Updates from: 09/08/2021 03:08:40
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/azure-monitor.md
In this article, you learn how to transfer the logs to an Azure Log Analytics wo
> [!IMPORTANT] > When you plan to transfer Azure AD B2C logs to different monitoring solutions, or repository, consider the following. Azure AD B2C logs contain personal data. Such data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, using appropriate technical or organizational measures.
+Watch this video to learn how to configure monitoring for Azure AD B2C using Azure Monitor.
+[!Video https://www.youtube.com/embed/tF2JS6TGc3g]
+ ## Deployment overview Azure AD B2C leverages [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). Because an Azure AD B2C tenant, unlike Azure AD tenants, can't have a subscription associated with it, we need to take some additional steps to enable the integration between Azure AD B2C and Log Analytics, which is where we'll send the logs.
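Review bot: the video embed on the second added line is written as `[!Video https://...]`, but the Docs video extension is a blockquote with the uppercase keyword, `> [!VIDEO https://www.youtube.com/embed/tF2JS6TGc3g]`; verify that the lowercase, un-quoted form actually renders before merging. In the relocated Deployment overview, replace "leverages" with "uses", and because the IMPORTANT note just above says the logs contain personal data, the overview should say that the Log Analytics workspace the logs land in inherits that handling requirement (who can read the workspace, how long data is retained), not only that a B2C tenant has no subscription of its own.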
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
It helps to categorize between `/User` and `/Group` to map any default user attr
| Azure Active Directory group | urn:ietf:params:scim:schemas:core:2.0:Group | | | | | displayName |displayName |
-| mail |emails[type eq "work"].value |
-| mailNickname |displayName |
| members |members | | objectId |externalId |
-| proxyAddresses |emails[type eq "other"].Value |
**Example list of group attributes**
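Review bot: three default Group attribute mappings (`mail`, `mailNickname`, `proxyAddresses`) are removed with no replacement row and no explanation in the surrounding text; confirm that the provisioning service's default Group mapping really no longer emits `emails[type eq "work"].value` and `emails[type eq "other"].Value`, otherwise readers comparing the portal's default mapping against this table will find rows the doc no longer lists. Dropping the `mailNickname` → `displayName` row is right regardless, since it mapped a second source attribute onto the SCIM `displayName` that the `displayName` row already fills.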
To help drive awareness and demand of our joint integration, we recommend you up
> [Writing expressions for attribute mappings](functions-for-customizing-application-data.md) > [Scoping filters for user provisioning](define-conditional-rules-for-provisioning-user-accounts.md) > [Account provisioning notifications](user-provisioning.md)
-> [List of tutorials on how to integrate SaaS apps](../saas-apps/tutorial-list.md)
+> [List of tutorials on how to integrate SaaS apps](../saas-apps/tutorial-list.md)
active-directory Authentication Flows App Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/authentication-flows-app-scenarios.md
However, there are also daemon apps. In these scenarios, applications acquire to
Security tokens can be acquired by multiple types of applications. These applications tend to be separated into the following three categories. Each is used with different libraries and objects. -- **Single-page applications**: Also known as SPAs, these are web apps in which tokens are acquired by a JavaScript or TypeScript app running in the browser. Many modern apps have a single-page application at the front end that's primarily written in JavaScript. The application often uses a framework like Angular, React, or Vue. MSAL.js is the only Microsoft authentication library that supports single-page applications.
+- **Single-page applications**: Also known as SPAs, these are web apps in which tokens are acquired by a JavaScript or TypeScript app running in the browser. Many modern apps have a single-page application at the front end that's primarily written in JavaScript. The application often uses a framework like Angular, React, or Vue. MSAL.js is the only Microsoft Authentication Library that supports single-page applications.
- **Public client applications**: Apps in this category, like the following types, always sign in users: - Desktop apps that call web APIs on behalf of signed-in users
Applications running on a device without a browser can still call an API on beha
![Device code flow](media/scenarios/device-code-flow-app.svg)
-Though we don't recommend that you use it, the [username/password flow](scenario-desktop-acquire-token.md#username-and-password) is available in public client applications. This flow is still needed in some scenarios like DevOps.
+Though we don't recommend that you use it, the [username/password flow](scenario-desktop-acquire-token-username-password.md) is available in public client applications. This flow is still needed in some scenarios like DevOps.
Using the username/password flow constrains your applications. For instance, applications can't sign in a user who needs to use multifactor authentication or the Conditional Access tool in Azure AD. Your applications also don't benefit from single sign-on. Authentication with the username/password flow goes against the principles of modern authentication and is provided only for legacy reasons.
-In desktop apps, if you want the token cache to persist, you can customize the [token cache serialization](scenario-desktop-acquire-token.md#file-based-token-cache). By implementing [dual token cache serialization](scenario-desktop-acquire-token.md#dual-token-cache-serialization-msal-unified-cache--adal-v3), you can use backward-compatible and forward-compatible token caches. These tokens support previous generations of authentication libraries. Specific libraries include Azure AD Authentication Library for .NET (ADAL.NET) version 3 and version 4.
+In desktop apps, if you want the token cache to persist, you can customize the [token cache serialization](msal-net-token-cache-serialization.md). By implementing [dual token cache serialization](msal-net-token-cache-serialization.md#dual-token-cache-serialization-msal-unified-cache-and-adal-v3), you can use backward-compatible and forward-compatible token caches. These tokens support previous generations of authentication libraries. Specific libraries include Azure AD Authentication Library for .NET (ADAL.NET) version 3 and version 4.
For more information, see [Desktop app that calls web APIs](scenario-desktop-overview.md).
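Review bot: the added line keeps "This flow is still needed in some scenarios like DevOps" immediately before a paragraph saying username/password cannot satisfy MFA or Conditional Access and exists only for legacy reasons; a DevOps justification invites exactly the unattended automation those constraints rule out. Suggest rewording to point non-interactive cases at flows this article already covers: the device code flow described just above for user-delegated access without a local browser, and the client credentials flow for daemon apps that have no user at all.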
Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flo
</tr> <tr>
- <td rowspan="3"><a href="scenario-desktop-overview.md"><img alt=Desktop app that calls web APIs" src="media/scenarios/desktop-app.svg"></a></td>
+ <td rowspan="3"><a href="scenario-desktop-overview.md"><img alt="Desktop app that calls web APIs" src="media/scenarios/desktop-app.svg"></a></td>
<td rowspan="4"><a href="scenario-desktop-overview.md">Desktop app that calls web APIs</a></td> <td>Interactive by using <a href="v2-oauth2-auth-code-flow.md">authorization code</a> with PKCE</td> <td>Work or school accounts, personal accounts, and Azure AD B2C</td>
Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flo
</tr> <tr>
- <td><a href="scenario-desktop-acquire-token.md#command-line-tool-without-a-web-browser"><img alt="Browserless application" src="media/scenarios/device-code-flow-app.svg"></a></td>
+ <td><a href="scenario-desktop-acquire-token-device-code-flow.md"><img alt="Browserless application" src="media/scenarios/device-code-flow-app.svg"></a></td>
<td><a href="v2-oauth2-device-code.md">Device code</a></td> <td>Work or school accounts, personal accounts, but not Azure AD B2C</td> </tr>
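Review bot: the Device code row still lists "personal accounts" as supported, while the new device code flow article in this same change set documents AADSTS90133, "Device Code flow is not supported under /common or /consumers endpoint", and tells readers the authority must be tenanted. Either the row's account types or the sample's error comments are stale; reconcile them so the table and the article agree.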
Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flo
## Scenarios and supported platforms and languages
-Microsoft authentication libraries support multiple platforms:
+Microsoft Authentication Libraries support multiple platforms:
- .NET Core - .NET Framework
active-directory Howto Add Branding In Azure Ad Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-add-branding-in-azure-ad-apps.md
-+ Last updated 08/31/2020
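Review bot: the only visible change in this file is removal of the `Last updated 08/31/2020` front-matter line with no replacement date, and the same removal appears below for the SameSite cookie and Xamarin broker articles; if the date field is being dropped rather than refreshed, those pages lose their freshness stamp, so confirm a current date is set elsewhere in the same commit.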
active-directory Howto Handle Samesite Cookie Changes Chrome Browser https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser.md
-+ Last updated 01/27/2020
active-directory Msal Authentication Flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-authentication-flows.md
The Microsoft Authentication Library (MSAL) supports several authentication flow
|--|--|--| | [Authorization code](#authorization-code) | Used in apps that are installed on a device to gain access to protected resources, such as web APIs. Enables you to add sign-in and API access to your mobile and desktop apps. | [Desktop apps](scenario-desktop-overview.md), [mobile apps](scenario-mobile-overview.md), [web apps](scenario-web-app-call-api-overview.md) | | [Client credentials](#client-credentials) | Allows you to access web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. | [Daemon apps](scenario-daemon-overview.md) |
-| [Device code](#device-code) | Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. | [Desktop/mobile apps](scenario-desktop-acquire-token.md#command-line-tool-without-a-web-browser) |
+| [Device code](#device-code) | Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. | [Desktop/mobile apps](scenario-desktop-acquire-token-device-code-flow.md) |
| [Implicit grant](#implicit-grant) | Allows the app to get tokens without performing a back-end server credential exchange. Enables the app to sign in the user, maintain session, and get tokens to other web APIs, all within the client JavaScript code. | [Single-page applications (SPA)](scenario-spa-overview.md) | | [On-behalf-of](#on-behalf-of) | An application invokes a service or web API, which in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain. | [Web APIs](scenario-web-api-call-api-overview.md) |
-| [Username/password](#usernamepassword) | Allows an application to sign in the user by directly handling their password. This flow isn't recommended. | [Desktop/mobile apps](scenario-desktop-acquire-token.md#username-and-password) |
-| [Integrated Windows Authentication](#integrated-windows-authentication) | Allows applications on domain or Azure Active Directory (Azure AD) joined computers to acquire a token silently (without any UI interaction from the user). | [Desktop/mobile apps](scenario-desktop-acquire-token.md#integrated-windows-authentication) |
+| [Username/password](#usernamepassword) | Allows an application to sign in the user by directly handling their password. This flow isn't recommended. | [Desktop/mobile apps](scenario-desktop-acquire-token-username-password.md) |
+| [Integrated Windows Authentication](#integrated-windows-authentication) | Allows applications on domain or Azure Active Directory (Azure AD) joined computers to acquire a token silently (without any UI interaction from the user). | [Desktop/mobile apps](scenario-desktop-acquire-token-integrated-windows-authentication.md) |
## How each flow emits tokens and codes
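Review bot: the Username/password row carries "This flow isn't recommended", but the Integrated Windows Authentication row rewritten in the same hunk gives no caveat at all, even though the new IWA article in this change set says the flow works only for federated users, fails whenever MFA is required, and needs prior consent because it is silent. A short qualifier in the description column, for example "silent; fails if MFA is required, fall back to interactive or device code", would keep the table honest about both non-interactive flows.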
active-directory Msal Net Differences Adal Net https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-differences-adal-net.md
Here are the grants supported in ADAL.NET and MSAL.NET for Desktop and Mobile ap
Grant | MSAL.NET | ADAL.NET | | - | - |
-Interactive | [Acquiring tokens interactively in MSAL.NET](scenario-desktop-acquire-token.md#acquire-a-token-interactively) | [Interactive Auth](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Acquiring-tokens-interactivelyPublic-client-application-flows) |
-Integrated Windows Authentication | [Integrated Windows Authentication](scenario-desktop-acquire-token.md#integrated-windows-authentication) | [Integrated authentication on Windows (Kerberos)](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-Integrated-authentication-on-Windows-(Kerberos)) |
-Username / Password | [Username Password Authentication](scenario-desktop-acquire-token.md#username-and-password) | [Acquiring tokens with username and password](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Acquiring-tokens-with-username-and-password) |
-Device code flow | [Device Code flow](scenario-desktop-acquire-token.md#command-line-tool-without-a-web-browser) | [Device profile for devices without web browsers](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Device-profile-for-devices-without-web-browsers) |
+Interactive | [Acquiring tokens interactively in MSAL.NET](scenario-desktop-acquire-token-interactive.md) | [Interactive Auth](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Acquiring-tokens-interactivelyPublic-client-application-flows) |
+Integrated Windows Authentication | [Integrated Windows Authentication](scenario-desktop-acquire-token-integrated-windows-authentication.md) | [Integrated authentication on Windows (Kerberos)](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-Integrated-authentication-on-Windows-(Kerberos)) |
+Username / Password | [Username Password Authentication](scenario-desktop-acquire-token-username-password.md) | [Acquiring tokens with username and password](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Acquiring-tokens-with-username-and-password) |
+Device code flow | [Device Code flow](scenario-desktop-acquire-token-device-code-flow.md) | [Device profile for devices without web browsers](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Device-profile-for-devices-without-web-browsers) |
### Confidential client applications
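Review bot: the Interactive row's ADAL.NET wiki URL, `.../wiki/Acquiring-tokens-interactivelyPublic-client-application-flows`, is carried over unchanged and looks malformed (two page names fused with no separator); since the row is being rewritten anyway, verify or fix that link in the same commit. The other three MSAL.NET links now target the split per-flow pages, which is correct.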
active-directory Msal Net Use Brokers With Xamarin Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-use-brokers-with-xamarin-apps.md
-+ Last updated 09/08/2019
active-directory Msal Net Web Browsers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-web-browsers.md
authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
#### .NET Core doesn't support interactive authentication with an embedded browser For .NET Core, acquisition of tokens interactively is only available through the system web browser, not with embedded web views. Indeed, .NET Core doesn't provide UI yet.
-If you want to customize the browsing experience with the system web browser, you can implement the [IWithCustomUI](scenario-desktop-acquire-token.md#withcustomwebui) interface and even provide your own browser.
+If you want to customize the browsing experience with the system web browser, you can implement the [IWithCustomUI](scenario-desktop-acquire-token-interactive.md#withcustomwebui) interface and even provide your own browser.
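Review bot: the link text `IWithCustomUI` does not match its own anchor `#withcustomwebui` and is not an MSAL.NET type; the extensibility interface is `ICustomWebUi` and the builder method is `.WithCustomWebUi()`. Fix the name while retargeting the link, since readers searching the API reference for `IWithCustomUI` will find nothing.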
active-directory Scenario Desktop Acquire Token Device Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token-device-code-flow.md
+
+ Title: Acquire a token to call a web API using device code flow (desktop app) | Azure
+
+description: Learn how to build a desktop app that calls web APIs to acquire a token for the app using device code flow
++++++++ Last updated : 08/25/2021++
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
++
+# Desktop app that calls web APIs: Acquire a token using Device Code flow
+
+If you're writing a command-line tool that doesn't have web controls, and you can't or don't want to use the previous flows, use the device code flow.
+
+## Device code flow
+
+Interactive authentication with Azure AD requires a web browser. For more information, see [Usage of web browsers](https://aka.ms/msal-net-uses-web-browser). To authenticate users on devices or operating systems that don't provide a web browser, device code flow lets the user use another device such as a computer or a mobile phone to sign in interactively. By using the device code flow, the application obtains tokens through a two-step process that's designed for these devices or operating systems. Examples of such applications are applications that run on iOT or command-line tools (CLI). The idea is that:
+
+1. Whenever user authentication is required, the app provides a code for the user. The user is asked to use another device, such as an internet-connected smartphone, to go to a URL, for instance, `https://microsoft.com/devicelogin`. Then the user is prompted to enter the code. That done, the web page leads the user through a normal authentication experience, which includes consent prompts and multi-factor authentication, if necessary.
+
+2. Upon successful authentication, the command-line app receives the required tokens through a back channel and uses them to perform the web API calls it needs.
+
+## Use it
+
+# [.NET](#tab/dotnet)
+
+`IPublicClientApplication`contains a method named `AcquireTokenWithDeviceCode`.
+
+```csharp
+ AcquireTokenWithDeviceCode(IEnumerable<string> scopes,
+ Func<DeviceCodeResult, Task> deviceCodeResultCallback)
+```
+
+This method takes as parameters:
+
+- The `scopes` to request an access token for.
+- A callback that receives the [`DeviceCodeResult`](https://docs.microsoft.com/dotnet/api/microsoft.identity.client.devicecoderesult).
+
+The following sample code presents the synopsis of most current cases, with explanations of the kind of exceptions you can get and their mitigation. For a fully functional code sample, see [active-directory-dotnetcore-devicecodeflow-v2](https://github.com/azure-samples/active-directory-dotnetcore-devicecodeflow-v2) on GitHub.
+
+```csharp
+private const string ClientId = "<client_guid>";
+private const string Authority = "https://login.microsoftonline.com/contoso.com";
+private readonly string[] scopes = new string[] { "user.read" };
+
+static async Task<AuthenticationResult> GetATokenForGraph()
+{
+ IPublicClientApplication pca = PublicClientApplicationBuilder
+ .Create(ClientId)
+ .WithAuthority(Authority)
+ .WithDefaultRedirectUri()
+ .Build();
+
+ var accounts = await pca.GetAccountsAsync();
+
+ // All AcquireToken* methods store the tokens in the cache, so check the cache first
+ try
+ {
+ return await pca.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
+ .ExecuteAsync();
+ }
+ catch (MsalUiRequiredException ex)
+ {
+ // No token found in the cache or AAD insists that a form interactive auth is required (e.g. the tenant admin turned on MFA)
+ // If you want to provide a more complex user experience, check out ex.Classification
+
+ return await AcquireByDeviceCodeAsync(pca);
+ }
+}
+
+private static async Task<AuthenticationResult> AcquireByDeviceCodeAsync(IPublicClientApplication pca)
+{
+ try
+ {
+ var result = await pca.AcquireTokenWithDeviceCode(scopes,
+ deviceCodeResult =>
+ {
+ // This will print the message on the console which tells the user where to go sign-in using
+ // a separate browser and the code to enter once they sign in.
+ // The AcquireTokenWithDeviceCode() method will poll the server after firing this
+ // device code callback to look for the successful login of the user via that browser.
+ // This background polling (whose interval and timeout data is also provided as fields in the
+ // deviceCodeCallback class) will occur until:
+ // * The user has successfully logged in via browser and entered the proper code
+ // * The timeout specified by the server for the lifetime of this code (typically ~15 minutes) has been reached
+ // * The developing application calls the Cancel() method on a CancellationToken sent into the method.
+ // If this occurs, an OperationCanceledException will be thrown (see catch below for more details).
+ Console.WriteLine(deviceCodeResult.Message);
+ return Task.FromResult(0);
+ }).ExecuteAsync();
+
+ Console.WriteLine(result.Account.Username);
+ return result;
+ }
+
+ // TODO: handle or throw all these exceptions depending on your app
+ catch (MsalServiceException ex)
+ {
+ // Kind of errors you could have (in ex.Message)
+
+ // AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.
+ // Mitigation: as explained in the message from Azure AD, the authoriy needs to be tenanted. you have probably created
+ // your public client application with the following authorities:
+ // https://login.microsoftonline.com/common or https://login.microsoftonline.com/organizations
+
+ // AADSTS90133: Device Code flow is not supported under /common or /consumers endpoint.
+ // Mitigation: as explained in the message from Azure AD, the authority needs to be tenanted
+
+ // AADSTS90002: Tenant <tenantId or domain you used in the authority> not found. This may happen if there are
+ // no active subscriptions for the tenant. Check with your subscription administrator.
+ // Mitigation: if you have an active subscription for the tenant this might be that you have a typo in the
+ // tenantId (GUID) or tenant domain name.
+ }
+ catch (OperationCanceledException ex)
+ {
+ // If you use a CancellationToken, and call the Cancel() method on it, then this *may* be triggered
+ // to indicate that the operation was cancelled.
+ // See https://docs.microsoft.com/dotnet/standard/threading/cancellation-in-managed-threads
+ // for more detailed information on how C# supports cancellation in managed threads.
+ }
+ catch (MsalClientException ex)
+ {
+ // Possible cause - verification code expired before contacting the server
+ // This exception will occur if the user does not manage to sign-in before a time out (15 mins) and the
+ // call to `AcquireTokenWithDeviceCode` is not cancelled in between
+ }
+}
+```
+
+# [Java](#tab/java)
+
+This extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+
+```java
+private static IAuthenticationResult acquireTokenDeviceCode() throws Exception {
+
+ // Load token cache from file and initialize token cache aspect. The token cache will have
+ // dummy data, so the acquireTokenSilently call will fail.
+ TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
+
+ PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
+ .authority(AUTHORITY)
+ .setTokenCacheAccessAspect(tokenCacheAspect)
+ .build();
+
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ // Take first account in the cache. In a production application, you would filter
+ // accountsInCache to get the right account for the user authenticating.
+ IAccount account = accountsInCache.iterator().next();
+
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(SCOPE, account)
+ .build();
+
+ // try to acquire token silently. This call will fail since the token cache
+ // does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+
+ Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) ->
+ System.out.println(deviceCode.message());
+
+ DeviceCodeFlowParameters parameters =
+ DeviceCodeFlowParameters
+ .builder(SCOPE, deviceCodeConsumer)
+ .build();
+
+ // Try to acquire a token via device code flow. If successful, you should see
+ // the token and account information printed out to console, and the sample_cache.json
+ // file should have been updated with the latest tokens.
+ result = pca.acquireToken(parameters).join();
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
+ }
+ return result;
+}
+```
+
+# [macOS](#tab/macOS)
+
+This flow doesn't apply to macOS.
+
+# [Node.js](#tab/nodejs)
+
+This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/device-code).
+
+```javascript
+const msal = require('@azure/msal-node');
+
+const msalConfig = {
+ auth: {
+ clientId: "your_client_id_here",
+ authority: "your_authority_here",
+ }
+};
+
+const pca = new msal.PublicClientApplication(msalConfig);
+
+const deviceCodeRequest = {
+ deviceCodeCallback: (response) => (console.log(response.message)),
+ scopes: ["user.read"],
+ timeout: 20,
+};
+
+pca.acquireTokenByDeviceCode(deviceCodeRequest).then((response) => {
+ console.log(JSON.stringify(response));
+}).catch((error) => {
+ console.log(JSON.stringify(error));
+});
+```
+
+# [Python](#tab/python)
+
+This extract is from the [MSAL Python dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/).
+
+```python
+# Create a preferably long-lived app instance which maintains a token cache.
+app = msal.PublicClientApplication(
+ config["client_id"], authority=config["authority"],
+ # token_cache=... # Default cache is in memory only.
+ # You can learn how to use SerializableTokenCache from
+ # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
+ )
+
+# The pattern to acquire a token looks like this.
+result = None
+
+# Note: If your device-flow app does not have any interactive ability, you can
+# completely skip the following cache part. But here we demonstrate it anyway.
+# We now check the cache to see if we have some end users signed in before.
+accounts = app.get_accounts()
+if accounts:
+ logging.info("Account(s) exists in cache, probably with token too. Let's try.")
+ print("Pick the account you want to use to proceed:")
+ for a in accounts:
+ print(a["username"])
+ # Assuming the end user chose this one
+ chosen = accounts[0]
+ # Now let's try to find a token in cache for this account
+ result = app.acquire_token_silent(config["scope"], account=chosen)
+
+if not result:
+ logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
+
+ flow = app.initiate_device_flow(scopes=config["scope"])
+ if "user_code" not in flow:
+ raise ValueError(
+ "Fail to create device flow. Err: %s" % json.dumps(flow, indent=4))
+
+ print(flow["message"])
+ sys.stdout.flush() # Some terminal needs this to ensure the message is shown
+
+ # Ideally you should wait here, in order to save some unnecessary polling
+ # input("Press Enter after signing in from another device to proceed, CTRL+C to abort.")
+
+ result = app.acquire_token_by_device_flow(flow) # By default it will block
+ # You can follow this instruction to shorten the block time
+ # https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_device_flow
+ # or you may even turn off the blocking behavior,
+ # and then keep calling acquire_token_by_device_flow(flow) in your own customized loop
+```
+++
+## Next steps
+
+Move on to the next article in this scenario,
+[Call a web API from the desktop app](scenario-desktop-call-api.md).
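Review bot: the .NET sample does not compile as written: `scopes` is declared as an instance field (`private readonly string[] scopes`) but is read from the static methods `GetATokenForGraph` and `AcquireByDeviceCodeAsync`, and in `AcquireByDeviceCodeAsync` none of the three catch blocks returns or rethrows, so not all code paths return a value. Make the field `static` (or pass the scopes in as a parameter) and end each catch with `throw;` or an explicit `return null;` that the caller checks. `.WithDefaultRedirectUri()` is also redundant here, since device code flow involves no redirect. In the Java sample, `accountsInCache.iterator().next()` throws `NoSuchElementException` on an empty cache; guard it the way the Python sample does with its `if accounts:` check. Finally, the opening sentence refers to "the previous flows", but this is now a standalone article, so name them (interactive, integrated Windows authentication, username/password).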
active-directory Scenario Desktop Acquire Token Integrated Windows Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token-integrated-windows-authentication.md
+
+ Title: Acquire a token to call a web API using integrated windows auth (desktop app) | Azure
+
+description: Learn how to build a desktop app that calls web APIs to acquire a token for the app using integrated windows auth
++++++++ Last updated : 08/25/2021++
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
++
+# Desktop app that calls web APIs: Acquire a token using Integrated Windows Authentication
+
+To sign in a domain user on a domain or Azure AD joined machine, use Integrated Windows Authentication (IWA).
+
+## Constraints
+
+- Integrated Windows Authentication is usable for *federated+* users only, that is, users created in Active Directory and backed by Azure AD. Users created directly in Azure AD without Active Directory backing, known as *managed* users, can't use this authentication flow. This limitation doesn't affect the username and password flow.
+- IWA doesn't bypass [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md). If MFA is configured, IWA might fail if an MFA challenge is required, because MFA requires user interaction.
+
+ IWA is non-interactive, but MFA requires user interactivity. You don't control when the identity provider requests MFA to be performed, the tenant admin does. From our observations, MFA is required when you sign in from a different country/region, when not connected via VPN to a corporate network, and sometimes even when connected via VPN. Don't expect a deterministic set of rules. Azure AD uses AI to continuously learn if MFA is required. Fall back to a user prompt like interactive authentication or device code flow if IWA fails.
+
+- The authority passed in `PublicClientApplicationBuilder` needs to be:
+ - Tenanted of the form `https://login.microsoftonline.com/{tenant}/`, where `tenant` is either the GUID that represents the tenant ID or a domain associated with the tenant.
+ - For any work and school accounts: `https://login.microsoftonline.com/organizations/`.
+ - Microsoft personal accounts aren't supported. You can't use /common or /consumers tenants.
+
+- Because Integrated Windows Authentication is a silent flow:
+ - The user of your application must have previously consented to use the application.
+ - Or, the tenant admin must have previously consented to all users in the tenant to use the application.
+ - In other words:
+ - Either you as a developer selected the **Grant** button in the Azure portal for yourself.
+ - Or, a tenant admin selected the **Grant/revoke admin consent for {tenant domain}** button on the **API permissions** tab of the registration for the application. For more information, see [Add permissions to access your web API](quickstart-configure-app-access-web-apis.md#add-permissions-to-access-your-web-api).
+ - Or, you've provided a way for users to consent to the application. For more information, see [Requesting individual user consent](./v2-permissions-and-consent.md#requesting-individual-user-consent).
+ - Or, you've provided a way for the tenant admin to consent to the application. For more information, see [Admin consent](./v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant).
+
+- This flow is enabled for .NET desktop, .NET Core, and UWP apps.
+
+For more information on consent, see the [Microsoft identity platform permissions and consent](./v2-permissions-and-consent.md).
+
+## Learn how to use it
+
+# [.NET](#tab/dotnet)
+
+In MSAL.NET, use:
+
+```csharp
+AcquireTokenByIntegratedWindowsAuth(IEnumerable<string> scopes)
+```
+
+You normally need only one parameter (`scopes`). Depending on the way your Windows administrator set up the policies, applications on your Windows machine might not be allowed to look up the signed-in user. In that case, use a second method, `.WithUsername()`, and pass in the username of the signed-in user as a UPN format, for example, `joe@contoso.com`.
+
+The following sample presents the most current case, with explanations of the kind of exceptions you can get and their mitigations.
+
+```csharp
+static async Task GetATokenForGraph()
+{
+ string authority = "https://login.microsoftonline.com/contoso.com";
+ string[] scopes = new string[] { "user.read" };
+ IPublicClientApplication app = PublicClientApplicationBuilder
+ .Create(clientId)
+ .WithAuthority(authority)
+ .Build();
+
+ var accounts = await app.GetAccountsAsync();
+
+ AuthenticationResult result = null;
+ if (accounts.Any())
+ {
+ result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
+ .ExecuteAsync();
+ }
+ else
+ {
+ try
+ {
+ result = await app.AcquireTokenByIntegratedWindowsAuth(scopes)
+ .ExecuteAsync(CancellationToken.None);
+ }
+ catch (MsalUiRequiredException ex)
+ {
+ // MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application
+ // with ID '{appId}' named '{appName}'.Send an interactive authorization request for this user and resource.
+
+ // you need to get user consent first. This can be done, if you are not using .NET Core (which does not have any Web UI)
+ // by doing (once only) an AcquireToken interactive.
+
+ // If you are using .NET core or don't want to do an AcquireTokenInteractive, you might want to suggest the user to navigate
+ // to a URL to consent: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read
+
+ // AADSTS50079: The user is required to use multi-factor authentication.
+ // There is no mitigation - if MFA is configured for your tenant and AAD decides to enforce it,
+ // you need to fallback to an interactive flows such as AcquireTokenInteractive or AcquireTokenByDeviceCode
+ }
+ catch (MsalServiceException ex)
+ {
+ // Kind of errors you could have (in ex.Message)
+
+ // MsalServiceException: AADSTS90010: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
+ // you used common.
+ // Mitigation: as explained in the message from Azure AD, the authority needs to be tenanted or otherwise organizations
+
+ // MsalServiceException: AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.
+ // Explanation: this can happen if your application was not registered as a public client application in Azure AD
+ // Mitigation: in the Azure portal, edit the manifest for your application and set the `allowPublicClient` to `true`
+ }
+ catch (MsalClientException ex)
+ {
+ // Error Code: unknown_user Message: Could not identify logged in user
+ // Explanation: the library was unable to query the current Windows logged-in user or this user is not AD or AAD
+ // joined (work-place joined users are not supported).
+
+ // Mitigation 1: on UWP, check that the application has the following capabilities: Enterprise Authentication,
+ // Private Networks (Client and Server), User Account Information
+
+ // Mitigation 2: Implement your own logic to fetch the username (e.g. john@contoso.com) and use the
+ // AcquireTokenByIntegratedWindowsAuth form that takes in the username
+
+ // Error Code: integrated_windows_auth_not_supported_managed_user
+ // Explanation: This method relies on an a protocol exposed by Active Directory (AD). If a user was created in Azure
+ // Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by
+ // AAD ("federated" users) can benefit from this non-interactive method of authentication.
+ // Mitigation: Use interactive authentication
+ }
+ }
+
+ Console.WriteLine(result.Account.Username);
+}
+```
+
+For the list of possible modifiers on AcquireTokenByIntegratedWindowsAuthentication, see [AcquireTokenByIntegratedWindowsAuthParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokenbyintegratedwindowsauthparameterbuilder#methods).
+
+# [Java](#tab/java)
+
+This extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+
+```java
+private static IAuthenticationResult acquireTokenIwa() throws Exception {
+
+ // Load token cache from file and initialize token cache aspect. The token cache will have
+ // dummy data, so the acquireTokenSilently call will fail.
+ TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
+
+ PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
+ .authority(AUTHORITY)
+ .setTokenCacheAccessAspect(tokenCacheAspect)
+ .build();
+
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ // Take first account in the cache. In a production application, you would filter
+ // accountsInCache to get the right account for the user authenticating.
+ IAccount account = accountsInCache.iterator().next();
+
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(SCOPE, account)
+ .build();
+
+ // try to acquire token silently. This call will fail since the token cache
+ // does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+
+ IntegratedWindowsAuthenticationParameters parameters =
+ IntegratedWindowsAuthenticationParameters
+ .builder(SCOPE, USER_NAME)
+ .build();
+
+ // Try to acquire a IWA. You will need to generate a Kerberos ticket.
+ // If successful, you should see the token and account information printed out to
+ // console
+ result = pca.acquireToken(parameters).join();
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
+ }
+ return result;
+}
+```
+
+# [macOS](#tab/macOS)
+
+This flow doesn't apply to macOS.
+
+# [Node.js](#tab/nodejs)
+
+This flow isn't yet supported in MSAL Node.
+
+# [Python](#tab/python)
+
+This flow isn't yet supported in MSAL Python.
++
+## Next steps
+
+Move on to the next article in this scenario,
+[Call a web API from the desktop app](scenario-desktop-call-api.md).
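Review bot: in the .NET sample, the three `catch` blocks (`MsalUiRequiredException`, `MsalServiceException`, `MsalClientException`) contain only comments and neither rethrow nor return, so `result` is still `null` when execution reaches `Console.WriteLine(result.Account.Username);` and every failure path the comments document ends in a `NullReferenceException` instead of the described error. Suggest a `throw;` at the end of each block, or guarding the final line with `if (result != null) Console.WriteLine(result.Account.Username);`. The `ex` variables in those blocks are never read; `catch (MsalUiRequiredException)` without the identifier avoids the unused-variable warning. Minor: the closing sentence refers to `AcquireTokenByIntegratedWindowsAuthentication`, while the method introduced at the top of the tab and used in the sample is `AcquireTokenByIntegratedWindowsAuth`.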
active-directory Scenario Desktop Acquire Token Interactive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token-interactive.md
+
+ Title: Acquire a token to call a web API interactively (desktop app) | Azure
+
+description: Learn how to build a desktop app that calls web APIs to acquire a token for the app interactively
++++++++ Last updated : 08/25/2021++
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
++
+# Desktop app that calls web APIs: Acquire a token interactively
+
+The following example shows minimal code to get a token interactively for reading the user's profile with Microsoft Graph.
+
+# [.NET](#tab/dotnet)
+
+### In MSAL.NET
+
+```csharp
+string[] scopes = new string[] {"user.read"};
+var app = PublicClientApplicationBuilder.Create(clientId).Build();
+var accounts = await app.GetAccountsAsync();
+AuthenticationResult result;
+try
+{
+ result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
+ .ExecuteAsync();
+}
+catch(MsalUiRequiredException)
+{
+ result = await app.AcquireTokenInteractive(scopes)
+ .ExecuteAsync();
+}
+```
+
+### Mandatory parameters
+
+`AcquireTokenInteractive` has only one mandatory parameter, ``scopes``, which contains an enumeration of strings that define the scopes for which a token is required. If the token is for Microsoft Graph, the required scopes can be found in the API reference of each Microsoft Graph API in the section named "Permissions." For instance, to [list the user's contacts](/graph/api/user-list-contacts), the scope "User.Read", "Contacts.Read" must be used. For more information, see [Microsoft Graph permissions reference](/graph/permissions-reference).
+
+On Android, you also need to specify the parent activity by using `.WithParentActivityOrWindow`, as shown, so that the token gets back to that parent activity after the interaction. If you don't specify it, an exception is thrown when calling `.ExecuteAsync()`.
+
+### Specific optional parameters in MSAL.NET
+
+#### WithParentActivityOrWindow
+
+The UI is important because it's interactive. `AcquireTokenInteractive` has one specific optional parameter that can specify, for platforms that support it, the parent UI. When used in a desktop application, `.WithParentActivityOrWindow` has a different type, which depends on the platform. Alternatively you can omit the optional parent window parameter to create a window, if you do not want to control where the sign-in dialog appears on the screen. This would be applicable for applications which are command line based, used to pass calls to any other backend service and do not need any windows for user interaction.
+
+```csharp
+// net45
+WithParentActivityOrWindow(IntPtr windowPtr)
+WithParentActivityOrWindow(IWin32Window window)
+
+// Mac
+WithParentActivityOrWindow(NSWindow window)
+
+// .NET Standard (this will be on all platforms at runtime, but only on NetStandard at build time)
+WithParentActivityOrWindow(object parent).
+```
+
+Remarks:
+
+- On .NET Standard, the expected `object` is `Activity` on Android, `UIViewController` on iOS, `NSWindow` on Mac, and `IWin32Window` or `IntPr` on Windows.
+- On Windows, you must call `AcquireTokenInteractive` from the UI thread so that the embedded browser gets the appropriate UI synchronization context. Not calling from the UI thread might cause messages to not pump properly and deadlock scenarios with the UI. One way of calling Microsoft Authentication Libraries (MSALs) from the UI thread if you aren't on the UI thread already is to use the `Dispatcher` on WPF.
+- If you're using WPF, to get a window from a WPF control, you can use the `WindowInteropHelper.Handle` class. Then the call is from a WPF control (`this`):
+
+ ```csharp
+ result = await app.AcquireTokenInteractive(scopes)
+ .WithParentActivityOrWindow(new WindowInteropHelper(this).Handle)
+ .ExecuteAsync();
+ ```
+
+#### WithPrompt
+
+`WithPrompt()` is used to control the interactivity with the user by specifying a prompt.
+
+![Image showing the fields in the Prompt structure. These constant values control interactivity with the user by defining the type of prompt displayed by the WithPrompt() method.](https://user-images.githubusercontent.com/34331512/112267137-3f1c3a00-8c32-11eb-97fb-33604311329a.png)
+
+The class defines the following constants:
+
+- ``SelectAccount`` forces the STS to present the account selection dialog box that contains accounts for which the user has a session. This option is useful when application developers want to let users choose among different identities. This option drives MSAL to send ``prompt=select_account`` to the identity provider. This option is the default. It does a good job of providing the best possible experience based on the available information, such as account and presence of a session for the user. Don't change it unless you have good reason to do it.
+- ``Consent`` enables the application developer to force the user to be prompted for consent, even if consent was granted before. In this case, MSAL sends `prompt=consent` to the identity provider. This option can be used in some security-focused applications where the organization governance demands that the user is presented with the consent dialog box each time the application is used.
+- ``ForceLogin`` enables the application developer to have the user prompted for credentials by the service, even if this user prompt might not be needed. This option can be useful to let the user sign in again if acquiring a token fails. In this case, MSAL sends `prompt=login` to the identity provider. Sometimes it's used in security-focused applications where the organization governance demands that the user re-signs in each time they access specific parts of an application.
+- ``Create`` triggers a sign-up experience, which is used for External Identities, by sending `prompt=create` to the identity provider. This prompt should not be sent for Azure AD B2C apps. For more information, see [Add a self-service sign-up user flow to an app](../external-identities/self-service-sign-up-user-flow.md).
+- ``Never`` (for .NET 4.5 and WinRT only) won't prompt the user, but instead tries to use the cookie stored in the hidden embedded web view. For more information, see web views in MSAL.NET. Using this option might fail. In that case, `AcquireTokenInteractive` throws an exception to notify that a UI interaction is needed. You'll need to use another `Prompt` parameter.
+- ``NoPrompt`` won't send any prompt to the identity provider which therefore will decide to present the best sign-in experience to the user (single-sign-on, or select account). This option is also mandatory for Azure Active Directory (Azure AD) B2C edit profile policies. For more information, see [Azure AD B2C specifics](https://aka.ms/msal-net-b2c-specificities).
+
+#### WithUseEmbeddedWebView
+
+This method enables you to specify if you want to force the usage of an embedded WebView or the system WebView (when available). For more information, see [Usage of web browsers](msal-net-web-browsers.md).
+
+```csharp
+var result = await app.AcquireTokenInteractive(scopes)
+ .WithUseEmbeddedWebView(true)
+ .ExecuteAsync();
+```
+
+#### WithExtraScopeToConsent
+
+This modifier is used in an advanced scenario where you want the user to pre-consent to several resources upfront, and you don't want to use incremental consent, which is normally used with MSAL.NET/the Microsoft identity platform. For more information, see [Have the user consent upfront for several resources](scenario-desktop-production.md#have-the-user-consent-upfront-for-several-resources).
+
+```csharp
+var result = await app.AcquireTokenInteractive(scopesForCustomerApi)
+ .WithExtraScopeToConsent(scopesForVendorApi)
+ .ExecuteAsync();
+```
+
+#### WithCustomWebUi
+
+A web UI is a mechanism to invoke a browser. This mechanism can be a dedicated UI WebBrowser control or a way to delegate opening the browser.
+MSAL provides web UI implementations for most platforms, but there are cases where you might want to host the browser yourself:
+
+- Platforms that aren't explicitly covered by MSAL, for example, Blazor, Unity, and Mono on desktops.
+- You want to UI test your application and use an automated browser that can be used with Selenium.
+- The browser and the app that run MSAL are in separate processes.
+
+##### At a glance
+
+To achieve this, you give to MSAL `start Url`, which needs to be displayed in a browser of choice so that the end user can enter items such as their username.
+After authentication finishes, your app needs to pass back to MSAL `end Url`, which contains a code provided by Azure AD.
+The host of `end Url` is always `redirectUri`. To intercept `end Url`, do one of the following things:
+
+- Monitor browser redirects until `redirect Url` is hit.
+- Have the browser redirect to a URL, which you monitor.
+
+##### WithCustomWebUi is an extensibility point
+
+`WithCustomWebUi` is an extensibility point that you can use to provide your own UI in public client applications. You can also let the user go through the /Authorize endpoint of the identity provider and let them sign in and consent. MSAL.NET can then redeem the authentication code and get a token. For example, it's used in Visual Studio to have electrons applications (for instance, Visual Studio Feedback) provide the web interaction, but leave it to MSAL.NET to do most of the work. You can also use it if you want to provide UI automation. In public client applications, MSAL.NET uses the Proof Key for Code Exchange (PKCE) standard to ensure that security is respected. Only MSAL.NET can redeem the code. For more information, see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636).
+
+ ```csharp
+ using Microsoft.Identity.Client.Extensions;
+ ```
+
+##### Use WithCustomWebUi
+
+To use `.WithCustomWebUI`, follow these steps.
+
+ 1. Implement the `ICustomWebUi` interface. For more information, see [this website](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/053a98d16596be7e9ca1ab916924e5736e341fe8/src/Microsoft.Identity.Client/Extensibility/ICustomWebUI.cs#L32-L70). Implement one `AcquireAuthorizationCodeAsync`method and accept the authorization code URL computed by MSAL.NET. Then let the user go through the interaction with the identity provider and return back the URL by which the identity provider would have called your implementation back along with the authorization code. If you have issues, your implementation should throw a `MsalExtensionException` exception to nicely cooperate with MSAL.
+ 2. In your `AcquireTokenInteractive` call, use the `.WithCustomUI()` modifier passing the instance of your custom web UI.
+
+ ```csharp
+ result = await app.AcquireTokenInteractive(scopes)
+ .WithCustomWebUi(yourCustomWebUI)
+ .ExecuteAsync();
+ ```
+
+##### Examples of implementation of ICustomWebUi in test automation: SeleniumWebUI
+
+The MSAL.NET team has rewritten the UI tests to use this extensibility mechanism. If you're interested, look at the [SeleniumWebUI](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/053a98d16596be7e9ca1ab916924e5736e341fe8/tests/Microsoft.Identity.Test.Integration/Infrastructure/SeleniumWebUI.cs#L15-L160) class in the MSAL.NET source code.
+
+##### Provide a great experience with SystemWebViewOptions
+
+From MSAL.NET 4.1 [`SystemWebViewOptions`](/dotnet/api/microsoft.identity.client.systemwebviewoptions), you can specify:
+
+- The URI to go to (`BrowserRedirectError`) or the HTML fragment to display (`HtmlMessageError`) in case of sign-in or consent errors in the system web browser.
+- The URI to go to (`BrowserRedirectSuccess`) or the HTML fragment to display (`HtmlMessageSuccess`) in case of successful sign-in or consent.
+- The action to run to start the system browser. You can provide your own implementation by setting the `OpenBrowserAsync` delegate. The class also provides a default implementation for two browsers: `OpenWithEdgeBrowserAsync` and `OpenWithChromeEdgeBrowserAsync` for Microsoft Edge and [Microsoft Edge on Chromium](https://www.windowscentral.com/faq-edge-chromium), respectively.
+
+To use this structure, write something like the following example:
+
+```csharp
+IPublicClientApplication app;
+...
+
+options = new SystemWebViewOptions
+{
+ HtmlMessageError = "<b>Sign-in failed. You can close this tab ...</b>",
+ BrowserRedirectSuccess = "https://contoso.com/help-for-my-awesome-commandline-tool.html"
+};
+
+var result = app.AcquireTokenInteractive(scopes)
+ .WithEmbeddedWebView(false) // The default in .NET Core
+ .WithSystemWebViewOptions(options)
+ .Build();
+```
+
+#### Other optional parameters
+
+To learn more about all the other optional parameters for `AcquireTokenInteractive`, see [AcquireTokenInteractiveParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokeninteractiveparameterbuilder#methods).
+
+# [Java](#tab/java)
+
+```java
+private static IAuthenticationResult acquireTokenInteractive() throws Exception {
+
+ // Load token cache from file and initialize token cache aspect. The token cache will have
+ // dummy data, so the acquireTokenSilently call will fail.
+ TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
+
+ PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
+ .authority(AUTHORITY)
+ .setTokenCacheAccessAspect(tokenCacheAspect)
+ .build();
+
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ // Take first account in the cache. In a production application, you would filter
+ // accountsInCache to get the right account for the user authenticating.
+ IAccount account = accountsInCache.iterator().next();
+
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(SCOPE, account)
+ .build();
+
+ // try to acquire token silently. This call will fail since the token cache
+ // does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+
+ InteractiveRequestParameters parameters = InteractiveRequestParameters
+ .builder(new URI("http://localhost"))
+ .scopes(SCOPE)
+ .build();
+
+ // Try to acquire a token interactively with system browser. If successful, you should see
+ // the token and account information printed out to console
+ result = pca.acquireToken(parameters).join();
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
+ }
+ return result;
+}
+```
+
+# [macOS](#tab/macOS)
+
+### In MSAL for iOS and macOS
+
+Objective-C:
+
+```objc
+MSALInteractiveTokenParameters *interactiveParams = [[MSALInteractiveTokenParameters alloc] initWithScopes:scopes webviewParameters:[MSALWebviewParameters new]];
+[application acquireTokenWithParameters:interactiveParams completionBlock:^(MSALResult *result, NSError *error) {
+ if (!error)
+ {
+ // You'll want to get the account identifier to retrieve and reuse the account
+ // for later acquireToken calls
+ NSString *accountIdentifier = result.account.identifier;
+
+ NSString *accessToken = result.accessToken;
+ }
+}];
+```
+
+Swift:
+
+```swift
+let interactiveParameters = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: MSALWebviewParameters())
+application.acquireToken(with: interactiveParameters, completionBlock: { (result, error) in
+
+ guard let authResult = result, error == nil else {
+ print(error!.localizedDescription)
+ return
+ }
+
+ // Get access token from result
+ let accessToken = authResult.accessToken
+})
+```
+
+# [Node.js](#tab/nodejs)
+
+In MSAL Node, you acquire tokens via authorization code flow with Proof Key for Code Exchange (PKCE). The process has two steps: first, the application obtains a URL that can be used to generate an authorization code. This URL can be opened in a browser of choice, where the user can input their credentials, and will be redirected back to the `redirectUri` (registered during the app registration) with an authorization code. Second, the application passes the authorization code received to the `acquireTokenByCode()` method which exchanges it for an access token.
+
+```javascript
+const msal = require("@azure/msal-node");
+
+const msalConfig = {
+ auth: {
+ clientId: "your_client_id_here",
+ authority: "your_authority_here",
+ }
+};
+
+const pca = new msal.PublicClientApplication(msalConfig);
+
+const {verifier, challenge} = await msal.cryptoProvider.generatePkceCodes();
+
+const authCodeUrlParameters = {
+ scopes: ["User.Read"],
+ redirectUri: "your_redirect_uri",
+ codeChallenge: challenge, // PKCE Code Challenge
+ codeChallengeMethod: "S256" // PKCE Code Challenge Method
+};
+
+// get url to sign user in and consent to scopes needed for application
+pca.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
+ console.log(response);
+
+ const tokenRequest = {
+ code: response["authorization_code"],
+ codeVerifier: verifier // PKCE Code Verifier
+ redirectUri: "your_redirect_uri",
+ scopes: ["User.Read"],
+ };
+
+ // acquire a token by exchanging the code
+ pca.acquireTokenByCode(tokenRequest).then((response) => {
+ console.log("\nResponse: \n:", response);
+ }).catch((error) => {
+ console.log(error);
+ });
+}).catch((error) => console.log(JSON.stringify(error)));
+```
+
+# [Python](#tab/python)
+
+MSAL Python 1.7+ provides an interactive acquire token method.
+
+```python
+result = None
+
+# Firstly, check the cache to see if this end user has signed in before
+accounts = app.get_accounts(username=config["username"])
+if accounts:
+ result = app.acquire_token_silent(config["scope"], account=accounts[0])
+
+if not result:
+ result = app.acquire_token_interactive( # It automatically provides PKCE protection
+ scopes=config["scope"])
+```
++
+### Next steps
+
+Move on to the next article in this scenario,
+[Call a web API from the desktop app](scenario-desktop-call-api.md).
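Review bot: the MSAL Node sample does not parse and contradicts its own explanation: `codeVerifier: verifier // PKCE Code Verifier` is missing the trailing comma before `redirectUri:`, and `code: response["authorization_code"]` takes the authorization code from the value returned by `getAuthCodeUrl()`, whereas the paragraph above states that call returns a URL and the code only arrives on the redirect back to `redirectUri`; the token request should read the `code` query parameter from that redirect. The top-level `await` on `generatePkceCodes()` also won't run in a `require`-based (CommonJS) file unless wrapped in an `async` function. In the .NET tab, the `SystemWebViewOptions` sample ends its builder chain with `.Build()` instead of `await ... .ExecuteAsync()`, and calls `.WithEmbeddedWebView(false)` while the section just above documents the modifier as `WithUseEmbeddedWebView`; step 2 under "Use WithCustomWebUi" names the modifier `.WithCustomUI()` but the code calls `.WithCustomWebUi`. Typos: `IntPr` should be `IntPtr`, `WindowInteropHelper.Handle` is a property rather than a class, and the trailing `.` after `WithParentActivityOrWindow(object parent)` sits inside the code fence.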
active-directory Scenario Desktop Acquire Token Username Password https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token-username-password.md
+
+ Title: Acquire a token to call a web API using username password (desktop app) | Azure
+
+description: Learn how to build a desktop app that calls web APIs to acquire a token for the app using username password
++++++++ Last updated : 08/25/2021++
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
++
+# Desktop app that calls web APIs: Acquire a token using Username and Password
+
+You can also acquire a token by providing the username and password. This flow is limited and not recommended, but there are still use cases where it's necessary.
+
+## This flow isn't recommended
+
+The username and password flow is *not recommended* because having your application ask a user for their password isn't secure. For more information, see [What's the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/) The preferred flow for acquiring a token silently on Windows domain joined machines is [Integrated Windows Authentication](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication). You can also use [device code flow](https://aka.ms/msal-net-device-code-flow).
+
+Using a username and password is useful in some cases, such as DevOps scenarios. But if you want to use a username and password in interactive scenarios where you provide your own UI, think about how to move away from it. By using a username and password, you're giving up a number of things:
+
+- Core tenets of modern identity. A password can get phished and replayed because a shared secret can be intercepted. It's incompatible with passwordless.
+- Users who need to do MFA can't sign in because there's no interaction.
+- Users can't do single sign-on (SSO).
+
+## Constraints
+
+The following constraints also apply:
+
+- The username and password flow isn't compatible with conditional access and multi-factor authentication. As a consequence, if your app runs in an Azure AD tenant where the tenant admin requires multi-factor authentication, you can't use this flow. Many organizations do that.
+- It works only for work and school accounts (not MSA).
+- The flow is available on .NET desktop and .NET Core, but not on UWP.
+
+## B2C specifics
+
+For more information, see [Resource Owner Password Credentials (ROPC) with B2C](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#resource-owner-password-credentials-ropc-with-b2c).
+
+## Use it
+
+# [.NET](#tab/dotnet)
+
+`IPublicClientApplication`contains the method `AcquireTokenByUsernamePassword`.
+
+The following sample presents a simplified case.
+
+```csharp
+static async Task GetATokenForGraph()
+{
+ string authority = "https://login.microsoftonline.com/contoso.com";
+ string[] scopes = new string[] { "user.read" };
+ IPublicClientApplication app;
+ app = PublicClientApplicationBuilder.Create(clientId)
+ .WithAuthority(authority)
+ .Build();
+ var accounts = await app.GetAccountsAsync();
+
+ AuthenticationResult result = null;
+ if (accounts.Any())
+ {
+ result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
+ .ExecuteAsync();
+ }
+ else
+ {
+ try
+ {
+ var securePassword = new SecureString();
+ foreach (char c in "dummy") // you should fetch the password
+ securePassword.AppendChar(c); // keystroke by keystroke
+
+ result = await app.AcquireTokenByUsernamePassword(scopes,
+ "joe@contoso.com",
+ securePassword)
+ .ExecuteAsync();
+ }
+ catch(MsalException)
+ {
+ // See details below
+ }
+ }
+ Console.WriteLine(result.Account.Username);
+}
+```
+
+The following sample presents the most current case, with explanations of the kind of exceptions you can get and their mitigations.
+
+```csharp
+static async Task GetATokenForGraph()
+{
+ string authority = "https://login.microsoftonline.com/contoso.com";
+ string[] scopes = new string[] { "user.read" };
+ IPublicClientApplication app;
+ app = PublicClientApplicationBuilder.Create(clientId)
+ .WithAuthority(authority)
+ .Build();
+ var accounts = await app.GetAccountsAsync();
+
+ AuthenticationResult result = null;
+ if (accounts.Any())
+ {
+ result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
+ .ExecuteAsync();
+ }
+ else
+ {
+ try
+ {
+ var securePassword = new SecureString();
+ foreach (char c in "dummy") // you should fetch the password keystroke
+ securePassword.AppendChar(c); // by keystroke
+
+ result = await app.AcquireTokenByUsernamePassword(scopes,
+ "joe@contoso.com",
+ securePassword)
+ .ExecuteAsync();
+ }
+ catch (MsalUiRequiredException ex) when (ex.Message.Contains("AADSTS65001"))
+ {
+ // Here are the kind of error messages you could have, and possible mitigations
+
+ //
+ // MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application
+ // with ID '{appId}' named '{appName}'. Send an interactive authorization request for this user and resource.
+
+ // Mitigation: you need to get user consent first. This can be done either statically (through the portal),
+ /// or dynamically (but this requires an interaction with Azure AD, which is not possible with
+ // the username/password flow)
+ // Statically: in the portal by doing the following in the "API permissions" tab of the application registration:
+ // 1. Click "Add a permission" and add all the delegated permissions corresponding to the scopes you want (for instance
+ // User.Read and User.ReadBasic.All)
+ // 2. Click "Grant/revoke admin consent for <tenant>") and click "yes".
+ // Dynamically, if you are not using .NET Core (which does not have any Web UI) by
+ // calling (once only) AcquireTokenInteractive.
+ // remember that Username/password is for public client applications that is desktop/mobile applications.
+ // If you are using .NET core or don't want to call AcquireTokenInteractive, you might want to:
+ // - use device code flow (See https://aka.ms/msal-net-device-code-flow)
+ // - or suggest the user to navigate to a URL to consent: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read
+ //
+
+ //
+ // ErrorCode: invalid_grant
+ // SubError: basic_action
+ // MsalUiRequiredException: AADSTS50079: The user is required to use multi-factor authentication.
+ // The tenant admin for your organization has chosen to oblige users to perform multi-factor authentication.
+ // Mitigation: none for this flow
+ // Your application cannot use the Username/Password grant.
+ // Like in the previous case, you might want to use an interactive flow (AcquireTokenInteractive()),
+ // or Device Code Flow instead.
+ // Note this is one of the reason why using username/password is not recommended;
+ //
+
+ //
+ // ex.ErrorCode: invalid_grant
+ // subError: null
+ // Message = "AADSTS70002: Error validating credentials.
+ // AADSTS50126: Invalid username or password
+ // In the case of a managed user (user from an Azure AD tenant opposed to a
+ // federated user, which would be owned
+ // in another IdP through ADFS), the user has entered the wrong password
+ // Mitigation: ask the user to re-enter the password
+ //
+
+ //
+ // ex.ErrorCode: invalid_grant
+ // subError: null
+ // MsalServiceException: ADSTS50034: To sign into this application the account must be added to
+ // the {domainName} directory.
+ // or The user account does not exist in the {domainName} directory. To sign into this application,
+ // the account must be added to the directory.
+ // The user was not found in the directory
+ // Explanation: wrong username
+ // Mitigation: ask the user to re-enter the username.
+ //
+ }
+ catch (MsalServiceException ex) when (ex.ErrorCode == "invalid_request")
+ {
+ //
+ // AADSTS90010: The grant type is not supported over the /common or /consumers endpoints.
+ // Please use the /organizations or tenant-specific endpoint.
+ // you used common.
+ // Mitigation: as explained in the message from Azure AD, the authority you use in the application needs
+ // to be tenanted or otherwise "organizations". change the
+ // "Tenant": property in the appsettings.json to be a GUID (tenant Id), or domain name (contoso.com)
+ // if such a domain is registered with your tenant
+ // or "organizations", if you want this application to sign-in users in any Work and School accounts.
+ //
+
+ }
+ catch (MsalServiceException ex) when (ex.ErrorCode == "unauthorized_client")
+ {
+ //
+ // AADSTS700016: Application with identifier '{clientId}' was not found in the directory '{domain}'.
+ // This can happen if the application has not been installed by the administrator of the tenant or consented
+ // to by any user in the tenant.
+ // You may have sent your authentication request to the wrong tenant
+ // Cause: The clientId in the appsettings.json might be wrong
+ // Mitigation: check the clientId and the app registration
+ //
+ }
+ catch (MsalServiceException ex) when (ex.ErrorCode == "invalid_client")
+ {
+ //
+ // AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.
+ // Explanation: this can happen if your application was not registered as a public client application in Azure AD
+ // Mitigation: in the Azure portal, edit the manifest for your application and set the `allowPublicClient` to `true`
+ //
+ }
+ catch (MsalServiceException)
+ {
+ throw;
+ }
+
+ catch (MsalClientException ex) when (ex.ErrorCode == "unknown_user_type")
+ {
+ // Message = "Unsupported User Type 'Unknown'. Please see https://aka.ms/msal-net-up"
+ // The user is not recognized as a managed user, or a federated user. Azure AD was not
+ // able to identify the IdP that needs to process the user
+ throw new ArgumentException("U/P: Wrong username", ex);
+ }
+ catch (MsalClientException ex) when (ex.ErrorCode == "user_realm_discovery_failed")
+ {
+ // The user is not recognized as a managed user, or a federated user. Azure AD was not
+ // able to identify the IdP that needs to process the user. That's for instance the case
+ // if you use a phone number
+ throw new ArgumentException("U/P: Wrong username", ex);
+ }
+ catch (MsalClientException ex) when (ex.ErrorCode == "unknown_user")
+ {
+ // the username was probably empty
+ // ex.Message = "Could not identify the user logged into the OS. See https://aka.ms/msal-net-iwa for details."
+ throw new ArgumentException("U/P: Wrong username", ex);
+ }
+ catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
+ {
+ //
+ // In the case of a Federated user (that is owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant)
+ // ID3242: The security token could not be authenticated or authorized.
+ // The user does not exist or has entered the wrong password
+ //
+ }
+ }
+
+ Console.WriteLine(result.Account.Username);
+}
+```
+
+For more information on all the modifiers that can be applied to `AcquireTokenByUsernamePassword`, see [AcquireTokenByUsernamePasswordParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokenbyusernamepasswordparameterbuilder#methods).
+
+# [Java](#tab/java)
+
+The following extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+
+```java
+private static IAuthenticationResult acquireTokenUsernamePassword() throws Exception {
+
+ // Load token cache from file and initialize token cache aspect. The token cache will have
+ // dummy data, so the acquireTokenSilently call will fail.
+ TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
+
+ PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
+ .authority(AUTHORITY)
+ .setTokenCacheAccessAspect(tokenCacheAspect)
+ .build();
+
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ // Take first account in the cache. In a production application, you would filter
+ // accountsInCache to get the right account for the user authenticating.
+ IAccount account = accountsInCache.iterator().next();
+
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(SCOPE, account)
+ .build();
+ // try to acquire token silently. This call will fail since the token cache
+ // does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+
+ UserNamePasswordParameters parameters =
+ UserNamePasswordParameters
+ .builder(SCOPE, USER_NAME, USER_PASSWORD.toCharArray())
+ .build();
+ // Try to acquire a token via username/password. If successful, you should see
+ // the token and account information printed out to console
+ result = pca.acquireToken(parameters).join();
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
+ }
+ return result;
+}
+```
+
+# [macOS](#tab/macOS)
+
+This flow isn't supported on MSAL for macOS.
+
+# [Node.js](#tab/nodejs)
+
+This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/username-password). In the code snippet below, the username and password are hardcoded for illustration purposes only. This should be avoided in production. Instead, a basic UI prompting the user to enter her username/password would be recommended.
+
+```javascript
+const msal = require("@azure/msal-node");
+
+const msalConfig = {
+ auth: {
+ clientId: "your_client_id_here",
+ authority: "your_authority_here",
+ }
+};
+
+const pca = new msal.PublicClientApplication(msalConfig);
+
+// For testing, enter your username and password below.
+// In production, replace this with a UI prompt instead.
+const usernamePasswordRequest = {
+ scopes: ["user.read"],
+ username: "", // Add your username here
+ password: "", // Add your password here
+};
+
+pca.acquireTokenByUsernamePassword(usernamePasswordRequest).then((response) => {
+ console.log("acquired token by password grant");
+}).catch((error) => {
+ console.log(error);
+});
+```
+
+# [Python](#tab/python)
+
+This extract is from the [MSAL Python dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/).
+
+```python
+# Create a preferably long-lived app instance which maintains a token cache.
+app = msal.PublicClientApplication(
+ config["client_id"], authority=config["authority"],
+ # token_cache=... # Default cache is in memory only.
+ # You can learn how to use SerializableTokenCache from
+ # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
+ )
+
+# The pattern to acquire a token looks like this.
+result = None
+
+# Firstly, check the cache to see if this end user has signed in before
+accounts = app.get_accounts(username=config["username"])
+if accounts:
+ logging.info("Account(s) exists in cache, probably with token too. Let's try.")
+ result = app.acquire_token_silent(config["scope"], account=accounts[0])
+
+if not result:
+ logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
+ # See this page for constraints of Username Password Flow.
+ # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
+ result = app.acquire_token_by_username_password(
+ config["username"], config["password"], scopes=config["scope"])
+```
+++
+## Next steps
+
+Move on to the next article in this scenario,
+[Call a web API from the desktop app](scenario-desktop-call-api.md).
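Review bot: the `catch (MsalServiceException ex) when (ex.ErrorCode == "invalid_grant")` handler and the `invalid_request`, `unauthorized_client`, `invalid_client` and `parsing_wstrust_response_failed` handlers in the C# sample contain only comments, so each of them swallows the exception and control falls through to `Console.WriteLine(result.Account.Username);` with a `result` that the failed `AcquireTokenByUsernamePassword` call never assigned, which ends in a null dereference rather than a clear authentication error; either rethrow (as the bare `catch (MsalServiceException)` block already does) or return after each mitigation comment, the way the `MsalClientException` handlers wrap and rethrow as `ArgumentException`. In the same block, `// MsalServiceException: ADSTS50034:` is missing the leading `A` of `AADSTS50034`, and `// Note this is one of the reason why using username/password is not recommended;` should read "one of the reasons" and finish the sentence. In the Java sample, `accountsInCache.iterator().next()` throws `NoSuchElementException` when the cache is empty, so the silent-then-fallback pattern never reaches the username/password branch on a fresh cache; guard with `accountsInCache.isEmpty()` before taking the first account. In the Node.js tab, "prompting the user to enter her username/password" reads better as "their username and password".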
active-directory Scenario Desktop Acquire Token Wam https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token-wam.md
+
+ Title: Acquire a token to call a web API using web account manager (desktop app) | Azure
+
+description: Learn how to build a desktop app that calls web APIs to acquire a token for the app using web account manager
++++++++ Last updated : 08/25/2021++
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
++
+# Desktop app that calls web APIs: Acquire a token using WAM
+
+MSAL is able to call Web Account Manager, a Windows 10 component that ships with the OS. This component acts as an authentication broker and users of your app benefit from integration with accounts known from Windows, such as the account you signed-in with in your Windows session.
+
+## Availability
+
+MSAL 4.25+ supports WAM on UWP, .NET Classic, .NET Core 3.x, and .NET 5.
+
+For .NET Classic and .NET Core 3.x, WAM functionality is fully supported but you have to add a reference to [Microsoft.Identity.Client.Desktop](https://www.nuget.org/packages/Microsoft.Identity.Client.Desktop/) package, alongside MSAL, and instead of `WithBroker()`, call `.WithWindowsBroker()`.
+
+For .NET 5, target `net5.0-windows10.0.17763.0` (or higher) and not just `net5.0`. Your app will still run on older versions of Windows if you add `<SupportedOSPlatformVersion>7</SupportedOSPlatformVersion>` in the csproj. MSAL will use a browser when WAM is not available.
+
+## WAM value proposition
+
+Using an authentication broker such as WAM has numerous benefits.
+
+- Enhanced security (your app does not have to manage the powerful refresh token)
+- Better support for Windows Hello, Conditional Access and FIDO keys
+- Integration with Windows' "Email and Accounts" view
+- Better Single Sing-On (users don't have to reenter passwords)
+- Most bug fixes and enhancements will be shipped with Windows
+
+## WAM limitations
+
+- B2C authorities are not supported.
+- Available on Win10, Win Server 2016, Win Server 2019. On Mac, Linux and earlier Windows, MSAL will fallback to a browser.
+
+## WAM calling pattern
+
+You can use the following pattern to use WAM.
+
+```csharp
+// 1. Configuration - read below about redirect URI
+var pca = PublicClientApplicationBuilder.Create("client_id")
+ .WithBroker()
+ .Build();
+
+// Add a token cache, see https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop
+
+// 2. GetAccounts
+var accounts = await pca.GetAccountsAsync();
+var accountToLogin = // choose an account, or null, or use PublicClientApplication.OperatingSystemAccount for the default OS account
+
+try
+{
+ // 3. AcquireTokenSilent
+ var authResult = await pca.AcquireTokenSilent(new[] { "User.Read" }, accountToLogin)
+ .ExecuteAsync();
+}
+catch (MsalUiRequiredException) // no change in the pattern
+{
+ // 4. Specific: Switch to the UI thread for next call . Not required for console apps.
+ await SwitchToUiThreadAsync(); // not actual code, this is different on each platform / tech
+
+ // 5. AcquireTokenInteractive
+ var authResult = await pca.AcquireTokenInteractive(new[] { "User.Read" })
+ .WithAccount(accountToLogin) // this already exists in MSAL, but it is more important for WAM
+ .WithParentActivityOrWindow(myWindowHandle) // to be able to parent WAM's windows to your app (optional, but highly recommended; not needed on UWP)
+ .ExecuteAsync();
+}
+```
+
+Call `.WithBroker(true)`. If a broker is not present (e.g. Win8.1, Mac, or Linux), then MSAL will fallback to a browser! Redirect URI rules apply to the browser.
+
+## Redirect URI
+
+WAM redirect URIs do not need to be configured in MSAL, but they must be configured in the app registration.
+
+### Win32 (.NET framework / .NET 5)
+
+```
+ms-appx-web://microsoft.aad.brokerplugin/{client_id}
+```
+
+### UWP
+```csharp
+ // returns smth like S-1-15-2-2601115387-131721061-1180486061-1362788748-631273777-3164314714-2766189824
+ string sid = WebAuthenticationBroker.GetCurrentApplicationCallbackUri().Host.ToUpper();
+
+ // the redirect uri you need to register
+ string redirectUri = $"ms-appx-web://microsoft.aad.brokerplugin/{sid}";
+```
+
+## Token cache persistence
+
+It's important to persist MSAL's token cache because MSAL needs to save internal WAM account IDs there. Without it, restarting the app means that `GetAccounts` API will miss some of the accounts. Note that on UWP, MSAL knows where to save the token cache.
+
+## GetAccounts
+
+`GetAccounts` returns accounts of users who have previously logged in interactively into the app.
+
+In addition to this, WAM can list the OS-wide Work and School accounts configured in Windows (for Win32 apps but not for UWP apps). To opt-into this feature, set `ListWindowsWorkAndSchoolAccounts` in `WindowsBrokerOptions` to **true**. You can enable it as below.
+
+```csharp
+.WithWindowsBrokerOptions(new WindowsBrokerOptions()
+{
+ // GetAccounts will return Work and School accounts from Windows
+ ListWindowsWorkAndSchoolAccounts = true,
+
+ // Legacy support for 1st party apps only
+ MsaPassthrough = true
+})
+```
+
+>[!NOTE]
+> Microsoft (i.e. outlook.com etc.) accounts will not be listed in Win32 nor UWP for privacy reasons.
+
+Applications cannot remove accounts from Windows!
+
+## RemoveAsync
+
+- Removes all account information from MSAL's token cache (this includes MSA - i.e. personal accounts - account info and other account information copied by MSAL into its cache).
+- Removes app-only (not OS-wide) accounts.
+
+>[!NOTE]
+> Apps cannot remove OS accounts. Only users can do that. If an OS account is passed into `RemoveAsync`, and then `GetAccounts` is called with `ListWindowsWorkAndSchoolAccounts` enabled - the same OS account will still be returned.
+
+## Other considerations
+
+- WAM's interactive operations require being on the UI thread. MSAL throws a meaningful exception when not on UI thread. This does NOT apply to console apps.
+- `WithAccount` provides an accelerated authentication experience if the MSAL account was originally obtained via WAM, or, WAM can find a work and school account in Windows.
+- WAM is not able to pre-populate the username field with a login hint, unless an Work and School account with the same username is found in Windows.
+- If WAM is unable to offer an accelerated authentication experience, it will show an account picker. Users can add new accounts.
+
+!["WAM account picker"](media/scenario-desktop-acquire-token-wam/wam-account-picker.png)
+
+- New accounts are automatically remembered by Windows. Work and School have the option of joining the organization's directory or opting out completely, in which case the account will not appear under "Email & Accounts". Microsoft accounts are automatically added to Windows. Apps cannot list these accounts programmatically (but only through the Account Picker).
+
+## Troubleshooting
+
+When an app that uses MSAL is run as an elevated process, some of these calls within WAM may fail due to different process security levels. Internally MSAL.NET uses native Windows methods ([COM](/windows/win32/com/the-component-object-model)) to integrate with WAM. Starting with version 4.32.0, MSAL will display a descriptive error message when it detects that the app process is elevated and WAM returned no accounts.
+
+One solution is to not run the app as elevated, if possible. Another potential workaround is to call `WindowsNativeUtils.InitializeProcessSecurity` method when the app starts up. This will set the security of the processes used by WAM to the same levels. See [this sample app](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/tests/devapps/WAM/NetCoreWinFormsWam/Program.cs#L18-L21) for an example. However, note, that this workaround is not guaranteed to succeed to due external factors like the underlying CLR behavior. In that case, an `MsalClientException` will be thrown. See issue [#2560](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2560) for additional information.
+
+## Sample
+
+[WPF sample that uses WAM](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2)
+
+[UWP sample that uses WAM, along Xamarin](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/master/2-With-broker)
++
+## Next steps
+
+Move on to the next article in this scenario,
+[Call a web API from the desktop app](scenario-desktop-call-api.md).
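Review bot: the `WithWindowsBrokerOptions` snippet under GetAccounts sets `MsaPassthrough = true` while its own comment says `// Legacy support for 1st party apps only`; in an article addressed to general app developers that line will be copied as-is, so drop it from the sample (or show it commented out) and keep only `ListWindowsWorkAndSchoolAccounts = true`, which is the option the preceding paragraph actually describes. In the calling pattern, `var accountToLogin = // choose an account, or null, ...` is not a complete statement, so the block does not compile as shown; write it out, for example `IAccount accountToLogin = accounts.FirstOrDefault();`, and move the alternatives into the comment. The pattern calls `.WithBroker()`, the paragraph under it says `Call .WithBroker(true)`, and the Availability section says .NET Classic and .NET Core 3.x must call `.WithWindowsBroker()` from Microsoft.Identity.Client.Desktop instead; align the three so the reader knows which one applies to their target framework. Wording fixes: "Better Single Sing-On" should be "Better single sign-on"; "MSAL will fallback to a browser" (twice) should use the verb form "fall back"; "unless an Work and School account" should be "unless a Work and School account"; "not guaranteed to succeed to due external factors" should be "not guaranteed to succeed due to external factors"; "returns smth like" should be "returns something like"; and "Microsoft (i.e. outlook.com etc.) accounts" reads better as "Microsoft accounts (MSA, for example outlook.com)".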
active-directory Scenario Desktop Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token.md
Title: Acquire a token to call a web API (desktop app) | Azure
description: Learn how to build a desktop app that calls web APIs to acquire a token for the app -+ Previously updated : 01/06/2021- Last updated : 08/25/2021+ #Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
if not result:
-Here are the various ways to acquire tokens in a desktop application.
+There are various ways you can acquire tokens in a desktop application.
-## Acquire a token interactively
-
-The following example shows minimal code to get a token interactively for reading the user's profile with Microsoft Graph.
-
-# [.NET](#tab/dotnet)
-
-### In MSAL.NET
-
-```csharp
-string[] scopes = new string[] {"user.read"};
-var app = PublicClientApplicationBuilder.Create(clientId).Build();
-var accounts = await app.GetAccountsAsync();
-AuthenticationResult result;
-try
-{
- result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
- .ExecuteAsync();
-}
-catch(MsalUiRequiredException)
-{
- result = await app.AcquireTokenInteractive(scopes)
- .ExecuteAsync();
-}
-```
-
-### Mandatory parameters
-
-`AcquireTokenInteractive` has only one mandatory parameter, ``scopes``, which contains an enumeration of strings that define the scopes for which a token is required. If the token is for Microsoft Graph, the required scopes can be found in the API reference of each Microsoft Graph API in the section named "Permissions." For instance, to [list the user's contacts](/graph/api/user-list-contacts), the scope "User.Read", "Contacts.Read" must be used. For more information, see [Microsoft Graph permissions reference](/graph/permissions-reference).
-
-On Android, you also need to specify the parent activity by using `.WithParentActivityOrWindow`, as shown, so that the token gets back to that parent activity after the interaction. If you don't specify it, an exception is thrown when calling `.ExecuteAsync()`.
-
-### Specific optional parameters in MSAL.NET
-
-#### WithParentActivityOrWindow
-
-The UI is important because it's interactive. `AcquireTokenInteractive` has one specific optional parameter that can specify, for platforms that support it, the parent UI. When used in a desktop application, `.WithParentActivityOrWindow` has a different type, which depends on the platform. Alternatively you can omit the optional parent window parameter to create a window, if you do not want to control where the sign-in dialog appears on the screen. This would be applicable for applications which are command line based, used to pass calls to any other backend service and do not need any windows for user interaction.
-
-```csharp
-// net45
-WithParentActivityOrWindow(IntPtr windowPtr)
-WithParentActivityOrWindow(IWin32Window window)
-
-// Mac
-WithParentActivityOrWindow(NSWindow window)
-
-// .NET Standard (this will be on all platforms at runtime, but only on NetStandard at build time)
-WithParentActivityOrWindow(object parent).
-```
-
-Remarks:
--- On .NET Standard, the expected `object` is `Activity` on Android, `UIViewController` on iOS, `NSWindow` on Mac, and `IWin32Window` or `IntPr` on Windows.-- On Windows, you must call `AcquireTokenInteractive` from the UI thread so that the embedded browser gets the appropriate UI synchronization context. Not calling from the UI thread might cause messages to not pump properly and deadlock scenarios with the UI. One way of calling Microsoft Authentication Libraries (MSALs) from the UI thread if you aren't on the UI thread already is to use the `Dispatcher` on WPF.-- If you're using WPF, to get a window from a WPF control, you can use the `WindowInteropHelper.Handle` class. Then the call is from a WPF control (`this`):-
- ```csharp
- result = await app.AcquireTokenInteractive(scopes)
- .WithParentActivityOrWindow(new WindowInteropHelper(this).Handle)
- .ExecuteAsync();
- ```
-
-#### WithPrompt
-
-`WithPrompt()` is used to control the interactivity with the user by specifying a prompt.
-
-![Image showing the fields in the Prompt structure. These constant values control interactivity with the user by defining the type of prompt displayed by the WithPrompt() method.](https://user-images.githubusercontent.com/34331512/112267137-3f1c3a00-8c32-11eb-97fb-33604311329a.png)
-
-The class defines the following constants:
--- ``SelectAccount`` forces the STS to present the account selection dialog box that contains accounts for which the user has a session. This option is useful when application developers want to let users choose among different identities. This option drives MSAL to send ``prompt=select_account`` to the identity provider. This option is the default. It does a good job of providing the best possible experience based on the available information, such as account and presence of a session for the user. Don't change it unless you have good reason to do it.-- ``Consent`` enables the application developer to force the user to be prompted for consent, even if consent was granted before. In this case, MSAL sends `prompt=consent` to the identity provider. This option can be used in some security-focused applications where the organization governance demands that the user is presented with the consent dialog box each time the application is used.-- ``ForceLogin`` enables the application developer to have the user prompted for credentials by the service, even if this user prompt might not be needed. This option can be useful to let the user sign in again if acquiring a token fails. In this case, MSAL sends `prompt=login` to the identity provider. Sometimes it's used in security-focused applications where the organization governance demands that the user re-signs in each time they access specific parts of an application.-- ``Create`` triggers a sign-up experience, which is used for External Identities, by sending `prompt=create` to the identity provider. This prompt should not be sent for Azure AD B2C apps. For more information, see [Add a self-service sign-up user flow to an app](../external-identities/self-service-sign-up-user-flow.md).-- ``Never`` (for .NET 4.5 and WinRT only) won't prompt the user, but instead tries to use the cookie stored in the hidden embedded web view. For more information, see web views in MSAL.NET. Using this option might fail. 
In that case, `AcquireTokenInteractive` throws an exception to notify that a UI interaction is needed. You'll need to use another `Prompt` parameter.-- ``NoPrompt`` won't send any prompt to the identity provider which therefore will decide to present the best sign-in experience to the user (single-sign-on, or select account). This option is also mandatory for Azure Active Directory (Azure AD) B2C edit profile policies. For more information, see [Azure AD B2C specifics](https://aka.ms/msal-net-b2c-specificities).-
-#### WithUseEmbeddedWebView
-
-This method enables you to specify if you want to force the usage of an embedded WebView or the system WebView (when available). For more information, see [Usage of web browsers](msal-net-web-browsers.md).
-
-```csharp
-var result = await app.AcquireTokenInteractive(scopes)
- .WithUseEmbeddedWebView(true)
- .ExecuteAsync();
-```
-
-#### WithExtraScopeToConsent
-
-This modifier is used in an advanced scenario where you want the user to pre-consent to several resources upfront, and you don't want to use incremental consent, which is normally used with MSAL.NET/the Microsoft identity platform. For more information, see [Have the user consent upfront for several resources](scenario-desktop-production.md#have-the-user-consent-upfront-for-several-resources).
-
-```csharp
-var result = await app.AcquireTokenInteractive(scopesForCustomerApi)
- .WithExtraScopeToConsent(scopesForVendorApi)
- .ExecuteAsync();
-```
-
-#### WithCustomWebUi
-
-A web UI is a mechanism to invoke a browser. This mechanism can be a dedicated UI WebBrowser control or a way to delegate opening the browser.
-MSAL provides web UI implementations for most platforms, but there are cases where you might want to host the browser yourself:
--- Platforms that aren't explicitly covered by MSAL, for example, Blazor, Unity, and Mono on desktops.-- You want to UI test your application and use an automated browser that can be used with Selenium.-- The browser and the app that run MSAL are in separate processes.-
-##### At a glance
-
-To achieve this, you give to MSAL `start Url`, which needs to be displayed in a browser of choice so that the end user can enter items such as their username.
-After authentication finishes, your app needs to pass back to MSAL `end Url`, which contains a code provided by Azure AD.
-The host of `end Url` is always `redirectUri`. To intercept `end Url`, do one of the following things:
--- Monitor browser redirects until `redirect Url` is hit.-- Have the browser redirect to a URL, which you monitor.-
-##### WithCustomWebUi is an extensibility point
-
-`WithCustomWebUi` is an extensibility point that you can use to provide your own UI in public client applications. You can also let the user go through the /Authorize endpoint of the identity provider and let them sign in and consent. MSAL.NET can then redeem the authentication code and get a token. For example, it's used in Visual Studio to have electrons applications (for instance, Visual Studio Feedback) provide the web interaction, but leave it to MSAL.NET to do most of the work. You can also use it if you want to provide UI automation. In public client applications, MSAL.NET uses the Proof Key for Code Exchange (PKCE) standard to ensure that security is respected. Only MSAL.NET can redeem the code. For more information, see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636).
-
- ```csharp
- using Microsoft.Identity.Client.Extensions;
- ```
-
-##### Use WithCustomWebUi
-
-To use `.WithCustomWebUI`, follow these steps.
-
- 1. Implement the `ICustomWebUi` interface. For more information, see [this website](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/053a98d16596be7e9ca1ab916924e5736e341fe8/src/Microsoft.Identity.Client/Extensibility/ICustomWebUI.cs#L32-L70). Implement one `AcquireAuthorizationCodeAsync`method and accept the authorization code URL computed by MSAL.NET. Then let the user go through the interaction with the identity provider and return back the URL by which the identity provider would have called your implementation back along with the authorization code. If you have issues, your implementation should throw a `MsalExtensionException` exception to nicely cooperate with MSAL.
- 2. In your `AcquireTokenInteractive` call, use the `.WithCustomUI()` modifier passing the instance of your custom web UI.
-
- ```csharp
- result = await app.AcquireTokenInteractive(scopes)
- .WithCustomWebUi(yourCustomWebUI)
- .ExecuteAsync();
- ```
-
-##### Examples of implementation of ICustomWebUi in test automation: SeleniumWebUI
-
-The MSAL.NET team has rewritten the UI tests to use this extensibility mechanism. If you're interested, look at the [SeleniumWebUI](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/053a98d16596be7e9ca1ab916924e5736e341fe8/tests/Microsoft.Identity.Test.Integration/Infrastructure/SeleniumWebUI.cs#L15-L160) class in the MSAL.NET source code.
-
-##### Provide a great experience with SystemWebViewOptions
-
-From MSAL.NET 4.1 [`SystemWebViewOptions`](/dotnet/api/microsoft.identity.client.systemwebviewoptions), you can specify:
--- The URI to go to (`BrowserRedirectError`) or the HTML fragment to display (`HtmlMessageError`) in case of sign-in or consent errors in the system web browser.-- The URI to go to (`BrowserRedirectSuccess`) or the HTML fragment to display (`HtmlMessageSuccess`) in case of successful sign-in or consent.-- The action to run to start the system browser. You can provide your own implementation by setting the `OpenBrowserAsync` delegate. The class also provides a default implementation for two browsers: `OpenWithEdgeBrowserAsync` and `OpenWithChromeEdgeBrowserAsync` for Microsoft Edge and [Microsoft Edge on Chromium](https://www.windowscentral.com/faq-edge-chromium), respectively.-
-To use this structure, write something like the following example:
-
-```csharp
-IPublicClientApplication app;
-...
-
-options = new SystemWebViewOptions
-{
- HtmlMessageError = "<b>Sign-in failed. You can close this tab ...</b>",
- BrowserRedirectSuccess = "https://contoso.com/help-for-my-awesome-commandline-tool.html"
-};
-
-var result = app.AcquireTokenInteractive(scopes)
- .WithEmbeddedWebView(false) // The default in .NET Core
- .WithSystemWebViewOptions(options)
- .Build();
-```
-
-#### Other optional parameters
-
-To learn more about all the other optional parameters for `AcquireTokenInteractive`, see [AcquireTokenInteractiveParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokeninteractiveparameterbuilder#methods).
-
-# [Java](#tab/java)
-
-```java
-private static IAuthenticationResult acquireTokenInteractive() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
-
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- InteractiveRequestParameters parameters = InteractiveRequestParameters
- .builder(new URI("http://localhost"))
- .scopes(SCOPE)
- .build();
-
- // Try to acquire a token interactively with system browser. If successful, you should see
- // the token and account information printed out to console
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
- }
- }
- return result;
-}
-```
-
-# [macOS](#tab/macOS)
-
-### In MSAL for iOS and macOS
-
-Objective-C:
-
-```objc
-MSALInteractiveTokenParameters *interactiveParams = [[MSALInteractiveTokenParameters alloc] initWithScopes:scopes webviewParameters:[MSALWebviewParameters new]];
-[application acquireTokenWithParameters:interactiveParams completionBlock:^(MSALResult *result, NSError *error) {
- if (!error)
- {
- // You'll want to get the account identifier to retrieve and reuse the account
- // for later acquireToken calls
- NSString *accountIdentifier = result.account.identifier;
-
- NSString *accessToken = result.accessToken;
- }
-}];
-```
-
-Swift:
-
-```swift
-let interactiveParameters = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: MSALWebviewParameters())
-application.acquireToken(with: interactiveParameters, completionBlock: { (result, error) in
-
- guard let authResult = result, error == nil else {
- print(error!.localizedDescription)
- return
- }
-
- // Get access token from result
- let accessToken = authResult.accessToken
-})
-```
-
-# [Node.js](#tab/nodejs)
-
-In MSAL Node, you acquire tokens via authorization code flow with Proof Key for Code Exchange (PKCE). The process has two steps: first, the application obtains a URL that can be used to generate an authorization code. This URL can be opened in a browser of choice, where the user can input their credentials, and will be redirected back to the `redirectUri` (registered during the app registration) with an authorization code. Second, the application passes the authorization code received to the `acquireTokenByCode()` method which exchanges it for an access token.
-
-```javascript
-const msal = require("@azure/msal-node");
-
-const msalConfig = {
- auth: {
- clientId: "your_client_id_here",
- authority: "your_authority_here",
- }
-};
-
-const pca = new msal.PublicClientApplication(msalConfig);
-
-const {verifier, challenge} = await msal.cryptoProvider.generatePkceCodes();
-
-const authCodeUrlParameters = {
- scopes: ["User.Read"],
- redirectUri: "your_redirect_uri",
- codeChallenge: challenge, // PKCE Code Challenge
- codeChallengeMethod: "S256" // PKCE Code Challenge Method
-};
-
-// get url to sign user in and consent to scopes needed for application
-pca.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
- console.log(response);
-
- const tokenRequest = {
- code: response["authorization_code"],
- codeVerifier: verifier // PKCE Code Verifier
- redirectUri: "your_redirect_uri",
- scopes: ["User.Read"],
- };
-
- // acquire a token by exchanging the code
- pca.acquireTokenByCode(tokenRequest).then((response) => {
- console.log("\nResponse: \n:", response);
- }).catch((error) => {
- console.log(error);
- });
-}).catch((error) => console.log(JSON.stringify(error)));
-```
-
-# [Python](#tab/python)
-
-MSAL Python 1.7+ provides an interactive acquire token method.
-
-```python
-result = None
-
-# Firstly, check the cache to see if this end user has signed in before
-accounts = app.get_accounts(username=config["username"])
-if accounts:
- result = app.acquire_token_silent(config["scope"], account=accounts[0])
-
-if not result:
- result = app.acquire_token_interactive( # It automatically provides PKCE protection
- scopes=config["scope"])
-```
+- [Interactively](scenario-desktop-acquire-token-interactive.md)
+- [Integrated Windows Auth](scenario-desktop-acquire-token-integrated-windows-authentication.md)
+- [WAM](scenario-desktop-acquire-token-wam.md)
+- [Username Password](scenario-desktop-acquire-token-username-password.md)
+- [Device code flow](scenario-desktop-acquire-token-device-code-flow.md)
-
-## Integrated Windows Authentication
-
-To sign in a domain user on a domain or Azure AD joined machine, use Integrated Windows Authentication (IWA).
-
-### Constraints
--- Integrated Windows Authentication is usable for *federated+* users only, that is, users created in Active Directory and backed by Azure AD. Users created directly in Azure AD without Active Directory backing, known as *managed* users, can't use this authentication flow. This limitation doesn't affect the username and password flow.-- IWA doesn't bypass [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md). If MFA is configured, IWA might fail if an MFA challenge is required, because MFA requires user interaction.-
- IWA is non-interactive, but MFA requires user interactivity. You don't control when the identity provider requests MFA to be performed, the tenant admin does. From our observations, MFA is required when you sign in from a different country/region, when not connected via VPN to a corporate network, and sometimes even when connected via VPN. Don't expect a deterministic set of rules. Azure AD uses AI to continuously learn if MFA is required. Fall back to a user prompt like interactive authentication or device code flow if IWA fails.
--- The authority passed in `PublicClientApplicationBuilder` needs to be:
- - Tenanted of the form `https://login.microsoftonline.com/{tenant}/`, where `tenant` is either the GUID that represents the tenant ID or a domain associated with the tenant.
- - For any work and school accounts: `https://login.microsoftonline.com/organizations/`.
- - Microsoft personal accounts aren't supported. You can't use /common or /consumers tenants.
--- Because Integrated Windows Authentication is a silent flow:
- - The user of your application must have previously consented to use the application.
- - Or, the tenant admin must have previously consented to all users in the tenant to use the application.
- - In other words:
- - Either you as a developer selected the **Grant** button in the Azure portal for yourself.
- - Or, a tenant admin selected the **Grant/revoke admin consent for {tenant domain}** button on the **API permissions** tab of the registration for the application. For more information, see [Add permissions to access your web API](quickstart-configure-app-access-web-apis.md#add-permissions-to-access-your-web-api).
- - Or, you've provided a way for users to consent to the application. For more information, see [Requesting individual user consent](./v2-permissions-and-consent.md#requesting-individual-user-consent).
- - Or, you've provided a way for the tenant admin to consent to the application. For more information, see [Admin consent](./v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant).
--- This flow is enabled for .NET desktop, .NET Core, and UWP apps.-
-For more information on consent, see the [Microsoft identity platform permissions and consent](./v2-permissions-and-consent.md).
-
-### Learn how to use it
-
-# [.NET](#tab/dotnet)
-
-In MSAL.NET, use:
-
-```csharp
-AcquireTokenByIntegratedWindowsAuth(IEnumerable<string> scopes)
-```
-
-You normally need only one parameter (`scopes`). Depending on the way your Windows administrator set up the policies, applications on your Windows machine might not be allowed to look up the signed-in user. In that case, use a second method, `.WithUsername()`, and pass in the username of the signed-in user as a UPN format, for example, `joe@contoso.com`.
-
-The following sample presents the most current case, with explanations of the kind of exceptions you can get and their mitigations.
-
-```csharp
-static async Task GetATokenForGraph()
-{
- string authority = "https://login.microsoftonline.com/contoso.com";
- string[] scopes = new string[] { "user.read" };
- IPublicClientApplication app = PublicClientApplicationBuilder
- .Create(clientId)
- .WithAuthority(authority)
- .Build();
-
- var accounts = await app.GetAccountsAsync();
-
- AuthenticationResult result = null;
- if (accounts.Any())
- {
- result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
- .ExecuteAsync();
- }
- else
- {
- try
- {
- result = await app.AcquireTokenByIntegratedWindowsAuth(scopes)
- .ExecuteAsync(CancellationToken.None);
- }
- catch (MsalUiRequiredException ex)
- {
- // MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application
- // with ID '{appId}' named '{appName}'.Send an interactive authorization request for this user and resource.
-
- // you need to get user consent first. This can be done, if you are not using .NET Core (which does not have any Web UI)
- // by doing (once only) an AcquireToken interactive.
-
- // If you are using .NET core or don't want to do an AcquireTokenInteractive, you might want to suggest the user to navigate
- // to a URL to consent: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read
-
- // AADSTS50079: The user is required to use multi-factor authentication.
- // There is no mitigation - if MFA is configured for your tenant and AAD decides to enforce it,
- // you need to fallback to an interactive flows such as AcquireTokenInteractive or AcquireTokenByDeviceCode
- }
- catch (MsalServiceException ex)
- {
- // Kind of errors you could have (in ex.Message)
-
- // MsalServiceException: AADSTS90010: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
- // you used common.
- // Mitigation: as explained in the message from Azure AD, the authority needs to be tenanted or otherwise organizations
-
- // MsalServiceException: AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.
- // Explanation: this can happen if your application was not registered as a public client application in Azure AD
- // Mitigation: in the Azure portal, edit the manifest for your application and set the `allowPublicClient` to `true`
- }
- catch (MsalClientException ex)
- {
- // Error Code: unknown_user Message: Could not identify logged in user
- // Explanation: the library was unable to query the current Windows logged-in user or this user is not AD or AAD
- // joined (work-place joined users are not supported).
-
- // Mitigation 1: on UWP, check that the application has the following capabilities: Enterprise Authentication,
- // Private Networks (Client and Server), User Account Information
-
- // Mitigation 2: Implement your own logic to fetch the username (e.g. john@contoso.com) and use the
- // AcquireTokenByIntegratedWindowsAuth form that takes in the username
-
- // Error Code: integrated_windows_auth_not_supported_managed_user
- // Explanation: This method relies on an a protocol exposed by Active Directory (AD). If a user was created in Azure
- // Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by
- // AAD ("federated" users) can benefit from this non-interactive method of authentication.
- // Mitigation: Use interactive authentication
- }
- }
-
- Console.WriteLine(result.Account.Username);
-}
-```
-
-For the list of possible modifiers on AcquireTokenByIntegratedWindowsAuthentication, see [AcquireTokenByIntegratedWindowsAuthParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokenbyintegratedwindowsauthparameterbuilder#methods).
-
-# [Java](#tab/java)
-
-This extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
-
-```java
-private static IAuthenticationResult acquireTokenIwa() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
-
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- IntegratedWindowsAuthenticationParameters parameters =
- IntegratedWindowsAuthenticationParameters
- .builder(SCOPE, USER_NAME)
- .build();
-
- // Try to acquire a IWA. You will need to generate a Kerberos ticket.
- // If successful, you should see the token and account information printed out to
- // console
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
- }
- }
- return result;
-}
-```
-
-# [macOS](#tab/macOS)
-
-This flow doesn't apply to macOS.
-
-# [Node.js](#tab/nodejs)
-
-This flow isn't yet supported in MSAL Node.
-
-# [Python](#tab/python)
-
-This flow isn't yet supported in MSAL Python.
---
-## Username and password
-
-You can also acquire a token by providing the username and password. This flow is limited and not recommended, but there are still use cases where it's necessary.
-
-### This flow isn't recommended
-
-The username and password flow is *not recommended* because having your application ask a user for their password isn't secure. For more information, see [What's the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/) The preferred flow for acquiring a token silently on Windows domain joined machines is [Integrated Windows Authentication](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication). You can also use [device code flow](https://aka.ms/msal-net-device-code-flow).
-
-Using a username and password is useful in some cases, such as DevOps scenarios. But if you want to use a username and password in interactive scenarios where you provide your own UI, think about how to move away from it. By using a username and password, you're giving up a number of things:
--- Core tenets of modern identity. A password can get phished and replayed because a shared secret can be intercepted. It's incompatible with passwordless.-- Users who need to do MFA can't sign in because there's no interaction.-- Users can't do single sign-on (SSO).-
-### Constraints
-
-The following constraints also apply:
--- The username and password flow isn't compatible with conditional access and multi-factor authentication. As a consequence, if your app runs in an Azure AD tenant where the tenant admin requires multi-factor authentication, you can't use this flow. Many organizations do that.-- It works only for work and school accounts (not MSA).-- The flow is available on .NET desktop and .NET Core, but not on UWP.-
-### B2C specifics
-
-For more information, see [Resource Owner Password Credentials (ROPC) with B2C](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#resource-owner-password-credentials-ropc-with-b2c).
-
-### Use it
-
-# [.NET](#tab/dotnet)
-
-`IPublicClientApplication`contains the method `AcquireTokenByUsernamePassword`.
-
-The following sample presents a simplified case.
-
-```csharp
-static async Task GetATokenForGraph()
-{
- string authority = "https://login.microsoftonline.com/contoso.com";
- string[] scopes = new string[] { "user.read" };
- IPublicClientApplication app;
- app = PublicClientApplicationBuilder.Create(clientId)
- .WithAuthority(authority)
- .Build();
- var accounts = await app.GetAccountsAsync();
-
- AuthenticationResult result = null;
- if (accounts.Any())
- {
- result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
- .ExecuteAsync();
- }
- else
- {
- try
- {
- var securePassword = new SecureString();
- foreach (char c in "dummy") // you should fetch the password
- securePassword.AppendChar(c); // keystroke by keystroke
-
- result = await app.AcquireTokenByUsernamePassword(scopes,
- "joe@contoso.com",
- securePassword)
- .ExecuteAsync();
- }
- catch(MsalException)
- {
- // See details below
- }
- }
- Console.WriteLine(result.Account.Username);
-}
-```
-
-The following sample presents the most current case, with explanations of the kind of exceptions you can get and their mitigations.
-
-```csharp
-static async Task GetATokenForGraph()
-{
- string authority = "https://login.microsoftonline.com/contoso.com";
- string[] scopes = new string[] { "user.read" };
- IPublicClientApplication app;
- app = PublicClientApplicationBuilder.Create(clientId)
- .WithAuthority(authority)
- .Build();
- var accounts = await app.GetAccountsAsync();
-
- AuthenticationResult result = null;
- if (accounts.Any())
- {
- result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
- .ExecuteAsync();
- }
- else
- {
- try
- {
- var securePassword = new SecureString();
- foreach (char c in "dummy") // you should fetch the password keystroke
- securePassword.AppendChar(c); // by keystroke
-
- result = await app.AcquireTokenByUsernamePassword(scopes,
- "joe@contoso.com",
- securePassword)
- .ExecuteAsync();
- }
- catch (MsalUiRequiredException ex) when (ex.Message.Contains("AADSTS65001"))
- {
- // Here are the kind of error messages you could have, and possible mitigations
-
- //
- // MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application
- // with ID '{appId}' named '{appName}'. Send an interactive authorization request for this user and resource.
-
- // Mitigation: you need to get user consent first. This can be done either statically (through the portal),
- /// or dynamically (but this requires an interaction with Azure AD, which is not possible with
- // the username/password flow)
- // Statically: in the portal by doing the following in the "API permissions" tab of the application registration:
- // 1. Click "Add a permission" and add all the delegated permissions corresponding to the scopes you want (for instance
- // User.Read and User.ReadBasic.All)
- // 2. Click "Grant/revoke admin consent for <tenant>") and click "yes".
- // Dynamically, if you are not using .NET Core (which does not have any Web UI) by
- // calling (once only) AcquireTokenInteractive.
- // remember that Username/password is for public client applications that is desktop/mobile applications.
- // If you are using .NET core or don't want to call AcquireTokenInteractive, you might want to:
- // - use device code flow (See https://aka.ms/msal-net-device-code-flow)
- // - or suggest the user to navigate to a URL to consent: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read
- //
-
- //
- // ErrorCode: invalid_grant
- // SubError: basic_action
- // MsalUiRequiredException: AADSTS50079: The user is required to use multi-factor authentication.
- // The tenant admin for your organization has chosen to oblige users to perform multi-factor authentication.
- // Mitigation: none for this flow
- // Your application cannot use the Username/Password grant.
- // Like in the previous case, you might want to use an interactive flow (AcquireTokenInteractive()),
- // or Device Code Flow instead.
- // Note this is one of the reason why using username/password is not recommended;
- //
-
- //
- // ex.ErrorCode: invalid_grant
- // subError: null
- // Message = "AADSTS70002: Error validating credentials.
- // AADSTS50126: Invalid username or password
- // In the case of a managed user (user from an Azure AD tenant opposed to a
- // federated user, which would be owned
- // in another IdP through ADFS), the user has entered the wrong password
- // Mitigation: ask the user to re-enter the password
- //
-
- //
- // ex.ErrorCode: invalid_grant
- // subError: null
- // MsalServiceException: ADSTS50034: To sign into this application the account must be added to
- // the {domainName} directory.
- // or The user account does not exist in the {domainName} directory. To sign into this application,
- // the account must be added to the directory.
- // The user was not found in the directory
- // Explanation: wrong username
- // Mitigation: ask the user to re-enter the username.
- //
- }
- catch (MsalServiceException ex) when (ex.ErrorCode == "invalid_request")
- {
- //
- // AADSTS90010: The grant type is not supported over the /common or /consumers endpoints.
- // Please use the /organizations or tenant-specific endpoint.
- // you used common.
- // Mitigation: as explained in the message from Azure AD, the authority you use in the application needs
- // to be tenanted or otherwise "organizations". change the
- // "Tenant": property in the appsettings.json to be a GUID (tenant Id), or domain name (contoso.com)
- // if such a domain is registered with your tenant
- // or "organizations", if you want this application to sign-in users in any Work and School accounts.
- //
-
- }
- catch (MsalServiceException ex) when (ex.ErrorCode == "unauthorized_client")
- {
- //
- // AADSTS700016: Application with identifier '{clientId}' was not found in the directory '{domain}'.
- // This can happen if the application has not been installed by the administrator of the tenant or consented
- // to by any user in the tenant.
- // You may have sent your authentication request to the wrong tenant
- // Cause: The clientId in the appsettings.json might be wrong
- // Mitigation: check the clientId and the app registration
- //
- }
- catch (MsalServiceException ex) when (ex.ErrorCode == "invalid_client")
- {
- //
- // AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.
- // Explanation: this can happen if your application was not registered as a public client application in Azure AD
- // Mitigation: in the Azure portal, edit the manifest for your application and set the `allowPublicClient` to `true`
- //
- }
- catch (MsalServiceException)
- {
- throw;
- }
-
- catch (MsalClientException ex) when (ex.ErrorCode == "unknown_user_type")
- {
- // Message = "Unsupported User Type 'Unknown'. Please see https://aka.ms/msal-net-up"
- // The user is not recognized as a managed user, or a federated user. Azure AD was not
- // able to identify the IdP that needs to process the user
- throw new ArgumentException("U/P: Wrong username", ex);
- }
- catch (MsalClientException ex) when (ex.ErrorCode == "user_realm_discovery_failed")
- {
- // The user is not recognized as a managed user, or a federated user. Azure AD was not
- // able to identify the IdP that needs to process the user. That's for instance the case
- // if you use a phone number
- throw new ArgumentException("U/P: Wrong username", ex);
- }
- catch (MsalClientException ex) when (ex.ErrorCode == "unknown_user")
- {
- // the username was probably empty
- // ex.Message = "Could not identify the user logged into the OS. See https://aka.ms/msal-net-iwa for details."
- throw new ArgumentException("U/P: Wrong username", ex);
- }
- catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
- {
- //
- // In the case of a Federated user (that is owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant)
- // ID3242: The security token could not be authenticated or authorized.
- // The user does not exist or has entered the wrong password
- //
- }
- }
-
- Console.WriteLine(result.Account.Username);
-}
-```
-
-For more information on all the modifiers that can be applied to `AcquireTokenByUsernamePassword`, see [AcquireTokenByUsernamePasswordParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokenbyusernamepasswordparameterbuilder#methods).
-
-# [Java](#tab/java)
-
-The following extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
-
-```java
-private static IAuthenticationResult acquireTokenUsernamePassword() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- UserNamePasswordParameters parameters =
- UserNamePasswordParameters
- .builder(SCOPE, USER_NAME, USER_PASSWORD.toCharArray())
- .build();
- // Try to acquire a token via username/password. If successful, you should see
- // the token and account information printed out to console
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
- }
- }
- return result;
-}
-```
-
-# [macOS](#tab/macOS)
-
-This flow isn't supported on MSAL for macOS.
-
-# [Node.js](#tab/nodejs)
-
-This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/username-password). In the code snippet below, the username and password are hardcoded for illustration purposes only. This should be avoided in production. Instead, a basic UI prompting the user to enter her username/password would be recommended.
-
-```javascript
-const msal = require("@azure/msal-node");
-
-const msalConfig = {
- auth: {
- clientId: "your_client_id_here",
- authority: "your_authority_here",
- }
-};
-
-const pca = new msal.PublicClientApplication(msalConfig);
-
-// For testing, enter your username and password below.
-// In production, replace this with a UI prompt instead.
-const usernamePasswordRequest = {
- scopes: ["user.read"],
- username: "", // Add your username here
- password: "", // Add your password here
-};
-
-pca.acquireTokenByUsernamePassword(usernamePasswordRequest).then((response) => {
- console.log("acquired token by password grant");
-}).catch((error) => {
- console.log(error);
-});
-```
-
-# [Python](#tab/python)
-
-This extract is from the [MSAL Python dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/).
-
-```python
-# Create a preferably long-lived app instance which maintains a token cache.
-app = msal.PublicClientApplication(
- config["client_id"], authority=config["authority"],
- # token_cache=... # Default cache is in memory only.
- # You can learn how to use SerializableTokenCache from
- # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
- )
-
-# The pattern to acquire a token looks like this.
-result = None
-
-# Firstly, check the cache to see if this end user has signed in before
-accounts = app.get_accounts(username=config["username"])
-if accounts:
- logging.info("Account(s) exists in cache, probably with token too. Let's try.")
- result = app.acquire_token_silent(config["scope"], account=accounts[0])
-
-if not result:
- logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
- # See this page for constraints of Username Password Flow.
- # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
- result = app.acquire_token_by_username_password(
- config["username"], config["password"], scopes=config["scope"])
-```
---
-## Command-line tool without a web browser
-
-### Device code flow
-
-If you're writing a command-line tool that doesn't have web controls, and you can't or don't want to use the previous flows, use the device code flow.
-
-Interactive authentication with Azure AD requires a web browser. For more information, see [Usage of web browsers](https://aka.ms/msal-net-uses-web-browser). To authenticate users on devices or operating systems that don't provide a web browser, device code flow lets the user use another device such as a computer or a mobile phone to sign in interactively. By using the device code flow, the application obtains tokens through a two-step process that's designed for these devices or operating systems. Examples of such applications are applications that run on iOT or command-line tools (CLI). The idea is that:
-
-1. Whenever user authentication is required, the app provides a code for the user. The user is asked to use another device, such as an internet-connected smartphone, to go to a URL, for instance, `https://microsoft.com/devicelogin`. Then the user is prompted to enter the code. That done, the web page leads the user through a normal authentication experience, which includes consent prompts and multi-factor authentication, if necessary.
-
-2. Upon successful authentication, the command-line app receives the required tokens through a back channel and uses them to perform the web API calls it needs.
-
-### Use it
-
-# [.NET](#tab/dotnet)
-
-`IPublicClientApplication`contains a method named `AcquireTokenWithDeviceCode`.
-
-```csharp
- AcquireTokenWithDeviceCode(IEnumerable<string> scopes,
- Func<DeviceCodeResult, Task> deviceCodeResultCallback)
-```
-
-This method takes as parameters:
--- The `scopes` to request an access token for.-- A callback that receives the `DeviceCodeResult`.-
- ![DeviceCodeResult properties](https://user-images.githubusercontent.com/13203188/56024968-7af1b980-5d11-11e9-84c2-5be2ef306dc5.png)
-
-The following sample code presents the synopsis of most current cases, with explanations of the kind of exceptions you can get and their mitigation. For a fully functional code sample, see [active-directory-dotnetcore-devicecodeflow-v2](https://github.com/azure-samples/active-directory-dotnetcore-devicecodeflow-v2) on GitHub.
-
-```csharp
-private const string ClientId = "<client_guid>";
-private const string Authority = "https://login.microsoftonline.com/contoso.com";
-private readonly string[] scopes = new string[] { "user.read" };
-
-static async Task<AuthenticationResult> GetATokenForGraph()
-{
- IPublicClientApplication pca = PublicClientApplicationBuilder
- .Create(ClientId)
- .WithAuthority(Authority)
- .WithDefaultRedirectUri()
- .Build();
-
- var accounts = await pca.GetAccountsAsync();
-
- // All AcquireToken* methods store the tokens in the cache, so check the cache first
- try
- {
- return await pca.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
- .ExecuteAsync();
- }
- catch (MsalUiRequiredException ex)
- {
- // No token found in the cache or AAD insists that a form interactive auth is required (e.g. the tenant admin turned on MFA)
- // If you want to provide a more complex user experience, check out ex.Classification
-
- return await AcquireByDeviceCodeAsync(pca);
- }
-}
-
-private static async Task<AuthenticationResult> AcquireByDeviceCodeAsync(IPublicClientApplication pca)
-{
- try
- {
- var result = await pca.AcquireTokenWithDeviceCode(scopes,
- deviceCodeResult =>
- {
- // This will print the message on the console which tells the user where to go sign-in using
- // a separate browser and the code to enter once they sign in.
- // The AcquireTokenWithDeviceCode() method will poll the server after firing this
- // device code callback to look for the successful login of the user via that browser.
- // This background polling (whose interval and timeout data is also provided as fields in the
- // deviceCodeCallback class) will occur until:
- // * The user has successfully logged in via browser and entered the proper code
- // * The timeout specified by the server for the lifetime of this code (typically ~15 minutes) has been reached
- // * The developing application calls the Cancel() method on a CancellationToken sent into the method.
- // If this occurs, an OperationCanceledException will be thrown (see catch below for more details).
- Console.WriteLine(deviceCodeResult.Message);
- return Task.FromResult(0);
- }).ExecuteAsync();
-
- Console.WriteLine(result.Account.Username);
- return result;
- }
-
- // TODO: handle or throw all these exceptions depending on your app
- catch (MsalServiceException ex)
- {
- // Kind of errors you could have (in ex.Message)
-
- // AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.
- // Mitigation: as explained in the message from Azure AD, the authoriy needs to be tenanted. you have probably created
- // your public client application with the following authorities:
- // https://login.microsoftonline.com/common or https://login.microsoftonline.com/organizations
-
- // AADSTS90133: Device Code flow is not supported under /common or /consumers endpoint.
- // Mitigation: as explained in the message from Azure AD, the authority needs to be tenanted
-
- // AADSTS90002: Tenant <tenantId or domain you used in the authority> not found. This may happen if there are
- // no active subscriptions for the tenant. Check with your subscription administrator.
- // Mitigation: if you have an active subscription for the tenant this might be that you have a typo in the
- // tenantId (GUID) or tenant domain name.
- }
- catch (OperationCanceledException ex)
- {
- // If you use a CancellationToken, and call the Cancel() method on it, then this *may* be triggered
- // to indicate that the operation was cancelled.
- // See https://docs.microsoft.com/dotnet/standard/threading/cancellation-in-managed-threads
- // for more detailed information on how C# supports cancellation in managed threads.
- }
- catch (MsalClientException ex)
- {
- // Possible cause - verification code expired before contacting the server
- // This exception will occur if the user does not manage to sign-in before a time out (15 mins) and the
- // call to `AcquireTokenWithDeviceCode` is not cancelled in between
- }
-}
-```
-
-# [Java](#tab/java)
-
-This extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
-
-```java
-private static IAuthenticationResult acquireTokenDeviceCode() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
-
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) ->
- System.out.println(deviceCode.message());
-
- DeviceCodeFlowParameters parameters =
- DeviceCodeFlowParameters
- .builder(SCOPE, deviceCodeConsumer)
- .build();
-
- // Try to acquire a token via device code flow. If successful, you should see
- // the token and account information printed out to console, and the sample_cache.json
- // file should have been updated with the latest tokens.
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
- }
- }
- return result;
-}
-```
-
-# [macOS](#tab/macOS)
-
-This flow doesn't apply to macOS.
-
-# [Node.js](#tab/nodejs)
-
-This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/device-code).
-
-```javascript
-const msal = require('@azure/msal-node');
-
-const msalConfig = {
- auth: {
- clientId: "your_client_id_here",
- authority: "your_authority_here",
- }
-};
-
-const pca = new msal.PublicClientApplication(msalConfig);
-
-const deviceCodeRequest = {
- deviceCodeCallback: (response) => (console.log(response.message)),
- scopes: ["user.read"],
- timeout: 20,
-};
-
-pca.acquireTokenByDeviceCode(deviceCodeRequest).then((response) => {
- console.log(JSON.stringify(response));
-}).catch((error) => {
- console.log(JSON.stringify(error));
-});
-```
-
-# [Python](#tab/python)
-
-This extract is from the [MSAL Python dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/).
-
-```python
-# Create a preferably long-lived app instance which maintains a token cache.
-app = msal.PublicClientApplication(
- config["client_id"], authority=config["authority"],
- # token_cache=... # Default cache is in memory only.
- # You can learn how to use SerializableTokenCache from
- # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
- )
-
-# The pattern to acquire a token looks like this.
-result = None
-
-# Note: If your device-flow app does not have any interactive ability, you can
-# completely skip the following cache part. But here we demonstrate it anyway.
-# We now check the cache to see if we have some end users signed in before.
-accounts = app.get_accounts()
-if accounts:
- logging.info("Account(s) exists in cache, probably with token too. Let's try.")
- print("Pick the account you want to use to proceed:")
- for a in accounts:
- print(a["username"])
- # Assuming the end user chose this one
- chosen = accounts[0]
- # Now let's try to find a token in cache for this account
- result = app.acquire_token_silent(config["scope"], account=chosen)
-
-if not result:
- logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
-
- flow = app.initiate_device_flow(scopes=config["scope"])
- if "user_code" not in flow:
- raise ValueError(
- "Fail to create device flow. Err: %s" % json.dumps(flow, indent=4))
-
- print(flow["message"])
- sys.stdout.flush() # Some terminal needs this to ensure the message is shown
-
- # Ideally you should wait here, in order to save some unnecessary polling
- # input("Press Enter after signing in from another device to proceed, CTRL+C to abort.")
-
- result = app.acquire_token_by_device_flow(flow) # By default it will block
- # You can follow this instruction to shorten the block time
- # https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_device_flow
- # or you may even turn off the blocking behavior,
- # and then keep calling acquire_token_by_device_flow(flow) in your own customized loop
-```
---
-## File-based token cache
-
-In MSAL.NET, an in-memory token cache is provided by default.
-
-### Serialization is customizable in Windows desktop apps and web apps or web APIs
-
-In the case of .NET Framework and .NET Core, if you don't do anything extra, the in-memory token cache lasts for the duration of the application. To understand why serialization isn't provided out of the box, remember that MSAL .NET desktop or .NET Core applications can be console or Windows applications (which would have access to the file system) *but also* web applications or web APIs. These web apps and web APIs might use some specific cache mechanisms like databases, distributed caches, and Redis caches. To have a persistent token cache application in .NET desktop or .NET Core, you'll need to customize the serialization.
-
-Classes and interfaces involved in token cache serialization are the following types:
--- ``ITokenCache``, which defines events to subscribe to token cache serialization requests, and methods to serialize or deserialize the cache at various formats (ADAL v3.0, MSAL 2.x, and MSAL 3.x = ADAL v5.0).-- ``TokenCacheCallback`` is a callback passed to the events so that you can handle the serialization. They'll be called with arguments of type ``TokenCacheNotificationArgs``.-- ``TokenCacheNotificationArgs`` only provides the application ``ClientId`` and a reference to the user for which the token is available.-
- ![Token cache serialization diagram](https://user-images.githubusercontent.com/13203188/56027172-d58d1480-5d15-11e9-8ada-c0292f1800b3.png)
-
-> [!IMPORTANT]
-> MSAL.NET creates token caches for you and provides you with the `IToken` cache when you call an application's `UserTokenCache` and `AppTokenCache` properties. You aren't supposed to implement the interface yourself. Your responsibility, when you implement a custom token cache serialization, is to:
->
-> - React to `BeforeAccess` and `AfterAccess` events, or their *Async* counterpart. The`BeforeAccess` delegate is responsible for deserializing the cache. The `AfterAccess` delegate is responsible for serializing the cache.
-> - Understand that part of these events store or load blobs, which are passed through the event argument to whatever storage you want.
-
-The strategies are different depending on if you're writing a token cache serialization for a public client application, such as a desktop, or a confidential client application, such as a web app or web API or a daemon app.
-
-Since MSAL v2.x, you have several options. Your choice depends on whether you want to serialize the cache only to the MSAL.NET format, which is a unified format cache that's common with MSAL but also across the platforms. Or, you might also want to support the [legacy](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Token-cache-serialization) token cache serialization of ADAL v3.
-
-The customization of token cache serialization to share the SSO state between ADAL.NET 3.x, ADAL.NET 5.x, and MSAL.NET is explained in part of the sample [active-directory-dotnet-v1-to-v2](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2).
-
-### Simple token cache serialization (MSAL only)
-
-The following example is a naive implementation of custom serialization of a token cache for desktop applications. Here, the user token cache is in a file in the same folder as the application or, in a per user per app folder in the case where the app is a [packaged desktop application](/windows/msix/desktop/desktop-to-uwp-behind-the-scenes). For the full code, see the following sample: [active-directory-dotnet-desktop-msgraph-v2](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2).
-
-After you build the application, you enable the serialization by calling ``TokenCacheHelper.EnableSerialization()`` and passing the application `UserTokenCache`.
-
-```csharp
-app = PublicClientApplicationBuilder.Create(ClientId)
- .Build();
-TokenCacheHelper.EnableSerialization(app.UserTokenCache);
-```
-
-This helper class looks like the following code snippet:
-
-```csharp
-static class TokenCacheHelper
- {
- public static void EnableSerialization(ITokenCache tokenCache)
- {
- tokenCache.SetBeforeAccess(BeforeAccessNotification);
- tokenCache.SetAfterAccess(AfterAccessNotification);
- try
- {
- // For packaged desktop apps (MSIX packages) the executing assembly folder is read-only.
- // In that case we need to use Windows.Storage.ApplicationData.Current.LocalCacheFolder.Path + "\msalcache.bin"
- // which is a per-app read/write folder for packaged apps.
- // See https://docs.microsoft.com/windows/msix/desktop/desktop-to-uwp-behind-the-scenes
- CacheFilePath = System.IO.Path.Combine(Windows.Storage.ApplicationData.Current.LocalCacheFolder.Path, "msalcache.bin3");
- }
- catch (System.InvalidOperationException)
- {
- // Fall back for an un-packaged desktop app
- CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + ".msalcache.bin";
- }
- }
-
- /// <summary>
- /// Path to the token cache
- /// </summary>
- public static string CacheFilePath { get; private set; }
-
- private static readonly object FileLock = new object();
-
- private static void BeforeAccessNotification(TokenCacheNotificationArgs args)
- {
- lock (FileLock)
- {
- args.TokenCache.DeserializeMsalV3(File.Exists(CacheFilePath)
- ? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath),
- null,
- DataProtectionScope.CurrentUser)
- : null);
- }
- }
-
- private static void AfterAccessNotification(TokenCacheNotificationArgs args)
- {
- // if the access operation resulted in a cache update
- if (args.HasStateChanged)
- {
- lock (FileLock)
- {
- // reflect changesgs in the persistent store
- File.WriteAllBytes(CacheFilePath,
- ProtectedData.Protect(args.TokenCache.SerializeMsalV3(),
- null,
- DataProtectionScope.CurrentUser)
- );
- }
- }
- }
- }
-```
-
-A preview of a product quality token cache file-based serializer for public client applications for desktop applications running on Windows, Mac, and Linux is available from the [Microsoft.Identity.Client.Extensions.Msal](https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/tree/master/src/Microsoft.Identity.Client.Extensions.Msal) open-source library. You can include it in your applications from the following NuGet package: [Microsoft.Identity.Client.Extensions.Msal](https://www.nuget.org/packages/Microsoft.Identity.Client.Extensions.Msal/).
-
-> [!NOTE]
-> Disclaimer: The Microsoft.Identity.Client.Extensions.Msal library is an extension over MSAL.NET. Classes in these libraries might make their way into MSAL.NET in the future, as is or with breaking changes.
-
-### Dual token cache serialization (MSAL unified cache + ADAL v3)
-
-You might want to implement token cache serialization with the Unified cache format. This format is common to ADAL.NET 4.x and MSAL.NET 2.x, and with other MSALs of the same generation or older, on the same platform. Get inspired by the following code:
-
-```csharp
-string appLocation = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location;
-string cacheFolder = Path.GetFullPath(appLocation) + @"..\..\..\..");
-string adalV3cacheFileName = Path.Combine(cacheFolder, "cacheAdalV3.bin");
-string unifiedCacheFileName = Path.Combine(cacheFolder, "unifiedCache.bin");
-
-IPublicClientApplication app;
-app = PublicClientApplicationBuilder.Create(clientId)
- .Build();
-FilesBasedTokenCacheHelper.EnableSerialization(app.UserTokenCache,
- unifiedCacheFileName,
- adalV3cacheFileName);
-```
-
-This time the helper class looks like the following code:
-
-```csharp
-using System;
-using System.IO;
-using System.Security.Cryptography;
-using Microsoft.Identity.Client;
-
-namespace CommonCacheMsalV3
-{
- /// <summary>
- /// Simple persistent cache implementation of the dual cache serialization (ADAL V3 legacy
- /// and unified cache format) for a desktop applications (from MSAL 2.x)
- /// </summary>
- static class FilesBasedTokenCacheHelper
- {
- /// <summary>
- /// Get the user token cache
- /// </summary>
- /// <param name="adalV3CacheFileName">File name where the cache is serialized with the
- /// ADAL V3 token cache format. Can
- /// be <c>null</c> if you don't want to implement the legacy ADAL V3 token cache
- /// serialization in your MSAL 2.x+ application</param>
- /// <param name="unifiedCacheFileName">File name where the cache is serialized
- /// with the Unified cache format, common to
- /// ADAL V4 and MSAL V2 and above, and also across ADAL/MSAL on the same platform.
- /// Should not be <c>null</c></param>
- /// <returns></returns>
- public static void EnableSerialization(ITokenCache cache, string unifiedCacheFileName, string adalV3CacheFileName)
- {
- UnifiedCacheFileName = unifiedCacheFileName;
- AdalV3CacheFileName = adalV3CacheFileName;
-
- cache.SetBeforeAccess(BeforeAccessNotification);
- cache.SetAfterAccess(AfterAccessNotification);
- }
-
- /// <summary>
- /// File path where the token cache is serialized with the unified cache format
- /// (ADAL.NET V4, MSAL.NET V3)
- /// </summary>
- public static string UnifiedCacheFileName { get; private set; }
-
- /// <summary>
- /// File path where the token cache is serialized with the legacy ADAL V3 format
- /// </summary>
- public static string AdalV3CacheFileName { get; private set; }
-
- private static readonly object FileLock = new object();
-
- public static void BeforeAccessNotification(TokenCacheNotificationArgs args)
- {
- lock (FileLock)
- {
- args.TokenCache.DeserializeAdalV3(ReadFromFileIfExists(AdalV3CacheFileName));
- try
- {
- args.TokenCache.DeserializeMsalV3(ReadFromFileIfExists(UnifiedCacheFileName));
- }
- catch(Exception ex)
- {
- // Compatibility with the MSAL v2 cache if you used one
- args.TokenCache.DeserializeMsalV2(ReadFromFileIfExists(UnifiedCacheFileName));
- }
- }
- }
-
- public static void AfterAccessNotification(TokenCacheNotificationArgs args)
- {
- // if the access operation resulted in a cache update
- if (args.HasStateChanged)
- {
- lock (FileLock)
- {
- WriteToFileIfNotNull(UnifiedCacheFileName, args.TokenCache.SerializeMsalV3());
- if (!string.IsNullOrWhiteSpace(AdalV3CacheFileName))
- {
- WriteToFileIfNotNull(AdalV3CacheFileName, args.TokenCache.SerializeAdalV3());
- }
- }
- }
- }
-
- /// <summary>
- /// Read the content of a file if it exists
- /// </summary>
- /// <param name="path">File path</param>
- /// <returns>Content of the file (in bytes)</returns>
- private static byte[] ReadFromFileIfExists(string path)
- {
- byte[] protectedBytes = (!string.IsNullOrEmpty(path) && File.Exists(path))
- ? File.ReadAllBytes(path) : null;
- byte[] unprotectedBytes = encrypt ?
- ((protectedBytes != null) ? ProtectedData.Unprotect(protectedBytes, null, DataProtectionScope.CurrentUser) : null)
- : protectedBytes;
- return unprotectedBytes;
- }
-
- /// <summary>
- /// Writes a blob of bytes to a file. If the blob is <c>null</c>, deletes the file
- /// </summary>
- /// <param name="path">path to the file to write</param>
- /// <param name="blob">Blob of bytes to write</param>
- private static void WriteToFileIfNotNull(string path, byte[] blob)
- {
- if (blob != null)
- {
- byte[] protectedBytes = encrypt
- ? ProtectedData.Protect(blob, null, DataProtectionScope.CurrentUser)
- : blob;
- File.WriteAllBytes(path, protectedBytes);
- }
- else
- {
- File.Delete(path);
- }
- }
-
- // Change if you want to test with an un-encrypted blob (this is a json format)
- private static bool encrypt = true;
- }
-}
-```
-
-## (Advanced) Accessing the user's cached tokens in background apps and services
-- ## Next steps Move on to the next article in this scenario,
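Review bot: Removing this whole device-code and file-based-token-cache section without the replacement pages in the same change leaves `scenario-desktop-acquire-token.md#device-code-flow` and `#file-based-token-cache` as dangling anchors; the only trace of the new home is the link rewrite further down in this digest (scenario-web-app-call-api-app-configuration.md now points at msal-net-token-cache-serialization.md), so please confirm that page and the per-flow pages land in this commit. When the text is moved, fix the defects it carries rather than copying them: the dual-cache sample has mismatched parentheses in `string appLocation = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location;` and `string cacheFolder = Path.GetFullPath(appLocation) + @"..\..\..\..");`, the comments say `changesgs` and `authoriy`, and `BeforeAccessNotification` in `FilesBasedTokenCacheHelper` wraps `DeserializeMsalV3` in a bare `catch(Exception ex)` that ignores `ex` and silently falls back to `DeserializeMsalV2`, which hides a truncated or tampered `unifiedCache.bin` (the on-disk token store) instead of surfacing it; narrow the catch or at least log the failure. Worth keeping in the moved text: both helpers protect the file with `ProtectedData` in `DataProtectionScope.CurrentUser`, which is Windows DPAPI only, so the pointer to Microsoft.Identity.Client.Extensions.Msal for Mac and Linux should stay next to the samples.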
active-directory Scenario Desktop App Registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-app-registration.md
Specify the redirect URI for your app by [configuring the platform settings](qui
- If you build a native Objective-C or Swift app for macOS, register the redirect URI based on your application's bundle identifier in the following format: `msauth.<your.app.bundle.id>://auth`. Replace `<your.app.bundle.id>` with your application's bundle identifier. - If you build a Node.js Electron app, use a custom file protocol instead of a regular web (https://) redirect URI in order to handle the redirection step of the authorization flow, for instance `msal://redirect`. The custom file protocol name shouldn't be obvious to guess and should follow the suggestions in the [OAuth2.0 specification for Native Apps](https://tools.ietf.org/html/rfc8252#section-7.1). - If your app uses only Integrated Windows Authentication or a username and a password, you don't need to register a redirect URI for your application. These flows do a round trip to the Microsoft identity platform v2.0 endpoint. Your application won't be called back on any specific URI.-- To distinguish [device code flow](scenario-desktop-acquire-token.md#device-code-flow), [Integrated Windows Authentication](scenario-desktop-acquire-token.md#integrated-windows-authentication), and a [username and a password](scenario-desktop-acquire-token.md#username-and-password) from a confidential client application using a client credential flow used in [daemon applications](scenario-daemon-overview.md), none of which requires a redirect URI, configure it as a public client application. To achieve this configuration:
+- To distinguish [device code flow](scenario-desktop-acquire-token-device-code-flow.md), [Integrated Windows Authentication](scenario-desktop-acquire-token-integrated-windows-authentication.md), and a [username and a password](scenario-desktop-acquire-token-username-password.md) from a confidential client application using a client credential flow used in [daemon applications](scenario-daemon-overview.md), none of which requires a redirect URI, configure it as a public client application. To achieve this configuration:
1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, select your app in **App registrations**, and then select **Authentication**. 1. In **Advanced settings** > **Allow public client flows** > **Enable the following mobile and desktop flows:**, select **Yes**.
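Review bot: The removed line carries four bullets (macOS bundle-id redirect URI, Electron custom file protocol, IWA and username/password needing no redirect URI, and the device-code bullet) while the added line restores only the device-code bullet with the new per-flow links; confirm the other three bullets survive in the file, otherwise the redirect-URI guidance for macOS and Electron, including the RFC 8252 advice that the custom scheme should not be easy to guess, is lost. The three new targets (scenario-desktop-acquire-token-device-code-flow.md, scenario-desktop-acquire-token-integrated-windows-authentication.md, scenario-desktop-acquire-token-username-password.md) must exist in this commit, since the old section anchors on scenario-desktop-acquire-token.md are removed above.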
active-directory Scenario Mobile App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-mobile-app-configuration.md
-+ Last updated 06/16/2020
active-directory Scenario Web App Call Api App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
The use of client assertions is an advanced scenario, detailed in [Client assert
## Token cache > [!IMPORTANT]
-> The token-cache implementation for web apps or web APIs is different from the implementation for desktop applications, which is often [file based](scenario-desktop-acquire-token.md#file-based-token-cache).
+> The token-cache implementation for web apps or web APIs is different from the implementation for desktop applications, which is often [file based](msal-net-token-cache-serialization.md).
> For security and performance reasons, it's important to ensure that for web apps and web APIs there is one token cache per user account. You must serialize the token cache for each account. # [ASP.NET Core](#tab/aspnetcore)
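Review bot: The rewritten link drops the section anchor and points at the whole page msal-net-token-cache-serialization.md, which is fine only if that page is added in the same commit. The identical sentence, with the identical link change, is repeated in the ASP.NET tab below; keeping it once, here in the IMPORTANT callout that also states the one-cache-per-user-account requirement, means one link to maintain instead of two.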
For details about the token-cache providers, see also Microsoft.Identity.Web's [
# [ASP.NET](#tab/aspnet)
-The token-cache implementation for web apps or web APIs is different from the implementation for desktop applications, which is often [file based](scenario-desktop-acquire-token.md#file-based-token-cache).
+The token-cache implementation for web apps or web APIs is different from the implementation for desktop applications, which is often [file based](msal-net-token-cache-serialization.md).
The web-app implementation can use the ASP.NET session or the server memory. For example, see how the cache implementation is hooked after the creation of the MSAL.NET application in [MsalAppBuilder.cs#L39-L51](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/79e3e1f084cd78f9170a8ca4077869f217735a1a/WebApp/Utils/MsalAppBuilder.cs#L57-L58): First, to use these implementations:-- add the Microsoft.Identity.Web Nuget package. These token cache serializers are not brought in MSAL.NET directly to avoid unwanted dependencies. In addition to a higher level for ASP.NET Core, Microsoft.Identity.Web brings classes that are helpers for MSAL.NET,
+- add the Microsoft.Identity.Web NuGet package. These token cache serializers are not brought in MSAL.NET directly to avoid unwanted dependencies. In addition to a higher level for ASP.NET Core, Microsoft.Identity.Web brings classes that are helpers for MSAL.NET,
- In your code, use the Microsoft.Identity.Web namespace: ```csharp
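Review bot: `Nuget` to `NuGet` is correct; while touching this paragraph, fix the context line above it, where the link text says `MsalAppBuilder.cs#L39-L51` but the URL fragment is `#L57-L58`, so readers are sent to different lines than the text names, and a pinned-commit link such as this one should name the lines it actually points at.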
active-directory Tutorial Blazor Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-blazor-server.md
Every app that uses Azure Active Directory (Azure AD) for authentication must be
- For **Supported account types**, select **Accounts in this organizational directory only**. - Leave the **Redirect URI** drop down set to **Web** and enter `https://localhost:5001/signin-oidc`. The default port for an app running on Kestrel is 5001. If the app is available on a different port, specify that port number instead of `5001`.
-Under **Manage**, select **Authentication** > **Implicit grant and hybrid flows**. Select **Access tokens** and **ID tokens**, and then select **Save**.
+Under **Manage**, select **Authentication** > **Implicit grant and hybrid flows**. Select **ID tokens**, and then select **Save**.
Finally, because the app calls a protected API (in this case Microsoft Graph), it needs a client secret in order to verify its identity when it requests an access token to call that API.
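Review bot: Dropping **Access tokens** from the implicit grant checkboxes is the right direction: a Blazor Server app is a confidential client that obtains its Graph access token on the server with the client secret described in the next sentence, so only **ID tokens** are needed for the hybrid flow and leaving implicit access tokens enabled widens the app registration for no benefit. A short clause saying why ID tokens alone suffice would stop readers from re-enabling the other box when a call fails for an unrelated reason.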
Finally, because the app calls a protected API (in this case Microsoft Graph), i
Run the following command to download the templates for Microsoft.Identity.Web, which we will make use of in this tutorial. ```dotnetcli
-dotnet new --install Microsoft.Identity.Web.ProjectTemplates::0.4.0-preview
+dotnet new --install Microsoft.Identity.Web.ProjectTemplates
``` Then, run the following command to create the application. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name. ```dotnetcli
-dotnet new blazorserver2 --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}"
+dotnet new blazorserver2 --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}" --domain "{DOMAIN}"
``` | Placeholder | Azure portal name | Example |
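Review bot: Removing the `::0.4.0-preview` pin means `dotnet new --install` resolves the latest published Microsoft.Identity.Web.ProjectTemplates, so the `blazorserver2` template name and the new `--domain` option on the following command are only guaranteed to work for whatever version that is on the day the reader runs it; either state the version the tutorial was verified against or keep a pin. The `{DOMAIN}` placeholder introduced on the `+` command line needs a row in the placeholder table that follows.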
dotnet new blazorserver2 --auth SingleOrg --calls-graph -o {APP NAME} --client-i
| `{APP NAME}` | &mdash; | `BlazorSample` | | `{CLIENT ID}` | Application (client) ID | `41451fa7-0000-0000-0000-69eff5a761fd` | | `{TENANT ID}` | Directory (tenant) ID | `e86c78e2-0000-0000-0000-918e0565a45e` |
+| `{DOMAIN}` | Primary domain | `tenantname.onmicrosoft.com` |
Now, navigate to your new Blazor app in your editor and add the client secret to the *appsettings.json* file, replacing the text "secret-from-app-registration".
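Review bot: The new `{DOMAIN}` row matches the `--domain "{DOMAIN}"` argument added to the command, and the `tenantname.onmicrosoft.com` example makes the expected value clear. The closing sentence still tells the reader to paste the client secret into *appsettings.json*; since the generated project is what they will commit, point at the ASP.NET Core user-secrets store for development (and Key Vault or another secret store for deployment) instead of the settings file.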
active-directory Vs Active Directory Dotnet Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/vs-active-directory-dotnet-getting-started.md
ms.prod: visual-studio-windows ms.technology: vs-azure -+ Last updated 03/12/2018
active-directory Vs Active Directory Dotnet What Happened https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/vs-active-directory-dotnet-what-happened.md
ms.prod: visual-studio-windows ms.technology: vs-azure -+ Last updated 03/12/2018
active-directory Vs Active Directory Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/vs-active-directory-error.md
ms.prod: visual-studio-windows ms.technology: vs-azure -+ Last updated 03/12/2018
active-directory Vs Active Directory Webapi Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/vs-active-directory-webapi-getting-started.md
ms.prod: visual-studio-windows ms.technology: vs-azure -+ Last updated 03/12/2018
active-directory Vs Active Directory Webapi What Happened https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/vs-active-directory-webapi-what-happened.md
ms.prod: visual-studio-windows ms.technology: vs-azure-+ Last updated 03/12/2018
active-directory Hybrid Azuread Join Federated Domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-federated-domains.md
Here are 3 ways to locate and verify the device state:
3. Verify that both **AzureAdJoined** and **DomainJoined** are set to **YES**. 4. You can use the **DeviceId** and compare the status on the service using either the Azure portal or PowerShell.
+For downlevel devices see the article [Troubleshooting hybrid Azure Active Directory joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md#step-1-retrieve-the-registration-status)
+ ### Using the Azure portal 1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).
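Review bot: The added sentence has no terminating period, and the `+ ### Using the Azure portal` line shows a blank added line glued onto the existing heading, so the heading should stay on its own line with the blank line before it. The sentence says "downlevel" while the link text says "down-level"; pick one spelling.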
If you experience issues with completing hybrid Azure AD join for domain-joined
Learn how to [manage device identities by using the Azure portal](device-management-azure-portal.md). <!--Image references-->
-[1]: ./media/active-directory-conditional-access-automatic-device-registration-setup/12.png
+[1]: ./media/active-directory-conditional-access-automatic-device-registration-setup/12.png
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
# Product names and service plan identifiers for licensing
-When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products) or the [Microsoft 365 admin center](https://admin.microsoft.com), you see product names that look something like *Office 365 E3*. When you use PowerShell v1.0 cmdlets, the same product is identified using a specific but less friendly name: *ENTERPRISEPACK*. When using PowerShell v2.0 cmdlets or Microsoft Graph, the same product is identified using a GUID value: *6fd2c87f-b296-42f0-b197-1e91e994b900*. The following table lists the most commonly used Microsoft online service products and provides their various ID values. These tables are for reference purposes and are accurate only as of the date when this article was last updated. Microsoft does not plan to update them for newly added services periodically.
+When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products) or the [Microsoft 365 admin center](https://admin.microsoft.com), you see product names that look something like *Office 365 E3*. When you use PowerShell v1.0 cmdlets, the same product is identified using a specific but less friendly name: *ENTERPRISEPACK*. When using PowerShell v2.0 cmdlets or [Microsoft Graph](/graph/api/resources/subscribedsku), the same product is identified using a GUID value: *6fd2c87f-b296-42f0-b197-1e91e994b900*. The following table lists the most commonly used Microsoft online service products and provides their various ID values. These tables are for reference purposes and are accurate only as of the date when this article was last updated. Microsoft does not plan to update them for newly added services periodically.
- **Product name**: Used in management portals-- **String ID**: Used by PowerShell v1.0 cmdlets when performing operations on licenses-- **GUID**: GUID used by the Microsoft Graph API
+- **String ID**: Used by PowerShell v1.0 cmdlets when performing operations on licenses or by the **skuPartNumber** property of the **subscribedSku** Microsoft Graph API
+- **GUID**: GUID used by the **skuId** property of the **subscribedSku** Microsoft Graph API
- **Service plans included**: A list of service plans in the product that correspond to the string ID and GUID - **Service plans included (friendly names)**: A list of service plans (friendly names) in the product that correspond to the string ID and GUID
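Review bot: The two replacement bullets correctly map the string ID to `skuPartNumber` and the GUID to `skuId` on the `subscribedSku` resource, which matches the Graph link added in the paragraph above. The phrasing `**GUID**: GUID used by the **skuId** property` repeats the word; `**GUID**: Used by the **skuId** property of the **subscribedSku** Microsoft Graph API` reads in parallel with the String ID bullet.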
active-directory Services Support Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
Refer to the following list to configure managed identity for Azure App Service
- [Azure PowerShell](../../app-service/overview-managed-identity.md#using-azure-powershell) - [Azure Resource Manager template](../../app-service/overview-managed-identity.md#using-an-azure-resource-manager-template)
-### Azure Arc enabled Kubernetes
+### Azure Arc-enabled Kubernetes
| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet | | | :-: | :-: | :-: | :-: | | System assigned | Preview | Not available | Not available | Not available | | User assigned | Not available | Not available | Not available | Not available |
-Azure Arc enabled Kubernetes currently [supports system assigned identity](../../azure-arc/kubernetes/quickstart-connect-cluster.md). The managed service identity certificate is used by all Azure Arc enabled Kubernetes agents for communication with Azure.
+Azure Arc-enabled Kubernetes currently [supports system assigned identity](../../azure-arc/kubernetes/quickstart-connect-cluster.md). The managed service identity certificate is used by all Azure Arc-enabled Kubernetes agents for communication with Azure.
### Azure Arc-enabled servers
Azure Arc enabled Kubernetes currently [supports system assigned identity](../..
All Azure Arc-enabled servers have a system assigned identity. You cannot disable or change the system assigned identity on an Azure Arc-enabled server. Refer to the following resources to learn more about how to consume managed identities on Azure Arc-enabled servers: -- [Authenticate against Azure resources with Arc-enabled servers](../../azure-arc/servers/managed-identity-authentication.md)-- [Using a managed identity with Arc-enabled servers](../../azure-arc/servers/security-overview.md#using-a-managed-identity-with-arc-enabled-servers)
+- [Authenticate against Azure resources with Azure Arc-enabled servers](../../azure-arc/servers/managed-identity-authentication.md)
+- [Using a managed identity with Azure Arc-enabled servers](../../azure-arc/servers/security-overview.md#using-a-managed-identity-with-azure-arc-enabled-servers)
### Azure Automanage
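Review bot: The second link's fragment changes from `#using-a-managed-identity-with-arc-enabled-servers` to `#using-a-managed-identity-with-azure-arc-enabled-servers`, which only resolves if the heading in `security-overview.md` was renamed to "Using a managed identity with Azure Arc-enabled servers" in the same change; please confirm that file is updated in this commit, or keep the old fragment, to avoid a broken anchor. The first link has no fragment, so the text-only rename there is safe.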
Managed identity type | All Generally Available<br>Global Azure Regions | Azure
| System assigned | ![Available][check] | Not available | Not available | Not available | | User assigned | ![Available][check] | Not available | Not available | Not available | - > [!NOTE] > You can use Managed Identities to authenticate an [Azure Stream analytics job to Power BI](../../stream-analytics/powerbi-output-managed-identity.md).
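Review bot: Dropping the "Azure Stream analytics job to Power BI" note from under the Azure Automanage table is right, since the note has nothing to do with Automanage, but make sure the same guidance (and its link to `powerbi-output-managed-identity.md`) still appears under the Azure Stream Analytics section of this page so the pointer is not lost.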
active-directory Active And Thriving Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/active-and-thriving-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Active and Thriving | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Active and Thriving.
++++++++ Last updated : 09/03/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Active and Thriving
+
+In this tutorial, you'll learn how to integrate Active and Thriving with Azure Active Directory (Azure AD). When you integrate Active and Thriving with Azure AD, you can:
+
+* Control in Azure AD who has access to Active and Thriving.
+* Enable your users to be automatically signed-in to Active and Thriving with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Active and Thriving single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Active and Thriving supports **SP and IDP** initiated SSO.
+
+## Add Active and Thriving from the gallery
+
+To configure the integration of Active and Thriving into Azure AD, you need to add Active and Thriving from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Active and Thriving** in the search box.
+1. Select **Active and Thriving** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Active and Thriving
+
+Configure and test Azure AD SSO with Active and Thriving using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Active and Thriving.
+
+To configure and test Azure AD SSO with Active and Thriving, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Active and Thriving SSO](#configure-active-and-thriving-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Active and Thriving test user](#create-active-and-thriving-test-user)** - to have a counterpart of B.Simon in Active and Thriving that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Active and Thriving** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://app.activeandthriving.com.au/saml2/aad/login`
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Active and Thriving** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Active and Thriving.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Active and Thriving**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Active and Thriving SSO
+
+To configure single sign-on on **Active and Thriving** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Active and Thriving support team](mailto:support@activeandthriving.com.au). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Active and Thriving test user
+
+In this section, you create a user called Britta Simon in Active and Thriving. Work with [Active and Thriving support team](mailto:support@activeandthriving.com.au) to add the users in the Active and Thriving platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Active and Thriving Sign on URL where you can initiate the login flow.
+
+* Go to Active and Thriving Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Active and Thriving for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Active and Thriving tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Active and Thriving for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Active and Thriving you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
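Review bot: The test user is introduced as **B.Simon**, yet the "Create Active and Thriving test user" section says a user called Britta Simon is created; use B.Simon throughout so the Azure AD user and the application-side counterpart are clearly the same account. The "Basic SAML Configuration" step also says no action is needed because the app is pre-integrated, while the very next step sets a fixed Sign-on URL for SP-initiated mode; saying "no action is needed for Identifier and Reply URL" would keep readers from skipping the SP step. Two nits: "organizationΓÇÖs" in Next steps is a mis-encoded apostrophe and should read "organization's", and "signed in to the Active and Thriving for which you set up the SSO" (IDP initiated bullet and the My Apps paragraph) should drop the article before the product name.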
active-directory Anaqua Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/anaqua-tutorial.md
Previously updated : 05/31/2019 Last updated : 08/31/2021
In this tutorial, you'll learn how to integrate ANAQUA with Azure Active Directo
* Enable your users to be automatically signed-in to ANAQUA with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. ANAQUA supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* ANAQUA supports **SP and IDP** initiated SSO.
+* ANAQUA supports **Just In Time** user provisioning.
-## Adding ANAQUA from the gallery
+## Add ANAQUA from the gallery
To configure the integration of ANAQUA into Azure AD, you need to add ANAQUA from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **ANAQUA** in the search box. 1. Select **ANAQUA** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for ANAQUA
Configure and test Azure AD SSO with ANAQUA using a test user called **B. Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ANAQUA.
-To configure and test Azure AD SSO with ANAQUA, complete the following building blocks:
+To configure and test Azure AD SSO with ANAQUA, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure ANAQUA](#configure-anaqua)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B. Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B. Simon to use Azure AD single sign-on.
-5. **[Create ANAQUA test user](#create-anaqua-test-user)** to have a counterpart of B. Simon in ANAQUA that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ANAQUA SSO](#configure-anaqua-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ANAQUA test user](#create-anaqua-test-user)** - to have a counterpart of B.Simon in ANAQUA that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **ANAQUA** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **ANAQUA** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.anaqua.com`
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.anaqua.com/anaqua/Public/login.aspx` 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.anaqua.com/anaqua/Public/login.aspx` > [!NOTE]
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure ANAQUA
-
-To configure single sign-on on **ANAQUA** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ANAQUA support team](https://go.anaqua.com/contact-us). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B. Simon.
In this section, you'll enable B. Simon to use Azure single sign-on by granting
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **ANAQUA**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure ANAQUA SSO
+
+To configure single sign-on on **ANAQUA** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ANAQUA support team](https://go.anaqua.com/contact-us). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create ANAQUA test user In this section, a user called Britta Simon is created in ANAQUA. ANAQUA supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in ANAQUA, a new one is created after authentication.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to ANAQUA Sign on URL where you can initiate the login flow.
+
+* Go to ANAQUA Sign-on URL directly and initiate the login flow from there.
-When you select the ANAQUA tile in the Access Panel, you should be automatically signed in to the ANAQUA for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ANAQUA for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the ANAQUA tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ANAQUA for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure ANAQUA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
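Review bot: The new step list and the new test-user lines write the test user as **B.Simon**, while the unchanged lines of this file (the "Configure and test" intro, "Create an Azure AD test user" and "Assign the Azure AD test user") still use **B. Simon** with a space, and the JIT section keeps "Britta Simon"; pick one spelling for the whole file in this refresh. "organizationΓÇÖs" in the Next steps paragraph is a mis-encoded apostrophe, as in the other refreshed tutorials. The move of "Configure ANAQUA" after the Azure AD test-user sections and its new `#configure-anaqua-sso` anchor match the updated step list, and since the Reply URL and SP Sign-on URL patterns left in context are identical (`https://<SUBDOMAIN>.anaqua.com/anaqua/Public/login.aspx`), a sentence saying that is intentional would stop readers from reading it as a copy error.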
active-directory Appaegis Isolation Access Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/appaegis-isolation-access-cloud-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Appaegis Isolation Access Cloud'
+description: Learn how to configure single sign-on between Azure Active Directory and Appaegis Isolation Access Cloud.
++++++++ Last updated : 09/07/2021++++
+# Tutorial: Azure AD SSO integration with Appaegis Isolation Access Cloud
+
+In this tutorial, you'll learn how to integrate Appaegis Isolation Access Cloud with Azure Active Directory (Azure AD). When you integrate Appaegis Isolation Access Cloud with Azure AD, you can:
+
+* Control in Azure AD who has access to Appaegis Isolation Access Cloud.
+* Enable your users to be automatically signed-in to Appaegis Isolation Access Cloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Appaegis Isolation Access Cloud single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Appaegis Isolation Access Cloud supports **SP and IDP** initiated SSO.
+* Appaegis Isolation Access Cloud supports **Just In Time** user provisioning.
+
+## Adding Appaegis Isolation Access Cloud from the gallery
+
+To configure the integration of Appaegis Isolation Access Cloud into Azure AD, you need to add Appaegis Isolation Access Cloud from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Appaegis Isolation Access Cloud** in the search box.
+1. Select **Appaegis Isolation Access Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Appaegis Isolation Access Cloud
+
+Configure and test Azure AD SSO with Appaegis Isolation Access Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Appaegis Isolation Access Cloud.
+
+To configure and test Azure AD SSO with Appaegis Isolation Access Cloud, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Appaegis Isolation Access Cloud SSO](#configure-appaegis-isolation-access-cloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Appaegis Isolation Access Cloud test user](#create-appaegis-isolation-access-cloud-test-user)** - to have a counterpart of B.Simon in Appaegis Isolation Access Cloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Appaegis Isolation Access Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode:
+
+ a. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.appaegis.net`
+
+ b. In the **Relay State** text box, type a value using the following pattern:
+ `<RelayState>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign-on URL and Relay State. Contact [Appaegis Isolation Access Cloud Client support team](mailto:support@appaegis.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Appaegis Isolation Access Cloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Appaegis Isolation Access Cloud application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre-populated but you can review them as per your requirements.
+
+ | Name | Source Attribute |
+ | | |
+ | email | user.userprincipalname |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Appaegis Isolation Access Cloud** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Appaegis Isolation Access Cloud.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Appaegis Isolation Access Cloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Appaegis Isolation Access Cloud SSO
+
+1. Log in to your Appaegis Isolation Access Cloud company site as an administrator.
+
+1. Go to **Setting** > **Customization**, type a **Tenant Domain URL** in the textbox and click **+IdP** button.
+
+ ![Screenshot shows the Account Customization.](./media/appaegis-isolation-access-cloud-tutorial/account.png "Account Customization")
+
+1. In the **Identity Provider Details** page, perform the following steps.
+
+ ![Screenshot shows the details of Identity Provider.](./media/appaegis-isolation-access-cloud-tutorial/details.png "Identity Provider")
+
+ 1. Select **Azure AD** from the dropdown in the **Identity Provider**.
+
+ 1. Copy **ACS URL** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration** section in the Azure portal.
+
+ 1. Copy **Entity ID** value, paste this value into the **Identifier** text box in the **Basic SAML Configuration** section in the Azure portal.
+
+ 1. Open the downloaded **Federation Metadata XML** from the Azure portal into Notepad and upload the file into the **SAML File Upload**.
+
+ 1. Enabled the **Status** checkbox and click **Save**.
+
+### Create Appaegis Isolation Access Cloud test user
+
+In this section, a user called Britta Simon is created in Appaegis Isolation Access Cloud. Appaegis Isolation Access Cloud supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Appaegis Isolation Access Cloud, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Appaegis Isolation Access Cloud Sign on URL where you can initiate the login flow.
+
+* Go to Appaegis Isolation Access Cloud Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Appaegis Isolation Access Cloud for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Appaegis Isolation Access Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Appaegis Isolation Access Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Appaegis Isolation Access Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
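Review bot: Step 4 of "Configure Azure AD SSO" says no action is needed in Basic SAML Configuration because the app is pre-integrated, but steps b and c under "Identity Provider Details" tell the reader to paste the ACS URL into **Reply URL** and the Entity ID into **Identifier** in that same section; either the Azure AD step should list Identifier and Reply URL as values taken from the Appaegis side, or the pasting steps should be removed, otherwise the two sections contradict each other. Smaller fixes: "Enabled the **Status** checkbox" should be "Enable"; opening the Federation Metadata XML in Notepad is unnecessary for an upload and should be dropped from step d; "expects few more attributes" should be "expects a few more attributes"; the JIT section's "Britta Simon" should be B.Simon to match the rest of the tutorial; and "organizationΓÇÖs" in Next steps is a mis-encoded apostrophe.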
active-directory Beyond Identity Admin Console Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/beyond-identity-admin-console-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Beyond Identity Admin Console | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Beyond Identity Admin Console.
++++++++ Last updated : 09/03/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Beyond Identity Admin Console
+
+In this tutorial, you'll learn how to integrate Beyond Identity Admin Console with Azure Active Directory (Azure AD). When you integrate Beyond Identity Admin Console with Azure AD, you can:
+
+* Control in Azure AD who has access to Beyond Identity Admin Console.
+* Enable your users to be automatically signed-in to Beyond Identity Admin Console with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Beyond Identity Admin Console single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Beyond Identity Admin Console supports **SP** initiated SSO.
+
+## Add Beyond Identity Admin Console from the gallery
+
+To configure the integration of Beyond Identity Admin Console into Azure AD, you need to add Beyond Identity Admin Console from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Beyond Identity Admin Console** in the search box.
+1. Select **Beyond Identity Admin Console** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Beyond Identity Admin Console
+
+Configure and test Azure AD SSO with Beyond Identity Admin Console using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Beyond Identity Admin Console.
+
+To configure and test Azure AD SSO with Beyond Identity Admin Console, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Beyond Identity Admin Console SSO](#configure-beyond-identity-admin-console-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Beyond Identity Admin Console test user](#create-beyond-identity-admin-console-test-user)** - to have a counterpart of B.Simon in Beyond Identity Admin Console that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Beyond Identity Admin Console** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://admin.byndid.com/auth/saml/<azure-tenant-id>/sso/metadata.xml`
+
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://admin.byndid.com/auth/?org_id=<bi-tenant-id>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Beyond Identity Admin Console Client support team](mailto:support@beyondidentity.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Beyond Identity Admin Console application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Beyond Identity Admin Console application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Namespace | Source Attribute|
+ | | | |
+ | immutableId | externalId | user.immutableId |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Beyond Identity Admin Console** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Beyond Identity Admin Console.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Beyond Identity Admin Console**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Beyond Identity Admin Console SSO
+
+To configure single sign-on on **Beyond Identity Admin Console** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Beyond Identity Admin Console support team](mailto:support@beyondidentity.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Beyond Identity Admin Console test user
+
+In this section, you create a user called Britta Simon in Beyond Identity Admin Console. Work with [Beyond Identity Admin Console support team](mailto:support@beyondidentity.com) to add the users in the Beyond Identity Admin Console platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Beyond Identity Admin Console Sign-on URL where you can initiate the login flow.
+
+* Go to Beyond Identity Admin Console Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Beyond Identity Admin Console tile in the My Apps, this will redirect to Beyond Identity Admin Console Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Beyond Identity Admin Console you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
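Review bot: the attribute table in the Configure Azure AD SSO step ("| Name | Namespace | Source Attribute|" / "| | | |" / "| immutableId | externalId | user.immutableId |") has an empty delimiter row, so Markdown will not render it as a table; the second row needs hyphens, e.g. `| --- | --- | --- |`. Two smaller points in the same file: the "Create Beyond Identity Admin Console test user" section says "you create a user called Britta Simon" while every other step refers to **B.Simon**, so the names should be aligned; and the Next steps paragraph carries a mis-encoded apostrophe ("organizationΓÇÖs"), which should be a plain apostrophe before it is merged.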
active-directory Chatwork Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/chatwork-tutorial.md
Previously updated : 07/21/2020 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Chatwork with Azure Active Direc
* Enable your users to be automatically signed-in to Chatwork with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Chatwork supports **SP** initiated SSO
-
-* Once you configure Chatwork you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Chatwork supports **SP** initiated SSO.
+* Chatwork supports [Automated user provisioning](chatwork-provisioning-tutorial.md).
## Adding Chatwork from the gallery To configure the integration of Chatwork into Azure AD, you need to add Chatwork from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Chatwork** in the search box. 1. Select **Chatwork** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Chatwork Configure and test Azure AD SSO with Chatwork using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Chatwork.
-To configure and test Azure AD SSO with Chatwork, complete the following building blocks:
+To configure and test Azure AD SSO with Chatwork, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Chatwork, complete the following buildin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Chatwork** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Chatwork** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://www.chatwork.com/s/<TENANT_NAME>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Chatwork**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
To configure single sign-on on **Chatwork** side, please read the [Chatwork Admi
In this section, you create a user called B.Simon in Chatwork. Access the [Chatwork Admin Guide](https://download.chatwork.com/Chatwork_AdminGuide.pdf) and add the user in the Chatwork platform.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+Chatwork also supports automatic user provisioning, you can find more details [here](./chatwork-provisioning-tutorial.md) on how to configure automatic user provisioning.
-When you click the Chatwork tile in the Access Panel, you should be automatically signed in to the Chatwork for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+## Test SSO
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to Chatwork Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to Chatwork Sign-on URL directly and initiate the login flow from there.
-- [Try Chatwork with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Chatwork tile in the My Apps, this will redirect to Chatwork Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Chatwork with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Chatwork you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
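Review bot: the added line "Chatwork also supports automatic user provisioning, you can find more details [here](./chatwork-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice with "here" as the link text, and it duplicates the new scenario bullet "Chatwork supports [Automated user provisioning](chatwork-provisioning-tutorial.md)."; either drop the sentence or rewrite it as one sentence with descriptive link text (for example "Chatwork also supports automatic user provisioning; see the [Chatwork provisioning tutorial](./chatwork-provisioning-tutorial.md).", adjusting the link text to the target page's title). Also, the Assign step keeps the older wording "If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role..." while the other tutorials in this batch use the **Select a role** dropdown wording, and the new Next steps line has the mis-encoded apostrophe "organizationΓÇÖs".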
active-directory Iauditor Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iauditor-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with iAuditor | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and iAuditor.
++++++++ Last updated : 09/01/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with iAuditor
+
+In this tutorial, you'll learn how to integrate iAuditor with Azure Active Directory (Azure AD). When you integrate iAuditor with Azure AD, you can:
+
+* Control in Azure AD who has access to iAuditor.
+* Enable your users to be automatically signed-in to iAuditor with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* iAuditor single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* iAuditor supports **SP and IDP** initiated SSO.
+
+## Add iAuditor from the gallery
+
+To configure the integration of iAuditor into Azure AD, you need to add iAuditor from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **iAuditor** in the search box.
+1. Select **iAuditor** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for iAuditor
+
+Configure and test Azure AD SSO with iAuditor using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iAuditor.
+
+To configure and test Azure AD SSO with iAuditor, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure iAuditor SSO](#configure-iauditor-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create iAuditor test user](#create-iauditor-test-user)** - to have a counterpart of B.Simon in iAuditor that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **iAuditor** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
+
+ a. In the **Identifier** text box, type a value using the following pattern:
+ `urn:auth0:safetyculture:<CustomerName>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://safetyculture.au.auth0.com/login/callback?connection=<CustomerName>`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using one of the following patterns:
+
+ | **Sign-on URL** |
+ ||
+ | `https://app.safetyculture.io/login.html` |
+ | `https://app.safetyculture.com/login.html` |
+ | `https://app.safetyculture.io/logged_out` |
+ | `https://app.safetyculture.com/logged_out` |
+ | `https://www.safetyculture.com/logged_out` |
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [iAuditor Client support team](mailto:support@safetyculture.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. iAuditor application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, iAuditor application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre-populated but you can review them as per your requirements.
+
+ | Name | Source Attribute |
+ | -| |
+ | firstname | user.givenname |
+ | lastname | user.surname |
+ | email | user.mail |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificate-base64-download.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to iAuditor.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **iAuditor**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure iAuditor SSO
+
+To configure single sign-on on **iAuditor** side, you need to send the **Certificate (PEM)** to [iAuditor support team](mailto:support@safetyculture.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create iAuditor test user
+
+In this section, you create a user called Britta Simon in iAuditor. Work with [iAuditor support team](mailto:support@safetyculture.com) to add the users in the iAuditor platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to iAuditor Sign on URL where you can initiate the login flow.
+
+* Go to iAuditor Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the iAuditor for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the iAuditor tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the iAuditor for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure iAuditor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
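Review bot: both Markdown tables in the Configure Azure AD SSO step have malformed delimiter rows and will not render as tables: the Sign-on URL table uses "||" under "| **Sign-on URL** |", and the attribute table uses "| -| |" under "| Name | Source Attribute |"; a delimiter row needs at least one hyphen per column (`|---|` and `| --- | --- |`). It is also worth confirming with the partner that the `.../logged_out` entries in the Sign-on URL table are really intended as SP-initiated sign-on entry points rather than post-logout pages, since the step asks the admin to use them as the **Sign-on URL**. Smaller points: the Create iAuditor test user section says "Britta Simon" while the rest of the tutorial uses B.Simon, the "#### SP initiated:" and "#### IDP initiated:" headings skip a level directly under the H2 "Test SSO", and the Next steps paragraph has the mis-encoded apostrophe "organizationΓÇÖs".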
active-directory Keeperpasswordmanager Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/keeperpasswordmanager-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Keeper Password Manager & Digital Vault | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Keeper Password Manager & Digital Vault.
+ Title: 'Tutorial: Azure Active Directory integration with Keeper Password Manager | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Keeper Password Manager.
Previously updated : 11/13/2020 Last updated : 09/03/2021
-# Tutorial: Azure Active Directory integration with Keeper Password Manager & Digital Vault
+# Tutorial: Azure Active Directory integration with Keeper Password Manager
-In this tutorial, you learn how to integrate Keeper Password Manager & Digital Vault with Azure Active Directory (Azure AD).
-This integration provides you with the following benefits:
-
-* You can control in Azure AD who has access to Keeper Password Manager & Digital Vault.
-* You can enable your users to be automatically signed in to Keeper Password Manager & Digital Vault (single sign-on) with their Azure AD accounts.
-* You can manage your accounts in one central location: the Azure portal.
+In this tutorial, you'll learn how to integrate Keeper Password Manager with Azure Active Directory (Azure AD). When you integrate Keeper Password Manager with Azure AD, you can:
+* Control in Azure AD who has access to Keeper Password Manager.
+* Enable your users to be automatically signed-in to Keeper Password Manager with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Keeper Password Manager & Digital Vault, you need:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/).
-* Keeper Password Manager & Digital Vault subscription, enabled for single sign-on (SSO).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Keeper Password Manager single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Keeper Password Manager & Digital Vault supports SP-initiated SSO.
+* Keeper Password Manager supports SP-initiated SSO.
* Keeper Password Manager supports [**Automated** user provisioning and deprovisioning](keeper-password-manager-digitalvault-provisioning-tutorial.md) (recommended).
-* Keeper Password Manager & Digital Vault supports just-in-time user provisioning.
+* Keeper Password Manager supports just-in-time user provisioning.
-## Add Keeper Password Manager & Digital Vault from the gallery
+## Add Keeper Password Manager from the gallery
-To configure the integration of Keeper Password Manager & Digital Vault into Azure AD, add the application from the gallery to your list of managed software as a service (SaaS) apps.
+To configure the integration of Keeper Password Manager into Azure AD, add the application from the gallery to your list of managed software as a service (SaaS) apps.
1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account. 1. On the left pane, select the **Azure Active Directory** service. 1. Go to **Enterprise Applications**, and then select **All Applications**. 1. To add a new application, select **New application**.
-1. In **Add from the gallery**, type **Keeper Password Manager & Digital Vault** in the search box.
-1. Select **Keeper Password Manager & Digital Vault** from results panel, and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In **Add from the gallery**, type **Keeper Password Manager** in the search box.
+1. Select **Keeper Password Manager** from results panel, and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Keeper Password Manager & Digital Vault
+## Configure and test Azure AD SSO for Keeper Password Manager
-Configure and test Azure AD SSO with Keeper Password Manager & Digital Vault by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in Keeper Password Manager & Digital Vault.
+Configure and test Azure AD SSO with Keeper Password Manager by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in Keeper Password Manager.
-To configure and test Azure AD SSO with Keeper Password Manager & Digital Vault:
+To configure and test Azure AD SSO with Keeper Password
1. [Configure Azure AD SSO](#configure-azure-ad-sso) to enable your users to use this feature.
- * [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon.
- * [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on.
+ 1. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon.
+ 1. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on.
-1. [Configure Keeper Password Manager & Digital Vault SSO](#configure-keeper-password-manager--digital-vault-sso) to configure the SSO settings on the application side.
- * [Create a Keeper Password Manager & Digital Vault test user](#create-a-keeper-password-manager--digital-vault-test-user) to have a counterpart of Britta Simon in Keeper Password Manager & Digital Vault linked to the Azure AD representation of the user.
+1. [Configure Keeper Password Manager SSO](#configure-keeper-password-manager-sso) to configure the SSO settings on the application side.
+ 1. [Create a Keeper Password Manager test user](#create-a-keeper-password-manager-test-user) to have a counterpart of Britta Simon in Keeper Password Manager linked to the Azure AD representation of the user.
1. [Test SSO](#test-sso) to verify whether the configuration works. ### Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Keeper Password Manager & Digital Vault** application integration page, find the **Manage** section. Select **single sign-on**.
+1. In the Azure portal, on the **Keeper Password Manager** application integration page, find the **Manage** section. Select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
4. In the **Basic SAML Configuration** section, perform the following steps:
- a. For **Sign on URL**, type a URL that uses the following pattern:
- * For cloud SSO: `https://keepersecurity.com/api/rest/sso/saml/sso/<CLOUD_INSTANCE_ID>`
- * For on-premises SSO: `https://<KEEPER_FQDN>/sso-connect/saml/login`
-
- b. For **Identifier (Entity ID)**, type a URL that uses the following pattern:
+ a. For **Identifier (Entity ID)**, type a URL using one of the following patterns:
* For cloud SSO: `https://keepersecurity.com/api/rest/sso/saml/<CLOUD_INSTANCE_ID>` * For on-premises SSO: `https://<KEEPER_FQDN>/sso-connect`
- c. For **Reply URL**, type a URL that uses the following pattern:
+ b. For **Reply URL**, type a URL using one of the following patterns:
* For cloud SSO: `https://keepersecurity.com/api/rest/sso/saml/sso/<CLOUD_INSTANCE_ID>` * For on-premises SSO: `https://<KEEPER_FQDN>/sso-connect/saml/sso`
+ c. For **Sign on URL**, type a URL using one of the following patterns:
+ * For cloud SSO: `https://keepersecurity.com/api/rest/sso/saml/sso/<CLOUD_INSTANCE_ID>`
+ * For on-premises SSO: `https://<KEEPER_FQDN>/sso-connect/saml/login`
+ > [!NOTE]
- > These values aren't real. Update these values with the actual sign-on URL, identifier, and reply URL. To get these values, contact the [Keeper Password Manager & Digital Vault Client support team](https://keepersecurity.com/contact.html). You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values aren't real. Update these values with the actual Identifier,Reply URL and Sign on URL. To get these values, contact the [Keeper Password Manager Client support team](https://keepersecurity.com/contact.html). You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. The Keeper Password Manager & Digital Vault application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+1. The Keeper Password Manager application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
![Screenshot of User Attributes & Claims.](common/default-attributes.png)
-1. In addition, the Keeper Password Manager & Digital Vault application expects a few more attributes to be passed back in SAML response. These are shown in the following table. These attributes are also pre-populated, but you can review them per your requirements.
+1. In addition, the Keeper Password Manager application expects a few more attributes to be passed back in SAML response. These are shown in the following table. These attributes are also pre-populated, but you can review them per your requirements.
| Name | Source attribute| | | |
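Review bot: the rewritten callout line `+ > These values aren't real. Update these values with the actual Identifier,Reply URL and Sign on URL.` is missing a space after the comma; suggest "Identifier, Reply URL, and Sign on URL" so the list also matches the new a/b/c order of the steps above it. Second point in the same hunk: the cloud Sign on URL added under step c and the cloud Reply URL under step b are the same string (`https://keepersecurity.com/api/rest/sso/saml/sso/<CLOUD_INSTANCE_ID>`), while the on-premises pair differs (`/sso-connect/saml/login` vs `/sso-connect/saml/sso`). If the cloud values are intentionally identical, a short remark would stop readers from treating it as a copy-paste error, since Azure AD only posts the SAML response to a Reply URL that exactly matches the registered one.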
Follow these steps to enable Azure AD SSO in the Azure portal.
5. On **Set up Single Sign-On with SAML**, in the **SAML Signing Certificate** section, select **Download**. This downloads **Federation Metadata XML** from the options per your requirement, and saves it on your computer.
- ![Screenshot of SAML Signing Certificate, with Download highlighted.](common/metadataxml.png)
+ ![Screenshot of SAML Signing Certificate with Download highlighted.](common/metadataxml.png)
-6. On **Set up Keeper Password Manager & Digital Vault**, copy the appropriate URLs, per your requirement.
+6. On **Set up Keeper Password Manager**, copy the appropriate URLs, per your requirement.
- ![Screenshot of Set up Keeper Password Manager & Digital Vault, with URLs highlighted.](common/copy-configuration-urls.png)
+ ![Screenshot of Set up Keeper Password Manager with URLs highlighted.](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you create a test user in the Azure portal called `B.Simon`.
### Assign the Azure AD test user
-In this section, you enable B.Simon to use Azure single sign-on by granting access to Keeper Password Manager & Digital Vault.
+In this section, you enable B.Simon to use Azure single sign-on by granting access to Keeper Password Manager.
1. In the Azure portal, select **Enterprise Applications** > **All applications**.
-1. In the applications list, select **Keeper Password Manager & Digital Vault**.
+1. In the applications list, select **Keeper Password Manager**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**. In **Add Assignment**, select **Users and groups**. 1. In **Users and groups**, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen. 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** list. If no role has been set up for this app, the **Default Access** role is selected. 1. In **Add Assignment**, select **Assign**. -
-## Configure Keeper Password Manager & Digital Vault SSO
+## Configure Keeper Password Manager SSO
To configure SSO for the app, see the guidelines in the [Keeper support guide](https://docs.keeper.io/sso-connect-guide/).
-### Create a Keeper Password Manager & Digital Vault test user
+### Create a Keeper Password Manager test user
-To enable Azure AD users to sign in to Keeper Password Manager & Digital Vault, you must provision them. The application supports just-in-time user provisioning, and after authentication users are created in the application automatically. If you want to set up users manually, contact [Keeper support](https://keepersecurity.com/contact.html).
+To enable Azure AD users to sign in to Keeper Password Manager, you must provision them. The application supports just-in-time user provisioning, and after authentication users are created in the application automatically. If you want to set up users manually, contact [Keeper support](https://keepersecurity.com/contact.html).
## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-* In the Azure portal, select **Test this application**. This redirects to the sign-on URL for Keeper Password Manager & Digital Vault, where you can initiate the sign-on.
-
-* You can go directly to the sign-on URL for the application, and initiate the sign-in from there.
+* Click on **Test this application** in Azure portal. This will redirect to Keeper Password Manager Sign-on URL where you can initiate the login flow.
-* You can use Microsoft Access Panel. When you select the **Keeper Password Manager & Digital Vault** tile in Access Panel, this redirects you to the sign-on URL for the application. For more information about Access Panel, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
+* Go to Keeper Password Manager Sign-on URL directly and initiate the login flow from there.
+* You can use Microsoft My Apps. When you click the Keeper Password Manager tile in the My Apps, this will redirect to Keeper Password Manager Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-After you configure Keeper Password Manager & Digital Vault, you can enforce session control. This protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+After you configure Keeper Password Manager, you can enforce session control. This protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
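Review bot: the Next steps line `+After you configure Keeper Password Manager, you can enforce session control. This protects exfiltration and infiltration of your organizationΓÇÖs sensitive data...` carries the mojibake "organizationΓÇÖs" (a mis-decoded curly apostrophe) over from the removed line; since the line is being rewritten anyway, replace it with a plain "organization's". In the Test SSO bullets above, the new wording drops articles and capitalizes UI text inconsistently ("Click on **Test this application** in Azure portal", "Keeper Password Manager Sign-on URL", "Introduction to the My Apps"); suggest "in the Azure portal", "the Keeper Password Manager sign-on URL" and "Introduction to My Apps". The removed bullet's phrasing "This redirects to the sign-on URL ... where you can initiate the sign-on" read more cleanly than "This will redirect to ... where you can initiate the login flow" and could be kept.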
active-directory Mypolicies Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mypolicies-tutorial.md
Previously updated : 03/01/2019 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with myPolicies
-In this tutorial, you learn how to integrate myPolicies with Azure Active Directory (Azure AD).
-Integrating myPolicies with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate myPolicies with Azure Active Directory (Azure AD). When you integrate myPolicies with Azure AD, you can:
-* You can control in Azure AD who has access to myPolicies.
-* You can enable your users to be automatically signed-in to myPolicies (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to myPolicies.
+* Enable your users to be automatically signed-in to myPolicies with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with myPolicies, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* myPolicies single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* myPolicies single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* myPolicies supports **IDP** initiated SSO
-
-## Adding myPolicies from the gallery
-
-To configure the integration of myPolicies into Azure AD, you need to add myPolicies from the gallery to your list of managed SaaS apps.
-
-**To add myPolicies from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* myPolicies supports **IDP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+* myPolicies supports [Automated user provisioning](mypolicies-provisioning-tutorial.md).
-4. In the search box, type **myPolicies**, select **myPolicies** from result panel then click **Add** button to add the application.
+## Add myPolicies from the gallery
- ![myPolicies in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with myPolicies based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in myPolicies needs to be established.
-
-To configure and test Azure AD single sign-on with myPolicies, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure myPolicies Single Sign-On](#configure-mypolicies-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create myPolicies test user](#create-mypolicies-test-user)** - to have a counterpart of Britta Simon in myPolicies that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of myPolicies into Azure AD, you need to add myPolicies from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **myPolicies** in the search box.
+1. Select **myPolicies** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for myPolicies
-To configure Azure AD single sign-on with myPolicies, perform the following steps:
+Configure and test Azure AD SSO with myPolicies using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in myPolicies.
-1. In the [Azure portal](https://portal.azure.com/), on the **myPolicies** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with myPolicies, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure myPolicies SSO](#configure-mypolicies-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create myPolicies test user](#create-mypolicies-test-user)** - to have a counterpart of B.Simon in myPolicies that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **myPolicies** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![myPolicies Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<tenantname>.mypolicies.com/`
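Review bot: the removed line `- a. In the **Identifier** text box, type a URL using the following pattern: https://<tenantname>.mypolicies.com/` has no replacement anywhere in this hunk, and the unchanged step `4. On the **Set up Single Sign-On with SAML** page, perform the following steps:` now introduces no sub-steps while still carrying the old numeral "4." next to the rewritten "1." list markers above it. For an IDP-initiated app the Identifier (Entity ID) is the value Azure AD uses to pick the right SAML configuration, so confirm the pattern is re-added in the following hunk, and renumber step 4 to match the new list. Minor: `+ ![Edit Basic SAML Configuration](common/edit-urls.png)` differs from the removed line only in indentation; that is fine as long as it still renders inside the list item.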
To configure Azure AD single sign-on with myPolicies, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure myPolicies Single Sign-On
-
-To configure single sign-on on **myPolicies** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [myPolicies support team](mailto:support@mypolicies.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to myPolicies.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to myPolicies.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **myPolicies**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **myPolicies**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure myPolicies SSO
-2. In the applications list, select **myPolicies**.
-
- ![The myPolicies link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **myPolicies** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [myPolicies support team](mailto:support@mypolicies.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create myPolicies test user In this section, you create a user called Britta Simon in myPolicies. Work with [myPolicies support team](mailto:support@mypolicies.com) to add the users in the myPolicies platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+myPolicies also supports automatic user provisioning, you can find more details [here](./mypolicies-provisioning-tutorial.md) on how to configure automatic user provisioning.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the myPolicies tile in the Access Panel, you should be automatically signed in to the myPolicies for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the myPolicies for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the myPolicies tile in the My Apps, you should be automatically signed in to the myPolicies for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure myPolicies you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
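Review bot: the rename from Britta Simon to B.Simon is incomplete: the unchanged line "### Create myPolicies test user In this section, you create a user called Britta Simon in myPolicies." still uses the old name, so the user created in Azure AD (`B.Simon`) and the one requested from myPolicies support no longer match; update it to B.Simon so the two halves of the SSO link relationship agree. Three smaller points in the same hunk: "myPolicies also supports automatic user provisioning, you can find more details [here](./mypolicies-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice that repeats the phrase and uses a bare "here" link (suggest "myPolicies also supports automatic user provisioning; see the [myPolicies provisioning tutorial](./mypolicies-provisioning-tutorial.md)."); the Test SSO bullet "Click on Test this application in Azure portal" lacks the **bold** used for UI elements in the rest of the page; and the Next steps line keeps the mojibake "organizationΓÇÖs", which should become "organization's" now that the line is rewritten.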
active-directory Netsuite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netsuite-tutorial.md
Previously updated : 01/20/2021 Last updated : 08/27/2021
NetSuite supports:
* IDP-initiated SSO. * JIT (just-in-time) user provisioning.
+* NetSuite supports [Automated user provisioning](netsuite-provisioning-tutorial.md).
> [!NOTE] > Because the identifier of this application is a fixed string value, only one instance can be configured in one tenant.
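Review bot: the new bullet `+* NetSuite supports [Automated user provisioning](netsuite-provisioning-tutorial.md).` sits in a list already introduced by "NetSuite supports:", so it reads "NetSuite supports: NetSuite supports Automated user provisioning"; suggest "* Automated user provisioning (see the [NetSuite provisioning tutorial](netsuite-provisioning-tutorial.md))." to match the two existing items. Since "JIT (just-in-time) user provisioning" is listed immediately above, a short clause on how the two relate (JIT creates the account at first sign-in, automated provisioning pushes and deprovisions accounts ahead of it) would help readers choose.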
To configure the integration of NetSuite into Azure AD, add NetSuite from the ga
1. In the **Add from the gallery** section, type **NetSuite** in the search box. 1. In the results pane, select **NetSuite**, and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for NetSuite
+## Configure and test Azure AD SSO for NetSuite
Configure and test Azure AD SSO with NetSuite by using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NetSuite.
-To configure and test Azure AD SSO with NetSuite, complete the following building blocks:
+To configure and test Azure AD SSO with NetSuite, perform the following steps:
1. [Configure Azure AD SSO](#configure-azure-ad-sso) to enable your users to use this feature. * [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with user B.Simon.
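Review bot: renaming the heading to `## Configure and test Azure AD SSO for NetSuite` changes its anchor from `#configure-and-test-azure-ad-single-sign-on-for-netsuite` to `#configure-and-test-azure-ad-sso-for-netsuite`; check the page's own table of contents and any cross-links for the old anchor before merging. The numbered step list directly below already uses the `#configure-azure-ad-sso` form, so it is unaffected.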
To enable Azure AD SSO in the Azure portal, do the following:
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. In the **Basic SAML Configuration** section, in the **Reply URL** text box, type a URL in one of the following formats:
-
- ```https
- https://<Instance ID>.NetSuite.com/saml2/acs
- https://<Instance ID>.na1.NetSuite.com/saml2/acs
- https://<Instance ID>.na2.NetSuite.com/saml2/acs
- https://<Instance ID>.sandbox.NetSuite.com/saml2/acs
- https://<Instance ID>.na1.sandbox.NetSuite.com/saml2/acs
- https://<Instance ID>.na2.sandbox.NetSuite.com/saml2/acs
- ```
-
- * You will get the **<`Instance ID`>** value in the Netsuite configuration section which is explained later in the tutorial at step 8 under Netsuite Configuration. You will find the exact domain (such as system.na0.netsuite.com in this case).
-
- ![Screenshot shows SAML Setup page where you can get the domain.](./media/NetSuite-tutorial/domain-value.png)
-
- > [!NOTE]
- > The values in the preceding URLs are not real. Update them with the actual Reply URL. To get the value, contact the [NetSuite Client support team](http://www.netsuite.com/portal/services/support-services/suitesupport.shtml). You can also refer to the formats shown in the **Basic SAML Configuration** section in the Azure portal.
+1. In the **Basic SAML Configuration** section, in the **Reply URL** text box, type the URL:
+`https://system.netsuite.com/saml2/acs`
1. NetSuite application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
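Review bot: collapsing the six Reply URL patterns into the single fixed value `https://system.netsuite.com/saml2/acs` is a functional change that needs a source. The removed text told readers to take the exact domain (including the na1/na2 and sandbox variants) from NetSuite's SAML Setup page and warned that the listed values were placeholders; the new line states one URL with no caveat. If sandbox or regional accounts do not accept the `system.netsuite.com` ACS endpoint, Azure AD will post the SAML response to a URL the account does not serve and sign-in fails with no useful error on the Azure side. Either confirm this against NetSuite's documentation and say so, or keep one sentence telling readers to verify the ACS URL on the SAML Setup page. Formatting: the added URL line is not indented under the numbered item, so it will render as a separate paragraph rather than as part of step 1.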
In this section, you enable user B.Simon to use Azure single sign-on by granting
In this section, a user called B.Simon is created in NetSuite. NetSuite supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in NetSuite, a new one is created after authentication.
+NetSuite also supports automatic user provisioning, you can find more details [here](./netsuite-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
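Review bot: "NetSuite also supports automatic user provisioning, you can find more details [here](./netsuite-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice that says "automatic user provisioning" twice and uses a bare "here" link; suggest "NetSuite also supports automatic user provisioning; see the [NetSuite provisioning tutorial](./netsuite-provisioning-tutorial.md)." It also duplicates the bullet added in the Scenario description hunk above, so one of the two could go, and the two hunks write the link target differently (`netsuite-provisioning-tutorial.md` vs `./netsuite-provisioning-tutorial.md`); both resolve, but pick one form.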
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure the NetSuite you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure the NetSuite you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
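Review bot: the `-`/`+` pair under Next steps is identical apart from trailing whitespace, so this hunk changes nothing visible yet leaves the mojibake "organizationΓÇÖs" in place; if the line is being touched, fix it to "organization's", change "Once you configure the NetSuite" to "Once you configure NetSuite", and make "Session controls extends" agree in number ("Session control extends").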
active-directory New Relic Limited Release Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/new-relic-limited-release-tutorial.md
Previously updated : 04/13/2021 Last updated : 08/31/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* New Relic supports SSO that's initiated by either the service provider or the identity provider.
+* New Relic supports [Automated user provisioning](new-relic-by-organization-provisioning-tutorial.md).
+ ## Add New Relic from the gallery To configure the integration of New Relic into Azure AD, you need to add **New Relic (By Organization)** from the gallery to your list of managed SaaS apps.
In this section, you create a user called B.Simon in New Relic.
1. To save the user, select **Add User**.
+> [!NOTE]
+> New Relic also supports automatic user provisioning, you can find more details [here](./new-relic-by-organization-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
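Review bot: the added `> [!NOTE]` repeats the Scenario description bullet from the earlier hunk ("New Relic supports [Automated user provisioning](new-relic-by-organization-provisioning-tutorial.md)") and, like the other tutorials in this batch, is a comma splice with a bare "here" link; suggest "New Relic also supports automatic user provisioning; see the [New Relic provisioning tutorial](./new-relic-by-organization-provisioning-tutorial.md)." or drop the note and rely on the bullet. Placing the note right after "1. To save the user, select **Add User**." is the right spot if it is kept, since that is where a reader who has just created a user by hand learns there is an automated alternative.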
active-directory Olfeo Saas Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/olfeo-saas-tutorial.md
Previously updated : 01/27/2021 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Olfeo SAAS supports **SP** initiated SSO
+* Olfeo SAAS supports **SP** initiated SSO.
+
+* Olfeo SAAS supports [Automated user provisioning](olfeo-saas-provisioning-tutorial.md).
## Adding Olfeo SAAS from the gallery
To configure the integration of Olfeo SAAS into Azure AD, you need to add Olfeo
1. In the **Add from the gallery** section, type **Olfeo SAAS** in the search box. 1. Select **Olfeo SAAS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Olfeo SAAS Configure and test Azure AD SSO with Olfeo SAAS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Olfeo SAAS.
To configure single sign-on on **Olfeo SAAS** side, you need to send the **App F
In this section, you create a user called Britta Simon in Olfeo SAAS. Work with [Olfeo SAAS support team](mailto:equipe-rd@olfeo.com) to add the users in the Olfeo SAAS platform. Users must be created and activated before you use single sign-on.
+Olfeo SAAS also supports automatic user provisioning, you can find more details [here](./olfeo-saas-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
* You can use Microsoft My Apps. When you click the Olfeo SAAS tile in the My Apps, this will redirect to Olfeo SAAS Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure Olfeo SAAS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
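Review bot: the added sentence "Olfeo SAAS also supports automatic user provisioning, you can find more details [here](./olfeo-saas-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice with a bare "here" link; suggest "Olfeo SAAS also supports automatic user provisioning; see the [Olfeo SAAS provisioning tutorial](./olfeo-saas-provisioning-tutorial.md)." In the Scenario description hunk above, the `+` blank line inserted between the two bullets turns a tight list into a loose one, which renders with extra spacing that the other tutorials in this batch do not have; drop the blank line. The unchanged Next steps line nearby still carries the "organizationΓÇÖs" mojibake, which is worth fixing while the file is open.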
active-directory Opentext Directory Services Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/opentext-directory-services-tutorial.md
Previously updated : 06/22/2021 Last updated : 08/31/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* OpenText Directory Services supports **SP and IDP** initiated SSO. * OpenText Directory Services supports **Just In Time** user provisioning.
+* OpenText Directory Services supports [Automated user provisioning](open-text-directory-services-provisioning-tutorial.md).
## Add OpenText Directory Services from the gallery
To configure single sign-on on **OpenText Directory Services** side, you need to
In this section, a user called B.Simon is created in OpenText Directory Services. OpenText Directory Services supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in OpenText Directory Services, a new one is created after authentication.
+> [!NOTE]
+> OpenText Directory Services also supports automatic user provisioning, you can find more details [here](./open-text-directory-services-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
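Review bot: the new `> [!NOTE]` duplicates the bullet added two hunks earlier ("OpenText Directory Services supports [Automated user provisioning](...)") and repeats the comma-splice pattern "..., you can find more details [here](...) on how to configure automatic user provisioning."; suggest "OpenText Directory Services also supports automatic user provisioning; see the [OpenText Directory Services provisioning tutorial](./open-text-directory-services-provisioning-tutorial.md)." Since the preceding paragraph states that just-in-time provisioning is enabled by default, one clause saying that automated provisioning is the option to choose when accounts must exist (or be removed) before a user signs in would make the note earn its place.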
active-directory Printerlogic Saas Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/printerlogic-saas-tutorial.md
Previously updated : 03/18/2021 Last updated : 08/31/2021
In this tutorial, you'll learn how to integrate PrinterLogic with Azure Active Directory (Azure AD). When you integrate PrinterLogic with Azure AD, you can: -- Control in Azure AD who has access to PrinterLogic.-- Enable your users to be automatically signed-in to PrinterLogic with their Azure AD accounts.-- Manage your accounts in one central location - the Azure portal.
+* Control in Azure AD who has access to PrinterLogic.
+* Enable your users to be automatically signed-in to PrinterLogic with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items: -- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).-- PrinterLogic single sign-on (SSO) enabled subscription.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* PrinterLogic single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment. -- PrinterLogic supports **SP and IDP** initiated SSO.-- PrinterLogic supports **Just In Time** user provisioning.
+* PrinterLogic supports **SP and IDP** initiated SSO.
+* PrinterLogic supports **Just In Time** user provisioning.
+
+* PrinterLogic supports [Automated user provisioning](printer-logic-saas-provisioning-tutorial.md).
## Add PrinterLogic from the gallery
To configure single sign-on on **PrinterLogic** side, you need to send the downl
In this section, a user called Britta Simon is created in PrinterLogic. PrinterLogic supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in PrinterLogic, a new one is created after authentication.
+PrinterLogic also supports automatic user provisioning, you can find more details [here](./printer-logic-saas-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options. #### SP initiated: -- Click on **Test this application** in Azure portal. This will redirect to PrinterLogic Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to PrinterLogic Sign on URL where you can initiate the login flow.
-- Go to PrinterLogic Sign-on URL directly and initiate the login flow from there.
+* Go to PrinterLogic Sign-on URL directly and initiate the login flow from there.
#### IDP initiated: -- Click on **Test this application** in Azure portal and you should be automatically signed in to the PrinterLogic for which you set up the SSO.
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the PrinterLogic for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the PrinterLogic tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PrinterLogic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can also use Microsoft My Apps to test the application in any mode. When you click the PrinterLogic tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PrinterLogic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
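Review bot: the added sentence "PrinterLogic also supports automatic user provisioning, you can find more details [here](...)" is a comma splice with non-descriptive link text; split it and name the target, for example "PrinterLogic also supports automatic user provisioning. For details, see [Configure PrinterLogic for automatic user provisioning](./printer-logic-saas-provisioning-tutorial.md)." The same sentence is copied verbatim into every other tutorial in this digest (Promapp, Proware, Proxyclick, Genesys, Reward Gateway, RFPIO, RingCentral, Robin, Rollbar, SolarWinds, SAP Cloud Platform Identity Authentication, SAP Analytics Cloud), so the fix applies to each. Separately, this hunk turns the "You can also use Microsoft My Apps" paragraph into a bullet under "IDP initiated", which makes it read as an IDP-only option even though the text says "in any mode"; the Proware hunk keeps it as a standalone paragraph, and that should be the convention here too.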
## Next steps
-Once you configure PrinterLogic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure PrinterLogic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
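Review bot: the removed and added "Next steps" lines are textually identical in the rendered digest, so this is a whitespace-only or encoding-only change; both lines show the curly apostrophe in "organization's" as mojibake (ΓÇÖ), which points at a byte-level difference rather than a wording change. Confirm the committed file is UTF-8 and that the change is intentional, since an unintended re-encoding would show up as a spurious diff on every future edit. The same identical -/+ pair appears in the Robin, Rollbar and SolarWinds "Next steps" hunks below.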
active-directory Promapp Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/promapp-tutorial.md
Previously updated : 06/10/2021 Last updated : 08/31/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Nintex Promapp supports **SP and IDP** initiated SSO. * Nintex Promapp supports **Just In Time** user provisioning.
+* Nintex Promapp supports [Automated user provisioning](promapp-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Follow these steps to enable Azure AD SSO in the Azure portal.
In the **Sign on URL** box, type a URL using the following pattern: `https://<DOMAIN_NAME>.promapp.com/TENANTNAME/saml/authenticate` > [!NOTE]
- > These values are placeholders. You need to use the actual identifier, reply URL, and sign-on URL. Contact the [Nintex Promapp support team](https://www.promapp.com/about-us/contact-us/) to get the values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.
+ > These values are placeholders. You need to use the actual Identifier,Reply URL and Sign on URL. Contact the [Nintex Promapp support team](https://www.promapp.com/about-us/contact-us/) to get the values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.
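Review bot: the rewritten note drops the space after the comma in "Identifier,Reply URL" and loses the serial comma that the removed line had, which is a regression in a sentence that was already correct; use "the actual Identifier, Reply URL, and Sign on URL". Capitalizing the field names to match the portal labels is fine, but keep the list punctuation.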
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called B.Simon is created in Nintex Promapp. Nintex Promapp supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Nintex Promapp, a new one is created after authentication.
+Nintex Promapp also supports automatic user provisioning, you can find more details [here](./promapp-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Proware Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/proware-tutorial.md
Previously updated : 12/16/2020 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Proware supports **SP and IDP** initiated SSO
+* Proware supports **SP and IDP** initiated SSO.
+
+* Proware supports [Automated user provisioning](proware-provisioning-tutorial.md).
## Adding Proware from the gallery
To configure the integration of Proware into Azure AD, you need to add Proware f
1. In the **Add from the gallery** section, type **Proware** in the search box. 1. Select **Proware** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Proware Configure and test Azure AD SSO with Proware using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Proware.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Proware** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Proware** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
To configure single sign-on on **Proware** side, you need to send the downloaded
In this section, you create a user called Britta Simon in Proware. Work with [Proware support team](mailto:helpdesk@metaware.nl) to add the users in the Proware platform. Users must be created and activated before you use single sign-on.
+Proware also supports automatic user provisioning, you can find more details [here](./proware-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Proware for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Proware for which you set up the SSO.
You can also use Microsoft My Apps to test the application in any mode. When you click the Proware tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Proware for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
active-directory Proxyclick Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/proxyclick-tutorial.md
Previously updated : 07/27/2021 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with Proxyclick
In this tutorial, you'll configure and test Azure AD single sign-on in a test en
* Proxyclick supports SP-initiated and IdP-initiated SSO.
+* Proxyclick supports [Automated user provisioning](proxyclick-provisioning-tutorial.md).
+ ## Add Proxyclick from the gallery To configure the integration of Proxyclick into Azure AD, you need to add Proxyclick from the gallery to your list of managed SaaS apps.
To create a user account, take these steps:
1. Select **Add User**.
+> [!NOTE]
+> Proxyclick also supports automatic user provisioning, you can find more details [here](./proxyclick-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Purecloud By Genesys Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md
Previously updated : 05/26/2021 Last updated : 08/31/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Genesys Cloud for Azure supports **SP and IDP**ΓÇôinitiated SSO.
+* Genesys Cloud for Azure supports **SP and IDP** initiated SSO.
+
+* Genesys Cloud for Azure supports [Automated user provisioning](purecloud-by-genesys-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To enable Azure AD users to sign in to Genesys Cloud for Azure, they must be pro
c. Select **Create**.
+> [!NOTE]
+> Genesys Cloud for Azure also supports automatic user provisioning, you can find more details [here](./purecloud-by-genesys-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Reward Gateway Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/reward-gateway-tutorial.md
Previously updated : 05/18/2021 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with Reward Gateway
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Reward Gateway supports **IDP** initiated SSO.
+* Reward Gateway supports [Automated user provisioning](reward-gateway-provisioning-tutorial.md).
+ ## Add Reward Gateway from the gallery To configure the integration of Reward Gateway into Azure AD, you need to add Reward Gateway from the gallery to your list of managed SaaS apps.
To configure single sign-on on **Reward Gateway** side, start setting up an Inte
In this section, you create a user called Britta Simon in Reward Gateway. Work with [Reward Gateway support team](mailto:clientsupport@rewardgateway.com) to add the users in the Reward Gateway platform. Users must be created and activated before you use single sign-on.
+Reward Gateway also supports automatic user provisioning, you can find more details [here](./reward-gateway-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Rfpio Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rfpio-tutorial.md
Previously updated : 07/27/2021 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with RFPIO
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* RFPIO supports **SP and IDP** initiated SSO.
+* RFPIO supports [Automated user provisioning](rfpio-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
> [!NOTE] > The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active.
+> [!NOTE]
+> RFPIO also supports automatic user provisioning, you can find more details [here](./rfpio-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Ringcentral Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ringcentral-tutorial.md
Previously updated : 02/09/2021 Last updated : 08/31/2021 # Tutorial: Integrate RingCentral with Azure Active Directory
In this tutorial, you configure and test Azure AD SSO in a test environment.
* RingCentral supports **IDP** initiated SSO.
+* RingCentral supports [Automated user provisioning](ringcentral-provisioning-tutorial.md).
+ ## Add RingCentral from the gallery To configure the integration of RingCentral into Azure AD, you need to add RingCentral from the gallery to your list of managed SaaS apps.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, you create a user called Britta Simon in RingCentral. Work with [RingCentral Client support team](https://success.ringcentral.com/RCContactSupp) to add the users in the RingCentral platform. Users must be created and activated before you use single sign-on.
+RingCentral also supports automatic user provisioning, you can find more details [here](./ringcentral-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Robin Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/robin-tutorial.md
Previously updated : 06/08/2021 Last updated : 08/31/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Robin supports **SP and IDP** initiated SSO. * Robin supports **Just In Time** user provisioning.
+* Robin supports [Automated user provisioning](robin-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Robin** side, you need to send the downloaded *
In this section, a user called Britta Simon is created in Robin. Robin supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Robin, a new one is created after authentication.
+Robin also supports automatic user provisioning, you can find more details [here](./robin-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Robin you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Robin you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Rollbar Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rollbar-tutorial.md
Previously updated : 05/28/2021 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with Rollbar
To configure Azure AD integration with Rollbar, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment. * Rollbar supports **SP and IDP** initiated SSO.
+* Rollbar supports [Automated user provisioning](rollbar-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
> [!NOTE] > In order to complete the following step, you must first add yourself as a user to the Rollbar app in Azure.
- >
-
+
a. If you want to require all users to authenticate via Azure, then click **log in via your identity provider** to re-authenticate via Azure. b. Once you're returned to the screen, select the **Require login via SAML Identity Provider** checkbox.
To enable Azure AD users to sign in to Rollbar, they must be provisioned into Ro
1. User receives an invitation and after accepting it they are created in the system.
+> [!NOTE]
+> Rollbar also supports automatic user provisioning, you can find more details [here](./rollbar-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Rollbar you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Rollbar you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Samanage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samanage-tutorial.md
Previously updated : 06/09/2021 Last updated : 08/31/2021 # Tutorial: Azure Active Directory integration with SolarWinds Service Desk (previously Samanage)
To get started, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment. * SolarWinds supports **SP** initiated SSO.
+* SolarWinds supports [Automated user provisioning](samanage-provisioning-tutorial.md).
## Add SolarWinds from the gallery
In the case of SolarWinds, provisioning is a manual task.
>[!NOTE] >The Azure Active Directory account holder will receive an email and follow a link to confirm their account before it becomes active. You can use any other SolarWinds user account creation tools or APIs provided by SolarWinds to provision Azure Active Directory user accounts.
+> [!NOTE]
+> SolarWinds also supports automatic user provisioning, you can find more details [here](./samanage-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure SolarWinds you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure SolarWinds you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Sap Hana Cloud Platform Identity Authentication Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md
Previously updated : 01/18/2021 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SAP Cloud Platform Identity Authentication supports **SP** and **IDP** initiated SSO
+* SAP Cloud Platform Identity Authentication supports **SP** and **IDP** initiated SSO.
+* SAP Cloud Platform Identity Authentication supports [Automated user provisioning](sap-cloud-platform-identity-authentication-provisioning-tutorial.md).
Before you dive into the technical details, it's vital to understand the concepts you're going to look at. The SAP Cloud Platform Identity Authentication and Active Directory Federation Services enable you to implement SSO across applications or services that are protected by Azure AD (as an IdP) with SAP applications and services that are protected by SAP Cloud Platform Identity Authentication.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **SAP Cloud Platform Identity Authentication** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, if you wish to configure in **IDP**-initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`<IAS-tenant-id>.accounts.ondemand.com` b. In the **Reply URL** text box, type a URL using the following pattern: `https://<IAS-tenant-id>.accounts.ondemand.com/saml2/idp/acs/<IAS-tenant-id>.accounts.ondemand.com` > [!NOTE]
- > These values are not real. Update these values with the actual identifier and Reply URL. Contact the [SAP Cloud Platform Identity Authentication Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) to get these values. If you don't understand Identifier value, read the SAP Cloud Platform Identity Authentication documentation about [Tenant SAML 2.0 configuration](https://help.hana.ondemand.com/cloud_identity/frameset.htm?e81a19b0067f4646982d7200a8dab3ca.html).
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact the [SAP Cloud Platform Identity Authentication Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) to get these values. If you don't understand Identifier value, read the SAP Cloud Platform Identity Authentication documentation about [Tenant SAML 2.0 configuration](https://help.hana.ondemand.com/cloud_identity/frameset.htm?e81a19b0067f4646982d7200a8dab3ca.html).
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP**-initiated mode: ![SAP Cloud Platform Identity Authentication Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type a value using the following pattern:
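Review bot: changing "type a URL" to "type a value" is correct for the Identifier at the hunk above, because `<IAS-tenant-id>.accounts.ondemand.com` is a host name rather than a URL, but the Sign-on URL pattern that follows is `{YOUR BUSINESS APPLICATION URL}`, which is a URL; keep "type a URL using the following pattern" for the Sign-on URL line so the instruction matches the field.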
`{YOUR BUSINESS APPLICATION URL}` > [!NOTE]
The Identity Federation option is disabled by default. If Identity Federation is
For more information about how to enable or disable Identity Federation with SAP Cloud Platform Identity Authentication, see "Enable Identity Federation with SAP Cloud Platform Identity Authentication" in [Configure Identity Federation with the User Store of SAP Cloud Platform Identity Authentication](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/c029bbbaefbf4350af15115396ba14e2.html).
+> [!NOTE]
+> SAP Cloud Platform Identity Authentication also supports automatic user provisioning, you can find more details [here](./sap-cloud-platform-identity-authentication-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Sapboc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sapboc-tutorial.md
Previously updated : 02/11/2021 Last updated : 08/31/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* SAP Analytics Cloud supports **SP** initiated SSO.
+* SAP Analytics Cloud supports [Automated user provisioning](sap-analytics-cloud-provisioning-tutorial.md).
+ ## Add SAP Analytics Cloud from the gallery To configure the integration of SAP Analytics Cloud into Azure AD, you need to add SAP Analytics Cloud from the gallery to your list of managed SaaS apps.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using one of the following patterns:
-
- - `https://<sub-domain>.sapanalytics.cloud/`
- - `https://<sub-domain>.sapbusinessobjects.cloud/`
+ a. In the **Identifier (Entity ID)** text box, type a value using one of the following patterns:
- b. In the **Identifier (Entity ID)** text box, type a URL using one of the following patterns:
+ | **Identifier URL** |
+ |-|
+ | `<sub-domain>.sapbusinessobjects.cloud` |
+ | `<sub-domain>.sapanalytics.cloud` |
- - `<sub-domain>.sapbusinessobjects.cloud`
- - `<sub-domain>.sapanalytics.cloud`
+ b. In the **Sign on URL** text box, type a URL using one of the following patterns:
+
+ | **Sign on URL** |
+ ||
+ | `https://<sub-domain>.sapanalytics.cloud/` |
+ | `https://<sub-domain>.sapbusinessobjects.cloud/` |
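Review bot: the Sign on URL table is malformed: its second row is `||`, but a Markdown table needs a delimiter row with at least one hyphen per cell, so this block will not render as a table (the Identifier table above it correctly uses `|-|`). Change the row to `|-|`. Also add a blank line between "type a value using one of the following patterns:" and the first table row in the Identifier block, matching the Sign on URL block, so the table is not parsed as part of the preceding paragraph.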
> [!NOTE]
- > The values in these URLs are for demonstration only. Update the values with the actual sign-on URL and identifier URL. To get the sign-on URL, contact the [SAP Analytics Cloud Client support team](https://help.sap.com/viewer/product/SAP_BusinessObjects_Cloud/release/). You can get the identifier URL by downloading the SAP Analytics Cloud metadata from the admin console. This is explained later in the tutorial.
+ > The values in these URLs are for demonstration only. Update the values with the actual Identifier and Sign on URL. To get the sign-on URL, contact the [SAP Analytics Cloud Client support team](https://help.sap.com/viewer/product/SAP_BusinessObjects_Cloud/release/). You can get the identifier URL by downloading the SAP Analytics Cloud metadata from the admin console. This is explained later in the tutorial.
4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
To provision a user account:
1. Select the **Save** icon.
+> [!NOTE]
+> SAP Analytics Cloud also supports automatic user provisioning, you can find more details [here](./sap-analytics-cloud-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Schoolstream Asa Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/schoolstream-asa-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure SchoolStream ASA for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to SchoolStream ASA.
++
+writer: twimmers
+
+ms.assetid: ac594768-7b76-4e5a-b46e-8f1cb41f2754
++++ Last updated : 08/27/2021+++
+# Tutorial: Configure SchoolStream ASA for automatic user provisioning in SchoolStream ASA
+
+This tutorial describes the steps you need to perform in both SchoolStream ASA and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [SchoolStream ASA](https://www.ssk12.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in SchoolStream ASA
+> * Remove users in SchoolStream ASA when they do not require access anymore.
+> * Keep user attributes synchronized between Azure AD and SchoolStream ASA
+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to SchoolStream ASA (recommended).
++
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A SchoolStream Website. Please contact [SchoolStream support](mailto:support@rtresponse.com) if you do not have one.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and SchoolStream ASA](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure SchoolStream ASA to support provisioning with Azure AD
+
+1. Contact [SchoolStream support](mailto:support@rtresponse.com) to request SchoolStream ASA integration, you will need to provide your **Azure AD tenant Id** and your **SchoolStream Website URL**.
+
+1. You will get your **Secret Token** and SchoolStream ASA **Tenant URL** after SchoolStream has mapped your SchoolStream Website and Azure AD tenant ID.
+
+## Step 3. Add SchoolStream ASA from the Azure AD application gallery
+
+To start managing provisioning to SchoolStream ASA in your Azure AD, you need to add SchoolStream ASA from the Azure AD application gallery.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+2. On the left navigation pane, select the **Azure Active Directory** service.
+3. Navigate to **Enterprise Applications** and then select **All Applications**.
+4. To add new application, select **New application**.
+5. In the **Browse Azure AD Gallery** section, type **SchoolStream ASA** in the search box.
+6. Select **SchoolStream ASA** from results panel and then **Sign up for the app**. Wait a few seconds while the app is added to your tenant.
++
+If you have previously setup SchoolStream ASA for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* When assigning users and groups to SchoolStream ASA, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
++
+## Step 5. Configure automatic user provisioning to SchoolStream ASA
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in SchoolStream ASA based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for SchoolStream ASA in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **SchoolStream ASA**.
+
+ ![The SchoolStream ASA link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. If you are configuring provisioning for the first time, select **Get started**.
+
+ ![Provisioning get started](media/schoolstream-asa-provisioning-tutorial/provisioning-get-started.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](media/schoolstream-asa-provisioning-tutorial/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, input your SchoolStream ASA **Tenant URL** and **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to SchoolStream ASA. If the connection fails , ensure your SchoolStream ASA account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. Select **Save** to see the **Settings** section.
+
+1. In the **Notification Email** field of **Settings** section, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. In the **Mappings** section, select **Provision Azure Active Directory Users**.
+
+1. Select **Add New Mapping** at the bottom.
+
+1. In the dialog **Edit Attribute**:
+
+ * In the **Mapping type** field, select **Direct** from the dropdown,
+ * In the **Source attribute** field, select **extensionAttribute1** from the dropdown,
+ * Enter your **Azure AD tenant Id** in the field **Default value if null(optional)**,
+ * In the **Target attribute** field, select **urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization** from the dropdown,
+ * In the **Match objects using this attribute** field, select **No** from the dropdown,
+ * In the **Apply this mapping** field, select **Always** from the dropdown,
+ * Select **OK**.
+
+ ![Edit Attribute](media/schoolstream-asa-provisioning-tutorial/add-mappings-attribute.png)
+
+1. Review the user attributes that are synchronized from Azure AD to SchoolStream ASA in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in SchoolStream ASA for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the SchoolStream ASA API supports filtering users based on that attribute.
+++
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;
+ |active|Boolean|
+ |displayName|String|
+ |emails[type eq "work"].value|String|
+ |preferredLanguage|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |name.formatted|String|
+ |phoneNumbers[type eq "mobile"].value|String|
+ |externalId|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String|
+
+13. Select the **Save** button to commit any changes. You can go back to the **Application** tab and select **Edit provisioning** to continue.
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for SchoolStream ASA, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and/or groups that you would like to provision to SchoolStream ASA by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
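Review bot: the attribute table under step 12 will not render as a table, because its delimiter row is `||||` instead of a dashes row such as `|---|---|---|`, and every data row is missing its closing pipe; rewrite the header as `|Attribute|Type|Supported for filtering|`, the delimiter as `|---|---|---|`, and the rows as `|userName|String|&check;|` and so on. The stray lines containing only `+` (after step 6 of Step 3, after the "Start small" bullet in Step 4, and immediately before that table) will render as literal plus signs and should be deleted. Two smaller wording points: "If the connection fails , ensure" has a space before the comma, and step 6 of Step 3 says "Sign up for the app" where the gallery steps in the other tutorials of this change set say "add the app".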
active-directory Screencast Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/screencast-tutorial.md
Previously updated : 11/15/2019 Last updated : 08/31/2021
In this tutorial, you'll learn how to integrate Screencast-O-Matic with Azure Ac
* Enable your users to be automatically signed-in to Screencast-O-Matic with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Screencast-O-Matic supports **SP** initiated SSO
-* Screencast-O-Matic supports **Just In Time** user provisioning
+* Screencast-O-Matic supports **SP** initiated SSO.
+* Screencast-O-Matic supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Screencast-O-Matic from the gallery
+## Add Screencast-O-Matic from the gallery
To configure the integration of Screencast-O-Matic into Azure AD, you need to add Screencast-O-Matic from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Screencast-O-Matic** in the search box. 1. Select **Screencast-O-Matic** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Screencast-O-Matic
+## Configure and test Azure AD SSO for Screencast-O-Matic
Configure and test Azure AD SSO with Screencast-O-Matic using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Screencast-O-Matic.
-To configure and test Azure AD SSO with Screencast-O-Matic, complete the following building blocks:
+To configure and test Azure AD SSO with Screencast-O-Matic, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Screencast-O-Matic SSO](#configure-screencast-o-matic-sso)** - to configure the single sign-on settings on application side.
- * **[Create Screencast-O-Matic test user](#create-screencast-o-matic-test-user)** - to have a counterpart of B.Simon in Screencast-O-Matic that is linked to the Azure AD representation of user.
+ 1. **[Create Screencast-O-Matic test user](#create-screencast-o-matic-test-user)** - to have a counterpart of B.Simon in Screencast-O-Matic that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Screencast-O-Matic** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Screencast-O-Matic** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://screencast-o-matic.com/<InstanceName>`
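Review bot: the new note "Identifier of this application is a fixed string value so only one instance can be configured in one tenant." is missing an article and a comma; it should read "The Identifier of this application is a fixed string value, so only one instance can be configured in one tenant." The rewritten Basic SAML Configuration step now gives only the pattern `https://screencast-o-matic.com/<InstanceName>`, and because `<InstanceName>` is a placeholder, the step should carry the usual note that the value is not real and must be replaced with the actual Sign-on URL, in the same way the Segment tutorial in this change set flags its Identifier and Reply URL as placeholders.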
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Screencast-O-Matic**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
![My apps extension](common/install-myappssecure-extension.png)
-1. After adding extension to the browser, click on **Set up Screencast-O-Matic** will direct you to the Screencast-O-Matic application. From there, provide the admin credentials to sign into Screencast-O-Matic. The browser extension will automatically configure the application for you and automate steps 3-11.
+1. After adding extension to the browser, click on **Set up Screencast-O-Matic** will direct you to the Screencast-O-Matic application. From there, provide the admin credentials to sign into Screencast-O-Matic. The browser extension will automatically configure the application for you and automate steps 3-10.
![Setup configuration](common/setup-sso.png)
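Review bot: the range "automate steps 3-10" in the browser-extension step points at positions in a list that is written with repeated `1.` markers, so it goes stale silently whenever a step is added or removed, which is exactly why this hunk has to change it from 3-11 to 3-10; point at the section instead ("automates the steps in the Configure Azure AD SSO section"). The same sentence reads "click on **Set up Screencast-O-Matic** will direct you", which should be "clicking **Set up Screencast-O-Matic** directs you".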
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Subscription**.
- ![The Subscription](./media/screencast-tutorial/tutorial_screencast_sub.png)
+ ![Screenshot that shows the Subscription.](./media/screencast-tutorial/subscribe.png)
1. Under the **Access page** section, click **Setup**.
- ![Screenshot that shows the "Access Page" section with the "Setup" button selected.](./media/screencast-tutorial/tutorial_screencast_setup.png)
+ ![Screenshot that shows the "Access Page" section with the "Setup" button selected.](./media/screencast-tutorial/setup.png)
1. On the **Setup Access Page**, perform the following steps. 1. Under the **Access URL** section, type your instancename in the specified textbox.
- ![Screenshot that shows the "Access U R L" section with the instance name textbox highlighted.](./media/screencast-tutorial/tutorial_screencast_access.png)
+ ![Screenshot that shows the "Access U R L" section with the instance name textbox highlighted.](./media/screencast-tutorial/access-page.png)
1. Select **Require Domain User** under **SAML User Restriction (optional)** section.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click **OK**.
- ![The Access](./media/screencast-tutorial/tutorial_screencast_save.png)
+ ![Screenshot that shows the Access.](./media/screencast-tutorial/metadata.png)
### Create Screencast-O-Matic test user
In this section, a user called Britta Simon is created in Screencast-O-Matic. Sc
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Screencast-O-Matic tile in the Access Panel, you should be automatically signed in to the Screencast-O-Matic for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Screencast-O-Matic Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Screencast-O-Matic Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Screencast-O-Matic tile in the My Apps, this will redirect to Screencast-O-Matic Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Screencast-O-Matic with Azure AD](https://aad.portal.azure.com/)
+Once you configure Screencast-O-Matic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
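Review bot: "organizationΓÇÖs" in the Next steps paragraph is a UTF-8 curly apostrophe that was read back as CP437 mojibake, so this line (or the whole file) was saved with the wrong encoding; replace it with a plain apostrophe ("organization's") and check the rest of the file for the same `ΓÇÖ` sequence. Smaller wording points in the Test SSO bullets: "configuration with following options" should be "with the following options", "in Azure portal" should be "in the Azure portal", and "the Screencast-O-Matic tile in the My Apps" should drop the article before "My Apps".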
active-directory Securedeliver Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/securedeliver-tutorial.md
Previously updated : 04/14/2019 Last updated : 09/01/2021 # Tutorial: Azure Active Directory integration with SECURE DELIVER
-In this tutorial, you learn how to integrate SECURE DELIVER with Azure Active Directory (Azure AD).
-Integrating SECURE DELIVER with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SECURE DELIVER with Azure Active Directory (Azure AD). When you integrate SECURE DELIVER with Azure AD, you can:
-* You can control in Azure AD who has access to SECURE DELIVER.
-* You can enable your users to be automatically signed-in to SECURE DELIVER (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SECURE DELIVER.
+* Enable your users to be automatically signed-in to SECURE DELIVER with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with SECURE DELIVER, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* SECURE DELIVER single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* SECURE DELIVER single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SECURE DELIVER supports **SP** initiated SSO
-
-## Adding SECURE DELIVER from the gallery
-
-To configure the integration of SECURE DELIVER into Azure AD, you need to add SECURE DELIVER from the gallery to your list of managed SaaS apps.
-
-**To add SECURE DELIVER from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* SECURE DELIVER supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+* SECURE DELIVER supports [Automated user provisioning](secure-deliver-provisioning-tutorial.md).
-4. In the search box, type **SECURE DELIVER**, select **SECURE DELIVER** from result panel then click **Add** button to add the application.
+## Add SECURE DELIVER from the gallery
- ![SECURE DELIVER in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SECURE DELIVER based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SECURE DELIVER needs to be established.
-
-To configure and test Azure AD single sign-on with SECURE DELIVER, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SECURE DELIVER Single Sign-On](#configure-secure-deliver-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SECURE DELIVER test user](#create-secure-deliver-test-user)** - to have a counterpart of Britta Simon in SECURE DELIVER that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of SECURE DELIVER into Azure AD, you need to add SECURE DELIVER from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SECURE DELIVER** in the search box.
+1. Select **SECURE DELIVER** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for SECURE DELIVER
-To configure Azure AD single sign-on with SECURE DELIVER, perform the following steps:
+Configure and test Azure AD SSO with SECURE DELIVER using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SECURE DELIVER.
-1. In the [Azure portal](https://portal.azure.com/), on the **SECURE DELIVER** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with SECURE DELIVER, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SECURE DELIVER SSO](#configure-secure-deliver-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SECURE DELIVER test user](#create-secure-deliver-test-user)** - to have a counterpart of B.Simon in SECURE DELIVER that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **SECURE DELIVER** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![SECURE DELIVER Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<companyname>.i-securedeliver.jp/sd/<tenantname>/jsf/login/sso`
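Review bot: this hunk deletes the Sign on URL instruction `a. In the **Sign on URL** text box, type a URL using the following pattern:` together with its pattern `https://<companyname>.i-securedeliver.jp/sd/<tenantname>/jsf/login/sso` under "On the **Basic SAML Configuration** section, perform the following steps:" with no visible replacement, while the same hunk states that SECURE DELIVER supports SP-initiated SSO, which cannot work without a Sign-on URL; confirm that the replacement step (and a note that `<companyname>` and `<tenantname>` are placeholders to be replaced with real values) is present in the following hunk, otherwise the SP-initiated flow cannot be configured from this tutorial. The retained context line "4. On the **Basic SAML Configuration** section" also keeps an explicit number while the preceding steps now use `1.`, so renumber it to `1.` for consistency.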
To configure Azure AD single sign-on with SECURE DELIVER, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure SECURE DELIVER Single Sign-On
-
-To configure single sign-on on **SECURE DELIVER** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SECURE DELIVER support team](mailto:iw-sd-support@fujifilm.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SECURE DELIVER.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SECURE DELIVER.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SECURE DELIVER**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SECURE DELIVER**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure SECURE DELIVER SSO
-2. In the applications list, select **SECURE DELIVER**.
-
- ![The SECURE DELIVER link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **SECURE DELIVER** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SECURE DELIVER support team](mailto:iw-sd-support@fujifilm.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create SECURE DELIVER test user In this section, you create a user called Britta Simon in SECURE DELIVER. Work with [SECURE DELIVER support team](mailto:iw-sd-support@fujifilm.com) to add the users in the SECURE DELIVER platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+SECURE DELIVER also supports automatic user provisioning, you can find more details [here](./secure-deliver-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SECURE DELIVER tile in the Access Panel, you should be automatically signed in to the SECURE DELIVER for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SECURE DELIVER Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to SECURE DELIVER Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SECURE DELIVER tile in the My Apps, this will redirect to SECURE DELIVER Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SECURE DELIVER you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
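Review bot: the hunk removes the list of values to copy from the Set up SECURE DELIVER section (`a. Login URL`, `b. Azure AD Identifier`, `c. Logout URL`) while the Configure SECURE DELIVER SSO paragraph still tells the reader to send "the downloaded **Certificate (Base64)** and appropriate copied URLs" to the support team, so the reader is no longer told which URLs those are; either keep the list or name the Login URL, Azure AD Identifier and Logout URL in that paragraph. Also, "organizationΓÇÖs" in the Next steps paragraph is an encoding error for "organization's"; "SECURE DELIVER also supports automatic user provisioning, you can find more details here" is a comma splice with a non-descriptive "here" link and duplicates the provisioning link already added to the scenario bullets; and "configuration with following options" should read "with the following options".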
active-directory Segment Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/segment-tutorial.md
Previously updated : 05/28/2021 Last updated : 09/01/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Segment supports **SP and IDP** initiated SSO. * Segment supports **Just In Time** user provisioning.
+* Segment supports [Automated user provisioning](segment-provisioning-tutorial.md).
## Add Segment from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`urn:auth0:segment-prod:samlp-<CUSTOMER_VALUE>` b. In the **Reply URL** text box, type a URL using the following pattern:
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://app.segment.com` > [!NOTE]
- > These values are placeholders. You need to use the actual identifier, reply URL, and sign-on URL. Steps for getting these values are described later in this tutorial.
+ > These values are placeholders. You need to use the actual Identifier and Reply URL. Steps for getting these values are described later in this tutorial.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called B.Simon is created in Segment. Segment supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Segment, a new one is created after authentication.
+Segment also supports automatic user provisioning, you can find more details [here](./segment-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
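Review bot: `+Segment also supports automatic user provisioning, you can find more details [here](./segment-provisioning-tutorial.md) ...` is a comma splice with a non-descriptive "here" link; suggest `Segment also supports automatic user provisioning. For details, see the [Segment provisioning tutorial](./segment-provisioning-tutorial.md).` The new `## Test SSO` intro in this hunk also drops the article: "with the following options".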
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Segment you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Segment you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
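Review bot: the removed and added `Once you configure Segment ...` lines are identical as rendered, so this hunk is a whitespace-only change (trailing space or line ending). Since the line is being touched anyway, fix the mojibake `ΓÇÖ` in `organizationΓÇÖs`, which the added line still carries, by replacing it with a plain apostrophe.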
active-directory Servicessosafe Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/servicessosafe-tutorial.md
Previously updated : 10/23/2020 Last updated : 09/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SoSafe supports **SP and IDP** initiated SSO
-* SoSafe supports **Just In Time** user provisioning
+* SoSafe supports **SP and IDP** initiated SSO.
+* SoSafe supports **Just In Time** user provisioning.
+* SoSafe supports [Automated user provisioning](sosafe-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant. - ## Adding SoSafe from the gallery To configure the integration of SoSafe into Azure AD, you need to add SoSafe from the gallery to your list of managed SaaS apps.
To configure the integration of SoSafe into Azure AD, you need to add SoSafe fro
1. In the **Add from the gallery** section, type SoSafe in the search box. 1. Select SoSafe from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for SoSafe Configure and test Azure AD SSO with SoSafe using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SoSafe.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the SoSafe application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the Set up SoSafe section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called Britta Simon is created in SoSafe. SoSafe supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in SoSafe, a new one is created after authentication.
+SoSafe also supports automatic user provisioning, you can find more details [here](./sosafe-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options. #### SP initiated:
-1. Click on **Test this application** in Azure portal. This will redirect to SoSafe Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to SoSafe Sign on URL where you can initiate the login flow.
-1. Go to SoSafe Sign-on URL directly and initiate the login flow from there.
+* Go to SoSafe Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the SoSafe for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SoSafe for which you set up the SSO.
-You can also use Microsoft Access Panel to test the application in any mode. When you click the SoSafe tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SoSafe for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the SoSafe tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SoSafe for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
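Review bot: the two SP-initiated bullets in this hunk spell the same thing differently, `SoSafe Sign on URL` in `+* Click on **Test this application** ...` and `SoSafe Sign-on URL` in `+* Go to SoSafe Sign-on URL directly ...`; use "Sign-on URL" in both, matching the portal label. Also `+SoSafe also supports automatic user provisioning, you can find more details [here](./sosafe-provisioning-tutorial.md) ...` is a comma splice with a "here" link; suggest `SoSafe also supports automatic user provisioning. For details, see the [SoSafe provisioning tutorial](./sosafe-provisioning-tutorial.md).` Minor: `with following options` should read "with the following options", `in Azure portal` should read "in the Azure portal", and `in the My Apps` / `Introduction to the My Apps` should drop the article.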
active-directory Shopify Plus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/shopify-plus-tutorial.md
Previously updated : 02/11/2021 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Shopify Plus supports **SP and IDP** initiated SSO.
+* Shopify Plus supports [Automated user provisioning](shopify-plus-provisioning-tutorial.md).
## Add Shopify Plus from the gallery
To configure single sign-on on the **Shopify Plus** side, copy the **App Federat
In this section, you create a user called B.Simon in Shopify Plus. Return to the **Users** section and add a user by entering their email and permissions. Users must be created and activated before you use single sign-on.
+> [!NOTE]
+> Shopify Plus also supports automatic user provisioning, you can find more details [here](./shopify-plus-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ### Enforce SAML authentication > [!NOTE]
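Review bot: `+> Shopify Plus also supports automatic user provisioning, you can find more details [here](./shopify-plus-provisioning-tutorial.md) ...` is a comma splice with a "here" link; suggest `Shopify Plus also supports automatic user provisioning. For details, see the [Shopify Plus provisioning tutorial](./shopify-plus-provisioning-tutorial.md).` Note also that the other tutorials in this commit add the equivalent sentence as a plain paragraph rather than inside a `[!NOTE]` callout; either form is fine, but pick one across the set.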
active-directory Sigma Computing Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sigma-computing-tutorial.md
Previously updated : 01/27/2021 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Sigma Computing supports **SP and IDP** initiated SSO
-* Sigma Computing supports **Just In Time** user provisioning
+* Sigma Computing supports **SP and IDP** initiated SSO.
+* Sigma Computing supports **Just In Time** user provisioning.
+* Sigma Computing supports [Automated user provisioning](sigma-computing-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure the integration of Sigma Computing into Azure AD, you need to add S
1. In the **Add from the gallery** section, type **Sigma Computing** in the search box. 1. Select **Sigma Computing** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Sigma Computing Configure and test Azure AD SSO with Sigma Computing using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Sigma Computing.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Sigma Computing** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called Britta Simon is created in Sigma Computing. Sigma Computing supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Sigma Computing, a new one is created after authentication.
+Sigma Computing also supports automatic user provisioning, you can find more details [here](./sigma-computing-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
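Review bot: `+Sigma Computing also supports automatic user provisioning, you can find more details [here](./sigma-computing-provisioning-tutorial.md) ...` is a comma splice with a "here" link; suggest `Sigma Computing also supports automatic user provisioning. For details, see the [Sigma Computing provisioning tutorial](./sigma-computing-provisioning-tutorial.md).` The `## Test SSO` intro in the same hunk should read "with the following options".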
active-directory Signagelive Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/signagelive-tutorial.md
Previously updated : 1/11/2019 Last updated : 09/01/2021 # Tutorial: Azure Active Directory integration with Signagelive
-In this tutorial, you learn how to integrate Signagelive with Azure Active Directory (Azure AD).
-Integrating Signagelive with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Signagelive with Azure Active Directory (Azure AD). When you integrate Signagelive with Azure AD, you can:
-* You can control in Azure AD who has access to Signagelive.
-* You can enable your users to be automatically signed in to Signagelive (single sign-on) with their Azure AD accounts.
-* You can manage your accounts in one central location: the Azure portal.
-
-For more information about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md). If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Signagelive.
+* Enable your users to be automatically signed-in to Signagelive with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Signagelive, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/).
-* A Signagelive single-sign-on-enabled subscription.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Signagelive single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. * Signagelive supports SP-initiated SSO.
+* Signagelive supports [Automated user provisioning](signagelive-provisioning-tutorial.md).
## Add Signagelive from the gallery
-To configure the integration of Signagelive into Azure AD, first add Signagelive from the gallery to your list of managed SaaS apps.
-
-To add Signagelive from the gallery, take the following steps:
-
-1. In the [Azure portal](https://portal.azure.com), in the left pane, select the **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Go to **Enterprise Applications**, and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, select the **New application** button at the top of the dialog box.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, enter **Signagelive**.
-
- ![Signagelive in the results list](common/search-new-app.png)
+To configure the integration of Signagelive into Azure AD, you need to add Signagelive from the gallery to your list of managed SaaS apps.
-5. Select **Signagelive** from the results pane, and then select the **Add** button to add the application.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Signagelive** in the search box.
+1. Select **Signagelive** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Signagelive
-In this section, you configure and test Azure AD single sign-on with Signagelive based on a test user called **Britta Simon**.
-For single sign-on to work, you must establish a link between an Azure AD user and the related user in Signagelive.
+Configure and test Azure AD SSO with Signagelive using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Signagelive.
-To configure and test Azure AD single sign-on with Signagelive, first complete the following building blocks:
+To configure and test Azure AD SSO with Signagelive, perform the following steps:
-1. [Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on) to enable your users to use this feature.
-2. [Configure Signagelive single sign-on](#configure-signagelive-single-sign-on) to configure the single sign-on settings on the application side.
-3. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with Britta Simon.
-4. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on.
-5. [Create a Signagelive test user](#create-a-signagelive-test-user) to have a counterpart of Britta Simon in Signagelive that is linked to the Azure AD representation of the user.
-6. [Test single sign-on](#test-single-sign-on) to verify that the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Signagelive SSO](#configure-signagelive-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Signagelive test user](#create-signagelive-test-user)** - to have a counterpart of B.Simon in Signagelive that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with Signagelive, take the following steps:
+1. In the Azure portal, on the **Signagelive** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **Signagelive** application integration page, select **Single sign-on**.
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Configure single sign-on link](common/select-sso.png)
-
-2. In the **Select a single sign-on method** dialog box, select **SAML** to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up single sign-on with SAML** page, select **Edit** to open the **Basic SAML Configuration** dialog box.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. In the **Basic SAML Configuration** section, take the following steps:
-
- ![Signagelive Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. In the **Basic SAML Configuration** section, take the following step:
In the **Sign-on URL** box, enter a URL that uses the following pattern: `https://login.signagelive.com/sso/<ORGANIZATIONALUNITNAME>`
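Review bot: `+* Signagelive single sign-on (SSO) enabled subscription.` drops the article that the removed line had; it should read "A Signagelive single sign-on (SSO) enabled subscription." In the same hunk, `+4. In the **Basic SAML Configuration** section, take the following step:` keeps an explicit `4.` after the three preceding items were renumbered to `1.`; CommonMark renders it correctly because it takes the start number from the first item, but the source style is now mixed, so use `1.` here too. The renamed step-list anchors (`#configure-azure-ad-sso`, `#configure-signagelive-sso`, `#create-signagelive-test-user`, `#test-sso`) do resolve to the headings renamed in this diff.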
To configure Azure AD single sign-on with Signagelive, take the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Signagelive Single sign-on
-
-To configure single sign-on on the Signagelive side, send the downloaded **Certificate (Raw)** and copied URLs from the Azure portal to the [Signagelive support team](mailto:support@signagelive.com). They ensure that the SAML SSO connection is set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user button](common/new-user.png)
-
-3. In the **User** dialog box, take the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, enter "brittasimon@yourcompanydomain.extension". For example, in this case, you might enter "BrittaSimon@contoso.com".
-
- c. Select the **Show password** check box, and then note the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Select **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Signagelive.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Signagelive.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, and then select **Signagelive**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Signagelive**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Signagelive SSO
-2. In the applications list, select **Signagelive**.
-
- ![The Signagelive link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Select the **Add user** button. Then, in the **Add Assignment** dialog box, select **Users and groups**.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog box, in the **Users** list, select **Britta Simon**. Then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting a role value in the SAML assertion, then, in the **Select Role** dialog box, select the appropriate role for the user from the list. Next, click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog box, select the **Assign** button.
+To configure single sign-on on the Signagelive side, send the downloaded **Certificate (Raw)** and copied URLs from the Azure portal to the [Signagelive support team](mailto:support@signagelive.com). They ensure that the SAML SSO connection is set properly on both sides.
-### Create a Signagelive test user
+### Create Signagelive test user
In this section, you create a user called Britta Simon in Signagelive. Work with the [Signagelive support team](mailto:support@signagelive.com) to add the users in the Signagelive platform. You must create and activate users before you use single sign-on.
-### Test single sign-on
+Signagelive also supports automatic user provisioning, you can find more details [here](./signagelive-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration by using the MyApps portal.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the **Signagelive** tile in the MyApps portal, you should be automatically signed in. For more information about the MyApps portal, see [What is the MyApps portal?](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Signagelive Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to Signagelive Sign-on URL directly and initiate the login flow from there.
-- [List of tutorials on how to integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Signagelive tile in the My Apps, this will redirect to Signagelive Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Signagelive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
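Review bot: under `+### Create Signagelive test user`, the unchanged body line still says "you create a user called Britta Simon in Signagelive" while every other reference in this file was changed to B.Simon in this commit; update it for consistency. The moved `+## Configure Signagelive SSO` paragraph refers to "copied URLs", but the `a. Login URL / b. Azure AD Identifier / c. Logout URL` list that identified them was removed in this hunk with no visible replacement, so say which URLs are meant. Wording: `+Signagelive also supports automatic user provisioning, you can find more details [here](./signagelive-provisioning-tutorial.md) ...` is a comma splice with a "here" link (suggest `Signagelive also supports automatic user provisioning. For details, see the [Signagelive provisioning tutorial](./signagelive-provisioning-tutorial.md).`), `with following options` needs "the", `in Azure portal` needs "the", and `in the My Apps` should drop the article. The `+Once you configure Signagelive ...` line carries mojibake (`ΓÇÖ` in `organizationΓÇÖs`); replace it with a plain apostrophe.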
active-directory Smartfile Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smartfile-tutorial.md
Previously updated : 02/07/2019 Last updated : 09/01/2021 # Tutorial: Azure Active Directory integration with SmartFile
-In this tutorial, you learn how to integrate SmartFile with Azure Active Directory (Azure AD).
-Integrating SmartFile with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SmartFile with Azure Active Directory (Azure AD). When you integrate SmartFile with Azure AD, you can:
-* You can control in Azure AD who has access to SmartFile.
-* You can enable your users to be automatically signed-in to SmartFile (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SmartFile.
+* Enable your users to be automatically signed-in to SmartFile with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with SmartFile, you need the following items:
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* SmartFile single sign-on enabled subscription
+* SmartFile single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
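Review bot: `+* SmartFile single sign-on (SSO) enabled subscription.` is missing the article; it should read "A SmartFile single sign-on (SSO) enabled subscription." The rest of this hunk (intro bullets, prerequisites) is fine.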
To configure Azure AD integration with SmartFile, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SmartFile supports **SP** initiated SSO
+* SmartFile supports **SP** initiated SSO.
+* SmartFile supports [Automated user provisioning](smartfile-provisioning-tutorial.md).
-## Adding SmartFile from the gallery
+## Add SmartFile from the gallery
To configure the integration of SmartFile into Azure AD, you need to add SmartFile from the gallery to your list of managed SaaS apps.
-**To add SmartFile from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SmartFile**, select **SmartFile** from result panel then click **Add** button to add the application.
-
- ![SmartFile in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SmartFile** in the search box.
+1. Select **SmartFile** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for SmartFile
-In this section, you configure and test Azure AD single sign-on with SmartFile based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SmartFile needs to be established.
+Configure and test Azure AD SSO with SmartFile using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SmartFile.
-To configure and test Azure AD single sign-on with SmartFile, you need to complete the following building blocks:
+To configure and test Azure AD SSO with SmartFile, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SmartFile Single Sign-On](#configure-smartfile-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SmartFile test user](#create-smartfile-test-user)** - to have a counterpart of Britta Simon in SmartFile that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SmartFile SSO](#configure-smartfile-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SmartFile test user](#create-smartfile-test-user)** - to have a counterpart of B.Simon in SmartFile that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with SmartFile, perform the following steps:
+1. In the Azure portal, on the **SmartFile** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **SmartFile** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![SmartFile Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.smartfile.com/ftp/login`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
`<SUBDOMAIN>.smartfile.com` > [!NOTE]
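Review bot: the unchanged step `4. On the **Basic SAML Configuration** section, perform the following steps:` keeps an explicit `4.` while every rewritten step above it now uses `1.`; renumber it to `1.` so the list follows one convention, otherwise the next edit to this list is likely to break the ordering. The change to `type a value using the following pattern:` for the Identifier is correct, since `<SUBDOMAIN>.smartfile.com` is not a URL, but sub-step `a.` still says `type a URL` for the Sign on URL with a lettered label while the surrounding steps moved to nested `1.` items; apply the same nesting there for consistency.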
To configure Azure AD single sign-on with SmartFile, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure SmartFile Single Sign-On
-
-To configure single sign-on on **SmartFile** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [SmartFile support team](https://support.lumanox.com/hc/sections/360003453152-SAML-Authentication). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SmartFile.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SmartFile.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SmartFile**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SmartFile**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure SmartFile SSO
-2. In the applications list, select **SmartFile**.
-
- ![The SmartFile link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **SmartFile** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [SmartFile support team](https://support.lumanox.com/hc/sections/360003453152-SAML-Authentication). They set this setting to have the SAML SSO connection set properly on both sides.
### Create SmartFile test user In this section, you create a user called Britta Simon in SmartFile. Work with [SmartFile support team](https://support.lumanox.com/hc/sections/360003453152-SAML-Authentication) to add the users in the SmartFile platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+SmartFile also supports automatic user provisioning, you can find more details [here](./smartfile-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SmartFile tile in the Access Panel, you should be automatically signed in to the SmartFile for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SmartFile Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to SmartFile Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SmartFile tile in the My Apps, this will redirect to SmartFile Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SmartFile you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
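Review bot: the rename from Britta Simon to B.Simon misses the unchanged line `### Create SmartFile test user In this section, you create a user called Britta Simon in SmartFile.`, which now refers to a user the tutorial never creates; change it to B.Simon in this same commit. Two smaller points in the added lines: `SmartFile also supports automatic user provisioning, you can find more details [here](./smartfile-provisioning-tutorial.md)` is a comma splice with a bare "here" link, so split it into two sentences and use the target tutorial's title as the link text; and the new Next steps sentence contains the mojibake `ΓÇÖ` in `organizationΓÇÖs`, which should be a plain apostrophe (the same artefact appears in the TerraTrue and Timeclock 365 SAML files of this change).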
active-directory Soloinsight Cloudgate Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/soloinsight-cloudgate-sso-tutorial.md
Previously updated : 05/24/2021 Last updated : 09/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Soloinsight-CloudGate SSO supports **SP** initiated SSO.
+* Soloinsight-CloudGate SSO supports [Automated user provisioning](soloinsight-cloudgate-sso-provisioning-tutorial.md).
## Add Soloinsight-CloudGate SSO from the gallery
To configure and test Azure AD SSO with Soloinsight-CloudGate SSO, perform the f
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Soloinsight-CloudGate SSO** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Soloinsight-CloudGate SSO** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** page, enter the values for the following fields:
+1. On the **Basic SAML Configuration** page, perform the following steps:
1. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.sigateway.com/login`
To Create a test user, Select **Employees** from the main menu of your CloudGate
![Employee test](./media/soloinsight-cloudgate-sso-tutorial/employee-test.png)
+> [!NOTE]
+> Soloinsight-CloudGate SSO also supports automatic user provisioning, you can find more details [here](./soloinsight-cloudgate-sso-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
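Review bot: the new NOTE links to `./soloinsight-cloudgate-sso-provisioning-tutorial.md` while the bullet added in the scenario section links to `soloinsight-cloudgate-sso-provisioning-tutorial.md`; same target, but pick one relative form. The note also repeats what that bullet already states, so it could be reduced to a one-line cross-reference, and its wording `also supports automatic user provisioning, you can find more details [here]` is a comma splice with a bare "here" link.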
active-directory Spaceiq Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/spaceiq-tutorial.md
Previously updated : 06/11/2021 Last updated : 09/02/2021 # Tutorial: Azure Active Directory integration with SpaceIQ
To configure Azure AD integration with SpaceIQ, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment. * SpaceIQ supports **IDP** initiated SSO.
+* SpaceIQ supports [Automated user provisioning](spaceiq-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, you create a user called Britta Simon in SpaceIQ. Work [SpaceIQ support team](mailto:eng@spaceiq.com) to add the users in the SpaceIQ platform. Users must be created and activated before you use single sign-on.
+SpaceIQ also supports automatic user provisioning, you can find more details [here](./spaceiq-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
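Review bot: the unchanged line directly above the added sentence reads `Work [SpaceIQ support team](mailto:eng@spaceiq.com) to add the users`, missing the word `with`; since this hunk already edits the section, fix it to `Work with [SpaceIQ support team](mailto:eng@spaceiq.com)`. That same line still names Britta Simon, whereas the hunk header above shows the tutorial's test user as B.Simon (`In this section, you'll enable B.Simon to use Azure single sign-on`), so align the name as well.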
active-directory Templafy Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-tutorial.md
Previously updated : 06/03/2021 Last updated : 09/02/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Templafy SAML2 supports **SP** initiated SSO. * Templafy SAML2 supports **Just In Time** user provisioning.
+* Templafy SAML2 supports [Automated user provisioning](templafy-saml-2-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Templafy SAML2** side, you need to send the **A
In this section, a user called B.Simon is created in Templafy SAML2. Templafy SAML2 supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Templafy SAML2, a new one is created after authentication.
+Templafy SAML2 also supports automatic user provisioning, you can find more details [here](./templafy-saml-2-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
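Review bot: the section now states both that Templafy SAML2 creates users just-in-time by default with no action required and that it supports automated user provisioning, without saying how the two paths relate; add a sentence on whether just-in-time creation should be left enabled when automated provisioning is configured, and on how an account created by one path is matched by the other, so readers are not left to guess which mechanism owns the user record. The added sentence is also a comma splice with a bare "here" link; split it and use the provisioning tutorial's title as the link text.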
active-directory Terratrue Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/terratrue-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with TerraTrue | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and TerraTrue.
++++++++ Last updated : 09/01/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with TerraTrue
+
+In this tutorial, you'll learn how to integrate TerraTrue with Azure Active Directory (Azure AD). When you integrate TerraTrue with Azure AD, you can:
+
+* Control in Azure AD who has access to TerraTrue.
+* Enable your users to be automatically signed-in to TerraTrue with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+
+* TerraTrue single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* TerraTrue supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add TerraTrue from the gallery
+
+To configure the integration of TerraTrue into Azure AD, you need to add TerraTrue from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TerraTrue** in the search box.
+1. Select **TerraTrue** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for TerraTrue
+
+Configure and test Azure AD SSO with TerraTrue using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TerraTrue.
+
+To configure and test Azure AD SSO with TerraTrue, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure TerraTrue SSO](#configure-terratrue-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create TerraTrue test user](#create-terratrue-test-user)** - to have a counterpart of B.Simon in TerraTrue that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **TerraTrue** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
+
+ In the **Reply URL** text box, type a URL using the following pattern:
+ `https://launch.terratrue.com/idp-sso-login/<CUSTOMER-ID>`
+
+ > [!NOTE]
+ > This value is not real. Update this value with the actual Reply URL. Contact [TerraTrue Client support team](mailto:hello@terratrue.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://launch.terratrue.com/`
+
+1. Your TerraTrue application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but TerraTrue expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TerraTrue.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TerraTrue**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure TerraTrue SSO
+
+To configure single sign-on on **TerraTrue** side, you need to send the **App Federation Metadata Url** to [TerraTrue support team](mailto:hello@terratrue.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create TerraTrue test user
+
+In this section, you create a user called Britta Simon in TerraTrue. Work with [TerraTrue support team](mailto:hello@terratrue.com) to add the users in the TerraTrue platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to TerraTrue Sign on URL where you can initiate the login flow.
+
+* Go to TerraTrue Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the TerraTrue for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the TerraTrue tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TerraTrue for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure TerraTrue you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
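Review bot: `### Create TerraTrue test user` says `you create a user called Britta Simon in TerraTrue` while the rest of this new file uses B.Simon (`Configure and test Azure AD SSO with TerraTrue using a test user called **B.Simon**`); use B.Simon throughout. In the attribute-mapping step, the text tells readers to map **Unique User Identifier** to **user.mail** or to `the appropriate attribute value based on your organization configuration`; state that whichever attribute is chosen must be populated and unique for every user who will sign in, because it is the value TerraTrue expects to identify the user, and name the fallback for accounts that have no mail value, since the current wording leaves that decision open. Smaller points: the `#### SP initiated:` and `#### IDP initiated:` headings jump from H2 to H4; the two SP bullets spell the same field `Sign on URL` and `Sign-on URL`; and `organizationΓÇÖs` in Next steps carries a mojibake apostrophe.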
active-directory Thrive Lxp Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/thrive-lxp-tutorial.md
Previously updated : 03/10/2021 Last updated : 09/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Thrive LXP supports **SP** initiated SSO.
+* Thrive LXP supports [Automated user provisioning](thrive-lxp-provisioning-tutorial.md).
## Adding Thrive LXP from the gallery
To configure the integration of Thrive LXP into Azure AD, you need to add Thrive
1. In the **Add from the gallery** section, type **Thrive LXP** in the search box. 1. Select **Thrive LXP** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Thrive LXP Configure and test Azure AD SSO with Thrive LXP using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Thrive LXP.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Thrive LXP** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
To configure single sign-on on **Thrive LXP** side, you need to send the downloa
In this section, you create a user called Britta Simon in Thrive LXP. Work with [Thrive LXP support team](mailto:support@thrivelearning.com) to add the users in the Thrive LXP platform. Users must be created and activated before you use single sign-on.
+Thrive LXP also supports automatic user provisioning, you can find more details [here](./thrive-lxp-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Timeclock 365 Saml Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/timeclock-365-saml-tutorial.md
Previously updated : 01/28/2021 Last updated : 09/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Timeclock 365 SAML supports **SP** initiated SSO
+* Timeclock 365 SAML supports **SP** initiated SSO.
+* Timeclock 365 SAML supports [Automated user provisioning](timeclock-365-provisioning-tutorial.md).
## Adding Timeclock 365 SAML from the gallery
To configure the integration of Timeclock 365 SAML into Azure AD, you need to ad
1. In the **Add from the gallery** section, type **Timeclock 365 SAML** in the search box. 1. Select **Timeclock 365 SAML** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Timeclock 365 SAML Configure and test Azure AD SSO with Timeclock 365 SAML using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Timeclock 365 SAML.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Create** button to create the test user.
+> [!NOTE]
+> Timeclock 365 SAML also supports automatic user provisioning, you can find more details [here](./timeclock-365-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
* You can use Microsoft My Apps. When you click the Timeclock 365 SAML tile in the My Apps, this will redirect to Timeclock 365 SAML Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps
-Once you configure Timeclock 365 SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Timeclock 365 SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
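Review bot: the `-`/`+` pair for the Next steps sentence is identical on the page, so the only change is invisible (most likely trailing whitespace or a line-ending change); confirm that is intended. Since the line is being rewritten anyway, replace the mojibake `ΓÇÖ` in `organizationΓÇÖs` with a plain apostrophe rather than re-adding it unchanged.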
active-directory Travelperk Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/travelperk-tutorial.md
Previously updated : 08/11/2021 Last updated : 09/02/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* TravelPerk supports **Just In Time** user provisioning.
+* TravelPerk supports [Automated user provisioning](travelperk-provisioning-tutorial.md).
+ ## Add TravelPerk from the gallery To configure the integration of TravelPerk into Azure AD, you need to add TravelPerk from the gallery to your list of managed SaaS apps.
To configure single sign-on on **TravelPerk** side, you need to send the downloa
In this section, a user called B.Simon is created in TravelPerk. TravelPerk supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in TravelPerk, a new one is created when you attempt to access TravelPerk.
+TravelPerk also supports automatic user provisioning, you can find more details [here](./travelperk-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Tribeloo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tribeloo-tutorial.md
Previously updated : 11/19/2020 Last updated : 09/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Tribeloo supports **SP** initiated SSO
+* Tribeloo supports **SP** initiated SSO.
+* Tribeloo supports [Automated user provisioning](tribeloo-provisioning-tutorial.md).
## Adding Tribeloo from the gallery
To configure the integration of Tribeloo into Azure AD, you need to add Tribeloo
1. In the **Add from the gallery** section, type **Tribeloo** in the search box. 1. Select **Tribeloo** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Tribeloo Configure and test Azure AD SSO with Tribeloo using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Tribeloo.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Tribeloo** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Tribeloo** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
To configure single sign-on on **Tribeloo** side, you need to send the downloade
In this section, you create a user called Britta Simon in Tribeloo. Work with [Tribeloo support team](mailto:support@tribeloo.com) to add the users in the Tribeloo platform. Users must be created and activated before you use single sign-on.
+Tribeloo also supports automatic user provisioning, you can find more details [here](./tribeloo-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
* You can use Microsoft My Apps. When you click the Tribeloo tile in the My Apps, this will redirect to Tribeloo Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure Tribeloo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Velpicsaml Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/velpicsaml-tutorial.md
Previously updated : 10/01/2019 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Velpic SAML with Azure Active Di
* Enable your users to be automatically signed-in to Velpic SAML with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Velpic SAML supports **SP** initiated SSO
+* Velpic SAML supports **SP** initiated SSO.
+* Velpic SAML supports [Automated user provisioning](velpic-provisioning-tutorial.md).
## Adding Velpic SAML from the gallery To configure the integration of Velpic SAML into Azure AD, you need to add Velpic SAML from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Velpic SAML** in the search box. 1. Select **Velpic SAML** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Velpic SAML
+## Configure and test Azure AD SSO for Velpic SAML
Configure and test Azure AD SSO with Velpic SAML using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Velpic SAML.
-To configure and test Azure AD SSO with Velpic SAML, complete the following building blocks:
+To configure and test Azure AD SSO with Velpic SAML, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Velpic SAML, complete the following buil
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Velpic SAML** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Velpic SAML** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<sub-domain>.velpicsaml.net`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Velpic SAML**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. Click on **Manage** tab and go to **Integration** section where you need to click on **Plugins** button to create new plugin for Sign-In.
- ![Screenshot shows the Integration page where you can select Plugins.](./media/velpicsaml-tutorial/velpic_1.png)
+ ![Screenshot shows the Integration page where you can select Plugins.](./media/velpicsaml-tutorial/plugin.png)
-5. Click on the **ΓÇÿAdd pluginΓÇÖ** button.
+5. Click on the **Add plugin** button.
- ![Screenshot shows the Add Plugin button selected.](./media/velpicsaml-tutorial/velpic_2.png)
+ ![Screenshot shows the Add Plugin button selected.](./media/velpicsaml-tutorial/add-button.png)
6. Click on the **SAML** tile in the Add Plugin page.
- ![Screenshot shows SAML selected in the Add Plugin page.](./media/velpicsaml-tutorial/velpic_3.png)
+ ![Screenshot shows SAML selected in the Add Plugin page.](./media/velpicsaml-tutorial/integration.png)
-7. Enter the name of the new SAML plugin and click the **ΓÇÿAddΓÇÖ** button.
+7. Enter the name of the new SAML plugin and click the **Add** button.
- ![Screenshot shows the Add new SAML plugin dialog box with Azure A D entered.](./media/velpicsaml-tutorial/velpic_4.png)
+ ![Screenshot shows the Add new SAML plugin dialog box with Azure A D entered.](./media/velpicsaml-tutorial/new-plugin.png)
8. Enter the details as follows:
- ![Screenshot shows the Azure A D page where you can enter the values described.](./media/velpicsaml-tutorial/velpic_5.png)
+ ![Screenshot shows the Azure A D page where you can enter the values described.](./media/velpicsaml-tutorial/details.png)
a. In the **Name** textbox, type the name of SAML plugin.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
c. In the **Provider Metadata Config** upload the Metadata XML file which you downloaded from Azure portal.
- d. You can also choose to enable SAML just in time provisioning by enabling the **ΓÇÿAuto create new usersΓÇÖ** checkbox. If a user doesnΓÇÖt exist in Velpic and this flag is not enabled, the login from Azure will fail. If the flag is enabled the user will automatically be provisioned into Velpic at the time of login.
+ d. You can also choose to enable SAML just in time provisioning by enabling the **Auto create new users** checkbox. If a user doesnΓÇÖt exist in Velpic and this flag is not enabled, the login from Azure will fail. If the flag is enabled the user will automatically be provisioned into Velpic at the time of login.
e. Copy the **Single sign on URL** from the text box and paste it in the Azure portal.
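Review bot: step d leaves the access-control consequence of **Auto create new users** implicit: once it is enabled, any account that completes the Azure AD sign-in for this app is created in Velpic at first login, so the Users and groups assignment made in the Azure AD section above becomes the only gate on who receives a Velpic account. Suggest one added sentence, e.g. "Leave the checkbox cleared if you want Velpic accounts to be created only by an administrator or by the provisioning integration." Also, this hunk strips the typographic quotes around the UI labels but keeps a typographic apostrophe in "doesn't"; use a plain ASCII apostrophe for consistency with the rest of the page.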
Sign into your Velpic SAML company site as an administrator and perform followin
1. Click on Manage tab and go to Users section, then click on New button to add users.
- ![add user](./media/velpicsaml-tutorial/velpic_7.png)
+ ![Add user](./media/velpicsaml-tutorial/new-user.png)
2. On the **ΓÇ£Create New UserΓÇ¥** dialog page, perform the following steps.
- ![user](./media/velpicsaml-tutorial/velpic_8.png)
+ ![User](./media/velpicsaml-tutorial/create-user.png)
a. In the **First Name** textbox, type the first name of B.
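Review bot: step 2 still wraps the dialog name in typographic quotes (“Create New User”) while steps 5 and 7 in the previous hunk had theirs removed; make it **Create New User** with no quotes for consistency. The renamed screenshots (new-user.png, create-user.png) must be added under ./media/velpicsaml-tutorial/ in the same commit, otherwise the page renders with broken images.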
Sign into your Velpic SAML company site as an administrator and perform followin
f. Click **SAVE**.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+> [!NOTE]
+> Velpic SAML also supports automatic user provisioning, you can find more details [here](./velpic-provisioning-tutorial.md) on how to configure automatic user provisioning.
-1. When you click the Velpic SAML tile in the Access Panel, you should get login page of Velpic SAML application. You should see the **ΓÇÿLog In With Azure ADΓÇÖ** button on the sign in page.
-
- ![Screenshot shows the Learning Portal with Log In With Azure A D selected.](./media/velpicsaml-tutorial/velpic_6.png)
+## Test SSO
-1. Click on the **ΓÇÿLog In With Azure ADΓÇÖ** button to log in to Velpic using your Azure AD account.
+In this section, you test your Azure AD single sign-on configuration using the My Apps.
-## Additional resources
+1. When you click the Velpic SAML tile in the My Apps, you should get login page of Velpic SAML application. You should see the **Log In With Azure AD** button on the sign in page.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+ ![Screenshot shows the Learning Portal with Log In With Azure A D selected.](./media/velpicsaml-tutorial/login.png)
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+1. Click on the **Log In With Azure AD** button to log in to Velpic using your Azure AD account.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Velpic SAML with Azure AD](https://aad.portal.azure.com/)
+Once you configure Velpic SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
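Review bot: the Next steps link now points at /cloud-app-security/proxy-deployment-aad, while the Vonage tutorial in this same commit keeps /cloud-app-security/proxy-deployment-any-app; those are two different pages, so the target should be chosen deliberately and applied consistently across the tutorials. The new NOTE under Create Velpic SAML test user repeats the "supports Automated user provisioning" bullet added in the scenario description; one of the two is enough. Minor wording: "you should get login page of Velpic SAML application" reads better as "you should see the Velpic SAML login page", and "in the My Apps" as "in My Apps".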
active-directory Visibly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/visibly-tutorial.md
Previously updated : 08/14/2020 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Visibly with Azure Active Direct
* Enable your users to be automatically signed-in to Visibly with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Visibly supports **SP** initiated SSO
-
-* Once you configure Visibly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Visibly supports **SP** initiated SSO.
+* Visibly supports [Automated user provisioning](visibly-provisioning-tutorial.md).
-## Adding Visibly from the gallery
+## Add Visibly from the gallery
To configure the integration of Visibly into Azure AD, you need to add Visibly from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Visibly** in the search box. 1. Select **Visibly** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Visibly Configure and test Azure AD SSO with Visibly using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Visibly.
-To configure and test Azure AD SSO with Visibly, complete the following building blocks:
+To configure and test Azure AD SSO with Visibly, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Visibly, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Visibly** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Visibly** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
b. In the **Reply URL** text box, type the URL: `https://api.visibly.io/api/v1/verifyResponse` - 1. Visibly application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ![image](common/default-attributes.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Visibly** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Visibly**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Visibly SSO
-1. Login into Visibly using your credentials.
+1. Sign in to Visibly using your credentials.
-1. Navigate to the **settings** option from the navigation menu.
+1. Navigate to the **Settings** option from the navigation menu.
![Screenshot shows the settings option selected.](./media/visibly-tutorial/settings.png)
-1. Click on **Integrations** within Settings.
+1. Click **Integrations** within Settings.
![Screenshot shows Integrations selected from the Settings menu.](./media/visibly-tutorial/integrations.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
a. In the **Entity ID** textbox, paste the **Entity ID** value which you have copied from the Azure portal.
- b. In the **SSO URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
+ b. In the **SSO url** textbox, paste the **Login URL** value which you have copied from the Azure portal.
c. In the **SSO name** textbox, give any valid name. d. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **Certificate** textbox or you can also upload the **Certificate** by selecting the **Upload Certificate**.
- e. Click on **Save**
+ e. Click **Save**.
### Create Visibly test user In this section, a user called B.Simon is created in Visibly. Visibly supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Visibly, a new one is created after authentication.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+Visibly also supports automatic user provisioning, you can find more details [here](./visibly-provisioning-tutorial.md) on how to configure automatic user provisioning.
-When you click the Visibly tile in the Access Panel, you should be automatically signed in to the Visibly for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+## Test SSO
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click **Test this application** in Azure portal. This will redirect to Visibly Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Visibly Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Visibly tile in the My Apps, this will redirect to Visibly Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Visibly with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Visibly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
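Review bot: the added sentence "Visibly also supports automatic user provisioning, you can find more details [here](...)" is a comma splice with a bare "here" link, and unlike the Velpic and Vonage hunks it is not wrapped in a `> [!NOTE]` block; suggest "> [!NOTE] > Visibly also supports automatic user provisioning. For details, see [the Visibly provisioning tutorial](./visibly-provisioning-tutorial.md)." (link text is a suggestion). "with following options" should read "with the following options". In the Configure Visibly SSO steps, step b changes the label to **SSO url** while the sibling labels in a and c (**Entity ID**, **SSO name**) keep their capitalization; confirm the lower-case "url" matches the Visibly UI rather than being a typo.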
active-directory Visitly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/visitly-tutorial.md
Previously updated : 10/16/2019 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Visitly with Azure Active Direct
* Enable your users to be automatically signed-in to Visitly with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Visitly supports **IDP** initiated SSO
+* Visitly supports **IDP** initiated SSO.
+* Visitly supports [Automated user provisioning](visitly-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Visitly from the gallery
+## Add Visitly from the gallery
To configure the integration of Visitly into Azure AD, you need to add Visitly from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Visitly** in the search box. 1. Select **Visitly** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Visitly
+## Configure and test Azure AD SSO for Visitly
Configure and test Azure AD SSO with Visitly using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Visitly.
-To configure and test Azure AD SSO with Visitly, complete the following building blocks:
+To configure and test Azure AD SSO with Visitly, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Visitly, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Visitly** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Visitly** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Visitly**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
To configure single sign-on on **Visitly** side, you need to send the downloaded
In this section, you create a user called Britta Simon in Visitly. Work with [Visitly support team](mailto:support@visitly.io) to add the users in the Visitly platform. Users must be created and activated before you use single sign-on.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+Visitly also supports automatic user provisioning, you can find more details [here](./visitly-provisioning-tutorial.md) on how to configure automatic user provisioning.
-When you click the Visitly tile in the Access Panel, you should be automatically signed in to the Visitly for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+## Test SSO
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click **Test this application** in Azure portal and you should be automatically signed in to the Visitly for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Visitly tile in the My Apps, you should be automatically signed in to the Visitly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Visitly with Azure AD](https://aad.portal.azure.com/)
+Once you configure Visitly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
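Review bot: same two issues as the Visibly test section in this commit: the added provisioning sentence is a comma splice with a bare "here" link and is not wrapped in `> [!NOTE]` as the Velpic and Vonage hunks are, and "with following options" is missing "the". Since the preceding paragraph says users must be created and activated through the Visitly support team before SSO is used, make the relationship explicit, e.g. "Instead of contacting support, you can configure automatic user provisioning; see [...](./visitly-provisioning-tutorial.md)."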
active-directory Vonage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/vonage-tutorial.md
Previously updated : 11/24/2020 Last updated : 09/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. -
-* vonage supports **SP and IDP** initiated SSO
+* vonage supports **SP and IDP** initiated SSO.
+* vonage supports [Automated user provisioning](vonage-provisioning-tutorial.md).
## Adding vonage from the gallery
To configure the integration of vonage into Azure AD, you need to add vonage fro
1. In the **Add from the gallery** section, type **vonage** in the search box. 1. Select **vonage** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for vonage Configure and test Azure AD SSO with vonage using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in vonage.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **vonage** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`wso2is-<ENVIRONMENT>` b. In the **Reply URL** text box, type a URL using the following pattern:
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up vonage** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Go to the **Phone System > Users > Add New**.
- ![add user page](./media/vonage-tutorial/add-user.png)
+ ![Add user page](./media/vonage-tutorial/add-user.png)
+
+1. Add the required fields in the following page and click **Save**.
-1. Add the required fields in the following page and click on **Save**.
+ ![Add user form page](./media/vonage-tutorial/add-user-2.png)
- ![add user form page](./media/vonage-tutorial/add-user-2.png)
+> [!NOTE]
+> vonage also supports automatic user provisioning, you can find more details [here](./vonage-provisioning-tutorial.md) on how to configure automatic user provisioning.
## Test SSO
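Review bot: "Add the required fields in the following page and click **Save**" is awkward; "Fill in the required fields on the following page and click **Save**" matches the phrasing used elsewhere in the tutorial. The alt-text capitalization changes are fine.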
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to vonage Sign on URL where you can initiate the login flow.
+* Click **Test this application** in Azure portal. This will redirect to vonage Sign on URL where you can initiate the login flow.
* Go to vonage Sign-on URL directly and initiate the login flow from there. #### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the vonage for which you set up the SSO
+* Click **Test this application** in Azure portal and you should be automatically signed in to the vonage for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the vonage tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the vonage for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ## Next steps
-Once you configure vonage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure vonage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
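Review bot: the IDP-initiated bullet still ends without a period ("...for which you set up the SSO") while the SP-initiated bullet in the same hunk was given one; add it. The final removed/added pair under Next steps shows no visible difference; if the change is only whitespace or line endings, drop it from the commit. This tutorial also keeps /cloud-app-security/proxy-deployment-any-app while Velpic, Visibly and Visitly in the same commit move to /cloud-app-security/proxy-deployment-aad; pick one target and use it consistently.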
active-directory Wedo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wedo-tutorial.md
Previously updated : 01/22/2020 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate WEDO with Azure Active Directory
* Enable your users to be automatically signed-in to WEDO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* WEDO supports **SP and IDP** initiated SSO
-
-* [Once you configure the WEDO you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* WEDO supports **SP and IDP** initiated SSO.
+* WEDO supports [Automated user provisioning](wedo-provisioning-tutorial.md).
-## Adding WEDO from the gallery
+## Add WEDO from the gallery
To configure the integration of WEDO into Azure AD, you need to add WEDO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **WEDO** in the search box. 1. Select **WEDO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for WEDO
+## Configure and test Azure AD SSO for WEDO
Configure and test Azure AD SSO with WEDO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in WEDO.
-To configure and test Azure AD SSO with WEDO, complete the following building blocks:
+To configure and test Azure AD SSO with WEDO, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure WEDO SSO](#configure-wedo-sso)** - to configure the single sign-on settings on application side.
- * **[Create WEDO test user](#create-wedo-test-user)** - to have a counterpart of B.Simon in WEDO that is linked to the Azure AD representation of user.
+ 1. **[Create WEDO test user](#create-wedo-test-user)** - to have a counterpart of B.Simon in WEDO that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **WEDO** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **WEDO** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.wedo.swiss/sp/acs`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **WEDO**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
Follow these steps to enable Azure AD SSO in WEDO.
c. Open the downloaded **Federation Metadata XML** from Azure portal into Notepad and copy the content of metadata XML and paste it into **X.509 Certificate** textbox.
- d. Click on **Save**
+ d. Click **Save**.
### Create WEDO test user
-In this section, you'll create a test user in WEDO called Bob Simon. Information must matches from *Create an Azure AD test user*.
+In this section, you'll create a test user in WEDO called Bob Simon. Information must matches from **Create an Azure AD test user**.
-1. From the Profile setting in WEDO, select **Users** from *Network settings* section.
+1. From the Profile setting in WEDO, select **Users** from **Network settings** section.
1. Click **Add user**. 1. In the Add user popup, fill the user's information
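Review bot: the grammar error survives the rewrite at "Information must matches from **Create an Azure AD test user**"; since this line is touched anyway, make it "The information must match the values from **Create an Azure AD test user**." In the same hunk, "select **Users** from **Network settings** section" needs "the" before **Network settings**, and "In the Add user popup, fill the user's information" is missing its trailing period.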
In this section, you'll create a test user in WEDO called Bob Simon. Information
e. Click **Create user**.
- f. In the *Select teams* page, click **Save**.
+ f. In the **Select teams** page, click **Save**.
- g. In the *Invite user* page, click **Yes**.
+ g. In the **Invite user** page, click **Yes**.
1. Validate the user using the link you received by email > [!NOTE] > If you want to create a fake user (email above does not exist in your network), contact [our support](mailto:info@wedo.swiss) to validate the user*.
+> [!NOTE]
+> WEDO also supports automatic user provisioning, you can find more details [here](./wedo-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with the following options.
-When you click the WEDO tile in the Access Panel, you should be automatically signed in to the WEDO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click **Test this application** in Azure portal. This will redirect to WEDO Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to WEDO Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click **Test this application** in Azure portal and you should be automatically signed in to the WEDO for which you set up the SSO.
-- [Try WEDO with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the WEDO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the WEDO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect WEDO with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure WEDO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
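Review bot: the added Next steps line contains mojibake, "organizationΓÇÖs" should read "organization's" (the curly apostrophe was mis-decoded when the line was written). Elsewhere in this hunk: the new note "WEDO also supports automatic user provisioning, you can find more details [here](./wedo-provisioning-tutorial.md) on how to configure automatic user provisioning." is a comma splice with a bare "here" link; split it into two sentences and use descriptive link text. The SP-initiated bullets say "WEDO Sign on URL" in one line and "WEDO Sign-on URL" in the next; pick one spelling. The retained context line ending "to validate the user*." has a stray asterisk that should be removed while this section is being edited.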
active-directory Workgrid Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workgrid-tutorial.md
Previously updated : 04/15/2019 Last updated : 09/02/2021 # Tutorial: Azure Active Directory integration with Workgrid
-In this tutorial, you learn how to integrate Workgrid with Azure Active Directory (Azure AD).
-Integrating Workgrid with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Workgrid with Azure Active Directory (Azure AD). When you integrate Workgrid with Azure AD, you can:
-* You can control in Azure AD who has access to Workgrid.
-* You can enable your users to be automatically signed-in to Workgrid (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Workgrid.
+* Enable your users to be automatically signed-in to Workgrid with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Workgrid, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Workgrid single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Workgrid single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Workgrid supports **SP** initiated SSO
-* Workgrid supports **Just In Time** user provisioning
+* Workgrid supports **SP** initiated SSO.
+* Workgrid supports **Just In Time** user provisioning.
+* Workgrid supports [Automated user provisioning](workgrid-provisioning-tutorial.md).
-## Adding Workgrid from the gallery
+## Add Workgrid from the gallery
To configure the integration of Workgrid into Azure AD, you need to add Workgrid from the gallery to your list of managed SaaS apps.
-**To add Workgrid from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Workgrid**, select **Workgrid** from result panel then click **Add** button to add the application.
-
- ![Workgrid in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Workgrid** in the search box.
+1. Select **Workgrid** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Workgrid based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Workgrid needs to be established.
+## Configure and test Azure AD SSO for Workgrid
-To configure and test Azure AD single sign-on with Workgrid, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Workgrid using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Workgrid.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Workgrid Single Sign-On](#configure-workgrid-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Workgrid test user](#create-workgrid-test-user)** - to have a counterpart of Britta Simon in Workgrid that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Workgrid, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Workgrid SSO](#configure-workgrid-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Workgrid test user](#create-workgrid-test-user)** - to have a counterpart of B.Simon in Workgrid that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Workgrid, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Workgrid** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Workgrid** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set-up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Workgrid Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<COMPANYCODE>.workgrid.com/console`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
`urn:amazon:cognito:sp:us-east-1_<poolid>` > [!NOTE]
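Review bot: step numbering is left inconsistent in this hunk: the portal steps above are rewritten as "1." list items, but the unchanged line "4. On the **Basic SAML Configuration** section, perform the following steps:" keeps its old explicit number and will render out of sequence; renumber it to "1." to match the rest of the list. The change from "type a URL" to "type a value" for the `urn:amazon:cognito:sp:us-east-1_<poolid>` identifier is correct, since that pattern is a URN rather than a URL.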
To configure Azure AD single sign-on with Workgrid, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Workgrid Single Sign-On
-
-To configure single sign-on on **Workgrid** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Workgrid support team](mailto:support@workgrid.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Workgrid.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Workgrid**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Workgrid.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Workgrid**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Workgrid**.
+## Configure Workgrid SSO
- ![The Workgrid link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Workgrid** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Workgrid support team](mailto:support@workgrid.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Workgrid test user In this section, a user called Britta Simon is created in Workgrid. Workgrid supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Workgrid, a new one is created when you attempt to access Workgrid.
-### Test single sign-on
+Workgrid also supports automatic user provisioning, you can find more details [here](./workgrid-provisioning-tutorial.md) on how to configure automatic user provisioning.
+
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Workgrid tile in the Access Panel, you should be automatically signed in to the Workgrid for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Workgrid Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Workgrid Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Workgrid tile in the My Apps, this will redirect to Workgrid Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Workgrid you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
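Review bot: the test user name is now inconsistent: this hunk renames the test user to **B.Simon** in "Configure and test Azure AD SSO for Workgrid" and "Create an Azure AD test user", but the unchanged "Create Workgrid test user" line still says "a user called Britta Simon is created in Workgrid"; update it to B.Simon so the just-in-time provisioning step matches the account the reader actually created. The new sentence "Workgrid also supports automatic user provisioning, you can find more details [here](./workgrid-provisioning-tutorial.md) ..." is a comma splice and is added as a plain paragraph, whereas the WEDO and Workteam changes in this same set wrap the equivalent sentence in a `> [!NOTE]` callout; make the treatment consistent. Also "with following options" is missing "the", and the Next steps line carries the "ΓÇÖ" mojibake in "organizationΓÇÖs".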
active-directory Workteam Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workteam-tutorial.md
Previously updated : 09/19/2019 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Workteam with Azure Active Direc
* Enable your users to be automatically signed-in to Workteam with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Workteam supports **SP and IDP** initiated SSO
+* Workteam supports **SP and IDP** initiated SSO.
+* Workteam supports [Automated user provisioning](workteam-provisioning-tutorial.md).
-## Adding Workteam from the gallery
+## Add Workteam from the gallery
To configure the integration of Workteam into Azure AD, you need to add Workteam from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Workteam** in the search box. 1. Select **Workteam** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Workteam
+## Configure and test Azure AD SSO for Workteam
Configure and test Azure AD SSO with Workteam using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Workteam.
-To configure and test Azure AD SSO with Workteam, complete the following building blocks:
+To configure and test Azure AD SSO with Workteam, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Workteam, complete the following buildin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Workteam** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Workteam** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.workte.am` 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Workteam**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Workteam SSO
+## Configure Workteam SSO
1. To automate the configuration within Workteam, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. In the top right corner click on **profile logo** and then click on **Organization settings**.
- ![Workteam settings](./media/workteam-tutorial/tutorial_workteam_settings.png)
+ ![Screenshot shows the Workteam settings.](./media/workteam-tutorial/settings.png)
5. Under **AUTHENTICATION** section, click on **Settings logo**.
- ![Workteam azure](./media/workteam-tutorial/tutorial_workteam_azure.png)
+ ![Screenshot shows the Workteam azure.](./media/workteam-tutorial/azure.png)
6. On the **SAML Settings** page, perform the following steps:
- ![Workteam saml](./media/workteam-tutorial/tutorial_workteam_saml.png)
+ ![Screenshot shows the Workteam SAML.](./media/workteam-tutorial/certificate.png)
a. Select **SAML IdP** as **AD Azure**.
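Review bot: the new alt text "Screenshot shows the Workteam azure." is not descriptive; given the step it illustrates ("Under **AUTHENTICATION** section, click on **Settings logo**"), something like "Screenshot shows the Authentication settings in Workteam." would serve screen-reader users better. The third rename changes the file from tutorial_workteam_saml.png to certificate.png while the alt text still says "Workteam SAML"; confirm the renamed image is the **SAML Settings** page referenced in step 6 and not a certificate upload dialog. The retained step text "Select **SAML IdP** as **AD Azure**" also looks like a transposition of "Azure AD" and is worth fixing while the section is being edited.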
To enable Azure AD users to sign in to Workteam, they must be provisioned into W
2. On the top middle of the **Organization settings** page, click **USERS** and then click **NEW USER**.
- ![Workteam user](./media/workteam-tutorial/tutorial_workteam_user.png)
+ ![Screenshot shows the Workteam user.](./media/workteam-tutorial/user.png)
3. On the **New employee** page, perform the following steps:
- ![Workteam new user](./media/workteam-tutorial/tutorial_workteam_newuser.png)
+ ![Screenshot shows the Workteam new user.](./media/workteam-tutorial/new-user.png)
a. In the **Name** text box, enter the first name of user like **B.Simon**.
To enable Azure AD users to sign in to Workteam, they must be provisioned into W
c. Click **OK**.
+> [!NOTE]
+> Workteam also supports automatic user provisioning, you can find more details [here](./workteam-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Workteam Sign on URL where you can initiate the login flow.
-When you click the Workteam tile in the Access Panel, you should be automatically signed in to the Workteam for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Workteam Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Workteam for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Workteam tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Workteam for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Workteam with Azure AD](https://aad.portal.azure.com/)
+Once you configure Workteam you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
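Review bot: the added Next steps line has the same mojibake as the other tutorials in this set, "organizationΓÇÖs" should be "organization's". The new note "Workteam also supports automatic user provisioning, you can find more details [here](./workteam-provisioning-tutorial.md) ..." is a comma splice with a bare "here" link. "with following options" is missing "the", and the SP-initiated bullets alternate between "Workteam Sign on URL" and "Workteam Sign-on URL"; use one spelling.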
active-directory Zip Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zip-tutorial.md
Previously updated : 04/28/2021 Last updated : 09/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Zip supports **SP and IDP** initiated SSO.
+* Zip supports [Automated user provisioning](zip-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure single sign-on on **Zip** side, you need to send the downloaded **C
In this section, you create a user called Britta Simon in Zip. Work with [Zip support team](mailto:support@tryevergreen.com) to add the users in the Zip platform. Users must be created and activated before you use single sign-on.
+Zip also supports automatic user provisioning, you can find more details [here](./zip-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
You can also use Microsoft My Apps to test the application in any mode. When you click the Zip tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Zip for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure Zip you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
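Review bot: the new sentence "Zip also supports automatic user provisioning, you can find more details [here](./zip-provisioning-tutorial.md) ..." is a comma splice and is inserted as a plain paragraph, while the WEDO and Workteam hunks in this change use a `> [!NOTE]` callout for the same sentence; align it. The unchanged Next steps context links to /cloud-app-security/proxy-deployment-any-app, whereas every other tutorial in this set links to /cloud-app-security/proxy-deployment-aad; confirm the different target is intentional for Zip. That context line also contains the "ΓÇÖ" mojibake and could be fixed in the same commit.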
active-directory Zscaler Beta Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-beta-tutorial.md
Previously updated : 12/18/2020 Last updated : 09/02/2021
In this tutorial, you learn how to integrate Zscaler Beta with Azure Active Directory (Azure AD). When you integrate Zscaler Beta with Azure AD, you can: -- Control in Azure AD who has access to Zscaler Beta.-- Allow your users to be automatically signed in to Zscaler Beta with their Azure AD accounts. This access control is called single sign-on (SSO).-- Manage your accounts in one central location by using the Azure portal.
+* Control in Azure AD who has access to Zscaler Beta.
+* Allow your users to be automatically signed in to Zscaler Beta with their Azure AD accounts. This access control is called single sign-on (SSO).
+* Manage your accounts in one central location by using the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler Beta, you need the following items: -- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).-- A Zscaler Beta subscription that uses single sign-on.
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* A Zscaler Beta subscription that uses single sign-on.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. -- Zscaler Beta supports **SP** initiated SSO.-- Zscaler Beta supports **Just In Time** user provisioning.
+* Zscaler Beta supports **SP** initiated SSO.
+* Zscaler Beta supports **Just In Time** user provisioning.
+* Zscaler Beta supports [Automated user provisioning](zscaler-beta-provisioning-tutorial.md).
## Adding Zscaler Beta from the gallery
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. Go to **Administration** > **Authentication** > **Authentication Settings**, and follow these steps.
- ![Administration](./media/zscaler-beta-tutorial/ic800206.png "Administration")
+ ![Administration](./media/zscaler-beta-tutorial/settings.png "Administration")
a. Under **Authentication Type**, select **SAML**. b. Select **Configure SAML**. 5. In the **Edit SAML** window, follow these steps:
- ![Manage Users & Authentication](./media/zscaler-beta-tutorial/ic800208.png "Manage Users & Authentication")
+ ![Manage Users & Authentication](./media/zscaler-beta-tutorial/certificate.png "Manage Users & Authentication")
a. In the **SAML Portal URL** box, paste in the **Login URL** that you copied from the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
6. On the **Configure User Authentication** dialog page, follow these steps:
- ![Activation menu and Activate button](./media/zscaler-beta-tutorial/ic800207.png)
+ ![Activation menu and Activate button](./media/zscaler-beta-tutorial/status.png)
a. Hover over the **Activation** menu at the bottom left.
To configure the proxy settings in Internet Explorer, follow these steps.
2. Select **Internet options** from the **Tools** menu to open the **Internet Options** dialog box.
- ![Internet Options dialog box](./media/zscaler-beta-tutorial/ic769492.png "Internet Options")
+ ![Internet Options dialog box](./media/zscaler-beta-tutorial/connection.png "Internet Options")
3. Select the **Connections** tab.
- ![Connections tab](./media/zscaler-beta-tutorial/ic769493.png "Connections")
+ ![Connections tab](./media/zscaler-beta-tutorial/server.png "Connections")
4. Select **LAN settings** to open the **Local Area Network (LAN) Settings** dialog box. 5. In the **Proxy server** section, follow these steps:
- ![Proxy server section](./media/zscaler-beta-tutorial/ic769494.png "Proxy server")
+ ![Proxy server section](./media/zscaler-beta-tutorial/network.png "Proxy server")
a. Select the **Use a proxy server for your LAN** check box.
In this section, the user Britta Simon is created in Zscaler Beta. Zscaler Beta
> [!Note] > To create a user manually, contact the [Zscaler Beta support team](https://www.zscaler.com/company/contact).
+> [!NOTE]
+> Zscaler Beta also supports automatic user provisioning, you can find more details [here](./zscaler-beta-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options. -- Click on **Test this application** in Azure portal. This will redirect to Zscaler Beta Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Zscaler Beta Sign-on URL where you can initiate the login flow.
-- Go to Zscaler Beta Sign-on URL directly and initiate the login flow from there.
+* Go to Zscaler Beta Sign-on URL directly and initiate the login flow from there.
-- You can use Microsoft My Apps. When you click the Zscaler Beta tile in the My Apps, this will redirect to Zscaler Beta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Zscaler Beta tile in the My Apps, this will redirect to Zscaler Beta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler Beta you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Zscaler Beta you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
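Review bot: the Next steps paragraph is removed and re-added with byte-identical visible text (`-Once you configure Zscaler Beta you can enforce session control...` / `+Once you configure Zscaler Beta you can enforce session control...`), so that part of the hunk is a no-op, most likely a trailing-whitespace or line-ending change; either drop it or make the intended edit. The conversion of the `--` bullets to `*` bullets in the intro, prerequisites and Test SSO sections is fine, but the new `[!NOTE]` block now sits directly under the existing `> [!Note]` block with different casing of the same directive; pick one form for the file.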
active-directory Zscaler One Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-one-tutorial.md
Previously updated : 05/13/2021 Last updated : 09/02/2021
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Zscaler One supports **Just In Time** user provisioning.
+* Zscaler One supports [Automated user provisioning](zscaler-one-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, a user called Britta Simon is created in Zscaler One. Zscaler O
> [!Note] > If you need to create a user manually, contact [Zscaler One support team](https://www.zscaler.com/company/contact).
+> [!NOTE]
+> Zscaler One also supports automatic user provisioning, you can find more details [here](./zscaler-one-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
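Review bot: the Scenario description now lists `* Zscaler One supports **Just In Time** user provisioning.` immediately followed by `* Zscaler One supports [Automated user provisioning](zscaler-one-provisioning-tutorial.md).`, which reads as two unrelated claims; a short clause saying these are alternative ways to create users (JIT on first sign-in versus provisioning ahead of time) would help the reader choose. The new note under the manual-creation note carries the same comma splice and "here" link text flagged on the Zip tutorial.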
active-directory Zscaler Three Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-three-tutorial.md
Previously updated : 05/11/2021 Last updated : 09/02/2021
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Zscaler Three supports **Just In Time** user provisioning.
+* Zscaler Three supports [Automated user provisioning](zscaler-three-provisioning-tutorial.md).
+ > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, a user called B.Simon is created in Zscaler Three. Zscaler Thre
> [!Note] > If you need to create a user manually, contact [Zscaler Three support team](https://www.zscaler.com/company/contact).
+> [!NOTE]
+> Zscaler Three also supports automatic user provisioning, you can find more details [here](./zscaler-three-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
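Review bot: the new block `+> [!NOTE]` is added right after the existing `> [!Note] > If you need to create a user manually...`, so the file now mixes `[!Note]` and `[!NOTE]` for the same directive; normalise the casing while touching this section. The two adjacent notes could also be merged into one, since both are about how users get created in Zscaler Three.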
active-directory Zscaler Two Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-two-tutorial.md
Previously updated : 04/06/2021 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Zscaler Two with Azure Active Directory (Azure AD). When you integrate Zscaler Two with Azure AD, you can: -- Control in Azure AD who has access to Zscaler Two.-- Enable your users to be automatically signed-in to Zscaler Two with their Azure AD accounts.-- Manage your accounts in one central location - the Azure portal.
+* Control in Azure AD who has access to Zscaler Two.
+* Enable your users to be automatically signed-in to Zscaler Two with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler Two, you need the following items: -- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).-- Zscaler Two single sign-on enabled subscription.
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Zscaler Two single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. -- Zscaler Two supports **SP** initiated SSO.
+* Zscaler Two supports **SP** initiated SSO.
-- Zscaler Two supports **Just In Time** user provisioning.
+* Zscaler Two supports **Just In Time** user provisioning.
+
+* Zscaler Two supports [Automated user provisioning](zscaler-two-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
In this section, a user called Britta Simon is created in Zscaler Two. Zscaler T
> [!Note] > If you need to create a user manually, contact [Zscaler Two support team](https://www.zscaler.com/company/contact).
+> [!NOTE]
+> Zscaler Two also supports automatic user provisioning, you can find more details [here](./zscaler-two-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options. -- Click on **Test this application** in Azure portal. This will redirect to Zscaler Two Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Zscaler Two Sign-on URL where you can initiate the login flow.
-- Go to Zscaler Two Sign-on URL directly and initiate the login flow from there.
+* Go to Zscaler Two Sign-on URL directly and initiate the login flow from there.
-- You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler Two you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Zscaler Two you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
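Review bot: a blank `+` line is inserted between `+* Zscaler Two supports **Just In Time** user provisioning.` and `+* Zscaler Two supports [Automated user provisioning](zscaler-two-provisioning-tutorial.md).` but not between the other bullets of the same list, which turns a tight list into a loose one in most Markdown renderers and makes the spacing inconsistent; remove the blank line (or add it uniformly). As in the Zscaler Beta file, the Next steps paragraph is removed and re-added unchanged, which looks like a whitespace-only no-op.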
active-directory Zscaler Zscloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-zscloud-tutorial.md
Previously updated : 12/21/2020 Last updated : 09/02/2021
In this tutorial, you'll learn how to integrate Zscaler ZSCloud with Azure Active Directory (Azure AD). When you integrate Zscaler ZSCloud with Azure AD, you can: -- Control in Azure AD who has access to Zscaler ZSCloud.-- Enable your users to be automatically signed-in to Zscaler ZSCloud with their Azure AD accounts.-- Manage your accounts in one central location - the Azure portal.
+* Control in Azure AD who has access to Zscaler ZSCloud.
+* Enable your users to be automatically signed-in to Zscaler ZSCloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler ZSCloud, you need the following items: -- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).-- Zscaler ZSCloud single sign-on enabled subscription.
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Zscaler ZSCloud single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. -- Zscaler ZSCloud supports **SP** initiated SSO
+* Zscaler ZSCloud supports **SP** initiated SSO.
-- Zscaler ZSCloud supports **Just In Time** user provisioning
+* Zscaler ZSCloud supports **Just In Time** user provisioning.
+
+* Zscaler ZSCloud supports [Automated user provisioning](zscaler-zscloud-provisioning-tutorial.md).
## Adding Zscaler ZSCloud from the gallery
In this section, you enable Britta Simon to use Azure single sign-on by granting
4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. 5. In the **Users and groups** dialog, select the user like **Britta Simon** from the list, then click the **Select** button at the bottom of the screen.
- ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_users.png)
+ ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-zscloud-tutorial/users.png)
6. From the **Select Role** dialog choose the appropriate user role in the list, then click the **Select** button at the bottom of the screen.
- ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_roles.png)
+ ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-zscloud-tutorial/roles.png)
7. In the **Add Assignment** dialog select the **Assign** button.
- ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_assign.png)
+ ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-zscloud-tutorial/assignment.png)
> [!NOTE] > Default access role is not supported as this will break provisioning, so the default role cannot be selected while assigning user.
In this section, you enable Britta Simon to use Azure single sign-on by granting
4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
- ![Screenshot shows the Zscaler site with steps as described.](./media/zscaler-zscloud-tutorial/ic800206.png "Administration")
+ ![Screenshot shows the Zscaler site with steps as described.](./media/zscaler-zscloud-tutorial/setting.png "Administration")
a. Under Authentication Type, choose **SAML**.
In this section, you enable Britta Simon to use Azure single sign-on by granting
5. On the **Edit SAML** window, perform the following steps: and click Save.
- ![Manage Users & Authentication](./media/zscaler-zscloud-tutorial/ic800208.png "Manage Users & Authentication")
+ ![Manage Users & Authentication](./media/zscaler-zscloud-tutorial/attributes.png "Manage Users & Authentication")
a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
In this section, you enable Britta Simon to use Azure single sign-on by granting
6. On the **Configure User Authentication** dialog page, perform the following steps:
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-zscloud-tutorial/ic800207.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-zscloud-tutorial/active.png)
a. Hover over the **Activation** menu near the bottom left.
In this section, you enable Britta Simon to use Azure single sign-on by granting
2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
- ![Internet Options](./media/zscaler-zscloud-tutorial/ic769492.png "Internet Options")
+ ![Internet Options](./media/zscaler-zscloud-tutorial/network.png "Internet Options")
3. Click the **Connections** tab.
- ![Connections](./media/zscaler-zscloud-tutorial/ic769493.png "Connections")
+ ![Connections](./media/zscaler-zscloud-tutorial/server.png "Connections")
4. Click **LAN settings** to open the **LAN Settings** dialog. 5. In the Proxy server section, perform the following steps:
- ![Proxy server](./media/zscaler-zscloud-tutorial/ic769494.png "Proxy server")
+ ![Proxy server](./media/zscaler-zscloud-tutorial/internet-options.png "Proxy server")
a. Select **Use a proxy server for your LAN**.
In this section, a user called Britta Simon is created in Zscaler ZSCloud. Zscal
> [!Note] > If you need to create a user manually, contact [Zscaler ZSCloud support team](https://help.zscaler.com/).
+> [!NOTE]
+> Zscaler ZSCloud also supports automatic user provisioning, you can find more details [here](./zscaler-zscloud-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ### Test SSO In this section, you test your Azure AD single sign-on configuration with following options. -- Click on **Test this application** in Azure portal. This will redirect to Zscaler ZSCloud Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Zscaler ZSCloud Sign-on URL where you can initiate the login flow.
-- Go to Zscaler ZSCloud Sign-on URL directly and initiate the login flow from there.
+* Go to Zscaler ZSCloud Sign-on URL directly and initiate the login flow from there.
-- You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler ZSCloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Zscaler ZSCloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
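Review bot: the new section is introduced as `### Test SSO` (level 3) while the sibling tutorials in this batch use `## Test SSO` and this file's following `## Next steps` is level 2, so the heading hierarchy is inconsistent; make it `## Test SSO`. The same blank-line-inside-the-list issue as in the Zscaler Two file appears between the Just In Time and Automated user provisioning bullets. While in this file, the unchanged context line `Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.` has a typo ("to open") that could be fixed in the same commit.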
aks Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-identity.md
If the identity making the request exists in Azure AD, Azure will team with Kube
In this scenario, you use Azure RBAC mechanisms and APIs to assign users built-in roles or create custom roles, just as you would with Kubernetes roles.
-With this feature, you not only give users permissions to the AKS resource across subscriptions, but you also configure the role and permissions for inside each of those clusters controlling Kubernetes API access. For example, you can grant the `Azure Kubernetes Service RBAC Viewer` role on the subscription scope. The role recipient will be able to list and get all Kubernetes objects from all clusters without modifying them.
+With this feature, you not only give users permissions to the AKS resource across subscriptions, but you also configure the role and permissions for inside each of those clusters controlling Kubernetes API access. For example, you can grant the `Azure Kubernetes Service RBAC Reader` role on the subscription scope. The role recipient will be able to list and get all Kubernetes objects from all clusters without modifying them.
> [!IMPORTANT] > You need to enable Azure RBAC for Kubernetes authorization before using this feature. For more details and step by step guidance, follow our [Use Azure RBAC for Kubernetes Authorization](manage-azure-rbac.md) how-to guide.
AKS provides the following four built-in roles. They are similar to the [Kuberne
| Role | Description | |-|--|
-| Azure Kubernetes Service RBAC Viewer | Allows read-only access to see most objects in a namespace. <br> Doesn't allow viewing roles or role bindings.<br> Doesn't allow viewing `Secrets`. Reading the `Secrets` contents enables access to `ServiceAccount` credentials in the namespace, which would allow API access as any `ServiceAccount` in the namespace (a form of privilege escalation). |
+| Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. <br> Doesn't allow viewing roles or role bindings.<br> Doesn't allow viewing `Secrets`. Reading the `Secrets` contents enables access to `ServiceAccount` credentials in the namespace, which would allow API access as any `ServiceAccount` in the namespace (a form of privilege escalation). |
| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. <br> Doesn't allow viewing or modifying roles, or role bindings. <br> Allows accessing `Secrets` and running pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. | | Azure Kubernetes Service RBAC Admin | Allows admin access, intended to be granted within a namespace. <br> Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. <br> Doesn't allow write access to resource quota or to the namespace itself. | | Azure Kubernetes Service RBAC Cluster Admin | Allows super-user access to perform any action on any resource. <br> Gives full control over every resource in the cluster and in all namespaces. |
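Review bot: the rename from `Azure Kubernetes Service RBAC Viewer` to `Azure Kubernetes Service RBAC Reader` is applied to both the example paragraph and the table row here, but the built-in role name is what users paste into `az role assignment create --role`, so please confirm the linked how-to (manage-azure-rbac.md) and any other article that still says "RBAC Viewer" are updated in the same change; a stale name there fails with an unknown-role error. The Reader row's justification for excluding `Secrets` (reading them yields `ServiceAccount` credentials and therefore API access as any ServiceAccount in the namespace) is the important security point in this table; keep it worded consistently with the Writer row, which explicitly grants that capability.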
aks Out Of Tree https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/out-of-tree.md
+
+ Title: Enable Cloud Controller Manager (Preview)
+description: Learn how to enable the Out of Tree cloud provider
++ Last updated : 8/25/2021++++
+# Enable Cloud Controller Manager (Preview)
+
+As a Cloud Provider, Microsoft Azure works closely with the Kubernetes community to support our infrastructure on behalf of users.
+
+Currently, Cloud provider integration within Kubernetes is "in-tree", where any changes to Cloud specific features must follow the standard Kubernetes release cycle. When we find, fix issues, or need to roll out enhancements, we must do this within the Kubernetes community's release cycle.
+
+The Kubernetes community is now adopting an "out-of-tree" model where the Cloud providers will control their releases independently of the core Kubernetes release schedule through the [cloud-provider-azure][cloud-provider-azure] component. We have already rolled out the Cloud Storage Interface (CSI) drivers to be the default in Kubernetes version 1.21 and above.
+
+> [!Note]
+> When enabling Cloud Controller Manager on your AKS cluster, this will also enable the out of tree CSI drivers.
+
+The Cloud Controller Manager will be the default controller from Kubernetes 1.22, supported by AKS.
+++
+## Before you begin
+
+You must have the following resource installed:
+
+* The Azure CLI
+* The `aks-preview` extension version 0.5.5 or later
+* Kubernetes version 1.20.x or above
++
+### Register the `EnableCloudControllerManager` feature flag
+
+To use the Cloud Controller Manager feature, you must enable the `EnableCloudControllerManager` feature flag on your subscription.
+
+```azurecli
+az feature register ΓÇôname EnableCloudControllerManager --namespace Microsoft.ContainerService
+```
+You can check on the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableCloudControllerManager')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+## Create an AKS cluster with Cloud Controller Manager
+
+To create a cluster using the Cloud Controller Manager, pass `EnableCloudControllerManager=True` as a customer header to the Azure API using the Azure CLI.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus
+az aks create -n aks -g myResourceGroup --aks-custom-headers EnableCloudControllerManager=True
+```
+
+## Upgrade an AKS cluster to Cloud Controller Manager
+
+To upgrade a cluster to use the Cloud Controller Manager, pass `EnableCloudControllerManager=True` as a customer header to the Azure API using the Azure CLI.
+
+```azurecli-interactive
+az aks upgrade -n aks -g myResourceGroup --aks-custom-headers EnableCloudControllerManager=True
+```
+
+## Next steps
+
+- For more information on CSI drivers, and the default behavior for Kubernetes versions above 1.21, please see our [documentation][csi-docs].
+
+- You can find more information about the Kubernetes community direction regarding Out of Tree providers on the [community blog post][community-blog].
++
+<!-- LINKS - internal -->
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[csi-docs]: csi-storage-drivers.md
+
+<!-- LINKS - External -->
+[community-blog]: https://kubernetes.io/blog/2019/04/17/the-future-of-cloud-providers-in-kubernetes
+[cloud-provider-azure]: https://github.com/kubernetes-sigs/cloud-provider-azure
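Review bot: the feature-registration command `az feature register ΓÇôname EnableCloudControllerManager --namespace Microsoft.ContainerService` uses a typographic dash (shown here as `ΓÇô`) before `name` instead of two ASCII hyphens, so it fails as pasted; it should read `az feature register --name EnableCloudControllerManager --namespace Microsoft.ContainerService`. Further points in this new article: "Cloud Storage Interface (CSI)" should be "Container Storage Interface (CSI)"; "customer header" in both the create and upgrade sections should be "custom header" (the option is `--aks-custom-headers`); the `[az-feature-register]` link reference is defined under LINKS but never used, and the sentence "you must enable the `EnableCloudControllerManager` feature flag" is the natural place for it; `az aks create -n aks -g myResourceGroup --aks-custom-headers EnableCloudControllerManager=True` gives no SSH key option, which other AKS quickstarts include via `--generate-ssh-keys`; `az aks upgrade -n aks -g myResourceGroup --aks-custom-headers EnableCloudControllerManager=True` does not say which `--kubernetes-version` the cluster moves to, which matters given the 1.20.x prerequisite and the 1.22 default mentioned above; the first fence is tagged `azurecli` while the others are `azurecli-interactive`; `> [!Note]` should be `> [!NOTE]`; "following resource installed" should be plural; and the CSI default is described as "1.21 and above" in the intro but "above 1.21" in Next steps, which are different ranges.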
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-managed-identity.md
az aks update -g <RGName> -n <AKSName> --enable-managed-identity
``` > [!NOTE] > After updating, your cluster's control plane and addon pods will switch to use managed identity, but kubelet will KEEP USING SERVICE PRINCIPAL until you upgrade your agentpool. Perform an `az aks nodepool upgrade --node-image-only` on your nodes to complete the update to managed identity. --
-> If your cluster was using --attach-acr to pull from image from ACR, after updating your cluster to Managed Identity, you need to rerun 'az aks update --attach-acr <ACR Resource ID>' to let the newly created kubelet used for managed identity get the permission to pull from ACR. Otherwise you will not be able to pull from ACR after the upgrade.
-
+>
+> If your cluster was using --attach-acr to pull from image from Azure Container Registry, after updating your cluster to Managed Identity, you need to rerun 'az aks update --attach-acr <ACR Resource ID>' to let the newly created kubelet used for managed identity get the permission to pull from ACR. Otherwise you will not be able to pull from ACR after the upgrade.
+>
+> The Azure CLI will ensure your addon's permission is correctly set after migrating, if you're not using the Azure CLI to perform the migrating operation, you will need to handle the addon identity's permission by yourself. Here is one example using [ARM](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-template).
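Review bot: the re-added ACR note keeps two wording problems from the removed line: "to pull from image from Azure Container Registry" should be "to pull images from Azure Container Registry", and "the newly created kubelet used for managed identity" should refer to the kubelet's newly created managed identity. The note would be clearer if it said why the rerun is needed, which the surrounding text already implies: the pull permission was granted to the old service principal, and the new kubelet identity has no role assignment on the registry until `az aks update --attach-acr <ACR Resource ID>` is run again. The added sentence about addon permissions is a comma splice ("...after migrating, if you're not using the Azure CLI...") and links with an absolute `https://docs.microsoft.com/azure/role-based-access-control/role-assignments-template` URL; the repo convention is a relative path such as `../role-based-access-control/role-assignments-template.md`.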
## Obtain and use the system-assigned managed identity for your AKS cluster
api-management Api Management Howto Disaster Recovery Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md
Check out the following resources for different walkthroughs of the backup/resto
[api-management-aad-resources]: ./media/api-management-howto-disaster-recovery-backup-restore/api-management-aad-resources.png [api-management-arm-token]: ./media/api-management-howto-disaster-recovery-backup-restore/api-management-arm-token.png [api-management-endpoint]: ./media/api-management-howto-disaster-recovery-backup-restore/api-management-endpoint.png
-[control-plane-ip-address]: api-management-using-with-vnet.md#control-plane-ips
+[control-plane-ip-address]: api-management-using-with-vnet.md#control-plane-ip-addresses
[azure-storage-ip-firewall]: ../storage/common/storage-network-security.md#grant-access-from-an-internet-ip-range
api-management Api Management Howto Integrate Internal Vnet Appgateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md
$apimAdminEmail = "admin@contoso.com" # administrator's email address
$apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName -Organization $apimOrganization -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer" ```
-It can take between 30 and 40 minutes to create and activate an API Management service in this tier. After the previous command succeeds, refer to [DNS Configuration required to access internal virtual network API Management service](api-management-using-with-internal-vnet.md#apim-dns-configuration) to confirm access it.
+It can take between 30 and 40 minutes to create and activate an API Management service in this tier. After the previous command succeeds, refer to [DNS Configuration required to access internal virtual network API Management service](api-management-using-with-internal-vnet.md#dns-configuration) to confirm access to it.
## Set up custom domain names in API Management
api-management Api Management Using With Internal Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-internal-vnet.md
- Title: Connect to an internal virtual network using Azure API Management-
-description: Learn how to set up and configure Azure API Management on an internal virtual network
-
+description: Learn how to set up and configure Azure API Management in a virtual network using internal mode
Previously updated : 06/08/2021 Last updated : 08/10/2021 -
-# Connect to an internal virtual network using Azure API Management
-With Azure Virtual Networks (VNETs), Azure API Management can manage internet-inaccessible APIs using several VPN technologies to make the connection. You can deploy API Management either via [external](./api-management-using-with-vnet.md) or internal modes. In this article, you'll learn how to deploy API Management in internal VNET mode.
-When API Management deploys in internal VNET mode, you can only view the following service endpoints within a VNET whose access you control.
-* The proxy gateway
+# Connect to a virtual network in internal mode using Azure API Management
+With Azure virtual networks (VNETs), Azure API Management can manage internet-inaccessible APIs using several VPN technologies to make the connection. You can deploy API Management either via [external](./api-management-using-with-vnet.md) or internal modes. For VNET connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).
+
+In this article, you'll learn how to deploy API Management in internal VNET mode. In this mode, you can only view the following service endpoints within a VNET whose access you control.
+* The API gateway
* The developer portal * Direct management * Git > [!NOTE]
-> None of the service endpoints are registered on the public DNS. The service endpoints will remain inaccessible until you [configure DNS](#apim-dns-configuration) for the VNET.
+> None of the service endpoints are registered on the public DNS. The service endpoints remain inaccessible until you [configure DNS](#dns-configuration) for the VNET.
Use API Management in internal mode to:
-* Make APIs hosted in your private datacenter securely accessible by third parties outside of it by using Azure VPN Connections or Azure ExpressRoute.
+* Make APIs hosted in your private datacenter securely accessible by third parties outside of it by using Azure VPN connections or Azure ExpressRoute.
* Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway. * Manage your APIs hosted in multiple geographic locations, using a single gateway endpoint. + [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] [!INCLUDE [premium-dev.md](../../includes/api-management-availability-premium-dev.md)] ## Prerequisites
-+ **An active Azure subscription**. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
+Some prerequisites differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) for your API Management instance.
+
+> [!TIP]
+> When you use the portal to create or update the network configuration of your API Management instance, the instance is hosted on then `stv2` compute platform.
-+ **An Azure API Management instance (supported SKUs: Developer, Premium and Isolated)**. For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
+### [stv2](#tab/stv2)
+++ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).+
+* **A virtual network and subnet** in the same region and subscription as your API Management instance. The subnet may contain other Azure resources.
[!INCLUDE [api-management-public-ip-for-vnet](../../includes/api-management-public-ip-for-vnet.md)]
-When an API Management service is deployed in a VNET, a [list of ports](./api-management-using-with-vnet.md#required-ports) are used and need to be opened.
+ > [!NOTE]
+ > When you deploy an API Management service in an internal virtual network on the `stv2` platform, it's hosted behind an internal load balancer in the [Standard SKU](../load-balancer/skus.md), using the public IP address resource.
-## <a name="enable-vpn"> </a>Creating an API Management in an internal VNET
-The API Management service in an internal virtual network is hosted behind an internal load balancer. The load balancer SKU depends on the management API used to create the service. For more information, see [Azure Load Balancer SKUs](../load-balancer/skus.md).
+### [stv1](#tab/stv1)
-| API version | Hosted behind |
-| -- | - |
-| 2020-12-01 | An internal load balancer in the Basic SKU |
-| 2020-01-01-preview, with a public IP address from your subscription | An internal load balancer Standard SKU |
++ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
-### Enable a VNET connection using the Azure portal
+* **A virtual network and subnet** in the same region and subscription as your API Management instance.
-1. Navigate to your Azure API Management instance in the [Azure portal](https://portal.azure.com/).
-1. Select **Virtual network**.
-1. Configure the **Internal** access type. For detailed steps, see [Enable VNET connectivity using the Azure portal](api-management-using-with-vnet.md#enable-vnet-connectivity-using-the-azure-portal).
+ The subnet must be dedicated to API Management instances. Attempting to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources will cause the deployment to fail.
+
+ > [!NOTE]
+ > When you deploy an API Management service in an internal virtual network on the `stv1` platform, it's hosted behind an internal load balancer in the [Basic SKU](../load-balancer/skus.md).
- ![Menu for setting up an Azure API Management in an internal VNET][api-management-using-internal-vnet-menu]
+
-4. Select **Save**.
+## Enable VNET connection
-After successful deployment, you should see your API Management service's **private** virtual IP address and **public** virtual IP address on the **Overview** blade.
+### Enable VNET connectivity using the Azure portal (`stv2` platform)
-| Virtual IP address | Description |
-| -- | -- |
-| **Private virtual IP address** | A load balanced IP address from within the API Management-delegated subnet, over which you can access `gateway`, `portal`, `management`, and `scm` endpoints. |
-| **Public virtual IP address** | Used for control plane traffic to `management` endpoint over `port 3443`. Can be locked down to the [ApiManagement][ServiceTags] service tag. In the none and external VNet configurations, they are used for incoming runtime API traffic. They are also used for outgoing runtime traffic on the internet in all VNet configurations. |
+1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
+1. Choose your API Management instance.
+1. Select **Virtual network**.
+1. Select the **Internal** access type.
+1. In the list of locations (regions) where your API Management service is provisioned:
+ 1. Choose a **Location**.
+ 1. Select **Virtual network**, **Subnet**, and **IP address**.
+ * The VNET list is populated with Resource Manager VNETs available in your Azure subscriptions, set up in the region you are configuring.
+1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new VNET and subnet choices.
+ :::image type="content" source="media/api-management-using-with-internal-vnet/api-management-using-with-internal-vnet.png" alt-text="Set up internal VNET in Azure portal":::
+1. Continue configuring VNET settings for the remaining locations of your API Management instance.
+1. In the top navigation bar, select **Save**, then select **Apply network configuration**.
+
+ It can take 15 to 45 minutes to update the API Management instance.
-![API Management dashboard with an internal VNET configured][api-management-internal-vnet-dashboard]
+After successful deployment, you should see your API Management service's **private** virtual IP address and **public** virtual IP address on the **Overview** blade. For more information about the IP addresses, see [Routing](#routing) in this article.
+ > [!NOTE]
-> Since the Gateway URL is not registered on the public DNS, the test console available on the Azure portal will not work for **Internal** VNET deployed service. Instead, use the test console provided on the **Developer portal**.
+> Since the gateway URL is not registered on the public DNS, the test console available on the Azure portal will not work for an **Internal** VNET deployed service. Instead, use the test console provided on the **Developer portal**.
+
+### Enable connectivity using a Resource Manager template
-### <a name="deploy-apim-internal-vnet"> </a>Deploy API Management into VNET
+#### API version 2021-01-01-preview (`stv2` platform)
-You can also enable VNET connectivity by using the following methods.
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip)
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-internal-vnet-publicip%2Fazuredeploy.json)
-### API version 2020-12-01
+#### API version 2020-12-01 (`stv1` platform)
* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet) [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-internal-vnet%2Fazuredeploy.json)
-* Azure PowerShell cmdlets - [Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a VNET
+### Enable connectivity using Azure PowerShell cmdlets (`stv1` platform)
+
+[Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a VNET.
+
+## DNS configuration
-## <a name="apim-dns-configuration"></a>DNS configuration
In external VNET mode, Azure manages the DNS. For internal VNET mode, you have to manage your own DNS. We recommend:
-1. Configuring an Azure DNS private zone.
-1. Linking the Azure DNS private zone to the VNET into which you've deployed your API Management service.
+1. Configure an Azure [DNS private zone](../dns/private-dns-overview.md).
+1. Link the Azure DNS private zone to the VNET into which you've deployed your API Management service.
Learn how to [set up a private zone in Azure DNS](../dns/private-dns-getstarted-portal.md). > [!NOTE]
-> API Management service does not listen to requests coming from IP addresses. It only responds to requests to the host name configured on its service endpoints. These endpoints include:
-> * Gateway
+> The API Management service does not listen to requests on its IP addresses. It only responds to requests to the host name configured on its service endpoints. These endpoints include:
+> * API gateway
> * The Azure portal > * The developer portal > * Direct management endpoint
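Review bot: typo in the new TIP under Prerequisites: "hosted on then `stv2` compute platform" should read "hosted on the `stv2` compute platform". Two structural points in the same region: the stv2 tab's first bullet reads `+++ **An API Management instance.** ... .+` (an extra leading plus and a stray trailing plus) where the stv1 tab uses `+ **An API Management instance.**`, and the `### [stv2](#tab/stv2)` / `### [stv1](#tab/stv1)` pair is not followed by a `---` terminator before `## Enable VNET connection`, so the tabs may render as plain headings instead of a tab group.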
When you create an API Management service (`contosointernalvnet`, for example),
| Endpoint | Endpoint configuration | | -- | -- |
-| Gateway or proxy | `contosointernalvnet.azure-api.net` |
+| API Gateway | `contosointernalvnet.azure-api.net` |
| Developer portal | `contosointernalvnet.portal.azure-api.net` | | The new developer portal | `contosointernalvnet.developer.azure-api.net` | | Direct management endpoint | `contosointernalvnet.management.azure-api.net` | | Git | `contosointernalvnet.scm.azure-api.net` |
-To access these API Management service endpoints, you can create a virtual machine in a subnet connected to the VNET in which API Management is deployed. Assuming the internal virtual IP address for your service is 10.1.0.5, you can map the hosts file, `%SystemDrive%\drivers\etc\hosts`, as follows:
+To access these API Management service endpoints, you can create a virtual machine in a subnet connected to the VNET in which API Management is deployed. Assuming the internal virtual IP address for your service is 10.1.0.5, you can map the hosts file as follows. On Windows, this file is at `%SystemDrive%\drivers\etc\hosts`.
| Internal virtual IP address | Endpoint configuration | | -- | -- |
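Review bot: the Windows hosts file path at the end of the hosts-file paragraph is wrong: `%SystemDrive%\drivers\etc\hosts` is not where the file lives; it is `%SystemRoot%\System32\drivers\etc\hosts`. The replaced line carried the same error, so this rewrite is the moment to correct it. Minor: the table row is renamed `API Gateway` while the rest of the article now uses `API gateway`; pick one casing.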
To access these API Management service endpoints, you can create a virtual machi
| 10.1.0.5 | `contosointernalvnet.scm.azure-api.net` | You can then access all the service endpoints from the virtual machine you created.+ If you use a custom DNS server in a VNET, you can also create DNS A-records and access these endpoints from anywhere in your VNET. ### Access on custom domain names If you don't want to access the API Management service with the default host names:
-1. Set up custom domain names for all your service endpoints, as shown in the following image:
+1. Set up [custom domain names](configure-custom-domain.md) for all your service endpoints, as shown in the following image:
- ![Setting up a custom domain for API Management][api-management-custom-domain-name]
+ :::image type="content" source="media/api-management-using-with-internal-vnet/api-management-custom-domain-name.png" alt-text="Set up custom domain name":::
2. Create records in your DNS server to access the endpoints accessible from within your VNET.
-## <a name="routing"> </a> Routing
-
-* A load balanced *private* virtual IP address from the subnet range (DIP) will be reserved for access to the API Management service endpoints from within the VNET.
- * Find this private IP address on the service's Overview blade in the Azure portal.
- * Register this address with the DNS servers used by the VNET.
-* A load balanced *public* IP address (VIP) will also be reserved to provide access to the management service endpoint over `port 3443`.
- * Find this public IP address on the service's Overview blade in the Azure portal.
- * Only use the *public* IP address for control plane traffic to the `management` endpoint over `port 3443`.
- * This IP address can be locked down to the [ApiManagement][ServiceTags] service tag.
-* DIP addresses will be assigned to each virtual machine in the service and used to access resources *within* the VNET. A VIP address will be used to access resources *outside* the VNET. If IP restriction lists secure resources within the VNET, you must specify the entire subnet range where the API Management service is deployed to grant or restrict access from the service.
-* The load balanced public and private IP addresses can be found on the Overview blade in the Azure portal.
-* If you remove or add the service in the VNET, the IP addresses assigned for public and private access may change. You may need to update DNS registrations, routing rules, and IP restriction lists within the VNET.
-
-## <a name="related-content"> </a>Related content
-To learn more, see the following articles:
-* [Common network configuration problems while setting up Azure API Management in a VNET][Common network configuration problems]
+## Routing
+
+The following virtual IP addresses are configured for an API Management instance in an internal virtual network. Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md).
+
+| Virtual IP address | Description |
+| -- | -- |
+| **Private virtual IP address** | A load balanced IP address from within the API Management instance's subnet range (DIP), over which you can access the API gateway, developer portal, management, and Git endpoints.<br/><br/>Register this address with the DNS servers used by the VNET. |
+| **Public virtual IP address** | Used *only* for control plane traffic to the management endpoint over port 3443. Can be locked down to the [ApiManagement][ServiceTags] service tag. |
+
+The load-balanced public and private IP addresses can be found on the **Overview** blade in the Azure portal.
+
+> [!NOTE]
+> The VIP address(es) of the API Management instance will change when:
+> * The VNET is enabled or disabled.
+> * API Management is moved from **External** to **Internal** virtual network mode, or vice versa.
+> * [Zone redundancy](zone-redundancy.md) settings are enabled, updated, or disabled in a location for your instance (Premium SKU only).
+>
+> You may need to update DNS registrations, routing rules, and IP restriction lists within the VNET.
+
+### VIP and DIP addresses
+
+DIP addresses will be assigned to each underlying virtual machine in the service and used to access resources *within* the VNET. A VIP address will be used to access resources *outside* the VNET. If IP restriction lists secure resources within the VNET, you must specify the entire subnet range where the API Management service is deployed to grant or restrict access from the service.
+
+Learn more about the [recommended subnet size](virtual-network-concepts.md#subnet-size).
+
+#### Example
+
+if you deploy 1 [capacity unit](api-management-capacity.md) of API Management in the Premium tier in an internal VNET, 3 IP addresses will be used: 1 for the private VIP and one each for the DIPs for two VMs. If you scale out to 4 units, more IPs will be consumed for additional DIPs from the subnet.
+
+If the destination endpoint has allow-listed only a fixed set of DIPs, connection failures will result if you add new units in the future. For this reason and since the subnet is entirely in your control, we recommend allow-listing the entire subnet in the backend.
+
+## Next steps
+
+Learn more about:
+
+* [Network configuration when setting up Azure API Management in a VNET][Common network configuration problems]
* [VNET FAQs](../virtual-network/virtual-networks-faq.md) * [Creating a record in DNS](/previous-versions/windows/it-pro/windows-2000-server/bb727018(v=technet.10))
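Review bot: the new Routing table states that the public virtual IP address is used *only* for control plane traffic to the management endpoint over port 3443, but the description it replaces also said this address is used for outgoing runtime traffic to the internet in all VNET configurations; backend and partner IP allow-lists depend on which statement is true, so confirm the behaviour before narrowing the wording. Related: the Example recommends allow-listing the entire API Management subnet in the backend, while the stv2 prerequisites now say the subnet may contain other Azure resources; a sentence noting that a shared subnet extends that allow-list to everything else placed in it would help readers size the risk. Also, the Example paragraph starts lowercase ("if you deploy 1 ...") and mixes numerals and words ("1 for the private VIP and one each").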
To learn more, see the following articles:
[api-management-custom-domain-name]: ./media/api-management-using-with-internal-vnet/updated-api-management-custom-domain-name.png [Create API Management service]: get-started-create-service-instance.md
-[Common network configuration problems]: api-management-using-with-vnet.md#network-configuration-issues
+[Common network configuration problems]: api-management-using-with-vnet.md#network-configuration
[ServiceTags]: ../virtual-network/network-security-groups-overview.md#service-tags+
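Review bot: the `[api-management-custom-domain-name]` reference definition is now unused, since the image was switched to an inline `:::image:::` whose source is `media/api-management-using-with-internal-vnet/api-management-custom-domain-name.png`, and that file name differs from the one in the definition (`updated-api-management-custom-domain-name.png`); confirm the new path exists and drop the stale definition. The `[Common network configuration problems]` anchor change to `#network-configuration` matches the new `## Network configuration` heading in the external-VNET article, so that link stays consistent.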
api-management Api Management Using With Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-vnet.md
Previously updated : 07/23/2021 Last updated : 08/10/2021 # Connect to a virtual network using Azure API Management
-With Azure Virtual Networks (VNETs), you can place any of your Azure resources in a non-internet-routable network to which you control access. You can then connect VNETs to your on-premises networks using various VPN technologies. To learn more about Azure VNETs, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md).
-Azure API Management can be deployed inside the VNET to access backend services within the network. You can configure the developer portal and API gateway to be accessible either from the internet or only within the VNET.
+Azure API Management can be deployed inside an Azure virtual network (VNET) to access backend services within the network. For VNET connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).
-This article explains VNET connectivity options, settings, limitations, and troubleshooting steps for your API Management instance. For configurations specific to the internal mode, where the developer portal and API gateway are accessible only within the VNET, see [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).
+This article explains how to set up VNET connectivity for your API Management instance in the *external* mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet. For configurations specific to the *internal* mode, where the endpoints are accessible only within the VNET, see [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).
-> [!NOTE]
-> The API import document URL must be hosted on a publicly accessible internet address.
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
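Review bot: the NOTE stating that the API import document URL must be hosted on a publicly accessible internet address is removed without a replacement or a pointer to where that requirement now lives; if it still applies, it is a practical constraint for a gateway placed in a VNET, so keep the note or link to its new location rather than drop it.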
This article explains VNET connectivity options, settings, limitations, and trou
## Prerequisites
-+ **An active Azure subscription.** [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
+Some prerequisites differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
-+ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
+> [!TIP]
+> When you use the portal to create or update the network configuration of your API Management instance, the instance is hosted on the `stv2` compute platform.
+### [stv2](#tab/stv2)
-## <a name="enable-vpn"> </a>Enable VNET connection
++ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
-### Enable VNET connectivity using the Azure portal
+* **A virtual network and subnet** in the same region and subscription as your API Management instance. The subnet may contain other Azure resources.
-1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
-1. Choose your API Management instance.
+### [stv1](#tab/stv1)
-1. Select **Virtual network**.
-1. Configure the API Management instance to be deployed inside a VNET.
++ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
- :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select VNET in Azure portal.":::
+* **A virtual network and subnet** in the same region and subscription as your API Management instance.
-1. Select the desired access type:
+ The subnet must be dedicated to API Management instances. Attempting to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources will cause the deployment to fail.
- * **Off**: Default type. API Management is not deployed into a VNET.
+
- * **External**: The API Management gateway and developer portal are accessible from the public internet via an external load balancer. The gateway can access resources within the VNET.
+## Enable VNET connection
- ![Public peering][api-management-vnet-public]
+### Enable VNET connectivity using the Azure portal (`stv2` compute platform)
- * **Internal**: The API Management gateway and developer portal are accessible only from within the VNET via an internal load balancer. The gateway can access resources within the VNET.
+1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
+1. Choose your API Management instance.
- ![Private peering][api-management-vnet-private]
+1. Select **Virtual network**.
+1. Select the **External** access type.
+ :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select VNET in Azure portal.":::
-1. If you selected **External** or **Internal**, you will see a list of all locations (regions) where your API Management service is provisioned.
-1. Choose a **Location**.
-1. Pick **Virtual network**, **Subnet**, and **IP address**.
+1. In the list of locations (regions) where your API Management service is provisioned:
+ 1. Choose a **Location**.
+ 1. Select **Virtual network**, **Subnet**, and **IP address**.
* The VNET list is populated with Resource Manager VNETs available in your Azure subscriptions, set up in the region you are configuring. :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="VNET settings in the portal.":::
- > [!IMPORTANT]
- > * **If using API version 2020-12-01 or earlier to deploy an Azure API Management instance in a Resource Manager VNET:**
- > The service must be in a dedicated subnet that contains only Azure API Management instances. Attempting to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources will cause the deployment to fail.
- >
- > * **If using API version 2021-01-01-preview or later to deploy an Azure API Management instance in a VNET:**
- > Only a Resource Manager VNET is supported, but the subnet used may contain other resources. You don't have to use a subnet dedicated to API Management instances.
- 1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new VNET and subnet choices. 1. Continue configuring VNET settings for the remaining locations of your API Management instance.
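Review bot: the prerequisites tab group (`### [stv2](#tab/stv2)` / `### [stv1](#tab/stv1)`) is not closed with a `---` line before `## Enable VNET connection`, so the two tabs may render as plain headings. The IMPORTANT box on dedicated subnets (API version 2020-12-01 and earlier) is removed from the portal steps and survives only in the stv1 prerequisites tab; that is consistent with the portal procedure being labelled stv2, but the portal steps no longer say anywhere that a subnet shared with other resources is supported only on `stv2`.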
This article explains VNET connectivity options, settings, limitations, and trou
It can take 15 to 45 minutes to update the API Management instance.
-> [!NOTE]
-> With clients using API version 2020-12-01 and earlier, the VIP address of the API Management instance will change when:
-> * The VNET is enabled or disabled.
-> * API Management is moved from **External** to **Internal** virtual network, or vice versa.
-
-> [!IMPORTANT]
-> * **If you are using API version 2018-01-01 and earlier:**
-> The VNET will lock for up to six hours if you remove API Management from a VNET or change the VNET. During these six hours, you can't delete the VNET or deploy a new resource to it.
->
-> * **If you are using API version 2019-01-01 and later:**
-> The VNET is available as soon as the associated API Management service is deleted.
+### Enable connectivity using a Resource Manager template
-### <a name="deploy-apim-external-vnet"> </a>Deploy API Management into External VNET
+Use the following templates to deploy an API Management instance and connect to a VNET. The templates differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance
-You can also enable VNET connectivity by using the following methods.
+### [stv2](#tab/stv2)
-### API version 2021-01-01-preview
+#### API version 2021-01-01-preview
* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip) [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet-publicip%2Fazuredeploy.json)
-### API version 2020-12-01
+### [stv1](#tab/stv1)
+
+#### API version 2020-12-01
* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet) [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet%2Fazuredeploy.json)
-* Azure PowerShell cmdlets - [Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a VNET
+### Enable connectivity using Azure PowerShell cmdlets
+
+[Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a VNET.
+++
+## Connect to a web service hosted within a virtual network
+Once you've connected your API Management service to the VNET, you can access backend services within it just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the VNET) of your web service into the **Web service URL** field.
-## <a name="connect-vnet"> </a>Connect to a web service hosted within a virtual network
-Once you've connected your API Management service to the VNET, you'll be able to access backend services within it just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the VNET) of your web service into the **Web service URL** field.
-![Add API from VPN][api-management-setup-vpn-add-api]
+## Network configuration
+Review the following sections for more network configuration settings.
-## <a name="network-configuration-issues"> </a>Common Network Configuration Issues
-Common misconfiguration issues that can occur while deploying API Management service into a VNET include:
+These settings address common misconfiguration issues that can occur while deploying API Management service into a VNET.
-* **Custom DNS server setup:**
- The API Management service depends on several Azure services. When API Management is hosted in a VNET with a custom DNS server, it needs to resolve the hostnames of those Azure services.
- * For guidance on custom DNS setup, see [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).
- * For reference, see the [ports table](#required-ports) and network requirements.
+### Custom DNS server setup
+In external VNET mode, Azure manages the DNS by default.The API Management service depends on several Azure services. When API Management is hosted in a VNET with a custom DNS server, it needs to resolve the hostnames of those Azure services.
+* For guidance on custom DNS setup, see [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).
+* For reference, see the [required ports](#required-ports) and network requirements.
- > [!IMPORTANT]
- > If you plan to use a Custom DNS server(s) for the VNET, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS Server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/2020-12-01/api-management-service/apply-network-configuration-updates).
+> [!IMPORTANT]
+> If you plan to use a Custom DNS server(s) for the VNET, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS Server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/2020-12-01/api-management-service/apply-network-configuration-updates).
-* **Ports required for API Management:**
- You can control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security groups][network security groups]. If any of the following ports are unavailable, API Management may not operate properly and may become inaccessible. Blocked ports are another common misconfiguration issue when using API Management with a VNET.
+### Required ports
-<a name="required-ports"> </a>
-When an API Management service instance is hosted in a VNET, the ports in the following table are used.
+You can control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security groups][NetworkSecurityGroups]. If any of the following ports are unavailable, API Management may not operate properly and may become inaccessible.
+
+When an API Management service instance is hosted in a VNET, the ports in the following table are used. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
+
+>[!IMPORTANT]
+> Bold items in the *Purpose* column are required for API Management service to be deployed successfully. Blocking the other ports, however, will cause **degradation** in the ability to use and **monitor the running service and provide the committed SLA**.
+
+#### [stv2](#tab/stv2)
| Source / Destination Port(s) | Direction | Transport protocol | [Service Tags](../virtual-network/network-security-groups-overview.md#service-tags) <br> Source / Destination | Purpose (\*) | VNET type | ||--|--||-|-| | * / [80], 443 | Inbound | TCP | INTERNET / VIRTUAL_NETWORK | Client communication to API Management | External | | * / 3443 | Inbound | TCP | ApiManagement / VIRTUAL_NETWORK | Management endpoint for Azure portal and PowerShell | External & Internal | | * / 443 | Outbound | TCP | VIRTUAL_NETWORK / Storage | **Dependency on Azure Storage** | External & Internal |
-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure KeyVault dependency | External & Internal |
+| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency | External & Internal |
| * / 1433 | Outbound | TCP | VIRTUAL_NETWORK / SQL | **Access to Azure SQL endpoints** | External & Internal |
-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureKeyVault | **Access to Azure KeyVault** | External & Internal |
-| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / EventHub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent | External & Internal |
+| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureKeyVault | **Access to Azure Key Vault** | External & Internal |
+| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / Event Hub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent | External & Internal |
| * / 445 | Outbound | TCP | VIRTUAL_NETWORK / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) | External & Internal | | * / 443, 12000 | Outbound | TCP | VIRTUAL_NETWORK / AzureCloud | Health and Monitoring Extension | External & Internal | | * / 1886, 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureMonitor | Publish [Diagnostics Logs and Metrics](api-management-howto-use-azure-monitor.md), [Resource Health](../service-health/resource-health-overview.md), and [Application Insights](api-management-howto-app-insights.md) | External & Internal | | * / 25, 587, 25028 | Outbound | TCP | VIRTUAL_NETWORK / INTERNET | Connect to SMTP Relay for sending e-mails | External & Internal | | * / 6381 - 6383 | Inbound & Outbound | TCP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines | External & Internal | | * / 4290 | Inbound & Outbound | UDP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Sync Counters for [Rate Limit](api-management-access-restriction-policies.md#LimitCallRateByKey) policies between machines | External & Internal |
-| * / * | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | Azure Infrastructure Load Balancer | External & Internal |
+| * / 6390 | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | Azure Infrastructure Load Balancer | External & Internal |
->[!IMPORTANT]
-> Bold items in the *Purpose* column are required for API Management service to be deployed successfully. Blocking the other ports, however, will cause **degradation** in the ability to use and **monitor the running service and provide the committed SLA**.
+#### [stv1](#tab/stv1)
-+ **TLS functionality:**
+| Source / Destination Port(s) | Direction | Transport protocol | [Service Tags](../virtual-network/network-security-groups-overview.md#service-tags) <br> Source / Destination | Purpose (\*) | VNET type |
+||--|--||-|-|
+| * / [80], 443 | Inbound | TCP | INTERNET / VIRTUAL_NETWORK | Client communication to API Management | External |
+| * / 3443 | Inbound | TCP | ApiManagement / VIRTUAL_NETWORK | Management endpoint for Azure portal and PowerShell | External & Internal |
+| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / Storage | **Dependency on Azure Storage** | External & Internal |
+| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) dependency | External & Internal |
+| * / 1433 | Outbound | TCP | VIRTUAL_NETWORK / SQL | **Access to Azure SQL endpoints** | External & Internal |
+| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / Event Hub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent | External & Internal |
+| * / 445 | Outbound | TCP | VIRTUAL_NETWORK / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) | External & Internal |
+| * / 443, 12000 | Outbound | TCP | VIRTUAL_NETWORK / AzureCloud | Health and Monitoring Extension | External & Internal |
+| * / 1886, 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureMonitor | Publish [Diagnostics Logs and Metrics](api-management-howto-use-azure-monitor.md), [Resource Health](../service-health/resource-health-overview.md), and [Application Insights](api-management-howto-app-insights.md) | External & Internal |
+| * / 25, 587, 25028 | Outbound | TCP | VIRTUAL_NETWORK / INTERNET | Connect to SMTP Relay for sending e-mails | External & Internal |
+| * / 6381 - 6383 | Inbound & Outbound | TCP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines | External & Internal |
+| * / 4290 | Inbound & Outbound | UDP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Sync Counters for [Rate Limit](api-management-access-restriction-policies.md#LimitCallRateByKey) policies between machines | External & Internal |
+| * / * | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | Azure Infrastructure Load Balancer | External & Internal |
+++
+### TLS functionality
To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity to `ocsp.msocsp.com`, `mscrl.microsoft.com`, and `crl.microsoft.com`. This dependency is not required if any certificate you upload to API Management contains the full chain to the CA root.
-+ **DNS Access:**
+### DNS access
Outbound access on `port 53` is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management.
-+ **Metrics and Health Monitoring:**
- Outbound network connectivity to Azure Monitoring endpoints, which resolve under the following domains, are represented under the AzureMonitor service tag for use with Network Security Groups.
+### Metrics and health monitoring
- | Azure Environment | Endpoints |
- |-||
- | Azure Public | <ul><li>gcs.prod.monitoring.core.windows.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.com</li></ul> |
- | Azure Government | <ul><li>fairfax.warmpath.usgovcloudapi.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.us</li></ul> |
- | Azure China 21Vianet | <ul><li>mooncake.warmpath.chinacloudapi.cn</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.cn</li></ul> |
+Outbound network connectivity to Azure Monitoring endpoints, which resolve under the following domains, are represented under the AzureMonitor service tag for use with Network Security Groups.
+| Azure Environment | Endpoints |
+ |-||
+| Azure Public | <ul><li>gcs.prod.monitoring.core.windows.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.com</li></ul> |
+| Azure Government | <ul><li>fairfax.warmpath.usgovcloudapi.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.us</li></ul> |
+| Azure China 21Vianet | <ul><li>mooncake.warmpath.chinacloudapi.cn</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.cn</li></ul> |
-+ **Regional Service Tags**: NSG rules allowing outbound connectivity to Storage, SQL, and Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, Storage.WestUS for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region.
+### Regional service tags
+
+NSG rules allowing outbound connectivity to Storage, SQL, and Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, Storage.WestUS for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region.
- > [!IMPORTANT]
- > Enable publishing the [developer portal](api-management-howto-developer-portal.md) for an API Management instance in a VNET by allowing outbound connectivity to blob storage in the West US region. For example, use the **Storage.WestUS** service tag in an NSG rule. Currently, connectivity to blob storage in the West US region is required to publish the developer portal for any API Management instance.
+> [!IMPORTANT]
+> Enable publishing the [developer portal](api-management-howto-developer-portal.md) for an API Management instance in a VNET by allowing outbound connectivity to blob storage in the West US region. For example, use the **Storage.WestUS** service tag in an NSG rule. Currently, connectivity to blob storage in the West US region is required to publish the developer portal for any API Management instance.
+
+### SMTP relay
+
+Allow outbound network connectivity for the SMTP Relay, which resolves under the host `smtpi-co1.msn.com`, `smtpi-ch1.msn.com`, `smtpi-db3.msn.com`, `smtpi-sin.msn.com`, and `ies.global.microsoft.com`
-+ **SMTP Relay:**
- Outbound network connectivity for the SMTP Relay, which resolves under the host `smtpi-co1.msn.com`, `smtpi-ch1.msn.com`, `smtpi-db3.msn.com`, `smtpi-sin.msn.com` and `ies.global.microsoft.com`
+> [!NOTE]
+> Only the SMTP relay provided in API Management may be used to send email from your instance.
-+ **Developer portal CAPTCHA:**
- Outbound network connectivity for the developer portal's CAPTCHA, which resolves under the hosts `client.hip.live.com` and `partner.hip.live.com`.
+### Developer portal CAPTCHA
+Allow outbound network connectivity for the developer portal's CAPTCHA, which resolves under the hosts `client.hip.live.com` and `partner.hip.live.com`.
-+ **Azure portal Diagnostics:**
+### Azure portal diagnostics
When using the API Management extension from inside a VNET, outbound access to `dc.services.visualstudio.com` on `port 443` is required to enable the flow of diagnostic logs from Azure portal. This access helps in troubleshooting issues you might face when using extension.
-+ **Azure Load Balancer:**
- You're not required to allow inbound request from service tag `AZURE_LOAD_BALANCER` for the `Developer` SKU, since only one compute unit is deployed behind it. But inbound from [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md) becomes critical when scaling to a higher SKU, like `Premium`, as failure of health probe from load balancer then fails a deployment.
+### Azure load balancer
+ You're not required to allow inbound requests from service tag `AZURE_LOAD_BALANCER` for the `Developer` SKU, since only one compute unit is deployed behind it. But inbound from [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md) becomes critical when scaling to a higher SKU, like `Premium`, as failure of health probe from load balancer then fails a deployment.
-+ **Application Insights:**
- If you've enabled [Azure Application Insights](api-management-howto-app-insights.md) monitoring on API Management, allow outbound connectivity to the [Telemetry endpoint](../azure-monitor/app/ip-addresses.md#outgoing-ports) from the VNET.
+### Application Insights
+ If you've enabled [Azure Application Insights](api-management-howto-app-insights.md) monitoring on API Management, allow outbound connectivity to the [telemetry endpoint](../azure-monitor/app/ip-addresses.md#outgoing-ports) from the VNET.
-+ **Force Tunneling Traffic to On-premises Firewall Using Express Route or Network Virtual Appliance:**
+### Force tunneling traffic to on-premises firewall Using ExpressRoute or Network Virtual Appliance
Commonly, you configure and define your own default route (0.0.0.0/0), forcing all traffic from the API Management-delegated subnet to flow through an on-premises firewall or to a network virtual appliance. This traffic flow breaks connectivity with Azure API Management, since outbound traffic is either blocked on-premises, or NAT'd to an unrecognizable set of addresses no longer working with various Azure endpoints. You can solve this issue via a couple of methods: * Enable [service endpoints][ServiceEndpoints] on the subnet in which the API Management service is deployed for:
- * Azure Sql
+ * Azure SQL
* Azure Storage
- * Azure EventHub, and
- * Azure KeyVault.
+ * Azure Event Hub
+ * Azure Key Vault (v2 platform)
- By enabling endpoints directly from API Management-delegated subnet to these services, you can use the Microsoft Azure backbone network, providing optimal routing for service traffic. If you use service endpoints with a force tunneled API Management, the above Azure services traffic isn't force tunneled. The other API Management service dependency traffic is force tunneled and can't be lost. If lost, the API Management service would not function properly.
+ By enabling endpoints directly from API Management subnet to these services, you can use the Microsoft Azure backbone network, providing optimal routing for service traffic. If you use service endpoints with a force tunneled API Management, the above Azure services traffic isn't force tunneled. The other API Management service dependency traffic is force tunneled and can't be lost. If lost, the API Management service would not function properly.
- * All the control plane traffic from the internet to the management endpoint of your API Management service is routed through a specific set of inbound IPs, hosted by API Management. When the traffic is force tunneled, the responses will not symmetrically map back to these inbound source IPs. To overcome the limitation, set the destination of the following user-defined routes ([UDRs][UDRs]) to the "Internet", to steer traffic back to Azure. Find the set of inbound IPs for control plane traffic documented in [Control Plane IP Addresses](#control-plane-ips).
+ * All the control plane traffic from the internet to the management endpoint of your API Management service is routed through a specific set of inbound IPs, hosted by API Management. When the traffic is force tunneled, the responses will not symmetrically map back to these inbound source IPs. To overcome the limitation, set the destination of the following user-defined routes ([UDRs][UDRs]) to the "Internet", to steer traffic back to Azure. Find the set of inbound IPs for control plane traffic documented in [Control Plane IP Addresses](#control-plane-ip-addresses).
* For other force tunneled API Management service dependencies, resolve the hostname and reach out to the endpoint. These include: - Metrics and Health Monitoring
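Review bot: in the Metrics and health monitoring part of this hunk, `+Outbound network connectivity to Azure Monitoring endpoints, which resolve under the following domains, are represented ...` has a subject-verb mismatch (connectivity ... is represented), and the table header `+| Azure Environment | Endpoints |` follows that paragraph with no blank line in between, so add one to be sure the table renders. Two consistency points: `+### Force tunneling traffic to on-premises firewall Using ExpressRoute or Network Virtual Appliance` breaks the sentence-case style of the other new `###` headings (Regional service tags, SMTP relay, DNS access), and `+ * Azure Key Vault (v2 platform)` should name the platform as `stv2` with the compute-infrastructure.md link, as the Required ports paragraph and the stv2/stv1 tabs do. The SMTP relay sentence lists five hosts but says "under the host" and has no final period. Since the only substantive differences between the stv2 and stv1 tables are the separate `AzureKeyVault` row and the load balancer row narrowing from `* / *` to `* / 6390`, consider stating those two differences in the sentence that introduces the tabs so readers do not have to diff the tables themselves.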
When an API Management service instance is hosted in a VNET, the ports in the fo
- SMTP Relay - Developer portal CAPTCHA
-## <a name="troubleshooting"> </a>Troubleshooting
-* **Unsuccessful initial deployment of API Management service into a subnet:**
- * Deploy a virtual machine into the same subnet.
- * Remote desktop into the virtual machine and validate connectivity to one of each of the following resources in your Azure subscription:
- * Azure Storage blob
- * Azure SQL Database
- * Azure Storage Table
-
- > [!IMPORTANT]
- > After validating the connectivity, remove all the resources in the subnet before deploying API Management into the subnet.
-
-* **Verify network connectivity status:**
- * After deploying API Management into the subnet, use the portal to check the connectivity of your instance to dependencies, such as Azure Storage.
- * In the portal, in the left-hand menu, under **Deployment and infrastructure**, select **Network connectivity status**.
-
- :::image type="content" source="media/api-management-using-with-vnet/verify-network-connectivity-status.png" alt-text="Verify network connectivity status in the portal":::
-
- | Filter | Description |
- | -- | -- |
- | **Required** | Select to review the required Azure services connectivity for API Management. Failure indicates that the instance is unable to perform core operations to manage APIs |
- | **Optional** | Select to review the optional services connectivity. Failure indicates only that the specific functionality will not work (for example, SMTP). Failure may lead to degradation in using and monitoring the API Management instance and providing the committed SLA. |
-
- To address connectivity issues, review [Common network configuration issues](#network-configuration-issues) and fix required network settings.
-
-* **Incremental Updates:**
- When making changes to your network, refer to [NetworkStatus API](/rest/api/apimanagement/2020-12-01/network-status) to verify that the API Management service has not lost access to critical resources. The connectivity status should be updated every 15 minutes.
-
-* **Resource Navigation Links:**
- When deploying into a Resource Manager VNET subnet with API version 2020-12-01 and earlier, API Management reserves the subnet by creating a resource navigation link. If the subnet already contains a resource from a different provider, deployment will **fail**. Similarly, when you delete an API Management service, or move it to a different subnet, the resource navigation link will be removed.
-
-## <a name="subnet-size"> </a> Subnet Size Requirement
-Azure reserves some IP addresses within each subnet, which can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).
-
-In addition to the IP addresses used by the Azure VNET infrastructure, each API Management instance in the subnet uses:
-* Two IP addresses per unit of Premium SKU, or
-* One IP address for the Developer SKU.
-
-Each instance reserves an extra IP address for the external load balancer. When deploying into [internal VNET](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer.
+## Routing
-Given the calculation above, the minimum size of the subnet in which API Management can be deployed is /29, which gives three usable IP addresses. Each extra scale unit of API Management requires two more IP addresses.
-
-## <a name="routing"> </a> Routing
-+ A load balanced public IP address (VIP) will be reserved to provide access to all service endpoints and resources outside the VNET.
++ A load-balanced public IP address (VIP) is reserved to provide access to all service endpoints and resources outside the VNET. + Load balanced public IP addresses can be found on the **Overview/Essentials** blade in the Azure portal.
-+ An IP address from a subnet IP range (DIP) will be used to access resources within the VNET.
++ An IP address from a subnet IP range (DIP) is used to access resources within the VNET.
-## <a name="limitations"> </a>Limitations
-* For API version 2020-12-01 and earlier, a subnet containing API Management instances can't contain any other Azure resource types.
-* The subnet and the API Management service must be in the same subscription.
-* A subnet containing API Management instances cannot be moved across subscriptions.
-* For multi-region API Management deployments configured in internal VNET mode, users own the routing and are responsible for managing the load balancing across multiple regions.
-* Due to platform limitations, connectivity between a resource in a globally peered VNET in another region and an API Management service in internal mode will not work. For more information, see [Resources in one virtual network cannot communicate with Azure internal load balancer in peered virtual network](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).
+> [!NOTE]
+> The VIP address(es) of the API Management instance will change when:
+> * The VNET is enabled or disabled.
+> * API Management is moved from **External** to **Internal** virtual network mode, or vice versa.
+> * [Zone redundancy](zone-redundancy.md) settings are enabled, updated, or disabled in a location for your instance (Premium SKU only).
-## <a name="control-plane-ips"> </a> Control Plane IP Addresses
+## Control plane IP addresses
-The IP Addresses are divided by **Azure Environment**. When allowing inbound requests, IP addresses marked with **Global** must be permitted, along with the **Region**-specific IP address.
+The following IP addresses are divided by **Azure Environment**. When allowing inbound requests, IP addresses marked with **Global** must be permitted, along with the **Region**-specific IP address.
| **Azure Environment**| **Region**| **IP address**| |--|-||
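Review bot: the `Subnet Size Requirement` and `Limitations` sections are deleted outright here, and nothing in this diff reinstates the minimum /29 subnet calculation, the same-subscription rule, or the global-peering limitation for internal mode; if that content moved to the new virtual-network-concepts.md, add a pointer from this article (the new Next steps list is the natural place), otherwise the deletion is a content regression. The Troubleshooting section removed in this hunk is re-added further down, so that part is a move, not a loss. The new `> [!NOTE]` on VIP changes agrees with the `[!IMPORTANT]` in compute-infrastructure.md (zone redundancy changes alter the VIP), and the rename to `## Control plane IP addresses` matches the `#control-plane-ip-addresses` anchor now used in the force-tunneling step.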
The IP Addresses are divided by **Azure Environment**. When allowing inbound req
| Azure Government| USDoD Central| 52.182.32.132| | Azure Government| USDoD East| 52.181.32.192|
-## <a name="related-content"> </a>Related content
-* [Connecting a Virtual Network to backend using Vpn Gateway](../vpn-gateway/design.md#s2smulti)
-* [Connecting a Virtual Network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
-* [How to use the API Inspector to trace calls in Azure API Management](api-management-howto-api-inspector.md)
-* [Virtual Network Frequently asked Questions](../virtual-network/virtual-networks-faq.md)
+## Troubleshooting
+* **Unsuccessful initial deployment of API Management service into a subnet**
+ * Deploy a virtual machine into the same subnet.
+ * Connect to the virtual machine and validate connectivity to one of each of the following resources in your Azure subscription:
+ * Azure Storage blob
+ * Azure SQL Database
+ * Azure Storage Table
+ * Azure Key Vault (for an API Management instance hosted on the [`stv2` platform](compute-infrastructure.md))
+
+ > [!IMPORTANT]
+ > After validating the connectivity, remove all the resources in the subnet before deploying API Management into the subnet (required when API Management is hosted on the `stv1` platform).
+
+* **Verify network connectivity status**
+ * After deploying API Management into the subnet, use the portal to check the connectivity of your instance to dependencies, such as Azure Storage.
+ * In the portal, in the left-hand menu, under **Deployment and infrastructure**, select **Network connectivity status**.
+
+ :::image type="content" source="media/api-management-using-with-vnet/verify-network-connectivity-status.png" alt-text="Verify network connectivity status in the portal":::
+
+ | Filter | Description |
+ | -- | -- |
+ | **Required** | Select to review the required Azure services connectivity for API Management. Failure indicates that the instance is unable to perform core operations to manage APIs. |
+ | **Optional** | Select to review the optional services connectivity. Failure indicates only that the specific functionality will not work (for example, SMTP). Failure may lead to degradation in using and monitoring the API Management instance and providing the committed SLA. |
+
+ To address connectivity issues, review [network configuration settings](#network-configuration) and fix required network settings.
+
+* **Incremental updates**
+ When making changes to your network, refer to [NetworkStatus API](/rest/api/apimanagement/2020-12-01/network-status) to verify that the API Management service has not lost access to critical resources. The connectivity status should be updated every 15 minutes.
+
+* **Resource navigation links**
+ An APIM instance hosted on the [`stv1` compute platform](compute-infrastructure.md), when deployed into a Resource Manager VNET subnet, reserves the subnet by creating a resource navigation link. If the subnet already contains a resource from a different provider, deployment will **fail**. Similarly, when you delete an API Management service, or move it to a different subnet, the resource navigation link will be removed.
+
+## Next steps
+
+Learn more about:
+
+* [Connecting a virtual network to backend using VPN Gateway](../vpn-gateway/design.md#s2smulti)
+* [Connecting a virtual network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
+* [Debug your APIs using request tracing](api-management-howto-api-inspector.md)
+* [Virtual Network frequently asked questions](../virtual-network/virtual-networks-faq.md)
* [Service tags](../virtual-network/network-security-groups-overview.md#service-tags) [api-management-using-vnet-menu]: ./media/api-management-using-with-vnet/api-management-menu-vnet.png [api-management-setup-vpn-select]: ./media/api-management-using-with-vnet/api-management-using-vnet-select.png [api-management-setup-vpn-add-api]: ./media/api-management-using-with-vnet/api-management-using-vnet-add-api.png
-[api-management-vnet-private]: ./media/api-management-using-with-vnet/api-management-vnet-internal.png
[api-management-vnet-public]: ./media/api-management-using-with-vnet/api-management-vnet-external.png [Enable VPN connections]: #enable-vpn
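Review bot: `+ To address connectivity issues, review [network configuration settings](#network-configuration)` retargets the link from `#network-configuration-issues` to `#network-configuration`, but no heading that produces that anchor appears anywhere in this diff; confirm the target exists or the link will be dead. `+ An APIM instance hosted on the ...` introduces the abbreviation "APIM", which the rest of the article never uses; say "API Management instance". Removing `-[api-management-vnet-private]: ./media/...` is safe only if no `[api-management-vnet-private]` image reference remains in the file, which this hunk cannot show.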
The IP Addresses are divided by **Azure Environment**. When allowing inbound req
[Related content]: #related-content [UDRs]: ../virtual-network/virtual-networks-udr-overview.md
-[Network Security Group]: ../virtual-network/network-security-groups-overview.md
+[NetworkSecurityGroups]: ../virtual-network/network-security-groups-overview.md
[ServiceEndpoints]: ../virtual-network/virtual-network-service-endpoints-overview.md [ServiceTags]: ../virtual-network/network-security-groups-overview.md#service-tags
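Review bot: the unchanged definition `[Related content]: #related-content` now points at a heading this same change removes (the Related content section is replaced by `## Next steps`), so it is either dangling or unused; drop it or retarget it. The rename to `+[NetworkSecurityGroups]: ...` matches the new `[network security groups][NetworkSecurityGroups]` usage in the Required ports section and also repairs the old text, whose `[network security groups][network security groups]` had no matching definition (the previous label was the singular `[Network Security Group]`).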
api-management Compute Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/compute-infrastructure.md
+
+ Title: Azure API Management compute platform
+description: Learn about the compute platform used to host your API Management service instance
+++ Last updated : 08/23/2021+++
+# Compute platform for Azure API Management
+
+As a cloud platform-as-a-service (PaaS), Azure API Management abstracts many details of the infrastructure used to host and run your service. You can create, manage, and scale most aspects of your API Management instance without needing to know about its underlying resources.
+
+To enhance service capabilities, we're upgrading the API Management compute platform version - the Azure compute resources that host the service - for instances in several [service tiers](api-management-features.md). This article gives you context about the upgrade and the major versions of API Management's compute platform: `stv1` and `stv2`.
+
+We've minimized impacts of this upgrade on your operation of your API Management instance. However, if your instance is connected to an [Azure virtual network](virtual-network-concepts.md), you'll need to change some network configuration settings when the instance upgrades to the `stv2` platform version.
+
+## Compute platform versions
+
+| Version | Description | Architecture | API Management tiers |
+| -| -| -- | - |
+| `stv2` | Single-tenant v2 | [Virtual machine scale sets](../virtual-machine-scale-sets/overview.md) | Developer, Basic, Standard, and Premium |
+| `stv1` | Single-tenant v1 | [Cloud Service (classic)](../cloud-services/cloud-services-choose-me.md) | Developer, Basic, Standard, and Premium |
+| `mtv1` | Multi-tenant v1 | [App service](../app-service/overview.md) | Consumption |
++
+## How do I know which platform hosts my API Management instance?
+
+### Developer, Basic, Standard, and Premium tiers
+
+* Instances with virtual network connections created or updated using the Azure portal after **April 2021**, or using the API Management REST API version **2021-01-01-preview** or later, are hosted on the `stv2` platform
+* If you enabled [zone redundancy](zone-redundancy.md) in your Premium tier instance, it's hosted on the `stv2` platform
+* Otherwise, the instance is hosted on the `stv1` platform
+
+> [!TIP]
+> Starting with API version `2021-04-01-preview`, the API Management instance has a read-only `PlatformVersion` property that shows this platform information.
+
+### Consumption tier
+
+* All instances are hosted on the `mtv1` platform
+
+## How do I upgrade to the `stv2` platform?
+
+Update is only possible for an instance in the Developer, Basic, Standard, or Premium tier.
+
+Create or update the virtual network connection, or availability zone configuration, in an API Management instance using:
+
+* [Azure portal](https://portal.azure.com)
+* Azure REST API, or ARM template, specifying API version **2021-01-01-preview** or later
+
+> [!IMPORTANT]
+> When you update the compute platform version of an instance connected to an Azure [virtual network](virtual-network-concepts.md):
+> * You must provide provide a Standard SKU [public IPv4 address](../virtual-network/public-ip-addresses.md#standard) resource
+> * The VIP address(es) of your API Management instance will change.
+
+## Next steps
+
+* Learn more about using a [virtual network](virtual-network-concepts.md) with API Management.
+* Learn more about [zone redundancy](zone-redundancy.md).
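Review bot: `+> * You must provide provide a Standard SKU ...` has a duplicated word. The heading says `## How do I upgrade to the \`stv2\` platform?` while the first sentence says `Update is only possible ...`; the article otherwise says "upgrade", so use that. The three bullets under the Developer, Basic, Standard, and Premium heading end without periods while the surrounding prose uses them. The `[!TIP]` on the read-only `PlatformVersion` property (API version `2021-04-01-preview`) is the only deterministic way this page gives to tell `stv1` from `stv2`; consider placing it before the heuristic bullets, since "created or updated using the Azure portal after April 2021" is hard for a reader to verify. The `[!IMPORTANT]` (Standard SKU public IPv4 required, VIP changes) is consistent with the VIP-change note added to api-management-using-with-vnet.md.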
api-management Import And Publish https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/import-and-publish.md
This section shows how to import and publish an OpenAPI Specification backend AP
|Setting|Value|Description| |-|--|--|
- |**OpenAPI specification**|*https:\//conferenceapi.azurewebsites.net?format=json*|The service implementing the API. API Management forwards requests to this address.|
+ |**OpenAPI specification**|*https:\//conferenceapi.azurewebsites.net?format=json*|The service implementing the API. API Management forwards requests to this address. The service must be hosted at a publicly accessible internet address. |
|**Display name**|After you enter the preceding service URL, API Management fills out this field based on the JSON.|The name displayed in the [developer portal](api-management-howto-developer-portal.md).| |**Name**|After you enter the preceding service URL, API Management fills out this field based on the JSON.|A unique name for the API.| |**Description**|After you enter the preceding service URL, API Management fills out this field based on the JSON.|An optional description of the API.|
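Review bot: the added sentence reads "The service must be hosted at a publicly accessible internet address", but this row's setting is the OpenAPI specification URL, which is what API Management fetches at import time, and the sibling virtual-network-concepts article states the same requirement as "the specification URL must be hosted at a publicly accessible internet address". Use that wording here so the two pages agree. The rest of the cell ("The service implementing the API. API Management forwards requests to this address.") also describes the backend rather than the specification URL; worth correcting in the same change.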
api-management Virtual Network Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/virtual-network-concepts.md
+
+ Title: Azure API Management with an Azure virtual network
+description: Learn about scenarios and requirements to connect you API Management instance to an Azure virtual network.
++++ Last updated : 08/19/2021+++
+# Use a virtual network with Azure API Management
+
+With Azure Virtual Networks (VNETs), you can place your Azure resources in a non-internet-routable network to which you control access. You can then connect VNETs to your on-premises networks using various VPN technologies. To learn more about Azure VNETs, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md).
+
+This article explains VNET connectivity options, requirements, and considerations for your API Management instance. You can use the Azure portal, Azure CLI, Azure Resource Manager templates, or other tools for the deployment. You control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security groups][NetworkSecurityGroups].
+
+For detailed deployment steps and network configuration, see:
+
+* [Connect to an external virtual network using Azure API Management](./api-management-using-with-vnet.md).
+* [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).
++
+## Access options
+
+By default, an API Management instance must be accessible from the internet. Using a virtual network, you can configure the developer portal, API gateway, and other API Management endpoints to be accessible either from the internet (external mode) or only within the VNET (internal mode).
+
+* **External** - The API Management endpoints are accessible from the public internet via an external load balancer. The gateway can access resources within the VNET.
+
+ :::image type="content" source="media/virtual-network-concepts/api-management-vnet-external.png" alt-text="Connect to external VNET":::
+
+ Use API Management in external mode to access backend services deployed in the virtual network.
+
+* **Internal** - The API Management endpoints are accessible only from within the VNET via an internal load balancer. The gateway can access resources within the VNET.
+
+ :::image type="content" source="media/virtual-network-concepts/api-management-vnet-internal.png" alt-text="Connect to internal VNET":::
+
+ Use API Management in internal mode to:
+
+ * Make APIs hosted in your private datacenter securely accessible by third parties by using Azure VPN connections or Azure ExpressRoute.
+ * Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway.
+ * Manage your APIs hosted in multiple geographic locations, using a single gateway endpoint.
++
+## Network resource requirements
+
+The following are virtual network resource requirements for API Management. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
+
+### [stv2](#tab/stv2)
+
+* An Azure Resource Manager virtual network is required.
+* You must provide a Standard SKU [public IPv4 address](../virtual-network/public-ip-addresses.md#standard) in addition to specifying a virtual network and subnet.
+* The subnet used to connect to the API Management instance may contain other Azure resource types.
+* The API Management service, virtual network and subnet, and public IP address resource must be in the same region and subscription.
+* For multi-region API Management deployments, you configure virtual network resources separately for each location.
+
+### [stv1](#tab/stv1)
+
+* An Azure Resource Manager virtual network is required.
+* The subnet used to connect to the API Management instance must be dedicated to API Management. It cannot contain other Azure resource types.
+* The API Management service, virtual network, and subnet resources must be in the same region and subscription.
+* For multi-region API Management deployments, you configure virtual network resources separately for each location.
+++
+## Subnet size
+
+The minimum size of the subnet in which API Management can be deployed is /29, which gives three usable IP addresses. Each extra scale unit of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:
+
+* Azure reserves some IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).
+
+* In addition to the IP addresses used by the Azure VNET infrastructure, each API Management instance in the subnet uses:
+ * Two IP addresses per unit of Premium SKU, or
+ * One IP address for the Developer SKU.
+
+* Each instance reserves an extra IP address for the external load balancer. When deploying into an [internal VNET](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer.
+
+## Routing
+
+See the Routing guidance when deploying your API Management instance into an [external VNET](./api-management-using-with-vnet.md#routing) or [internal VNET](./api-management-using-with-internal-vnet.md#routing).
+
+Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md).
+
+## DNS
+
+In external mode, the VNET enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) for your API Management endpoints and other Azure resources. It does not provide name resolution for on-premises resources.
+
+In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md).
+
+For more information, see:
+* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).
+* [Create an Azure private DNS zone](../dns/private-dns-getstarted-portal.md)
+
+> [!IMPORTANT]
+> If you plan to use a custom DNS solution for the VNET, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/2020-12-01/api-management-service/apply-network-configuration-updates).
+
+## Limitations
+
+Some limitations differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
+
+### [stv2](#tab/stv2)
+
+* A subnet containing API Management instances can't be moved across subscriptions.
+* For multi-region API Management deployments configured in internal VNET mode, users own the routing and are responsible for managing the load balancing across multiple regions.
+* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
+
+### [stv1](#tab/stv1)
+
+* A subnet containing API Management instances can't be movacross subscriptions.
+* For multi-region API Management deployments configured in internal VNET mode, users own the routing and are responsible for managing the load balancing across multiple regions.
+* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
+* Due to platform limitations, connectivity between a resource in a globally peered VNET in another region and an API Management service in internal mode will not work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).
+++
+## Next steps
+
+Learn more about:
+
+* [Connecting a virtual network to backend using VPN Gateway](../vpn-gateway/design.md#s2smulti)
+* [Connecting a virtual network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
+* [Virtual network frequently asked questions](../virtual-network/virtual-networks-faq.md)
+
+Connect to a virtual network:
+* [Connect to an external virtual network using Azure API Management](./api-management-using-with-vnet.md).
+* [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).
+
+Review the following topics
+
+* [Connecting a Virtual Network to backend using Vpn Gateway](../vpn-gateway/design.md#s2smulti)
+* [Connecting a Virtual Network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
+* [How to use the API Inspector to trace calls in Azure API Management](api-management-howto-api-inspector.md)
+* [Virtual Network Frequently asked Questions](../virtual-network/virtual-networks-faq.md)
+* [Service tags](../virtual-network/network-security-groups-overview.md#service-tags)
+
+[api-management-using-vnet-menu]: ./media/api-management-using-with-vnet/api-management-menu-vnet.png
+[api-management-setup-vpn-select]: ./media/api-management-using-with-vnet/api-management-using-vnet-select.png
+[api-management-setup-vpn-add-api]: ./media/api-management-using-with-vnet/api-management-using-vnet-add-api.png
+[api-management-vnet-private]: ./media/virtual-network-concepts/api-management-vnet-internal.png
+[api-management-vnet-public]: ./media/virtual-network-concepts/api-management-vnet-external.png
+
+[Enable VPN connections]: #enable-vpn
+[Connect to a web service behind VPN]: #connect-vpn
+[Related content]: #related-content
+
+[UDRs]: ../virtual-network/virtual-networks-udr-overview.md
+[NetworkSecurityGroups]: ../virtual-network/network-security-groups-overview.md
+[ServiceEndpoints]: ../virtual-network/virtual-network-service-endpoints-overview.md
+[ServiceTags]: ../virtual-network/network-security-groups-overview.md#service-tags
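Review bot: two typos in the new article: the description metadata reads "connect you API Management instance" (should be "your"), and the stv1 Limitations bullet reads "can't be movacross subscriptions" (should be "moved across", matching the stv2 tab). The Next steps section lists the VPN Gateway, deployment-models and virtual-network FAQ links twice, once under "Learn more about:" and again under "Review the following topics" (which is missing its colon); keep one list. Of the reference-style link definitions at the end, only [NetworkSecurityGroups] is referenced in the body; [UDRs], [ServiceEndpoints], [ServiceTags], the five image definitions and the three anchor definitions ([Enable VPN connections], [Connect to a web service behind VPN], [Related content]) have no references and look carried over from the using-with-vnet article, so either use them or drop them.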
app-service Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-ssl-certificate.md
The [free App Service managed certificate](#create-a-free-managed-certificate) a
* Exported as a [password-protected PFX file](https://en.wikipedia.org/w/index.php?title=X.509&section=4#Certificate_filename_extensions), encrypted using triple DES. * Contains private key at least 2048 bits long
-* Contains all intermediate certificates in the certificate chain
+* Contains all intermediate certificates and the root certificate in the certificate chain.
To secure a custom domain in a TLS binding, the certificate has additional requirements:
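Review bot: the rewritten bullet ends with a period while the preceding bullet ("Contains private key at least 2048 bits long") has none; make punctuation consistent across the list and add the missing article ("Contains a private key").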
app-service Monitor App Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/monitor-app-service.md
Last updated 04/16/2021
When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by App Service and shipped to [Azure Monitor](../azure-monitor/overview.md). You can also use [built-in diagnostics to monitor resources](troubleshoot-diagnostic-logs.md) to assist with debugging an App Service app. If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md). > [!NOTE]
-> Azure Monitor integration with App Service is in [preview](https://aka.ms/appsvcblog-azmon).
+> Diagnostic settings integration with App Service is in [preview](https://aka.ms/appsvcblog-azmon).
> ## Monitoring data
The following table lists common and recommended alert rules for App Service.
- See [Monitoring App Service data reference](monitor-app-service-reference.md) for a reference of metrics, logs, and other important values created by App Service. -- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
+- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
app-service Overview Patch Os Runtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-patch-os-runtime.md
Stay current with critical security announcements in Azure by visiting [Azure Se
New stable versions of supported language runtimes (major, minor, or patch) are periodically added to App Service instances. Some updates overwrite the existing installation, while others are installed side by side with existing versions. An overwrite installation means that your app automatically runs on the updated runtime. A side-by-side installation means you must manually migrate your app to take advantage of a new runtime version. For more information, see one of the subsections.
-Runtime updates and deprecations are announced here:
--- https://azure.microsoft.com/updates/?product=app-service -- https://github.com/Azure/app-service-announcements/issues > [!NOTE] > Information here applies to language runtimes that are built into an App Service app. A custom runtime you upload to App Service, for example, remains unchanged unless you manually upgrade it.
az webapp config set --python-version 3.8 --resource-group <groupname> --name <a
az webapp config set --java-version 1.8 --java-container Tomcat --java-container-version 9.0 --resource-group <groupname> --name <appname> ```
-### Deprecated versions
-
-When an older version is deprecated, the removal date is announced so that you can plan your runtime version upgrade accordingly.
- ## How can I query OS and runtime update status on my instances? While critical OS information is locked down from access (see [Operating system functionality on Azure App Service](operating-system-functionality.md)), the [Kudu console](https://github.com/projectkudu/kudu/wiki/Kudu-console) enables you to query your App Service instance regarding the OS version and runtime versions.
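Review bot: the removed block carries not only the two announcement links but also the [!NOTE] stating that custom runtimes you upload are not updated automatically; confirm the note was meant to go, since nothing else on the page now makes that distinction. The paragraph that remains still ends with "For more information, see one of the subsections" and refers to deprecations, while the "Deprecated versions" subsection that explained when removal dates are announced is deleted; either keep a one-line pointer to where deprecations are announced or adjust that sentence.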
app-service Tutorial Auth Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-auth-aad.md
You use Azure Active Directory as the identity provider. For more information, s
1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Azure AD identities.
-1. For **App registration** > **App registration type**, select **Create new app registration**.
-
-1. For **App registration** > **Supported account types**, select **Current tenant-single tenant**.
-
-1. In the **App Service authentication settings** section, leave **Authentication** set to **Require authentication** and **Unauthenticated requests** set to **HTTP 302 Found redirect: recommended for websites**.
-
-1. At the bottom of the **Add an identity provider** page, click **Add** to enable authentication for your web app.
+1. Accept the default settings and click **Add**.
:::image type="content" source="./media/tutorial-auth-aad/configure-auth-back-end.png" alt-text="Screenshot of the back-end app's left menu showing Authentication/Authorization selected and settings selected in the right menu.":::
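Review bot: collapsing the four steps into "Accept the default settings and click Add" drops the explicit expectation that **Supported account types** is **Current tenant-single tenant** and that **Unauthenticated requests** is **Require authentication** with a 302 redirect. Those are the values the rest of the tutorial relies on, so if the portal defaults ever change, readers following this page would silently end up with a different configuration; keep a one-sentence statement of the expected values ("The defaults create a single-tenant registration and require authentication for all requests") alongside the shortened step.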
If you stop here, you have a self-contained app that's already secured by the Ap
### Enable authentication and authorization for front-end app
-Follow the same steps for the front-end app, but skip the last step. You don't need the client ID for the front-end app.
+Follow the same steps for the front-end app, but skip the last step. You don't need the client ID for the front-end app. However, stay on the **Authentication** page for the front-end app because you'll use it in the next step.
If you like, navigate to `http://<front-end-app-name>.azurewebsites.net`. It should now direct you to a secured sign-in page. After you sign in, *you still can't access the data from the back-end app*, because the back-end app now requires Azure Active Directory sign-in from the front-end app. You need to do three things:
If you like, navigate to `http://<front-end-app-name>.azurewebsites.net`. It sho
Now that you've enabled authentication and authorization to both of your apps, each of them is backed by an AD application. In this step, you give the front-end app permissions to access the back end on the user's behalf. (Technically, you give the front end's _AD application_ the permissions to access the back end's _AD application_ on the user's behalf.)
-1. In the [Azure portal](https://portal.azure.com) menu, select **Azure Active Directory** or search for and select *Azure Active Directory* from any page.
-
-1. Select **App registrations** > **Owned applications** > **View all applications in this directory**. Select your front-end app name, then select **API permissions**.
+1. In the **Authentication** page for the front-end app, select your front-end app name under **Identity provider**. This app registration was automatically generated for you. Select **API permissions** in the left menu.
- :::image type="content" source="./media/tutorial-auth-aad/add-api-access-front-end.png" alt-text="Screenshot of Microsoft - App registrations window with Owned applications, a front-end app name, and API permissions selected.":::
-
-1. Select **Add a permission**, then select **APIs my organization uses** > **\<back-end-app-name>**.
+1. Select **Add a permission**, then select **My APIs** > **\<back-end-app-name>**.
1. In the **Request API permissions** page for the back-end app, select **Delegated permissions** and **user_impersonation**, then select **Add permissions**.
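Review bot: the screenshot of the App registrations path (add-api-access-front-end.png) is removed but not replaced, so the rewritten step that starts from the **Authentication** page and the **Identity provider** link has no image while the neighbouring steps do; add a screenshot of the new navigation path or drop the image references consistently.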
The front-end app now has the required permissions to access the back-end app as
:::image type="content" source="./media/tutorial-auth-aad/resources-enable-write.png" alt-text="Screenshot of the Read Only and Read/Write buttons at the top of the Azure Resource Explorer page, with the Read/Write button selected.":::
-1. In the left browser, drill down to **config** > **authsettings**.
+1. In the left browser, drill down to **config** > **authsettingsV2**.
-1. In the **authsettings** view, click **Edit**. Set `additionalLoginParams` to the following JSON string, using the client ID you copied.
+1. In the **authsettingsV2** view, click **Edit**. Drill down to `properties.identityProviders.azureActiveDirectory.login` and add `loginParameters` with the following JSON string, using the client ID you copied.
```json
- "additionalLoginParams": ["response_type=code id_token","resource=<back-end-client-id>"],
+ "loginParameters": ["response_type=code id_token","scope=openid api://<back-end-client-id>/user_impersonation"],
```
- :::image type="content" source="./media/tutorial-auth-aad/additional-login-params-front-end.png" alt-text="Screenshot of a code example in the authsettings view showing the additionalLoginParams string with an example of a client ID.":::
+ :::image type="content" source="./media/tutorial-auth-aad/add-loginparameters.png" alt-text="Screenshot of a code example in the authsettingsV2 view showing the loginParameters string with an example of a client ID.":::
+
+ > [!TIP]
+ > The scope `api://<back-end-client-id>/user_impersonation` is added by default to the app registration for the back-end app. To view it in the Azure portal, go to the **Authentication** page for the back-end app, click the link under **Identity provider**, then click **Expose an API** in the left menu.
+ >
+ > Note that the scope requires admin or user consent. This requirement causes the consent request page to be displayed when a user signs into the front-end app in the browser. To avoid this consent page, add the front end's app registration as an authorized client application in the **Expose an API** page by clicking **Add a client application** and supplying the client ID of the front end's app registration.
1. Save your settings by clicking **PUT**.
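Review bot: the JSON snippet is a bare `"loginParameters": [...]` property, yet the step says to drill down to `properties.identityProviders.azureActiveDirectory.login` and add it there; show the enclosing `login` object (or state that `loginParameters` is a string array placed beside the existing keys of that object) so a reader editing in Resource Explorer knows where the fragment goes and how to handle an existing `login` block. In the TIP, adding the front end under **Add a client application** removes the consent prompt for users signing in to the front-end app; it is worth saying plainly that this pre-authorization is a one-time trust decision for the tenant, not just a way to skip a page.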
application-gateway Add Http Header Rewrite Rule Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/add-http-header-rewrite-rule-powershell.md
Title: Rewrite HTTP headers in Azure Application Gateway description: This article provides information on how to rewrite HTTP headers in Azure Application Gateway by using Azure PowerShell -+ Last updated 04/12/2019-+ # Rewrite HTTP request and response headers with Azure Application Gateway - Azure PowerShell
application-gateway Certificates For Backend Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/certificates-for-backend-authentication.md
Last updated 07/30/2021-+ # Create certificates to allow the backend with Azure Application Gateway
application-gateway End To End Ssl Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/end-to-end-ssl-portal.md
Last updated 11/14/2019-+
application-gateway How Application Gateway Works https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/how-application-gateway-works.md
Title: How an application gateway works description: This article provides information about how an application gateway accepts incoming requests and routes them to the backend. -+ Last updated 11/16/2019-+ # How an application gateway works
application-gateway How To Troubleshoot Application Gateway Session Affinity Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/how-to-troubleshoot-application-gateway-session-affinity-issues.md
Title: Troubleshoot session affinity issues
description: This article provides information on how to troubleshoot session affinity issues in Azure Application Gateway -+ Last updated 11/14/2019-+ # Troubleshoot Azure Application Gateway session affinity issues
application-gateway Rewrite Http Headers Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/rewrite-http-headers-portal.md
Title: Rewrite HTTP request and response headers in portal - Azure Application Gateway description: Learn how to use the Azure portal to configure an Azure Application Gateway to rewrite the HTTP headers in the requests and responses passing through the gateway -+ Last updated 11/13/2019-+ # Rewrite HTTP request and response headers with Azure Application Gateway - Azure portal
application-gateway Tutorial Http Header Rewrite Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-http-header-rewrite-powershell.md
Last updated 11/19/2019-+
azure-arc Concepts Distributed Postgres Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/concepts-distributed-postgres-hyperscale.md
Title: Concepts for distributing data and scaling out with Arc enabled PostgreSQL Hyperscale server group
+ Title: Concepts for distributing data and scaling out with Azure Arc-enabled PostgreSQL Hyperscale server group
-description: Concepts for distributing data with Arc enabled PostgreSQL Hyperscale server group
+description: Concepts for distributing data with Azure Arc-enabled PostgreSQL Hyperscale server group
-# Concepts for distributing data with Arc enabled PostgreSQL Hyperscale server group
+# Concepts for distributing data with Azure Arc-enabled PostgreSQL Hyperscale server group
This article explains key concepts that are important to benefit the most from Azure Arc-enabled PostgreSQL Hyperscale. The articles linked below point to the concepts explained for Azure Database for PostgreSQL Hyperscale (Citus). It is the same technology as Azure Arc-enabled PostgreSQL Hyperscale so the same concepts and perspectives apply.
The articles linked below point to the concepts explained for Azure Database for
This is the hyperscale form factor of the Postgres database engine available as database as a service in Azure (PaaS). It is powered by the the Citus extension that enables the Hyperscale experience. In this form factor the service runs in the Microsoft datacenters and is operated by Microsoft. -- _Azure Arc-enabled PostgreSQL Hyperscale_
+- _Azure Azure Arc-enabled PostgreSQL Hyperscale_
This is the hyperscale form factor of the Postgres database engine offered available with Azure Arc-enabled Data Service. In this form factor, our customers provide the infrastructure that host the systems and operate them.
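Review bot: the replacement bullet reads "_Azure Azure Arc-enabled PostgreSQL Hyperscale_", a doubled "Azure" left by the "Arc enabled" to "Azure Arc-enabled" search-and-replace; drop one. The adjacent context has "powered by the the Citus extension" and "offered available with Azure Arc-enabled Data Service", which are worth fixing in the same pass.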
See details at [Table colocation](../../postgresql/concepts-hyperscale-colocatio
- [Read about scaling out Azure Arc-enabled PostgreSQL Hyperscale server groups created in your Arc Data Controller](scale-out-in-postgresql-hyperscale-server-group.md) - [Read about Azure Arc-enabled Data Services](https://azure.microsoft.com/services/azure-arc/hybrid-data-services) - [Read about Azure Arc](https://aka.ms/azurearc)-
azure-arc Configure Security Postgres Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/configure-security-postgres-hyperscale.md
For audit scenarios please configure your server group to use the `pgaudit` exte
## Next steps - See [`pgcrypto` extension](https://www.postgresql.org/docs/current/pgcrypto.html) - See [Use PostgreSQL extensions](using-extensions-in-postgresql-hyperscale-server-group.md)-
azure-arc Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/connectivity.md
Azure Active Directory
> For now, all browser HTTPS/443 connections to the data controller for running the command `az arcdata dc export` and Grafana and Kibana dashboards are SSL encrypted using self-signed certificates. A feature will be available in the future that will allow you to provide your own certificates for encryption of these SSL connections. Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established. Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.-
azure-arc Create Data Controller Direct Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-direct-cli.md
az k8s-extension create -c "my-connected-cluster" -g "my-resource-group" --name
### Verify the Arc data services extension is created
-You can verify if the Arc enabled data services extension is created either from the portal or by connecting directly to the Arc enabled Kubernetes cluster.
+You can verify if the Azure Arc-enabled data services extension is created either from the portal or by connecting directly to the Azure Arc-enabled Kubernetes cluster.
#### Azure portal 1. Login to the Azure portal and browse to the resource group where the Kubernetes connected cluster resource is located.
-1. Select the Arc enabled kubernetes cluster (Type = "Kubernetes - Azure Arc") where the extension was deployed.
+1. Select the Azure Arc-enabled kubernetes cluster (Type = "Kubernetes - Azure Arc") where the extension was deployed.
1. In the navigation on the left side, under **Settings**, select "Extensions". 1. You should see the extension that was just created earlier in an "Installed" state.
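Review bot: the rewritten step keeps lowercase "kubernetes" in "Azure Arc-enabled kubernetes cluster" while the preceding step and the rest of the page write "Kubernetes"; capitalize it.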
azure-arc Create Data Controller Direct Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-direct-prerequisites.md
The SPN ClientID, TenantID, and Client Secret information will be required when
## 3. Create Azure Arc data services After you have completed these prerequisites, you can [Deploy Azure Arc data controller | Direct connect mode](create-data-controller-direct-azure-portal.md).--
azure-arc Create Data Controller Indirect Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-indirect-azure-portal.md
You can use the Azure portal to create an Azure Arc data controller, in indirect connectivity mode.
-Many of the creation experiences for Azure Arc start in the Azure portal even though the resource to be created or managed is outside of Azure infrastructure. The user experience pattern in these cases, especially when there is no direct connectivity between Azure and your environment, is to use the Azure portal to generate a script which can then be downloaded and executed in your environment to establish a secure connection back to Azure. For example, Azure Arc-enabled servers follows this pattern to [create Arc-enabled servers](../servers/onboard-portal.md).
+Many of the creation experiences for Azure Arc start in the Azure portal even though the resource to be created or managed is outside of Azure infrastructure. The user experience pattern in these cases, especially when there is no direct connectivity between Azure and your environment, is to use the Azure portal to generate a script which can then be downloaded and executed in your environment to establish a secure connection back to Azure. For example, Azure Arc-enabled servers follows this pattern to [create Azure Arc-enabled servers](../servers/onboard-portal.md).
When you use the indirect connect mode of Azure Arc-enabled data services, you can use the Azure portal to generate a notebook for you that can then be downloaded and run in Azure Data Studio against your Kubernetes cluster.
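Review bot: "Azure Arc-enabled servers follows this pattern" pairs a plural subject with a singular verb and survived the rename unchanged; "follow" (or "the Azure Arc-enabled servers onboarding follows").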
kubectl describe po/<pod name> --namespace arc
## Troubleshooting creation problems
-If you encounter any troubles with creation, please see the [troubleshooting guide](troubleshoot-guide.md).
+If you encounter any troubles with creation, please see the [troubleshooting guide](troubleshoot-guide.md).
azure-arc Create Postgresql Hyperscale Server Group Azure Data Studio https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-postgresql-hyperscale-server-group-azure-data-studio.md
While indicating 1 worker works, we do not recommend you use it. This deployment
- [Scale out your Azure Database for PostgreSQL Hyperscale server group](scale-out-in-postgresql-hyperscale-server-group.md) - [Storage configuration and Kubernetes storage concepts](storage-configuration.md) - [Kubernetes resource model](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/resources.md#resource-quantities)-
azure-arc Create Postgresql Hyperscale Server Group Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-postgresql-hyperscale-server-group-azure-portal.md
While indicating 1 worker works, we do not recommend you use it. This deployment
- [Storage configuration and Kubernetes storage concepts](storage-configuration.md) - [Expanding Persistent volume claims](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims) - [Kubernetes resource model](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/resources.md#resource-quantities)--
azure-arc Delete Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/delete-managed-instance.md
Learn more about [Features and Capabilities of Azure Arc-enabled SQL Managed Ins
[Start by creating a Data Controller](create-data-controller.md)
-Already created a Data Controller? [Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)
+Already created a Data Controller? [Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)
azure-arc Get Connection Endpoints And Connection Strings Postgres Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/get-connection-endpoints-and-connection-strings-postgres-hyperscale.md
Title: Get connection endpoints and form the connection strings for your Arc enabled PostgreSQL Hyperscale server group
+ Title: Get connection endpoints and form the connection strings for your Azure Arc-enabled PostgreSQL Hyperscale server group
-description: Get connection endpoints and form connection strings for your Arc enabled PostgreSQL Hyperscale server group
+description: Get connection endpoints and form connection strings for your Azure Arc-enabled PostgreSQL Hyperscale server group
Last updated 07/30/2021
-# Get connection endpoints and form the connection strings for your Arc enabled PostgreSQL Hyperscale server group
+# Get connection endpoints and form the connection strings for your Azure Arc-enabled PostgreSQL Hyperscale server group
This article explains how you can retrieve the connection endpoints for your server group and how you can form the connection strings which can be used with your applications and/or tools.
host=192.168.1.121; dbname=postgres user=postgres password={your_password_here}
## Next steps - Read about [scaling out (adding worker nodes)](scale-out-in-postgresql-hyperscale-server-group.md) your server group - Read about [scaling up or down (increasing/decreasing memory/vcores)](scale-up-down-postgresql-hyperscale-server-group-using-cli.md) your server group--
azure-arc Install Client Tools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/install-client-tools.md
# Install client tools for deploying and managing Azure Arc-enabled data services
-This article points you to resources to install the tools to manage Arc-enabled data services.
+This article points you to resources to install the tools to manage Azure Arc-enabled data services.
> [!IMPORTANT] > If you are updating to a new release, update to the latest version of Azure Data Studio, the Azure Arc extension for Azure Data Studio, Azure (`az`) command line interface (CLI), and the [!INCLUDE [azure-data-cli-azdata](../../../includes/azure-data-cli-azdata.md)]. > > [!INCLUDE [use-insider-azure-data-studio](includes/use-insider-azure-data-studio.md)]
-The [`arcdata` extension for Azure CLI (`az`)](reference/reference-az-arcdata-dc.md) replaces `azdata` for Arc-enabled data services.
+The [`arcdata` extension for Azure CLI (`az`)](reference/reference-az-arcdata-dc.md) replaces `azdata` for Azure Arc-enabled data services.
## Tools for creating and managing Azure Arc-enabled data services
The following table lists common tools required for creating and managing Azure
| Tool | Required | Description | Installation | |||||
-| Azure CLI (`az`)<sup>1</sup> | Yes | Modern command-line interface for managing Azure services. Used to manage Azure services in general and also specifically Arc-enabled data services using the CLI or in scripts for both indirectly connected mode (available now) and directly connected mode (available soon). ([More info](/cli/azure/)). | [Install](/cli/azure/install-azure-cli) |
-| `arcdata` extension for Azure (`az`) CLI | Yes | Command-line tool for managing Arc enabled data services as an extension to the Azure CLI (`az`) | [Install](install-arcdata-extension.md) |
+| Azure CLI (`az`)<sup>1</sup> | Yes | Modern command-line interface for managing Azure services. Used to manage Azure services in general and also specifically Azure Arc-enabled data services using the CLI or in scripts for both indirectly connected mode (available now) and directly connected mode (available soon). ([More info](/cli/azure/)). | [Install](/cli/azure/install-azure-cli) |
+| `arcdata` extension for Azure (`az`) CLI | Yes | Command-line tool for managing Azure Arc-enabled data services as an extension to the Azure CLI (`az`) | [Install](install-arcdata-extension.md) |
| Azure Data Studio | Yes | Rich experience tool for connecting to and querying a variety of databases including Azure SQL, SQL Server, PostrgreSQL, and MySQL. Extensions to Azure Data Studio provide an administration experience for Azure Arc-enabled data services. | [Install](/sql/azure-data-studio/download-azure-data-studio) | | Azure Arc extension for Azure Data Studio | Yes | Extension for Azure Data Studio that provides a management experience for Azure Arc-enabled data services.| Install from the extensions gallery in Azure Data Studio.| | PostgreSQL extension in Azure Data Studio | No | PostgreSQL extension for Azure Data Studio that provides management capabilities for PostgreSQL. | <!--{need link} [Install](../azure-data-studio/data-virtualization-extension.md) --> Install from extensions gallery in Azure Data Studio.|
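Review bot: the "(available now)" / "(available soon)" qualifiers in the Azure CLI row look stale: the plan-azure-arc-data-services and overview changes in this same update describe direct connected mode as a deployable mode with its own supported-regions column, so the row should either drop the availability qualifiers or state the current status. While this table is being touched, the Azure Data Studio row still spells "PostrgreSQL"; suggest `PostgreSQL`.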
azure-arc Managed Instance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-overview.md
Azure Arc-enabled SQL Managed Instance has near 100% compatibility with the late
To learn more about these capabilities, watch these introductory videos.
-### Azure Arc enabled SQL Managed Instance - indirect connected mode
+### Azure Arc-enabled SQL Managed Instance - indirect connected mode
> [!VIDEO https://channel9.msdn.com/Shows/Inside-Azure-for-IT/Azure-Arcenabled-data-services-in-disconnected-mode/player?format=ny]
-### Azure Arc enabled SQL Managed Instance - direct connected mode
+### Azure Arc-enabled SQL Managed Instance - direct connected mode
> [!VIDEO https://channel9.msdn.com/Shows/Inside-Azure-for-IT/Azure-Arcenabled-data-services-in-connected-mode/player?format=ny]
azure-arc Monitor Grafana Kibana https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/monitor-grafana-kibana.md
Kibana and Grafana web dashboards are provided to bring insight and clarity to t
## Monitor Azure SQL managed instances on Azure Arc
-To access the logs and monitoring dashboards for Arc enabled SQL Managed Instance, run the following `azdata` CLI command
+To access the logs and monitoring dashboards for Azure Arc-enabled SQL Managed Instance, run the following `azdata` CLI command
```azurecl az sql mi-arc endpoint list -n <name of SQL instance>
az network nsg rule create -n ports_30777 --nsg-name azurearcvmNSG --priority 60
- [Kibana guide](https://www.elastic.co/guide/en/kibana/current/https://docsupdatetracker.net/index.html) - [Introduction to dashboard drilldowns with data visualizations in Kibana](https://www.elastic.co/webinars/dashboard-drilldowns-with-data-visualizations-in-kibana/) - [How to build Kibana dashboards](https://www.elastic.co/webinars/how-to-build-kibana-dashboards/)-
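Review bot: the rewritten sentence still says to run the following `azdata` CLI command, but the command that follows is `az sql mi-arc endpoint list ...`, an Azure CLI (`az`) command; the install-client-tools change in this same update states that the `arcdata` extension for `az` replaces `azdata`, so the wording should refer to the `az` CLI (or the `arcdata` extension) instead. The fence tag `azurecl` on that block also looks like a typo for `azurecli`, which would stop the snippet from being recognised and highlighted as a CLI sample.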
azure-arc Offline Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/offline-deployment.md
The script will interactively prompt for the following information. Alternative
|Provide target container registry repository:|TARGET_DOCKER_REPOSITORY|The repository on the target registry to push the images to.| |Provide username for the target container registry - press enter for using none:|TARGET_DOCKER_USERNAME|The username, if any, that is used to log in to the target container registry.| |Provide password for the target container registry - press enter for using none:|TARGET_DOCKER_PASSWORD|The password, if any, that is used to log in to the target container registry. This is a masked password prompt. You will not see the password if you type or paste it in.|
-|Provide container image tag for the images at the target:|TARGET_DOCKER_TAG|Typically, you would use the same tag as the source to avoid confusion.|
+|Provide container image tag for the images at the target:|TARGET_DOCKER_TAG|Typically, you would use the same tag as the source to avoid confusion.|
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/overview.md
Currently, the following Azure Arc-enabled data services are available:
- SQL Managed Instance - PostgreSQL Hyperscale (preview)
-For an introduction to how Azure Arc enabled data services supports your hybrid work environment, see this introductory video:
+For an introduction to how Azure Arc-enabled data services supports your hybrid work environment, see this introductory video:
> [!VIDEO https://channel9.msdn.com/Shows//Inside-Azure-for-IT/Choose-the-right-data-solution-for-your-hybrid-environment/player?format=ny]
Many of the services such as self-service provisioning, automated backups/restor
## Supported regions
-The following table describes the scenarios that are currently supported for Arc enabled data services.
+The following table describes the scenarios that are currently supported for Azure Arc-enabled data services.
|Azure Regions |Direct connected mode |Indirect connected mode | ||||
azure-arc Plan Azure Arc Data Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/plan-azure-arc-data-services.md
Once the infrastructure is prepared, deploy Azure Arc-enabled data services in t
1. Create an Azure Arc-enabled data controller on one of the validated distributions of a Kubernetes cluster 1. Create an Azure Arc-enabled SQL managed instance and/or an Azure Arc-enabled PostgreSQL Hyperscale server group.
+> [!CAUTION]
+> Some of the data services tiers and modes are [generally available](release-notes.md) and some are in preview. We recommend that you don't mix GA and preview services on the same data controller. If you mix GA and preview services on the same data controller, you can't upgrade in place. In that scenario, when you want to upgrade, you must remove and re-create the data controller and data services.
+ ## Overview: Create the Azure Arc-enabled data controller You can create Azure Arc-enabled data services on multiple different types of Kubernetes clusters and managed Kubernetes services using multiple different approaches.
Regardless of the option you choose, during the creation process you will need t
- **Azure resource group name** - The name of the resource group where you want the data controller resource in Azure to be created. All Azure Arc-enabled SQL Managed Instances and PostgreSQL Hyperscale server groups will also be created in this resource group. - **Azure location** - The Azure location where the data controller resource metadata will be stored in Azure. For a list of available regions, see [Azure global infrastructure / Products by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc). The metadata and billing information about the Azure resources managed by the data controller that you are deploying will be stored only in the location in Azure that you specify as the location parameter. If you are deploying in the directly connected mode, the location parameter for the data controller will be the same as the location of the custom location resource that you target. - **Service Principal information** - as described in the [Upload prerequisites](upload-metrics-and-logs-to-azure-monitor.md) article, you will need the Service Principal information during Azure Arc data controller create when deploying in *direct* connectivity mode. For *indirect* connectivity mode, the Service Principal is still needed to export and upload manually but after the Azure Arc data controller is created.-- **Infrastructure** - For billing purposes, it is required to indicate the infrastructure on which you are running Arc enabled data services. The options are `alibaba`, `aws`, `azure`, `gcp`, `onpremises`, or `other`.
+- **Infrastructure** - For billing purposes, it is required to indicate the infrastructure on which you are running Azure Arc-enabled data services. The options are `alibaba`, `aws`, `azure`, `gcp`, `onpremises`, or `other`.
## Additional concepts for direct connected mode As described in the [connectivity modes](./connectivity.md), Azure Arc data controller can be deployed in **direct** or **indirect** connectivity modes. Deploying Azure Arc data services in **direct** connected mode requires understanding of some additional concepts and considerations.
-First, the Kubernetes cluster where the Arc enabled data services will be deployed needs to be an [Azure Arc-enabled Kubernetes cluster](../kubernetes/overview.md). Onboarding the Kubernetes cluster to Azure Arc provides Azure connectivity that is leveraged for capabilities such as automatic upload of usage information, logs, metrics etc. Connecting your Kubernetes cluster to Azure also allows you to deploy and manage Azure Arc data services to your cluster directly from the Azure portal.
+First, the Kubernetes cluster where the Azure Arc-enabled data services will be deployed needs to be an [Azure Arc-enabled Kubernetes cluster](../kubernetes/overview.md). Onboarding the Kubernetes cluster to Azure Arc provides Azure connectivity that is leveraged for capabilities such as automatic upload of usage information, logs, metrics etc. Connecting your Kubernetes cluster to Azure also allows you to deploy and manage Azure Arc data services to your cluster directly from the Azure portal.
Connecting your Kubernetes cluster to Azure involves the following steps: - [Connect your cluster to Azure](../kubernetes/quickstart-connect-cluster.md)
There are multiple options for creating the Azure Arc data controller:
- [Create a data controller in indirect connected mode with Azure Data Studio](create-data-controller-indirect-azure-data-studio.md) - [Create a data controller in indirect connected mode from the Azure portal via a Jupyter notebook in Azure Data Studio](create-data-controller-indirect-azure-portal.md) - [Create a data controller in indirect connected mode with Kubernetes tools such as kubectl or oc](create-data-controller-using-kubernetes-native-tools.md)-
azure-arc Point In Time Restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/point-in-time-restore.md
The backups are stored under ```/var/opt/mssql/backups/archived/<dbname>/<dateti
### Clean up If you need to delete older backups either to create space or no longer need them, any of the folders under ```/var/opt/mssql/backups/archived/``` folder can be removed. Removing folders in the middle of a timeline could impact the ability to restore to a point in time during that window. It is recommended to delete the oldest folders first allowing for a continuous timeline of restorability. --
azure-arc Privacy Data Collection And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/privacy-data-collection-and-reporting.md
Title: Data collection and reporting | Azure Arc-enabled data services
-description: Explains the type of data that is transmitted by Arc enabled Data services to Microsoft.
+description: Explains the type of data that is transmitted by Azure Arc-enabled Data services to Microsoft.
This section provides more details about the information included with the Azure
### Operational data
-Operational data is collected for all database instances and for the Arc enabled data services platform itself. There are two types of operational data:
+Operational data is collected for all database instances and for the Azure Arc-enabled data services platform itself. There are two types of operational data:
-- Metrics ΓÇô Performance and capacity related metrics, which are collected to an Influx DB provided as part of Arc enabled data services. You can view these metrics in the provided Grafana dashboard.
+- Metrics ΓÇô Performance and capacity related metrics, which are collected to an Influx DB provided as part of Azure Arc-enabled data services. You can view these metrics in the provided Grafana dashboard.
-- Logs ΓÇô logs emitted by all components including failure, warning, and informational events are collected to an Elasticsearch database provided as part of Arc enabled data services. You can view the logs in the provided Kibana dashboard.
+- Logs ΓÇô logs emitted by all components including failure, warning, and informational events are collected to an Elasticsearch database provided as part of Azure Arc-enabled data services. You can view the logs in the provided Kibana dashboard.
The operational data stored locally requires built in administrative privileges to view it in Grafana/Kibana.
Every database instance and the data controller itself will be reflected in Azur
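Review bot: both the removed and the added Metrics and Logs bullets carry `ΓÇô`, which is an en dash mis-encoded as Windows-1252 bytes; since these two lines are rewritten by this hunk anyway, replace it with a plain hyphen (`- Metrics - Performance and capacity related metrics, ...`) or the correctly encoded dash so the rendered page does not show the garbage characters.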
There are three resource types: -- Arc enabled SQL Managed Instance -- Arc enabled PostgreSQL Hyperscale server group
+- Azure Arc-enabled SQL Managed Instance
+- Azure Arc-enabled PostgreSQL Hyperscale server group
- SQL Server on Azure Arc-enabled servers - Data controller
The following sections show the properties, types, and descriptions that are col
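Review bot: the lead-in says "There are three resource types", but after this change the list has four entries: Azure Arc-enabled SQL Managed Instance, Azure Arc-enabled PostgreSQL Hyperscale server group, SQL Server on Azure Arc-enabled servers, and Data controller. Either update the count to four or drop the number ("The resource types are:").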
### SQL Server on Azure Arc-enabled servers - SQL Server edition. - `string: Edition` -- Resource ID of the container resource (Azure Arc for Servers).
+- Resource ID of the container resource (Azure Arc for Servers).
- `string: ContainerResourceId` - Time when the resource was created. - `string: CreateTime`
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/reference/overview.md
### Commands | Command | Description| | | |
-[az postgres arc-server](reference-az-postgres-arc-server.md) | Manage Azure Arc enabled PostgreSQL Hyperscale server groups.
+[az postgres arc-server](reference-az-postgres-arc-server.md) | Manage Azure Arc-enabled PostgreSQL Hyperscale server groups.
azure-arc Reference Az Postgres Arc Server Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/reference/reference-az-postgres-arc-server-endpoint.md
## Commands | Command | Description| | | |
-[az postgres arc-server endpoint list](#az-postgres-arc-server-endpoint-list) | List Azure Arc enabled PostgreSQL Hyperscale server group endpoints.
+[az postgres arc-server endpoint list](#az-postgres-arc-server-endpoint-list) | List Azure Arc-enabled PostgreSQL Hyperscale server group endpoints.
## az postgres arc-server endpoint list
-List Azure Arc enabled PostgreSQL Hyperscale server group endpoints.
+List Azure Arc-enabled PostgreSQL Hyperscale server group endpoints.
```bash az postgres arc-server endpoint list [--name -n] [--k8s-namespace -k]
az postgres arc-server endpoint list [--name -n]
[--use-k8s] ``` ### Examples
-List Azure Arc enabled PostgreSQL Hyperscale server group endpoints.
+List Azure Arc-enabled PostgreSQL Hyperscale server group endpoints.
```bash az postgres arc-server endpoint list --name postgres01 --k8s-namespace namespace --use-k8s ``` ### Optional Parameters #### `--name -n`
-Name of the Azure Arc enabled PostgreSQL Hyperscale server group.
+Name of the Azure Arc-enabled PostgreSQL Hyperscale server group.
#### `--k8s-namespace -k`
-The Kubernetes namespace where the Azure Arc enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
+The Kubernetes namespace where the Azure Arc-enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
#### `--use-k8s` Use local Kubernetes APIs to perform this action. ### Global Arguments
azure-arc Reference Az Postgres Arc Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/reference/reference-az-postgres-arc-server.md
## Commands | Command | Description| | | |
-[az postgres arc-server create](#az-postgres-arc-server-create) | Create an Azure Arc enabled PostgreSQL Hyperscale server group.
-[az postgres arc-server edit](#az-postgres-arc-server-edit) | Edit the configuration of an Azure Arc enabled PostgreSQL Hyperscale server group.
-[az postgres arc-server delete](#az-postgres-arc-server-delete) | Delete an Azure Arc enabled PostgreSQL Hyperscale server group.
-[az postgres arc-server show](#az-postgres-arc-server-show) | Show the details of an Azure Arc enabled PostgreSQL Hyperscale server group.
-[az postgres arc-server list](#az-postgres-arc-server-list) | List Azure Arc enabled PostgreSQL Hyperscale server groups.
-[az postgres arc-server endpoint](reference-az-postgres-arc-server-endpoint.md) | Manage Azure Arc enabled PostgreSQL Hyperscale server group endpoints.
+[az postgres arc-server create](#az-postgres-arc-server-create) | Create an Azure Arc-enabled PostgreSQL Hyperscale server group.
+[az postgres arc-server edit](#az-postgres-arc-server-edit) | Edit the configuration of an Azure Arc-enabled PostgreSQL Hyperscale server group.
+[az postgres arc-server delete](#az-postgres-arc-server-delete) | Delete an Azure Arc-enabled PostgreSQL Hyperscale server group.
+[az postgres arc-server show](#az-postgres-arc-server-show) | Show the details of an Azure Arc-enabled PostgreSQL Hyperscale server group.
+[az postgres arc-server list](#az-postgres-arc-server-list) | List Azure Arc-enabled PostgreSQL Hyperscale server groups.
+[az postgres arc-server endpoint](reference-az-postgres-arc-server-endpoint.md) | Manage Azure Arc-enabled PostgreSQL Hyperscale server group endpoints.
## az postgres arc-server create To set the password of the server group, please set the environment variable AZDATA_PASSWORD ```bash
az postgres arc-server create --name -n
[--use-k8s] ``` ### Examples
-Create an Azure Arc enabled PostgreSQL Hyperscale server group.
+Create an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server create -n pg1 --k8s-namespace namespace --use-k8s ```
-Create an Azure Arc enabled PostgreSQL Hyperscale server group with engine settings. Both below examples are valid.
+Create an Azure Arc-enabled PostgreSQL Hyperscale server group with engine settings. Both below examples are valid.
```bash az postgres arc-server create -n pg1 --engine-settings "key1=val1" --k8s-namespace namespace az postgres arc-server create -n pg1 --engine-settings "key2=val2" --k8s-namespace namespace --use-k8s
az postgres arc-server create -n pg1 --memory-limit "coordinator=2Gi,w=1Gi" --wo
``` ### Required Parameters #### `--name -n`
-Name of the Azure Arc enabled PostgreSQL Hyperscale server group.
+Name of the Azure Arc-enabled PostgreSQL Hyperscale server group.
### Optional Parameters #### `--path`
-The path to the source json file for the Azure Arc enabled PostgreSQL Hyperscale server group. This is optional.
+The path to the source json file for the Azure Arc-enabled PostgreSQL Hyperscale server group. This is optional.
#### `--k8s-namespace -k`
-The Kubernetes namespace where the Azure Arc enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
+The Kubernetes namespace where the Azure Arc-enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
#### `--cores-limit`
-The maximum number of CPU cores for Azure Arc enabled PostgreSQL Hyperscale server group that can be used per node. Fractional cores are supported. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
+The maximum number of CPU cores for Azure Arc-enabled PostgreSQL Hyperscale server group that can be used per node. Fractional cores are supported. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
#### `--cores-request` The minimum number of CPU cores that must be available per node to schedule the service. Fractional cores are supported. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group. #### `--memory-limit`
-The memory limit of the Azure Arc enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
+The memory limit of the Azure Arc-enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
#### `--memory-request`
-The memory request of the Azure Arc enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
+The memory request of the Azure Arc-enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
#### `--storage-class-data` The storage class to be used for data persistent volumes. #### `--storage-class-logs`
Name or ID of subscription. You can configure the default subscription using `az
#### `--verbose` Increase logging verbosity. Use --debug for full debug logs. ## az postgres arc-server edit
-Edit the configuration of an Azure Arc enabled PostgreSQL Hyperscale server group.
+Edit the configuration of an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server edit --name -n [--k8s-namespace -k]
az postgres arc-server edit --name -n
[--use-k8s] ``` ### Examples
-Edit the configuration of an Azure Arc enabled PostgreSQL Hyperscale server group.
+Edit the configuration of an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server edit --path ./spec.json -n pg1 --k8s-namespace namespace --use-k8s ```
-Edit an Azure Arc enabled PostgreSQL Hyperscale server group with engine settings for the coordinator node.
+Edit an Azure Arc-enabled PostgreSQL Hyperscale server group with engine settings for the coordinator node.
```bash az postgres arc-server edit -n pg1 --coordinator-settings "key2=val2" --k8s-namespace namespace ```
-Edits an Azure Arc enabled PostgreSQL Hyperscale server group and replaces existing engine settings with new setting key1=val1.
+Edits an Azure Arc-enabled PostgreSQL Hyperscale server group and replaces existing engine settings with new setting key1=val1.
```bash az postgres arc-server edit -n pg1 --engine-settings "key1=val1" --replace-settings --k8s-namespace namespace ``` ### Required Parameters #### `--name -n`
-Name of the Azure Arc enabled PostgreSQL Hyperscale server group that is being edited. The name under which your instance is deployed cannot be changed.
+Name of the Azure Arc-enabled PostgreSQL Hyperscale server group that is being edited. The name under which your instance is deployed cannot be changed.
### Optional Parameters #### `--k8s-namespace -k`
-The Kubernetes namespace where the Azure Arc enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
+The Kubernetes namespace where the Azure Arc-enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
#### `--path`
-The path to the source json file for the Azure Arc enabled PostgreSQL Hyperscale server group. This is optional.
+The path to the source json file for the Azure Arc-enabled PostgreSQL Hyperscale server group. This is optional.
#### `--workers -w` The number of worker nodes to provision in a server group. In Preview, reducing the number of worker nodes is not supported. Refer to documentation for additional details. #### `--cores-limit`
-The maximum number of CPU cores for Azure Arc enabled PostgreSQL Hyperscale server group that can be used per node, fractional cores are supported. To remove the cores_limit, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
+The maximum number of CPU cores for Azure Arc-enabled PostgreSQL Hyperscale server group that can be used per node, fractional cores are supported. To remove the cores_limit, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
#### `--cores-request` The minimum number of CPU cores that must be available per node to schedule the service, fractional cores are supported. To remove the cores_request, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group. #### `--memory-limit`
-The memory limit for Azure Arc enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). To remove the memory_limit, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
+The memory limit for Azure Arc-enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). To remove the memory_limit, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
#### `--memory-request`
-The memory request for Azure Arc enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). To remove the memory_request, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
+The memory request for Azure Arc-enabled PostgreSQL Hyperscale server group as a number followed by Ki (kilobytes), Mi (megabytes), or Gi (gigabytes). To remove the memory_request, specify its value as empty string. Optionally a comma-separated list of roles with values can be specified in format <role>=<value>. Valid roles are: "coordinator" or "c", "worker" or "w". If no roles are specified, settings will apply to all nodes of the PostgreSQL Hyperscale server group.
#### `--extensions` A comma-separated list of the Postgres extensions that should be loaded on startup. Please refer to the postgres documentation for supported values. #### `--port`
A comma separated list of Postgres engine settings in the format 'key1=val1, key
#### `--worker-settings` A comma separated list of Postgres engine settings in the format 'key1=val1, key2=val2' to be applied to 'worker' node role. When node role specific settings are specified, default settings will be ignored and overridden with the settings provided here. #### `--admin-password`
-If given, the Azure Arc enabled PostgreSQL Hyperscale server group's admin password will be set to the value of the AZDATA_PASSWORD environment variable if present and a prompted value otherwise.
+If given, the Azure Arc-enabled PostgreSQL Hyperscale server group's admin password will be set to the value of the AZDATA_PASSWORD environment variable if present and a prompted value otherwise.
#### `--use-k8s` Use local Kubernetes APIs to perform this action. ### Global Arguments
Name or ID of subscription. You can configure the default subscription using `az
#### `--verbose` Increase logging verbosity. Use --debug for full debug logs. ## az postgres arc-server delete
-Delete an Azure Arc enabled PostgreSQL Hyperscale server group.
+Delete an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server delete --name -n [--k8s-namespace -k]
az postgres arc-server delete --name -n
[--use-k8s] ``` ### Examples
-Delete an Azure Arc enabled PostgreSQL Hyperscale server group.
+Delete an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server delete -n pg1 --k8s-namespace namespace --use-k8s ``` ### Required Parameters #### `--name -n`
-Name of the Azure Arc enabled PostgreSQL Hyperscale server group.
+Name of the Azure Arc-enabled PostgreSQL Hyperscale server group.
### Optional Parameters #### `--k8s-namespace -k`
-The Kubernetes namespace where the Azure Arc enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
+The Kubernetes namespace where the Azure Arc-enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
#### `--force -f`
-Force delete the Azure Arc enabled PostgreSQL Hyperscale server group without confirmation.
+Force delete the Azure Arc-enabled PostgreSQL Hyperscale server group without confirmation.
#### `--use-k8s` Use local Kubernetes APIs to perform this action. ### Global Arguments
Name or ID of subscription. You can configure the default subscription using `az
#### `--verbose` Increase logging verbosity. Use --debug for full debug logs. ## az postgres arc-server show
-Show the details of an Azure Arc enabled PostgreSQL Hyperscale server group.
+Show the details of an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server show --name -n [--k8s-namespace -k]
az postgres arc-server show --name -n
[--use-k8s] ``` ### Examples
-Show the details of an Azure Arc enabled PostgreSQL Hyperscale server group.
+Show the details of an Azure Arc-enabled PostgreSQL Hyperscale server group.
```bash az postgres arc-server show -n pg1 --k8s-namespace namespace --use-k8s ``` ### Required Parameters #### `--name -n`
-Name of the Azure Arc enabled PostgreSQL Hyperscale server group.
+Name of the Azure Arc-enabled PostgreSQL Hyperscale server group.
### Optional Parameters #### `--k8s-namespace -k`
-The Kubernetes namespace where the Azure Arc enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
+The Kubernetes namespace where the Azure Arc-enabled PostgreSQL Hyperscale server group is deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
#### `--path`
-A path where the full specification for the Azure Arc enabled PostgreSQL Hyperscale server group should be written. If omitted, the specification will be written to standard output.
+A path where the full specification for the Azure Arc-enabled PostgreSQL Hyperscale server group should be written. If omitted, the specification will be written to standard output.
#### `--use-k8s` Use local Kubernetes APIs to perform this action. ### Global Arguments
Name or ID of subscription. You can configure the default subscription using `az
#### `--verbose` Increase logging verbosity. Use --debug for full debug logs. ## az postgres arc-server list
-List Azure Arc enabled PostgreSQL Hyperscale server groups.
+List Azure Arc-enabled PostgreSQL Hyperscale server groups.
```bash az postgres arc-server list [--k8s-namespace -k] [--use-k8s] ``` ### Examples
-List Azure Arc enabled PostgreSQL Hyperscale server groups.
+List Azure Arc-enabled PostgreSQL Hyperscale server groups.
```bash az postgres arc-server list --k8s-namespace namespace --use-k8s ``` ### Optional Parameters #### `--k8s-namespace -k`
-The Kubernetes namespace where the Azure Arc enabled PostgreSQL Hyperscale server groups are deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
+The Kubernetes namespace where the Azure Arc-enabled PostgreSQL Hyperscale server groups are deployed. If no namespace is specified, then the namespace defined in the kubeconfig will be used.
#### `--use-k8s` Use local Kubernetes APIs to perform this action. ### Global Arguments
azure-arc Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/release-notes.md
Use the following tools:
#### Data controller -- When Azure Arc data controller is deleted from Azure portal, validation is done to block the delete if there any Azure Arc enabled SQL managed instances deployed on this Arc data controller. Currently, this validation is applied only when the delete is performed from the Overview page of the Azure Arc data controller.
+- When Azure Arc data controller is deleted from Azure portal, validation is done to block the delete if there any Azure Arc-enabled SQL managed instances deployed on this Arc data controller. Currently, this validation is applied only when the delete is performed from the Overview page of the Azure Arc data controller.
#### Azure Arc-enabled PostgreSQL Hyperscale
Use the following tools:
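Review bot: the added data controller bullet still reads "validation is done to block the delete if there any Azure Arc-enabled SQL managed instances"; the verb is missing and it should be "if there are any". Since the line is being rewritten for the rename anyway, fix it in the same change.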
##### Point-in-time restore(PITR) supportability and limitations: -- Doesn't support restore from one Azure Arc-enabled SQL managed instance to another Azure Arc enabled SQL managed instance. The database can only be restored to the same Arc-enabled SQL Managed Instance where the backups were created.
+- Doesn't support restore from one Azure Arc-enabled SQL managed instance to another Azure Arc-enabled SQL managed instance. The database can only be restored to the same Azure Arc-enabled SQL Managed Instance where the backups were created.
- Renaming of a databases is currently not supported, for point in time restore purposes. - Currently there is no CLI command or an API to provide the allowed time window information for point-in-time restore. You can provide a time within a reasonable window, since the time the database was created, and if the timestamp is valid the restore would work. If the timestamp is not valid, the allowed time window will be provided via an error message. - No support for restoring a TDE enabled database.
To update your scripts for managed instance, replace `azdata arc sql mi...` with
For Azure Arc-enabled PostgreSQL Hyperscale, replace `azdata arc sql postgres...` with `az postgres arc-server...`.
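Review bot: the added PITR bullet is fine, but the neighbouring bullets in the same list carry two slips worth fixing while here: "Renaming of a databases is currently not supported, for point in time restore purposes" should read "Renaming a database is currently not supported for point-in-time restore", and "TDE enabled database" should be hyphenated as "TDE-enabled database", matching the hyphenation this patch is standardising everywhere else.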
-In addition to the parameters that have historically existed on the `azdata` commands, the same commands in the `arcdata` Azure CLI extension have some new parameters such as `--k8s-namespace` and `--use-k8s` are now required. The `--use-k8s` parameter will be used to differentiate when the command should be sent to the Kubernetes API or to the ARM API. For now all Azure CLI commands for Arc-enabled data services target only the Kubernetes API.
+In addition to the parameters that have historically existed on the `azdata` commands, the same commands in the `arcdata` Azure CLI extension have some new parameters such as `--k8s-namespace` and `--use-k8s` are now required. The `--use-k8s` parameter will be used to differentiate when the command should be sent to the Kubernetes API or to the ARM API. For now all Azure CLI commands for Azure Arc-enabled data services target only the Kubernetes API.
Some of the short forms of the parameter names (e.g. `--core-limit` as `-cl`) have either been removed or changed. Use the new parameter short names or the long name.
The OpenDistro security pack has been removed. Log in to Kibana is now done thro
#### CRD version bump to `v1beta1`
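Review bot: the added sentence keeps a grammatical tangle from the original: "have some new parameters such as `--k8s-namespace` and `--use-k8s` are now required". Suggest "have some new parameters, such as `--k8s-namespace` and `--use-k8s`, that are now required". Since the next two sentences say `--use-k8s` selects between the Kubernetes API and the ARM API but that all commands currently target only the Kubernetes API, it would help readers to state plainly that `--use-k8s` must be passed today, so nobody omits it expecting an ARM path.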
-All CRDs have had the version bumped from `v1alpha1` to `v1beta1` for this release. Be sure to delete all CRDs as part of the uninstall process if you have deployed a version of Arc-enabled data services prior to the June 2021 release. The new CRDs deployed with the June 2021 release will have v1beta1 as the version.
+All CRDs have had the version bumped from `v1alpha1` to `v1beta1` for this release. Be sure to delete all CRDs as part of the uninstall process if you have deployed a version of Azure Arc-enabled data services prior to the June 2021 release. The new CRDs deployed with the June 2021 release will have v1beta1 as the version.
#### Azure Arc-enabled SQL Managed Instance
This release introduces `az` CLI extensions for Azure Arc-enabled data services.
#### Data controller -- Streamlined user experience for deploying a data controller in the direct connected mode from the Azure portal. Once a Kubernetes cluster has been Arc-enabled, you can deploy the data controller entirely from the portal with the Arc data controller create wizard in one motion. This deployment also creates the custom location and Arc-enabled data services extension (bootstrapper). You can also pre-create the custom location and/or extension and configure the data controller deployment to use them.
+- Streamlined user experience for deploying a data controller in the direct connected mode from the Azure portal. Once a Kubernetes cluster has been Azure Arc-enabled, you can deploy the data controller entirely from the portal with the Arc data controller create wizard in one motion. This deployment also creates the custom location and Azure Arc-enabled data services extension (bootstrapper). You can also pre-create the custom location and/or extension and configure the data controller deployment to use them.
- New `Infrastructure` property is a required property when you deploy an Arc data controller. This property will be required for billing purposes. More information will be provided at general availability. - Various usability improvements in the data controller user experience in the Azure portal including the ability to better see the deployment status of resources that are in the deployment process on the Kubernetes cluster. - Data controller automatically uploads logs (optionally) and now also metrics to Azure in direct connected mode. - The monitoring stack (metrics and logs databases/dashboards) has now been packaged into its own custom resource definition (CRD) - `monitors.arcdata.microsoft.com`. When this custom resource is created the monitoring stack pods are created. When it is deleted the monitoring stack pods are deleted. When the data controller is created the monitor custom resource is automatically created. - New regions supported for direct connected mode (preview): East US 2, West US 2, South Central US, UK South, France Central, Southeast Asia, Australia East.-- The custom location resource chart on the overview blade now shows Arc-enabled data services resources that are deployed to it.
+- The custom location resource chart on the overview blade now shows Azure Arc-enabled data services resources that are deployed to it.
- Diagnostics and solutions have been added to the Azure portal for data controller. - Added new `Observed Generation` property to all Arc related custom resources. - Credential manager service is now included and handles the automated distribution of certificates to all services managed by the data controller.
This release introduces `az` CLI extensions for Azure Arc-enabled data services.
- Azure Arc PostgreSQL Hyperscale deployments now supports Kubernetes pods to nodes assignments strategies with nodeSelector, nodeAffinity and anti-affinity. - You can now configure compute parameters (vCore & memory) per role (Coordinator or Worker) when you deploy a PostgreSQL Hyperscale server group or after deployment from Azure Data Studio and from the Azure portal. - From the Azure portal, you can now view the list of PostgreSQL extensions created on your PostgreSQL Hyperscale server group.-- From the Azure portal, you can delete Arc-enabled PostgreSQL Hyperscale groups on a data controller that is directly connected to Azure.
+- From the Azure portal, you can delete Azure Arc-enabled PostgreSQL Hyperscale groups on a data controller that is directly connected to Azure.
#### Azure Arc-enabled SQL Managed Instance
As a preview feature, the technology presented in this article is subject to [Su
- Create and delete data controller, SQL managed instance, and PostgreSQL Hyperscale server groups from Azure portal. - Validate portal actions when deleting Azure Arc data services. For instance, the portal alerts when you attempt to delete the data controller when there are SQL Managed Instances deployed using the data controller.-- Create custom configuration profiles to support custom settings when you deploy Arc-enabled data controller using the Azure portal.
+- Create custom configuration profiles to support custom settings when you deploy Azure Arc-enabled data controller using the Azure portal.
- Optionally, automatically upload your logs to Azure Log analytics workspace in the directly connected mode. #### Azure Arc-enabled PostgreSQL Hyperscale
This release introduces the following features or capabilities:
#### Azure Arc-enabled SQL Managed Instance -- New [Azure CLI extension](/cli/azure/azure-cli-extensions-overview) for Arc-enabled SQL Managed Instance has the same commands as `az sql mi-arc <command>`. All Arc-enabled SQL Managed Instance commands are located at `az sql mi-arc`. All Arc related `azdata` commands will be deprecated and moved to Azure CLI in a future release.
+- New [Azure CLI extension](/cli/azure/azure-cli-extensions-overview) for Azure Arc-enabled SQL Managed Instance has the same commands as `az sql mi-arc <command>`. All Azure Arc-enabled SQL Managed Instance commands are located at `az sql mi-arc`. All Arc related `azdata` commands will be deprecated and moved to Azure CLI in a future release.
To add the extension:
This release introduces the following breaking changes:
## September 2020
-Azure Arc-enabled data services is released for public preview. Arc-enabled data services allow you to manage data services anywhere.
+Azure Arc-enabled data services is released for public preview. Azure Arc-enabled data services allow you to manage data services anywhere.
- SQL Managed Instance - PostgreSQL Hyperscale
azure-arc Show Configuration Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/show-configuration-postgresql-hyperscale-server-group.md
Title: Show the configuration of an Arc enabled PostgreSQL Hyperscale server group
+ Title: Show the configuration of an Azure Arc-enabled PostgreSQL Hyperscale server group
-description: Show the configuration of an Arc enabled PostgreSQL Hyperscale server group
+description: Show the configuration of an Azure Arc-enabled PostgreSQL Hyperscale server group
-# Show the configuration of an Arc enabled PostgreSQL Hyperscale server group
+# Show the configuration of an Azure Arc-enabled PostgreSQL Hyperscale server group
This article explains how to display the configuration of your server group(s). It does so by anticipating some questions you may be asking to yourself and it answers them. At times there may be several valid answers. This article pitches the most common or useful ones. It groups those questions by theme:
azure-arc Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/troubleshoot-guide.md
This article identifies troubleshooting resources for Azure Arc-enabled data ser
## Next steps
-[Scenario: View inventory of your instances in the Azure portal](view-arc-data-services-inventory-in-azure-portal.md)
+[Scenario: View inventory of your instances in the Azure portal](view-arc-data-services-inventory-in-azure-portal.md)
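Review bot: the removed and added lines in this hunk are identical as rendered ("[Scenario: View inventory of your instances in the Azure portal](view-arc-data-services-inventory-in-azure-portal.md)"). If the only difference is trailing whitespace or a line ending, that is fine but worth a mention in the commit message; otherwise the hunk is a no-op and can be dropped.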
azure-arc Troubleshoot Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/troubleshoot-postgresql-hyperscale-server-group.md
Implement the steps described in [033-manage-Postgres-with-AzureDataStudio.md](
:::image type="content" source="media/postgres-hyperscale/ads-controller-postgres-troubleshooting-notebook.jpg" alt-text="Azure Data Studio - Open PostgreSQL troubleshooting Notebook":::
-The **TSG100 - The Azure Arc-enabled PostgreSQL Hyperscale troubleshooter notebook** opens up:
+The **TSG100 - The Azure ArcΓÇôenabled PostgreSQL Hyperscale troubleshooter notebook** opens up:
:::image type="content" source="media/postgres-hyperscale/ads-controller-postgres-troubleshooting-notebook2.jpg" alt-text="Azure Data Studio - Use PostgreSQL troubleshooting notebook"::: #### Run the scripts
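Review bot: the added TSG100 notebook title uses an en dash ("Azure Arc–enabled", which shows up here as the mojibake "ArcΓÇôenabled") where every other line in this patch uses a plain hyphen ("Azure Arc-enabled"). Use the hyphen so the notebook title matches the rest of the rename and so a text search for "Arc-enabled" finds it.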
azure-arc Troubleshooting Get Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/troubleshooting-get-logs.md
The following folder hierarchy is an example. It's organized by pod name, then c
Γö£ΓöÇΓöÇΓöÇjournal ΓööΓöÇΓöÇΓöÇopenvpn ```-
azure-arc Upload Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/upload-logs.md
With the environment variables set, you can upload logs to the log workspace.
## Upload logs to Azure Monitor
- To upload logs for your Azure Arc-enabled SQL managed instances and AzureArc enabled PostgreSQL Hyperscale server groups run the following CLI commands-
+ To upload logs for your Azure Arc-enabled SQL managed instances and Azure Arc-enabled PostgreSQL Hyperscale server groups run the following CLI commands-
1. Log in to to the Azure Arc data controller with Azure (`az`) CLI with the `arcdata` extension.
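Review bot: the added line ends with "run the following CLI commands-"; a numbered list follows, so end the sentence with a colon rather than a dangling hyphen. The first step immediately below it also has a doubled word, "Log in to to the Azure Arc data controller", which should be fixed in the same change.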
azure-arc Using Extensions In Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/using-extensions-in-postgresql-hyperscale-server-group.md
See the [pg_cron README](https://github.com/citusdata/pg_cron) for full details
## Next steps - Read documentation on [`plv8`](https://plv8.github.io/) - Read documentation on [`PostGIS`](https://postgis.net/)-- Read documentation on [`pg_cron`](https://github.com/citusdata/pg_cron)
+- Read documentation on [`pg_cron`](https://github.com/citusdata/pg_cron)
azure-arc Validation Program https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/validation-program.md
To see how all Azure Arc-enabled components are validated, see [Validation progr
## Data services validation process
-The Sonobuoy Arc-enabled data services plug-in automates the provisioning and testing of Azure Arc enabled data services on a Kubernetes cluster.
+The Sonobuoy Azure Arc-enabled data services plug-in automates the provisioning and testing of Azure Arc-enabled data services on a Kubernetes cluster.
### Prerequisites
azure-arc What Is Azure Arc Enabled Postgres Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/what-is-azure-arc-enabled-postgres-hyperscale.md
This is the hyperscale form factor of the Postgres database engine available as
## Azure Arc-enabled PostgreSQL Hyperscale This is the hyperscale form factor of the Postgres database engine that is available with Azure Arc-enabled data services. It is also powered by the Citus extension that enables the hyperscale experience. In this form factor, our customers provide the infrastructure that hosts the systems and operate them.
azure-arc Agent Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/agent-upgrade.md
Title: "Upgrading Azure Arc enabled Kubernetes agents"
+ Title: "Upgrading Azure Arc-enabled Kubernetes agents"
Last updated 03/03/2021
-description: "Control agent upgrades for Azure Arc enabled Kubernetes"
+description: "Control agent upgrades for Azure Arc-enabled Kubernetes"
keywords: "Kubernetes, Arc, Azure, K8s, containers, agent, upgrade"
-# Upgrading Azure Arc enabled Kubernetes agents
+# Upgrading Azure Arc-enabled Kubernetes agents
-Azure Arc enabled Kubernetes provides auto-upgrade and manual-upgrade capabilities for its agents. If use disable auto-upgrade and instead rely on manual-upgrade, version support policy is applicable for Arc agents and the underlying Kubernetes cluster.
+Azure Arc-enabled Kubernetes provides auto-upgrade and manual-upgrade capabilities for its agents. If use disable auto-upgrade and instead rely on manual-upgrade, version support policy is applicable for Arc agents and the underlying Kubernetes cluster.
## Toggle auto-upgrade on or off when connecting cluster to Azure Arc
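Review bot: the added introductory sentence still contains the typo "If use disable auto-upgrade"; it should be "If you disable auto-upgrade". The remainder would also read more clearly as "the version support policy applies to both the Arc agents and the underlying Kubernetes cluster".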
-Azure Arc enabled Kubernetes provides its agents with out- of-the-box auto-upgrade capabilities.
+Azure Arc-enabled Kubernetes provides its agents with out- of-the-box auto-upgrade capabilities.
The following command connects a cluster to Azure Arc with auto-upgrade **enabled**:
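Review bot: the added line keeps a stray space in "out- of-the-box"; it should be "out-of-the-box".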
az connectedk8s connect --name AzureArcTest1 --resource-group AzureArcTest --dis
``` > [!TIP]
-> If you plan to disable auto-upgrade, please refer to the [version support policy](#version-support-policy) for Azure Arc enabled Kubernetes.
+> If you plan to disable auto-upgrade, please refer to the [version support policy](#version-support-policy) for Azure Arc-enabled Kubernetes.
## Toggle auto-upgrade on/off after connecting cluster to Azure Arc
If you have disabled auto-upgrade for agents, you can manually initiate upgrades
az connectedk8s upgrade -g AzureArcTest1 -n AzureArcTest --agent-version 1.1.0 ```
-Azure Arc enabled Kubernetes follows the standard [semantic versioning scheme](https://semver.org/) of `MAJOR.MINOR.PATCH` for versioning its agents.
+Azure Arc-enabled Kubernetes follows the standard [semantic versioning scheme](https://semver.org/) of `MAJOR.MINOR.PATCH` for versioning its agents.
Each number in the version indicates general compatibility with the previous version:
Each number in the version indicates general compatibility with the previous ver
## Version support policy
-When you create support issues, Azure Arc enabled Kubernetes practices the following version support policy:
+When you create support issues, Azure Arc-enabled Kubernetes practices the following version support policy:
-* Azure Arc enabled Kubernetes agents have a support window of "N-2" where 'N' is the latest minor release of agents.
- * For example, if Azure Arc enabled Kubernetes introduces 0.28.a today, versions 0.28.a, 0.28.b, 0.27.c, 0.27.d, 0.26.e, and 0.26.f are supported by Azure Arc.
+* Azure Arc-enabled Kubernetes agents have a support window of "N-2" where 'N' is the latest minor release of agents.
+ * For example, if Azure Arc-enabled Kubernetes introduces 0.28.a today, versions 0.28.a, 0.28.b, 0.27.c, 0.27.d, 0.26.e, and 0.26.f are supported by Azure Arc.
* Kubernetes clusters connecting to Azure Arc have a support window of "N-2", where 'N' is the latest stable minor release of [upstream Kubernetes](https://github.com/kubernetes/kubernetes/releases). * For example, if Kubernetes introduces 1.20.a today, versions 1.20.a, 1.20.b, 1.19.c, 1.19.d, 1.18.e, and 1.18.f are supported.
-### How often are minor version releases of Azure Arc enabled Kubernetes available?
+### How often are minor version releases of Azure Arc-enabled Kubernetes available?
-One minor version of Azure Arc enabled Kubernetes agents is released approximately once a month.
+One minor version of Azure Arc-enabled Kubernetes agents is released approximately once a month.
### What happens if I'm using an agent version or a Kubernetes version outside the official support window?
One minor version of Azure Arc enabled Kubernetes agents is released approximate
## Next steps * Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* Already have a Kubernetes cluster connected Azure Arc? [Create configurations on your Arc enabled Kubernetes cluster](./tutorial-use-gitops-connected-cluster.md).
-* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).
+* Already have a Kubernetes cluster connected Azure Arc? [Create configurations on your Azure Arc-enabled Kubernetes cluster](./tutorial-use-gitops-connected-cluster.md).
+* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).
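Review bot: the added "Next steps" bullet is missing a preposition: "Already have a Kubernetes cluster connected Azure Arc?" should be "connected to Azure Arc?". The second removed/added pair in this hunk ("Learn how to [use Azure Policy to apply configurations at scale]") is identical as rendered, so it is presumably a whitespace-only change and could be left out of the hunk.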
azure-arc Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/azure-rbac.md
Title: "Azure RBAC for Azure Arc enabled Kubernetes clusters"
+ Title: "Azure RBAC for Azure Arc-enabled Kubernetes clusters"
Last updated 04/05/2021
-description: "Use Azure RBAC for authorization checks on Azure Arc enabled Kubernetes clusters."
+description: "Use Azure RBAC for authorization checks on Azure Arc-enabled Kubernetes clusters."
-# Integrate Azure Active Directory with Azure Arc enabled Kubernetes clusters
+# Integrate Azure Active Directory with Azure Arc-enabled Kubernetes clusters
Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. By using this feature, you can use Azure Active Directory (Azure AD) and role assignments in Azure to control authorization checks on the cluster. This implies that you can now use Azure role assignments to granularly control who can read, write, and delete Kubernetes objects like deployment, pod, and service.
-A conceptual overview of this feature is available in the [Azure RBAC on Azure Arc enabled Kubernetes](conceptual-azure-rbac.md) article.
+A conceptual overview of this feature is available in the [Azure RBAC on Azure Arc-enabled Kubernetes](conceptual-azure-rbac.md) article.
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
A conceptual overview of this feature is available in the [Azure RBAC on Azure A
az extension update --name connectedk8s ``` -- Connect an existing Azure Arc enabled Kubernetes cluster:
+- Connect an existing Azure Arc-enabled Kubernetes cluster:
- If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md). - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version 1.1.0 or later.
The server application needs the `Microsoft.Authorization/*/read` permissions to
## Enable Azure RBAC on the cluster
-Enable Azure role-based access control (RBAC) on your Arc enabled Kubernetes cluster by running the following command:
+Enable Azure role-based access control (RBAC) on your Azure Arc-enabled Kubernetes cluster by running the following command:
```console az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features azure-rbac --app-id "${SERVER_APP_ID}" --app-secret "${SERVER_APP_SECRET}"
az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --featur
## Create role assignments for users to access the cluster
-Owners of the Azure Arc enabled Kubernetes resource can use either built-in roles or custom roles to grant other users access to the Kubernetes cluster.
+Owners of the Azure Arc-enabled Kubernetes resource can use either built-in roles or custom roles to grant other users access to the Kubernetes cluster.
### Built-in roles
Owners of the Azure Arc enabled Kubernetes resource can use either built-in role
| [Azure Arc Kubernetes Admin](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-admin) | Allows admin access. It's intended to be granted within a namespace through `RoleBinding`. If you use it in `RoleBinding`, it allows read/write access to most resources in a namespace, including the ability to create roles and role bindings within the namespace. This role doesn't allow write access to resource quota or to the namespace itself. | | [Azure Arc Kubernetes Cluster Admin](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-cluster-admin) | Allows superuser access to execute any action on any resource. When you use it in `ClusterRoleBinding`, it gives full control over every resource in the cluster and in all namespaces. When you use it in `RoleBinding`, it gives full control over every resource in the role binding's namespace, including the namespace itself.|
-You can create role assignments scoped to the Arc enabled Kubernetes cluster in the Azure portal, on the **Access Control (IAM)** pane of the cluster resource. You can also use the following Azure CLI commands:
+You can create role assignments scoped to the Azure Arc-enabled Kubernetes cluster in the Azure portal, on the **Access Control (IAM)** pane of the cluster resource. You can also use the following Azure CLI commands:
```azurecli az role assignment create --role "Azure Arc Kubernetes Cluster Admin" --assignee <AZURE-AD-ENTITY-ID> --scope $ARM_ID
Copy the following JSON object into a file called *custom-role.json*. Replace th
There are two ways to get the *kubeconfig* file that you need to access the cluster: -- You use the [Cluster Connect](cluster-connect.md) feature (`az connectedk8s proxy`) of the Azure Arc enabled Kubernetes cluster.
+- You use the [Cluster Connect](cluster-connect.md) feature (`az connectedk8s proxy`) of the Azure Arc-enabled Kubernetes cluster.
- The cluster admin shares the *kubeconfig* file with every other user. ### If you're accessing the cluster by using the Cluster Connect feature
After the proxy process is running, you can open another tab in your console to
## Use Conditional Access with Azure AD
-When you're integrating Azure AD with your Arc enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster.
+When you're integrating Azure AD with your Azure Arc-enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster.
> [!NOTE] > Azure AD Conditional Access is an Azure AD Premium capability.
azure-arc Cluster Connect https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/cluster-connect.md
Title: "Use Cluster Connect to connect to Azure Arc enabled Kubernetes clusters"
+ Title: "Use Cluster Connect to connect to Azure Arc-enabled Kubernetes clusters"
Last updated 04/05/2021
-description: "Use Cluster Connect to securely connect to Azure Arc enabled Kubernetes clusters"
+description: "Use Cluster Connect to securely connect to Azure Arc-enabled Kubernetes clusters"
-# Use Cluster Connect to connect to Azure Arc enabled Kubernetes clusters
+# Use Cluster Connect to connect to Azure Arc-enabled Kubernetes clusters
-With Cluster Connect, you can securely connect to Azure Arc enabled Kubernetes clusters without requiring any inbound port to be enabled on the firewall. Access to the `apiserver` of the Arc enabled Kubernetes cluster enables the following scenarios:
+With Cluster Connect, you can securely connect to Azure Arc-enabled Kubernetes clusters without requiring any inbound port to be enabled on the firewall. Access to the `apiserver` of the Azure Arc-enabled Kubernetes cluster enables the following scenarios:
* Enable interactive debugging and troubleshooting. * Provide cluster access to Azure services for [custom locations](custom-locations.md) and other resources created on top of it.
-A conceptual overview of this feature is available in [Cluster connect - Azure Arc enabled Kubernetes](conceptual-cluster-connect.md) article.
+A conceptual overview of this feature is available in [Cluster connect - Azure Arc-enabled Kubernetes](conceptual-cluster-connect.md) article.
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
A conceptual overview of this feature is available in [Cluster connect - Azure A
az extension update --name connectedk8s ``` -- An existing Azure Arc enabled Kubernetes connected cluster.
+- An existing Azure Arc-enabled Kubernetes connected cluster.
- If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md). - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version >= 1.1.0. -- Enable the Cluster Connect on any Azure Arc enabled Kubernetes cluster by running the following command on a machine where the `kubeconfig` file is pointed to the cluster of concern:
+- Enable the Cluster Connect on any Azure Arc-enabled Kubernetes cluster by running the following command on a machine where the `kubeconfig` file is pointed to the cluster of concern:
```azurecli az connectedk8s enable-features --features cluster-connect -n <clusterName> -g <resourceGroupName>
To get past this error:
## Next steps > [!div class="nextstepaction"]
-> Set up [Azure AD RBAC](azure-rbac.md) on your clusters
+> Set up [Azure AD RBAC](azure-rbac.md) on your clusters
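Review bot: the `-` and `+` lines of this hunk are identical as rendered, so the change is whitespace-only (most likely trailing whitespace on `> Set up [Azure AD RBAC](azure-rbac.md) on your clusters`); confirm this is intentional, since it adds a no-op revision to the file's history.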
azure-arc Conceptual Agent Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-agent-architecture.md
Title: "Azure Arc enabled Kubernetes Agent Architecture"
+ Title: "Azure Arc-enabled Kubernetes Agent Architecture"
Last updated 03/03/2021
-description: "This article provides an architectural overview of Azure Arc enabled Kubernetes agents"
+description: "This article provides an architectural overview of Azure Arc-enabled Kubernetes agents"
keywords: "Kubernetes, Arc, Azure, containers"
-# Azure Arc enabled Kubernetes Agent Architecture
+# Azure Arc-enabled Kubernetes Agent Architecture
-On its own, [Kubernetes](https://kubernetes.io/) can deploy containerized workloads consistently on hybrid and multi-cloud environments. Azure Arc enabled Kubernetes, however, works as a centralized, consistent control plane that manages policy, governance, and security across heterogenous environments. This article provides:
+On its own, [Kubernetes](https://kubernetes.io/) can deploy containerized workloads consistently on hybrid and multi-cloud environments. Azure Arc-enabled Kubernetes, however, works as a centralized, consistent control plane that manages policy, governance, and security across heterogenous environments. This article provides:
* An architectural overview of connecting a cluster to Azure Arc. * The connectivity pattern followed by agents.
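Review bot: the `+` line keeps the misspelling "heterogenous" from the `-` line; while this sentence is being touched, change it to "heterogeneous environments".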
On its own, [Kubernetes](https://kubernetes.io/) can deploy containerized worklo
## Deploy agents to your cluster
-Most on-prem datacenters enforce strict network rules that prevent inbound communication on the network boundary firewall. Azure Arc enabled Kubernetes works with these restrictions by not requiring inbound ports on the firewall and only enabling selective egress endpoints for outbound communication. Azure Arc enabled Kubernetes agents initiate this outbound communication.
+Most on-prem datacenters enforce strict network rules that prevent inbound communication on the network boundary firewall. Azure Arc-enabled Kubernetes works with these restrictions by not requiring inbound ports on the firewall and only enabling selective egress endpoints for outbound communication. Azure Arc-enabled Kubernetes agents initiate this outbound communication.
![Architectural overview](./media/architectural-overview.png)
Most on-prem datacenters enforce strict network rules that prevent inbound commu
1. Create a Kubernetes cluster on your choice of infrastructure (VMware vSphere, Amazon Web Services, Google Cloud Platform, etc.). > [!NOTE]
- > Since Azure Arc enabled Kubernetes currently only supports attaching existing Kubernetes clusters to Azure Arc, customers are required to create and manage the lifecycle of the Kubernetes cluster themselves.
+ > Since Azure Arc-enabled Kubernetes currently only supports attaching existing Kubernetes clusters to Azure Arc, customers are required to create and manage the lifecycle of the Kubernetes cluster themselves.
1. Start the Azure Arc registration for your cluster using Azure CLI. * Azure CLI uses Helm to deploy the agent Helm chart on the cluster.
| Agent | Description | | -- | -- |
- | `deployment.apps/clusteridentityoperator` | Azure Arc enabled Kubernetes currently supports only [system assigned identities](../../active-directory/managed-identities-azure-resources/overview.md). `clusteridentityoperator` initiates the first outbound communication. This first communication fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure. |
+ | `deployment.apps/clusteridentityoperator` | Azure Arc-enabled Kubernetes currently supports only [system assigned identities](../../active-directory/managed-identities-azure-resources/overview.md). `clusteridentityoperator` initiates the first outbound communication. This first communication fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure. |
| `deployment.apps/config-agent` | Watches the connected cluster for source control configuration resources applied on the cluster. Updates the compliance state. | | `deployment.apps/controller-manager` | An operator of operators that orchestrates interactions between Azure Arc components. | | `deployment.apps/metrics-agent` | Collects metrics of other Arc agents to verify optimal performance. |
| `deployment.apps/clusterconnect-agent` | Reverse proxy agent that enables cluster connect feature to provide access to `apiserver` of cluster. This is an optional component deployed only if `cluster-connect` feature is enabled on the cluster | | `deployment.apps/guard` | Authentication and authorization webhook server used for AAD RBAC feature. This is an optional component deployed only if `azure-rbac` feature is enabled on the cluster |
-1. Once all the Azure Arc enabled Kubernetes agent pods are in `Running` state, verify that your cluster connected to Azure Arc. You should see:
- * An Azure Arc enabled Kubernetes resource in [Azure Resource Manager](../../azure-resource-manager/management/overview.md). Azure tracks this resource as a projection of the customer-managed Kubernetes cluster, not the actual Kubernetes cluster itself.
- * Cluster metadata (like Kubernetes version, agent version, and number of nodes) appears on the Azure Arc enabled Kubernetes resource as metadata.
+1. Once all the Azure Arc-enabled Kubernetes agent pods are in `Running` state, verify that your cluster connected to Azure Arc. You should see:
+ * An Azure Arc-enabled Kubernetes resource in [Azure Resource Manager](../../azure-resource-manager/management/overview.md). Azure tracks this resource as a projection of the customer-managed Kubernetes cluster, not the actual Kubernetes cluster itself.
+ * Cluster metadata (like Kubernetes version, agent version, and number of nodes) appears on the Azure Arc-enabled Kubernetes resource as metadata.
## Data exchange between cluster environment and Azure
| Status | Description | | | -- |
-| Connecting | Azure Arc enabled Kubernetes resource is created in Azure Resource Manager, but service hasn't received the agent heartbeat yet. |
-| Connected | Azure Arc enabled Kubernetes service received an agent heartbeat sometime within the previous 15 minutes. |
-| Offline | Azure Arc enabled Kubernetes resource was previously connected, but the service hasn't received any agent heartbeat for 15 minutes. |
-| Expired | MSI certificate has an expiration window of 90 days after it is issued. Once this certificate expires, the resource is considered `Expired` and all features such as configuration, monitoring, and policy stop working on this cluster. More information on how to address expired Azure Arc enabled Kubernetes resources can be found [in the FAQ article](./faq.md#how-to-address-expired-azure-arc-enabled-kubernetes-resources). |
+| Connecting | Azure Arc-enabled Kubernetes resource is created in Azure Resource Manager, but service hasn't received the agent heartbeat yet. |
+| Connected | Azure Arc-enabled Kubernetes service received an agent heartbeat sometime within the previous 15 minutes. |
+| Offline | Azure Arc-enabled Kubernetes resource was previously connected, but the service hasn't received any agent heartbeat for 15 minutes. |
+| Expired | MSI certificate has an expiration window of 90 days after it is issued. Once this certificate expires, the resource is considered `Expired` and all features such as configuration, monitoring, and policy stop working on this cluster. More information on how to address expired Azure Arc-enabled Kubernetes resources can be found [in the FAQ article](./faq.md#how-to-address-expired-azure-arc-enabled-kubernetes-resources). |
## Understand connectivity modes | Connectivity mode | Description | | -- | -- | | Fully connected | Agents can consistently communicate with Azure with little delay in propagating GitOps configurations, enforcing Azure Policy and Gatekeeper policies, and collecting workload metrics and logs in Azure Monitor. |
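Review bot: the `+` Connecting row is missing an article ("but service hasn't received the agent heartbeat yet"); suggest "but the service hasn't received the agent heartbeat yet", matching the wording of the Offline row in the same table.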
-| Semi-connected | The MSI certificate pulled down by the `clusteridentityoperator` is valid for up to 90 days before the certificate expires. Upon expiration, the Azure Arc enabled Kubernetes resource stops working. To reactivate all Azure Arc features on the cluster, delete and recreate the Azure Arc enabled Kubernetes resource and agents. During the 90 days, connect the cluster at least once every 30 days. |
-| Disconnected | Kubernetes clusters in disconnected environments unable to access Azure are currently unsupported by Azure Arc enabled Kubernetes. If this capability is of interest to you, submit or up-vote an idea on [Azure Arc's UserVoice forum](https://feedback.azure.com/forums/925690-azure-arc).
+| Semi-connected | The MSI certificate pulled down by the `clusteridentityoperator` is valid for up to 90 days before the certificate expires. Upon expiration, the Azure Arc-enabled Kubernetes resource stops working. To reactivate all Azure Arc features on the cluster, delete and recreate the Azure Arc-enabled Kubernetes resource and agents. During the 90 days, connect the cluster at least once every 30 days. |
+| Disconnected | Kubernetes clusters in disconnected environments unable to access Azure are currently unsupported by Azure Arc-enabled Kubernetes. If this capability is of interest to you, submit or up-vote an idea on [Azure Arc's UserVoice forum](https://feedback.azure.com/forums/925690-azure-arc).
## Next steps * Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
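Review bot: the `+` Disconnected row lacks the closing `|` that every other row in the connectivity-mode table ends with (the line stops at `...925690-azure-arc).`); add the trailing pipe so the table renders consistently.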
-* Learn more about the creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc enabled Kubernetes](./conceptual-configurations.md).
+* Learn more about the creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-configurations.md).
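Review bot: the `+` line carries over the grammatical slip "Learn more about the creating connections"; since the line is being edited anyway, make it "Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-configurations.md)."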
azure-arc Conceptual Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-azure-rbac.md
Title: "Azure RBAC - Azure Arc enabled Kubernetes"
+ Title: "Azure RBAC - Azure Arc-enabled Kubernetes"
Last updated 04/05/2021
-description: "This article provides a conceptual overview of Azure RBAC capability on Azure Arc enabled Kubernetes"
+description: "This article provides a conceptual overview of Azure RBAC capability on Azure Arc-enabled Kubernetes"
-# Azure RBAC on Azure Arc enabled Kubernetes
+# Azure RBAC on Azure Arc-enabled Kubernetes
Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. With Azure RBAC, you can use Azure Active Directory (Azure AD) and role assignments in Azure to control authorization checks on the cluster.
-With this feature, all the benefits of Azure role assignments, such as activity logs showing all Azure RBAC changes to an Azure resource, now become applicable for your Azure Arc enabled Kubernetes cluster.
+With this feature, all the benefits of Azure role assignments, such as activity logs showing all Azure RBAC changes to an Azure resource, now become applicable for your Azure Arc-enabled Kubernetes cluster.
-## Architecture - Azure RBAC on Azure Arc enabled Kubernetes
+## Architecture - Azure RBAC on Azure Arc-enabled Kubernetes
[ ![Azure RBAC architecture](./media/conceptual-azure-rbac.png) ](./media/conceptual-azure-rbac.png#lightbox)
If a role in assignment permitting this access doesn't exist, then a `denied` re
## Next steps * Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Set up Azure RBAC](./azure-rbac.md) on your Azure Arc enabled Kubernetes cluster cluster.
+* [Set up Azure RBAC](./azure-rbac.md) on your Azure Arc-enabled Kubernetes cluster cluster.
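Review bot: the duplicated word "cluster cluster" survives in the `+` line; change it to "on your Azure Arc-enabled Kubernetes cluster."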
azure-arc Conceptual Cluster Connect https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-cluster-connect.md
Title: "Cluster Connect - Azure Arc enabled Kubernetes"
+ Title: "Cluster Connect - Azure Arc-enabled Kubernetes"
Last updated 04/05/2021
-description: "This article provides a conceptual overview of Cluster Connect capability of Azure Arc enabled Kubernetes"
+description: "This article provides a conceptual overview of Cluster Connect capability of Azure Arc-enabled Kubernetes"
-# Cluster connect on Azure Arc enabled Kubernetes
+# Cluster connect on Azure Arc-enabled Kubernetes
-The Azure Arc enabled Kubernetes *cluster connect* feature provides connectivity to the `apiserver` of the cluster without requiring any inbound port to be enabled on the firewall. A reverse proxy agent running on the cluster can securely start a session with the Azure Arc service in an outbound manner.
+The Azure Arc-enabled Kubernetes *cluster connect* feature provides connectivity to the `apiserver` of the cluster without requiring any inbound port to be enabled on the firewall. A reverse proxy agent running on the cluster can securely start a session with the Azure Arc service in an outbound manner.
Cluster connect allows developers to access their clusters from anywhere for interactive development and debugging. It also lets cluster users and administrators access or manage their clusters from anywhere. You can even use hosted agents/runners of Azure Pipelines, GitHub Actions, or any other hosted CI/CD service to deploy applications to on-prem clusters, without requiring self-hosted agents.
On the cluster side, a reverse proxy agent called `clusterconnect-agent` deploye
When the user calls `az connectedk8s proxy`: 1. Azure Arc proxy binary is downloaded and spun up as a process on the client machine.
-1. Azure Arc proxy fetches a `kubeconfig` file associated with the Azure Arc enabled Kubernetes cluster on which the `az connectedk8s proxy` is invoked.
+1. Azure Arc proxy fetches a `kubeconfig` file associated with the Azure Arc-enabled Kubernetes cluster on which the `az connectedk8s proxy` is invoked.
* Azure Arc proxy uses the caller's Azure access token and the Azure Resource Manager ID name. 1. The `kubeconfig` file, saved on the machine by Azure Arc proxy, points the server URL to an endpoint on the Azure Arc proxy process.
When a user sends a request using this `kubeconfig` file:
## Next steps * Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Access your cluster](./cluster-connect.md) securely from anywhere using Cluster connect.
+* [Access your cluster](./cluster-connect.md) securely from anywhere using Cluster connect.
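Review bot: this hunk's `-` and `+` lines are identical as shown, so only whitespace changed on `* [Access your cluster](./cluster-connect.md) securely from anywhere using Cluster connect.`; confirm the whitespace change is deliberate.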
azure-arc Conceptual Configurations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-configurations.md
Title: "Configurations and GitOps - Azure Arc enabled Kubernetes"
+ Title: "Configurations and GitOps - Azure Arc-enabled Kubernetes"
Last updated 03/02/2021
-description: "This article provides a conceptual overview of GitOps and configurations capability of Azure Arc enabled Kubernetes."
+description: "This article provides a conceptual overview of GitOps and configurations capability of Azure Arc-enabled Kubernetes."
keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps"
-# Configurations and GitOps with Azure Arc enabled Kubernetes
+# Configurations and GitOps with Azure Arc-enabled Kubernetes
In relation to Kubernetes, GitOps is the practice of declaring the desired state of Kubernetes cluster configurations (deployments, namespaces, etc.) in a Git repository. This declaration is followed by a polling and pull-based deployment of these cluster configurations using an operator. The Git repository can contain: * YAML-format manifests describing any valid Kubernetes resources, including Namespaces, ConfigMaps, Deployments, DaemonSets, etc.
In relation to Kubernetes, GitOps is the practice of declaring the desired state
[ ![Configurations architecture](./media/conceptual-configurations.png) ](./media/conceptual-configurations.png#lightbox)
-The connection between your cluster and a Git repository is created as a configuration resource (`Microsoft.KubernetesConfiguration/sourceControlConfigurations`) on top of the Azure Arc enabled Kubernetes resource (represented by `Microsoft.Kubernetes/connectedClusters`) in Azure Resource Manager.
+The connection between your cluster and a Git repository is created as a configuration resource (`Microsoft.KubernetesConfiguration/sourceControlConfigurations`) on top of the Azure Arc-enabled Kubernetes resource (represented by `Microsoft.Kubernetes/connectedClusters`) in Azure Resource Manager.
The configuration resource properties are used to deploy Flux operator on the cluster with the appropriate parameters, such as the Git repo from which to pull manifests and the polling interval at which to pull them. The configuration resource data is stored encrypted at rest in an Azure Cosmos DB database to ensure data confidentiality. The `config-agent` running in your cluster is responsible for:
-* Tracking new or updated configuration resources on the Azure Arc enabled Kubernetes resource.
+* Tracking new or updated configuration resources on the Azure Arc-enabled Kubernetes resource.
* Deploying a Flux operator to watch the Git repository for each configuration resource. * Applying any updates made to any configuration resource.
-You can create multiple namespace-scoped configuration resources on the same Azure Arc enabled Kubernetes cluster to achieve multi-tenancy.
+You can create multiple namespace-scoped configuration resources on the same Azure Arc-enabled Kubernetes cluster to achieve multi-tenancy.
> [!NOTE]
-> * `config-agent` monitors for new or updated configuration resources to be available on the Arc enabled Kubernetes resource. Thus agents require connectivity for the desired state to be pulled down to the cluster. If agents are unable to connect to Azure, there is a delay in propagating the desired state to the cluster.
-> * Sensitive customer inputs like private key, known hosts content, HTTPS username, and token/password are not stored for more than 48 hours in the Azure Arc enabled Kubernetes services. If you are using sensitive inputs for configurations, bring the clusters online as regularly as possible.
+> * `config-agent` monitors for new or updated configuration resources to be available on the Azure Arc-enabled Kubernetes resource. Thus agents require connectivity for the desired state to be pulled down to the cluster. If agents are unable to connect to Azure, there is a delay in propagating the desired state to the cluster.
+> * Sensitive customer inputs like private key, known hosts content, HTTPS username, and token/password are not stored for more than 48 hours in the Azure Arc-enabled Kubernetes services. If you are using sensitive inputs for configurations, bring the clusters online as regularly as possible.
## Apply configurations at scale
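Review bot: the second `+` bullet states that private keys, known-hosts content, HTTPS usernames and tokens/passwords are kept for at most 48 hours and advises bringing clusters online regularly, but it does not say what happens to a configuration whose cluster stays disconnected past that window. The equivalent note in the cluster-extensions article states the consequence explicitly (the extension moves from `Pending` to `Failed`); suggest stating the outcome for configurations here as well so the reader understands why the 48-hour window matters.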
-Since Azure Resource Manager manages your configurations, you can automate creating the same configuration across all Azure Arc enabled Kubernetes resources using Azure Policy, within scope of a subscription or a resource group.
+Since Azure Resource Manager manages your configurations, you can automate creating the same configuration across all Azure Arc-enabled Kubernetes resources using Azure Policy, within scope of a subscription or a resource group.
-This at-scale enforcement ensures a common baseline configuration (containing configurations like ClusterRoleBindings, RoleBindings, and NetworkPolicy) can be applied across an entire fleet or inventory of Azure Arc enabled Kubernetes clusters.
+This at-scale enforcement ensures a common baseline configuration (containing configurations like ClusterRoleBindings, RoleBindings, and NetworkPolicy) can be applied across an entire fleet or inventory of Azure Arc-enabled Kubernetes clusters.
## Next steps * Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Create configurations](./tutorial-use-gitops-connected-cluster.md) on your Azure Arc enabled Kubernetes cluster.
-* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md).
+* [Create configurations](./tutorial-use-gitops-connected-cluster.md) on your Azure Arc-enabled Kubernetes cluster.
+* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md).
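Review bot: the second `-`/`+` pair in this hunk (`* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md).`) is unchanged apart from whitespace; confirm the whitespace-only edit is intended.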
azure-arc Conceptual Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-custom-locations.md
Title: "Custom Locations - Azure Arc enabled Kubernetes"
+ Title: "Custom Locations - Azure Arc-enabled Kubernetes"
Last updated 05/25/2021
-description: "This article provides a conceptual overview of Custom Locations capability of Azure Arc enabled Kubernetes"
+description: "This article provides a conceptual overview of Custom Locations capability of Azure Arc-enabled Kubernetes"
-# Custom locations on top of Azure Arc enabled Kubernetes
+# Custom locations on top of Azure Arc-enabled Kubernetes
-As an extension of the Azure location construct, *Custom Locations* provides a way for tenant administrators to use their Azure Arc enabled Kubernetes clusters as target locations for deploying Azure services instances. Azure resources examples include Azure Arc enabled SQL Managed Instance and Azure Arc enabled PostgreSQL Hyperscale.
+As an extension of the Azure location construct, *Custom Locations* provides a way for tenant administrators to use their Azure Arc-enabled Kubernetes clusters as target locations for deploying Azure services instances. Azure resources examples include Azure Arc-enabled SQL Managed Instance and Azure Arc-enabled PostgreSQL Hyperscale.
Similar to Azure locations, end users within the tenant with access to Custom Locations can deploy resources there using their company's private compute. [ ![Arc platform layers](./media/conceptual-arc-platform-layers.png) ](./media/conceptual-arc-platform-layers.png#lightbox)
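Review bot: two wording problems remain in the `+` line: "deploying Azure services instances" should read "deploying Azure service instances", and "Azure resources examples include" should read "Examples of Azure resources include". Suggest fixing both while the sentence is being edited for the "Azure Arc-enabled" rename.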
-You can visualize Custom Locations as an abstraction layer on top of Azure Arc enabled Kubernetes cluster, cluster connect, and cluster extensions. Custom Locations creates the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the cluster. These other Azure services require cluster access to manage resources the customer wants to deploy on their clusters.
+You can visualize Custom Locations as an abstraction layer on top of Azure Arc-enabled Kubernetes cluster, cluster connect, and cluster extensions. Custom Locations creates the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the cluster. These other Azure services require cluster access to manage resources the customer wants to deploy on their clusters.
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
When the admin enables the Custom Locations feature on the cluster, a ClusterRol
When the user creates a data service instance on the cluster: 1. The PUT request is sent to Azure Resource Manager.
-1. The PUT request is forwarded to the Azure Arc enabled Data Services RP.
-1. The RP fetches the `kubeconfig` file associated with the Azure Arc enabled Kubernetes cluster, on which the Custom Location exists.
+1. The PUT request is forwarded to the Azure Arc-enabled Data Services RP.
+1. The RP fetches the `kubeconfig` file associated with the Azure Arc-enabled Kubernetes cluster, on which the Custom Location exists.
* Custom Location is referenced as `extendedLocation` in the original PUT request.
-1. Azure Arc enabled Data Services RP uses the `kubeconfig` to communicate with the cluster to create a custom resource of the Azure Arc enabled Data Services type on the namespace mapped to the Custom Location.
- * The Azure Arc enabled Data Services operator was deployed via cluster extension creation before the Custom Location existed.
-1. The Azure Arc enabled Data Services operator reads the new custom resource created on the cluster and creates the data controller, translating into realization of the desired state on the cluster.
+1. Azure Arc-enabled Data Services RP uses the `kubeconfig` to communicate with the cluster to create a custom resource of the Azure Arc-enabled Data Services type on the namespace mapped to the Custom Location.
+ * The Azure Arc-enabled Data Services operator was deployed via cluster extension creation before the Custom Location existed.
+1. The Azure Arc-enabled Data Services operator reads the new custom resource created on the cluster and creates the data controller, translating into realization of the desired state on the cluster.
The sequence of steps to create the SQL managed instance and PostgreSQL instance are identical to the sequence of steps described above. ## Next steps * Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Create a custom location](./custom-locations.md) on your Azure Arc enabled Kubernetes cluster.
+* [Create a custom location](./custom-locations.md) on your Azure Arc-enabled Kubernetes cluster.
azure-arc Conceptual Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-extensions.md
Title: "Cluster extensions - Azure Arc enabled Kubernetes"
+ Title: "Cluster extensions - Azure Arc-enabled Kubernetes"
Last updated 04/05/2021
-description: "This article provides a conceptual overview of cluster extensions capability of Azure Arc enabled Kubernetes"
+description: "This article provides a conceptual overview of cluster extensions capability of Azure Arc-enabled Kubernetes"
-# Cluster extensions on Azure Arc enabled Kubernetes
+# Cluster extensions on Azure Arc-enabled Kubernetes
[Helm charts](https://helm.sh/) help you manage Kubernetes applications by providing the building blocks needed to define, install, and upgrade even the most complex Kubernetes applications. Cluster extension feature seeks to build on top of the packaging components of Helm. It does so by providing an Azure Resource Manager driven experience for installation and lifecycle management of cluster extensions such as Azure Monitor and Azure Defender for Kubernetes. The cluster extensions feature provide the following extra benefits over and above what is already available natively with Helm charts:
description: "This article provides a conceptual overview of cluster extensions
[ ![Cluster extensions architecture](./media/conceptual-extensions.png) ](./media/conceptual-extensions.png#lightbox)
-The cluster extension instance is created as an extension Azure Resource Manager resource (`Microsoft.KubernetesConfiguration/extensions`) on top of the Azure Arc enabled Kubernetes resource (represented by `Microsoft.Kubernetes/connectedClusters`) in Azure Resource Manager. Representation in Azure Resource Manager allows you to author a policy that checks for all the Azure Arc enabled Kubernetes resources with or without a specific cluster extension. Once you've determined which clusters lack cluster extensions with desired property values, you can remediate these non-compliant resources using Azure Policy.
+The cluster extension instance is created as an extension Azure Resource Manager resource (`Microsoft.KubernetesConfiguration/extensions`) on top of the Azure Arc-enabled Kubernetes resource (represented by `Microsoft.Kubernetes/connectedClusters`) in Azure Resource Manager. Representation in Azure Resource Manager allows you to author a policy that checks for all the Azure Arc-enabled Kubernetes resources with or without a specific cluster extension. Once you've determined which clusters lack cluster extensions with desired property values, you can remediate these non-compliant resources using Azure Policy.
-The `config-agent` running in your cluster tracks new or updated extension resources on the Azure Arc enabled Kubernetes resource. The `extensions-manager` running in your cluster pulls the Helm chart from Azure Container Registry or Microsoft Container Registry and installs it on the cluster.
+The `config-agent` running in your cluster tracks new or updated extension resources on the Azure Arc-enabled Kubernetes resource. The `extensions-manager` running in your cluster pulls the Helm chart from Azure Container Registry or Microsoft Container Registry and installs it on the cluster.
Both the `config-agent` and `extensions-manager` components running in the cluster handle version updates and extension instance deletion. > [!NOTE]
-> * `config-agent` monitors for new or updated extension resources to be available on the Arc enabled Kubernetes resource. Thus, agents require connectivity for the desired state to be pulled down to the cluster. If agents are unable to connect to Azure, propagation of the desired state to the cluster is delayed.
-> * Protected configuration settings for an extension are stored for up to 48 hours in the Azure Arc enabled Kubernetes services. As a result, if the cluster remains disconnected during the 48 hours after the extension resource was created on Azure, the extension transitions from a `Pending` state to `Failed` state. We advise bringing the clusters online as regularly as possible.
+> * `config-agent` monitors for new or updated extension resources to be available on the Azure Arc-enabled Kubernetes resource. Thus, agents require connectivity for the desired state to be pulled down to the cluster. If agents are unable to connect to Azure, propagation of the desired state to the cluster is delayed.
+> * Protected configuration settings for an extension are stored for up to 48 hours in the Azure Arc-enabled Kubernetes services. As a result, if the cluster remains disconnected during the 48 hours after the extension resource was created on Azure, the extension transitions from a `Pending` state to `Failed` state. We advise bringing the clusters online as regularly as possible.
## Next steps * Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Deploy cluster extensions](./extensions.md) on your Azure Arc enabled Kubernetes cluster.
+* [Deploy cluster extensions](./extensions.md) on your Azure Arc-enabled Kubernetes cluster.
azure-arc Conceptual Gitops Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-gitops-ci-cd.md
Title: "CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes"
+ Title: "CI/CD Workflow using GitOps - Azure Arc-enabled Kubernetes"
Last updated 03/03/2021
description: "This article provides a conceptual overview of a CI/CD workflow using GitOps" keywords: "GitOps, Kubernetes, K8s, Azure, Helm, Arc, AKS, Azure Kubernetes Service, containers, CI, CD, Azure DevOps"
-# CI/CD workflow using GitOps - Azure Arc enabled Kubernetes
+# CI/CD workflow using GitOps - Azure Arc-enabled Kubernetes
Modern Kubernetes deployments house multiple applications, clusters, and environments. With GitOps, you can manage these complex setups more easily, tracking the desired state of the Kubernetes environments declaratively with Git. Using common Git tooling to track cluster state, you can increase accountability, facilitate fault investigation, and enable automation to manage environments.
The CD pipeline is automatically triggered by successful CI builds. It uses the
### GitOps repo The GitOps repo represents the current desired state of all environments across clusters. Any change to this repo is picked up by the Flux service in each cluster and deployed. PRs are created with changes to the desired state, reviewed, and merged. These PRs contain changes to both deployment templates and the resulting rendered Kubernetes manifests. Low-level rendered manifests allow more careful inspection of changes typically unseen at the template-level. ### Kubernetes clusters
-At least one Azure Arc enabled Kubernetes clusters serves the different environments needed by the application. For example, a single cluster can serve both a dev and QA environment through different namespaces. A second cluster can provide easier separation of environments and more fine-grained control.
+At least one Azure Arc-enabled Kubernetes clusters serves the different environments needed by the application. For example, a single cluster can serve both a dev and QA environment through different namespaces. A second cluster can provide easier separation of environments and more fine-grained control.
## Example workflow As an application developer, Alice: * Writes application code.
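Review bot: the number agreement in the `+` line "At least one Azure Arc-enabled Kubernetes clusters serves" is still off after the rename; since the line is being touched anyway, make it "At least one Azure Arc-enabled Kubernetes cluster serves the different environments needed by the application."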
Suppose Alice wants to make an application change that alters the Docker image u
8. Once all the environments have received successful deployments, the pipeline completes. ## Next steps
-Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc enabled Kubernetes](./conceptual-configurations.md)
+Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-configurations.md)
azure-arc Conceptual Inner Loop Gitops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-inner-loop-gitops.md
Suppose Alice wants to update, run, and debug the application either in local or
> [!NOTE] > Find the sample code for above workflow at this [GitHub repo](https://github.com/Azure/arc-cicd-demo-src) - ## Next steps
-Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc enabled Kubernetes](./conceptual-configurations.md)
+
+Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure ArcΓÇôenabled Kubernetes](./conceptual-configurations.md)
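Review bot: the `+` line writes "Azure ArcΓÇôenabled" with an en dash (shown as mojibake here) while every other replacement in this change set uses a plain hyphen, "Azure Arc-enabled"; use the hyphen so the product name and the link text stay consistent with the rest of the docs.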
azure-arc Create Onboarding Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/create-onboarding-service-principal.md
Title: "Create an onboarding service principal for Azure Arc enabled Kubernetes"
+ Title: "Create an onboarding service principal for Azure Arc-enabled Kubernetes"
#
Last updated 03/03/2021
-description: "Create an Azure Arc enabled onboarding service principal "
+description: "Create an Azure Arc-enabled onboarding service principal "
keywords: "Kubernetes, Arc, Azure, containers"
-# Create an onboarding service principal for Azure Arc enabled Kubernetes
+# Create an onboarding service principal for Azure Arc-enabled Kubernetes
## Overview
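Review bot: the `+` description line keeps a trailing space inside the quotes ("...service principal ") and the phrase "Azure Arc-enabled onboarding service principal" misplaces the qualifier, since it is the service principal that is for Azure Arc-enabled Kubernetes; suggest `description: "Create an onboarding service principal for Azure Arc-enabled Kubernetes"`, matching the new title.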
azure-arc Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/custom-locations.md
Title: "Create and manage custom locations on Azure Arc enabled Kubernetes"
+ Title: "Create and manage custom locations on Azure Arc-enabled Kubernetes"
Last updated 05/25/2021
-description: "Use custom locations to deploy Azure PaaS services on Azure Arc enabled Kubernetes clusters"
+description: "Use custom locations to deploy Azure PaaS services on Azure Arc-enabled Kubernetes clusters"
-# Create and manage custom locations on Azure Arc enabled Kubernetes
+# Create and manage custom locations on Azure Arc-enabled Kubernetes
-As an Azure location extension, *Custom Locations* provides a way for tenant administrators to use their Azure Arc enabled Kubernetes clusters as target locations for deploying Azure services instances. Azure resources examples include Azure Arc enabled SQL Managed Instance and Azure Arc enabled PostgreSQL Hyperscale.
+As an Azure location extension, *Custom Locations* provides a way for tenant administrators to use their Azure Arc-enabled Kubernetes clusters as target locations for deploying Azure services instances. Azure resources examples include Azure Arc-enabled SQL Managed Instance and Azure Arc-enabled PostgreSQL Hyperscale.
Similar to Azure locations, end users within the tenant with access to Custom Locations can deploy resources there using their company's private compute. In this article, you learn how to: > [!div class="checklist"]
-> * Enable custom locations on your Azure Arc enabled Kubernetes cluster.
+> * Enable custom locations on your Azure Arc-enabled Kubernetes cluster.
> * Deploy the Azure service cluster extension of the Azure service instance on your cluster.
-> * Create a custom location on your Azure Arc enabled Kubernetes cluster.
+> * Create a custom location on your Azure Arc-enabled Kubernetes cluster.
-A conceptual overview of this feature is available in [Custom locations - Azure Arc enabled Kubernetes](conceptual-custom-locations.md) article.
+A conceptual overview of this feature is available in [Custom locations - Azure Arc-enabled Kubernetes](conceptual-custom-locations.md) article.
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
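Review bot: two wording issues survive in the rewritten intro paragraph: "deploying Azure services instances" should be "deploying Azure service instances", and "Azure resources examples include" reads better as "Examples of such resources include Azure Arc-enabled SQL Managed Instance and Azure Arc-enabled PostgreSQL Hyperscale." The following `+` line also wants "available in the [Custom locations ...] article".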
A conceptual overview of this feature is available in [Custom locations - Azure
Once registered, the `RegistrationState` state will have the `Registered` value. -- Verify you have an existing [Azure Arc enabled Kubernetes connected cluster](quickstart-connect-cluster.md).
+- Verify you have an existing [Azure Arc-enabled Kubernetes connected cluster](quickstart-connect-cluster.md).
- [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version 1.1.0 or later. ## Enable custom locations on cluster
If you are logged into Azure CLI using a service principal, to enable this featu
1. Deploy the Azure service cluster extension of the Azure service instance you eventually want on your cluster:
- * [Azure Arc enabled Data Services](../dat#create-the-arc-data-services-extension)
+ * [Azure Arc-enabled Data Services](../dat#create-the-arc-data-services-extension)
> [!NOTE]
- > Outbound proxy without authentication and outbound proxy with basic authentication are supported by the Arc enabled Data Services cluster extension. Outbound proxy that expects trusted certificates is currently not supported.
+ > Outbound proxy without authentication and outbound proxy with basic authentication are supported by the Azure Arc-enabled Data Services cluster extension. Outbound proxy that expects trusted certificates is currently not supported.
* [Azure App Service on Azure Arc](../../app-service/manage-create-arc-environment.md#install-the-app-service-extension) * [Event Grid on Kubernetes](../../event-grid/kubernetes/install-k8s-extension.md)
-1. Get the Azure Resource Manager identifier of the Azure Arc enabled Kubernetes cluster, referenced in later steps as `connectedClusterId`:
+1. Get the Azure Resource Manager identifier of the Azure Arc-enabled Kubernetes cluster, referenced in later steps as `connectedClusterId`:
```azurecli az connectedk8s show -n <clusterName> -g <resourceGroupName> --query id -o tsv ```
-1. Get the Azure Resource Manager identifier of the cluster extension deployed on top of Azure Arc enabled Kubernetes cluster, referenced in later steps as `extensionId`:
+1. Get the Azure Resource Manager identifier of the cluster extension deployed on top of Azure Arc-enabled Kubernetes cluster, referenced in later steps as `extensionId`:
```azurecli az k8s-extension show --name <extensionInstanceName> --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --query id -o tsv ```
-1. Create custom location by referencing the Azure Arc enabled Kubernetes cluster and the extension:
+1. Create custom location by referencing the Azure Arc-enabled Kubernetes cluster and the extension:
```azurecli az customlocation create -n <customLocationName> -g <resourceGroupName> --namespace arc --host-resource-id <connectedClusterId> --cluster-extension-ids <extensionId>
If you are logged into Azure CLI using a service principal, to enable this featu
- Securely connect to the cluster using [Cluster Connect](cluster-connect.md). - Continue with [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) for end-to-end instructions on installing extensions, creating custom locations, and creating the App Service Kubernetes environment. - Create an Event Grid topic and an event subscription for [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md).-- Learn more about currently available [Azure Arc enabled Kubernetes extensions](extensions.md#currently-available-extensions).
+- Learn more about currently available [Azure Arc-enabled Kubernetes extensions](extensions.md#currently-available-extensions).
azure-arc Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/extensions.md
Title: "Azure Arc enabled Kubernetes cluster extensions"
+ Title: "Azure Arc-enabled Kubernetes cluster extensions"
Last updated 06/18/2021
-description: "Deploy and manage lifecycle of extensions on Azure Arc enabled Kubernetes"
+description: "Deploy and manage lifecycle of extensions on Azure Arc-enabled Kubernetes"
-# Deploy and manage Azure Arc enabled Kubernetes cluster extensions
+# Deploy and manage Azure Arc-enabled Kubernetes cluster extensions
-The Kubernetes extensions feature enables the following on Azure Arc enabled Kubernetes clusters:
+The Kubernetes extensions feature enables the following on Azure Arc-enabled Kubernetes clusters:
* Azure Resource Manager-based deployment of cluster extension. * Lifecycle management of extension Helm charts. In this article, you learn: > [!div class="checklist"]
-> * Current available Azure Arc enabled Kubernetes cluster extensions.
+> * Current available Azure Arc-enabled Kubernetes cluster extensions.
> * How to create extension instances. > * Required and optional parameters. > * How to view, list, update, and delete extension instances.
-A conceptual overview of this feature is available in [Cluster extensions - Azure Arc enabled Kubernetes](conceptual-extensions.md) article.
+A conceptual overview of this feature is available in [Cluster extensions - Azure Arc-enabled Kubernetes](conceptual-extensions.md) article.
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
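Review bot: the `+` checklist item "Current available Azure Arc-enabled Kubernetes cluster extensions." should read "Currently available ...", and the `+` line after it should say "available in the [Cluster extensions ...] article".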
A conceptual overview of this feature is available in [Cluster extensions - Azur
az extension update --name k8s-extension ``` -- An existing Azure Arc enabled Kubernetes connected cluster.
+- An existing Azure Arc-enabled Kubernetes connected cluster.
- If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md). - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version >= 1.1.0.
A conceptual overview of this feature is available in [Cluster extensions - Azur
| | -- | | [Azure Monitor](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json) | Provides visibility into the performance of workloads deployed on the Kubernetes cluster. Collects memory and CPU utilization metrics from controllers, nodes, and containers. | | [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json) | Gathers information related to security like audit log data from the Kubernetes cluster. Provides recommendations and threat alerts based on gathered data. |
-| [Azure Arc enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md) | Deploys Open Service Mesh on the cluster and enables capabilities like mTLS security, fine grained access control, traffic shifting, monitoring with Azure Monitor or with open source add-ons of Prometheus and Grafana, tracing with Jaeger, integration with external certification management solution. |
-| [Azure Arc enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-prem, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. |
-| [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) | Allows you to provision an App Service Kubernetes environment on top of Azure Arc enabled Kubernetes clusters. |
-| [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc enabled Kubernetes clusters. |
-| [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md) | Deploy and manage API Management gateway on Azure Arc enabled Kubernetes clusters. |
-| [Azure Arc enabled Machine Learning](../../machine-learning/how-to-attach-arc-kubernetes.md) | Deploy and run Azure Machine Learning on Azure Arc-enabled Kubernetes clusters. |
+| [Azure Arc-enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md) | Deploys Open Service Mesh on the cluster and enables capabilities like mTLS security, fine grained access control, traffic shifting, monitoring with Azure Monitor or with open source add-ons of Prometheus and Grafana, tracing with Jaeger, integration with external certification management solution. |
+| [Azure Arc-enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-prem, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. |
+| [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) | Allows you to provision an App Service Kubernetes environment on top of Azure Arc-enabled Kubernetes clusters. |
+| [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc-enabled Kubernetes clusters. |
+| [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md) | Deploy and manage API Management gateway on Azure Arc-enabled Kubernetes clusters. |
+| [Azure Arc-enabled Machine Learning](../../machine-learning/how-to-attach-arc-kubernetes.md) | Deploy and run Azure Machine Learning on Azure Arc-enabled Kubernetes clusters. |
## Usage of cluster extensions ### Create extensions instance
-Create a new extension instance with `k8s-extension create`, passing in values for the mandatory parameters. The below command creates an Azure Monitor for containers extension instance on your Azure Arc enabled Kubernetes cluster:
+Create a new extension instance with `k8s-extension create`, passing in values for the mandatory parameters. The below command creates an Azure Monitor for containers extension instance on your Azure Arc-enabled Kubernetes cluster:
```azurecli az k8s-extension create --name azuremonitor-containers --extension-type Microsoft.AzureMonitor.Containers --scope cluster --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type connectedClusters
az k8s-extension create --name azuremonitor-containers --extension-type Microso
``` > [!NOTE]
-> * The service is unable to retain sensitive information for more than 48 hours. If Azure Arc enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.
+> * The service is unable to retain sensitive information for more than 48 hours. If Azure Arc-enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.
> * Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md). **Required parameters**
az k8s-extension create --name azuremonitor-containers --extension-type Microso
| `--name` | Name of the extension instance | | `--extension-type` | The type of extension you want to install on the cluster. For example: Microsoft.AzureMonitor.Containers, microsoft.azuredefender.kubernetes | | `--scope` | Scope of installation for the extension - `cluster` or `namespace` |
-| `--cluster-name` | Name of the Azure Arc enabled Kubernetes resource on which the extension instance has to be created |
-| `--resource-group` | The resource group containing the Azure Arc enabled Kubernetes resource |
-| `--cluster-type` | The cluster type on which the extension instance has to be created. Current only `connectedClusters`, which corresponds to Azure Arc enabled Kubernetes, is an accepted value |
+| `--cluster-name` | Name of the Azure Arc-enabled Kubernetes resource on which the extension instance has to be created |
+| `--resource-group` | The resource group containing the Azure Arc-enabled Kubernetes resource |
+| `--cluster-type` | The cluster type on which the extension instance has to be created. Current only `connectedClusters`, which corresponds to Azure Arc-enabled Kubernetes, is an accepted value |
**Optional parameters**
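Review bot: the `--cluster-type` row's `+` line still says "Current only `connectedClusters` ... is an accepted value"; change it to "Currently only `connectedClusters`, which corresponds to Azure Arc-enabled Kubernetes, is accepted."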
az k8s-extension delete --name azuremonitor-containers --cluster-name <clusterNa
## Next steps
-Learn more about the cluster extensions currently available for Azure Arc enabled Kubernetes:
+Learn more about the cluster extensions currently available for Azure Arc-enabled Kubernetes:
> [!div class="nextstepaction"] > [Azure Monitor](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json) > [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json)
-> [Azure Arc enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md)
+> [Azure Arc-enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md)
> > [!div class="nextstepaction"] > [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json)
Learn more about the cluster extensions currently available for Azure Arc enable
> [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) > > [!div class="nextstepaction"]
-> [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md)
+> [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md)
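Review bot: the final `-`/`+` pair for the Azure API Management link is textually identical, so this is a whitespace-only change (most likely a trailing newline at end of file); fine to keep, but confirm it is intentional rather than an editor line-ending change slipping into a rename commit.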
azure-arc Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/faq.md
Title: "Azure Arc enabled Kubernetes frequently asked questions"
+ Title: "Azure Arc-enabled Kubernetes frequently asked questions"
Last updated 02/19/2021
-description: "This article contains a list of frequently asked questions related to Azure Arc enabled Kubernetes"
+description: "This article contains a list of frequently asked questions related to Azure Arc-enabled Kubernetes"
keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps, faq"
-# Frequently Asked Questions - Azure Arc enabled Kubernetes
+# Frequently Asked Questions - Azure Arc-enabled Kubernetes
-This article addresses frequently asked questions about Azure Arc enabled Kubernetes.
+This article addresses frequently asked questions about Azure Arc-enabled Kubernetes.
-## What is the difference between Azure Arc enabled Kubernetes and Azure Kubernetes Service (AKS)?
+## What is the difference between Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS)?
AKS is the managed Kubernetes offering by Azure. AKS simplifies deploying a managed Kubernetes cluster in Azure by offloading much of the complexity and operational overhead to Azure. Since the Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes.
-Azure Arc enabled Kubernetes allows you to extend AzureΓÇÖs management capabilities (like Azure Monitor and Azure Policy) by connecting Kubernetes clusters to Azure. You maintain the underlying Kubernetes cluster itself.
+Azure Arc-enabled Kubernetes allows you to extend AzureΓÇÖs management capabilities (like Azure Monitor and Azure Policy) by connecting Kubernetes clusters to Azure. You maintain the underlying Kubernetes cluster itself.
## Do I need to connect my AKS clusters running on Azure to Azure Arc?
-Connecting an Azure Kubernetes Service (AKS) cluster to Azure Arc is only required for running Arc enabled services like App Services and Data Services on top of the cluster. This can be done using the [custom locations](custom-locations.md) feature of Arc enabled Kubernetes. This is a point in time limitation for now till cluster extensions and custom locations are introduced natively on top of AKS clusters.
+Connecting an Azure Kubernetes Service (AKS) cluster to Azure Arc is only required for running Azure Arc-enabled services like App Services and Data Services on top of the cluster. This can be done using the [custom locations](custom-locations.md) feature of Azure Arc-enabled Kubernetes. This is a point in time limitation for now till cluster extensions and custom locations are introduced natively on top of AKS clusters.
If you don't want to use custom locations and just want to use management features like Azure Monitor and Azure Policy (Gatekeeper), they are available natively on AKS and connection to Azure Arc is not required in such cases.
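Review bot: "This is a point in time limitation for now till cluster extensions and custom locations are introduced natively on top of AKS clusters." in the `+` line is awkward; suggest "This is a temporary limitation until cluster extensions and custom locations are available natively on AKS clusters."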
If you don't want to use custom locations and just want to use management featur
Yes, connecting your AKS-HCI cluster or Kubernetes clusters on Azure Stack Edge or Azure Stack Hub to Azure Arc provides clusters with resource representation in Azure Resource Manager. This resource representation extends capabilities like Cluster Configuration, Azure Monitor, and Azure Policy (Gatekeeper) to connected Kubernetes clusters.
-If the Azure Arc enabled Kubernetes cluster is on Azure Stack Edge, AKS on Azure Stack HCI (>= April 2021 update), or AKS on Windows Server 2019 Datacenter (>= April 2021 update), then the Kubernetes configuration is included at no charge.
+If the Azure Arc-enabled Kubernetes cluster is on Azure Stack Edge, AKS on Azure Stack HCI (>= April 2021 update), or AKS on Windows Server 2019 Datacenter (>= April 2021 update), then the Kubernetes configuration is included at no charge.
-## How to address expired Azure Arc enabled Kubernetes resources?
+## How to address expired Azure Arc-enabled Kubernetes resources?
-The system assigned managed identity associated with your Azure Arc enabled Kubernetes cluster is only used by the Arc agents to communicate with the Azure Arc services. The certificate associated with this system assigned managed identity has an expiration window of 90 days and the agents keep attempting to renew this certificate between Day 46 to Day 90. Once this certificate expires, the resource is considered `Expired` and all features (such as configuration, monitoring, and policy) stop working on this cluster and you'll then need to delete and connect the cluster to Azure Arc once again. It is thus advisable to have the cluster come online at least once between Day 46 to Day 90 time window to ensure renewal of the managed identity certificate.
+The system assigned managed identity associated with your Azure Arc-enabled Kubernetes cluster is only used by the Azure Arc agents to communicate with the Azure Arc services. The certificate associated with this system assigned managed identity has an expiration window of 90 days and the agents keep attempting to renew this certificate between Day 46 to Day 90. Once this certificate expires, the resource is considered `Expired` and all features (such as configuration, monitoring, and policy) stop working on this cluster and you'll then need to delete and connect the cluster to Azure Arc once again. It is thus advisable to have the cluster come online at least once between Day 46 to Day 90 time window to ensure renewal of the managed identity certificate.
To check when the certificate is about to expire for any given cluster, run the following command:
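Review bot: in the `+` paragraph on managed identity certificate expiry, "between Day 46 to Day 90" (twice) should be "between Day 46 and Day 90", and "system assigned managed identity" should be hyphenated as "system-assigned managed identity"; the substance, that a cluster offline through day 90 ends up `Expired` and must be deleted and reconnected, deserves to stay prominent, since the NOTE later in this file points out that `az connectedk8s delete` also removes configurations and cluster extensions.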
In the output, the value of the `managedIdentityCertificateExpirationTime` indic
If the value of `managedIdentityCertificateExpirationTime` indicates a timestamp from the past, then the `connectivityStatus` field in the above output will be set to `Expired`. In such cases, to get your Kubernetes cluster working with Azure Arc again:
-1. Delete Azure Arc enabled Kubernetes resource and agents on the cluster.
+1. Delete Azure Arc-enabled Kubernetes resource and agents on the cluster.
```console az connectedk8s delete -n <name> -g <resource-group> ```
-1. Recreate the Azure Arc enabled Kubernetes resource by deploying agents on the cluster.
+1. Recreate the Azure Arc-enabled Kubernetes resource by deploying agents on the cluster.
```console az connectedk8s connect -n <name> -g <resource-group>
If the value of `managedIdentityCertificateExpirationTime` indicates a timestamp
> [!NOTE] > `az connectedk8s delete` will also delete configurations and cluster extensions on top of the cluster. After running `az connectedk8s connect`, recreate the configurations and cluster extensions on the cluster, either manually or using Azure Policy.
-## If I am already using CI/CD pipelines, can I still use Azure Arc enabled Kubernetes and configurations?
+## If I am already using CI/CD pipelines, can I still use Azure Arc-enabled Kubernetes and configurations?
Yes, you can still use configurations on a cluster receiving deployments via a CI/CD pipeline. Compared to traditional CI/CD pipelines, configurations feature two extra benefits:
The CI/CD pipeline applies changes only once during pipeline run. However, the G
CI/CD pipelines are useful for event-driven deployments to your Kubernetes cluster (for example, a push to a Git repository). However, if you want to deploy the same configuration to all of your Kubernetes clusters, you would need to manually configure each Kubernetes cluster's credentials to the CI/CD pipeline.
-For Azure Arc enabled Kubernetes, since Azure Resource Manager manages your configurations, you can automate creating the same configuration across all Azure Arc enabled Kubernetes resources using Azure Policy, within scope of a subscription or a resource group. This capability is even applicable to Azure Arc enabled Kubernetes resources created after the policy assignment.
+For Azure Arc-enabled Kubernetes, since Azure Resource Manager manages your configurations, you can automate creating the same configuration across all Azure Arc-enabled Kubernetes resources using Azure Policy, within scope of a subscription or a resource group. This capability is even applicable to Azure Arc-enabled Kubernetes resources created after the policy assignment.
This feature applies baseline configurations (like network policies, role bindings, and pod security policies) across the entire Kubernetes cluster inventory to meet compliance and governance requirements. ## Next steps * Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* Already have a Kubernetes cluster connected Azure Arc? [Create configurations on your Arc enabled Kubernetes cluster](./tutorial-use-gitops-connected-cluster.md).
-* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).
+* Already have a Kubernetes cluster connected Azure Arc? [Create configurations on your Azure Arc-enabled Kubernetes cluster](./tutorial-use-gitops-connected-cluster.md).
+* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).
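Review bot: "Already have a Kubernetes cluster connected Azure Arc?" in the `+` line is missing a preposition; change it to "Already have a Kubernetes cluster connected to Azure Arc?".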
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/overview.md
Title: "Overview of Azure Arc enabled Kubernetes"
+ Title: "Overview of Azure Arc-enabled Kubernetes"
#
Last updated 05/25/2021
-description: "This article provides an overview of Azure Arc enabled Kubernetes."
+description: "This article provides an overview of Azure Arc-enabled Kubernetes."
keywords: "Kubernetes, Arc, Azure, containers"
-# What is Azure Arc enabled Kubernetes?
+# What is Azure Arc-enabled Kubernetes?
-With Azure Arc enabled Kubernetes, you can attach and configure Kubernetes clusters located either inside or outside Azure. When you connect a Kubernetes cluster to Azure Arc, it will:
+With Azure Arc-enabled Kubernetes, you can attach and configure Kubernetes clusters located either inside or outside Azure. When you connect a Kubernetes cluster to Azure Arc, it will:
* Appear in the Azure portal with an Azure Resource Manager ID and a managed identity. * Be placed in an Azure subscription and resource group. * Receive tags just like any other Azure resource.
To connect a Kubernetes cluster to Azure, the cluster administrator needs to dep
* Collect Azure Arc logs and metrics. * Watch for configuration requests.
-Azure Arc enabled Kubernetes supports industry-standard SSL to secure data in transit. Also, data at rest is stored encrypted in an Azure Cosmos DB database to ensure data confidentiality.
+Azure Arc-enabled Kubernetes supports industry-standard SSL to secure data in transit. Also, data at rest is stored encrypted in an Azure Cosmos DB database to ensure data confidentiality.
## Supported Kubernetes distributions
-Azure Arc enabled Kubernetes works with any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. The Azure Arc team has worked with [key industry partners to validate conformance](./validation-program.md) of their Kubernetes distributions with Azure Arc enabled Kubernetes.
+Azure Arc-enabled Kubernetes works with any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. The Azure Arc team has worked with [key industry partners to validate conformance](./validation-program.md) of their Kubernetes distributions with Azure Arc-enabled Kubernetes.
## Supported scenarios
-Azure Arc enabled Kubernetes supports the following scenarios:
+Azure Arc-enabled Kubernetes supports the following scenarios:
* Connect Kubernetes running outside of Azure for inventory, grouping, and tagging.
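Review bot: the line "Azure Arc-enabled Kubernetes supports industry-standard SSL to secure data in transit" keeps the stale protocol name through the rename; since the line is already being touched, change "SSL" to "TLS", which is the protocol actually negotiated and the term the rest of the Azure documentation uses. The companion claim "data at rest is stored encrypted in an Azure Cosmos DB database" would also be more useful if it said which data this covers, so readers scoping a data-handling review know what lands in Azure and what stays on the cluster.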
Azure Arc enabled Kubernetes supports the following scenarios:
* Apply policy definitions using Azure Policy for Kubernetes.
-* Create [custom locations](./custom-locations.md) as target locations for deploying Azure Arc enabled Data Services, [App Services on Azure Arc](../../app-service/overview-arc-integration.md) (including web, function, and logic apps) and [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md).
+* Create [custom locations](./custom-locations.md) as target locations for deploying Azure Arc-enabled Data Services, [App Services on Azure Arc](../../app-service/overview-arc-integration.md) (including web, function, and logic apps) and [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md).
[!INCLUDE [azure-lighthouse-supported-service](../../../includes/azure-lighthouse-supported-service.md)]
Azure Arc enabled Kubernetes supports the following scenarios:
Learn how to connect a cluster to Azure Arc. > [!div class="nextstepaction"]
-> [Connect a cluster to Azure Arc](./quickstart-connect-cluster.md)
+> [Connect a cluster to Azure Arc](./quickstart-connect-cluster.md)
azure-arc Plan At Scale Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/plan-at-scale-deployment.md
Title: How to plan and deploy Azure Arc enabled Kubernetes
+ Title: How to plan and deploy Azure Arc-enabled Kubernetes
Last updated 04/12/2021
-description: Onboard large number of clusters to Azure Arc enabled Kubernetes for configuration management
+description: Onboard large number of clusters to Azure Arc-enabled Kubernetes for configuration management
-# Plan and deploy Azure Arc enabled Kubernetes
+# Plan and deploy Azure Arc-enabled Kubernetes
Deployment of an IT infrastructure service or business application is a challenge for any company. To prevent any unwelcome surprises or unplanned costs, you need to thoroughly plan for it to ensure you're as ready as possible. Such a plan should identify design and deployment criteria that needs to be met to complete the tasks.
For the deployment to continue smoothly, your plan should establish a clear unde
* How to avoid disruption during deployment. * What's the escalation path when a significant issue occurs?
-The purpose of this article is to ensure you're prepared for a successful deployment of Azure Arc enabled Kubernetes across multiple production clusters in your environment.
+The purpose of this article is to ensure you're prepared for a successful deployment of Azure Arc-enabled Kubernetes across multiple production clusters in your environment.
## Prerequisites
The purpose of this article is to ensure you're prepared for a successful deploy
* Your machines have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server. More details can be found under [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements). * A `kubeconfig` file pointing to the cluster you want to connect to Azure Arc.
-* 'Read' and 'Write' permissions for the user or service principal creating the Azure Arc enabled Kubernetes resource type of `Microsoft.Kubernetes/connectedClusters`.
+* 'Read' and 'Write' permissions for the user or service principal creating the Azure Arc-enabled Kubernetes resource type of `Microsoft.Kubernetes/connectedClusters`.
## Pilot
Establish a formal plan describing the scope and details of the pilot. The follo
## Phase 1: Build a foundation
-In this phase, system engineers or administrators perform the core activities such creation of resource groups, tags, role assignments so that the Azure Arc enabled Kubernetes resources can then be created and operated.
+In this phase, system engineers or administrators perform the core activities such creation of resource groups, tags, role assignments so that the Azure Arc-enabled Kubernetes resources can then be created and operated.
|Task |Detail |Duration | |--|-||
-| [Create a resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups) | A dedicated resource group to include only Azure Arc enabled Kubernetes resources and centralize management and monitoring of these resources. | One hour |
-| Apply [Tags](../../azure-resource-manager/management/tag-resources.md) to help organize machines. | Evaluate and develop an IT-aligned [tagging strategy](/azure/cloud-adoption-framework/decision-guides/resource-tagging/). This can help reduce the complexity of managing your Azure Arc enabled Kubernetes resources and simplify making management decisions. | One day |
+| [Create a resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups) | A dedicated resource group to include only Azure Arc-enabled Kubernetes resources and centralize management and monitoring of these resources. | One hour |
+| Apply [Tags](../../azure-resource-manager/management/tag-resources.md) to help organize machines. | Evaluate and develop an IT-aligned [tagging strategy](/azure/cloud-adoption-framework/decision-guides/resource-tagging/). This can help reduce the complexity of managing your Azure Arc-enabled Kubernetes resources and simplify making management decisions. | One day |
| Identify [configurations](tutorial-use-gitops-connected-cluster.md) for GitOps | Identify the application or baseline configurations such as `PodSecurityPolicy`, `NetworkPolicy` that you want to deploy to your clusters | One day |
-| [Develop an Azure Policy](../../governance/policy/overview.md) governance plan | Determine how you'll implement governance of Azure Arc enabled Kubernetes clusters at the subscription or resource group scope with Azure Policy. | One day |
+| [Develop an Azure Policy](../../governance/policy/overview.md) governance plan | Determine how you'll implement governance of Azure Arc-enabled Kubernetes clusters at the subscription or resource group scope with Azure Policy. | One day |
| Configure [Role based access control](../../role-based-access-control/overview.md) (RBAC) | Develop an access plan to identify who has read/write/all permissions on your clusters | One day |
-## Phase 2: Deploy Azure Arc enabled Kubernetes
+## Phase 2: Deploy Azure Arc-enabled Kubernetes
In this phase, we connect your Kubernetes clusters to Azure:
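Review bot: the rewritten sentence "perform the core activities such creation of resource groups, tags, role assignments" still drops the "as"; make it "such as creation of resource groups, tags, and role assignments" in the same pass. In the Phase 1 table, the GitOps row names `PodSecurityPolicy` as an example baseline configuration, but PodSecurityPolicy has been deprecated since Kubernetes 1.21 and is scheduled for removal in 1.25, so the row should either pick a non-deprecated example or point readers to the Azure Policy row beneath it as the supported way to enforce pod-security baselines across clusters.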
In this phase, we deploy applications and baseline configurations to your Kubern
|Task |Detail |Duration | |--|-||
-|[Create configurations](tutorial-use-gitops-connected-cluster.md) on your clusters | Create configurations for deploying your applications on your Azure Arc enabled Kubernetes resource. | 15 minutes |
+|[Create configurations](tutorial-use-gitops-connected-cluster.md) on your clusters | Create configurations for deploying your applications on your Azure Arc-enabled Kubernetes resource. | 15 minutes |
|[Use Azure Policy](use-azure-policy.md) for at-scale enforcement of configurations | Create policy assignments to automate the deployment of baseline configurations across all your clusters under a subscription or resource group scope. | 15 minutes | | [Upgrade Azure Arc agents](agent-upgrade.md) | If you have disabled auto-upgrade of agents on your clusters, update your agents manually to the latest version to make sure you have the most recent security and bug fixes. | 15 minutes | ## Next steps * Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Create configurations](./tutorial-use-gitops-connected-cluster.md) on your Azure Arc enabled Kubernetes cluster.
-* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md).
+* [Create configurations](./tutorial-use-gitops-connected-cluster.md) on your Azure Arc-enabled Kubernetes cluster.
+* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md).
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/policy-reference.md
Title: Built-in policy definitions for Azure Arc enabled Kubernetes
-description: Lists Azure Policy built-in policy definitions for Azure Arc enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources.
+ Title: Built-in policy definitions for Azure Arc-enabled Kubernetes
+description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources.
Last updated 09/03/2021 #
-# Azure Policy built-in definitions for Azure Arc enabled Kubernetes
+# Azure Policy built-in definitions for Azure Arc-enabled Kubernetes
This page is an index of [Azure Policy](../../governance/policy/overview.md) built-in policy
-definitions for Azure Arc enabled Kubernetes. For additional Azure Policy built-ins for other
+definitions for Azure Arc-enabled Kubernetes. For additional Azure Policy built-ins for other
services, see [Azure Policy built-in definitions](../../governance/policy/samples/built-in-policies.md).
The name of each built-in policy definition links to the policy definition in th
the link in the **Version** column to view the source on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
-## Arc enabled Kubernetes
+## Azure Arc-enabled Kubernetes
[!INCLUDE [azure-policy-reference-rp-aks-kubernetes](../../../includes/policy/reference/byrp/microsoft.kubernetes.md)]
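Review bot: renaming the heading "## Arc enabled Kubernetes" to "## Azure Arc-enabled Kubernetes" also changes its generated anchor from `#arc-enabled-kubernetes` to `#azure-arc-enabled-kubernetes`, and this change set shows no matching update of inbound links to the old anchor; search the docs for `policy-reference.md#arc-enabled-kubernetes` and update them before merging, as was done in this same batch for the Open Service Mesh tutorial's link into the troubleshooting page.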
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Title: 'Quickstart: Connect an existing Kubernetes cluster to Azure Arc'
-description: "In this quickstart, learn how to connect an Azure Arc enabled Kubernetes cluster."
+description: "In this quickstart, learn how to connect an Azure Arc-enabled Kubernetes cluster."
keywords: "Kubernetes, Arc, Azure, cluster"
# Quickstart: Connect an existing Kubernetes cluster to Azure Arc
-In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes and how to connect an existing Kubernetes cluster to Azure Arc. For a conceptual look at connecting clusters to Azure Arc, see the [Azure Arc enabled Kubernetes Agent Architecture article](./conceptual-agent-architecture.md).
+In this quickstart, you'll learn the benefits of Azure Arc-enabled Kubernetes and how to connect an existing Kubernetes cluster to Azure Arc. For a conceptual look at connecting clusters to Azure Arc, see the [Azure Arc-enabled Kubernetes Agent Architecture article](./conceptual-agent-architecture.md).
[!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes an
> The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported. * A `kubeconfig` file and context pointing to your cluster.
-* 'Read' and 'Write' permissions on the Azure Arc enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
+* 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
* Install the [latest release of Helm 3](https://helm.sh/docs/intro/install). ### [Azure PowerShell](#tab/azure-powershell) - * [Azure PowerShell version 5.9.0 or later](/powershell/azure/install-az-ps) * Install the **Az.ConnectedKubernetes** PowerShell module:
In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes an
> The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported. * A `kubeconfig` file and context pointing to your cluster.
-* 'Read' and 'Write' permissions on the Azure Arc enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
+* 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
* Install the [latest release of Helm 3](https://helm.sh/docs/intro/install).
In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes an
| `https://*.his.arc.azure.com` (for Azure Cloud), `https://usgv.his.arc.azure.us` (for Azure US Government) | Required to pull system-assigned Managed Service Identity (MSI) certificates. | |`*.servicebus.windows.net`, `guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`, `sts.windows.net` | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |
-## 1. Register providers for Azure Arc enabled Kubernetes
+## 1. Register providers for Azure Arc-enabled Kubernetes
### [Azure CLI](#tab/azure-cli)
Helm release deployment succeeded
</pre> > [!TIP]
-> The above command without the location parameter specified creates the Azure Arc enabled Kubernetes resource in the same location as the resource group. To create the Azure Arc enabled Kubernetes resource in a different location, specify either `--location <region>` or `-l <region>` when running the `az connectedk8s connect` command.
+> The above command without the location parameter specified creates the Azure Arc-enabled Kubernetes resource in the same location as the resource group. To create the Azure Arc-enabled Kubernetes resource in a different location, specify either `--location <region>` or `-l <region>` when running the `az connectedk8s connect` command.
> [!NOTE] > If you are logged into Azure CLI using a service principal, an [additional parameter](troubleshooting.md#enable-custom-locations-using-service-principal) needs to be set for enabling the custom location feature on the cluster.
eastus AzureArcTest1 microsoft.kubernetes/connectedclusters
### [Azure CLI](#tab/azure-cli)
-If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc enabled Kubernetes agents need to route their requests via the outbound proxy server.
+If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc-enabled Kubernetes agents need to route their requests via the outbound proxy server.
1. Set the environment variables needed for Azure CLI to use the outbound proxy server:
If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc
### [Azure PowerShell](#tab/azure-powershell)
-If your cluster is behind an outbound proxy server, Azure PowerShell and the Azure Arc enabled Kubernetes agents need to route their requests via the outbound proxy server.
+If your cluster is behind an outbound proxy server, Azure PowerShell and the Azure Arc-enabled Kubernetes agents need to route their requests via the outbound proxy server.
1. Set the environment variables needed for Azure PowerShell to use the outbound proxy server:
eastus AzureArcTest1 microsoft.kubernetes/connectedclusters
> [!NOTE]
-> After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes, etc.) to surface on the overview page of the Azure Arc enabled Kubernetes resource in Azure portal.
+> After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes, etc.) to surface on the overview page of the Azure Arc-enabled Kubernetes resource in Azure portal.
## 6. View Azure Arc agents for Kubernetes
-Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namespace.
+Azure Arc-enabled Kubernetes deploys a few operators into the `azure-arc` namespace.
1. View these deployments and pods using:
Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namesp
### [Azure CLI](#tab/azure-cli)
-You can delete the Azure Arc enabled Kubernetes resource, any associated configuration resources, *and* any agents running on the cluster using Azure CLI using the following command:
+You can delete the Azure Arc-enabled Kubernetes resource, any associated configuration resources, *and* any agents running on the cluster using Azure CLI using the following command:
```azurecli az connectedk8s delete --name AzureArcTest1 --resource-group AzureArcTest ``` >[!NOTE]
-> Deleting the Azure Arc enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc enabled Kubernetes resource using `az connectedk8s delete` instead of Azure portal.
+> Deleting the Azure Arc-enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc-enabled Kubernetes resource using `az connectedk8s delete` instead of Azure portal.
### [Azure PowerShell](#tab/azure-powershell)
-You can delete the Azure Arc enabled Kubernetes resource, any associated configuration resources, *and* any agents running on the cluster using Azure PowerShell using the following command:
+You can delete the Azure Arc-enabled Kubernetes resource, any associated configuration resources, *and* any agents running on the cluster using Azure PowerShell using the following command:
```azurepowershell Remove-AzConnectedKubernetes -ClusterName AzureArcTest1 -ResourceGroupName AzureArcTest ``` >[!NOTE]
-> Deleting the Azure Arc enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc enabled Kubernetes resource using `Remove-AzConnectedKubernetes` instead of Azure portal.
+> Deleting the Azure Arc-enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc-enabled Kubernetes resource using `Remove-AzConnectedKubernetes` instead of Azure portal.
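Review bot: the cleanup NOTE in both tabs says that deleting the resource from the Azure portal leaves the agents running on the cluster but gives no way to remove them afterwards; orphaned pods in the `azure-arc` namespace keep attempting outbound connections to the endpoints listed in the network requirements table and retain whatever cluster permissions their service accounts were granted at install, so the note should add the recovery path for a resource that has already been deleted from the portal (or link to the manual agent-removal steps the troubleshooting article gives for that case) rather than only stating the best practice.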
azure-arc Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/troubleshooting.md
Title: "Troubleshoot common Azure Arc enabled Kubernetes issues"
+ Title: "Troubleshoot common Azure Arc-enabled Kubernetes issues"
#
Last updated 05/21/2021
-description: "Troubleshooting common issues with Arc enabled Kubernetes clusters."
+description: "Troubleshooting common issues with Azure Arc-enabled Kubernetes clusters."
keywords: "Kubernetes, Arc, Azure, containers"
-# Azure Arc enabled Kubernetes troubleshooting
+# Azure Arc-enabled Kubernetes troubleshooting
This document provides troubleshooting guides for issues with connectivity, permissions, and agents.
az account show
### Azure Arc agents
-All agents for Azure Arc enabled Kubernetes are deployed as pods in the `azure-arc` namespace. All pods should be running and passing their health checks.
+All agents for Azure Arc-enabled Kubernetes are deployed as pods in the `azure-arc` namespace. All pods should be running and passing their health checks.
First, verify the Azure Arc helm release:
If `az connectedk8s connect` is timing out and failing when connecting an OpenSh
### Installation timeouts
-Connecting a Kubernetes cluster to Azure Arc enabled Kubernetes requires installation of Azure Arc agents on the cluster. If the cluster is running over a slow internet connection, the container image pull for agents may take longer than the Azure CLI timeouts.
+Connecting a Kubernetes cluster to Azure Arc-enabled Kubernetes requires installation of Azure Arc agents on the cluster. If the cluster is running over a slow internet connection, the container image pull for agents may take longer than the Azure CLI timeouts.
```azurecli $ az connectedk8s connect --resource-group AzureArc --name AzureArcCluster
ValidationError: Unable to install helm release: Error: customresourcedefinition
To recover from this issue, follow these steps:
-1. Delete the Azure Arc enabled Kubernetes resource in the Azure portal.
+1. Delete the Azure Arc-enabled Kubernetes resource in the Azure portal.
2. Run the following commands on your machine: ```console
az k8s-configuration create <parameters> --debug
### Create configurations
-Write permissions on the Azure Arc enabled Kubernetes resource (`Microsoft.Kubernetes/connectedClusters/Write`) are necessary and sufficient for creating configurations on that cluster.
+Write permissions on the Azure Arc-enabled Kubernetes resource (`Microsoft.Kubernetes/connectedClusters/Write`) are necessary and sufficient for creating configurations on that cluster.
### Configuration remains `Pending`
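Review bot: "necessary and sufficient" in "Write permissions on the Azure Arc-enabled Kubernetes resource (`Microsoft.Kubernetes/connectedClusters/Write`) are necessary and sufficient for creating configurations" states the access rule without its consequence: anyone holding that action can attach a GitOps configuration and thereby deploy arbitrary manifests to the cluster. Add one sentence saying so and recommending that the permission be granted through a narrowly scoped role at the resource or resource-group level rather than via broad built-in roles; the quickstart's "'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type" prerequisite would benefit from the same caveat.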
The above warning is observed when you have used a service principal to log into
az connectedk8s connect -n <cluster-name> -g <resource-group-name> --custom-locations-oid <objectId> ```
- - If you are enabling custom locations feature on an existing Arc enabled Kubernetes cluster, run the following command:
+ - If you are enabling custom locations feature on an existing Azure Arc-enabled Kubernetes cluster, run the following command:
```console az connectedk8s enable-features -n <cluster-name> -g <resource-group-name> --custom-locations-oid <objectId> --features cluster-connect custom-locations
The above warning is observed when you have used a service principal to log into
Once above permissions are granted, you can now proceed to [enabling the custom location feature](custom-locations.md#enable-custom-locations-on-cluster) on the cluster.
-## Arc enabled Open Service Mesh
+## Azure Arc-enabled Open Service Mesh
The following troubleshooting steps provide guidance on validating the deployment of all the Open Service Mesh extension components on your cluster.
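Review bot: the context line "Once above permissions are granted, you can now proceed" should read "Once the above permissions are granted, you can proceed". The heading rename here changes the section anchor to `#azure-arc-enabled-open-service-mesh`; the Open Service Mesh tutorial's Troubleshooting link is updated to that anchor in this batch, so make sure both changes ship in the same merge or the tutorial link will land at the top of the document in between.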
azure-arc Tutorial Arc Enabled Open Service Mesh https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/tutorial-arc-enabled-open-service-mesh.md
Title: Azure Arc-enabled Open Service Mesh (Preview)
-description: Open Service Mesh (OSM) extension on Arc enabled Kubernetes cluster
+description: Open Service Mesh (OSM) extension on Azure Arc-enabled Kubernetes cluster
Last updated 07/23/2021
OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI](https://smi-spec.io/) APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. [Read more](https://docs.openservicemesh.io/#features) on the service mesh scenarios enabled by Open Service Mesh.
-### Support limitations for Arc enabled Open Service Mesh
+### Support limitations for Azure Arc-enabled Open Service Mesh
-- Only one instance of Open Service Mesh can be deployed on an Arc connected Kubernetes cluster
+- Only one instance of Open Service Mesh can be deployed on an Azure Arc-connected Kubernetes cluster.
- Public preview is available for Open Service Mesh version v0.8.4 and above. Find out the latest version of the release [here](https://github.com/Azure/osm-azure/releases). The supported release versions are appended with notes. Ignore the tags associated with intermediate releases. -- Following Kubernetes distributions are currently supported
+- The following Kubernetes distributions are currently supported:
- AKS Engine - AKS on HCI - Cluster API Azure
OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI
- Rancher Kubernetes Engine - OpenShift Kubernetes Distribution - Amazon Elastic Kubernetes Service-- Azure Monitor integration with Azure Arc enabled Open Service Mesh is available with [limited support](https://github.com/microsoft/Docker-Provider/blob/ci_dev/Documentation/OSMPrivatePreview/ReadMe.md).-
+- Azure Monitor integration with Azure Arc-enabled Open Service Mesh is available with [limited support](https://github.com/microsoft/Docker-Provider/blob/ci_dev/Documentation/OSMPrivatePreview/ReadMe.md).
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI
- Ensure you have met all the common prerequisites for cluster extensions listed [here](extensions.md#prerequisites). - Use az k8s-extension CLI version >= v0.4.0
-## Install Arc enabled Open Service Mesh (OSM) on an Arc enabled Kubernetes cluster
+## Install Azure Arc-enabled Open Service Mesh (OSM) on an Azure Arc-enabled Kubernetes cluster
The following steps assume that you already have a cluster with supported Kubernetes distribution connected to Azure Arc.
export CLUSTER_NAME=<arc-cluster-name>
export RESOURCE_GROUP=<resource-group-name> ```
-While Arc enabled Open Service Mesh is in preview, the `az k8s-extension create` command only accepts `pilot` for the `--release-train` flag. `--auto-upgrade-minor-version` is always set to `false` and a version must be provided. If you have an OpenShift cluster, use the steps in the [section](#install-a-specific-version-of-osm-on-openshift-cluster).
+While Azure Arc-enabled Open Service Mesh is in preview, the `az k8s-extension create` command only accepts `pilot` for the `--release-train` flag. `--auto-upgrade-minor-version` is always set to `false` and a version must be provided. If you have an OpenShift cluster, use the steps in the [section](#install-a-specific-version-of-osm-on-openshift-cluster).
```azurecli-interactive az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.openservicemesh --scope cluster --release-train pilot --name osm --version $VERSION
It may take 3-5 minutes for the actual OSM helm chart to get deployed to the clu
To ensure that the privileged init container setting is not reverted to the default, pass in the "osm.OpenServiceMesh.enablePrivilegedInitContainer" : "true" configuration setting to all subsequent az k8s-extension create commands.
-### Install Arc enabled OSM using ARM template
+### Install Azure Arc-enabled OSM using ARM template
After connecting your cluster to Azure Arc, create a json file with the following format, making sure to update the <cluster-name> value:
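Review bot: the sentence "To ensure that the privileged init container setting is not reverted to the default, pass in the "osm.OpenServiceMesh.enablePrivilegedInitContainer" : "true" configuration setting to all subsequent az k8s-extension create commands" tells readers to keep a privileged container on every reinstall without saying what that grants or who needs it. Add that the setting runs the OSM init container as a privileged container, say which install path introduces it (the text above already sends OpenShift users to a separate section), and state plainly that clusters that did not need it should not carry the flag forward; the value should also be rendered as inline code with consistent quoting rather than bare quotation marks.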
az deployment group create --name $DEPLOYMENT_NAME --resource-group $RESOURCE_GR
Now, you should be able to view the OSM resources and use the OSM extension in your cluster.
-## Validate the Arc enabled Open Service Mesh installation
+## Validate the Azure Arc-enabled Open Service Mesh installation
Run the following command.
To make changes to the OSM ConfigMap for version v0.8.4, use the following guida
> [!NOTE] > To ensure that the ConfigMap changes are not reverted to the default, pass in the same configuration settings to all subsequent az k8s-extension create commands.
-## Using the Arc enabled Open Service Mesh
+## Using the Azure Arc-enabled Open Service Mesh
To start using OSM capabilities, you need to first onboard the application namespaces to the service mesh. Download the OSM CLI from [OSM GitHub releases page](https://github.com/openservicemesh/osm/releases/). Once the namespaces are added to the mesh, you can configure the SMI policies to achieve the desired OSM capability.
The OSM extension does not install add-ons like [Jaeger](https://www.jaegertraci
Both Azure Monitor and Azure Application Insights helps you maximize the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
-Arc enabled Open Service Mesh will have deep integrations into both of these Azure services, and provide a seemless Azure experience for viewing and responding to critical KPIs provided by OSM metrics. Follow the steps below to allow Azure Monitor to scrape prometheus endpoints for collecting application metrics.
+Azure Arc-enabled Open Service Mesh will have deep integrations into both of these Azure services, and provide a seemless Azure experience for viewing and responding to critical KPIs provided by OSM metrics. Follow the steps below to allow Azure Monitor to scrape prometheus endpoints for collecting application metrics.
1. Ensure that the application namespaces that you wish to be monitored are onboarded to the mesh. Follow the guidance [available here](#onboard-namespaces-to-the-service-mesh).
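Review bot: the rewritten line carries "seemless" over from the original; make it "seamless" and capitalise "Prometheus" while the line is open. The preceding context line "Both Azure Monitor and Azure Application Insights helps you maximize" needs "help", and "will have deep integrations" promises future behaviour inside a tutorial; describe what the integration does today and leave roadmap wording out.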
Read more about integration with Azure Monitor [here](https://github.com/microso
### Navigating the OSM dashboard
-1. Access your Arc connected Kubernetes cluster using this [link](https://aka.ms/azmon/osmarcux).
+1. Access your Azure Arc-connected Kubernetes cluster using this [link](https://aka.ms/azmon/osmarcux).
2. Go to Azure Monitor and navigate to the Reports tab to access the OSM workbook. 3. Select the time-range & namespace to scope your services.
Make sure to back up your Custom Resources prior to deleting the CRDs so that th
5. Recreate Custom Resources using new CRDs
-## Uninstall Arc enabled Open Service Mesh
+## Uninstall Azure Arc-enabled Open Service Mesh
Use the following command:
When you use the az k8s-extension command to delete the OSM extension, the arc-o
## Troubleshooting
-Refer to the troubleshooting guide [available here](troubleshooting.md#arc-enabled-open-service-mesh).
+Refer to the troubleshooting guide [available here](troubleshooting.md#azure-arc-enabled-open-service-mesh).
## Next steps
azure-arc Tutorial Gitops Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/tutorial-gitops-ci-cd.md
Title: 'Tutorial: Implement CI/CD with GitOps using Azure Arc-enabled Kubernetes clusters'
-description: This tutorial walks through setting up a CI/CD solution using GitOps with Azure Arc enabled Kubernetes clusters. For a conceptual take on this workflow, see the CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes article.
+description: This tutorial walks through setting up a CI/CD solution using GitOps with Azure Arc-enabled Kubernetes clusters. For a conceptual take on this workflow, see the CI/CD Workflow using GitOps - Azure Arc-enabled Kubernetes article.
# Tutorial: Implement CI/CD with GitOps using Azure Arc-enabled Kubernetes clusters -
-In this tutorial, you'll set up a CI/CD solution using GitOps with Azure Arc enabled Kubernetes clusters. Using the sample Azure Vote app, you'll:
+In this tutorial, you'll set up a CI/CD solution using GitOps with Azure Arc-enabled Kubernetes clusters. Using the sample Azure Vote app, you'll:
> [!div class="checklist"]
-> * Create an Azure Arc enabled Kubernetes cluster.
+> * Create an Azure Arc-enabled Kubernetes cluster.
> * Connect your application and GitOps repos to Azure Repos. > * Import CI/CD pipelines. > * Connect your Azure Container Registry (ACR) to Azure DevOps and Kubernetes.
This tutorial assumes familiarity with Azure DevOps, Azure Repos and Pipelines,
* Complete the [previous tutorial](./tutorial-use-gitops-connected-cluster.md) to learn how to deploy GitOps for your CI/CD environment. * Understand the [benefits and architecture](./conceptual-configurations.md) of this feature. * Verify you have:
- * A [connected Azure Arc enabled Kubernetes cluster](./quickstart-connect-cluster.md#3-connect-an-existing-kubernetes-cluster) named **arc-cicd-cluster**.
+ * A [connected Azure Arc-enabled Kubernetes cluster](./quickstart-connect-cluster.md#3-connect-an-existing-kubernetes-cluster) named **arc-cicd-cluster**.
* A connected Azure Container Registry (ACR) with either [AKS integration](../../aks/cluster-container-registry-integration.md) or [non-AKS cluster authentication](../../container-registry/container-registry-auth-kubernetes.md). * "Build Admin" and "Project Admin" permissions for [Azure Repos](/azure/devops/repos/get-started/what-is-repos) and [Azure Pipelines](/azure/devops/pipelines/get-started/pipelines-get-started).
-* Install the following Azure Arc enabled Kubernetes CLI extensions of versions >= 1.0.0:
+* Install the following Azure Arc-enabled Kubernetes CLI extensions of versions >= 1.0.0:
```azurecli az extension add --name connectedk8s
If you're not going to continue to use this application, delete any resources wi
In this tutorial, you have set up a full CI/CD workflow that implements DevOps from application development through deployment. Changes to the app automatically trigger validation and deployment, gated by manual approvals.
-Advance to our conceptual article to learn more about GitOps and configurations with Azure Arc enabled Kubernetes.
+Advance to our conceptual article to learn more about GitOps and configurations with Azure Arc-enabled Kubernetes.
> [!div class="nextstepaction"]
-> [CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes](./conceptual-gitops-ci-cd.md)
+> [CI/CD Workflow using GitOps - Azure Arc-enabled Kubernetes](./conceptual-gitops-ci-cd.md)
azure-arc