deleted and recreated:
+If you have an existing workspace and want to enable managed VNet for it, there's currently no supported migration path for existing manged compute resources. You'll need to delete all existing managed compute resources and recreate them after enabling the managed VNet. The following list contains the compute resources that must be deleted and recreated:
* Compute cluster * Compute instance
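Review bot: The rewritten migration paragraph keeps the misspelling "manged compute resources". Correct it to "managed" since the line is already being changed.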
If you have an existing workspace and want to enable managed virtual network for
## Next steps
-* [Troubleshoot managed virtual network](how-to-troubleshoot-managed-network.md)
-* [Configure managed computes in a managed virtual network](how-to-managed-network-compute.md)
+* [Troubleshoot managed VNet](how-to-troubleshoot-managed-network.md)
+* [Configure managed computes in a managed VNet](how-to-managed-network-compute.md)
machine-learning How To Network Isolation Planning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-network-isolation-planning.md
In this article, you learn how to plan your network isolation for Azure Machine
## Recommended architecture (Managed Network Isolation pattern)
-[Using a Managed virtual network](how-to-managed-network.md) (preview) provides an easier configuration for network isolation. It automatically secures your workspace and managed compute resources in a managed virtual network. You can add private endpoint connections for other Azure services that the workspace relies on, such as Azure Storage Accounts. Depending on your needs, you can allow all outbound traffic to the public network or allow only the outbound traffic you approve. Outbound traffic required by the Azure Machine Learning service is automatically enabled for the managed virtual network. We recommend using workspace managed network isolation for a built-in friction less network isolation method. We have two patterns: allow internet outbound mode or allow only approved outbound mode.
+[Using a Managed virtual network](how-to-managed-network.md) provides an easier configuration for network isolation. It automatically secures your workspace and managed compute resources in a managed virtual network. You can add private endpoint connections for other Azure services that the workspace relies on, such as Azure Storage Accounts. Depending on your needs, you can allow all outbound traffic to the public network or allow only the outbound traffic you approve. Outbound traffic required by the Azure Machine Learning service is automatically enabled for the managed virtual network. We recommend using workspace managed network isolation for a built-in friction less network isolation method. We have two patterns: allow internet outbound mode or allow only approved outbound mode.
### Allow internet outbound mode
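Review bot: The recommended architecture paragraph drops "(preview)" but keeps "friction less", which should be "frictionless". The paragraph and its heading also still say "managed virtual network" and "Managed Network Isolation", while the how-to article changed in this same update is renamed to "managed VNet" throughout; pick one term across both articles.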
Azure Machine Learning uses a private endpoint to secure inbound communication t
#### Outbound communication -
-To secure outbound communication from a deployment to resources, Azure Machine Learning uses a workspace managed virtual network (preview). The deployment needs to be created in the workspace managed VNet so that it can use the private endpoints of the workspace managed virtual network for outbound communication.
+To secure outbound communication from a deployment to resources, Azure Machine Learning uses a workspace managed virtual network. The deployment needs to be created in the workspace managed VNet so that it can use the private endpoints of the workspace managed virtual network for outbound communication.
The following architecture diagram shows how communications flow through private endpoints to the managed online endpoint. Incoming scoring requests from a client's virtual network flow through the workspace's private endpoint to the managed online endpoint. Outbound communication from deployments to services is handled through private endpoints from the workspace's managed virtual network to those service instances.
machine-learning How To Submit Spark Jobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-submit-spark-jobs.md
These prerequisites cover the submission of a Spark job from Azure Machine Learn
> - To ensure successful execution of the Spark job, assign the **Contributor** and **Storage Blob Data Contributor** roles, on the Azure storage account used for data input and output, to the identity that the Spark job uses > - Public Network Access should be enabled in Azure Synapse workspace to ensure successful execution of the Spark job using an [attached Synapse Spark pool](./how-to-manage-synapse-spark-pool.md). > - If an [attached Synapse Spark pool](./how-to-manage-synapse-spark-pool.md) points to a Synapse Spark pool, in an Azure Synapse workspace that has a managed virtual network associated with it, [a managed private endpoint to storage account should be configured](../synapse-analytics/security/connect-to-a-secure-storage-account.md) to ensure data access.
-> - Serverless Spark compute supports Azure Machine Learning managed virtual network (preview). If a [managed network is provisioned for the serverless Spark compute, the corresponding private endpoints for the storage account should also be provisioned](./how-to-managed-network.md#configure-for-serverless-spark-jobs) to ensure data access.
+> - Serverless Spark compute supports Azure Machine Learning managed virtual network. If a [managed network is provisioned for the serverless Spark compute, the corresponding private endpoints for the storage account should also be provisioned](./how-to-managed-network.md#configure-for-serverless-spark-jobs) to ensure data access.
## Submit a standalone Spark job A Python script developed by [interactive data wrangling](./interactive-data-wrangling-with-apache-spark-azure-ml.md) can be used to submit a batch job to process a larger volume of data, after making necessary changes for Python script parameterization. A simple data wrangling batch job can be submitted as a standalone Spark job.
machine-learning How To Troubleshoot Online Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-troubleshoot-online-endpoints.md
Generally, issues with MLflow deployment stem from issues with the installation
To debug conda installation problems, try the following steps:
-1. Check the logs for conda installation. If the container crashed or taking too long to start up, it is likely that conda environment update has failed to resolve correctly.
+1. Check the logs for conda installation. If the container crashed or taking too long to start up, it's likely that conda environment update has failed to resolve correctly.
1. Install the mlflow conda file locally with the command `conda env create -n userenv -f <CONDA_ENV_FILENAME>`.
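Review bot: Step 1 changes only "it is" to "it's" and leaves "If the container crashed or taking too long to start up" ungrammatical. Suggest "If the container crashed or is taking too long to start up".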
There are two supported tracing headers:
## Common deployment errors
-This is a list of common deployment errors that are reported as part of the deployment operation status.
+The following list is of common deployment errors that are reported as part of the deployment operation status:
* [ImageBuildFailure](#error-imagebuildfailure) * [OutOfQuota](#error-outofquota)
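Review bot: The new lead-in "The following list is of common deployment errors" reads awkwardly, and the same "list is of" wording is introduced for the two quota lists further down. The image build lead-in in this change uses "The following list contains common image build failure scenarios"; use the "contains" form in all four places.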
This is a list of common deployment errors that are reported as part of the depl
* [ResourceNotFound](#error-resourcenotfound) * [OperationCanceled](#error-operationcanceled)
-If you are creating or updating a Kubernetes online deployment, you can see [Common errors specific to Kubernetes deployments](#common-errors-specific-to-kubernetes-deployments).
+If you're creating or updating a Kubernetes online deployment, you can see [Common errors specific to Kubernetes deployments](#common-errors-specific-to-kubernetes-deployments).
### ERROR: ImageBuildFailure This error is returned when the environment (docker image) is being built. You can check the build log for more information on the failure(s). The build log is located in the default storage for your Azure Machine Learning workspace. The exact location may be returned as part of the error. For example, `"the build log under the storage account '[storage-account-name]' in the container '[container-name]' at the path '[path-to-the-log]'"`.
-This is a list of common image build failure scenarios:
+The following list contains common image build failure scenarios:
* [Azure Container Registry (ACR) authorization failure](#container-registry-authorization-failure) * [Image build compute not set in a private workspace with VNet](#image-build-compute-not-set-in-a-private-workspace-with-vnet) * [Generic or unknown failure](#generic-image-build-failure)
-We also recommend reviewing the default [probe settings](reference-yaml-deployment-managed-online.md#probesettings) in case of ImageBuild timeouts.
+We also recommend reviewing the default [probe settings](reference-yaml-deployment-managed-online.md#probesettings) if you have ImageBuild timeouts.
#### Container registry authorization failure
-If the error message mentions `"container registry authorization failure"` that means you cannot access the container registry with the current credentials.
+If the error message mentions `"container registry authorization failure"` that means you can't access the container registry with the current credentials.
The desynchronization of a workspace resource's keys can cause this error and it takes some time to automatically synchronize. However, you can [manually call for a synchronization of keys](/cli/azure/ml/workspace#az-ml-workspace-sync-keys), which may resolve the authorization failure.
Container registries that are behind a virtual network may also encounter this e
#### Image build compute not set in a private workspace with VNet
-If the error message mentions `"failed to communicate with the workspace's container registry"` and you're using virtual networks and the the workspace's Azure Container Registry is private and configured with a private endpoint, you will need to [enable Azure Container Registry](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr) to allow building images in the virtual network.
+If the error message mentions `"failed to communicate with the workspace's container registry"` and you're using virtual networks and the workspace's Azure Container Registry is private and configured with a private endpoint, you need to [enable Azure Container Registry](how-to-managed-network.md#configure-image-builds) to allow building images in the virtual network.
#### Generic image build failure
-As stated above, you can check the build log for more information on the failure.
+As stated previously, you can check the build log for more information on the failure.
If no obvious error is found in the build log and the last line is `Installing pip dependencies: ...working...`, then a dependency may cause the error. Pinning version dependencies in your conda file can fix this problem. We also recommend [deploying locally](#deploy-locally) to test and debug your models locally before deploying to the cloud. ### ERROR: OutOfQuota
-This is a list of common resources that might run out of quota when using Azure
+The following list is of common resources that might run out of quota when using Azure
* [CPU](#cpu-quota) * [Cluster](#cluster-quota)
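Review bot: In the "Image build compute not set in a private workspace with VNet" paragraph, the link target moves from `how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr` to `how-to-managed-network.md#configure-image-builds`, but the link text still says "enable Azure Container Registry" and the paragraph still speaks of virtual networks in general. Reword the link to say that an image build compute must be set, and confirm that readers who run the workspace in their own virtual network rather than a managed VNet are still sent to guidance that applies to them.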
This is a list of common resources that might run out of quota when using Azure
* [Region-wide VM capacity](#region-wide-vm-capacity) * [Other](#other-quota)
-Additionally, this is a list of common resources that might run out of quota only for Kubernetes online endpoint:
+Additionally, the following list is of common resources that might run out of quota only for Kubernetes online endpoint:
* [Kubernetes](#kubernetes-quota)
A possible mitigation is to check if there are unused deployments that you can d
#### Cluster quota
-This issue will occur when you do not have enough Azure ML Compute cluster quota. This quota defines the total number of clusters that may be in use at one time per subscription to deploy CPU or GPU nodes in Azure Cloud.
+This issue occurs when you don't have enough Azure ML Compute cluster quota. This quota defines the total number of clusters that may be in use at one time per subscription to deploy CPU or GPU nodes in Azure Cloud.
A possible mitigation is to check if there are unused deployments that you can delete. Or you can submit a [request for a quota increase](how-to-manage-quotas.md#request-quota-increases). Make sure to select `Machine Learning Service: Cluster Quota` as the quota type for this quota increase request. #### Disk quota
-This issue happens when the size of the model is larger than the available disk space and the model is not able to be downloaded. Try a [SKU](reference-managed-online-endpoints-vm-sku-list.md) with more disk space or reducing the image and model size.
+This issue happens when the size of the model is larger than the available disk space and the model isn't able to be downloaded. Try a [SKU](reference-managed-online-endpoints-vm-sku-list.md) with more disk space or reducing the image and model size.
#### Memory quota This issue happens when the memory footprint of the model is larger than the available memory. Try a [SKU](reference-managed-online-endpoints-vm-sku-list.md) with more memory. #### Role assignment quota
-When you are creating a managed online endpoint, role assignment is required for the [managed identity](../active-directory/managed-identities-azure-resources/overview.md) to access workspace resources. If you've reached the [role assignment limit](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits), try to delete some unused role assignments in this subscription. You can check all role assignments in the Azure portal by navigating to the Access Control menu.
+When you're creating a managed online endpoint, role assignment is required for the [managed identity](../active-directory/managed-identities-azure-resources/overview.md) to access workspace resources. If you've reached the [role assignment limit](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits), try to delete some unused role assignments in this subscription. You can check all role assignments in the Azure portal by navigating to the Access Control menu.
#### Endpoint quota Try to delete some unused endpoints in this subscription. If all of your endpoints are actively in use, you can try [requesting an endpoint quota increase](how-to-manage-quotas.md#endpoint-quota-increases).
-For Kubernetes online endpoints, there is the endpoint quota boundary at the cluster level as well, you can check the [Kubernetes online endpoint quota](how-to-manage-quotas.md#azure-machine-learning-kubernetes-online-endpoints) section for more details.
+For Kubernetes online endpoints, there's the endpoint quota boundary at the cluster level as well, you can check the [Kubernetes online endpoint quota](how-to-manage-quotas.md#azure-machine-learning-kubernetes-online-endpoints) section for more details.
#### Kubernetes quota This issue happens when the requested CPU or memory couldn't be satisfied due to all nodes are unschedulable for this deployment, such as nodes are cordoned or nodes are unavailable.
-The error message will typically indicate the resource insufficient in cluster, for example, `OutOfQuota: Kubernetes unschedulable. Details:0/1 nodes are available: 1 Too many pods...`, which means that there are too many pods in the cluster and not enough resources to deploy the new model based on your request.
+The error message typically indicates the resource insufficient in cluster, for example, `OutOfQuota: Kubernetes unschedulable. Details:0/1 nodes are available: 1 Too many pods...`, which means that there are too many pods in the cluster and not enough resources to deploy the new model based on your request.
You can try the following mitigation to address this issue: * For IT ops who maintain the Kubernetes cluster, you can try to add more nodes or clear some unused pods in the cluster to release some resources.
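Review bot: In the Kubernetes quota paragraph the added line still says "indicates the resource insufficient in cluster", which the tense change did not repair. Suggest "typically indicates which resource is insufficient in the cluster". The endpoint quota line has a similar leftover: "at the cluster level as well, you can check" is a comma splice and should become two sentences.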
Due to a lack of Azure Machine Learning capacity in the region, the service has
To run the `score.py` provided as part of the deployment, Azure creates a container that includes all the resources that the `score.py` needs, and runs the scoring script on that container.
-If your container could not start, this means scoring could not happen. It might be that the container is requesting more resources than what `instance_type` can support. If so, consider updating the `instance_type` of the online deployment.
+If your container couldn't start, it means scoring couldn't happen. It might be that the container is requesting more resources than what `instance_type` can support. If so, consider updating the `instance_type` of the online deployment.
To get the exact reason for an error, run:
Use the **Endpoints** in the studio:
### ERROR: BadArgument
-This is a list of reasons you might run into this error when using either managed online endpoint or Kubernetes online endpoint:
+The following list is of reasons you might run into this error when using either managed online endpoint or Kubernetes online endpoint:
-* [Subscription does not exist](#subscription-does-not-exist)
+* [Subscription doesn't exist](#subscription-does-not-exist)
* [Startup task failed due to authorization error](#authorization-error) * [Startup task failed due to incorrect role assignments on resource](#authorization-error) * [Invalid template function specification](#invalid-template-function-specification)
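Review bot: The link text changes to "Subscription doesn't exist" while the anchor stays `#subscription-does-not-exist` and the target heading shown further down still reads "Subscription does not exist". Leaving the anchor alone is correct, since changing it would break inbound links, but the list entry no longer matches the heading it points to. Either keep the link text identical to the heading or note in the change description that the mismatch is intentional.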
This is a list of reasons you might run into this error when using either manage
* [Unable to download user model](#unable-to-download-user-model)
-Additionally, this is a list of reasons you might run into this error only when using Kubernetes online endpoint:
+The following list is of reasons you might run into this error only when using Kubernetes online endpoint:
* [Resource request was greater than limits](#resource-requests-greater-than-limits)
-* [azureml-fe for kubernetes online endpoint is not ready](#azureml-fe-not-ready)
+* [azureml-fe for kubernetes online endpoint isn't ready](#azureml-fe-not-ready)
#### Subscription does not exist
-The Azure subscription that is entered must be existing. This error occurs when we cannot find the Azure subscription that was referenced. This is likely due to a typo in the subscription ID. Please double-check that the subscription ID was correctly typed and that it is currently active.
+The Azure subscription that is entered must be existing. This error occurs when we can't find the Azure subscription that was referenced. This error is likely due to a typo in the subscription ID. Double-check that the subscription ID was correctly typed and that it's currently active.
For more information about Azure subscriptions, you can see the [prerequisites section](#prerequisites). #### Authorization error
-After you've provisioned the compute resource (while creating a deployment), Azure tries to pull the user container image from the workspace Azure Container Registry (ACR) and mount the user model and code artifacts into the user container from the workspace storage account.
+After you've provisioned the compute resource (while creating a deployment), Azure tries to pull the user container image from the workspace Azure Container Registry (ACR). It tries to mount the user model and code artifacts into the user container from the workspace storage account.
-To do these, Azure uses [managed identities](../active-directory/managed-identities-azure-resources/overview.md) to access the storage account and the container registry.
+To perform these actions, Azure uses [managed identities](../active-directory/managed-identities-azure-resources/overview.md) to access the storage account and the container registry.
- If you created the associated endpoint with System Assigned Identity, Azure role-based access control (RBAC) permission is automatically granted, and no further permissions are needed.
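Review bot: Splitting the Authorization error sentence leaves "It tries to mount the user model and code artifacts", where "It" is ambiguous and the ordering with the image pull is lost. Suggest "Azure then mounts the user model and code artifacts into the user container from the workspace storage account." In the same hunk, "The Azure subscription that is entered must be existing" was left untouched and would read better as "The Azure subscription that you enter must exist."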
For more information, please see [Container Registry Authorization Error](#conta
#### Invalid template function specification
-This error occurs when a template function has been specified incorrectly. Please either fix the policy or remove the policy assignment to unblock. The error message may include the policy assignment name and the policy definition to help you debug this error, as well as the [Azure policy definition structure article](https://aka.ms/policy-avoiding-template-failures) which discusses tips to avoid template failures.
+This error occurs when a template function has been specified incorrectly. Either fix the policy or remove the policy assignment to unblock. The error message may include the policy assignment name and the policy definition to help you debug this error, and the [Azure policy definition structure article](https://aka.ms/policy-avoiding-template-failures), which discusses tips to avoid template failures.
#### Unable to download user container image
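Review bot: In the added line, "and the [Azure policy definition structure article](...), which discusses tips" now reads as if the article were part of the error message, and the sentence no longer has a clear verb for that clause. Suggest ending the sentence after "to help you debug this error." and adding a separate sentence such as "For tips on avoiding template failures, see the Azure policy definition structure article."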
For example, if image is `testacr.azurecr.io/azureml/azureml_92a029f831ce58d2ed0
#### Unable to download user model
-It is possible that the user's model can't be found. Check [container logs](#get-container-logs) to get more details.
+It's possible that the user's model can't be found. Check [container logs](#get-container-logs) to get more details.
Make sure whether you have registered the model to the same workspace as the deployment. To show details for a model in a workspace:
Requests for resources must be less than or equal to limits. If you don't set li
#### azureml-fe not ready The front-end component (azureml-fe) that routes incoming inference requests to deployed services automatically scales as needed. It's installed during your k8s-extension installation.
-This component should be healthy on cluster, at least one healthy replica. You will get this error message if it's not available when you trigger kubernetes online endpoint and deployment creation/update request.
+This component should be healthy on cluster, at least one healthy replica. You receive this error message if it's not available when you trigger kubernetes online endpoint and deployment creation/update request.
-Please check the pod status and logs to fix this issue, you can also try to update the k8s-extension installed on the cluster.
+Check the pod status and logs to fix this issue, you can also try to update the k8s-extension installed on the cluster.
### ERROR: ResourceNotReady
To run the `score.py` provided as part of the deployment, Azure creates a contai
- A failure in the `init()` method. - If `get-logs` isn't producing any logs, it usually means that the container has failed to start. To debug this issue, try [deploying locally](#deploy-locally) instead. - Readiness or liveness probes aren't set up correctly.-- Container initialization is taking too long so that readiness or liveness probe fails beyond failure threshold. In this case, adjust [probe settings](reference-yaml-deployment-managed-online.md#probesettings) to allow longer time to initialize the container, or try a bigger VM SKU among [supported VM SKUs](reference-managed-online-endpoints-vm-sku-list.md) which will accelerate the initialization.
+- Container initialization is taking too long so that readiness or liveness probe fails beyond failure threshold. In this case, adjust [probe settings](reference-yaml-deployment-managed-online.md#probesettings) to allow longer time to initialize the container. Or try a bigger VM SKU among [supported VM SKUs](reference-managed-online-endpoints-vm-sku-list.md), which accelerates the initialization.
- There's an error in the environment set up of the container, such as a missing dependency.-- When you face `TypeError: register() takes 3 positional arguments but 4 were given` error, the error may be caused by the dependency between flask v2 and `azureml-inference-server-http`. See [FAQs for inference HTTP server](how-to-inference-server-http.md#1-i-encountered-the-following-error-during-server-startup) for more details.
+- When you receive the `TypeError: register() takes 3 positional arguments but 4 were given` error, check the dependency between flask v2 and `azureml-inference-server-http`. For more information, see [FAQs for inference HTTP server](how-to-inference-server-http.md#1-i-encountered-the-following-error-during-server-startup).
### ERROR: ResourceNotFound
-This is a list of reasons you might run into this error only when using either managed online endpoint or Kubernetes online endpoint:
+The following list is of reasons you might run into this error only when using either managed online endpoint or Kubernetes online endpoint:
-* [Azure Resource Manager cannot find a required resource](#resource-manager-cannot-find-a-resource)
+* [Azure Resource Manager can't find a required resource](#resource-manager-cannot-find-a-resource)
* [Azure Container Registry is private or otherwise inaccessible](#container-registry-authorization-error) #### Resource Manager cannot find a resource
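Review bot: The `TypeError: register() takes 3 positional arguments but 4 were given` bullet drops the statement that the error "may be caused by" the dependency between flask v2 and `azureml-inference-server-http` and now only says "check the dependency", so the reader no longer learns why. Suggest keeping the cause, for example "the error might be caused by the dependency between flask v2 and `azureml-inference-server-http`", followed by the FAQ link. The preceding bullet also now contains a fragment starting with "Or try a bigger VM SKU".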
For more information, see [Resolve Resource Not Found Errors](../azure-resource-
#### Container registry authorization error This error occurs when an image belonging to a private or otherwise inaccessible container registry was supplied for deployment.
-At this time, our APIs cannot accept private registry credentials.
+At this time, our APIs can't accept private registry credentials.
To mitigate this error, either ensure that the container registry is **not private** or follow the following steps: 1. Grant your private registry's `acrPull` role to the system identity of your online endpoint.
-1. In your environment definition, specify the address of your private image as well as the additional instruction to not modify (build) the image.
+1. In your environment definition, specify the address of your private image and the instruction to not modify (build) the image.
-If the mitigation is successful, the image will not require any building and the final image address will simply be the given image address.
-At deployment time, your online endpoint's system identity will pull the image from the private registry.
+If the mitigation is successful, the image doesn't require building, and the final image address is the given image address.
+At deployment time, your online endpoint's system identity pulls the image from the private registry.
For more diagnostic information, see [How To Use the Workspace Diagnostic API](../machine-learning/how-to-workspace-diagnostic-api.md). ### ERROR: OperationCanceled
-This is a list of reasons you might run into this error when using either managed online endpoint or Kubernetes online endpoint:
+The following list is of reasons you might run into this error when using either managed online endpoint or Kubernetes online endpoint:
* [Operation was canceled by another operation that has a higher priority](#operation-canceled-by-another-higher-priority-operation) * [Operation was canceled due to a previous operation waiting for lock confirmation](#operation-canceled-waiting-for-lock-confirmation) #### Operation canceled by another higher priority operation
-Azure operations have a certain priority level and are executed from highest to lowest. This error happens when your operation happened to be overridden by another operation that has a higher priority.
+Azure operations have a certain priority level and are executed from highest to lowest. This error happens when your operation was overridden by another operation that has a higher priority.
Retrying the operation might allow it to be performed without cancellation. #### Operation canceled waiting for lock confirmation
-Azure operations have a brief waiting period after being submitted during which they retrieve a lock to ensure that we don't run into race conditions. This error happens when the operation you submitted is the same as another operation that is currently still waiting for confirmation that it has received the lock to proceed. It may indicate that you've submitted a very similar request too soon after the initial request.
+Azure operations have a brief waiting period after being submitted during which they retrieve a lock to ensure that we don't run into race conditions. This error happens when the operation you submitted is the same as another operation. And the other operation is currently waiting for confirmation that it has received the lock to proceed. It may indicate that you've submitted a similar request too soon after the initial request.
Retrying the operation after waiting several seconds up to a minute may allow it to be performed without cancellation.
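Review bot: The split in the lock confirmation paragraph changes the meaning: "This error happens when the operation you submitted is the same as another operation." now states the condition without the part that matters, and the follow-on sentence starts with "And". Suggest keeping one sentence, for example "This error happens when the operation you submitted is the same as another operation that is still waiting for confirmation that it has received the lock." Separately, the unchanged lead-in in the container registry section still offers making the registry "**not private**" as the first mitigation. Since the steps that follow grant `acrPull` to the endpoint's system identity, consider presenting that path first so readers do not open a registry just to clear the error.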
Others:
### ERROR: ACRSecretError
-This is a list of reasons you might run into this error when creating/updating the Kubernetes online deployments:
+The following list is of reasons you might run into this error when creating/updating the Kubernetes online deployments:
-* Role assignment has not yet been completed. In this case, please wait for a few seconds and try again later.
-* The Azure ARC (For Azure Arc Kubernetes cluster) or Azure Machine Learning extension (For AKS) is not properly installed or configured. Please try to check the Azure ARC or Azure Machine Learning extension configuration and status.
-* The Kubernetes cluster has improper network configuration, please check the proxy, network policy or certificate.
- * If you are using a private AKS cluster, it is necessary to set up private endpoints for ACR, storage account, workspace in the AKS vnet.
+* Role assignment hasn't yet been completed. In this case, wait for a few seconds and try again later.
+* The Azure ARC (For Azure Arc Kubernetes cluster) or Azure Machine Learning extension (For AKS) isn't properly installed or configured. Try to check the Azure ARC or Azure Machine Learning extension configuration and status.
+* The Kubernetes cluster has improper network configuration, check the proxy, network policy or certificate.
+ * If you're using a private AKS cluster, it's necessary to set up private endpoints for ACR, storage account, workspace in the AKS vnet.
* Make sure your Azure machine learning extension version is greater than v1.1.25. ### ERROR: TokenRefreshFailed
-This is because extension cannot get principal credential from Azure because the Kubernetes cluster identity is not set properly, please re-install the [Azure Machine Learning extension](../machine-learning/how-to-deploy-kubernetes-extension.md) and try again.
+ This error is because extension can't get principal credential from Azure because the Kubernetes cluster identity isn't set properly. Reinstall the [Azure Machine Learning extension](../machine-learning/how-to-deploy-kubernetes-extension.md) and try again.
### ERROR: GetAADTokenFailed
-This is because the Kubernetes cluster request AAD token failed or timeout, please check your network accessibility then try again.
+This error is because the Kubernetes cluster request AAD token failed or timed out, check your network accessibility then try again.
* You can follow the [Configure required network traffic](../machine-learning/how-to-access-azureml-behind-firewall.md#scenario-use-kubernetes-compute) to check the outbound proxy, make sure the cluster can connect to workspace. * The workspace endpoint url can be found in online endpoint CRD in cluster.
-If your workspace is a private workspace which disabled public network access, the Kubernetes cluster should only communicate with that private workspace through the private link.
+If your workspace is a private workspace, which disabled public network access, the Kubernetes cluster should only communicate with that private workspace through the private link.
-* You can check if the workspace access allows public access, no matter if an AKS cluster itself is public or private, it cannot access the private workspace.
+* You can check if the workspace access allows public access, no matter if an AKS cluster itself is public or private, it can't access the private workspace.
* More information you can refer to [Secure Azure Kubernetes Service inferencing environment](../machine-learning/how-to-secure-kubernetes-inferencing-environment.md#what-is-a-secure-aks-inferencing-environment) ### ERROR: ACRAuthenticationChallengeFailed
-This is because the Kubernetes cluster cannot reach ACR service of the workspace to do authentication challenge. Please check your network, especially the ACR public network access, then try again.
+This error is because the Kubernetes cluster can't reach ACR service of the workspace to do authentication challenge. Check your network, especially the ACR public network access, then try again.
You can follow the troubleshooting steps in [GetAADTokenFailed](#error-getaadtokenfailed) to check the network. ### ERROR: ACRTokenExchangeFailed
-This is because the Kubernetes cluster exchange ACR token failed because AAD token is unauthorized yet, since the role assignment takes some time, so you can wait a moment then try again.
+This error is because the Kubernetes cluster exchange ACR token failed because AAD token is unauthorized yet. Since the role assignment takes some time, so you can wait a moment then try again.
This failure may also be due to too many requests to the ACR service at that time, it should be a transient error, you can try again later.
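Review bot: In ACRTokenExchangeFailed the new second sentence reads "Since the role assignment takes some time, so you can wait a moment", which doubles the conjunction. Drop "so", and replace "is unauthorized yet" with "isn't authorized yet". In the same hunk, the TokenRefreshFailed line is added with a leading space and chains "because ... because", and the GetAADTokenFailed line joins two sentences with a comma at "timed out, check your network". Removing "please" exposed these splices, so each needs a full stop.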
You might get the following error during the Kubernetes model deployments:
To mitigate this error, you can:
-* Rotate AKS certificate for the cluster. More gudiance you can refer to [Certificate Rotation in Azure Kubernetes Service (AKS)](../aks/certificate-rotation.md).
+* Rotate AKS certificate for the cluster. For more information, see [Certificate Rotation in Azure Kubernetes Service (AKS)](../aks/certificate-rotation.md).
* The new certificate should be updated to after 5 hours, so you can wait for 5 hours and redeploy it.
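Review bot: The bullet directly under the edited line, "The new certificate should be updated to after 5 hours", is left as is and does not parse. Since this list is being touched anyway, reword it in the same change, for example "The new certificate takes effect after 5 hours, so wait 5 hours and then redeploy."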
To mitigate this error, first you can check the deployment logs for any exceptio
### ERROR: KubernetesCrashLoopBackOff
-This is a list of reasons you might run into this error when creating/updating the Kubernetes online endpoints/deployments:
+The following list is of reasons you might run into this error when creating/updating the Kubernetes online endpoints/deployments:
* One or more pod(s) stuck in CrashLoopBackoff status, you can check if the deployment log exists, and check if there are error messages in the log.
-* There is an error in `score.py` and the container crashed when init your score code, you can follow [ERROR: ResourceNotReady](#error-resourcenotready) part.
+* There's an error in `score.py` and the container crashed when init your score code, you can follow [ERROR: ResourceNotReady](#error-resourcenotready) part.
* Your scoring process needs more memory that your deployment config limit is insufficient, you can try to update the deployment with a larger memory limit. ### ERROR: NamespaceNotFound The reason you might run into this error when creating/updating the Kubernetes online endpoints is because the namespace your Kubernetes compute used is unavailable in your cluster.
-You can check the Kubernetes compute in your workspace portal and check the namespace in your Kubernetes cluster. If the namespace is not available, you can detach the legacy compute and reattach to create a new one, specifying a namespace that already exists in your cluster.
+You can check the Kubernetes compute in your workspace portal and check the namespace in your Kubernetes cluster. If the namespace isn't available, you can detach the legacy compute and reattach to create a new one, specifying a namespace that already exists in your cluster.
### ERROR: UserScriptInitFailed
You can check the deployment logs to see the exception message in detail and fix
### ERROR: UserScriptFunctionNotFound
-The reason you might run into this error when creating/updating the Kubernetes online deployments is because the `score.py` file you uploaded does not have a function named `init()` or `run()`. You can check your code and add the function.
+The reason you might run into this error when creating/updating the Kubernetes online deployments is because the `score.py` file you uploaded doesn't have a function named `init()` or `run()`. You can check your code and add the function.
### ERROR: EndpointNotFound
The endpoint name should be unique per workspace and per cluster, so in this cas
### ERROR: ScoringFeUnhealthy
-The reason you might run into this error when creating/updating a Kubernetes online endpoint/deployment is because the [Azureml-fe](how-to-kubernetes-inference-routing-azureml-fe.md) that is the system service running in the cluster is not found or unhealthy.
+The reason you might run into this error when creating/updating a Kubernetes online endpoint/deployment is because the [Azureml-fe](how-to-kubernetes-inference-routing-azureml-fe.md) that is the system service running in the cluster isn't found or unhealthy.
To trouble shoot this issue, you can reinstall or update the Azure Machine Learning extension in your cluster.
In this case, you can check the error message.
### ERROR: PodUnschedulable
-This is a list of reasons you might run into this error when creating/updating the Kubernetes online endpoints/deployments:
+The following list is of reasons you might run into this error when creating/updating the Kubernetes online endpoints/deployments:
+ * Unable to schedule pod to nodes, due to insufficient resources in your cluster. * No node match node affinity/selector.
The reason you might run into this error when you creating/updating online deplo
### ERROR: InferencingClientCallFailed
-The reason you might run into this error when creating/updating Kubernetes online endpoints/deployments is because the k8s-extension of the Kubernetes cluster is not connectable.
+The reason you might run into this error when creating/updating Kubernetes online endpoints/deployments is because the k8s-extension of the Kubernetes cluster isn't connectable.
In this case, you can detach and then **re-attach** your compute.
In this case, you can detach and then **re-attach** your compute.
> > To troubleshoot errors by reattaching, please guarantee to reattach with the exact same configuration as previously detached compute, such as the same compute name and namespace, otherwise you may encounter other errors.
-If it is still not working, you can ask the administrator who can access the cluster to use `kubectl get po -n azureml` to check whether the *relay server* pods are running.
+If it's still not working, you can ask the administrator who can access the cluster to use `kubectl get po -n azureml` to check whether the *relay server* pods are running.
## Autoscaling issues If you're having trouble with autoscaling, see [Troubleshooting Azure autoscale](../azure-monitor/autoscale/autoscale-troubleshoot.md).
-For Kubernetes online endpoint, there is **Azure Machine Learning inference router** which is a front-end component to handle autoscaling for all model deployments on the Kubernetes cluster, you can find more information in [Autoscaling of Kubernetes inference routing](how-to-kubernetes-inference-routing-azureml-fe.md#autoscaling)
+For Kubernetes online endpoint, there's **Azure Machine Learning inference router** which is a front-end component to handle autoscaling for all model deployments on the Kubernetes cluster, you can find more information in [Autoscaling of Kubernetes inference routing](how-to-kubernetes-inference-routing-azureml-fe.md#autoscaling)
## Common model consumption errors
-This is a list of common model consumption errors resulting from the endpoint `invoke` operation status.
+The following list is of common model consumption errors resulting from the endpoint `invoke` operation status.
* [Bandwidth limit issues](#bandwidth-limit-issues) * [HTTP status codes](#http-status-codes)
This is a list of common model consumption errors resulting from the endpoint `i
### Bandwidth limit issues
-Managed online endpoints have bandwidth limits for each endpoint. You find the limit configuration in [Manage and increase quotas for resources with Azure Machine Learning](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints). If your bandwidth usage exceeds the limit, your request will be delayed. To monitor the bandwidth delay:
+Managed online endpoints have bandwidth limits for each endpoint. You find the limit configuration in [Manage and increase quotas for resources with Azure Machine Learning](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints). If your bandwidth usage exceeds the limit, your request is delayed. To monitor the bandwidth delay:
- Use metric "Network bytes" to understand the current bandwidth usage. For more information, see [Monitor managed online endpoints](how-to-monitor-online-endpoints.md).-- There are two response trailers will be returned if the bandwidth limit enforced:
+- There are two response trailers returned if the bandwidth limit enforced:
- `ms-azureml-bandwidth-request-delay-ms`: delay time in milliseconds it took for the request stream transfer. - `ms-azureml-bandwidth-response-delay-ms`: delay time in milliseconds it took for the response stream transfer.
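Review bot: The added bullet "There are two response trailers returned if the bandwidth limit enforced:" is still missing a verb after "limit". Suggest "Two response trailers are returned if the bandwidth limit is enforced:". Readers use these trailer names to confirm throttling, so the sentence introducing them should be unambiguous.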
Managed online endpoints have bandwidth limits for each endpoint. You find the l
When you access online endpoints with REST requests, the returned status codes adhere to the standards for [HTTP status codes](https://aka.ms/http-status-codes). These are details about how endpoint invocation and prediction errors map to HTTP status codes. #### Common error codes for managed online endpoints
-These are common error codes when consuming managed online endpoints with REST requests:
+
+The following table contains common error codes when consuming managed online endpoints with REST requests:
| Status code | Reason phrase | Why this code might get returned | | -- | - | - |
These are common error codes when consuming managed online endpoints with REST r
| 404 | Not found | The endpoint doesn't have any valid deployment with positive weight. | | 408 | Request timeout | The model execution took longer than the timeout supplied in `request_timeout_ms` under `request_settings` of your model deployment config. | | 424 | Model Error | If your model container returns a non-200 response, Azure returns a 424. Check the `Model Status Code` dimension under the `Requests Per Minute` metric on your endpoint's [Azure Monitor Metric Explorer](../azure-monitor/essentials/metrics-getting-started.md). Or check response headers `ms-azureml-model-error-statuscode` and `ms-azureml-model-error-reason` for more information. If 424 comes with liveness or readiness probe failing, consider adjusting [probe settings](reference-yaml-deployment-managed-online.md#probesettings) to allow longer time to probe liveness or readiness of the container. |
-| 429 | Too many pending requests | Your model is currently getting more requests than it can handle. Azure Machine Learning has implemented a system that permits a maximum of `2 * max_concurrent_requests_per_instance * instance_count requests` to be processed in parallel at any given moment to guarantee smooth operation. Additional requests that exceed this maximum will be rejected. You can review your model deployment configuration under the request_settings and scale_settings sections to verify and adjust these settings. Additionally, as outlined in the [YAML definition for RequestSettings](reference-yaml-deployment-managed-online.md#requestsettings), it is important to ensure that the environment variable `WORKER_COUNT` is correctly passed. <br><br> If you're using auto-scaling and get this error, it means your model is getting requests quicker than the system can scale up. In this situation, consider resending requests with an [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) to give the system the time it needs to adjust. You could also increase the number of instances by using [code to calculate instance count](#how-to-calculate-instance-count). These steps, combined with setting auto-scaling, will help ensure that your model is ready to handle the influx of requests. |
+| 429 | Too many pending requests | Your model is currently getting more requests than it can handle. Azure Machine Learning has implemented a system that permits a maximum of `2 * max_concurrent_requests_per_instance * instance_count requests` to be processed in parallel at any given moment to guarantee smooth operation. Other requests that exceed this maximum are rejected. You can review your model deployment configuration under the request_settings and scale_settings sections to verify and adjust these settings. Additionally, as outlined in the [YAML definition for RequestSettings](reference-yaml-deployment-managed-online.md#requestsettings), it's important to ensure that the environment variable `WORKER_COUNT` is correctly passed. <br><br> If you're using autoscaling and get this error, it means your model is getting requests quicker than the system can scale up. In this situation, consider resending requests with an [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) to give the system the time it needs to adjust. You could also increase the number of instances by using [code to calculate instance count](#how-to-calculate-instance-count). These steps, combined with setting autoscaling, help ensure that your model is ready to handle the influx of requests. |
| 429 | Rate-limiting | The number of requests per second reached the [limit](./how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints) of managed online endpoints. | | 500 | Internal server error | Azure Machine Learning-provisioned infrastructure is failing. | #### Common error codes for kubernetes online endpoints
-These are common error codes when consuming Kubernetes online endpoints with REST requests:
+The following table contains common error codes when consuming Kubernetes online endpoints with REST requests:
| Status code | Reason phrase | Why this code might get returned | | -- | -- | | | 409 | Conflict error | When an operation is already in progress, any new operation on that same online endpoint responds with 409 conflict error. For example, If create or update online endpoint operation is in progress and if you trigger a new Delete operation it throws an error. |
-| 502 | Has thrown an exception or crashed in the `run()` method of the score.py file | When there's an error in `score.py`, for example an imported package does not exist in the conda environment, a syntax error, or a failure in the `init()` method. You can follow [here](#error-resourcenotready) to debug the file. |
+| 502 | Has thrown an exception or crashed in the `run()` method of the score.py file | When there's an error in `score.py`, for example an imported package doesn't exist in the conda environment, a syntax error, or a failure in the `init()` method. You can follow [here](#error-resourcenotready) to debug the file. |
| 503 | Receive large spikes in requests per second | The autoscaler is designed to handle gradual changes in load. If you receive large spikes in requests per second, clients may receive an HTTP status code 503. Even though the autoscaler reacts quickly, it takes AKS a significant amount of time to create more containers. You can follow [here](#how-to-prevent-503-status-codes) to prevent 503 status codes. |
-| 504 | Request has timed out | A 504 status code indicates that the request has timed out. The default timeout setting is 5 seconds. You can increase the timeout or try to speed up the endpoint by modifying the score.py to remove unnecessary calls. If these actions don't correct the problem, you can follow [here](#error-resourcenotready) to debug the score.py file. The code may be in a non-responsive state or an infinite loop. |
+| 504 | Request has timed out | A 504 status code indicates that the request has timed out. The default timeout setting is 5 seconds. You can increase the timeout or try to speed up the endpoint by modifying the score.py to remove unnecessary calls. If these actions don't correct the problem, you can follow [here](#error-resourcenotready) to debug the score.py file. The code may be in a nonresponsive state or an infinite loop. |
| 500 | Internal server error | Azure Machine Learning-provisioned infrastructure is failing. |
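Review bot: In the added 429 "Too many pending requests" row, the code span `2 * max_concurrent_requests_per_instance * instance_count requests` still has the word "requests" inside the backticks, so `instance_count requests` reads as part of the expression. Close the span after `instance_count` and leave "requests" as prose. The same row replaces "Additional requests" with "Other requests", which is less clear about which requests are rejected; "Requests that exceed this maximum are rejected" avoids the ambiguity. The 502 and 504 rows keep "You can follow [here]" as link text, and a descriptive label would serve readers who scan the table.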
instance_count = ceil(concurrent_requests / max_concurrent_requests_per_instance
### Blocked by CORS policy
-Online endpoints (v2) currently do not support [Cross-Origin Resource Sharing](https://developer.mozilla.org/docs/Web/HTTP/CORS) (CORS) natively. If your web application tries to invoke the endpoint without proper handling of the CORS preflight requests, you can see the following error message:
+Online endpoints (v2) currently don't support [Cross-Origin Resource Sharing](https://developer.mozilla.org/docs/Web/HTTP/CORS) (CORS) natively. If your web application tries to invoke the endpoint without proper handling of the CORS preflight requests, you can see the following error message:
``` Access to fetch at 'https://{your-endpoint-name}.{your-region}.inference.ml.azure.com/score' from origin http://{your-url} has been blocked by CORS policy: Response to preflight request doesn't pass access control check. No 'Access-control-allow-origin' header is present on the request resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with the CORS disabled.
machine-learning How To Use Batch Azure Data Factory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-batch-azure-data-factory.md
You can use a service principal or a [managed identity](../active-directory/mana
# [Using a Service Principal](#tab/sp) 1. Create a service principal following the steps at [Register an application with Azure AD and create a service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal).
-1. Create a secret to use for authentication as explained at [Option 3: Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
-1. Take note of the `client secret` generated.
-1. Take note of the `client ID` and the `tenant id` as explained at [Get tenant and app ID values for signing in](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
+1. Create a secret to use for authentication as explained at [Option 3: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret).
+1. Take note of the client secret **Value** that is generated. This is only displayed once.
+1. Take note of the `client ID` and the `tenant id` in the **Overview** pane of the application.
1. Grant access for the service principal you created to your workspace as explained at [Grant access](../role-based-access-control/quickstart-assign-role-user-portal.md#grant-access). In this example the service principal will require: 1. Permission in the workspace to read batch deployments and perform actions over them.
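Review bot: The added step "Take note of the client secret **Value** that is generated. This is only displayed once." tells the reader to copy the secret but not where to keep it. Because this value is what the service principal authenticates with, the step should point to a secret store (for example, Azure Key Vault) instead of stopping at "take note". In the next added line, `client ID` and `tenant id` are cased differently and use code formatting while the secret uses bold **Value**; pick one convention for all three values.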
machine-learning How To Use Event Grid Batch https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-event-grid-batch.md
Azure Logic Apps can invoke the REST APIs of batch endpoints by using the [HTTP]
We recommend to using a service principal for authentication and interaction with batch endpoints in this scenario. 1. Create a service principal following the steps at [Register an application with Azure AD and create a service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal).
-1. Create a secret to use for authentication as explained at [Option 3: Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
-1. Take note of the `client secret` generated.
-1. Take note of the `client ID` and the `tenant id` as explained at [Get tenant and app ID values for signing in](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret).
+1. Create a secret to use for authentication as explained at [Option 3: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret).
+1. Take note of the client secret **Value** that is generated. This is only displayed once.
+1. Take note of the `client ID` and the `tenant id` in the **Overview** pane of the application.
1. Grant access for the service principal you created to your workspace as explained at [Grant access](../role-based-access-control/quickstart-assign-role-user-portal.md#grant-access). In this example the service principal will require: 1. Permission in the workspace to read batch deployments and perform actions over them.
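Review bot: The context line that opens this list still reads "We recommend to using a service principal", and the change rewords the steps under it without touching it; correct it to "We recommend using" in the same commit. The three added steps are identical to the ones added in how-to-use-batch-azure-data-factory.md, so the two copies will drift apart again unless they move into a shared include.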
machine-learning How To Use Serverless Compute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-serverless-compute.md
Last updated 05/09/2023
[!INCLUDE [dev v2](includes/machine-learning-dev-v2.md)]
-You no longer need to [create and manage compute](./how-to-create-attach-compute-cluster.md) to train your model in a scalable way. Your job can instead be submitted to a new compute target type, called _serverless compute_. Serverless compute is the easiest way to run training jobs on Azure Machine Learning. Serverless compute is a fully managed, on-demand compute. It is created, scaled, and managed by Azure Machine Learning for you. Through model training with serverless compute, machine learning professionals can focus on their expertise of building machine learning models and not have to learn about compute infrastructure or setting it up.
+You no longer need to [create and manage compute](./how-to-create-attach-compute-cluster.md) to train your model in a scalable way. Your job can instead be submitted to a new compute target type, called _serverless compute_. Serverless compute is the easiest way to run training jobs on Azure Machine Learning. Serverless compute is a fully managed, on-demand compute. Azure Machine Learning creates, scales, and manages the compute for you. Through model training with serverless compute, machine learning professionals can focus on their expertise of building machine learning models and not have to learn about compute infrastructure or setting it up.
[!INCLUDE [machine-learning-preview-generic-disclaimer](includes/machine-learning-preview-generic-disclaimer.md)]
-Machine learning professionals can specify the resources the job needs. Azure Machine Learning manages the compute infrastructure, and provides managed network (preview) isolation reducing the burden on you.
+Machine learning professionals can specify the resources the job needs. Azure Machine Learning manages the compute infrastructure, and provides managed network isolation reducing the burden on you.
Enterprises can also reduce costs by specifying optimal resources for each job. IT Admins can still apply control by specifying cores quota at subscription and workspace level and apply Azure policies.
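Review bot: The changed sentence drops "(preview)" from "managed network (preview) isolation", but the unchanged `machine-learning-preview-generic-disclaimer` include sits directly above it, so the page still announces a preview without saying which feature it covers. State what remains in preview, or remove the include if nothing does. The sentence also needs a comma before "reducing the burden on you".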
Serverless compute can be used to run command, sweep, AutoML, pipeline, distribu
* You can optimize costs by specifying the exact resources each job needs at runtime in terms of instance type (VM size) and instance count. You can monitor the utilization metrics of the job to optimize the resources a job would need. * Reduction in steps involved to run a job * To further simplify job submission, you can skip the resources altogether. Azure Machine Learning defaults the instance count and chooses an instance type (VM size) based on factors like quota, cost, performance and disk size.
-* Lesser wait times before job starts executing in some cases.
+* Lesser wait times before jobs start executing in some cases.
* User identity and workspace user-assigned managed identity is supported for job submission.
-* With managed network isolation you can streamline and automate your network isolation configuration.
+* With managed network isolation, you can streamline and automate your network isolation configuration.
* Admin control through quota and Azure policies ## How to use serverless compute
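Review bot: The added bullet "Lesser wait times before jobs start executing in some cases." fixes the noun's number but keeps "Lesser" where "Shorter" is meant. The unchanged bullet after it, "User identity and workspace user-assigned managed identity is supported for job submission", pairs a compound subject with a singular verb and could be corrected in the same pass.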
Serverless compute can help speed up your training in the following ways:
When submitting the job, you still need sufficient Azure Machine Learning compute quota to proceed (both workspace and subscription level quota). The default VM size for serverless jobs is selected based on this quota. If you specify your own VM size/family:
-* If you have some quota for your VM size/family, but not sufficient quota for the number of instances, you'll see an error. The error recommends decreasing the number of instances to a valid number based on your quota limit or request a quota increase for this VM family or changing the VM size
-* If you don't have quota for your specified VM size, you'll see an error. The error recommends selecting a different VM size for which you do have quota or request quota for this VM family
-* If you do have sufficient quota for VM family to run the serverless job, but it's currently consumed by other jobs, you'll get a message that your job must wait in a queue until quota is available
+* If you have some quota for your VM size/family, but not sufficient quota for the number of instances, you see an error. The error recommends decreasing the number of instances to a valid number based on your quota limit or request a quota increase for this VM family or changing the VM size
+* If you don't have quota for your specified VM size, you see an error. The error recommends selecting a different VM size for which you do have quota or request quota for this VM family
+* If you do have sufficient quota for VM family to run the serverless job, but other jobs are using the quota, you get a message that your job must wait in a queue until quota is available
-When you [view your usage and quota in the Azure portal](how-to-manage-quotas.md#view-your-usage-and-quotas-in-the-azure-portal), you'll see the name "Serverless" to see all the quota consumed by serverless jobs.
+When you [view your usage and quota in the Azure portal](how-to-manage-quotas.md#view-your-usage-and-quotas-in-the-azure-portal), you see the name "Serverless" to see all the quota consumed by serverless jobs.
## Identity support and credential pass through
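Review bot: In the first added bullet, "The error recommends decreasing the number of instances ... or request a quota increase ... or changing the VM size" mixes verb forms; make the three options parallel ("decreasing", "requesting", "changing"). The second bullet has the same problem with "selecting ... or request quota". None of the three bullets ends with a period although each is a full sentence. In the last added line, "you see the name "Serverless" to see all the quota consumed" repeats "see"; "look for the name "Serverless" to find the quota consumed by serverless jobs" reads more clearly.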
environment:
The compute defaults to serverless compute with: * Single node for this job. The default number of nodes is based on the type of job. See following sections for other job types.
-* CPU virtual machine, determined based on quota, performance, cost, and disk size.
+* CPU virtual machine, which is determined based on quota, performance, cost, and disk size.
* Dedicated virtual machines * Workspace location
You can override these defaults. If you want to specify the VM type or number o
## Example for all fields with command jobs
-Here's an example of all fields specified including identity the job should use. There's no need to specify virtual network settings as workspace level managed network isolation will be automatically used.
+Here's an example of all fields specified including identity the job should use. There's no need to specify virtual network settings as workspace level managed network isolation is automatically used.
# [Python SDK](#tab/python)
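Review bot: The added sentence "There's no need to specify virtual network settings as workspace level managed network isolation is automatically used" reads as unconditional. Say what a job gets when the workspace has no managed network configured, or state that the sentence assumes one is configured. "workspace level" should be hyphenated as a modifier, and "including identity the job should use" is missing "the".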
View more examples of training with serverless compute at:-
## AutoML job
-There's no need to specify compute for AutoML jobs. Resources can be optionally specified. If instance count isn't specified, then it's defaulted based on max_concurrent_trials and max_nodes parameters. If you submit an AutoML image classification or NLP task with no instance type, we will automatically select a GPU VM size. It is possible to submit AutoML job through CLIs, SDK, or Studio. To submit AutoML jobs with serverless compute in studio first enable the *Guided experience for submitting training jobs with serverless compute* feature in the preview panel and then [submit a training job in studio (preview)](how-to-train-with-ui.md).
+There's no need to specify compute for AutoML jobs. Resources can be optionally specified. If instance count isn't specified, then it's defaulted based on max_concurrent_trials and max_nodes parameters. If you submit an AutoML image classification or NLP task with no instance type, the GPU VM size is automatically selected. It's possible to submit AutoML job through CLIs, SDK, or Studio. To submit AutoML jobs with serverless compute in studio first enable the *Guided experience for submitting training jobs with serverless compute* feature in the preview panel and then [submit a training job in studio (preview)](how-to-train-with-ui.md).
# [Python SDK](#tab/python)
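Review bot: In the added paragraph, "the GPU VM size is automatically selected" uses a definite article that implies one known size, where the removed line said "a GPU VM size"; the passive also drops who makes the selection. Suggest "Azure Machine Learning automatically selects a GPU VM size". "It's possible to submit AutoML job" needs an article or a plural, and the closing sentence needs a comma after "in studio".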
machine-learning How To Secure Prompt Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/how-to-secure-prompt-flow.md
Workspace managed virtual network is the recommended way to support network isol
az ml workspace provision-network --subscription <sub_id> -g <resource_group_name> -n <workspace_name> ```
-2. Add workspace MSI as `Storage File Data Privileged Contributor` to storage account linked with workspace.
+2. Add workspace MSI as `Storage File Data Privileged Contributor` and `Storage Table Data Contributor` to storage account linked with workspace.
2.1 Go to azure portal, find the workspace.
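Review bot: The changed step 2 now grants the workspace MSI a second role, `Storage Table Data Contributor`, on the linked storage account without saying what needs table access. Add a short reason so that readers who apply least privilege can tell why both roles are required. Sub-step 2.1 under it still writes "azure portal" in lowercase.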
Workspace managed virtual network is the recommended way to support network isol
:::image type="content" source="./media/how-to-secure-prompt-flow/managed-identity-workspace.png" alt-text="Diagram showing how to assign storage file data privileged contributor role to workspace managed identity." lightbox = "./media/how-to-secure-prompt-flow/managed-identity-workspace.png"::: > [!NOTE]
+ > You need follow the same process to assign `Storage Table Data Contributor` role to workspace managed identity.
> This operation may take several minutes to take effect. 3. If you want to communicate with [private Azure Cognitive Services](../../ai-services/cognitive-services-virtual-networks.md), you need to add related user defined outbound rules to related resource. The Azure Machine Learning workspace creates private endpoint in the related resource with auto approve. If the status is stuck in pending, go to related resource to approve the private endpoint manually.
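Review bot: The added note line "You need follow the same process to assign `Storage Table Data Contributor` role to workspace managed identity" is missing "to" after "need" and "the" before `Storage Table Data Contributor`. It is also inserted ahead of "This operation may take several minutes to take effect", so "This operation" no longer clearly refers to either role assignment; reorder the two lines or name the operation. The image alt text above still mentions only the storage file data privileged contributor role.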
migrate Onboard To Azure Arc With Azure Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/onboard-to-azure-arc-with-azure-migrate.md
Once the vCenter Server discovery has been completed, software inventory (discov
The following inputs are required: - **Directory (tenant) ID** - The [unique identifier (GUID)](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application) that represents your dedicated instance of Azure AD. - **Application (client) ID** - The [unique identifier (GUID)](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application) that represents the application ID of the service principal.
- - **Service principal secret (application secret)** - The [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret) for password-based authentication.
+ - **Service principal secret (application secret)** - The [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret) for password-based authentication.
5. _Optional_: Provide the **proxy server IP address** or the name and **port number** if your discovered servers require a proxy server to connect to the Internet. Enter the value in the format `http://<proxyURL>:<proxyport>`. This proxy server used by the discovered servers can be different from the proxy server required by the appliance server to connect to the Internet (provided in the prerequisites section in the appliance configuration manager).
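Review bot: The added line updates the link anchor to `#option-3-create-a-new-client-secret` but keeps the bold label "Service principal secret (application secret)", so the label now uses a term the target heading no longer has. Rename the parenthetical to "(client secret)" so the input name matches what the reader sees on the linked page.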
modeling-simulation-workbench How To Guide Download Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-download-data.md
Title: Export data from an Azure Modeling and Simulation Workbench
-description: Learn how to export data from a chamber in Azure Modeling and Simulation Workbench
+ Title: Export data from Azure Modeling and Simulation Workbench
+description: Learn how to export data from a chamber in Azure Modeling and Simulation Workbench.
Last updated 01/01/2023
-# Customer intent: As a Modeling and Simulation Workbench Chamber User, I want to export data from my chamber
+# Customer intent: As a Chamber User in Azure Modeling and Simulation Workbench, I want to export data from my chamber.
-# Export data from an Azure Modeling and Simulation Workbench
+# Export data from Azure Modeling and Simulation Workbench
-<! SCREENSHOT OF CHAMBER >
+Azure Modeling and Simulation Workbench uses a two-key approval process for optimal security and privacy when you're exporting data. A Chamber Admin provides the first key approval. A Workbench Owner provides the second key approval.
-Azure Modeling and Simulation Workbench uses a two key approvals process to ensure optimal security and privacy when exporting data. A Chamber Admin provides the first key approval. A Workbench Owner provides the second key approval.
-This article explains the steps to export data from Azure Modeling and Simulation Workbench."
+This article explains the steps to export data from Azure Modeling and Simulation Workbench.
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- An instance of Modeling and Simulation Design Workbench installed with at least one chamber.-- A user who is a Workbench Owner (Subscription Owner/Contributor) and a user provisioned as a Chamber Admin or Chamber User.-- [AzCopy](/azure/storage/common/storage-ref-azcopy) installed on machine, with access to the configured network for the target chamber. Only machines that are on the specified network path for the chamber can export files.
+- An instance of Azure Modeling and Simulation Design Workbench installed with at least one chamber.
+- A user who's a Workbench Owner (Subscription Owner or Subscription Contributor), and a user who's provisioned as a Chamber Admin or Chamber User.
+- [AzCopy](/azure/storage/common/storage-ref-azcopy) installed on the machine, with access to the configured network for the target chamber. Only machines on the specified network path for the chamber can export files.
-## Sign in to Azure portal
+## Sign in to the Azure portal
Open your web browser and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal.
-## Copy export file to data out folder
+## Copy the export file to the data-out folder
-To export a file, first you need to copy the file to the data out folder in the data pipeline.
+To export a file, you first need to copy the file to the data-out folder in the data pipeline.
- > [!NOTE]
- > Supported filename characters are alphanumerics, underscores, periods, and hyphens.
- > Data pipeline will only process files in /mount/datapipeline/dataout.
+> [!NOTE]
+> Supported characters for the file name are alphanumeric characters, underscores, periods, and hyphens.
+>
+> The data pipeline processes only files in */mount/datapipeline/dataout*.
-1. Type *Modeling and Simulation Workbench* in the global search and select **Modeling and Simulation Workbench** under **Services**.
+1. Enter **Modeling and Simulation Workbench** in the global search. Then, under **Services**, select **Modeling and Simulation Workbench**.
-1. Select your Modeling and Simulation Workbench from the resource list.
+1. Select your workbench from the resource list.
-1. Select **Settings > Chamber** in the left side menu. A resource list displays. Select the chamber you want to export data from.
+1. On the left menu, select **Settings** > **Chamber**. A resource list appears. Select the chamber that you want to export data from.
-1. Select **Settings > Connector** in the left side menu. A resource list displays. Select the displayed connector.
+1. On the left menu, select **Settings** > **Connector**. In the resource list, select the displayed connector.
-1. Select the "Dashboard URL" link that should take you to the ETX dashboard.
+1. Select the **Dashboard URL** link to open the ETX dashboard.
1. Select an available workload and open a terminal session.
-1. Copy the file you want to export to the data pipeline's data out folder: */mount/datapipeline/dataout.*
+1. Copy the file that you want to export to the data pipeline's data-out folder: */mount/datapipeline/dataout*.
## Request to export the file
-After the file is copied to the data out folder, a Chamber Admin completes the following steps to request to export the file.
+After you copy the file to the data-out folder, a Chamber Admin completes the following steps to request an export of the file:
-1. Select **Data Pipeline > File** in the chamber you're exporting data from.
+1. In the chamber that you're exporting data from, select **Data Pipeline** > **File**.
-1. Select the file you want to export from the displayed resource list. Files are named *mount-datapipeline-datain-\<filename\>.*
+1. In the resource list, select the file that you want to export. Files are named *mount-datapipeline-datain-\<filename\>.*
-1. Confirm the data pipeline direction in the File overview section is **outbound**. Then select **Request download.**
+1. Confirm that the data pipeline direction in the **File overview** section is **outbound**. Then select **Request download**.
-1. Enter a reason in the Description field and select **File Request.**
+1. Enter a reason in the **Description** box, and then select **File Request**.
> [!div class="mx-imgBorder"]
- > ![Screenshot of the Azure portal manage screen showing how to request file export](./media/howtoguide-download-data/file-request-download.png)
+ > ![Screenshot of the Azure portal pane for requesting a file download for export.](./media/howtoguide-download-data/file-request-download.png)
## Approve or reject an export request
-The next phase, approving (or rejecting) the export request, is completed by the Workbench Owner.
+The Workbench Owner completes the next phase, approving (or rejecting) the export request:
-1. Select **Data Pipeline > File Request** in the chamber you're exporting data from.
+1. In the chamber that you're exporting data from, select **Data Pipeline** > **File Request**.
-1. Select the file request you want to manage from the displayed resource list. In the File Request overview section, the status of the file request must display as **Requested** in order to approve it.
+1. In the resource list, select the file request that you want to manage.
-1. Select **Manage** in the File Request overview section.
+ In the **File Request overview** section, the status of the file request must appear as **Requested** for you to approve it.
-1. Select **Approve** or **Reject** in the Action drop-down and enter a description in the Description field.
+1. Select **Manage** in the **File Request overview** section.
+
+1. In the **Action** drop-down list, select **Approve** or **Reject**. In the **Description** box, enter a description.
> [!div class="mx-imgBorder"]
- > ![Screenshot of the Azure portal manage screen showing how to select Approved Action](./media/howtoguide-download-data/file-request-approve.png)
+ > ![Screenshot of the Azure portal that shows the Action and Description boxes in the pane for managing a file download request.](./media/howtoguide-download-data/file-request-approve.png)
+
+1. Select **Manage**.
-1. Select **Manage.**
+The status of the file export request appears in the **File Request overview** section as either **Approved** or **Rejected**. The status must be **Approved** to enable users to download the file.
-1. The status of the file export request displays in the File Request overview section as either Approved or Rejected. The status must show as **Approved** to enable users to download the file.
+## Download an approved export file from the chamber
-## Download approved export file from chamber
+Complete the following steps to download an approved export file from a chamber:
-Complete the following steps to download an approved export file from a chamber.
+1. In the chamber that you're exporting data from, select **Data Pipeline** > **File Request**.
-1. Select **Data Pipeline > File Request** in the chamber you're exporting data from.
+1. In the resource list, select the approved file request that you want to download. The status of the file request must appear as **Approved** for you to download it.
-1. Select the approved file request you want to download from the displayed resource list. The status of the file request must display as **Approved** in order to download it.
+1. In the **File Request overview** section, select the **Download URL** button.
-1. Select the **Download URL** button in the file request overview section, and copy the displayed Download URL from the popup.
+1. In the pop-up dialog, copy the **Download URL** value.
-1. Using the AzCopy command, copy out your file. for example, `azcopy copy "<downloadURL>" <targetFilePath>`
+1. Use the AzCopy command to copy out your file. For example, use `azcopy copy "<downloadURL>" <targetFilePath>`.
- > [!IMPORTANT]
- >
- > If you're exporting multiple smaller files, it's recommended to zip or tarball them into a single file.
- >
- > GB sized tarballs/zipped files are supported, depending on your connection type and network speed.
+> [!IMPORTANT]
+> If you're exporting multiple smaller files, we recommend that you zip or tarball them into a single file. Gigabyte-sized tarballs and zipped files are supported, depending on your connection type and network speed.
## Next steps
-Check out [Manage chamber storage](./how-to-guide-manage-storage.md) to learn how to manage chamber storage in Azure Modeling and Simulation Workbench.
+To learn how to manage chamber storage in Azure Modeling and Simulation Workbench, see [Manage chamber storage](./how-to-guide-manage-storage.md).
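Review bot: Under "Request to export the file", the added step still says files are named *mount-datapipeline-datain-\<filename\>* while the same procedure requires the direction to be **outbound** and the source folder is */mount/datapipeline/dataout*. Confirm whether the prefix should be `dataout`, because a reader looking for an export file by this name may select an inbound one. In the prerequisites, the added bullet "An instance of Azure Modeling and Simulation Design Workbench" keeps the word "Design", which appears in no other use of the product name in this file. In the download step, `azcopy copy "<downloadURL>" <targetFilePath>` quotes the URL but not the target path; quote both so that paths with spaces work.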
modeling-simulation-workbench How To Guide Licenses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-licenses.md
Title: Manage license service for Azure Modeling and Simulation Workbench
-description: In this How-to guide, you learn how to upload a license file to activate a license service for a Modeling and Simulation Workbench chamber.
+ Title: Manage a license service for Azure Modeling and Simulation Workbench
+description: In this how-to guide, you learn how to upload a license file to activate a license service for an Azure Modeling and Simulation Workbench chamber.
Last updated 09/15/2023
-# Customer intent: As a Modeling and Simulation Workbench Chamber Admin, I want to activate a license service in Modeling and Simulation Workbench chamber so that chamber users can run applications requiring licenses.
+# Customer intent: As a Chamber Admin in Azure Modeling and Simulation Workbench, I want to activate a license service in a chamber so that Chamber Users can run applications that require licenses.
-# Manage license service for Azure Modeling and Simulation Workbench
+# Manage a license service for Azure Modeling and Simulation Workbench
-A license service automates the installation of a license manager to help customers accelerate their engineering design. License management is integrated into Azure Modeling and Simulation Workbench flows via FLEXlm ΓÇô the most commonly used license manager. This article shows you how to upload a license file and activate a license service for a Modeling and Simulation Workbench chamber.
+A license service automates the installation of a license manager to help customers accelerate their engineering design. License management is integrated into Azure Modeling and Simulation Workbench flows via FLEXlm, which is the most commonly used license manager.
+
+This article shows you how to upload a license file and activate a license service for an Azure Modeling and Simulation Workbench chamber.
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- A FLEXlm license file for a software vendor requiring license. You need to buy a production environment license from a vendor such as: Synopsys, Cadence, Siemens, or Ansys.
+- A FLEXlm license file for a software vendor that requires a license. You need to buy a production environment license from a vendor such as Synopsys, Cadence, Siemens, or Ansys.
-## Upload/update license for FLEXlm based tools
+## Upload or update a license for FLEXlm-based tools
-This section lists the steps associated with uploading a license for a FLEXlm based tool. First, you get the FLEXlm host ID or VM UUID from the chamber. Then you provide that value to the license vendor to get the license file. After you acquire the license file from the vendor, you upload the license file to the chamber and activate it.
+This section lists the steps to upload a license for a FLEXlm-based tool. First, you get the FLEXlm host ID or the virtual machine (VM) universally unique ID (UUID) from the chamber. Then you provide that value to the license vendor to get the license file. After you get the license file from the vendor, you upload it to the chamber and activate it.
1. Open your web browser and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal.
-1. Search for *Modeling and Simulation Workbench*. Select the workbench you want to provision from the resource list.
-1. Select **Settings > Chamber** in the left side menu. A resource list displays. Select the chamber you want to upload the data to.
-1. Select **License** blade in the Settings section on the left of the screen.
-1. Copy the **FLEXlm host ID or VM UUID** located on the **License Overview** page. You need to provide this value to your license vendor to get a license file from them.
-1. Once you get the vendor license file, Select **Update** on the **License Overview** page. The Update license window displays.
-1. Select the *chamber license service* for the license file you are uploading. Select **Enable** to enable the service. Then upload the license file from your storage space.
-1. Select the **Update** button in the **Update license** popup to activate your license service.
-1. The Workbench applies the new license to the license service and prompts a restart that may affect actively running jobs.
+1. Search for **Modeling and Simulation Workbench**. Select the workbench that you want to provision from the resource list.
+1. On the left menu, select **Settings** > **Chamber**. A resource list appears. Select the chamber that you want to upload the data to.
+1. In the **Settings** section, select the **License** pane.
+1. On the **License Overview** page, copy the **FLEXlm host ID** or **VM UUID** value. Provide this value to your license vendor to get a license file.
+1. After the vendor sends you the license file, select **Update** on the **License Overview** page. The **Update license** window appears.
+1. Select the chamber license service for the license file that you're uploading. Select **Enable** to enable the service. Then upload the license file from your storage space.
+1. In the **Update license** pop-up dialog, select the **Update** button to activate your license service.
+1. Azure Modeling and Simulation Workbench applies the new license to the license service and prompts a restart that might affect actively running jobs.
## Next steps
-To learn how to import data into an Azure Modeling and Simulation Workbench chamber, check [Import data.](./how-to-guide-upload-data.md)
+To learn how to import data into an Azure Modeling and Simulation Workbench chamber, see [Import data](./how-to-guide-upload-data.md).
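Review bot: In the added step "On the left menu, select **Settings** > **Chamber**", the closing sentence "Select the chamber that you want to upload the data to" reads as if carried over from a data upload procedure and does not fit a license workflow; suggest "Select the chamber where you want to activate the license service". The last numbered item ("applies the new license to the license service and prompts a restart that might affect actively running jobs") is an outcome rather than an action, so it would work better as a callout under the preceding step, where the restart impact is harder to miss.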
modeling-simulation-workbench How To Guide Manage Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-manage-storage.md
Title: Manage chamber storage in Azure Modeling and Simulation Workbench
-description: Learn how to manage chamber storage within a Modeling and Simulation Workbench
+description: Learn how to manage chamber storage in Azure Modeling and Simulation Workbench.
Last updated 01/01/2023
-# Customer intent: As a Modeling and Simulation Workbench Chamber Admin, I want to manage chamber storage
+# Customer intent: As a Chamber Admin in Azure Modeling and Simulation Workbench, I want to manage chamber storage.
# Manage chamber storage in Azure Modeling and Simulation Workbench
-Chamber Admins and Workbench Owners can manage the storage capacity within Azure Modeling and Simulation Workbench to fit your organization's specific needs. For example, they can increase or decrease the amount of chamber storage, as well as change the performance tier.
+Chamber Admins and Workbench Owners can manage the storage capacity in Azure Modeling and Simulation Workbench to fit their organization's specific needs. For example, they can increase or decrease the amount of chamber storage. They can also change the performance tier.
-This article explains how Chamber Admins and Workbench Owners manage chamber storage
+This article explains how Chamber Admins and Workbench Owners manage chamber storage.
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- An instance of Modeling and Simulation Design Workbench installed with at least one chamber.-- You must be a Chamber Admin or Workbench Owner to manage chamber storage.
+- An instance of Azure Modeling and Simulation Design Workbench installed with at least one chamber.
+- A user who's provisioned as a Chamber Admin or Workbench Owner.
-## Sign in to Azure portal
+## Sign in to the Azure portal
Open your web browser and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal.
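Review bot: The added prerequisite "An instance of Azure Modeling and Simulation Design Workbench installed with at least one chamber" keeps the word "Design", while every other added line in this file writes the product name as "Azure Modeling and Simulation Workbench"; suggest dropping "Design". The replacement prerequisite "A user who's provisioned as a Chamber Admin or Workbench Owner" also loses the removed line's statement that the role is required to manage chamber storage, so consider ending it with "to manage chamber storage".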
-## Access storage options in chamber
+## Access storage options in a chamber
If you're a Workbench Owner or Chamber Admin, complete the following steps to access the chamber storage options:
-1. Enter *Modeling and Simulation Workbench* in the global search and select **Modeling and Simulation Workbench** under **Services**.
+1. Enter **Modeling and Simulation Workbench** in the global search. Then, under **Services**, select **Modeling and Simulation Workbench**.
-1. Select your Modeling and Simulation Workbench from the resource list.
+1. Select your workbench from the resource list.
-1. Select **Settings > Chamber** in the left side menu. A resource list displays. Select the chamber where you want to manage the storage for.
+1. On the left menu, select **Settings** > **Chamber**. A resource list appears. Select the chamber where you want to manage the storage.
-1. Select **Settings > Storage** in the left side menu. A resource list displays. Select the displayed storage.
+1. On the left menu, select **Settings** > **Storage**. In the resource list, select the displayed storage.
-<! [!div class="mx-imgBorder"]
- ![Screenshot of the Azure portal chamber storage overview screen](./media/howtoguide-manage-storage/storage-overview.png)
->
### Resize chamber storage
-Workbench Owners and Chamber Admins can increase or decrease your chamber's storage capacity by resizing the storage size.
+If you're a Workbench Owner or Chamber Admin, you can increase or decrease a chamber's storage capacity by changing the storage size.
-The storage size can't be changed to less than what's currently being used for that storage instance. In addition, the storage size can't be changed to more than the available capacity for the region your workbench is installed in. The default storage quota limit is 25 TB across all workbenches installed in your subscription per region. Contact your Microsoft account manager for additional information about regional capacity resource limits.
+You can't change the storage size to less than what you're currently using for that storage instance. In addition, you can't change the storage size to more than the available capacity for the region where your workbench is installed. The default storage quota limit is 25 TB across all workbenches installed in your subscription per region. For more information about resource capacity limits, contact your Microsoft account manager.
-**Complete the following steps to increase or decrease the storage size:**
+Complete the following steps to increase or decrease the storage size:
-1. Select **Resize** option chamber storage overview.
-1. Enter desired storage size in the Resize popup.
-1. Select **Change** button to confirm resize request.
-1. Select **Refresh** to show the new size in the storage overview display.
+1. In the storage overview, select **Resize**.
+1. In the **Resize** pop-up dialog, enter the desired storage size.
+1. Select the **Change** button to confirm the resize request.
+1. Select **Refresh** to show the new size in the storage overview.
- > [!IMPORTANT]
- > Azure Net App Files Capacity availability is limited per region.
- > In addition, Azure Net App Files Quota availability is limited per region and customer customer subscription.
- > Contact your Microsoft account manager to request an increase in storage quota.
+> [!IMPORTANT]
+> Azure NetApp Files capacity availability is limited per region. Azure NetApp Files quota availability is limited per region and customer subscription. To request an increase in storage quota, contact your Microsoft account manager.
-### Change performance tier
+### Change the performance tier
-Workbench Owners and Chamber Admins can change the performance tier for your storage.
+If you're a Workbench Owner or a Chamber Admin, you can change the performance tier for storage.
-The storage performance tier can be changed to a higher tier, such as from standard to ultra, at any time. The storage performance tier can be changed to a lower tier, such as from ultra to standard, after the cool-down period. The Azure Net App Files cool-down period is one week from when the storage was created or one week from the last time the storage tier was increased.
+You can change the storage performance tier to a higher tier, such as from standard to ultra, at any time. You can change the storage performance tier to a lower tier, such as from ultra to standard, after the cool-down period. The Azure Net App Files cool-down period is one week from when you created the storage or one week from the last time that you increased the storage tier.
-**Complete the following steps to change the performance tier:**
+Complete the following steps to change the performance tier:
-1. Select **Change tier** option chamber storage overview.
-1. Select from combo box the desired storage tier in the Change tier popup.
-1. Select **Update** button to confirm change tier request.
-1. Select **Refresh** to show the new tier in the storage overview display.
+1. In the chamber storage overview, select **Change tier**.
+1. In the **Change tier** pop-up dialog, select the desired storage tier from the combo box.
+1. Select the **Update** button to confirm the request to change the tier.
+1. Select **Refresh** to show the new tier in the storage overview.
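Review bot: The added cool-down paragraph under "Change the performance tier" still says "The Azure Net App Files cool-down period", while the IMPORTANT callout added earlier in this same file corrects the name to "Azure NetApp Files". Suggest using "Azure NetApp Files" here as well so the service name is consistent across the article.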
modeling-simulation-workbench How To Guide Manage Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-manage-users.md
Title: Manage users in Azure Modeling and Simulation Workbench
-description: In this how-to guide, you learn how to manage users' access to our Modeling and Simulation Workbench.
+description: In this how-to guide, you learn how to manage users' access to Azure Modeling and Simulation Workbench.
Last updated 01/01/2023
-# Customer intent: As a Modeling and Simulation Workbench Owner, I want to manage users who can access a chamber.
+# Customer intent: As a Workbench Owner in Azure Modeling and Simulation Workbench, I want to manage users who can access a chamber.
# Manage users in Azure Modeling and Simulation Workbench
-In order for users to access the Azure Modeling and Simulation Workbench chamber, they must be given explicit access. The Workbench uses Azure's built-in role based assignments to manage chamber access ΓÇô only users with the User Access Administrator can manage role assignments on Azure Resources. In the Workbench, the [IT Admin or Workbench Owner](./concept-user-personas.md)is responsible for managing user access to a chamber.
+For users to access an Azure Modeling and Simulation Workbench chamber, they need explicit access. Azure Modeling and Simulation Workbench uses the built-in role-based assignments in Azure to manage chamber access. Only the User Access Administrator can manage role assignments on Azure resources. In Azure Modeling and Simulation Workbench, the [IT Admin or Workbench Owner](./concept-user-personas.md) is responsible for managing user access to a chamber.
This article describes how to grant or remove user access to your chamber. ## Prerequisites -- To provision any users within a chamber, those users must exist in your company's Azure AD tenant. If you want to invite a guest to collaborate within your chamber, they must be added to your Azure AD tenant.
+- To provision users in a chamber, make sure that those users exist in your company's Microsoft Entra tenant. If you want to invite guests to collaborate in your chamber, you must add them to your Microsoft Entra tenant.
-- The email alias is used to identify and enable the user's access into the chamber workloads. Each user must have an email account set within their user profile. The email alias must exactly match the user Azure AD sign in alias. For example, an Azure AD sign in alias of jane.doe@contoso.com must also have email alias of jane.doe@contoso.com.
+- You use email aliases to identify and enable users' access to the chamber workloads. Each user must have an email account set in the user profile. The email alias must exactly match the user's Microsoft Entra sign-in alias. For example, a Microsoft Entra sign-in alias of jane.doe@contoso.com must also have email alias of jane.doe@contoso.com.
## Assign user roles
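Review bot: The rewritten introduction changes the meaning of the access requirement: the removed line says "only users with the User Access Administrator can manage role assignments", and the added line says "Only the User Access Administrator can manage role assignments on Azure resources", which reads as one person rather than a role that several users can hold. Suggest "Only users with the User Access Administrator role can manage role assignments on Azure resources". In the second added prerequisite, "must also have email alias of" is missing an article ("an email alias of").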
-User roles can either be assigned at the resource group level or at the chamber level. Users assigned at the resource group level can see Azure Modeling and Simulation Workbench resources and create workloads with a chamber. Users assigned at the chamber level can perform Azure Modeling and Simulation Workbench operations in Azure portal and access the chamber workloads.
+You can assign user roles at either of these levels:
+
+- Users assigned at the *resource group level* can see Azure Modeling and Simulation Workbench resources and create workloads in a chamber.
+- Users assigned at the *chamber level* can perform Azure Modeling and Simulation Workbench operations in the Azure portal and access the chamber workloads.
### Assign access to read and create workloads
-To allow users to see Azure Modeling and Simulation Workbench resources and to create workloads with a chamber, they need to have Azure roles assigned. These roles should be assigned at the resource group level where the Azure Modeling and Simulation Workbench instance exists. The recommendation to assign these roles at the resource group level is in line with least privilege principles, but these roles can also be assigned at the subscription level.
+To allow users to see Azure Modeling and Simulation Workbench resources and to create workloads in a chamber, you need to assign Azure roles to them. Assign these roles at the resource group level, where the Azure Modeling and Simulation Workbench instance exists. The recommendation to assign these roles at the resource group level is in line with least-privilege principles, but you can also assign these roles at the subscription level.
| Setting | Value | | : | :-- |
- | Role | **Reader** |
- | Assign access to | User, group, or service principal |
- | Members | \<users Azure account\> |
+ | **Role** | **Reader** |
+ | **Assign access to** | **User, group, or service principal** |
+ | **Members** | \<user's Azure account\> |
| Setting | Value | | : | :-- |
- | Role | **Classic Storage Account Contributor** |
- | Assign access to | User, group, or service principal |
- | Members | \<users Azure account\> |
+ | **Role** | **Classic Storage Account Contributor** |
+ | **Assign access to** | **User, group, or service principal** |
+ | **Members** | \<user's Azure account\> |
### Assign access to perform workbench operations and access workloads
-To allow users to perform Azure Modeling and Simulation Workbench operations in Azure portal and access the chamber workloads, they need to have Azure roles assigned **at the chamber level**. Assigning the role at any other level fails to grant users access to the remote desktop dashboard or chamber workloads. Don't assign both roles to a single user. They should be _either_ Chamber User or Chamber Admin.
+To allow users to perform Azure Modeling and Simulation Workbench operations in the Azure portal and access the chamber workloads, assign them Azure roles assigned *at the chamber level*. Assigning the roles at any other level fails to grant users access to the remote desktop dashboard or chamber workloads.
+
+Don't assign both roles to a single user. The user should be *either* a Chamber User or a Chamber Admin.
- 1. Navigate to the chamber you want to allow users to access. You must select and open your chamber, selecting 'myFirstChamber' as an example in following screenshot.
+1. Go to the chamber that you want to allow users to access. Select **Chamber (preview)**, and then select and open your chamber. The following screenshot shows an example chamber named **myFirstChamber**.
- :::image type="content" source="./media/quickstart-create-portal/chamber-iam-01.png" alt-text="Screenshot of the global search to select your chamber.":::
+ :::image type="content" source="./media/quickstart-create-portal/chamber-iam-01.png" alt-text="Screenshot of the global search to select a chamber.":::
- 1. Confirm you are within the context of your chamber and select **Access control (IAM)** from the left side menu of **your chamber**.
+1. Confirm that you're within the context of your chamber and select **Access control (IAM)** from the left menu.
- 1. Select **Add** > **Add role assignment**. If you don't have permissions to assign roles, the Add role assignment option is disabled.
+1. Select **Add** > **Add role assignment**. If you don't have permissions to assign roles, the **Add role assignment** option is unavailable.
- :::image type="content" source="./media/quickstart-create-portal/chamber-iam-02.png" alt-text="Screenshot of the Role assignments page showing where you select the Add role assignment command.":::
+ :::image type="content" source="./media/quickstart-create-portal/chamber-iam-02.png" alt-text="Screenshot that shows selections for adding a role assignment.":::
- 1. The **Add role assignment** pane opens. In the **Role** list, search or scroll to find the roles **Chamber Admin** and **Chamber User**. Choose the role appropriate for the users you're provisioning and select **Next**.
+1. The **Add role assignment** pane opens. In the **Role** list, search or scroll to find the roles **Chamber Admin** and **Chamber User**. Choose the role that's appropriate for the users you're provisioning, and then select **Next**.
- :::image type="content" source="./media/quickstart-create-portal/chamber-iam-03.png" alt-text="Screenshot of the Add role assignment page showing where you select the Role.":::
+ :::image type="content" source="./media/quickstart-create-portal/chamber-iam-03.png" alt-text="Screenshot of the Add role assignment page showing where you select the Role.":::
- 1. Leave the **Assign access to** default **User, group, or service principal**. Select **+ Select members**. In the **Select members** blade on the left side of the screen, search for your security principal by entering a string or scrolling through the list. Select your security principal. Select **Select** to save the selections.
+1. Leave the **Assign access to** default of **User, group, or service principal**. Choose **+ Select members**. On the **Select members** panel, search for your security principal by entering a string or scrolling through the list. Select your security principal, and then choose **Select**.
- :::image type="content" source="./media/quickstart-create-portal/chamber-iam-04.png" alt-text="Screenshot of the Add role assignment page showing where you select the security principal.":::
+ :::image type="content" source="./media/quickstart-create-portal/chamber-iam-04.png" alt-text="Screenshot of the pane for adding a role assignment and selecting a security principal.":::
- 1. Select **Review + assign** to assign the selected role.
+1. Select **Review + assign** to assign the selected role.
- 1. Repeat steps 1-6 to allow more users access to the chamber as **Chamber User** or **Chamber Admin** role.
+1. Repeat steps 1 to 6 to allow more users access to the chamber as the Chamber User or Chamber Admin role.
- > [!NOTE]
- > Allow 5 minutes for the provisioning of the users to propagate throughout the chamber so they have a successful login experience.
+ > [!NOTE]
+ > Allow five minutes for the provisioning of the users to propagate throughout the chamber, so they have a successful login experience.
## Remove access
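Review bot: The added opening sentence of "Assign access to perform workbench operations and access workloads" reads "assign them Azure roles assigned *at the chamber level*", which doubles the verb; suggest "assign them Azure roles *at the chamber level*". The section tells the reader to choose either Chamber User or Chamber Admin but does not say how the two differ, so a pointer to where the roles are described would help readers pick the narrower one.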
-When you need to remove user access to your chamber, you need to remove the **Chamber Admin** or **Chamber User** roles assigned to those users.
+When you want to remove user access to your chamber, you need to remove the Chamber Admin or Chamber User roles assigned to those users:
- 1. Navigate to the chamber you want to remove user access from. You must select and open your chamber, selecting 'myFirstChamber' as an example in following screenshot.
+1. Go to the chamber where you want to remove user access. Select **Chamber (preview)**, and then select and open your chamber. The following screenshot shows an example chamber named **myFirstChamber**.
- :::image type="content" source="./media/quickstart-create-portal/chamber-iam-01.png" alt-text="Screenshot of the global search to select your chamber.":::
+ :::image type="content" source="./media/quickstart-create-portal/chamber-iam-01.png" alt-text="Screenshot of the global search to select your chamber.":::
- 1. Confirm you are within the context of your chamber and select **Access control (IAM)** from the left side menu of **your chamber**.
+1. Confirm that you're within the context of your chamber and select **Access control (IAM)** from the left menu.
- 1. Select the checkbox next to any user role assignments you wish to remove, then select the **X Remove** icon.
+1. Select the checkbox next to any user role assignments that you want to remove, and then select the **X Remove** icon.
- 1. Select **yes** when prompted to confirm role assignment removal.
+1. When you're prompted to confirm role assignment removal, select **Yes**.
- > [!NOTE]
- > This will not immediately interrupt active remote desktop dashboard sessions, but will block future logins. To interrupt or block any active sessions, a connector restart is required. A connector restart will impact all active users and sessions so should be used with caution. It will not stop any active jobs running on the workloads.
+> [!NOTE]
+> This procedure won't immediately interrupt active remote desktop dashboard sessions, but it will block future logins. To interrupt or block any active sessions, you must restart the connector. A connector restart will affect all active users and sessions, so use it with caution. It won't stop any active jobs that are running on the workloads.
## Next steps
-To learn how to set up networking for an Azure Modeling and Simulation Workbench chamber, check out [Set up Networking.](./how-to-guide-set-up-networking.md)
+To learn how to set up networking for an Azure Modeling and Simulation Workbench chamber, see [Set up networking](./how-to-guide-set-up-networking.md).
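Review bot: The closing callout in "Remove access" describes a revocation gap (removing the role "won't immediately interrupt active remote desktop dashboard sessions, but it will block future logins") yet stays a NOTE; a reader removing access for security reasons needs to see that ending live sessions requires a connector restart, so suggest an IMPORTANT callout or a final numbered step such as "To end active sessions, restart the connector". The callout was also moved out of the step 4 indentation, so "This procedure" now carries the whole reference; "Removing a role assignment" would be more explicit.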
modeling-simulation-workbench How To Guide Set Up Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-set-up-networking.md
Title: Set up networking in Azure Modeling and Simulation Workbench
-description: In this how-to guide, you learn how to set up networking for a Modeling and Simulation Workbench connector.
+description: In this how-to guide, you learn how to set up networking for an Azure Modeling and Simulation Workbench connector.
Last updated 01/01/2023
-# Customer intent: As a Modeling and Simulation Workbench Owner, I want to set up networking for chamber access.
+# Customer intent: As Workbench Owner in Azure Modeling and Simulation Workbench, I want to set up networking for chamber access.
# Set up networking in Azure Modeling and Simulation Workbench
-The Workbench allows users to customize networking to meet their security and business requirements. Users can connect to the workbench using allowlisted Public IP addresses or VPN/Express Route. Each chamber has a dedicated connector. Each connector can support either of the above-mentioned protocols to establish network access between an onboarding customer's on-premises or cloud environment and the workbench.
+In Azure Modeling and Simulation Workbench, you can customize networking to meet your security and business requirements. You can connect to the workbench by using one of these methods:
-## VPN or Azure Express Route
+- Allowlisted public IP addresses
+- A virtual private network (VPN) and/or Azure ExpressRoute
-If your organization has set up an Azure network to oversee user access to the workbench, you can enforce stringent controls over the VNet and Subnet addresses employed to establish connections to the chamber. When you create the connector, the Workbench Owner (Subscription Owner) can link a virtual network with a VPN gateway and/or Express Route gateway. This link ensures a secure connection between your on-premises network and the chamber.
+Each chamber has a dedicated connector. Each connector can support either of the previously mentioned protocols to establish network access between a customer's on-premises or cloud environment and the workbench.
-### Add VPN/Express Route connection
+## Add a VPN or ExpressRoute connection
-1. Before you create a [connector](./concept-connector.md) for Private IP networking via VPN or Azure Express Route, perform this role assignment. The Azure Modeling and Simulation Workbench needs **Network Contributor** role set for the resource group in which you are hosting your virtual network connected with ExpressRoute or VPN.
+If your organization set up an Azure network to oversee user access to the workbench, you can enforce stringent controls over the virtual network and subnet addresses employed to establish connections to the chamber.
+
+When you create the connector, the Workbench Owner (Subscription Owner) can link a virtual network with a VPN gateway and/or ExpressRoute gateway. This link provides a secure connection between your on-premises network and the chamber.
+
+To add a VPN or ExpressRoute connection:
+
+1. Before you create a [connector](./concept-connector.md) for private IP networking via VPN or ExpressRoute, perform this role assignment. Azure Modeling and Simulation Workbench needs the **Network Contributor** role set for the resource group in which you're hosting your virtual network connected with ExpressRoute or VPN.
| Setting | Value | | : | :-- |
- | Role | **Network Contributor** |
- | Assign access to | User, group, or service principal |
- | Members | Azure Modeling and Simulation Workbench |
-
-1. When you create your connector, specify **VPN** or **Express Route** as your method to connect to on-premises network.
+ | **Role** | **Network Contributor** |
+ | **Assign access to** | **User, group, or service principal** |
+ | **Members** | **Azure Modeling and Simulation Workbench** |
-1. A list of available vNet subnets within your subscription are shown. Select a non gateway subnet within the same virtual network with the gateway subnet for VPN gateway or Express Route gateway.
+1. When you create your connector, specify **VPN** or **ExpressRoute** as your method to connect to your on-premises network.
-## Allowlisted Public IP addresses
+1. A list of available virtual network subnets within your subscription appears. Select a non-gateway subnet within the same virtual network that has the gateway subnet for the VPN gateway or ExpressRoute gateway.
-For organizations that don't have an Azure network setup or prefer to onboard with Public IP, the Azure portal allows IP addresses to be allowlisted to connect into the chamber. To use this connectivity method, you need to specify at least one IP address for the connector object when you initially create the workbench. Workbench Owners and Chamber Admins can add to and edit the allowlisted Public addresses for a connector after the connector object is initially created.
+## Edit allowed public IP addresses
-### Edit Public IP addresses
+For organizations that don't have an Azure network set up or that prefer to use a public IP, the Azure portal allows IP addresses to be allowlisted to connect into the chamber. To use this connectivity method, you need to specify at least one IP address for the connector object when you create the workbench. Workbench Owners and Chamber Admins can add to and edit the allowlisted public addresses for a connector after the connector object is created.
-To edit the allowed IP addresses list:
+To edit the list of allowed IP addresses:
-1. Go to the **Networking** blade for the connector object in the Azure portal.
+1. In the Azure portal, go to the **Networking** pane for the connector object.
1. Select **Edit allowed IP**. From here, you can delete existing IP addresses or add new ones. 1. Select **Submit** to save your changes.
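Review bot: The new H2 "Edit allowed public IP addresses" now heads the paragraph that explains when to use public IP allowlisting and that at least one IP address must be specified when the workbench is created, so the heading covers less than the section does; the removed structure had "Allowlisted Public IP addresses" as the section with the edit steps beneath it. Suggest a heading that covers both the requirement and the edit steps. In the new introduction, "either of the previously mentioned protocols" refers to a bulleted list of connection methods, so "methods" would match the list.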
-1. Once submitted, refresh the view for connector networking and see your changes reflected.
+1. Refresh the view for connector networking and confirm that your changes appear.
- :::image type="content" source="./media/resources-troubleshoot/chamber-connector-networking-network-allowlist.png" alt-text="Screenshot of the Azure portal in a web browser, showing the chamber connector networking allowlist.":::
+ :::image type="content" source="./media/resources-troubleshoot/chamber-connector-networking-network-allowlist.png" alt-text="Screenshot of the Azure portal in a web browser, showing the allowlist for chamber connector networking.":::
-## Add redirect URIs for the application in Azure Active Directory
+## Add redirect URIs for the application in Microsoft Entra ID
-A *redirect URI* is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Each time you create a new connector, you need to register the *redirect URIs* for your application registration in Azure Active Directory.
+A *redirect URI* is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Each time you create a new connector, you need to register the redirect URIs for your application registration in Microsoft Entra ID.
Follow these steps to get redirect URIs:
-1. On the page for your new Modeling and Simulation Workbench workbench, select the left side menu **Connector**. Then select the connector shown from the right side resource list.
+1. On the page for your new workbench in Azure Modeling and Simulation Workbench, select **Connector** on the left menu. Then select the connector in the resource list.
-1. On the **Overview** page, locate and document the two connector properties, **Dashboard reply URL** and **Authentication reply URL**, using the copy to clipboard icon. If these properties aren't visible, select the **See More** button on page to expand the window.
+1. On the **Overview** page, locate and document the following two connector properties by using the **Copy to clipboard** icon. If these properties aren't visible, select the **See More** button to expand the window.
- **Dashboard reply URL**: For example, https://<*dashboardFqdn*>/etx/oauth2/code - **Authentication reply URL**: For example, https://<*authenticationFqdn*>/otdsws/login?authhandler=AzureOIDC
- :::image type="content" source="./media/quickstart-create-portal/update-aad-app-01.png" alt-text="Screenshot of the connector overview page showing where you select the reply URLs.":::
+ :::image type="content" source="./media/quickstart-create-portal/update-aad-app-01.png" alt-text="Screenshot of the connector overview page that shows where you select the reply URLs.":::
Follow these steps to add redirect URIs:
-1. In the Azure portal, in **Azure Active Directory** > **App registrations**, select the application you created in your Azure Active Directory.
+1. In the Azure portal, in **Azure Active Directory** > **App registrations**, select the application that you created in your Microsoft Entra ID instance.
1. Under **Manage**, select **Authentication**. 1. Under **Platform configurations**, select **Add a platform**.
-1. Under **Configure platforms**, select **Web** tile.
+1. Under **Configure platforms**, select the **Web** tile.
-1. On the **Configure Web** pane, paste the **Dashboard reply URL** you documented in the previous step. Then select **Configure**.
+1. On the **Configure Web** pane, paste the **Dashboard reply URL** value that you documented earlier. Then select **Configure**.
1. Under **Platform configurations** > **Web** > **Redirect URIs**, select **Add URI**.
-1. Paste the **Authentication reply URL** you documented in the previous step. Then select **Save**.
+1. Paste the **Authentication reply URL** value that you documented earlier. Then select **Save**.
- :::image type="content" source="./media/quickstart-create-portal/update-aad-app-02.png" alt-text="Screenshot of the Azure AD app Authentication page showing where you select the Redirect URIs.":::
+ :::image type="content" source="./media/quickstart-create-portal/update-aad-app-02.png" alt-text="Screenshot of the Microsoft Entra app authentication page that shows where you select redirect URIs.":::
## Next steps
-To learn how to import data into an Azure Modeling and Simulation Workbench chamber, check out [Import data.](./how-to-guide-upload-data.md)
+To learn how to import data into an Azure Modeling and Simulation Workbench chamber, see [Import data](./how-to-guide-upload-data.md).
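Review bot: The first step under "Follow these steps to add redirect URIs" still sends the reader to **Azure Active Directory** > **App registrations**, while the same sentence ends with "your Microsoft Entra ID instance" and the rest of this change uses the new name. Either rename the navigation label too, or say that the portal still shows the old label, so readers aren't looking for two different blades. The alt text on the last image was updated to "Microsoft Entra app authentication page", which makes the leftover label stand out more.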
modeling-simulation-workbench How To Guide Upload Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-upload-data.md
Title: Import data into Azure Modeling and Simulation Workbench
-description: Learn how to import data to chamber in Azure Modeling and Simulation Workbench
+description: Learn how to import data into a chamber in Azure Modeling and Simulation Workbench.
Last updated 01/01/2023
-# Customer intent: As a Modeling and Simulation Workbench Chamber User, I want to import data into my chamber
+# Customer intent: As a Chamber User in Azure Modeling and Simulation Workbench, I want to import data into my chamber.
# Import data into Azure Modeling and Simulation Workbench
-<! SCREENSHOT OF CHAMBER >
-
-Azure Modeling and Simulation Workbench (preview) allows you to run your design applications in a secure and managed environment in Azure. This article explains how to upload files/import data into a chamber.
+You can use Azure Modeling and Simulation Workbench to run your design applications in a secure and managed environment in Azure. This article explains how to upload files and import data into a chamber.
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- An instance of Modeling and Simulation Design Workbench installed with at least one chamber.-- User must be provisioned as a Chamber Admin or Chamber User.-- [AzCopy](/azure/storage/common/storage-ref-azcopy) installed on machine, with access to the configured network for the target chamber. Only machines on the specified network path for the chamber can upload files.
+- An instance of Azure Modeling and Simulation Design Workbench installed with at least one chamber.
+- A user who's provisioned as a Chamber Admin or Chamber User.
+- [AzCopy](/azure/storage/common/storage-ref-azcopy) installed on the machine, with access to the configured network for the target chamber. Only machines on the specified network path for the chamber can upload files.
-## Sign in to Azure portal
+## Sign in to the Azure portal
Open your web browser and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal.
-## Browse to Chamber and get upload URL
+## Browse to the chamber and get the upload URL
-1. Type *Modeling and Simulation Workbench* in the global search and select **Modeling and Simulation Workbench** under **Services**.
+1. Enter **Modeling and Simulation Workbench** in the global search. Then, under **Services**, select **Modeling and Simulation Workbench**.
-1. Select your Modeling and Simulation Workbench from the resource list.
+1. Select your workbench from the resource list.
-1. Select **Settings > Chamber** in the left side menu. A resource list displays. Select the chamber you want to upload the data to.
+1. On the left menu, select **Settings** > **Chamber**. A resource list appears. Select the chamber that you want to upload the data to.
-1. Select the **Upload File** button in the chamber overview section.
+1. In the chamber overview section, select the **Upload File** button.
-1. Copy the **Upload URL** in the Upload File popup.
+1. In the **Upload File** pop-up dialog, copy the **Upload URL** value.
-1. Use the AzCopy command to upload your file. For example, `azcopy copy <sourceFilePath> "<uploadURL>"`
+1. Use the AzCopy command to upload your file. For example, use `azcopy copy <sourceFilePath> "<uploadURL>"`.
- > [!NOTE]
- > Supported filename characters are alphanumerics, underscores, periods, and hyphens.
- > Data pipeline will only process files at root, it will not process sub-folders.
+ > [!NOTE]
+ > Supported characters for the file name are alphanumeric characters, underscores, periods, and hyphens.
+ >
+ > The data pipeline processes only files at the root. It doesn't process subfolders.
-1. The uploaded file resource with the source filename displays under **Chamber | Data Pipeline | File**.
+1. Confirm that the uploaded file resource with the source file name appears under **Chamber** > **Data Pipeline** > **File**.
-1. The Chamber Admin and Users can access the uploaded file from the chamber by accessing the path: */mount/datapipeline/datain*.
+A Chamber Admin or Chamber User can access the uploaded file from the chamber by accessing the following path: */mount/datapipeline/datain*.
- > [!IMPORTANT]
- >
- > If you're importing multiple smaller files, it's recommended to zip or tarball them into a single file.
- >
- > GB sized tarballs/zipped files are supported, depending on your connection type and network speed.
+> [!IMPORTANT]
+> If you're importing multiple smaller files, we recommend that you zip or tarball them into a single file. Gigabyte-sized tarballs and zipped files are supported, depending on your connection type and network speed.
## Next steps
-To learn how to export data from an Azure Modeling and Simulation Workbench chamber, check out [Export data.](./how-to-guide-download-data.md)
+To learn how to export data from an Azure Modeling and Simulation Workbench chamber, see [Export data](./how-to-guide-download-data.md).
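Review bot: The new prerequisite reads "An instance of Azure Modeling and Simulation Design Workbench", but every other line in this change calls the product "Azure Modeling and Simulation Workbench"; drop "Design" unless it is a distinct resource type. The introduction also loses "(preview)" without any other line saying the service left preview, so please confirm that was intended. Moving the `/mount/datapipeline/datain` sentence out of the numbered list is fine, but it now sits between the list and the `[!IMPORTANT]` block with nothing tying it to the upload steps; a short lead-in such as "After the upload finishes" would keep the sequence clear.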
postgresql Concepts Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-networking.md
The hub is a virtual network that acts as a central location for managing extern
The spokes are also virtual networks in Azure, used to isolate individual workloads. The traffic flow between the on-premises headquarters and Azure is connected through ExpressRoute or Site to Site VPN, connected to the hub virtual network. The virtual networks from the spokes to the hub are peered, and enable communication to on-premises resources. You can implement the hub and each spoke in separate subscriptions or resource groups.
-There are two main patterns for connecting spoke virtual networks to each other:
+There are three main patterns for connecting spoke virtual networks to each other:
-* Spokes directly connected to each other. Virtual network peerings or VPN tunnels are created between the spoke virtual networks to provide direct connectivity without traversing the hub virtual network.
-* Spokes communicate over a network appliance. Each spoke virtual network has a peering to Virtual WAN or to a hub virtual network. An appliance routes traffic from spoke to spoke. The appliance can be managed by Microsoft (as with Virtual WAN) or by you.
+* **Spokes directly connected to each other**. Virtual network peerings or VPN tunnels are created between the spoke virtual networks to provide direct connectivity without traversing the hub virtual network.
+* **Spokes communicate over a network appliance**. Each spoke virtual network has a peering to Virtual WAN or to a hub virtual network. An appliance routes traffic from spoke to spoke. The appliance can be managed by Microsoft (as with Virtual WAN) or by you.
+* **Virtual Network Gateway attached to the hub network and make use of User Defined Routes (UDR)**, to enable communication between the spokes.
:::image type="content" source="./media/how-to-manage-virtual-network-portal/hub-spoke-architecture.png" alt-text="Diagram that shows basic hub and spoke architecture with hybrid connectivity via Express Hub.":::
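Review bot: The count was changed to "three main patterns", but the added third bullet is not parallel with the first two and does not say what it does: "Virtual Network Gateway attached to the hub network and make use of User Defined Routes (UDR), to enable communication between the spokes" has no subject for "make use of", and it lacks the explanatory sentence the other bullets have. Suggest a bold title in the same style followed by one sentence that states where the routes are applied and that spoke-to-spoke traffic traverses the gateway in the hub, so readers can tell which device is in the path of their database traffic.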
reliability Cross Region Replication Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/cross-region-replication-azure.md
The table below lists Azure regions without a region pair:
|--|-| | Qatar | Qatar Central | | Poland | Poland Central |
-| Israel | Israel Central |
-| Italy | Italy North |
+| Israel | Israel Central (Coming soon)|
+| Italy | Italy North (Coming soon)|
| Austria | Austria East (Coming soon) | | Spain | Spain Central (Coming soon) | ## Next steps
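Review bot: The two changed rows move Israel Central and Italy North from listed regions to "(Coming soon)", which reverses what the previous revision stated; please confirm this is a correction and not a stale edit, because readers use this table to plan replication. The new cells are also written as `(Coming soon)|` with no space before the closing pipe, unlike the Austria and Spain rows below them.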
reliability Reliability App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/reliability-app-service.md
By distributing your applications across multiple availability zones, you can en
# [Azure Resource Graph](#tab/graph) -
Availability zone support is only available on certain App Service plans. To see
# [Azure Resource Graph](#tab/graph) -
It's recommended that you enable autoscale/automatic scaling for your Azure App
# [Azure Resource Graph](#tab/graph) -
sap Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/tutorial.md
A valid SAP user account (SAP-User or S-User account) with software download pri
git clone https://github.com/Azure/sap-automation-samples.git samples cp -Rp samples/Terraform/WORKSPACES ~/Azure_SAP_Automated_Deployment/WORKSPACES
-
+ ``` 1. Optionally, validate the versions of Terraform and the Azure CLI available on your instance of Cloud Shell.
If you don't assign the User Access Administrator role to the service principal,
management_bastion_subnet_address_prefix = "10.10.20.128/26" bastion_deployment = true -
+ # deployer_enable_public_ip controls if the deployer Virtual machines will have Public IPs
deployer_enable_public_ip = true
-
+
+ # deployer_count defines how many deployer VMs will be deployed
+ deployer_count = 1
+
+ # use_service_endpoint defines that the management subnets have service endpoints enabled
+ use_service_endpoint = true
+
+ # use_private_endpoint defines that the storage accounts and key vaults have private endpoints enabled
+ use_private_endpoint = false
+
+ # enable_firewall_for_keyvaults_and_storage defines that the storage accounts and key vaults have firewall enabled
+ enable_firewall_for_keyvaults_and_storage = false
+
+ ```
+
+ Note the Terraform variable file locations for future edits during deployment.
+
+1. Find the Terraform variable files for the SAP Library in the appropriate subfolder. For example, the `LIBRARY` Terraform variable file might look like this example:
+
+ ```terraform
+ # The environment value is a mandatory field, it is used for partitioning the environments, for example, PROD and NP.
+ environment = "MGMT"
+ # The location/region value is a mandatory field, it is used to control where the resources are deployed
+ location = "westeurope"
+
+ #Defines the DNS suffix for the resources
+ dns_label = "azure.contoso.net"
+
+ # use_private_endpoint defines that the storage accounts and key vaults have private endpoints enabled
+ use_private_endpoint = false
``` Note the Terraform variable file locations for future edits during deployment.
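Review bot: The added deployer sample documents each switch but sets every one to its least restrictive value: `deployer_enable_public_ip = true`, `use_private_endpoint = false`, and `enable_firewall_for_keyvaults_and_storage = false`, and the new `LIBRARY` sample repeats `use_private_endpoint = false`. Readers copy tutorial tfvars verbatim, so add a sentence that these values are for the walkthrough only and state which values a locked-down control plane should use, especially since the storage accounts and key vaults hold the Terraform state and the service principal secret. The sentence "Note the Terraform variable file locations for future edits during deployment." now appears twice, once after each sample; keep one.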
The sample SAP library configuration file `MGMT-NOEU-SAP_LIBRARY.tfvars` is in t
cd $CONFIG_REPO_PATH
- ${DEPLOYMENT_REPO_PATH}/deploy/scripts/deploy_controlplane.sh \
- --deployer_parameter_file DEPLOYER/${env_code}-${region_code}-DEP00-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars \
- --library_parameter_file LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars \
- --subscription "${subscriptionId}" \
- --spn_id "${spn_id}" \
- --spn_secret "${spn_secret}" \
- --tenant_id "${tenant_id}" \
+ ${DEPLOYMENT_REPO_PATH}/deploy/scripts/deploy_controlplane.sh \
+ --deployer_parameter_file DEPLOYER/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars \
+ --library_parameter_file LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars \
+ --subscription "${subscriptionId}" \
+ --spn_id "${spn_id}" \
+ --spn_secret "${spn_secret}" \
+ --tenant_id "${tenant_id}" \
--auto-approve ```
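Review bot: The `--deployer_parameter_file` path now uses `${vnet_code}` for the folder name where it previously had the literal `DEP00`, but nothing visible in this hunk sets `vnet_code`. Confirm the export block above this command defines it with the value that matches the sample folder name, otherwise the path expands with an empty segment and the script fails on a missing file. The remaining changed lines differ only in leading whitespace, which makes the one functional change easy to miss in review.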
The sample SAP library configuration file `MGMT-NOEU-SAP_LIBRARY.tfvars` is in t
The Terraform state file is now placed in the storage account whose name contains `tfstate`. The storage account has a container named `tfstate` with the deployer and library state files. The contents of the `tfstate` container after a successful control plane deployment are shown here.
- :::image type="content" source="media/tutorial/terraform-state-files.png" alt-text="Screenshot that shows the control plane tfstate files.":::
+ :::image type="content" source="media/tutorial/terraform-state-files.png" alt-text="Screenshot that shows the control plane terraform state files.":::
### Common issues and solutions
Here are some troubleshooting tips:
The file must contain the environment attribute!! ``` -- The following error is transient. Rerun the same command, `prepare_controlplane.sh`.
+- The following error is transient. Rerun the same command, `deploy_controlplane.sh`.
```text Error: file provisioner error
Here are some troubleshooting tips:
timeout - last error: dial tcp ``` -- If you have authentication issues directly after you run the script `prepare_controlplane.sh`, run this command:
+- If you have authentication issues directly after you run the script `deploy_controlplane.sh`, run this command:
```azurecli az logout
To connect to the deployer:
1. Connect to the virtual machine.
-To configure the deployer, run the following script:
-
-```bash
-
-mkdir -p ~/Azure_SAP_Automated_Deployment; cd $_
-
-git clone https://github.com/Azure/sap-automation.git sap-automation
-
-git clone https://github.com/Azure/sap-automation-samples.git samples
-
-cd sap-automation/deploy/scripts
-
-./configure_deployer.sh
-```
-
-The script installs Terraform and Ansible and configures the deployer.
The rest of the tasks must be executed on the deployer.
+## Securing the control plane
+
+The control plane is the most critical part of the SAP automation framework. It's important to secure the control plane. The following steps help you secure the control plane.
## Get SAP software by using the Bill of Materials The automation framework gives you tools to download software from SAP by using the SAP BOM. The software is downloaded to the SAP library, which acts as the archive for all media required to deploy SAP.
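Review bot: The new "Securing the control plane" section ends with "The following steps help you secure the control plane." and is followed directly by the next heading, so no steps are actually given. Either add the steps in this change or hold the heading back until they exist; a security section that promises guidance and delivers none is worse than no section. The same hunk removes the `configure_deployer.sh` instructions and the sentence about installing Terraform and Ansible, yet keeps "The rest of the tasks must be executed on the deployer.", so say where the deployer configuration now happens.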
For this example configuration, the resource group is `MGMT-NOEU-DEP00-INFRASTRU
The first time an environment is instantiated, a Service Principal must be registered. In this tutorial, the control plane is in the `MGMT` environment and the workload zone is in `DEV`. Therefore, a Service Principal must be registered for the `DEV` environment. ```bash
- export subscriptionId="<subscriptionId>"
- export spn_id="<appID>"
- export spn_secret="<password>"
- export tenant_id="<tenant>"
- export key_vault="<vaultID>"
- export env_code="DEV"
- export region_code="<region_code>"
+ export ARM_SUBSCRIPTION_ID="<subscriptionId>"
+ export ARM_CLIENT_ID="<appID>"
+ export ARM_CLIENT_SECRET="<password>"
+ export ARM_TENANT_ID="<tenant>"
+ export key_vault="<vaultName>"
+ export env_code="DEV"
+ export region_code="<region_code>"
+ export SAP_AUTOMATION_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation" export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES"
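Review bot: The `key_vault` placeholder changes from `<vaultID>` to `<vaultName>` here, but the workload zone block later in this file still shows `export key_vault="<vaultID>"`. Pick one and use it in both places, because a resource ID and a vault name are not interchangeable for the `--vault` and `--keyvault` arguments. Since the block now exports `ARM_CLIENT_SECRET` into the shell environment, a short line telling readers to unset it after the script finishes would be a reasonable addition.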
For this example configuration, the resource group is `MGMT-NOEU-DEP00-INFRASTRU
--environment "${env_code}" \ --region "${region_code}" \ --vault "${key_vault}" \
- --subscription "${subscriptionId}" \
- --spn_id "${spn_id}" \
- --spn_secret "${spn_secret}" \
- --tenant_id "${tenant_id}"
+ --subscription "${ARM_SUBSCRIPTION_ID}" \
+ --spn_id "${ARM_CLIENT_ID}" \
+ --spn_secret "${ARM_CLIENT_SECRET}" \
+ --tenant_id "${ARM_TENANT_ID}"
``` ## Prepare the workload zone deployment
Use the [install_workloadzone](bash/install-workloadzone.md) script to deploy th
export sap_env_code="DEV" export region_code="<region_code>" export key_vault="<vaultID>"
-
+ export deployer_vnet_code="DEP01" export vnet_code="SAP02"
-
+ export ARM_SUBSCRIPTION_ID="<subscriptionId>" export ARM_CLIENT_ID="<appId>" export ARM_CLIENT_SECRET="<password>" export ARM_TENANT_ID="<tenantId>"
-
+ cd ~/Azure_SAP_Automated_Deployment/WORKSPACES/LANDSCAPE/${sap_env_code}-${region_code}-SAP01-INFRASTRUCTURE
-
+ export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES" export SAP_AUTOMATION_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
-
+ az login --service-principal -u "${ARM_CLIENT_ID}" -p="${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
-
+ cd "${CONFIG_REPO_PATH}/LANDSCAPE/${sap_env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE" parameterFile="${sap_env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars" deployerState="${deployer_env_code}-${region_code}-${deployer_vnet_code}-INFRASTRUCTURE.terraform.tfstate"
-
+ $SAP_AUTOMATION_REPO_PATH/deploy/scripts/install_workloadzone.sh \ --parameterfile "${parameterFile}" \
- --deployer_environment "${deployer_env_code}" \
+ --deployer_environment "${deployer_env_code}" \
--deployer_tfstate_key "${deployerState}" \ --keyvault "${key_vault}" \ --storageaccountname "${tfstate_storage_account}" \
sap Provider Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/monitor/provider-linux.md
Title: Configure Linux provider for Azure Monitor for SAP solutions
+ Title: Configure Linux provider for Azure Monitor for SAP solutions
description: This article explains how to configure a Linux OS provider for Azure Monitor for SAP solutions.
In this how-to guide, you learn how to create a Linux OS provider for Azure Moni
- An Azure subscription. - An existing Azure Monitor for SAP solutions resource. To create an Azure Monitor for SAP solutions resource, see the [quickstart for the Azure portal](quickstart-portal.md) or the [quickstart for PowerShell](quickstart-powershell.md). - Install the [node exporter latest version](https://prometheus.io/download/#node_exporter) in each SAP host that you want to monitor, either BareMetal or Azure virtual machine (VM). For more information, see the [node exporter GitHub repository](https://github.com/prometheus/node_exporter).
+- Node exporter uses the default port 9100 to expose the metrics. If you want to use a custom port, make sure to open the port in the firewall and use the same port while creating the provider.
+- Default port 9100 or custom port that will be configured for node exporter should be open and listening on the Linux host.
To install the node exporter on Linux:
-1. Run `wget https://github.com/prometheus/node_exporter/releases/download/v*/node_exporter-*.*-amd64.tar.gz`. Replace `*` with the version number.
+Right click on the relevant node exporter version for linux from https://prometheus.io/download/#node_exporter and copy the link address which will be used in the below command.
+For example - https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz
-1. Run `tar xvfz node_exporter-*.*-amd64.tar.gz`.
+1. Change to the directory where you want to install the node exporter.
+1. Run `wget https://github.com/prometheus/node_exporter/releases/download/v<xxx>/node_exporter-<xxx>.linux-amd64.tar.gz`. Replace `xxx` with the version number.
-1. Run `cd node_exporter-*.*-amd64`.
+1. Run `tar xvfz node_exporter-<xxx>.linux-amd64.tar.gz`
+
+1. Run `cd node_exporter-<xxx>linux-amd64`
1. Run `./node_exporter`.
+1. Run `./node_exporter --web.listen-address=":9100" &`
+ 1. The node exporter now starts collecting data. You can export the data at `http://IP:9100/metrics`. ## Script to set up the node exporter ```shell # To get the latest node exporter version from: https://prometheus.io/download/#node_exporter
-wget https://github.com/prometheus/node_exporter/releases/download/v*/node_exporter-*.*-amd64.tar.gz
-tar xvfz node_exporter-*.*-amd64.tar.gz
-if [[ "$(grep '^ID=' /etc/*-release)" == *"rhel"* ]]; then
- echo "Open firewall port 9100 on the Linux host"
- yum install firewalld -y
- systemctl start firewalld
- firewall-cmd --zone=public --permanent --add-port 9100/tcp
-else
- sudo ufw allow 9100/tcp
- sudo ufw reload
-fi
-
-cd node_exporter-*.*-amd64
+# Right click on the linux node exporter version and copy the link address which will be used in the below command. For example - https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz
+# Change to the directory where you want to install the node exporter.
+
+wget https://github.com/prometheus/node_exporter/releases/download/v<xxx>/node_exporter-<xxx>.linux-amd64.tar.gz
+tar xvfz node_exporter-<xxx>.linux-amd64.tar.gz
+cd node_exporter-<xxx>linux-amd64
nohup ./node_exporter --web.listen-address=":9100" & ```
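Review bot: The directory name in `cd node_exporter-<xxx>linux-amd64` is missing the dot before `linux`, in both the numbered steps and the script, so it does not match the archive `node_exporter-<xxx>.linux-amd64.tar.gz` that the previous line extracts and the `cd` fails. The numbered list also keeps the old step "Run `./node_exporter`" and adds "Run `./node_exporter --web.listen-address=":9100" &`" right after it; the first command blocks the terminal and holds the port, so the second should replace it. The two new prerequisite bullets both say the port must be open and can be merged. Two further suggestions: the script no longer opens the firewall port, so state where that is now done, and since the binary is downloaded with `wget` and run directly, add a step to compare the archive against the `sha256sums.txt` file published with the release.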
nohup ./node_exporter --web.listen-address=":9100" &
1. If the target VM is restarted or stopped, node exporter is also stopped. It must be manually started again to continue monitoring. 1. Run the `sudo crontab -e` command to open a cron file.
-1. Add the command `@reboot cd /path/to/node/exporter && nohup ./node_exporter &` at the end of the cron file. This starts node exporter on a VM reboot.
+1. Add the command `@reboot cd <"add path of node exporter"> && nohup ./node_exporter &` at the end of cron file. This starts node exporter on VM reboot.
```shell # If you do not have a crontab file already, create one by running the command: sudo crontab -e sudo crontab -l > crontab_new
- echo "@reboot cd /path/to/node/exporter && nohup ./node_exporter &" >> crontab_new
+ echo "@reboot cd <"add path of node exporter"> && nohup ./node_exporter &" >> crontab_new
sudo crontab crontab_new sudo rm crontab_new ```
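Review bot: The new placeholder `<"add path of node exporter">` is embedded inside a double-quoted `echo` string, so its inner quotes close and reopen the string and are dropped from what gets written to `crontab_new`. A reader who substitutes a path but keeps the angle brackets ends up with `<` and `>` in the cron command line, which the shell treats as redirections. The previous `/path/to/node/exporter` form had neither problem; suggest keeping that style of placeholder. Because the entry is installed with `sudo crontab`, the exporter starts as root at boot; consider saying whether a dedicated unprivileged account is acceptable here.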
To [enable TLS 1.2 or higher](enable-tls-azure-monitor-sap-solutions.md), follow
1. Select **Add provider**. 1. Configure the following settings for the new provider: 1. For **Type**, select **OS (Linux)**.
- 1. For **Name**, enter a name that will be the identifier for the BareMetal instance.
+ 1. For **Name**, enter a unique name of the provider.
1. (Optional) Select **Enable secure communication**, choose a certificate type.
- 1. For **Node Exporter Endpoint**, enter `http://IP:9100/metrics`.
+ 1. For **Node Exporter Endpoint**, enter `http://IP:9100/metrics` if default port 9100 is used. If a custom port is used, enter `http://IP:PORT/metrics`. Replace `IP` with the IP address of the Linux host and `PORT` with the custom port number.
1. For the IP address, use the private IP address of the Linux host. Make sure the host and Azure Monitor for SAP solutions resource are in the same virtual network. 1. Open firewall port 9100 on the Linux host. 1. If you're using `firewall-cmd`, run `_firewall-cmd_ _--permanent_ _--add-port=9100/tcp_ ` and then run `_firewall-cmd_ _--reload_`.
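Review bot: The **Node Exporter Endpoint** step now allows a custom port, but the unchanged steps right after it still say "Open firewall port 9100 on the Linux host" and hard-code `9100/tcp` in the `firewall-cmd` command. Update those to refer to the configured port so the two steps agree. The commands in that context line are also wrapped in underscores inside backticks (`_firewall-cmd_ _--permanent_`), which renders the underscores literally and breaks copy and paste; worth fixing while this list is being touched.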
Use these steps to resolve common errors.
When the provider settings validation operation fails with the code `PrometheusURLConnectionFailure`:
-1. Open firewall port 9100 on the Linux host.
- 1. If you're using `firewall-cmd`, run `_firewall-cmd_ _--permanent_ _--add-port=9100/tcp_ ` and then run `_firewall-cmd_ _--reload_`.
- 1. If you're using `ufw`, run `_ufw_ _allow_ _9100/tcp_` and then run `_ufw_ _reload_`.
+1. Check the default port 9100 or custom port that is configured for node exporter is open and listening on the Linux host.
1. Try to restart the node exporter agent:
- 1. Go to the folder where you installed the node exporter. The file name resembles `node_exporter-*.*-amd64`.
+ 1. Go to the folder where you installed the node exporter (the file name resembles `node_exporter-<xxxx>-amd64`).
1. Run `./node_exporter`.
- 1. Adding `nohup` and `&` to the preceding command decouples `node_exporter` from the Linux machine command line. If they're not included, `node_exporter` stops when the command line is closed.
+ 1. Run `nohup ./node_exporter &` command to enable node_exporter. Adding nohup and & to above command decouples the node_exporter from linux machine commandline. If not included node_exporter would stop when the commandline is closed.
1. Verify that the Prometheus endpoint is reachable from the subnet that you provided when you created the Azure Monitor for SAP solutions resource. ## Suggestion
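Review bot: The replacement for the removed firewall steps, "Check the default port 9100 or custom port that is configured for node exporter is open and listening", tells the reader what to check but no longer how; the deleted `firewall-cmd` and `ufw` commands were the only concrete guidance for `PrometheusURLConnectionFailure`. Keep at least one command per firewall tool, parameterized on the port. The restart sub-steps now list "Run `./node_exporter`" followed by "Run `nohup ./node_exporter &`" as if both should be executed; make the second a replacement for the first. The folder pattern `node_exporter-<xxxx>-amd64` also differs from the `node_exporter-<xxx>.linux-amd64` name used in the install steps.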
sap Virtual Machine Scale Set Sap Deployment Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/virtual-machine-scale-set-sap-deployment-guide.md
Previously updated : 06/30/2023 Last updated : 09/25/2023 # Virtual Machine Scale Sets for SAP workload
az vmss create -n $VMSSName -g $RGName -l $Location --orchestration-mode flexibl
# Create flexible scale set for deployment of SAP workload in a single zone of a region with platform fault domain count set to 1 # Make sure you include --zones in a region with availability zones, even if you want to deploy all component on a single zone
-az vmss create -n $VMSSName -g $RGName -l $Location --orchestration-mode flexible --zones {1} --platform-fault-domain-count 1
+az vmss create -n $VMSSName -g $RGName -l $Location --orchestration-mode flexible --zones 1 --platform-fault-domain-count 1
# Create flexible scale set for deployment of SAP workload in a region with no zones with platform fault domain count set to 1 az vmss create -n $VMSSName -g $RGName -l $Location --orchestration-mode flexible --platform-fault-domain-count 1
search Search How To Create Search Index https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-how-to-create-search-index.md
Previously updated : 05/05/2023 Last updated : 09/25/2023 # Create an index in Azure Cognitive Search In Azure Cognitive Search, query requests target the searchable text in a [**search index**](search-what-is-an-index.md).
-In this article, learn the steps for defining and publishing a search index. Creating an index establishes the physical data structure (folders and files) on your search service. Once the index definition exists, [**loading the index**](search-what-is-data-import.md) follows as a separate task.
+In this article, learn the steps for defining and publishing a search index. Creating an index establishes the physical data structures on your search service. Once the index definition exists, [**loading the index**](search-what-is-data-import.md) follows as a separate task.
## Prerequisites
-+ Write permissions on the search service. Permission can be granted through an [admin API key](search-security-api-keys.md) on the request. Alternatively, if you're using [role-based access control](search-security-rbac.md), you can issue your request as a member of the Search Contributor role.
++ Write permissions. Permission can be granted through an [admin API key](search-security-api-keys.md) on the request. Alternatively, if you're using [role-based access control](search-security-rbac.md), send a request as a member of the Search Contributor role.
-+ An external data source that provides the content to be indexed. You should refer to the data source to understand the schema requirements of your search index. Index creation is largely a schema definition exercise. Before creating one, you should have:
++ An understanding of the data you want to index. Creating an index is a schema definition exercise, so you should have a clear idea of which source fields you want to make searchable, retrievable, filterable, facetable, and sortable (see the [schema checklist](#schema-checklist) for guidance).
- + A clear idea of which source fields you want to make searchable, retrievable, filterable, facetable, and sortable in the search index (see the [schema checklist](#schema-checklist) for guidance).
+ You must also have a unique field in source data that can be used as the [document key (or ID)](#document-keys) in the index.
- + A unique field in source data that can be used as the [document key (or ID)](#document-keys) in the index.
++ A stable index location. Moving an existing index to a different search service isn't supported out-of-the-box. Revisit application requirements and make sure that your existing search service, its capacity and location, are sufficient for your needs.
-+ A stable index location. Moving an existing index to a different search service is not supported out-of-the-box. Revisit application requirements and make sure that your existing search service, its capacity and location, are sufficient for your needs.
-
-+ Finally, all service tiers have [index limits](search-limits-quotas-capacity.md#index-limits) on the number of objects that you can create. For example, if you are experimenting on the Free tier, you can only have 3 indexes at any given time. Within the index itself, there are limits on the number of complex fields and collections.
++ Finally, all service tiers have [index limits](search-limits-quotas-capacity.md#index-limits) on the number of objects that you can create. For example, if you're experimenting on the Free tier, you can only have three indexes at any given time. Within the index itself, there are limits on the number of complex fields and collections. ## Document keys
-A search index has one required field: a document key. A document key is the unique identifier of a search document. In Azure Cognitive Search, it must be a string, and it must originate from unique values in the data source that's providing the content to be indexed. A search service does not generate key values, but in some scenarios (such as the [Azure Table indexer](search-howto-indexing-azure-tables.md)) it will synthesize existing values to create a unique key for the documents being indexed.
+A search index has one required field: a document key. A document key is the unique identifier of a search document. In Azure Cognitive Search, it must be a string, and it must originate from unique values in the data source that's providing the content to be indexed. A search service doesn't generate key values, but in some scenarios (such as the [Azure Table indexer](search-howto-indexing-azure-tables.md)) it synthesizes existing values to create a unique key for the documents being indexed.
-During incremental indexing, where just new and updated content is indexed, incoming documents with new keys are added, while incoming documents with existing keys are either merged or overwritten, depending on whether index fields are null or populated.
+During incremental indexing, where new and updated content is indexed, incoming documents with new keys are added, while incoming documents with existing keys are either merged or overwritten, depending on whether index fields are null or populated.
## Schema checklist
Use this checklist to assist the design decisions for your search index.
1. Review [naming conventions](/rest/api/searchservice/naming-rules) so that index and field names conform to the naming rules.
-1. Review [supported data types](/rest/api/searchservice/supported-data-types). The data type will impact how the field is used. For example, numeric content is filterable but not full text searchable. The most common data type is `Edm.String` for searchable text, which is tokenized and queried using the full text search engine.
+1. Review [supported data types](/rest/api/searchservice/supported-data-types). The data type affects how the field is used. For example, numeric content is filterable but not full text searchable. The most common data type is `Edm.String` for searchable text, which is tokenized and queried using the full text search engine.
-1. Identify a [document key](#document-keys). A document key is an index requirement. It's a single string field and it will be populated from a source data field that contains unique values. For example, if you're indexing from Blob Storage, the metadata storage path is often used as the document key because it uniquely identifies each blob in the container.
+1. Identify a [document key](#document-keys). A document key is an index requirement. It's a single string field and it's populated from a source data field that contains unique values. For example, if you're indexing from Blob Storage, the metadata storage path is often used as the document key because it uniquely identifies each blob in the container.
-1. Identify the fields in your data source that will contribute searchable content in the index. Searchable content includes short or long strings that are queried using the full text search engine. If the content is verbose (small phrases or bigger chunks), experiment with different analyzers to see how the text is tokenized.
+1. Identify the fields in your data source that contribute searchable content in the index. Searchable content includes short or long strings that are queried using the full text search engine. If the content is verbose (small phrases or bigger chunks), experiment with different analyzers to see how the text is tokenized.
- [Field attribute assignments](search-what-is-an-index.md#index-attributes) will determine both search behaviors and the physical representation of your index on the search service. Determining how fields should be specified is an iterative process for many customers. To speed up iterations, start with sample data so that you can drop and rebuild easily.
+ [Field attribute assignments](search-what-is-an-index.md#index-attributes) determine both search behaviors and the physical representation of your index on the search service. Determining how fields should be specified is an iterative process for many customers. To speed up iterations, start with sample data so that you can drop and rebuild easily.
1. Identify which source fields can be used as filters. Numeric content and short text fields, particularly those with repeating values, are good choices. When working with filters, remember:
Use this checklist to assist the design decisions for your search index.
+ Filterable fields are returned in arbitrary order, so consider making them sortable as well.
-1. Determine whether you'll use the default analyzer (`"analyzer": null`) or a different analyzer. [Analyzers](search-analyzers.md) are used to tokenize text fields during indexing and query execution. If strings are descriptive and semantically rich, or if you have translated strings, consider overriding the default with a [language analyzer](index-add-language-analyzers.md).
+1. Determine whether to use the default analyzer (`"analyzer": null`) or a different analyzer. [Analyzers](search-analyzers.md) are used to tokenize text fields during indexing and query execution. If strings are descriptive and semantically rich, or if you have translated strings, consider overriding the default with a [language analyzer](index-add-language-analyzers.md).
> [!NOTE] > Full text search is conducted over terms that are tokenized during indexing. If your queries fail to return the results you expect, [test for tokenization](/rest/api/searchservice/test-analyzer) to verify the string actually exists. You can try different analyzers on strings to see how tokens are produced for various analyzers.
For Cognitive Search, the Azure SDKs implement generally available features. As
## Set `corsOptions` for cross-origin queries
-Index schemas include a section for setting `corsOptions`. Client-side JavaScript cannot call any APIs by default since the browser will prevent all cross-origin requests. To allow cross-origin queries to your index, enable CORS (Cross-Origin Resource Sharing) by setting the **corsOptions** attribute. For security reasons, only [query APIs](search-query-create.md#choose-query-methods) support CORS.
+Index schemas include a section for setting `corsOptions`. By default, client-side JavaScript can't call any APIs because browsers prevent all cross-origin requests. To allow cross-origin queries through to your index, enable CORS (Cross-Origin Resource Sharing) by setting the **corsOptions** attribute. For security reasons, only [query APIs](search-query-create.md#choose-query-methods) support CORS.
```json "corsOptions": {
Index schemas include a section for setting `corsOptions`. Client-side JavaScrip
The following properties can be set for CORS:
-+ **allowedOrigins** (required): This is a list of origins that will be granted access to your index. This means that any JavaScript code served from those origins will be allowed to query your index (assuming it provides the correct api-key). Each origin is typically of the form `protocol://<fully-qualified-domain-name>:<port>` although `<port>` is often omitted. See [Cross-origin resource sharing (Wikipedia)](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) for more details.
++ **allowedOrigins** (required): This is a list of origins that are allowed access to your index. JavaScript code served from these origins is allowed to query your index (assuming the caller provides a valid key or has permissions). Each origin is typically of the form `protocol://<fully-qualified-domain-name>:<port>` although `<port>` is often omitted. For more information, see [Cross-origin resource sharing (Wikipedia)](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing).
- If you want to allow access to all origins, include `*` as a single item in the **allowedOrigins** array. *This is not a recommended practice for production search services* but it is often useful for development and debugging.
+ If you want to allow access to all origins, include `*` as a single item in the **allowedOrigins** array. *This isn't a recommended practice for production search services* but it's often useful for development and debugging.
-+ **maxAgeInSeconds** (optional): Browsers use this value to determine the duration (in seconds) to cache CORS preflight responses. This must be a non-negative integer. The larger this value is, the better performance will be, but the longer it will take for CORS policy changes to take effect. If it is not set, a default duration of 5 minutes will be used.
++ **maxAgeInSeconds** (optional): Browsers use this value to determine the duration (in seconds) to cache CORS preflight responses. This must be a non-negative integer. A longer cache period delivers better performance, but it extends the amount of time a CORS policy needs to take effect. If this value isn't set, a default duration of five minutes is used. ## Allowed updates on existing indexes
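Review bot: The wildcard paragraph under **allowedOrigins** still says only that `*` "isn't a recommended practice for production search services" without giving the reason, and the reworded parenthetical "(assuming the caller provides a valid key or has permissions)" can be read as if the key makes the origin list unimportant. Suggest one sentence saying that with `*`, script served from any site can send queries with whatever key it holds, and naming which permissions are meant.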
To minimize churn in the design process, the following table describes which ele
| Field names and types | No | | Field attributes (searchable, filterable, facetable, sortable) | No | | Field attribute (retrievable) | Yes |
-| [Analyzer](search-analyzers.md) | You can add and modify custom analyzers in the index. Regarding analyzer assignments on string fields, you can only modify "searchAnalyzer". All other assignments and modifications require a rebuild. |
+| [Analyzer](search-analyzers.md) | You can add and modify custom analyzers in the index. Regarding analyzer assignments on string fields, you can only modify `searchAnalyzer`. All other assignments and modifications require a rebuild. |
| [Scoring profiles](index-add-scoring-profiles.md) | Yes | | [Suggesters](index-add-suggesters.md) | No | | [cross-origin remote scripting (CORS)](#corsoptions) | Yes |
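Review bot: The CORS row in this table expands the acronym as "cross-origin remote scripting", while the section reworded earlier in this change defines it as "Cross-Origin Resource Sharing"; since the table is already being touched for the `searchAnalyzer` formatting, fix the row label too. Its link target `#corsoptions` should also be checked against the heading "Set `corsOptions` for cross-origin queries", which would normally produce a longer anchor.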
search Semantic How To Query Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/semantic-how-to-query-request.md
A *semantic configuration* is a section in your index that establishes field inp
You can only specify one title field, but you can specify as many content and keyword fields as you like. For content and keyword fields, list the fields in priority order because lower priority fields may get truncated.
-Across all configuration properties, fields must be:
+Across all semantic configuration properties, the fields you assign must be:
+ Attributed as `searchable` and `retrievable`. + Strings of type `Edm.String`, `Edm.ComplexType`, or `Collection(Edm.String)`.
security Customer Lockbox Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/customer-lockbox-overview.md
The following services are generally available for Customer Lockbox:
- Azure Kubernetes Service - Azure Logic Apps - Azure Monitor
+- Azure OpenAI
- Azure Spring Apps - Azure SQL Database - Azure SQL managed Instance
The following services are generally available for Customer Lockbox:
- Azure Unified Vision Service - Microsoft Azure Attestation - Azure Data Manager for Energy Preview-- OpenAI - Virtual machines in Azure (covering remote desktop access, access to memory dumps, and managed disks)
Customer Lockbox requests are also not triggered by external legal demands for d
Customer Lockbox is available for all customers who have an [Azure support plan](https://azure.microsoft.com/support/plans/) with a minimal level of **Developer**. You can enable Customer Lockbox from the [Administration module](https://aka.ms/customerlockbox/administration) in the Customer Lockbox blade.
-Customer Lockbox requests are initiated by a Microsoft engineer if this action is needed to progress a support case.
+Customer Lockbox requests are initiated by a Microsoft engineer if this action is needed to progress a support case.
sentinel Upload Indicators Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/upload-indicators-api.md
An upload indicators API call has five components:
In order to authenticate to Microsoft Sentinel, the request to the upload indicators API requires a valid Azure AD access token. For more information on application registration, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) or see the basic steps as part of the [upload indicators API data connector](connect-threat-intelligence-upload-api.md#register-an-azure-ad-application) setup.
+## Permissions
+
+This API requires the calling Azure AD application to be granted the Microsoft Sentinel contributor role at the workspace level.
+ ## Create the request This section covers the first three of the five components discussed earlier. You first need to acquire the access token from Azure AD, which you use to assemble your request message header.
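Review bot: The new Permissions section names the role but not how it relates to the token requirement in the paragraph above it: a reader can register the application, obtain a valid Azure AD access token, and still be missing the role assignment. Suggest saying explicitly that the token alone isn't sufficient, linking to where the role is assigned at the workspace, and using the role's exact display name so it can be found when assigning it.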
Create the array of indicators using the STIX 2.1 indicator format specification
|`id` (required)| string | An ID used to identify the indicator. See section [2.9](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_64yvzeku5a5c) for specifications on how to create an `id`. The format looks something like `indicator--<UUID>`| |`spec_version` (optional) | string | STIX indicator version. This value is required in the STIX specification, but since this API only supports STIX 2.0 and 2.1, when this field isn't set, the API will default to `2.1`| |`type` (required)| string | The value of this property *must* be `indicator`.|
+|`created` (required) | timestamp | See section [3.2](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx) for specifications of this common property.|
+|`modified` (required) | timestamp | See section [3.2](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx) for specifications of this common property.|
|`name` (optional)| string | A name used to identify the indicator.<br><br>Producers *should* provide this property to help products and analysts understand what this indicator actually does.| |`description` (optional) | string | A description that provides more details and context about the indicator, potentially including its purpose and its key characteristics.<br><br>Producers *should* provide this property to help products and analysts understand what this indicator actually does. | |`indicator_types` (optional) | list of strings | A set of categorizations for this indicator.<br><br>The values for this property *should* come from the [indicator-type-ov](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_cvhfwe3t9vuo) |
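Review bot: `created` and `modified` are added as required, but both rows only point to section 3.2, unlike the `id` row, which shows the expected shape inline. Suggest adding a short timestamp format example, and stating what happens to requests from existing callers that omit the two properties, since the `spec_version` row already describes a default being applied when a field the specification requires is missing.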
service-bus-messaging Message Deferral https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/message-deferral.md
Try the samples in the language of your choice to explore Azure Service Bus feat
See samples for the older .NET and Java client libraries here: - [Azure Service Bus client library samples for .NET (legacy)](https://github.com/Azure/azure-service-bus/tree/master/samples/DotNet/Microsoft.Azure.ServiceBus/) - See the **Deferral** sample. - [Azure Service Bus client library samples for Java (legacy)](https://github.com/Azure/azure-service-bus/tree/master/samples/Java/azure-servicebus/MessageBrowse)+
+## Related resources
+
+- [Tutorial showing the use of message deferral as a part of a workflow, using NServiceBus](https://docs.particular.net/tutorials/nservicebus-sagas/2-timeouts/)
service-bus-messaging Monitor Service Bus Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/monitor-service-bus-reference.md
Last updated 10/11/2022 - # Monitoring Azure Service Bus data reference See [Monitoring Azure Service Bus](monitor-service-bus.md) for details on collecting and analyzing monitoring data for Azure Service Bus.
This section lists the types of resource logs you can collect for Azure Service
- Operational logs - Virtual network and IP filtering logs
+- Runtime Audit logs
+
+Azure Service Bus now has the capability to dispatch logs to either of two destination tables - Azure Diagnostic or [Resource specific tables](~/articles/azure-monitor/essentials/resource-logs.md) in Log Analytics. You could use the toggle available on Azure portal to choose destination tables.
+ ### Operational logs Operational log entries include elements listed in the following table:
-| Name | Description |
-| - | - |
-| `ActivityId` | Internal ID, used to identify the specified activity |
-| `EventName` | Operation name |
-| `ResourceId` | Azure Resource Manager resource ID |
-| `SubscriptionId` | Subscription ID |
-| `EventTimeString` | Operation time |
-| `EventProperties` | Operation properties |
-| `Status` | Operation status |
-| `Caller` | Caller of operation (the Azure portal or management client) |
-| `Category` | OperationalLogs |
+| Name | Description | Supported in AzureDiagnostics | Supported in AZMSOperationalLogs (Resource Specific table)|
+| - | - || |
+| `ActivityId` | Internal ID, used to identify the specified activity | Yes | Yes|
+| `EventName` | Operation name | Yes | Yes|
+| `ResourceId` | Azure Resource Manager resource ID | Yes | Yes|
+| `SubscriptionId` | Subscription ID | Yes | Yes|
+| `EventtimeString`| Operation Time | Yes | No|
+| `TimeGenerated [UTC]`|Time of executed operation (in UTC)| No | Yes|
+| `EventProperties` | Operation properties | Yes | Yes|
+| `Status` | Operation status | Yes | Yes|
+| `Caller` | Caller of operation (the Azure portal or management client) | Yes | Yes|
+| `Provider`|Name of Service emitting the logs e.g., ServiceBus | No | Yes|
+| `Type `| Type of logs emitted | No | Yes|
+| `Category`| Log Category | Yes | No|
Here's an example of an operational log JSON string:
+AzureDiagnostics:
+ ```json+ { "ActivityId": "0000000000-0000-0000-0000-00000000000000", "EventName": "Create Queue",
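Review bot: In the new four-column operational logs table, the field previously documented as `EventTimeString` is now spelled `EventtimeString`, and the `Type ` entry has a trailing space inside the code span; field names on this page get copied into queries, so keep the original casing and trim the space. The separator row `| - | - || |` has two cells without dashes and may not render as a four-column table. In the added paragraph, "You could use the toggle" should read "You can use the toggle".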
Here's an example of an operational log JSON string:
"Caller": "ServiceBus Client", "category": "OperationalLogs" }++
+```
+Resource specific table entry:
+
+```json
+
+{
+
+ "ActivityId": "0000000000-0000-0000-0000-00000000000000",
+ "EventName": "Retrieve Queue",
+ "resourceId": "/SUBSCRIPTIONS/<AZURE SUBSCRPTION ID>/RESOURCEGROUPS/<RESOURCE GROUP NAME>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<SERVICE BUS NAMESPACE NAME>",
+ "SubscriptionId": "0000000000-0000-0000-0000-00000000000000",
+ "TimeGenerated(UTC)": "9/28/2023 8:40:06 PM +00:00",
+ "EventProperties": "{\"SubscriptionId\":\"0000000000-0000-0000-0000-00000000000000\",\"Namespace\":\"mynamespace\",\"Via\":\"https://mynamespace.servicebus.windows.net/f8096791adb448579ee83d30e006a13e/?api-version=2016-07\",\"TrackingId\":\"5ee74c9e-72b5-4e98-97c4-08a62e56e221_G1\"}",
+ "Status": "Succeeded",
+ "Caller": "ServiceBus Client",
+ "type": "AZMSOperationalLogs",
+ "Provider" : "SERVICEBUS"
+
+}
+ ``` ### Events and operations captured in operational logs
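Review bot: The resource-specific example doesn't match the table it illustrates: the table lists `TimeGenerated [UTC]` and `Type`, but the JSON uses `"TimeGenerated(UTC)"` and `"type"`, and `"resourceId"` is lower case where the table has `ResourceId`. Use the spelling the table actually exposes so that queries written from this page resolve. The placeholder `<AZURE SUBSCRPTION ID>` is also misspelled.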
Operational logs capture all management operations that are performed on the Azu
The following management operations are captured in operational logs:
-| Scope | Operation|
-|-| -- |
-| `Namespace` | <ul> <li> Create Namespace</li> <li> Update Namespace </li> <li> Delete Namespace </li> <li> Update Namespace SharedAccess Policy </li> </ul> |
-| `Queue` | <ul> <li> Create Queue</li> <li> Update Queue</li> <li> Delete Queue </li> <li> AutoDelete Delete Queue </li> </ul> |
-| `Topic` | <ul> <li> Create Topic </li> <li> Update Topic </li> <li> Delete Topic </li> <li> AutoDelete Delete Topic </li> </ul> |
-| `Subscription` | <ul> <li> Create Subscription </li> <li> Update Subscription </li> <li> Delete Subscription </li> <li> AutoDelete Delete Subscription </li> </ul> |
+| Scope | Operation |
+|-|--|
+| Namespace | - Create Namespace<br>- Update Namespace<br>- Delete Namespace<br>- Update Namespace<br>- Retrieve Namespace<br>- SharedAccess Policy |
+| Queue | - Create Queue<br>- Update Queue<br>- Delete Queue<br>- AutoDelete Delete Queue<br>- Retrieve Queue |
+| Topic | - Create Topic<br>- Update Topic<br>- Delete Topic<br>- AutoDelete Delete Topic<br>- Retrieve Topic |
+| Subscription | - Create Subscription<br>- Update Subscription<br>- Delete Subscription<br>- AutoDelete Delete Subscription<br>- Retrieve Subscription |
+ > [!NOTE] > Currently, *Read* operations aren't tracked in the operational logs.
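Review bot: The new rows add Retrieve Namespace, Retrieve Queue, Retrieve Topic and Retrieve Subscription, yet the note directly after the table still says "Currently, *Read* operations aren't tracked in the operational logs", and the new sample entry uses `"EventName": "Retrieve Queue"`. One of the two needs to change. In the Namespace row, the original "Update Namespace SharedAccess Policy" item has been split into a second "Update Namespace" and a standalone "SharedAccess Policy"; restore it as one operation.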
The following management operations are captured in operational logs:
### Virtual network and IP filtering logs Service Bus virtual network (VNet) connection event JSON includes elements listed in the following table:
-| Name | Description |
-| | -- |
-| `SubscriptionId` | Azure subscription ID |
-| `NamespaceName` | Namespace name |
-| `IPAddress` | IP address of a client connecting to the Service Bus service |
-| `Action` | Action done by the Service Bus service when evaluating connection requests. Supported actions are **Accept Connection** and **Deny Connection**. |
-| `Reason` | Provides a reason why the action was done |
-| `Count` | Number of occurrences for the given action |
-| `ResourceId` | Azure Resource Manager resource ID. |
-| `Category` | ServiceBusVNetConnectionEvent |
+| Name | Description | Supported in Azure Diagnostics | Supported in AZMSVnetConnectionEvents (Resource specific table)
+| | -- || |
+| `SubscriptionId` | Azure subscription ID | Yes | Yes
+| `NamespaceName` | Namespace name | Yes | Yes
+| `IPAddress` | IP address of a client connecting to the Service Bus service | Yes | Yes
+| `AddressIP` | IP address of client connecting to service bus | Yes | Yes
+| `TimeGenerated [UTC]`|Time of executed operation (in UTC) | Yes | Yes
+| `Action` | Action done by the Service Bus service when evaluating connection requests. Supported actions are **Accept Connection** and **Deny Connection**. | Yes | Yes
+| `Reason` | Provides a reason why the action was done | Yes | Yes
+| `Count` | Number of occurrences for the given action | Yes | Yes
+| `ResourceId` | Azure Resource Manager resource ID. | Yes | Yes
+| `Category` | Log Category | Yes | No
+| `Provider`|Name of Service emitting the logs e.g., ServiceBus | No | Yes
+| `Type` | Type of Logs Emitted | No | Yes
> [!NOTE] > Virtual network logs are generated only if the namespace allows access from selected networks or from specific IP addresses (IP filter rules). Here's an example of a virtual network log JSON string:
+AzureDiagnostics;
```json { "SubscriptionId": "0000000-0000-0000-0000-000000000000",
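Review bot: The table now lists both `IPAddress` and `AddressIP` with near-identical descriptions and Yes in both columns, which leaves it unclear which column carries the client address in each destination; say which name belongs to AzureDiagnostics and which to AZMSVnetConnectionEvents. The new rows have no closing `|` and the separator row `| | -- || |` has cells without dashes, so the table may not render. The label `AzureDiagnostics;` should end with a colon like the other examples.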
Here's an example of a virtual network log JSON string:
"Category": "ServiceBusVNetConnectionEvent" } ```
+Resource specific table entry:
+```json
+{
+ "SubscriptionId": "0000000-0000-0000-0000-000000000000",
+ "NamespaceName": "namespace-name",
+ "AddressIp": "1.2.3.4",
+ "Action": "Accept Connection",
+ "Message": "IP is accepted by IPAddress filter.",
+ "Count": 1,
+ "ResourceId": "/SUBSCRIPTIONS/<AZURE SUBSCRPTION ID>/RESOURCEGROUPS/<RESOURCE GROUP NAME>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<SERVICE BUS NAMESPACE NAME>",
+ "Provider" : "SERVICEBUS",
+ "Type": "AZMSVNetConnectionEvents"
+}
+```
## Runtime audit logs Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.
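Review bot: The resource-specific VNet example uses `"AddressIp"` and `"Message"`, but the table spells the field `AddressIP` and documents `Reason`, not `Message`; it also gives the type as `AZMSVNetConnectionEvents` while the table header says AZMSVnetConnectionEvents. Align the example with the table, or add a `Message` row, so that alert rules on **Deny Connection** events reference columns that exist. `TimeGenerated [UTC]` is marked Yes for the resource-specific table but is absent from the example.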
Runtime audit logs capture aggregated diagnostic information for various data pl
Runtime audit logs include the elements listed in the following table:
-Name | Description
-- | -
-`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity.
-`ActivityName` | Runtime operation name.
-`ResourceId` | Resource associated with the activity.
-`Timestamp` | Aggregation time.
-`Status` | Status of the activity (success or failure).
-`Protocol` | Type of the protocol associated with the operation.
-`AuthType` | Type of authentication (Azure Active Directory or SAS Policy).
-`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource.
-`NetworkType` | Type of the network access: `Public` or`Private`.
-`ClientIP` | IP address of the client application.
-`Count` | Total number of operations performed during the aggregated period of 1 minute.
-`Properties` | Metadata that is specific to the data plane operation.
-`Category` | Log category
+Name | Description | Supported in Azure Diagnostics | Supported in AZMSRuntimeAuditLogs (Resource specific table)
+- | -| ||
+`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity. | Yes | Yes
+`ActivityName` | Runtime operation name. | Yes | Yes
+`ResourceId` | Resource associated with the activity. | Yes | Yes
+`Timestamp` | Aggregation time. | Yes | No
+`time Generated (UTC)` | Aggregated time | No | Yes
+`Status` | Status of the activity (success or failure).| Yes | Yes
+`Protocol` | Type of the protocol associated with the operation. | Yes | Yes
+`AuthType` | Type of authentication (Azure Active Directory or SAS Policy). | Yes | Yes
+`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource. | Yes | Yes
+`NetworkType` | Type of the network access: `Public` or`Private`. | yes | Yes
+`ClientIP` | IP address of the client application. | Yes | Yes
+`Count` | Total number of operations performed during the aggregated period of 1 minute. | Yes | Yes
+`Properties` | Metadata that is specific to the data plane operation. | yes | Yes
+`Category` | Log category | Yes | No
+ `Provider`|Name of Service emitting the logs e.g., ServiceBus | No | Yes
+ `Type` | Type of Logs emitted | No | Yes
Here's an example of a runtime audit log entry:
+AzureDiagnostics:
```json { "ActivityId": "<activity id>",
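Review bot: The time column is named `time Generated (UTC)` here but `TimeGenerated [UTC]` in the two earlier tables; use one spelling. `NetworkType` and `Properties` have "yes" in lower case, the last two rows are indented, and the separator row `- | -| ||` has empty cells. These are the data plane audit fields (`AuthType`, `AuthKey`, `ClientIP`), so exact names matter to anyone building detections from this table.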
Here's an example of a runtime audit log entry:
} ```
+Resource specific table entry:
+```json
+{
+ "ActivityId": "<activity id>",
+ "ActivityName": "ConnectionOpen | Authorization | SendMessage | ReceiveMessage",
+ "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<Service Bus namespace>/servicebus/<service bus name>",
+ "TimeGenerated (UTC)": "1/1/2021 8:40:06 PM +00:00",
+ "Status": "Success | Failure",
+ "Protocol": "AMQP | HTTP | SBMP",
+ "AuthType": "SAS | AAD",
+ "AuthKey": "<AAD Application Name| SAS policy name>",
+ "NetworkType": "Public | Private",
+ "ClientIp": "x.x.x.x",
+ "Count": 1,
+ "Provider": "SERVICEBUS",
+ "Type" : "AZMSRuntimeAuditLogs"
+ }
+```
## Azure Monitor Logs tables Azure Service Bus uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#service-bus). ## Next steps - For details on monitoring Azure Service Bus, see [Monitoring Azure Service Bus](monitor-service-bus.md). - For details on monitoring Azure resources, see [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).+
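Review bot: The resource-specific runtime audit example omits `Properties`, which the table marks as supported in AZMSRuntimeAuditLogs, and spells the address field `"ClientIp"` where the table has `ClientIP`. The `AuthKey` placeholder reads `<AAD Application Name| SAS policy name>` while the table describes the value as the Azure Active Directory application ID; state which one is logged.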
spring-apps How To Configure Health Probes Graceful Termination https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-health-probes-graceful-termination.md
Use the following steps to customize your application using Azure CLI.
## Best practices
-Use the following best practices when adding your own persistent storage to Azure Spring Apps:
+Use the following best practices when adding health probes to Azure Spring Apps:
- Use liveness and readiness probes together. Azure Spring Apps provides two approaches for service discovery at the same time. When the readiness probe fails, the app instance is removed only from Kubernetes service discovery. A properly configured liveness probe can remove the issued app instance from Eureka service discovery to avoid unexpected cases. For more information about service discovery, see [Discover and register your Spring Boot applications](how-to-service-registration.md).
static-web-apps Apis Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/apis-functions.md
The following table contrasts the differences between using managed and existing
| Feature | Managed Functions | Bring your own Functions | ||||
-| Access to Azure Functions [triggers](../azure-functions/functions-triggers-bindings.md#supported-bindings) | HTTP only | All |
+| Access to Azure Functions [triggers and bindings](../azure-functions/functions-triggers-bindings.md#supported-bindings) | HTTP only | All |
| Supported Azure Functions [runtimes](../azure-functions/supported-languages.md#languages-by-runtime-version)<sup>1</sup> | Node.js 12<br>Node.js 14<br>Node.js 16<br>Node.js 18 (public preview)<br>.NET Core 3.1<br>.NET 6.0<br>.NET 7.0<br>Python 3.8<br>Python 3.9<br>Python 3.10 | All | | Supported Azure Functions [hosting plans](../azure-functions/functions-scale.md) | Consumption | Consumption<br>Premium<br>Dedicated | | [Integrated security](user-information.md) with direct access to user authentication and role-based authorization data | Γ£ö | Γ£ö |
In addition to the Static Web Apps API [constraints](apis-overview.md#constraint
| Managed functions | Bring your own functions | |||
-| <ul><li>Triggers are limited to [HTTP](../azure-functions/functions-bindings-http-webhook.md).</li><li>The Azure Functions app must either be in Node.js 12, Node.js 14, Node.js 16, Node.js 18 (public preview), .NET Core 3.1, .NET 6.0, Python 3.8, Python 3.9 or Python 3.10 .</li><li>Some application settings are managed by the service, therefore the following prefixes are reserved by the runtime:<ul><li>*APPSETTING\_, AZUREBLOBSTORAGE\_, AZUREFILESSTORAGE\_, AZURE_FUNCTION\_, CONTAINER\_, DIAGNOSTICS\_, DOCKER\_, FUNCTIONS\_, IDENTITY\_, MACHINEKEY\_, MAINSITE\_, MSDEPLOY\_, SCMSITE\_, SCM\_, WEBSITES\_, WEBSITE\_, WEBSOCKET\_, AzureWeb*</li></ul></li><li>Some application tags are internally used by the service. Therefore, the following tags are reserved:<ul><li> *AccountId, EnvironmentId, FunctionAppId*.</li></ul></li></ul> | <ul><li>You are responsible to manage the Functions app deployment.</li></ul> |
+| <ul><li>Triggers and bindings are limited to [HTTP](../azure-functions/functions-bindings-http-webhook.md).</li><li>The Azure Functions app must either be in Node.js 12, Node.js 14, Node.js 16, Node.js 18 (public preview), .NET Core 3.1, .NET 6.0, Python 3.8, Python 3.9 or Python 3.10 .</li><li>Some application settings are managed by the service, therefore the following prefixes are reserved by the runtime:<ul><li>*APPSETTING\_, AZUREBLOBSTORAGE\_, AZUREFILESSTORAGE\_, AZURE_FUNCTION\_, CONTAINER\_, DIAGNOSTICS\_, DOCKER\_, FUNCTIONS\_, IDENTITY\_, MACHINEKEY\_, MAINSITE\_, MSDEPLOY\_, SCMSITE\_, SCM\_, WEBSITES\_, WEBSITE\_, WEBSOCKET\_, AzureWeb*</li></ul></li><li>Some application tags are internally used by the service. Therefore, the following tags are reserved:<ul><li> *AccountId, EnvironmentId, FunctionAppId*.</li></ul></li></ul> | <ul><li>You are responsible to manage the Functions app deployment.</li></ul> |
## Next steps
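Review bot: The managed functions constraint on the changed line still lists the supported runtimes without .NET 7.0, while the feature table in the same article lists .NET 7.0 for managed functions. Since the line is being edited for "Triggers and bindings", bring the runtime list in line with the table, and remove the stray space before the period after "Python 3.10".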
storage Nfs Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/nfs-performance.md
description: Learn ways to improve the performance of NFS Azure file shares at s
Previously updated : 09/21/2023 Last updated : 09/25/2023
This article explains how you can improve performance for NFS Azure file shares.
| Standard file shares (GPv2), GRS/GZRS | ![No, this article doesn't apply to standard SMB Azure file shares GRS/GZRS.](../media/icons/no-icon.png) | ![NFS is only available in premium Azure file shares.](../media/icons/no-icon.png) | | Premium file shares (FileStorage), LRS/ZRS | ![No, this article doesn't apply to premium SMB Azure file shares.](../media/icons/no-icon.png) | ![Yes, this article applies to premium NFS Azure file shares.](../media/icons/yes-icon.png) |
+## Increase read-ahead size to improve read throughput
+
+The `read_ahead_kb` kernel parameter in Linux represents the amount of data that should be "read ahead" or prefetched during a sequential read operation. Linux kernel versions prior to 5.4 set the read-ahead value to the equivalent of 15 times the mounted file system's `rsize` (the client-side mount option for read buffer size). This sets the read-ahead value high enough to improve client sequential read throughput in most cases.
+
+However, beginning with Linux kernel version 5.4, the Linux NFS client uses a default `read_ahead_kb` value of 128 KiB. This small value might reduce the amount of read throughput for large files. Customers upgrading from Linux releases with the larger read-ahead value to those with the 128 KiB default might experience a decrease in sequential read performance.
+
+For Linux kernels 5.4 or later, we recommend persistently setting the `read_ahead_kb` to 15 MiB for improved performance.
+
+To change this value, set the read-ahead size by adding a rule in udev, a Linux kernel device manager. Follow these steps:
+
+1. In a text editor, create the */etc/udev/rules.d/99-nfs.rules* file by entering and saving the following text:
+
+ ```output
+ SUBSYSTEM=="bdi" \
+ , ACTION=="add" \
+ , PROGRAM="<absolute_path>/awk -v bdi=$kernel 'BEGIN{ret=1} {if ($4 == bdi) {ret=0}} END{exit ret}' /proc/fs/nfsfs/volumes" \
+ , ATTR{read_ahead_kb}="15360"
+ ```
+
+1. In a console, apply the udev rule by running the [udevadm](https://www.man7.org/linux/man-pages/man8/udevadm.8.html) command as a superuser:
+
+ ```bash
+ sudo udevadm control --reload
+ ```
+ ## `Nconnect` `Nconnect` is a client-side Linux mount option that increases performance at scale by allowing you to use more TCP connections between the client and the Azure Premium Files service for NFSv4.1, while maintaining the resiliency of platform as a service (PaaS).
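Review bot: The rule matches only `ACTION=="add"`, and step 2 only runs `sudo udevadm control --reload`, so as written the new value applies to NFS mounts created after the reload and not to shares that are already mounted. Add a step to remount the share and a step to confirm the resulting `read_ahead_kb` value. The `<absolute_path>` placeholder in `PROGRAM=` needs a sentence telling the reader how to find the path to `awk` on their distribution, and the rules file is fenced as `output` although it is file content the reader types.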
storage Storage Files Identity Auth Hybrid Identities Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-auth-hybrid-identities-enable.md
description: Learn how to enable identity-based Kerberos authentication for hybr
Previously updated : 08/03/2023 Last updated : 09/25/2023 recommendations: false
Changes are not instant, and require a policy refresh or a reboot to take effect
If you want to enable client machines to connect to storage accounts that are configured for AD DS as well as storage accounts configured for Azure AD Kerberos, follow these steps. If you're only using Azure AD Kerberos, skip this section.
-Add an entry for each storage account that uses on-premises AD DS integration. Use one of the following three methods to configure Kerberos realm mappings:
+Add an entry for each storage account that uses on-premises AD DS integration. Use one of the following three methods to configure Kerberos realm mappings. Changes aren't instant, and require a policy refresh or a reboot to take effect.
- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/HostToRealm](/windows/client-management/mdm/policy-csp-admx-kerberos#hosttorealm) - Configure this group policy on the client(s): `Administrative Template\System\Kerberos\Define host name-to-Kerberos realm mappings`-- Run the `ksetup` Windows command on the client(s): `ksetup /addhosttorealmmap <hostname> <realmname>`
- - For example, `ksetup /addhosttorealmmap <your storage account name>.file.core.windows.net contoso.local`
+- Run the `ksetup` Windows command on the client(s): `ksetup /addhosttorealmmap <hostname> <REALMNAME>`
+ - For example, `ksetup /addhosttorealmmap <your storage account name>.file.core.windows.net CONTOSO.LOCAL`
-Changes aren't instant, and require a policy refresh or a reboot to take effect.
+> [!IMPORTANT]
+> In Kerberos, realm names are case sensitive and upper case. Your Kerberos realm name is usually the same as your domain name, in upper-case letters.
## Undo the client configuration to retrieve Kerberos tickets
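Review bot: The new `[!IMPORTANT]` note on realm-name case sits after the list, and only the `ksetup` bullet was changed to `<REALMNAME>` and `CONTOSO.LOCAL`; the Intune Kerberos/HostToRealm and group policy bullets give no hint that the realm has to be entered the same way. Move the note above the list or word it so it clearly covers all three methods. The phrase "case sensitive and upper case" also spells the term two ways within the note ("upper case", "upper-case"); pick one.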
synapse-analytics Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/known-issues.md
To learn more about Azure Synapse Analytics, see the [Azure Synapse Analytics Ov
|Azure Synapse Component|Status|Issue| ||||
-|Azure Synapse serverless SQL pool|[Queries using Azure AD authentication fails after 1 hour](#queries-using-azure-ad-authentication-fails-after-1-hour)|Has Workaround|
|Azure Synapse serverless SQL pool|[Query failures from serverless SQL pool to Azure Cosmos DB analytical store](#query-failures-from-serverless-sql-pool-to-azure-cosmos-db-analytical-store)|Has Workaround| |Azure Synapse serverless SQL pool|[Azure Cosmos DB analytical store view propagates wrong attributes in the column](#azure-cosmos-db-analytical-store-view-propagates-wrong-attributes-in-the-column)|Has Workaround| |Azure Synapse dedicated SQL pool|[Queries failing with Data Exfiltration Error](#queries-failing-with-data-exfiltration-error)|Has Workaround|
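Review bot: The header of the active-issues table reads `|Azure Synapse Component|Status|Issue|`, but every row, including the one removed here, is ordered component, issue link, status ("Has Workaround" is in the third column). Since this change already touches the table, swap the header to Component, Issue, Status so it matches the rows and the `|Synapse Component|Issue|Status|Date Resolved` header used for the resolved table.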
To learn more about Azure Synapse Analytics, see the [Azure Synapse Analytics Ov
## Azure Synapse Analytics serverless SQL pool active known issues summary
-### Queries using Azure AD authentication fails after 1 hour
-
-SQL connections using Azure AD authentication that remain active for more than 1 hour will start to fail. This includes querying storage using Azure AD pass-through authentication and statements that interact with Azure AD, like CREATE EXTERNAL PROVIDER. This affects every tool that keeps connections active, like query editor in SSMS and ADS. Tools that open new connection to execute queries aren't affected, like Synapse Studio.
-
-**Workaround**: The engineering team is currently aware of this behavior and working on a fix. <br>
-Following steps can be followed to work around the problem.
-
-1) It's recommended switching to Service Principal, Managed Identity or Shared Access Signature instead of using user identity for long running queries.
-2) Restarting client (SSMS/ADS) acquires new token to establish the connection.
- ### Query failures from serverless SQL pool to Azure Cosmos DB analytical store Queries from a serverless SQL pool to Azure Cosmos DB analytical store might fail with one of the following error messages:
Deleting a Synapse workspace fails with the error message:
|Synapse Component|Issue|Status|Date Resolved |||||
+|Azure Synapse serverless SQL pool|[Queries using Azure AD authentication fails after 1 hour](#queries-using-azure-ad-authentication-fails-after-1-hour)|Resolved|August 2023
|Azure Synapse serverless SQL pool|[Query failures while reading Cosmos DB data using OPENROWSET](#query-failures-while-reading-azure-cosmos-db-data-using-openrowset)|Resolved|March 2023 |Azure Synapse Apache Spark pool|[Failed to write to SQL Dedicated Pool from Synapse Spark using Azure Synapse Dedicated SQL Pool Connector for Apache Spark when using notebooks in pipelines](#failed-to-write-to-sql-dedicated-pool-from-synapse-spark-using-azure-synapse-dedicated-sql-pool-connector-for-apache-spark-when-using-notebooks-in-pipelines)|Resolved|June 2023 ## Azure Synapse Analytics serverless SQL pool recently closed known issues summary
+### Queries using Azure AD authentication fails after 1 hour
+
+SQL connections using Azure AD authentication that remain active for more than 1 hour will start to fail. This includes querying storage using Azure AD pass-through authentication and statements that interact with Azure AD, like CREATE EXTERNAL PROVIDER. This affects every tool that keeps connections active, like query editor in SSMS and ADS. Tools that open new connection to execute queries aren't affected, like Synapse Studio.
+
+**Status**: Resolved
+ ### Query failures while reading Azure Cosmos DB data using OPENROWSET Queries from serverless SQL pool to Cosmos DB Analytical Store using OPENROWSET fails with the following error message:
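Review bot: The section re-added under recently closed issues keeps the description in the future tense ("will start to fail") and ends with only `**Status**: Resolved`, while the removed version carried a workaround (use Service Principal, Managed Identity or Shared Access Signature for long-running queries; restart SSMS/ADS to acquire a new token). Put the description in the past tense and state whether any client-side action is still needed after the fix. The heading "Queries using Azure AD authentication fails" has a subject-verb mismatch, but the new table row links to `#queries-using-azure-ad-authentication-fails-after-1-hour`, so change heading and link together or leave both.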
synapse-analytics Synapse File Mount Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/synapse-file-mount-api.md
Title: Introduction to file APIs in Azure Synapse Analytics description: This tutorial describes how to use the file mount and file unmount APIs in Azure Synapse Analytics, for both Azure Data Lake Storage Gen2 and Azure Blob Storage.-+ Last updated 07/27/2022-+
mssparkutils.fs.mount(
> [!NOTE] > You might need to import `mssparkutils` if it's not available: > ```python
-> From notebookutils import mssparkutils
-> ```
+> from notebookutils import mssparkutils
+> ```
+> Mount parameters:
+> - fileCacheTimeout: Blobs will be cached in the local temp folder for 120 seconds by default. During this time, blobfuse won't check whether the file is up to date or not. The parameter could be set to change the default timeout time. When multiple clients modify files at the same time, in order to avoid inconsistencies between local and remote files, we recommend shortening the cache time, or even changing it to 0, and always getting the latest files from the server.
+> - timeout: The mount operation timeout is 120 seconds by default. The parameter could be set to change the default timeout time. When there are too many executors or when the mount times out, we recommend increasing the value.
+> - scope: The scope parameter is used to specify the scope of the mount. The default value is "job." If the scope is set to "job," the mount is visible only to the current cluster. If the scope is set to "workspace," the mount is visible to all notebooks in the current workspace, and the mount point is automatically created if it doesn't exist. Add the same parameters to the unmount API to unmount the mount point. The workspace level mount is only supported for linked service authentication.
+>
+> You can use these parameters like this:
+> ```python
+> mssparkutils.fs.mount(
+> "abfss://mycontainer@<accountname>.dfs.core.windows.net",
+> "/test",
+> {"linkedService":"mygen2account", "fileCacheTimeout": 120, "timeout": 120}
+> )
+> ```
+>
> We don't recommend that you mount a root folder, no matter which authentication method you use.
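Review bot: The added example passes `"fileCacheTimeout": 120, "timeout": 120`, which are exactly the defaults the bullets above it state, and it never shows `scope`, the one parameter that changes who can see the mount ("workspace" makes it visible to all notebooks in the workspace). Use non-default values or say that the values shown are the defaults, and show how `scope` is passed. The parameter list is also nested inside the NOTE about importing `mssparkutils`, where it is easy to miss; it reads better as its own paragraph. In the `scope` bullet, the period inside the quotes in "job." can be taken as part of the value.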
f.close()
``` >
-## Access files under the mount point by using the mssparktuils fs API
+## Access files under the mount point by using the mssparkutils fs API
The main purpose of the mount operation is to let customers access the data stored in a remote storage account by using a local file system API. You can also access the data by using the `mssparkutils fs` API with a mounted path as a parameter. The path format used here is a little different.
Assume that you mounted the Data Lake Storage Gen2 container `mycontainer` to `/
`/synfs/{jobId}/test/{filename}`
+We recommend using a `mssparkutils.fs.getMountPath()` to get the accurate path:
+
+```python
+path = mssparkutils.fs.getMountPath("/test") # equals to /synfs/{jobId}/test
+```
+ When you want to access the data by using the `mssparkutils fs` API, the path format is like this: `synfs:/{jobId}/test/{filename}`
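Review bot: The new recommendation to use `mssparkutils.fs.getMountPath()` is placed between the local path format and the `synfs:/{jobId}/...` format, and the example that follows still hard-codes the job ID in `synfs:/49/test/myFile.csv`. Say which of the two path forms `getMountPath` returns (the comment suggests the local `/synfs/{jobId}/test` form) and how to build the `synfs:/` path without hard-coding the job ID. Wording: drop the article in "using a `mssparkutils.fs.getMountPath()`" and change the comment "equals to" to "equals".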
df = spark.read.load("synfs:/49/test/myFile.csv", format='csv')
df.show() ```
+> [!NOTE]
+> When you mount the storage using a linked service, you should always explicitly set spark linked service configuration before using synfs schema to access the data. Refer to [ADLS Gen2 storage with linked services](./apache-spark-secure-credentials-with-tokenlibrary.md#adls-gen2-storage-without-linked-services) for details.
+ ### Read a file from a mounted Blob Storage account If you mounted a Blob Storage account and want to access it by using `mssparkutils` or the Spark API, you need to explicitly configure the SAS token via Spark configuration before you try to mount the container by using the mount API:
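Review bot: In the added NOTE the link text says "ADLS Gen2 storage with linked services" but the target anchor is `#adls-gen2-storage-without-linked-services`. The note is about mounts made with a linked service, so check which section of the target article is meant and make text and anchor agree. Wording in the same line: "synfs schema" should be "synfs scheme", and "spark linked service configuration" should capitalize Spark.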
update-center Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-center/overview.md
description: This article tells what Azure Update Manager in Azure is and the sy
Previously updated : 09/21/2023 Last updated : 09/25/2023 # About Azure Update Manager > [!Important]
-> - Azure Update Manager is the v2 version of Automation Update Management and the future of update management in Azure.
-> - [Automation Update Management](../automation/update-management/overview.md) relies on the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) (also called MMA agent), which is on a deprecation path and won't be supported after **August 31, 2024**.
-> - Update Manager is a native service in Azure and doesn't rely on the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) or the [Azure Monitor agent](../azure-monitor/agents/agents-overview.md).
-> - Follow [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to migrate machines and schedules from Automation Update Management to Azure Update Manager.
-> - If you are using Automation Update Management, we recommend that you continue to use the Log Analytics agent and *not* migrate to the Azure Monitor agent until machines and schedules are migrated to Azure Update Manager.
-> - The Log Analytics agent wouldn't be deprecated before moving all Automation Update Management customers to Update Manager.
-> - Update Manager doesn't store any customer data.
+> Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update Management solution relies on this agent and may encounter issues once the agent is retired as it does not work with Azure Monitoring Agent (AMA). Therefore, if you are using the Azure Automation Update Management solution, we recommend that you move to Azure Update Manager for your software update needs. All the capabilities of Azure Automation Update management solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move your machines and schedules from Automation Update Management to Azure Update Manager.
Update Manager is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on other cloud platforms from a single dashboard. You can also use Update Manager to make real-time updates or schedule them within a defined maintenance window.
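Review bot: The replacement paragraph names the agent "Azure Monitoring Agent (AMA)", while the removed bullets linked it as "Azure Monitor agent"; use one product name. The paragraph also loosens the retirement date from "August 31, 2024" to "August 2024" and drops two statements readers may rely on: the advice not to migrate to the Azure Monitor agent until machines and schedules are moved, and "Update Manager doesn't store any customer data". If those still hold, keep them in the new text. "Update management solution" and "Update Management solution" are both used in the added paragraph; pick one.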
update-center Update Manager Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-center/update-manager-faq.md
Title: Azure Update Manager FAQ
description: This article gives answers to frequently asked questions about Azure Update Manager Previously updated : 09/14/2023 Last updated : 09/25/2023 #Customer intent: As an implementer, I want answers to various questions.
This FAQ is a list of commonly asked questions about Azure Update Manager. If you have any other questions about its capabilities, go to the discussion forum and post your questions. When a question is frequently asked, we add it to this article so that it's found quickly and easily.
-## What are the benefits of using Azure Update Manager over Automation Update Management?
+## Fundamentals
-Azure Update Manager offers several benefits over the Automation Update Management solution. [Learn more](overview.md#key-benefits).
-Following are few benefits:
-- Native experience with zero onboarding, no dependency on other services like Automation and Log Analytics.-- On-demand operations to enable you to take immediate actions like Patch Now and Assess Now.-- Enhanced flexibility with options like [Automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) in Azure, [hotpatching](/windows-server/get-started/hotpatch) or custom maintenance schedules.-- Granular access control at a VM level.-- Support for Azure Policy.
+### What are the benefits of using Azure Update Manager over Automation Update Management?
+Azure Update Manager provides a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multi-cloud environments.
+Following are the benefits of using Azure Update
+- Oversee update compliance for your entire fleet of machines in Azure (Azure VMs), on premises, and multi-cloud environments (Arc-enabled Servers).
+- View and deploy pending updates to secure your machines [instantly](updates-maintenance-schedules.md#update-nowone-time-update).
+- Manage [extended security updates (ESUs)](https://learn.microsoft.com/azure/azure-arc/servers/prepare-extended-security-updates) for your Azure Arc-enabled Windows Server 2012/2012 R2 machines. Get consistent experience for deployment of ESUs and other updates.
+- Define recurring time windows during which your machines receive updates and may undergo reboots using [scheduled patching](scheduled-patching.md). Enforce machines grouped together based on standard Azure constructs (Subscriptions, Location, Resource Group, Tags etc.) to have common patch schedules using [dynamic scoping](dynamic-scope-overview.md). Sync patch schedules for Windows machines in relation to patch Tuesday, the unofficial term for month.
+- Enable incremental rollout of updates to Azure VMs in off-peak hours using [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) and reduce reboots by enabling [hot patching](updates-maintenance-schedules.md#hot-patching).
+- Automatically [assess](assessment-options.md#periodic-assessment) machines for pending updates every 24 hours, and flag machines that are out of compliance. Enforce enabling periodic assessments on multiple machines at scale using [Azure Policy](periodic-assessment-at-scale.md).
+- Create [custom reports](workbooks.md) for deeper understanding of the updates data of the environment.
+- Granular access management to Azure resources with Azure roles and identity, to control who can perform update operations and edit schedules.
-## LA agent (also known as MMA) is retiring and will be replaced with AMA, can I continue to use Automation Update Management with AMA?
+### How does the new Azure Update Manager work on machines?
-You need to move from Automation Update Management to Azure Update Manager as LA agent is retiring (Automation Update Management won't work with AMA either). Azure Update Manager doesn't rely on MMA or AMA. However, ensure that you don't remove MMA agent from machines using Automation Update Management before migrating to Azure Update Manager or else Automation Update Management solution will not work.
-
+Whenever you trigger any Azure Update Manager operation on your machine, it pushes an extension on your machine that interacts with the VM agent (for Azure machine) or Arc agent (for Arc-enabled machines) to fetch and install updates.
-## Will I be charged if I migrate to Azure Update Manager?
-Azure Update Manager is free of charge for Azure machines. Azure Arc-enabled machines are charged up to $5/server/month prorated at a daily level (@0.167/server/day). Example: if your Arc machines are turned off (not connected to Azure) for 20 days out 30 days of a month, then you pay only for 10 days when periodic assessment runs on your machine. So, you will pay approximately 0.167*10=$1.67/server/month for those Arc machines.
+### Is enabling Azure Arc mandatory for patch management for machines not running on Azure?
-## How is Azure Update Manager price calculated for Arc-enabled machines?
-Azure Update Manager is free for machines hosted on Azure or Azure Stack HCI. For Arc-enabled servers, it's chargeable up to $5/server/month. It's charged at a daily prorated value of 0.16/server/day. It means that your Arc-enabled machine would only be charged for the days when it's considered managed by Azure Update Manager.
+Yes, machines that aren't running on Azure must be enabled for Arc, for management using Update Manager.
-> [!NOTE]
-> A machine is considered managed by Update Management in a day if the following two conditions are met:
->
-> 1. If the machine has **Connected** status for Arc at the time of operation (patched on demand or through a scheduled job/assessed on demand or through periodic assessment) or for a specific time of the day (in case it is associated with a schedule, even if no operations are performed on the day).
->
-> 1. **A patch now or assess now operation is triggered for the machine in the day** or **the machine is assessed for pending patches through periodic assessment on the day**, or **the machine is associated with an active schedule on the day either statically or dynamically**.
+### Is the new Azure Update Manager dependent on Azure Automation and Log Analytics?
-Following are the cases when Arc-enabled servers wouldn't be charged by Azure Update
+No, it's a native capability on a virtual machine.
-- As additional value added to the Arc ESUs, patch management using Azure Update Manager for machines enabled for extended support via Arc would be provided at no extra charge.-- Arc-enabled machines present in subscriptions enabled for Microsoft Defender for Servers Plan 2 would be provided at no additional charge. For all other Microsoft Defender for Cloud plans, Arc-enabled machines would be charged by Update Manager.
+### Where is updates data stored in Azure Update Manager?
-## If I migrate to AMA while I'm still using Automation Update Management, will my solution break?
+All Azure Update Manager data is stored in Azure Resource Graph (ARG). Custom reports can be generated on the updates data for deeper understanding and patterns using Azure Workbooks [Learn more](query-logs.md)
-Yes, MMA is a prerequisite for Automation Update Management to work. The ideal thing to do would be to migrate to the new Azure Update Manager and then make the move from MMA to AMA. The new Update Manager doesn't rely on MMA or AMA.
+### Are there programmatic ways to interact with Azure Update Manager?
-## How does the new Azure Update Manager work on machines?
+Yes, Azure Update Manager supports REST API, CLI and PowerShell for [Azure machines](manage-vms-programmatically.md) and [Arc-enabled machines](manage-arc-enabled-servers-programmatically.md).
-Whenever you trigger any Azure Update Manager operation on your machine, it pushes an extension on your machine that interacts with the VM agent (for Azure machine) or Arc agent (for Arc-enabled machines) to fetch and install updates.
+### Do I need MMA or AMA for using Azure Update Manager to manage my machines?
-## Can I configure my machines to fetch updates from WSUS (Windows) and private repository (Linux)?
+No, it's a native capability on a virtual machine and doesn't rely either on MMA or AMA.
-By default, Azure Update Manager relies on Windows Update (WU) client running on your machine to fetch updates. You can configure WU client to fetch updates from Windows Update/Microsoft Update repository. Updates for Microsoft first party products are published on Microsoft Update repository. For more information, see how to [enable updates for Microsoft first party updates](configure-wu-agent.md#enable-updates-for-other-microsoft-products).
+### Which operating systems are supported by Azure Update Manager?
-Similarly for Linux, you can fetch updates by pointing your machine to a public repository or clone a private repository that regularly pulls updates from the upstream. In a nutshell, Azure Update Manager honors machine settings and installs updates accordingly.
+For more information, see [Azure Update Manager OS support](support-matrix.md).
-## Where is updates data stored in Azure Update Manager?
+### Does Update Manager support Windows 10, 11?
-All Azure Update Manager data is stored in Azure Resource Graph (ARG) which is free of cost. It is unlike Automation Update Management that used to store data in Log Analytics and the customers had to pay for update data stored.
+Automation Update Management didn't provide support for patching Windows 10 and 11. The same is true for Azure Update Manager. We recommend that you use Microsoft Intune as the solution for keeping Windows 10 and 11 devices up to date.
-## Are all the operating systems supported in Automation Update Management supported by Azure Update Manager?
-We have tried our best to maintain the Operating Support parity. Read in detail about [Azure Update Manager OS support](support-matrix.md).
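Review bot: Two added sentences in the Fundamentals section are cut off: "Following are the benefits of using Azure Update" ends before the product name and the colon, and the scheduled-patching bullet ends with "patch Tuesday, the unofficial term for month.", which does not complete the definition. Finish both before merging. The ESU bullet links to an absolute `https://learn.microsoft.com/azure/azure-arc/...` URL while the other links in the list are relative, and the answer on where updates data is stored runs into "[Learn more](query-logs.md)" without a period. The removed answer about fetching updates from WSUS or a private Linux repository has no replacement in the new FAQ; keep it if the behavior (Update Manager honors the machine's update source settings) is unchanged.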
+## Impact of Log Analytics Agent retirement
-## Will I lose my Automation Update Management update related data if I migrate to Azure Update Manager?
+### How do I move from Automation Update Management to Azure Update Manager?
-We won't migrate updates related data to Azure Resource Graph, however you can refer to your historical data in Log Analytics workspace that you were using in Automation Update Management.
+Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move from Automation Update Management to Azure Update Manager.
-## Is the new Azure Update Manager dependent on Azure Automation and Log Analytics?
-No, it's a native capability on a virtual machine.
+### LA agent (also known as MMA) is retiring and will be replaced with AMA. Is it necessary to move to Update Manager or can I continue to use Automation Update Management with AMA?
-## Do I need AMA for the new Azure Update Manager?
+The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update management solution relies on this agent and may encounter issues once the agent is retired. It doesn't work with Azure Monitoring Agent (AMA) either.
-No, it's a native capability on a virtual machine and doesn't rely on MMA or AMA.
+Therefore, if you're using Azure Automation Update management solution, you're encouraged to move to Azure Update Manager for their software update needs. All capabilities of Azure Automation Update Management Solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move update management for your machines to Azure Update Manager.
+
-## If I have been using pre and post-script or alerting capability in Automation Update management, would I be provided with migration guidance?
+### If I move to AMA while I'm still using Automation Update Management, will my solution break?
-Yes, when these features become available in Azure Update Manager, we publish migration guidance for them as well.
+Yes. Automation Update Management isn't compatible with AMA. We recommend that you move the machine to Azure Update Manager before removing MMA from the machine. Update Manager doesn't rely either on MMA or AMA.
-## I have some reports/dashboards built for Automation Update Management, how do I migrate those?
-You can build dashboards/reports on Azure Resource Graph (ARG) data. For more information, see [how to query ARG data](query-logs.md) and [sample queries](sample-query-logs.md). You can build workbooks on ARG data. We have a few built-in workbooks that you can modify as per your use case or create a new one. For more information on [how to create reports using workbooks](manage-workbooks.md).
+### Will I lose my Automation Update Management update related data if I move to Azure Update Manager?
-## I have been using saved searches in Automation Update Management for schedules, how do I migrate to Azure Update Manager?
+Automation Update Management uses Log Analytics workspace for storing updates data. Azure Update Manager uses Azure Resource Graph for data storage. You can continue using the historical data in Log Analytics workspace for old data and use Azure Resource Graph for new data.
-You can resolve machines manually for those saved searches, Arc-enable them and then use dynamic scoping feature to define the same scope of machines. [Learn more](manage-dynamic-scoping.md)
+### I have some reports/dashboards built for Automation Update Management. How do I move those?
-## I'm a Defender for Server customer and use update recommendations powered by Azure Update Manager namely periodic assessment should be enabled on your machines and system updates should be installed on your machines. Would I be charged for Azure Update Manager?
+You can rebuild custom dashboards/reports on updates data from Azure Resource Graph (ARG). For more information, see [how to query ARG data](query-logs.md) and [sample queries](sample-query-logs.md). These are a few built-in workbooks that you can modify as per your needs to get started. For more information, see [how to create reports using workbooks](manage-workbooks.md).
-If you have purchased a Defender for Servers Plan 2, then you won't have to pay to remediate the unhealthy resources for the above two recommendations. But if you're using any other Defender for server plan for your Arc machines, then you would be charged for those machines at the daily prorated $0.167/server by Azure Update Manager.
+### I have been using saved searches in Automation Update Management for schedules. How do I migrate to Azure Update Manager?
-## I have been using Automation Update Management for free on Arc machines, would I have to pay to use Azure Update Manager on those machines?
+Arc-enabling of machines is a prerequisite for management with Update Manager. To move the saved searches. You can Arc-enable them and then use dynamic scoping feature to define the same scope of machines. [Learn more](manage-dynamic-scoping.md).
-We'll provide Azure Update Manager for free for one year (starting from when Azure Update Manager goes GA) to all subscriptions that were using Automation Update Management on Arc-enabled machines for free. Post this period, machines are charged.
-## Does Azure Update Manager support integration with Azure Lighthouse?
+### If I have been using pre and post-script or alerting capability in Automation Update management, how can I move to Azure Update Manager?
-Azure Update Manager doesn't support Azure Lighthouse integration officially. However, you can try to check if the integration works on your dev environment.
+These capabilities will be added to Azure Update Manager. For more information, see [guidance for moving from Automation Update management to Azure Update Manager](guidance-migration-automation-update-management-azure-update-manager.md).
-## I have been using Automation Update Management for client operating system like Windows 10, 11. Would I be able to migrate to Azure Update Manager?
+### I'm using Automation Update Management on sovereign clouds; will I get region support in the new Azure Update Manager?
-Automation Update Management never officially supported client devices. [Learn more](../automation/update-management/operating-system-requirements.md#unsupported-operating-systems) We maintain the same stance for the new Azure Update Manager. Intune is the suggested solution from Microsoft for client devices.
+Yes, Automation Update Manager will be rolled out to sovereign clouds soon.
-## I'm using Automation Update Management on sovereign clouds; will I get region support in the new Azure Update Manager?
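Review bot: The sovereign-cloud answer says "Automation Update Manager will be rolled out to sovereign clouds soon", which mixes the two product names; the question is about Azure Update Manager. In the saved-searches answer, "To move the saved searches. You can Arc-enable them" is a sentence fragment and leaves "them" without a referent (the removed text said to resolve the machines for those saved searches first). Other wording in this section: "you're encouraged to move ... for their software update needs" switches pronouns, and "These are a few built-in workbooks" should be "There are". The pre/post-script answer says the capabilities "will be added", so the earlier statement that all capabilities will be available before the retirement date should link to the same guidance.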
+## Pricing
-Yes, support is made available for sovereign clouds supported in Automation Update Management.
+### What is the pricing for Azure Update Manager?
-## Is the new Azure Update Manager compatible with SCCM?
+Azure Update Manager is available at no extra charge for managing Azure VMs and Arc-enabled Azure Stack HCI VMs (for which Azure Benefits are enabled). For Arc-enabled Servers, the price is $5 per server per month (assuming 31 days of usage).
-Azure Update Manager isn't compatible with SCCM unlike Automation Update Management.
+### How is Azure Update Manager price calculated for Arc-enabled servers?
-## I have machines across multiple subscriptions in Automation Update Management, is this scenario supported in Azure Update Manager?
+For Arc-enabled servers, Azure Update Manager is charged $5/server/month (assuming 31 days of connected usage). It's charged at a daily prorated value of 0.16/server/day. An Arc-enabled machine would only be charged for the days when it's connected and managed by Azure Update Manager.
-Yes, Azure Update Manager supports multi-subscription scenarios.
+### When is an Arc-enabled server considered managed by Azure Update Manager?
-## Are there programmatic ways of onboarding Azure Update Manager?
+An Arc-enabled server is considered managed by Azure Update Manager for days on which the machine fulfills the following conditions:
+ - *Connected* status for Arc at any time during the day.
+ - An update operation (patched on demand or through a scheduled job, assessed on demand or through periodic assessment) is triggered on it, or it's associated with a schedule.
+
+### Are there scenarios in which Arc-enabled Server isn't charged for Azure Update Manager?
-Yes, Azure Update Manager supports REST API, CLI and PowerShell for [Azure machines](manage-vms-programmatically.md) and [Arc-enabled machines](manage-arc-enabled-servers-programmatically.md).
+An Arc-enabled server managed with Azure Update Manager is not charged in following scenarios:
+ - If the machine is enabled for delivery of Extended Security Updates (ESUs) enabled by Azure Arc.
+ - Microsoft Defender for Servers Plan 2 is enabled for the subscription hosting the Arc-enabled server.
-## Is Arc-connectivity a prerequisite for using Azure Update Manager on hybrid machines?
+### Will I be charged if I move from Automation Update Management to Update Manager?
-Yes, Arc connectivity is a prerequisite for using Azure Update Manager on hybrid machines.
+Customers using Automation Update Management moving to Azure Update Manager won't be charged till retirement of LA agent.
-## Does Azure Update Manager support Azure Policy?
+### I'm a Defender for Server customer and use update recommendations powered by Azure Update Manager namely "periodic assessment should be enabled on your machines" and "system updates should be installed on your machines". Would I be charged for Azure Update Manager?
-Yes, unlike Automation Update Management, the new Azure Update Manager supports update features via policies. For more information, see[how to enable periodic assessment at scale using policy](periodic-assessment-at-scale.md) and [how to enable schedules on your machines at scale using Policy](scheduled-patching.md#onboarding-to-schedule-using-policy)
-
+If you have purchased a Defender for Servers Plan 2, then you won't have to pay to remediate the unhealthy resources for the above two recommendations. But if you're using any other Defender for server plan for your Arc machines, then you would be charged for those machines at the daily prorated $0.16/server by Azure Update Manager.
+
+### Is Azure Update Manager chargeable on Azure Stack HCI?
+Azure Update Manager is not charged for machines hosted Azure Stack HCI clusters that have been enabled for Azure benefits and Azure Arc VM management. [Learn more](https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits?tabs=wac#azure-benefits-available-on-azure-stack-hci).
+
+## Update Manager support and integration
+
+### Does Azure Update Manager support integration with Azure Lighthouse?
+
+Azure Update Manager doesn't currently support Azure Lighthouse integration.
+
+### Does Azure Update Manager support Azure Policy?
+
+Yes, Azure Update Manager supports update features via policies. For more information, see [how to enable periodic assessment at scale using policy](periodic-assessment-at-scale.md) and [how to enable schedules on your machines at scale using Policy](scheduled-patching.md#onboarding-to-schedule-using-policy).
+
+### I have machines across multiple subscriptions in Automation Update Management. Is this scenario supported in Azure Update Manager?
+
+Yes, Azure Update Manager supports multi-subscription scenarios.
+
+### Is there guidance available to move VMs and schedules from SCCM to Azure Update Manager?
+
+Customers can follow this [guide](guidance-migration-azure.md) to move update configurations from SCCM to Azure Update Manager.
+
+## Miscellaneous
+
+### Can I configure my machines to fetch updates from WSUS (Windows) and private repository (Linux)?
+
+By default, Azure Update Manager relies on Windows Update (WU) client running on your machine to fetch updates. You can configure WU client to fetch updates from Microsoft Update/WSUS repository and manage patch schedules using Azure Update Manager.
+
+Similarly for Linux, you can fetch updates by pointing your machine to a public repository or clone a private repository that regularly pulls updates from the upstream.
+
+Azure Update Manager honors machine settings and installs updates accordingly.
+
+### Does Azure Update Manager store customer data?
+
+No, Azure Update Manager doesn't store any customer identifiable data outside of the Azure Resource Graph for the subscription.
+ ## Next steps - [An overview of Azure Update Manager](overview.md)
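Review bot: The daily rate in the first pricing answer reads "0.16/server/day" with no currency symbol, while the Defender for Servers answer writes "$0.16/server" with no "/day"; use one form in both places, for example "$0.16/server/day". In the same hunk, "till retirement of LA agent" uses an abbreviation that is never expanded in the visible text, "machines hosted Azure Stack HCI clusters" is missing "on", "in following scenarios" is missing "the", the product is written both "Defender for Server" and "Defender for Servers", and the Azure Stack HCI link is an absolute learn.microsoft.com URL where the other links in this FAQ are relative paths.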
update-center Whats Upcoming https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-center/whats-upcoming.md
Expanded support for [specialized images](../virtual-machines/linux/imaging.md#s
## Prescript and postscript
-The prescript and postscript will be available soon.
-
-## SQL Server patching
-SQL Server patching using Update Manager will be available soon.
+The ability to execute Azure Automation runbook scripts before or after deploying scheduled updates to machines will be available by Q4, CY2023.
## Next steps
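Review bot: The "SQL Server patching" heading and its "will be available soon" line are removed with nothing in their place, so a reader can't tell whether the feature shipped or was dropped from the roadmap; if it shipped, link to its documentation, otherwise keep the entry with its current status. The new prescript and postscript sentence commits to "by Q4, CY2023", which will need a follow-up edit once that date passes.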
virtual-machine-scale-sets Virtual Machine Scale Sets Use Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md
You must register for four feature flags on your subscription:
### [Azure CLI](#tab/cli-1) + ```azurecli az feature register --namespace Microsoft.Compute --name VmssAllowRegionalToZonalMigration az feature register --namespace Microsoft.Compute --name VmssAllowExpansionOfAvailabilityZones
-az feature register --namespace Microsoft.Compute --name EnableVmssFlexExpansionOfAvailabilityZones
-az feature register --namespace Microsoft.Compute --name EnableVmssFlexRegionalToZonalMigration
+az feature register --namespace Microsoft.Compute --name VmssFlexAllowExpansionOfAvailabilityZones
+az feature register --namespace Microsoft.Compute --name VmssFlexAllowRegionalToZonalMigration
``` You can check the registration status of each feature by using:
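Review bot: The two Flex feature flags are renamed from "EnableVmssFlex..." to "VmssFlexAllow..." with no note for readers who already registered under the old names; add a sentence saying whether those registrations still apply or must be repeated under the new names. The PowerShell tab carries the same rename and needs the same sentence.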
az feature show --namespace Microsoft.Compute --name \<feature-name\>
### [Azure PowerShell](#tab/powershell-1) + ```powershell Register-AzProviderPreviewFeature -Name VmssAllowRegionalToZonalMigration -ProviderNamespace Microsoft.Compute Register-AzProviderPreviewFeature -Name VmssAllowExpansionOfAvailabilityZones -ProviderNamespace Microsoft.Compute
-Register-AzProviderPreviewFeature -Name EnableVmssFlexExpansionOfAvailabilityZones -ProviderNamespace Microsoft.Compute
-Register-AzProviderPreviewFeature -Name EnableVmssFlexRegionalToZonalMigration -ProviderNamespace Microsoft.Compute
+Register-AzProviderPreviewFeature -Name VmssFlexAllowExpansionOfAvailabilityZones -ProviderNamespace Microsoft.Compute
+Register-AzProviderPreviewFeature -Name VmssFlexAllowRegionalToZonalMigration -ProviderNamespace Microsoft.Compute
``` You can check the registration status of each feature by using:
You can update the scale set to scale out instances to one or more additional av
> [!IMPORTANT] > When you expand the scale set to additional zones, the original instances are not migrated or changed. When you scale out, new instances will be created and spread evenly across the selected availability zones. When you scale in the scale set, any regional instances will be priorized for removal first. After that, instances will be removed based on the [scale in policy](virtual-machine-scale-sets-scale-in-policy.md). + Expanding to a zonal scale set is done in 3 steps: 1. Prepare for zonal expansion
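Review bot: While this IMPORTANT block is being touched, "priorized" in "any regional instances will be priorized for removal first" should be "prioritized".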
With [Rolling upgrades + MaxSurge](virtual-machine-scale-sets-upgrade-policy.md)
Now that you have created a scale set in an Availability Zone, you can learn how to [Deploy applications on Virtual Machine Scale Sets](tutorial-install-apps-cli.md) or [Use autoscale with Virtual Machine Scale Sets](tutorial-autoscale-cli.md). --------
virtual-wan Virtual Wan Global Transit Network Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-global-transit-network-architecture.md
Previously updated : 03/02/2023 Last updated : 09/25/2023
Branch-to-VNet is the primary path supported by Azure Virtual WAN. This path all
### ExpressRoute Global Reach and Virtual WAN
-ExpressRoute is a private and resilient way to connect your on-premises networks to the Microsoft Cloud. Virtual WAN supports Express Route circuit connections.
-The following ExpressRoute circuit SKUs can be connected to Virtual WAN: Local, Standard, and Premium.
+ExpressRoute is a private and resilient way to connect your on-premises networks to the Microsoft Cloud. Virtual WAN supports Express Route circuit connections. The following ExpressRoute circuit SKUs can be connected to Virtual WAN: Local, Standard, and Premium.
-ExpressRoute Global Reach is an add-on feature for ExpressRoute. With Global Reach, you can link ExpressRoute circuits together to make a private network between your on-premises networks. Branches that are connected to Azure Virtual WAN using ExpressRoute require the ExpressRoute Global Reach to communicate with each other. Global Reach is not required for transitivity between site-to-site VPN and ExpressRoute connected branches.
+There are two options to enable ExpressRoute to ExpressRoute transit connectivity when using Azure Virtual WAN:
-In this model, each branch that is connected to the virtual WAN hub using ExpressRoute can connect to VNets using the branch-to-VNet path. Branch-to-branch traffic won't transit the hub because ExpressRoute Global Reach enables a more optimal path over Azure WAN.
+* You can enable ExpressRoute to ExpressRoute transit connectivity by enabling ExpressRoute Global Reach on your ExpressRoute circuits. [Global Reach](../expressroute/expressroute-global-reach.md) is an ExpressRoute add-on feature that allows you to link ExpressRoute circuits in different peering locations together to make a private network. ExpressRoute to ExpressRoute transit connectivity between circuits with the Global Reach add-on will not transit the Virtual WAN hub because Global Reach enables a more optimal path over the global backbone.
+
+* You can use the Routing Intent feature with private traffic routing policies to enable ExpressRoute transit connectivity via a security appliance deployed in the Virtual WAN Hub. This option doesn't require Global Reach. For more information, see the [ExpressRoute section](how-to-routing-policies.md#expressroute) in routing intent documentation.
### Branch-to-branch (b) and Branch-to-Branch cross-region (f)
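Review bot: The rewrite drops the sentence "Global Reach is not required for transitivity between site-to-site VPN and ExpressRoute connected branches", and neither new bullet covers VPN-to-ExpressRoute transit; keep that statement or say where it now lives. The added bullets also write "Virtual WAN hub" in one and "Virtual WAN Hub" in the other, and the carried-over "Express Route circuit connections" should read "ExpressRoute".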
Orchestration of Azure Firewalls in virtual WAN hubs can be performed by Azure F
For more information on deploying and orchestrating Next-Generation Firewall Network Virtual Appliances in the Virtual WAN hub, see [Integrated Network Virtual Appliances in the Virtual Hub](about-nva-hub.md). For more information on SaaS security solutions that can be deployed in the Virtual WAN hub, see [software-as-a-service](how-to-palo-alto-cloud-ngfw.md). - :::image type="content" source="./media/virtual-wan-global-transit-network-architecture/secured-hub.png" alt-text="Diagram of secured virtual hub with Azure Firewall." lightbox="./media/virtual-wan-global-transit-network-architecture/secured-hub.png"::: **Figure 5: Secured virtual hub with Azure Firewall**