Updates from: 07/27/2021 03:05:47
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Customize Ui https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/customize-ui.md
Last updated 06/27/2021-+ zone_pivot_groups: b2c-policy-type
Classic:
```xml <ContentDefinitions> <ContentDefinition Id="api.error">
- <LoadUri>~/tenant/templates/default/exception.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/exception.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.idpselections">
- <LoadUri>~/tenant/templates/default/idpSelector.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/idpSelector.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.idpselections.signup">
- <LoadUri>~/tenant/templates/default/idpSelector.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/idpSelector.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.signuporsignin">
- <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/unified.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.selfasserted">
- <LoadUri>~/tenant/templates/default/selfAsserted.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.selfasserted.profileupdate">
- <LoadUri>~/tenant/templates/default/selfAsserted.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.localaccountsignup">
- <LoadUri>~/tenant/templates/default/selfAsserted.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.localaccountpasswordreset">
- <LoadUri>~/tenant/templates/default/selfAsserted.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
</ContentDefinition> <ContentDefinition Id="api.phonefactor">
- <LoadUri>~/tenant/templates/default/multifactor-1.0.0.cshtml</LoadUri>
+ <LoadUri>~/tenant/default/multifactor-1.0.0.cshtml</LoadUri>
</ContentDefinition> </ContentDefinitions> ```
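Review bot: the api.signuporsignin entry changes the template family as well as the path: `- <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>` becomes `+ <LoadUri>~/tenant/default/unified.cshtml</LoadUri>`, while the other eight entries only drop the `templates/` segment. If the intent is only to correct the path prefix, the replacement should keep the page under AzureBlue; if the intent is to standardize on the default template, say so in the surrounding text, because the sign-up/sign-in page is the one users see first and a silent template swap changes the rendered UI without any other visible change in the policy.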
active-directory-b2c Partner Bloksec https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-bloksec.md
To get started, you'll need:
| Name |Azure AD B2C or your desired application name| |SSO type | OIDC| |Logo URI |[https://bloksec.io/assets/AzureB2C.png/](https://bloksec.io/assets/AzureB2C.png/) a link to the image of your choice|
- |Redirect URIs | https://**your-B2C-tenant-name**.b2clogin.com/**your-B2C-tenant-name**.onmicrosoft.com/oauth2/authresp<BR>**For Example**: [https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp](https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp) <BR><BR>If you use a custom domain, enter https://**your-domain-name**/**your-tenant-name**.onmicrosoft.com/oauth2/authresp. <BR> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
+ |Redirect URIs | https://**your-B2C-tenant-name**.b2clogin.com/**your-B2C-tenant-name**.onmicrosoft.com/oauth2/authresp<BR>**For Example**: 'https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp' <BR><BR>If you use a custom domain, enter https://**your-domain-name**/**your-tenant-name**.onmicrosoft.com/oauth2/authresp. <BR> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
|Post log out redirect URIs |https://**your-B2C-tenant-name**.b2clogin.com/**your-B2C-tenant-name**.onmicrosoft.com/**{policy}**/oauth2/v2.0/logout <BR> [Send a sign-out request](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect#send-a-sign-out-request). | 4. Once saved, select the newly created Azure AD B2C application to open the application configuration, select **Generate App Secret**.
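Review bot: the replacement example in the Redirect URIs row wraps the URL in single quotes, `'https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp'`, which renders the quotes literally; use backticks so it displays as code and copies cleanly. Dropping the hyperlink is the right call (an example reply URL should not be clickable), but the same row still carries the custom-domain form and the `<BR>` tags as bare text, so put every URL the reader is expected to copy in backticks for consistency.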
active-directory-domain-services Concepts Forest Trust https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/concepts-forest-trust.md
Previously updated : 07/06/2020 Last updated : 06/18/2021
Before you can create a forest trust, you need to verify you have the correct Do
To create a forest trust, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory. Each trust is assigned a password that the administrators in both forests must know. Members of Enterprise Admins in both forests can create the trusts in both forests at once and, in this scenario, a password that is cryptographically random is automatically generated and written for both forests.
-The outbound forest trust for Azure AD Domain Services is created in the Azure portal. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory.
+A managed domain resource forest supports up to five one-way outbound forest trusts to on-premises forests. The outbound forest trust for Azure AD Domain Services is created in the Azure portal. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory.
## Trust processes and interactions
active-directory-domain-services Manage Dns https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/manage-dns.md
Previously updated : 07/06/2020 Last updated : 06/18/2021 # Administer DNS and create conditional forwarders in an Azure Active Directory Domain Services managed domain
-In Azure Active Directory Domain Services (Azure AD DS), a key component is DNS (Domain Name Resolution). Azure AD DS includes a DNS server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.
+Azure AD DS includes a Domain Name System (DNS) server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.
As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Azure AD DS managed domain and can create and edit custom DNS records.
In a hybrid environment, DNS zones and records configured in other DNS namespace
This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Azure AD DS.
+>[!NOTE]
+>Creating or changing server-level DNS forwarders is not supported and will cause issues for the Azure AD DS managed domain.
+ ## Before you begin To complete this article, you need the following resources and privileges:
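Review bot: the new NOTE says that creating or changing server-level DNS forwarders "will cause issues" but not what breaks or what to do instead. Since this article's subject is conditional forwarders, state in the same note that conditional forwarders are the supported way to route queries for other namespaces and that the server-level forwarder list must be left as provisioned; otherwise the warning reads as "forwarders are unsupported" and contradicts the how-to that follows.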
active-directory-domain-services Manage Group Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/manage-group-policy.md
Previously updated : 07/06/2020 Last updated : 07/26/2021
To complete this article, you need the following resources and privileges:
> You can use Group Policy Administrative Templates by copying the new templates to the management workstation. Copy the *.admx* files into `%SYSTEMROOT%\PolicyDefinitions` and copy the locale-specific *.adml* files to `%SYSTEMROOT%\PolicyDefinitions\[Language-CountryRegion]`, where `Language-CountryRegion` matches the language and region of the *.adml* files. > > For example, copy the English, United States version of the *.adml* files into the `\en-us` folder.
->
-> Alternatively, you can centrally store your Group Policy Administrative Template on the domain controllers that are part of the managed domain. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
## Install Group Policy Management tools
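Review bot: the removed paragraph was the only mention of the Central Store alternative, and the remaining note now describes only copying templates to the management workstation. If the Central Store is being dropped because it doesn't apply to a managed domain (you don't have direct access to the managed domain controllers' SYSVOL), say that in one sentence; otherwise readers who already use a Central Store on-premises will assume it works here and try it.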
active-directory-domain-services Tutorial Create Forest Trust https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/tutorial-create-forest-trust.md
Previously updated : 01/21/2021 Last updated : 07/26/2021 #Customer intent: As an identity administrator, I want to create a one-way outbound forest from an Azure Active Directory Domain Services resource forest to an on-premises Active Directory Domain Services forest to provide authentication and resource access between forests.
To complete this tutorial, you need the following resources and privileges:
## Sign in to the Azure portal
-In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).
+In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com). Global administrator permissions are required to modify an Azure AD DS instance.
## Networking considerations
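Review bot: the added sentence "Global administrator permissions are required to modify an Azure AD DS instance" is a prerequisite and belongs in the list under "To complete this tutorial, you need the following resources and privileges", not under the sign-in heading where a reader without the role only discovers it after signing in. It is also broader than the task: name what specifically requires the role here (creating the outbound forest trust on the managed domain) so a least-privilege review can tell whether a narrower role would do.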
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
The Azure portal is a convenient way to configure provisioning for individual ap
1. Upon successful sign-in, you'll see the user account details in the left-hand pane. ### Retrieve the gallery application template identifier
-Applications in the Azure AD application gallery each have an [application template](/graph/api/applicationtemplate-list?tabs=http&view=graph-rest-beta) that describes the metadata for that application. Using this template, you can create an instance of the application and service principal in your tenant for management.
+Applications in the Azure AD application gallery each have an [application template](/graph/api/applicationtemplate-list?tabs=http&view=graph-rest-beta) that describes the metadata for that application. Using this template, you can create an instance of the application and service principal in your tenant for management. Retrieve the identifier of the application template for **AWS Single-Account Access** and from the response, record the value of the **id** property to use later in this tutorial.
#### Request ```msgraph-interactive
-GET https://graph.microsoft.com/beta/applicationTemplates
+GET https://graph.microsoft.com/beta/applicationTemplates?$filter=displayName eq 'AWS Single-Account Access'
``` #### Response
Content-type: application/json
"developerServices" ], "publisher": "Amazon",
- "description": null
+ "description": "Federate to a single AWS account and use SAML claims to authorize access to AWS IAM roles. If you have many AWS accounts, consider using the AWS Single Sign-On gallery application instead."
} ```
Content-type: application/json
## See also - [Review the synchronization Microsoft Graph documentation](/graph/api/resources/synchronization-overview?view=graph-rest-beta)-- [Integrating a custom SCIM app with Azure AD](./use-scim-to-provision-users-and-groups.md)
+- [Integrating a custom SCIM app with Azure AD](./use-scim-to-provision-users-and-groups.md)
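Review bot: the new request `GET https://graph.microsoft.com/beta/applicationTemplates?$filter=displayName eq 'AWS Single-Account Access'` contains unencoded spaces and single quotes; that works when pasted into Graph Explorer (the `msgraph-interactive` fence) but must be percent-encoded (`%20`, `%27`) in a raw HTTP client, so add a sentence to that effect or show the encoded form. The prose now tells the reader to record the `id` property from the response, but the response excerpt shown only includes `publisher` and `description`; include the `id` line in the excerpt so the reader sees what to copy.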
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Previously updated : 05/11/2021 Last updated : 07/26/2021
TLS 1.2 Cipher Suites minimum bar:
### IP Ranges The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. Note that you will need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).
+Azure AD also supports an agent based solution to provide connectivity to applications in private networks (on-premises, hosted in Azure, hosted in AWS, etc.). Customers can deploy a lightweight agent, which provides connectivity to Azure AD without opening an inbound ports, on a server in their private network. Learn more [here](/app-provisioning/on-premises-scim-provisioning).
+ ## Build a SCIM endpoint Now that you have designed your schema and understood the Azure AD SCIM implementation, you can get started developing your SCIM endpoint. Rather than starting from scratch and building the implementation completely on your own, you can rely on a number of open source SCIM libraries published by the SCIM community.
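Review bot: "without opening an inbound ports" should read "without opening any inbound ports", and the link target `/app-provisioning/on-premises-scim-provisioning` doesn't follow the link style used elsewhere on this page (relative paths such as `./use-scim-to-provision-users-and-groups.md`), so it is likely to break; use the relative `.md` form if that is the sibling article. It would also help to connect the new paragraph to the IP Ranges section just above it: say explicitly whether an application reached through the agent still needs to admit the AzureActiveDirectory ranges inbound, since the paragraph implies it does not.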
active-directory Concept Authentication Oath Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-oath-tokens.md
Previously updated : 03/31/2021 Last updated : 07/26/2021
Some OATH TOTP hardware tokens are programmable, meaning they don't come with a
## OATH hardware tokens (Preview)
-Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice.
+Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice. For a list of security token providers that are compatible with passwordless authentication, see [FIDO2 security key providers](concept-authentication-passwordless.md#fido2-security-key-providers).
OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. These keys must be input into Azure AD as described in the following steps. Secret keys are limited to 128 characters, which may not be compatible with all tokens. The secret key can only contain the characters *a-z* or *A-Z* and digits *2-7*, and must be encoded in *Base32*.
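Review bot: the link added in the + line points to FIDO2 security key providers, but this section is about OATH-TOTP hardware tokens, which are a second factor rather than a passwordless method. Placing the FIDO2 provider list directly after "Customers can purchase these tokens from the vendor of their choice" invites readers to buy a FIDO2 key expecting it to register as an OATH token. Either move the cross-reference to a see-also or passwordless section, or make the sentence say that FIDO2 keys are a different method with their own provider list.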
active-directory How To Nudge Authenticator App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/how-to-nudge-authenticator-app.md
Previously updated : 06/01/2021 Last updated : 07/26/2021
In addition to choosing who can be nudged, you can define how many days a user c
## Enable the nudge policy
-To enable the nudge, you must use the Authentication Methods Policy using Graph APIs or PowerShell commands. **Global administrators** and **Authentication Method Policy administrators** can update the policy.
+To enable the nudge, you must use the Authentication Methods Policy using Graph APIs. **Global administrators** and **Authentication Method Policy administrators** can update the policy.
To configure the policy using Graph Explorer:
active-directory Howto Authentication Passwordless Phone https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-passwordless-phone.md
Previously updated : 05/20/2021 Last updated : 07/02/2021
People who enabled phone sign-in from the Microsoft Authenticator app see a mess
To use passwordless phone sign-in with the Microsoft Authenticator app, the following prerequisites must be met: -- Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method.
+- Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Azure Multi-Factor Auth Connector must be enabled to allow users to register for push notifications for phone sign-in.
+
+ ![Screenshot of Azure Multi-Factor Auth Connector enabled.](media/howto-authentication-passwordless-phone/connector.png)
+ - Latest version of Microsoft Authenticator installed on devices running iOS 8.0 or greater, or Android 6.0 or greater. - The device on which the Microsoft Authenticator app is installed must be registered within the Azure AD tenant to an individual user.
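Review bot: the new list item says the Azure Multi-Factor Auth Connector "must be enabled" but not where; add the location (it is an enterprise application in the tenant) so an admin can find the setting. The screenshot line is inserted inside the bulleted list with a single leading space, which Markdown will not treat as part of the preceding item; indent it to align with the item text so the list is not split in two.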
active-directory Troubleshoot Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/troubleshoot-sspr-writeback.md
Previously updated : 08/26/2020 Last updated : 07/26/2021
A best practice when you troubleshoot problems with password writeback is to ins
| 31017| AuthTokenSuccess| This event indicates that we successfully retrieved an authorization token for the global admin specified during Azure AD Connect setup to start the offboarding or onboarding process.| | 31018| KeyPairCreationSuccess| This event indicates that we successfully created the password encryption key. This key is used to encrypt passwords from the cloud to be sent to your on-premises environment.| | 31034| ServiceBusListenerError| This event indicates that there was an error connecting to your tenant's Service Bus listener. If the error message includes "The remote certificate is invalid", check to make sure that your Azure AD Connect server has all the required Root CAs as described in [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md). |
+| 31044| PasswordResetService| This event indicates that password writeback is not working. The Service Bus listens for requests on two separate relays for redundancy. Each relay connection is managed by a unique Service Host. The writeback client returns an error if either Service Host is not running.|
| 32000| UnknownError| This event indicates an unknown error occurred during a password management operation. Look at the exception text in the event for more details. If you're having problems, try disabling and then re-enabling password writeback. If this doesn't help, include a copy of your event log along with the tracking ID specified when you open a support request.| | 32001| ServiceError| This event indicates there was an error connecting to the cloud password reset service. This error generally occurs when the on-premises service was unable to connect to the password-reset web service.| | 32002| ServiceBusError| This event indicates there was an error connecting to your tenant's Service Bus instance. This can happen if you're blocking outbound connections in your on-premises environment. Check your firewall to ensure that you allow connections over TCP 443 and to https://ssprdedicatedsbprodncu.servicebus.windows.net, and then try again. If you're still having problems, try disabling and then re-enabling password writeback.|
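Review bot: the new 31044 row tells the reader that writeback is not working but not what to do, unlike the neighbouring rows (32000, 32002) that end with a remediation; add the check (confirm both relay connections are up) and the same fallback the other rows give, disabling and re-enabling password writeback, or whatever the supported fix is. The event name "PasswordResetService" names a component rather than a condition; confirm it matches the string that appears in the event log, since admins filter on it.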
active-directory Tutorial Enable Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md
Previously updated : 05/19/2021 Last updated : 07/26/2021
To enable SSPR writeback, first enable the writeback option in Azure AD Connect.
![Configure Azure AD Connect for password writeback](media/tutorial-enable-sspr-writeback/enable-password-writeback.png)
+1. On the **Directory extensions** page, select **Next**.
1. On the **Ready to configure** page, select **Configure** and wait for the process to finish. 1. When you see the configuration finish, select **Exit**.
active-directory Refresh Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/refresh-tokens.md
# Microsoft identity platform refresh tokens
-When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant. This allows a client to use a refresh token to acquire access tokens across any combination of resource and tenant where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them.
+When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant. As such, a client can use a refresh token to acquire access tokens across any combination of resource and tenant where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them.
## Prerequisites
Before reading through this article, it's recommended that you go through the fo
## Refresh token lifetime
-Refresh tokens have a significantly longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. This means that whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.
+Refresh tokens have a longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. As such, whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.
## Refresh token expiration
Refresh tokens can be revoked at any time, because of timeouts and revocations.
### Token timeouts
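Review bot: "The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one." states the rule but not the risk; add that the superseded refresh token remains valid until it expires or is revoked, so a copy left in logs, backups or a stale cache can still be redeemed for new access tokens. That is the reason the deletion matters and makes the storage sentence that follows concrete.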
-Using [token lifetime configuration](active-directory-configurable-token-lifetimes.md#refresh-and-session-token-lifetime-policy-properties), the lifetime of refresh tokens can be reduced or lengthened. This setting changes the length of time that a refresh token can go without use. For example, consider a scenario where a user doesn't open an app for more than 90 days. When the app attempts to use that 90+ day old refresh token, it will find that it has expired. Additionally, an admin can require that second factors be used on a regular cadence, forcing the user to manually sign in at specific intervals. These scenarios include:
+You can't configure the lifetime of a refresh token. You can't reduce or lengthen their lifetime. Configure sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again. Learn more about [Configuring authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).
-* Inactivity: refresh tokens are only valid for a period dictated by the `MaxInactiveTime`. If the token isn't used (and replaced by the new token) within that time period, it will no longer be usable.
-* Session age-out: If `MaxAgeSessionMultiFactor` or `MaxAgeSessionSingleFactor` have been set to something other than their default (Until-revoked), then reauthentication will be required after the time set in the MaxAgeSession* elapses. This is used to force users to reauthenticate with a first or second factor periodically.
-* Examples:
- * The tenant has a MaxInactiveTime of five days, and the user went on vacation for a week. As such, Azure AD hasn't seen a new token request from the user in seven days. The next time the user requests a new token, they'll find their Refresh Token has been revoked, and they must enter their credentials again.
- * A sensitive application has a `MaxAgeSessionMultiFactor` of one day. A user will be required to go through MFA once more through an interactive prompt if they sign in again after a period of one day. For example, if a user logs in on Monday, and on Tuesday after 25 hours have elapsed.
-
-Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in [single page apps](reference-third-party-cookies-spas.md) are always limited to 24 hours of activity, as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied to them.
+Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in [single page apps](reference-third-party-cookies-spas.md) are always fixed to 24 hours of activity, as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied to them.
### Revocation
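Review bot: the hunk replaces the token lifetime policy material with "You can't configure the lifetime of a refresh token", but the retained + line at the end still says "Not all refresh tokens follow the rules set in the token lifetime policy" and "as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied", referring to the policy properties the same hunk deletes. Rewrite that sentence to stand alone, for example "Refresh tokens issued to single-page apps are limited to 24 hours of activity regardless of the Conditional Access sign-in frequency", so it doesn't point readers at a setting the page now says does not exist. "You can't configure the lifetime of a refresh token. You can't reduce or lengthen their lifetime." says the same thing twice; keep one. The removed inactivity example (a token unused for more than 90 days has expired) was the one concrete illustration of the 90-day default that is still stated under "Refresh token lifetime"; consider keeping a one-sentence version of it.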
active-directory Howto Device Identity Virtual Desktop Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md
Before configuring device identities in Azure AD for your VDI environment, famil
| | Managed<sup>4</sup> | Windows current and Windows down-level | Persistent | Yes | | | | Windows current | Non-Persistent | No | | | | Windows down-level | Non-Persistent | Yes<sup>6</sup> |
-| Azure AD joined | Federated | Windows current | Persistent | No |
+| Azure AD joined | Federated | Windows current | Persistent | Limited<sup>7</sup> |
| | | | Non-Persistent | No |
-| | Managed | Windows current | Persistent | No |
+| | Managed | Windows current | Persistent | Limited<sup>7</sup> |
| | | | Non-Persistent | No | | Azure AD registered | Federated/Managed | Windows current/Windows down-level | Persistent/Non-Persistent | Not Applicable |
Before configuring device identities in Azure AD for your VDI environment, famil
<sup>6</sup> **Non-Persistence support for Windows down-level** requires additional consideration as documented below in guidance section.
+<sup>7</sup> **Azure AD join support** is only available with Azure Virtual Desktop and Windows 365
## MicrosoftΓÇÖs guidance
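Review bot: footnote 7 ("Azure AD join support is only available with Azure Virtual Desktop and Windows 365") explains "Limited" for the two persistent Azure AD joined rows but is missing its terminal period and doesn't say what the outcome is for persistent VDI on any other platform. State the "No" outcome explicitly for other platforms so the cell isn't read as "partially works", and keep the footnote wording parallel to footnote 6.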
active-directory Howto Vm Sign In Azure Ad Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md
Previously updated : 06/30/2021 Last updated : 07/26/2021
Ensure your VM is configured with the following functionality:
Ensure your client meets the following requirements: -- SSH client must support OpenSSH based certificates for authentication. You can use Az CLI (2.21.1 or higher) or Azure Cloud Shell to meet this requirement. -- SSH extension for Az CLI. You can install this using az. You do not need to install this extension when using Azure Cloud Shell as it comes pre-installed.-- If you are using any other SSH client other than Az CLI or Azure Cloud Shell that supports OpenSSH, you will still need to use Az CLI with SSH extension to retrieve ephemeral SSH cert in a config file and then use the config file with your SSH client.
+- SSH client must support OpenSSH based certificates for authentication. You can use Az CLI (2.21.1 or higher) with OpenSSH (included in Windows 10 version 1803 or hiher) or Azure Cloud Shell to meet this requirement.
+- SSH extension for Az CLI. You can install this using `az extension add --name ssh`. You do not need to install this extension when using Azure Cloud Shell as it comes pre-installed.
+- If you are using any other SSH client other than Az CLI or Azure Cloud Shell that supports OpenSSH certificates, you will still need to use Az CLI with SSH extension to retrieve ephemeral SSH cert and optionally a config file and then use the config file with your SSH client.
+- TCP connectivity from the client to either the public or private IP of the VM (ProxyCommand or SSH forwarding to a machine with connectivity also works).
## Enabling Azure AD login in for Linux VM in Azure
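Review bot: typo in the first + line: "hiher" should be "higher" (Windows 10 version 1803 or higher). In the last + line, "TCP connectivity from the client to either the public or private IP of the VM" should name the port (22 by default, or the SSH port the VM is configured with) so readers know which network security group rule to check; mentioning ProxyCommand or SSH forwarding as the way to reach a private IP is a good addition, since it avoids exposing the VM publicly.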
Login to Azure Linux VMs with Azure AD supports exporting the OpenSSH certificat
az ssh config --file ~/.ssh/config -n myVM -g AzureADLinuxVMPreview ```
-Alternatively, you can export the config by specifying just the IP address. Replace the IP address in the example with the public or private IP address for your VM. Type `az ssh config -h` for help on this command.
+Alternatively, you can export the config by specifying just the IP address. Replace the IP address in the example with the public or private IP address (you must bring your own connectivity for private IPs) for your VM. Type `az ssh config -h` for help on this command.
```azurecli az ssh config --file ~/.ssh/config --ip 10.11.123.456
Install the Azure AD extension on your virtual machine scale set.
az vmss extension set --publisher Microsoft.Azure.ActiveDirectory --name Azure ADSSHLoginForLinux --resource-group AzureADLinuxVMPreview --vmss-name myVMSS ```
-Virtual machine scale set usually do not have public IP addresses, so you must have connectivity to them from another machine that can reach their Azure Virtual Network. This example shows how to use the private IP of a virtual machine scale set VM to connect.
+Virtual machine scale set usually do not have public IP addresses, so you must have connectivity to them from another machine that can reach their Azure Virtual Network. This example shows how to use the private IP of a virtual machine scale set VM to connect from a machine in the same virtual network.
```azurecli az ssh vm --ip 10.11.123.456
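Review bot: the context line `az vmss extension set --publisher Microsoft.Azure.ActiveDirectory --name Azure ADSSHLoginForLinux ...` has a space inside the extension name, which looks like a global "AAD" to "Azure AD" text replacement that also hit a code identifier; the extension is `AADSSHLoginForLinux`, and as written the command fails because `ADSSHLoginForLinux` is parsed as a stray positional argument. Worth fixing in the same PR since the hunk touches the surrounding lines. The "(you must bring your own connectivity for private IPs)" addition is good.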
active-directory User Properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/user-properties.md
Previously updated : 05/27/2021 Last updated : 07/26/2021
For guest users in State 2, the **Source** is **Microsoft Account**.
![State 2 guest user after offer redemption](media/user-properties/after-redemption-state2.png)
-For guest users in State 3 and State 4, the **Source** property is set to **Azure Active Directory** or **Windows Server Active Directory**, as described in the next section.
+For guest users in State 3 and State 4, the **Source** property is set to **Azure Active Directory** or **Windows Server AD**, as described in the next section.
## Key properties of the Azure AD B2B collaboration user ### UserType
This property indicates how the user signs in.
- Microsoft account: This user is homed in a Microsoft account and authenticates by using a Microsoft account. This type of sign-in corresponds to State 2. -- Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization. This type of sign-in corresponds to State 3.
+- Windows Server AD: This user is signed in from on-premises Active Directory that belongs to this organization. This type of sign-in corresponds to State 3.
- Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this organization. This type of sign-in corresponds to State 4. > [!NOTE]
active-directory Security Operations User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-user-accounts.md
The log files you use for investigation and monitoring are:
* [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)
-* .[Risky Users log].(../../identity-protection/howto-identity-protection-investigate-risk.md)
+* [Risky Users log](../identity-protection/howto-identity-protection-investigate-risk.md)
-* .[UserRiskEvents log].(../../identity-protection/howto-identity-protection-investigate-risk.md)
+* [UserRiskEvents log](../identity-protection/howto-identity-protection-investigate-risk.md)
From the Azure portal you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
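Review bot: The path change on L198 and L200 is the substantive fix here, not just the removal of the stray periods: this file lives at articles/active-directory/fundamentals/ (per the commit URL), so `../identity-protection/...` resolves to articles/active-directory/identity-protection/, whereas the old `../../identity-protection` pointed outside the active-directory folder; the two-level `../../key-vault/...` on L196 is consistent with that, since key-vault sits at the articles level. Both new bullets link to the same investigate-risk page; if the Risky users and UserRiskEvents reports are covered in separate sections there, add a section anchor to each link so the reader lands on the report the bullet names.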
active-directory Service Accounts Group Managed https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/service-accounts-group-managed.md
Get-ADServiceAccount -Filter *
# To filter results to only gMSAs:
-Get-ADServiceAccount ΓÇôFilter * | where $_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}
+Get-ADServiceAccount ΓÇôFilter * | where-object {$_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}
``` ## Manage gMSAs
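Review bot: The `ΓÇô` before `Filter` on L205 and L206 is a mangled en dash (U+2013), not the ASCII hyphen used on L203; PowerShell tolerates Unicode dashes, but copy-pasted commands and linters do not, so the added line should read `Get-ADServiceAccount -Filter * | Where-Object {$_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}` (also normalising `where-object` to the conventional `Where-Object`). Restoring the `{` that L205 was missing is correct. Since the point of the snippet is to list only gMSAs, consider filtering on the server instead of piping every service account to the client, e.g. `Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"'`, which returns the same set with less load on the domain controller.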
active-directory Migrate From Federation To Cloud Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/migrate-from-federation-to-cloud-authentication.md
To learn how to configure staged rollout, see the [staged rollout interactive gu
## Prerequisites
-Before you begin your migration, ensure that you meet these prerequisites:
+Before you begin your migration, ensure that you meet these prerequisites.
### Required roles
active-directory Manage Certificates For Federated Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md
Azure AD will send an email notification 60, 30, and 7 days before the SAML cert
You can add up to 5 email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.
-You will receive the notification email from aadnotification@microsoft.com. To avoid the email going to your spam location, add this email to your contacts.
+You will receive the notification email from azure-noreply@microsoft.com. To avoid the email going to your spam location, add this email to your contacts.
## Renew a certificate that will soon expire
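Review bot: L218 changes the notification sender to azure-noreply@microsoft.com, but because L217-L218 instruct admins to add the sender to their contacts (effectively allow-listing it), the text should also state whether aadnotification@microsoft.com is retired, so that contact entries or mail-flow rules keyed on the old address can be updated and certificate-expiry warnings are not silently routed to spam. Minor wording: "spam location" on L218 should be "spam folder", and "use the distribution list emails" on L216 would be clearer as "add a distribution list address".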
active-directory My Apps Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/my-apps-deployment-plan.md
Previously updated : 02/29/2020 Last updated : 07/25/2021
active-directory Tutorial Linux Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm.md
ms.devlang: na
na Previously updated : 11/03/2020 Last updated : 07/26/2021
You learn how to:
- An understanding of Managed identities. If you're not familiar with the managed identities for Azure resources feature, see this [overview](overview.md). - An Azure account, [sign up for a free account](https://azure.microsoft.com/free/).-- You also need a Linux Virtual machine that has system assigned managed identities enabled.
+- You also need a Linux Virtual machine that has system assigned managed identities enabled. If you have a VM but need to enable [system assigned managed identities](qs-configure-portal-windows-vm.md) you can do it in the identity section of the virtual machine's properties.
- If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine) ## Grant access
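Review bot: The sentence added on L227 links to qs-configure-portal-windows-vm.md for enabling a system-assigned managed identity, but this tutorial (tutorial-linux-vm-access-arm.md per the commit URL) is about a Linux VM; link the Linux equivalent if one exists, or say explicitly that the portal steps are the same for both OS types so readers are not put off by the page title. Minor: "Linux Virtual machine" should be "Linux virtual machine", and "system assigned managed identities enabled" should be "a system-assigned managed identity enabled" (singular, hyphenated), matching the feature name used in the link text.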
active-directory Pim Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-deployment-plan.md
Title: Deploy Privileged Identity Management (PIM) - Azure AD | Microsoft Docs
-description: Describes how to plan the deployment of Azure AD Privileged Identity Management (PIM).
+ Title: Plan a Privileged Identity Management deployment? - Azure AD | Microsoft Docs
+description: Learn how to deploy Privileged Identity Management (PIM) in your Azure AD organization.
documentationcenter: ''--++ editor: '' - Previously updated : 06/03/2021--+ Last updated : 07/26/2021++
-# Deploy Azure AD Privileged Identity Management (PIM)
+# Plan a Privileged Identity Management deployment
-This article is a step-by-step guide describing how to plan the deployment of Privileged Identity Management (PIM) in your Azure Active Directory (Azure AD) organization. You'll reassign users in high-privileged roles to less powerful built-in or custom roles where possible, and plan for just-in-time role assignments for your most privileged roles. In this article, we make recommendations for both deployment planning and implementation.
+**Privileged Identity Management (PIM)** provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure Active Directory (Azure AD), Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. You can also use PIM with service (SaaS) applications.
-> [!TIP]
-> Throughout this article, you will see items marked as:
->
-> :heavy_check_mark: **Microsoft recommends**
->
-> These are general recommendations, and you should implement them only when they apply to your specific enterprise needs.
+PIM enables you to allow a specific set of actions at a particular scope. Key features include:
-## Licensing requirements
+* Provide **just-in-time** privileged access to resources
-To use Privileged Identity Management, your directory must have one of the following paid or trial licenses. For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md).
+* Assign **eligibility for membership or ownership** of privileged access groups
-- Azure AD Premium P2-- Enterprise Mobility + Security (EMS) E5-- Microsoft 365 Education A5-- Microsoft 365 Enterprise E5
+* Assign **time-bound** access to resources using start and end dates
-## How PIM works
+* Require **approval** to activate privileged roles
-This section provides a review for planning purposes of the relevant portions of the Privileged Identity Management process. For more information, see [What is Azure AD Privileged Identity Management?](pim-configure.md)
+* Enforce **multifactor authentication** to activate any role
-1. Start using Privileged Identity Management so that users are eligible for privileged roles.
-1. When an eligible user needs to use their privileged role, they activate the role using Privileged Identity Management.
-1. The user can be required in settings to:
+* Use **justification** to understand why users activate
- - Use multi-factor authentication
- - Request approval for activation
- - Provide a business reason for activation
+* Get **notifications** when privileged roles are activated
-1. After the user successfully activates their role, they'll have the role permissions for a set duration.
-1. Administrators can view a history of all Privileged Identity Management activities in the audit log. They can also further secure their Azure AD organizations and meet compliance using Privileged Identity Management features such as access reviews and alerts.
+* Conduct **access reviews** to ensure users still need roles
-## Roles that can be managed by PIM
+* Download **audit history** for internal or external audit
-**Azure AD roles** are all in Azure Active Directory (such as Global Administrator, Exchange Administrator, and Security Administrator). You can read more about the roles and their functionality in [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md). For help with determining which roles to assign your administrators, see [least privileged roles by task](../roles/delegate-by-task.md).
+To gain the most from this deployment plan, itΓÇÖs important that you get a complete overview of [What is Privileged Identity Management](pim-configure.md).
-**Azure roles** are roles that are linked to an Azure resource, resource group, subscription, or management group. You can use PIM to provide just-in-time access to built-in Azure roles like Owner, User Access Administrator, and Contributor, and also to [custom roles](../../role-based-access-control/custom-roles.md). For more information about Azure roles, see [Azure role-based access control](../../role-based-access-control/overview.md).
+## Understand PIM
-For more information, see [Roles you can't manage in Privileged Identity Management](pim-roles.md).
+The PIM concepts in this section will help you understand your organizationΓÇÖs privileged identity requirements.
-## Deployment plan
+### What can you manage in PIM
-Before you deploy Privileged Identity Management in your organization, follow the instructions and understand the concepts in this section to help you create a plan tailored to your organizationΓÇÖs privileged identity requirements.
+Today, you can use PIM with:
-### Identify your stakeholders
+* **Azure AD roles** ΓÇô Sometimes referred to as directory roles, Azure AD roles include built-in and custom roles to manage Azure AD and other Microsoft 365 online services.
-The following section helps you identify all the stakeholders that are involved in the project and need to sign out, review, or stay informed. It includes separate tables for deploying PIM for Azure AD roles and PIM for Azure roles. Add stakeholders to the following table as appropriate for your organization.
+* **Azure roles** ΓÇô The role-based access control (RBAC) roles in Azure that grants access to management groups, subscriptions, resource groups, and resources.
-- SO = Sign off on this project-- R = Review this project and provide input-- I = Informed of this project
+* **Privileged Access Groups** ΓÇô To set up just-in-time access to member and owner role of an Azure AD security group. Privileged Access Groups not only gives you an alternative way to set up PIM for Azure AD roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection.
-#### Stakeholders: Privileged Identity Management For Azure AD roles
+You can assign the following to these roles or groups:
-| Name | Role | Action |
-| | | |
-| Name and email | **Identity architect or Azure Global Administrator**<br/>A representative from the identity management team in charge of defining how to align this change with the core identity management infrastructure in your organization. | SO/R/I |
-| Name and email | **Service owner / Line manager**<br/>A representative from the IT owners of a service or a group of services. They're key in making decisions and helping to roll out Privileged Identity Management for their team. | SO/R/I |
-| Name and email | **Security owner**<br/>A representative from the security team who can sign off that the plan meets the security requirements of your organization. | SO/R |
-| Name and email | **IT support manager / Helpdesk**<br/>A representative from the IT support organization who can provide feedback on the supportability of this change from a helpdesk perspective. | R/I |
-| Name and email for pilot users | **Privileged role users**<br/>The group of users for which privileged identity management is implemented. They'll need to know how to activate their roles once Privileged Identity Management is implemented. | I |
+* **Users**- To get just-in-time access to Azure AD roles, Azure roles, and Privileged Access Groups.
-#### Stakeholders: Privileged Identity Management For Azure roles
+* **Groups**- Anyone in a group to get just-in-time access to Azure AD roles and Azure roles. For Azure AD roles, the group must be a newly created cloud group thatΓÇÖs marked as assignable to a role while for Azure roles, the group can be any Azure AD security group. We do not recommend assigning/nesting a group to a Privileged Access Groups.
-| Name | Role | Action |
-| | | |
-| Name and email | **Subscription / Resource owner**<br/>A representative from the IT owners of each subscription or resource that you want to deploy Privileged Identity Management for | SO/R/I |
-| Name and email | **Security owner**<br/>A representative from the security team that can sign off that the plan meets the security requirements of your organization. | SO/R |
-| Name and email | **IT support manager / Helpdesk**<br/>A representative from the IT support organization who can provide feedback on the supportability of this change from a helpdesk perspective. | R/I |
-| Name and email for pilot users | **Azure role users**<br/>The group of users for which privileged identity management is implemented. They'll need to know how to activate their roles once Privileged Identity Management is implemented. | I |
+> [!NOTE]
+>You cannot assign service principals as eligible to Azure AD roles, Azure roles, and Privileged Access groups but you can grant a time limited active assignment to all three.
-### Start using Privileged Identity Management
+### Principle of least privilege
-As part of the planning process, you should prepare Privileged Identity Management by following our [start using Privileged Identity Management](pim-getting-started.md) article. Privileged Identity Management gives you access to some features that are designed to help with your deployment.
+You assign users the role with the [least privileges necessary to perform their tasks](../roles/delegate-by-task.md). This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.
-If your goal is to deploy Privileged Identity Management for Azure resources, you should follow our [discover Azure resources to manage in Privileged Identity Management](pim-resource-roles-discover-resources.md) article. Only owners of subscriptions and management groups can bring these resources under management by Privileged Identity Management. After it is under management, the PIM functionality is available for owners at all levels including management group, subscription, resource group, and resource. If you're a Global Administrator trying to deploy Privileged Identity Management for your Azure resources, you can [elevate access to manage all Azure subscriptions](../../role-based-access-control/elevate-access-global-admin.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json) to give yourself access to all Azure resources in the directory for discovery. However, we advise that you get approval from each of your subscription owners before managing their resources with Privileged Identity Management.
+> [!NOTE]
+> Microsoft has very few Global Administrators. Learn more at [how Microsoft uses Privileged Identity Management](https://www.microsoft.com/itshowcase/Article/Content/887/Using-Azure-AD-Privileged-Identity-Management-for-elevated-access).
-### Enforce principle of least privilege
+### Type of assignments
-It's important to make sure that you've enforced the principle of least privilege in your organization for both your Azure AD and your Azure roles.
+There are two types of assignment ΓÇô **eligible** and **active**. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks.
-#### Plan least privilege delegation
+You can also set a start and end time for each type of assignment. This addition gives you four possible types of assignments:
-For Azure AD roles, it's common for organizations to assign the Global Administrator role to a number of administrators when most administrators only need one or two specific and less-powerful administrator roles. With a large number of Global Administrators or other high-privilege roles, it's hard to track your privileged role assignments closely enough.
+* Permanent eligible
-Follow these steps to implement the principle of least privilege for your Azure AD roles.
+* Permanent active
-1. Understand the granularity of the roles by reading and understanding the available [Azure AD built-in roles](../roles/permissions-reference.md). You and your team should also reference [administrator roles by identity task in Azure AD](../roles/delegate-by-task.md), which explains the least privileged role for specific tasks.
+* Time-bound eligible, with specified start and end dates for assignment
-1. List who has privileged roles in your organization. You can use the Privileged Identity Management [Discovery and insights (preview)](pim-security-wizard.md) to get to reduce your exposure.
+* Time-bound active, with specified start and end dates for assignment
- ![Discovery and insights (preview) page to reduce exposure via privileged roles](./media/pim-deployment-plan/new-preview-page.png)
+In case the role expires, you can **extend** or **renew** these assignments.
-1. For all Global Administrators in your organization, find out why they need the role. Then remove them from the Global Administrator role and assign built-in roles or custom roles with lower privilege inside Azure Active Directory. FYI, Microsoft currently only has about 10 administrators with the Global Administrator role. Learn more at [how Microsoft uses Privileged Identity Management](https://www.microsoft.com/itshowcase/Article/Content/887/Using-Azure-AD-Privileged-Identity-Management-for-elevated-access).
+**We recommend** you keep zero permanently active assignments for roles other than the recommended [two break-glass emergency access accounts](../roles/security-emergency-access.md), which should have the permanent Global Administrator role.
-1. For all other Azure AD roles, review the list of assignments, identify administrators who no longer need the role, and remove them from their assignments.
+## Plan the project
-To automate the last two steps, you can use access reviews in Privileged Identity Management. Following the steps in [start an access review for Azure AD roles in Privileged Identity Management](pim-how-to-start-security-review.md), you can set up an access review for every Azure AD role that has one or more members.
+When technology projects fail, itΓÇÖs typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that youΓÇÖre engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md#include-the-right-stakeholders) and that stakeholder roles in the project are well understood.
-![Create an access review pane for Azure AD roles](./media/pim-deployment-plan/create-access-review.png)
+### Plan a pilot
-Set the reviewers to **Members (self)**. All users in the role will receive an email asking them to confirm that they need the access. Also, turn on **Require reason on approval** in the advanced settings so that users must state why they need the role. Based on this information, you can remove users from unnecessary roles or delegate them to more granular administrator roles.
+At each stage of your deployment ensure that you are evaluating that the results are as expected. See [best practices for a pilot](../fundamentals/active-directory-deployment-plans.md#best-practices-for-a-pilot).
-Access reviews rely on emails to notify people to review their access to the roles. If you have privileged accounts that donΓÇÖt have emails linked, be sure to populate the secondary email field on those accounts. For more information, see [proxyAddresses attribute in Azure AD](https://support.microsoft.com/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad).
+* Start with a small set of users (pilot group) and verify that the PIM behaves as expected.
-#### Plan Azure resource role delegation
+* Verify whether all the configuration you set up for the roles or privileged access groups are working correctly.
-For Azure subscriptions and resources, you can set up a similar Access review process to review the roles in each subscription or resource. The goal of this process is to minimize Owner and User Access Administrator assignments attached to each subscription or resource and to remove unnecessary assignments. However, organizations often delegate such tasks to the owner of each subscription or resource because they have a better understanding of the specific roles (especially custom roles).
+* Roll it to production only after itΓÇÖs thoroughly tested.
-If you're in the Global Administrator role trying to deploy PIM for Azure roles in your organization, you can [elevate access to manage all Azure subscriptions](../../role-based-access-control/elevate-access-global-admin.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json) to get access to each subscription. You can then find each subscription owner and work with them to remove unnecessary assignments and minimize owner role assignment.
+### Plan communications
-Users with the Owner role for an Azure subscription can also use [access reviews for Azure resources](pim-resource-roles-start-access-review.md) to audit and remove unnecessary role assignments similar to the process described earlier for Azure AD roles.
+Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
-### Decide which role assignments should be protected by Privileged Identity Management
+Set up time with your internal IT support to walk them through the PIM workflow. Provide them with the appropriate documentations and your contact information.
-After cleaning up privileged role assignments in your organization, you'll need to decide which roles to protect with Privileged Identity Management.
+## Plan testing and rollback
-If a role is protected by Privileged Identity Management, eligible users assigned to it must elevate to use the privileges granted by the role. The elevation process might also include obtaining approval, using multi-factor authentication, and providing a reason why they're activating. Privileged Identity Management can also track elevations through notifications and the Privileged Identity Management and Azure AD audit event logs.
+> [!NOTE]
+> For Azure AD roles, organizations often test and roll out Global Administrators first, while for Azure resources, they usually test PIM one Azure subscription at a time.
-Choosing which roles to protect with Privileged Identity Management can be difficult and will be different for each organization. This section provides our best practice advice for Azure AD and Azure roles.
+### Plan testing
-#### Azure AD roles
+Create test users to verify PIM settings work as expected before you impact real users and potentially disrupt their access to apps and resources. Build a test plan to have a comparison between the expected results and the actual results.
-It's important to prioritize protecting Azure AD roles that have the most permissions. Based on usage patterns among all Privileged Identity Management customers, the top 10 Azure AD roles managed by Privileged Identity Management are:
+The following table shows an example test case:
-1. Global administrator
-1. Security administrator
-1. User administrator
-1. Exchange administrator
-1. SharePoint administrator
-1. Intune administrator
-1. Security reader
-1. Service administrator
-1. Billing administrator
-1. Skype for Business administrator
+| Role| Expected behavior during activation| Actual results |
+| | | |
+|Global Administrator| <li> Require MFA <br><li> Require Approval <br><li> Approver receives notification and can approve <br><li> Role expires after preset time|
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you manage all your Global Administrators and Security Administrators using Privileged Identity Management as a first step because they are the users who can do the most harm when compromised.
+For both Azure AD and Azure resource role, make sure that youΓÇÖve users represented who will take those roles. In addition, consider the following roles when you test PIM in your staged environment:
-It's important to consider what data and permission are most sensitive for your organization. As an example, some organizations may want to protect their Power BI Administrator role or their Teams Administrator role using Privileged Identity Management as they can access data and change core workflows.
+| Roles| Azure AD roles| Azure Resource roles| Privileged Access Groups |
+| | | | |
+| Member of a group| | | x |
+| Members of a role| x| x| |
+| IT service owner| x| | x |
+| Subscription or resource owner| | x| x |
+| Privileged access group owner| | | x |
-If there are any roles with guest users assigned, they're vulnerable to attack.
+### Plan rollback
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you manage all roles with guest users using Privileged Identity Management to reduce risk associated with compromised guest user accounts.
+If PIM fails to work as desired in the production environment, you can change the role assignment from eligible to active once again. For each role that you’ve configured, select the ellipsis (…) for all users with assignment type as **eligible**. You can then select the **Make active** option to go back and make the role assignment **active**.
-Reader roles like the Directory Reader, Message Center Reader, and Security Reader are sometimes regarded as less important than other roles because they donΓÇÖt have write permission. However, we have some customers who also protect these roles because attackers with access to these accounts might be able to read sensitive data, such as personal data. Take this risk into consideration when deciding whether you want reader roles in your organization to be managed using Privileged Identity Management.
+## Plan and implement PIM for Azure AD roles
-#### Azure roles
+Follow these tasks to prepare PIM to manage Azure AD roles.
-When deciding which role assignments should be managed using Privileged Identity Management for Azure resource, you must first identify the subscriptions/resources that are most vital for your organization. Examples of such subscriptions/resources are:
+### Discover and mitigate privileged roles
-- Resources that host the most sensitive data-- Resources that core, customer-facing applications depend on
+List who has privileged roles in your organization. Review the users assigned, identify administrators who no longer need the role, and remove them from their assignments.
-If you're a Global Administrator having trouble deciding which subscriptions and resources are most important, you should contact subscription owners in your organization to gather a list of resources managed by each subscription. Then, work with the subscription owners to group the resources based on severity level in the case they're compromised (low, medium, high). Prioritize managing resources with Privileged Identity Management based on this severity level.
+You can use [Azure AD roles access reviews](pim-how-to-start-security-review.md) to automate the discovery, review, and approval or removal of assignments.
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you work with subscription/resource owners of critical services to set up Privileged Identity Management workflow for all roles inside sensitive subscriptions/resources.
+### Determine roles to be managed by PIM
-Privileged Identity Management for Azure resources supports time-bound service accounts. You should treat service accounts exactly the same as how you would treat a regular user account.
+Prioritize protecting Azure AD roles that have the most permissions. ItΓÇÖs also important to consider what data and permission are most sensitive for your organization.
-For subscriptions/resources that are not as critical, you wonΓÇÖt need to set up Privileged Identity Management for all roles. However, you should still protect the Owner and User Access Administrator roles with Privileged Identity Management.
+First, ensure that all Global and Security admin roles are managed using PIM because theyΓÇÖre the users who can do the most harm when compromised. Then consider more roles that should be managed that could be vulnerable to attack.
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** that you manage Owner roles and User Access Administrator roles of all subscriptions/resources using Privileged Identity Management.
+### Configure PIM settings for Azure AD roles
-### Decide whether to use a group to assign roles
+[Draft and configure your PIM settings](pim-how-to-change-default-settings.md) for every privileged Azure AD role that your organization uses.
-Whether to assign a role to a group instead of to individual users is a strategic decision. When planning, consider assigning a role to a group to manage role assignments when:
+The following table shows example settings:
-- Many users are assigned to a role-- You want to delegate assigning the role
+| Role| Require MFA| Notification| Incident ticket| Require approval| Approver| Activation duration| Perm admin |
+| | | | | | | | |
+| Global Admin| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other Global Admin| 1 Hour| Emergency access accounts |
+| Exchange Admin| :heavy_check_mark:| :heavy_check_mark:| :x:| :x:| None| 2 Hour| None |
+| Helpdesk Admin| :x:| :x:| :heavy_check_mark:| :x:| None| 8 Hour| None |
-#### Many users are assigned to a role
-Keeping track of who is assigned to a role and managing their assignments based on when they need it can take time when done manually. To assign a group to a role, first [create a role assignable group](../roles/groups-create-eligible.md) and then assign the group as eligible for a role. This action subjects everyone in the group to the same activation process as individual users who are eligible to elevate into the role. Group members activate their assignments to the group individually using the Privileged Identity Management activation request and approval process. The group isn't activated, just the user's group membership.
+### Assign and activate Azure AD roles
-#### You want to delegate assigning the role
+For Azure AD roles in PIM, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in PIM.
-A group owner can manage membership for a group. For Azure AD role-assignable groups, only the Privileged Role Administrator, the Global Administrator, and the group owners can manage group membership. By adding new members to the group, the member gets access to the roles to which the group is assigned whether the assignment is eligible or active. Use group owners to delegate the management of group membership for an assigned role to reduce the breadth of privilege required. For more information about assigning an owner to a group when creating the group, see [Create a role-assignable group in Azure AD](../roles/groups-create-eligible.md).
+Follow the instructions in the links below:
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** that you bring Azure AD role-assignable groups under management by Privileged Identity Management. After a role-assignable group is brought under management by PIM, it's called a privileged access group. Use PIM to require group owners to activate their Owner role assignment before they can manage group membership. For more information about bringing groups under PIM management, see [Bring privileged access groups (preview) into Privileged Identity Management](groups-discover-groups.md).
+1.[Give eligible assignments](pim-how-to-add-role-to-user.md).
-### Decide which role assignments should be permanent or eligible
+2.[Allow eligible users to activate their Azure AD role just-in-time](pim-how-to-activate-role.md)
-Once you have decided the list of roles to be managed by Privileged Identity Management, you must decide which users should get the eligible role versus the permanently active role. Permanently active roles are the normal roles assigned through Azure Active Directory and Azure resources while eligible roles can only be assigned in Privileged Identity Management.
+When role nears its expiration, use [PIM to extend or renew the roles](pim-resource-roles-renew-extend.md). Both user-initiated actions require an approval from a Global administrator or Privileged role administrator. Both user-initiated actions require an approval from a Global administrator or Privileged role administrator.
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you have zero permanently active assignments for both Azure AD roles and Azure roles other than the recommended [two break-glass emergency access accounts](../roles/security-emergency-access.md), which should have the permanent Global Administrator role.
+When these important events occur in Azure AD roles, PIM [sends email notifications and weekly digest emails](pim-email-notifications.md) to privilege administrators depending on the role, event, and notification settings. These emails might also include links to relevant tasks, such activating or renewing a role.
-Even though we recommend zero standing administrator, it is sometimes difficult for organizations to achieve this right away. Here are things to consider when making this decision:
+> [!NOTE]
+>You can also perform these PIM tasks [using the Microsoft Graph APIs for Azure AD roles](pim-apis.md).
-- Frequency of elevation ΓÇô If the user only needs the privileged assignment once, they shouldnΓÇÖt have the permanent assignment. On the other hand, if the user needs the role for their day-to-day job and using Privileged Identity Management would greatly reduce their productivity, they can be considered for the permanent role.-- Cases specific to your organization ΓÇô If the person being given the eligible role is from a distant team or a high-ranking executive to the point that communicating and enforcing the elevation process is difficult, they can be considered for the permanent role.
+### Approve or deny PIM activation requests
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you to set up recurring access reviews for users with permanent role assignments (should you have any). Learn more about recurring access review in the final section of this deployment plan
+A delegated approver receives an email notification when a request is pending for approval. Follow these steps to [approve or deny requests to activate an Azure resource role](pim-resource-roles-approval-workflow.md).
-### Draft your Privileged Identity Management settings
+### View audit history for Azure AD roles
-Before you implement your Privileged Identity Management solution, it is good practice to draft your Privileged Identity Management settings for every privileged role your organization uses. This section has some examples of Privileged Identity Management settings for particular roles (they are only for reference and might be different for your organization). Each of these settings is explained in detail with MicrosoftΓÇÖs recommendations after the tables.
+[View audit history for all role assignments and activations](pim-how-to-use-audit-log.md) within past 30 days for Azure AD roles. You can access the audit logs if you are a Global Administrator or a privileged role administrator.
-#### Privileged Identity Management settings for Azure AD roles
+**We recommend** youΓÇÖve at least one administrator read through all audit events on a weekly basis and export your audit events on a monthly basis.
-| Role | Require MFA | Notification | Incident ticket | Require approval | Approver | Activation Duration | Permanent admin |
-| | :: | :: | :: | :: | :: | :: | :: |
-| Global Administrator | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other Global Administrators | 1 Hour | Emergency access accounts |
-| Exchange Administrator | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | None | 2 Hour | None |
-| Helpdesk Administrator | :x: | :x: | :heavy_check_mark: | :x: | None | 8 Hour | None |
+### Security alerts for Azure AD roles
-#### Privileged Identity Management settings for Azure roles
+[Configure security alerts for the Azure AD roles](pim-how-to-configure-security-alerts.md) which will trigger an alert in case of suspicious and unsafe activity.
-| Role | Require MFA | Notification | Require approval | Approver | Activation duration | Active admin | Active expiration | Eligible expiration |
-| | :: | :: | :: | :: | :: | :: | :: | :: |
-| Owner of critical subscriptions | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other owners of the subscription | 1 Hour | None | n/a | 3 month |
-| User Access Administrator of less critical subscriptions | :heavy_check_mark: | :heavy_check_mark: | :x: | None | 1 Hour | None | n/a | 3 month |
-| Virtual Machine Contributor | :x: | :heavy_check_mark: | :x: | None | 3 Hour | None | n/a | 6 month |
+## Plan and implement PIM for Azure Resource roles
-The following table describes each of the settings.
+Follow these tasks to prepare PIM to manage Azure resource roles.
-| Setting | Description |
-| | |
-| Role | Name of the role you are defining the settings for. |
-| Require MFA | Whether the eligible user needs to perform MFA before activating the role.<br/><br/> :heavy_check_mark: **Microsoft recommends** you enforce MFA for all administrator roles, especially if the roles have guest users. |
-| Notification | If set to true, Global Administrator, Privileged Role Administrator, and Security Administrator in the organization will receive an email notification when an eligible user activates the role.<br/><br/>**Note:** Some organizations donΓÇÖt have an email address tied to their administrator accounts, to get these email notifications, you should go set an alternative email address so administrators will receive these emails. |
-| Incident ticket | Whether the eligible user needs to record an incident ticket number when activating their role. This setting helps an organization identify each activation with an internal incident number to mitigate unwanted activations.<br/><br/> :heavy_check_mark: **Microsoft recommends** taking advantage of incident ticket numbers to tie Privileged Identity Management into your internal system. This method can be useful for approvers who need context for the activation. |
-| Require approval | Whether the eligible user needs to get approval to activate the role.<br/><br/> :heavy_check_mark: **Microsoft recommends** you to set up approval for roles with the most permission. Based on usage patterns of all Privileged Identity Management customers, Global Administrator, User Administrator, Exchange Administrator, Security Administrator, and Password Administrator are the most common roles with approval setup. |
-| Approver | If approval is required to activate the eligible role, list out the people who should approve the request. By default, Privileged Identity Management sets the approver to be all users who are a privileged role administrator whether they are permanent or eligible.<br/><br/>**Note:** If a user is both eligible for an Azure AD role and an approver of the role, they will not be able to approve themselves.<br/><br/> :heavy_check_mark: **Microsoft recommends** that you choose approvers to be users who are most knowledgeable about the role and its frequent users rather than a Global Administrator. |
-| Activation duration | The length of time a user will be activated in the role before it will expire. |
-| Permanent admin | List of users who will be a permanent administrator for the role (never have to activate).<br/><br/> :heavy_check_mark: **Microsoft recommends** you have zero standing administrator for all roles except for Global Administrators. Read more about it in the who should be made eligible and who should be permanently active section of this plan. |
-| Active admin | For Azure resources, active administrator is the list of users who will never have to activate to use the role. This list is not referred to as permanent administrator like in Azure AD roles because you can set an expiration time for when the user will lose this role. |
-| Active expiration | Active role assignments for Azure roles expire after the configured duration. You can choose from 15 days, 1 month, 3 month, 6 month, 1 year or permanently active. |
-| Eligible expiration | Eligible role assignments for Azure roles expire after this duration. You can choose from 15 days, 1 month, 3 month, 6 month, 1 year or permanently eligible. |
+### Discover and mitigate privileged roles
-## Implementation plan
+Minimize Owner and User Access Administrator assignments attached to each subscription or resource and remove unnecessary assignments.
-The foundation of proper planning is the basis upon which you can deploy an application successfully with Azure Active Directory. It provides intelligent security and integration that simplifies onboarding while reducing the time for successful deployments. This combination ensures that your application is integrated with ease while mitigating down time for your end users.
+As a Global Administrator you can [elevate access to manage all Azure subscriptions](/azure/role-based-access-control/elevate-access-global-admin). You can then find each subscription owner and work with them to remove unnecessary assignments within their subscriptions.
-### Identify test users
+Use [access reviews for Azure resources](pim-resource-roles-start-access-review.md) to audit and remove unnecessary role assignments.
-Use this section to identify a set of users and or groups of users to validate the implementation. Based on the settings that you selected in the planning section, identify the users that you want to test for each role.
+### Determine roles to be managed by PIM
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you make service owners of each Azure AD role to be the test users so they can become familiar with the process and become an internal advocator for the roll out.
+When deciding which role assignments should be managed using PIM for Azure resource, you must first identify the [management groups](/azure/governance/management-groups/overview), subscriptions, resource groups, and resources that are most vital for your organization. Consider using management groups to organize all their resources within their organization.
-In this table, identify the test users who will verify that the settings for the roles are working.
+**We recommend** you manage all Subscription Owner and User Access Administrator roles using PIM.
-| Role name | Test users |
-| | |
-| &lt;Role name&gt; | &lt;Users to test the role&gt; |
-| &lt;Role name&gt; | &lt;Users to test the role&gt; |
+Work with Subscription owners to document resources managed by each subscription and classify the risk level of each resource if compromised. Prioritize managing resources with PIM based on risk level. This also includes custom resources attached to the subscription.
-### Test implementation
+**We also recommend** you work with Subscription or Resource owners of critical services to set up PIM workflow for all the roles inside sensitive subscriptions or resources.
-Now that you have identified the test users, use this step to configure Privileged Identity Management for your test users. If your organization wants to incorporate Privileged Identity Management workflow into your own internal application instead of using Privileged Identity Management in the Azure portal, all the operations in Privileged Identity Management are also supported through our [graph API](/graph/api/resources/privilegedidentitymanagement-root).
+For subscriptions or resources that arenΓÇÖt as critical, you wonΓÇÖt need to set up PIM for all roles. However, you should still protect the Owner and User Access Administrator roles with PIM.
-#### Configure Privileged Identity Management for Azure AD roles
+### Configure PIM settings for Azure Resource roles
-1. [Configure the Azure AD role settings](pim-how-to-change-default-settings.md) based on what you planned.
+[Draft and configure settings](pim-resource-roles-configure-role-settings.md) for the Azure Resource roles that youΓÇÖve planned to protect with PIM.
-1. Navigate to **Azure AD roles**, select **Roles**, and then select the role you configured.
+The following table shows example settings:
-1. For the group of test users, if they are already a permanent administrator, you can make them eligible by searching for them and converting them from permanent to eligible by selecting the three dots on their row. If they donΓÇÖt have the role assignments yet, you can [make a new eligible assignment](pim-how-to-add-role-to-user.md).
+| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration|
+| | | | | | | |||
+| Owner of critical subscriptions| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the subscription| 1 Hour| None| n/a| 3 months |
+| User Access Administrator of less critical subscriptions| :heavy_check_mark:| :heavy_check_mark:| :x:| None| 1 Hour| None| n/a| 3 months |
-1. Repeat steps 1-3 for each role that you want to test.
+### Assign and activate Azure Resource role
-1. Once you have set up the test users, you should send them the link for how to [activate their Azure AD role](pim-how-to-activate-role.md).
+For Azure resource roles in PIM, only an owner or User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles.
-#### Configure Privileged Identity Management for Azure roles
+Follow the instructions in the links below:
-1. [Configure the Azure resource role settings](pim-resource-roles-configure-role-settings.md) for a role inside a subscription or resource that you want to test.
+1.[Give eligible assignments](pim-resource-roles-assign-roles.md)
-1. Navigate to **Azure resources** for that subscription and select **Roles**, select the role you configured.
+2.[Allow eligible users to activate their Azure roles just-in-time](pim-resource-roles-activate-your-roles.md)
-1. For the group of test users, if they are already an active administrator, you can make them eligible by searching for them and [update their role assignment](pim-resource-roles-assign-roles.md#update-or-remove-an-existing-role-assignment). If they donΓÇÖt have the role yet, you can [assign a new role](pim-resource-roles-assign-roles.md#assign-a-role).
+When privileged role assignment nears its expiration, [use PIM to extend or renew the roles](pim-resource-roles-renew-extend.md). Both user-initiated actions require an approval from the resource owner or User Access administrator.
-1. Repeat steps 1-3 for all the roles you want to test.
+When these important events occur in Azure resource roles, PIM sends [email notifications](pim-email-notifications.md) to Owners and Users Access Administrators. These emails might also include links to relevant tasks, such activating or renewing a role.
-1. Once you have set up the test users, you should send them the link for how to [activate their Azure resource role](pim-resource-roles-activate-your-roles.md).
+>[!NOTE]
+>You can also perform these PIM tasks [using the Microsoft Azure Resource Manager APIs for Azure resource roles](pim-apis.md).
-You should use this stage to verify whether all the configuration you set up for the roles are working correctly. Use the following table to document your tests. You should also use this stage to optimize the communication with affected users.
+### Approve or deny PIM activation requests
-| Role | Expected behavior during activation | Actual results |
-| | | |
-| Global Administrator | (1) Require MFA<br/>(2) Require Approval<br/>(3) Approver receives notification and can approve<br/>(4) Role expires after preset time | |
-| Owner of subscription *X* | (1) Require MFA<br/>(2) eligible assignment expires after configured time period | |
+[Approve or deny activation requests for Azure AD role](azure-ad-pim-approval-workflow.md)- A delegated approver receives an email notification when a request is pending for approval.
-### Communicate Privileged Identity Management to affected stakeholders
+### View audit history for Azure Resource roles
-Deploying Privileged Identity Management will introduce additional steps for users of privileged roles. Although Privileged Identity Management greatly reduces security issues associated with privileged identities, the change needs to be effectively communicated before the organization-wide deployment. Depending on the number of impacted administrators, organizations often elect to create an internal document, a video, or an email about the change. Frequently included in these communications include:
+[View audit history for all assignments and activations](azure-pim-resource-rbac.md) within past 30 days for Azure resource roles.
-- What is PIM-- What is the benefit for the organization-- Who will be affected-- When will PIM be rolled out-- What additional steps will be required for users to activate their role
- - You should send links to our documentation:
- - [Activate Azure AD roles](pim-how-to-activate-role.md)
- - [Activate Azure roles](pim-resource-roles-activate-your-roles.md)
-- Contact information or helpdesk link for any issues associated with PIM
+### Security alerts for Azure Resource roles
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you to set up time with your helpdesk/support team to walk them through the Privileged Identity Management workflow (if your organization has an internal IT support team). Provide them with the appropriate documentations as well as your contact information.
+[Configure security alerts for the Azure resource roles](pim-resource-roles-configure-alerts.md) which will trigger an alert in case of any suspicious and unsafe activity.
-### Move to production
+## Plan and implement PIM for privileged access groups
-Once your testing is complete and successful, move Privileged Identity Management to production by repeating all the steps in the testing phases for all the users of each role you defined in your Privileged Identity Management configuration. For Privileged Identity Management for Azure AD roles, organizations often test and roll out Privileged Identity Management for Global Administrators before testing and rolling out Privileged Identity Management for other roles. Meanwhile for Azure resource, organizations normally test and roll out Privileged Identity Management one Azure subscription at a time.
+Follow these tasks to prepare PIM to manage privileged access groups.
-### If a rollback is needed
+### Discover privileged access groups
-If Privileged Identity Management failed to work as desired in the production environment, the following rollback steps can assist you to revert back to a known good state before setting up Privileged Identity Management:
+It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They will have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.
-#### Azure AD roles
+In this case, you should use privileged access groups. Create a privileged access group and grant it permanent active access to multiple roles. See [privileged access groups management capabilities](groups-features.md).
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Open **Azure AD Privileged Identity Management**.
-1. Select **Azure AD roles** and then select **Roles**.
-1. For each role that you have configured, select the ellipsis (**...**) for all users with an eligible assignment.
-1. Select the **Make permanent** option to make the role assignment permanent.
+To manage an Azure AD role-assignable group as a privileged access group, you must [bring it under management in PIM](groups-discover-groups.md).
-#### Azure roles
+### Configure PIM settings for privileged access groups
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Open **Azure AD Privileged Identity Management**.
-1. Select **Azure resources** and then select a subscription or resource you want to roll back.
-1. Select **Roles**.
-1. For each role that you have configured, select the ellipsis (**...**) for all users with an eligible assignment.
-1. Select the **Make permanent** option to make the role assignment permanent.
+[Draft and configure settings](groups-role-settings.md) for the privileged access groups that youΓÇÖve planned to protect with PIM.
-## Next steps after deploying
+The following table shows example settings:
-Successfully deploying Privileged Identity Management in production is a significant step forward in terms of securing your organizationΓÇÖs privileged identities. With the deployment of Privileged Identity Management comes additional Privileged Identity Management features that you should use for security and compliance.
+| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration |
+| | | | | | | |||
+| Owner| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the resource| 1 Hour| None| n/a| 3 months |
+| Member| :heavy_check_mark:| :heavy_check_mark:| :x:| None| 5 Hour| None| n/a| 3 months |
-### Use Privileged Identity Management alerts to safeguard your privileged access
+### Assign eligibility for privileged access groups
-For more information on using Privileged Identity ManagementΓÇÖs built-in alerting functionality to safeguard your organization, see [security alerts](pim-how-to-configure-security-alerts.md#security-alerts). These alerts include: administrators arenΓÇÖt using privileged roles, roles are being assigned outside of Privileged Identity Management, roles are being activated too frequently and more. To fully protect your organization, you should regularly go through your list of alerts and fix the issues. You can view and fix your alerts the following way:
+You can [assign eligibility to members or owners of the privileged access groups.](groups-assign-member-owner.md) With just one activation, they will have access to all the linked resources.
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Open **Azure AD Privileged Identity Management**.
-1. Select **Azure AD roles** and then select **Alerts**.
+>[!NOTE]
+>You can assign the privileged group to one or more Azure AD and Azure resource roles in the same way as you assign roles to users. A maximum of 250 role-assignable groups can be created in a single Azure AD organization (tenant).
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you deal with all alerts marked with high severity immediately. For medium and low severity alerts, you should stay informed and make changes if you believe there is a security threat.
+![Assign eligibility for privileged access groups](media/pim-deployment-plan/privileged-access-groups.png)
-If any of the specific alerts arenΓÇÖt useful or does not apply to your organization, you can always dismiss the alert on the alerts page. You can always revert this dismissal later in the Azure AD settings page.
-### Set up recurring access reviews to regularly audit your organizationΓÇÖs privileged identities
+When privileged group assignment nears its expiration, use [PIM to extend or renew the group assignment](groups-renew-extend.md). YouΓÇÖll require an approval from the group owner.
-Access reviews are the best way for you to ask users assigned with privileged roles or specific reviewers whether each user need the privileged identity. Access reviews are great if you want to reduce attack surface and stay compliant. For more information about starting an access review, see [Azure AD roles access reviews](pim-how-to-start-security-review.md) and [Azure roles access reviews](pim-resource-roles-start-access-review.md). For some organizations, performing periodic access review is required to stay compliant with laws and regulations while for others, access review is the best way to enforce the principal of least privilege throughout your organization.
+### Approve or deny PIM activation request
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you set up quarterly access reviews for all your Azure AD and Azure roles.
+Configure privileged access group members and owners to require approval for activation and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each group to reduce workload for the privileged role administrator.
-In most cases, the reviewer for Azure AD roles is the users themselves while the reviewer for Azure roles is the owner of the subscription, which the role is in. However, it is often the case where companies have privileged accounts that are not linked with any particular personΓÇÖs email address. In those cases, no one reads and reviews the access.
+[Approve or deny role activation requests for Privileged Access groups](groups-approval-workflow.md). As a delegated approver, you'll receive an email notification when a request is pending for your approval.
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you add a secondary email address for all accounts with privileged role assignments that are not linked to a regularly checked email address
+### View audit history for privileged access groups
-### Get the most out of your audit log to improve security and compliance
+[View audit history for all assignments and activations](groups-audit.md) within past 30 days for privileged access groups.
-The Audit log is the place where you can stay up-to-date and be compliant with regulations. Privileged Identity Management currently stores a 30-day history of all your organizationΓÇÖs history inside its audit log including:
+## Next steps
-- Activation/deactivation of eligible roles-- Role assignment activities inside and outside of Privileged Identity Management-- Changes in role settings-- Request/approve/deny activities for role activation with approval setup-- Update to alerts
+* If there is PIM-related issues, see [Troubleshooting a problem with PIM](pim-troubleshoot.md).
-You can access the audit logs if you are a Global Administrator or a privileged role administrator. For more information, see [audit history for Azure AD roles](pim-how-to-use-audit-log.md) and [audit history for Azure roles](azure-pim-resource-rbac.md).
+* [Deploy other identity features](../fundamentals/active-directory-deployment-plans.md)
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you to have at least one administrator read through all audit events on a weekly basis and export your audit events on a monthly basis.
+
-If you want to automatically store your audit events for a longer period of time, Privileged Identity ManagementΓÇÖs audit log is automatically synced into the [Azure AD audit logs](../reports-monitoring/concept-audit-logs.md).
+
-> [!TIP]
-> :heavy_check_mark: **Microsoft recommends** you to set up [Azure log monitoring](../reports-monitoring/concept-activity-logs-azure-monitor.md) to archive audit events in an Azure storage account for greater security and compliance.
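Review bot: the two "Approve or deny PIM activation requests" sections point at each other's workflow. The Azure AD roles section links `pim-resource-roles-approval-workflow.md` with the text "approve or deny requests to activate an Azure resource role", while the Azure resource roles section links `azure-ad-pim-approval-workflow.md` with the text "Approve or deny activation requests for Azure AD role"; swap the two link targets and texts so each section describes its own role type. The same mix-up appears in the Azure AD roles paragraph "When role nears its expiration, use [PIM to extend or renew the roles](pim-resource-roles-renew-extend.md)", which links the resource-roles renewal doc from the Azure AD section and repeats the sentence "Both user-initiated actions require an approval from a Global administrator or Privileged role administrator" twice; drop the duplicate, add the article ("When a role nears") and check the link target. On substance, this rewrite removes the guidance to keep zero permanently active assignments apart from the two break-glass emergency access accounts, the rollback procedure, the quarterly access-review recommendation and the advice to archive audit events via Azure log monitoring, without replacing them; at minimum the break-glass and zero-standing-access guidance should be carried over, since the new text "Create a privileged access group and grant it permanent active access to multiple roles" reads as a recommendation for standing privilege unless it says explicitly that members only gain those roles through a PIM-gated membership activation (as the later "Assign eligibility for privileged access groups" section describes) and that the group Owner role should itself require activation, which the removed tip covered. Formatting: the list items "1.[Give eligible assignments]" and "2.[Allow eligible users to activate...]" (both in the Azure AD and the Azure resource sections) lack the space after the marker and will not render as ordered lists; "such activating or renewing a role" should read "such as activating or renewing a role" (twice); "youΓÇÖve at least one administrator read through" should be "you have at least one administrator read through"; "Consider using management groups to organize all their resources within their organization" should address the reader ("your resources"); "If there is PIM-related issues" should be "If there are"; and "Azure Resource roles" / "Azure resource roles" capitalization is inconsistent across headings.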
active-directory Alertops Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/alertops-tutorial.md
Previously updated : 05/20/2019 Last updated : 07/23/2021
In this tutorial, you'll learn how to integrate AlertOps with Azure Active Direc
* Enable your users to be automatically signed-in to AlertOps with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. AlertOps supports **SP and IDP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* AlertOps supports **SP and IDP** initiated SSO.
-## Adding AlertOps from the gallery
+## Add AlertOps from the gallery
To configure the integration of AlertOps into Azure AD, you need to add AlertOps from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **AlertOps** in the search box. 1. Select **AlertOps** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for AlertOps
-Configure and test Azure AD SSO with AlertOps using a test user called **Britta Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AlertOps.
+Configure and test Azure AD SSO with AlertOps using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AlertOps.
-To configure and test Azure AD SSO with AlertOps, complete the following building blocks:
+To configure and test Azure AD SSO with AlertOps, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure AlertOps](#configure-alertops)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create AlertOps test user](#create-alertops-test-user)** to have a counterpart of Britta Simon in AlertOps that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure AlertOps SSO](#configure-alertops-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create AlertOps test user](#create-alertops-test-user)** - to have a counterpart of B.Simon in AlertOps that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **AlertOps** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **AlertOps** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure AlertOps
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called Britta Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `Britta Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to AlertOps.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **AlertOps**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **Britta Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure AlertOps SSO
1. To automate the configuration within AlertOps, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
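Review bot: The test user name is inconsistent within this change. The overview (`...using a test user called **B.Simon**`) and the new step list (`to test Azure AD single sign-on with B.Simon`) use B.Simon, but the added "Create an Azure AD test user" and "Assign the Azure AD test user" sections still say `Britta Simon` and `BrittaSimon@contoso.com`. Suggest `B.Simon` and `B.Simon@contoso.com` here, as the Hornbill change in this same update already does, so the user created in the portal matches the one the step list tells the reader to assign and test with.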
Follow these steps to enable Azure AD SSO in the Azure portal.
4. Click on the **Account settings** from the left navigation panel.
- ![Screenshot shows the AlertOps menu with Account Settings called out.](./media/alertops-tutorial/configure1.png)
+ ![Screenshot shows the AlertOps menu with Account Settings called out.](./media/alertops-tutorial/settings.png)
5. On the **Subscription Settings** page select **SSO** and perform the following steps:
- ![Screenshot shows the Subscription Settings window for S S O with values entered as described in this step.](./media/alertops-tutorial/configure2.png)
+ ![Screenshot shows the Subscription Settings window for S S O with values entered as described in this step.](./media/alertops-tutorial/configuration.png)
a. Select **Use Single Sign-On(SSO)** checkbox.
Follow these steps to enable Azure AD SSO in the Azure portal.
g. Open your downloaded Certificate(Base64) file in Notepad. Copy the content of it into your clipboard, and then paste it to the X.509 Certificate text box.
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called Britta Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `Britta Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to AlertOps.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **AlertOps**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **Britta Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create AlertOps test user 1. In a different browser window, sign in to your AlertOps company site as administrator. 2. Click on the **Users** from the left navigation panel.
- ![Screenshot shows the AlertOps menu with Users called out.](./media/alertops-tutorial/user1.png)
+ ![Screenshot shows the AlertOps menu with Users called out.](./media/alertops-tutorial/user.png)
3. Select **Add User**.
- ![Screenshot shows the Users window with the Add User button.](./media/alertops-tutorial/user2.png)
+ ![Screenshot shows the Users window with the Add User button.](./media/alertops-tutorial/add-user.png)
4. On the **Add User** dialog, perform the following steps:
- ![Screenshot shows the Add Users pane with values entered as described in this step.](./media/alertops-tutorial/user3.png)
+ ![Screenshot shows the Add Users pane with values entered as described in this step.](./media/alertops-tutorial/add-values.png)
a. In the **Login User Name** textbox, enter the user name of the user like **Brittasimon**.
In this section, you'll enable Britta Simon to use Azure single sign-on by grant
g. Select **Add**.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to AlertOps Sign on URL where you can initiate the login flow.
+
+* Go to AlertOps Sign-on URL directly and initiate the login flow from there.
-When you select the AlertOps tile in the Access Panel, you should be automatically signed in to the AlertOps for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the AlertOps for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the AlertOps tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AlertOps for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure AlertOps you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
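Review bot: The added "Next steps" paragraph still carries a mis-encoded apostrophe (`organizationΓÇÖs`); it should read `organization's`. While touching the "Test SSO" text, the My Apps sentence ("if configured in SP mode you would be redirected ... and if configured in IDP mode, you should be automatically signed in") is a run-on; splitting it into one sentence per mode would read more clearly.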
active-directory Citrix Cloud Saml Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/citrix-cloud-saml-sso-tutorial.md
Previously updated : 07/16/2021 Last updated : 07/22/2021
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
a. In the **Entity ID** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.
- b. In the **Sign Authentication Request**, select **Yes** to allow Citrix Cloud to Sign authentication requests.
+ b. In the **Sign Authentication Request**, select **No**.
c. In the **SSO Service URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
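Review bot: Step b reverses the previous guidance (**Yes** to **No** for **Sign Authentication Request**) without saying why. Add one sentence giving the reason, for example that the Azure AD side in this tutorial is not set up to verify the Citrix Cloud request signature, so readers who already enabled signing under the old text know whether they need to switch it off and what, if anything, they lose by doing so.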
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
f. Upload the **Certificate (PEM)** from the Azure portal into the **X.509 Certificate** section.
- g. In the **Authentication Context**, select **Unspecified** and **Minimum** from the dropdown.
+ g. In the **Authentication Context**, select **Unspecified** and **Exact** from the dropdown.
h. Click **Test and Finish**.
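Review bot: Step g changes the comparison from **Minimum** to **Exact** with no explanation. In SAML, an Exact comparison only succeeds when the AuthnContextClassRef in the response matches the requested class exactly, so a short note on why **Unspecified** plus **Exact** is the right pairing for Azure AD responses would help readers troubleshoot a failed **Test and Finish** instead of guessing.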
active-directory Fortigate Ssl Vpn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal:
1. On the **Set up Single Sign-On with SAML** page, enter the following values: a. In the **Sign on URL** box, enter a URL in the pattern
- `https://<FQDN>/remote/login`.
+ `https://<FQDN>/remote/saml/login`.
b. In the **Identifier** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/metadata/`.
+ `https://<FQDN>/remote/saml/metadata`.
c. In the **Reply URL** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/login/`.
+ `https://<FQDN>/remote/saml/login`.
d. In the **Logout URL** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/logout/`.
+ `https://<FQDN>/remote/saml/logout`.
> [!NOTE] > These values are just patterns. You need to use the actual **Sign on URL**, **Identifier**, **Reply URL**, and **Logout URL**. Contact [Fortinet support](https://support.fortinet.com) for guidance. You can also refer to the example patterns shown in the Fortinet documentation and the **Basic SAML Configuration** section in the Azure portal.
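Review bot: The edits to steps b, c and d remove trailing slashes from the Identifier, Reply URL and Logout URL patterns, and step a changes the Sign on URL path. Azure AD matches the Identifier (entity ID) and Reply URL (assertion consumer service URL) against what the FortiGate sends as exact strings, so a trailing-slash mismatch is enough to break sign-in. The existing NOTE should say that these values must match the entity ID and ACS URL configured on the FortiGate character for character, rather than only pointing readers to Fortinet support.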
active-directory Hornbill Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hornbill-tutorial.md
Previously updated : 02/15/2019 Last updated : 07/23/2021 # Tutorial: Azure Active Directory integration with Hornbill
-In this tutorial, you learn how to integrate Hornbill with Azure Active Directory (Azure AD).
-Integrating Hornbill with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Hornbill with Azure Active Directory (Azure AD). When you integrate Hornbill with Azure AD, you can:
-* You can control in Azure AD who has access to Hornbill.
-* You can enable your users to be automatically signed-in to Hornbill (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Hornbill.
+* Enable your users to be automatically signed-in to Hornbill with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Hornbill, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Hornbill single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Hornbill single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To configure Azure AD integration with Hornbill, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Hornbill supports **SP** initiated SSO
-* Hornbill supports **Just In Time** user provisioning
+* Hornbill supports **SP** initiated SSO.
+* Hornbill supports **Just In Time** user provisioning.
-## Adding Hornbill from the gallery
+## Add Hornbill from the gallery
To configure the integration of Hornbill into Azure AD, you need to add Hornbill from the gallery to your list of managed SaaS apps.
-**To add Hornbill from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Hornbill** in the search box.
+1. Select **Hornbill** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-4. In the search box, type **Hornbill**, select **Hornbill** from result panel then click **Add** button to add the application.
+## Configure and test Azure AD SSO for Hornbill
- ![Hornbill in the results list](common/search-new-app.png)
+Configure and test Azure AD SSO with Hornbill using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Hornbill.
-## Configure and test Azure AD single sign-on
+To configure and test Azure AD SSO with Hornbill, perform the following steps:
-In this section, you configure and test Azure AD single sign-on with Hornbill based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Hornbill needs to be established.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Hornbill SSO](#configure-hornbill-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Hornbill test user](#create-hornbill-test-user)** - to have a counterpart of B.Simon in Hornbill that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure and test Azure AD single sign-on with Hornbill, you need to complete the following building blocks:
+## Configure Azure AD SSO
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Hornbill Single Sign-On](#configure-hornbill-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Hornbill test user](#create-hornbill-test-user)** - to have a counterpart of Britta Simon in Hornbill that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-### Configure Azure AD single sign-on
+1. In the Azure portal, on the **Hornbill** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
-To configure Azure AD single sign-on with Hornbill, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **Hornbill** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
+4. On the **Basic SAML Configuration** section, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/lib/saml/auth/simplesaml/module.php/saml/sp/metadata.php/saml`
- ![Single sign-on select mode](common/select-saml-option.png)
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/`
-3. On the **Set-up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Hornbill Client support team](https://www.hornbill.com/support/?request/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![The Certificate download link](common/copy-metadataurl.png)
- ![Hornbill Domain and URLs single sign-on information](common/sp-identifier.png)
+### Create an Azure AD test user
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/`
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/lib/saml/auth/simplesaml/module.php/saml/sp/metadata.php/saml`
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Hornbill Client support team](https://www.hornbill.com/support/?request/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+### Assign the Azure AD test user
-5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Hornbill.
- ![The Certificate download link](common/copy-metadataurl.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Hornbill**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Hornbill Single Sign-On
+## Configure Hornbill SSO
1. In a different web browser window, log in to Hornbill as a Security Administrator. 2. On the Home page, click **System**.
- ![Hornbill system](./media/hornbill-tutorial/tutorial_hornbill_system.png)
+ ![Hornbill system](./media/hornbill-tutorial/system.png "Hornbill system")
3. Navigate to **Security**.
- ![Hornbill security](./media/hornbill-tutorial/tutorial_hornbill_security.png)
+ ![Hornbill security](./media/hornbill-tutorial/security.png "Hornbill security")
4. Click **SSO Profiles**.
- ![Hornbill single](./media/hornbill-tutorial/tutorial_hornbill_sso.png)
+ ![Hornbill single](./media/hornbill-tutorial/profile.png "Hornbill single")
5. On the right side of the page, click on **Add logo**.
- ![Hornbill add](./media/hornbill-tutorial/tutorial_hornbill_addlogo.png)
+ ![Hornbill add](./media/hornbill-tutorial/add-logo.png "Hornbill add")
6. On the **Profile Details** bar, click on **Import SAML Meta logo**.
- ![Hornbill logo](./media/hornbill-tutorial/tutorial_hornbill_logo.png)
+ ![Hornbill logo](./media/hornbill-tutorial/logo.png "Hornbill logo")
7. On the Pop-up page in the **URL** text box, paste the **App Federation Metadata Url**, which you have copied from Azure portal and click **Process**.
- ![Hornbill process](./media/hornbill-tutorial/tutorial_hornbill_process.png)
+ ![Hornbill process](./media/hornbill-tutorial/process.png "Hornbill process")
8. After clicking process the values get auto populated automatically under **Profile Details** section.
- ![Hornbill page1](./media/hornbill-tutorial/tutorial_hornbill_ssopage.png)
+ ![Hornbill page1](./media/hornbill-tutorial/page.png "Hornbill page1")
- ![Hornbill page2](./media/hornbill-tutorial/tutorial_hornbill_ssopage1.png)
+ ![Hornbill page2](./media/hornbill-tutorial/services.png "Hornbill page2")
- ![Hornbill page3](./media/hornbill-tutorial/tutorial_hornbill_ssopage2.png)
+ ![Hornbill page3](./media/hornbill-tutorial/details.png "Hornbill page3")
9. Click **Save Changes**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Hornbill.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Hornbill**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Hornbill**.
-
- ![The Hornbill link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Hornbill test user In this section, a user called Britta Simon is created in Hornbill. Hornbill supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hornbill, a new one is created after authentication.
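Review bot: UI label casing is inconsistent inside this hunk. The new steps 1 to 3 say `select **single sign-on**`, `**Select a single sign-on method**` and `**Set up single sign-on with SAML**`, while step 5 in the same section keeps `**Set up Single Sign-On with SAML**`, and the AlertOps and Kallidus changes in this update use `**Single sign-on**` / `**Set up Single Sign-On with SAML**`. Pick one form (the portal's capitalisation, as used elsewhere in the update) so readers searching the page for the label find it. Minor: step 5 has a mid-sentence capital in "page, In the **SAML Signing Certificate** section", and step 8's "get auto populated automatically" is redundant.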
In this section, a user called Britta Simon is created in Hornbill. Hornbill sup
> [!Note] > If you need to create a user manually, contact [Hornbill Client support team](https://www.hornbill.com/support/?request/).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Hornbill tile in the Access Panel, you should be automatically signed in to the Hornbill for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Hornbill Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Hornbill Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Hornbill tile in the My Apps, this will redirect to Hornbill Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Hornbill you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
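Review bot: The new "Next steps" paragraph contains the mis-encoded apostrophe `organizationΓÇÖs`; it should be `organization's`. The "Test SSO" list correctly offers only SP-initiated options, which matches the "Hornbill supports **SP** initiated SSO" statement added in the scenario description earlier in this change.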
active-directory Icims Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/icims-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
`icims.com` c. In the **Reply URL** text box, type the URL:
- `https://.icims.com/`
+ `https://*.icims.com/*`
> [!NOTE] > The Sign on URL value is not real. Update this value with the actual Sign on URL. Contact [ICIMS Client support team](https://www.icims.com/contact-us) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
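Review bot: The new Reply URL `https://*.icims.com/*` is a wildcard on both host and path, which means Azure AD will post the signed assertion to any host under `icims.com` at any path that the authentication request names. The NOTE below only says the Sign on URL is not real; it should also tell readers to replace the wildcard with the exact Reply URL their ICIMS tenant uses once they have it from ICIMS support, and to keep the wildcard only if ICIMS confirms it is required.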
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure ICIMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure ICIMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
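Review bot: The removed and added lines in this hunk are identical as rendered, so the actual change (most likely whitespace or encoding) is not visible, and the `+` line still shows the mis-encoded `organizationΓÇÖs`. If the intent was to fix the apostrophe, the added line should read `organization's`; if it was a whitespace change, say so in the commit so reviewers are not left comparing two identical lines.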
active-directory Kallidus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kallidus-tutorial.md
Previously updated : 07/05/2019 Last updated : 07/23/2021
In this tutorial, you'll learn how to integrate Kallidus with Azure Active Direc
* Enable your users to be automatically signed-in to Kallidus with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
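Review bot: The second removed line reads `## Prerequisites To get started, you need the following items:`, so the `## Prerequisites` heading appears to be deleted along with the "To learn more about SaaS app integration" link, and the next hunk's context starts directly with "To get started, you need the following items:". Confirm that the heading survives in the file; if only the link paragraph and a blank line were meant to go, the heading needs to be kept.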
To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Kallidus supports **IDP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Kallidus supports **IDP** initiated SSO.
-## Adding Kallidus from the gallery
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Kallidus from the gallery
To configure the integration of Kallidus into Azure AD, you need to add Kallidus from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Kallidus** in the search box. 1. Select **Kallidus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Kallidus
Configure and test Azure AD SSO with Kallidus using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kallidus.
-To configure and test Azure AD SSO with Kallidus, complete the following building blocks:
+To configure and test Azure AD SSO with Kallidus, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure Kallidus](#configure-kallidus)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
-5. **[Create Kallidus test user](#create-kallidus-test-user)** to have a counterpart of B.Simon in Kallidus that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Kallidus SSO](#configure-kallidus-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Kallidus test user](#create-kallidus-test-user)** - to have a counterpart of B.Simon in Kallidus that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Kallidus** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Kallidus** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
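Review bot: The sub-steps in the new steps list ("Create an Azure AD test user", "Assign the Azure AD test user", "Create Kallidus test user") appear indented by a single space after the `+`; a nested ordered item needs at least three spaces of indentation to render as a sub-step rather than as a sibling of "Configure Azure AD SSO", so check the indentation in the source file, since the rendered diff collapses whitespace. The anchors themselves are consistent with the renamed headings later in this file ("#configure-kallidus-sso" matches "## Configure Kallidus SSO" and "#test-sso" matches "## Test SSO").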
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/copy-metadataurl.png)
-### Configure Kallidus
-
-To configure single sign-on on **Kallidus** side, you need to send the **App Federation Metadata Url** and a copy of the **Signing Certificate (Public)** to [Kallidus support team](https://kallidus.zendesk.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Kallidus**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure Kallidus SSO
+
+To configure single sign-on on **Kallidus** side, you need to send the **App Federation Metadata Url** and a copy of the **Signing Certificate (Public)** to [Kallidus support team](https://kallidus.zendesk.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create Kallidus test user In this section, you create a user called Britta Simon in Kallidus. Work with [Kallidus support team](https://kallidus.zendesk.com) to add the users in the Kallidus platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
-When you select the Kallidus tile in the Access Panel, you should be automatically signed in to the Kallidus for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Kallidus for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Kallidus tile in the My Apps, you should be automatically signed in to the Kallidus for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Kallidus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
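Review bot: The unchanged "Create Kallidus test user" paragraph still says "you create a user called Britta Simon in Kallidus", while the new steps list and the rest of the tutorial use **B.Simon**; update it in this same change so the two names agree. In the added "Test SSO" bullet, "Click on Test this application in Azure portal" leaves "Test this application" unbolded, unlike the Klue and Leapsome tutorials in this commit. In the new "Next steps" paragraph, "which protects exfiltration and infiltration of your organization's sensitive data" should read "protects against exfiltration and infiltration", and the apostrophe in "organizationΓÇÖs" shows as mis-encoded, so save the file as UTF-8 or use a plain ASCII apostrophe. In the moved "Configure Kallidus SSO" section, "They set this setting to have the SAML SSO connection set properly on both sides" would read better as "They configure this setting so that the SAML SSO connection is set up correctly on both sides".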
active-directory Klue Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/klue-tutorial.md
Previously updated : 02/13/2020 Last updated : 07/22/2021
In this tutorial, you'll learn how to integrate Klue with Azure Active Directory
* Enable your users to be automatically signed-in to Klue with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Klue supports **SP and IDP** initiated SSO
-* Klue supports **Just In Time** user provisioning
-* Once you configure the Klue you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Klue supports **SP and IDP** initiated SSO.
+* Klue supports **Just In Time** user provisioning.
-## Adding Klue from the gallery
+## Add Klue from the gallery
To configure the integration of Klue into Azure AD, you need to add Klue from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Klue** in the search box. 1. Select **Klue** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Klue
+## Configure and test Azure AD SSO for Klue
Configure and test Azure AD SSO with Klue using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Klue.
-To configure and test Azure AD SSO with Klue, complete the following building blocks:
+To configure and test Azure AD SSO with Klue, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
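Review bot: The steps list under "To configure and test Azure AD SSO with Klue" still uses `*` bullets for the sub-steps ("Create an Azure AD test user" and the items that follow), whereas this same commit converts those sub-steps to nested `1.` items in the Kallidus and Leapsome tutorials; convert them here as well so the three tutorials render the same way.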
To configure and test Azure AD SSO with Klue, complete the following building bl
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Klue** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Klue** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`urn:klue:<Customer ID>` b. In the **Reply URL** text box, type a URL using the following pattern:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Klue**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, a user called B.Simon is created in Klue. Klue supports just-in
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the Klue tile in the Access Panel, you should be automatically signed in to the Klue for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Klue Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to Klue Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Klue for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Klue tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Klue for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Klue with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Klue you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
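Review bot: The new "#### SP initiated:" and "#### IDP initiated:" headings sit directly under "## Test SSO", skipping the h3 level, and carry trailing colons; use "### SP initiated" and "### IDP initiated" so the heading hierarchy stays valid. The My Apps paragraph is a single long sentence ("if configured in SP mode you would be redirected ... and if configured in IDP mode, you should be automatically signed in ...") and reads more clearly split at "and if configured in IDP mode". In "Next steps", "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration", the apostrophe in "organizationΓÇÖs" is mis-encoded, and the link target changes from /cloud-app-security/proxy-deployment-any-app (in the removed scenario bullet) to /cloud-app-security/proxy-deployment-aad; confirm the new target is the intended one for this gallery app.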
active-directory Leapsome Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/leapsome-tutorial.md
Previously updated : 12/17/2019 Last updated : 07/22/2021
In this tutorial, you'll learn how to integrate Leapsome with Azure Active Direc
* Enable your users to be automatically signed-in to Leapsome with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Leapsome supports **SP and IDP** initiated SSO
+* Leapsome supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Leapsome from the gallery
+## Add Leapsome from the gallery
To configure the integration of Leapsome into Azure AD, you need to add Leapsome from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Leapsome** in the search box. 1. Select **Leapsome** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Leapsome
+## Configure and test Azure AD SSO for Leapsome
Configure and test Azure AD SSO with Leapsome using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Leapsome.
-To configure and test Azure AD SSO with Leapsome, complete the following building blocks:
+To configure and test Azure AD SSO with Leapsome, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Leapsome SSO](#configure-leapsome-sso)** - to configure the single sign-on settings on application side.
- * **[Create Leapsome test user](#create-leapsome-test-user)** - to have a counterpart of B.Simon in Leapsome that is linked to the Azure AD representation of user.
+ 1. **[Create Leapsome test user](#create-leapsome-test-user)** - to have a counterpart of B.Simon in Leapsome that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Leapsome** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Leapsome** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL: `https://www.leapsome.com`
+ a. In the **Identifier** text box, type the URL: `https://www.leapsome.com`
b. In the **Reply URL** text box, type a URL using the following pattern: `https://www.leapsome.com/api/users/auth/saml/<CLIENTID>/assert`
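Review bot: The new NOTE ("Identifier of this application is a fixed string value so only one instance can be configured in one tenant") is consistent with the fixed Identifier `https://www.leapsome.com` in the Basic SAML Configuration step, which leaves the Reply URL pattern `https://www.leapsome.com/api/users/auth/saml/<CLIENTID>/assert` as the only tenant-specific value; nothing in this hunk tells the reader where `<CLIENTID>` comes from, so add that next to the Reply URL step. Also check that the nested `1.` sub-steps in the steps list are indented by at least three spaces in the source; the rendered diff shows a single space, which would make them render as top-level items.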
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Leapsome**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. On the top right, Click on Settings logo and then click **Admin Settings**.
- ![Leapsome set](./media/leapsome-tutorial/tutorial_leapsome_admin.png)
+ ![Leapsome set](./media/leapsome-tutorial/admin.png)
1. On the left menu bar click **Single Sign On (SSO)**, and on the **SAML-based single sign-on (SSO)** page perform the following steps:
- ![Leapsome saml](./media/leapsome-tutorial/tutorial_leapsome_samlsettings.png)
+ ![Leapsome saml](./media/leapsome-tutorial/settings.png)
a. Select **Enable SAML-based single sign-on**.
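Review bot: The image references change to ./media/leapsome-tutorial/admin.png and ./media/leapsome-tutorial/settings.png, but the renamed media files are not part of the visible change; make sure they are included in the same commit so the tutorial does not ship with broken images. While touching these lines, replace the alt text "Leapsome set" and "Leapsome saml" with descriptive text that matches the steps they illustrate, such as "Screenshot of the Leapsome Admin Settings menu" and "Screenshot of the Leapsome SAML-based single sign-on settings page".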
In this section, you create a user called Britta Simon in Leapsome. Work with [L
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Leapsome Sign on URL where you can initiate the login flow.
-When you click the Leapsome tile in the Access Panel, you should be automatically signed in to the Leapsome for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Leapsome Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Leapsome for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Leapsome tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Leapsome for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Leapsome with Azure AD](https://aad.portal.azure.com/)
+Once you configure Leapsome you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
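Review bot: As in the Klue tutorial in this commit, "#### SP initiated:" and "#### IDP initiated:" skip the h3 level under "## Test SSO" and carry trailing colons; use "### SP initiated" and "### IDP initiated". The "Next steps" sentence has the same wording and encoding issues: "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration", and the apostrophe in "organizationΓÇÖs" is mis-encoded.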
active-directory Mixpanel Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mixpanel-tutorial.md
Previously updated : 02/28/2019 Last updated : 07/23/2021 # Tutorial: Azure Active Directory integration with Mixpanel
-In this tutorial, you learn how to integrate Mixpanel with Azure Active Directory (Azure AD).
-Integrating Mixpanel with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Mixpanel with Azure Active Directory (Azure AD). When you integrate Mixpanel with Azure AD, you can:
-* You can control in Azure AD who has access to Mixpanel.
-* You can enable your users to be automatically signed-in to Mixpanel (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Mixpanel.
+* Enable your users to be automatically signed-in to Mixpanel with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Mixpanel, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Mixpanel single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Mixpanel single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Mixpanel supports **SP** initiated SSO
-
-## Adding Mixpanel from the gallery
-
-To configure the integration of Mixpanel into Azure AD, you need to add Mixpanel from the gallery to your list of managed SaaS apps.
-
-**To add Mixpanel from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Mixpanel**, select **Mixpanel** from result panel then click **Add** button to add the application.
+* Mixpanel supports **SP** initiated SSO.
- ![Mixpanel in the results list](common/search-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Configure and test Azure AD single sign-on
+## Add Mixpanel from the gallery
-In this section, you configure and test Azure AD single sign-on with Mixpanel based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Mixpanel needs to be established.
-
-To configure and test Azure AD single sign-on with Mixpanel, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Mixpanel Single Sign-On](#configure-mixpanel-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Mixpanel test user](#create-mixpanel-test-user)** - to have a counterpart of Britta Simon in Mixpanel that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Mixpanel into Azure AD, you need to add Mixpanel from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Mixpanel** in the search box.
+1. Select **Mixpanel** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Mixpanel, perform the following steps:
+## Configure and test Azure AD SSO for Mixpanel
-1. In the [Azure portal](https://portal.azure.com/), on the **Mixpanel** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Mixpanel using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mixpanel.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Mixpanel, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Mixpanel SSO](#configure-mixpanel-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Mixpanel test user](#create-mixpanel-test-user)** - to have a counterpart of B.Simon in Mixpanel that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Mixpanel** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Mixpanel Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type the URL:
`https://mixpanel.com/login/` > [!NOTE]
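Review bot: The new NOTE states that the Identifier of this application is a fixed string value, but the rewritten Basic SAML Configuration step only has the reader enter the Sign-on URL `https://mixpanel.com/login/`, so the Identifier's value never appears; either state the value or say that it is pre-populated, otherwise the note has nothing visible to refer to. The step numbering in "Configure Azure AD SSO" is also mixed: the first three items use `1.` while the Basic SAML Configuration item keeps "4."; use `1.` throughout. Finally, the steps list now links to `#test-sso` in place of the removed `#test-single-sign-on`, and the matching heading rename is not in the visible hunk, so check that the Test section heading is now "## Test SSO".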
To configure Azure AD single sign-on with Mixpanel, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mixpanel.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Mixpanel**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Mixpanel Single Sign-On
+## Configure Mixpanel SSO
1. In a different browser window, sign-on to your Mixpanel application as an administrator. 2. On bottom of the page, click the little **gear** icon in the left corner.
- ![Mixpanel Single Sign-On](./media/mixpanel-tutorial/tutorial_mixpanel_06.png)
+ ![Mixpanel Single Sign-On](./media/mixpanel-tutorial/gear-icon.png)
3. Click the **Access security** tab, and then click **Change settings**.
- ![Screenshot shows the Access security tab where you can change settings.](./media/mixpanel-tutorial/tutorial_mixpanel_08.png)
+ ![Screenshot shows the Access security tab where you can change settings.](./media/mixpanel-tutorial/settings.png)
4. On the **Change your certificate** dialog page, click **Choose file** to upload your downloaded certificate, and then click **NEXT**.
- ![Screenshot shows the Change your certificate dialog box where you can choose a certificate file.](./media/mixpanel-tutorial/tutorial_mixpanel_09.png)
+ ![Screenshot shows the Change your certificate dialog box where you can choose a certificate file.](./media/mixpanel-tutorial/certificate.png)
5. In the authentication URL textbox on the **Change your authentication URL** dialog page, paste the value of **Login URL** which you have copied from Azure portal, and then click **NEXT**.
- ![Screenshot shows the Change your authentication U R L pane where you can copy your Login U R L.](./media/mixpanel-tutorial/tutorial_mixpanel_10.png)
+ ![Screenshot shows the Change your authentication U R L pane where you can copy your Login U R L.](./media/mixpanel-tutorial/authentication.png)
6. Click **Done**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Mixpanel.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Mixpanel**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Mixpanel**.
-
- ![The Mixpanel link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Mixpanel test user The objective of this section is to create a user called Britta Simon in Mixpanel.
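Review bot: Step 4 of the Mixpanel SSO procedure tells the reader to upload "your downloaded certificate" without saying which one; state that it is the **Certificate (Base64)** downloaded from the **SAML Signing Certificate** section in the Azure portal, since that is the key Mixpanel will use to validate the signature on the SAML responses it receives, and uploading any other file leaves sign-in failing with no obvious cause. Step 5 should likewise say where in the Azure portal the **Login URL** was copied from rather than only "which you have copied from Azure portal". In the same hunk, steps 1 and 2 sit on one line ("1. In a different browser window ... 2. On bottom of the page, click the little **gear** icon"), so confirm the list renders as two separate steps.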
The objective of this section is to create a user called Britta Simon in Mixpane
4. In the **team member** textbox, type Britta's email address in the Azure.
- ![Screenshot shows the Team tab where you add an address to Invite.](./media/mixpanel-tutorial/tutorial_mixpanel_11.png)
+ ![Screenshot shows the Team tab where you add an address to Invite.](./media/mixpanel-tutorial/member.png)
5. Click **Invite**. > [!Note] > The user will get an email to set up the profile.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Mixpanel tile in the Access Panel, you should be automatically signed in to the Mixpanel for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Mixpanel Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Mixpanel Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Mixpanel tile in the My Apps, this will redirect to Mixpanel Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Mixpanel you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
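Review bot: "type Britta's email address in the Azure" (step 4) is ungrammatical, and the name is inconsistent with the rewritten assignment steps above, which use "select **B.Simon** from the Users list"; suggest "type the email address of the Azure AD test user (B.Simon)" so the account invited in Mixpanel is the counterpart of the user assigned in Azure AD. The step that follows also runs the note callout onto the same line as the instruction ("5. Click **Invite**. > [!Note] > The user will get an email ..."), which will not render as a callout. The added Next steps sentence carries a mis-encoded apostrophe ("organizationΓÇÖs"); replace it with a plain apostrophe.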
active-directory Oracle Cloud Infrastructure Console Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oracle-cloud-infrastructure-console-provisioning-tutorial.md
The scenario outlined in this tutorial assumes that you already have the followi
![Oracle token generation](./media/oracle-cloud-infratstructure-console-provisioning-tutorial/general-information.png)
-6. To generate a secret token Base64 encode the client ID and client secret in the format **client ID:Client Secret**. Save the secret token. This value will be entered in the **Secret Token** field in the provisioning tab of your Oracle Cloud Infrastructure Console application in the Azure portal.
+6. To generate a secret token, encode the client ID and client secret as Base64 in the format **client ID:Client Secret**. Note - this value must be generated with line wrapping disabled (base64 -w 0). Save the secret token. This value will be entered in the **Secret Token** field in the provisioning tab of your Oracle Cloud Infrastructure Console application in the Azure portal.
## Step 3. Add Oracle Cloud Infrastructure Console from the Azure AD application gallery
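Review bot: The new sentence guards against output line wrapping (`base64 -w 0`) but not against the other common way this token gets corrupted: piping the string in with `echo`, which appends a newline that is then encoded into the token and rejected by the provisioning endpoint. Suggest showing the full command, for example `printf '%s' 'clientID:clientSecret' | base64 -w 0`, and noting that `-w 0` is GNU coreutils syntax, so readers on other platforms need their base64 tool's equivalent no-wrap option. Also the format string changes case mid-way ("**client ID:Client Secret**"); make both halves consistent so nobody reads the capitalisation as significant.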
active-directory Prezi Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/prezi-tutorial.md
Previously updated : 08/20/2020 Last updated : 07/23/2021
In this tutorial, you learn how to integrate Prezi with Azure Active Directory (
* Enable your users to be automatically signed in to Prezi with their Azure AD accounts. * Manage your accounts in the Azure portal.
-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Prezi supports SP- and IDP-initiated SSO.
+* Prezi supports SP and IDP initiated SSO.
* Prezi supports just-in-time user provisioning.
-* After you configure Prezi, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
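Review bot: The rewritten scenario bullet drops the hyphens ("SP- and IDP-initiated SSO" becomes "SP and IDP initiated SSO"); the removed form was the correct compound-modifier hyphenation, so this is a style regression rather than a fix and should be reverted. Removing the session-control sentence from the scenario description is fine given that the same text is added under Next steps at the end of this file.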
In this tutorial, you configure and test Azure AD SSO in a test environment.
To configure the integration of Prezi into Azure AD, you need to add Prezi from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account or a personal Microsoft account.
+1. Sign in to the Azure portal by using either a work or school account or a personal Microsoft account.
1. On the leftmost pane, select **Azure Active Directory**. 1. Go to **Enterprise applications**, and then select **All applications**. 1. To add a new application, select **New application**.
To configure the integration of Prezi into Azure AD, you need to add Prezi from
Configure and test Azure AD SSO with Prezi by using a test user called B.Simon. For SSO to work, you establish a link relationship between an Azure AD user and the related user in Prezi.
-To configure and test Azure AD SSO with Prezi, complete these building blocks:
+To configure and test Azure AD SSO with Prezi, perform the following steps:
1. [Configure Azure AD SSO](#configure-azure-ad-sso) to enable your users to use this feature. 1. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD SSO with B.Simon.
To configure and test Azure AD SSO with Prezi, complete these building blocks:
To enable Azure AD SSO in the Azure portal:
-1. In the [Azure portal](https://portal.azure.com/), on the **Prezi** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Prezi** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, select the **Edit** icon to edit the settings on **Basic SAML Configuration**.
+1. On the **Set up Single Sign-On with SAML** page, select the pencil icon to edit the settings on **Basic SAML Configuration**.
![Edit Basic SAML Configuration settings](common/edit-urls.png)
To enable Azure AD SSO in the Azure portal:
1. Select **Set additional URLs**, and do the following step if you want to configure the application in **SP**-initiated mode:
- In the **Sign-on URL** box, enter the URL: `https://prezi.com/login/sso/`.
+ In the **Sign-on URL** box, type the URL:
+ `https://prezi.com/login/sso/`.
1. Select **Save**.
In this section, you enable B.Simon to use Azure SSO by granting access to Prezi
1. In the Azure portal, select **Enterprise applications** > **All applications**. 1. In the applications list, select **Prezi**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The Users and groups link](common/users-groups-blade.png)
- 1. Select **Add user**, and then select **Users and groups** in the **Add Assignment** dialog box.-
- ![The Add user link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog box, select **B.Simon** from the users list, and click **Select** at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list and then click **Select** at the bottom of the screen. 1. In the **Add Assignment** dialog box, select **Assign**.
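Review bot: Both edited lines in this hunk end with a stray "-" ("select **Users and groups**.-" and "in the **Add Assignment** dialog box.-"), which looks like the removed image lines were joined onto the preceding text during the edit; check the rendered page for dangling hyphens and confirm the numbered steps still break onto separate lines after the screenshots are removed.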
In this section, you enable B.Simon to use Azure SSO by granting access to Prezi
1. Go to the **Single Sign-On (SSO)** section, and turn on the toggle to enable SSO.
- ![Single Sign-On (SSO) toggle](./media/prezi-tutorial/single-signon.png)
+ ![Single Sign-On (SSO) toggle](./media/prezi-tutorial/single-sign-on.png)
1. In the **Single sign-on (SSO)** section, follow these steps:
In this section, a user called Britta Simon is created in Prezi. Prezi supports
## Test SSO
-In this section, you test your Azure AD SSO configuration by using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Prezi Sign on URL where you can initiate the login flow.
+
+* Go to Prezi Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Prezi for which you set up the SSO.
-When you select the Prezi tile in the Access Panel, you should be automatically signed in to the Prezi account for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Prezi tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Prezi for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-## Additional resources
+## Next steps
-- [List of tutorials on how to integrate SaaS apps with Azure Active Directory](./tutorial-list.md)-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)-- [Try Prezi with Azure AD](https://aad.portal.azure.com/)-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)-- [How to protect Prezi with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Prezi you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
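Review bot: The new sub-headings "#### SP initiated:" and "#### IDP initiated:" jump from H2 (`## Test SSO`) straight to H4 and end with a colon; use `### SP initiated` and `### IDP initiated` so the heading hierarchy stays contiguous. The Next steps sentence contains the mis-encoded apostrophe "organizationΓÇÖs". Note also that the removed Additional resources list linked the Conditional Access overview and the Cloud App Security session-control introduction separately; the replacement sentence keeps only the deployment link, so make sure the conditional-access context is still reachable from it.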
active-directory Productboard Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/productboard-tutorial.md
Previously updated : 10/21/2019 Last updated : 07/23/2021
In this tutorial, you'll learn how to integrate productboard with Azure Active D
* Enable your users to be automatically signed-in to productboard with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* productboard single sign-on (SSO) enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* productboard supports **SP and IDP** initiated SSO
-* productboard supports **Just In Time** user provisioning
+* productboard supports **SP and IDP** initiated SSO.
+* productboard supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding productboard from the gallery
+## Add productboard from the gallery
To configure the integration of productboard into Azure AD, you need to add productboard from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **productboard** in the search box. 1. Select **productboard** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for productboard
Configure and test Azure AD SSO with productboard using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in productboard.
-To configure and test Azure AD SSO with productboard, complete the following building blocks:
+To configure and test Azure AD SSO with productboard, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure productboard SSO](#configure-productboard-sso)** - to configure the single sign-on settings on application side.
- * **[Create productboard test user](#create-productboard-test-user)** - to have a counterpart of B.Simon in productboard that is linked to the Azure AD representation of user.
+ 1. **[Create productboard test user](#create-productboard-test-user)** - to have a counterpart of B.Simon in productboard that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **productboard** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **productboard** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
In the **Reply URL** text box, type a URL using the following pattern:
- `https://<projectname>.productboard.com/users/auth/saml/callback`
+ `https://<PROJECTNAME>.productboard.com/users/auth/saml/callback`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<projectname>.productboard.com/`
+ `https://<PROJECTNAME>.productboard.com/`
> [!NOTE] > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [productboard Client support team](mailto:support@productboard.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
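Review bot: The NOTE added to the scenario description says the identifier of this application is a fixed string value, yet the IDP-initiated configuration step here shows only the per-project Reply URL pattern (`https://<PROJECTNAME>.productboard.com/users/auth/saml/callback`) and the closing NOTE tells the reader to obtain "the actual Reply URL and Sign-On URL" from support; either show the fixed Identifier value the reader should expect to see, or state that it needs no input, so the reader can tell whether the Identifier is something to fill in. Upper-casing the `<PROJECTNAME>` placeholder in both URL patterns is consistent with the other tutorials and makes it read as a placeholder rather than a real host name.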
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **productboard**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called Britta Simon is created in productboard. productboard supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in productboard, a new one is created after authentication.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to productboard Sign on URL where you can initiate the login flow.
-When you click the productboard tile in the Access Panel, you should be automatically signed in to the productboard for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to productboard Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the productboard for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the productboard tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the productboard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try productboard with Azure AD](https://aad.portal.azure.com/)
+Once you configure productboard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
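Review bot: As in the Prezi tutorial in this same change, "#### SP initiated:" and "#### IDP initiated:" skip from H2 to H4 and carry a trailing colon; use `### SP initiated` and `### IDP initiated`. The Next steps sentence has the mis-encoded apostrophe "organizationΓÇÖs". The removed resource link "[ List of Tutorials on How to Integrate SaaS Apps ... ](./tutorial-list.md)" had stray spaces inside the brackets, so dropping it also removes that formatting defect.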
active-directory Snowflake Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/snowflake-provisioning-tutorial.md
The scenario outlined in this tutorial assumes that you already have the followi
## Step 1: Plan your provisioning deployment 1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
-2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-3. Determine what data to [map between Azure AD and Snowflake](../app-provisioning/customize-application-attributes.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Snowflake](../app-provisioning/customize-application-attributes.md).
## Step 2: Configure Snowflake to support provisioning with Azure AD
Before you configure Snowflake for automatic user provisioning with Azure AD, yo
1. Sign in to your Snowflake admin console. Enter the following query in the highlighted worksheet, and then select **Run**.
- ![Screenshot of the Snowflake admin console with query and Run button.](media/Snowflake-provisioning-tutorial/image00.png)
+ ![Screenshot of the Snowflake admin console with query and Run button.](media/Snowflake-provisioning-tutorial/image00.png)
+
+ ```
+ use role accountadmin;
+
+ create or replace role aad_provisioner;
+ grant create user on account to aad_provisioner;
+ grant create role on account to aad_provisioner;
+ grant role aad_provisioner to role accountadmin;
+ create or replace security integration aad_provisioning type=scim scim_client=azure run_as_role='AAD_PROVISIONER';
+
+ select SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('AAD_PROVISIONING');
+ ```
-2. A SCIM access token is generated for your Snowflake tenant. To retrieve it, select the link highlighted in the following screenshot.
+1. A SCIM access token is generated for your Snowflake tenant. To retrieve it, select the link highlighted in the following screenshot.
- ![Screenshot of a worksheet in the Snowflake U I with the S C I M access token called out.](media/Snowflake-provisioning-tutorial/image01.png)
+ ![Screenshot of a worksheet in the Snowflake U I with the S C I M access token called out.](media/Snowflake-provisioning-tutorial/image01.png)
-3. Copy the generated token value and select **Done**. This value is entered in the **Secret Token** box on the **Provisioning** tab of your Snowflake application in the Azure portal.
+1. Copy the generated token value and select **Done**. This value is entered in the **Secret Token** box on the **Provisioning** tab of your Snowflake application in the Azure portal.
- ![Screenshot of the Details section, showing the token copied into the text field and the Done option called out.](media/Snowflake-provisioning-tutorial/image02.png)
+ ![Screenshot of the Details section, showing the token copied into the text field and the Done option called out.](media/Snowflake-provisioning-tutorial/image02.png)
## Step 3: Add Snowflake from the Azure AD application gallery
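Review bot: The SQL block is fenced without a language tag; use ```sql so it is highlighted and readers can see it is meant to be pasted into a Snowflake worksheet. The grants themselves are appropriately minimal (only `create user` and `create role` on the account) and `run_as_role='AAD_PROVISIONER'` is correct as written: the unquoted `aad_provisioner` in the `create or replace role` statement is stored upper-cased, so a short comment saying the case difference is intentional would stop readers from "fixing" it. Step 3 tells the reader to copy the generated token into the **Secret Token** box but says nothing about how long the token stays valid or how to rotate it; since `SYSTEM$GENERATE_SCIM_ACCESS_TOKEN` produces the credential that authorises every provisioning call from Azure AD, add that information or a link to it. The four screenshot lines are identical apart from indentation, so those ± pairs are whitespace-only changes.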
active-directory Walkme Saml Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/walkme-saml-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with WalkMe SAML2.0 | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and WalkMe SAML2.0.
++++++++ Last updated : 07/22/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with WalkMe SAML2.0
+
+In this tutorial, you'll learn how to integrate WalkMe SAML2.0 with Azure Active Directory (Azure AD). When you integrate WalkMe SAML2.0 with Azure AD, you can:
+
+* Control in Azure AD who has access to WalkMe SAML2.0.
+* Enable your users to be automatically signed-in to WalkMe SAML2.0 with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* WalkMe SAML2.0 single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* WalkMe SAML2.0 supports **IDP** initiated SSO.
+
+* WalkMe SAML2.0 supports **Just In Time** user provisioning.
+
+## Add WalkMe SAML2.0 from the gallery
+
+To configure the integration of WalkMe SAML2.0 into Azure AD, you need to add WalkMe SAML2.0 from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **WalkMe SAML2.0** in the search box.
+1. Select **WalkMe SAML2.0** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for WalkMe SAML2.0
+
+Configure and test Azure AD SSO with WalkMe SAML2.0 using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in WalkMe SAML2.0.
+
+To configure and test Azure AD SSO with WalkMe SAML2.0, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure WalkMe SAML2.0 SSO](#configure-walkme-saml20-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create WalkMe SAML2.0 test user](#create-walkme-saml20-test-user)** - to have a counterpart of B.Simon in WalkMe SAML2.0 that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **WalkMe SAML2.0** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.walkme.com`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.walkme.com/ic/idp/p/saml/callback`
+
+ c. In the **Relay State** textbox, type the value:
+ `{ "loginType": "azureSAMLApp"}`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [WalkMe SAML2.0 Client support team](mailto:support@walkme.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up WalkMe SAML2.0** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to WalkMe SAML2.0.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **WalkMe SAML2.0**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure WalkMe SAML2.0 SSO
+
+To configure single sign-on on **WalkMe SAML2.0** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [WalkMe SAML2.0 support team](mailto:support@walkme.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create WalkMe SAML2.0 test user
+
+In this section, a user called Britta Simon is created in WalkMe SAML2.0. WalkMe SAML2.0 supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in WalkMe SAML2.0, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the WalkMe SAML2.0 for which you set up the SSO.
+
+* You can use Microsoft My Apps. When you click the WalkMe SAML2.0 tile in the My Apps, you should be automatically signed in to the WalkMe SAML2.0 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure WalkMe SAML2.0 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
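Review bot: In the "Configure WalkMe SAML2.0 SSO" section, "They set this setting to have the SAML SSO connection set properly on both sides" is awkward; suggest "The support team uses them to configure the SAML SSO connection on the WalkMe side." It would also help readers to state that the downloaded Certificate (Base64) is Azure AD's public signing certificate, so sending it to the vendor discloses no secret. In "Next steps", "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration", and in "Test SSO", "Click on Test this application" should be "Select **Test this application**" to match the verb and bold used in the other steps.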
active-directory My Applications Portal Workspaces https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/my-applications-portal-workspaces.md
Previously updated : 10/19/2020 Last updated : 07/26/2021
active-directory Introduction To Verifiable Credentials Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/introduction-to-verifiable-credentials-architecture.md
ItΓÇÖs important to plan your verifiable credential solution so that in addition
This architectural overview introduces the capabilities and components of the Azure Active Directory Verifiable Credentials service. For more detailed information on issuance and validation, see
-* Plan your Azure AD Verifiable Credentials issuance solution
-
-* Plan your Azure AD Verifiable Credentials validation solution
+* [Plan your issuance solution](plan-issuance-solution.md)
+* [Plan your verification solution](plan-verification-solution.md)
## Approaches to identity
In centralized identity systems, the identity provider (IDP) controls the lifecy
![Example of a centralized identity system](./media/introduction-to-verifiable-credentials-architecture/centralized-identity-architecture.png)
-However, there are scenarios where using a decentralized architecture using verifiable credentials can provide value by augmenting key scenarios such as
+However, there are scenarios where using a decentralized architecture with verifiable credentials can provide value by augmenting key scenarios such as
* secure onboarding of employeesΓÇÖ and othersΓÇÖ identities, including remote scenarios.
VCs can add value to centralized systems by augmenting the credential distributi
In the onboarding use case, the trust relationship roles are distributed between the issuer, the verifier, and the holder.
-* The issuer is responsible for validating the claims that are part of the VC they issue. Adatum validates AliceΓÇÖs identity to issue the VCVCs are issued without the consideration of a verifier or relying party.
+* The issuer is responsible for validating the claims that are part of the VC they issue. Adatum validates AliceΓÇÖs identity to issue the VC. In this case, VCs are issued without the consideration of a verifier or relying party.
-* The holder possesses the VC and must initiate use of the VC for verification. Only Alice can present the VCs she holds.
+* The holder possesses the VC and initiates the presentation of the VC for verification. Only Alice can present the VCs she holds.
* The verifier accepts the claims in the VC from issuers they trust and validate the VC using the decentralized ledger capability described in the verifiable credentials data model. Woodgrove trusts AdatumΓÇÖs claims about AliceΓÇÖs identity.
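Review bot: The unchanged verifier bullet directly below the reworded holder bullet has a subject-verb mismatch ("The verifier accepts ... and validate the VC"); since the adjacent bullets are being edited, change "validate" to "validates" in the same change.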
Woodgrove will add and end business relationships with other organizations and w
By combining centralized and decentralized identity architectures, the responsibility and effort associated with identity and proof of identity is distributed, risk is reduced, and the user does not risk releasing their private information as often or to as many unknown verifiers. Specifically:
-* In centralized identity architectures, the IDP issues credentials and performs verification of issued those issued credentials. Information about all identities is processed by the IDP, either storing them in or retrieving them from a directory. IDPs may also dynamically accept security tokens from other IDP systems, such as social sign-ins or business partners. For a relying party to use identities in the IDP trust boundary, they must be configured to accept the tokens issued by the IDP.
+* In centralized identity architectures, the IDP issues credentials and performs verification of those issued credentials. Information about all identities is processed by the IDP, either storing them in or retrieving them from a directory. IDPs may also dynamically accept security tokens from other IDP systems, such as social sign-ins or business partners. For a relying party to use identities in the IDP trust boundary, they must be configured to accept the tokens issued by the IDP.
## How decentralized identity systems work In decentralized identity architectures, the issuer, user, and relying party (RP) each have a role in establishing and ensuring ongoing trusted exchange of each otherΓÇÖs credentials. The public keys of the actorsΓÇÖ DIDs are resolvable in ION, which allows signature validation and therefore trust of any artifact, including a verifiable credential. Relying parties can consume verifiable credentials without establishing trust relationships with the issuer. Instead, the issuer provides the subject a credential to present as proof to relying parties. All messages between actors are signed with the actorΓÇÖs DID; DIDs from issuers and verifiers also need to own the DNS domains that generated the requests.
-For example: When the holder of a VC wants to use it to access a resource, they must present the VC to that relying party. They do so by using the wallet application to read the RPΓÇÖs request to present a VC. As a part of reading that request, the wallet application uses the RPΓÇÖs DID to find the RPs public keys using ION, validating that the request to present the VC has not been tampered with. The wallet also checks that the DID is referenced in a metadata document that is hosted in the DNS domain of the RP, to prove domain ownership.
+For example: When VC holders needs to access a resource, they must present the VC to that relying party. They do so by using a wallet application to read the RPΓÇÖs request to present a VC. As a part of reading the request, the wallet application uses the RPΓÇÖs DID to find the RPs public keys using ION, validating that the request to present the VC has not been tampered with. The wallet also checks that the DID is referenced in a metadata document that is hosted in the DNS domain of the RP, to prove domain ownership.
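Review bot: The rewritten first sentence introduces a number error: "When VC holders needs to access a resource" should be "When a VC holder needs to access a resource" (which also keeps the later "they" and "that relying party" readable), and "the RPs public keys" needs the possessive "RP's". Consider naming the "metadata document that is hosted in the DNS domain of the RP" explicitly (the Well Known DID Configuration document), since that check is what binds the DID to the domain and readers tracing the flow will want to know what to look for.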
In this flow, the credential holder interacts with the issuer to request a verif
1. Validates that the DNS domain referenced in the issuerΓÇÖs DID document is owned by the issuer.
- 1. Depending on the VC contract requirements, the wallet guides the holder to collect additional information, for example asking for self-issued attributes, or navigating through an OIDC flow to obtain an id_token.
+ 1. Depending on the VC contract requirements, the wallet might require the holder to collect additional information, for example asking for self-issued attributes, or navigating through an OIDC flow to obtain an id_token.
1. Submits the artifacts required by the contract to the Azure AD VC Service. The Azure AD VC service returns the VC, signed with the issuerΓÇÖs DID key and the wallet securely stores the VC.
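Review bot: "the wallet might require the holder to collect additional information" reads oddly, because it is the wallet that collects the information from the holder. Suggest "the wallet might prompt the holder for additional information, for example self-issued attributes, or navigate through an OIDC flow to obtain an id_token". In the unchanged step below, add a comma before "and the wallet securely stores the VC".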
active-directory Plan Issuance Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/plan-issuance-solution.md
Microsoft uses the [Identity Overlay Network (ION)](https://identity.foundation/
### Microsoft Authenticator application
-![Microsoft Authenticator application](media/plan-issuance-solution/plan-issuance-solution-microsoft-authenticator.png)
+![Microsoft Authenticator application](media/plan-issuance-solution/plan-issuance-solution-authenticator.png)
Microsoft Authenticator is the mobile application that orchestrates the interactions between the user, the Azure AD Verifiable Credentials service, and dependencies that are described in the contract used to issue VCs. It acts as a digital wallet in which the holder of the VC stores the VC, including the private key of the subject of the VC. Authenticator is also the mechanism used to present VCs for verification.
active-directory Plan Verification Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/plan-verification-solution.md
Verifiable credentials can be used as additional proof to access to sensitive ap
#### Additional elements
-Relying party web fronted: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential SDK or API calls for VC presentation and validation, based on your business requirements.
+**Relying party web frontend**: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential SDK or API calls for VC presentation and validation, based on your business requirements.
-User access authorization logic: Logic layer in the application that authorizes user access and is enhanced to consume the user attributes inside the VC to make authorization decisions.
+**User access authorization logic**: Logic layer in the application that authorizes user access and is enhanced to consume the user attributes inside the VC to make authorization decisions.
-Other backend services and dependencies: Represents the rest of the logic of the application, which typically is unchanged by the inclusion of identity proofing through VCs.
+**Other backend services and dependencies**: Represents the rest of the logic of the application, which typically is unchanged by the inclusion of identity proofing through VCs.
#### Design Considerations
The decentralized nature of verifiable credentials enables this scenario without
#### Additional elements
-Relying party web fronted: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential SDK or API calls for VC presentation and validation, based on your business requirements.
+**Relying party web frontend**: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential SDK or API calls for VC presentation and validation, based on your business requirements.
-User access authorization logic: Logic layer in the application that authorizes user access and is enhanced to consume the user attributes inside the VC to make authorization decisions.
+**User access authorization logic**: Logic layer in the application that authorizes user access and is enhanced to consume the user attributes inside the VC to make authorization decisions.
-Other backend services and dependencies: Represents the rest of the logic of the application, which typically is unchanged by the inclusion of identity proofing through VCs.
+**Other backend services and dependencies**: Represents the rest of the logic of the application, which typically is unchanged by the inclusion of identity proofing through VCs.
#### Design Considerations
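Review bot: The same three "Additional elements" definitions now appear word for word in two scenarios of this article; if they are meant to stay identical, consider a shared include so that fixes like this "fronted" correction only need to be made once.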
api-management How To Deploy Self Hosted Gateway Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md
This article describes the steps for deploying the self-hosted gateway component
### Access token Without a valid access token, a self-hosted gateway can't access and download configuration data from the endpoint of the associated API Management service. The access token can be valid for a maximum of 30 days. It must be regenerated, and the cluster configured with a fresh token, either manually or via automation before it expires.
-When you're automating token refresh, use [this management API operation](/rest/api/apimanagement/2019-12-01/gateway/generatetoken) to generate a new token. For information on managing Kubernetes secrets, see the [Kubernetes website](https://kubernetes.io/docs/concepts/configuration/secret).
+When you're automating token refresh, use [this management API operation](/rest/api/apimanagement/2020-12-01/gateway/generate-token) to generate a new token. For information on managing Kubernetes secrets, see the [Kubernetes website](https://kubernetes.io/docs/concepts/configuration/secret).
### Namespace Kubernetes [namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) help with dividing a single cluster among multiple teams, projects, or applications. Namespaces provide a scope for resources and names. They can be associated with a resource quota and access control policies.
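Review bot: The new link changes both the API version and the operation slug (generatetoken to generate-token); confirm the 2020-12-01 reference page resolves under that slug before merging. Since the paragraph above says the token is valid for at most 30 days and the cluster must be reconfigured with a fresh one, it would be worth saying in the same sentence that the fresh token is applied by updating the Kubernetes secret the gateway reads, rather than leaving that to the generic Kubernetes link.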
api-management How To Event Grid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-event-grid.md
In Event Grid, you subscribe to a *topic* to tell it which events you want to tr
Now that the sample app is up and running and you've subscribed to your API Management instance with Event Grid, you're ready to generate events.
-As an example, [create a product](/api-management-howto-add-products.md) in your API Management instance. If your event subscription includes the **Microsoft.APIManagement.ProductCreated** event, creating the product triggers an event that is pushed to your web app endpoint.
+As an example, [create a product](/azure/api-management/api-management-howto-add-products) in your API Management instance. If your event subscription includes the **Microsoft.APIManagement.ProductCreated** event, creating the product triggers an event that is pushed to your web app endpoint.
Navigate to your Event Grid Viewer web app, and you should see the `ProductCreated` event. Select the button next to the event to show the details.
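Review bot: The fixed link uses an absolute `/azure/api-management/...` path, whereas the other same-repo links in this changeset are relative (`../machine-learning/...`, `../aks/...`). The original defect was the leading slash combined with `.md`, so the relative form `api-management-howto-add-products.md` would be the conventional fix and keeps the link resolving in preview builds.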
api-management Howto Use Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/howto-use-analytics.md
Use the Azure portal to review analytics data at a glance for your API Managemen
## Analytics - REST API
-Use [Reports](/rest/api/apimanagement/2019-12-01/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance.
+Use [Reports](/rest/api/apimanagement/2020-12-01/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance.
Available operations return report records by API, geography, API operations, product, request, subscription, time, or user.
application-gateway Redirect Http To Https Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/redirect-http-to-https-portal.md
In this example, you create a virtual machine scale set to provide servers for t
3. In the search box, type *scale set* and press Enter. 4. Select **Virtual machine scale set**, and then select **Create**. 5. For **Virtual machine scale set name**, type *myvmss*.
-6. For Operating system disk image,** ensure **Windows Server 2016 Datacenter** is selected.
+6. For **Operating system disk image**, ensure **Windows Server 2016 Datacenter** is selected.
7. For **Resource group**, select **myResourceGroupAG**. 8. For **User name**, type *azureuser*. 9. For **Password**, type *Azure123456!* and confirm the password.
azure-arc Create Data Controller https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller.md
Azure Arc-enabled data services can be created on multiple different types of Ku
Currently, the supported list of Kubernetes services and distributions are the following: - Azure Kubernetes Service (AKS)-- Azure Kubernetes Service Engine (AKS Engine) on Azure Stack - Azure Kubernetes Service on Azure Stack HCI - Azure RedHat OpenShift (ARO) - OpenShift Container Platform (OCP)
azure-government Documentation Government Impact Level 5 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-impact-level-5.md
ms.devlang: na
na Previously updated : 04/14/2021 ++ Last updated : 07/23/2021 #Customer intent: As a DoD mission owner, I want to know how to implement a workload at Impact Level 5 in Microsoft Azure Government. # Isolation guidelines for Impact Level 5 workloads
You need to address two key areas for Azure services in IL5 scope: storage isola
### Compute isolation
-IL5 separation requirements are stated in the SRG [Section 5.2.2.3](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/index.html#5.2LegalConsiderations). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all IL5 virtual machines should be isolated via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/) or [isolated virtual machines](../virtual-machines/isolation.md). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
+IL5 separation requirements are stated in the SRG [Section 5.2.2.3](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/index.html#5.2LegalConsiderations). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, **all IL5 virtual machines and virtual machine scale sets** should be isolated via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/) or [isolated virtual machines](../virtual-machines/isolation.md). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed. ### Storage isolation
-In a recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140-2 validated Hardware Security Modules (HSMs). The keys are owned and managed by the IL5 system owner (also known as customer-managed keys).
+In a recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in [FIPS 140 validated](/azure/compliance/offerings/offering-fips-140-2) Hardware Security Modules (HSMs). The keys are owned and managed by the IL5 system owner (also known as customer-managed keys).
Here's how this approach applies to
The DoD requirements for encrypting data at rest are provided in the SRG [Sectio
IL5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The following configurations are required *in addition* to any other configurations or controls needed to meet IL5 requirements. Network isolation, access controls, and other necessary security measures aren't necessarily addressed in this article.
+> [!NOTE]
+> This article tracks Azure services that have received DoD IL5 PA and that require extra configuration options to meet IL5 isolation requirmements. Services with IL5 PA that do not require any extra configuration options are not mentioned in this article. For a list of services in scope for DoD IL5 PA, see **[Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).**
+ Be sure to review the entry for each service you're using and ensure that all isolation requirements are implemented. ## AI + machine learning For AI and machine learning services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=project-bonsai,genomics,search,bot-service,databricks,machine-learning-service,cognitive-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-### [Azure Bot Services](https://azure.microsoft.com/services/bot-services/)
-
-Azure Bot Services supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Azure Cognitive Search](https://azure.microsoft.com/services/search/) Azure Cognitive Search supports Impact Level 5 workloads in Azure Government with this configuration:
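Review bot: "requirmements" in the new NOTE is a typo for "requirements". In the same line the bold span wraps the trailing period (`...).**`); move the period outside the bold. Removing the Azure Bot Services section below is consistent with the NOTE's narrowed scope (services needing no extra configuration are dropped), which means the audit-scope list the NOTE links to becomes the only place readers can confirm those services remain authorized at IL5; make sure that list is current in the same change.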
Azure Machine Learning supports Impact Level 5 workloads in Azure Government wit
- Configure encryption at rest of content in Azure Machine Learning by using customer-managed keys in Azure Key Vault. Azure Machine Learning stores snapshots, output, and logs in the Azure Blob Storage account that's associated with the Azure Machine Learning workspace and customer subscription. All the data stored in Azure Blob Storage is [encrypted at rest with Microsoft-managed keys](../machine-learning/concept-enterprise-security.md). Customers can use their own keys for data stored in Azure Blob Storage. See [Configure encryption with customer-managed keys stored in Azure Key Vault](../storage/common/customer-managed-keys-configure-key-vault.md).
-### [Cognitive
-
-Computer Vision supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Cognitive The Azure Cognitive Services Content Moderator service supports Impact Level 5 workloads in Azure Government with this configuration:
The Azure Cognitive Services Content Moderator service supports Impact Level 5 w
Custom Vision supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Cognitive Services Custom Vision [using customer-managed keys in Azure Key Vault](../cognitive-services/custom-vision-service/encrypt-data-at-rest.md#customer-managed-keys-with-azure-key-vault)
+- Configure encryption at rest of content in Cognitive Services Custom Vision [using customer-managed keys in Azure Key Vault](../cognitive-services/custom-vision-service/encrypt-data-at-rest.md#customer-managed-keys-with-azure-key-vault).
### [Cognitive
The Cognitive Services Language Understanding service supports Impact Level 5 wo
Personalizer supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Cognitive Services Personalizer [using customer-managed keys in Azure Key Vault](../cognitive-services/personalizer/encrypt-data-at-rest.md)
+- Configure encryption at rest of content in Cognitive Services Personalizer [using customer-managed keys in Azure Key Vault](../cognitive-services/personalizer/encrypt-data-at-rest.md).
### [Cognitive Cognitive Services QnA Maker supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Cognitive Services QnA Maker [using customer-managed keys in Azure Key Vault](../cognitive-services/qnamaker/encrypt-data-at-rest.md)-
-### [Cognitive
-
-The Cognitive Services Text Analytics service supports Impact Level 5 workloads in Azure Government with no extra configuration required.
+- Configure encryption at rest of content in Cognitive Services QnA Maker [using customer-managed keys in Azure Key Vault](../cognitive-services/qnamaker/encrypt-data-at-rest.md).
### [Cognitive
Cognitive Services Speech Services supports Impact Level 5 workloads in Azure Go
For Analytics services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share,power-bi-embedded,analysis-services,event-hubs,data-lake-analytics,storage,data-catalog,monitor,data-factory,synapse-analytics,stream-analytics,databricks,hdinsight&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-### [Azure Analysis Services](https://azure.microsoft.com/services/analysis-services/)
-
-Azure Analysis Services supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Azure Databricks](https://azure.microsoft.com/services/databricks/) Azure Databricks supports Impact Level 5 workloads in Azure Government with this configuration: -- Azure Databricks can be deployed to existing storage accounts that have enabled appropriate [Storage Encryption with Key Vault Managed Keys](#storage-encryption-with-key-vault-managed-keys).-- Use [Isolated Virtual Machines](../security/fundamentals/isolation-choices.md#isolated-virtual-machine-sizes) as the 'Worker Type' when launching Azure Databricks clusters. When deployed, Isolated VM types consume the entire physical host for that VM providing the necessary level of isolation required to support IL5 workloads.-- Configure Customer-Managed Keys (CMK) for your [Azure Databricks Workspace](/azure/databricks/security/keys/customer-managed-key-notebook) and [Databricks File System](/azure/databricks/security/keys/customer-managed-keys-dbfs/) (DBFS). -
-### [Azure Data Share](https://azure.microsoft.com/services/data-share/)
-
-Azure Data Share supports Impact Level 5 workloads in Azure Government with no extra configuration required.
+- Azure Databricks can be deployed to existing storage accounts that have enabled appropriate [Storage encryption with Key Vault managed keys](#storage-encryption-with-key-vault-managed-keys).
+- Configure customer-managed Keys (CMK) for your [Azure Databricks Workspace](/azure/databricks/security/keys/customer-managed-key-notebook) and [Databricks File System](/azure/databricks/security/keys/customer-managed-keys-dbfs/) (DBFS).
### [Azure Data Explorer](https://azure.microsoft.com/services/data-explorer/)
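Review bot: This hunk drops the Databricks bullet that required Isolated VM sizes as the cluster Worker Type, keeping only the storage-encryption and CMK bullets. The Compute isolation section above still states that all IL5 virtual machines and scale sets must be isolated, and the removed bullet itself shows that Databricks clusters run on VMs the customer sizes, so either restore the bullet or add a sentence pointing readers to the compute isolation guidance for worker-node sizing; otherwise the article no longer tells a Databricks user how to meet the compute requirement. Also, "customer-managed Keys (CMK)" in the new bullet should be "customer-managed keys (CMK)".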
Azure Data Factory supports Impact Level 5 workloads in Azure Government with th
### [Event Hubs](https://azure.microsoft.com/services/event-hubs/)
-Azure Event Hubs supports Impact Level 5 workloads in Azure Government.
+Azure Event Hubs supports Impact Level 5 workloads in Azure Government with this configuration:
-> [!IMPORTANT]
-> Use client-side encryption to encrypt data before using Azure Event Hubs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
+- Use client-side encryption to encrypt data before using Azure Event Hubs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
### [HDInsight](https://azure.microsoft.com/services/hdinsight/) Azure HDInsight supports Impact Level 5 workloads in Azure Government with these configurations: - Azure HDInsight can be deployed to existing storage accounts that have enabled appropriate [Storage service encryption](#storage-encryption-with-key-vault-managed-keys), as discussed in the guidance for Azure Storage.-- Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for TDE is enabled on the option you choose. This process is discussed in the guidance for [Azure SQL Database](#azure-sql-database).-
-### [Power Automate](https://flow.microsoft.com/)
+- Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for transparent data encryption (TDE) is enabled on the option you choose. This process is discussed in the guidance for [Azure SQL Database](#azure-sql-database).
-Power Automate (formerly Microsoft Flow) supports Impact Level 5 workloads in Azure Government with no extra configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government regions.
-
-### [Power BI Embedded](https://azure.microsoft.com/services/power-bi-embedded/)
-
-Power BI Embedded supports Impact Level 5 workloads in Azure Government with no extra configuration required.
## Compute
Azure Batch supports Impact Level 5 workloads in Azure Government with this conf
- Enable user subscription mode, which will require a Key Vault instance for proper encryption and key storage. For more information, see the documentation on [batch account configurations](../batch/batch-account-create-portal.md).
-### [Cloud Services](https://azure.microsoft.com/services/cloud-services/)
-
-Azure Cloud Services supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Service Fabric](https://azure.microsoft.com/services/service-fabric/)
-
-Azure Service Fabric supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) and [virtual machine scale sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/)
+### [Virtual machines](https://azure.microsoft.com/services/virtual-machines/) and [virtual machine scale sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/)
You can use Azure virtual machines with multiple deployment mediums. You can do so for single virtual machines and for virtual machines deployed via the Azure virtual machine scale sets feature.
These VMs provide the necessary level of isolation required to support IL5 workl
Current Dedicated Host SKUs (VM series and Host Type) that offer the required compute isolation include SKUs in the VM families listed on the [Dedicated Host pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/dedicated-host/).
-#### Isolated virtual machines
-
-Virtual machine scale sets aren't currently supported on Azure Dedicated Host. But specific VM types, when deployed, consume the entire physical host for the VM. Each of the following VM types can be deployed via virtual machine scale sets to provide proper compute isolation with all the benefits of virtual machine scale sets in place. When you configure your scale set, select the appropriate SKU. To encrypt the data at rest, see the next section for supportable encryption options.
+#### [Isolated virtual machines](../virtual-machines/isolation.md)
-Current VM SKUs that offer the required compute isolation include SKUs in these VM families:
-
-| **VM family** | **VM SKU** |
-| | |
-| D-Series (general purpose) | Standard\_DS15\_v2Standard\_D15\_v2 |
-| Memory optimized | Standard\_E64is\_v3Standard\_E64i\_v3 |
-| Compute optimized | Standard\_F72s\_v2 |
-| Large memory optimized | Standard\_M128ms |
-| GPU-enabled | Standard\_NV24 |
+Virtual machine scale sets aren't currently supported on Azure Dedicated Host. But specific VM types, when deployed, consume the entire physical host for the VM. Isolated VM types can be deployed via virtual machine scale sets to provide proper compute isolation with all the benefits of virtual machine scale sets in place. When you configure your scale set, select the appropriate SKU. To encrypt the data at rest, see the next section for supportable encryption options.
> [!IMPORTANT]
-> As new hardware generations become available, some VM types might require reconfiguration (scale up or migration to a new VM SKU) to ensure they remain on properly dedicated hardware. This document will be updated to reflect any changes.
+> As new hardware generations become available, some VM types might require reconfiguration (scale up or migration to a new VM SKU) to ensure they remain on properly dedicated hardware. For more information, see **[Virtual machine isolation in Azure](../virtual-machines/isolation.md).**
#### Disk Encryption for virtual machines
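Review bot: in the new IMPORTANT callout the closing period sits inside the bold span (`...isolation.md).**`); move it outside the asterisks so the sentence does not end with a bold period. The removed SKU table was the only place this article enumerated isolated VM sizes, so the IL5 claim now rests entirely on the linked isolation page; confirm that page carries the list. Turning the heading into a link is safe for in-article references, since the generated anchor still comes from the link text and `#isolated-virtual-machines` continues to resolve.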
For Containers services availability in Azure Government, see [Products availabl
### [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/)
-Azure Kubernetes Service (AKS) supports Impact Level 5 workloads in Azure Government with these configurations:
+Azure Kubernetes Service (AKS) supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in AKS by [using customer-managed keys in Azure Key Vault](../aks/azure-disk-customer-managed-keys.md).-- For workloads that require isolation from other customer workloads, you can use [Isolated virtual machines](../aks/concepts-security.md#compute-isolation) as the agent nodes in an AKS cluster. ### [Container Instances](https://azure.microsoft.com/services/container-instances/)
Azure Container Instances supports Impact Level 5 workloads in Azure Government
- Azure Container Instances automatically encrypts data related to your containers when it's persisted in the cloud. Data in Container Instances is encrypted and decrypted with 256-bit AES encryption and enabled for all Container Instances deployments. You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption by using your own keys. For more information, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).
-The Container Instances Dedicated SKU provides an [isolated and dedicated compute environment](../container-instances/container-instances-dedicated-hosts.md) for running containers with increased security. When you use the Dedicated SKU, each container group has a dedicated physical server in an Azure datacenter.
- ### [Container Registry](https://azure.microsoft.com/services/container-registry/) Azure Container Registry supports Impact Level 5 workloads in Azure Government with this configuration:
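Review bot: the removed AKS bullet (`-- For workloads that require isolation from other customer workloads, you can use [Isolated virtual machines] ... as the agent nodes`) and the removed Container Instances paragraph on the Dedicated SKU were the only compute-isolation guidance in the Containers section; after this change the section lists encryption at rest as the sole control, while the Virtual machines section above still presents isolated VMs and dedicated hosts as providing the isolation required to support IL5. If compute isolation is no longer a requirement for container workloads at IL5, say so explicitly; if it still is, keep both passages.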
For Databases services availability in Azure Government, see [Products available
Azure API for FHIR supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure API for FHIR [using customer-managed keys in Azure Key Vault](../healthcare-apis/fhir/customer-managed-key.md)-
-### [Azure Cache for Redis](https://azure.microsoft.com/services/cache/)
-
-Azure Cache for Redis supports Impact Level 5 workloads in Azure Government with no extra configuration required.
+- Configure encryption at rest of content in Azure API for FHIR [using customer-managed keys in Azure Key Vault](../healthcare-apis/fhir/customer-managed-key.md).
### [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/)
-Azure Cosmos DB supports Impact Level 5 workloads in Azure Government with no extra configuration required.
+Azure Cosmos DB supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Data stored in your Azure Cosmos account is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Optionally, you can choose to add a second layer of encryption with keys you manage (customer-managed keys). For more information, see [Configure customer-managed keys for your Azure Cosmos account with Azure Key Vault](../cosmos-db/how-to-setup-cmk.md).
### [Azure Database for MySQL](https://azure.microsoft.com/services/mysql/)
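Review bot: the new Azure Cosmos DB bullet is introduced with `with this configuration:` but describes customer-managed keys as optional (`Optionally, you can choose to add a second layer of encryption`). Elsewhere the article uses that lead-in for settings the reader must apply (the Storage section says you "must use encryption at rest with the customer-managed key option enabled"). Either state that customer-managed keys are required for IL5 on Azure Cosmos DB, or keep the previous "no extra configuration required" wording and mention the optional second layer separately.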
SQL Server Stretch Database supports Impact Level 5 workloads in Azure Governmen
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption](../azure-sql/database/transparent-data-encryption-byok-overview.md).
-## Developer tools
-
-For Developer tools availability in Azure Government, see [Products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=app-configuration,devtest-lab,lab-services,azure-devops&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-
-### [Azure DevTest Labs](https://azure.microsoft.com/services/devtest-lab/)
-
-Azure DevTest Labs supports Impact Level 5 workloads in Azure Government with no extra configuration required.
## Hybrid
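Review bot: this hunk deletes the entire Developer tools category, including its "Products available by region" link, rather than only a per-service "no extra configuration" line; the same whole-category deletion is made later for Identity, Networking, Media, and Web. Check the article's category list and any table of contents or in-page links that point at those H2 headings, and consider keeping the H2 with the region-availability link so readers can still find DevTest Labs availability in Azure Government.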
Azure Stack Edge supports Impact Level 5 workloads in Azure Government with this
- You can protect data at rest via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. You can configure your storage account to use data encryption with customer-managed keys stored in Azure Key Vault. For more information, see [Protect data in storage accounts](../databox-online/azure-stack-edge-pro-r-security.md#protect-data-in-storage-accounts).
-## Identity
-
-For Identity services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=information-protection,active-directory-ds,active-directory&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-
-### [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
-
-Azure Active Directory supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Active Directory Domain Services](https://azure.microsoft.com/services/active-directory-ds/)
-
-Azure Active Directory Domain Services supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md)
-
-Multifactor authentication supports Impact Level 5 workloads in Azure Government with no extra configuration required.
## Integration For Integration services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=event-grid,api-management,service-bus,logic-apps&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-### [API Management](https://azure.microsoft.com/services/api-management/)
-
-Azure API Management supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-<a name="logic-apps"></a>
- ### [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/) Azure Logic Apps supports Impact Level 5 workloads in Azure Government. To meet these requirements, Logic Apps supports the capability for you to create and run workflows in an environment with dedicated resources so that you can avoid sharing computing resources with other tenants. For more information, see [Secure access and data in Azure Logic Apps: Isolation guidance](../logic-apps/logic-apps-securing-a-logic-app.md#isolation-logic-apps).
-### [Event Grid](https://azure.microsoft.com/services/event-grid/)
-
-Azure Event Grid can persist customer content for no more than 24 hours. For more information, see [Authenticate event delivery to event handlers](../event-grid/security-authentication.md). All data written to disk is encrypted with Microsoft-managed keys.
-
-Azure Event Grid supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Service Bus](https://azure.microsoft.com/services/service-bus/)
-Azure Service Bus supports Impact Level 5 workloads in Azure Government.
+Azure Service Bus supports Impact Level 5 workloads in Azure Government with this configuration:
-> [!IMPORTANT]
-> Use client-side encryption to encrypt data before using Azure Service Bus in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
+- Use client-side encryption to encrypt data before using Azure Service Bus in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
## Internet of Things
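Review bot: the Service Bus edit turns a mandatory instruction from an IMPORTANT callout into a configuration bullet; the text is unchanged, but it still names only US Gov Arizona, US Gov Texas, and US Gov Virginia, which leaves the reader to infer that client-side encryption is not needed in the DoD regions. Make that explicit, using the same "outside of the dedicated DoD regions" phrasing the Storage section uses. Removing the `<a name="logic-apps"></a>` anchor is safe only because the Azure Scheduler section that linked `#logic-apps` is also deleted in this patch; the Logic Apps heading itself still generates the same anchor.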
Azure IoT Hub supports Impact Level 5 workloads in Azure Government with this co
- IoT Hub supports encryption of data at rest with customer-managed keys, also known as "bring your own key" (BYOK). Azure IoT Hub provides encryption of data at rest and in transit. By default, Azure IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables customers to encrypt data at rest by using an [encryption key that they manage via Azure Key Vault](../iot-hub/iot-hub-customer-managed-keys.md).
-### [Notification Hubs](https://azure.microsoft.com/services/notification-hubs/)
-
-Azure Notification Hubs supports Impact Level 5 workloads in Azure Government with no extra configuration required.
## Management and governance
For Management and governance services availability in Azure Government, see [Pr
### [Automation](https://azure.microsoft.com/services/automation/)
-Automation supports Impact Level 5 workloads in Azure Government with these configurations:
+Automation supports Impact Level 5 workloads in Azure Government with this configuration:
-- Use the [Hybrid Runbook Worker](../automation/automation-hybrid-runbook-worker.md) feature of Azure Automation to run runbooks directly on the VM that's hosting the role and against resources in your environment. Runbooks are stored and managed in Azure Automation. They are then delivered to one or more assigned computers known as "Hybrid Runbook Workers." Use Azure Dedicated Host or isolated virtual machine types for the Hybrid Worker role. When deployed, [isolated VM types](#isolated-virtual-machines) consume the entire physical host for the VM, providing the level of isolation required to support IL5 workloads.-
- [Azure Dedicated Host](#azure-dedicated-host) provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription.
- By default, your Azure Automation account uses Microsoft-managed keys. You can manage the encryption of secure assets for your Automation account by using your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. For more information, see [Encryption of secure assets in Azure Automation](../automation/automation-secure-asset-encryption.md).
-### [Azure Advisor](https://azure.microsoft.com/services/advisor/)
-
-Azure Advisor supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Backup](https://azure.microsoft.com/services/backup/)
-
-Azure Backup supports all impact levels in Azure Government with no extra configuration required.
-
-### [Azure Blueprints](https://azure.microsoft.com/services/blueprints/)
-
-Azure Blueprints supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Cost Management and Billing](https://azure.microsoft.com/services/cost-management/)
-
-Azure Cost Management and Billing supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
-
-Azure Lighthouse supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Azure Managed Applications](https://azure.microsoft.com/services/managed-applications/) Azure Managed Applications supports Impact Level 5 workloads in Azure Government with this configuration: - You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs. For more information, see [Bring your own storage](../azure-resource-manager/managed-applications/publish-service-catalog-app.md#bring-your-own-storage-for-the-managed-application-definition).
-### [Azure Monitor](https://azure.microsoft.com/services/monitor/)
-
-Azure Monitor supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-> [!IMPORTANT]
-> See additional guidance for **[Log Analytics](#log-analytics)**, which is a feature of Azure Monitor.
-
-### [Azure Policy](https://azure.microsoft.com/services/azure-policy/)
-
-Azure Policy supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Policy Guest Configuration](../governance/policy/concepts/guest-configuration.md)
-
-Azure Policy Guest Configuration supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure portal](https://azure.microsoft.com/features/azure-portal/)
-
-The Azure portal supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-You can add a markdown tile to your Azure dashboards to display custom static content. For example, you can show basic instructions, an image, or a set of hyperlinks on a [markdown tile](../azure-portal/azure-portal-markdown-tile.md).
-
-### [Azure Resource Graph](../governance/resource-graph/overview.md)
-
-Azure Resource Graph supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/)
-
-Azure Resource Manager supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### Azure Scheduler
-
-Azure Scheduler is being retired and replaced by [Azure Logic Apps](#logic-apps). To continue working with the jobs that you set up in Scheduler, [migrate to Azure Logic Apps](../scheduler/migrate-from-scheduler-to-logic-apps.md) as soon as you can.
-
-### [Azure Service Health](https://azure.microsoft.com/features/service-health/)
-
-Azure Service Health supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Azure Site Recovery](https://azure.microsoft.com/services/site-recovery/) Azure Site Recovery supports Impact Level 5 workloads in Azure Government with this configuration: - You can replicate Azure VMs with managed disks enabled for customer-managed keys from one Azure region to another. For more information, see [Replicate machines with customer-managed key disks](../site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks.md).
-### [Cloud Shell](https://azure.microsoft.com/features/cloud-shell/)
-
-Azure Cloud Shell supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-<a name="log-analytics"></a>
- ### [Log Analytics](../azure-monitor/logs/data-platform-logs.md) Log Analytics is intended to be used for monitoring the health and status of services and infrastructure. The monitoring data and logs primarily store [logs and metrics](../azure-monitor/logs/data-security.md#data-retention) that are service generated. When used in this primary capacity, Log Analytics supports Impact Level 5 workloads in Azure Government with no extra configuration required.
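Review bot: the removed Automation bullet (run the Hybrid Runbook Worker on Azure Dedicated Host or isolated VM types) was the one place the article required compute isolation for runbook execution; with the lead-in changed to the singular `this configuration:`, the section keeps only the customer-managed-key guidance. As with the Containers hunk, state whether isolation of the worker is no longer an IL5 requirement, since the Virtual machines section still describes dedicated hardware as required. Separately, the Azure Scheduler section removed here was retirement and migration guidance rather than a "no extra configuration" statement; confirm it is covered elsewhere before dropping it. Removing `<a name="log-analytics"></a>` is fine because the Azure Monitor callout that linked to it is removed in the same hunk and the Log Analytics heading generates the same anchor.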
Log Analytics may also be used to ingest additional customer-provided logs. Thes
Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required. Line-of-business apps should be evaluated for IL5 restrictions prior to [uploading to Intune storage](/mem/intune/apps/apps-add). While Intune does encrypt applications that are uploaded to the service for distribution, it does not support customer-managed keys.
-## Media
-
-For Media services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=media-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-
-### [Azure Media Services](https://azure.microsoft.com/services/media-services/)
-
-Azure Media Services supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Content Delivery Network](https://azure.microsoft.com/services/cdn/)
-
-Content Delivery Network supports Impact Level 5 workloads in Azure Government with no extra configuration required.
## Migration
For Migration services availability in Azure Government, see [Products available
Azure Data Box supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure Data Box [using customer-managed keys in Azure Key Vault](../databox/data-box-customer-managed-encryption-key-portal.md)
+- Configure encryption at rest of content in Azure Data Box [using customer-managed keys in Azure Key Vault](../databox/data-box-customer-managed-encryption-key-portal.md).
### [Azure Migrate](https://azure.microsoft.com/services/azure-migrate/)
Azure Migrate supports Impact Level 5 workloads in Azure Government with this co
- Configure encryption at rest of content in Azure Migrate by [using customer-managed keys in Azure Key Vault](../migrate/how-to-migrate-vmware-vms-with-cmk-disks.md).
-### [Azure Database Migration Service](https://azure.microsoft.com/services/database-migration/)
-
-Azure Database Migration Service supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-## Networking
-
-For Networking services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=internet-analyzer,private-link,azure-bastion,frontdoor,virtual-wan,dns,ddos-protection,cdn,azure-firewall,network-watcher,load-balancer,vpn-gateway,expressroute,application-gateway,virtual-network&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-
-### [Application Gateway](https://azure.microsoft.com/services/application-gateway/)
-
-Azure Application Gateway supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/)
-
-Azure Bastion supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
-
-Azure DDoS Protection supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure DNS](https://azure.microsoft.com/services/dns/)
-
-Azure DNS supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/)
-
-ExpressRoute supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)
-
-Azure Firewall supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Front Door](https://azure.microsoft.com/services/frontdoor/)
-
-Azure Front Door supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Peering Service](../peering-service/about.md)
-
-Microsoft Peering Service supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Azure Private Link](https://azure.microsoft.com/services/private-link/)
-
-Azure Private Link supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Load Balancer](https://azure.microsoft.com/services/load-balancer/)
-
-Azure Load Balancer supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Network Watcher](https://azure.microsoft.com/services/network-watcher/)
-
-Azure Network Watcher and Network Watcher traffic analytics support Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Traffic Manager](https://azure.microsoft.com/services/traffic-manager/)
-
-Azure Traffic Manager supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Virtual Network](https://azure.microsoft.com/services/virtual-network/)
-
-Azure Virtual Network supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Virtual NAT](../virtual-network/nat-gateway/nat-overview.md)
-
-Virtual NAT supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/)
-
-Azure VPN Gateway supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
-
-Web Application Firewall supports Impact Level 5 workloads in Azure Government with no extra configuration required.
## Security For Security services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sentinel,azure-dedicated-hsm,security-center,key-vault&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-### [Azure Dedicated HSM](https://azure.microsoft.com/services/azure-dedicated-hsm/)
-
-Azure Dedicated HSM supports Impact Level 5 workloads in Azure Government with no extra configuration required.
- ### [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) Azure Information Protection supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure Information Protection [using customer-managed keys in Azure Key Vault](/azure/information-protection/byok-price-restrictions)
+- Configure encryption at rest of content in Azure Information Protection [using customer-managed keys in Azure Key Vault](/azure/information-protection/byok-price-restrictions).
### [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
Azure Sentinel supports Impact Level 5 workloads in Azure Government with this c
- Configure encryption at rest of content in Azure Sentinel by [using customer-managed keys in Azure Key Vault](../sentinel/customer-managed-keys.md).
-### [Key Vault](https://azure.microsoft.com/services/key-vault/)
-
-Azure Key Vault supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Security Center](https://azure.microsoft.com/services/security-center/)
-
-Azure Security Center supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md)
-
-Customer Lockbox for Microsoft Azure supports Impact Level 5 workloads in Azure Government with no extra configuration required. It is available and authorized at IL5 in Azure Government US Gov Arizona, US Gov Texas, and US Gov Virginia regions.
- ### [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) Microsoft Cloud App Security supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Microsoft Cloud App Security [using customer-managed keys in Azure Key Vault](/cloud-app-security/cas-compliance-trust#security)-
-### [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
-
-Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, also known as Microsoft Defender ATP) supports Impact Level 5 workloads in Azure Government with no extra configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government and Azure Government for DoD regions.
-
-### [Microsoft Defender for Identity](/defender-for-identity/what-is)
-
-Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) supports Impact Level 5 workloads in Azure Government with no extra configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government regions.
+- Configure encryption at rest of content in Microsoft Cloud App Security [using customer-managed keys in Azure Key Vault](/cloud-app-security/cas-compliance-trust#security).
-### [Microsoft Graph](/graph/overview)
-
-Microsoft Graph supports Impact Level 5 workloads in Azure Government with no extra configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government and Azure Government for DoD regions.
## Storage
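Review bot: the removed Customer Lockbox, Defender for Endpoint, Defender for Identity, and Microsoft Graph sections carried authorization-scope facts, not just "no extra configuration" statements: Customer Lockbox was stated as authorized at IL5 in the US Gov Arizona, US Gov Texas, and US Gov Virginia regions, Defender for Identity in Azure Government regions, and Defender for Endpoint and Microsoft Graph in both Azure Government and Azure Government for DoD regions. Those per-region distinctions cannot be inferred from a default, so either keep those four sections or confirm that the linked audit-scope page states the same per-region IL5 authorization for each service.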
For Storage services availability in Azure Government, see [Products available b
Azure Archive Storage can be used in Azure Government to support Impact Level 5 data. Azure Archive Storage is a tier of Azure Storage. It automatically helps secure data at rest by using 256-bit AES encryption. Just like hot and cool tiers, Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point customers can enforce customer-managed keys that are in place for their online storage tiers. When you create a target storage account for Impact Level 5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see the [storage services section](#storage-encryption-with-key-vault-managed-keys).
-The target storage account for Archive Storage can be located in any Azure Government or Azure Government for DoD region.
+The target storage account for Archive Storage can be located in any Azure Government region.
### [Azure File Sync](../storage/file-sync/file-sync-planning.md)
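Review bot: changing `any Azure Government or Azure Government for DoD region` to `any Azure Government region` for the Archive Storage target account (and the same edit for the Import/Export accounts later in this patch) reads as dropping the DoD regions, because this article treats the two as distinct sets (the Storage encryption section says "Azure Government outside of the dedicated DoD regions"). If the DoD regions are still valid locations, keep both terms; if they are not, the change message should say so.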
Azure HPC Cache supports Impact Level 5 workloads in Azure Government with this
Azure Import/Export service can be used in Azure Government to import and export Impact Level 5 data. By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of Impact Level 5 data, add storage encryption via customer-managed keys. For more information, see the [storage services section](#storage-encryption-with-key-vault-managed-keys) of this document.
-The target storage account for import and source storage account for export can be located in any Azure Government or Azure Government for DoD regions.
+The target storage account for import and source storage account for export can be located in any Azure Government region.
### [Azure NetApp Files](https://azure.microsoft.com/services/netapp/)
When you use an Azure Storage account, you must follow the steps for [storage en
#### Storage encryption with Key Vault managed keys
-To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. The customer-managed key option is also known as "bring your own key."
+To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. The customer-managed key option is also known as *bring your own key.*
For more information about how to enable this Azure Storage encryption feature, see the documentation for [Azure Storage](../storage/common/customer-managed-keys-configure-key-vault.md).
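Review bot: in `*bring your own key.*` the sentence's period is inside the italic span; move it after the closing asterisk. Replacing the quotation marks with italics otherwise matches the page's style.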
For more information about how to enable this Azure Storage encryption feature,
StorSimple supports Impact Level 5 workloads in Azure Government with this configuration: - To help ensure the security and integrity of data moved to the cloud, StorSimple allows you to [define cloud storage encryption keys](../storsimple/storsimple-8000-security.md#storsimple-data-protection). You specify the cloud storage encryption key when you create a volume container. -
-## Web
-
-For Web services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud,signalr-service,app-service-linux,app-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-
-### [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service/)
-
-Azure SignalR Service supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-
-### [Web Apps feature of Azure App Service](https://azure.microsoft.com/services/app-service/web/)
-
-Web Apps supports Impact Level 5 workloads in Azure Government with this configuration:
--- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the [App Service plan documentation](../app-service/overview-hosting-plans.md).
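Review bot: this hunk deletes the Web Apps entry together with its required configuration (`deploy your web apps on the Isolated SKU` for network and workload isolation), which is a prerequisite rather than a "no extra configuration" statement like the other removals in this patch. If App Service is still IL5-supported only on the Isolated SKU, the section must stay; if the requirement has been dropped or moved, the change message should say where readers now find it.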
azure-maps Set Drawing Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/set-drawing-options.md
# Use the drawing tools module
-The Azure Maps Web SDK provides a *drawing tools module*. This module makes it easy to draw and edit shapes on the map using an input device such as a mouse or touch screen. The core class of this module is the [drawing manager](/javascript/api/azure-maps-drawing-tools/atlas.drawing.drawingmanager#setoptions-drawingmanageroptions-). The drawing manager provides all the capabilities needed to draw and edit shapes on the map. It can be used directly, and it's integrated with a custom toolbar UI. You can also use the built-in [drawing toolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar) class.
+The Azure Maps Web SDK provides a *drawing tools module*. This module makes it easy to draw and edit shapes on the map using an input device such as a mouse or touch screen. The core class of this module is the [drawing manager](/javascript/api/azure-maps-drawing-tools/atlas.drawing.drawingmanager#setoptions-drawingmanageroptions-). The drawing manager provides all the capabilities needed to draw and edit shapes on the map. It can be used directly, and it's integrated with a custom toolbar UI. You can also use the built-in [drawing toolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar) class.
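Review bot: the `-`/`+` pair for the opening paragraph is identical in visible text, so the change is whitespace-only (trailing whitespace or line-ending normalization); the same applies to the Drawing toolbar link pair at the end of this file. Confirm that no invisible character was introduced, or drop the pair so the diff is limited to the real changes.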
## Loading the drawing tools module in a webpage
The Azure Maps Web SDK provides a *drawing tools module*. This module makes it e
- Use the globally hosted, Azure Content Delivery Network version of the Azure Maps services module. Add reference to the JavaScript and CSS stylesheet in the `<head>` element of the file: ```html
- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/drawing/0/atlas-drawing.min.css" type="text/css" />
- <script src="https://atlas.microsoft.com/sdk/javascript/drawing/0/atlas-drawing.min.js"></script>
+ <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/drawing/1/atlas-drawing.min.css" type="text/css" />
+ <script src="https://atlas.microsoft.com/sdk/javascript/drawing/1/atlas-drawing.min.js"></script>
``` - Or, you can load the drawing tools module for the Azure Maps Web SDK source code locally by using the [azure-maps-drawing-tools](https://www.npmjs.com/package/azure-maps-drawing-tools) npm package, and then host it with your app. This package also includes TypeScript definitions. Use this command:
-
+ > **npm install azure-maps-drawing-tools**
-
+ Then, add a reference to the JavaScript and CSS stylesheet in the `<head>` element of the file: ```html
var source = drawingManager.getSource();
//Add your shape. source.add(shape);+
+//Alternatively, load in a GeoJSON feed using the sources importDataFromUrl function.
+source.importDataFromUrl('yourFeatures.json');
```
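Review bot: The bumped CDN references `<script src="https://atlas.microsoft.com/sdk/javascript/drawing/1/atlas-drawing.min.js">` and the matching stylesheet still carry no `integrity` or `crossorigin` attributes, and the `drawing/1/` path (moved from `drawing/0/`) looks like a major-version alias rather than an exact release, so a page that copies this snippet runs whatever 1.x build the CDN currently serves. Since the same hunk adds the npm route, say explicitly that the npm package is the way to pin and audit a specific version and that the CDN path floats within the major version. Also, `> **npm install azure-maps-drawing-tools**` renders as bold quoted text, not a command; put it in a fenced code block like the surrounding snippets.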
+The following table lists the type of editing supported by different types of shape features.
+
+| Shape feature | Edit points | Rotate | Delete shape |
+||:--:|::|::|
+| Point | Γ£ô | | Γ£ô |
+| LineString | Γ£ô | Γ£ô | Γ£ô |
+| Polygon | Γ£ô | Γ£ô | Γ£ô |
+| MultiPoint | | Γ£ô | Γ£ô |
+| MultiLineString | | Γ£ô | Γ£ô |
+| MultiPolygon | | Γ£ô | Γ£ô |
+| Circle | Γ£ô | | Γ£ô |
+| Rectangle | Γ£ô | Γ£ô | Γ£ô |
+ ## Next steps Learn how to use additional features of the drawing tools module:
Learn more about the classes and methods used in this article:
> [Drawing manager](/javascript/api/azure-maps-drawing-tools/atlas.drawing.drawingmanager) > [!div class="nextstepaction"]
-> [Drawing toolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar)
+> [Drawing toolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar)
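Review bot: The alignment row of the new table, `||:--:|::|::|`, is not valid Markdown table syntax: the first cell is empty and `::` contains no dash, so GFM renderers will not recognize the block as a table and it will render as literal pipe-separated text. Use `|---|:--:|:--:|:--:|` (a dash run in every column, centered for the three check-mark columns). Separately, the removed and added `> [Drawing toolbar]` lines at the end of the hunk are textually identical, so that part is a whitespace-only change.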
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agents-overview.md
Use the Azure Monitor agent if you need to:
--> Limitations of the Azure Monitor Agent include: - Cannot use the Log Analytics solutions in production (only available in preview, [see what's supported](../faq.yml#which-log-analytics-solutions-are-supported-on-the-new-azure-monitor-agent-)).-- No support yet for networking scenarios involving private links or direct proxies (Log Analytics/OMS gateway).
+- No support yet for networking scenarios involving private links.
- No support yet collecting custom logs (files) or IIS log files. - No support yet for Event Hubs and Storage accounts as destinations. - No support for Hybrid Runbook workers.
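Review bot: The rewritten limitation `+- No support yet for networking scenarios involving private links.` silently drops "or direct proxies (Log Analytics/OMS gateway)" from the removed line. If direct proxy and Log Analytics gateway scenarios are now supported, state that explicitly and point to where the proxy configuration is documented; a reader comparing versions cannot otherwise tell whether the gateway became supported or the caveat was simply lost.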
azure-monitor Om Agents https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/om-agents.md
During initial registration of your Operations Manager management group with a L
1. Open an elevated command-prompt. a. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select Run as administrator**.
+ b. Right-click **Command prompt** and select **Run as administrator**.
1. Enter the following command and press **Enter**: `netsh winhttp set proxy <proxy>:<port>`
In the future if you plan on reconnecting your management group to a Log Analyti
## Next steps
-To add functionality and gather data, see [Add Azure Monitor solutions from the Solutions Gallery](../insights/solutions.md).
+To add functionality and gather data, see [Add Azure Monitor solutions from the Solutions Gallery](../insights/solutions.md).
azure-monitor Logicapp Flow Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logicapp-flow-connector.md
For example, you can create a logic app to use Azure Monitor log data in an emai
## Connector limits The Azure Monitor Logs connector has these limits:
-* Max data size: 16 MB
-* Max query response size 100 MB
+* Max query response size ~16.7 MB MB (16 MiB)
* Max number of records: 500,000 * Max query timeout 110 second. * Chart visualizations could be available in Logs page and missing in the connector since the connector and Logs page don't use the same charting libraries currently.
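Review bot: `+* Max query response size ~16.7 MB MB (16 MiB)` repeats the unit; write `~16.7 MB (16 MiB)`. More importantly, the hunk replaces two separate limits (`Max data size: 16 MB` and `Max query response size 100 MB`) with a single 16 MiB response-size limit, which is a reduction from the previously documented 100 MB; whether the old figure was wrong or the limit actually shrank, the change deserves a sentence for users whose logic apps depend on large result sets. While touching this list, `Max query timeout 110 second` should read `110 seconds`.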
azure-monitor Logs Data Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-data-export.md
Log Analytics workspace data export continuously exports data from a Log Analyti
- Supported tables currently are limited those specified in the [supported tables](#supported-tables) section below. For example, custom log tables currently aren't supported. - If the data export rule includes an unsupported table, the operation will succeed, but no data will be exported for that table until the table gets supported. - If the data export rule includes a table that doesn't exist, it will fail with error `Table <tableName> does not exist in the workspace`.-- Data export will be available in all regions, but currently not available in the following: Switzerland North, Switzerland West, Germany West Central, Australia Central 2, UAE Central, UAE North, Japan West, Brazil Southeast, Norway East, Norway West, France South, South India, Korea South, Jio India Central, Jio India West, Canada East, West US 3, Sweden Central, Sweden South.
+- Data export will be available in all regions, but currently not available in the following: Switzerland North, Switzerland West, Germany West Central, Australia Central 2, UAE Central, UAE North, Japan West, Brazil Southeast, Norway East, Norway West, France South, South India, Korea South, Jio India Central, Jio India West, Canada East, West US 3, Sweden Central, Sweden South, Government clouds, China.
- You can define up to 10 enabled rules in your workspace. Additional rules are allowed but in disable state. - Destination must be unique across all export rules in your workspace. - The destination storage account or event hub must be in the same region as the Log Analytics workspace.
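Review bot: `Government clouds, China` is appended to a comma-separated list of region names, but these are sovereign clouds rather than regions, so the sentence "available in all regions, but currently not available in the following: ..." now reads as if they were two more regions. State them separately, for example "Data export is not yet available in the Azure Government or Azure China clouds", and keep the region list for regions only.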
If the data export rule includes a table that doesn't exist, it will fail with t
## Supported tables
-Supported tables currently are limited to those specified below. All data from the table will be exported unless limitations are specified. This list will be updated as support for additional tables is added.
+Supported tables are currently limited to those specified below. All data from the table will be exported unless limitations are specified. This list is updated as support for additional tables added.
| Table | Limitations | |:|:|
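Review bot: The new sentence `This list is updated as support for additional tables added.` is missing a verb; it should read `as support for additional tables is added`. The rest of the rewording (`Supported tables are currently limited to`) is fine.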
azure-monitor Workbooks Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualize/workbooks-overview.md
Here is a video walkthrough on creating workbooks.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4B4Ap]
+> [!NOTE]
+> Legacy and private workbooks have been removed. Use the the [workbook retrieval tool](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Documentation/LegacyAI/DeprecatedWorkbookRetrievalTool.md) to retrieve the contents of your old workbook.
+ ## Data sources Workbooks can query data from multiple sources within Azure. Authors of workbooks can transform this data to provide insights into the availability, performance, usage, and overall health of the underlying components. For instance, analyzing performance logs from virtual machines to identify high CPU or low memory instances and displaying the results as a grid in an interactive report.
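Review bot: `Use the the [workbook retrieval tool]` has a doubled "the". The note also states that legacy and private workbooks "have been removed" without saying whether the retrieval tool is itself time-limited; if the underlying data will also be purged, add the date so readers know there is a window in which recovery still works.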
Workbooks provide a rich set of capabilities for visualizing your data. For deta
* [Trees](../visualize/workbooks-tree-visualizations.md) * [Graphs](../visualize/workbooks-graph-visualizations.md) * [Composite bar](../visualize/workbooks-composite-bar.md)
+* [Honey comb](workbooks-honey-comb.md)
+* [Map](workbooks-map-visualizations.md)
:::image type="content" source="./media/workbooks-overview/visualizations.png" alt-text="Example of workbook visualizations." border="false" lightbox="./media/workbooks-overview/visualizations.png":::
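Review bot: The two new list entries link to `workbooks-honey-comb.md` and `workbooks-map-visualizations.md` by bare file name, while the neighbouring entries (`Trees`, `Graphs`, `Composite bar`) use the `../visualize/` prefix. Both forms resolve because this file lives in `articles/azure-monitor/visualize/`, but keep one style within the list: either convert the existing items to bare names or add the prefix to the new ones.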
Workbooks provide a rich set of capabilities for visualizing your data. For deta
Text, query, and metrics steps in a workbook can be pinned by using the pin button on those items while the workbook is in pin mode, or if the workbook author has enabled settings for that element to make the pin icon visible.
-To access pin mode, click **Edit** to enter editing mode, and select the blue pin icon in the top bar. An individual pin icon will then appear above each corresponding workbook part's *Edit* box on the right-hand side of your screen.
+To access pin mode, select **Edit** to enter editing mode, and select the blue pin icon in the top bar. An individual pin icon will then appear above each corresponding workbook part's *Edit* box on the right-hand side of your screen.
:::image type="content" source="./media/workbooks-overview/pin-experience.png" alt-text="Screenshot of the pin experience." border="false":::
If a pinned step has an explicitly set time range (does not use a time range par
Once you start creating your own workbook templates you might want to share it with the wider community. To learn more, and to explore other templates that aren't part of the default Azure Monitor gallery view visit our [GitHub repository](https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/README.md). To browse existing workbooks, visit the [Workbook library](https://github.com/microsoft/Application-Insights-Workbooks/tree/master/Workbooks) on GitHub. + ## Next step * [Get started](#visualizations) learning more about workbooks many rich visualizations options.
azure-percept How To Troubleshoot Setup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-troubleshoot-setup.md
Refer to the table below for workarounds to common issues found during the [Azur
|The Azure Percept DK Wi-Fi access point (scz-xxxx or apd-xxxx) appears in the network list but fails to connect.|It could be because of a temporary corruption of the dev kit's Wi-Fi access point.|Reboot the dev kit and try again.| |Unable to connect to a Wi-Fi network during the setup experience.|The Wi-Fi network must currently have internet connectivity to communicate with Azure. EAP[PEAP/MSCHAP], captive portals, and enterprise EAP-TLS connectivity is currently not supported.|Ensure your Wi-Fi network type is supported and has internet connectivity.| |After using the Device Code and signing into Azure, you're presented with an error about policy permissions or compliance issues and will be unable to continue. Here are some of the errors you may see:<br>**BlockedByConditionalAccessOnSecurityPolicy** The tenant admin has configured a security policy that blocks this request. Check the security policies defined at the tenant level to determine if your request meets the policy. <br>**DevicePolicyError** The user tried to sign into a device from a platform that's currently not supported through Conditional Access policy.<br>**DeviceNotCompliant** - Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune<br>**BlockedByConditionalAccess** Access has been blocked by Conditional Access policies. The access policy doesn't allow token issuance. |Some Azure tenants may block the usage of ΓÇ£Device CodesΓÇ¥ for manipulating Azure resources as a Security precaution. It's usually the result of your organization's IT policies. As a result, the Azure Percept Setup experience can't create any Azure resources for you. |Work with your organization to navigate their IT policies. |
+|You see the following errors when trying to receive the device code while setting up a new device: <br>**In the setup experience UI** - *Unable to get device code. Make sure the device is connected to internet*; <br>**In the browser Web Developer Mode** - *Failed to load resource: the server responded with a status of 503 (Service Unavailable)* <br><br>or <br><br>*Certificate not yet valid*. | There's an issue with your Wi-Fi network or your host computer's date/time is incorrect. | Try plugging in an Ethernet cable to the devkit or connecting to a different Wi-Fi network and try again. Less common causes could be your host computer's date/time are off.|
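Review bot: The new row lists *Certificate not yet valid* among the symptoms and names an incorrect host date/time as a cause, but the workaround column only says "Less common causes could be your host computer's date/time are off" and gives no action. *Certificate not yet valid* is the TLS certificate check failing because the clock is behind the certificate's validity start, so the remediation should be explicit: correct the host computer's date, time and time zone and retry; the fix is never to bypass the certificate check. Also "date/time are off" should be "date/time is off", and the same sentence is repeated almost verbatim in the note added to quickstart-percept-dk-set-up.md in this batch, so consider having the quickstart link to this row instead of duplicating the text.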
azure-percept Quickstart Percept Dk Set Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/quickstart-percept-dk-set-up.md
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
1. Go to the [Azure portal](https://portal.azure.com/) and log in with the same Azure account you intend to use with Azure Percept.
-1. Click on the **Subscriptions** icon (it looks like a yellow key).
+1. Select the **Subscriptions** icon (it looks like a yellow key).
1. Select your subscription from the list. If you do not see your subscription, make sure you are signed in with the correct Azure account. If you wish to create a new subscription, follow [these steps](../cost-management-billing/manage/create-subscription.md). 1. From the Subscription menu, select **Access control (IAM)**.
-1. Click **View my access**.
+1. Select **View my access**.
1. Check the role: - If your role is listed as **Reader** or if you get a message that says you do not have permission to see roles, you will need to follow the necessary process in your organization to elevate your account role. - If your role is listed as **owner** or **contributor**, your account will work with Azure Percept, and you may proceed with the setup experience. ## Launch the Azure Percept DK Setup Experience
-1. Connect your host computer directly to the dev kitΓÇÖs Wi-Fi access point. Like connecting to any other Wi-Fi network, open the network and internet settings on your computer, click on the following network, and enter the network password when prompted:
+1. Connect your host computer directly to the dev kitΓÇÖs Wi-Fi access point. Like connecting to any other Wi-Fi network, open the network and internet settings on your computer, select the following network, and enter the network password when prompted:
- **Network name**: depending on your dev kit's operating system version, the name of the Wi-Fi access point is either **scz-xxxx** or **apd-xxxx** (where ΓÇ£xxxxΓÇ¥ is the last four digits of the dev kitΓÇÖs MAC address) - **Password**: can be found on the Welcome Card that came with the dev kit
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
## Complete the Azure Percept DK Setup Experience
-1. Click **Next** on the **Welcome** screen.
+1. Select **Next** on the **Welcome** screen.
-1. On the **Network connection** page, click **Connect to a new WiFi network**.
+1. On the **Network connection** page, select **Connect to a new WiFi network**.
- If you have already connected your dev kit to your Wi-Fi network, click **Skip**.
+ If you have already connected your dev kit to your Wi-Fi network, select **Skip**.
-1. Select your Wi-Fi network from the list of available networks and click **connect**. Enter your network password when prompted.
+1. Select your Wi-Fi network from the list of available networks and select **connect**. Enter your network password when prompted.
> [!NOTE] > **Mac users** - When going through the setup experience on a Mac, it initially opens in a window rather than a web browser. The window isn't persisted once the connection switches from the device's access point to Wi-Fi. Open a web browser and go to https://10.1.1.1, which will allow you to complete the setup experience.
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
> [!NOTE] > The IP address may change with each device boot.
-1. Read through the License Agreement, select **I have read and agree to the License Agreement** (you must scroll to the bottom of the agreement), and click **Next**.
+1. Read through the License Agreement, select **I have read and agree to the License Agreement** (you must scroll to the bottom of the agreement), and select **Next**.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-05-eula.png" alt-text="Accept EULA.":::
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
> [!NOTE] > SSH (Secure Shell) is a network protocol that enables you to connect to the dev kit remotely via a host computer.
-1. On the next page, click **Setup as a new device** to create a new device within your Azure account.
+1. On the next page, select **Setup as a new device** to create a new device within your Azure account.
-1. Click **Copy** to copy your device code. Afterward, click **Login to Azure**.
+1. Select **Copy** to copy your device code. Afterward, select **Login to Azure**.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-08-copy-code.png" alt-text="Copy device code.":::
-1. A new browser tab will open with a window that says **Enter code**. Paste the code into the window and click **Next**. Do NOT close the **Welcome** tab with the setup experience.
+ > [!NOTE]
+ > If you receive this error message when trying to receive the Device Code: *Unable to get device code. Please make sure the device is connected to internet*. The most common cause is your on-site network. Try plugging in an Ethernet cable to the dev kit or connecting to a different Wi-Fi network and try again. Less common causes could be your host computer's date/time are off.
+
+1. A new browser tab will open with a window that says **Enter code**. Paste the code into the window and select **Next**. Do NOT close the **Welcome** tab with the setup experience.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-09-enter-code.png" alt-text="Enter device code.":::
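Review bot: The first sentence of the new note is a fragment: `If you receive this error message when trying to receive the Device Code: *Unable to get device code. ...*.` has a condition but no main clause. Rewrite as "If you receive the error *Unable to get device code. Please make sure the device is connected to internet*, the most common cause is your on-site network." and change "date/time are off" to "date/time is off". Since how-to-troubleshoot-setup.md gains a row for this same error in this batch, and this page already links to that guide under "Assign your device to your Azure IoT Hub", a one-line pointer to the troubleshooting guide would avoid maintaining the same text in two places.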
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
1. When the **Assign your device to your Azure IoT Hub** page appears on the **Welcome** tab, take one of the following actions: - If you already have an IoT Hub you would like to use with Azure Percept and it is listed on this page, select it and jump to step 15.
- - If you do not have an IoT Hub or would like to create a new one, click **Create a new Azure IoT Hub**.
+ - If you do not have an IoT Hub or would like to create a new one, select **Create a new Azure IoT Hub**.
> [!IMPORTANT] > If you have an IoT Hub, but it is not appearing in the list, you may have signed into Azure Percept with the wrong credentials. See the [setup troubleshooting guide](./how-to-troubleshoot-setup.md) for help.
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
1. To create a new IoT Hub, complete the following fields: - Select the Azure subscription you will use with Azure Percept.
- - Select an existing Resource Group. If one does not exist, click **Create new** and follow the prompts.
+ - Select an existing Resource Group. If one does not exist, select **Create new** and follow the prompts.
- Select the Azure region closest to your physical location. - Give your new IoT Hub a name. - Select the S1 (standard) pricing tier.
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
> [!NOTE] > If you end up needing a higher [message throughput](../iot-hub/iot-hub-scaling.md#message-throughput) for your edge AI applications, you may [upgrade your IoT Hub to a higher standard tier](../iot-hub/iot-hub-upgrade.md) in the Azure Portal at any time. B and F tiers do NOT support Azure Percept.
-1. IoT Hub deployment may take a few minutes. When the deployment is complete, click **Register**.
+1. IoT Hub deployment may take a few minutes. When the deployment is complete, select **Register**.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-16-iot-hub-success.png" alt-text="IoT Hub successfully deployed.":::
-1. Enter a device name for your dev kit and click **Next**.
+1. Enter a device name for your dev kit and select **Next**.
1. Wait for the device modules to download ΓÇô this will take a few minutes.
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
1. Connect your host computer to the Wi-Fi network your devkit connected to in Step 2.
-1. Click **Continue to the Azure portal**.
+1. Select **Continue to the Azure portal**.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-20-Azure-portal-continue.png" alt-text="Go to Azure Percept Studio."::: ## View your dev kit video stream and deploy a sample model
-1. The [Azure Percept Studio Overview page](https://go.microsoft.com/fwlink/?linkid=2135819) is your launch point for accessing many different workflows for both beginning and advanced edge AI solution development. To get started, click on **Devices** from the left menu.
+1. The [Azure Percept Studio Overview page](https://go.microsoft.com/fwlink/?linkid=2135819) is your launch point for accessing many different workflows for both beginning and advanced edge AI solution development. To get started, select **Devices** from the left menu.
:::image type="content" source="./media/quickstart-percept-dk-setup/portal-01-get-device-list.png" alt-text="View your list of devices.":::
-1. Verify your dev kit is listed as **Connected** and click on it to view the device page.
+1. Verify your dev kit is listed as **Connected** and select it to view the device page.
:::image type="content" source="./media/quickstart-percept-dk-setup/portal-02-select-device.png" alt-text="Select your device.":::
-1. Click **View your device stream**. If this is the first time viewing the video stream of your device, you will see a notification that a new model is being deployed in the upper right-hand corner. This may take a few minutes.
+1. Select **View your device stream**. If this is the first time viewing the video stream of your device, you will see a notification that a new model is being deployed in the upper right-hand corner. This may take a few minutes.
:::image type="content" source="./media/quickstart-percept-dk-setup/view-stream.png" alt-text="View your video stream.":::
- Once the model has deployed, you will get another notification with a **View stream** link. Click on the link to view the video stream from your Azure Percept Vision camera in a new browser window. The dev kit is preloaded with an AI model that automatically performs object detection of many common objects.
+ Once the model has deployed, you will get another notification with a **View stream** link. Select the link to view the video stream from your Azure Percept Vision camera in a new browser window. The dev kit is preloaded with an AI model that automatically performs object detection of many common objects.
:::image type="content" source="./media/quickstart-percept-dk-setup/portal-03-2-object-detection.png" alt-text="See object detection.":::
-1. Azure Percept Studio also has a number of sample AI models. To deploy a sample model to your dev kit, navigate back to your device page and click **Deploy a sample model**.
+1. Azure Percept Studio also has a number of sample AI models. To deploy a sample model to your dev kit, navigate back to your device page and select **Deploy a sample model**.
:::image type="content" source="./media/quickstart-percept-dk-setup/deploy-sample-model.png" alt-text="Explore pre-built models.":::
-1. Select a sample model from the library and click **Deploy to device**.
+1. Select a sample model from the library and select **Deploy to device**.
:::image type="content" source="./media/quickstart-percept-dk-setup/portal-05-2-select-journey.png" alt-text="See object detection in action.":::
-1. Once the model has successfully deployed, you will see a notification with a **View stream** link in the upper right corner of the screen. To view the model inferencing in action, click the link in the notification or return to the device page and click **View your device stream**. Any models previously running on the dev kit will now be replaced with the new model.
+1. Once the model has successfully deployed, you will see a notification with a **View stream** link in the upper right corner of the screen. To view the model inferencing in action, select the link in the notification or return to the device page and select **View your device stream**. Any models previously running on the dev kit will now be replaced with the new model.
## Video walkthrough
azure-sql Audit Write Storage Account Behind Vnet Firewall https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/audit-write-storage-account-behind-vnet-firewall.md
For audit to write to a storage account behind a VNet or firewall, the following
> [!div class="checklist"] > > * A general-purpose v2 storage account. If you have a general-purpose v1 or blob storage account, [upgrade to a general-purpose v2 storage account](../../storage/common/storage-account-upgrade.md). For more information, see [Types of storage accounts](../../storage/common/storage-account-overview.md#types-of-storage-accounts).
-> * The storage account must be on the same subscription and at the same location as the [logical SQL Server](logical-servers.md).
+> * The storage account must be on the same tenant and at the same location as the [logical SQL server](logical-servers.md) (it's OK to be on different subscriptions).
> * The Azure Storage account requires `Allow trusted Microsoft services to access this storage account`. Set this on the Storage Account **Firewalls and Virtual networks**. > * You must have `Microsoft.Authorization/roleAssignments/write` permission on the selected storage account. For more information, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md).
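Review bot: Relaxing the requirement from "same subscription" to "same tenant ... (it's OK to be on different subscriptions)" has a permission consequence the checklist should spell out: the `Microsoft.Authorization/roleAssignments/write` permission in the next bullet is needed on the storage account, which in the cross-subscription case means in the storage account's subscription rather than the server's, and the `Allow trusted Microsoft services to access this storage account` setting has to be enabled by someone with rights on that account. A short clause such as "if the storage account is in a different subscription, you need the role-assignment permission in that subscription" would prevent the failure where the server's contributor cannot complete the setup.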
azure-sql Migrate Dtu To Vcore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/migrate-dtu-to-vcore.md
Previously updated : 02/09/2021 Last updated : 07/26/2021 # Migrate Azure SQL Database from the DTU-based model to the vCore-based model [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
To choose the service objective, or compute size, for the migrated database in t
> [!TIP] > This rule is approximate because it does not consider the hardware generation used for the DTU database or elastic pool.
-In the DTU model, any available [hardware generation](purchasing-models.md#hardware-generations-in-the-dtu-based-purchasing-model) can be used for your database or elastic pool. Further, you have only indirect control over the number of vCores (logical CPUs), by choosing higher or lower DTU or eDTU values.
+In the DTU model, the system may select any available [hardware generation](purchasing-models.md#hardware-generations-in-the-dtu-based-purchasing-model) for your database or elastic pool. Further, in the DTU model you have only indirect control over the number of vCores (logical CPUs) by choosing higher or lower DTU or eDTU values.
-With the vCore model, customers must make an explicit choice of both the hardware generation and the number of vCores (logical CPUs). The DTU model does not offer these choices, however the hardware generation and the number of logical CPUs used for every database and elastic pool are exposed via dynamic management views. This makes it possible to determine the matching vCore service objective more precisely.
+In the vCore model, customers must make an explicit choice of both the hardware generation and the number of vCores (logical CPUs). While DTU model does not offer these choices, the hardware generation and the number of logical CPUs used for every database and elastic pool are exposed via dynamic management views. This makes it possible to determine the matching vCore service objective more precisely.
The following approach uses this information to determine a vCore service objective with a similar allocation of resources, to obtain a similar level of performance after migration to the vCore model. ### DTU to vCore mapping
-A T-SQL query below, when executed in the context of a DTU database to be migrated, will return a matching (possibly fractional) number of vCores in each hardware generation in the vCore model. By rounding this number to the closest number of vCores available for [databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md) in each hardware generation in the vCore model, customers can choose the vCore service objective that is the closest match for their DTU database or elastic pool.
+A T-SQL query below, when executed in the context of a DTU database to be migrated, returns a matching (possibly fractional) number of vCores in each hardware generation in the vCore model. By rounding this number to the closest number of vCores available for [databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md) in each hardware generation in the vCore model, customers can choose the vCore service objective that is the closest match for their DTU database or elastic pool.
Sample migration scenarios using this approach are described in the [Examples](#dtu-to-vcore-migration-examples) section.
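Review bot: `While DTU model does not offer these choices` is missing the article; write `While the DTU model does not offer these choices`. In the same hunk, `A T-SQL query below` is kept unchanged but refers to the specific query that follows, so since the sentence is already being edited for tense, change it to `The T-SQL query below`. The rest of the rewording ("the system may select any available hardware generation", "In the vCore model") reads well.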
SELECT rg.slo_name,
FROM sys.dm_user_db_resource_governance AS rg CROSS JOIN (SELECT COUNT(1) AS scheduler_count FROM sys.dm_os_schedulers WHERE status = 'VISIBLE ONLINE') AS s CROSS JOIN sys.dm_os_job_object AS jo
-WHERE dtu_limit > 0
+WHERE rg.dtu_limit > 0
AND DB_NAME() <> 'master' AND
FROM dtu_vcore_map;
Besides the number of vCores (logical CPUs) and the hardware generation, several other factors may influence the choice of vCore service objective: - The mapping T-SQL query matches DTU and vCore service objectives in terms of their CPU capacity, therefore the results will be more accurate for CPU-bound workloads.-- For the same hardware generation and the same number of vCores, IOPS and transaction log throughput resource limits for vCore databases are often higher than for DTU databases. For IO-bound workloads, it may be possible to lower the number of vCores in the vCore model to achieve the same level of performance. Resource limits for DTU and vCore databases in absolute values are exposed in the [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database) view. Comparing these values between the DTU database to be migrated and a vCore database using an approximately matching service objective will help you select the vCore service objective more precisely.
+- For the same hardware generation and the same number of vCores, IOPS and transaction log throughput resource limits for vCore databases are often higher than for DTU databases. For IO-bound workloads, it may be possible to lower the number of vCores in the vCore model to achieve the same level of performance. Actual resource limits for DTU and vCore databases are exposed in the [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database) view. Comparing these values between the DTU database or pool to be migrated, and a vCore database or pool with an approximately matching service objective will help you select the vCore service objective more precisely.
- The mapping query also returns the amount of memory per core for the DTU database or elastic pool to be migrated, and for each hardware generation in the vCore model. Ensuring similar or higher total memory after migration to vCore is important for workloads that require a large memory data cache to achieve sufficient performance, or workloads that require large memory grants for query processing. For such workloads, depending on actual performance, it may be necessary to increase the number of vCores to get sufficient total memory. - The [historical resource utilization](/sql/relational-databases/system-catalog-views/sys-resource-stats-azure-sql-database) of the DTU database should be considered when choosing the vCore service objective. DTU databases with consistently under-utilized CPU resources may need fewer vCores than the number returned by the mapping query. Conversely, DTU databases where consistently high CPU utilization causes inadequate workload performance may require more vCores than returned by the query.-- If migrating databases with intermittent or unpredictable usage patterns, consider the use of [Serverless](serverless-tier-overview.md) compute tier. Note that the max number of concurrent workers (requests) in serverless is 75% the limit in provisioned compute for the same number of max vCores configured. Also, the max memory available in serverless is 3 GB times the maximum number of vCores configured; for example, max memory is 120 GB when 40 max vCores are configured.
+- If migrating databases with intermittent or unpredictable usage patterns, consider the use of [Serverless](serverless-tier-overview.md) compute tier. Note that the max number of concurrent workers (requests) in serverless is 75% the limit in provisioned compute for the same number of max vCores configured. Also, the max memory available in serverless is 3 GB times the maximum number of vCores configured, which is less than the per-core memory for provisioned compute. For example, on Gen5 max memory is 120 GB when 40 max vCores are configured in serverless, vs. 204 GB for a 40 vCore provisioned compute.
- In the vCore model, the supported maximum database size may differ depending on hardware generation. For large databases, check supported maximum sizes in the vCore model for [single databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md). - For elastic pools, the [DTU](resource-limits-dtu-elastic-pools.md) and [vCore](resource-limits-vcore-elastic-pools.md) models have differences in the maximum supported number of databases per pool. This should be considered when migrating elastic pools with many databases.-- Some hardware generations may not be available in every region. Check availability under [Hardware generations for SQL Database](./service-tiers-sql-database-vcore.md#hardware-generations) or [Hardware generations for SQL Managed Instance](../managed-instance/service-tiers-managed-instance-vcore.md#hardware-generations).
+- Some hardware generations may not be available in every region. Check availability under [Hardware generations for SQL Database](./service-tiers-sql-database-vcore.md#hardware-generations).
> [!IMPORTANT] > The DTU to vCore sizing guidelines above are provided to help in the initial estimation of the target database service objective. >
-> The optimal configuration of the target database is workload-dependent. Thus, achieving the optimal price/performance ratio after migration may require leveraging the flexibility of the vCore model to adjust the number of vCores, the hardware generation, the service and compute tiers, as well as tuning of other database configuration parameters, such as [maximum degree of parallelism](/sql/relational-databases/query-processing-architecture-guide#parallel-query-processing).
+> The optimal configuration of the target database is workload-dependent. Thus, to achieve the optimal price/performance ratio after migration, you may need to leverage the flexibility of the vCore model to adjust the number of vCores, hardware generation, and service and compute tiers. You may also need to adjust database configuration parameters, such as [maximum degree of parallelism](configure-max-degree-of-parallelism.md), and/or change the database [compatibility level](/sql/t-sql/statements/alter-database-transact-sql-compatibility-level) to enable recent improvements in the database engine.
> ### DTU to vCore migration examples
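Review bot: the serverless memory comparison in the rewritten bullet hard-codes a Gen5 provisioned figure (204 GB for 40 vCores) without stating the per-core value it comes from, so a reader on another hardware generation cannot redo the arithmetic; state the assumed provisioned per-core memory alongside the 3 GB per vCore serverless figure (204 GB / 40 vCores is 5.1 GB per vCore on Gen5) and say explicitly that the comparison is Gen5-specific, since the last bullet itself warns that hardware generation availability differs by region.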
If you're creating a geo-secondary in the elastic pool for a single primary data
## Use database copy to migrate from DTU to vCore
-You can copy any database with a DTU-based compute size to a database with a vCore-based compute size without restrictions or special sequencing as long as the target compute size supports the maximum database size of the source database. The database copy creates a snapshot of the data as of the starting time of the copy operation and doesn't synchronize data between the source and the target.
+You can copy any database with a DTU-based compute size to a database with a vCore-based compute size without restrictions or special sequencing as long as the target compute size supports the maximum database size of the source database. Database copy creates a transactionally consistent snapshot of the data as of a point in time after the copy operation starts. It doesn't synchronize data between the source and the target after that point in time.
## Next steps
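Review bot: the reworded sentence still opens with "without restrictions or special sequencing" and then immediately states a restriction (the target compute size must support the source's maximum database size); either drop that phrase or lead with the size condition. Since the copy is a transactionally consistent snapshot that is never resynchronized, also spell out the operational consequence for the reader doing a migration: writes committed on the source after the snapshot point are absent from the copy, so the application should be quiesced before the copy starts, or the delta reconciled before cut-over.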
azure-video-analyzer Video Indexer Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-overview.md
The following list shows the insights you can retrieve from your videos using Vi
* **Rolling credits**: Identifies the beginning and end of the rolling credits in the end of TV shows and movies. * **Animated characters detection** (preview): Detection, grouping, and recognition of characters in animated content via integration with [Cognitive Services custom vision](https://azure.microsoft.com/services/cognitive-services/custom-vision-service/). For more information, see [Animated character detection](animated-characters-recognition.md). * **Editorial shot type detection**: Tagging shots based on their type (like wide shot, medium shot, close up, extreme close up, two shot, multiple people, outdoor and indoor, and so on). For more information, see [Editorial shot type detection](scenes-shots-keyframes.md#editorial-shot-type-detection).
-* **Observed People Tracing**: detects observed people in videos and provides information such as the location of the person in the video frame (using bounding boxes) and the exact timestamp (start, end) and confidence when a person appears. For more information, see [Trace observed people in a video](observed-people-tracing.md).
+* **Observed People Tracking**: detects observed people in videos and provides information such as the location of the person in the video frame (using bounding boxes) and the exact timestamp (start, end) and confidence when a person appears. For more information, see [Trace observed people in a video](observed-people-tracing.md).
### Audio insights
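Review bot: the bullet title changes from "Observed People Tracing" to "Observed People Tracking", but the link text in the same line still reads "Trace observed people in a video" and the target remains observed-people-tracing.md; rename the link text to match ("Track observed people in a video") and, if the target article was renamed as part of the same change, update the path so the reference does not break.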
azure-vmware Azure Vmware Solution Platform Updates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/azure-vmware-solution-platform-updates.md
Title: Platform updates for Azure VMware Solution description: Learn about the platform updates to Azure VMware Solution. Previously updated : 07/20/2021 Last updated : 07/23/2021 # Platform updates for Azure VMware Solution Azure VMware Solution will apply important updates starting in March 2021. You'll receive a notification through Azure Service Health that includes the timeline of the maintenance. For more information, see [Host maintenance and lifecycle management](concepts-private-clouds-clusters.md#host-maintenance-and-lifecycle-management).
-## July 20, 2021
+## July 23, 2021
All new Azure VMware Solution private clouds are now deployed with NSX-T version 3.1.2. NSX-T version in existing private clouds will be upgraded through September, 2021 to NSX-T 3.1.2 release.
azure-vmware Concepts Api Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-api-management.md
The traffic flow goes through the API Management instance, which abstracts the b
API Management has an Azure Public API, and activating Azure DDOS Protection Service is recommended. ## Internal deployment
In an internal deployment, APIs get exposed to the same API Management instance.
* External traffic enters Azure through Application Gateway, which uses the external protection layer for API Management.
azure-vmware Fix Deployment Failures https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/fix-deployment-failures.md
+
+ Title: Support for Azure VMware Solution deployment or provisioning failure
+description: Get information from your Azure VMware Solution private cloud to file a service request for an Azure VMware Solution deployment or provisioning failure.
+ Last updated : 10/28/2020++
+# Open a support request for an Azure VMware Solution deployment or provisioning failure
+
+This article shows you how to open a [support request](https://rc.portal.azure.com/#create/Microsoft.Support) and provide key information for an Azure VMware Solution deployment or provisioning failure.
+
+When you have a failure on your private cloud, you need to open a support request in the Azure portal. To open a support request, first get some key information in the Azure portal:
+
+- Correlation ID
+- Azure ExpressRoute circuit ID
+- Error messages
+
+## Get the correlation ID
+
+When you create a private cloud or any resource in Azure, a correlation ID for the resource is automatically generated for the resource. Include the private cloud correlation ID in your support request to more quickly open and resolve the request.
+
+In the Azure portal, you can get the correlation ID for a resource in two ways:
+
+* **Overview** pane
+* Deployment logs
+
+ ### Get the correlation ID from the resource overview
+
+Here's an example of the operation details of a failed private cloud deployment, with the correlation ID selected:
++
+To access deployment results in a private cloud **Overview** pane:
+
+1. In the Azure portal, select your private cloud.
+
+1. In the left menu, select **Overview**.
+
+After a deployment is initiated, the results of the deployment are shown in the private cloud **Overview** pane.
+
+Copy and save the private cloud deployment correlation ID to include in the service request.
+
+### Get the correlation ID from the deployment log
+
+You can get the correlation ID for a failed deployment by searching the deployment activity log in the Azure portal.
+
+To access the deployment log:
+
+1. In the Azure portal, select your private cloud, and then select the notifications icon.
+
+ :::image type="content" source="media/fix-deployment-failures/open-notifications.png" alt-text="Screenshot that shows the notifications icon in the Azure portal.":::
+
+1. In the **Notifications** pane, select **More events in the activity log**:
+
+ :::image type="content" source="media/fix-deployment-failures/more-events-in-activity-log.png" alt-text="Screenshot that shows the More events in the activity log link selected in the Notifications pane.":::
+
+1. To find the failed deployment and its correlation ID, search for the name of the resource or other information that you used to create the resource.
+
+ The following example shows search results for a private cloud resource named pc03.
+
+ :::image type="content" source="media/fix-deployment-failures/find-past-deployments.png" alt-text="Screenshot that shows search results for an example private cloud resource and the Create or update a PrivateCloud pane.":::
+
+1. In the search results in the **Activity log** pane, select the operation name of the failed deployment.
+
+1. In the **Create or update a PrivateCloud** pane, select the **JSON** tab, and then look for `correlationId` in the log that is shown. Copy the `correlationId` value to include it in your support request.
+
+## Copy error messages
+
+To help resolve your deployment issue, include any error messages that are shown in the Azure portal. Select a warning message to see a summary of errors:
+
+
+To copy the error message, select the copy icon. Save the copied message to include in your support request.
+
+## Get the ExpressRoute ID (URI)
+
+Perhaps you're trying to scale or peer an existing private cloud with the private cloud ExpressRoute circuit, and it fails. In that scenario, you need the ExpressRoute ID to include in your support request.
+
+To copy the ExpressRoute ID:
+
+1. In the Azure portal, select your private cloud.
+1. In the left menu, under **Manage**, select **Connectivity**.
+1. In the right pane, select the **ExpressRoute** tab.
+1. Select the copy icon for **ExpressRoute ID** and save the value to use in your support request.
+
+
+## Pre-validation failures
+
+If your private cloud pre-validation check failed (before deployment), a correlation ID won't have been generated. In this scenario, you can provide the following information in your support request:
+
+- Error and failure messages. These messages can be helpful in many failures, for example, for quota-related issues. It's important to copy these messages and include them in the support request, as described in this article.
+- Information you used to create the Azure VMware Solution private cloud, including:
+ - Location
+ - Resource group
+ - Resource name
+
+## Create your support request
+
+For general information about creating a support request, see [How to create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).
+
+To create a support request for an Azure VMware Solution deployment or provisioning failure:
+
+1. In the Azure portal, select the **Help** icon, and then select **New support request**.
+
+ :::image type="content" source="media/fix-deployment-failures/open-support-request.png" alt-text="Screenshot of the New support request pane in the Azure portal.":::
+
+1. Enter or select the required information:
+
+ 1. On the **Basics** tab:
+
+ 1. For **Problem type**, select **Configuration and Setup Issues**.
+
+ 1. For **Problem subtype**, select **Provision a private cloud**.
+
+ 1. On the **Details** tab:
+
+ 1. Enter or select the required information.
+
+ 1. Paste your Correlation ID or ExpressRoute ID where this information is requested. If you don't see a specific text box for these values, paste them in the **Provide details about the issue** text box.
+
+ 1. Paste any error details, including the error or failure messages you copied, in the **Provide details about the issue** text box.
+
+1. Review your entries, and then select **Create** to create your support request.
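Review bot: the support-request link in the introductory paragraph points at https://rc.portal.azure.com/#create/Microsoft.Support, which is the portal's release-candidate environment rather than the production portal; use https://portal.azure.com/#create/Microsoft.Support (the "Create your support request" section already routes readers through the standard portal Help flow). Three smaller items in the same file: the "Last updated : 10/28/2020" metadata predates this commit for a newly added article; the heading "### Get the correlation ID from the resource overview" carries a leading space that the other headings do not; and the two sentences that announce a screenshot ("Here's an example of the operation details of a failed private cloud deployment, with the correlation ID selected:" and "Select a warning message to see a summary of errors:") are followed by no :::image::: directive, unlike every other screenshot in the file, so those images are either missing or were dropped from the diff.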
azure-vmware Move Azure Vmware Solution Across Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/move-azure-vmware-solution-across-regions.md
This article helps you plan and migrate Azure VMware Solution from one Azure reg
The diagram shows the recommended ExpressRoute connectivity between the two Azure VMware Solution environments. An HCX site pairing and service mesh are created between the two environments. The HCX migration traffic and Layer-2 extension moves (depicted by the red line) between the two environments. For VMware recommended HCX planning, see [Planning an HCX Migration](https://vmc.techzone.vmware.com/vmc-solutions/docs/deploy/planning-an-hcx-migration#section1). >[!NOTE] >You don't need to migrate any workflow back to on-premises because the traffic will flow between the private clouds (source and target):
The diagram shows the recommended ExpressRoute connectivity between the two Azur
The diagram shows the connectivity between both Azure VMware Solution environments. In this article, we'll walk you through the steps to:
azure-vmware Protect Azure Vmware Solution With Application Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/protect-azure-vmware-solution-with-application-gateway.md
This article shows you how to use Application Gateway in front of a web server f
## Topology The diagram shows how Application Gateway is used to protect Azure IaaS virtual machines (VMs), Azure virtual machine scale sets, or on-premises servers. Application Gateway treats Azure VMware Solution VMs as on-premises servers. > [!IMPORTANT] > Azure Application Gateway is currently the only supported method to expose web apps running on Azure VMware Solution VMs.
The Application Gateway instance is deployed on the hub in a dedicated subnet. I
2. Provide the basic details as in the following figure; then select **Next: Frontends>**.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/create-app-gateway.png" alt-text="Screenshot showing Create application gateway page in Azure portal.":::
+ :::image type="content" source="media/application-gateway/create-app-gateway.png" alt-text="Screenshot showing Create application gateway page in Azure portal.":::
3. Choose the frontend IP address type. For public, choose an existing public IP address or create a new one. Select **Next: Backends>**.
This procedure shows you how to define backend address pools using VMs running o
1. In your private cloud, create two different pools of VMs. One represents Contoso and the second Fabrikam.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-multi-backend-pool.png" alt-text="Screenshot showing summary of a web server's details in VSphere Client.":::
+ :::image type="content" source="media/application-gateway/app-gateway-multi-backend-pool.png" alt-text="Screenshot showing summary of a web server's details in VSphere Client.":::
We've used Windows Server 2016 with the Internet Information Services (IIS) role installed. Once the VMs are installed, run the following PowerShell commands to configure IIS on each of the VMs.
This procedure shows you how to define backend address pools using VMs running o
2. In an existing application gateway instance, select **Backend pools** from the left menu, select **Add**, and enter the new pools' details. Select **Add** in the right pane.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-multi-backend-pool-02.png" alt-text="Screenshot of Backend pools page for adding backend pools." lightbox="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-multi-backend-pool-02.png":::
+ :::image type="content" source="media/application-gateway/app-gateway-multi-backend-pool-02.png" alt-text="Screenshot of Backend pools page for adding backend pools." lightbox="media/application-gateway/app-gateway-multi-backend-pool-02.png":::
3. In the **Listeners** section, create a new listener for each website. Enter the details for each listener and select **Add**. 4. On the left, select **HTTP settings** and select **Add** in the left pane. Fill in the details to create a new HTTP setting and select **Save**.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-multi-backend-pool-03.png" alt-text="Screenshot of HTTP settings page to create a new HTTP setting." lightbox="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-multi-backend-pool-03.png":::
+ :::image type="content" source="media/application-gateway/app-gateway-multi-backend-pool-03.png" alt-text="Screenshot of HTTP settings page to create a new HTTP setting." lightbox="media/application-gateway/app-gateway-multi-backend-pool-03.png":::
5. Create the rules in the **Rules** section of the left menu. Associate each rule with the corresponding listener. Select **Add**.
This procedure shows you how to define backend address pools using VMs running o
7. Test the connection. Open your preferred browser and navigate to the different websites hosted on your Azure VMware Solution environment, for example, http://www.fabrikam.com.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-multi-backend-pool-07.png" alt-text="Screenshot of browser page showing successful test the connection.":::
+ :::image type="content" source="media/application-gateway/app-gateway-multi-backend-pool-07.png" alt-text="Screenshot of browser page showing successful test the connection.":::
### Routing by URL
The following steps define backend address pools using VMs running on an Azure V
1. In your private cloud, create a virtual machine pool to represent the web farm.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool.png" alt-text="Screenshot of page in VMSphere Client showing summary of another VM.":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool.png" alt-text="Screenshot of page in VMSphere Client showing summary of another VM.":::
Windows Server 2016 with IIS role installed has been used to illustrate this tutorial. Once the VMs are installed, run the following PowerShell commands to configure IIS for each VM tutorial.
The following steps define backend address pools using VMs running on an Azure V
1. Select **Add**. 1. Repeat this process for **contoso-images** and **contoso-video**, adding one unique VM as the target.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-02.png" alt-text="Screenshot of Backend pools page showing the addition of three new backend pools." lightbox="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-02.png":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool-02.png" alt-text="Screenshot of Backend pools page showing the addition of three new backend pools." lightbox="media/application-gateway/app-gateway-url-route-backend-pool-02.png":::
3. In the **Listeners** section, create a new listener of type Basic using port 8080. 4. On the left navigation, select **HTTP settings** and select **Add** in the left pane. Fill in the details to create a new HTTP setting and select **Save**.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-04.png" alt-text="Screenshot of Add HTTP setting page showing HTTP settings configuration.":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool-04.png" alt-text="Screenshot of Add HTTP setting page showing HTTP settings configuration.":::
5. Create the rules in the **Rules** section of the left menu. Associate each rule with the previously created listener. Then configure the main backend pool and HTTP settings. Select **Add**.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-07.png" alt-text="Screenshot of Add a routing rule page to configure routing rules to a backend target.":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool-07.png" alt-text="Screenshot of Add a routing rule page to configure routing rules to a backend target.":::
6. Test the configuration. Access the application gateway on the Azure portal and copy the public IP address in the **Overview** section. 1. Open a new browser window and enter the URL `http://<app-gw-ip-address>:8080`.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-08.png" alt-text="Screenshot of browser page showing successful test of the configuration.":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool-08.png" alt-text="Screenshot of browser page showing successful test of the configuration.":::
1. Change the URL to `http://<app-gw-ip-address>:8080/images/test.htm`.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-09.png" alt-text="Screenshot of another successful test with the new URL.":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool-09.png" alt-text="Screenshot of another successful test with the new URL.":::
1. Change the URL again to `http://<app-gw-ip-address>:8080/video/test.htm`.
- :::image type="content" source="media/protect-azure-vmware-solution-with-application-gateway/app-gateway-url-route-backend-pool-10.png" alt-text="Screenshot of successful test with the final URL.":::
+ :::image type="content" source="media/application-gateway/app-gateway-url-route-backend-pool-10.png" alt-text="Screenshot of successful test with the final URL.":::
## Next Steps
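Review bot: every connectivity test in this hunk uses plain HTTP (`http://<app-gw-ip-address>:8080` and its `/images/` and `/video/` variants) against the Basic listener on port 8080 created in step 3, while the article title promises protection of the workloads behind the gateway; add a sentence stating that the unencrypted listener is for the walkthrough only and that a production gateway should terminate TLS on an HTTPS listener with a certificate, redirect HTTP to HTTPS, and use the WAF_v2 SKU so that Application Gateway actually inspects and filters the traffic it fronts rather than just forwarding it.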
azure-vmware Request Host Quota Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/request-host-quota-azure-vmware-solution.md
Access the Azure portal using the **Admin On Behalf Of** (AOBO) procedure from P
1. In **Partner Center**, select **CSP** to access the **Customers** area.
- :::image type="content" source="media/enable-azure-vmware-solution/csp-customers-screen.png" alt-text="Screenshot showing the Microsoft Partner Center customer area." lightbox="media/enable-azure-vmware-solution/csp-customers-screen.png":::
+ :::image type="content" source="media/pre-deployment/csp-customers-screen.png" alt-text="Screenshot showing the Microsoft Partner Center customer area." lightbox="media/pre-deployment/csp-customers-screen.png":::
1. Select your customer and then select **Add products**.
- :::image type="content" source="media/enable-azure-vmware-solution/csp-partner-center.png" alt-text="Screenshot showing Azure plan selected in the Microsoft Partner Center." lightbox="media/enable-azure-vmware-solution/csp-partner-center.png":::
+ :::image type="content" source="media/pre-deployment/csp-partner-center.png" alt-text="Screenshot showing Azure plan selected in the Microsoft Partner Center." lightbox="media/pre-deployment/csp-partner-center.png":::
1. Select **Azure plan** and then select **Add to cart**.
cloud-shell Persisting Shell Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-shell/persisting-shell-storage.md
Cloud Shell uses an Azure File Share in a storage account, inside a specified su
Users should lock down access to their files by setting the permissions at the storage account or the subscription level.
+The Cloud Shell storage account will contain files created by the Cloud Shell user in their home directory, which may include sensitive information including access tokens or credentials.
+ ## Supported storage regions To find your current region you may run `env` in Bash and locate the variable `ACC_LOCATION`, or from PowerShell run `$env:ACC_LOCATION`. File shares receive a 5-GB image created for you to persist your `$Home` directory.
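Review bot: the added sentence names the exposure (access tokens and credentials persisted in the Cloud Shell home directory) but stops short of the control, and the preceding sentence only says to "lock down access" in general terms; because the home directory lives in the 5-GB image file on the file share, anyone who can read that share (a holder of the storage account key, or of a data-plane role on the share) can download the image and mount it offline without ever launching Cloud Shell. Say concretely that the storage account should be dedicated to Cloud Shell, that key-listing rights (Microsoft.Storage/storageAccounts/listKeys/action) and share-level data roles should be limited to the Cloud Shell user, and that long-lived secrets such as service principal credentials, SSH private keys and kubeconfig files should not be written under $HOME in the first place.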
For example: . .\MyFunctions.ps1
## Next steps [Cloud Shell Quickstart](quickstart.md) <br> [Learn about Microsoft Azure Files storage](../storage/files/storage-files-introduction.md) <br>
-[Learn about storage tags](../azure-resource-manager/management/tag-resources.md) <br>
+[Learn about storage tags](../azure-resource-manager/management/tag-resources.md) <br>
cognitive-services Conversation Transcription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/conversation-transcription.md
Title: Conversation Transcription (Preview) - Speech service
description: Conversation Transcription is a solution for meetings, that combines recognition, speaker ID, and diarization to provide transcription of any conversation. -+ Last updated 03/26/2021-+ # What is Conversation Transcription (Preview)?
cognitive-services Custom Keyword Basics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/custom-keyword-basics.md
Title: Create Keyword quickstart - Speech service
description: Your device is always listening for a keyword (or phrase). When the user says the keyword, the device sends all subsequent audio to the cloud, until the user stops speaking. Customizing your keyword is an effective way to differentiate your device and strengthen your branding. -+ Last updated 11/03/2020-+ zone_pivot_groups: keyword-quickstart
cognitive-services Custom Neural Voice https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/custom-neural-voice.md
Title: Custom neural voice overview - Speech service
description: Custom Neural Voice is a text-to-Speech feature that allows you to create a one-of-a-kind customized synthetic voice for your applications by providing your own audio data as a sample. -+ Last updated 05/18/2021-+ # What is Custom Neural Voice?
cognitive-services Custom Speech Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/custom-speech-overview.md
Title: "Custom Speech overview - Speech service"
description: Custom Speech is a set of online tools that allow you to evaluate and improve the Microsoft speech-to-text accuracy for your applications, tools, and products. -+ Last updated 02/12/2021-+
cognitive-services Direct Line Speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/direct-line-speech.md
Title: Direct Line Speech - Speech service
description: An overview of the features, capabilities, and restrictions for Voice assistants using Direct Line Speech with the Speech Software Development Kit (SDK). -+ Last updated 03/11/2020-+ # What is Direct Line Speech?
cognitive-services Get Started Speaker Recognition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/get-started-speaker-recognition.md
Title: "Speaker Recognition quickstart - Speech service"
description: Learn how to use Speaker Recognition from the Speech SDK to answer the question, "who is speaking". In this quickstart, you learn about common design patterns for working with both speaker verification and identification, which both use voice biometry to identify unique voices. -+ Last updated 09/02/2020-+ zone_pivot_groups: programming-languages-set-twenty-five keywords: speaker recognition, voice biometry
cognitive-services Get Started Speech To Text https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/get-started-speech-to-text.md
Title: "Speech-to-text quickstart - Speech service"
description: Learn how to use the Speech SDK to convert speech-to-text. In this quickstart, you learn about object construction, supported audio input formats, and configuration options for speech recognition. -+ Last updated 09/15/2020-+ zone_pivot_groups: programming-languages-set-twenty-three keywords: speech to text, speech to text software
cognitive-services Get Started Speech Translation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/get-started-speech-translation.md
Title: Speech translation quickstart - Speech service
description: Learn how to use the Speech SDK to translate speech. In this quickstart, you learn about object construction, supported audio input formats, and configuration options for speech translation. -+ Last updated 09/01/2020-+ zone_pivot_groups: programming-languages-set-two-with-js-spx keywords: speech translation
cognitive-services Get Started Text To Speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/get-started-text-to-speech.md
Title: "Text-to-speech quickstart - Speech service"
description: Learn how to use the Speech SDK to convert text-to-speech. In this quickstart, you learn about object construction and design patterns, supported audio output formats, the Speech CLI, and custom configuration options for speech synthesis. -+ Last updated 05/17/2021-+ zone_pivot_groups: programming-languages-set-twenty-four keywords: text to speech
cognitive-services How To Audio Content Creation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-audio-content-creation.md
Title: Audio Content Creation - Speech service
description: Audio Content Creation is an online tool that allows you to customize and fine-tune Microsoft's text-to-speech output for your apps and products. -+ Last updated 01/31/2020-+ # Improve synthesis with the Audio Content Creation tool
cognitive-services How To Automatic Language Detection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-automatic-language-detection.md
Title: How to use language identification
description: Language identification is used to determine the language being spoken in audio passed to the Speech SDK when compared against a list of provided languages. -+ Last updated 05/21/2021-+ zone_pivot_groups: programming-languages-speech-services-nomore-variant
cognitive-services How To Custom Speech Evaluate Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-evaluate-data.md
Title: "Evaluate and improve Custom Speech accuracy - Speech service"
description: "In this document you learn how to quantitatively measure and improve the quality of our speech-to-text model or your custom model. Audio + human-labeled transcription data is required to test accuracy, and 30 minutes to 5 hours of representative audio should be provided." -+ Last updated 02/12/2021-+ # Evaluate and improve Custom Speech accuracy
cognitive-services How To Custom Speech Test And Train https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-test-and-train.md
Title: "Prepare data for Custom Speech - Speech service"
description: "When testing the accuracy of Microsoft speech recognition or training your custom models, you'll need audio and text data. On this page, we cover the types of data, how to use, and manage them." -+ Last updated 02/12/2021-+ # Prepare data for Custom Speech
cognitive-services How To Custom Speech Train Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-train-model.md
Title: Train and deploy a Custom Speech model - Speech service
description: Learn how to train and deploy Custom Speech models. Training a speech-to-text model can improve recognition accuracy for the Microsoft baseline model or a for custom model. -+ Last updated 02/12/2021-+ # Train and deploy a Custom Speech model
cognitive-services How To Custom Voice https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-voice.md
Title: "Get started with Custom Neural Voice - Speech service"
description: "Custom Neural Voice is a set of online tools that allow you to create a recognizable, one-of-a-kind voice for your brand. All it takes to get started are a handful of audio files and the associated transcriptions." -+ Last updated 05/18/2021-+ # Get started with Custom Neural Voice
cognitive-services How To Develop Custom Commands Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-develop-custom-commands-application.md
Title: 'How-to: Develop Custom Commands applications - Speech service'
description: Learn how to develop and customize Custom Commands applications. These voice-command apps are best suited for task completion or command-and-control scenarios. - + Last updated 12/15/2020-+ # Develop Custom Commands applications
cognitive-services How To Recognize Intents From Speech Csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-recognize-intents-from-speech-csharp.md
Title: How to recognize intents from speech using the Speech SDK C#
description: In this guide, you learn how to recognize intents from speech using the Speech SDK for C#. -+ Last updated 02/10/2020-+
cognitive-services How To Use Conversation Transcription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-use-conversation-transcription.md
Title: Real-time Conversation Transcription quickstart - Speech service
description: Learn how to use real-time Conversation Transcription with the Speech SDK. Conversation Transcription allows you to transcribe meetings and other conversations with the ability to add, remove, and identify multiple participants by streaming audio to the Speech service. -+ Last updated 10/20/2020-+ zone_pivot_groups: acs-js-csharp
cognitive-services How To Use Simple Language Pattern Matching https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-use-simple-language-pattern-matching.md
+
+ Title: How to use simple language pattern matching with the C++ Speech SDK
+
+description: In this guide, you learn how to recognize intents and entities from simple patterns.
++++++ Last updated : 07/14/2021++++
+# How to use simple language pattern matching with the C++ Speech SDK
+
+The Cognitive Services [Speech SDK](speech-sdk.md) has a built-in feature to provide **intent recognition** with **simple language pattern matching**. An intent is something the user wants to do: close a window, mark a checkbox, insert some text, etc.
+
+In this guide, you use the Speech SDK to develop a C++ console application that derives intents from user utterances through your device's microphone. You'll learn how to:
+
+> [!div class="checklist"]
+>
+> - Create a Visual Studio project referencing the Speech SDK NuGet package
+> - Create a speech configuration and get an intent recognizer
+> - Add intents and patterns via the Speech SDK API
+> - Recognize speech from a file
+> - Use asynchronous, event-driven continuous recognition
+
+## When should you use this?
+
+Use this sample code if:
+* You are only interested in matching very strictly what the user said. These patterns match more aggressively than LUIS.
+* You do not have access to a LUIS app, but still want intents. This can be helpful since it is embedded within the SDK.
+* You cannot or do not want to create a LUIS app but you still want some voice commanding capability.
+
+If you do not have access to a LUIS app, but still want intents, this can be helpful since it is embedded within the SDK.
++
+## Prerequisites
+
+Be sure you have the following items before you begin this guide:
+
+- A [Cognitive Services Azure resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices) or a [Unified Speech resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices)
+- [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) (any edition).
+
+## Speech and simple patterns
+
+The simple patterns are a feature of the Speech SDK and need a Cognitive Services resource or a Unified Speech resource.
+
+A pattern is a phrase that includes an Entity somewhere within it. An Entity is defined by wrapping a word in curly brackets. For example:
+
+```
+ Take me to the {floorName}
+```
+
+This defines an Entity with the ID "floorName" which is case sensitive.
+
+All other special characters and punctuation will be ignored.
+
+Intents will be added using calls to the IntentRecognizer->AddIntent() API.
+
+## Create a speech project in Visual Studio
++
+Open your project in Visual Studio
+Next, open your project in Visual Studio.
+
+Launch Visual Studio 2019.
+Load your project and open helloworld.cpp.
+Start with some boilerplate code
+Let's add some code that works as a skeleton for our project. Make note that you've created an async method called recognizeIntent().
+
+## Open your project in Visual Studio
+
+Next, open your project in Visual Studio.
+
+1. Launch Visual Studio 2019.
+2. Load your project and open `helloworld.cpp`.
+
+## Start with some boilerplate code
+
+Let's add some code that works as a skeleton for our project.
+
+```cpp
+ #include <iostream>
+ #include <speechapi_cxx.h>
+
+ using namespace Microsoft::Cognitive
+ using namespace Microsoft::Cognitive
+
+ int main()
+ {
+ std::cout << "Hello World!\n";
+
+ auto config = SpeechConfig::FromSubscription("YOUR_SUBSCRIPTION_KEY", "YOUR_SUBSCRIPTION_REGION");
+ }
+```
+
+## Create a Speech configuration
+
+Before you can initialize an `IntentRecognizer` object, you need to create a configuration that uses the key and location for your Cognitive Services prediction resource.
+
+* Replace `"YOUR_SUBSCRIPTION_KEY"` with your Cognitive Services prediction key.
+* Replace `"YOUR_SUBSCRIPTION_REGION"` with your Cognitive Services resource region.
+
+This sample uses the `FromSubscription()` method to build the `SpeechConfig`. For a full list of available methods, see [SpeechConfig Class](/cpp/cognitive-services/speech/speechconfig).
+
+## Initialize an IntentRecognizer
+
+Now create an `IntentRecognizer`. Insert this code right below your Speech configuration.
+
+```cpp
+ auto intentRecognizer = IntentRecognizer::FromConfig(config);
+```
+
+## Add some intents
+
+You need to associate some patterns with the `IntentRecognizer` by calling `AddIntent()`.
+We will add 2 intents with the same ID for changing floors, and another intent with a separate ID for opening and closing doors.
+
+```cpp
+ intentRecognizer->AddIntent("Take me to floor {floorName}.", "ChangeFloors");
+ intentRecognizer->AddIntent("Go to floor {floorName}.", "ChangeFloors");
+ intentRecognizer->AddIntent("{action} the door.", "OpenCloseDoor");
+```
+
+> [!NOTE]
+> There is no limit to the number of entities you can declare, but they will be loosely matched. If you add a phrase like "{action} door" it will match any time there is text before the word "door". Intents are evaluated based on their number of entities. If two patterns would match, the one with more defined entities is returned.
+
+## Recognize an intent
+
+From the `IntentRecognizer` object, you're going to call the `RecognizeOnceAsync()` method. This method asks the Speech service to recognize speech in a single phrase, and stop recognizing speech once the phrase is identified. For simplicity we'll wait on the future returned to complete.
+
+Insert this code below your intents:
+
+```cpp
+ std::cout << "Say something ..." << std::endl;
+ auto result = intentRecognizer->RecognizeOnceAsync().get();
+```
+
+## Display the recognition results (or errors)
+
+When the recognition result is returned by the Speech service, let's just print the result.
+
+Insert this code below `auto result = intentRecognizer->RecognizeOnceAsync().get();`:
+
+```cpp
+auto entities = result->GetEntities();
+
+switch (result->Reason)
+{
+case ResultReason::RecognizedSpeech:
+case ResultReason::RecognizedIntent:
+ std::cout << "RECOGNIZED: Text = " << result->Text.c_str() << std::endl;
+ std::cout << " Intent Id = " << result->IntentId.c_str() << std::endl;
+ if (entities.find("floorName") != entities.end())
+ {
+ std::cout << " Floor name: = " << entities["floorName"].c_str() << std::endl;
+ }
+
+ if (entities.find("action") != entities.end())
+ {
+ std::cout << " Action: = " << entities["action"].c_str() << std::endl;
+ }
+
+ break;
+case ResultReason::NoMatch:
+{
+ auto noMatch = NoMatchDetails::FromResult(result);
+ switch (noMatch->Reason)
+ {
+ case NoMatchReason::NotRecognized:
+ std::cout << "NOMATCH: Speech was detected, but not recognized." << std::endl;
+ break;
+ case NoMatchReason::InitialSilenceTimeout:
+ std::cout << "NOMATCH: The start of the audio stream contains only silence, and the service timed out waiting for speech." << std::endl;
+ break;
+ case NoMatchReason::InitialBabbleTimeout:
+ std::cout << "NOMATCH: The start of the audio stream contains only noise, and the service timed out waiting for speech." << std::endl;
+ break;
+ case NoMatchReason::KeywordNotRecognized:
+ std::cout << "NOMATCH: Keyword not recognized" << std::endl;
+ break;
+ }
+ break;
+}
+case ResultReason::Canceled:
+{
+ auto cancellation = CancellationDetails::FromResult(result);
+
+ if (!cancellation->ErrorDetails.empty())
+ {
+ std::cout << "CANCELED: ErrorDetails=" << cancellation->ErrorDetails.c_str() << std::endl;
+ std::cout << "CANCELED: Did you update the subscription info?" << std::endl;
+ }
+}
+default:
+ break;
+}
+```
+
+## Check your code
+
+At this point, your code should look like this:
+
+```cpp
+#include <iostream>
+#include <speechapi_cxx.h>
+
+using namespace Microsoft::Cognitive
+using namespace Microsoft::Cognitive
+
+int main()
+{
+ auto config = SpeechConfig::FromSubscription("YOUR_SUBSCRIPTION_KEY", "YOUR_SUBSCRIPTION_REGION");
+ auto intentRecognizer = IntentRecognizer::FromConfig(config);
+
+ intentRecognizer->AddIntent("Take me to floor {floorName}.", "ChangeFloors");
+ intentRecognizer->AddIntent("Go to floor {floorName}.", "ChangeFloors");
+ intentRecognizer->AddIntent("{action} the door.", "OpenCloseDoor");
+
+ std::cout << "Say something ..." << std::endl;
+
+ auto result = intentRecognizer->RecognizeOnceAsync().get();
+ auto entities = result->GetEntities();
+
+ switch (result->Reason)
+ {
+ case ResultReason::RecognizedSpeech:
+ case ResultReason::RecognizedIntent:
+ std::cout << "RECOGNIZED: Text = " << result->Text.c_str() << std::endl;
+ std::cout << " Intent Id = " << result->IntentId.c_str() << std::endl;
+ if (entities.find("floorName") != entities.end())
+ {
+ std::cout << " Floor name: = " << entities["floorName"].c_str() << std::endl;
+ }
+
+ if (entities.find("action") != entities.end())
+ {
+ std::cout << " Action: = " << entities["action"].c_str() << std::endl;
+ }
+
+ break;
+ case ResultReason::NoMatch:
+ {
+ auto noMatch = NoMatchDetails::FromResult(result);
+ switch (noMatch->Reason)
+ {
+ case NoMatchReason::NotRecognized:
+ std::cout << "NOMATCH: Speech was detected, but not recognized." << std::endl;
+ break;
+ case NoMatchReason::InitialSilenceTimeout:
+ std::cout << "NOMATCH: The start of the audio stream contains only silence, and the service timed out waiting for speech." << std::endl;
+ break;
+ case NoMatchReason::InitialBabbleTimeout:
+ std::cout << "NOMATCH: The start of the audio stream contains only noise, and the service timed out waiting for speech." << std::endl;
+ break;
+ case NoMatchReason::KeywordNotRecognized:
+ std::cout << "NOMATCH: Keyword not recognized." << std::endl;
+ break;
+ }
+ break;
+ }
+ case ResultReason::Canceled:
+ {
+ auto cancellation = CancellationDetails::FromResult(result);
+
+ if (!cancellation->ErrorDetails.empty())
+ {
+ std::cout << "CANCELED: ErrorDetails=" << cancellation->ErrorDetails.c_str() << std::endl;
+ std::cout << "CANCELED: Did you update the subscription info?" << std::endl;
+ }
+ }
+ default:
+ break;
+ }
+}
+```
+## Build and run your app
+
+Now you're ready to build your app and test our speech recognition using the Speech service.
+
+1. **Compile the code** - From the menu bar of Visual Studio, choose **Build** > **Build Solution**.
+2. **Start your app** - From the menu bar, choose **Debug** > **Start Debugging** or press <kbd>F5</kbd>.
+3. **Start recognition** - It will prompt you to say something. The default language is English. Your speech is sent to the Speech service, transcribed as text, and rendered in the console.
+
+For example if you say "Take me to floor 7", this should be the output:
+
+```
+Say something ...
+RECOGNIZED: Text = Take me to floor 7.
+ Intent Id = ChangeFloors
+ Floor name: = seven
+```
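Review bot: the two `using namespace Microsoft::Cognitive` lines in the skeleton block and again in the "Check your code" block are truncated, identical and unterminated, so neither block compiles as pasted; they need to be two distinct, complete directives each ending in `;` (the Speech namespace that declares `SpeechConfig` and its Intent sub-namespace that declares `IntentRecognizer`). The "Create a speech project in Visual Studio" section is an unformatted duplicate of the "Open your project in Visual Studio" and "Start with some boilerplate code" sections that follow it and should be dropped, and the sentence after the "When should you use this?" bullets repeats the second bullet verbatim. In the result handling, `case ResultReason::Canceled:` has no `break;` before `default:`; it is harmless today because `default` only breaks, but add it so the fall-through is not copied into readers' code. Since the sample embeds `"YOUR_SUBSCRIPTION_KEY"` directly in `main()`, the "Create a Speech configuration" section would do well to tell readers to read the key from an environment variable or secret store rather than leave it in source.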
cognitive-services Intent Recognition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/intent-recognition.md
keywords: intent recognition
[!INCLUDE [TLS 1.2 enforcement](../../../includes/cognitive-services-tls-announcement.md)]
-In this overview, you learn about the benefits and capabilities of intent recognition. The Cognitive Services Speech SDK integrates with the Language Understanding service (LUIS) to provide intent recognition. An intent is something the user wants to do: book a flight, check the weather, or make a call.
-Using intent recognition, your applications, tools, and devices can determine what the user wishes to initiate or do based on options you define in LUIS.
+In this overview, you will learn about the benefits and capabilities of intent recognition. The Cognitive Services Speech SDK provides two ways to recognize intents, both described below. An intent is something the user wants to do: book a flight, check the weather, or make a call. Using intent recognition, your applications, tools, and devices can determine what the user wants to initiate or do based on options you define in the Intent Recognizer or LUIS.
-## LUIS key required
+## Pattern matching
+The SDK provides an embedded pattern matcher that you can use to recognize intents in a very strict way. This is useful for when you need a quick offline solution. This works especially well when the user is going to be trained in some way or can be expected to use specific phrases to trigger intents. For example: "Go to floor seven", or "Turn on the lamp" etc. It is recommended to start here and if it no longer meets your needs, switch to using LUIS or a combination of the two.
+
+## LUIS (Language Understanding Intent Service)
+The Microsoft LUIS service is available as a complete AI intent service that works well when your domain of possible intents is large and you are not really sure what the user will say. It supports many complex scenarios, intents, and entities.
+
+### LUIS key required
* LUIS integrates with the Speech service to recognize intents from speech. You don't need a Speech service subscription, just LUIS.
-* Speech intent recognition is integrated with the SDK. You can use a LUIS key with the Speech service.
-* Intent recognition through the Speech SDK is [offered at a subset of regions supported by LUIS](./regions.md#intent-recognition).
+* Speech intent recognition is integrated with the Speech SDK. You can use a LUIS key with the Speech service.
+* Intent recognition through the Speech SDK is [offered in a subset of regions supported by LUIS](./regions.md#intent-recognition).
## Get started
+See this [how-to](how-to-use-simple-language-pattern-matching.md) to get started with pattern matching.
-See the [quickstart](get-started-intent-recognition.md) to get started with intent recognition.
+See this [quickstart](get-started-intent-recognition.md) to get started with LUIS intent recognition.
## Sample code
Sample code for intent recognition:
* Complete the intent recognition [quickstart](get-started-intent-recognition.md) * [Get a Speech service subscription key for free](overview.md#try-the-speech-service-for-free)
-* [Get the Speech SDK](speech-sdk.md)
+* [Get the Speech SDK](speech-sdk.md)
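Review bot: the new "Pattern matching" paragraph calls the embedded matcher "a quick offline solution", but the companion how-to added in this same update states that the simple patterns need a Cognitive Services or Unified Speech resource and that the utterance is sent to the Speech service to be transcribed; only the intent matching happens in the SDK, so reword "offline" (for example "without a LUIS app") so nobody reads it as needing no key or network. The new heading expands LUIS as "Language Understanding Intent Service" while the removed sentence expands it as "Language Understanding service (LUIS)"; keep one expansion. The `-`/`+` pair for "* [Get the Speech SDK](speech-sdk.md)" is a whitespace-only change and can be dropped from the patch.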
cognitive-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/language-support.md
Title: Language support - Speech service
description: The Speech service supports numerous languages for speech-to-text and text-to-speech conversion, along with speech translation. This article provides a comprehensive list of language support by service feature. -+ Last updated 01/07/2021-+
cognitive-services Long Audio Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/long-audio-api.md
Title: Long Audio API - Speech service
description: Learn how the Long Audio API is designed for asynchronous synthesis of long-form text to speech. -+ Last updated 08/11/2020-+ # Long Audio API
cognitive-services Multi Device Conversation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/multi-device-conversation.md
Title: Multi-device Conversation (Preview) - Speech Service
description: Multi-device conversation makes it easy to create a speech or text conversation between multiple clients and coordinate the messages that are sent between them. -+ Last updated 03/11/2020-+ # What is Multi-device Conversation (Preview)?
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/overview.md
Title: What is the Speech service?
description: The Speech service is the unification of speech-to-text, text-to-speech, and speech translation into a single Azure subscription. Add speech to your applications, tools, and devices with the Speech SDK, Speech Devices SDK, or REST APIs. -+ Last updated 11/23/2020-+ # What is the Speech service?
cognitive-services Setup Platform https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/quickstarts/setup-platform.md
Title: 'Quickstart: Set up development environment'
description: In this quickstart, you'll learn how to install the Speech SDK for your preferred platform and programming language combination. -+ Last updated 10/15/2020-+ zone_pivot_groups: programming-languages-speech-services-one-nomore
cognitive-services Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/regions.md
Keep in mind the following points when considering regions:
* If your application uses one of the Speech service's [REST APIs](./overview.md#reference-docs), the region is part of the endpoint URI you use when making requests. * Keys created for a region are valid only in that region. Attempting to use them with other regions will result in authentication errors.
+> [!NOTE]
+> Speech Services doesn't store/process customer data outside the region the customer deploys the service instance in.
+ ## Speech SDK In the [Speech SDK](speech-sdk.md), regions are specified as a string
cognitive-services Releasenotes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/releasenotes.md
#### New features -- **C++**: Simple Language Pattern matching with the Intent Recognizer now makes it easier to implement simple intent recognition scenarios. See documentation [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/get-started-intent-recognition?pivots=programming-language-cpp).
+- **C++**: Simple Language Pattern matching with the Intent Recognizer now makes it easier to [implement simple intent recognition scenarios](/azure/cognitive-services/speech-service/get-started-intent-recognition?pivots=programming-language-cpp).
- **C++/C#/Java**: We added a new API, `GetActivationPhrasesAsync()` to the `VoiceProfileClient` class for receiving a list of valid activation phrases in speaker recognition enrollment phase for independent recognition scenarios. - **Important**: The Speaker Recognition feature is in Preview. All voice profiles created in Preview will be discontinued 90 days after the Speaker Recognition feature is moved out of Preview into General Availability. At that point the Preview voice profiles will stop functioning.--**Python**: Added support for continuous Language Identification (LID) on the existing `SpeechRecognizer` and `TranslationRecognizer` objects. See documentation [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/how-to-automatic-language-detection?pivots=programming-language-python).-- **Python**: Added a new Python object named `SourceLanguageRecognizer` to do one-time or continuous LID (without recognition or translation). See documentation [here](https://docs.microsoft.com/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.sourcelanguagerecognizer?view=azure-python).--Support AAD authentication and User assigned Managed Identity
+- **Python**: Added [support for continuous Language Identification (LID)](/azure/cognitive-services/speech-service/how-to-automatic-language-detection?pivots=programming-language-python) on the existing `SpeechRecognizer` and `TranslationRecognizer` objects.
+- **Python**: Added a [new Python object](/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.sourcelanguagerecognizer?view=azure-python) named `SourceLanguageRecognizer` to do one-time or continuous LID (without recognition or translation).
+- Support AAD authentication and User assigned Managed Identity
- **JavaScript** `getActivationPhrasesAsync` API added to `VoiceProfileClient` class for receiving a list of valid activation phrases in speaker recognition enrollment phase for independent recognition scenarios. - **JavaScript** `VoiceProfileClient`'s `enrollProfileAsync` API is now async awaitable. See this independent identification code for example usage.
+#### Improvements
+
+- **AutoCloseable** support added to many Java objects. Now the try-with-resources model is supported to release resources. See [this sample that uses try-with-resources](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/quickstart/java/jre/intent-recognition/src/speechsdk/quickstart/Main.java#L28). Also see the Oracle Java documentation tutorial for [The try-with-resources Statement](https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html) to learn about this pattern.
+- SDK size reductions.
+ #### Bug fixes - **Java**: Fixed synthesis error when the synthesis text contains surrogate characters. Details [here](https://github.com/Azure-Samples/cognitive-services-speech-sdk/issues/1118).
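Review bot: the rewritten C++ bullet still links Simple Language Pattern matching to `get-started-intent-recognition?pivots=programming-language-cpp`, while this same update adds a dedicated `how-to-use-simple-language-pattern-matching.md` page and points the intent-recognition overview at it; link the release note to the new how-to so readers land on the pattern-matching instructions rather than the LUIS quickstart. The bullet "Support AAD authentication and User assigned Managed Identity" carries no language tag, no link and no statement of which APIs or platforms gained it, unlike every other bullet in the list; state at least which SDK languages and which objects accept the token, since authentication changes are exactly what integrators look for in release notes.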
cognitive-services Rest Speech To Text https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/rest-speech-to-text.md
Title: Speech-to-text API reference (REST) - Speech service
description: Learn how to use the speech-to-text REST API. In this article, you'll learn about authorization options, query options, how to structure a request and receive a response. -+ Last updated 07/01/2021-+
cognitive-services Rest Text To Speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/rest-text-to-speech.md
Title: Text-to-speech API reference (REST) - Speech service
description: Learn how to use the text-to-speech REST API. In this article, you'll learn about authorization options, query options, how to structure a request and receive a response. -+ Last updated 07/01/2021-+
cognitive-services Speaker Recognition Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speaker-recognition-overview.md
Title: Speaker Recognition overview - Speech service
description: Speaker Recognition provides algorithms that verify and identify speakers by their unique voice characteristics using voice biometry. Speaker Recognition is used to answer the question “who is speaking?”. This article is an overview of the benefits and capabilities of the Speaker Recognition service. -+ Last updated 09/02/2020-+ keywords: speaker recognition, voice biometry
cognitive-services Speech Devices Sdk Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-devices-sdk-quickstart.md
Title: 'Quickstart: Run the Speech Devices SDK on Windows, Linux or Android - Sp
description: This article contains the prerequisites and instructions for getting started with a Windows, Linux or Android Speech Devices SDK. -+ Last updated 06/25/2020-+ zone_pivot_groups: platforms-set-of-three
cognitive-services Speech Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-sdk.md
Title: About the Speech SDK - Speech service
description: The Speech software development kit (SDK) exposes many of the Speech service capabilities, making it easier to develop speech-enabled applications. -+ Last updated 04/03/2020-+ # About the Speech SDK
cognitive-services Speech Studio Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-studio-overview.md
Title: "Speech Studio overview - Speech service"
description: Speech Studio is a set of UI-based tools for building and integrating features from Azure Speech service in your applications. -+ Last updated 05/07/2021-+ # What is Speech Studio?
cognitive-services Speech Synthesis Markup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-synthesis-markup.md
Title: Speech Synthesis Markup Language (SSML) - Speech service
description: Using the Speech Synthesis Markup Language to control pronunciation and prosody in text-to-speech. -+ Last updated 03/23/2020-+
cognitive-services Speech To Text https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-to-text.md
Title: Speech-to-text overview - Speech service
description: Speech-to-text software enables real-time transcription of audio streams into text. Your applications, tools, or devices can consume, display, and take action on this text input. This article is an overview of the benefits and capabilities of the speech-to-text service. -+ Last updated 09/01/2020-+ keywords: speech to text, speech to text software
cognitive-services Spx Basics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/spx-basics.md
Title: "Speech CLI quickstart - Speech service"
description: Get started with the Azure Speech CLI. You can interact with Speech services like speech to text, text to speech, and speech translation without writing code. -+ Last updated 04/28/2021-+ # Get started with the Azure Speech CLI
cognitive-services Spx Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/spx-overview.md
Title: The Azure Speech CLI
description: The Speech CLI is a command-line tool for using the Speech service without writing any code. The Speech CLI requires minimal setup, and it's easy to immediately start experimenting with key features of the Speech service to see if your use-cases can be met. -+ Last updated 01/13/2021-+
cognitive-services Text To Speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/text-to-speech.md
Title: Text-to-speech overview - Speech service
description: The text-to-speech feature in the Speech service enables your applications, tools, or devices to convert text into natural human-like synthesized speech. This article is an overview of the benefits and capabilities of the text-to-speech service. -+ Last updated 09/01/2020-+ keywords: text to speech
cognitive-services Tutorial Voice Enable Your Bot Speech Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/tutorial-voice-enable-your-bot-speech-sdk.md
Title: "Tutorial: Voices enable your bot using Speech SDK - Speech service"
description: In this tutorial, you'll create an Echo Bot using Microsoft Bot Framework, deploy it to Azure, and register it with the Bot Framework Direct Line Speech channel. Then you'll configure a sample client app for Windows that lets you speak to your bot and hear it respond back to you. -+ Last updated 02/25/2020-+
communication-services Teams Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/teams-endpoint.md
Optionally, you can also use custom Teams endpoints to integrate chat capabiliti
| Permission | Display string | Description | Admin consent required | Microsoft account supported | |: |: |: |: |: |
-| _https://auth.msft.communication.azure.com/VoIP_ | Manage calls in Teams | Start, join, forward, transfer, or leave Teams calls and update call properties. | No | No |
+| _`https://auth.msft.communication.azure.com/VoIP`_ | Manage calls in Teams | Start, join, forward, transfer, or leave Teams calls and update call properties. | No | No |
### Application permissions
communication-services Download Recording File Sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/download-recording-file-sample.md
We'll then subscribe this webhook to the `recording` event:
2. Select `Event Subscription` as shown below. ![Screenshot showing event grid UI](./media/call-recording/image1-event-grid.png) 3. Configure the event subscription and select `Call Recording File Status Update` as the `Event Type`. Select `Webhook` as the `Endpoint type`.
-![Create Event Subscription](./media/call-recording/image2-create-subscription.png)
+![Create Event Subscription](./media/call-recording/image2-create-event-subscription.png)
4. Input your webhook's URL into `Subscriber Endpoint`. ![Subscribe to Event](./media/call-recording/image3-subscribe-to-event.png)
cosmos-db Cassandra Spark Generic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/cassandra-spark-generic.md
As an example, if we have 5 workers and a value of `spark.cassandra.output.concu
Increasing the number of executors can increase the number of threads in a given job, which can in turn increase throughput. However, the exact impact of this can be variable depending on the job, while controlling throughput with number of workers is more deterministic. You can also determine the exact cost of a given request by profiling it to get the Request Unit (RU) charge. This will help you to be more accurate when provisioning throughput for your table or keyspace. Have a look at our article [here](./find-request-unit-charge-cassandra.md) to understand how to get request unit charges at a per request level.
+### Scaling throughput in the database
+
+The Cassandra Spark connector will saturate throughput in Azure Cosmos DB very efficiently. As a result, even with effective retries, you will need to ensure you have sufficient throughput (RUs) provisioned at the table or keyspace level to prevent rate limiting related errors. The minimum setting of 400 RUs in a given table or keyspace will not be sufficient. Even at minimum throughput configuration settings, the Spark connector can write at a rate corresponding to around **6000 request units** or more.
+
+If the RU setting required for data movement using Spark is higher than what is required for your steady state workload, you can easily scale throughput up and down systematically in Azure Cosmos DB to meet the needs of your workload for a given time period. Read our article on [elastic scale in Cassandra API](manage-scale-cassandra.md) to understand the different options for scaling programmatically and dynamically.
+ > [!NOTE] > The guidance above assumes a reasonably uniform distribution of data. If you have a significant skew in the data (that is, an inordinately large number of reads/writes to the same partition key value), then you might still experience bottlenecks, even if you have a large number of [request units](./request-units.md) provisioned in your table. Request units are divided equally among physical partitions, and heavy data skew can cause a bottleneck of requests to a single partition.
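Review bot: the NOTE alert that closes the new section will not render as an alert, because `> [!NOTE]` and the note text share one line and the line starts with a space, so Markdown treats it as a plain paragraph; put `> [!NOTE]` on its own line followed by `> The guidance above assumes ...`. The figure of "around 6000 request units or more" at the minimum throughput setting is given without saying how it was measured (connector version, executor count, row size), and readers will size provisioning from it, so either cite the measurement or soften the claim. It would also help to name the symptom of under-provisioning here, the rate-limited (429) error that manage-scale-cassandra.md describes, so readers can tell it apart from other failures.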
cosmos-db Configure Spring Data Apache Cassandra With Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/configure-spring-data-apache-cassandra-with-cosmos-db.md
+
+ Title: How to use Spring Data Apache Cassandra API with Azure Cosmos DB
+description: Learn how to use Spring Data Apache Cassandra API with Azure Cosmos DB.
++++
+ms.devlang: java
+ Last updated : 07/17/2021++
+# How to use Spring Data Apache Cassandra API with Azure Cosmos DB
+
+This article demonstrates creating a sample application that uses [Spring Data] to store and retrieve information using the [Azure Cosmos DB Cassandra API](/azure/cosmos-db/cassandra-introduction).
+
+## Prerequisites
+
+The following prerequisites are required in order to complete the steps in this article:
+
+* An Azure subscription; if you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits] or sign up for a [free Azure account].
+* A supported Java Development Kit (JDK). For more information about the JDKs available for use when developing on Azure, see [Java support on Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure).
+* [Apache Maven](http://maven.apache.org/), version 3.0 or later.
+* [Curl](https://curl.haxx.se/) or similar HTTP utility to test functionality.
+* A [Git](https://git-scm.com/downloads) client.
+
+> [!NOTE]
+> The samples mentioned below implement custom extensions for a better experience when using Azure Cosmos DB Cassandra API. They include custom retry and load balancing policies, as well as implementing recommended connection settings. For a more extensive exploration of how the custom policies are used, see Java samples for [version 3](https://github.com/Azure-Samples/azure-cosmos-cassandra-extensions-java-sample) and [version 4](https://github.com/Azure-Samples/azure-cosmos-cassandra-extensions-java-sample-v4).
+
+## Create a Cosmos DB Cassandra API account
++
+## Configure the sample application
+
+The following procedure configures the test application.
+
+1. Open a command shell and clone either of the following examples:
+
+ For Java [version 3 driver](https://github.com/datastax/java-driver/tree/3.x) and corresponding Spring version:
+
+ ```shell
+ git clone https://github.com/Azure-Samples/spring-data-cassandra-on-azure-extension-v3.git
+ ```
+
+ For Java [version 4 driver](https://github.com/datastax/java-driver/tree/4.x) and corresponding Spring version:
+
+ ```shell
+ git clone https://github.com/Azure-Samples/spring-data-cassandra-on-azure-extension-v4.git
+ ```
+
+ > [!NOTE]
+ > Although the usage described below is identical for both Java version 3 and version 4 samples above, the way in which they have been implemented in order to include custom retry and load balancing policies is different. We recommend reviewing the code to understand how to implement custom policies if you are making changes to an existing spring java application.
+
+1. Locate the *application.properties* file in the *resources* directory of the sample project, or create the file if it does not already exist.
+
+1. Open the *application.properties* file in a text editor, and add or configure the following lines in the file, and replace the sample values with the appropriate values from earlier:
+
+ ```yaml
+ spring.data.cassandra.contact-points=<Account Name>.cassandra.cosmos.azure.com
+ spring.data.cassandra.port=10350
+ spring.data.cassandra.username=<Account Name>
+ spring.data.cassandra.password=********
+ ```
+
+ Where:
+
+ | Parameter | Description |
+ |||
+ | `spring.data.cassandra.contact-points` | Specifies the **Contact Point** from earlier in this article. |
+ | `spring.data.cassandra.port` | Specifies the **Port** from earlier in this article. |
+ | `spring.data.cassandra.username` | Specifies your **Username** from earlier in this article. |
+ | `spring.data.cassandra.password` | Specifies your **Primary Password** from earlier in this article. |
+
+1. Save and close the *application.properties* file.
+
+## Package and test the sample application
+
+Browse to the directory that contains the .pom file to build and test the application.
+
+1. Build the sample application with Maven; for example:
+
+ ```shell
+ mvn clean package
+ ```
+
+1. Start the sample application; for example:
+
+ ```shell
+ java -jar target/spring-data-cassandra-on-azure-0.1.0-SNAPSHOT.jar
+ ```
+
+1. Create new records using `curl` from a command prompt like the following examples:
+
+ ```shell
+ curl -s -d "{\"name\":\"dog\",\"species\":\"canine\"}" -H "Content-Type: application/json" -X POST http://localhost:8080/pets
+
+ curl -s -d "{\"name\":\"cat\",\"species\":\"feline\"}" -H "Content-Type: application/json" -X POST http://localhost:8080/pets
+ ```
+
+ Your application should return values like the following:
+
+ ```shell
+ Added Pet{id=60fa8cb0-0423-11e9-9a70-39311962166b, name='dog', species='canine'}.
+
+ Added Pet{id=72c1c9e0-0423-11e9-9a70-39311962166b, name='cat', species='feline'}.
+ ```
+
+1. Retrieve all of the existing records using `curl` from a command prompt like the following examples:
+
+ ```shell
+ curl -s http://localhost:8080/pets
+ ```
+
+ Your application should return values like the following:
+
+ ```json
+ [{"id":"60fa8cb0-0423-11e9-9a70-39311962166b","name":"dog","species":"canine"},{"id":"72c1c9e0-0423-11e9-9a70-39311962166b","name":"cat","species":"feline"}]
+ ```
+
+## Clean up resources
++
+## Next steps
+
+To learn more about Spring and Azure, continue to the Spring on Azure documentation center.
+
+> [!div class="nextstepaction"]
+> [Spring on Azure](./index.yml)
+
+### Additional Resources
+
+For more information about using Azure with Java, see the [Azure for Java Developers] and the [Working with Azure DevOps and Java].
+
+<!-- URL List -->
+
+[Azure for Java Developers]: ../index.yml
+[free Azure account]: https://azure.microsoft.com/pricing/free-trial/
+[Working with Azure DevOps and Java]: /azure/devops/
+[MSDN subscriber benefits]: https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/
+[Spring Boot]: http://projects.spring.io/spring-boot/
+[Spring Data]: https://spring.io/projects/spring-data
+[Spring Initializr]: https://start.spring.io/
+[Spring Framework]: https://spring.io/
+
+<!-- IMG List -->
+
+[COSMOSDB01]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-01.png
+[COSMOSDB02]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-02.png
+[COSMOSDB03]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-03.png
+[COSMOSDB04]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-04.png
+[COSMOSDB05]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-05.png
+[COSMOSDB05-1]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-05-1.png
+[COSMOSDB06]: media/configure-spring-data-apache-cassandra-with-cosmos-db/create-cosmos-db-06.png
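Review bot: the application.properties snippet is fenced as `yaml` but contains Java properties syntax (`key=value`), so tag it `properties`; and the primary account password is placed in a file that is packaged into the jar and easily committed, so the step should point readers at an environment variable or an external secret store instead of the literal `spring.data.cassandra.password=********`. The Cassandra API endpoint on port 10350 requires TLS, and the four properties shown do not enable it; if the samples' custom configuration turns it on, say so, otherwise the reader needs to enable SSL (in Spring Boot 2.x, `spring.data.cassandra.ssl=true`). Smaller items: the table separator row `|||` under "Where:" needs dashes (`|---|---|`) to render as a table; the "Create a Cosmos DB Cassandra API account" and "Clean up resources" sections contain nothing but `++`, which looks like a lost include, so confirm the `[!INCLUDE]` lines are present; the URL list defines [Spring Boot], [Spring Initializr] and [Spring Framework] and the IMG list defines COSMOSDB01 to COSMOSDB06, none of which are referenced in the article body shown; and "spring java application" in the note should read "Spring Java application".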
cosmos-db Create Cassandra Java V4 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-cassandra-java-v4.md
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
- A [Maven binary archive](https://maven.apache.org/download.cgi). On Ubuntu, run `apt-get install maven` to install Maven. - [Git](https://www.git-scm.com/downloads). On Ubuntu, run `sudo apt-get install git` to install Git.
+> [!NOTE]
+> This is a simple quickstart which uses [version 4](https://github.com/datastax/java-driver/tree/4.x) of the open-source Apache Cassandra driver for Java. In most cases, you should be able to connect an existing Apache Cassandra dependent Java application to Azure Cosmos DB Cassandra API without any changes to your existing code. However, we recommend adding our [custom Java extension](https://github.com/Azure/azure-cosmos-cassandra-extensions/tree/release/java-driver-4/1.0.1), which includes custom retry and load balancing policies, as well as recommended connection settings, for a better overall experience. This is to handle [rate limiting](manage-scale-cassandra.md#handling-rate-limiting-429-errors) and application level failover in Azure Cosmos DB where required. You can find a comprehensive sample which implements the extension [here](https://github.com/Azure-Samples/azure-cosmos-cassandra-extensions-java-sample-v4).
+ ## Create a database account Before you can create a document database, you need to create a Cassandra account with Azure Cosmos DB.
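Review bot: the heading `## Create a database account` sits on the same line as the sentence that follows it, so it will not render as a heading; give it its own line with a blank line after it. In the note, "Apache Cassandra dependent Java application" reads better hyphenated as "Apache Cassandra-dependent", and "This is to handle rate limiting and application level failover ... where required" should say which policy handles which (the retry policy for rate limiting, the load balancing policy for failover, as the version 3 quickstart's "respectively" implies), since that mapping is what a reader needs to decide whether to adopt the extension.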
cosmos-db Create Cassandra Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-cassandra-java.md
ms.devlang: java Previously updated : 05/18/2020 Last updated : 07/17/2021
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
- A [Maven binary archive](https://maven.apache.org/download.cgi). On Ubuntu, run `apt-get install maven` to install Maven. - [Git](https://www.git-scm.com/downloads). On Ubuntu, run `sudo apt-get install git` to install Git.
+> [!NOTE]
+> This is a simple quickstart which uses [version 3](https://github.com/datastax/java-driver/tree/3.x) of the open-source Apache Cassandra driver for Java. In most cases, you should be able to connect an existing Apache Cassandra dependent Java application to Azure Cosmos DB Cassandra API without any changes to your existing code. However, we recommend adding our [custom Java extension](https://github.com/Azure/azure-cosmos-cassandra-extensions/tree/feature/java-driver-3%2F1.0.0), which includes custom retry and load balancing policies, for a better overall experience. This is to handle [rate limiting](/manage-scale-cassandra.md#handling-rate-limiting-429-errors) and application level failover in Azure Cosmos DB respectively. You can find a comprehensive sample which implements the extension [here](https://github.com/Azure-Samples/azure-cosmos-cassandra-extensions-java-sample).
+ ## Create a database account Before you can create a document database, you need to create a Cassandra account with Azure Cosmos DB.
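Review bot: the rate-limiting link `/manage-scale-cassandra.md#handling-rate-limiting-429-errors` has a leading slash, which makes it a site-root path that will not resolve; the version 4 quickstart uses the relative `manage-scale-cassandra.md#handling-rate-limiting-429-errors`, so use the same here. The extension link points at a feature branch (`tree/feature/java-driver-3%2F1.0.0`) rather than a release, so the code readers are told to depend on can change under them; link a release tag as the version 4 note does (`release/java-driver-4/1.0.1`). The same heading problem as the version 4 article applies: `## Create a database account` needs its own line.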
cosmos-db Graph Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/graph-introduction.md
description: Learn how you can use Azure Cosmos DB to store, query, and traverse
Previously updated : 03/22/2021 Last updated : 07/26/2021
cosmos-db Manage Scale Cassandra https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/manage-scale-cassandra.md
For the Cassandra API, you can retrieve the Request Unit charge for individual q
Azure Cosmos DB will return rate-limited (429) errors if clients consume more resources (RU/s) than the amount that you have provisioned. The Cassandra API in Azure Cosmos DB translates these exceptions to overloaded errors on the Cassandra native protocol.
-If your system is not sensitive to latency, it may be sufficient to handle the throughput rate-limiting by using retries. See the [Java code sample](https://github.com/Azure-Samples/azure-cosmos-cassandra-java-retry-sample) for how to handle rate limiting transparently by using the [Azure Cosmos DB extension](https://github.com/Azure/azure-cosmos-cassandra-extensions) for [Cassandra retry policy](https://docs.datastax.com/en/developer/java-driver/4.4/manual/core/retries/) in Java. You can also use the [Spark extension](https://mvnrepository.com/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper) to handle rate-limiting.
+If your system is not sensitive to latency, it may be sufficient to handle the throughput rate-limiting by using retries. See Java code samples for [version 3](https://github.com/Azure-Samples/azure-cosmos-cassandra-extensions-java-sample) and [version 4](https://github.com/Azure-Samples/azure-cosmos-cassandra-extensions-java-sample-v4) of the Apache Cassandra Java drivers for how to handle rate limiting transparently. These samples implements a custom version of the default [Cassandra retry policy](https://docs.datastax.com/en/developer/java-driver/4.4/manual/core/retries/) in Java. You can also use the [Spark extension](https://mvnrepository.com/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper) to handle rate-limiting. When using Spark, ensure you follow our guidance on [Optimizing Spark connector throughput configuration](cassandra-spark-generic.md#optimizing-spark-connector-throughput-configuration).
## Manage scaling
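Review bot: "These samples implements" should be "These samples implement". The retry-policy link goes to the DataStax 4.4 driver manual while the sentence covers both the version 3 and version 4 samples; either link the manual for each driver version or say the reference is for the version 4 driver.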
cost-management-billing Tutorial Export Acm Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/tutorial-export-acm-data.md
Title: Tutorial - Create and manage exported data from Azure Cost Management
description: This article shows you how you can create and manage exported Azure Cost Management data so that you can use it in external systems. Previously updated : 05/06/2021 Last updated : 07/26/2021
Each export creates a new file, so older exports aren't overwritten.
#### Create an export for multiple subscriptions
-If you have an Enterprise Agreement, then you can use a management group to aggregate subscription cost information in a single container. Then you can export cost management data for the management group.
+If you have an Enterprise Agreement, then you can use a management group to aggregate subscription cost information in a single container. Then you can export cost management data for the management group. Exports for management groups only support actual costs.
Exports for management groups of other subscription types aren't supported.
cost-management-billing Ea Portal Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/ea-portal-troubleshoot.md
Title: Troubleshoot Azure EA portal access
description: This article describes some common issues that can occur with an Azure Enterprise Agreement (EA) in the Azure EA portal. Previously updated : 03/26/2021 Last updated : 07/26/2021
This article describes some common issues that can occur with an Azure Enterprise Agreement (EA). The Azure EA portal is used to manage enterprise agreement users and costs. You might come across these issues when you're configuring or updating Azure EA portal access.
-## Issues adding an admin to an enrollment
+## Issues adding a user to an enrollment
There are different types of authentication levels for enterprise enrollments. When authentication levels are applied incorrectly, you might have issues when you try to sign in to the Azure EA portal.
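Review bot: renaming the H2 from "Issues adding an admin to an enrollment" to "Issues adding a user to an enrollment" changes the heading's URL fragment, so any inbound links to `#issues-adding-an-admin-to-an-enrollment` from other articles or support content break; search for and update those links, or keep the old anchor. The first sentence under the heading still applies as written, so no body change is needed.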
cost-management-billing Mca Request Billing Ownership https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/mca-request-billing-ownership.md
tags: billing
Previously updated : 04/29/2021 Last updated : 07/26/2021
Azure Marketplace products transfer along with their respective subscriptions.
### Azure Reservations transfer
-If you're transferring Enterprise Agreement (EA) subscriptions or Microsoft Customer Agreements, Azure Reservations don't automatically move with the subscriptions. [Contact Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to move Reservations.
+If you're transferring Enterprise Agreement (EA) subscriptions or Microsoft Customer Agreements, Azure Reservations automatically move with the subscriptions.
### Access to Azure services
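Review bot: the sentence is inverted from "don't automatically move" to "automatically move" and the Azure support link is dropped with it; confirm the new statement holds for both the Enterprise Agreement and the Microsoft Customer Agreement transfers the sentence covers, and if there is any case in which a reservation is not transferred, state it, because a reader who relied on the old advice to open a support request now has no fallback.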
cost-management-billing Mca Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/understand/mca-faq.md
+
+ Title: Microsoft Customer Agreement FAQ - Azure
+description: Get answers to frequently asked questions about signing the Microsoft Customer Agreement.
++
+tags: billing
Last updated : 07/26/2021++++++
+# Microsoft Customer Agreement frequently asked questions (FAQ)
+
+This article provides answers to frequently asked questions about the Microsoft Customer Agreement.
+
+## Can I sign the Microsoft Customer Agreement today?
+
+- **If you work through a Microsoft seller**, the Microsoft Customer Agreement is currently available in Argentina, Australia, Austria, Canada, Chile, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Puerto Rico, South Africa, Spain, Sweden, Switzerland, United Kingdom, United States, and Uruguay.
+- **If you are a new customer purchasing Azure services directly from Azure.com,** today the Microsoft Customer Agreement is available in the countries below all of which are transacted in US dollars (USD). In 2021, we began the rollout for the new customers in other regions with the goal of making Microsoft Customer Agreement available worldwide.
+- The Microsoft Customer Agreement is also available through Cloud Solution Providers (CSP) around the world. You can find a partner in the CSP program [**here**](https://www.microsoft.com/solution-providers/home).
+
+ | Countries/regions | Countries/regions | Countries/regions | Countries/regions |
+ |-|||--|
+ | Afghanistan | C├┤te d'Ivoire | Moldova | Sri Lanka |
+ | Albania | Curaçao | Mongolia | Tajikistan |
+ | Algeria | Dominican Republic | Montenegro | Tanzania |
+ | Angola | Egypt | Morocco | Thailand |
+ | Armenia | Ethiopia | Namibia | Trinidad and Tobago |
+ | Azerbaijan | Georgia | Nepal | Tunisia |
+ | Bahrain | Ghana | Nicaragua | Turkmenistan |
+ | Bangladesh | Guatemala | Nigeria | Virgin Islands of the United States |
+ | Barbados | Honduras | Oman | Uganda |
+ | Belarus | Iraq | Pakistan | Ukraine |
+ | Belize | Israel | Palestinian Authority | United Arab Emirates |
+ | Bermuda | Jamaica | Panama | United States |
+ | Bolivia | Jordan | Paraguay | Uruguay |
+ | Bosnia and Herzegovina | Kazakhstan | Peru | Uzbekistan |
+ | Botswana | Kenya | Philippines | Venezuela |
+ | Brunei Darussalam | Kuwait | Puerto Rico | Vietnam |
+ | Cameroon | Kyrgyzstan | Qatar | Yemen |
+ | Cabo Verde | Lebanon | Rwanda | Zambia |
+ | Cayman Islands | Libya | Saint Kitts and Nevis | Zimbabwe |
+ | Chile | Macao | Senegal | Ecuador |
+ | Colombia | Macedonia (FYRO) | Serbia | El Salvador |
+ | Costa Rica | Mauritius | Singapore | |
+
+## What if I am an existing customer purchasing Azure directly from Azure.com?
+
+Microsoft will share a notice directly with you at least 30 days before the transition to the Microsoft Customer Agreement.
+
+## Which Azure Services are available through the Microsoft Customer Agreement?
+
+All Azure services are available through Microsoft Customer Agreement. Once you accept the Microsoft Customer Agreement, you get the benefit of more free enterprise-grade management tools including new invoice and cost management capabilities through the same portal where you manage your Azure services.
+
+## How is Azure priced under the Microsoft Customer Agreement?
+
+Azure is priced in US dollars (USD) worldwide under the Microsoft Customer Agreement.
+
+If you transact in one of the other supported currencies listed below, your monthly cost is first calculated in US dollars (USD). For payment, the total is then converted to the local currency.
+
+| Code | Currency |
+||--|
+| AUD | Australian Dollar |
+| BRL | Brazilian Real |
+| GBP | British Pound |
+| CAD | Canadian Dollar |
+| CNY | Chinese Yuan |
+| DKK | Danish Krone |
+| EUR | Euro |
+| INR | Indian Rupee |
+| JPY | Japanese Yen |
+| KRW | Korean Won |
+| NZD | New Zealand Dollar |
+| NOK | Norwegian Krone |
+| RUB | Russian Ruble |
+| SEK | Swedish Krona |
+| CHF | Swiss Franc |
+| TWD | Taiwan Dollar |
+
+## What exchange rate will be used and how does it work with my bill?
+
+We use Thomson Reuters benchmark rates that are captured at the end of the previous month and go into effect on the first day of the next calendar month. This rate applies to all transactions during the upcoming month.
+
+For example, the exchange rate for January transactions is first captured in the final days of December. This rate will be applied to all Azure purchases made in January and all Azure consumption in January. The January exchange rate and local currency billed amount will appear in the January invoice, which is available at the beginning of February.
+
+## Under the Microsoft Customer Agreement, in which currency will my payment be processed?
+
+The legal address you provide at the time of signing will determine your billing geography and currency based on the table below:
+
+| **Country/Region** | **Billing currency** |
+|-|-|
+| Afghanistan | US Dollar (\$) |
+| Albania | US Dollar (\$) |
+| Algeria | US Dollar (\$) |
+| Angola | US Dollar (\$) |
+| Argentina | US Dollar (\$) |
+| Armenia | US Dollar (\$) |
+| Australia | Australian Dollar (\$) |
+| Austria | Euro (Γé¼) |
+| Azerbaijan | US Dollar (\$) |
+| Bahamas | US Dollar (\$) |
+| Bahrain | US Dollar (\$) |
+| Bangladesh | US Dollar (\$) |
+| Barbados | US Dollar (\$) |
+| Belarus | US Dollar (\$) |
+| Belgium | Euro (Γé¼) |
+| Belize | US Dollar (\$) |
+| Bermuda | US Dollar (\$) |
+| Bolivia | US Dollar (\$) |
+| Bosnia and Herzegovina | US Dollar (\$) |
+| Botswana | US Dollar (\$) |
+| Brazil | Brazilian Real (R\$) |
+| Brunei Darussalam | US Dollar (\$) |
+| Bulgaria | Euro (Γé¼) |
+| Republic of Cabo Verde | US Dollar (\$) |
+| Cameroon | US Dollar (\$) |
+| Canada | Canadian Dollar (\$) |
+| Cayman Islands | US Dollar (\$) |
+| Chile | US Dollar (\$) |
+| China | Chinese yuan (¥) |
+| Colombia | US Dollar (\$) |
+| Republic of the Congo | US Dollar (\$) |
+| Costa Rica | US Dollar (\$) |
+| C├┤te d'Ivoire | US Dollar (\$) |
+| Croatia | Euro (Γé¼) |
+| Curaçao | US Dollar (\$) |
+| Cyprus | Euro (Γé¼) |
+| Czech Republic | Euro (Γé¼) |
+| Denmark | Danish Krone (kr) |
+| Dominican Republic | US Dollar (\$) |
+| Ecuador | US Dollar (\$) |
+| Egypt | US Dollar (\$) |
+| El Salvador | US Dollar (\$) |
+| Estonia | Euro (Γé¼) |
+| Ethiopia | US Dollar (\$) |
+| Faroe Islands | Danish Krone (kr) |
+| Fiji | Australian Dollar (\$) |
+| Finland | Euro (Γé¼) |
+| France | Euro (Γé¼) |
+| Georgia | US Dollar (\$) |
+| Germany | Euro (Γé¼) |
+| Ghana | US Dollar (\$) |
+| Greece | Euro (Γé¼) |
+| Guatemala | US Dollar (\$) |
+| Honduras | US Dollar (\$) |
+| Hong Kong | US Dollar (\$) |
+| Hungary | Euro (Γé¼) |
+| Iceland | Euro (Γé¼) |
+| India | Indian Rupee (₹) |
+| Indonesia | US Dollar (\$) |
+| Iraq | US Dollar (\$) |
+| Ireland | Euro (Γé¼) |
+| Israel | US Dollar (\$) |
+| Italy | Euro (Γé¼) |
+| Jamaica | US Dollar (\$) |
+| Japan | Japanese Yen (¥) |
+| Jordan | US Dollar (\$) |
+| Kazakhstan | US Dollar (\$) |
+| Kenya | US Dollar (\$) |
+| Korea | Korean Won (₩) |
+| Kuwait | US Dollar (\$) |
+| Kyrgyzstan | US Dollar (\$) |
+| Latvia | Euro (Γé¼) |
+| Lebanon | US Dollar (\$) |
+| Libya | US Dollar (\$) |
+| Liechtenstein | Swiss Franc. (chf) |
+| Lithuania | Euro (Γé¼) |
+| Luxembourg | Euro (Γé¼) |
+| Macao | US Dollar (\$) |
+| Macedonia (FYRO) | US Dollar (\$) |
+| Malaysia | US Dollar (\$) |
+| Malta | Euro (Γé¼) |
+| Mauritius | US Dollar (\$) |
+| Mexico | US Dollar (\$) |
+| Moldova | US Dollar (\$) |
+| Monaco | Euro (Γé¼) |
+| Mongolia | US Dollar (\$) |
+| Montenegro | US Dollar (\$) |
+| Morocco | US Dollar (\$) |
+| Namibia | US Dollar (\$) |
+| Nepal | US Dollar (\$) |
+| Netherlands | Euro (Γé¼) |
+| New Zealand | New Zealand Dollar (\$) |
+| Nicaragua | US Dollar (\$) |
+| Nigeria | US Dollar (\$) |
+| Norway | Norwegian Krone (kr) |
+| Oman | US Dollar (\$) |
+| Pakistan | US Dollar (\$) |
+| Palestinian Authority | US Dollar (\$) |
+| Panama | US Dollar (\$) |
+| Paraguay | US Dollar (\$) |
+| Peru | US Dollar (\$) |
+| Philippines | US Dollar (\$) |
+| Poland | Euro (Γé¼) |
+| Portugal | Euro (Γé¼) |
+| Puerto Rico | US Dollar (\$) |
+| Qatar | US Dollar (\$) |
+| Romania | Euro (Γé¼) |
+| Russia | Russian Ruble (руб) |
+| Rwanda | US Dollar (\$) |
+| Saint Kitts and Nevis | US Dollar (\$) |
+| Saudi Arabia | US Dollar (\$) |
+| Senegal | US Dollar (\$) |
+| Serbia | US Dollar (\$) |
+| Singapore | US Dollar (\$) |
+| Slovakia | Euro (Γé¼) |
+| Slovenia | Euro (Γé¼) |
+| South Africa | US Dollar (\$) |
+| Spain | Euro (Γé¼) |
+| Sri Lanka | US Dollar (\$) |
+| Sweden | Swedish Krona (kr) |
+| Switzerland | Swiss Franc. (chf) |
+| Taiwan | Taiwanese Dollar (NT\$) |
+| Tajikistan | US Dollar (\$) |
+| Tanzania | US Dollar (\$) |
+| Thailand | US Dollar (\$) |
+| Trinidad and Tobago | US Dollar (\$) |
+| Tunisia | US Dollar (\$) |
+| Turkey | US Dollar (\$) |
+| Turkmenistan | US Dollar (\$) |
+| Uganda | US Dollar (\$) |
+| Ukraine | US Dollar (\$) |
+| United Arab Emirates | US Dollar (\$) |
+| United Kingdom | British Pound (£) |
+| United States | US Dollar (\$) |
+| Uruguay | US Dollar (\$) |
+| Uzbekistan | US Dollar (\$) |
+| Venezuela | US Dollar (\$) |
+| Vietnam | US Dollar (\$) |
+| Virgin Islands of the United States | US Dollar (\$) |
+| Yemen | US Dollar (\$) |
+| Zambia | US Dollar (\$) |
+| Zimbabwe | US Dollar (\$) |
+
+If you purchase Azure services through a Microsoft partner, contact them for questions regarding your payment currency.
+
+## How will I get my invoice?
+
+- If youΓÇÖre buying directly from Azure.com, you will find your invoice details in the **Cost Management and Billing** service in the [Azure portal](https://portal.azure.com).
+- If you are buying through a Microsoft sales representative, you will receive your invoices from Microsoft. You can also access your invoices in the **Cost Management and Billing** service in the [Azure portal](https://portal.azure.com).
+- If you are purchasing through a cloud solution provider under the Microsoft Customer Agreement, you will receive your invoice from the partner.
+
+## Where can I review the Microsoft Customer Agreement?
+
+You can review the Microsoft Customer Agreement at [Microsoft Licensing](https://www.microsoft.com/licensing/docs/customeragreement).
+
+## How do these changes affect my organization if we already have a Microsoft Enterprise Agreement?
+
+Azure usage and purchases made under an existing Enterprise Agreement are not affected by this change.
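Review bot: several non-ASCII characters in the new article are mojibake (UTF-8 read as a legacy code page): `C├┤te d'Ivoire` for Côte d'Ivoire in both tables, `Γé¼` for the euro sign in every Euro row, and `youΓÇÖre` for you're under "How will I get my invoice?"; re-save the file as UTF-8 before merging. The table separator rows `|-|||--|` (countries table) and `||--|` (currency code table) are missing dashes in some cells and may not render as tables; use `|---|---|---|---|` and `|---|---|`. In the billing-currency table, "Swiss Franc. (chf)" has a stray period and a lowercase code where every other row gives a symbol, and "Chinese yuan" is lowercase while the other currency names are capitalised. In the countries table, Ecuador and El Salvador sit at the bottom of the fourth column instead of in alphabetical order.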
databox-online Azure Stack Edge Deploy Prep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-deploy-prep.md
Title: Tutorial to prepare to deploy deploy Azure Stack Edge Pro FPGA via Azure portal in your datacenter
+ Title: Tutorial to prepare to deploy Azure Stack Edge Pro FPGA via Azure portal in your datacenter
description: The first tutorial about deploying Azure Stack Edge Pro FPGA involves preparing the Azure portal.
Previously updated : 03/16/2021 Last updated : 07/23/2021 + # Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Pro FPGA so I can use it to transfer data to Azure. # Tutorial: Prepare to deploy Azure Stack Edge Pro FPGA
Before you begin, make sure that:
* Your Microsoft Azure subscription is enabled for an Azure Stack Edge resource. Make sure that you used a supported subscription such as [Microsoft Enterprise Agreement (EA)](https://azure.microsoft.com/overview/sales-number/), [Cloud Solution Provider (CSP)](/partner-center/azure-plan-lp), or [Microsoft Azure Sponsorship](https://azure.microsoft.com/offers/ms-azr-0036p/). Pay-as-you-go subscriptions aren't supported.
-* You have owner or contributor access at resource group level for the Azure Stack Edge / Data Box Gateway, IoT Hub, and Azure Storage resources.
+* RBAC roles: You have the following role assignments in Azure role-based access control (RBAC):
- * You should be an **Owner** at the subscription level to grant contributor access. To give contributor access to someone else, in Azure portal, go to **All Services** > **Subscriptions** > **Access control (IAM)** > **+Add** > **Add role assignment**. For more information, see [Tutorial: Grant a user access to Azure resources using the Azure portal](../role-based-access-control/quickstart-assign-role-user-portal.md).
+ * To create Azure Stack Edge, IoT Hub, and Azure storage resources, a user must have the Contributor or Owner role at resource group scope.
+
+ * To assign the Contributor role to a user at resource group scope, you must have the Owner role at subscription scope.
+
+ For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+
+* Resource providers: The following resource providers are registered:
+
+ * To create an Azure Stack Edge/Data Box Gateway resource, make sure the `Microsoft.DataBoxEdge`provider is registered.
+
+ * To create an IoT Hub resource, make sure the `Microsoft.Devices` provider is registered.
+
+ * To create an Azure Storage resource, make sure Azure Storage is registered. The Azure Storage Resource Provider (SRP) is by default a registered resource provider, but in some cases registration may be needed.
+
+ **To register a resource provider, you must have been assigned the related RBAC role, above.**
+
+ For information on how to register, see [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
- * To create any Azure Stack Edge / Data Box Gateway resource, you should have permissions as a contributor (or higher) scoped at resource group level. You also need to make sure that the `Microsoft.DataBoxEdge` resource provider is registered. For information on how to register a resource provider, see [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
- * To create any IoT Hub resource, make sure that the Microsoft.Devices provider is registered. For information on how to register, go to [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
- * To create a Storage account resource, again you need contributor or higher access scoped at the resource group level. Azure Storage is by default a registered resource provider.
* You have admin or user access to Azure Active Directory Graph API. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).+ * You have your Microsoft Azure storage account with access credentials.+ * You are not blocked by any Azure policy set up by your system administrator. For more information about policies, see [Quickstart: Create a policy assignment to identify non-compliant resources](../governance/policy/assign-policy-portal.md). + ### For the Azure Stack Edge Pro FPGA device Before you deploy a physical device, make sure that:
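Review bot: the bold line "To register a resource provider, you must have been assigned the related RBAC role, above" is not accurate as written: the roles listed above are Contributor or Owner at resource group scope, but registering a resource provider is a subscription-level operation (the `/register/action` on the provider namespace), which a resource-group-scoped role does not grant; say that provider registration needs Contributor or Owner on the subscription, or a custom role that includes that action, so readers are not pointed at a role that is insufficient. Also, `Microsoft.DataBoxEdge`provider is missing the space after the code span, and "make sure Azure Storage is registered" should name the namespace (`Microsoft.Storage`) the way the other two bullets do.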
databox Data Box Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-overview.md
Previously updated : 04/19/2021 Last updated : 07/22/2021 #Customer intent: As an IT admin, I need to understand what Data Box is and how it works so I can use it to import on-premises data into Azure or export data from Azure.
The Data Box device has the following features in this release.
| Weight | < 50 lbs. | | Dimensions | Device - Width: 309.0 mm Height: 430.4 mm Depth: 502.0 mm | | Rack space | 7 U when placed in the rack on its side (cannot be rack-mounted)|
-| Cables required | 1 X power cable (included) <br> 2 RJ45 cables <br> 2 X SFP+ Twinax copper cables|
+| Cables required | 1 X power cable (included) <br> 2 RJ45 cables (not included)<br> 2 X SFP+ Twinax copper cables (not included)|
| Storage capacity | 100-TB device has 80 TB or usable capacity after RAID 5 protection| | Power rating | The power supply unit is rated for 700 W. <br> Typically, the unit draws 375 W.| | Network interfaces | 2 X 1-GbE interface - MGMT, DATA 3. <br> MGMT - for management, not user configurable, used for initial setup <br> DATA3 - for data, user configurable, and is dynamic by default <br> MGMT and DATA 3 can also work as 10 GbE <br> 2 X 10-GbE interface - DATA 1, DATA 2 <br> Both are for data, can be configured as dynamic (default) or static |
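Review bot: The "(not included)" additions on the `Cables required` row are useful, but the power entry on the same row says only "1 X power cable (included)" while the quickstart describes it as a grounded power cord with an IEC60320 C-13 connector; use one description in both places so readers recognise it as the same item. Two pre-existing typos sit in the surrounding context lines: `100-TB device has 80 TB or usable capacity` should read "of usable capacity", and `7 U` should be `7U` to match the quickstart's "7U slot".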
A typical import flow includes the following steps:
1. **Order** - Create an order in the Azure portal, provide shipping information, and the destination Azure storage account for your data. If the device is available, Azure prepares and ships the device with a shipment tracking ID.
-2. **Receive** - Once the device is delivered, cable the device for network and power using the specified cables. Turn on and connect to the device. Configure the device network and mount shares on the host computer from where you want to copy the data.
+2. **Receive** - Once the device is delivered, cable the device for network and power using the specified cables. (The power cable is included with the device. You'll need to procure the data cables.) Turn on and connect to the device. Configure the device network and mount shares on the host computer from where you want to copy the data.
3. **Copy data** - Copy data to Data Box shares.
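Review bot: In step 2 the added parenthetical "You'll need to procure the data cables" does not say which cables; name them (the two SFP+ Twinax copper cables and the RJ45 cables listed in the features table) or link to the cable list, so a reader planning the on-site visit does not have to cross-reference. The sentence "cable the device for network and power using the specified cables" also precedes the note that those cables are not shipped; placing the parenthetical before "cable the device" reads more naturally.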
A typical export flow includes the following steps:
1. **Order** - Create an export order in the Azure portal, provide shipping information, and the source Azure storage account for your data. If the device is available, Azure prepares a device. Data is copied from your Azure Storage account to the Data Box. Once the data copy is complete, Microsoft ships the device with a shipment tracking ID.
-2. **Receive** - Once the device is delivered, cable the device for network and power using the specified cables. Turn on and connect to the device. Configure the device network and mount shares on the host computer to which you want to copy the data.
+2. **Receive** - Once the device is delivered, cable the device for network and power using the specified cables. (The power cable is included with the device. You'll need to procure the data cables.) Turn on and connect to the device. Configure the device network and mount shares on the host computer to which you want to copy the data.
3. **Copy data** - Copy data from Data Box shares to the on-premises data servers.
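Review bot: The parenthetical added to the export flow's step 2 is word-for-word the one added to the import flow; if both stay, consider a shared include or a single "Cables" note above the two lists so a future change to what ships with the device only has to be made once.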
databox Data Box Quickstart Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-quickstart-portal.md
Previously updated : 03/05/2021 Last updated : 07/22/2021 ms.localizationpriority: high #Customer intent: As an IT admin, I need to quickly deploy Data Box so as to import data into Azure.
Before you begin:
- Review the [safety guidelines for your Data Box](data-box-safety.md). - You have a host computer that has the data that you want to copy over to Data Box. Your host computer must - Run a [Supported operating system](data-box-system-requirements.md).
- - Be connected to high-speed network. We strongly recommend that you have at least one 10 GbE connection. If a 10 GbE connection isn't available, a 1 GbE data link can be used but the copy speeds are impacted.
+ - Be connected to high-speed network. We strongly recommend that you have at least one 10-GbE connection. If a 10-GbE connection isn't available, a 1-GbE data link can be used but the copy speeds are impacted.
- You must have access to a flat surface where you can place the Data Box. If you want to place the device on a standard rack shelf, you need a 7U slot in your datacenter rack. You can place the device flat or upright in the rack. - You have procured the following cables to connect your Data Box to the host computer.
- - Two 10 GbE SFP+ Twinax copper cables (use with DATA 1, DATA 2 network interfaces)
+ - Two 10-GbE SFP+ Twinax copper cables (use with DATA 1, DATA 2 network interfaces)
- One RJ-45 CAT 6 network cable (use with MGMT network interface) - One RJ-45 CAT 6A OR one RJ-45 CAT 6 network cable (use with DATA 3 network interface configured as 10 Gbps or 1 Gbps respectively)
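Review bot: The hyphenation change to `10-GbE` / `1-GbE` is applied consistently in this bullet. In the trailing context line `- One RJ-45 CAT 6A OR one RJ-45 CAT 6 network cable ...`, "OR" should be lower-case for consistency with the rest of the list, and since the list is introduced with "You have procured the following cables", it would help to repeat that the MGMT cable is required even when only a 10-GbE data path is used.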
When you receive the Data Box, do the following steps to cable, connect to and t
2. Before you cable your device, ensure that you have the following cables: - (Included) grounded power cord rated at 10 A or greater with an IEC60320 C-13 connector at one end to connect to the device.
- - One RJ-45 CAT 6 network cable (use with MGMT network interface)
- - Two 10 GbE SFP+ Twinax copper cables (use with 10 Gbps DATA 1, DATA 2 network interfaces)
- - One RJ-45 CAT 6A OR one RJ-45 CAT 6 network cable (use with DATA 3 network interface configured as 10 Gbps or 1 Gbps respectively)
+ - (Not included) One RJ-45 CAT 6 network cable (use with MGMT network interface)
+ - (Not included) Two 10-GbE SFP+ Twinax copper cables (use with 10 Gbps DATA 1, DATA 2 network interfaces)
+ - (Not included) One RJ-45 CAT 6A OR one RJ-45 CAT 6 network cable (use with DATA 3 network interface configured as 10 Gbps or 1 Gbps respectively)
3. Remove and place the device on a flat surface.
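Review bot: The "(Not included)" labels match the overview-table change, but the capitalisation differs from the overview's "(not included)"; pick one form. Step 2's first bullet leads with "(Included) grounded power cord rated at 10 A or greater with an IEC60320 C-13 connector" while the overview row says only "1 X power cable (included)"; aligning the wording makes it clear these are the same item.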
defender-for-iot Tutorial Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/tutorial-servicenow.md
+
+ Title: Integrate ServiceNow with Azure Defender for IoT
+description: In this tutorial, learn how to integrate ServiceNow with Azure Defender for IoT.
+++ Last updated : 07/26/2021+++
+# Tutorial: Integrate ServiceNow with Azure Defender for IoT
+
+This tutorial will help you learn how to integrate, and use ServiceNow with Azure Defender for IoT.
+
+The Defender for IoT integration with ServiceNow provides a new level of centralized visibility, monitoring, and control for the IoT and OT landscape. These bridged platforms enable automated device visibility and threat management to previously unreachable ICS & IoT devices.
+
+The ServiceNow Configuration Management Database (CMDB) is enriched, and supplemented with a rich set of device attributes that are pushed by the Defender for IoT platform. This ensures a comprehensive, and continuous visibility into the device landscape. This visibility lets you monitor, and respond from a single-pane-of-glass.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> * Download the Defender for IoT application in ServiceNow
+> * Set up Defender for IoT to communicate with ServiceNow
+> * Create access tokens in ServiceNow
+> * Send Defender for IoT device attributes to ServiceNow
+> * Set up the integration using a HTTPS proxy
+> * View Defender for IoT detections in ServiceNow
+> * View connected devices
+
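Review bot: Several grammar points in the intro region: "integrate, and use ServiceNow", "enriched, and supplemented", and "monitor, and respond" each have a stray comma before "and"; "a HTTPS proxy" in the checklist should be "an HTTPS proxy" (the later heading "Set up the integrations using a HTTPS proxy" has the same article problem and should be singular "integration" to match the checklist item); and "ICS & IoT devices" should spell out "and".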
+## Prerequisites
+
+### Software Requirements
+
+Access to ServiceNow and Defender for IoT
+
+- ServiceNow Service Management version 3.0.2.
+
+- Defender for IoT patch 2.8.11.1 or above.
+
+> [!Note]
+> If you are already working with a Defender for IoT and ServiceNow integration, and upgrade using the on-premises management console, pervious data received from Defender for IoT sensors should be cleared from ServiceNow.
+
+### Architecture
+
+- **On-premises management console architecture**: Set up an on-premises management console to communicate with one instance of ServiceNow. The on-premises management console pushes sensor data to the Defender for IoT application using REST API.
+
+ To set up your system to work with an on-premises management console, you will need to disable the ServiceNow Sync, Forwarding Rules, and Proxy configurations on any sensors where they were set up.
+
+- **Sensor architecture**: If you want to set up your environment to include direct communication between sensors and ServiceNow, for each sensor define the ServiceNow Sync, Forwarding rules, and proxy configuration (if a proxy is needed).
+
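Review bot: "pervious data" in the note should be "previous data", and the note should say what "cleared from ServiceNow" means operationally (which tables, and whether the sensor-side ServiceNow Sync must be disabled first), because stale device records from the old sensor feed would otherwise coexist with the new on-premises management console feed in the CMDB. In the first architecture bullet, "using REST API" should read "using the REST API".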
+## Download the Defender for IoT application in ServiceNow
+
+To access the Defender for IoT application within ServiceNow, you will need to download the application form the ServiceNow application store.
+
+**To access the Defender for IoT application in ServiceNow**:
+
+1. Navigate to the [ServiceNow application store](https://store.servicenow.com/).
+
+1. Search for `Defender for IoT` or `CyberX IoT/ICS Management`.
+
+ :::image type="content" source="media/tutorial-servicenow/search-results.png" alt-text="Search for CyberX in the search bar.":::
+
+1. Select the application.
+
+ :::image type="content" source="media/tutorial-servicenow/cyberx-app.png" alt-text="Select the application from the list.":::
+
+1. Select **Request App**.
+
+ :::image type="content" source="media/tutorial-servicenow/sign-in.png" alt-text="Sign in to the application with your credentials.":::
+
+1. Sign in, and download the application.
+
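Review bot: "download the application form the ServiceNow application store" should be "from". The search step offers `Defender for IoT` or `CyberX IoT/ICS Management` as alternatives without saying that both names refer to the same application; state that explicitly so readers do not request two apps.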
+## Set up Defender for IoT to communicate with ServiceNow
+
+Configure Defender for IoT to push alert information to the ServiceNow tables. Defender for IoT alerts will appear in ServiceNow as security incidents. This can be done by defining a Defender for IoT forwarding rule to send alert information to ServiceNow.
+
+**To push alert information to the ServiceNow tables**:
+
+1. Sign in to the on-premises management console.
+
+1. Select **Forwarding**, in the left side pane.
+
+1. Select the :::image type="icon" source="media/tutorial-servicenow/plus-icon.png" border="false"::: button.
+
+ :::image type="content" source="media/tutorial-servicenow/forwarding-rule.png" alt-text="Create Forwarding Rule":::
+
+1. Add a rule name.
+
+1. Define criteria under which Defender for IoT will trigger the forwarding rule. Working with Forwarding rule criteria helps pinpoint and manage the volume of information sent from Defender for IoT to ServiceNow. The following options are available:
+
+ - **Severity levels:** This is the minimum-security level incident to forward. For example, if **Minor** is selected, minor alerts, and any alert above this severity level will be forwarded. Levels are pre-defined by Defender for IoT.
+
+ - **Protocols:** Only trigger the forwarding rule if the traffic detected was running over specific protocols. Select the required protocols from the drop-down list or choose them all.
+
+ - **Engines:** Select the required engines or choose them all. Alerts from selected engines will be sent.
+
+1. Verify that **Report Alert Notifications** is selected.
+
+1. In the Actions section, select **Add** and then select **ServiceNow**.
+
+ :::image type="content" source="media/tutorial-servicenow/select-servicenow.png" alt-text="Select ServiceNow from the dropdown options.":::
+
+1. Enter the ServiceNow action parameters:
+
+ :::image type="content" source="media/tutorial-servicenow/parameters.png" alt-text="Fill in the ServiceNow action parameters":::
+
+1. In the **Actions** pane, set the following parameters:
+
+ | Parameter | Description |
+ |--|--|
+ | Domain | Enter the ServiceNow server IP address. |
+ | Username | Enter the ServiceNow server username. |
+ | Password | Enter the ServiceNow server password. |
+ | Client ID | Enter the Client ID you received for Defender for IoT in the **Application Registries** page in ServiceNow. |
+ | Client Secret | Enter the client secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |
+ | Report Type | **Incidents**: Forward a list of alerts that are presented in ServiceNow with an incident ID and short description of each alert.<br /><br />**Defender for IoT Application**: Forward full alert information, including the sensor details, the engine, the source, and destination addresses. The information is forwarded to the Defender for IoT on the ServiceNow application. |
+
+1. Select **SAVE**.
+
+Defender for IoT alerts will now appear as incidents in ServiceNow.
+
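Review bot: The `Domain` row of the parameter table says "Enter the ServiceNow server IP address", which conflicts both with the row name and with the later statement that the two sides communicate over port 443: an HTTPS connection to a bare IP address will not match the server certificate's hostname unless the certificate carries an IP SAN, so the row should ask for the instance's FQDN (the ServiceNow Sync table further down already says "instance URL"). The `Username`/`Password` and `Client ID`/`Client Secret` rows should say which ServiceNow role the account needs and that the client secret is a credential to be stored and rotated like the password. Under Severity levels, "minimum-security level incident" should be "minimum security level of incident to forward", and "pre-defined" needs no hyphen.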
+## Create access tokens in ServiceNow
+
+A token is needed in order to allow ServiceNow to communicate with Defender for IoT.
+
+You will need the `Client ID` and `Client Secret` that you entered when creating the Defender for IoT Forwarding rules. The Forwarding rules forward alert information to ServiceNow, and when configuring Defender for IoT to push device attributes to ServiceNow tables.
+
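Review bot: The section titled "Create access tokens in ServiceNow" contains no steps for creating a token; it only says a token is needed and restates where the Client ID and Client Secret are used. Either add the Application Registries steps (both parameter tables say the values come from the **Application Registries** page) or fold these two sentences into the forwarding-rule section. The second sentence is also a fragment: "The Forwarding rules forward alert information to ServiceNow, and when configuring Defender for IoT to push device attributes to ServiceNow tables" has no main clause for its second half.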
+## Send Defender for IoT device attributes to ServiceNow
+
+Configure Defender for IoT to push an extensive range of device attributes to the ServiceNow tables. To send attributes to ServiceNow, you must map your on-premises management console to a ServiceNow instance. This ensures that the Defender for IoT platform can communicate and authenticate with the instance.
+
+**To add a ServiceNow instance**:
+
+1. Sign in to your Defender for IoT on-premises management console.
+
+1. Select **System Settings**, and then **ServiceNow** from the on-premises management console Integration section.
+
+ :::image type="content" source="media/tutorial-servicenow/servicenow.png" alt-text="Select the ServiceNow button.":::
+
+1. Enter the following sync parameters in the ServiceNow Sync dialog box.
+
+ :::image type="content" source="media/tutorial-servicenow/sync.png" alt-text="The ServiceNow sync dialog box.":::
+
+ Parameter | Description |
+ |--|--|
+ | Enable Sync | Enable and disable the sync after defining parameters. |
+ | Sync Frequency (minutes) | By default, information is pushed to ServiceNow every 60 minutes. The minimum is 5 minutes. |
+ | ServiceNow Instance | Enter the ServiceNow instance URL. |
+ | Client ID | Enter the Client ID you received for Defender for IoT in the **Application Registries** page in ServiceNow. |
+ | Client Secret | Enter the Client Secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |
+ | Username | Enter the username for this instance. |
+ | Password | Enter the password for this instance. |
+
+1. Select **SAVE**.
+
+Verify that the on-premises management console is connected to the ServiceNow instance by reviewing the Last Sync date.
++
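Review bot: The sync-parameters table is missing its leading pipe: `Parameter | Description |` should be `| Parameter | Description |`, otherwise the header row does not render as a table. The stray `++` line after "Verify that the on-premises management console is connected ..." looks like a leftover from editing. The `Enable Sync` description ("Enable and disable the sync after defining parameters") reads as an instruction rather than a description and should be reworded, and the verification sentence should say where the Last Sync date is displayed.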
+## Set up the integrations using a HTTPS proxy
+
+When setting up the Defender for IoT and ServiceNow integration, the on-premises management console and the ServiceNow server communicate using port 443. If the ServiceNow server is behind a proxy, the default port cannot be used.
+
+Defender for IoT supports an HTTPS proxy in the ServiceNow integration by enabling the change of the default port used for integration.
+
+**To configure the proxy**:
+
+1. Edit the global properties on the on-premises management console using the following command:
+
+ ```bash
+ sudo vim /var/cyberx/properties/global.properties
+ ```
+
+2. Add the following parameters:
+
+ - `servicenow.http_proxy.enabled=1`
+
+ - `servicenow.http_proxy.ip=1.179.148.9`
+
+ - `servicenow.http_proxy.port=59125`
+
+3. Select **Save and Exit**.
+
+4. Reset the on-premises management console using the following command:
+
+ ```bash
+ sudo monit restart all
+ ```
+
+After the configurations are set, all the ServiceNow data is forwarded using the configured proxy.
+
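Review bot: The proxy example uses `servicenow.http_proxy.ip=1.179.148.9`, a publicly routable address; documentation samples should use a reserved documentation range such as 192.0.2.0/24 (RFC 5737) so that nobody copies a real host into production. The property names are `servicenow.http_proxy.*` while the heading and text say HTTPS proxy; say explicitly that these keys configure the HTTPS forward proxy despite the `http_proxy` prefix. The explanation "If the ServiceNow server is behind a proxy, the default port cannot be used" is imprecise: the issue is that outbound traffic from the on-premises management console must traverse the proxy, not that port 443 is unavailable. Step 3 "Select **Save and Exit**" does not apply to `vim`; say `:wq`. And step 4 runs `sudo monit restart all`, so "Restart" rather than "Reset" is the accurate verb.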
+## View Defender for IoT detections in ServiceNow
+
+This article describes the device attributes and alert information presented in ServiceNow.
+
+**To view device attributes**:
+
+1. Sign in to ServiceNow.
+
+2. Navigate to **CyberX Platform**.
+
+3. Navigate to **Inventory**, or **Alert**.
+
+ [:::image type="content" source="media/tutorial-servicenow/alert-list.png" alt-text="Inventory or Alert":::](media/tutorial-servicenow/alert-list.png#lightbox)
+
+## View connected devices
+
+To view connected devices:
+
+1. Select a device, and then select the **Appliance** listed in for that device.
+
+ :::image type="content" source="media/tutorial-servicenow/appliance.png" alt-text="Select the desired appliance from the list.":::
+
+1. In the **Device Details** dialog box, select **Connected Devices**.
+
+## Clean up resources
+
+There are no resources to clean up.
+
+## Next steps
+
+In this tutorial, you learned how to get started with the ServiceNow integration. Continue on to learn about our [Cisco integration](integration-cisco-ise-pxgrid.md).
+
+> [!div class="nextstepaction"]
+> [Next steps button](integration-cisco-ise-pxgrid.md)
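Review bot: Under "View Defender for IoT detections in ServiceNow", "This article describes the device attributes and alert information" should be "This section", since it sits inside the tutorial. In "View connected devices" step 1, "select the **Appliance** listed in for that device" has a stray "in". The next-step button text "Next steps button" is placeholder copy and should be replaced with the target title, for example "Cisco integration".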
digital-twins Concepts Twins Graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-twins-graph.md
Here is an example of a relationship formatted as a JSON object:
See how to manage graph elements with Azure Digital Twin APIs: * [Manage digital twins](how-to-manage-twin.md)
-* [Manage the twin graph with relationships](how-to-manage-graph.md)
+* [Manage the twin graph and relationships](how-to-manage-graph.md)
Or, learn about querying the Azure Digital Twins twin graph for information: * [Query language](concepts-query-language.md)
digital-twins How To Manage Graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-graph.md
# Mandatory fields. Title: Manage the twin graph with relationships
+ Title: Manage the twin graph and relationships
description: See how to manage a graph of digital twins by connecting them with relationships.
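Review bot: As rendered here the old front-matter line `Title: Manage the twin graph with relationships` carries no `-` marker, so the file would end up with two `Title:` keys; confirm the old line is removed in the actual commit. The link-text renames in the concepts article and in how-to-manage-twin match the new title, so the three files are consistent with each other.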
digital-twins How To Manage Twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-twin.md
Entities in your environment are represented by [digital twins](concepts-twins-graph.md). Managing your digital twins may include creation, modification, and removal.
-This article focuses on managing digital twins; to work with relationships and the [twin graph](concepts-twins-graph.md) as a whole, see [Manage the twin graph with relationships](how-to-manage-graph.md).
+This article focuses on managing digital twins; to work with relationships and the [twin graph](concepts-twins-graph.md) as a whole, see [Manage the twin graph and relationships](how-to-manage-graph.md).
> [!TIP] > All SDK functions come in synchronous and asynchronous versions.
Here is the console output of the above program:
## Next steps See how to create and manage relationships between your digital twins:
-* [Manage the twin graph with relationships](how-to-manage-graph.md)
+* [Manage the twin graph and relationships](how-to-manage-graph.md)
event-hubs Authenticate Shared Access Signature https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/authenticate-shared-access-signature.md
Title: Authenticate access to Azure Event Hubs with shared access signatures description: This article shows you how to authenticate access to Event Hubs resources using shared access signatures. Previously updated : 06/23/2020 Last updated : 07/26/2021 # Authenticate access to Event Hubs resources using shared access signatures (SAS)
To authenticate back-end applications that consume from the data generated by Ev
See the following articles: - [Authorize using SAS](authenticate-shared-access-signature.md)-- [Authorize using Azure role-based access control (Azure RBAC)](authenticate-shared-access-signature.md)
+- [Authorize using Azure role-based access control (Azure RBAC)](authorize-access-azure-active-directory.md)
- [Learn more about Event Hubs](event-hubs-about.md) See the following related articles:
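Review bot: The retargeted link is the right fix: "Authorize using Azure role-based access control (Azure RBAC)" previously pointed at `authenticate-shared-access-signature.md`, i.e. the SAS article itself, so readers looking for the Azure AD path were sent back to the page they were on. The remaining "Authorize using SAS" bullet still links to `authenticate-shared-access-signature.md`, which is this article; either drop the self-link or make it plain text.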
expressroute Expressroute Locations Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations-providers.md
The following table shows connectivity locations and the service providers for e
| **Dubai** | [PCCS](https://www.pacificcontrols.net/cloudservices/index.html) | 3 | UAE North | n/a | Etisalat UAE | | **Dubai2** | [du datamena](http://datamena.com/solutions/data-centre) | 3 | UAE North | n/a | DE-CIX, du datamena, Equinix, Megaport, Orange, Orixcom | | **Dublin** | [Equinix DB3](https://www.equinix.com/locations/europe-colocation/ireland-colocation/dublin-data-centers/db3/) | 1 | North Europe | 10G, 100G | CenturyLink Cloud Connect, Colt, eir, Equinix, GEANT, euNetworks, Interxion, Megaport |
+| **Dublin2** | [Interxion DUB2](https://www.interxion.com/locations/europe/dublin) | 1 | North Europe | 10G, 100G | |
| **Frankfurt** | [Interxion FRA11](https://www.interxion.com/Locations/frankfurt/) | 1 | Germany West Central | 10G, 100G | AT&T NetBond, British Telecom, CenturyLink Cloud Connect, Colt, DE-CIX, Equinix, euNetworks, GEANT, InterCloud, Interxion, Megaport, Orange, Telia Carrier, T-Systems | | **Frankfurt2** | [Equinix FR7](https://www.equinix.com/locations/europe-colocation/germany-colocation/frankfurt-data-centers/fr7/) | 1 | Germany West Central | 10G, 100G | Deutsche Telekom AG, Equinix | | **Geneva** | [Equinix GV2](https://www.equinix.com/locations/europe-colocation/switzerland-colocation/geneva-data-centers/gv2/) | 1 | Switzerland West | 10G, 100G | Colt, Equinix, Megaport, Swisscom |
The following table shows connectivity locations and the service providers for e
| **Rio de Janeiro** | [Equinix-RJ2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/rio-de-janeiro-data-centers/rj2/) | 3 | Brazil Southeast | 10G | Equinix | | **San Antonio** | [CyrusOne SA1](https://cyrusone.com/locations/texas/san-antonio-texas/) | 1 | South Central US | 10G, 100G | CenturyLink Cloud Connect, Megaport | | **Sao Paulo** | [Equinix SP2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/sao-paulo-data-centers/sp2/) | 3 | Brazil South | 10G, 100G | Aryaka Networks, Ascenty Data Centers, British Telecom, Equinix, Level 3 Communications, Neutrona Networks, Orange, Tata Communications, Telefonica, UOLDIVEO |
+| **Sao Paulo2** | [TIVIT TSM](https://www.tivit.com/en/tivit/) | 3 | Brazil South | 10G, 100G | |
| **Seattle** | [Equinix SE2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/seattle-data-centers/se2/) | 1 | West US 2 | 10G, 100G | Aryaka Networks, Equinix, Level 3 Communications, Megaport, Telus, Zayo | | **Seoul** | [KINX Gasan IDC](https://www.kinx.net/?lang=en) | 2 | Korea Central | 10G, 100G | KINX, KT, LG CNS, LGUplus, Equinix, Sejong Telecom, SK Telecom | | **Silicon Valley** | [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) | 1 | West US | 10G, 100G | Aryaka Networks, AT&T NetBond, British Telecom, CenturyLink Cloud Connect, Colt, Comcast, Coresite, Equinix, InterCloud, Internet2, IX Reach, Packet, PacketFabric, Level 3 Communications, Megaport, Orange, Sprint, Tata Communications, Telia Carrier, Verizon, Zayo |
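Review bot: The new `Dublin2` and `Sao Paulo2` rows leave the ExpressRoute providers column empty, whereas every other row lists at least one provider; if no provider is live at these locations yet, say so explicitly (the table already uses `n/a` in the ExpressRoute Direct column for that purpose) so readers do not take an empty cell for a rendering error.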
healthcare-apis Autoscale Azure Api Fhir https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/autoscale-azure-api-fhir.md
+
+ Title: Autoscale for Azure API for FHIR
+description: This article describes the autoscale feature for Azure API for FHIR.
++++ Last updated : 07/26/2021+++
+# Autoscale for Azure API for FHIR
+
+The Azure API for FHIR as a managed service allows customers to persist with FHIR compliant healthcare data and exchange it securely through the service API. To accommodate different transaction workloads, customers can use manual scale or autoscale.
+
+## What is autoscale?
+
+By default, the Azure API for FHIR is set to manual scale. This option works well when the transaction workloads are known and consistent. Customers can adjust the throughput `RU/s` through the portal up to 10,000 and submit a request to increase the limit.
+
+With autoscale, customers can run various workloads and the throughput `RU/s` are scaled up and down automatically without manual adjustments.
+
+## How to enable autoscale?
+
+To enable the autoscale feature, you can create a one-time support ticket to request it. The Microsoft support team will enable the autoscale feature based on the support priority.
+
+> [!NOTE]
+> The autoscale feature isn't available from the Azure portal.
+
+## How to adjust the maximum throughput RU/s?
+
+When autoscale is enabled, the system calculates and sets the initial `Tmax` value. The scalability is governed by the maximum throughput `RU/s` value, or `Tmax`, and runs between `0.1 *Tmax` (or 10% `Tmax`) and `Tmax RU/s`.
+
+You can increase the max `RU/s` or `Tmax` value and go as high as the service supports. When the service is busy, the throughput `RU/s` are scaled up to the `Tmax` value. When the service is idle, the throughput `RU/s` are scaled down to 10% `Tmax` value.
+
+You can also decrease the max `RU/s` or `Tmax` value. When you lower the max `RU/s`, the minimum value you can set it to is: `MAX (4000, highest max RU/s ever provisioned / 10, current storage in GB * 400)`, rounded to the nearest 1000 `RU/s`.
+
+* **Example 1**: You have 1-GB data and the highest provisioned `RU/s` is 10,000. The minimum value is Max (**4000**, 10,000/10, 1x400) = 4000. The first number, **4000**, is used.
+* **Example 2**: You have 20-GB data and the highest provisioned `RU/s` is 100,000. The minimum value is Max (4000, **100,000/10**, 20x400) = 10,000. The second number, **100,000/10 =10,000**, is used.
+* **Example 3**: You have 80-GB data and the highest provisioned RU/s is 300,000. The minimum value is Max (4000, 300,000/10, **80x400**) = 32,000. The third number, **80x400=32,000**, is used.
+
+You can adjust the max `RU/s` or `Tmax` value through the portal if it is a valid number, and it is no greater than 10,000 `RU/s`. You can create a support ticket to request `Tmax` value larger than 10,000.
+
+## What is the cost impact of autoscale?
+
+The autoscale feature incurs costs because of managing the provisioned throughput units automatically. This cost increase doesn't apply to storage and runtime costs. For information about pricing, see [Azure API for FHIR pricing](https://azure.microsoft.com/pricing/details/azure-api-for-fhir/).
+
+>[!div class="nextstepaction"]
+>[About Azure API for FHIR](overview.md)
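Review bot: The minimum-`Tmax` rule `MAX (4000, highest max RU/s ever provisioned / 10, current storage in GB * 400)` has a cost consequence worth stating plainly: because the middle term uses the highest value ever provisioned, a temporary raise of `Tmax` permanently raises the floor you can scale back down to (Example 2 yields a 10,000 floor from a past 100,000 setting even if the current workload needs less). The three worked examples check out against the formula. Minor formatting: `0.1 *Tmax` should be `0.1 * Tmax`, the "x" in "1x400" and "20x400" should match the `*` used in the formula, and the "How to enable autoscale?" and "How to adjust the maximum throughput RU/s?" headings read better without the question mark.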
iot-develop Quickstart Send Telemetry Central https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-send-telemetry-central.md
zone_pivot_groups: iot-develop-set1
**Applies to**: [Device application developers](about-iot-develop.md#device-application-development)
-In this quickstart, you learn a basic Azure IoT application development workflow. First you create an Azure IoT Central application for hosting devices. Then you use an Azure IoT device SDK sample to run a simulated temperature controller, connect it securely to IoT Central, and send telemetry.
- :::zone pivot="programming-language-ansi-c" [!INCLUDE [iot-develop-send-telemetry-central-c](../../includes/iot-develop-send-telemetry-central-c.md)]
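Review bot: The hunk removes the quickstart's introductory paragraph ("In this quickstart, you learn a basic Azure IoT application development workflow ...") and the visible lines add nothing in its place; if the text moved into the per-language include (`iot-develop-send-telemetry-central-c.md` is the only one shown), confirm that every pivot's include carries it, otherwise the page opens directly on the zone pivot with no statement of what the reader will build.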
iot-develop Quickstart Send Telemetry Iot Hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-send-telemetry-iot-hub.md
zone_pivot_groups: iot-develop-set1
**Applies to**: [Device application developers](about-iot-develop.md#device-application-development)
-In this quickstart, you learn a basic Azure IoT application development workflow. You use the Azure CLI to create an Azure IoT hub and a device. Then you use an Azure IoT device SDK sample to run a simulated temperature controller, connect it securely to the hub, and send telemetry.
- :::zone pivot="programming-language-ansi-c" [!INCLUDE [iot-develop-send-telemetry-iot-hub-c](../../includes/iot-develop-send-telemetry-iot-hub-c.md)]
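Review bot: Same concern as the IoT Central quickstart: the intro paragraph ("You use the Azure CLI to create an Azure IoT hub and a device ...") is removed with no visible replacement; confirm each language include under `iot-develop-send-telemetry-iot-hub-*.md` now states that the CLI is used to create the hub and device, since that is the one step the reader performs outside the SDK sample.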
iot-dps How To Send Additional Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-dps/how-to-send-additional-data.md
Title: How to transfer a payload between device and Azure Device Provisioning Service description: This document describes how to transfer a payload between device and Device Provisioning Service (DPS)--++ Last updated 02/11/2020
iot-dps Iot Dps Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-dps/iot-dps-customer-managed-keys.md
Title: Azure Device Provisioning Service data encryption at rest via customer-managed keys| Microsoft Docs description: Encryption of data at rest with customer-managed keys for Device Provisioning Service-+ Last updated 02/24/2020-+ # Encryption of data at rest with customer-managed keys for Device Provisioning Service
iot-hub Iot Hub C C Module Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-c-c-module-twin-getstarted.md
Title: Get started with Azure IoT Hub module identity & module twin (C) description: Learn how to create module identity and update module twin using IoT SDKs for C.-+ ms.devlang: c Last updated 06/25/2018-+
iot-hub Iot Hub Csharp Csharp Module Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-csharp-csharp-module-twin-getstarted.md
Title: Get started w/ Azure IoT Hub module identity & module twin (.NET) description: Learn how to create module identity and update module twin using IoT SDKs for .NET.-+ ms.devlang: csharp Last updated 08/07/2019-+
iot-hub Iot Hub Device Management Iot Extension Azure Cli 2 0 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-device-management-iot-extension-azure-cli-2-0.md
Title: Azure IoT device management with IoT extension for Azure CLI | Microsoft Docs description: Use the IoT extension for Azure CLI tool for Azure IoT Hub device management, featuring the Direct methods and the TwinΓÇÖs desired properties management options.-+ keywords: azure iot device management, azure iot hub device management, device management iot, iot hub device management Last updated 01/16/2018-+ # Use the IoT extension for Azure CLI for Azure IoT Hub device management
iot-hub Iot Hub Python Python Module Twin Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-python-python-module-twin-getstarted.md
Title: Azure IoT Hub module identity and module twin (Python) description: Learn how to create module identity and update module twin using IoT SDKs for Python.-+ ms.devlang: python Last updated 04/03/2020-+
iot-hub Iot Hub Python Python Schedule Jobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-python-python-schedule-jobs.md
In this section, you create a Python console app that responds to a direct metho
3. Add the following `import` statements and variables at the start of the **simDevice.py** file. Replace `deviceConnectionString` with the connection string of the device you created above: ```python
- import threading
- import time
from azure.iot.device import IoTHubDeviceClient, MethodResponse CONNECTION_STRING = "{deviceConnectionString}"
+ client = IoTHubDeviceClient.create_from_connection_string(CONNECTION_STRING)
```
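Review bot: Moving `client = IoTHubDeviceClient.create_from_connection_string(CONNECTION_STRING)` to module level means the client is created on import and is used as a module global by the handlers in later steps; that is acceptable for a sample, but step 3's text should say so, since the removed version created the client inside `iothub_jobs_sample_run()`. Dropping `import threading` and `import time` is correct for the handler model only if nothing in the remaining `main` routine still calls `time.sleep`; the hunk is cut off before the end of that routine, so verify.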
-4. Add the following function callback to handle the **lockDoor** method:
+4. Define the following handler function that will be used to respond to the **lockDoor** method:
```python
- def lockdoor_listener(client):
- while True:
- # Receive the direct method request
- method_request = client.receive_method_request("lockDoor") # blocking call
- print( "Locking Door!" )
+ def method_request_handler(method_request):
+ if method_request.name == "lockDoor":
+ print("Locking Door!")
resp_status = 200 resp_payload = {"Response": "lockDoor called successfully"}
- method_response = MethodResponse(method_request.request_id, resp_status, resp_payload)
+ method_response = MethodResponse.create_from_method_request(
+ method_request=method_request,
+ status=resp_status,
+ payload=resp_payload
+ )
client.send_method_response(method_response) ```
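Review bot: `method_request_handler` only builds and sends a `MethodResponse` when `method_request.name == "lockDoor"`; any other direct method name gets no response at all, so the invoking side waits until its own response timeout. Suggest an `else` branch that sends a response with a non-success status and a short payload (for example status 404 and `{"Response": "Unknown method"}`) so unsupported methods fail fast. Because indentation is flattened in this hunk, it is also worth confirming that `client.send_method_response(method_response)` sits inside the `if` block; placed outside it, `method_response` would be unbound for every other method name.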
-5. Add another function callback to handle device twins updates:
+5. Add another handler function for receiving device twins updates:
```python
- def twin_update_listener(client):
- while True:
- patch = client.receive_twin_desired_properties_patch() # blocking call
- print ("")
- print ("Twin desired properties patch received:")
- print (patch)
+ def twin_patch_handler(twin_patch):
+ print("")
+ print("Twin desired properties patch received:")
+ print(twin_patch)
```
-6. Add the following code to register the handler for the **lockDoor** method. Also include the `main` routine:
+6. Add the following code to register the handlers for the **lockDoor** method as well as twin patches. Also include the `main` routine:
```python def iothub_jobs_sample_run():
+ print("Beginning to listen for 'lockDoor' direct method invocations...")
+ client.on_method_request_received = method_request_handler
+ print("Beginning to listen for updates to the Twin desired properties...")
+ client.on_twin_desired_properties_patch_received = twin_patch_handler
+
+ client.connect()
+ try:
- client = IoTHubDeviceClient.create_from_connection_string(CONNECTION_STRING)
-
- print( "Beginning to listen for 'lockDoor' direct method invocations...")
- lockdoor_listener_thread = threading.Thread(target=lockdoor_listener, args=(client,))
- lockdoor_listener_thread.daemon = True
- lockdoor_listener_thread.start()
-
- # Begin listening for updates to the Twin desired properties
- print ( "Beginning to listen for updates to Twin desired properties...")
- twin_update_listener_thread = threading.Thread(target=twin_update_listener, args=(client,))
- twin_update_listener_thread.daemon = True
- twin_update_listener_thread.start()
-
while True:
- time.sleep(1000)
-
+ import time
+ time.sleep(100)
except KeyboardInterrupt:
- print ( "IoTHubDeviceClient sample stopped" )
+ print("IoTHubDeviceClient sample stopped!")
+ client.shutdown()
if __name__ == '__main__': print ( "Starting the IoT Hub Python jobs sample..." )
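Review bot: `+ import time` lands inside the `while True:` loop body right before `time.sleep(100)`, after the top-level `import time` was removed in step 3; move it back to the imports at the top of simDevice.py. `client.shutdown()` is reached only from the `except KeyboardInterrupt:` branch, so any other exception raised while waiting leaves the client connected; wrapping the loop in `try: ... finally: client.shutdown()` releases the connection on every exit path. Setting `client.on_method_request_received` and `client.on_twin_desired_properties_patch_received` before `client.connect()` is the right order, so no change is needed there.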
logic-apps Logic Apps Enterprise Integration Liquid Transform https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/logic-apps-enterprise-integration-liquid-transform.md
Title: Convert JSON and XML with Liquid templates
-description: Transform JSON and XML by using Liquid templates as maps in Azure Logic Apps
+description: Transform JSON and XML by using Liquid templates as maps in Azure Logic Apps.
ms.suite: integration Previously updated : 07/31/2020 Last updated : 07/25/2021 # Customer intent: As a developer, I want to convert JSON and XML by using Liquid templates as maps in Azure Logic Apps
This article shows you how to complete these tasks:
## Test your logic app
-By using [Postman](https://www.getpostman.com/postman) or a similar tool, post JSON input to your logic app. The transformed JSON output from your logic app looks like this example:
+1. By using [Postman](https://www.getpostman.com/postman) or a similar tool and the `POST` method, send a call to the Request trigger's URL and include the JSON input to transform, for example:
-![Example output](./media/logic-apps-enterprise-integration-liquid-transform/example-output-jsontojson.png)
+ ```json
+ {
+ "devices": "Surface, Windows Phone, Desktop computer, Monitors",
+ "firstName": "Dean",
+ "lastName": "Ledet",
+ "phone": "(111)5551111"
+ }
+ ```
+
+1. After your workflow finishes running, go to the workflow's run history, and examine the **Transform JSON to JSON** action's inputs and outputs, for example:
+
+ ![Example output](./media/logic-apps-enterprise-integration-liquid-transform/example-output-jsontojson.png)
<a name="template-considerations"></a>
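Review bot: the new step 1 tells the reader to send a `POST` to the Request trigger's URL but not where that URL comes from (the trigger's HTTP POST URL in the designer) nor that the body must be sent as JSON (`Content-Type: application/json`); without both, the sample JSON shown here will not reach the **Transform JSON to JSON** action as expected. Suggest adding one sentence on where to copy the URL and the header to set.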
machine-learning Concept Automated Ml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-automated-ml.md
With Azure Machine Learning, you can use automated ML to build a Python model an
See how to convert to ONNX format [in this Jupyter notebook example](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/automated-machine-learning/classification-bank-marketing-all-features/auto-ml-classification-bank-marketing-all-features.ipynb). Learn which [algorithms are supported in ONNX](how-to-configure-auto-train.md#select-your-experiment-type).
-The ONNX runtime also supports C#, so you can use the model built automatically in your C# apps without any need for recoding or any of the network latencies that REST endpoints introduce. Learn more about [using an AutoML ONNX model in a .NET application with ML.NET](./how-to-use-automl-onnx-model-dotnet.md) and [inferencing ONNX models with the ONNX runtime C# API](https://github.com/plaidml/onnxruntime/blob/plaidml/docs/CSharp_API.md).
+The ONNX runtime also supports C#, so you can use the model built automatically in your C# apps without any need for recoding or any of the network latencies that REST endpoints introduce. Learn more about [using an AutoML ONNX model in a .NET application with ML.NET](./how-to-use-automl-onnx-model-dotnet.md) and [inferencing ONNX models with the ONNX runtime C# API](https://www.onnxruntime.ai/docs/reference/api/csharp-api.html).
## Next steps
machine-learning How To Enable Studio Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-enable-studio-virtual-network.md
Use the following steps to enable access to data stored in Azure Blob and File s
> [!TIP] > The first step is not required for the default storage account for the workspace. All other steps are required for *any* storage account behind the VNet and used by the workspace, including the default storage account.
-1. **If the storage account is the *default* storage for your workspace, skip this step**. If it is not the default, **Grant the workspace managed identity the 'Blob Data Reader' role** for the Azure storage account so that it can read data from blob storage.
+1. **If the storage account is the *default* storage for your workspace, skip this step**. If it is not the default, **Grant the workspace managed identity the 'Storage Blob Data Reader' role** for the Azure storage account so that it can read data from blob storage.
For more information, see the [Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader) built-in role.
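Review bot: the role name is corrected to 'Storage Blob Data Reader' in the step, but the unchanged sentence that follows still reads "see the [Blob Data Reader](...#storage-blob-data-reader) built-in role"; update the link text to the same name so the two lines agree and readers search for the right role in the portal.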
machine-learning How To Prebuilt Docker Images Inference Python Extensibility https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-prebuilt-docker-images-inference-python-extensibility.md
The [prebuilt Docker images for model inference](concept-prebuilt-docker-images-
* [Pre-installed python packages](#preinstalled): You provide a directory containing preinstalled Python packages. During deployment, this directory is mounted into the container for your entry script (`score.py`) to use.
- Use this approach __for production deployments__. Since the directory containing the packages is mounted to the image, it can be used even when your deployments don't have public internet access. We For example, when deployed into a secured Azure Virtual Network.
+ Use this approach __for production deployments__. Since the directory containing the packages is mounted to the image, it can be used even when your deployments don't have public internet access. For example, when deployed into a secured Azure Virtual Network.
> [!IMPORTANT] > Using prebuilt docker images with Azure Machine Learning is currently in preview. Preview functionality is provided "as-is", with no guarantee of support or service level agreement. For more information, see the [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Here are some things that may cause this problem:
* For more information on how to load a registered or local model, see [Where and how to deploy](how-to-deploy-and-where.md?tabs=azcli#define-a-dummy-entry-script).
+## Bug Fixes
+
+### 2021-07-26
+
+* `AZUREML_EXTRA_REQUIREMENTS_TXT` and `AZUREML_EXTRA_PYTHON_LIB_PATH` are now always relative to the directory of the score script.
+For example, if the both the requirements.txt and score script is in **my_folder**, then `AZUREML_EXTRA_REQUIREMENTS_TXT` will need to be set to requirements.txt. No longer will `AZUREML_EXTRA_REQUIREMENTS_TXT` be set to **my_folder/requirements.txt**.
+ ## Next steps To learn more about deploying a model, see [How to deploy a model](how-to-deploy-and-where.md).
-To learn how to troubleshoot prebuilt docker image deployments, see [how to troubleshoot prebuilt Docker image deployments](how-to-troubleshoot-prebuilt-docker-image-inference.md).
+To learn how to troubleshoot prebuilt docker image deployments, see [how to troubleshoot prebuilt Docker image deployments](how-to-troubleshoot-prebuilt-docker-image-inference.md).
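Review bot: the new bug-fix entry has grammar slips: "if the both the requirements.txt and score script is in **my_folder**" should read "if both requirements.txt and the score script are in **my_folder**", and the two path forms are formatted inconsistently (plain requirements.txt versus bold **my_folder/requirements.txt**); code spans for both would be clearer. The example covers only `AZUREML_EXTRA_REQUIREMENTS_TXT` although the entry says `AZUREML_EXTRA_PYTHON_LIB_PATH` changed in the same way, so a parallel example for the library path would help. The trailing `-`/`+` pair for the troubleshooting sentence is identical in visible text, so it appears to be a whitespace-only change.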
marketplace Azure Vm Create Plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-plans.md
Previously updated : 07/05/2021 Last updated : 07/26/2021 # Create plans for a virtual machine offer
Add open public or private ports on a deployed virtual machine.
### Properties
-Select if your VM **Supports Accelerated Networking**. For details, see [Accelerated Networking](https://go.microsoft.com/fwlink/?linkid=2124513).
+Here is a list of properties that can be selected for your VM.
+
+- **Supports backup**: Enable this property if your images support Azure VM backup. Learn more about [Azure VM backup](https://go.microsoft.com/fwlink/?linkid=2155616).
+
+- **Supports accelerated networking**: Enable this property if the VM images for this plan support single root I/O virtualization (SR-IOV) to a VM, enabling low latency and high throughput on the network interface. Learn more about [accelerated networking](https://go.microsoft.com/fwlink/?linkid=2124513).
+
+- **Supports cloud-init configuration**: Enable this property if the images in this plan support cloud-init post deployment scripts. Learn more about [cloud-init configuration](https://go.microsoft.com/fwlink/?linkid=2128218).
+
+- **Supports hotpatch**: Windows Server Azure Editions supports Hot Patch. Learn more about [Hot Patch](https://go.microsoft.com/fwlink/?linkid=2155371).
+
+- **Supports extensions**: Enable this property if the images in this plan support extensions. Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Learn more about [Azure virtual machine extensions](https://go.microsoft.com/fwlink/?linkid=2155372).
+
+- **Is a network virtual appliance**: Enable this property if this product is a Network Virtual Appliance. A network virtual appliance is a product that performs one or more network functions, such as a Load Balancer, VPN Gateway, Firewall or Application Gateway. Learn more about [network virtual appliances](https://go.microsoft.com/fwlink/?linkid=2155373).
+
+- **Remote desktop or SSH disabled**: Enable this property if virtual Machines deployed with these images do not allow customers to access it using Remote Desktop or SSH. Learn more about [locked VM images](https://go.microsoft.com/fwlink/?linkid=2155374).
+
+- **Requires custom ARM template for deployment**: Enable this property if the images in this plan can only be deployed using a custom ARM template. To learn more see the [Custom templates section of Troubleshoot virtual machine certification](https://go.microsoft.com/fwlink/?linkid=2155274).
### Generations
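Review bot: the **Supports hotpatch** item breaks the pattern of the other bullets: it states a fact ("Windows Server Azure Editions supports Hot Patch") rather than telling the publisher when to enable the property; suggest "Enable this property if the images in this plan are Windows Server Azure Edition images that support hotpatching." Minor: "virtual Machines" under **Remote desktop or SSH disabled** should be lowercase, "access it" should be "access them", and "To learn more see" needs a comma after "more".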
media-services Analyze Videos Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/analyze-videos-tutorial.md
Previously updated : 05/25/2021 Last updated : 07/23/2021
As an important reminder, you must comply with all applicable laws in your use o
## Prerequisites -- If you don't have Visual Studio installed, get [Visual Studio Community 2019](https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15).-- [Create a Media Services account](./account-create-how-to.md).<br/>Make sure to remember the values that you used for the resource group name and Media Services account name.-- Follow the steps in [Access Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You'll need to use them to access the API.
+- Install [Visual Studio Code for Windows/macOS/Linux](https://code.visualstudio.com/) or [Visual Studio 2019 for Windows or Mac](https://visualstudio.microsoft.com/).
+- Install [.NET 5.0 SDK](https://dotnet.microsoft.com/download)
+- [Create a Media Services account](./account-create-how-to.md). Be sure to copy the **API Access** details in JSON format or store the values needed to connect to the Media Services account in the *.env* file format used in this sample.
+- Follow the steps in [Access the Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You'll need to use them to access the API in this sample, or enter them into the *.env* file format.
## Download and configure the sample
Clone a GitHub repository that contains the .NET sample to your machine using th
The sample is located in the [AnalyzeVideos](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/tree/main/AMSV3Tutorials/AnalyzeVideos) folder.
-Open [appsettings.json](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/main/AMSV3Tutorials/AnalyzeVideos/appsettings.json) in your downloaded project. Replace the values with the credentials you got from [accessing APIs](./access-api-howto.md).
## Examine the code that analyzes the specified video
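Review bot: deleting the "Open appsettings.json ... Replace the values" step removes the only instruction in this section that tells the reader where to put the credentials in the downloaded project; the new prerequisites mention both the **API Access** JSON and the *.env* format, so a replacement sentence naming the file to edit in the AnalyzeVideos folder (appsettings.json or .env) would close the gap. Also the "Install .NET 5.0 SDK" bullet is missing its terminal period.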
media-services Drm Protect With Aes128 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/drm-protect-with-aes128-tutorial.md
The following are required to complete the tutorial.
* Install Visual Studio Code or Visual Studio. * [Create a Media Services account](./account-create-how-to.md). * Get credentials needed to use Media Services APIs by following [Access APIs](./access-api-howto.md).
+* Set the appropriate values in the app configuration file (appsettings.json or .env file).
-## Download code
+## Download and configure the sample
Clone a GitHub repository that contains the full .NET sample discussed in this article to your machine using the following command:
Clone a GitHub repository that contains the full .NET sample discussed in this a
The "Encrypt with AES-128" sample is located in the [EncryptWithAES](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/main/AMSV3Tutorials/EncryptWithAES) folder. + > [!NOTE] > The sample creates unique resources every time you run the app. Typically, you'll reuse existing resources like transforms and policies (if existing resource have required configurations).
media-services Drm Protect With Drm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/drm-protect-with-drm-tutorial.md
The following items are required to complete the tutorial:
* Install Visual Studio Code or Visual Studio. * Create a new Azure Media Services account, as described in [this quickstart](./account-create-how-to.md). * Get credentials needed to use Media Services APIs by following [Access APIs](./access-api-howto.md)
-* Set the appropriate values in the app configuration file (appsettings.json).
+* Set the appropriate values in the app configuration file (appsettings.json or .env file).
-## Download code
+## Download the code and configure the sample
Clone a GitHub repository that contains the full .NET sample discussed in this article to your machine using the following command:
Clone a GitHub repository that contains the full .NET sample discussed in this a
The "Encrypt with DRM" sample is located in the [EncryptWithDRM](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/main/AMSV3Tutorials/EncryptWithDRM) folder. + > [!NOTE] > The sample creates unique resources every time you run the app. Typically, you'll reuse existing resources like transforms and policies (if existing resource have required configurations).
media-services Migrate V 2 V 3 Migration Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/migrate-v-2-v-3-migration-introduction.md
The Media Services migration guide helps you migrate from Media Services V2 APIs to V3 APIs based on a migration that takes advantage of the new features and functions that are now available. You should use your best judgment and determine what best fits your scenario. + ## How to use this guide ### Navigating
media-services Stream Files Dotnet Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/stream-files-dotnet-quickstart.md
Previously updated : 08/31/2020 Last updated : 07/23/2021 #Customer intent: As a developer, I want to create a Media Services account so that I can store, encrypt, encode, manage, and stream media content in Azure.
By the end of the tutorial you will be able to stream a video.
## Prerequisites -- If you do not have Visual Studio installed, you can get [Visual Studio Community 2017](https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15).-- [Create a Media Services account](./account-create-how-to.md).<br/>Make sure to remember the values that you used for the resource group name and Media Services account name.-- Follow the steps in [Access Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You will need to use them to access the API.
+- Install [Visual Studio Code for Windows/macOS/Linux](https://code.visualstudio.com/) or [Visual Studio 2019 for Windows or Mac](https://visualstudio.microsoft.com/).
+- Install [.NET 5.0 SDK](https://dotnet.microsoft.com/download)
+- [Create a Media Services account](./account-create-how-to.md). Be sure to copy the **API Access** details in JSON format or store the values needed to connect to the Media Services account in the *.env* file format used in this sample.
+- Follow the steps in [Access the Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You'll need to use them to access the API in this sample, or enter them into the *.env* file format.
## Download and configure the sample
Clone a GitHub repository that contains the streaming .NET sample to your machin
The sample is located in the [EncodeAndStreamFiles](https://github.com/Azure-Samples/media-services-v3-dotnet-quickstarts/tree/master/AMSV3Quickstarts/EncodeAndStreamFiles) folder.
-Open [appsettings.json](https://github.com/Azure-Samples/media-services-v3-dotnet-quickstarts/blob/master/AMSV3Quickstarts/EncodeAndStreamFiles/appsettings.json) in your downloaded project. Replace the values with credentials that you got from [accessing APIs](./access-api-howto.md).
The sample performs the following actions:
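Review bot: with the "Open appsettings.json ... Replace the values" line removed, nothing under "Download and configure the sample" says which file in EncodeAndStreamFiles to edit with the credentials; add a sentence naming the configuration file (appsettings.json or .env) and pointing at the **API Access** values from the prerequisites. The "Install .NET 5.0 SDK" bullet also lacks its terminal period.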
media-services Stream Files Tutorial With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/stream-files-tutorial-with-api.md
Previously updated : 05/25/2021 Last updated : 07/23/2021
This tutorial shows you how to:
## Prerequisites -- If you don't have Visual Studio installed, you can get [Visual Studio Community 2019](https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15).-- [Create a Media Services account](./account-create-how-to.md).<br/>Make sure to remember the values that you used for the resource group name and Media Services account name.-- Follow the steps in [Access Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You'll need to use them to access the API.
+- Install [Visual Studio Code for Windows/macOS/Linux](https://code.visualstudio.com/) or [Visual Studio 2019 for Windows or Mac](https://visualstudio.microsoft.com/).
+- Install [.NET 5.0 SDK](https://dotnet.microsoft.com/download)
+- [Create a Media Services account](./account-create-how-to.md). Be sure to copy the **API Access** details in JSON format or store the values needed to connect to the Media Services account in the *.env* file format used in this sample.
+- Follow the steps in [Access the Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You'll need to use them to access the API in this sample, or enter them into the *.env* file format.
-## Download and set up the sample
+## Download and configure the sample
Clone a GitHub repository that has the streaming .NET sample to your machine using the following command:
Clone a GitHub repository that has the streaming .NET sample to your machine usi
The sample is located in the [UploadEncodeAndStreamFiles](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/tree/main/AMSV3Tutorials/UploadEncodeAndStreamFiles) folder.
-Open [appsettings.json](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/main/AMSV3Tutorials/UploadEncodeAndStreamFiles/appsettings.json) in your downloaded project. Replace the values with credentials that you got from [accessing APIs](./access-api-howto.md).
## Examine the code that uploads, encodes, and streams
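Review bot: the heading now promises "Download and configure the sample", but the only configuration step (opening appsettings.json and replacing the values) is deleted in the same change; either keep that line, updated to mention the .env alternative, or add an equivalent sentence naming the file to edit in UploadEncodeAndStreamFiles. Missing period after "Install .NET 5.0 SDK" as well.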
media-services Media Rest Apis With Postman https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-rest-apis-with-postman.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This tutorial shows you how to configure **Postman** so it can be used to call Azure Media Services (AMS) REST APIs. The tutorial shows how to import environment and collection files into **Postman**. The collection contains grouped definitions of HTTP requests that call Azure Media Services (AMS) REST APIs. The environment file contains variables that are used by the collection.
media-services Media Services Check Job Progress https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-check-job-progress.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
When you run jobs, you often require a way to track job progress. You can check the progress by defining a StateChanged event handler (as described in this topic) or using Azure Queue storage to monitor Media Services job notifications (as described in [this](media-services-dotnet-check-job-progress-with-queues.md) topic).
media-services Media Services Cli Create And Configure Aad App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-cli-create-and-configure-aad-app.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This topic shows you how to use the Azure CLI to create an Azure Active Directory (Azure AD) application and service principal to access Azure Media Services resources.
media-services Media Services Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-concepts.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This topic gives an overview of the most important Media Services concepts.
media-services Media Services Content Protection Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-content-protection-overview.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
You can use Azure Media Services to secure your media from the time it leaves your computer through storage, processing, and delivery. With Media Services, you can deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or any of the three major digital rights management (DRM) systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay. Media Services also provides a service for delivering AES keys and DRM (PlayReady, Widevine, and FairPlay) licenses to authorized clients.
media-services Media Services Copying Existing Blob https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-copying-existing-blob.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This article shows how to copy blobs from a storage account into a new Azure Media Services (AMS) asset using [Azure Media Services .NET SDK Extensions](https://github.com/Azure/azure-sdk-for-media-services-extensions/).
media-services Media Services Deliver Keys And Licenses https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-deliver-keys-and-licenses.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Azure Media Services enables you to ingest, encode, add content protection, and stream your content. For more information, see [Use PlayReady and/or Widevine dynamic common encryption](media-services-protect-with-playready-widevine.md). Some customers want to use Media Services only to deliver licenses and/or keys and encode, encrypt, and stream by using their on-premises servers. This article describes how you can use Media Services to deliver PlayReady and/or Widevine licenses but do the rest with your on-premises servers.
media-services Media Services Dotnet Check Job Progress With Queues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-check-job-progress-with-queues.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
When you run encoding jobs, you often require a way to track job progress. You can configure Media Services to deliver notifications to [Azure Queue storage](../../storage/queues/storage-dotnet-how-to-use-queues.md). You can monitor job progress by getting notifications from the Queue storage.
media-services Media Services Dotnet Check Job Progress With Webhooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-check-job-progress-with-webhooks.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
When you run jobs, you often require a way to track job progress. You can monitor Media Services job notifications by using Azure Webhooks or [Azure Queue storage](media-services-dotnet-check-job-progress-with-queues.md). This article shows how to work with webhooks.
media-services Media Services Dotnet Get Started With Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-get-started-with-aad.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Starting with windowsazure.mediaservices 4.0.0.4, Azure Media Services supports authentication based on Azure Active Directory (Azure AD). This topic shows you how to use Azure AD authentication to access Azure Media Services API with Microsoft .NET.
media-services Media Services Dotnet How To Use https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-how-to-use.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This article discusses how to start developing Media Services applications using .NET.
media-services Media Services Dotnet Live Encode With Onpremises Encoders https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-live-encode-with-onpremises-encoders.md
> >
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This tutorial walks you through the steps of using the Azure Media Services .NET SDK to create a **Channel** that is configured for a pass-through delivery.
media-services Media Services Dotnet Manage Entities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-manage-entities.md
> >
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This topic shows how to manage Azure Media Services entities with .NET.
media-services Media Services Dotnet Upload Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dotnet-upload-files.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
In Media Services, you upload (or ingest) your digital files into an asset. The **Asset** entity can contain video, audio, images, thumbnail collections, text tracks and closed caption files (and the metadata about these files.) Once the files are uploaded, your content is stored securely in the cloud for further processing and streaming.
media-services Media Services Dynamic Packaging Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-dynamic-packaging-overview.md
> * [Version 3](../latest/encode-dynamic-packaging-concept.md) > * [Version 2](media-services-dynamic-packaging-overview.md)
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Microsoft Azure Media Services can be used to deliver many media source file formats, media streaming formats, and content protection formats to a variety of client technologies (for example, iOS, XBOX, Silverlight, Windows 8). These clients understand different protocols, for example iOS requires an HTTP Live Streaming (HLS) V4 format and Silverlight and Xbox require Smooth Streaming. If you have a set of adaptive bitrate (multi-bitrate) MP4 (ISO Base Media 14496-12) files or a set of adaptive bitrate Smooth Streaming files that you want to serve to clients that understand MPEG DASH, HLS or Smooth Streaming, you should take advantage of Media Services dynamic packaging.
media-services Media Services Encode Asset https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-encode-asset.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Azure Media Services provides multiple options for the encoding of media in the cloud.
media-services Media Services Java How To Use https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-java-how-to-use.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This tutorial walks you through the steps of implementing a basic video content delivery service with Azure Media Services using the Java client SDK.
media-services Media Services Manage Channels Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-manage-channels-overview.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
## Overview
media-services Media Services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-overview.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!div class="op_single_selector" title1="Select the version of Media Services that you are using:"]
-> * [Version 3](../latest/media-services-overview.md)
-> * [Version 2](media-services-overview.md)
-
-> [!NOTE]
-> No new features are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Microsoft Azure Media Services (AMS) is an extensible cloud-based platform that enables developers to build scalable media management and delivery applications. Media Services is based on REST APIs that enable you to securely upload, store, encode, and package video or audio content for both on-demand and live streaming delivery to various clients (for example, TV, PC, and mobile devices).
media-services Media Services Portal Check Job Progress https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-portal-check-job-progress.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
## Overview
media-services Media Services Portal Create Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-portal-create-account.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
The Azure portal provides a way to quickly create an Azure Media Services (AMS) account. You can use your account to access Media Services that enable you to store, encrypt, encode, manage, and stream media content in Azure. At the time you create a Media Services account, you also create an associated storage account (or use an existing one). If you delete a Media Services account, the blobs in your related storage account are not deleted.
media-services Media Services Portal Creating Live Encoder Enabled Channel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-portal-creating-live-encoder-enabled-channel.md
> * [REST API](/rest/api/media/operations/channel) >
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This tutorial walks you through the steps of creating a **Channel** that receives a single-bitrate live stream and encodes it to a multi-bitrate stream.
media-services Media Services Portal Get Started With Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-portal-get-started-with-aad.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Learn how to use the Azure portal to set up Azure Active Directory (Azure AD) authentication for access to the Azure Media Services API.
media-services Media Services Portal Live Passthrough Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-portal-live-passthrough-get-started.md
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This tutorial walks you through the steps of using the Azure portal to create a **Channel** that is configured for a pass-through delivery.
media-services Media Services Portal Vod Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-portal-vod-get-started.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This tutorial walks you through the steps of implementing a basic video-on-demand content delivery service with an Azure Media Services application in the Azure portal.
media-services Media Services Powershell Create And Configure Aad App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-powershell-create-and-configure-aad-app.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Learn how to use a PowerShell script to create an Azure Active Directory (Azure AD) application and service principal to access Azure Media Services resources.
media-services Media Services Protect Hls With Offline Fairplay https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-protect-hls-with-offline-fairplay.md
> * [Version 3](../latest/drm-offline-fairplay-for-ios-concept.md) > * [Version 2](media-services-protect-hls-with-offline-fairplay.md)
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Azure Media Services provides a set of well-designed [content protection services](https://azure.microsoft.com/services/media-services/content-protection/) that cover:
media-services Media Services Protect With Aes128 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-protect-with-aes128.md
> * [PHP](https://github.com/Azure/azure-sdk-for-php/tree/master/examples/MediaServices) >
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
You can use Media Services to deliver HTTP Live Streaming (HLS) and Smooth Streaming encrypted with AES using 128-bit encryption keys. Media Services also provides the key delivery service that delivers encryption keys to authorized users. If you want Media Services to encrypt an asset, you associate an encryption key with the asset and also configure authorization policies for the key. When a stream is requested by a player, Media Services uses the specified key to dynamically encrypt your content with AES. To decrypt the stream, the player requests the key from the key delivery service. To determine whether the user is authorized to get the key, the service evaluates the authorization policies that you specified for the key.
media-services Media Services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-release-notes.md
These release notes for Azure Media Services summarize changes from previous releases and known issues.
-> [!NOTE]
-> No new features are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
We want to hear from our customers so that we can focus on fixing problems that affect you. To report a problem or ask questions, submit a post in the [Azure Media Services MSDN Forum].
media-services Media Services Rest Check Job Progress https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-rest-check-job-progress.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
When you run jobs, you often require a way to track job progress. You can find out the Job status by using the Job's State property. For more information on the State property, see [Job Entity Properties](/rest/api/media/operations/job#job_entity_properties).
media-services Media Services Rest Connect With Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-rest-connect-with-aad.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
When you're using Azure AD authentication with Azure Media Services, you can authenticate in one of two ways:
media-services Media Services Rest Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-rest-get-started.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
This quickstart walks you through the steps of implementing a Video-on-Demand (VoD) content delivery application using Azure Media Services (AMS) REST APIs.
media-services Media Services Rest How To Use https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-rest-how-to-use.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
The **Media Services Operations REST** API is used for creating Jobs, Assets, Live Channels and other resources in a Media Services account. For more information, see [Media Services Operations REST API reference](/rest/api/media/operations/azure-media-services-rest-api-reference).
media-services Media Services Set Up Computer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-set-up-computer.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
The following steps describe prerequisites required for developing with Azure Media Services.
media-services Media Services Static Packaging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-static-packaging.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
## Overview
media-services Media Services Streaming Endpoints Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-streaming-endpoints-overview.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
In Microsoft Azure Media Services (AMS), a **Streaming Endpoint** represents a streaming service that can deliver content directly to a client player application, or to a Content Delivery Network (CDN) for further distribution. Media Services also provides seamless Azure CDN integration. The outbound stream from a StreamingEndpoint service can be a live stream, a video on demand, or a progressive download of an asset in your Media Services account. Each Azure Media Services account includes a default StreamingEndpoint; additional StreamingEndpoints can be created under the account. There are two versions of StreamingEndpoints, 1.0 and 2.0. Starting January 10, 2017, any newly created AMS account includes a version 2.0 **default** StreamingEndpoint, and additional streaming endpoints added to that account are also version 2.0. This change does not affect existing accounts: their existing StreamingEndpoints remain version 1.0 and can be upgraded to version 2.0. The change brings behavior, billing, and feature differences (for more information, see the **Streaming types and versions** section documented below).
media-services Media Services Telemetry Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-telemetry-overview.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Azure Media Services (AMS) enables you to access telemetry/metrics data for its services. The current version of AMS lets you collect telemetry data for live **Channel**, **StreamingEndpoint**, and live **Archive** entities.
media-services Media Services Upload Files From Storsimple https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-upload-files-from-storsimple.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
> > > Azure StorSimple Data Manager is currently in private preview.
media-services Media Services Use Aad Auth To Access Ams Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/media-services-use-aad-auth-to-access-ams-api.md
[!INCLUDE [media services api v2 logo](./includes/v2-hr.md)]
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
The Azure Media Services API is a RESTful API. You can use it to perform operations on media resources by using a REST API or by using available client SDKs. Azure Media Services offers a Media Services client SDK for Microsoft .NET. To be authorized to access Media Services resources and the Media Services API, you must first be authenticated.
media-services Offline Playready Streaming Windows 10 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/offline-playready-streaming-windows-10.md
> * [Version 3](../latest/drm-offline-playready-streaming-for-windows-10.md) > * [Version 2](offline-playready-streaming-windows-10.md)
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
Azure Media Services supports offline download and playback with DRM protection. This article covers offline support of Azure Media Services for Windows 10/PlayReady clients. You can read about the offline mode support for iOS/FairPlay and Android/Widevine devices in the following articles:
media-services Offline Widevine For Android https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/previous/offline-widevine-for-android.md
> * [Version 3](../latest/drm-offline-widevine-for-android.md) > * [Version 2](offline-widevine-for-android.md)
-> [!NOTE]
-> No new features or functionality are being added to Media Services v2. <br/>Check out the latest version, [Media Services v3](../latest/index.yml). Also, see [migration guidance from v2 to v3](../latest/migrate-v-2-v-3-migration-introduction.md)
In addition to protecting content for online streaming, media content subscription and rental services offer downloadable content that works when you are not connected to the internet. You might need to download content onto your phone or tablet for playback in airplane mode when flying disconnected from the network. Additional scenarios, in which you might want to download content:
object-anchors Sdk Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/concepts/sdk-overview.md
Title: Runtime SDK Overview description: Get familiar with the Object Anchors Runtime SDK. -+ Previously updated : 03/02/2021 Last updated : 07/23/2021 # Runtime SDK Overview
-This section provides a high-level overview of the Object Anchors Runtime SDK, which is used to detect objects using an Object Anchors model. You'll gain an understanding of how an object is represented and what the various components are used for.
+This section provides a high-level overview of the Object Anchors Runtime SDK, which is used to detect objects using an
+Object Anchors model. You'll gain an understanding of how an object is represented and what the various components are
+used for.
-All of the types described below can be found in the **Microsoft.MixedReality.ObjectAnchors** namespace.
+All of the types described below can be found in one of the following namespaces: **Microsoft.Azure.ObjectAnchors**,
+**Microsoft.Azure.ObjectAnchors.Diagnostics**, and **Microsoft.Azure.ObjectAnchors.SpatialGraph**.
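Review bot: the namespace correction from **Microsoft.MixedReality.ObjectAnchors** to the three **Microsoft.Azure.ObjectAnchors** namespaces is consistent with the API reference links used throughout this article (all of which point at `/dotnet/api/microsoft.azure.objectanchors...`), but now that the sentence lists three namespaces it no longer tells the reader which type lives where; suggest naming the namespace beside each type in the sections below, for example that ObjectDiagnosticsSession is in **Microsoft.Azure.ObjectAnchors.Diagnostics** as its reference link (`microsoft.azure.objectanchors.diagnostics.objectdiagnosticssession`) indicates.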
## Types ### ObjectModel
-An [ObjectModel](/dotnet/api/microsoft.azure.objectanchors.objectmodel) represents a physical object's geometry and encodes necessary parameters for detection and pose estimation. It must be created using the [Object Anchors service](../quickstarts/get-started-model-conversion.md). Then an application can load the generated model file using the Object Anchors API and query the mesh embedded in that model for visualization.
+An [ObjectModel](/dotnet/api/microsoft.azure.objectanchors.objectmodel) represents a physical object's geometry and
+encodes necessary parameters for detection and pose estimation. It must be created using the
+[Object Anchors service](../quickstarts/get-started-model-conversion.md). Then an application can load the generated
+model file using the Object Anchors API and query the mesh embedded in that model for visualization.
### ObjectSearchArea
-An [ObjectSearchArea](/dotnet/api/microsoft.azure.objectanchors.objectsearcharea) specifies the space to look for one or multiple objects. It's defined by a spatial graph node ID and spatial bounds in the coordinate system represented by the spatial graph node ID. The Object Anchors Runtime SDK supports four types of bounds, namely, **field of view**, **bounding box**, **sphere**, and a **location**.
+An [ObjectSearchArea](/dotnet/api/microsoft.azure.objectanchors.objectsearcharea) specifies the space to look for one or
+multiple objects. It's defined by a spatial graph node ID and spatial bounds in the coordinate system represented by the
+spatial graph node ID. The Object Anchors Runtime SDK supports four types of bounds, namely, **field of view**,
+**bounding box**, **sphere**, and a **location**.
### AccountInformation
-An [AccountInformation](/dotnet/api/microsoft.azure.objectanchors.accountinformation) stores the ID, Key and Domain for your Azure Object Anchors account.
+An [AccountInformation](/dotnet/api/microsoft.azure.objectanchors.accountinformation) stores the ID, Key and Domain for
+your Azure Object Anchors account.
### ObjectAnchorsSession
-An [ObjectAnchorsSession](/dotnet/api/microsoft.azure.objectanchors.objectanchorssession) represents an Azure Object Anchors session that is used to create ObjectObserver instances used to detect objects in the physical world.
+An [ObjectAnchorsSession](/dotnet/api/microsoft.azure.objectanchors.objectanchorssession) represents an Azure Object
+Anchors session that is used to create ObjectObserver instances used to detect objects in the physical world.
### ObjectObserver
-An [ObjectObserver](/dotnet/api/microsoft.azure.objectanchors.objectobserver) loads object models, detects their instances, and reports 6-DoF poses of each instance in HoloLens coordinate system.
+An [ObjectObserver](/dotnet/api/microsoft.azure.objectanchors.objectobserver) loads object models, detects their
+instances, and reports 6-DoF poses of each instance in HoloLens coordinate system.
-Although any object model or instance is created from an **observer**, their lifetimes are independent. An application can dispose an observer and continue to use the object model or instance.
+Although any object model or instance is created from an **observer**, their lifetimes are independent. An application
+can dispose an observer and continue to use the object model or instance.
### ObjectQuery
-An [ObjectQuery](/dotnet/api/microsoft.azure.objectanchors.objectquery) tells an **object observer** how to find objects of a given model. It provides the following tunable parameters, whose default values can be retrieved from an object model.
+An [ObjectQuery](/dotnet/api/microsoft.azure.objectanchors.objectquery) tells an **object observer** how to find objects
+of a given model. It provides the following tunable parameters, whose default values can be retrieved from an object
+model.
#### MinSurfaceCoverage
-The [MinSurfaceCoverage](/dotnet/api/microsoft.azure.objectanchors.objectquery.minsurfacecoverage) property indicates the value to consider an instance as detected.
+The [MinSurfaceCoverage](/dotnet/api/microsoft.azure.objectanchors.objectquery.minsurfacecoverage) property indicates
+the value to consider an instance as detected.
-For each object candidate, an **observer** computes the ratio of overlapped surfaces between transformed object model and the scene, then it reports that candidate to application only when the coverage ratio is above a given threshold.
+For each object candidate, an **observer** computes the ratio of overlapped surfaces between transformed object model
+and the scene, then it reports that candidate to application only when the coverage ratio is above a given threshold.
#### IsExpectedToBeStandingOnGroundPlane
-The [IsExpectedToBeStandingOnGroundPlane](/dotnet/api/microsoft.azure.objectanchors.objectquery.isexpectedtobestandingongroundplane) property indicates if the target object is expected to stand on the ground plane.
+The [IsExpectedToBeStandingOnGroundPlane](/dotnet/api/microsoft.azure.objectanchors.objectquery.isexpectedtobestandingongroundplane)
+property indicates if the target object is expected to stand on the ground plane.
-A ground plane is the lowest horizontal floor in the search area. It provides good constraint on the possible object poses. Turning on this flag will guide the **observer** to estimate the pose in a limited space and could improve the accuracy. This parameter will be ignored if the model isn't supposed to stand on the ground plane.
+A ground plane is the lowest horizontal floor in the search area. It provides good constraint on the possible object
+poses. Turning on this flag will guide the **observer** to estimate the pose in a limited space and could improve the
+accuracy. This parameter will be ignored if the model isn't supposed to stand on the ground plane.
#### ExpectedMaxVerticalOrientationInDegrees
-The [ExpectedMaxVerticalOrientationInDegrees](/dotnet/api/microsoft.azure.objectanchors.objectquery.expectedmaxverticalorientationindegrees) property indicates the expected maximum angle in degrees between up direction of an object instance and gravity.
+The [ExpectedMaxVerticalOrientationInDegrees](/dotnet/api/microsoft.azure.objectanchors.objectquery.expectedmaxverticalorientationindegrees)
+property indicates the expected maximum angle in degrees between up direction of an object instance and gravity.
-This parameter provides another constraint on the up direction of an estimated pose. For example, if an object is up-right, this parameter can be 0. Object Anchors isn't supposed to detect objects that are different from the model. If a model is up-right, then it won't detect an instance laid side-down. A new model would be used for side-down layout. Same rule applies for articulation.
+This parameter provides another constraint on the up direction of an estimated pose. For example, if an object is
+up-right, this parameter can be 0. Object Anchors isn't supposed to detect objects that are different from the model. If
+a model is up-right, then it won't detect an instance laid side-down. A new model would be used for side-down layout.
+Same rule applies for articulation.
#### MaxScaleChange
-The [MaxScaleChange](/dotnet/api/microsoft.azure.objectanchors.objectquery.maxscalechange) property indicates the maximum object scale change (within 0 ~ 1) with respect to spatial mapping. The estimated scale is applied to transformed object vertices centered at origin and axis-aligned. Estimated scales may not be the actual scale between a CAD model and its physical representation, but some values that allow the app to render an object model close to spatial mapping on the physical object.
+The [MaxScaleChange](/dotnet/api/microsoft.azure.objectanchors.objectquery.maxscalechange) property indicates the
+maximum object scale change (within 0 ~ 1) with respect to spatial mapping. The estimated scale is applied to
+transformed object vertices centered at origin and axis-aligned. Estimated scales may not be the actual scale between a
+CAD model and its physical representation, but some values that allow the app to render an object model close to spatial
+mapping on the physical object.
#### SearchAreas
-The [SearchAreas](/dotnet/api/microsoft.azure.objectanchors.objectquery.searchareas) property indicates an array of spatial bounds where to find object(s).
+The [SearchAreas](/dotnet/api/microsoft.azure.objectanchors.objectquery.searchareas) property indicates an array of
+spatial bounds where to find object(s).
-The **observer** will look for objects in the union space of all search areas specified in a query. In this release, we will return at most one object with highest confidence to reduce the latency.
+The **observer** will look for objects in the union space of all search areas specified in a query. In this release, we
+will return at most one object with highest confidence to reduce the latency.
### ObjectInstance
-An [ObjectInstance](/dotnet/api/microsoft.azure.objectanchors.objectinstance) represents a hypothetical position where an instance of a given model could be in the HoloLens coordinate system. Each instance comes with a `SurfaceCoverage` property to indicate how good the estimated pose is.
+An [ObjectInstance](/dotnet/api/microsoft.azure.objectanchors.objectinstance) represents a hypothetical position where
+an instance of a given model could be in the HoloLens coordinate system. Each instance comes with a `SurfaceCoverage`
+property to indicate how good the estimated pose is.
-An instance is created by calling `ObjectObserver.DetectAsync` method, then updated automatically in the background when alive. An application can listen to the state changed event on a particular instance or change the tracking mode to pause/resume the update. An instance will automatically be removed from the **observer** when tracking is lost.
+An instance is created by calling `ObjectObserver.DetectAsync` method, then updated automatically in the background when
+alive. An application can listen to the state changed event on a particular instance or change the tracking mode to
+pause/resume the update. An instance will automatically be removed from the **observer** when tracking is lost.
### ObjectDiagnosticsSession
-The [ObjectDiagnosticSession](/dotnet/api/microsoft.azure.objectanchors.diagnostics.objectdiagnosticssession) records diagnostics and writes data to an archive.
+The [ObjectDiagnosticSession](/dotnet/api/microsoft.azure.objectanchors.diagnostics.objectdiagnosticssession) records
+diagnostics and writes data to an archive.
-A diagnostics archive includes the scene point cloud, observer's status, and information about the models. This information is useful to identify possible runtime issues. For more information, see the [FAQ](../faq.md).
+A diagnostics archive includes the scene point cloud, observer's status, and information about the models. This
+information is useful to identify possible runtime issues. For more information, see the [FAQ](../faq.md).
## Runtime SDK usage and details
-This section should provide you with the basics of how to use the Runtime SDK. It should give you enough context to browse through the sample applications to see how Object Anchors is used holistically.
+This section should provide you with the basics of how to use the Runtime SDK. It should give you enough context to
+browse through the sample applications to see how Object Anchors is used holistically.
### Initialization
-Applications need to call the `ObjectObserver.IsSupported()` API to determine if Object Anchors is supported on the device before using it. If the `ObjectObserver.IsSupported()` API returns `false`, check that the application has enabled the **spatialPerception** capability and\or upgrade to the latest HoloLens OS.
+Applications need to call the `ObjectObserver.IsSupported()` API to determine if Object Anchors is supported on the
+device before using it. If the `ObjectObserver.IsSupported()` API returns `false`, check that the application has
+enabled the **spatialPerception** capability and\or upgrade to the latest HoloLens OS.
```cs
+using Microsoft.Azure.ObjectAnchors;
+ if (!ObjectObserver.IsSupported()) { // Handle the error } // This call should grant the access we need.
-var status = await ObjectObserver.RequestAccessAsync();
-if(status != ObjectObserverStatus.Allowed)
+ObjectObserverAccessStatus status = await ObjectObserver.RequestAccessAsync();
+if (status != ObjectObserverAccessStatus.Allowed)
{ // Handle the error } ```
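Review bot: "and\or" in the prose above the snippet uses a backslash; it should be "and/or". Since the snippet now checks `RequestAccessAsync()` against `ObjectObserverAccessStatus.Allowed`, the prose should mention that step too (it only describes `IsSupported()`), and the comment "This call should grant the access we need" understates it: any status other than `Allowed` means the observer cannot be used and has to be handled, as the code below the comment does.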
-Next, the application creates an object observer and loads necessary models generated by the [Object Anchors model conversion service](../quickstarts/get-started-model-conversion.md).
+Next, the application creates an object observer and loads necessary models generated by the
+[Object Anchors model conversion service](../quickstarts/get-started-model-conversion.md).
```cs
-// Note that you need to provide the Id, Key and Domain for your Azure Object Anchors account
-var accountInformation = new AccountInformation([yourAccountId], [yourAccountKey], [yourAccountDomain]);
-var session = new ObjectAnchorsSession(accountInformation);
-var observer = session.CreateObjectObserver();
-
-byte[] modelAsBytes; // Load a model into a byte array. Model could be a file, an embedded resource, or a network stream.
-var model = await observer.LoadObjectModelAsync(modelAsBytes);
-
-// Note that after a model is loaded, its vertices and normals are transformed into a centered coordinate system for the
-// ease of computing the object pose. The rigid transform can be retrieved through the `OriginToCenterTransform` property.
+using Microsoft.Azure.ObjectAnchors;
+
+// Note that you need to provide the Id, Key and Domain for your Azure Object
+// Anchors account.
+Guid accountId = new Guid("[your account id]");
+string accountKey = "[your account key]";
+string accountDomain = "[your account domain]";
+
+AccountInformation accountInformation = new AccountInformation(accountId, accountKey, accountDomain);
+ObjectAnchorsSession session = new ObjectAnchorsSession(accountInformation);
+ObjectObserver observer = session.CreateObjectObserver();
+
+// Load a model into a byte array. The model could be a file, an embedded
+// resource, or a network stream.
+byte[] modelAsBytes;
+ObjectModel model = await observer.LoadObjectModelAsync(modelAsBytes);
+
+// Note that after a model is loaded, its vertices and normals are transformed
+// into a centered coordinate system for the ease of computing the object pose.
+// The rigid transform can be retrieved through the `OriginToCenterTransform`
+// property.
``` The application creates a query to detect instances of that model within a space. ```cs
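Review bot: `byte[] modelAsBytes;` is declared but never assigned before `observer.LoadObjectModelAsync(modelAsBytes)`, which is a compile error in C# (use of an unassigned local); since the comment says the model may come from a file, resource or stream, initialize it, for example `byte[] modelAsBytes = await LoadModelBytesAsync();` with a comment that the helper is the app's own, or at least `= null;` so the snippet compiles. Separately, `string accountKey = "[your account key]";` shows the account key as a source literal; a comment that the key is a credential to be read from app configuration or a secret store, not checked into source, would help readers who copy the snippet as-is.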
-var coordinateSystem = default(SpatialGraphCoordinateSystem);
-var searchAreaAsBox = ObjectSearchArea.FromOrientedBox(coordinateSystem, default(SpatialOrientedBox));
+using Microsoft.Azure.ObjectAnchors;
+using Microsoft.Azure.ObjectAnchors.SpatialGraph;
+using Microsoft.Azure.ObjectAnchors.Unity;
+using UnityEngine;
+
+// Get the coordinate system.
+SpatialGraphCoordinateSystem? coordinateSystem = null;
-// Optionally change the parameters, otherwise use the default values embedded in the model.
-var query = new ObjectQuery(model);
+#if WINDOWS_UWP
+SpatialCoordinateSystem worldOrigin = ObjectAnchorsWorldManager.WorldOrigin;
+if (worldOrigin != null)
+{
+ coordinateSystem = await Task.Run(() => worldOrigin.TryToSpatialGraph());
+}
+#endif
+
+if (!coordinateSystem.HasValue)
+{
+ Debug.LogError("no coordinate system?");
+ return;
+}
+
+// Get the search area.
+SpatialFieldOfView fieldOfView = new SpatialFieldOfView
+{
+ Position = Camera.main.transform.position.ToSystem(),
+ Orientation = Camera.main.transform.rotation.ToSystem(),
+ FarDistance = 4.0f, // Far distance in meters of object search frustum.
+ HorizontalFieldOfViewInDegrees = 75.0f, // Horizontal field of view in
+ // degrees of object search frustum.
+ AspectRatio = 1.0f // Aspect ratio (horizontal / vertical) of object search
+ // frustum.
+};
+
+ObjectSearchArea searchArea = ObjectSearchArea.FromFieldOfView(coordinateSystem.Value, fieldOfView);
+
+// Optionally change the parameters, otherwise use the default values embedded
+// in the model.
+ObjectQuery query = new ObjectQuery(model);
query.MinSurfaceCoverage = 0.2f; query.ExpectedMaxVerticalOrientationInDegrees = 1.5f; query.MaxScaleChange = 0.1f;
-query.SearchAreas.Add(searchAreaAsBox);
+query.SearchAreas.Add(searchArea);
-// Detection could take long, run in a background thread.
-var detectedObjects = await observer.DetectAsync(query);
+// Detection could take a while, so we run it in a background thread.
+IList<ObjectInstance> detectedObjects = await observer.DetectAsync(query);
```
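Review bot: the `using` list at the top of this hunk is incomplete for the code it shows: `Task.Run` needs `System.Threading.Tasks`, `IList<ObjectInstance>` needs `System.Collections.Generic`, and `SpatialCoordinateSystem` needs `Windows.Perception.Spatial`. The `return;` after the null coordinate-system check also implies the snippet sits inside an `async` method, and the new `Microsoft.Azure.ObjectAnchors.Unity`, `UnityEngine`, `Camera.main` and `ObjectAnchorsWorldManager` references make this SDK overview snippet Unity-specific; a sentence saying it is taken from the Unity sample, or keeping the removed `FromOrientedBox` variant alongside it, would avoid confusing readers using the SDK outside Unity.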
-By default, each detected instance will be tracked automatically by the **observer**. We can optionally manipulate these instances by changing their tracking mode or listening to their state changed event.
+By default, each detected instance will be tracked automatically by the **observer**. We can optionally manipulate these
+instances by changing their tracking mode or listening to their state changed event.
```cs
-foreach (var instance in detectedObjects)
+using Microsoft.Azure.ObjectAnchors;
+
+foreach (ObjectInstance instance in detectedObjects)
{ // Supported modes:
- // "LowLatencyCoarsePosition" - consumes less CPU cycles thus fast to update the state.
- // "HighLatencyAccuratePosition" - (not yet implemented) consumes more CPU cycles thus potentially taking longer time to update the state.
- // "Paused" - stops to update the state until mode changed to low or high.
+ // "LowLatencyCoarsePosition" - Consumes less CPU cycles thus fast to
+ // update the state.
+ // "HighLatencyAccuratePosition" - (Not yet implemented) Consumes more CPU
+ // cycles thus potentially taking longer
+ // time to update the state.
+ // "Paused" - Stops to update the state until mode
+ // changed to low or high.
instance.Mode = ObjectInstanceTrackingMode.LowLatencyCoarsePosition; // Listen to state changed event on this instance. instance.Changed += InstanceChangedHandler; // Optionally dispose an instance if not interested in it.
- //instance.Dispose();
+ // instance.Dispose();
} ``` In the state changed event, we can query the latest state or dispose an instance if it lost tracking. ```cs
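Review bot: `instance.Changed += InstanceChangedHandler;` subscribes a handler that is only defined in the next snippet as a local `var`, so in reading order the identifier is used before it is declared; either move the handler definition above this block or say that it is defined below. Minor: "Consumes less CPU cycles" should be "fewer CPU cycles".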
+using Microsoft.Azure.ObjectAnchors;
+ var InstanceChangedHandler = new Windows.Foundation.TypedEventHandler<ObjectInstance, ObjectInstanceChangedEventArgs>((sender, args) => { // Try to query the current instance state.
- var state = sender.TryGetCurrentState();
+ ObjectInstanceState? state = sender.TryGetCurrentState();
if (state.HasValue) { // Process latest state via state.Value.
- // An object pose includes scale, rotation and translation, applied in the same order
- // to the object model in the centered coordinate system.
+ // An object pose includes scale, rotation and translation, applied in
+ // the same order to the object model in the centered coordinate system.
} else { // This object instance is lost for tracking, and will never be recovered.
- // The caller can detach the Changed event handler from this instance and dispose it.
+ // The caller can detach the Changed event handler from this instance
+ // and dispose it.
sender.Dispose(); } });
var InstanceChangedHandler = new Windows.Foundation.TypedEventHandler<ObjectInst
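Review bot: the lost-tracking branch's comment says the caller can detach the `Changed` handler and dispose the instance, but the code only calls `sender.Dispose();`; to match the teardown loop at the end of this section, add `sender.Changed -= InstanceChangedHandler;` before the dispose, which requires the handler to be a named method or a variable declared before the lambda is assigned, because a `var`-declared lambda cannot reference itself.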
Also, an application can optionally record one or multiple diagnostics sessions for offline debugging. ```cs
+using Microsoft.Azure.ObjectAnchors;
+using Microsoft.Azure.ObjectAnchors.Diagnostics;
+ string diagnosticsFolderPath = Windows.Storage.ApplicationData.Current.TemporaryFolder.Path; const uint maxSessionSizeInMegaBytes = uint.MaxValue; // Recording starts on the creation of a diagnostics session.
-var diagnostics = new ObjectDiagnosticsSession(observer, maxSessionSizeInMegaBytes);
+ObjectDiagnosticsSession diagnostics = new ObjectDiagnosticsSession(observer, maxSessionSizeInMegaBytes);
// Wait for the observer to do a job.
-// Application can report some **pseudo ground-truth** pose for an instance acquired from other means.
+// Application can report some **pseudo ground-truth** pose for an instance
+// acquired from other means.
diagnostics.ReportActualInstanceLocation(instance, coordinateSystem, Vector3.Zero, Quaternion.Identity); // Close a session and write the diagnostics into an archive at specified location.
await diagnostics.CloseAsync(System.IO.Path.Combine(diagnosticsFolderPath, "diag
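Review bot: `const uint maxSessionSizeInMegaBytes = uint.MaxValue;` removes any bound on the diagnostics archive, which per the ObjectDiagnosticsSession section above contains the scene point cloud and observer state and is written to the app's temporary folder; a bounded example value with a comment that the archive holds environment data and is meant for offline debugging only would be the safer default for readers to copy. Also, `coordinateSystem` is declared as `SpatialGraphCoordinateSystem?` in the query snippet, so `ReportActualInstanceLocation(instance, coordinateSystem, ...)` should pass `coordinateSystem.Value` as `FromFieldOfView` does, and `Vector3.Zero` / `Quaternion.Identity` need `using System.Numerics;`.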
Finally we release resources by disposing all objects. ```cs
-foreach(var instance in activeInstances)
+using Microsoft.Azure.ObjectAnchors;
+
+foreach (ObjectInstance instance in activeInstances)
{ instance.Changed -= InstanceChangedHandler; instance.Dispose();
object-anchors Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/faq.md
For smaller objects within 2 meters in each dimension, detection can occur withi
**Q: Can Object Anchors handle moving objects?**
-**A:** We don't support **continuously moving** or **dynamic** objects.
+**A:** We don't support **continuously moving** or **dynamic** objects. We do support objects in an entirely new position in the space once they have been physically moved there, but cannot track it while it is being moved.
**Q: Can Object Anchors handle deformation or articulations?**
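Review bot: the added sentence on the `+` line mixes number: "objects ... cannot track it while it is being moved" should be "cannot track them while they are being moved"; "in an entirely new position in the space" could also be tightened to "at a new position in the space".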
For smaller objects within 2 meters in each dimension, detection can occur withi
## Privacy FAQ **Q: How does Azure Object Anchors store data?**
-**A:** We only store System Metadata, which is encrypted at rest with a Microsoft managed data encryption key.
+**A:** We only store System Metadata, which is encrypted at rest with a Microsoft managed data encryption key.
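Review bot: the `-` and `+` lines render identically, so this appears to be a whitespace-only change; fine if intended, but "System Metadata" is capitalised as a defined term and the answer gives no definition or link, so a short parenthetical on what it covers would help readers assessing what the service stores.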
postgresql Concepts Hyperscale Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/concepts-hyperscale-monitoring.md
Previously updated : 11/04/2019 Last updated : 07/26/2021 # Monitor and tune Azure Database for PostgreSQL - Hyperscale (Citus)
insight into the behavior of nodes in a server group.
## Metrics
-Hyperscale (Citus) provides metrics for each node in a server group. The
-metrics give insight into the behavior of supporting resources. Each metric is
-emitted at a one-minute frequency, and has up to 30 days of history.
+Hyperscale (Citus) provides metrics for nodes in a server group, and aggregate
+metrics for the group as a whole. The metrics give insight into the behavior of
+supporting resources. Each metric is emitted at a one-minute frequency, and has
+up to 30 days of history.
In addition to viewing graphs of the metrics, you can configure alerts. For
-step by step guidance, see [How to set up
+step-by-step guidance, see [How to set up
alerts](howto-hyperscale-alert-on-metric.md). Other tasks include setting up automated actions, running advanced analytics, and archiving history. For more information, see the [Azure Metrics Overview](../azure-monitor/data-platform.md).
+### Per node vs aggregate
+
+By default, the Azure portal aggregates Hyperscale (Citus) metrics across nodes
+in a server group. However, some metrics, such as disk usage percentage, are
+more informative on a per-node basis. To see metrics for nodes displayed
+individually, use Azure Monitor [metric
+splitting](../azure-monitor/essentials/metrics-charts.md#metric-splitting) by
+server name.
+
+> [!NOTE]
+>
+> Some Hyperscale (Citus) server groups do not support metric splitting. On
+> these server groups, you can view metrics for individual nodes by clicking
+> the node name in the server group **Overview** page. Then open the
+> **Metrics** page for the node.
+ ### List of metrics These metrics are available for Hyperscale (Citus) nodes:
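Review bot: the NOTE's "Some Hyperscale (Citus) server groups do not support metric splitting" leaves readers unable to tell whether theirs does; state the distinguishing property (for example the tier, or when the group was created) or how to check, so the per-node fallback in the note is only followed when needed.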
multiple nodes can be placed on the same graph.
## Next steps - See [how to set up alerts](howto-hyperscale-alert-on-metric.md) for guidance
- on creating an alert on a metric.
+ on creating an alert on a metric.
+- Learn how to do [metric
+ splitting](../azure-monitor/essentials/metrics-charts.md#metric-splitting) to
+ inspect metrics per node in a server group.
private-link Private Endpoint Dns https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/private-endpoint-dns.md
For Azure services, use the recommended zone names as described in the following
| Azure Automation / (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker | privatelink.azure-automation.net | azure-automation.net | | Azure SQL Database (Microsoft.Sql/servers) / sqlServer | privatelink.database.windows.net | database.windows.net | | Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Sql | privatelink.sql.azuresynapse.net | sql.azuresynapse.net |
-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / SqlOnDemand | privatelink.sqlondemand.azuresynapse.net | sqlondemand.azuresynapse.net |
+| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / SqlOnDemand | privatelink.sql.azuresynapse.net | sqlondemand.azuresynapse.net |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Dev | privatelink.dev.azuresynapse.net | dev.azuresynapse.net | | Storage account (Microsoft.Storage/storageAccounts) / Blob (blob, blob_secondary) | privatelink.blob.core.windows.net | blob.core.windows.net | | Storage account (Microsoft.Storage/storageAccounts) / Table (table, table_secondary) | privatelink.table.core.windows.net | table.core.windows.net |
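Review bot: the SqlOnDemand row now lists `privatelink.sql.azuresynapse.net` as the private DNS zone, the same zone as the Sql row, while its public DNS zone forwarder stays `sqlondemand.azuresynapse.net`; if the two sub-resources really share one private zone, say so in a sentence beside the table, because readers comparing the columns will otherwise read the mismatch as a typo and may create a `privatelink.sqlondemand.azuresynapse.net` zone that never receives the record. If the change itself is the typo, it breaks name resolution for serverless SQL endpoints, so please confirm the zone name with the Synapse team before merging.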
private-link Private Endpoint Export Dns https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/private-endpoint-export-dns.md
+
+ Title: Export DNS records for a private endpoint using the Azure portal
+
+description: In this tutorial, learn how to export the DNS records for a private endpoint in the Azure portal.
++++ Last updated : 07/25/2021+++
+# Export DNS records for a private endpoint using the Azure portal
+
+A private endpoint in Azure requires DNS records for name resolution of the endpoint. The DNS record resolves the private IP address of the endpoint for the configured resource. To export the DNS records of the endpoint, use the Private Link center in the portal.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free ](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- A private endpoint configured in your subscription. For the example in this article, a private endpoint to an Azure Web App is used. For more information on creating a private endpoint for a web app, see [Tutorial: Connect to a web app using an Azure Private endpoint](tutorial-private-endpoint-webapp-portal.md).
+
+## Export endpoint DNS records
+
+In this section, you'll sign in to the Azure portal and search for the private link center.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. In the search box at the top of the portal, enter **Private Link**.
+
+3. Select **Private link**.
+
+4. In the Private Link center, select **Private endpoints**.
+
+ :::image type="content" source="./media/private-endpoint-export-dns/private-link-center.png" alt-text="Select private endpoints in Private Link center":::
+
+5. In **Private endpoints**, select the endpoint you want to export the DNS records for. Select **Download host file** to download the endpoint DNS records in a host file format.
+
+ :::image type="content" source="./media/private-endpoint-export-dns/download-host-file.png" alt-text="Download endpoint DNS records":::
+
+6. The downloaded host file records will look similar to below:
+
+ ```text
+ # Exported from the Azure portal "2021-07-26 11:26:03Z"
+ # Private IP FQDN Private Endpoint Id
+ 10.1.0.4 mywebapp8675.scm.azurewebsites.net #/subscriptions/7cc654c6-760b-442f-bd02-1a8a64b17413/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/mywebappendpoint
+ 10.1.0.4 mywebapp8675.azurewebsites.net #/subscriptions/7cc654c6-760b-442f-bd02-1a8a64b17413/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/mywebappendpoint
+ ```
+
+## Next steps
+
+To learn more about Azure Private link and DNS, see [Azure Private Endpoint DNS configuration](private-endpoint-dns.md).
+
+For more information on Azure Private link, see:
+
+* [What is Azure Private Link?](private-link-overview.md)
+* [What is Azure Private Link service?](private-link-service-overview.md)
+* [Azure Private Link frequently asked questions (FAQ)](private-link-faq.yml)
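Review bot: the sample host file in step 6 carries a realistic subscription ID in the Private Endpoint Id column; replace it with a placeholder such as `{subscriptionId}`, as the role definition JSON elsewhere in this update does, so a real identifier is not published and readers do not copy it. Also, the link text "[Create an account for free ]" in Prerequisites has a stray space before the closing bracket, and step 6's "will look similar to below" should be "will look similar to the following".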
role-based-access-control Built In Roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/role-based-access-control/built-in-roles.md
Previously updated : 07/13/2021 Last updated : 07/23/2021
The following table provides a brief description of each built-in role. Click th
> | [API Management Service Reader Role](#api-management-service-reader-role) | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d | > | [App Configuration Data Owner](#app-configuration-data-owner) | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | > | [App Configuration Data Reader](#app-configuration-data-reader) | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
+> | [Azure Relay Listener](#azure-relay-listener) | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d |
+> | [Azure Relay Owner](#azure-relay-owner) | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 |
+> | [Azure Relay Sender](#azure-relay-sender) | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d |
> | [Azure Service Bus Data Owner](#azure-service-bus-data-owner) | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 | > | [Azure Service Bus Data Receiver](#azure-service-bus-data-receiver) | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | > | [Azure Service Bus Data Sender](#azure-service-bus-data-sender) | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
Allows read access to App Configuration data. [Learn more](../azure-app-configur
} ```
+### Azure Relay Listener
+
+Allows for listen access to Azure Relay resources.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/wcfRelays/read | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/hybridConnections/read | |
+> | **NotActions** | |
+> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/listen/action | |
+> | **NotDataActions** | |
+> | *none* | |
+
+```json
+{
+ "assignableScopes": [
+ "/"
+ ],
+ "description": "Allows for listen access to Azure Relay resources.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
+ "name": "26e0b698-aa6d-4085-9386-aadae190014d",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Relay/*/wcfRelays/read",
+ "Microsoft.Relay/*/hybridConnections/read"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.Relay/*/listen/action"
+ ],
+ "notDataActions": []
+ }
+ ],
+ "roleName": "Azure Relay Listener",
+ "roleType": "BuiltInRole",
+ "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+### Azure Relay Owner
+
+Allows for full access to Azure Relay resources.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/* | |
+> | **NotActions** | |
+> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/* | |
+> | **NotDataActions** | |
+> | *none* | |
+
+```json
+{
+ "assignableScopes": [
+ "/"
+ ],
+ "description": "Allows for full access to Azure Relay resources.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
+ "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Relay/*"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.Relay/*"
+ ],
+ "notDataActions": []
+ }
+ ],
+ "roleName": "Azure Relay Owner",
+ "roleType": "BuiltInRole",
+ "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+### Azure Relay Sender
+
+Allows for send access to Azure Relay resources.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/wcfRelays/read | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/hybridConnections/read | |
+> | **NotActions** | |
+> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/send/action | |
+> | **NotDataActions** | |
+> | *none* | |
+
+```json
+{
+ "assignableScopes": [
+ "/"
+ ],
+ "description": "Allows for send access to Azure Relay resources.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
+ "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Relay/*/wcfRelays/read",
+ "Microsoft.Relay/*/hybridConnections/read"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.Relay/*/send/action"
+ ],
+ "notDataActions": []
+ }
+ ],
+ "roleName": "Azure Relay Sender",
+ "roleType": "BuiltInRole",
+ "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+ ### Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
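Review bot: the three new Azure Relay sections have no "Learn more" link after their one-line description, unlike the neighbouring Azure Service Bus Data Owner entry, which links to the Service Bus authentication article; add the equivalent Relay authorization link so readers can see what `listen/action` and `send/action` cover. A sentence noting that Azure Relay Owner grants `Microsoft.Relay/*` in both `actions` and `dataActions` (full control-plane and data-plane rights), whereas Listener and Sender share the same read-only control-plane actions and differ only in their data action, would also help readers choosing the least-privileged role.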
Role allows user or principal to read and export FHIR Data [Learn more](../healt
> | **DataActions** | | > | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | > | Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
+> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
+> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). |
> | **NotDataActions** | | > | *none* | |
Role allows user or principal to read and export FHIR Data [Learn more](../healt
"notActions": [], "dataActions": [ "Microsoft.HealthcareApis/services/fhir/resources/read",
- "Microsoft.HealthcareApis/services/fhir/resources/export/action"
+ "Microsoft.HealthcareApis/services/fhir/resources/export/action",
+ "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
+ "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
], "notDataActions": [] }
View permissions for Security Center. Can view recommendations, alerts, a securi
> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/*/read | Read security components and policies | > | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/*/read | | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/*/read | |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/downloadManagerActivation/action | Download manager activation file with subscription quota data |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotSensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors |
+> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/packageDownloads/action | |
+> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/downloadManagerActivation/action | |
+> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotSensors/downloadResetPassword/action | |
> | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information | > | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/defenderSettings/downloadManagerActivation/action | Download manager activation file | > | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/sensors/* | |
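Review bot: the three `+` rows drop the descriptions for `iotDefenderSettings/packageDownloads/action`, `iotDefenderSettings/downloadManagerActivation/action` and `iotSensors/downloadResetPassword/action` while keeping the operations in the Security Reader role; the removed text ("Downloads reset password file for IoT Sensors" in particular) is exactly what someone auditing a Reader role needs in order to notice that it includes download actions, so keep the descriptions, or if these Microsoft.Security operations are deprecated in favour of the Microsoft.IoTSecurity rows below, say so in the cell.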
Can view costs and manage cost configuration (e.g. budgets, exports) [Learn more
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/configurations/read | |
-> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/recommendations/read | |
+> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/configurations/read | Get configurations |
+> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/recommendations/read | Reads recommendations |
> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | > | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/billingProperty/read | | > | **NotActions** | |
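Review bot: the two added descriptions use different verb forms, "Get configurations" versus "Reads recommendations"; pick one (the surrounding rows use the third person, "Gets the list of subscriptions"), and the same pair appears again in the Cost Management Reader hunk below.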
Can view cost data and configuration (e.g. budgets, exports) [Learn more](../cos
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/configurations/read | |
-> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/recommendations/read | |
+> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/configurations/read | Get configurations |
+> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/recommendations/read | Reads recommendations |
> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | > | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/billingProperty/read | | > | **NotActions** | |
role-based-access-control Resource Provider Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/role-based-access-control/resource-provider-operations.md
Previously updated : 07/13/2021 Last updated : 07/23/2021
Azure service: core
> | Action | Description | > | | | > | Microsoft.Support/register/action | Registers Support Resource Provider |
+> | Microsoft.Support/lookUpResourceId/action | Looks up resource Id for resource type |
> | Microsoft.Support/checkNameAvailability/action | Checks that name is valid and not in use for resource type | > | Microsoft.Support/operationresults/read | Gets the result of the asynchronous operation | > | Microsoft.Support/operations/read | Lists all operations available on Microsoft.Support resource provider |
Azure service: [Container Instances](../container-instances/index.yml)
> | Microsoft.ContainerInstance/containerGroups/containers/logs/read | Get logs for a specific container. | > | Microsoft.ContainerInstance/containerGroups/detectors/read | List Container Group Detectors | > | Microsoft.ContainerInstance/containerGroups/operationResults/read | Get async operation result |
+> | Microsoft.ContainerInstance/containerGroups/outboundNetworkDependenciesEndpoints/read | List Container Group Detectors |
> | Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the container group. | > | Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the container group. | > | Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for container group. |
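Review bot: the description on the new `outboundNetworkDependenciesEndpoints/read` row, "List Container Group Detectors", is copied from the `detectors/read` row above it and does not describe the operation; it should say something like "List the outbound network dependency endpoints of a container group", with the wording confirmed against the provider's own operation description.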
Azure service: [Azure Kubernetes Service (AKS)](../aks/index.yml)
> | Microsoft.ContainerService/managedClusters/read | Get a managed cluster | > | Microsoft.ContainerService/managedClusters/write | Creates a new managed cluster or updates an existing one | > | Microsoft.ContainerService/managedClusters/delete | Deletes a managed cluster |
+> | Microsoft.ContainerService/managedClusters/start/action | Starts a managed cluster |
+> | Microsoft.ContainerService/managedClusters/stop/action | Stops a managed cluster |
> | Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster | > | Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | > | Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster | > | Microsoft.ContainerService/managedClusters/resetServicePrincipalProfile/action | Reset the service principal profile of a managed cluster |
+> | Microsoft.ContainerService/managedClusters/resolvePrivateLinkServiceId/action | Resolve the private link service id of a managed cluster |
> | Microsoft.ContainerService/managedClusters/resetAADProfile/action | Reset the AAD profile of a managed cluster | > | Microsoft.ContainerService/managedClusters/rotateClusterCertificates/action | Rotate certificates of a managed cluster | > | Microsoft.ContainerService/managedClusters/runCommand/action | Run user issued command against managed kubernetes server. |
Azure service: [Azure Data Explorer](/azure/data-explorer/)
> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/read | Reads a private endpoint connection proxy | > | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/write | Writes a private endpoint connection proxy | > | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/delete | Deletes a private endpoint connection proxy |
-> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/read | Reads a private endpoint connection proxy |
-> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/write | Writes a private endpoint connection proxy |
-> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/delete | Deletes a private endpoint connection proxy |
> | Microsoft.Kusto/Clusters/PrivateEndpointConnections/read | Reads a private endpoint connection | > | Microsoft.Kusto/Clusters/PrivateEndpointConnections/write | Writes a private endpoint connection | > | Microsoft.Kusto/Clusters/PrivateLinkResources/read | Reads private link resources |
Azure service: [Azure Synapse Analytics](../synapse-analytics/index.yml)
> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnections/delete | Delete Private Endpoint Connection for PrivateLinkHub | > | Microsoft.Synapse/privateLinkHubs/privateLinkResources/read | Get a list of Private Link Resources | > | Microsoft.Synapse/resourceGroups/operationStatuses/read | Read any Async Operation Status. |
+> | Microsoft.Synapse/SKUs/read | Reads a SKU resource. |
> | Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action | Replaces all Ip Firewall Rules for the Workspace. | > | Microsoft.Synapse/workspaces/write | Create or Update any Workspaces. | > | Microsoft.Synapse/workspaces/read | Read any Workspaces. |
Azure service: [Azure Synapse Analytics](../synapse-analytics/index.yml)
> | Microsoft.Synapse/workspaces/kustoPools/Start/action | Starts the cluster. | > | Microsoft.Synapse/workspaces/kustoPools/Stop/action | Stops the cluster. | > | Microsoft.Synapse/workspaces/kustoPools/CheckNameAvailability/action | Checks the cluster name availability. |
+> | Microsoft.Synapse/workspaces/kustoPools/ListLanguageExtensions/action | Lists language extensions. |
+> | Microsoft.Synapse/workspaces/kustoPools/AddLanguageExtensions/action | Add language extensions. |
+> | Microsoft.Synapse/workspaces/kustoPools/RemoveLanguageExtensions/action | Remove language extensions. |
+> | Microsoft.Synapse/workspaces/kustoPools/DetachFollowerDatabases/action | Detaches follower's databases. |
+> | Microsoft.Synapse/workspaces/kustoPools/ListFollowerDatabases/action | Lists the follower's databases. |
> | Microsoft.Synapse/workspaces/kustoPools/Databases/read | Reads a database resource. | > | Microsoft.Synapse/workspaces/kustoPools/Databases/write | Writes a database resource. | > | Microsoft.Synapse/workspaces/kustoPools/Databases/delete | Deletes a database resource. |
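Review bot: the descriptions on the five added `kustoPools` rows mix third-person ("Lists language extensions.", "Detaches follower's databases.") with imperative ("Add language extensions.", "Remove language extensions."); the neighbouring rows in this table use third-person ("Starts the cluster.", "Stops the cluster."), so "Adds language extensions." and "Removes language extensions." would keep the table consistent.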
Azure service: [Azure Synapse Analytics](../synapse-analytics/index.yml)
> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/read | Reads a private endpoint connection proxy | > | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/write | Writes a private endpoint connection proxy | > | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/delete | Deletes a private endpoint connection proxy |
-> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnections/read | Reads a private endpoint connection |
-> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnections/write | Writes a private endpoint connection |
> | Microsoft.Synapse/workspaces/kustoPools/PrivateLinkResources/read | Reads private link resources |
+> | Microsoft.Synapse/workspaces/kustoPools/SKUs/read | Reads a cluster SKU resource. |
> | Microsoft.Synapse/workspaces/libraries/read | Read Library Artifacts | > | Microsoft.Synapse/workspaces/managedIdentitySqlControlSettings/write | Update Managed Identity SQL Control Settings on the workspace | > | Microsoft.Synapse/workspaces/managedIdentitySqlControlSettings/read | Get Managed Identity SQL Control Settings |
Azure service: [Azure Synapse Analytics](../synapse-analytics/index.yml)
> | Microsoft.Synapse/workspaces/privateEndpointConnections/write | Create or Update Private Endpoint Connection | > | Microsoft.Synapse/workspaces/privateEndpointConnections/read | Read any Private Endpoint Connection | > | Microsoft.Synapse/workspaces/privateEndpointConnections/delete | Delete Private Endpoint Connection |
+> | Microsoft.Synapse/workspaces/PrivateEndpointConnections/read | Reads a private endpoint connection |
+> | Microsoft.Synapse/workspaces/PrivateEndpointConnections/write | Writes a private endpoint connection |
> | Microsoft.Synapse/workspaces/privateLinkResources/read | Get a list of Private Link Resources | > | Microsoft.Synapse/workspaces/recoverableSqlpools/read | Gets recoverable SQL Analytics Pools, which are the resources representing geo backups of SQL Analytics Pools | > | Microsoft.Synapse/workspaces/restorableDroppedSqlPools/read | Gets a deleted Sql pool that can be restored |
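Review bot: the added `Microsoft.Synapse/workspaces/PrivateEndpointConnections/read` and `/write` rows differ only in letter case from the existing `Microsoft.Synapse/workspaces/privateEndpointConnections/read` and `/write` rows in the same table, and Azure operation names are matched case-insensitively, so they are duplicates. Given that the previous hunk removes `Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnections/read` and `/write`, these look like the same two rows re-added under the wrong parent; either drop them or restore them under `kustoPools`.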
Azure service: [Machine Learning Service](../machine-learning/index.yml)
> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/read | Gets the notebook files for a workspace | > | Microsoft.MachineLearningServices/workspaces/notebooks/storage/write | Writes files to the workspace storage | > | Microsoft.MachineLearningServices/workspaces/notebooks/storage/delete | Deletes files from workspace storage |
+> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/upload/action | Upload files to workspace storage |
+> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/download/action | Download files from workspace storage |
> | Microsoft.MachineLearningServices/workspaces/notebooks/vm/read | Gets the Notebook VMs for a particular workspace | > | Microsoft.MachineLearningServices/workspaces/notebooks/vm/write | Change the state of a Notebook VM | > | Microsoft.MachineLearningServices/workspaces/notebooks/vm/delete | Deletes a Notebook VM |
Azure service: [Azure Active Directory Domain Services](../active-directory-doma
> | Microsoft.AAD/domainServices/oucontainer/read | Read Ou Containers | > | Microsoft.AAD/domainServices/oucontainer/write | Write Ou Container | > | Microsoft.AAD/domainServices/oucontainer/delete | Delete Ou Container |
+> | Microsoft.AAD/domainServices/OutboundNetworkDependenciesEndpoints/read | Get the network endpoints of all outbound dependencies |
> | Microsoft.AAD/locations/operationresults/read | | > | Microsoft.AAD/Operations/read | |
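Review bot: missing descriptions on the `Microsoft.AAD/locations/operationresults/read` and `Microsoft.AAD/Operations/read` rows in the trailing context of this hunk (both have an empty description cell); since this table is being edited anyway, fill them in so readers building custom roles know what each operation grants.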
Azure service: [Security Center](../security-center/index.yml)
> | Microsoft.Security/deviceSecurityGroups/read | Gets IoT device security groups | > | Microsoft.Security/informationProtectionPolicies/read | Gets the information protection policies for the resource | > | Microsoft.Security/informationProtectionPolicies/write | Updates the information protection policies for the resource |
-> | Microsoft.Security/iotDefenderSettings/read | Gets IoT Defender Settings |
-> | Microsoft.Security/iotDefenderSettings/write | Create or updates IoT Defender Settings |
-> | Microsoft.Security/iotDefenderSettings/delete | Deletes IoT Defender Settings |
-> | Microsoft.Security/iotDefenderSettings/PackageDownloads/action | Gets downloadable IoT Defender packages information |
-> | Microsoft.Security/iotDefenderSettings/DownloadManagerActivation/action | Download manager activation file with subscription quota data |
> | Microsoft.Security/iotSecuritySolutions/write | Creates or updates IoT security solutions | > | Microsoft.Security/iotSecuritySolutions/delete | Deletes IoT security solutions | > | Microsoft.Security/iotSecuritySolutions/read | Gets IoT security solutions | > | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT security analytics model | > | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT alert types |
-> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT alert types |
> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT alerts |
-> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT alerts |
-> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT recommendation types |
> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT recommendation types | > | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT recommendations |
-> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT recommendations |
-> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets devices |
> | Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedAlerts/read | Gets IoT aggregated alerts | > | Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedAlerts/dismiss/action | Dismisses IoT aggregated alerts | > | Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedRecommendations/read | Gets IoT aggregated recommendations |
-> | Microsoft.Security/iotSensors/read | Gets IoT Sensors |
-> | Microsoft.Security/iotSensors/write | Create or updates IoT Sensors |
-> | Microsoft.Security/iotSensors/delete | Deletes IoT Sensors |
-> | Microsoft.Security/iotSensors/DownloadActivation/action | Downloads activation file for IoT Sensors |
-> | Microsoft.Security/iotSensors/TriggerTiPackageUpdate/action | Triggers threat intelligence package update |
-> | Microsoft.Security/iotSensors/DownloadResetPassword/action | Downloads reset password file for IoT Sensors |
-> | Microsoft.Security/iotSite/read | Gets IoT site |
-> | Microsoft.Security/iotSite/write | Creates or updates IoT site |
-> | Microsoft.Security/iotSite/delete | Deletes IoT site |
> | Microsoft.Security/locations/read | Gets the security data location | > | Microsoft.Security/locations/alerts/read | Gets all available security alerts | > | Microsoft.Security/locations/alerts/dismiss/action | Dismiss a security alert | > | Microsoft.Security/locations/alerts/activate/action | Activate a security alert |
-> | Microsoft.Security/locations/alerts/resolve/action | Resolve a security alert |
-> | Microsoft.Security/locations/alerts/simulate/action | Simulate a security alert |
> | Microsoft.Security/locations/jitNetworkAccessPolicies/read | Gets the just-in-time network access policies | > | Microsoft.Security/locations/jitNetworkAccessPolicies/write | Creates a new just-in-time network access policy or updates an existing one | > | Microsoft.Security/locations/jitNetworkAccessPolicies/delete | Deletes the just-in-time network access policy |
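Review bot: the de-duplication of `Microsoft.Security/iotSecuritySolutions/analyticsModels/read` is incomplete: after the removals, the same operation is still listed five times in this hunk with five different descriptions ("Gets IoT security analytics model", "Gets IoT alert types", "Gets IoT alerts", "Gets IoT recommendation types", "Gets IoT recommendations"). One operation name should appear once with a single description. Separately, this hunk deletes the whole `iotDefenderSettings`, `iotSensors` and `iotSite` families plus `locations/alerts/resolve/action` and `locations/alerts/simulate/action` with no replacement listed; confirm these operations are actually retired in the provider rather than moved, since a missing row in this table reads as "not available" to anyone authoring a custom role.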
Azure service: [Security Center](../security-center/index.yml)
> | Microsoft.Security/pricings/read | Gets the pricing settings for the scope | > | Microsoft.Security/pricings/write | Updates the pricing settings for the scope | > | Microsoft.Security/pricings/delete | Deletes the pricing settings for the scope |
-> | Microsoft.Security/secureScoreControlDefinitions/read | Get secure score control definition |
-> | Microsoft.Security/secureScoreControls/read | Get calculated secure score control for your subscription |
-> | Microsoft.Security/secureScores/read | Get calculated secure score for your subscription |
-> | Microsoft.Security/secureScores/secureScoreControls/read | Get calculated secure score control for your secure score calculation |
> | Microsoft.Security/securityContacts/read | Gets the security contact | > | Microsoft.Security/securityContacts/write | Updates the security contact | > | Microsoft.Security/securityContacts/delete | Deletes the security contact |
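Review bot: this hunk drops all four `secureScore*` read operations (`secureScoreControlDefinitions/read`, `secureScoreControls/read`, `secureScores/read`, `secureScores/secureScoreControls/read`) without a replacement; confirm the provider no longer exposes them before removing, because custom roles that grant read-only Security Center access are built from this table.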
Azure service: [Azure Lab Services](../lab-services/index.yml)
> | Microsoft.DevTestLab/labs/schedules/write | Add or modify schedules. | > | Microsoft.DevTestLab/labs/schedules/Execute/action | Execute a schedule. | > | Microsoft.DevTestLab/labs/schedules/ListApplicable/action | Lists all applicable schedules |
+> | Microsoft.DevTestLab/labs/secrets/delete | Delete lab secrets. |
+> | Microsoft.DevTestLab/labs/secrets/read | Read lab secrets. |
+> | Microsoft.DevTestLab/labs/secrets/write | Add or modify lab secrets. |
> | Microsoft.DevTestLab/labs/serviceRunners/delete | Delete service runners. | > | Microsoft.DevTestLab/labs/serviceRunners/read | Read service runners. | > | Microsoft.DevTestLab/labs/serviceRunners/write | Add or modify service runners. |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.Insights/AutoscaleSettings/Delete | Delete an autoscale setting | > | Microsoft.Insights/AutoscaleSettings/Read | Read an autoscale setting | > | Microsoft.Insights/AutoscaleSettings/Scaleup/Action | Autoscale scale up initiated |
+> | Microsoft.Insights/AutoscaleSettings/PredictiveScaleup/Action | Predictive Autoscale scale up initiated |
> | Microsoft.Insights/AutoscaleSettings/Scaledown/Action | Autoscale scale down initiated |
+> | Microsoft.Insights/AutoscaleSettings/PredictiveScaleupResult/Action | Predictive Autoscale scale up completed |
> | Microsoft.Insights/AutoscaleSettings/ScaleupResult/Action | Autoscale scale up completed | > | Microsoft.Insights/AutoscaleSettings/ScaledownResult/Action | Autoscale scale down completed | > | Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/diagnosticSettings/Read | Read a resource diagnostic setting |
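Review bot: the hunk adds `PredictiveScaleup/Action` and `PredictiveScaleupResult/Action` but no `PredictiveScaledown` counterparts, while the existing rows come in `Scaleup`/`Scaledown` and `ScaleupResult`/`ScaledownResult` pairs; confirm whether predictive autoscale only ever scales up or whether two rows are missing. Also, `PredictiveScaleupResult/Action` is inserted between `Scaledown/Action` and `ScaleupResult/Action`, which breaks the initiated/completed grouping of the surrounding rows; place it next to `PredictiveScaleup/Action` or after `ScaledownResult/Action`.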
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesLogonLogoff/read | Read data from the AADDomainServicesLogonLogoff table | > | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesPolicyChange/read | Read data from the AADDomainServicesPolicyChange table | > | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesPrivilegeUse/read | Read data from the AADDomainServicesPrivilegeUse table |
-> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesSystemSecurity/read | Read data from the AADDomainServicesSystemSecurity table |
> | Microsoft.OperationalInsights/workspaces/query/AADManagedIdentitySignInLogs/read | Read data from the AADManagedIdentitySignInLogs table | > | Microsoft.OperationalInsights/workspaces/query/AADNonInteractiveUserSignInLogs/read | Read data from the AADNonInteractiveUserSignInLogs table | > | Microsoft.OperationalInsights/workspaces/query/AADProvisioningLogs/read | Read data from the AADProvisioningLogs table |
+> | Microsoft.OperationalInsights/workspaces/query/AADRiskyUsers/read | Read data from the AADRiskyUsers table |
> | Microsoft.OperationalInsights/workspaces/query/AADServicePrincipalSignInLogs/read | Read data from the AADServicePrincipalSignInLogs table |
+> | Microsoft.OperationalInsights/workspaces/query/AADUserRiskEvents/read | Read data from the AADUserRiskEvents table |
> | Microsoft.OperationalInsights/workspaces/query/ABSBotRequests/read | Read data from the ABSBotRequests table | > | Microsoft.OperationalInsights/workspaces/query/ABSChannelToBotRequests/read | Read data from the ABSChannelToBotRequests table | > | Microsoft.OperationalInsights/workspaces/query/ABSDependenciesRequests/read | Read data from the ABSDependenciesRequests table |
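Review bot: this hunk removes `Microsoft.OperationalInsights/workspaces/query/AADDomainServicesSystemSecurity/read` while the other `AADDomainServices*` table reads (`LogonLogoff`, `PolicyChange`, `PrivilegeUse`) stay; confirm the table was actually retired, since a read permission on a security-event table disappearing from this list affects roles scoped to Azure AD Domain Services audit data.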
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/ADFSSISPackageExecutionDataStatistics/read | Read data from the ADFSSISPackageExecutionDataStatistics table | > | Microsoft.OperationalInsights/workspaces/query/ADFTriggerRun/read | Read data from the ADFTriggerRun table | > | Microsoft.OperationalInsights/workspaces/query/ADPAudit/read | Read data from the ADPAudit table |
+> | Microsoft.OperationalInsights/workspaces/query/ADPDiagnostics/read | Read data from the ADPDiagnostics table |
> | Microsoft.OperationalInsights/workspaces/query/ADPRequests/read | Read data from the ADPRequests table | > | Microsoft.OperationalInsights/workspaces/query/ADReplicationResult/read | Read data from the ADReplicationResult table | > | Microsoft.OperationalInsights/workspaces/query/ADSecurityAssessmentRecommendation/read | Read data from the ADSecurityAssessmentRecommendation table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/AmlComputeClusterEvent/read | Read data from the AmlComputeClusterEvent table | > | Microsoft.OperationalInsights/workspaces/query/AmlComputeClusterNodeEvent/read | Read data from the AmlComputeClusterNodeEvent table | > | Microsoft.OperationalInsights/workspaces/query/AmlComputeCpuGpuUtilization/read | Read data from the AmlComputeCpuGpuUtilization table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlComputeInstanceEvent/read | Read data from the AmlComputeInstanceEvent table |
> | Microsoft.OperationalInsights/workspaces/query/AmlComputeJobEvent/read | Read data from the AmlComputeJobEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlDataLabelEvent/read | Read data from the AmlDataLabelEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlDataSetEvent/read | Read data from the AmlDataSetEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlDataStoreEvent/read | Read data from the AmlDataStoreEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlDeploymentEvent/read | Read data from the AmlDeploymentEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlInferencingEvent/read | Read data from the AmlInferencingEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlModelsEvent/read | Read data from the AmlModelsEvent table |
> | Microsoft.OperationalInsights/workspaces/query/AmlOnlineEndpointConsoleLog/read | Read data from the AmlOnlineEndpointConsoleLog table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlPipelineEvent/read | Read data from the AmlPipelineEvent table |
+> | Microsoft.OperationalInsights/workspaces/query/AmlRunEvent/read | Read data from the AmlRunEvent table |
> | Microsoft.OperationalInsights/workspaces/query/AmlRunStatusChangedEvent/read | Read data from the AmlRunStatusChangedEvent table | > | Microsoft.OperationalInsights/workspaces/query/Anomalies/read | Read data from the Anomalies table | > | Microsoft.OperationalInsights/workspaces/query/ApiManagementGatewayLogs/read | Read data from the ApiManagementGatewayLogs table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/AppPlatformSystemLogs/read | Read data from the AppPlatformSystemLogs table | > | Microsoft.OperationalInsights/workspaces/query/AppRequests/read | Read data from the AppRequests table | > | Microsoft.OperationalInsights/workspaces/query/AppServiceAntivirusScanAuditLogs/read | Read data from the AppServiceAntivirusScanAuditLogs table |
-> | Microsoft.OperationalInsights/workspaces/query/AppServiceAntivirusScanLogs/read | Read data from the AppServiceAntivirusScanLogs table |
> | Microsoft.OperationalInsights/workspaces/query/AppServiceAppLogs/read | Read data from the AppServiceAppLogs table | > | Microsoft.OperationalInsights/workspaces/query/AppServiceAuditLogs/read | Read data from the AppServiceAuditLogs table | > | Microsoft.OperationalInsights/workspaces/query/AppServiceConsoleLogs/read | Read data from the AppServiceConsoleLogs table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/AutoscaleEvaluationsLog/read | Read data from the AutoscaleEvaluationsLog table | > | Microsoft.OperationalInsights/workspaces/query/AutoscaleScaleActionsLog/read | Read data from the AutoscaleScaleActionsLog table | > | Microsoft.OperationalInsights/workspaces/query/AWSCloudTrail/read | Read data from the AWSCloudTrail table |
+> | Microsoft.OperationalInsights/workspaces/query/AWSGuardDuty/read | Read data from the AWSGuardDuty table |
+> | Microsoft.OperationalInsights/workspaces/query/AWSVPCFlow/read | Read data from the AWSVPCFlow table |
> | Microsoft.OperationalInsights/workspaces/query/AzureActivity/read | Read data from the AzureActivity table | > | Microsoft.OperationalInsights/workspaces/query/AzureActivityV2/read | Read data from the AzureActivityV2 table | > | Microsoft.OperationalInsights/workspaces/query/AzureAssessmentRecommendation/read | Read data from the AzureAssessmentRecommendation table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/BehaviorAnalytics/read | Read data from the BehaviorAnalytics table | > | Microsoft.OperationalInsights/workspaces/query/BlockchainApplicationLog/read | Read data from the BlockchainApplicationLog table | > | Microsoft.OperationalInsights/workspaces/query/BlockchainProxyLog/read | Read data from the BlockchainProxyLog table |
-> | Microsoft.OperationalInsights/workspaces/query/BoundPort/read | Read data from the BoundPort table |
> | Microsoft.OperationalInsights/workspaces/query/CDBCassandraRequests/read | Read data from the CDBCassandraRequests table | > | Microsoft.OperationalInsights/workspaces/query/CDBControlPlaneRequests/read | Read data from the CDBControlPlaneRequests table | > | Microsoft.OperationalInsights/workspaces/query/CDBDataPlaneRequests/read | Read data from the CDBDataPlaneRequests table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/DatabricksSecrets/read | Read data from the DatabricksSecrets table | > | Microsoft.OperationalInsights/workspaces/query/DatabricksSQLPermissions/read | Read data from the DatabricksSQLPermissions table | > | Microsoft.OperationalInsights/workspaces/query/DatabricksSSH/read | Read data from the DatabricksSSH table |
-> | Microsoft.OperationalInsights/workspaces/query/DatabricksTables/read | Read data from the DatabricksTables table |
> | Microsoft.OperationalInsights/workspaces/query/DatabricksWorkspace/read | Read data from the DatabricksWorkspace table | > | Microsoft.OperationalInsights/workspaces/query/dependencies/read | Read data from the dependencies table | > | Microsoft.OperationalInsights/workspaces/query/DeviceAppCrash/read | Read data from the DeviceAppCrash table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/DeviceRegistryEvents/read | Read data from the DeviceRegistryEvents table | > | Microsoft.OperationalInsights/workspaces/query/DeviceSkypeHeartbeat/read | Read data from the DeviceSkypeHeartbeat table | > | Microsoft.OperationalInsights/workspaces/query/DeviceSkypeSignIn/read | Read data from the DeviceSkypeSignIn table |
-> | Microsoft.OperationalInsights/workspaces/query/DeviceSleepState/read | Read data from the DeviceSleepState table |
-> | Microsoft.OperationalInsights/workspaces/query/DHAppFailure/read | Read data from the DHAppFailure table |
> | Microsoft.OperationalInsights/workspaces/query/DHAppReliability/read | Read data from the DHAppReliability table |
-> | Microsoft.OperationalInsights/workspaces/query/DHCPActivity/read | Read data from the DHCPActivity table |
> | Microsoft.OperationalInsights/workspaces/query/DHDriverReliability/read | Read data from the DHDriverReliability table | > | Microsoft.OperationalInsights/workspaces/query/DHLogonFailures/read | Read data from the DHLogonFailures table | > | Microsoft.OperationalInsights/workspaces/query/DHLogonMetrics/read | Read data from the DHLogonMetrics table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/FunctionAppLogs/read | Read data from the FunctionAppLogs table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightAmbariClusterAlerts/read | Read data from the HDInsightAmbariClusterAlerts table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightAmbariSystemMetrics/read | Read data from the HDInsightAmbariSystemMetrics table |
-> | Microsoft.OperationalInsights/workspaces/query/HDInsightGatewayAuditLogs/read | Read data from the HDInsightGatewayAuditLogs table |
> | Microsoft.OperationalInsights/workspaces/query/HDInsightHadoopAndYarnLogs/read | Read data from the HDInsightHadoopAndYarnLogs table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightHadoopAndYarnMetrics/read | Read data from the HDInsightHadoopAndYarnMetrics table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightHBaseLogs/read | Read data from the HDInsightHBaseLogs table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkBlockManagerEvents/read | Read data from the HDInsightSparkBlockManagerEvents table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkEnvironmentEvents/read | Read data from the HDInsightSparkEnvironmentEvents table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkExecutorEvents/read | Read data from the HDInsightSparkExecutorEvents table |
-> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkExtraEvents/read | Read data from the HDInsightSparkExtraEvents table |
> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkJobEvents/read | Read data from the HDInsightSparkJobEvents table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkLogs/read | Read data from the HDInsightSparkLogs table | > | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkSQLExecutionEvents/read | Read data from the HDInsightSparkSQLExecutionEvents table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/HuntingBookmark/read | Read data from the HuntingBookmark table | > | Microsoft.OperationalInsights/workspaces/query/IdentityInfo/read | Read data from the IdentityInfo table | > | Microsoft.OperationalInsights/workspaces/query/IISAssessmentRecommendation/read | Read data from the IISAssessmentRecommendation table |
-> | Microsoft.OperationalInsights/workspaces/query/InboundConnection/read | Read data from the InboundConnection table |
> | Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read | Read data from the InsightsMetrics table | > | Microsoft.OperationalInsights/workspaces/query/IntuneAuditLogs/read | Read data from the IntuneAuditLogs table | > | Microsoft.OperationalInsights/workspaces/query/IntuneDeviceComplianceOrg/read | Read data from the IntuneDeviceComplianceOrg table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/MADevice/read | Read data from the MADevice table | > | Microsoft.OperationalInsights/workspaces/query/MADeviceNotEnrolled/read | Read data from the MADeviceNotEnrolled table | > | Microsoft.OperationalInsights/workspaces/query/MADeviceNRT/read | Read data from the MADeviceNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MADevicePnPHealth/read | Read data from the MADevicePnPHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MADevicePnPHealthAlternativeVersions/read | Read data from the MADevicePnPHealthAlternativeVersions table |
-> | Microsoft.OperationalInsights/workspaces/query/MADevicePnPHealthIssues/read | Read data from the MADevicePnPHealthIssues table |
> | Microsoft.OperationalInsights/workspaces/query/MADeviceReadiness/read | Read data from the MADeviceReadiness table | > | Microsoft.OperationalInsights/workspaces/query/MADriverInstanceReadiness/read | Read data from the MADriverInstanceReadiness table | > | Microsoft.OperationalInsights/workspaces/query/MADriverReadiness/read | Read data from the MADriverReadiness table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddin/read | Read data from the MAOfficeAddin table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinEntityHealth/read | Read data from the MAOfficeAddinEntityHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinHealth/read | Read data from the MAOfficeAddinHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinHealthEventNRT/read | Read data from the MAOfficeAddinHealthEventNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinHealthIssues/read | Read data from the MAOfficeAddinHealthIssues table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinInstance/read | Read data from the MAOfficeAddinInstance table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinInstanceReadiness/read | Read data from the MAOfficeAddinInstanceReadiness table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinReadiness/read | Read data from the MAOfficeAddinReadiness table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeApp/read | Read data from the MAOfficeApp table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppCrashesNRT/read | Read data from the MAOfficeAppCrashesNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppHealth/read | Read data from the MAOfficeAppHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppInstance/read | Read data from the MAOfficeAppInstance table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppInstanceHealth/read | Read data from the MAOfficeAppInstanceHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppReadiness/read | Read data from the MAOfficeAppReadiness table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppSessionsNRT/read | Read data from the MAOfficeAppSessionsNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeBuildInfo/read | Read data from the MAOfficeBuildInfo table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeCurrencyAssessment/read | Read data from the MAOfficeCurrencyAssessment table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeCurrencyAssessmentDailyCounts/read | Read data from the MAOfficeCurrencyAssessmentDailyCounts table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeDeploymentStatus/read | Read data from the MAOfficeDeploymentStatus table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeDeploymentStatusNRT/read | Read data from the MAOfficeDeploymentStatusNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroErrorNRT/read | Read data from the MAOfficeMacroErrorNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroGlobalHealth/read | Read data from the MAOfficeMacroGlobalHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroHealth/read | Read data from the MAOfficeMacroHealth table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroHealthIssues/read | Read data from the MAOfficeMacroHealthIssues table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroIssueInstanceReadiness/read | Read data from the MAOfficeMacroIssueInstanceReadiness table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroIssueReadiness/read | Read data from the MAOfficeMacroIssueReadiness table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeMacroSummary/read | Read data from the MAOfficeMacroSummary table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeSuite/read | Read data from the MAOfficeSuite table |
-> | Microsoft.OperationalInsights/workspaces/query/MAOfficeSuiteInstance/read | Read data from the MAOfficeSuiteInstance table |
> | Microsoft.OperationalInsights/workspaces/query/MAProposedPilotDevices/read | Read data from the MAProposedPilotDevices table | > | Microsoft.OperationalInsights/workspaces/query/MAWindowsBuildInfo/read | Read data from the MAWindowsBuildInfo table | > | Microsoft.OperationalInsights/workspaces/query/MAWindowsCurrencyAssessment/read | Read data from the MAWindowsCurrencyAssessment table | > | Microsoft.OperationalInsights/workspaces/query/MAWindowsCurrencyAssessmentDailyCounts/read | Read data from the MAWindowsCurrencyAssessmentDailyCounts table | > | Microsoft.OperationalInsights/workspaces/query/MAWindowsDeploymentStatus/read | Read data from the MAWindowsDeploymentStatus table | > | Microsoft.OperationalInsights/workspaces/query/MAWindowsDeploymentStatusNRT/read | Read data from the MAWindowsDeploymentStatusNRT table |
-> | Microsoft.OperationalInsights/workspaces/query/MAWindowsSysReqInstanceReadiness/read | Read data from the MAWindowsSysReqInstanceReadiness table |
> | Microsoft.OperationalInsights/workspaces/query/McasShadowItReporting/read | Read data from the McasShadowItReporting table | > | Microsoft.OperationalInsights/workspaces/query/MCCEventLogs/read | Read data from the MCCEventLogs table | > | Microsoft.OperationalInsights/workspaces/query/MCVPOperationLogs/read | Read data from the MCVPOperationLogs table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/NetworkMonitoring/read | Read data from the NetworkMonitoring table | > | Microsoft.OperationalInsights/workspaces/query/NetworkSessions/read | Read data from the NetworkSessions table | > | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorDestinationListenerResult/read | Read data from the NWConnectionMonitorDestinationListenerResult table |
-> | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorDNSResult/read | Read data from the NWConnectionMonitorDNSResult table |
> | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorPathResult/read | Read data from the NWConnectionMonitorPathResult table | > | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorTestResult/read | Read data from the NWConnectionMonitorTestResult table | > | Microsoft.OperationalInsights/workspaces/query/OfficeActivity/read | Read data from the OfficeActivity table | > | Microsoft.OperationalInsights/workspaces/query/Operation/read | Read data from the Operation table |
-> | Microsoft.OperationalInsights/workspaces/query/OutboundConnection/read | Read data from the OutboundConnection table |
> | Microsoft.OperationalInsights/workspaces/query/Perf/read | Read data from the Perf table | > | Microsoft.OperationalInsights/workspaces/query/PowerBIDatasetsTenant/read | Read data from the PowerBIDatasetsTenant table | > | Microsoft.OperationalInsights/workspaces/query/PowerBIDatasetsTenantPreview/read | Read data from the PowerBIDatasetsTenantPreview table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/SQLAssessmentRecommendation/read | Read data from the SQLAssessmentRecommendation table | > | Microsoft.OperationalInsights/workspaces/query/SqlAtpStatus/read | Read data from the SqlAtpStatus table | > | Microsoft.OperationalInsights/workspaces/query/SqlDataClassification/read | Read data from the SqlDataClassification table |
-> | Microsoft.OperationalInsights/workspaces/query/SQLQueryPerformance/read | Read data from the SQLQueryPerformance table |
> | Microsoft.OperationalInsights/workspaces/query/SQLSecurityAuditEvents/read | Read data from the SQLSecurityAuditEvents table | > | Microsoft.OperationalInsights/workspaces/query/SqlVulnerabilityAssessmentResult/read | Read data from the SqlVulnerabilityAssessmentResult table | > | Microsoft.OperationalInsights/workspaces/query/SqlVulnerabilityAssessmentScanStatus/read | Read data from the SqlVulnerabilityAssessmentScanStatus table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/SynapseGatewayApiRequests/read | Read data from the SynapseGatewayApiRequests table | > | Microsoft.OperationalInsights/workspaces/query/SynapseGatewayEvents/read | Read data from the SynapseGatewayEvents table | > | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationActivityRuns/read | Read data from the SynapseIntegrationActivityRuns table |
-> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationActivityRunsEnded/read | Read data from the SynapseIntegrationActivityRunsEnded table |
> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationPipelineRuns/read | Read data from the SynapseIntegrationPipelineRuns table |
-> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationPipelineRunsEnded/read | Read data from the SynapseIntegrationPipelineRunsEnded table |
> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationTriggerRuns/read | Read data from the SynapseIntegrationTriggerRuns table |
-> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationTriggerRunsEnded/read | Read data from the SynapseIntegrationTriggerRunsEnded table |
> | Microsoft.OperationalInsights/workspaces/query/SynapseRBACEvents/read | Read data from the SynapseRBACEvents table | > | Microsoft.OperationalInsights/workspaces/query/SynapseRbacOperations/read | Read data from the SynapseRbacOperations table | > | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolDmsWorkers/read | Read data from the SynapseSqlPoolDmsWorkers table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolSqlRequests/read | Read data from the SynapseSqlPoolSqlRequests table | > | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolWaits/read | Read data from the SynapseSqlPoolWaits table | > | Microsoft.OperationalInsights/workspaces/query/Syslog/read | Read data from the Syslog table |
-> | Microsoft.OperationalInsights/workspaces/query/SysmonEvent/read | Read data from the SysmonEvent table |
> | Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read | Reading data from any custom log | > | Microsoft.OperationalInsights/workspaces/query/ThreatIntelligenceIndicator/read | Read data from the ThreatIntelligenceIndicator table | > | Microsoft.OperationalInsights/workspaces/query/TSIIngress/read | Read data from the TSIIngress table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/UADriver/read | Read data from the UADriver table | > | Microsoft.OperationalInsights/workspaces/query/UADriverProblemCodes/read | Read data from the UADriverProblemCodes table | > | Microsoft.OperationalInsights/workspaces/query/UAFeedback/read | Read data from the UAFeedback table |
-> | Microsoft.OperationalInsights/workspaces/query/UAHardwareSecurity/read | Read data from the UAHardwareSecurity table |
> | Microsoft.OperationalInsights/workspaces/query/UAIESiteDiscovery/read | Read data from the UAIESiteDiscovery table | > | Microsoft.OperationalInsights/workspaces/query/UAOfficeAddIn/read | Read data from the UAOfficeAddIn table | > | Microsoft.OperationalInsights/workspaces/query/UAProposedActionPlan/read | Read data from the UAProposedActionPlan table |
Azure service: [Azure Monitor](../azure-monitor/index.yml)
> | Microsoft.OperationalInsights/workspaces/query/VMConnection/read | Read data from the VMConnection table | > | Microsoft.OperationalInsights/workspaces/query/VMProcess/read | Read data from the VMProcess table | > | Microsoft.OperationalInsights/workspaces/query/W3CIISLog/read | Read data from the W3CIISLog table |
-> | Microsoft.OperationalInsights/workspaces/query/W3CIISLogV2/read | Read data from the W3CIISLogV2 table |
> | Microsoft.OperationalInsights/workspaces/query/WaaSDeploymentStatus/read | Read data from the WaaSDeploymentStatus table | > | Microsoft.OperationalInsights/workspaces/query/WaaSInsiderStatus/read | Read data from the WaaSInsiderStatus table | > | Microsoft.OperationalInsights/workspaces/query/WaaSUpdateStatus/read | Read data from the WaaSUpdateStatus table |
Azure service: [Azure Advisor](../advisor/index.yml)
> [!div class="mx-tableFixed"] > | Action | Description | > | | |
+> | Microsoft.Advisor/generateRecommendations/action | Gets generate recommendations status |
+> | Microsoft.Advisor/register/action | Registers the subscription for the Microsoft Advisor |
+> | Microsoft.Advisor/unregister/action | Unregisters the subscription for the Microsoft Advisor |
> | Microsoft.Advisor/advisorScore/read | Gets the score data for given subscription |
+> | Microsoft.Advisor/configurations/read | Get configurations |
+> | Microsoft.Advisor/configurations/write | Creates/updates configuration |
+> | Microsoft.Advisor/generateRecommendations/read | Gets generate recommendations status |
+> | Microsoft.Advisor/metadata/read | Get Metadata |
+> | Microsoft.Advisor/operations/read | Gets the operations for the Microsoft Advisor |
+> | Microsoft.Advisor/recommendations/read | Reads recommendations |
+> | Microsoft.Advisor/recommendations/available/action | New recommendation is available in Microsoft Advisor |
+> | Microsoft.Advisor/recommendations/suppressions/read | Gets suppressions |
+> | Microsoft.Advisor/recommendations/suppressions/write | Creates/updates suppressions |
+> | Microsoft.Advisor/recommendations/suppressions/delete | Deletes suppression |
+> | Microsoft.Advisor/suppressions/read | Gets suppressions |
+> | Microsoft.Advisor/suppressions/write | Creates/updates suppressions |
+> | Microsoft.Advisor/suppressions/delete | Deletes suppression |
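Review bot: the first added row, `Microsoft.Advisor/generateRecommendations/action`, carries the description "Gets generate recommendations status", which is word-for-word the description of the `generateRecommendations/read` row added further down; the operation name indicates that the `/action` variant triggers generation while `/read` reports its status, so the two rows need distinct descriptions (for example "Starts generation of recommendations for the subscription" on the `/action` row). The added `register/action` and `unregister/action` rows are also inserted above the unchanged `advisorScore/read` row while every other new row follows alphabetical order, so moving them below it keeps the table sorted like the rest of the page. Minor: the section header says Azure Advisor but the new descriptions say "Microsoft Advisor"; pick one name.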
### Microsoft.Authorization
Azure service: [Batch](../batch/index.yml)
> | Microsoft.Batch/batchAccounts/certificates/delete | Deletes a certificate from a Batch account | > | Microsoft.Batch/batchAccounts/certificates/cancelDelete/action | Cancels the failed deletion of a certificate on a Batch account | > | Microsoft.Batch/batchAccounts/operationResults/read | Gets the results of a long running Batch account operation |
+> | Microsoft.Batch/batchAccounts/outboundNetworkDependenciesEndpoints/read | Lists the outbound network dependency endpoints for a Batch account |
> | Microsoft.Batch/batchAccounts/poolOperationResults/read | Gets the results of a long running pool operation on a Batch account | > | Microsoft.Batch/batchAccounts/pools/read | Lists pools on a Batch account or gets the properties of a pool | > | Microsoft.Batch/batchAccounts/pools/write | Creates a new pool on a Batch account or updates an existing pool |
Azure service: [Batch](../batch/index.yml)
> | Microsoft.Batch/batchAccounts/privateLinkResources/read | Gets the properties of a Private link resource or Lists Private link resources on a Batch account | > | Microsoft.Batch/locations/checkNameAvailability/action | Checks that the account name is valid and not in use. | > | Microsoft.Batch/locations/accountOperationResults/read | Gets the results of a long running Batch account operation |
+> | Microsoft.Batch/locations/cloudServiceSkus/read | Lists available Batch supported Cloud Service VM sizes at the given location |
> | Microsoft.Batch/locations/quotas/read | Gets Batch quotas of the specified subscription at the specified Azure region |
+> | Microsoft.Batch/locations/virtualMachineSkus/read | Lists available Batch supported Virtual Machine VM sizes at the given location |
> | Microsoft.Batch/operations/read | Lists operations available on Microsoft.Batch resource provider | > | **DataAction** | **Description** | > | Microsoft.Batch/batchAccounts/jobs/read | Lists jobs on a Batch account or gets the properties of a job |
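Review bot: the descriptions of the two added SKU rows are inconsistent with each other: `cloudServiceSkus/read` says "Cloud Service VM sizes" while `virtualMachineSkus/read` says "Virtual Machine VM sizes", which repeats itself. Suggest parallel wording such as "Lists the Batch-supported VM sizes for Cloud Services at the given location" and "Lists the Batch-supported VM sizes for Virtual Machines at the given location".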
Azure service: [Cost Management + Billing](../cost-management-billing/index.yml)
> [!div class="mx-tableFixed"] > | Action | Description | > | | |
-> | Microsoft.Billing/billingAccounts/read | |
-> | Microsoft.Billing/billingAccounts/listInvoiceSectionsWithCreateSubscriptionPermission/action | |
-> | Microsoft.Billing/billingAccounts/write | |
-> | Microsoft.Billing/billingAccounts/confirmTransition/action | |
-> | Microsoft.Billing/billingAccounts/agreements/read | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/write | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/read | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/write | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/write | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/read | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/write | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/validateDeleteInvoiceSectionEligibility/write | |
-> | Microsoft.Billing/billingAccounts/billingProfiles/validateDeleteBillingProfileEligibility/write | |
> | Microsoft.Billing/billingAccounts/billingSubscriptions/downloadDocuments/action | Download invoice using download link from list |
-> | Microsoft.Billing/billingAccounts/policies/read | |
-> | Microsoft.Billing/billingAccounts/policies/write | |
+> | Microsoft.Billing/billingPeriods/read | |
+> | Microsoft.Billing/billingProperty/read | |
> | Microsoft.Billing/billingProperty/write | | > | Microsoft.Billing/invoices/read | |
-> | Microsoft.Billing/invoices/download/action | Download invoice using download link from list |
-> | Microsoft.Billing/operations/read | |
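Review bot: the two added rows, `Microsoft.Billing/billingPeriods/read` and `Microsoft.Billing/billingProperty/read`, have an empty Description cell, as do the unchanged `billingProperty/write` and `invoices/read` rows around them, so a reader auditing a custom role cannot tell from this table what any of these `read` permissions grant; please add a one-line description to each new row before merging rather than extending the pattern of blank cells. Separately, the removed `invoices/download/action` row was the only one in this block with a description ("Download invoice using download link from list"), and the unchanged `billingSubscriptions/downloadDocuments/action` row keeps the identical text; a sentence in the commit message saying whether the former was retired or folded into the latter would help readers who still see `invoices/download/action` in existing role definitions.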
### Microsoft.Blueprint
Azure service: [Azure Arc](../azure-arc/index.yml)
> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read | Read any Azure Arc privateEndpointConnections | > | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/write | Writes an Azure Arc privateEndpointConnections | > | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/delete | Deletes an Azure Arc privateEndpointConnections |
+> | **DataAction** | **Description** |
+> | Microsoft.HybridCompute/machines/login/action | Log in to a Azure Arc machine as a regular user |
+> | Microsoft.HybridCompute/machines/loginAsAdmin/action | Log in to a Azure Arc machine with Windows administrator or Linux root user privilege |
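Review bot: the `**DataAction**` header row is the only signal that the two added rows are data-plane permissions, and `loginAsAdmin/action` grants Windows administrator or Linux root privilege on the machine, so the descriptions should say explicitly that these are separate data-plane operations rather than reading as a continuation of the `privateLinkScopes/*` control-plane rows above them; suggest "Log in to an Azure Arc machine as a regular user (data-plane permission)" and the corresponding wording for the admin row so that the privilege difference is visible in the table. Also fix the article in both rows: "a Azure Arc machine" should be "an Azure Arc machine".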
### Microsoft.Kubernetes
Azure service: [Site Recovery](../site-recovery/index.yml)
> | Action | Description | > | | | > | Microsoft.RecoveryServices/register/action | Registers subscription for given Resource Provider |
-> | Microsoft.RecoveryServices/Locations/backupCrossRegionRestore/action | Trigger Cross region restore. |
-> | Microsoft.RecoveryServices/Locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Locations/backupPreValidateProtection/action | |
-> | Microsoft.RecoveryServices/Locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
-> | Microsoft.RecoveryServices/Locations/backupValidateFeatures/action | Validate Features |
+> | microsoft.recoveryservices/Locations/backupCrossRegionRestore/action | Trigger Cross region restore. |
+> | microsoft.recoveryservices/Locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
+> | microsoft.recoveryservices/Locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
+> | microsoft.recoveryservices/Locations/backupPreValidateProtection/action | |
+> | microsoft.recoveryservices/Locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
+> | microsoft.recoveryservices/Locations/backupValidateFeatures/action | Validate Features |
> | Microsoft.RecoveryServices/locations/allocateStamp/action | AllocateStamp is internal operation used by service | > | Microsoft.RecoveryServices/locations/checkNameAvailability/action | Check Resource Name Availability is an API to check if resource name is available | > | Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service |
-> | Microsoft.RecoveryServices/Locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |
-> | Microsoft.RecoveryServices/Locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Locations/backupProtectedItem/write | Create a backup Protected Item |
-> | Microsoft.RecoveryServices/Locations/backupProtectedItems/read | Returns the list of all Protected Items. |
+> | microsoft.recoveryservices/Locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |
+> | microsoft.recoveryservices/Locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
+> | microsoft.recoveryservices/Locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
+> | microsoft.recoveryservices/Locations/backupProtectedItem/write | Create a backup Protected Item |
+> | microsoft.recoveryservices/Locations/backupProtectedItems/read | Returns the list of all Protected Items. |
> | Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation | > | Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
-> | Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
-> | Microsoft.RecoveryServices/Vaults/backupSecurityPIN/action | Returns Security PIN Information for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
+> | microsoft.recoveryservices/Vaults/backupJobsExport/action | Export Jobs |
+> | microsoft.recoveryservices/Vaults/backupSecurityPIN/action | Returns Security PIN Information for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
> | Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' | > | Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | > | Microsoft.RecoveryServices/Vaults/delete | The Delete Vault operation deletes the specified Azure resource of type 'vault' |
-> | Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupconfig/write | Updates Configuration for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupEncryptionConfigs/read | Gets Backup Resource Encryption Configuration. |
-> | Microsoft.RecoveryServices/Vaults/backupEncryptionConfigs/write | Updates Backup Resource Encryption Configuration |
-> | Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/delete | Delete a backup Protection Intent |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/operationsStatus/read | Returns status of the operation |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete | Deletes the registered Container |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationsStatus/read | Gets status of Operation performed on Protection Container. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/delete | Deletes Protected Item |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPointsRecommendedForMove/action | Get Recovery points recommended for move to another tier |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/move/action | Move Recovery point to another tier |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |
-> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |
-> | Microsoft.RecoveryServices/Vaults/backupJobs/cancel/action | Cancel the Job |
-> | Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all Job Objects |
-> | Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
-> | Microsoft.RecoveryServices/Vaults/backupJobs/operationsStatus/read | Returns the status of Job Operation. |
-> | Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupPolicies/delete | Delete a Protection Policy |
-> | Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
-> | Microsoft.RecoveryServices/Vaults/backupPolicies/write | Creates Protection Policy |
-> | Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
-> | Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
-> | Microsoft.RecoveryServices/Vaults/backupProtectableItems/read | Returns list of all Protectable Items. |
-> | Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
-> | Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
-> | Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
-> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
-> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
-> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
-> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
-> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
-> | Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupstorageconfig/write | Updates Storage Configuration for Recovery Services Vault. |
-> | Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
+> | microsoft.recoveryservices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupconfig/write | Updates Configuration for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupEncryptionConfigs/read | Gets Backup Resource Encryption Configuration. |
+> | microsoft.recoveryservices/Vaults/backupEncryptionConfigs/write | Updates Backup Resource Encryption Configuration |
+> | microsoft.recoveryservices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
+> | microsoft.recoveryservices/Vaults/backupFabrics/backupProtectionIntent/delete | Delete a backup Protection Intent |
+> | microsoft.recoveryservices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
+> | microsoft.recoveryservices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
+> | microsoft.recoveryservices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
+> | microsoft.recoveryservices/Vaults/backupFabrics/operationsStatus/read | Returns status of the operation |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/delete | Deletes the registered Container |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/operationsStatus/read | Gets status of Operation performed on Protection Container. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/delete | Deletes Protected Item |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPointsRecommendedForMove/action | Get Recovery points recommended for move to another tier |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/move/action | Move Recovery point to another tier |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |
+> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |
+> | microsoft.recoveryservices/Vaults/backupJobs/cancel/action | Cancel the Job |
+> | microsoft.recoveryservices/Vaults/backupJobs/read | Returns all Job Objects |
+> | microsoft.recoveryservices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
+> | microsoft.recoveryservices/Vaults/backupJobs/operationsStatus/read | Returns the status of Job Operation. |
+> | microsoft.recoveryservices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupPolicies/delete | Delete a Protection Policy |
+> | microsoft.recoveryservices/Vaults/backupPolicies/read | Returns all Protection Policies |
+> | microsoft.recoveryservices/Vaults/backupPolicies/write | Creates Protection Policy |
+> | microsoft.recoveryservices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
+> | microsoft.recoveryservices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
+> | microsoft.recoveryservices/Vaults/backupProtectableItems/read | Returns list of all Protectable Items. |
+> | microsoft.recoveryservices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
+> | microsoft.recoveryservices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
+> | microsoft.recoveryservices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
+> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
+> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
+> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
+> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
+> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
+> | microsoft.recoveryservices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupstorageconfig/write | Updates Storage Configuration for Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
> | Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. | > | Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | > | Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
Azure service: [Site Recovery](../site-recovery/index.yml)
> | Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. | > | Microsoft.RecoveryServices/Vaults/monitoringConfigurations/read | Gets the Recovery services vault notification configuration. | > | Microsoft.RecoveryServices/Vaults/monitoringConfigurations/write | Configures e-mail notifications to Recovery services vault. |
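Review bot: two adjacent rows in this hunk carry the same operation with different descriptions: `microsoft.recoveryservices/Vaults/backupResourceGuardProxies/read` is listed once as "Get the list of ResourceGuard proxies for a resource" and again as "Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy'"; a table keyed on operation name should list it once with one description. The `backupUsageSummaries/read` description is also cut off ("for a Recovery Services .") and, going by the `backupstorageconfig` rows just above it, is missing "Vault" before the period. Finally, the added rows lowercase the namespace (`microsoft.recoveryservices`) while the unchanged rows in the same table keep `Microsoft.RecoveryServices`; pick one casing for the column so the table reads and sorts consistently.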
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/delete | Wait for a few minutes and then try the operation again. If the issue persists, please contact Microsoft support. |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/read | Get all protectable containers |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/validate/action | Get all protectable containers |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/write | Get all protectable containers |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/operationsStatus/read | Get all protectable containers |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/delete | Delete Private Endpoint requests. This call is made by Backup Admin. |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/write | Approve or Reject Private Endpoint requests. This call is made by Backup Admin. |
-> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/operationsStatus/read | Returns the operation status for a private endpoint connection. |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/delete | Wait for a few minutes and then try the operation again. If the issue persists, please contact Microsoft support. |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/read | Get all protectable containers |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/validate/action | Get all protectable containers |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/write | Get all protectable containers |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/operationsStatus/read | Get all protectable containers |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnections/delete | Delete Private Endpoint requests. This call is made by Backup Admin. |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnections/write | Approve or Reject Private Endpoint requests. This call is made by Backup Admin. |
+> | microsoft.recoveryservices/Vaults/privateEndpointConnections/operationsStatus/read | Returns the operation status for a private endpoint connection. |
> | Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. | > | Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | > | Microsoft.RecoveryServices/Vaults/registeredIdentities/delete | The UnRegister Container operation can be used to unregister a container. |
Azure service: [Site Recovery](../site-recovery/index.yml)
> | Microsoft.RecoveryServices/vaults/replicationVaultSettings/read | Read any | > | Microsoft.RecoveryServices/vaults/replicationVaultSettings/write | Create or Update any | > | Microsoft.RecoveryServices/vaults/replicationvCenters/read | Read any vCenters |
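Review bot: the descriptions for the four `privateEndpointConnectionProxies` rows (`read`, `validate/action`, `write`, `operationsStatus/read`) are all the copy-pasted string "Get all protectable containers", which does not describe a private endpoint connection proxy operation, and the `privateEndpointConnectionProxies/delete` description is an error message ("Wait for a few minutes and then try the operation again...") rather than a description of the operation. Since this hunk only re-cases the namespace, it is the right place to fix those strings; the `privateEndpointConnections/*` rows immediately below show the intended style, e.g. "Returns the operation status for a private endpoint connection."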
-> | Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
+> | microsoft.recoveryservices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
> | Microsoft.RecoveryServices/vaults/usages/read | Read any Vault Usages | > | Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. |
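Review bot: after this re-casing the table still contains both `microsoft.recoveryservices/Vaults/usages/read` ("Returns usage details for a Recovery Services Vault.") and, in the unchanged row that follows, `Microsoft.RecoveryServices/vaults/usages/read` ("Read any Vault Usages"). These are the same operation listed twice with different descriptions (the duplication predates the hunk, but the hunk carries it forward); keep one row with one casing, or, if the two entries are intentionally distinct, make the descriptions say how.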
search Cognitive Search Attach Cognitive Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-attach-cognitive-services.md
Content-Type: application/json
"skills": [ {
- "@odata.type": "#Microsoft.Skills.Text.EntityRecognitionSkill",
+ "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
"categories": [ "Organization" ], "defaultLanguageCode": "en", "inputs": [
search Cognitive Search Concept Annotations Syntax https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-concept-annotations-syntax.md
Because the default context is `"/document"`, the list of people can now be refe
```json {
- "@odata.type": "#Microsoft.Skills.Text.EntityRecognitionSkill",
+ "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
"categories": [ "Person"], "defaultLanguageCode": "en", "inputs": [
search Cognitive Search Concept Intro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-concept-intro.md
Extraction and enrichment are implemented using *cognitive skills* attached to t
Built-in skills fall into these categories:
-+ **Natural language processing** skills include [entity recognition](cognitive-search-skill-entity-recognition-v3.md), [language detection](cognitive-search-skill-language-detection.md), [key phrase extraction](cognitive-search-skill-keyphrases.md), text manipulation, [sentiment detection](cognitive-search-skill-sentiment-v3.md), and [PII detection](cognitive-search-skill-pii-detection.md). With these skills, unstructured text is mapped as searchable and filterable fields in an index.
++ **Natural language processing** skills include [entity recognition](cognitive-search-skill-entity-recognition-v3.md), [language detection](cognitive-search-skill-language-detection.md), [key phrase extraction](cognitive-search-skill-keyphrases.md), text manipulation, [sentiment detection (including opinion mining)](cognitive-search-skill-sentiment-v3.md), and [PII detection](cognitive-search-skill-pii-detection.md). With these skills, unstructured text is mapped as searchable and filterable fields in an index. + **Image processing** skills include [Optical Character Recognition (OCR)](cognitive-search-skill-ocr.md) and identification of [visual features](cognitive-search-skill-image-analysis.md), such as facial detection, image interpretation, image recognition (famous people and landmarks) or attributes like image orientation. These skills create text representations of image content, making it searchable using the query capabilities of Azure Cognitive Search.
search Cognitive Search Debug Session https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-debug-session.md
If the enrichment pipeline does not have any errors, a debug session can be used
## Creating a debug session
-To start a debug session you must have an existing AI enrichment pipeline including; a data source, a skillset, an indexer, and an index. To configure a debug session, you need to name the session, and provide a general-purpose storage account that will be used to cache the skill executions during the indexer run. You will also need to select the indexer that will be running. The indexer has references stored to the data source, skillset, and index. The debug session will default to the first document in the data source or you can specify a document in the data source to step through.
+You can create a debug session on the **Overview** page of your search service in the Azure portal. To start a debug session you must have an existing AI enrichment pipeline including; a data source, a skillset, an indexer, and an index. To configure a debug session, you need to name the session, and provide a general-purpose storage account that will be used to cache the skill executions during the indexer run. You will also need to select the indexer that will be running. The indexer has references stored to the data source, skillset, and index. The debug session will default to the first document in the data source or you can specify a document in the data source to step through.
> :::image type="content" source="media/cognitive-search-debug/debug-session-new.png" alt-text="Creating a debug session":::
The debug session begins by executing the skillset on the selected document. The
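Review bot: the sentence the new text leads into still reads "an existing AI enrichment pipeline including; a data source, a skillset, an indexer, and an index"; the semicolon after "including" should be a colon or dropped, since it introduces the list rather than separating clauses. In the same paragraph, "The debug session will default to the first document in the data source or you can specify a document in the data source to step through" wants a comma before "or", as the two halves are independent clauses.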
## AI Enrichments
-As skills execute a tree of enrichments, representing the document, grows. Using a tree to visualize the outputs of skills or enrichments provides a comprehensive look at all the enrichments performed. You can look across the entire document and inspect each node of the enrichment tree. This perspective makes it easier to shape objects. This format also provides visual cues to the type, path, and contents of each node in the tree.
+As skills get executed, a tree of enrichments representing the document grows. Using a tree to visualize the outputs of skills or enrichments provides a comprehensive look at all the enrichments performed. You can look across the entire document and inspect each node of the enrichment tree. This perspective makes it easier to shape objects. This format also provides visual cues to the type, path, and contents of each node in the tree.
## Skill Graph The **Skill Graph** view provides a hierarchical, visual representation of the skillset. The graph is a top to bottom representation of the order in which the skills are executed. Skills that are dependent upon the output of other skills will be shown lower in the graph. Skills at the same level in the hierarchy can execute in parallel.
-Selecting a skill in the graph will highlight the skills connected to it, the nodes that create its inputs and the nodes that accept its outputs. Each skill node displays its type, errors or warnings, and execution counts. The **Skill Graph** is where you will select which skill to debug or enhance. When you select a skill its details will be displayed in the skill details pane to the right of the graph.
+Selecting a skill in the graph will highlight the skills connected to it, the nodes that create its inputs and the nodes that accept its outputs. Each skill node displays its type, errors or warnings, and execution counts. The **Skill Graph** is where you will select which skill to debug or enhance. When you select a skill, its details will be displayed in the skill details pane to the right of the graph.
> :::image type="content" source="media/cognitive-search-debug/skills-graph.png" alt-text="Skill Graph":::
This window displays all of the errors and warnings the skillset produces as it
## Limitations
-Debug sesisons work with all generally available data sources amd most preview data sources. The MongoDB API (preview) and Cassandra API (preview) of Cosmos DB are currently not supported.
+Debug sessions work with all generally available data sources and most preview data sources. The MongoDB API (preview) and Cassandra API (preview) of Cosmos DB are currently not supported.
## Next steps
search Cognitive Search Defining Skillset https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-defining-skillset.md
Content-Type: application/json
"skills": [ {
- "@odata.type": "#Microsoft.Skills.Text.EntityRecognitionSkill",
+ "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
"context": "/document", "categories": [ "Organization" ], "defaultLanguageCode": "en",
search Cognitive Search Skill Entity Linking V3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-skill-entity-linking-v3.md
Last updated 05/19/2021
# Entity Linking cognitive skill
-> [!IMPORTANT]
-> This skill is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [preview REST API](/rest/api/searchservice/index-preview) supports this skill.
- The **Entity Linking** skill extracts linked entities from text. This skill uses the machine learning models provided by [Text Analytics](../cognitive-services/text-analytics/overview.md) in Cognitive Services. > [!NOTE]
search Cognitive Search Skill Entity Recognition V3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-skill-entity-recognition-v3.md
Last updated 05/19/2021
# Entity Recognition cognitive skill (V3)
-> [!IMPORTANT]
-> This skill is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [preview REST API](/rest/api/searchservice/index-preview) supports this skill.
- The **Entity Recognition** skill extracts entities of different types from text. These entities fall under 14 distinct categories, ranging from people and organizations to URLs and phone numbers. This skill uses the machine learning models provided by [Text Analytics](../cognitive-services/text-analytics/overview.md) in Cognitive Services. > [!NOTE]
search Cognitive Search Skill Pii Detection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-skill-pii-detection.md
Title: PII Detection cognitive skill (preview)
+ Title: PII Detection cognitive skill
-description: Extract and mask personal information from text in an enrichment pipeline in Azure Cognitive Search. This skill is currently in public preview.
+description: Extract and mask personal information from text in an enrichment pipeline in Azure Cognitive Search.
Last updated 06/17/2020
# PII Detection cognitive skill
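Review bot: the title and description drop the "(preview)" designation, but the front-matter line that follows still reads "Last updated 06/17/2020"; bump the date so readers can tell that the GA wording postdates the preview text. The sibling skill pages updated alongside this one (entity linking, entity recognition V3, sentiment V3) carry May 2021 dates.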
-> [!IMPORTANT]
-> This skill is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [preview REST API](/rest/api/searchservice/index-preview) supports this skill.
- The **PII Detection** skill extracts personal information from an input text and gives you the option of masking it. This skill uses the machine learning models provided by [Text Analytics](../cognitive-services/text-analytics/overview.md) in Cognitive Services. > [!NOTE]
Parameters are case-sensitive and all are optional.
| Parameter name | Description | |--|-|
-| `defaultLanguageCode` | (Optional) The language code to apply to documents that don't specify language explicitly. If the default language code is not specified, English (en) will be used as the default language code. <br/> See [Full list of supported languages](../cognitive-services/text-analytics/language-support.md). |
+| `defaultLanguageCode` | (Optional) The language code to apply to documents that don't specify language explicitly. If the default language code is not specified, English (en) will be used as the default language code. <br/> See [Full list of supported languages](../cognitive-services/text-analytics/language-support.md?tabs=pii). |
| `minimumPrecision` | A value between 0.0 and 1.0. If the confidence score (in the `piiEntities` output) is lower than the set `minimumPrecision` value, the entity is not returned or masked. The default is 0.0. | | `maskingMode` | A parameter that provides various ways to mask the personal information detected in the input text. The following options are supported: <ul><li>`none` (default): No masking occurs and the `maskedText` output will not be returned. </li><li> `replace`: Replaces the detected entities with the character given in the `maskingCharacter` parameter. The character will be repeated to the length of the detected entity so that the offsets will correctly correspond to both the input text as well as the output `maskedText`.</li></ul> <br/> During the PIIDetectionSkill preview, the `maskingMode` option `redact` was also supported, which allowed removing the detected entities entirely without replacement. The `redact` option has since been deprecated and will no longer be supported in the skill going forward. | | `maskingCharacter` | The character used to mask the text if the `maskingMode` parameter is set to `replace`. The following option is supported: `*` (default). This parameter can only be `null` if `maskingMode` is not set to `replace`. <br/><br/> During the PIIDetectionSkill preview, there was support for additional `maskingCharacter` options `X` and `#`. The `X` and `#` options have since been deprecated and will no longer be supported in the skill going forward. |
+| `domain` | (Optional) A string value, if specified, will set the PII domain to include only a subset of the entity categories. Possible values include: `phi` (detect confidential health information only), `none`. |
+| `piiCategories` | (Optional) If you want to specify which entities will be detected and returned, use the optional `piiCategories` parameter (defined as a list of strings) with the appropriate entity categories. This parameter can also let you detect entities that aren't enabled by default for your document language. See [the TextAnalytics documentation](../cognitive-services/text-analytics/named-entity-types.md?tabs=personal) for list of categories that are available. |
| `modelVersion` | (Optional) The version of the model to use when calling the Text Analytics service. It will default to the most recent version when not specified. We recommend you do not specify this value unless absolutely necessary. See [Model versioning in the Text Analytics API](../cognitive-services/text-analytics/concepts/model-versioning.md) for more details. | ## Skill inputs | Input name | Description | ||-|
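Review bot: the new `domain` row lists the possible values `phi` and `none` but not which applies when the parameter is omitted; the neighbouring `maskingMode` and `maskingCharacter` rows mark their defaults explicitly ("`none` (default)", "`*` (default)"), so this row should too. Likewise `piiCategories` should state what is detected when it is not set, which the row only implies ("entities that aren't enabled by default for your document language"). Also, both new rows open with "(Optional)" while the line above the table already says "Parameters are case-sensitive and all are optional"; one of the two is redundant.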
-| `languageCode` | A string indicating the language of the records. If this parameter is not specified, the default language code will be used to analyze the records. <br/>See [Full list of supported languages](../cognitive-services/text-analytics/language-support.md) |
+| `languageCode` | A string indicating the language of the records. If this parameter is not specified, the default language code will be used to analyze the records. <br/>See [Full list of supported languages](../cognitive-services/text-analytics/language-support.md?tabs=pii) |
| `text` | The text to analyze. | ## Skill outputs
search Cognitive Search Skill Sentiment V3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-skill-sentiment-v3.md
Last updated 05/25/2021
# Sentiment cognitive skill (V3)
-> [!IMPORTANT]
-> This skill is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [preview REST API](/rest/api/searchservice/index-preview) supports this skill.
-
-The V3 **Sentiment** skill evaluates unstructured text and for each record, provides sentiment labels (such as "negative", "neutral" and "positive") based on the highest confidence score found by the service at a sentence and document-level. This skill uses the machine learning models provided by version 3 of [Text Analytics](../cognitive-services/text-analytics/overview.md) in Cognitive Services.
+The V3 **Sentiment** skill evaluates unstructured text and for each record, provides sentiment labels (such as "negative", "neutral" and "positive") based on the highest confidence score found by the service at a sentence and document-level. This skill uses the machine learning models provided by version 3 of [Text Analytics](../cognitive-services/text-analytics/overview.md) in Cognitive Services. It also exposes [the opinion mining capabilities of the Text Analytics API](../cognitive-services/text-analytics/how-tos/text-analytics-how-to-sentiment-analysis.md#opinion-mining), which provides more granular information about the opinions related to attributes of products or services in text.
> [!NOTE] > As you expand scope by increasing the frequency of processing, adding more documents, or adding more AI algorithms, you will need to [attach a billable Cognitive Services resource](cognitive-search-attach-cognitive-services.md). Charges accrue when calling APIs in Cognitive Services, and for image extraction as part of the document-cracking stage in Azure Cognitive Search. There are no charges for text extraction from documents.
search Cognitive Search Skill Textsplit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-skill-textsplit.md
Parameters are case-sensitive.
| Parameter name | Description | |--|-|
-| `textSplitMode` | Either "pages" or "sentences" |
-| `maximumPageLength` | If textSplitMode is set to "pages", this refers to the maximum page length as measured by `String.Length`. The minimum value is 300. If the textSplitMode is set to "pages", the algorithm will try to split the text into chunks that are at most "maximumPageLength" in size. In this case, the algorithm will do its best to break the sentence on a sentence boundary, so the size of the chunk may be slightly less than "maximumPageLength". |
-| `defaultLanguageCode` | (optional) One of the following language codes: `da, de, en, es, fi, fr, it, ko, pt`. Default is English (en). Few things to consider:<ul><li>If you pass a languagecode-countrycode format, only the languagecode part of the format is used.</li><li>If the language is not in the previous list, the split skill breaks the text at character boundaries.</li><li>Providing a language code is useful to avoid cutting a word in half for non-whitespace languages such as Chinese, Japanese, and Korean.</li><li>If you do not know the language (i.e. you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), the default of English (en) should be sufficient. </li></ul> |
+| `textSplitMode` | Either `pages` or `sentences` |
+| `maximumPageLength` | Only applies if `textSplitMode` is set to `pages`. This refers to the maximum page length in characters as measured by `String.Length`. The minimum value is 300, the maximum is 100000, and the default value is 10000. The algorithm will do its best to break the text on sentence boundaries, so the size of each chunk may be slightly less than `maximumPageLength`. |
+| `defaultLanguageCode` | (optional) One of the following language codes: `am, bs, cs, da, de, en, es, et, fr, he, hi, hr, hu, fi, id, is, it, ja, ko, lv, no, nl, pl, pt-PT, pt-BR, ru, sk, sl, sr, sv, tr, ur, zh-Hans`. Default is English (en). Few things to consider:<ul><li>Providing a language code is useful to avoid cutting a word in half for non-whitespace languages such as Chinese, Japanese, and Korean.</li><li>If you do not know the language (i.e. you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), the default of English (en) should be sufficient. </li></ul> |
## Skill Inputs
Parameters are case-sensitive.
| Parameter name | Description | |-|| | `text` | The text to split into substring. |
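Review bot: the rewritten `defaultLanguageCode` row drops the old bullet "If the language is not in the previous list, the split skill breaks the text at character boundaries" without replacing it, so the parameter row no longer says what happens for an unlisted language; the new behaviour ("a warning will be emitted and the text will not be split") is stated only further down in the `languageCode` input row. Add that sentence here as well, since this row is where readers look up the supported list. The removed bullet about a `languagecode-countrycode` value being reduced to its language code is also gone while the new list now contains region-specific codes (`pt-PT`, `pt-BR`, `zh-Hans`); say whether a bare `pt` or `zh` is still accepted or now counts as unsupported.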
-| `languageCode` | (Optional) Language code for the document. If you do not know the language (i.e. you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), it is safe to remove this input. |
+| `languageCode` | (Optional) Language code for the document. If you do not know the language (i.e. you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), it is safe to remove this input. If the language is not in the supported list for the `defaultLanguageCode` parameter above, a warning will be emitted and the text will not be split. |
## Skill Outputs
Parameters are case-sensitive.
``` ## Error cases
-If a language is not supported, a warning is generated and the text is split at character boundaries.
+If a language is not supported, a warning is generated.
## See also
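Review bot: "If a language is not supported, a warning is generated." now says less than the `languageCode` input row above, which adds that the text is not split in that case. Keep the Error cases section complete on its own, e.g. "If a language is not supported, a warning is generated and the text is not split."; a reader of this section alone would otherwise still assume output is produced, which is the character-boundary behaviour the hunk removes.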
search Cognitive Search Tutorial Blob Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-tutorial-blob-python.md
skillset_payload = {
"skills": [ {
- "@odata.type": "#Microsoft.Skills.Text.EntityRecognitionSkill",
+ "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
"categories": ["Organization"], "defaultLanguageCode": "en", "inputs": [
search Cognitive Search Tutorial Blob https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-tutorial-blob.md
A [skillset object](/rest/api/searchservice/create-skillset) is a set of enrichm
"skills": [ {
- "@odata.type": "#Microsoft.Skills.Text.EntityRecognitionSkill",
+ "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
"categories": [ "Person", "Organization", "Location" ], "defaultLanguageCode": "en", "inputs": [
search Search Api Preview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-api-preview.md
Preview features that transition to general availability are removed from this l
|Feature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Category | Description | Availability | |||-|| | [**Search REST API 2021-04-30-Preview**](/rest/api/searchservice/index-preview) | Security | Modifies [Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source) to support managed identities under Azure Active Directory, for indexers that connect to external data sources. | Public preview, [Search REST API 2021-04-30-Preview](/rest/api/searchservice/index-preview) |
-| [**Azure RBAC support**](search-security-rbac.md) | Security | Use new built-in roles to control access to indexes and indexing, eliminating or reducing the dependency on API keys. | Use Azure portal or [Create or Update Service](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) (Management REST API version 2021-04-01-Preview) to enable data plane authorization on a search service. |
+| [**Azure RBAC support**](search-security-rbac.md) | Security | Use new built-in roles to control access to indexes and indexing, eliminating or reducing the dependency on API keys. | Public preview ([by request](https://aka.ms/azure-cognitive-search/rbac-preview)). After your subscription is on-boarded, use Azure portal or the Management REST API version 2021-04-01-Preview to configure a search service for data plane authentication. |
| [**Management REST API 2021-04-01-Preview**](/rest/api/searchmanagement/) | Security | Modifies [Create or Update Service](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to support new [DataPlaneAuthOptions](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#dataplaneauthoptions). | Public preview, [Management REST API ](/rest/api/searchmanagement/), API version 2021-04-01-Preview.| | [**Reset Documents**](search-howto-run-reset-indexers.md) | Indexer | Reprocesses individually selected search documents in indexer workloads. | Use the [Reset Documents REST API](/rest/api/searchservice/preview-api/reset-documents), API versions 2021-04-30-Preview or 2020-06-30-Preview. | | [**Power Query connectors**](search-how-to-index-power-query-data-sources.md) | Indexer data source | Indexers can now index from other cloud platforms. If you are using an indexer to crawl external data sources for indexing, you can now use Power Query connectors to connect to Amazon Redshift, Elasticsearch, PostgreSQL, Salesforce Objects, Salesforce Reports, Smartsheet, and Snowflake. | [Sign up](https://aka.ms/azure-cognitive-search/indexer-preview) is required so that support can be enabled for your subscription on the backend. Configure this data source using [Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source), API versions 2021-04-30-Preview or 2020-06-30-Preview, or the Azure portal.|
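Review bot: the new Availability cell names "the Management REST API version 2021-04-01-Preview" but drops the link the old cell carried to [Create or Update Service](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update), so readers lose the direct path to the call that enables data plane authorization; the Management REST API row directly below still links it and that link can be reused here. Minor: "on-boarded" is normally written "onboarded".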
Preview features that transition to general availability are removed from this l
| [**Normalizers**](search-normalizers.md) | Query | Normalizers provide simple text pre-processing: consistent casing, accent removal, and ASCII folding, without invoking the full text analysis chain.| Use [Search Documents](/rest/api/searchservice/preview-api/search-documents), API versions 2021-04-30-Preview or 2020-06-30-Preview.| | [**featuresMode parameter**](/rest/api/searchservice/preview-api/search-documents#query-parameters) | Relevance (scoring) | Relevance score expansion to include details: per field similarity score, per field term frequency, and per field number of unique tokens matched. You can consume these data points in [custom scoring solutions](https://github.com/Azure-Samples/search-ranking-tutorial). | Add this query parameter using [Search Documents](/rest/api/searchservice/preview-api/search-documents), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. | | [**Azure Machine Learning (AML) skill**](cognitive-search-aml-skill.md) | AI enrichment (skills) | A new skill type to integrate an inferencing endpoint from Azure Machine Learning. Get started with [this tutorial](cognitive-search-tutorial-aml-custom-skill.md). | Use [Search Preview REST API](/rest/api/searchservice/), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. Also available in the portal, in skillset design, assuming Cognitive Search and Azure ML services are deployed in the same subscription. |
-| [**Entity Linking skill (v3)**](cognitive-search-skill-entity-linking-v3.md) | AI enrichment (skills) | A cognitive skill used during indexing that returns a list of recognized entities with links to a well-known knowledge base. | Reference this preview skill using [Create or Update Skillset Preview REST API](/rest/api/searchservice/create-skillset), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. |
-| [**Entity Recognition cognitive skill (v3)**](cognitive-search-skill-entity-recognition-v3.md) | AI enrichment (skills) | A cognitive skill used during indexing that recognizes more entities than the previous version. | Reference this preview skill using [Create or Update Skillset Preview REST API](/rest/api/searchservice/create-skillset), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. |
-| [**Sentiment cognitive skill (v3)**](cognitive-search-skill-sentiment-v3.md) | AI enrichment (skills) | A cognitive skill used during indexing that evaluates unstructured text and for each record, provides sentiment labels. This version adds opinion mining. | Reference this preview skill using [Create or Update Skillset Preview REST API](/rest/api/searchservice/create-skillset), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. |
-| [**PII Detection skill**](cognitive-search-skill-pii-detection.md) | AI enrichment (skills) | A cognitive skill used during indexing that extracts personal information from an input text and gives you the option to mask it from that text in various ways. | Reference this preview skill using the Skillset editor in the portal or [Create or Update Skillset Preview REST API](/rest/api/searchservice/create-skillset), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. |
| [**Incremental enrichment**](cognitive-search-incremental-indexing-conceptual.md) | AI enrichment (skills) | Adds caching to an enrichment pipeline, allowing you to reuse existing output if a targeted modification, such as an update to a skillset or another object, does not change the content. Caching applies only to enriched documents produced by a skillset.| Add this configuration setting using [Create or Update Indexer Preview REST API](/rest/api/searchservice/create-indexer), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. | | [**Debug Sessions**](cognitive-search-debug-session.md) | Portal, AI enrichment (skills) | An in-session skillset editor used to investigate and resolve issues with a skillset. Fixes applied during a debug session can be saved to a skillset in the service. | Portal only, using mid-page links on the Overview page to open a debug session. | | [**moreLikeThis**](search-more-like-this.md) | Query | Finds documents that are relevant to a specific document. This feature has been in earlier previews. | Add this query parameter in [Search Documents Preview REST API](/rest/api/searchservice/search-documents) calls, with API versions 2021-04-30-Preview, 2020-06-30-Preview, 2019-05-06-Preview, 2016-09-01-Preview, or 2017-11-11-Preview. |
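Review bot: removing the four skill rows (Entity Linking v3, Entity Recognition v3, Sentiment v3, PII Detection) leaves this preview-features table with no pointer to where those skills are now documented; if they have left preview, add a short line under the table, or a link to their current pages, so readers who bookmarked this list are not left guessing whether the skills were withdrawn or promoted.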
search Search Security Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-security-rbac.md
Azure provides a global [role-based access control (RBAC) authorization system](
+ Allow access to control plane operations, such as adding capacity or rotating keys, on the search service itself through Owner, Contributor, and Reader roles.
-+ Allow access to data plane operations, such as creating or querying indexes. This capability is currently in public preview.
++ Allow access to data plane operations, such as creating or querying indexes. This capability is currently in public preview ([by request](https://aka.ms/azure-cognitive-search/rbac-preview)). After your subscription is on-boarded, follow the instructions in this article to use the feature. + Allow outbound indexer connections to be made [using a managed identity](search-howto-managed-identities-data-sources.md). For a search service that has a managed identity assigned to it, you can create roles assignments that extend external data services, such as Azure Blob Storage, to allow read access on blobs by your trusted search service.
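Review bot: the added bullet runs two list items together: "... follow the instructions in this article to use the feature. + Allow outbound indexer connections ..." should be split so the managed-identity bullet starts on its own line. In the same text, "roles assignments" should read "role assignments", and "on-boarded" is spelled "onboarded" elsewhere in the docs set. Since the sentence already says the purpose is "read access on blobs", it is worth adding that the role assigned to the search service's managed identity on the external data service should be scoped to that read access and nothing broader.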
Built-in roles include generally available and preview roles, whose assigned mem
Role assignments are cumulative and pervasive across all tools and client libraries used to create or manage a search service. Clients include the Azure portal, Management REST API, Azure PowerShell, Azure CLI, and the management client library of Azure SDKs.
-There are no regional, tier, or pricing restrictions for using RBAC on Azure Cognitive Search.
+There are no regional, tier, or pricing restrictions for using RBAC on Azure Cognitive Search, but your search service must be in the Azure public cloud.
| Role | Status | Applies to | Description | | - | -| - | -- |
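Review bot: "your search service must be in the Azure public cloud" is the only hint that the RBAC preview is unavailable elsewhere; state explicitly which cloud environments are excluded and whether the restriction applies only to the preview data plane roles or also to the control plane roles, because the preceding paragraph says role assignments apply across all tools and client libraries and a reader in a sovereign cloud cannot tell which half of that still holds for them.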
search Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/whats-new.md
Learn what's new in the service. Bookmark this page to keep up to date with the
|Feature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Description | Availability | ||--|| | [Search REST API 2021-04-30-Preview](/rest/api/searchservice/index-preview) | Adds REST API support for indexer connections made using [managed identities](search-howto-managed-identities-data-sources.md) and Azure Active Directory (Azure AD) authentication. | Public preview |
-| [Role-based authorization (preview)](search-security-rbac.md) | Authenticate using Azure Active Directory and new built-in roles for data plane access to indexes and indexing, eliminating or reducing the dependency on API keys. | Public preview, using Azure portal or the Management REST API version 2021-04-01-Preview to configure a search service for data plane authentication.|
+| [Role-based authorization (preview)](search-security-rbac.md) | Authenticate using Azure Active Directory and new built-in roles for data plane access to indexes and indexing, eliminating or reducing the dependency on API keys. | Public preview ([by request](https://aka.ms/azure-cognitive-search/rbac-preview)). After your subscription is on-boarded, use Azure portal or the Management REST API version 2021-04-01-Preview to configure a search service for data plane authentication.|
| [Management REST API 2021-04-01-Preview](/rest/api/searchmanagement/) | Modifies [Create or Update Service](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to support new [DataPlaneAuthOptions](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#dataplaneauthoptions). | Public preview | ## May 2021
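Review bot: the row says the preview "eliminat[es] or reduc[es] the dependency on API keys" but does not say whether API keys remain accepted once data plane RBAC is configured, which is the question a security reviewer will ask first; since the next row documents DataPlaneAuthOptions on Create or Update Service, point to that row here as the place where the key-versus-Azure AD behaviour is configured, rather than implying that assigning roles by itself retires the keys.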
sentinel Customize Entity Activities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/sentinel/customize-entity-activities.md
ms.devlang: na
na Previously updated : 06/07/2021 Last updated : 07/26/2021
SecurityEvent
#### Presenting the activity in the timeline
-You can determine how the activity will be presented in the timeline for your convenience.
+For the sake of convenience, you may want to determine how the activity is presented in the timeline by adding dynamic parameters to the activity output.
-You can add dynamic parameters to the activity output with the following format: `{{ParameterName}}`. The parameters include built-in ones provided by Azure Sentinel, plus others based on the fields you projected in the query.
+Azure Sentinel provides built-in parameters for you to use, and you can also use others based on the fields you projected in the query.
-Once the activity query passes validation (you'll know it has if you see the "View query results" link below the query window), the **Available values** section can be expanded, and you'll see the different parameters you can use to create a dynamic activity title. Clicking on the **copy** icon next to a particular parameter will copy that parameter to your clipboard, and you can then paste it into the **Activity title** field above.
+Use the following format for your parameters: `{{ParameterName}}`
+
+After the activity query passes validation and displays the **View query results** link below the query window, you'll be able to expand the **Available values** section to view the parameters available for you to use when creating a dynamic activity title.
+
+Select the **Copy** icon next to a specific parameter to copy that parameter to your clipboard so that you can paste it into the **Activity title** field above.
+
+Add any of the following parameters to your query:
-You can add the following parameters:
- Any field you projected in the query.+ - Entity identifiers of any entities mentioned in the query.-- Count ΓÇô use this parameter to summarize the count of the KQL query output. The bucket size is determined in the entity page.-- StartTimeUTC ΓÇô Start time of the activity in UTC.-- EndTimeUTC ΓÇô End time of the activity in UTC.+
+- `StartTimeUTC`, to add the start time of the activity, in UTC time.
+
+- `EndTimeUTC`, to add the end time of the activity, in UTC time.
+
+- `Count`, to summarize several KQL query outputs into a single output.
+
+ The `count` parameter adds the following command to your query in the background, even though it's not displayed fully in the editor:
+
+ ```kql
+ Summarize count() by <each parameter youΓÇÖve projected in the activity>
+ ```
+
+ Then, when you use the **Bucket Size** filter in the entity pages, the following command is also added to the query that's run in the background:
+
+ ```kql
+ Summarize count() by <each parameter youΓÇÖve projected in the activity>, bin (TimeGenerated, Bucket in Hours)
+ ```
+
+For example:
:::image type="content" source="./media/customize-entity-activities/new-activity-title.png" alt-text="Screenshot - See the available values for your activity title"::: When you are satisfied with your query and activity title, select **Next : Review**.
-### Review and create tab
+### Review and create tab
1. Verify all the configuration information of your custom activity.
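Review bot: in the two added kql blocks, `Summarize` is capitalised but KQL operators are lowercase (`summarize`), and `bin (TimeGenerated, Bucket in Hours)` has a stray space before the parenthesis; since readers will copy these, write them as `summarize count() by <projected fields>, bin(TimeGenerated, <bucket size>)`. The parameter is introduced as `Count` in the list and then called "the `count` parameter" in the next sentence; keep one casing. The new description of `Count` ("to summarize several KQL query outputs into a single output") is less precise than the removed one ("summarize the count of the KQL query output"); keep the count wording. Also replace the curly apostrophe in "you've" inside the code fences with a plain ASCII apostrophe, or reword the placeholder, so it is not pasted into a query.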
storage Soft Delete Blob Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/blobs/soft-delete-blob-manage.md
Previously updated : 06/29/2021 Last updated : 07/23/2021
When blobs or directories are soft-deleted, they are invisible in the Azure port
> [!div class="mx-imgBorder"] > ![Screenshot showing how to list soft-deleted blobs in Azure portal (hierarchical namespace enabled accounts)](media/soft-delete-blob-manage/soft-deleted-blobs-list-portal-hns.png)
+> [!NOTE]
+> If you rename a directory that contains soft deleted items (subdirectories and blobs), those soft deleted items become disconnected from the directory, so they won't appear in the Azure portal when you toggle the **Show deleted blobs** setting. If you want to view them in the Azure portal, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name.
+ Next, select the deleted directory or blob from the list display its properties. Under the **Overview** tab, notice that the status is set to **Deleted**. The portal also displays the number of days until the blob is permanently deleted. > [!div class="mx-imgBorder"]
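Review bot: "revert the name of the directory back to it's original name" should be "its original name" (possessive); the same typo recurs in each of the five copies of the rename paragraph added below in this file and in soft-delete-blob-overview.md, so fix it once and consider turning the repeated paragraph into an include. In the same hunk, "select the deleted directory or blob from the list display its properties" is missing "to" before "display", and the NOTE uses "soft deleted" while the surrounding text uses "soft-deleted"; pick one.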
To restore a soft-deleted blob or directory in the Azure portal, first display t
$deletedItems | Restore-AzDataLakeGen2DeletedItem ```
+ If you rename the directory that contains the soft deleted items, those items become disconnected from the directory. If you want to restore those items, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted items.
### Restore soft deleted blobs and directories by using Azure CLI
To restore a soft-deleted blob or directory in the Azure portal, first display t
az storage fs undelete-path -f $filesystemName --deleted-path-name $dirName ΓÇödeletion-id "<deletionId>" --auth-mode login ```
+ If you rename the directory that contains the soft deleted items, those items become disconnected from the directory. If you want to restore those items, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted items.
+ ### Restore soft deleted blobs and directories by using .NET >[!IMPORTANT]
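Review bot: the CLI command in the context line above passes `ΓÇödeletion-id` (an em dash rendered as mojibake) instead of `--deletion-id`; anyone pasting it gets an unrecognized-argument error, so correct it to two ASCII hyphens while this section is being touched.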
To restore a soft-deleted blob or directory in the Azure portal, first display t
```
+ If you rename the directory that contains the soft deleted items, those items become disconnected from the directory. If you want to restore those items, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted items.
+ ### Restore soft deleted blobs and directories by using Java >[!IMPORTANT]
To restore a soft-deleted blob or directory in the Azure portal, first display t
```
+ If you rename the directory that contains the soft deleted items, those items become disconnected from the directory. If you want to restore those items, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted items.
+ ### Restore soft deleted blobs and directories by using Python >[!IMPORTANT]
To restore a soft-deleted blob or directory in the Azure portal, first display t
```
+ If you rename the directory that contains the soft deleted items, those items become disconnected from the directory. If you want to restore those items, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted items.
+ ## Next steps - [Soft delete for Blob storage](soft-delete-blob-overview.md)
storage Soft Delete Blob Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/blobs/soft-delete-blob-overview.md
Previously updated : 06/29/2021 Last updated : 07/23/2021
If a blob has snapshots, the blob cannot be deleted unless the snapshots are als
You can also delete one or more active snapshots without deleting the base blob. In this case, the snapshot is soft-deleted.
-If a directory is deleted in an account that has the hierarchical namespace feature enabled on it, the directory and all its contents are marked as soft-deleted.
+If a directory is deleted in an account that has the hierarchical namespace feature enabled on it, the directory and all its contents are marked as soft-deleted.
Soft-deleted objects are invisible unless they are explicitly displayed or listed. For more information about how to list soft-deleted objects, see [Manage and restore soft-deleted blobs](soft-delete-blob-manage.md).
For premium storage accounts, soft-deleted snapshots do not count toward the per
You can restore soft-deleted blobs or directories (in a hierarchical namespace) by calling the [Undelete Blob](/rest/api/storageservices/undelete-blob) operation within the retention period. The **Undelete Blob** operation restores a blob and any soft-deleted snapshots associated with it. Any snapshots that were deleted during the retention period are restored.
-In accounts that have a hierarchical namespace, the **Undelete Blob** operation can also be used to restore a soft-deleted directory and all its contents.
+In accounts that have a hierarchical namespace, the **Undelete Blob** operation can also be used to restore a soft-deleted directory and all its contents. If you rename a directory that contains soft deleted blobs, those soft deleted blobs become disconnected from the directory. If you want to restore those blobs, you'll have to revert the name of the directory back to it's original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted blobs.
Calling **Undelete Blob** on a blob that is not soft-deleted will restore any soft-deleted snapshots that are associated with the blob. If the blob has no snapshots and is not soft-deleted, then calling **Undelete Blob** has no effect.
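Review bot: "it's original name" should be "its original name". Beyond the typo, the added sentences read more naturally in failure-then-mitigation order: say first that renaming the parent directory disconnects the soft-deleted blobs and that Undelete Blob on them then returns an error, and only then that restoring the original directory name (or creating a directory with that name) makes them restorable again.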
storage Storage Blob Rehydration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/blobs/storage-blob-rehydration.md
While a blob is in the archive access tier, it's considered offline and can't be
### Lifecycle management
-Rehydrating a blob doesn't change it's `Last-Modified` time. Using the [lifecycle management](storage-lifecycle-management-concepts.md) feature can create a scenario where a blob is rehydrated, then a lifecycle management policy moves the blob back to archive because the `Last-Modified` time is beyond the threshold set for the policy. To avoid this scenario, use the *[Copy an archived blob to an online tier](#copy-an-archived-blob-to-an-online-tier)* method. The copy method creates a new instance of the blob with an updated `Last-Modified` time and won't trigger the lifecycle management policy.
+Rehydrating a blob doesn't change its `Last-Modified` time. Using the [lifecycle management](storage-lifecycle-management-concepts.md) feature can create a scenario where a blob is rehydrated, then a lifecycle management policy moves the blob back to archive because the `Last-Modified` time is beyond the threshold set for the policy. To avoid this scenario, use the *[Copy an archived blob to an online tier](#copy-an-archived-blob-to-an-online-tier)* method. The copy method creates a new instance of the blob with an updated `Last-Modified` time and won't trigger the lifecycle management policy.
## Monitor rehydration progress
storage Storage Explorer Support Policy Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/common/storage-explorer-support-policy-lifecycle.md
This table describes the release date and the end of support date for each relea
| Storage Explorer version | Release date | End of support date | |:-:|::|:-:|
+| v1.20.1 | July 23, 2021 | July 23, 2022 |
| v1.20.0 | June 25, 2021 | June 25, 2022 | | v1.19.1 | April 29, 2021 | April 29, 2022 | | v1.19.0 | April 15, 2021 | April 15, 2022 |
stream-analytics Stream Analytics Real Time Fraud Detection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/stream-analytics/stream-analytics-real-time-fraud-detection.md
Now that you have a stream of call events, you can create a Stream Analytics job
1. To create a Stream Analytics job, navigate to the [Azure portal](https://portal.azure.com/).
-2. Select **Create a resource** and search for **Stream Analytics job**. Select the **Stream Analytics job** tile and select *Create**.
+2. Select **Create a resource** and search for **Stream Analytics job**. Select the **Stream Analytics job** tile and select **Create**.
3. Fill out the **New Stream Analytics job** form with the following values:
virtual-desktop App Attach Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-azure-portal.md
You can also leave feedback for Azure Virtual Desktop at the [Azure Virtual Desk
Here are some other articles you might find helpful: - [MSIX app attach glossary](app-attach-glossary.md)-- [MSIX app attach FAQ](app-attach-faq.md)
+- [MSIX app attach FAQ](app-attach-faq.yml)
virtual-desktop App Attach Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-faq.md
- Title: Azure Virtual Desktop MSIX app attach FAQ - Azure
-description: Frequently asked questions about MSIX app attach for Azure Virtual Desktop.
----- Previously updated : 08/17/2020----
-# MSIX app attach FAQ
-
-This article answers frequently asked questions about MSIX app attach for Azure Virtual Desktop.
-
-## What's the difference between MSIX and MSIX app attach?
-
-MSIX is a packaging format for apps, while MSIX app attach is the feature that delivers MSIX packages to your deployment.
-
-## Does MSIX app attach use FSLogix?
-
-MSIX app attach doesn't use FSLogix. However, MSIX app attach and FSLogix are designed to work together to provide a seamless user experience.
-
-## Can I use the MSIX app attach outside of Azure Virtual Desktop?
-
-The APIs that power MSIX app attach are available for Windows 10 Enterprise. These APIs can be used outside of Azure Virtual Desktop. However, there's no management plane for MSIX app attach outside of Azure Virtual Desktop.
-
-## How do I get an MSIX package?
-
-Your software vendor will give you an MSIX package. You can also convert non-MSIX packages to MSIX. Learn more at [How to move your existing installers to MSIX](/windows/msix/packaging-tool/create-an-msix-overview#how-to-move-your-existing-installers-to-msix).
-
-## Which operating systems support MSIX app attach?
-
-Windows 10 Enterprise and Windows 10 Enterprise Multi-session, version 2004 or later.
-
-## Is MSIX app attach currently generally available?
-
-MSIX app attach is part of Windows 10 Enterprise and Windows 10 Enterprise Multi-session, version 2004 or later. Both operating systems are currently generally available.
-
-## Can I use MSIX app attach outside of Azure Virtual Desktop?
-
-MSIX and MSIX app attach APIs are part of Windows 10 Enterprise and Windows 10 Enterprise Multi-session, version 2004 and later. We currently don't provide management software for MSIX app attach outside of Azure Virtual Desktop.
-
-## Can I run two versions of the same application at the same time?
-
-For two version of the same MSIX applications to run simultaneously, the MSIX package family defined in the appxmanifest.xml file must be different for each app.
-
-## Should I disable auto-update when using MSIX app attach?
-
-Yes. MSIX app attach doesn't support auto-update for MSIX applications.
-
-## How do permissions work with MSIX app attach?
-
-All virtual machines (VMs) in a host pool that uses MSIX app attach must have read permissions on the file share where the MSIX images are stored. If it also uses Azure Files, they'll need to be granted both role-based access control (RBAC) and New Technology File System (NTFS) permissions.
-
-## How many users can use an MSIX image handle?
-
-MSIX app attach mounts MSIX images on a per-machine basis, not a per-user basis. The amount of users who can use an MSIX image handle is based on the size of the machine's file system and throughput of the network. Also, Azure Files has a limit of 2,000 open handles per file.
-
-## Can I use Azure Active Directory Domain Services (Azure AD DS) with MSIX app attach?
-
-MSIX app attach doesn't currently support Azure AD DS. Because Azure AD DS computer objects aren't synchronized to Azure Active Directory (Azure AD), the administrator can't provide the required role-based access control (RBAC) permissions for Azure Files.
-
-## Can I use MSIX app attach for HTTP or HTTPs?
-
-Using MSIX app attach over HTTP or HTTPs is currently not supported.
-
-## Can I restage the same MSIX application?
-
-Yes. You can restage applications you've already restaged, and this shouldn't cause any errors.
-
-## Does MSIX app attach support self-signed certificates?
-
-Yes. You need to install the self-signed certificate on all the session host VMs where MSIX app attach is used to host the self-signed application. Learn how to create a self-signed certificate at [Create a certificate for package signing](/windows/msix/package/create-certificate-package-signing).
-
-## What applications can I repackage to MSIX?
-
-Each application uses different features of the OS, programming languages, and frameworks. To repackage your application, follow the directions in [How to move your existing installers to MSIX](/windows/msix/packaging-tool/create-an-msix-overview#how-to-move-your-existing-installers-to-msix). You can find a list of the things you need in order to repackage an application at [Prepare to package a desktop application](/windows/msix/desktop/desktop-to-uwp-prepare).
-
-Certain applications can't be application layered, which means they can't be repackaged into an MSIX file. Here's a list of the applications that can't be repackaged:
--- Drivers -- Active-X or Silverlight-- VPN clients-- Antivirus programs-
-## How many MISX applications can I add to each session host?
-
-Each session host has different limits based on their CPU, memory, and OS. Going over these limits can affect application performance and overall user experience. However, MSIX app attach itself has no limit on how many applications it can use.
-
-## How many .VHD or .VHDX files can I mount on a host pool?
-
-MSIX app attach itself doesn't have a limit to the number of files you can mount. However, the host pool itself can be limited by the following factors:
--- The ability of the OS to handle mounted volumes.-- The maximum number of open files your storage solution or file system can hold.-- The host pool's session host memory and CPU utilization.-
-In other words, the host pool's limits would be the same as if you're installing and running the apps locally.
-
-## Next steps
-
-If you want to learn more about MSIX app attach, check out our [overview](what-is-app-attach.md) and [glossary](app-attach-glossary.md). Otherwise, get started with [Set up app attach](app-attach.md).
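Review bot: this deletes app-attach-faq.md while the sibling commits in this change repoint links to app-attach-faq.yml; make sure a redirect for the old .md path is added in the same change, otherwise external bookmarks and the section anchors 404. If the content is carried over as-is, fix "MISX applications" (typo for MSIX) and "For two version of the same MSIX applications" ("two versions") in the yml version.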
virtual-desktop App Attach File Share https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-file-share.md
Once you're finished, here are some other resources you might find helpful:
- Ask our community questions about this feature at the [Azure Virtual Desktop TechCommunity](https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/bd-p/WindowsVirtualDesktop). - You can also leave feedback for Azure Virtual Desktop at the [Azure Virtual Desktop feedback hub](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - [MSIX app attach glossary](app-attach-glossary.md)-- [MSIX app attach FAQ](app-attach-faq.md)
+- [MSIX app attach FAQ](app-attach-faq.yml)
virtual-desktop App Attach Glossary https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-glossary.md
The following table is a performance comparison between VHD and CimFS. These num
## Next steps
-If you want to learn more about MSIX app attach, check out our [overview](what-is-app-attach.md) and [FAQ](app-attach-faq.md). Otherwise, get started with [Set up app attach](app-attach.md).
+If you want to learn more about MSIX app attach, check out our [overview](what-is-app-attach.md) and [FAQ](app-attach-faq.yml). Otherwise, get started with [Set up app attach](app-attach.md).
virtual-desktop App Attach Image Prep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-image-prep.md
You can also leave feedback for Azure Virtual Desktop at the [Azure Virtual Desk
Here are some other articles you might find helpful: - [MSIX app attach glossary](app-attach-glossary.md)-- [MSIX app attach FAQ](app-attach-faq.md)
+- [MSIX app attach FAQ](app-attach-faq.yml)
virtual-desktop App Attach Msixmgr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-msixmgr.md
To learn how to set up app attach, check out these articles:
- [Prepare an MSIX image for Azure Virtual Desktop](app-attach-image-prep.md) - [Set up a file share for MSIX app attach](app-attach-file-share.md)
-If you have questions about MSIX app attach, see our [App attach FAQ](app-attach-faq.md) and [App attach glossary](app-attach-glossary.md).
+If you have questions about MSIX app attach, see our [App attach FAQ](app-attach-faq.yml) and [App attach glossary](app-attach-glossary.md).
virtual-desktop App Attach Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/app-attach-powershell.md
You can also leave feedback for Azure Virtual Desktop at the [Azure Virtual Desk
Here are some other articles you might find helpful: - [MSIX app attach glossary](app-attach-glossary.md)-- [MSIX app attach FAQ](app-attach-faq.md)
+- [MSIX app attach FAQ](app-attach-faq.yml)
virtual-desktop Create Host Pools Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/create-host-pools-azure-marketplace.md
To set up your virtual machine within the host pool setup process:
3. Choose the **Virtual machine location** where you want to create the virtual machines. They can be the same or different from the region you selected for the host pool. Keep in mind that VM prices vary by region, and the VM locations should be near their users when possible to maximize performance. Learn more at [Data locations for Azure Virtual Desktop](data-locations.md).
-4. Next, choose the availability option that best suit your needs. To learn more about which option is right for you, see [Availability options for virtual machines in Azure](../virtual-machines/availability.md) and [our FAQ](faq.md#which-availability-option-is-best-for-me).
+4. Next, choose the availability option that best suit your needs. To learn more about which option is right for you, see [Availability options for virtual machines in Azure](../virtual-machines/availability.md) and [our FAQ](/azure/virtual-desktop/faq#which-availability-option-is-best-for-me).
> [!div class="mx-imgBorder"] > ![A screenshot of the availability zone drop-down menu. The "availability zone" option is highlighted.](media/availability-zone.png)
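Review bot: while this line is being edited for the FAQ link, "the availability option that best suit your needs" should read "best suits your needs".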
To set up your virtual machine within the host pool setup process:
- If you choose **Storage Blob**, you can use your own image build through Hyper-V or on an Azure VM. All you have to do is enter the location of the image in the storage blob as a URI.
- The image's location is independent of the availability option, but the imageΓÇÖs zone resiliency determines whether that image can be used with availability zone. If you select an availability zone while creating your image, make sure you're using an image from the gallery with zone resiliency enabled. To learn more about which zone resiliency option you should use, see [the FAQ](faq.md#which-availability-option-is-best-for-me).
+ The image's location is independent of the availability option, but the imageΓÇÖs zone resiliency determines whether that image can be used with availability zone. If you select an availability zone while creating your image, make sure you're using an image from the gallery with zone resiliency enabled. To learn more about which zone resiliency option you should use, see [the FAQ](/azure/virtual-desktop/faq#which-availability-option-is-best-for-me).
6. After that, choose the **Virtual machine size** you want to use. You can either keep the default size as-is or select **Change size** to change the size. If you select **Change size**, in the window that appears, choose the size of the virtual machine suitable for your workload. To learn more about virtual machine sizes and which size you should choose, see [Virtual machine sizing guidelines](/windows-server/remote/remote-desktop-services/virtual-machine-recs?context=/azure/virtual-desktop/context/context).
virtual-desktop Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/faq.md
- Title: Azure Virtual Desktop FAQ - Azure
-description: Frequently asked questions and best practices for Azure Virtual Desktop.
-- Previously updated : 03/09/2021----
-# Azure Virtual Desktop FAQ
-
-This article answers frequently asked questions and explains best practices for Azure Virtual Desktop.
-
-## What are the minimum admin permissions I need to manage objects?
-
-If you want to create host pools and other objects, you must be assigned the Contributor role on the subscription or resource group you're working with.
-
-You must be assigned the User Access Admin role on an app group to publish app groups to users or user groups.
-
-To restrict an admin to only manage user sessions, such as sending messages to users, signing out users, and so on, you can create custom roles. For example:
-
-```powershell
-"actions": [
-"Microsoft.Resources/deployments/operations/read",
-"Microsoft.Resources/tags/read",
-"Microsoft.Authorization/roleAssignments/read",
-"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
-"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
-"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write"
-],
-"notActions": [],
-"dataActions": [],
-"notDataActions": []
-}
-```
-
-## Does Azure Virtual Desktop support split Azure Active Directory models?
-
-When a user is assigned to an app group, the service does a simple Azure role assignment. As a result, the userΓÇÖs Azure Active Directory (AD) and the app groupΓÇÖs Azure AD must be in the same location. All service objects, such as host pools, app groups, and workspaces, also must be in the same Azure AD as the user.
-
-You can create virtual machines (VMs) in a different Azure AD as long as you sync the Active Directory with the user's Azure AD in the same virtual network (VNET).
-
-## What are location restrictions?
-
-All service resources have a location associated with them. A host poolΓÇÖs location determines which geography the service metadata for the host pool is stored in. An app group can't exist without a host pool. If you add apps to a RemoteApp app group, you'll also need a session host to determine the start menu apps. For any app group action, you'll also need a related data access on the host pool. To make sure data isn't being transferred between multiple locations, the app group's location should be the same as the host pool's.
-
-Workspaces also must be in the same location as their app groups. Whenever the workspace updates, the related app group updates along with it. Like with app groups, the service requires that all workspaces are associated with app groups created in the same location.
-
-## How do you expand an object's properties in PowerShell?
-
-When you run a PowerShell cmdlet, you only see the resource name and location.
-
-For example:
-
-```powershell
-Get-AzWvdHostPool -Name 0224hp -ResourceGroupName 0224rg
-
-Location Name Type
- -
-westus 0224hp Microsoft.DesktopVirtualization/hostpools
-```
-
-To see all of a resource's properties, add either `format-list` or `fl` to the end of the cmdlet.
-
-For example:
-
-```powershell
-Get-AzWvdHostPool -Name 0224hp -ResourceGroupName 0224rg |fl
-```
-
-To see specific properties, add the specific property names after `format-list` or `fl`.
-
-For example:
-
-```powershell
-Get-AzWvdHostPool -Name demohp -ResourceGroupName 0414rg |fl CustomRdpProperty
-
-CustomRdpProperty : audiocapturemode:i:0;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:0;redirectprinters:i:1;redirectsmartcards:i:1;screen modeid:i:2;
-```
-
-## Does Azure Virtual Desktop support guest users?
-
-Azure Virtual Desktop doesn't support Azure AD guest user accounts. For example, let's say a group of guest users have Microsoft 365 E3 Per-user, Windows E3 Per-user, or WIN VDA licenses in their own company, but are guest users in a different company's Azure AD. The other company would manage the guest users' user objects in both Azure AD and Active Directory like local accounts.
-
-You can't use your own licenses for the benefit of a third party. Also, Azure Virtual Desktop doesn't currently support Microsoft Account (MSA).
-
-## Why don't I see the client IP address in the WVDConnections table?
-
-We don't currently have a reliable way to collect the web client's IP addresses, so we don't include that value in the table.
-
-## How does Azure Virtual Desktop handle backups?
-
-There are multiple options in Azure for handling backup. You can use Azure backup, Site Recovery, and snapshots.
-
-## Does Azure Virtual Desktop support third-party collaboration apps?
-
-Azure Virtual Desktop is currently optimized for Teams. Microsoft currently doesn't support third-party collaboration apps like Zoom. Third-party organizations are responsible for giving compatibility guidelines to their customers. Azure Virtual Desktop also doesn't support Skype for Business.
-
-## Can I change from pooled to personal host pools?
-
-Once you create a host pool, you can't change its type. However, you can move any VMs you register to a host pool to a different type of host pool.
-
-## What's the largest profile size FSLogix can handle?
-
-Limitations or quotas in FSLogix depend on the storage fabric used to store user profile VHD(X) files.
-
-The following table gives an example of how many IOPS an FSLogix profile needs to support each user. Requirements can vary widely depending on the user, applications, and activity on each profile.
-
-| Resource | Requirement |
-|||
-| Steady state IOPS | 10 |
-| Sign in/sign out IOPS | 50 |
-
-The example in this table is of a single user, but can be used to estimate requirements for the total number of users in your environment. For example, you'd need around 1,000 IOPS for 100 users, and around 5,000 IOPS during sign-in and sign-out.
-
-## Is there a scale limit for host pools created in the Azure portal?
-
-These factors can affect scale limit for host pools:
--- The Azure template is limited to 800 objects. To learn more, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#template-limits). Each VM also creates about six objects, so that means you can create around 132 VMs each time you run the template.--- There are restrictions on how many cores you can create per region and per subscription. For example, if you have an Enterprise Agreement subscription, you can create 350 cores. You'll need to divide 350 by either the default number of cores per VM or your own core limit to determine how many VMs you can create each time you run the template. Learn more at [Virtual Machines limits - Azure Resource Manager](../azure-resource-manager/management/azure-subscription-service-limits.md#virtual-machines-limitsazure-resource-manager).--- The VM prefix name and the number of VMs is fewer than 15 characters. To learn more, see [Naming rules and restrictions for Azure resources](../azure-resource-manager/management/resource-name-rules.md#microsoftcompute).-
-## Can I manage Azure Virtual Desktop environments with Azure Lighthouse?
-
-Azure Lighthouse doesn't fully support managing Azure Virtual Desktop environments. Since Lighthouse doesn't currently support cross-Azure AD tenant user management, Lighthouse customers still need to sign in to the Azure AD that customers use to manage users.
-
-You also can't use CSP sandbox subscriptions with the Azure Virtual Desktop service. To learn more, see [Integration sandbox account](/partner-center/develop/set-up-api-access-in-partner-center#integration-sandbox-account).
-
-Finally, if you enabled the resource provider from the CSP owner account, the CSP customer accounts won't be able to modify the resource provider.
-
-## How often should I turn my VMs on to prevent registration issues?
-
-After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components. Turning your VM on within this time limit will prevent its registration token from expiring or becoming invalid. If you've started your VM after 90 days and are experiencing registration issues, follow the instructions in the [Azure Virtual Desktop agent troubleshooting guide](troubleshoot-agent.md#your-issue-isnt-listed-here-or-wasnt-resolved) to remove the VM from the host pool, reinstall the agent, and reregister it to the pool.
-
-## Can I set availability options when creating host pools?
-
-Yes. Azure Virtual Desktop host pools have an option for selecting either availability set or availability zones when you create a VM. These availability options are the same as the ones Azure Compute uses. If you select a zone for the VM you create in a host pool, the setting automatically applies to all VMs you create in that zone. If you'd prefer to spread your host pool VMs across multiple zones, you'll need to follow the directions in [Add virtual machines with the Azure portal](expand-existing-host-pool.md#add-virtual-machines-with-the-azure-portal) to manually select a new zone for each new VM you create.
-
-## Which availability option is best for me?
-
-The availability option you should use for your VMs depends on your image's location and its managed disk fields. The following table explains the relationship each setting has with these variables to help you figure out which option is best for your deployment.
-
-| Availability option | Image location | Use managed disk option button (radio button) |
-||||
-| None | Gallery | Disabled with "Yes" as default |
-| None | Blob storage | Enabled with "No" as default |
-| Availability zone | Gallery (blob storage option disabled) | Disabled with "Yes" as default |
-| Availability set with managed SKU (managed disk) | Gallery | Disabled with "Yes" as default |
-| Availability set with managed SKU (managed disk) | Blob storage | Enabled with "No" as default |
-| Availability set with managed SKU (managed disk) | Blob storage (Gallery option disabled) | Disabled with "No" as default |
-| Availability set (newly created by user) | Gallery | Disabled with "Yes" as default |
-| Availability set (newly created by user) | Blob storage | Enabled with "No" as default |
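Review bot: The "What are the minimum admin permissions I need to manage objects?" section removed here is still linked from the security baseline added in the same change (the `faq#what-are-the-minimum-admin-permissions-i-need-to-manage-objects` anchor under IM-1 and the same anchor under PA-2), so this hunk leaves those links dangling; either keep the section or retarget the links to wherever the FAQ content now lives. If the content is being moved rather than retired, take the chance to fix the custom-role example: it is fenced as ```powershell but is a JSON role definition, and it starts at `"actions": [` with the opening `{` and the `Name`, `Description` and `AssignableScopes` members missing, so it cannot be used with `New-AzRoleDefinition -InputFile` as it stands. Its permission set is also wider than the "only manage user sessions" scope the surrounding text promises: `Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*` already covers messaging and signing out users, while the extra `Microsoft.DesktopVirtualization/hostpools/sessionhosts/write` lets the holder change session-host settings such as drain mode (`AllowNewSession`); drop that action or state explicitly that the role is a session-host operator rather than a user-session operator.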
virtual-desktop Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/security-baseline.md
+
+ Title: Azure security baseline for Windows Virtual Desktop
+description: The Windows Virtual Desktop security baseline provides procedural guidance and resources for implementing the security recommendations specified in the Azure Security Benchmark.
+++ Last updated : 01/25/2021+++
+# Important: This content is machine generated; do not modify this topic directly. Contact mbaldwin for more information.
+++
+# Azure security baseline for Windows Virtual Desktop
+
+This security baseline applies guidance from the [Azure Security Benchmark version 2.0](../security/benchmarks/overview.md) to Windows Virtual Desktop. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Windows Virtual Desktop. **Controls** not applicable to Windows Virtual Desktop have been excluded.
+
+Windows Virtual Desktop service includes the service itself, the Windows 10 Enterprise for multi-session virtual sku as well as FSLogix. For FSLogix-related security recommendations, see the [security baseline for storage](../storage/common/security-baseline.md). The service has an agent running on virtual machines but since the virtual machines are under full control of the customer, follow [security recommendations for compute](../virtual-machines/windows/security-baseline.md)
+
+To see how Windows Virtual Desktop completely maps to the Azure Security Benchmark, see the [full Windows Virtual Desktop security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
+
+## Network Security
+
+*For more information, see the [Azure Security Benchmark: Network Security](../security/benchmarks/security-controls-v2-network-security.md).*
+
+### NS-1: Implement security for internal traffic
+
+**Guidance**: You must create or use an existing virtual network when you deploy virtual machines to be registered to Windows Virtual Desktop. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group or Azure Firewall.
+
+Use Adaptive Network Hardening features in Azure Security Center to recommend network security group configurations which limit ports and source IPs with reference to external network traffic rules.
+
+Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology)
+
+For the network security groups associated with your virtual machine (that are part of Windows Virtual Desktop) subnets, you must allow outgoing traffic to specific endpoints.
+
+- [Find out what URLs are required to be allowed access for Windows Virtual Desktop](safe-url-list.md)
+
+- [Adaptive Network Hardening in Azure Security Center](../security-center/security-center-adaptive-network-hardening.md)
+
+- [Azure Firewall for Windows Virtual Desktop ](../firewall/protect-windows-virtual-desktop.md)
+
+- [How to create a network security group with security rules](../virtual-network/tutorial-filter-network-traffic.md)
+
+
+
+- [How to deploy and configure Azure Firewall](../firewall/tutorial-firewall-deploy-portal.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### NS-2: Connect private networks together
+
+**Guidance**: Use Azure ExpressRoute or Azure virtual private network to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, offer more reliability, faster speeds and lower latencies than typical internet connections.
+
+For point-to-site and site-to-site virtual private networks, you can connect on-premises devices or networks to a virtual network using any combination of virtual private network options and Azure ExpressRoute.
+
+Use virtual network peering to connect two or more virtual networks together in Azure. Network traffic between peered virtual networks is private and stays on the Azure backbone network.
+
+- [What are the ExpressRoute connectivity models](../expressroute/expressroute-connectivity-models.md)
+
+- [Azure VPN overview](../vpn-gateway/vpn-gateway-about-vpngateways.md)
+
+- [Virtual network peering](../virtual-network/virtual-network-peering-overview.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### NS-4: Protect applications and services from external network attacks
+
+**Guidance**: Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your Windows Virtual Desktop resources against attacks from external networks, including distributed denial of service attacks, application specific attacks, unsolicited and potentially malicious internet traffic. Protect your assets against distributed denial of service attacks by enabling DDoS standard protection on your Azure Virtual Networks. Use Azure Security Center to detect misconfiguration risks related to your network related resources.
+
+Windows Virtual Desktop is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks targeting web applications.
+
+- [Azure Firewall Documentation](../firewall/index.yml)
+
+- [Manage Azure DDoS Protection Standard using the Azure portal](../ddos-protection/manage-ddos-protection.md)
+
+- [Azure Security Center recommendations](../security-center/recommendations-reference.md#networking-recommendations)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### NS-5: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
+
+**Guidance**: Use Azure Firewall with threat intelligence based filtering to alert on and optionally block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. When payload inspection is required, you can deploy a third-party intrusion detection or prevention solution from the Azure Marketplace.
+
+If you have a regulatory or other requirement for intrusion detection or prevention solution usage, ensure that it is always tuned to provide high-quality alerts to your security information and event management (SIEM) solution.
+
+- [How to deploy Azure Firewall](../firewall/tutorial-firewall-deploy-portal.md)
+
+- [Azure Marketplace includes 3rd party IDS capabilities](https://azuremarketplace.microsoft.com/marketplace?search=IDS)
+
+- [Microsoft Defender ATP EDR capability](/bs-cyrl-ba/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### NS-6: Simplify network security rules
+
+**Guidance**: Use Azure Virtual Network service tags to define network access controls on network security groups or an Azure Firewall configured for your Windows Virtual Desktop resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (For example: WindowsVirtualDesktop) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
+
+- [Understand and using Service Tags](../virtual-network/service-tags-overview.md)
+
+- [Learn more about what is covered by the Windows Virtual Desktop Service Tag here ](safe-url-list.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Identity Management
+
+*For more information, see the [Azure Security Benchmark: Identity Management](../security/benchmarks/security-controls-v2-identity-management.md).*
+
+### IM-1: Standardize Azure Active Directory as the central identity and authentication system
+
+**Guidance**: Windows Virtual Desktop uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organizationΓÇÖs identity and access management in:
+
+- Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
+
+- Your organization's resources, such as applications on Azure or your corporate network resources.
+
+Securing Azure AD should be a high priority in your organizationΓÇÖs cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to MicrosoftΓÇÖs best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
+
+Azure AD supports external identities which allow users without a Microsoft account to sign-in to their applications and resources with their external identity.
+
+- [Tenancy in Azure AD](../active-directory/develop/single-and-multi-tenant-apps.md)
+
+- [Use external identity providers for application](../active-directory/external-identities/identity-providers.md)
+
+- [What is the identity secure score in Azure AD](../active-directory/fundamentals/identity-secure-score.md)
+
+- [Specific roles that you need to operate Windows Virtual Desktop ](/azure/virtual-desktop/faq#what-are-the-minimum-admin-permissions-i-need-to-manage-objects)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IM-2: Manage application identities securely and automatically
+
+**Guidance**: Windows Virtual Desktop supports Azure managed identities for non-human accounts such as services or automation. It is recommended to use Azure managed identity feature instead of creating a more powerful human account to access or execute your resources.
+
+Windows Virtual Desktop recommends using Azure Active Directory (Azure AD) to create a service principal with restricted permissions at the resource level to configure service principals with certificate credentials and fall back to client secrets. In both cases, Azure Key Vault can be used to in conjunction with Azure managed identities, so that the runtime environment (such as, an Azure Function) can retrieve the credential from the key vault.
+
+- [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md)
+
+- [Azure service principal](/powershell/azure/create-azure-service-principal-azureps)
+
+- [Create a service principal with certificates](../active-directory/develop/howto-authenticate-service-principal-powershell.md)
+
+- [Use Azure Key Vault for security principal registration](../key-vault/general/authentication.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IM-3: Use Azure AD single sign-on (SSO) for application access
+
+**Guidance**: Windows Virtual Desktop uses Azure Active Directory (Azure AD) to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organizationΓÇÖs data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless secure access with greater visibility and control.
+
+- [Understand Application SSO with Azure AD](../active-directory/manage-apps/what-is-single-sign-on.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IM-4: Use strong authentication controls for all Azure Active Directory based access
+
+**Guidance**: Windows Virtual Desktop uses Azure Active Directory (Azure AD), which supports strong authentication controls through multifactor authentication and strong passwordless methods.
+
+- Multifactor authentication - Enable Azure AD multifactor authentication and follow Identity and Access Management recommendations from Azure Security Center for some best practices in your multifactor authentication setup. Multifactor authentication can be enforced on all, select users or at the per-user level based on sign-in conditions and risk factors.
+
+- Passwordless authentication ΓÇô Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.
+
+Windows Virtual Desktop supports legacy password-based authentication such as Cloud-only accounts (user accounts created directly in Azure) that have a baseline password policy or Hybrid accounts (user accounts from on-premise Azure AD which follow the on-premises password policies). When using password-based authentication, Azure AD provides a password protection capability that prevents users to set passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (such as branding, cultural references, and so on). This password protection can be used for cloud-only and hybrid accounts.
+
+Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as multifactor authentication and a strong password policy. For third-party applications and marketplace services which may have default passwords, you should change them upon the service initial setup.
+
+For administrator and privileged users, ensure the highest level of strong authentication methods are used, followed by rolling out the appropriate strong authentication policy to other users.
+
+- [Introduction to passwordless authentication options for Azure Active Directory](../active-directory/authentication/concept-authentication-passwordless.md)
+
+- [Azure AD default password policy](../active-directory/authentication/concept-sspr-policy.md#password-policies-that-only-apply-to-cloud-user-accounts)
+
+- [Eliminate bad passwords using Azure Active Directory Password Protection](../active-directory/authentication/concept-password-ban-bad.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IM-5: Monitor and alert on account anomalies
+
+**Guidance**: Windows Virtual Desktop is integrated with Azure Active Directory (Azure AD) which provides the following data sources:
+
+- Sign in - The sign-in report provides information about the usage of managed applications and user sign in activities.
+
+- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
+
+- Risky sign in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
+
+- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
+
+These data sources can be integrated with Azure Monitor, Azure Sentinel or a third-party security information and event management (SIEM) systems. Azure Security Center can also alert on certain suspicious activities such as excessive number of failed authentication attempts, deprecated accounts in the subscription. Azure Advanced Threat Protection (ATP) is a security solution that can use Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
+
+- [Audit activity reports in the Azure AD](../active-directory/reports-monitoring/concept-audit-logs.md)
+
+- [How to view Azure AD risky sign-ins](../active-directory/identity-protection/overview-identity-protection.md)
+
+- [Alerts in Azure Security Center's threat intelligence protection module](../security-center/alerts-reference.md)
+
+- [How to integrate Azure Activity Logs into Azure Monitor](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IM-6: Restrict Azure resource access based on conditions
+
+**Guidance**: Windows Virtual Desktop supports conditional access with Azure Active Directory (Azure AD) for a granular access-control based on user-defined conditions. For example, user logins from certain IP ranges could be required to use multifactor authentication for access.
+
+Additionally, granular authentication session management policy can also be used for different use cases.
+
+- [Azure conditional access overview](../active-directory/conditional-access/overview.md)
+
+- [Common conditional access policies](../active-directory/conditional-access/concept-conditional-access-policy-common.md)
+
+- [Configure authentication session management with conditional access](../active-directory/conditional-access/howto-conditional-access-session-lifetime.md)
+
+- [Windows Virtual Desktop specific conditional access setup info can be found here](set-up-mfa.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Privileged Access
+
+*For more information, see the [Azure Security Benchmark: Privileged Access](../security/benchmarks/security-controls-v2-privileged-access.md).*
+
+### PA-2: Restrict administrative access to business-critical systems
+
+**Guidance**: Windows Virtual Desktop uses Azure role-based access-control (Azure RBAC) to isolate access to business-critical systems. Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your business critical access such as Active Directory Domain Controllers, security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can potentially immediately weaponize them to compromise business critical assets.
+
+All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.
+
+- [Azure Components and Reference model](/security/compass/microsoft-security-compass-introduction#azure-components-and-reference-model-2151)
+
+- [Management Group Access](../governance/management-groups/overview.md#management-group-access)
+
+- [Azure subscription administrators](../cost-management-billing/manage/add-change-subscription-administrator.md)
+
+- [Minimum admin permissions needed to manage Windows Virtual Desktop](/azure/virtual-desktop#what-are-the-minimum-admin-permissions-i-need-to-manage-objects)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### PA-3: Review and reconcile user access regularly
+
+**Guidance**: Windows Virtual Desktop uses Azure Active Directory (Azure AD) accounts to manage its resources, review user accounts and access assignment regularly to ensure the accounts and their access are valid.
+
+Use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts.
+
+In addition, Azure Privileged Identity Management can also be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
+
+Some Azure services support local users and roles which not managed through Azure AD. You will need to manage these users separately.
+
+- [Built-in roles for Windows Virtual Desktop](rbac.md)
+
+- [Create an access review of Azure resource roles in Privileged Identity Management(PIM)](../active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md)
+
+- [How to use Azure AD identity and access reviews](../active-directory/governance/access-reviews-overview.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### PA-4: Set up emergency access in Azure AD
+
+**Guidance**: Windows Virtual Desktop uses Azure Active Directory (Azure AD) to manage its resources. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't be used.
+
+You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency.
+
+- [Manage emergency access accounts in Azure AD](../active-directory/roles/security-emergency-access.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### PA-5: Automate entitlement management
+
+**Guidance**: Windows Virtual Desktop is integrated with Azure Active Directory (Azure AD) to manage its resources. Use Azure AD entitlement management features to automate access request workflows, including access assignments, reviews, and expirations. In additional, dual or multi-stage approvals are also supported.
+
+- [What are Azure AD access reviews](../active-directory/governance/access-reviews-overview.md)
+
+- [What is Azure AD entitlement management](../active-directory/governance/entitlement-management-overview.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### PA-6: Use privileged access workstations
+
+**Guidance**: Secured and isolated workstations are critically important for the security of sensitive roles, such as, administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks.
+
+Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstation can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, restricted logical and network access.
+
+- [Understand privileged access workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/)
+
+- [Deploy a privileged access workstation](/security/compass/privileged-access-deployment)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### PA-7: Follow just enough administration (least privilege principle)
+
+**Guidance**: Windows Virtual Desktop is integrated with Azure role-based access-control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups service principals and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell or the Azure portal.
+
+The privileges you assign to resources with Azure RBAC should always be limited to the ones as required by the roles. This complements the just in time (JIT) approach of Privileged Identity Management (PIM), with Azure Active Directory (Azure AD), and should be reviewed periodically.
+
+Additionally, use built-in roles to allocate permissions and only create custom roles when required.
+
+- [What is Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md)
+
+- [How to configure Azure RBAC](../role-based-access-control/role-assignments-portal.md)
+
+- [How to use Azure AD identity and access reviews](../active-directory/governance/access-reviews-overview.md)
+
+- [Built-in roles for Windows Virtual Desktop](rbac.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### PA-8: Choose approval process for Microsoft support
+
+**Guidance**: In support scenarios where Microsoft needs to access customer data, Windows Virtual Desktop supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.
+
+- [Understand Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Shared
+
+## Data Protection
+
+*For more information, see the [Azure Security Benchmark: Data Protection](../security/benchmarks/security-controls-v2-data-protection.md).*
+
+### DP-1: Discovery, classify and label sensitive data
+
+**Guidance**: Discover, classify, and label your sensitive data so that you can design the appropriate controls. This is to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.
+
+Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, Office 365 and other locations.
+
+You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
+
+- [Tag sensitive information using Azure Information Protection](/azure/information-protection/what-is-information-protection)
+
+- [How to implement Azure SQL Data Discovery](../azure-sql/database/data-discovery-and-classification-overview.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### DP-2: Protect sensitive data
+
+**Guidance**: Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).
+
+To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
+
+Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.
+
+- [Azure Role Based Access Control (RBAC)](../role-based-access-control/overview.md)
+
+- [Understand customer data protection in Azure](../security/fundamentals/protection-customer-data.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### DP-3: Monitor for unauthorized transfer of sensitive data
+
+**Guidance**: Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.
+
+Advanced Threat Protection (ATP) features with both Azure Storage and Azure SQL ATP can alert on anomalous transfer of information, indicating what might be unauthorized transfers of sensitive information.
+
+Azure Information protection (AIP) provides monitoring capabilities for information that has been classified and labeled.
+
+Use data loss prevention solutions, such as the host-based ones, to enforce detective and/or preventative controls to prevent data exfiltration.
+
+- [Enable Azure SQL ATP](../azure-sql/database/threat-detection-overview.md)
+
+- [Enable Azure Storage ATP](../storage/common/azure-defender-storage-configure.md?tabs=azure-security-center)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Asset Management
+
+*For more information, see the [Azure Security Benchmark: Asset Management](../security/benchmarks/security-controls-v2-asset-management.md).*
+
+### AM-1: Ensure security team has visibility into risks for assets
+
+**Guidance**: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.
+
+Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
+
+Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
+
+Additional permissions might be required for visibility into workloads and services.
+
+- [Overview of Security Reader Role](../role-based-access-control/built-in-roles.md#security-reader)
+
+- [Overview of Azure Management Groups](../governance/management-groups/overview.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### AM-2: Ensure security team has access to asset inventory and metadata
+
+**Guidance**: Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.
+
+Use Azure Virtual Machine Inventory to automate the collection of information about software on Virtual Machines. Software Name, Version, publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.
+
+- [How to create queries with Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md)
+
+- [Azure Security Center asset inventory management](../security-center/asset-inventory.md)
+
+- [Resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=%2fazure%2fazure-resource-manager%2fmanagement%2ftoc.json)
+
+- [How to enable Azure virtual machine inventory](../automation/automation-tutorial-installed-software.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### AM-3: Use only approved Azure services
+
+**Guidance**: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
+
+- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md)
+
+- [How to deny a specific resource type with Azure Policy](../governance/policy/samples/built-in-policies.md#general)
+
+- [How to create queries with Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### AM-4: Ensure security of asset lifecycle management
+
+**Guidance**: Not applicable. Windows Virtual Desktop cannot be used for ensuring security of assets in a lifecycle management process. It is the customer's responsibility to maintain attributes and network configurations of assets which are considered high-impact.
+
+It is recommended that the customer create a process to capture the attribute and network-configuration changes, measure the change-impact and create remediation tasks, as applicable.
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### AM-5: Limit users' ability to interact with Azure Resource Manager
+
+**Guidance**: Use Azure Conditional Access to limit users' ability to interact with Azure Resources Manager by configuring "Block access" for the "Microsoft Azure Management" App.
+
+- [How to configure Conditional Access to block access to Azure Resources Manager](../role-based-access-control/conditional-access-azure-management.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### AM-6: Use only approved applications in compute resources
+
+**Guidance**: Use Azure virtual machine Inventory to automate the collection of information about all software on virtual machines. Software Name, Version, Publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.
+
+- [How to enable Azure virtual machine inventory](../automation/automation-tutorial-installed-software.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Logging and Threat Detection
+
+*For more information, see the [Azure Security Benchmark: Logging and Threat Detection](../security/benchmarks/security-controls-v2-logging-threat-detection.md).*
+
+### LT-1: Enable threat detection for Azure resources
+
+**Guidance**: Use the Azure Security Center built-in threat detection capability and enable Azure Defender (Formally Azure Advanced Threat Protection) for your Windows Virtual Desktop resources. Azure Defender for Windows Virtual Desktop provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Windows Virtual Desktop resources.
+
+Forward any logs from Windows Virtual Desktop to your security information event management (SIEM) solution which can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
+
+- [Threat protection in Azure Security Center](../security-center/azure-defender.md)
+
+- [Azure Security Center security alerts reference guide](../security-center/alerts-reference.md)
+
+- [Create custom analytics rules to detect threats](../sentinel/tutorial-detect-threats-custom.md)
+
+- [Cyber threat intelligence with Azure Sentinel](/azure/architecture/example-scenario/data/sentinel-threat-intelligence)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### LT-2: Enable threat detection for Azure identity and access management
+
+**Guidance**: Azure Active Directory (Azure AD) provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel or other security information and event management (SIEM) or monitoring tools for further sophisticated monitoring and analytics use cases:
+
+- Sign-in ΓÇô The sign-in report provides information about the usage of managed applications and user sign-in activities.
+
+- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
+
+- Risky sign-in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
+
+- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
+
+Azure Security Center can also alert on certain suspicious activities such as excessive number of failed authentication attempts and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, the Threat Protection module in Azure Security Center can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside the individual resources.
+
+- [Audit activity reports in the Azure Active Directory](../active-directory/reports-monitoring/concept-audit-logs.md)
+
+- [Enable Azure Identity Protection](../active-directory/identity-protection/overview-identity-protection.md)
+
+- [Threat protection in Azure Security Center](../security-center/azure-defender.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### LT-3: Enable logging for Azure network activities
+
+**Guidance**: Windows Virtual Desktop does not produce or process domain name service (DNS) query logs. However resources that are registered to the service can produce flow logs.
+
+Enable and collect network security group resource and flow logs, Azure Firewall logs and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.
+
+- [How to enable network security group flow logs](../network-watcher/network-watcher-nsg-flow-logging-portal.md)
+
+- [Azure Firewall logs and metrics](../firewall/logs-and-metrics.md)
+
+- [How to enable and use Traffic Analytics](../network-watcher/traffic-analytics.md)
+
+- [Azure networking monitoring solutions in Azure Monitor](../azure-monitor/insights/azure-networking-analytics.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### LT-4: Enable logging for Azure resources
+
+**Guidance**: Activity logs, which are automatically enabled, contain all write operations (PUT, POST, DELETE) for your Windows Virtual Desktop resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
+
+- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
+
+- [Understand logging and different log types in Azure](../azure-monitor/essentials/platform-logs-overview.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Shared
+
+### LT-5: Centralize security log management and analysis
+
+**Guidance**: Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, the tools used to process and access the data, and data retention requirements.
+
+Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
+
+In addition, enable and onboard data to Azure Sentinel or a third-party security information event management (SIEM). Many organizations choose to use Azure Sentinel for ΓÇ£hotΓÇ¥ data that is used frequently and Azure Storage for ΓÇ£coldΓÇ¥ data that is used less frequently.
+
+- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
+
+- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Incident Response
+
+*For more information, see the [Azure Security Benchmark: Incident Response](../security/benchmarks/security-controls-v2-incident-response.md).*
+
+### IR-1: Preparation ΓÇô update incident response process for Azure
+
+**Guidance**: Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and is regularly exercising them to ensure readiness.
+
+- [Implement security across the enterprise environment](/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud)
+
+- [Incident response reference guide](/microsoft-365/downloads/IR-Reference-Guide.pdf)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### IR-2: Preparation ΓÇô setup incident notification
+
+**Guidance**: Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs.
+
+- [How to set the Azure Security Center security contact](../security-center/security-center-provide-security-contact-details.md)
+
+**Azure Security Center monitoring**: Yes
+
+**Responsibility**: Customer
+
+### IR-3: Detection and analysis ΓÇô create incidents based on high quality alerts
+
+**Guidance**: Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they donΓÇÖt waste time on false positives.
+
+High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
+
+Azure Security Center provides high-quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.
+
+Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
+
+- [How to configure export](../security-center/continuous-export.md)
+
+- [How to stream alerts into Azure Sentinel](../sentinel/connect-azure-security-center.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IR-4: Detection and analysis ΓÇô investigate an incident
+
+**Guidance**: Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.
+
+The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:
+
+- Network data ΓÇô use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.
+
+- Snapshots of running systems:
+
+ - Use Azure virtual machine's snapshot capability to create a snapshot of the running system's disk.
+
+ - Use the operating system's native memory dump capability to create a snapshot of the running system's memory.
+
+ - Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.
+
+Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.
+
+- [Snapshot a Windows machine's disk](../virtual-machines/windows/snapshot-copy-managed-disk.md)
+
+- [Snapshot a Linux machine's disk](../virtual-machines/linux/snapshot-copy-managed-disk.md)
+
+- [Microsoft Azure Support diagnostic information and memory dump collection](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/)
+
+- [Investigate incidents with Azure Sentinel](../sentinel/tutorial-investigate-cases.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### IR-5: Detection and analysis ΓÇô prioritize incidents
+
+**Guidance**: Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.
+
+Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
+
+Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
+
+- [Security alerts in Azure Security Center](../security-center/security-center-alerts-overview.md)
+
+- [Use tags to organize your Azure resources](../azure-resource-manager/management/tag-resources.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### IR-6: Containment, eradication and recovery ΓÇô automate the incident handling
+
+**Guidance**: Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks.
+Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks.
+
+- [Configure workflow automation in Security Center](../security-center/workflow-automation.md)
+
+- [Set up automated threat responses in Azure Security Center](../security-center/tutorial-security-incident.md#triage-security-alerts)
+
+- [Set up automated threat responses in Azure Sentinel](../sentinel/tutorial-respond-threats-playbook.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Posture and Vulnerability Management
+
+*For more information, see the [Azure Security Benchmark: Posture and Vulnerability Management](../security/benchmarks/security-controls-v2-posture-vulnerability-management.md).*
+
+### PV-3: Establish secure configurations for compute resources
+
+**Guidance**: Use Azure Security Center and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.
+
+You can use custom operating system images or Azure Automation State configuration to establish the security configuration of the operating system required by your organization.
+
+- [How to monitor Azure Security Center recommendations](../security-center/security-center-recommendations.md)
+
+- [Azure Automation State Configuration Overview](../automation/automation-dsc-overview.md)
+
+- [Windows Virtual Desktop environment](environment-setup.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### PV-4: Sustain secure configurations for compute resources
+
+**Guidance**: Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources including virtual machines, containers, and others. In addition, you may use Azure Resource Manager templates, custom operating system images or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. The Microsoft virtual machine templates combined with the Azure Automation State Configuration may assist in meeting and maintaining the security requirements.
+
+Azure Marketplace Virtual Machine Images published by Microsoft are managed and maintained by Microsoft.
+
+Azure Security Center can also scan vulnerabilities in container image and performs continuous monitoring of your Docker configuration in containers against Center Internet Security's Docker benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues.
+
+- [How to implement Azure Security Center vulnerability assessment recommendations](../security-center/deploy-vulnerability-assessment-vm.md)
+
+- [How to create an Azure Virtual Machine from an ARM template](../virtual-machines/windows/ps-template.md)
+
+- [Azure Automation State Configuration Overview](../automation/automation-dsc-overview.md)
+
+- [Container security in Security Center](../security-center/container-security.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### PV-5: Securely store custom operating system and container images
+
+**Guidance**: Windows Virtual Desktop allows customers to manage operating system images. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. Use an Azure Shared Image Gallery you can share your images to different users, service principals, or Active Directory groups within your organization. Store container images in Azure Container Registry and use RBAC to ensure that only authorized users have access.
+
+- [Understand Azure RBAC](../role-based-access-control/rbac-and-directory-admin-roles.md)
+
+- [How to configure Azure RBAC](../role-based-access-control/quickstart-assign-role-user-portal.md)
+
+- [Shared Image Gallery overview](../virtual-machines/shared-image-galleries.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### PV-6: Perform software vulnerability assessments
+
+**Guidance**: Windows Virtual Desktop allows you to deploy your own virtual machines and register them to the service as well as have SQL database running in the environment.
+
+Windows Virtual Desktop can use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
+
+As require, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated.
+
+Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines (and SQL servers). Azure Security Center has a built-in vulnerability scanner for virtual machine, container images, and SQL database.
+
+As required, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected solution's portal to view historical scan data.
+
+- [How to implement Azure Security Center vulnerability assessment recommendations](../security-center/deploy-vulnerability-assessment-vm.md)
+
+- [Integrated vulnerability scanner for virtual machines](../security-center/deploy-vulnerability-assessment-vm.md)
+- [SQL vulnerability assessment](../azure-sql/database/sql-vulnerability-assessment.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### PV-7: Rapidly and automatically remediate software vulnerabilities
+
+**Guidance**: Windows Virtual Desktop doesn't use or require any third-party software. However, Windows Virtual Desktop allows you to deploy your own virtual machines and register them to the service.
+
+Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows Server virtual machines. For Windows virtual machines, ensure Windows Update has been enabled and set to update automatically.
+
+Use a third-party patch management solution for third-party software or System Center Updates Publisher for Configuration Manager.
+
+- [How to configure Update Management for virtual machines in Azure](../automation/update-management/overview.md)
+
+- [Manage updates and patches for your Azure VMs](../automation/update-management/manage-updates-for-vm.md)
+
+- [Configure Microsoft Endpoint Configuration Manager for Windows Virtual Desktop](configure-automatic-updates.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### PV-8: Conduct regular attack simulation
+
+**Guidance**: Windows Virtual Desktop does not allow customers to perform their own penetration testing on their Windows Virtual Desktop resources.
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Shared
+
+## Endpoint Security
+
+*For more information, see the [Azure Security Benchmark: Endpoint Security](../security/benchmarks/security-controls-v2-endpoint-security.md).*
+
+### ES-1: Use Endpoint Detection and Response (EDR)
+
+**Guidance**: Windows Virtual Desktop does not provide any specific capabilities for endpoint detection and response (EDR) processes. However resources registered to the service can benefit from endpoint detection and response capabilities.
+
+Enable endpoint detection and response capabilities for servers and clients and integrate them with security information and event management (SIEM) solutions and Security Operations processes.
+
+Advanced Threat Protection from Microsoft Defender provides Endpoint Detection and Response capabilities, as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.
+
+- [Microsoft Defender Advanced Threat Protection Overview](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
+
+- [Microsoft Defender ATP service for Windows servers](/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints)
+
+- [Microsoft Defender ATP service for non-Windows servers](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows)
+
+- [Microsoft Defender ATP for non-persistent virtual desktop infrastructure](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### ES-2: Use centrally managed modern anti-malware software
+
+**Guidance**: Protect your Windows Virtual Desktop resources with a centrally managed and modern endpoint anti-malware solution capable of real time and periodic scanning.
+
+Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.
+
+Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). Also, you can use Threat detection with Azure Security Center for data services to detect malware uploaded to Azure Storage accounts.
+
+- [How to configure Microsoft Antimalware for Cloud Services and Virtual Machines](../security/fundamentals/antimalware.md)
+
+- [Supported endpoint protection solutions](../security-center/security-center-services.md?tabs=features-windows#supported-endpoint-protection-solutions-)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### ES-3: Ensure anti-malware software and signatures are updated
+
+**Guidance**: Ensure anti-malware signatures are updated rapidly and consistently.
+
+Follow recommendations in Azure Security Center: "Compute &amp; Apps" to ensure all virtual machines and/or containers are up to date with the latest signatures.
+
+Microsoft Antimalware will automatically install the latest signatures and engine updates by default.
+
+- [How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines](../security/fundamentals/antimalware.md)
+
+- [Endpoint protection assessment and recommendations in Azure Security Center](../security-center/security-center-endpoint-protection.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Backup and Recovery
+
+*For more information, see the [Azure Security Benchmark: Backup and Recovery](../security/benchmarks/security-controls-v2-backup-recovery.md).*
+
+### BR-1: Ensure regular automated backups
+
+**Guidance**: Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be guidance by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
+
+Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.
+
+For a higher level of redundancy, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.
+
+- [Enterprise-scale business continuity and disaster recovery](/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery)
+
+- [How to enable Azure Backup](../backup/index.yml)
+
+- [How to enable cross region restore](../backup/backup-azure-arm-restore-vms.md#cross-region-restore)
+
+- [How to set up a business continuity and disaster recovery plan in Windows Virtual Desktop](disaster-recovery.md)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### BR-2: Encrypt backup data
+
+**Guidance**: Ensure your backups are protect against attacks. This should include encryption of the backups to protect against loss of confidentiality.
+
+For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backup using customer-managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.
+
+Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer-managed keys. Additionally, you can enable advanced security features to require multifactor authentication before backups can be altered or deleted.
+
+Overview of security features in Azure Backup /azure/backup/security-overview
+
+- [Encryption of backup data using customer-managed keys](../backup/encryption-at-rest-with-cmk.md)
+
+- [How to backup Key Vault keys in Azure](/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?preserve-view=true&view=azurermps-6.13.0)
+
+- [Security features to help protect hybrid backups from attacks](../backup/backup-azure-security-feature.md#prevent-attacks)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+### BR-3: Validate all backups including customer-managed keys
+
+**Guidance**: It is recommended to validate data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
+
+- [How to recover files from Azure Virtual Machine backup](../backup/backup-azure-restore-files-from-vm.md)
+
+- [Security implementation](../backup/backup-azure-restore-files-from-vm.md#security-implementations)
+
+**Azure Security Center monitoring**: Currently not available
+
+**Responsibility**: Customer
+
+## Governance and Strategy
+
+*For more information, see the [Azure Security Benchmark: Governance and Strategy](../security/benchmarks/security-controls-v2-governance-strategy.md).*
+
+### GS-1: Define asset management and data protection strategy
+
+**Guidance**: Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.
+
+This strategy should include documented guidance, policy, and standards for the following elements:
+
+- Data classification standard in accordance with the business risks
+
+- Security organization visibility into risks and asset inventory
+
+- Security organization approval of Azure services for use
+
+- Security of assets through their lifecycle
+
+- Required access control strategy in accordance with organizational data classification
+
+- Use of Azure native and third party data protection capabilities
+
+- Data encryption requirements for in-transit and at-rest use cases
+
+- Appropriate cryptographic standards
+
+For more information, see the following references:
+- [Azure Security Architecture Recommendation - Storage, data, and encryption](/azure/architecture/framework/security/storage-data-encryption?bc=%2fsecurity%2fcompass%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fcompass%2ftoc.json)
+
+- [Azure Security Fundamentals - Azure Data security, encryption, and storage](../security/fundamentals/encryption-overview.md)
+
+- [Cloud Adoption Framework - Azure data security and encryption best practices](../security/fundamentals/data-encryption-best-practices.md?bc=%2fazure%2fcloud-adoption-framework%2f_bread%2ftoc.json&toc=%2fazure%2fcloud-adoption-framework%2ftoc.json)
+
+- [Azure Security Benchmark - Asset management](../security/benchmarks/security-controls-v2-asset-management.md)
+
+- [Azure Security Benchmark - Data Protection](../security/benchmarks/security-controls-v2-data-protection.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### GS-2: Define enterprise segmentation strategy
+
+**Guidance**: Establish an enterprise-wide strategy to segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.
+
+Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.
+
+Ensure that the segmentation strategy is implemented consistently across control types including network security, identity and access models, and application permission/access models, and human process controls.
+
+- [Guidance on segmentation strategy in Azure (video)](/security/compass/microsoft-security-compass-introduction#azure-components-and-reference-model-2151)
+
+- [Guidance on segmentation strategy in Azure (document)](/security/compass/governance#enterprise-segmentation-strategy)
+
+- [Align network segmentation with enterprise segmentation strategy](/security/compass/network-security-containment#align-network-segmentation-with-enterprise-segmentation-strategy)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### GS-3: Define security posture management strategy
+
+**Guidance**: Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc.
+
+- [Azure Security Benchmark - Posture and vulnerability management](../security/benchmarks/security-controls-v2-posture-vulnerability-management.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### GS-4: Align organization roles, responsibilities, and accountabilities
+
+**Guidance**: Ensure you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud.
+
+- [Azure Security Best Practice 1 ΓÇô People: Educate Teams on Cloud Security Journey](/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey)
+
+- [Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology](/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology)
+
+- [Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions](/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### GS-5: Define network security strategy
+
+**Guidance**: Establish an Azure network security approach as part of your organizationΓÇÖs overall security access control strategy.
+
+This strategy should include documented guidance, policy, and standards for the following elements:
+
+- Centralized network management and security responsibility
+
+- Virtual network segmentation model aligned with the enterprise segmentation strategy
+
+- Remediation strategy in different threat and attack scenarios
+
+- Internet edge and ingress and egress strategy
+
+- Hybrid cloud and on-premises interconnectivity strategy
+
+- Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)
+
+For more information, see the following references:
+- [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy)
+
+- [Azure Security Benchmark - Network Security](../security/benchmarks/security-controls-v2-network-security.md)
+
+- [Azure network security overview](../security/fundamentals/network-overview.md)
+
+- [Enterprise network architecture strategy](/azure/cloud-adoption-framework/ready/enterprise-scale/architecture)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### GS-6: Define identity and privileged access strategy
+
+**Guidance**: Establish an Azure identity and privileged access approaches as part of your organizationΓÇÖs overall security access control strategy.
+
+This strategy should include documented guidance, policy, and standards for the following elements:
+
+- A centralized identity and authentication system and its interconnectivity with other internal and external identity systems
+
+- Strong authentication methods in different use cases and conditions
+
+- Protection of highly privileged users
+
+- Anomaly user activities monitoring and handling
+
+- User identity and access review and reconciliation process
+
+For more information, see the following references:
+
+- [Azure Security Benchmark - Identity management](../automation/update-management/overview.md)
+
+- [Azure Security Benchmark - Privileged access](../security/benchmarks/security-controls-v2-privileged-access.md)
+
+- [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy)
+
+- [Azure identity management security overview](../security/fundamentals/identity-management-overview.md)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+### GS-7: Define logging and threat response strategy
+
+**Guidance**: Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.
+
+This strategy should include documented guidance, policy, and standards for the following elements:
+
+- The security operations (SecOps) organizationΓÇÖs role and responsibilities
+
+- A well-defined incident response process aligning with NIST or another industry framework
+
+- Log capture and retention to support threat detection, incident response, and compliance needs
+
+- Centralized visibility of and correlation information about threats, using SIEM, native Azure capabilities, and other sources
+
+- Communication and notification plan with your customers, suppliers, and public parties of interest
+
+- Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication
+
+- Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention
+
+For more information, see the following references:
+
+- [Azure Security Benchmark - Logging and threat detection](../security/benchmarks/security-controls-v2-logging-threat-detection.md)
+
+- [Azure Security Benchmark - Incident response](../security/benchmarks/security-controls-v2-incident-response.md)
+
+- [Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud](/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud)
+
+- [Azure Adoption Framework, logging, and reporting decision guide](/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/)
+
+- [Azure enterprise scale, management, and monitoring](/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring)
+
+**Azure Security Center monitoring**: Not applicable
+
+**Responsibility**: Customer
+
+## Next steps
+
+- See the [Azure Security Benchmark V2 overview](../security/benchmarks/overview.md)
+- Learn more about [Azure security baselines](../security/benchmarks/security-baselines-overview.md)
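Review bot: under GS-6 the bullet titled "Azure Security Benchmark - Identity management" links to `../automation/update-management/overview.md`, which is the Update Management article already cited under PV-7; every other benchmark reference in this file follows the `../security/benchmarks/security-controls-v2-<control>.md` pattern, so this one should point at the identity management control instead. Two more link defects: under GS-4 the third bullet reads "Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions" but its anchor is `#4-process-update-incident-response-ir-processes-for-cloud`, the anchor the GS-7 "Best Practice 4" bullet uses correctly, so text and target disagree; and under BR-2 "Overview of security features in Azure Backup /azure/backup/security-overview" is a bare path instead of the `- [title](link)` bullet form used everywhere else. Encoding: the file carries mojibake, `ΓÇô` for the en dash in "Azure Security Best Practice 1 ΓÇô People" (GS-4) and `ΓÇÖ` for the apostrophe in "organizationΓÇÖs" (GS-5, GS-6, GS-7); save as UTF-8 with a plain hyphen and apostrophes, and write ES-3's "Compute &amp; Apps" as a literal "&" in markdown source. Wording: BR-1 "This should be guidance by any objectives" should read "guided by"; BR-2 "Ensure your backups are protect against attacks" should read "protected"; GS-2 "strategy to segmenting access" should read "strategy for segmenting access".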
virtual-desktop Start Virtual Machine Connect Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/start-virtual-machine-connect-faq.md
Yes. Users can shut down the VM by using the Start menu within their session, ju
To learn how to configure Start VM on Connect, see [Start virtual machine on connect (preview)](start-virtual-machine-connect.md).
-If you have more general questions about Azure Virtual Desktop, check out our general [FAQ](faq.md).
+If you have more general questions about Azure Virtual Desktop, check out our general [FAQ](faq.yml).
virtual-desktop Troubleshoot Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/troubleshoot-agent.md
To resolve this issue:
3. Make sure the [agent service is running](#error-the-rdagentbootloader-andor-remote-desktop-agent-loader-has-stopped-running) and the [stack listener is working](#error-stack-listener-isnt-working-on-windows-10-2004-vm). 4. Make sure [the agent can connect to the broker](#error-agent-cannot-connect-to-broker-with-invalid_form). 5. Make sure [your VM has a valid registration token](#error-invalid_registration_token).
-6. Make sure [the VM registration token hasn't expired](faq.md#how-often-should-i-turn-my-vms-on-to-prevent-registration-issues).
+6. Make sure [the VM registration token hasn't expired](/azure/virtual-desktop/faq#how-often-should-i-turn-my-vms-on-to-prevent-registration-issues).
## Error: InstallMsiException
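Review bot: step 6 now links to the absolute path `/azure/virtual-desktop/faq#how-often-should-i-turn-my-vms-on-to-prevent-registration-issues`, while the other FAQ link fixes in this batch (start-virtual-machine-connect-faq and what-is-app-attach) switch to the repo-relative `faq.yml`; use `faq.yml#how-often-should-i-turn-my-vms-on-to-prevent-registration-issues` here as well so the three files stay consistent and the link is resolved the same way as the others.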
virtual-desktop What Is App Attach https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-desktop/what-is-app-attach.md
The following table compares key feature of MSIX app attach and app layering.
## Next steps
-If you want to learn more about MSIX app attach, check out our [glossary](app-attach-glossary.md) and [FAQ](app-attach-faq.md). Otherwise, get started with [Set up app attach](app-attach.md).
+If you want to learn more about MSIX app attach, check out our [glossary](app-attach-glossary.md) and [FAQ](app-attach-faq.yml). Otherwise, get started with [Set up app attach](app-attach.md).
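Review bot: the unchanged context line above, "The following table compares key feature of MSIX app attach and app layering", should read "key features"; worth fixing while this file is touched. The `.md` to `.yml` change for the FAQ link itself matches the other FAQ moves in this batch.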
virtual-machines Dav4 Dasv4 Series https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/dav4-dasv4-series.md
Title: Dav4 and Dasv4-series description: Specifications for the Dav4 and Dasv4-series VMs.--++
virtual-machines Disks Shared Enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/disks-shared-enable.md
description: Configure an Azure managed disk with shared disks so that you can s
Previously updated : 07/19/2021 Last updated : 07/26/2021
virtual-machines Disks Shared https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/disks-shared.md
description: Learn about sharing Azure managed disks across multiple Linux VMs.
Previously updated : 07/19/2021 Last updated : 07/26/2021
virtual-machines Mac Create Ssh Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/linux/mac-create-ssh-keys.md
With a secure shell (SSH) key pair, you can create virtual machines (VMs) in Azure that use SSH keys for authentication. This article shows you how to quickly generate and use an SSH public-private key file pair for Linux VMs. You can complete these steps with the Azure Cloud Shell, a macOS or Linux host.
+For help with troubleshooting issues with SSH, see [Troubleshoot SSH connections to an Azure Linux VM that fails, errors out, or is refused](/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection).
+ > [!NOTE] > VMs created using SSH keys are by default configured with passwords disabled, which greatly increases the difficulty of brute-force guessing attacks.
If the VM is using the just-in-time access policy, you need to request access be
* For more information on working with SSH key pairs, see [Detailed steps to create and manage SSH key pairs](create-ssh-keys-detailed.md).
-* If you have difficulties with SSH connections to Azure VMs, see [Troubleshoot SSH connections to an Azure Linux VM](/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection).
+* If you have difficulties with SSH connections to Azure VMs, see [Troubleshoot SSH connections to an Azure Linux VM](/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection).
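Review bot: the new introductory sentence ("For help with troubleshooting issues with SSH, see [Troubleshoot SSH connections to an Azure Linux VM that fails, errors out, or is refused]") links to the same `/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection` target as the existing "If you have difficulties with SSH connections to Azure VMs" bullet in the next-steps list, so the article now sends readers to that page twice; keep one, or shorten the intro pointer. The `-`/`+` pair on that bullet shows no visible text difference, which suggests a whitespace-only edit; confirm it is intended. The added NOTE ("VMs created using SSH keys are by default configured with passwords disabled") is the security-relevant line here; consider saying explicitly that it is SSH password authentication that is disabled, so it is not read as the account having no password.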
vpn-gateway Vpn Gateway Howto Point To Site Resource Manager Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md
Verify that you have an Azure subscription. If you don't already have an Azure s
You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:
+**VNet**
+ * **VNet Name:** VNet1 * **Address space:** 10.1.0.0/16<br>For this example, we use only one address space. You can have more than one address space for your VNet. * **Subnet name:** FrontEnd
You can use the following values to create a test environment, or refer to these
* **Subscription:** If you have more than one subscription, verify that you are using the correct one. * **Resource Group:** TestRG1 * **Location:** East US
-* **GatewaySubnet:** 10.1.255.0/27<br>
+
+**Virtual network gateway**
+ * **Virtual network gateway name:** VNet1GW * **Gateway type:** VPN * **VPN type:** Route-based * **SKU:** VpnGw2
-* **Generation:** Generation 2
+* **Generation:** Generation2
+* **Gateway subnet address range:** 10.1.255.0/27
* **Public IP address name:** VNet1GWpip+
+**Connection type and client address pool**
+ * **Connection type:** Point-to-site * **Client address pool:** 172.16.201.0/24<br>VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.
vpn-gateway Vpn Gateway Vpn Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/vpn-gateway-vpn-faq.md
Previously updated : 06/23/2021 Last updated : 07/26/2021 # VPN Gateway FAQ
You can configure your virtual network to use both Site-to-Site and Point-to-Sit
## <a name="privacy"></a>Privacy
-### Does the VPN service store customer data?
+### Does the VPN service store or process customer data?
No.
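Review bot: the heading is broadened from "store" to "store or process customer data", but the answer beneath it is still the one-word "No."; an unqualified "No" to "process" is easy to misread for a service whose job is to carry traffic. Spell out what "process" means in this answer (for example, what is and is not retained or inspected), or keep the heading limited to "store".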
web-application-firewall Waf Front Door Drs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/web-application-firewall/afds/waf-front-door-drs.md
description: This article provides information on Web Application Firewall DRS
Previously updated : 06/09/2021 Last updated : 07/26/2021
The Default action is to BLOCK. Additionally, custom rules can be configured in
Custom rules are always applied before rules in the Default Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Default Rule Set are processed. You can also remove the Default Rule Set from your WAF policies.
+### Microsoft Threat Intelligence Collection rules
+
+The Microsoft Threat Intelligence Collection rules are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
+ ### Anomaly Scoring mode OWASP has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.
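Review bot: the new "Microsoft Threat Intelligence Collection rules" section is a single sentence and leaves out what a WAF operator needs in order to work with these rules: which Default Rule Set versions include them, how they are identified in the policy (rule IDs or rule group name), whether they take part in Anomaly Scoring mode described in the next section or carry a fixed action, and how to disable one or add an exclusion when it produces a false positive. Also "better false positive reduction" is redundant; "fewer false positives" reads cleaner.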