diff --git a/articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync.md b/articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync.md index 3b8d8860846eb..1cf7e3c538f28 100644 --- a/articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync.md +++ b/articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync.md @@ -64,7 +64,7 @@ After you have changed your password, the new password will be usable in Azure A
## Related Content -* [How to update your own password](../active-directory/active-directory-passwords-update-your-own-password.md#how-to-reset-your-password).) +* [How to update your own password](../active-directory/active-directory-passwords-update-your-own-password.md#reset-your-password).) * [Getting started with Password Management in Azure AD](../active-directory/active-directory-passwords-getting-started.md). * [Enable password synchronization to AAD Domain Services for a synced Azure AD tenant](active-directory-ds-getting-started-password-sync-synced-tenant.md) * [Administer an Azure AD Domain Services managed domain](active-directory-ds-admin-guide-administer-domain.md) diff --git a/articles/active-directory/active-directory-architecture.md b/articles/active-directory/active-directory-architecture.md new file mode 100644 index 0000000000000..310fae2b66d9a --- /dev/null +++ b/articles/active-directory/active-directory-architecture.md 
@@ -0,0 +1,117 @@ +--- +title: Understand Azure Active Directory architecture | Microsoft Docs +description: Explains what an Azure AD tenant is, and how to manage Azure through Azure Active Directory +services: active-directory +documentationcenter: '' +author: markvi +writer: v-lorisc +manager: femila + +ms.assetid: +ms.service: active-directory +ms.workload: infrastructure-services +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: get-started-article +ms.date: 03/01/2017 +ms.author: markvi + +--- +# Understand Azure Active Directory architecture +Azure Active Directory (Azure AD) enables you to securely manage access to Azure services and resources for your users. Included with Azure AD is a full suite of identity management capabilities. For information about Azure AD features, see [What is Azure Active Directory?](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis) + +With Azure AD, you can create and manage users and groups, and enable permissions to allow and deny access to enterprise resources. For information about identity management, see [The fundamentals of Azure identity management](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals-identity). + +## Azure AD architecture +Azure AD's geographically distributed architecture combines extensive monitoring, automated rerouting, failover, and recovery capabilities enable us to deliver enterprise-level availability and performance to our customers. + +The following architecture elements are covered in this article: + * Service architecture design + * Scalability + * Continuous availability + * Data centers + +### Service architecture design +The most common way to build a scalable, highly-available, data-rich system is through independent building blocks or scale units for the Azure AD data tier, scale units are called *partitions*. + +The data tier has several front-end services that provide read-write capability. 
The diagram below shows how the components of a single-directory partition are distributed throughout geographically-distrubuted data centers. + + ![Single Directory Partitions](./media/active-directory-architecture/active-directory-architecture.png) + +The components of Azure AD architecture include a primary replica and secondary replicas. + +**Primary replica** + +The *primary replica* receives all *writes* for the partition it belongs to. Any write operation is immediately replicated to a secondary replica in a different datacenter before returning success to the caller, thus ensuring geo-redundant durability of writes. + +**Secondary replicas** + +All directory *reads* are serviced from *secondary replicas*, which are at data centers that are physically located across different geographies. There are many secondary replicas, as data is replicated asynchronously. Directory reads, such as authentication requests, are serviced from data centers that are close to our customers. The secondary replicas are responsible for read scalability. + +### Scalability + +Scalability is the ability of a service to expand to meet increasing performance demands. Write scalability is achieved by partitioning the data. Read scalability is achieved by replicating data from one partition to multiple secondary replicas distributed throughout the world. + +Requests from directory applications are generally routed to the datacenter that they are physically closest to. Writes are transparently redirected to the primary replica to provide read-write consistency. Secondary replicas significantly extend the scale of partitions because the directories are typically serving reads most of the time. + +Directory applications connect to the nearest datacenters. This improves performance, and therefore scaling out is possible. Since a directory partition can have many secondary replicas, secondary replicas can be placed closer to the directory clients. 
Only internal directory service components that are write-intensive target the active primary replica directly. + +### Continuous availability + +Availability (or uptime) defines the ability of a system to perform uninterrupted. The key to Azure AD’s high-availability is that our services can quickly shift traffic across multiple geographically-distributed data centers. Each data center is independent, which enables de-correlated failure modes. + +Azure AD’s partition design is simplified compared to the enterprise AD design, which is critical for scaling up the system. We adopted a single-master design that includes a carefully orchestrated and deterministic primary replica failover process. + +**Fault tolerance** + +A system is more available if it is tolerant to hardware, network, and software failures. For each partition on the directory, a highly available master replica exists: The primary replica. Only writes to the partition are performed at this replica. This replica is being continuously and closely monitored, and writes can be immediately shifted to another replica (which becomes the new primary) if a failure is detected. During failover, there could be a loss of write availability typically of 1-2 minutes. Read availability is not affected during this time. + +Read operations (which outnumber writes by many orders of magnitude) only go to secondary replicas. Since secondary replicas are idempotent, loss of any one replica in a given partition is easily compensated by directing the reads to another replica, usually in the same datacenter. + +**Data durability** + +A write is durably committed to at least two data centers prior to it being acknowledged. This happens by first committing the write on the primary, and then immediately replicating the write to at least one other data center. This ensures that a potential catastrophic loss of the data center hosting the primary does not result in data loss. 
+ +Azure AD maintains a zero [Recovery Time Objective (RTO)](https://en.wikipedia.org/wiki/Recovery_time_objective) for token issuance and directory reads and in the order of minutes (~5 minutes) RTO for directory writes. We also maintain zero [Recovery Point Objective (RPO)](https://en.wikipedia.org/wiki/Recovery_point_objective) and will not lose data on failovers. + +### Data centers + +Azure AD’s replicas are stored in datacenters located throughout the world. For more information, see [Azure datacenters](https://azure.microsoft.com/en-us/overview/datacenters). + +Azure AD operates across data centers with the following characteristics: + + * Authentication, Graph and other AD services reside behind the Gateway service. The Gateway manages load balancing of these services. It will failover automatically if any unhealthy servers are detected using transactional health probes. Based on these health probes, the Gateway dynamically routes traffic to healthy data centers. + * For *reads*, the directory has secondary replicas and corresponding front-end services in an active-active configuration operating in multiple data centers. In case of a failure of an entire data center, traffic will be automatically routed to a different datacenter. + * For *writes*, the directory will failover primary (master) replica across data centers via planned (new primary is synchronized to old primary) or emergency failover procedures. Data durability is achieved by replicating any commit to at least two data centers. + +**Data consistency** + +The directory model is one of eventual consistency. One typical problem with distributed asynchronously replicating systems is that the data returned from a “particular” replica may not be up to date. + +Azure AD provides read-write consistency for applications targeting a secondary replica by routing its writes to the primary replica, and synchronously pulling the writes back to the secondary replica. 
+ +Application writes using the Graph API of Azure AD are abstracted from maintaining affinity to a directory replica for read-write consistency. The Azure AD Graph service maintains a logical session, which has affinity to a secondary replica used for reads; affinity is captured in a “replica token” that the graph service caches using a distributed cache. This token is then used for subsequent operations in the same logical session. + + >[!NOTE] + >Writes are immediately replicated to the secondary replica to which the logical session's reads were issued. + > + +**Backup protection** + +The directory implements soft deletes, instead of hard deletes, for users and tenants for easy recovery in case of accidental deletes by a customer. If your tenant administrator accidently deletes users, they can easily undo and restore the deleted users. + +Azure AD implements daily backups of all data, and therefore can authoritatively restore data in case of any logical deletions or corruptions. Our data tier employs error correcting codes, so that it can check for errors and automatically correct particular types of disk errors. + +**Metrics and monitors** + +Running a high availability service requires world-class metrics and monitoring capabilities. Azure AD continually analyzes and reports key service health metrics and success criteria for each of its services. We continuously develop and tune metrics, monitoring and alerting for each scenario, within each Azure AD service and across all services. + +If any Azure AD service is not working as expected, we immediately take action to restore functionality as quickly as possible. The most important metric Azure AD tracks is how quickly we can detect and mitigate a customer or live site issue. We invest heavily in monitoring and alerts to minimize time to detect (TTD Target: <5 minutes) and operational readiness to minimize time to mitigate (TTM Target: <30 minutes). 
+ +**Secure operations** + +We employ operational controls such as multi-factor authentication (MFA) for any operation, as well as auditing of all operations. In addition, we use a just-in-time elevation system to grant necessary temporary access for any operational task-on-demand on an ongoing basis. For more information, see [The Trusted Cloud](https://azure.microsoft.com/en-us/support/trust-center). + +## Next steps +[Azure Active Directory developer's guide](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide) + diff --git a/articles/active-directory/active-directory-conditional-access-azuread-connected-apps.md b/articles/active-directory/active-directory-conditional-access-azuread-connected-apps.md index 5e9e10b49e2d5..613f4c29b312c 100644 --- a/articles/active-directory/active-directory-conditional-access-azuread-connected-apps.md +++ b/articles/active-directory/active-directory-conditional-access-azuread-connected-apps.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 01/10/2017 +ms.date: 03/28/2017 ms.author: markvi --- diff --git a/articles/active-directory/active-directory-conditional-access-supported-apps.md b/articles/active-directory/active-directory-conditional-access-supported-apps.md index 602d192f57105..d91eb38fa9ba9 100644 --- a/articles/active-directory/active-directory-conditional-access-supported-apps.md +++ b/articles/active-directory/active-directory-conditional-access-supported-apps.md @@ -1,5 +1,5 @@ --- -title: Applications that use conditional access rules in Azure Active Directory | Microsoft Docs +title: Applications and browsers that use conditional access rules in Azure Active Directory | Microsoft Docs description: With conditional access control, Azure Active Directory checks for specific conditions when it authenticates the user, and to allow application access. services: active-directory documentationcenter: '' 
@@ -13,11 +13,12 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/22/2017 +ms.date: 03/28/2017 ms.author: markvi --- -# Applications that use conditional access rules in Azure Active Directory +# Applications and browsers that use conditional access rules in Azure Active Directory + Conditional access rules are supported in Azure Active Directory (Azure AD)-connected applications, pre-integrated federated software as a service (SaaS) applications, applications that use password single sign-on (SSO), line-of-business applications, and applications that use Azure AD Application Proxy. For a detailed list of applications for which you can use conditional access, see [Services enabled with conditional access](active-directory-conditional-access-technical-reference.md). Conditional access works both with mobile and desktop applications that use modern authentication. In this article, we cover how conditional access works in mobile and desktop apps. You can use Azure AD sign-in pages in applications that use modern authentication. With a sign-in page, a user is prompted for multi-factor authentication. A message is shown if the user's access is blocked. Modern authentication is required for the device to authenticate with Azure AD, so that device-based conditional access policies are evaluated. 
@@ -44,7 +45,7 @@ The following applications support conditional access for Office 365 and other A | Office 365 SharePoint Online |Mac OS X |Office 2016 apps for multi-factor authentication and location only; device-based policy support planned for the future | | Office 365 Yammer |Windows 10, iOS; Android support planned for the future |Office Yammer app | | Dynamics CRM |Windows 10, Windows 8.1, Windows 7, iOS, and Android |Dynamics CRM app | -| PowerBI service |Windows 10, Windows 8.1, Windows 7, and iOS|PowerBI app (Andoird app not supported) | +| PowerBI service |Windows 10, Windows 8.1, Windows 7, iOS, and Android |PowerBI app | | Azure Remote App service |Windows 10, Windows 8.1, Windows 7, iOS, Android, and Mac OS X |Azure Remote app | | Any My Apps app service |Android and iOS |Any My Apps app service | 
@@ -106,3 +107,34 @@ By applying the following three rules to the AD FS relying party trust for Micro c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true"); + + +## Supported browsers + + +| OS | Browsers | Support | +| :-- | :-- | :-: | +| Win 10 | IE, Edge | ![Check][1] | +| Win 10 | Chrome | Coming soon | +| Win 8 / 8.1 | IE | ![Check][1] | +| Win 7 | IE | ![Check][1] | +| iOS | Safari | ![Check][1] | +| Android | Chrome | ![Check][1] | +| WinPhone | IE, Edge | ![Check][1] | +| Windows Server 2016 | IE, Edge | ![Check][1] | +| Windows Server 2012 R2 | IE | ![Check][1] | +| Windows Server2008 R2 | IE | ![Check][1] | +| Mac OS | Safari | ![Check][1] | +| Mac OS | Chrome | Coming soon | + + +## Next steps + +For more details, see [Conditional access in Azure Active Directory](active-directory-conditional-access.md) + + + + +[1]: ./media/active-directory-conditional-access-supported-apps/ic195031.png + + diff --git a/articles/active-directory/active-directory-conditional-access-technical-reference.md b/articles/active-directory/active-directory-conditional-access-technical-reference.md index 2b76a3d300e25..884c35e85e681 100644 --- a/articles/active-directory/active-directory-conditional-access-technical-reference.md +++ b/articles/active-directory/active-directory-conditional-access-technical-reference.md 
@@ -1,7 +1,7 @@ --- title: Azure Active Directory Conditional Access technical reference | Microsoft Docs description: With Conditional access control, Azure Active Directory checks the specific conditions you pick when authenticating the user and before allowing access to the application. Once those conditions are met, the user is authenticated and allowed access to the application. -services: active-directory +services: active-directory. documentationcenter: '' author: MarkusVi manager: femila @@ -12,12 +12,14 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/01/2017 +ms.date: 03/28/2017 ms.author: markvi --- # Azure Active Directory Conditional Access technical reference + ## Services enabled with conditional access + Conditional Access rules are supported across various Azure AD application types. This list includes: @@ -34,6 +36,13 @@ Conditional Access rules are supported across various Azure AD application types * Visual Studio Online + + + + + + + ## Enable access rules Each rule can be enabled or disabled on a per application bases. When rules are **ON** they will be enabled and enforced for users accessing the application. When they are **OFF** they will not be used and will not impact the users sign in experience. diff --git a/articles/active-directory/active-directory-conditional-access.md b/articles/active-directory/active-directory-conditional-access.md index 2f1758697dba8..74e353743e0be 100644 --- a/articles/active-directory/active-directory-conditional-access.md +++ b/articles/active-directory/active-directory-conditional-access.md @@ -14,7 +14,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/23/2017 +ms.date: 03/28/2017 ms.author: markvi --- 
@@ -78,7 +78,7 @@ See the following resource categories and articles to learn more about setting c ### Multi-factor authentication and location policies * [Getting started with conditional access to Azure AD-connected apps based on group, location, and multi-factor authentication policies](active-directory-conditional-access-azuread-connected-apps.md) -* [Applications that are supported](active-directory-conditional-access-supported-apps.md) +* [Applications and browsers that are supported](active-directory-conditional-access-supported-apps.md) ### Device-based conditional access * [Set device-based conditional access policy for access control to Azure Active Directory-connected applications](active-directory-conditional-access-policy-connected-applications.md) diff --git a/articles/active-directory/active-directory-configurable-token-lifetimes.md b/articles/active-directory/active-directory-configurable-token-lifetimes.md index 8cd05fa0e815f..604458ce9a123 100644 --- a/articles/active-directory/active-directory-configurable-token-lifetimes.md +++ b/articles/active-directory/active-directory-configurable-token-lifetimes.md @@ -199,7 +199,8 @@ To get started, do the following steps: Connect-AzureAD -Confirm ``` -3. To see all policies that have been created in your organization, run the following command. Run this command after most operations in the following scenarios. Running the command also helps you get the **ObjectId** of your policies. +3. To see all policies that have been created in your organization, run the following command. Run this command after most operations in the following scenarios. Running the command also helps you get the ** +** of your policies. ```PowerShell Get-AzureADPolicy 
@@ -239,10 +240,9 @@ In this example, you create a policy that lets your users sign in less frequentl You might decide that the first policy you set in this example is not as strict as your service requires. To set your Single-Factor Refresh Token to expire in two days, run the following command: ```PowerShell - Set-AzureADPolicy -ObjectId -DisplayName "OrganizationDefaultPolicyUpdatedScenario" -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"2.00:00:00"}}') + Set-AzureADPolicy -Id -DisplayName "OrganizationDefaultPolicyUpdatedScenario" -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"2.00:00:00"}}') ``` - ### Example: Create a policy for web sign-in In this example, you create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens and the max age of a multi-factor session token to the service principal of your web app. @@ -270,7 +270,7 @@ In this example, you create a policy that requires users to authenticate more fr 2. When you have the **ObjectId** of your service principal, run the following command: ```PowerShell - Add-AzureADServicePrincipalPolicy -ObjectId -RefObjectId + Add-AzureADServicePrincipalPolicy -Id -RefObjectId ``` @@ -296,7 +296,7 @@ In this example, you create a policy that requires users to authenticate less fr When you have the **ObjectId** of your app, run the following command: ```PowerShell - Add-AzureADApplicationPolicy -ObjectId -RefObjectId + Add-AzureADApplicationPolicy -Id -RefObjectId ``` 
@@ -326,13 +326,13 @@ In this example, you create a few policies, to learn how the priority system wor 2. When you have the **ObjectId** of your service principal, run the following command: ```PowerShell - Add-AzureADServicePrincipalPolicy -ObjectId -RefObjectId + Add-AzureADServicePrincipalPolicy -Id -RefObjectId ``` 3. Set the `IsOrganizationDefault` flag to false: ```PowerShell - Set-AzureADPolicy -ObjectId -DisplayName "ComplexPolicyScenario" -IsOrganizationDefault $false + Set-AzureADPolicy -Id -DisplayName "ComplexPolicyScenario" -IsOrganizationDefault $false ``` 4. Create a new organization default policy: @@ -376,7 +376,7 @@ Get-AzureADPolicy | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId [Optional] |**ObjectId** of the policy you want. |`-ObjectId ` | +| ‑Id [Optional] |**ObjectId (Id)** of the policy you want. |`-Id ` |

@@ -384,12 +384,12 @@ Get-AzureADPolicy Gets all apps and service principals that are linked to a policy. ```PowerShell -Get-AzureADPolicyAppliedObject -ObjectId +Get-AzureADPolicyAppliedObject -Id ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the policy you want. |`-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the policy you want. |`-Id ` |

@@ -397,12 +397,12 @@ Get-AzureADPolicyAppliedObject -ObjectId Updates an existing policy. ```PowerShell -Set-AzureADPolicy -ObjectId -DisplayName +Set-AzureADPolicy -Id -DisplayName ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the policy you want. |`-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the policy you want. |`-Id ` | | ‑DisplayName |String of the policy name. |`-DisplayName "MyTokenPolicy"` | | ‑Definition [Optional] |Array of stringified JSON that contains all the policy's rules. |`-Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"20:00:00"}}')` | | ‑IsOrganizationDefault [Optional] |If true, sets the policy as the organization's default policy. If false, does nothing. |`-IsOrganizationDefault $true` | @@ -415,12 +415,12 @@ Set-AzureADPolicy -ObjectId -DisplayName Deletes the specified policy. ```PowerShell - Remove-AzureADPolicy -ObjectId + Remove-AzureADPolicy -Id ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the policy you want. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the policy you want. | `-Id ` |

@@ -431,12 +431,12 @@ You can use the following cmdlets for application policies.

Links the specified policy to an application. ```PowerShell -Add-AzureADApplicationPolicy -ObjectId -RefObjectId +Add-AzureADApplicationPolicy -Id -RefObjectId ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the application. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the application. | `-Id ` | | ‑RefObjectId |**ObjectId** of the policy. | `-RefObjectId ` |

@@ -445,12 +445,12 @@ Add-AzureADApplicationPolicy -ObjectId -RefObjectId +Get-AzureADApplicationPolicy -Id ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the application. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the application. | `-Id ` |

@@ -458,12 +458,12 @@ Get-AzureADApplicationPolicy -ObjectId Removes a policy from an application. ```PowerShell -Remove-AzureADApplicationPolicy -ObjectId -PolicyId +Remove-AzureADApplicationPolicy -Id -PolicyId ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the application. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the application. | `-Id ` | | ‑PolicyId |**ObjectId** of the policy. | `-PolicyId ` |

@@ -475,12 +475,12 @@ You can use the following cmdlets for service principal policies. Links the specified policy to a service principal. ```PowerShell -Add-AzureADServicePrincipalPolicy -ObjectId -RefObjectId +Add-AzureADServicePrincipalPolicy -Id -RefObjectId ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the application. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the application. | `-Id ` | | ‑RefObjectId |**ObjectId** of the policy. | `-RefObjectId ` |

@@ -489,12 +489,12 @@ Add-AzureADServicePrincipalPolicy -ObjectId -RefO Gets any policy linked to the specified service principal. ```PowerShell -Get-AzureADServicePrincipalPolicy -ObjectId +Get-AzureADServicePrincipalPolicy -Id ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the application. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the application. | `-Id ` |

@@ -502,10 +502,10 @@ Get-AzureADServicePrincipalPolicy -ObjectId Removes the policy from the specified service principal. ```PowerShell -Remove-AzureADServicePrincipalPolicy -ObjectId -PolicyId +Remove-AzureADServicePrincipalPolicy -Id -PolicyId ``` | Parameters | Description | Example | | --- | --- | --- | -| ‑ObjectId |**ObjectId** of the application. | `-ObjectId ` | +| ‑Id |**ObjectId (Id)** of the application. | `-Id ` | | ‑PolicyId |**ObjectId** of the policy. | `-PolicyId ` | diff --git a/articles/active-directory/active-directory-editions.md b/articles/active-directory/active-directory-editions.md index c97e7bc8065a4..24a48e5788d00 100644 --- a/articles/active-directory/active-directory-editions.md +++ b/articles/active-directory/active-directory-editions.md @@ -141,7 +141,7 @@ The default usage quota is 150,000 objects. An object is an entry in the directo **More details:** -* [How to update your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password) +* [How to update your own password](active-directory-passwords-update-your-own-password.md#reset-your-password) #### Connect (Sync engine that extends on-premises directories to Azure Active Directory) **Type:** Common Features diff --git a/articles/active-directory/active-directory-passwords-best-practices.md b/articles/active-directory/active-directory-passwords-best-practices.md index 7a295cb593c81..5de3148d31968 100644 --- a/articles/active-directory/active-directory-passwords-best-practices.md +++ b/articles/active-directory/active-directory-passwords-best-practices.md 
@@ -19,7 +19,7 @@ ms.author: joflore --- # Deploying Password Management and training users to use it > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). > > @@ -140,7 +140,7 @@ We are working on sample training materials that you can use to get your IT orga ## Next steps Below are links to all of the Azure AD Password Reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Customize**](active-directory-passwords-customize.md) - learn how to customize the look & feel and behavior of the service to your organization's needs diff --git a/articles/active-directory/active-directory-passwords-customize.md b/articles/active-directory/active-directory-passwords-customize.md index a8209de7e298f..80fe6d533720c 100644 --- a/articles/active-directory/active-directory-passwords-customize.md +++ b/articles/active-directory/active-directory-passwords-customize.md 
@@ -19,7 +19,7 @@ ms.author: joflore --- # Customizing password management to fit your organization's needs > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). > > @@ -974,7 +974,7 @@ The following table describes how each control affects the experience for users ## Next steps Below are links to all of the Azure AD Password Reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Best practices**](active-directory-passwords-best-practices.md) - learn how to quickly deploy and effectively manage passwords in your organization diff --git a/articles/active-directory/active-directory-passwords-faq.md b/articles/active-directory/active-directory-passwords-faq.md index a287b343b0e0c..06b28946c167a 100644 --- a/articles/active-directory/active-directory-passwords-faq.md +++ b/articles/active-directory/active-directory-passwords-faq.md 
@@ -19,7 +19,7 @@ ms.author: joflore --- # Password management frequently asked questions > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). > > @@ -177,7 +177,7 @@ This FAQ is split into the following sections: > **A:** This is possible today if you are using ADFS by following the instructions here: [Sending Password Policy Claims with ADFS](https://technet.microsoft.com/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims?f=255&MSPPError=-2147217396). If you are using password hash synchronization, this is not possible today. This is because we do not sync password policies from on-premises, so it is not possible for us to post expiry notifications to cloud experiences. In either case, it is also possible to [notify users whose passwords are about to expire by using PowerShell](https://social.technet.microsoft.com/wiki/contents/articles/23313.notify-active-directory-users-about-password-expiry-using-powershell.aspx). > > - + ## Password management reports * **Q: How long does it take for data to show up on the password management reports?** 
@@ -242,7 +242,7 @@ This FAQ is split into the following sections: ## Next steps Below are links to all of the Azure AD Password Reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Customize**](active-directory-passwords-customize.md) - learn how to customize the look & feel and behavior of the service to your organization's needs diff --git a/articles/active-directory/active-directory-passwords-get-insights.md b/articles/active-directory/active-directory-passwords-get-insights.md index 3a800acce6ee3..9b09952d1d82c 100644 --- a/articles/active-directory/active-directory-passwords-get-insights.md +++ b/articles/active-directory/active-directory-passwords-get-insights.md @@ -19,7 +19,7 @@ ms.author: joflore --- # How to get operational insights with password management reports > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). 
> > @@ -90,10 +90,10 @@ The following activity types appear in the **Self-Service Password Management** * [**Reset password (self-service)**](#activity-type-reset-password-self-service) - Indicates a user successfully reset his or her password from the [Azure AD Password Reset Portal](https://passwordreset.microsoftonline.com). * [**Self serve password reset flow activity progress**](#activity-type-self-serve-password-reset-flow-activity-progress) - Indicates each specific step a user proceeds through (such as passing a specific password reset authentication gate) as part of the password reset process. * [**Unlock user account (self-service)**](#activity-type-unlock-user-account-self-service) - Indicates a user successfully unlocked his or her Active Directory account without resetting his or her password from the [Azure AD Password Reset Portal](https://passwordreset.microsoftonline.com) using the [AD account unlock without reset](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-customize#allow-users-to-unlock-accounts-without-resetting-their-password) feature. -* [**User registered for self-service password reset**](#activity-type-user-registered-for-self-service-password-reset) - Indicates a user has registered all the required information to be able to reset his or her password in accordance with the currently-specified tenant password reset policy. +* [**User registered for self-service password reset**](#activity-type-user-registered-for-self-service-password-reset) - Indicates a user has registered all the required information to be able to reset his or her password in accordance with the currently-specified tenant password reset policy. 
### Activity type: Blocked from self-service password reset -The following list explains this activity in detail: +The following list explains this activity in detail: * **Activity Description** – Indicates a user tried to reset a password, use a specific gate, or validate a phone number more than 5 total times in 24 hours. * **Activity Actor** - the user who was throttled from performing additional reset operations. May be an end-user or an administrator. @@ -103,7 +103,7 @@ The following list explains this activity in detail: * **Activity Status Failure Reason** - not applicable ### Activity type: Change password (self-service) -The following list explains this activity in detail: +The following list explains this activity in detail: * **Activity Description** – Indicates a user performed a voluntary, or forced (due to expiry) password change. * **Activity Actor** - the user who changed his or her password. May be an end-user or an administrator. 
@@ -111,11 +111,11 @@ The following list explains this activity in detail: * **Allowed Activity Statuses** * _Success_ - indicates a user successfully changed his or her password * _Failure_ - indicates a user failed to change his or her password. Clicking on the row will allow you to see the **Activity Status Reason** category to learn more about why the failure occurred. -* **Activity Status Failure Reason** - +* **Activity Status Failure Reason** - * _FuzzyPolicyViolationInvalidPassword_ - the user selected a password which was automatically banned due to Microsoft's Banned Password Detection capabilities finding it to be too common or especially weak. ### Activity type: Reset password (by admin) -The following list explains this activity in detail: +The following list explains this activity in detail: * **Activity Description** – Indicates an administrator performed a password reset on behalf of a user from the Azure Portal. * **Activity Actor** - the administrator who performed the password reset on behalf of another end-user or administrator. Must be either a global administrator, password administrator, user administrator, or helpdesk administrator. @@ -125,7 +125,7 @@ The following list explains this activity in detail: * _Failure_ - indicates an admin failed to change a user's password. Clicking on the row will allow you to see the **Activity Status Reason** category to learn more about why the failure occurred. ### Activity type: Reset password (self-service) -The following list explains this activity in detail: +The following list explains this activity in detail: * **Activity Description** – Indicates a user successfully reset his or her password from the [Azure AD Password Reset Portal](https://passwordreset.microsoftonline.com). * **Activity Actor** - the user who reset his or her password. May be an end-user or an administrator. 
@@ -133,11 +133,11 @@ The following list explains this activity in detail: * **Allowed Activity Statuses** * _Success_ - indicates an user successfully reset his or her own password * _Failure_ - indicates an user failed to reset his or her own password. Clicking on the row will allow you to see the **Activity Status Reason** category to learn more about why the failure occurred. -* **Activity Status Failure Reason** - +* **Activity Status Failure Reason** - * _FuzzyPolicyViolationInvalidPassword_ - the admin selected a password which was automatically banned due to Microsoft's Banned Password Detection capabilities finding it to be too common or especially weak. ### Activity type: Self serve password reset flow activity progress -The following list explains this activity in detail: +The following list explains this activity in detail: * **Activity Description** – Indicates each specific step a user proceeds through (such as passing a specific password reset authentication gate) as part of the password reset process. * **Activity Actor** - the user who performed part of the password reset flow. May be an end-user or an administrator. 
@@ -149,7 +149,7 @@ The following list explains this activity in detail: * See table below for [all allowed reset activity status reasons](#allowed-values-for-details-column) ### Activity type: Unlock user account (self-service) -The following list explains this activity in detail: +The following list explains this activity in detail: * **Activity Description** – Indicates a user successfully unlocked his or her Active Directory account without resetting his or her password from the [Azure AD Password Reset Portal](https://passwordreset.microsoftonline.com) using the [AD account unlock without reset](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-customize#allow-users-to-unlock-accounts-without-resetting-their-password) feature. * **Activity Actor** - the user who unlocked his or her account without resetting their password. May be an end-user or an administrator. 
@@ -159,13 +159,13 @@ The following list explains this activity in detail: * _Failure_ - indicates an user failed to unlock his or her account. Clicking on the row will allow you to see the **Activity Status Reason** category to learn more about why the failure occurred. ### Activity type: User registered for self-service password reset -The following list explains this activity in detail: +The following list explains this activity in detail: -* **Activity Description** – Indicates a user has registered all the required information to be able to reset his or her password in accordance with the currently-specified tenant password reset policy. +* **Activity Description** – Indicates a user has registered all the required information to be able to reset his or her password in accordance with the currently-specified tenant password reset policy. * **Activity Actor** - the user who registered for password reset. May be an end-user or an administrator. * **Activity Target** - the user who registered for password reset. May be an end-user or an administrator. * **Allowed Activity Statuses** - * _Success_ - indicates an user successfully registered for password reset in accordance with the current policy. + * _Success_ - indicates an user successfully registered for password reset in accordance with the current policy. * _Failure_ - indicates a user failed to register for password reset. Clicking on the row will allow you to see the **Activity Status Reason** category to learn more about why the failure occurred. Note - this does not mean a user is not able to reset his or her own password, just that he or she did not complete the registration process. If there is unverified data on their account that is correct (such as a phone number that is not validated), even though they have not verified this phone number, they can still use it to reset their password. 
For more information, see [What happens when a user registers?](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-learn-more#what-happens-when-a-user-registers) ## How to retrieve password management events from the Azure AD Reports and Events API @@ -180,7 +180,7 @@ Once you have a working script, you'll next want to examine the password reset a * [SsprRegistrationActivityEvent](https://msdn.microsoft.com/library/azure/mt126081.aspx#BKMK_SsprRegistrationActivityEvent): Lists the columns available for password reset registration events ### Reporting API data retrieval limitations -Currently, the Azure AD Reports and Events API retrieves up to **75,000 individual events** of the [SsprActivityEvent](https://msdn.microsoft.com/library/azure/mt126081.aspx#BKMK_SsprActivityEvent) and [SsprRegistrationActivityEvent](https://msdn.microsoft.com/library/azure/mt126081.aspx#BKMK_SsprRegistrationActivityEvent) types, spanning the **last 30 days**. +Currently, the Azure AD Reports and Events API retrieves up to **75,000 individual events** of the [SsprActivityEvent](https://msdn.microsoft.com/library/azure/mt126081.aspx#BKMK_SsprActivityEvent) and [SsprRegistrationActivityEvent](https://msdn.microsoft.com/library/azure/mt126081.aspx#BKMK_SsprRegistrationActivityEvent) types, spanning the **last 30 days**. If you need to retrieve or store data beyond this window, we suggest persisting it in an external database and using the API to query the deltas that result. A best practice is to begin retrieving this data when you start your password reset registration process in your organization, persist it externally, and then continue to track the deltas from this point forward. 
@@ -296,7 +296,7 @@ Below is the list of result types you may expect when using the password reset a ## Next steps Below are links to all of the Azure AD Password Reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Customize**](active-directory-passwords-customize.md) - learn how to customize the look & feel and behavior of the service to your organization's needs diff --git a/articles/active-directory/active-directory-passwords-how-it-works.md b/articles/active-directory/active-directory-passwords-how-it-works.md index cbf872aebf80a..0bca99db3923d 100644 --- a/articles/active-directory/active-directory-passwords-how-it-works.md +++ b/articles/active-directory/active-directory-passwords-how-it-works.md 
@@ -21,7 +21,7 @@ ms.custom: H1Hack27Feb2017 --- # How password management works in Azure Active Directory > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). Password management in Azure Active Directory (Azure AD) consists of the following logical components: @@ -113,7 +113,7 @@ For more information about Azure AD Connect, see [Get started: Azure AD Connect] To learn more, see the following Azure AD password reset pages: -* **Are you here because you're having problems signing in?** If so, learn how to [change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, learn how to [change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**Getting started**](active-directory-passwords-getting-started.md): Learn how to allow you users to reset and change their cloud or on-premises passwords. * [**Customize**](active-directory-passwords-customize.md): Learn how to customize the look, feel, and behavior of the service to your organization's needs. * [**Best practices**](active-directory-passwords-best-practices.md): Learn how to quickly deploy and effectively manage passwords in your organization. diff --git a/articles/active-directory/active-directory-passwords-learn-more.md b/articles/active-directory/active-directory-passwords-learn-more.md index c0da35c409306..04a6ddc8974a0 100644 --- a/articles/active-directory/active-directory-passwords-learn-more.md 
+++ b/articles/active-directory/active-directory-passwords-learn-more.md @@ -19,7 +19,7 @@ ms.author: joflore --- # Learn more about password management > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). > > @@ -116,7 +116,7 @@ The section below describes which scenarios are supported for which versions of ### Supported clients We always recommend that you use the auto-update feature of Azure AD Connect, or install the latest version of [Azure AD Connect](connect/active-directory-aadconnect.md#install-azure-ad-connect) if you want to use password writeback. -* **DirSync (any version > 1.0.6862)** - _NOT SUPPORTED_ - supports only basic writeback capabilities, and is no longer supported by the product group +* **DirSync (any version > 1.0.6862)** - _NOT SUPPORTED_ - supports only basic writeback capabilities, and is no longer supported by the product group * **Azure AD Sync** - _DEPRECATED_ - supports only basic writeback capabilities, and is missing account unlock capabilities, rich logging, and relability improvements made in Azure AD Connect. As such, we **highly** highly recommend upgrading. * **Azure AD Connect** - _FULLY SUPPORTED_ - supports all writeback capabiltiies - please upgrade to the latest version to get the best new features and most stability / reliability possible 
@@ -128,7 +128,7 @@ In order to use password writeback, you must have one of the following licenses * **Enterprise Moblity Suite** - no limitations on password writeback usage * **Enterprise Cloud Suite** - no limitations on password writeback usage -You may not use password writeback with any Office 365 licensing plan, whether trial or paid. You must upgrade to one of the above plans in order to use this feature. +You may not use password writeback with any Office 365 licensing plan, whether trial or paid. You must upgrade to one of the above plans in order to use this feature. We have no plans to enable password writeback for any Office 365 SKUs. @@ -162,7 +162,7 @@ Passwords are not written back in any of the following situations: * **Unsupported Administrator operations** * Any administrator-initiated end-user password reset from the [Office Management Portal](https://portal.office.com) * Any administrator-initiated end-user password reset from PowerShell v1, v2, or the Azure AD Graph API - + While we are working to remove these limitations, we do not have a specific timeline we can share yet. ## Password writeback security model 
@@ -176,9 +176,9 @@ Password writeback is a highly secure and robust service. In order to ensure yo ### Password writeback encryption details Below describes the encryption steps a password reset reqeust goes through after a user submits it, but before it arrives in your on-premises environment, to ensure maximum service reliability and security. -* **Step 1 - Password encryption with 2048-bit RSA Key** - Once a user submits a password to be written back to on-premises, first, the submitted password itself is encrypted with a 2048-bit RSA key. +* **Step 1 - Password encryption with 2048-bit RSA Key** - Once a user submits a password to be written back to on-premises, first, the submitted password itself is encrypted with a 2048-bit RSA key. -* **Step 2 - Package-level encryption with AES-GCM** - Then the entire package (password + required metadata) is encrypted using AES-GCM. This prevents anyone with direct access to the underlying ServiceBus channel from viewing/tampering with the contents. +* **Step 2 - Package-level encryption with AES-GCM** - Then the entire package (password + required metadata) is encrypted using AES-GCM. This prevents anyone with direct access to the underlying ServiceBus channel from viewing/tampering with the contents. * **Step 3 - All communication occurs over TLS / SSL** - Additionally, all the communication with ServiceBus happens in a SSL/TLS channel. This secures the contents from unauthorized 3rd parties. 
@@ -619,13 +619,13 @@ Password reset and change is fully supported with all B2B configurations. Read 1. **Users from a partner org with an existing Azure AD tenant** - If the organization you are partnering with has an existing Azure AD tenant, we will **respect whatever password reset policies are enabled in that tenant**. For password reset to work, the partner organization just needs to make sure Azure AD SSPR is enabled, which is no additional charge for O365 customers, and can be enabled by following the steps in our [Getting Started with Password Management](https://azure.microsoft.com/documentation/articles/active-directory-passwords-getting-started/#enable-users-to-reset-or-change-their-aad-passwords) guide. 2. **Users who signed up using [self-service sign up](https://docs.microsoft.com/azure/active-directory/active-directory-self-service-signup)** - If the organization you are partnering with used the [self-service sign up](https://docs.microsoft.com/azure/active-directory/active-directory-self-service-signup) feature to get into a tenant, we will let them reset out of the box with the email they registered. 3. **B2B users** - Any new B2B users created using the new [Azure AD B2B capabilities](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b) will also be able to reset their passwords out of the box with the email they registered during the invite process. - + To test any of this, just go to http://passwordreset.microsoftonline.com with one of these partner users. As long as they have an alternate email or authentication email defined, password reset will work as expected. More info on data used by sspr here can be found in our [What data is used by Password Reset](https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-learn-more/#what-data-is-used-by-password-reset) overview. 
## Next steps Below are links to all of the Azure AD Password Reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Customize**](active-directory-passwords-customize.md) - learn how to customize the look & feel and behavior of the service to your organization's needs diff --git a/articles/active-directory/active-directory-passwords-policy.md b/articles/active-directory/active-directory-passwords-policy.md index f32c826dcf3f6..fc33e58e72ec9 100644 --- a/articles/active-directory/active-directory-passwords-policy.md +++ b/articles/active-directory/active-directory-passwords-policy.md @@ -21,7 +21,7 @@ ms.author: curtand This article describes the password policies and complexity requirements associated with user accounts stored in your Azure AD directory. > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). 
> > @@ -50,7 +50,7 @@ The following table describes the available password policy settings that can be | Account Lockout |After 10 unsuccessful sign-in attempts (wrong password), the user will be locked out for one minute. Further incorrect sign-in attempts will lock out the user for increasing durations. | ## Next steps -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [Manage your passwords from anywhere](active-directory-passwords.md) * [How Password Management works](active-directory-passwords-how-it-works.md) * [Getting started with Password Mangement](active-directory-passwords-getting-started.md) diff --git a/articles/active-directory/active-directory-passwords-set-expiration-policy.md b/articles/active-directory/active-directory-passwords-set-expiration-policy.md index 8bfdd45bc2ca3..6cd17cb22d19f 100644 --- a/articles/active-directory/active-directory-passwords-set-expiration-policy.md +++ b/articles/active-directory/active-directory-passwords-set-expiration-policy.md @@ -19,7 +19,7 @@ ms.author: curtand --- # Set password expiration policies in Azure Active Directory > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). 
> > @@ -59,4 +59,4 @@ To use Windows PowerShell cmdlets, you first must install them. * To set the passwords of all the users in an organization to never expire, run the following cmdlet: `Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true` ## Next steps -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). diff --git a/articles/active-directory/active-directory-passwords-troubleshoot.md b/articles/active-directory/active-directory-passwords-troubleshoot.md index 23c311d4cdfee..8c139f1d7a75b 100644 --- a/articles/active-directory/active-directory-passwords-troubleshoot.md +++ b/articles/active-directory/active-directory-passwords-troubleshoot.md @@ -19,7 +19,7 @@ ms.author: joflore --- # How to troubleshoot Password Management > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). 
> > @@ -1498,7 +1498,7 @@ If that does not resolve your issue, then we recommend that you take a look at [ ## Next steps Below are links to all of the Azure AD Password Reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Customize**](active-directory-passwords-customize.md) - learn how to customize the look & feel and behavior of the service to your organization's needs diff --git a/articles/active-directory/active-directory-passwords.md b/articles/active-directory/active-directory-passwords.md index 748a19867da10..16cd24ffd9daf 100644 --- a/articles/active-directory/active-directory-passwords.md +++ b/articles/active-directory/active-directory-passwords.md @@ -19,7 +19,7 @@ ms.author: joflore --- # Azure Active Directory password reset for IT administrators > [!IMPORTANT] -> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +> **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). 
> > @@ -209,7 +209,7 @@ Below are some of the cool features we're working on right now! ## Next steps Below are links to all of the Azure AD password reset documentation pages: -* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +* **Are you here because you're having problems signing in?** If so, [here's how you can change and reset your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). * [**How it works**](active-directory-passwords-how-it-works.md) - learn about the six different components of the service and what each does * [**Getting started**](active-directory-passwords-getting-started.md) - learn how to allow you users to reset and change their cloud or on-premises passwords * [**Customize**](active-directory-passwords-customize.md) - learn how to customize the look & feel and behavior of the service to your organization's needs diff --git a/articles/active-directory/active-directory-reporting-api-with-certificates.md b/articles/active-directory/active-directory-reporting-api-with-certificates.md new file mode 100644 index 0000000000000..adf867ce61c73 --- /dev/null +++ b/articles/active-directory/active-directory-reporting-api-with-certificates.md 
@@ -0,0 +1,92 @@ +--- +title: Get data using the Azure AD Reporting API with certificates | Microsoft Docs +description: Explains how to use the Azure AD Reporting API with certificate credentials to get data from directories without user intervention. +services: active-directory +documentationcenter: '' +author: ramical +writer: v-lorisc +manager: kannar + +ms.assetid: +ms.service: active-directory +ms.workload: infrastructure-services +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: get-started-article +ms.date: 03/24/2017 +ms.author: ramical + +--- +# Get data using the Azure AD Reporting API with certificates +This article discusses how to use the Azure AD Reporting API with certificate credentials to get data from directories without user intervention. + +## Use the Azure AD Reporting API +Azure AD Reporting API requires that you complete the following steps: + * Install prerequisites + * Set the certificate in your app + * Get an access token + * Use the access token to call the Graph API + +For information about source code, see [Leverage Report API Module](https://github.com/AzureAD/azure-activedirectory-powershell/tree/gh-pages/Modules/AzureADUtils). + +### Install prerequisites +You will need to have Azure AD PowerShell V2 and AzureADUtils module installed. + +1. Download and install Azure AD Powershell V2, following the instructions at [Azure Active Directory PowerShell](https://github.com/Azure/azure-docs-powershell-azuread/blob/master/Azure AD Cmdlets/AzureAD/index.md). +2. Download the Azure AD Utils module from [AzureAD/azure-activedirectory-powershell](https://github.com/AzureAD/azure-activedirectory-powershell/blob/gh-pages/Modules/AzureADUtils/AzureADUtils.psm1). + This module provides several utility cmdlets including: + * The latest version of ADAL using Nuget + * Access tokens from user, application keys, and certificates using ADAL + * Graph API handling paged results + +**To install the Azure AD Utils module:** + +1. 
Create a directory to save the utilities module (for example, c:\azureAD) and download the module from GitHub. +2. Open a PowerShell session, and go to the directory you just created. +3. Import the module, and install it in the PowerShell module path using the Install-AzureADUtilsModule cmdlet. + +The session should look similar to this screen: + + ![Windows Powershell](./media/active-directory-report-api-with-certificates/windows-powershell.png) + +### Set the certificate in your app +1. If you already have an app, get its Object ID from the Azure Portal. + + ![Azure portal](./media/active-directory-report-api-with-certificates/azure-portal.png) + +2. Open a PowerShell session and connect to Azure AD using the Connect-AzureAD cmdlet. + + ![Azure portal](./media/active-directory-report-api-with-certificates/connect-azuaread-cmdlet.png) + +3. Use the New-AzureADApplicationCertificateCredential cmdlet from AzureADUtils to add a certificate credential to it. + +>[!Note] +>You need to provide the application Object ID that you captured earlier, as well as the certificate object (get this using the Cert: drive). +> + + + ![Azure portal](./media/active-directory-report-api-with-certificates/add-certificate-credential.png) + +### Get an access token + +To get an access token, use the Get-AzureADGraphAPIAccessTokenFromCert cmdlet from AzureADUtils. + +>[!NOTE] +>You need to use the Application ID instead of the Object ID that you used in the last section. +> + + ![Azure portal](./media/active-directory-report-api-with-certificates/application-id.png) + +### Use the access token to call the Graph API + +Now you can create the script. Below is an example using the Invoke-AzureADGraphAPIQuery cmdlet from the AzureADUtils. This cmdlet handles multi-paged results, and then sends those results to the PowerShell pipeline. 
+ + ![Azure portal](./media/active-directory-report-api-with-certificates/script-completed.png) + +You are now ready to export to a CSV and save to a SIEM system. You can also wrap your script in a scheduled task to get Azure AD data from your tenant periodically without having to store application keys in the source code. + +## Next steps +[The fundamentals of Azure identity management](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals-identity)
+ + + diff --git a/articles/active-directory/active-directory-saas-access-panel-user-help.md b/articles/active-directory/active-directory-saas-access-panel-user-help.md index f34c7e9e0b593..27f3ae93f1e92 100644 --- a/articles/active-directory/active-directory-saas-access-panel-user-help.md +++ b/articles/active-directory/active-directory-saas-access-panel-user-help.md @@ -19,10 +19,10 @@ ms.author: markvi --- # Do you need help with MyApps? -You have probably reached this page because you were unfortunately running into an issue when using the MyApps portal. While there are cases that require you to contact helpdesk or your administrator to get a problem solved, we are capturing in this topic steps to common questions you can try out yourself, first. +You have probably reached this page because you were unfortunately running into an issue when using the MyApps portal. While there are cases that require you to contact helpdesk or your administrator to get a problem solved, we are capturing in this topic steps to common questions you can try out yourself, first. + +If you are looking for help related to password management, try [this](active-directory-passwords-update-your-own-password.md#reset-your-password). -If you are looking for help related to password management, try [this](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password).#how-to-reset-your-password). - ## What is the MyApps portal? @@ -31,9 +31,9 @@ MyApps is a web portal that allows you to: - Manage and launch cloud-based applications - Manage your group memberships -- Manage your profile settings +- Manage your profile settings -![Access Panel][1] +![Access Panel][1] 
@@ -45,7 +45,7 @@ MyApps is a web portal that allows you to: 3. Type your old password, and then type a new password and confirm it. 4. Click **Submit**. -For more details, see [How to update your own password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +For more details, see [How to update your own password](active-directory-passwords-update-your-own-password.md#reset-your-password). ## How do I setup password reset? @@ -54,7 +54,7 @@ For more details, see [How to update your own password](active-directory-passwor 2. Under **Manage Account**, click **Set up self service password reset**. 3. Follow the steps in the dialogue box and submit. -For more details, see [How to reset your password](active-directory-passwords-update-your-own-password.md#how-to-reset-your-password). +For more details, see [How to reset your password](active-directory-passwords-update-your-own-password.md#reset-your-password). ## How can I add a new app? diff --git a/articles/active-directory/active-directory-saas-allocadia-tutorial.md b/articles/active-directory/active-directory-saas-allocadia-tutorial.md index eaeafe1ed95b4..d34d1992ca706 100644 --- a/articles/active-directory/active-directory-saas-allocadia-tutorial.md +++ b/articles/active-directory/active-directory-saas-allocadia-tutorial.md @@ -13,7 +13,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- 
@@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Allocadia with Azure Active Directo Integrating Allocadia with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Allocadia -* You can enable your users to automatically get signed-on to Allocadia (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically sign in to Allocadia using single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -32,26 +32,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Allocadia, you need the following items: * An Azure AD subscription -* A Allocadia single-sign on enabled subscription +* A Allocadia SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. > To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario Description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Allocadia from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Allocadia from the gallery +## Add Allocadia from the gallery To configure the integration of Allocadia into Azure AD, you need to add Allocadia from the gallery to your list of managed SaaS apps. **To add Allocadia from the gallery, perform the following steps:** 
@@ -82,22 +82,23 @@ To configure the integration of Allocadia into Azure AD, you need to add Allocad ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_06.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Allocadia based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Allocadia based on a test user called "Britta Simon". + +For SSO to work, Azure AD needs to know what the counterpart user in Allocadia is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Allocadia needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Allocadia is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Allocadia needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Allocadia. -To configure and test Azure AD single sign-on with Allocadia, you need to complete the following building blocks: +To configure and test Azure AD SSO with Allocadia, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating an Allocadia test user](#creating-an-allocadia-test-user)** - to have a counterpart of Britta Simon in Allocadia that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD Single Sign-On -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Allocadia application. +### Configure Azure AD single sign-on +In this section, you enable Azure AD SSO in the classic portal and configure SSO in your Allocadia application. Allocadia application expects the SAML assertions in a specific format. Please configure the following claims for this application. You can manage the values of these attributes from the **"Atrribute"** tab of the application. The following screenshot shows an example for this. 
@@ -117,59 +118,51 @@ Allocadia application expects the SAML assertions in a specific format. Please c | lastname |user.surname | | email |user.mail | - a. Click **add user attribute** to open the **Add User Attribure** dialog. + 1. Click **add user attribute** to open the **Add User Attribure** dialog. ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_general_81.png) - - b. In the **Attrubute Name** textbox, type the attribute name shown for that row. - - c. From the **Attribute Value** list, selsect the attribute value shown for that row. - - d. Click **Complete**. - - -1. In the menu on the top, click **Quick Start**. + 2. In the **Attrubute Name** textbox, type the attribute name shown for that row. + 3. From the **Attribute Value** list, selsect the attribute value shown for that row. + 4. Click **Complete**. + +3. In the menu on the top, click **Quick Start**. ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_general_83.png) -2. On the **How would you like users to sign on to Allocadia** page, select **Azure AD Single Sign-On**, and then click **Next**. +4. On the **How would you like users to sign on to Allocadia** page, select **Azure AD Single Sign-On**, and then click **Next**. ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_03.png) -3. On the **Configure App Settings** dialog page, perform the following steps:. - - ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_04.png) - - a. In the IDENTIFER box type the URL in the following pattern: For test environment use the URL as **"https://na2standby.allocadia.com"** and for production environment use **"https://na2.allocadia.com"** +5. On the **Configure App Settings** dialog page, perform the following steps:. - b. 
In the Reply URL type the URL in the following pattern: For test environment use the URL pattern as **"https://na2standby.allocadia.com/allocadia/saml/SSO"** and for production environment use **"https://na2.allocadia.com/allocadia/saml/SSO"** + ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_04.png) + 1. In the IDENTIFER box type the URL in the following pattern: For test environment use the URL as **"https://na2standby.allocadia.com"** and for production environment use **"https://na2.allocadia.com"**. + 2. In the Reply URL type the URL in the following pattern: For test environment use the URL pattern as **"https://na2standby.allocadia.com/allocadia/saml/SSO"** and for production environment use **"https://na2.allocadia.com/allocadia/saml/SSO"** -4. On the **Configure single sign-on at Allocadia** page, perform the following steps: +6. On the **Configure single sign-on at Allocadia** page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-allocadia-tutorial/tutorial_allocadia_05.png) - - a. Click **Download metadata**, and then save the file on your computer. - - b. Click **Next**. + 1. Click **Download metadata**, and then save the file on your computer. + 2. Click **Next**. -5. To get SSO configured for your application, contact [Allocadia Support](mailTo:support@allocadia.com) team and they will assist to configure SSO. Please note that you have to send email and attach downloaded metadata file to configure SSO on the Allocadia side. +7. To get SSO configured for your application, contact [Allocadia Support](mailTo:support@allocadia.com) team and they will assist to configure SSO. Please note that you have to send email and attach downloaded metadata file to configure SSO on the Allocadia side. 
- > [!NOTE] - > Please make sure that Allocadia team set the Identifier value in the test environment as **"https://na2standby.allocadia.com"** and for production environment, it should be: **"https://na2.allocadia.com"** - > - > + >[!NOTE] + >Please make sure that Allocadia team set the Identifier value in the test environment as **"https://na2standby.allocadia.com"** and for production environment, it should be: **"https://na2.allocadia.com"** + > -6. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. +8. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. ![Azure AD Single Sign-On][10] -7. On the **Single sign-on confirmation** page, click **Complete**. +9. On the **Single sign-on confirmation** page, click **Complete**. ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### CreatE an Azure AD test user In this section, you create a test user in the classic portal called Britta Simon. -In the Users list, select **Britta Simon**. + +* In the Users list, select **Britta Simon**. ![Create Azure AD User][20] 
@@ -192,26 +185,18 @@ In the Users list, select **Britta Simon**. 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_06.png) + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -219,22 +204,19 @@ In the Users list, select **Britta Simon**. 8. On the **Get temporary password** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + ![Creating an Azure AD test user](./media/active-directory-saas-allocadia-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating an Allocadia test user +### CreatE an Allocadia test user In this section, you create a user called Britta Simon in Allocadia. Allocadia application support just in time user provisioning. If you have configured the claims as stated above in **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** section then it will provision the users in the application. -> [!NOTE] -> If you need to create a user manually or batch of users, you need to contact the Allocadia support team. -> +>[!NOTE] +>If you need to create a user manually or batch of users, you need to contact the Allocadia support team. > -### Assigning the Azure AD test user -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Allocadia. +### Assign the Azure AD test user +In this section, you enable Britta Simon to use Azure sso by granting her access to Allocadia. ![Assign User][200] @@ -258,8 +240,9 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] -### Testing Single Sign-On -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Test Single Sign-On +In this section, you test your Azure AD sso configuration using the Access Panel. + When you click the Allocadia tile in the Access Panel, you should get automatically signed-on to your Allocadia application. ## Additional Resources 
diff --git a/articles/active-directory/active-directory-saas-amazon-web-service-tutorial.md b/articles/active-directory/active-directory-saas-amazon-web-service-tutorial.md index ae9b4c2e39882..76b74a9218c75 100644 --- a/articles/active-directory/active-directory-saas-amazon-web-service-tutorial.md +++ b/articles/active-directory/active-directory-saas-amazon-web-service-tutorial.md @@ -13,16 +13,17 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 +ms.date: 3/10/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Amazon Web Services (AWS) The objective of this tutorial is to show you how to integrate Amazon Web Services (AWS) with Azure Active Directory (Azure AD). + Integrating Amazon Web Services (AWS) with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Amazon Web Services (AWS) -* You can enable your users to automatically get signed-on to Amazon Web Services (AWS) (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to Amazon Web Services (AWS) single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -31,29 +32,30 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Amazon Web Services (AWS), you need the following items: * An Azure AD subscription -* An Amazon Web Services (AWS) single-sign on enabled subscription +* An Amazon Web Services (AWS) SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. > To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario Description -The objective of this tutorial is to enable you to test Azure AD single sign-on in a test environment. +The objective of this tutorial is to enable you to test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of three main building blocks: 1. Adding Amazon Web Services (AWS) from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Amazon Web Services (AWS) from the gallery +## Add Amazon Web Services (AWS) from the gallery To configure the integration of Amazon Web Services (AWS) into Azure AD, you need to add Amazon Web Services (AWS) from the gallery to your list of managed SaaS apps. -### To add Amazon Web Services (AWS) from the gallery, perform the following steps: +**To add Amazon Web Services (AWS) from the gallery, perform the following steps:** + 1. In the **Azure classic portal**, on the left navigation pane, click **Active Directory**. ![Active Directory][1] 
@@ -80,23 +82,26 @@ To configure the integration of Amazon Web Services (AWS) into Azure AD, you nee ![Applications][6] -## Configuring and testing Azure AD single sign-on -The objective of this section is to show you how to configure and test Azure AD single sign-on with Amazon Web Services (AWS) based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +The objective of this section is to show you how to configure and test Azure AD SSO with Amazon Web Services (AWS) based on a test user called "Britta Simon". + +For SSO to work, Azure AD needs to know what the counterpart user in Amazon Web Services (AWS) to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in Amazon Web Services (AWS) needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Amazon Web Services (AWS) to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in Amazon Web Services (AWS) needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Amazon Web Services (AWS). -To configure and test Azure AD single sign-on with Amazon Web Services (AWS), you need to complete the following building blocks: +To configure and test Azure AD SSO with Amazon Web Services (AWS), you need to complete the following building blocks: -1. **[Configuring Azure AD Single Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. 
**[Creating a Amazon Web Services (AWS) test user](#creating-a-halogen-software-test-user)** - to have a counterpart of Britta Simon in Amazon Web Services (AWS) that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on +The objective of this section is to enable Azure AD SSO in the Azure classic portal and to configure single sign-on in your Amazon Web Services (AWS) application. -### Configuring Azure AD Single Single Sign-On -The objective of this section is to enable Azure AD single sign-on in the Azure classic portal and to configure single sign-on in your Amazon Web Services (AWS) application. Your Amazon Web Services (AWS) application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your **saml token attributes** configuration. + The following screenshot shows an example for this. ![Configure Single Sign-On][27] @@ -111,7 +116,7 @@ The following screenshot shows an example for this. ![Configure Single Sign-On][8] -3. On the **Configure App Settings** dialog page, click Next. +3. On the **Configure App Settings** dialog page, click **Next**. ![Configure App Settings][9] 
@@ -135,15 +140,11 @@ The following screenshot shows an example for this. 9. On the **Configure Provider** dialog page, perform the following steps: - ![Configure Single Sign-On][14] - - a. As **Provider Type**, select **SAML**. - - b. In the **Provider Name** textbox, type a provider name (e.g.: *WAAD*). - - c. To upload your downloaded metadata file, click **Choose File**. - - d. Click **Next Step**. + ![Configure Single Sign-On][14] + 1. As **Provider Type**, select **SAML**. + 2. In the **Provider Name** textbox, type a provider name (e.g.: *WAAD*). + 3. To upload your downloaded metadata file, click **Choose File**. + 4. Click **Next Step**. 10. On the **Verify Provider Information** dialog page, click **Create**. 
@@ -155,27 +156,21 @@ The following screenshot shows an example for this. 12. On the **Set Role Name** dialog, perform the following steps: - ![Configure Single Sign-On][17] - - a. In the **Role Name** textbox, type a role name (e.g.: *TestUser*). - - b. Click **Next Step**. + ![Configure Single Sign-On][17] + 1. In the **Role Name** textbox, type a role name (e.g.: *TestUser*). + 2. Click **Next Step**. 13. On the **Select Role Type** dialog, perform the following steps: - ![Configure Single Sign-On][18] - - a. Select **Role For Identity Provider Access**. - - b. In the **Grant Web Single Sign-On (WebSSO) access to SAML providers** section, click **Select**. + ![Configure Single Sign-On][18] + 1. Select **Role For Identity Provider Access**. + 2. In the **Grant Web Single Sign-On (WebSSO) access to SAML providers** section, click **Select**. 14. On the **Establish Trust** dialog, perform the following steps: - ![Configure Single Sign-On][19] - - a. As SAML provider, select the SAML provider you have created previousley (e.g.: *WAAD*) - - b. Click **Next Step**. + ![Configure Single Sign-On][19] + 1. As SAML provider, select the SAML provider you have created previousley (e.g.: *WAAD*) + 2. Click **Next Step**. 15. On the **Verify Role Trust** dialog, click **Next Step**. @@ -187,13 +182,10 @@ The following screenshot shows an example for this. 17. On the **Review** dialog, perform the following steps: - ![Configure Single Sign-On][34] - - a. Copy the **Role ARN** value. - - b. Copy the **Trusted Entities** ARN value. - - c. Click **Create Role**. + ![Configure Single Sign-On][34] + 1. Copy the **Role ARN** value. + 2. Copy the **Trusted Entities** ARN value. + 3. Click **Create Role**. 18. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Next**. 
@@ -213,40 +205,30 @@ The following screenshot shows an example for this. 22. On the Add User Attribute dialog, perform the following steps. - ![Configure Single Sign-On][24] - - a. In the **Attribute Name** textbox, type **https://aws.amazon.com/SAML/Attributes/Role**. - - b. In the **Attribute Value** textbox, type **[the Role ARN value],[the Trusted Entity ARN value]**. + ![Configure Single Sign-On][24] + 1. In the **Attribute Name** textbox, type **https://aws.amazon.com/SAML/Attributes/Role**. + 2. In the **Attribute Value** textbox, type **[the Role ARN value],[the Trusted Entity ARN value]**. - > [!TIP] - > These are the values you have copied from the Review dialog when you have created your role. - > - > - - c. Click **Complete** to close the **Add User Attribute** dialog. + >[!TIP] + >These are the values you have copied from the Review dialog when you have created your role. + > + + 3. Click **Complete** to close the **Add User Attribute** dialog. 23. Click **add user attribute**. ![Configure Single Sign-On][23] -24. On the Add User Attribute dialog, perform the following steps. +24. On the Add User Attribute dialog, perform the following steps, and then click **Apply Changes**. ![Configure Single Sign-On][25] + 1. In the **Attribute Name** textbox, type **https://aws.amazon.com/SAML/Attributes/RoleSessionName**. + 2. In the **Attribute Value** textbox, type or select **user.userprincipalname** from the drop down list. - a. In the **Attribute Name** textbox, type **https://aws.amazon.com/SAML/Attributes/RoleSessionName**. - - b. In the **Attribute Value** textbox, type or select **user.userprincipalname** from the drop down list. - - ![Configure Single Sign-On][35] - - c. Click **Complete** to close the **Add User Attribute** dialog. - -1. Click **Apply Changes**. - - + ![Configure Single Sign-On][35] + 3. Click **Complete** to close the **Add User Attribute** dialog. 
-### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure classic portal called Britta Simon. ![Creating an Azure AD test user](./media/active-directory-saas-amazon-web-service-tutorial/create_aaduser_01.png) @@ -270,26 +252,18 @@ The objective of this section is to create a test user in the Azure classic port 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-amazon-web-service-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click Next. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click Next. 6. On the **User Profile** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-amazon-web-service-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** txtbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-amazon-web-service-tutorial/create_aaduser_06.png) + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** txtbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -297,21 +271,15 @@ The objective of this section is to create a test user in the Azure classic port 8. On the **Get temporary password** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-amazon-web-service-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + ![Creating an Azure AD test user](./media/active-directory-saas-amazon-web-service-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating a Amazon Web Services (AWS) test user +### Create a Amazon Web Services (AWS) test user The objective of this section is to create a user called Britta Simon in Amazon Web Services (AWS). -> [!NOTE] -> AWS support just in time user provisioning with SAML. This is by default enabled and so you do not have to provision the users in AWS. -> -> +**To create a user called Britta Simon in Amazon Web Services (AWS), perform the following steps:** -### To create a user called Britta Simon in Amazon Web Services (AWS), perform the following steps: 1. Log in to your **Amazon Web Services (AWS)** company site as administrator. 2. Click the **Console Home** icon. 
@@ -328,14 +296,12 @@ The objective of this section is to create a user called Britta Simon in Amazon 5. On the Create User dialog, perform the following steps: - ![Configure Single Sign-On][30] - - a. In the **Enter User Names** textboxes, type Brita Simon's user name (userprincipalname) in Azure AD. - - b. Click **Create**. + ![Configure Single Sign-On][30] + 1. In the **Enter User Names** textboxes, type Brita Simon's user name (userprincipalname) in Azure AD. + 2. Click **Create**. -### Assigning the Azure AD test user -The objective of this section is to enabling Britta Simon to use Azure single sign-on by granting her access to Amazon Web Services (AWS). +### Assign the Azure AD test user +The objective of this section is to enabling Britta Simon to use Azure SSO by granting her access to Amazon Web Services (AWS). ![Assign User][31] @@ -359,8 +325,9 @@ The objective of this section is to enabling Britta Simon to use Azure single si ![Assign User][29] -### Testing Single Sign-On -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +The objective of this section is to test your Azure AD SSO configuration using the Access Panel. + When you click the Amazon Web Services (AWS) tile in the Access Panel, you should get automatically signed-on to your Amazon Web Services (AWS) application. ## Additional Resources diff --git a/articles/active-directory/active-directory-saas-bridge-tutorial.md b/articles/active-directory/active-directory-saas-bridge-tutorial.md index 04b3d5b0a7553..bef7ac94d237e 100644 --- a/articles/active-directory/active-directory-saas-bridge-tutorial.md +++ b/articles/active-directory/active-directory-saas-bridge-tutorial.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 +ms.date: 3/10/2017 ms.author: jeedes --- 
@@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Bridge with Azure Active Directory Integrating Bridge with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to Bridge -- You can enable your users to automatically get signed-on to Bridge (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to Bridge single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -33,28 +33,29 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Bridge, you need the following items: - An Azure AD subscription -- A Bridge single-sign on enabled subscription +- A Bridge SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. - +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Bridge from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Bridge from the gallery +## Add Bridge from the gallery To configure the integration of Bridge into Azure AD, you need to add Bridge from the gallery to your list of managed SaaS apps. **To add Bridge from the gallery, perform the following steps:** 
@@ -86,24 +87,24 @@ To configure the integration of Bridge into Azure AD, you need to add Bridge fro ![Creating an Azure AD test user](./media/active-directory-saas-bridge-tutorial/tutorial_bridge_0001.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Bridge based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Bridge based on a test user called "Britta Simon". -For single sign-on to work, Azure AD needs to know what the counterpart user in Bridge is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Bridge needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in Bridge is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Bridge needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Bridge. To configure and test Azure AD single sign-on with Bridge, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a Bridge test user](#creating-a-bridge-test-user)** - to have a counterpart of Britta Simon in Bridge that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. 
**[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Bridge application. +In this section, you enable Azure AD SSO in the classic portal and configure single sign-on in your Bridge application. **To configure Azure AD single sign-on with Bridge, perform the following steps:** @@ -119,15 +120,13 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-bridge-tutorial/tutorial_bridge_03.png) + 1. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.bridgeapp.com` + 2. In the **Identifier** textbox, type a URL using the following pattern: `https://.bridgeapp.com` + 3. Click **Next**. - a. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.bridgeapp.com` - - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.bridgeapp.com` - - c. Click **Next**. - - > [!NOTE] - > Please note that these are not the real values. You have to update these values with the actual Sign On URL and Identifier. You can raise the support ticket with Bridge from here to get these values. + >[!NOTE] + >Please note that these are not the real values. You have to update these values with the actual Sign On URL and Identifier. You can raise the support ticket with Bridge from here to get these values. + > 4. On the **Configure single sign-on at Bridge** page, click **Download certificate** and then save the file on your computer: 
@@ -135,13 +134,10 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 5. To get SSO configured for your application, You can raise the support ticket with Bridge support team from here and provide them with the following: - • The downloaded **certificate file** - - • The **Entity ID** - - • The **Single Sign-On Service URL** - - • The **Single Sign-Out Service URL** + * The downloaded **certificate file** + * The **Entity ID** + * The **Single Sign-On Service URL** + * The **Single Sign-Out Service URL** 6. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. @@ -152,7 +148,7 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] 
@@ -176,26 +172,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-bridge-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-bridge-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -204,21 +192,16 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-bridge-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. - a. Write down the value of the **New Password**. - - b. Click **Complete**. - - - -### Creating a Bridge test user +### Create a Bridge test user In this section, you create a user called Britta Simon in Bridge. Please work with Bridge support team to create a user in the platform. You can raise the support ticket with Bridge from here to add the users in the Bridge platform. +### Assign the Azure AD test user -### Assigning the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Bridge. +In this section, you enable Britta Simon to use Azure SSO by granting her access to Bridge. ![Assign User][200] @@ -242,15 +225,12 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] +### Test single sign-on - -### Testing single sign-on - -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you test your Azure AD SSO configuration using the Access Panel. When you click the Bridge tile in the Access Panel, you should get automatically signed-on to your Bridge application. - ## Additional resources * [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](active-directory-saas-tutorial-list.md) diff --git a/articles/active-directory/active-directory-saas-convercent-tutorial.md b/articles/active-directory/active-directory-saas-convercent-tutorial.md index 224f5cb43dc56..b8933e1002bec 100644 --- a/articles/active-directory/active-directory-saas-convercent-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-convercent-tutorial.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Convercent with Azure Active Direct Integrating Convercent with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to Convercent -- You can enable your users to automatically get signed-on to Convercent (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to Convercent single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure new portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -33,28 +33,27 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Convercent, you need the following items: - An Azure AD subscription -- A Convercent single-sign on enabled subscription - - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +- A Convercent SSO enabled subscription +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get an one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Convercent from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO - -## Adding Convercent from the gallery +## Add Convercent from the gallery To configure the integration of Convercent into Azure AD, you need to add Convercent from the gallery to your list of managed SaaS apps. **To add Convercent from the gallery, perform the following steps:** 
@@ -79,25 +78,24 @@ To configure the integration of Convercent into Azure AD, you need to add Conver ![Creating an Azure AD test user](./media/active-directory-saas-convercent-tutorial/tutorial_convercent_0001.png) +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Convercent based on a test user called "Britta Simon". -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Convercent based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Convercent is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Convercent needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in Convercent is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Convercent needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Convercent. -To configure and test Azure AD single sign-on with Convercent, you need to complete the following building blocks: +To configure and test Azure AD SSO with Convercent, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a Convercent test user](#creating-a-works-mobile-test-user)** - to have a counterpart of Britta Simon in Convercent that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the Azure new portal and configure single sign-on in your Convercent application. +In this section, you enable Azure AD SSO in the Azure new portal and configure single sign-on in your Convercent application. **To configure Azure AD single sign-on with Convercent, perform the following steps:** 
@@ -112,21 +110,17 @@ In this section, you enable Azure AD single sign-on in the Azure new portal and 3. On the **Convercent Domain and URLs** section, If you wish to configure the application in **IDP initiated mode**, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-convercent-tutorial/tutorial_convercent_02.png) - - a. In the **Identifier** textbox, type: `https://sts.convercent.com/` - - b. Click on **"Show advanced URL settings"** - - c. In the **Relay State** textbox, type: `https://app.convercent.com/` + 1. In the **Identifier** textbox, type: `https://sts.convercent.com/` + 2. Click **"Show advanced URL settings"**. + 3. In the **Relay State** textbox, type: `https://app.convercent.com/` 4. If you wish to configure the application in **SP initiated mode**, on the **Convercent Domain and URLs** section perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-convercent-tutorial/tutorial_convercent_03.png) - - a. In the **Sign On URL** textbox, type: `https://app.convercent.com/` - - > [!NOTE] - > Here we will suggest you to use the specified unique Identifier. Contact [Convercent support team](mailTo:support@convercent.com) to get this value. + * In the **Sign On URL** textbox, type: `https://app.convercent.com/` + >[!NOTE] + >Here we will suggest you to use the specified unique Identifier. Contact [Convercent support team](mailTo:support@convercent.com) to get this value. + > 5. On the **Convercent Configuration** section, click **Configure Convercent** to open **Configure sign-on** dialog. Then click **SAML XML Metadata** and then save the metadata file on your computer. 
@@ -138,8 +132,7 @@ In this section, you enable Azure AD single sign-on in the Azure new portal and 7. In the Azure new portal, click **Save** button. - -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the new portal called Britta Simon. ![Create Azure AD User][100] @@ -161,25 +154,18 @@ The objective of this section is to create a test user in the new portal called 4. On the **User** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-convercent-tutorial/create_aaduser_04.png) + 1. In the **Name** textbox, type **BrittaSimon**. + 2. In the **User name** textbox, type the **email address** of BrittaSimon. + 3. Select **Show Password** and write down the value of the **Password**. + 4. Click **Create**. - a. In the **Name** textbox, type **BrittaSimon**. - - b. In the **User name** textbox, type the **email address** of BrittaSimon. - - c. Select **Show Password** and write down the value of the **Password**. - - d. Click **Create**. - - - -### Creating a Convercent test user +### Create a Convercent test user In this section, you create a user called Britta Simon in Convercent. Please work with [Convercent support team](emailto:support@convercent.com) to add the users in the Convercent platform. +### Assign the Azure AD test user -### Assigning the Azure AD test user - -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Convercent. +In this section, you enable Britta Simon to use Azure SSO by granting her access to Convercent. ![Assign User][200] 
@@ -207,11 +193,9 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting 7. Click **Assign** button on **Add Assignment** dialog. +### Test single sign-on - -### Testing single sign-on - -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you test your Azure AD SSO configuration using the Access Panel. When you click the Convercent tile in the Access Panel, you should get automatically signed-on to your Convercent application. diff --git a/articles/active-directory/active-directory-saas-filecloud-tutorial.md b/articles/active-directory/active-directory-saas-filecloud-tutorial.md index 81fe037cff7de..c54ccd9588873 100644 --- a/articles/active-directory/active-directory-saas-filecloud-tutorial.md +++ b/articles/active-directory/active-directory-saas-filecloud-tutorial.md @@ -13,7 +13,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ The objective of this tutorial is to show you how to integrate FileCloud with Az Integrating FileCloud with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to FileCloud -* You can enable your users to automatically get signed-on to FileCloud (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to FileCloud single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -32,27 +32,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with FileCloud, you need the following items: * An Azure AD subscription -* A FileCloud single-sign on enabled subscription +* A FileCloud SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. > To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -The objective of this tutorial is to enable you to test Azure AD single sign-on in a test environment. +The objective of this tutorial is to enable you to test Azure AD SSO in a test environment. The scenario outlined in this tutorial consists of two main building blocks: 1. Adding FileCloud from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding FileCloud from the gallery +## Add FileCloud from the gallery To configure the integration of FileCloud into Azure AD, you need to add FileCloud from the gallery to your list of managed SaaS apps. **To add FileCloud from the gallery, perform the following steps:** 
@@ -83,23 +82,23 @@ To configure the integration of FileCloud into Azure AD, you need to add FileClo ![Selecting the app in the gallery](./media/active-directory-saas-filecloud-tutorial/tutorial_filecloud_0001.png) -## Configuring and testing Azure AD single sign-on -The objective of this section is to show you how to configure and test Azure AD single sign-on with FileCloud based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +The objective of this section is to show you how to configure and test Azure AD SSO with FileCloud based on a test user called "Britta Simon". -For single sign-on to work, Azure AD needs to know what the counterpart user in FileCloud to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in FileCloud needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in FileCloud to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in FileCloud needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in FileCloud. -To configure and test Azure AD single sign-on with FileCloud, you need to complete the following building blocks: +To configure and test Azure AD SSO with FileCloud, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. 
**[Creating a FileCloud test user](#creating-a-filecloud-test-user)** - to have a counterpart of Britta Simon in FileCloud that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your FileCloud application. +### Configure Azure AD single sign-on +In this section, you enable Azure AD SSO in the classic portal and configure SSO in your FileCloud application. **To configure Azure AD single sign-on with FileCloud, perform the following steps:** 
@@ -114,25 +113,19 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, perform the following steps and click **Next**: ![Configure Single Sign-On](./media/active-directory-saas-filecloud-tutorial/tutorial_filecloud_04.png) + 1. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.filecloudhosted.com`. + 2. In the **Identifier** textbox, type: `https://.filecloudhosted.com/simplesaml/module.php/saml/sp/metadata.php/default-sp`. + 3. Click **Next**. - a. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.filecloudhosted.com`. - - b. In the **Identifier** textbox, type: `https://.filecloudhosted.com/simplesaml/module.php/saml/sp/metadata.php/default-sp`. - - c. Click **Next** - - > [!NOTE] - > Please note that you have to update these values with the actual Sign On URL and Identifier. To get these values, contact FileCloud support team via . - > - > + >[!NOTE] + >Please note that you have to update these values with the actual Sign On URL and Identifier. To get these values, contact FileCloud support team via . + > 4. On the **Configure single sign-on at FileCloud** page, perform the following steps and click **Next**: ![Configure Single Sign-On](./media/active-directory-saas-filecloud-tutorial/tutorial_filecloud_05.png) - - a. Click **Download metadata**, and then save the file on your computer. - - b. Click **Next**. + 1. Click **Download metadata**, and then save the file on your computer. + 2. Click **Next**. 5. In a different web browser window, sign-on to your FileCloud tenant as an administrator. @@ -166,7 +159,7 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] 
@@ -190,26 +183,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-filecloud-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-filecloud-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-filecloud-tutorial/create_aaduser_06.png) + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -217,24 +202,21 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-filecloud-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + ![Creating an Azure AD test user](./media/active-directory-saas-filecloud-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating a FileCloud test user +### Create a FileCloud test user The objective of this section is to create a user called Britta Simon in FileCloud. FileCloud supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user will be created during an attempt to access FileCloud if it doesn't exist yet. -> [!NOTE] -> If you need to create an user manually, you need to contact the FileCloud support team. -> +>[!NOTE] +>If you need to create an user manually, you need to contact the FileCloud support team. > -### Assigning the Azure AD test user -The objective of this section is to enabling Britta Simon to use Azure single sign-on by granting her access to FileCloud. +### Assign the Azure AD test user +The objective of this section is to enabling Britta Simon to use Azure SSO by granting her access to FileCloud. ![Assign User][200] @@ -258,8 +240,8 @@ The objective of this section is to enabling Britta Simon to use Azure single si ![Assign User][205] -### Testing single sign-on -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +The objective of this section is to test your Azure AD SSO configuration using the Access Panel. When you click the FileCloud tile in the Access Panel, you should get automatically signed-on to your FileCloud application. 
diff --git a/articles/active-directory/active-directory-saas-itrp-tutorial.md b/articles/active-directory/active-directory-saas-itrp-tutorial.md index c96e5203e378b..57eb9a20203fe 100644 --- a/articles/active-directory/active-directory-saas-itrp-tutorial.md +++ b/articles/active-directory/active-directory-saas-itrp-tutorial.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 03/09/2017 ms.author: jeedes --- @@ -28,16 +28,17 @@ After completing this tutorial, the Azure AD users you have assigned to ITRP wil The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for ITRP -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-itrp-tutorial/IC775551.png "Scenario") -## Enabling the application integration for ITRP +## Enable the application integration for ITRP The objective of this section is to outline how to enable the application integration for ITRP. -### To enable the application integration for ITRP, perform the following steps: +**To enable the application integration for ITRP, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-itrp-tutorial/IC700993.png "Active Directory") 
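Review bot: The building-block list in this hunk is left in the gerund form ("1. Enabling the application integration for ITRP", "2. Configuring single sign-on (SSO)") while the heading directly below it becomes `## Enable the application integration for ITRP`. Pick one form for both, or the list no longer matches the section titles it is meant to outline. The bold line that replaces the H3 also ends in `steps:**`; consider dropping "perform the following steps" so the lead-in is just "To enable the application integration for ITRP:".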
@@ -64,13 +65,16 @@ The objective of this section is to outline how to enable the application integr ![ITRP](./media/active-directory-saas-itrp-tutorial/IC775566.png "ITRP") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to ITRP with their account in Azure AD using federation based on the SAML protocol. + Configuring single sign-on for ITRP requires you to retrieve a thumbprint value from a certificate. + If you are not familiar with this procedure, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI). -### To configure single sign-on, perform the following steps: +**To configure single sign-on, perform the following steps:** + 1. In the Azure classic portal, on the **ITRP** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-itrp-tutorial/IC771709.png "Configure single sign-on") 
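Review bot: The thumbprint help link in this hunk is a plain-HTTP URL, `http://youtu.be/YKQF266SAxI`, on the line that tells readers how to obtain the certificate value they will paste into the SSO configuration. The paragraph is being reflowed here anyway, so switch the link to `https://`. The same link is repeated in the TIP further down this file; change both together.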
@@ -101,33 +105,30 @@ If you are not familiar with this procedure, see [How to retrieve a certificate' ![Single Sign-On](./media/active-directory-saas-itrp-tutorial/IC775572.png "Single Sign-On") - ![Single Sign-On](./media/active-directory-saas-itrp-tutorial/IC775573.png "Single Sign-On") - - a. Click **Enable**. - - b. In the Azure classic portal, on the **Configure single sign-on at ITRP** dialog page, copy the **Remote Logout URL** value, and then paste it into the **Remote Logout URL** textbox. - - c. In the Azure classic portal, on the **Configure single sign-on at ITRP** dialog page, copy the **SAML SSO URL** value, and then paste it into the **SAML SSO URL** textbox. - - d. Copy the **Thumbprint** value from the exported certificate, and then paste it into the **Certificate Fingerprint** textbox. + ![Single Sign-On](./media/active-directory-saas-itrp-tutorial/IC775573.png "Single Sign-On") + 1. Click **Enable**. + 2. In the Azure classic portal, on the **Configure single sign-on at ITRP** dialog page, copy the **Remote Logout URL** value, and then paste it into the **Remote Logout URL** textbox. + 3. In the Azure classic portal, on the **Configure single sign-on at ITRP** dialog page, copy the **SAML SSO URL** value, and then paste it into the **SAML SSO URL** textbox. + 4. Copy the **Thumbprint** value from the exported certificate, and then paste it into the **Certificate Fingerprint** textbox. - > [!TIP] - > For more details, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI) - > - > - - e. Click **Save**. + >[!TIP] + >For more details, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI). + > + + 5. Click **Save**. 9. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. 
![Configure Single Sign-On](./media/active-directory-saas-itrp-tutorial/IC775574.png "Configure Single Sign-On") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure AD users to log into ITRP, they must be provisioned into ITRP. + In the case of ITRP, provisioning is a manual task. -### To provision a user accounts, perform the following steps: +**To provision a user accounts, perform the following steps:** + 1. Log in to your **ITRP** tenant. 2. In the toolbar on the top, click **Records**. @@ -144,21 +145,19 @@ In the case of ITRP, provisioning is a manual task. 5. On the Add New Person dialog, perform the following steps: - ![User](./media/active-directory-saas-itrp-tutorial/IC775577.png "User") - - a. Type the **Name**, **Email** of a valid AAD account you want to provision. - - b. Click **Save**. + ![User](./media/active-directory-saas-itrp-tutorial/IC775577.png "User") + 1. Type the **Name**, **Email** of a valid AAD account you want to provision. + 2. Click **Save**. -> [!NOTE] -> You can use any other ITRP user account creation tools or APIs provided by ITRP to provision AAD user accounts. -> +>[!NOTE] +>You can use any other ITRP user account creation tools or APIs provided by ITRP to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to ITRP, perform the following steps: +**To assign users to ITRP, perform the following steps:** + 1. In the Azure AD portal, create a test account. 2. On the **ITRP **application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-kronos-tutorial.md b/articles/active-directory/active-directory-saas-kronos-tutorial.md index b0ece9b7e966c..647fb57d52c02 100644 --- a/articles/active-directory/active-directory-saas-kronos-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-kronos-tutorial.md @@ -13,7 +13,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Kronos with Azure Active Directory Integrating Kronos with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Kronos -* You can enable your users to automatically get signed-on to Kronos (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to Kronos single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
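Review bot: The rewritten benefit bullet no longer parses: `signed-on to Kronos single sign-on (SSO) with their Azure AD accounts` reads as if users sign on to something called "Kronos single sign-on". The old parenthetical named the feature, so keep that sense, for example "automatically get signed-on to Kronos (single sign-on, SSO) with their Azure AD accounts". In the front matter, `ms.date: 3/10/2017` drops the leading zero that the old value `03/08/2017` had, and the ITRP file in this same patch uses `03/09/2017`; keep one date format.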
@@ -32,26 +32,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Kronos, you need the following items: * An Azure AD subscription -* A **Kronos Workforce Central** single-sign on enabled subscription +* A **Kronos Workforce Central** SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Kronos from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Kronos from the gallery +## Add Kronos from the gallery To configure the integration of Kronos into Azure AD, you need to add Kronos from the gallery to your list of managed SaaS apps. **To add Kronos from the gallery, perform the following steps:** 
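Review bot: After this hunk the prerequisites state the same thing twice: the note (`>To test the steps in this tutorial, we do not recommend using a production environment.`) and the first recommendation bullet right under it (`* You should not use your production environment, unless this is necessary.`). Keep one of them. In the added prerequisite line, `SSO enabled subscription` should be hyphenated as "SSO-enabled subscription".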
@@ -82,24 +82,29 @@ To configure the integration of Kronos into Azure AD, you need to add Kronos fro ![Creating an Azure AD test user](./media/active-directory-saas-kronos-tutorial/tutorial_kronos_06.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Kronos based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Kronos based on a test user called "Britta Simon". + +For SSO to work, Azure AD needs to know what the counterpart user in Kronos is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Kronos needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Kronos is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Kronos needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Kronos. -To configure and test Azure AD single sign-on with Kronos, you need to complete the following building blocks: +To configure and test Azure AD SSO with Kronos, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating an Kronos test user](#creating-an-kronos-test-user)** - to have a counterpart of Britta Simon in Kronos that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. + +### Configure Azure AD single sign-on +In this section, you enable Azure AD SSO in the classic portal and configure single sign-on in your Kronos application. + +Your Kronos application expects the SAML assertions in a specific format. Please work with Kronos team first to identify the correct user identifier which will be mapped into the application. -### Configuring Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Kronos application. +Also please take the guidance from Kronos team about the attribute which they want to use for this mapping. Microsoft recommend to use the **"NameIdentifier"** attribute as user identifier. You can manage the value of this attribute from the **"Atrribute"** tab of the application. -Your Kronos application expects the SAML assertions in a specific format. Please work with Kronos team first to identify the correct user identifier which will be mapped into the application. Also please take the guidance from Kronos team about the attribute which they want to use for this mapping. Microsoft recommend to use the **"NameIdentifier"** attribute as user identifier. You can manage the value of this attribute from the **"Atrribute"** tab of the application. The following screenshot shows an example for this. Here we have mapped the nameidentifier claim with the **userprincipalname** attribute along with the **ExtractMailPrefix** function, which provides unique user ID, which will be sent to the Kronos application in the every successful SAML Response. +The following screenshot shows an example for this. 
Here we have mapped the nameidentifier claim with the **userprincipalname** attribute along with the **ExtractMailPrefix** function, which provides unique user ID, which will be sent to the Kronos application in the every successful SAML Response. ![Configure Single Sign-On](./media/active-directory-saas-kronos-tutorial/tutorial_kronos_07.png) @@ -116,18 +121,14 @@ Your Kronos application expects the SAML assertions in a specific format. Please 3. On the **Configure App Settings** dialog page, perform the following steps:. ![Configure Single Sign-On](./media/active-directory-saas-kronos-tutorial/tutorial_kronos_04.png) - - a. In the IDENTIFIER textbox, type the URL used by your users to sign-on to your Kronos application using the following pattern: `https://.kronos.net/` - - b. In the Reply URL type the URL in the following pattern: `https://.kronos.net/wfc/navigator/logonWithUID` + 1. In the IDENTIFIER textbox, type the URL used by your users to sign-on to your Kronos application using the following pattern: `https://.kronos.net/` + 2. In the Reply URL type the URL in the following pattern: `https://.kronos.net/wfc/navigator/logonWithUID` 1. On the **Configure single sign-on at Kronos** page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-kronos-tutorial/tutorial_kronos_05.png) - - a. Click **Download metadata**, and then save the file on your computer. - - b. Click **Next**. + 1. Click **Download metadata**, and then save the file on your computer. + 2. Click **Next**. 2. To get SSO configured for your application, contact your Kronos Account Manager and he will assist with the proper channel to configure SSO. Please note that you have to send email and attach downloaded metadata file. 
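Review bot: Changing the sub-steps from a./b. to 1./2. makes this part of the procedure hard to follow, because the outer steps in the hunk are themselves numbered `3.`, `1.`, `2.` ("3. On the **Configure App Settings** dialog page", then "1. On the **Configure single sign-on at Kronos** page", then "2. To get SSO configured"). Renumber the outer steps sequentially so the nested numbers cannot be mistaken for them. Also drop the stray period in `perform the following steps:.`, and check the Identifier and Reply URL patterns, which as shown here read `https://.kronos.net/` with nothing in front of the first dot.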
@@ -139,7 +140,7 @@ Your Kronos application expects the SAML assertions in a specific format. Please ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user In this section, you create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] @@ -163,26 +164,18 @@ In this section, you create a test user in the classic portal called Britta Simo 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-kronos-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-kronos-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -191,21 +184,20 @@ In this section, you create a test user in the classic portal called Britta Simo 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-kronos-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating an Kronos test user -In this section, you create a user called Britta Simon in Kronos. Kronos application need all the users to be provisioned in the application before doing Single Sign On. So please work with the Kronos Customer support associate to provision all these users into the application. +### Create an Kronos test user +In this section, you create a user called Britta Simon in Kronos. Kronos application need all the users to be provisioned in the application before doing SSO. -> [!NOTE] -> If you need to create a user manually or batch of users, you need to contact the Kronos support team. -> +Please work with the Kronos Customer support associate to provision all these users into the application. + +>[!NOTE] +>If you need to create a user manually or batch of users, you need to contact the Kronos support team. > -### Assigning the Azure AD test user -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Kronos. +### Assign the Azure AD test user +In this section, you enable Britta Simon to use Azure SSO by granting her access to Kronos. ![Assign User][200] 
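Review bot: The renamed heading `### Create an Kronos test user` and the added sentence `Kronos application need all the users to be provisioned` carry grammar errors onto new lines. Use "Create a Kronos test user" and "The Kronos application needs all users to be provisioned in the application before SSO". The building-block list earlier in this file links to `#creating-an-kronos-test-user`, so update that anchor in the same change.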
@@ -229,8 +221,9 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] -### Testing single sign-on -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +In this section, you test your Azure AD SSO configuration using the Access Panel. + When you click the Kronos tile in the Access Panel, you should get automatically signed-on to your Kronos application. ## Additional resources diff --git a/articles/active-directory/active-directory-saas-oneteam-tutorial.md b/articles/active-directory/active-directory-saas-oneteam-tutorial.md index 3c8f9a8aeb959..813c80af891f4 100644 --- a/articles/active-directory/active-directory-saas-oneteam-tutorial.md +++ b/articles/active-directory/active-directory-saas-oneteam-tutorial.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Oneteam with Azure Active Directory Integrating Oneteam with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to Oneteam -- You can enable your users to automatically get signed-on to Oneteam (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to Oneteam single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -33,28 +33,27 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Oneteam, you need the following items: - An Azure AD subscription -- A Oneteam single-sign on enabled subscription - - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +- A Oneteam SSO enabled subscription +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Oneteam from the gallery -2. Configuring and testing Azure AD single sign-on - +2. Configuring and testing Azure AD SSO -## Adding Oneteam from the gallery +## Add Oneteam from the gallery To configure the integration of Oneteam into Azure AD, you need to add Oneteam from the gallery to your list of managed SaaS apps. **To add Oneteam from the gallery, perform the following steps:** 
@@ -85,25 +84,24 @@ To configure the integration of Oneteam into Azure AD, you need to add Oneteam f ![Creating an Azure AD test user](./media/active-directory-saas-oneteam-tutorial/tutorial_oneteam_0001.png) +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Oneteam based on a test user called "Britta Simon". -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Oneteam based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in Oneteam is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Oneteam needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in Oneteam is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Oneteam needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Oneteam. -To configure and test Azure AD single sign-on with Oneteam, you need to complete the following building blocks: +To configure and test Azure AD SSO with Oneteam, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a Oneteam test user](#creating-a-oneteam-test-user)** - to have a counterpart of Britta Simon in Oneteam that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Oneteam application. +In this section, you enable Azure AD SSO in the classic portal and configure single sign-on in your Oneteam application. **To configure Azure AD single sign-on with Oneteam, perform the following steps:** 
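Review bot: The building-block links in this hunk still target the old heading anchors. Item 1 has its link text updated, but its target stays `#configuring-azure-ad-single-sign-on` while the heading it points to is renamed in this same hunk to `### Configure Azure AD single sign-on`. Items 2 to 5 likewise point at `#creating-an-azure-ad-test-user`, `#creating-a-oneteam-test-user`, `#assigning-the-azure-ad-test-user` and `#testing-single-sign-on`, and those headings become "Create", "Assign" and "Test" later in this file's diff. Update all five targets to match the new headings so the in-page links keep resolving.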
@@ -119,23 +117,19 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, If you wish to configure the application in **IDP initiated mode**, perform the following steps and click **Next**: ![Configure Single Sign-On](./media/active-directory-saas-oneteam-tutorial/tutorial_oneteam_03.png) - - a. In the **Identifier** textbox, type a URL using the following pattern: `https://api.one-team.io/teams//auth/saml/issuer`. - - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://api.one-team.io/teams//auth/saml/callback`. - - c. Click **Next**. + 1. In the **Identifier** textbox, type a URL using the following pattern: `https://api.one-team.io/teams//auth/saml/issuer`. + 2. In the **Reply URL** textbox, type a URL using the following pattern: `https://api.one-team.io/teams//auth/saml/callback`. + 3. Click **Next**. 4. If you wish to configure the application in **SP initiated mode** on the **Configure App Settings** dialog page, then click on the **“Show advanced settings (optional)”** and then enter the **Sign On URL** and click **Next**. ![Configure Single Sign-On](./media/active-directory-saas-oneteam-tutorial/tutorial_oneteam_04.png) + 1. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.one-team.io/`. + 2. Click **Next**. - a. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.one-team.io/`. - - b. Click **Next**. - - > [!NOTE] - > Please note that you have to update these values with the actual Sign On URL, Identifier and Reply URL. You can raise the support ticket with Oneteam from here to get these values. + >[!NOTE] + >Please note that you have to update these values with the actual Sign On URL, Identifier and Reply URL. You can raise the support ticket with Oneteam from here to get these values. + > 5. 
On the **Configure single sign-on at Oneteam** page, click **Download metadata** and then save the file on your computer: @@ -151,8 +145,7 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] - -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] @@ -176,26 +169,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-oneteam-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-oneteam-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
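Review bot: Sub-step 2 of step 6 carries a stray comma onto the new numbered line: `2. In the **Last Name** textbox, type, **Simon**.` Drop the comma after "type" so it matches the neighbouring sub-steps ("type **Britta**", "type **Britta Simon**").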
@@ -204,24 +189,19 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-oneteam-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. - a. Write down the value of the **New Password**. - - b. Click **Complete**. - - - -### Creating a Oneteam test user +### Create a Oneteam test user The objective of this section is to create a user called Britta Simon in Oneteam. Oneteam supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user will be created during an attempt to access Oneteam if it doesn't exist yet. -> [!NOTE] -> If you need to create an user manually, you can raise the support ticket with Oneteam support team from here. +>[!NOTE] +>If you need to create an user manually, you can raise the support ticket with Oneteam support team from here. - -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Oneteam. @@ -247,11 +227,9 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] +### Test single sign-on - -### Testing single sign-on - -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you test your Azure AD SSO configuration using the Access Panel. When you click the Oneteam tile in the Access Panel, you should get automatically signed-on to your Oneteam application. diff --git a/articles/active-directory/active-directory-saas-optimizely-tutorial.md b/articles/active-directory/active-directory-saas-optimizely-tutorial.md index 60b8f20ceceff..b29568541dfb7 100644 --- a/articles/active-directory/active-directory-saas-optimizely-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-optimizely-tutorial.md @@ -13,7 +13,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Optimizely with Azure Active Direct Integrating Optimizely with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Optimizely -* You can enable your users to automatically get signed-on to Optimizely (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to Optimizely single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -32,26 +32,27 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Optimizely, you need the following items: * An Azure AD subscription -* A **Optimizely** single-sign on enabled subscription +* A **Optimizely** SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. > + To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario Description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Optimizely from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Optimizely from the gallery +## Add Optimizely from the gallery To configure the integration of Optimizely into Azure AD, you need to add Optimizely from the gallery to your list of managed SaaS apps. **To add Optimizely from the gallery, perform the following steps:** 
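Review bot: The added prerequisite line reads `* A **Optimizely** SSO enabled subscription`; it should be "An **Optimizely** SSO-enabled subscription". The context heading in this hunk is `## Scenario Description` with a capital D, while the Kronos and Oneteam files in this patch use `## Scenario description`. Since the patch is normalising headings, bring this one into sentence case too.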
@@ -82,24 +83,27 @@ To configure the integration of Optimizely into Azure AD, you need to add Optimi ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_02.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Optimizely based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Optimizely based on a test user called "Britta Simon". + +For SSO to work, Azure AD needs to know what the counterpart user in Optimizely is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Optimizely needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in Optimizely is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Optimizely needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Optimizely. -To configure and test Azure AD single sign-on with Optimizely, you need to complete the following building blocks: +To configure and test Azure AD SSO with Optimizely, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating an Optimizely test user](#creating-an-optimizely-test-user)** - to have a counterpart of Britta Simon in Optimizely that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD Single Sign-On -The objective of this section is to enable Azure AD single sign-on in the Azure classic portal and to configure single sign-on in your Optimizely application. +### Configure Azure AD single sign-on +The objective of this section is to enable Azure AD SSO in the Azure classic portal and to configure SSO in your Optimizely application. -Optimizely application expects the SAML assertions to contain an attribute named "email". The value of "email" should be an Optimizely recognized email that can get authenticated by Azure AD. Please configure the "email" claim for this application. You can manage the values of these attributes from the **"Atrributes"** tab of the application. The following screenshot shows an example for this. +Optimizely application expects the SAML assertions to contain an attribute named "email". The value of "email" should be an Optimizely recognized email that can get authenticated by Azure AD. Please configure the "email" claim for this application. + +You can manage the values of these attributes from the **"Atrributes"** tab of the application. The following screenshot shows an example for this. ![Configure Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_03.png) 
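Review bot: The heading changes to `### Configure Azure AD single sign-on`, but list item 1 still links to `#configuring-azure-ad-single-single-sign-on`, a fragment that matches neither the old nor the new heading text (note the doubled "single-single"). Update the fragment to follow the renamed heading, and check items 2 to 5 the same way, since their link text and fragments are still in the "Creating/Assigning/Testing" form. The re-added sentence also carries the typo `**"Atrributes"**` forward; fix it while the line is being touched.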
@@ -110,16 +114,12 @@ Optimizely application expects the SAML assertions to contain an attribute named ![Configure Single Sign-On][5] 2. On the SAML token attributes dialog, add the "email" attribute. - - a. Click **add user attribute** to open the **Add User Attribute** dialog. + 1. Click **add user attribute** to open the **Add User Attribute** dialog. ![Configure Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_05.png) - - b. In the **Attribute Name** textbox, type the attribute name "email". - - c. From the **Attribute Value** list, select the attribute value "userprincipalname" or any value that contains an email recognized by Azure AD and Optimizely. - - d. Click **Complete**. + 2. In the **Attribute Name** textbox, type the attribute name "email". + 3. From the **Attribute Value** list, select the attribute value "userprincipalname" or any value that contains an email recognized by Azure AD and Optimizely. + 4. Click **Complete**. 3. In the menu on the top, click **Quick Start**. 
@@ -136,48 +136,39 @@ Optimizely application expects the SAML assertions to contain an attribute named 6. On the **Configure App Settings** dialog page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_07.png) + 1. In the **Sign On URL** textbox, type: `https://app.optimizely.net/contoso` + 2. In the **Identifier** textbox, type: `urn:auth0:optimizely:contoso` + 3. Click **Next**. - a. In the **Sign On URL** textbox, type: `https://app.optimizely.net/contoso` - - b. In the **Identifier** textbox, type: `urn:auth0:optimizely:contoso` - - c. Click **Next**. - - > [!NOTE] - > The values for the **Sign On URL** and **Identifier** are only placeholders for the actual values. You can find instructions for aquiring the actual values from Optimizely later in this tutorial. + >[!NOTE] + >The values for the **Sign On URL** and **Identifier** are only placeholders for the actual values. You can find instructions for aquiring the actual values from Optimizely later in this tutorial. + > 1. On the **Configure single sign-on at Optimizely** page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_08.png) - - a. Click **Download certificate**, and then save the file on your computer. - - b. Copy the **Single Sign-On Service URL**. + 1. Click **Download certificate**, and then save the file on your computer. + 2. Copy the **Single Sign-On Service URL**. 2. To get SSO configured for your application, contact your Optimizely Account Manager and provide the following information: - * Your downloaded certificate - * The Single Sign-On Service URL + * Your downloaded certificate + * The single sign-on service URL - In response to your email, Optimizely provides you with the Sign On URL (SP-initiated SSO) and the Identifier (Service Provider Entity ID) values. 
+ In response to your email, Optimizely provides you with the Sign On URL (SP-initiated SSO) and the Identifier (Service Provider Entity ID) values. 3. Go back to **Configure App Settings** dialog page, and then perform the following steps: - ![Configure Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_07.png) - - a. In the **Sign On URL** textbox, type the **SP-initiated SSO URL** provided by Optimizely. - - b. In the **Identifier** textbox, type the **Service Provider Entity ID** provided by Optimizely. - - c. Click **Next**. + ![Configure Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_07.png) + 1. In the **Sign On URL** textbox, type the **SP-initiated SSO URL** provided by Optimizely. + 2. In the **Identifier** textbox, type the **Service Provider Entity ID** provided by Optimizely. + 3. Click **Next**. 4. On the **Configure single sign-on at Optimizely** page, perform the following steps: - ![Azure AD Single Sign-On][10] - - a. Select the single sign-on configuration confirmation. - - b. Click **Next**. + ![Azure AD Single Sign-On][10] + 1. Select the single sign-on configuration confirmation. + 2. Click **Next**. 5. On the **Single sign-on confirmation** page, click **Complete**. @@ -193,9 +184,10 @@ Optimizely application expects the SAML assertions to contain an attribute named ![Azure AD Single Sign-On](./media/active-directory-saas-optimizely-tutorial/tutorial_optimizely_10.png) -### Creating an Azure AD test user +### Create an Azure AD test user In this section, you create a test user in the classic portal called Britta Simon. -In the Users list, select **Britta Simon**. + +* In the Users list, select **Britta Simon**. ![Create Azure AD User][20] 
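Review bot: In the "Create an Azure AD test user" hunk, the new bullet `* In the Users list, select **Britta Simon**.` sits directly under "In this section, you create a test user in the classic portal called Britta Simon.", so it tells the reader to select a user who does not exist yet. Turning the sentence into a one-item list does not fix that; drop the line, or move it after the creation steps if it is meant as a verification step.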
@@ -217,27 +209,19 @@ In the Users list, select **Britta Simon**. 5. On the **Tell us about this user** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/create_aaduser_05.png) + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/create_aaduser_06.png) + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
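Review bot: The renumbered sub-steps carry their formatting errors over unchanged: `2. In the User Name **textbox**, type **BrittaSimon**.` bolds the word "textbox" instead of the field label, `1. As Type Of User, select New user in your organization.` has no bold on either UI label, and `2. In the **Last Name** textbox, type, **Simon**.` has a stray comma after "type". Since every one of these lines is rewritten by this hunk anyway, fix them here: bold **Type Of User**, **New user in your organization** and **User Name**, and remove the comma.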
@@ -245,16 +229,14 @@ In the Users list, select **Britta Simon**. 8. On the **Get temporary password** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + ![Creating an Azure AD test user](./media/active-directory-saas-optimizely-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating an Optimizely test user +### Create an Optimizely test user In this section, you create a user called Britta Simon in Optimizely. -1. On the home page, select **Collaborators** tab +1. On the home page, select **Collaborators** tab. 2. Click **New Collaborator** to add a new collaborator to the project. @@ -266,7 +248,7 @@ In this section, you create a user called Britta Simon in Optimizely. 1. They will receive an email invite. Using the email address, they will have to log into Optimizely. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Optimizely. ![Assign User][200] @@ -291,8 +273,8 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] -### Testing Single Sign-On -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +The objective of this section is to test your Azure AD SSO configuration using the Access Panel. When you click the Optimizely tile in the Access Panel, you should get automatically signed-on to your Optimizely application. diff --git a/articles/active-directory/active-directory-saas-rightscale-tutorial.md b/articles/active-directory/active-directory-saas-rightscale-tutorial.md index 372bccad66a6d..bf403919402c2 100644 
--- a/articles/active-directory/active-directory-saas-rightscale-tutorial.md +++ b/articles/active-directory/active-directory-saas-rightscale-tutorial.md @@ -13,16 +13,17 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration with RightScale -The objective of this tutorial is to show you how to integrate RightScale with Azure Active Directory (Azure AD). +The objective of this tutorial is to show you how to integrate RightScale with Azure Active Directory (Azure AD). + Integrating RightScale with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to RightScale -* You can enable your users to automatically get signed-on to RightScale (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to RightScale single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
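Review bot: Removing the parentheses in the benefits bullet changes its meaning: `get signed-on to RightScale single sign-on (SSO) with their Azure AD accounts` now reads as if users sign on to something called "RightScale single sign-on". The old form, "signed-on to RightScale (Single Sign-On)", named the application first and the mechanism second. Suggest keeping that order, for example "automatically get signed on to RightScale with single sign-on (SSO) using their Azure AD accounts".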
@@ -31,26 +32,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with RightScale, you need the following items: * An Azure AD subscription -* A RightScale single-sign on enabled subscription +* A RightScale single-sign on (SSO) enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -The objective of this tutorial is to enable you to test Azure AD single sign-on in a test environment. +The objective of this tutorial is to enable you to test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding RightScale from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD single sign-on (SSO) -## Adding RightScale from the gallery +## Add RightScale from the gallery To configure the integration of RightScale into Azure AD, you need to add RightScale from the gallery to your list of managed SaaS apps. **To add RightScale from the gallery, perform the following steps:** 
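Review bot: The new prerequisite `* A RightScale single-sign on (SSO) enabled subscription` keeps the misplaced hyphen; the term is "single sign-on", as the rest of this hunk spells it. The abbreviation handling is also out of order: `test Azure AD SSO in a test environment` uses the bare abbreviation, then `2. Configuring and testing Azure AD single sign-on (SSO)` expands it again two lines later. Expand it once at first use and use "SSO" afterwards.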
@@ -80,21 +81,21 @@ To configure the integration of RightScale into Azure AD, you need to add RightS 7. In the results pane, select **RightScale**, and then click **Complete** to add the application. -## Configuring and testing Azure AD single sign-on -The objective of this section is to show you how to configure and test Azure AD single sign-on with RightScale based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +The objective of this section is to show you how to configure and test Azure AD SSO with RightScale based on a test user called "Britta Simon". -For single sign-on to work, Azure AD needs to know what the counterpart user in RightScale to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in RightScale needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in RightScale to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in RightScale needs to be established. To configure and test Azure AD single sign-on with RightScale, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a RightScale test user](#creating-a-rightscale-test-user)** - to have a counterpart of Britta Simon in RightScale that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. 
+5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. ### Configuring Azure AD single sign-on -The objective of this section is to enable Azure AD single sign-on in the classic portal and to configure single sign-on in your RightScale application. +The objective of this section is to enable Azure AD SSO in the classic portal and to configure SSO in your RightScale application. **To configure Azure AD single sign-on with RightScale, perform the following steps:** 
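Review bot: The re-added sentence `For SSO to work, Azure AD needs to know what the counterpart user in RightScale to an user in Azure AD is.` still has "an user" and the verb stranded at the end. The Optimizely tutorial in this same patch words it as "what the counterpart user in Optimizely is to a user in Azure AD"; use that order here too. The hunk also renames `## Configure and test Azure AD single sign-on` but leaves `### Configuring Azure AD single sign-on` in the old form as an unchanged line, so the heading style is mixed within one section.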
@@ -109,62 +110,48 @@ The objective of this section is to enable Azure AD single sign-on in the classi 3. On the **Configure App Settings** dialog page, If you wish to configure the application in **IDP initiated mode**, perform the following steps and click **Next**: ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_04.png) - - a. In the Reply URL textbox, type the URL in the following pattern: `https://login.rightscale.com/login/saml2/consume` - - b. Click **Next** + 1. In the Reply URL textbox, type the URL in the following pattern: `https://login.rightscale.com/login/saml2/consume` + 2. Click **Next**. 1. If you wish to configure the application in **SP initiated mode** on the **Configure App Settings** dialog page, then click on the **“Show advanced settings (optional)”** and then enter the **Sign On URL** and click **Next**. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_06.png) - - a. In the Sign On URL textbox, type the URL used by your users to sign-on to your RightScale application using the following pattern: `https://login.rightscale.com/` - - b. Click **Next** + 1. In the Sign On URL textbox, type the URL used by your users to sign-on to your RightScale application using the following pattern: `https://login.rightscale.com/` + 2. Click **Next**. 2. On the **Configure single sign-on at RightScale** page, perform the following steps and click **Next**: ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_05.png) - - a. Click **Download certificate**, and then save the base-64 encoded certificate file on your computer. - - b. Click **Next**. + 1. Click **Download certificate**, and then save the base-64 encoded certificate file on your computer. + 2. Click **Next**. 3. To get SSO configured for your application, you need to sign-on to your RightScale tenant as an administrator. - - a. 
In the menu on the top, click the **Settings** tab and select **Single Sign-On**. + 1. In the menu on the top, click the **Settings** tab and select **Single Sign-On**. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_001.png) + 2. Click the "**new**" button to add **Your SAML Identity Providers**. - b. Click the "**new**" button to add **Your SAML Identity Providers**. - - ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_002.png) - - c. In the textbox of **Display Name**, input your company name. + ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_002.png) + 3. In the textbox of **Display Name**, input your company name. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_003.png) - - d. Select **Allow RightScale-initiated SSO using a discovery hint** and input your **domain name** in the below textbox. + 4. Select **Allow RightScale-initiated SSO using a discovery hint** and input your **domain name** in the below textbox. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_004.png) - - e. Copy SAML SSO URL from Azure AD to **SAML SSO Endpoint** in RightScale. + 5. Copy SAML SSO URL from Azure AD to **SAML SSO Endpoint** in RightScale. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_005.png) ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_006.png) - - f. Copy Entity ID from Azure AD to **SAML EntityID** in RightScale. + 6. Copy Entity ID from Azure AD to **SAML EntityID** in RightScale. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_007.png) ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_008.png) - - g. 
Click **Browser** button to upload the certificate which you downloaded in step4. + 7. Click **Browser** button to upload the certificate which you downloaded in step4. ![Configure Single Sign-On](./media/active-directory-saas-rightscale-tutorial/tutorial_rightscale_009.png) - - h. Click **Save**. + 8. Click **Save**. 4. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. @@ -174,7 +161,7 @@ The objective of this section is to enable Azure AD single sign-on in the classi ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] 
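Review bot: In the RightScale sub-steps renumbered in the hunk above, `7. Click **Browser** button to upload the certificate which you downloaded in step4.` keeps a hard-coded step reference that does not match the numbering visible in this hunk, where the certificate is downloaded under `2. On the **Configure single sign-on at RightScale** page`; "step4" is also missing its space. Refer to the step by page name instead, for example "the certificate you downloaded from the **Configure single sign-on at RightScale** page", so the text survives future renumbering.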
@@ -198,26 +185,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-rightscale-tutorial/create_aaduser_05.png) - - a. As **Type Of User**, select **New user in your organization**. - - b. In the User **Name** textbox, type **BrittaSimon**. - - c. Click **Next**. + 1. As **Type Of User**, select **New user in your organization**. + 2. In the User **Name** textbox, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-rightscale-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -225,17 +204,15 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-rightscale-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + ![Creating an Azure AD test user](./media/active-directory-saas-rightscale-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating a RightScale test user +### Create a RightScale test user In this section, you create a user called Britta Simon in RightScale. Please work with RightScale support team via support@rightscale.com to add the users in the RightScale platform. -### Assigning the Azure AD test user -The objective of this section is to enabling Britta Simon to use Azure single sign-on by granting her access to RightScale. +### Assign the Azure AD test user +The objective of this section is to enabling Britta Simon to use Azure SSO by granting her access to RightScale. ![Assign User][200] @@ -259,8 +236,9 @@ The objective of this section is to enabling Britta Simon to use Azure single si ![Assign User][205] -### Testing Single Sign-On -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +The objective of this section is to test your Azure AD SSO configuration using the Access Panel. + When you click the RightScale tile in the Access Panel, you should get automatically signed-on to your RightScale application. ## Additional Resources diff --git a/articles/active-directory/active-directory-saas-rolepoint-tutorial.md b/articles/active-directory/active-directory-saas-rolepoint-tutorial.md index a847ef368fd78..d231fe8d71fb5 100644 --- a/articles/active-directory/active-directory-saas-rolepoint-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-rolepoint-tutorial.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate RolePoint with Azure Active Directo Integrating RolePoint with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to RolePoint -- You can enable your users to automatically get signed-on to RolePoint (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to RolePoint single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -33,28 +33,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with RolePoint, you need the following items: - An Azure AD subscription -- A RolePoint single-sign on enabled subscription - - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +- A RolePoint SSO enabled subscription +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). - +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding RolePoint from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO - -## Adding RolePoint from the gallery +## Add RolePoint from the gallery To configure the integration of RolePoint into Azure AD, you need to add RolePoint from the gallery to your list of managed SaaS apps. **To add RolePoint from the gallery, perform the following steps:** 
@@ -85,25 +83,24 @@ To configure the integration of RolePoint into Azure AD, you need to add RolePoi ![Creating an Azure AD test user](./media/active-directory-saas-rolepoint-tutorial/tutorial_rolepoint_0001.png) +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with RolePoint based on a test user called "Britta Simon". -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with RolePoint based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in RolePoint is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in RolePoint needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in RolePoint is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in RolePoint needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in RolePoint. -To configure and test Azure AD single sign-on with RolePoint, you need to complete the following building blocks: +To configure and test Azure AD SSO with RolePoint, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a RolePoint test user](#creating-a-rolepoint-test-user)** - to have a counterpart of Britta Simon in RolePoint that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -The objective of this section is to enable Azure AD single sign-on in the Azure classic portal and to configure single sign-on in your RolePoint application. +The objective of this section is to enable Azure AD SSO in the Azure classic portal and to configure single sign-on in your RolePoint application. RolePoint application expects the SAML assertions in a specific format. Please configure the following claims for this application. You can manage the values of these attributes from the "**Atrribute**" tab of the application. The following screenshot shows an example for this. @@ -122,16 +119,13 @@ RolePoint application expects the SAML assertions in a specific format. Please c | FirstName | user.givenname | | LastName | user.surname | | Email | user.mail | - - a. Click **add user attribute** to open the **Add User Attribure** dialog. + + 1. Click **add user attribute** to open the **Add User Attribure** dialog. ![Configure Single Sign-On](./media/active-directory-saas-rolepoint-tutorial/tutorial_rolepoint_03.png) - - b. In the **Attribute Name** textbox, type the attribute name shown for that row. - - c. From the **Attribute Value** list, type the attribute value shown for that row. - - d. Click **Complete** + 2. In the **Attribute Name** textbox, type the attribute name shown for that row. + 3. From the **Attribute Value** list, type the attribute value shown for that row. + 4. Click **Complete**. 3. In the menu on the top, click **Quick Start**. 
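Review bot: The rewritten sub-step `1. Click **add user attribute** to open the **Add User Attribure** dialog.` carries the typo "Attribure" forward, and `3. From the **Attribute Value** list, type the attribute value shown for that row.` pairs "list" with "type"; the Optimizely tutorial in this patch uses "select" for the same control. Correct both while the lines are being renumbered, and fix "**Atrribute**" in the unchanged sentence above the table in the same pass.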
@@ -144,13 +138,12 @@ RolePoint application expects the SAML assertions in a specific format. Please c 5. On the **Configure App Settings** dialog page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-rolepoint-tutorial/tutorial_rolepoint_06.png) - - a. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.rolepoint.com/login` - - b. Click **Next**. - - > [!NOTE] - > Please note that this is not the real value. You have to update this value with the actual Sign On URL. Contact [RolePoint support team](emaiLto:info@rolepoint.com) to get this value. + 1. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.rolepoint.com/login` + 2. Click **Next**. + + >[!NOTE] + >Please note that this is not the real value. You have to update this value with the actual Sign On URL. Contact [RolePoint support team](emaiLto:info@rolepoint.com) to get this value. + > 6. On the **Configure single sign-on at RolePoint** page, click **Download metadata** and then save the file on your computer: @@ -166,8 +159,7 @@ RolePoint application expects the SAML assertions in a specific format. Please c ![Azure AD Single Sign-On][11] - -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] 
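Review bot: In the "Configure App Settings" hunk above, the re-added note links the support contact as `[RolePoint support team](emaiLto:info@rolepoint.com)`; `emaiLto:` is not a URI scheme, so the link will not open a mail client. It should be `mailto:info@rolepoint.com`. The pattern in `1. In the **Sign On URL** textbox, type a URL using the following pattern: https://.rolepoint.com/login` also has an empty host label where a tenant placeholder is clearly intended; restore the placeholder in a form that survives rendering, since the note below it says this is not the real value.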
@@ -191,26 +183,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-rolepoint-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-rolepoint-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -219,19 +203,14 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-rolepoint-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. - a. Write down the value of the **New Password**. - - b. Click **Complete**. - - - -### Creating a RolePoint test user +### Create a RolePoint test user In this section, you create a user called Britta Simon in RolePoint. Please work with [RolePoint support team](emaiLto:info@rolepoint.com) to add the users in the RolePoint platform. - -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting her access to RolePoint. @@ -257,15 +236,12 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] +### Test single sign-on - -### Testing single sign-on - -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you test your Azure AD SSO configuration using the Access Panel. When you click the RolePoint tile in the Access Panel, you should get automatically signed-on to your RolePoint application. - ## Additional resources * [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](active-directory-saas-tutorial-list.md) diff --git a/articles/active-directory/active-directory-saas-silkroad-life-suite-tutorial.md b/articles/active-directory/active-directory-saas-silkroad-life-suite-tutorial.md index aceb01ea3e433..412f7c0f1e762 100644 --- a/articles/active-directory/active-directory-saas-silkroad-life-suite-tutorial.md +++ b/articles/active-directory/active-directory-saas-silkroad-life-suite-tutorial.md 
@@ -13,16 +13,17 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration with SilkRoad Life Suite -The objective of this tutorial is to show you how to integrate SilkRoad Life Suite with Azure Active Directory (Azure AD). +The objective of this tutorial is to show you how to integrate SilkRoad Life Suite with Azure Active Directory (Azure AD). + Integrating SilkRoad Life Suite with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to SilkRoad Life Suite -* You can enable your users to automatically get signed-on to SilkRoad Life Suite (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to SilkRoad Life Suite single sign-on (SSO) with their Azure AD accounts If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -30,26 +31,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with SilkRoad Life Suite, you need the following items: * An Azure AD subscription -* A SilkRoad Life Suite single-sign on enabled subscription +* A SilkRoad Life Suite SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. > To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario Description -The objective of this tutorial is to enable you to test Azure AD single sign-on in a test environment. +The objective of this tutorial is to enable you to test Azure AD SSO in a test environment. + The scenario outlined in this tutorial consists of two main building blocks: 1. Adding SilkRoad Life Suite from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding SilkRoad Life Suite from the gallery +## Add SilkRoad Life Suite from the gallery To configure the integration of SilkRoad Life Suite into Azure AD, you need to add SilkRoad Life Suite from the gallery to your list of managed SaaS apps. **To add SilkRoad Life Suite from the gallery, perform the following steps:** 
@@ -80,69 +81,64 @@ To configure the integration of SilkRoad Life Suite into Azure AD, you need to a ![Applications][50] -## Configuring and testing Azure AD single sign-on -The objective of this section is to show you how to configure and test Azure AD single sign-on with SilkRoad Life Suite based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +The objective of this section is to show you how to configure and test Azure AD SSO with SilkRoad Life Suite based on a test user called "Britta Simon". + +For SSO to work, Azure AD needs to know what the counterpart user in SilkRoad Life Suite to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in SilkRoad Life Suite needs to be established. -For single sign-on to work, Azure AD needs to know what the counterpart user in SilkRoad Life Suite to an user in Azure AD is. In other words, a link relationship between an Azure AD user and the related user in SilkRoad Life Suite needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in SilkRoad Life Suite. To configure and test Azure AD single sign-on with SilkRoad Life Suite, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a SilkRoad Life Suite test user](#creating-a-silkroad-life-suite-test-user)** - to have a counterpart of Britta Simon in SilkRoad Life Suite that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD Single Sign-On -The objective of this section is to enable Azure AD single sign-on in the Azure classic portal and to configure single sign-on in your SilkRoad Life Suite application. +### Configure Azure AD single sign-on +The objective of this section is to enable Azure AD SSO in the Azure classic portal and to configure SSO in your SilkRoad Life Suite application. **To configure Azure AD single sign-on with SilkRoad Life Suite, perform the following steps:** 1. Sign-on to your SilkRoad company site as administrator. - > [!NOTE] - > To obtain access to the SilkRoad Life Suite Authentication application for configuring federation with Microsoft Azure AD, please contact SilkRoad Support or your SilkRoad Services representative. + >[!NOTE] + > To obtain access to the SilkRoad Life Suite Authentication application for configuring federation with Microsoft Azure AD, please contact SilkRoad Support or your SilkRoad Services representative. + > -1. Go to **Service Provider**, and then click **Federation Details**. +2. Go to **Service Provider**, and then click **Federation Details**. ![Azure AD Single Sign-On][10] -2. Click **Download Federation Metadata**, and then save the metadata file on your computer. +3. Click **Download Federation Metadata**, and then save the metadata file on your computer. ![Azure AD Single Sign-On][11] -3. In the Azure classic portal, on the **SilkRoad Life Suite** application integration page, click **Configure single sign-on** to open the **Configure Single Sign-On** dialog. +4. 
In the Azure classic portal, on the **SilkRoad Life Suite** application integration page, click **Configure single sign-on** to open the **Configure Single Sign-On** dialog. ![Configure Single Sign-On][6] -4. On the **How would you like users to sign on to SilkRoad Life Suite** page, select **Azure AD Single Sign-On**, and then click **Next**. +5. On the **How would you like users to sign on to SilkRoad Life Suite** page, select **Azure AD Single Sign-On**, and then click **Next**. ![Azure AD Single Sign-On][7] -5. On the **Configure App Settings** dialog page, perform the following steps: - - ![Azure AD Single Sign-On][8] - - a. In the **Sign On URL** textbox, type the URL used by your users to sign-on to your SilkRoad Life Suite site (e.g.: *https://defcompanytest-test-redcarpet.silkroad-eng.com/Authentication/*). - - b. Open the downloaded **Silkroad** metadata file. +6. On the **Configure App Settings** dialog page, perform the following steps: - c. Locate the **AssertionConsumerService** tag, and then copy the **Location** attribute. + ![Azure AD Single Sign-On][8] + 1. In the **Sign On URL** textbox, type the URL used by your users to sign-on to your SilkRoad Life Suite site (e.g.: *https://defcompanytest-test-redcarpet.silkroad-eng.com/Authentication/*). + 2. Open the downloaded **Silkroad** metadata file. + 3. Locate the **AssertionConsumerService** tag, and then copy the **Location** attribute. ![Azure AD Single Sign-On][21] - - d. Paste the value into the **Reply URL** textbox. - - e. Click **Next**. + 4. Paste the value into the **Reply URL** textbox. + 5. Click **Next**. 6. On the **Configure single sign-on at SilkRoad Life Suite** page, perform the following steps: - ![Azure AD Single Sign-On][9] - - a. Click Download certificate, and then save the file on your computer. - - b. Click **Next**. + ![Azure AD Single Sign-On][9] + 1. Click Download certificate, and then save the file on your computer. + 2. Click **Next**. 7. 
In your **SilkRoad** application, click **Authentication Sources**. @@ -154,11 +150,9 @@ The objective of this section is to enable Azure AD single sign-on in the Azure 9. In the **Add Authentication Source** section, perform the following steps: - ![Azure AD Single Sign-On][14] - - a. Under **Option 2 - Metadata File**, click **Browse** to upload the downloaded metadata file. - - b. Click **Create Identity Provider using File Data**. + ![Azure AD Single Sign-On][14] + 1. Under **Option 2 - Metadata File**, click **Browse** to upload the downloaded metadata file. + 2. Click **Create Identity Provider using File Data**. 10. In the **Authentication Sources** section, click **Edit**. @@ -167,14 +161,10 @@ The objective of this section is to enable Azure AD single sign-on in the Azure 11. On the **Edit Authentication Source** dialog, perform the following steps: ![Azure AD Single Sign-On][16] - - a. As **Enabled**, select **Yes**. - - b. In the **IdP Description** textbox, type a description for your configuration (e.g.: *Azure AD SSO*). - - c. In the **IdP Name** textbox, type a name that is specific to your configuration (e.g.: *Azure SP*). - - d. Click **Save**. + 1. As **Enabled**, select **Yes**. + 2. In the **IdP Description** textbox, type a description for your configuration (e.g.: *Azure AD SSO*). + 3. In the **IdP Name** textbox, type a name that is specific to your configuration (e.g.: *Azure SP*). + 4. Click **Save**. 12. Disable all other authentication sources. @@ -188,7 +178,7 @@ The objective of this section is to enable Azure AD single sign-on in the Azure ![Azure AD Single Sign-On][19] -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the Azure classic portal called Britta Simon. ![Create Azure AD User][20] 
@@ -212,26 +202,18 @@ The objective of this section is to create a test user in the Azure classic port 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-silkroad-life-suite-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-silkroad-life-suite-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-silkroad-life-suite-tutorial/create_aaduser_06.png) + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -239,21 +221,19 @@ The objective of this section is to create a test user in the Azure classic port 8. On the **Get temporary password** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-silkroad-life-suite-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + ![Creating an Azure AD test user](./media/active-directory-saas-silkroad-life-suite-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating a SilkRoad Life Suite test user +### Create a SilkRoad Life Suite test user The objective of this section is to create a user called Britta Simon in SilkRoad Life Suite. Britta's must have an SSO ID (sometimes referred to as an *AuthParam*) that matches Britta's **emailaddress** in Azure AD. **To create a user called Britta Simon in SilkRoad Life Suite, perform the following steps:** - Ask your SilkRoad Life Suite support team to create a user that has as **SSO ID** attribute the same value as the **emailaddress** of Britta Simon in Azure AD. -### Assigning the Azure AD test user -The objective of this section is to enable Britta Simon to use Azure single sign-on by granting her access to SilkRoad Life Suite. +### Assign the Azure AD test user +The objective of this section is to enable Britta Simon to use Azure SSO by granting her access to SilkRoad Life Suite. ![Assign User][200] 
@@ -277,8 +257,9 @@ The objective of this section is to enable Britta Simon to use Azure single sign ![Assign User][205] -### Testing Single Sign-On -The objective of this section is to test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +The objective of this section is to test your Azure AD SSO configuration using the Access Panel. + When you click the SilkRoad Life Suite tile in the Access Panel, you should get automatically signed-on to your SilkRoad Life Suite application. ## Additional Resources diff --git a/articles/active-directory/active-directory-saas-simplenexus-tutorial.md b/articles/active-directory/active-directory-saas-simplenexus-tutorial.md index ee081c5163ad9..77e086d633bc1 100644 --- a/articles/active-directory/active-directory-saas-simplenexus-tutorial.md +++ b/articles/active-directory/active-directory-saas-simplenexus-tutorial.md 
@@ -12,23 +12,24 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration with SimpleNexus The objective of this tutorial is to show the integration of Azure and SimpleNexus. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription -* A SimpleNexus single sign-on enabled subscription +* A SimpleNexus single sign-on (SSO) enabled subscription After completing this tutorial, the Azure AD users you have assigned to SimpleNexus will be able to single sign into the application at your SimpleNexus company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for SimpleNexus -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users @@ -37,7 +38,8 @@ The scenario outlined in this tutorial consists of the following building blocks ## Enabling the application integration for SimpleNexus The objective of this section is to outline how to enable the application integration for SimpleNexus. -### To enable the application integration for SimpleNexus, perform the following steps: +**To enable the application integration for SimpleNexus, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-simplenexus-tutorial/IC700993.png "Active Directory") 
@@ -64,12 +66,13 @@ The objective of this section is to outline how to enable the application integr ![Simple Nexus](./media/active-directory-saas-simplenexus-tutorial/IC809578.png "Simple Nexus") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to SimpleNexus with their account in Azure AD using federation based on the SAML protocol. -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **SimpleNexus** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **SimpleNexus** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-simplenexus-tutorial/IC785896.png "Configure Single Sign-On") 
@@ -85,29 +88,29 @@ The objective of this section is to outline how to enable users to authenticate ![Configure Single Sign-On](./media/active-directory-saas-simplenexus-tutorial/IC785899.png "Configure Single Sign-On") - > [!NOTE] - > Single sign-on needs to be enabled by the SimpleNexus support team. - > + >[!NOTE] + >Single sign-on needs to be enabled by the SimpleNexus support team. > 5. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-simplenexus-tutorial/IC785900.png "Configure Single Sign-On") -## Configuring user provisioning +## Configure user provisioning + +In order to enable Azure AD users to log into SimpleNexus, they must be provisioned into SimpleNexus. -In order to enable Azure AD users to log into SimpleNexus, they must be provisioned into SimpleNexus. In the case of SimpleNexus, provisioning is a manual task performed by the tenant administrator. -> [!NOTE] -> You can use any other SimpleNexus user account creation tools or APIs provided by SimpleNexus to provision AAD user accounts. -> +>[!NOTE] +>You can use any other SimpleNexus user account creation tools or APIs provided by SimpleNexus to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to SimpleNexus, perform the following steps: +**To assign users to SimpleNexus, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **SimpleNexus** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-smarteru-tutorial.md b/articles/active-directory/active-directory-saas-smarteru-tutorial.md index 619bc21457f8c..55585396a482f 100644 
--- a/articles/active-directory/active-directory-saas-smarteru-tutorial.md +++ b/articles/active-directory/active-directory-saas-smarteru-tutorial.md 
@@ -12,32 +12,34 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory Integration with SmarterU The objective of this tutorial is to show the integration of Azure and SmarterU. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription * A SmarterU tenant -After completing this tutorial, the Azure AD users you have assigned to SmarterU will be able to single sign into the application at your SmarterU company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). +After completing this tutorial, the Azure AD users you have assigned to SmarterU will be able to sign into the application using single sign-on (SSO) at your SmarterU company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for SmarterU -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-smarteru-tutorial/IC777320.png "Scenario") -## Enabling the application integration for SmarterU +## Enable the application integration for SmarterU The objective of this section is to outline how to enable the application integration for SmarterU. -### To enable the application integration for SmarterU, perform the following steps: +**To enable the application integration for SmarterU, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-smarteru-tutorial/IC700993.png "Active Directory") 
@@ -64,10 +66,11 @@ The objective of this section is to outline how to enable the application integr ![SmarterU](./media/active-directory-saas-smarteru-tutorial/IC777322.png "SmarterU") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to SmarterU with their account in Azure AD using federation based on the SAML protocol. -### To configure single sign-on, perform the following steps: +**To configure single sign-on, perform the following steps:** + 1. In the Azure classic portal, on the **SmarterU** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-smarteru-tutorial/IC777323.png "Configure Single Sign-On") 
@@ -88,54 +91,46 @@ The objective of this section is to outline how to enable users to authenticate 6. On the account configuration page, perform the following steps: - ![External Authorization](./media/active-directory-saas-smarteru-tutorial/IC777327.png "External Authorization") - - a. Select **Enable External Authorization**. - - b. In the **Master Login Control** section, select the **SmarterU** tab. - - c. In the **User Default Login** section, select the **SmarterU** tab. - - d. Select **Enable Okta**. - - e. Copy the content of the downloaded metadata file, and then paste it into the **Okta Metadata** textbox. - - f. Click **Save**. + ![External Authorization](./media/active-directory-saas-smarteru-tutorial/IC777327.png "External Authorization") + 1. Select **Enable External Authorization**. + 2. In the **Master Login Control** section, select the **SmarterU** tab. + 3. In the **User Default Login** section, select the **SmarterU** tab. + 4. Select **Enable Okta**. + 5. Copy the content of the downloaded metadata file, and then paste it into the **Okta Metadata** textbox. + 6. Click **Save**. 7. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-smarteru-tutorial/IC777328.png "Configure Single Sign-On") -## Configuring user provisioning -In order to enable Azure AD users to log into SmarterU, they must be provisioned into SmarterU. +## Configure user provisioning +In order to enable Azure AD users to log into SmarterU, they must be provisioned into SmarterU. + In the case of SmarterU, provisioning is a manual task. -### To provision a user accounts, perform the following steps: +**To provision a user accounts, perform the following steps:** + 1. Log in to your **SmarterU** tenant. 2. Go to **Users**. 3. 
In the user section, perform the following steps: - ![New User](./media/active-directory-saas-smarteru-tutorial/IC777329.png "New User") - - a. Click **+User**. - - b. Type the related attribute values of the Azure AD user account into the following textboxes: **Primary Email**, **Employee ID**, **Password**, **Verify Password**, **Given Name**, **Surname**. - - c. Click **Active**. - - d. Click **Save**. + ![New User](./media/active-directory-saas-smarteru-tutorial/IC777329.png "New User") + 1. Click **+User**. + 2. Type the related attribute values of the Azure AD user account into the following textboxes: **Primary Email**, **Employee ID**, **Password**, **Verify Password**, **Given Name**, **Surname**. + 3. Click **Active**. + 4. Click **Save**. -> [!NOTE] -> You can use any other SmarterU user account creation tools or APIs provided by SmarterU to provision AAD user accounts. -> +>[!NOTE] +>You can use any other SmarterU user account creation tools or APIs provided by SmarterU to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to SmarterU, perform the following steps: +**To assign users to SmarterU, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **SmarterU** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial.md b/articles/active-directory/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial.md index 939f5cf0532e0..c7e620dc2cc95 100644 --- a/articles/active-directory/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial.md +++ b/articles/active-directory/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial.md 
@@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 +ms.date: 3/09/2017 ms.author: jeedes --- @@ -24,7 +24,7 @@ In this tutorial, you learn how to integrate Splunk Enterprise and Splunk Cloud Integrating Splunk Enterprise and Splunk Cloud with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to Splunk Enterprise and Splunk Cloud -- You can enable your users to automatically get signed-on to Splunk Enterprise and Splunk Cloud (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to Splunk Enterprise and Splunk Cloud single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). @@ -34,17 +34,17 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Splunk Enterprise and Splunk Cloud, you need the following items: - An Azure AD subscription -- A Splunk Enterprise or Splunk Cloud single-sign on enabled subscription +- A Splunk Enterprise or Splunk Cloud SSO enabled subscription >[!NOTE] >To test the steps in this tutorial, we do not recommend using a production environment. - +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description 
@@ -53,10 +53,10 @@ In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Splunk Enterprise and Splunk Cloud from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Splunk Enterprise and Splunk Cloud from the gallery +## Add Splunk Enterprise and Splunk Cloud from the gallery To configure the integration of Splunk Enterprise and Splunk Cloud into Azure AD, you need to add Splunk Enterprise and Splunk Cloud from the gallery to your list of managed SaaS apps. **To add Splunk Enterprise and Splunk Cloud from the gallery, perform the following steps:** @@ -87,7 +87,7 @@ To configure the integration of Splunk Enterprise and Splunk Cloud into Azure AD ![Creating an Azure AD test user](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/tutorial_splunk_02.png) -## Configuring and testing Azure AD single sign-on +## Configure and test Azure AD single sign-on In this section, you configure and test Azure AD single sign-on with Splunk Enterprise and Splunk Cloud based on a test user called "Britta Simon". For single sign-on to work, Azure AD needs to know what the counterpart user in Splunk Enterprise and Splunk Cloud is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Splunk Enterprise and Splunk Cloud needs to be established. 
@@ -96,15 +96,15 @@ This link relationship is established by assigning the value of the **user name* To configure and test Azure AD single sign-on with Splunk Enterprise and Splunk Cloud, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a Splunk Enterprise and Splunk Cloud test user](#creating-a-splunk-enterprise-and-splunk-cloud-test-user)** - to have a counterpart of Britta Simon in Splunk Enterprise and Splunk Cloud that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Splunk Enterprise and Splunk Cloud application. +In this section, you enable Azure AD SSO in the classic portal and configure SSO in your Splunk Enterprise and Splunk Cloud application. **To configure Azure AD single sign-on with Splunk Enterprise and Splunk Cloud, perform the following steps:** 
@@ -120,28 +120,20 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/tutorial_splunk_04.png) - - a. In the **Sign On URL** textbox, type the URL used by your users to sign-on to your Splunk Enterprise and Splunk Cloud application using the following pattern: `https:///en-US/app/launcher/home` - - b. In the **Identifier** textbox, type the URL of your Splunk Server - - c. In the **Reply URL** textbox, type the URL with the following pattern: `https:///saml/acs` - - d. Click **Next** + 1. In the **Sign On URL** textbox, type the URL used by your users to sign-on to your Splunk Enterprise and Splunk Cloud application using the following pattern: `https:///en-US/app/launcher/home` + 2. In the **Identifier** textbox, type the URL of your Splunk Server. + 3. In the **Reply URL** textbox, type the URL with the following pattern: `https:///saml/acs` + 4. Click **Next**. 4. On the **Configure single sign-on at Splunk Enterprise and Splunk Cloud** page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/tutorial_splunk_05.png) - - a. Click **Download metadata**, and then save the file on your computer. - - b. Click **Next**. - + 1. Click **Download metadata**, and then save the file on your computer. + 2. Click **Next**. 5. To get SSO configured for your application, contact Splunk Enterprise and Splunk Cloud support team and provide them with the following: - a. The downloaded **federaton metadata** - + * The downloaded **federaton metadata** 6. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. ![Azure AD Single Sign-On][10] 
@@ -150,11 +142,9 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] - -### Creating an Azure AD test user +### Create an Azure AD test user In this section, you create a test user in the classic portal called Britta Simon. - ![Create Azure AD User][20] **To create a test user in Azure AD, perform the following steps:** @@ -174,26 +164,20 @@ In this section, you create a test user in the classic portal called Britta Simo ![Creating an Azure AD test user](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/create_aaduser_04.png) 5. On the **Tell us about this user** dialog page, perform the following steps: - ![Creating an Azure AD test user](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + ![Creating an Azure AD test user](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/create_aaduser_05.png) + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: + ![Creating an Azure AD test user](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -202,21 +186,17 @@ In this section, you create a test user in the classic portal called Britta Simo 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-splunk-enterprise-and-splunk-cloud-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. - a. Write down the value of the **New Password**. - - b. Click **Complete**. - - - -### Creating an Splunk Enterprise and Splunk Cloud test user +### Create a Splunk Enterprise and Splunk Cloud test user In this section, you create a user called Britta Simon in Splunk Enterprise and Splunk Cloud. Please work with Splunk Enterprise and Splunk Cloud support team to add the users in the Splunk Enterprise and Splunk Cloud platform. -### Assigning the Azure AD test user +### Assign the Azure AD test user -In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Splunk Enterprise and Splunk Cloud. +In this section, you enable Britta Simon to use Azure SSOy granting her access to Splunk Enterprise and Splunk Cloud. ![Assign User][200] @@ -240,10 +220,9 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] +### Test single sign-on -### Testing Single Sign-On - -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +In this section, you test your Azure AD SSOonfiguration using the Access Panel. When you click the Splunk Enterprise and Splunk Cloud tile in the Access Panel, you should get automatically signed-on to your Splunk Enterprise and Splunk Cloud application. diff --git a/articles/active-directory/active-directory-saas-spring-cm-tutorial.md b/articles/active-directory/active-directory-saas-spring-cm-tutorial.md index da0cdcf774151..ba7ea54c99d59 100644 --- a/articles/active-directory/active-directory-saas-spring-cm-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-spring-cm-tutorial.md @@ -12,22 +12,22 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/08/2017 +ms.date: 03/10/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration with SpringCM -The objective of this tutorial is to show how to set up single sign-on between Azure Active Directory and SpringCM. +The objective of this tutorial is to show how to set up single sign-on (SSO) between Azure Active Directory and SpringCM. The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription -* A SpringCM single sign-on enabled subscription +* A SpringCM single sign-on (SSO) enabled subscription -After completing this tutorial, the Azure Active Directory users you have assigned to SpringCM will be able to single sign-on using the AAD Access Panel. +After completing this tutorial, the Azure Active Directory users you have assigned to SpringCM will be able to SSO using the AAD Access Panel. 1. Enabling the application integration for SpringCM -2. Configuring Single Sign-On +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users @@ -36,7 +36,8 @@ After completing this tutorial, the Azure Active Directory users you have assign ## Enabling the application integration for SpringCM The objective of this section is to outline how to enable the application integration for SpringCM. -### To enable the application integration for SpringCM, perform the following steps: +**To enable the application integration for SpringCM, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-spring-cm-tutorial/IC700993.png "Active Directory") 
@@ -63,10 +64,11 @@ The objective of this section is to outline how to enable the application integr ![SpringCM](./media/active-directory-saas-spring-cm-tutorial/IC797046.png "SpringCM") -## Configuring Single Sign-On +## Configure single sign-on This section outlines how to enable users to authenticate to SpringCM with their account in Azure Active Directory, using federation based on the SAML protocol. -### To configure single sign-on, perform the following steps: +**To configure single sign-on, perform the following steps:** + 1. In the Azure classic portal, on the **SpringCM** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single Sign-On](./media/active-directory-saas-spring-cm-tutorial/IC797047.png "Configure single Sign-On") 
@@ -93,32 +95,28 @@ This section outlines how to enable users to authenticate to SpringCM with their 7. In the Identity Provider Configuration section, perform the following steps: - ![Identity Provider Configuration](./media/active-directory-saas-spring-cm-tutorial/IC797052.png "Identity Provider Configuration") - - a. To upload your downloaded Azure Active Directory certificate, click **Select Issuer Certificate** or **Change Issuer Certificate**. - - b. In the Azure classic portal, on the **Configure single sign-on at SpringCM** page, copy the **Issuer URL** value, and then paste it into the **Issuer** textbox. - - c. In the Azure classic portal, on the **Configure single sign-on at SpringCM** page, copy the **Singel Sign-On Service URL** value, and then paste it into the **Service Provider (SP) Initiated Endpoint** textbox. - - d. As **SAML Enabled**, select **Enable**. - - e. Click **Save**. + ![Identity Provider Configuration](./media/active-directory-saas-spring-cm-tutorial/IC797052.png "Identity Provider Configuration") + 1. To upload your downloaded Azure Active Directory certificate, click **Select Issuer Certificate** or **Change Issuer Certificate**. + 2. In the Azure classic portal, on the **Configure single sign-on at SpringCM** page, copy the **Issuer URL** value, and then paste it into the **Issuer** textbox. + 3. In the Azure classic portal, on the **Configure single sign-on at SpringCM** page, copy the **Singel Sign-On Service URL** value, and then paste it into the **Service Provider (SP) Initiated Endpoint** textbox. + 4. As **SAML Enabled**, select **Enable**. + 5. Click **Save**. 8. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. 
![Configure Single SignOn](./media/active-directory-saas-spring-cm-tutorial/IC797053.png "Configure Single SignOn") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure Active Directory users to log into SpringCM, they must be provisioned into SpringCM. + In the case of SpringCM, provisioning is a manual task. -> [!NOTE] -> For more details, see [Create and Edit a SpringCM User](http://knowledge.springcm.com/create-and-edit-a-springcm-user) -> +>[!NOTE] +>For more details, see [Create and Edit a SpringCM User](http://knowledge.springcm.com/create-and-edit-a-springcm-user). > -### To provision a user account to SpringCM, perform the following steps: +**To provision a user account to SpringCM, perform the following steps:** + 1. Log in to your **SpringCM** company site as administrator. 2. Click **GOTO**, and then click **Address Book**. @@ -137,15 +135,15 @@ In the case of SpringCM, provisioning is a manual task. 8. Click **Save**. -> [!NOTE] -> You can use any other SpringCM user account creation tools or APIs provided by SpringCM to provision AAD user accounts. -> -> + >[!NOTE] + >You can use any other SpringCM user account creation tools or APIs provided by SpringCM to provision AAD user accounts. + > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to SpringCM, perform the following steps: +**To assign users to SpringCM, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **SpringCM** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-sprinklr-tutorial.md b/articles/active-directory/active-directory-saas-sprinklr-tutorial.md index 4648d7efadf17..9071d6cf0d97e 100644 --- a/articles/active-directory/active-directory-saas-sprinklr-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-sprinklr-tutorial.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -28,16 +28,17 @@ After completing this tutorial, the Azure AD users you have assigned to Sprinklr The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for Sprinklr -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-sprinklr-tutorial/IC782900.png "Scenario") -## Enabling the application integration for Sprinklr +## Enable the application integration for Sprinklr The objective of this section is to outline how to enable the application integration for Sprinklr. -### To enable the application integration for Sprinklr, perform the following steps: +**To enable the application integration for Sprinklr, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-sprinklr-tutorial/IC700993.png "Active Directory") 
@@ -64,12 +65,16 @@ The objective of this section is to outline how to enable the application integr ![Sprinklr](./media/active-directory-saas-sprinklr-tutorial/IC782902.png "Sprinklr") -## Configuring single sign-on -The objective of this section is to outline how to enable users to authenticate to Sprinklr with their account in Azure AD using federation based on the SAML protocol. +## Configure single sign-on +The objective of this section is to outline how to enable users to authenticate to Sprinklr with their account in Azure AD using federation based on the SAML protocol. + + As part of this procedure, you are required to create a base-64 encoded certificate file. + If you are not familiar with this procedure, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o). -### To configure single sign-on, perform the following steps: +**To configure single sign-on, perform the following steps:** + 1. In the Azure classic portal, on the **Sprinklr** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-sprinklr-tutorial/IC782903.png "Configure single sign-on") 
@@ -103,41 +108,30 @@ If you are not familiar with this procedure, see [How to convert a binary certif 9. On the **Single Sign on** page, perform the following steps: ![Single Sign-Ons](./media/active-directory-saas-sprinklr-tutorial/IC782910.png "Single Sign-Ons") - - a. In the **Name** textbox, type a name for your configuration (e.g.: *WAADSSOTest*). - - b. Select **Enabled**. - - c. Select **Use new SSO Certificate**. - - d. Create a **base-64 encoded** file from your downloaded certificate. - - > [!TIP] - > For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o) - > - > - - e. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Identity Provider Certificate** textbox, - - f. In the Azure classic portal, on the **Configure single sign-on at Sprinklr** dialog page, copy the **Identity Provider ID** value, and then paste it into the **Entity Id** textbox. - - g. In the Azure classic portal, on the **Configure single sign-on at Sprinklr** dialog page, copy the **Remote Login URL** value, and then paste it into the **Identity Provider Login URL** textbox. - - h. In the Azure classic portal, on the **Configure single sign-on at Sprinklr** dialog page, copy the **Remote Logout URL** value, and then paste it into the **Identity Provider Logout URL** textbox. - - i. As **SAML User ID Type**, select **Assertion contains User”s sprinklr.com username**. - - j. As **SAML User ID Location**, select **User ID is in the Name Identifier element of the Subject statement**. - - k. Close **Save**. + 1. In the **Name** textbox, type a name for your configuration (e.g.: *WAADSSOTest*). + 2. Select **Enabled**. + 3. Select **Use new SSO Certificate**. + 4. Create a **base-64 encoded** file from your downloaded certificate. + + >[!TIP] + >For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o). + > + + 5. 
Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Identity Provider Certificate** textbox. + 6. In the Azure classic portal, in the **Configure SSO at Sprinklr** dialog: + * Copy the **Identity Provider ID** value, and then paste it into the **Entity Id** textbox. + * Copy the **Remote Login URL** value, and then paste it into the **Identity Provider Login URL** textbox. + * Copy the **Remote Logout URL** value, and then paste it into the **Identity Provider Logout URL** textbox. + 7. As **SAML User ID Type**, select **Assertion contains User”s sprinklr.com username**. + 8. As **SAML User ID Location**, select **User ID is in the Name Identifier element of the Subject statement**. + 9. Click **Save**. ![SAML](./media/active-directory-saas-sprinklr-tutorial/IC782911.png "SAML") - 10. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-sprinklr-tutorial/IC782912.png "Configure single sign-on") -## Configuring user provisioning +## Configure user provisioning For AAD users to be able to sign in, they must be provisioned for access inside the Sprinklr application. This section describes how to create AAD user accounts inside Sprinklr. 
@@ -158,40 +152,32 @@ This section describes how to create AAD user accounts inside Sprinklr. 5. On the **Edit user** dialog, perform the following steps: - ![Edit user](./media/active-directory-saas-sprinklr-tutorial/IC782916.png "Edit user") - - a. In the **Email**, **First Name** and **Last Name** textboxes, type the information of an Azure AD user account you want to provision. - - b. Select **Password Disabled**. - - c. Select a **Language**. + ![Edit user](./media/active-directory-saas-sprinklr-tutorial/IC782916.png "Edit user") + 1. In the **Email**, **First Name** and **Last Name** textboxes, type the information of an Azure AD user account you want to provision. + 2. Select **Password Disabled**. + 3. Select a **Language**. + 4. Select a **User Type**. + 5. Click **Update**. - d. Select a **User Type**. - - e. Click **Update**. - - > [!IMPORTANT] - > **Password Disabled** must be selected to enable a user to log in via an Identity provider. - > - > + >[!IMPORTANT] + >**Password Disabled** must be selected to enable a user to log in via an Identity provider. + > 6. Go to **Role**, and then perform the following steps: ![Partner Roles](./media/active-directory-saas-sprinklr-tutorial/IC782917.png "Partner Roles") - - a. From the **Global** list, select **ALL\_Permissions**. - - b. Click **Update**. + 1. From the **Global** list, select **ALL\_Permissions**. + 2. Click **Update**. -> [!NOTE] -> You can use any other Sprinklr user account creation tools or APIs provided by Sprinklr to provision Azure AD user accounts. -> +>[!NOTE] +>You can use any other Sprinklr user account creation tools or APIs provided by Sprinklr to provision Azure AD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to Sprinklr, perform the following steps: +**To assign users to Sprinklr, perform the following steps:** + 1. 
In the Azure classic portal, create a test account. 2. On the **Sprinklr **application integration page, click **Assign users**. @@ -202,5 +188,5 @@ To test your configuration, you need to grant the Azure AD users you want to all ![Yes](./media/active-directory-saas-sprinklr-tutorial/IC767830.png "Yes") -If you want to test your single sign-on settings, open the Access Panel. For more details about the Access Panel, see [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). +If you want to test your SSO settings, open the Access Panel. For more details about the Access Panel, see [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). diff --git a/articles/active-directory/active-directory-saas-sugarcrm-tutorial.md b/articles/active-directory/active-directory-saas-sugarcrm-tutorial.md index 71092d10624a0..95736a2905e56 100644 --- a/articles/active-directory/active-directory-saas-sugarcrm-tutorial.md +++ b/articles/active-directory/active-directory-saas-sugarcrm-tutorial.md 
@@ -12,32 +12,34 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/07/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration integration with SugarCRM The objective of this tutorial is to show the integration of Azure and Sugar CRM. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription -* A Sugar CRM single sign-on enabled subscription +* A Sugar CRM single sign-on (SSO) enabled subscription -After completing this tutorial, the Azure AD users you have assigned to Sugar CRM will be able to single sign into the application at your Sugar CRM company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). +After completing this tutorial, the Azure AD users you have assigned to Sugar CRM will be able to sign into the application using SSO at your Sugar CRM company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for Sugar CRM -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-sugarcrm-tutorial/IC795881.png "Scenario") -## Enabling the application integration for Sugar CRM +## Enable the application integration for Sugar CRM The objective of this section is to outline how to enable the application integration for Sugar CRM. -### To enable the application integration for Sugar CRM, perform the following steps: +**To enable the application integration for Sugar CRM, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. 
![Active Directory](./media/active-directory-saas-sugarcrm-tutorial/IC700993.png "Active Directory") @@ -64,13 +66,16 @@ The objective of this section is to outline how to enable the application integr ![Sugar CRM](./media/active-directory-saas-sugarcrm-tutorial/IC795883.png "Sugar CRM") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to Sugar CRM with their account in Azure AD using federation based on the SAML protocol. + As part of this procedure, you are required to upload a base-64 encoded certificate to your Sugar CRM tenant. + If you are not familiar with this procedure, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o) -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **Sugar CRM** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **Sugar CRM** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-sugarcrm-tutorial/IC795884.png "Configure Single Sign-On") 
@@ -102,34 +107,30 @@ If you are not familiar with this procedure, see [How to convert a binary certif 9. In the **SAML Authentication** section, perform the following steps: - ![SAML Authentication](./media/active-directory-saas-sugarcrm-tutorial/IC795891.png "SAML Authentication") - - a. In the Azure classic portal, on the **Configure single sign-on at Sugar CRM** dialog page, copy the **Remote Login URL** value, and then paste it into the **Login URL** textbox. - - b. In the Azure classic portal, on the **Configure single sign-on at Sugar CRM** dialog page, copy the **Remote Login URL** value, and then paste it into the **SLO URL** textbox. - - c. Create a **Base-64 encoded** file from your downloaded certificate. + ![SAML Authentication](./media/active-directory-saas-sugarcrm-tutorial/IC795891.png "SAML Authentication") + 1. In the Azure classic portal, on the **Configure single sign-on at Sugar CRM** dialog page, copy the **Remote Login URL** value, and then paste it into the **Login URL** textbox. + 2. In the Azure classic portal, on the **Configure single sign-on at Sugar CRM** dialog page, copy the **Remote Login URL** value, and then paste it into the **SLO URL** textbox. + 3. Create a **Base-64 encoded** file from your downloaded certificate. - > [!TIP] - > For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o) - > - > - - d. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste the entire Certificate into **X.509 Certificate** textbox. - - e. Click **Save**. + >[!TIP] + >For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o). + > + + 4. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste the entire Certificate into **X.509 Certificate** textbox. + 5. Click **Save**. 10. 
In the Azure classic portal, on the **Configure single sign-on at Sugar CRM** dialog page, select the single sign-on configuration confirmation, and then click **Complete**. ![Configure Single Sign-On](./media/active-directory-saas-sugarcrm-tutorial/IC796919.png "Configure Single Sign-On") -## Configuring user provisioning -In order to enable Azure AD users to log into Sugar CRM, they must be provisioned to Sugar CRM. +## Configure user provisioning +In order to enable Azure AD users to log into Sugar CRM, they must be provisioned to Sugar CRM. + In the case of Sugar CRM, provisioning is a manual task. -### To provision a user accounts, perform the following steps: -1. Log in to your **Sugar CRM** company site as administrator. +**To provision a user accounts, perform the following steps:** +1. Log in to your **Sugar CRM** company site as administrator. 2. Go to **Admin**. ![Admin](./media/active-directory-saas-sugarcrm-tutorial/IC795888.png "Admin") 
@@ -145,28 +146,24 @@ In the case of Sugar CRM, provisioning is a manual task. 5. On the **User Profile** tab, perform the following steps: ![New User](./media/active-directory-saas-sugarcrm-tutorial/IC795895.png "New User") - - a. Type the user name, last name and email address of a valid Azure Active Directory user into the related textboxes. - + * Type the user name, last name and email address of a valid Azure Active Directory user into the related textboxes. 6. As **Status**, select **Active**. 7. On the Password tab, perform the following steps: ![New User](./media/active-directory-saas-sugarcrm-tutorial/IC795896.png "New User") - - a. Type the password into the related textbox. - - b. Click **Save**. + 1. Type the password into the related textbox. + 2. Click **Save**. -> [!NOTE] -> You can use any other Sugar CRM user account creation tools or APIs provided by Sugar CRM to provision AAD user accounts. -> +>[!NOTE] +>You can use any other Sugar CRM user account creation tools or APIs provided by Sugar CRM to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to Sugar CRM, perform the following steps: +**To assign users to Sugar CRM, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **Sugar CRM** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-sumologic-tutorial.md b/articles/active-directory/active-directory-saas-sumologic-tutorial.md index bd74f6d79201a..8f25662b9354e 100644 --- a/articles/active-directory/active-directory-saas-sumologic-tutorial.md +++ b/articles/active-directory/active-directory-saas-sumologic-tutorial.md 
@@ -12,12 +12,13 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/07/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory Integration with SumoLogic The objective of this tutorial is to show the integration of Azure and SumoLogic. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription @@ -28,16 +29,17 @@ After completing this tutorial, the Azure AD users you have assigned to SumoLogi The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for SumoLogic -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-sumologic-tutorial/IC778549.png "Scenario") -## Enabling the application integration for SumoLogic +## Enable the application integration for SumoLogic The objective of this section is to outline how to enable the application integration for SumoLogic. -### To enable the application integration for SumoLogic, perform the following steps: +**To enable the application integration for SumoLogic, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-sumologic-tutorial/IC700993.png "Active Directory") 
@@ -64,13 +66,16 @@ The objective of this section is to outline how to enable the application integr ![SumoLogic](./media/active-directory-saas-sumologic-tutorial/IC778551.png "SumoLogic") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to SumoLogic with their account in Azure AD using federation based on the SAML protocol. + As part of this procedure, you are required to upload a base-64 encoded certificate to your SumoLogictenant. + If you are not familiar with this procedure, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o) -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **SumoLogic** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **SumoLogic** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-sumologic-tutorial/IC778552.png "Configure single sign-on") 
@@ -102,42 +107,33 @@ If you are not familiar with this procedure, see [How to convert a binary certif 9. On the **Configure SAML 2.0** dialog, perform the following steps: - ![Configure SAML 2.0](./media/active-directory-saas-sumologic-tutorial/IC778559.png "Configure SAML 2.0") - - a. In the **Configuration Name** textbox, type **Azure AD**. - - b. Select **Debug Mode**. - - c. In the Azure classic portal, on the **Configure single sign-on at SumoLogic** dialogue page, copy the **Issuer URL** value, and then paste it into the **Issuer** textbox. - - d. In the Azure classic portal, on the **Configure single sign-on at SumoLogic** dialogue page, copy the **Authentication Request URL** value, and then paste it into the **Authn Request URL** textbox. - - e. Create a **Base-64 encoded** file from your downloaded certificate. + ![Configure SAML 2.0](./media/active-directory-saas-sumologic-tutorial/IC778559.png "Configure SAML 2.0") + 1. In the **Configuration Name** textbox, type **Azure AD**. + 2. Select **Debug Mode**. + 3. In the Azure classic portal, on the **Configure single sign-on at SumoLogic** dialogue page, copy the **Issuer URL** value, and then paste it into the **Issuer** textbox. + 4. In the Azure classic portal, on the **Configure single sign-on at SumoLogic** dialogue page, copy the **Authentication Request URL** value, and then paste it into the **Authn Request URL** textbox. + 5. Create a **Base-64 encoded** file from your downloaded certificate. - > [!TIP] - > For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o) - > - > - - f. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste the entire Certificate into **X.509 Certificate** textbox. - - g. As **Email Attribute**, select **Use SAML subject**. - - h. Select **SP initiated Login Configuration**. - - i. In the **Login Path** textbox, type **Azure**. - - j. Click **Save**. 
+ >[!TIP] + >For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o). + > + + 6. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste the entire Certificate into **X.509 Certificate** textbox. + 7. As **Email Attribute**, select **Use SAML subject**. + 8. Select **SP initiated Login Configuration**. + 9. In the **Login Path** textbox, type **Azure** and click **Save**. 10. In the Azure classic portal, on the **Configure single sign-on at SumoLogic** dialogue page, select the single sign-on configuration confirmation, and then click **Complete**. ![Configure single sign-on](./media/active-directory-saas-sumologic-tutorial/IC778560.png "Configure single sign-on") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure AD users to log into SumoLogic, they must be provisioned to SumoLogic. -In the case of SumoLogic, provisioning is a manual task. -### To provision a user accounts, perform the following steps: +* In the case of SumoLogic, provisioning is a manual task. + +**To provision a user accounts, perform the following steps:** + 1. Log in to your **SumoLogic** tenant. 2. Go to **Manage \> Users**. 
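Review bot: sub-step 2 of step 9, "Select **Debug Mode**", is carried into the renumbered list with no explanation of what the setting does or whether it should be cleared once sign-on has been verified; for a SAML configuration that readers will copy into production, add a sentence that says so. Two smaller points in the same hunk: the bolded lead-in "To provision a user accounts" should be "To provision a user account", and turning "In the case of SumoLogic, provisioning is a manual task." into a one-item bullet list adds markup without adding structure, so keep it as a plain sentence.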
@@ -150,25 +146,21 @@ In the case of SumoLogic, provisioning is a manual task. 4. On the **New User** dialog, perform the following steps: - ![New User](./media/active-directory-saas-sumologic-tutorial/IC778563.png "New User") - - a. Type the related information of the Azure AD account you want to provision into the **First Name**, **Last Name** and **Email** textboxes. - - b. Select a role. - - c. As **Status**, select **Active**. - - d. Click **Save**. + ![New User](./media/active-directory-saas-sumologic-tutorial/IC778563.png "New User") + 1. Type the related information of the Azure AD account you want to provision into the **First Name**, **Last Name** and **Email** textboxes. + 2. Select a role. + 3. As **Status**, select **Active**. + 4. Click **Save**. -> [!NOTE] -> You can use any other SumoLogic user account creation tools or APIs provided by SumoLogic to provision AAD user accounts. -> +>[!NOTE] +>You can use any other SumoLogic user account creation tools or APIs provided by SumoLogic to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to SumoLogic, perform the following steps: +**To assign users to SumoLogic, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **SumoLogic** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-syncplicity-tutorial.md b/articles/active-directory/active-directory-saas-syncplicity-tutorial.md index 15b464be0ea01..bdd142ec9af23 100644 --- a/articles/active-directory/active-directory-saas-syncplicity-tutorial.md +++ b/articles/active-directory/active-directory-saas-syncplicity-tutorial.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/09/2017 ms.author: jeedes --- 
@@ -27,16 +27,17 @@ The scenario outlined in this tutorial assumes that you already have the followi After completing this tutorial, the Azure AD users to whom you have assign Syncplicity access will be able to single sign into the application at your Syncplicity company site (service provider initiated sign on), or using the Azure AD Access Panel. 1. Enabling the application integration for Syncplicity -2. Configuring Single Sign-On +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-syncplicity-tutorial/IC769524.png "Scenario") -## Enabling the application integration for Syncplicity +## Enable the application integration for Syncplicity The objective of this section is to outline how to enable the application integration for Syncplicity. -### To enable the application integration for Syncplicity, perform the following steps: +**To enable the application integration for Syncplicity, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-syncplicity-tutorial/IC700993.png "Active Directory") 
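Review bot: the headings in this file move to the imperative ("## Enable the application integration for Syncplicity"), but the overview list keeps the gerund forms ("1. Enabling the application integration for Syncplicity", "2. Configuring single sign-on (SSO)"), so the list no longer matches the section titles it enumerates; reword the four items to match. The context sentence above the list also still says "the Azure AD users to whom you have assign Syncplicity access", which should be "assigned".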
@@ -63,11 +64,12 @@ The objective of this section is to outline how to enable the application integr ![Syncplicity](./media/active-directory-saas-syncplicity-tutorial/IC769533.png "Syncplicity") -## Configuring single sign-on +## Configure single sign-on This section outlines how to enable users to authenticate to Syncplicity with their account in Azure Active Directory, using federation based on the SAML protocol. -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **Syncplicity** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **Syncplicity** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-syncplicity-tutorial/IC769534.png "Configure single sign-on") 
@@ -93,30 +95,24 @@ This section outlines how to enable users to authenticate to Syncplicity with th 7. On the **Single Sign-On (SSO)** dialog page, perform the following steps: - ![Single Sign-On \(SSO\)](./media/active-directory-saas-syncplicity-tutorial/IC769550.png "Single Sign-On \\\(SSO\\\)") - - a. In the **Custom Domain** textbox, type the name of your domain. - - b. Select **Enabled** as **Single Sign-On Status**. - - c. In the Azure classic portal, on the **Configure single sign-on at Syncplicity** page, copy the **Entity ID** value, and then paste it into the **Entity Id** textbox. - - d. In the Azure classic portal, on the **Configure single sign-on at Syncplicity** page, copy the **Single Sign-On Service URL** value, and then paste it into the **Sign-in page URL** textbox. - - e. In the Azure classic portal, on the **Configure single sign-on at Syncplicity** page, copy the **Remote Logout URL** value, and then paste it into the **Logout page URL** textbox. - - f. In **Identity Provider Certificate**, click **Choose file**, and then upload the certificate you have downloaded from the Azure classic portal. - - g. Click **Save Changes**. + ![Single Sign-On \(SSO\)](./media/active-directory-saas-syncplicity-tutorial/IC769550.png "Single Sign-On \\\(SSO\\\)") + 1. In the **Custom Domain** textbox, type the name of your domain. + 2. Select **Enabled** as **Single Sign-On Status**. + 3. In the Azure classic portal, on the **Configure single sign-on at Syncplicity** page, copy the **Entity ID** value, and then paste it into the **Entity Id** textbox. + 4. In the Azure classic portal, on the **Configure single sign-on at Syncplicity** page, copy the **Single Sign-On Service URL** value, and then paste it into the **Sign-in page URL** textbox. + 5. In the Azure classic portal, on the **Configure single sign-on at Syncplicity** page, copy the **Remote Logout URL** value, and then paste it into the **Logout page URL** textbox. + 6. 
In **Identity Provider Certificate**, click **Choose file**, and then upload the certificate you have downloaded from the Azure classic portal. + 7. Click **Save Changes**. 8. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Confirmation](./media/active-directory-saas-syncplicity-tutorial/IC769554.png "Confirmation") -## Configuring user provisioning +## Configure user provisioning For AAD users to be able to sign in, they must be provisioned to Syncplicity application. This section describes how to create AAD user accounts in Syncplicity. -### To provision a user account to Syncplicity, perform the following steps: +**To provision a user account to Syncplicity, perform the following steps:** + 1. Log in to your **Syncplicity** tenant (e.g.: *https://company.Syncplicity.com*). 2. Click **Admin** and select **user accounts**. 
@@ -129,33 +125,31 @@ For AAD users to be able to sign in, they must be provisioned to Syncplicity app ![Account Information](./media/active-directory-saas-syncplicity-tutorial/IC769765.png "Account Information") - > [!NOTE] - > The AAD account holder will get an email including a link to confirm and activate the account. - > + >[!NOTE] + >The AAD account holder will get an email including a link to confirm and activate the account. > 5. Select a group in your company that your new user should become a member of, and then click **Next**. ![Group Membership](./media/active-directory-saas-syncplicity-tutorial/IC769772.png "Group Membership") - > [!NOTE] - > If there are no groups listed, just click **Next**. - > + >[!NOTE] + >If there are no groups listed, just click **Next**. > 6. Select the folders you would like to place under Syncplicity’s control on the user’s computer, and then click **Next**. ![Syncplicity Folders](./media/active-directory-saas-syncplicity-tutorial/IC769773.png "Syncplicity Folders") -> [!NOTE] -> You can use any other Syncplicity user account creation tools or APIs provided by Syncplicity to provision AAD user accounts. -> +>[!NOTE] +>You can use any other Syncplicity user account creation tools or APIs provided by Syncplicity to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to Syncplicity, perform the following steps: +**To assign users to Syncplicity, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **Syncplicity** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-synergi-tutorial.md b/articles/active-directory/active-directory-saas-synergi-tutorial.md index 86df134856b5d..7871e72c02e23 100644 
--- a/articles/active-directory/active-directory-saas-synergi-tutorial.md +++ b/articles/active-directory/active-directory-saas-synergi-tutorial.md @@ -13,7 +13,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 03/08/2017 +ms.date: 3/10/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Synergi with Azure Active Directory Integrating Synergi with Azure AD provides you with the following benefits: * You can control in Azure AD who has access to Synergi -* You can enable your users to automatically get signed-on to Synergi (Single Sign-On) with their Azure AD accounts +* You can enable your users to automatically get signed-on to Synergi single sign-on (SSO) with their Azure AD accounts * You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
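Review bot: in the benefits list, the new wording "get signed-on to Synergi single sign-on (SSO) with their Azure AD accounts" changes the meaning. The old line said users are signed on to Synergi, with single sign-on named in parentheses as the mechanism; the new one reads as if they sign on to something called "Synergi single sign-on". Suggest "get signed on to Synergi automatically (single sign-on, SSO) with their Azure AD accounts".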
@@ -32,27 +32,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Synergi, you need the following items: * An Azure AD subscription -* A Synergi single-sign on enabled subscription +* A Synergi SSO enabled subscription -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. -> +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. > To test the steps in this tutorial, you should follow these recommendations: * You should not use your production environment, unless this is necessary. -* If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +* If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description -In this tutorial, you test Azure AD single sign-on in a test environment. +In this tutorial, you test Azure AD SSO in a test environment. The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Synergi from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding Synergi from the gallery +## Add Synergi from the gallery To configure the integration of Synergi into Azure AD, you need to add Synergi from the gallery to your list of managed SaaS apps. **To add Synergi from the gallery, perform the following steps:** 
@@ -83,23 +82,23 @@ To configure the integration of Synergi into Azure AD, you need to add Synergi f ![Creating an Azure AD test user](./media/active-directory-saas-synergi-tutorial/tutorial_synergi_02.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Synergi based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Synergi based on a test user called "Britta Simon". -For single sign-on to work, Azure AD needs to know what the counterpart user in Synergi is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Synergi needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in Synergi is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Synergi needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Synergi. -To configure and test Azure AD single sign-on with Synergi, you need to complete the following building blocks: +To configure and test Azure AD SSO with Synergi, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a Synergi test user](#creating-a-synergi-test-user)** - to have a counterpart of Britta Simon in Synergi that is linked to the Azure AD representation of her. 4. 
**[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. **[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Synergi application. +### Configure Azure AD single sign-on +In this section, you enable Azure AD SSO in the classic portal and configure SSO in your Synergi application. **To configure Azure AD single sign-on with Synergi, perform the following steps:** 
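Review bot: the heading in this hunk is renamed from "### Configuring Azure AD single sign-on" to "### Configure Azure AD single sign-on", but the five links in the numbered list above it still target the old fragments (#configuring-azure-ad-single-sign-on, #creating-an-azure-ad-test-user, #creating-a-synergi-test-user, #assigning-the-azure-ad-test-user, #testing-single-sign-on). The later hunks of this file rename the other four headings as well, so if the anchors are generated from heading text, every one of these in-page links breaks; update the fragments in the same change as the headings. The link text also still uses the gerund ("Configuring", "Creating", "Assigning", "Testing") while the headings it points to are now imperative.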
@@ -114,26 +113,20 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-synergi-tutorial/tutorial_synergi_04.png) - - a. In the **Sign On URL** textbox, type the URL used by your users to sign-on to your Synergi application using the following pattern: **https://\.irmsecurity.com/sso/\**. - - b. click **Next** + 1. In the **Sign On URL** textbox, type the URL used by your users to sign-on to your Synergi application using the following pattern: **https://\.irmsecurity.com/sso/\**. + 2. click **Next** 4. On the **Configure single sign-on at Synergi** page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-synergi-tutorial/tutorial_synergi_05.png) - - a. Click **Download certificate**, and then save the file on your computer. - - b. Click **Next**. + 1. Click **Download certificate**, and then save the file on your computer. + 2. Click **Next**. 5. To get SSO configured for your application, contact Synergi support team and provide them with the following: - • The downloaded certificate - - • The **Entity ID** - - • The **Single Sign Out Service URL** + * The downloaded certificate + * The **Entity ID** + * The **Single Sign Out Service URL** 6. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. @@ -143,7 +136,7 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user In this section, you create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] 
@@ -167,26 +160,18 @@ In this section, you create a test user in the classic portal called Britta Simo 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-synergi-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-synergi-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -195,15 +180,13 @@ In this section, you create a test user in the classic portal called Britta Simo 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-synergi-tutorial/create_aaduser_08.png) - - a. Write down the value of the **New Password**. - - b. Click **Complete**. + 1. Write down the value of the **New Password**. + 2. Click **Complete**. -### Creating an Synergi test user +### Create an Synergi test user In this section, you create a user called Britta Simon in Synergi. Please work with Synergi support team to add the users in the Synergi platform. -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Synergi. ![Assign User][200] @@ -228,8 +211,8 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] -### Testing Single Sign-On -In this section, you test your Azure AD single sign-on configuration using the Access Panel. +### Test single sign-on +In this section, you test your Azure AD SSO configuration using the Access Panel. When you click the Synergi tile in the Access Panel, you should get automatically signed-on to your Synergi application. diff --git a/articles/active-directory/active-directory-saas-talentlms-tutorial.md b/articles/active-directory/active-directory-saas-talentlms-tutorial.md index fa8888eb064e8..324059bc68484 100644 --- a/articles/active-directory/active-directory-saas-talentlms-tutorial.md +++ b/articles/active-directory/active-directory-saas-talentlms-tutorial.md 
@@ -12,12 +12,13 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/07/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory Integration with TalentLMS The objective of this tutorial is to show the integration of Azure and TalentLMS. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription @@ -28,16 +29,17 @@ After completing this tutorial, the Azure AD users you have assigned to TalentLM The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for TalentLMS -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-talentlms-tutorial/IC777289.png "Scenario") -## Enabling the application integration for TalentLMS +## Enable the application integration for TalentLMS The objective of this section is to outline how to enable the application integration for TalentLMS. -### To enable the application integration for TalentLMS, perform the following steps: +**To enable the application integration for TalentLMS, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-talentlms-tutorial/IC700993.png "Active Directory") 
@@ -64,13 +66,16 @@ The objective of this section is to outline how to enable the application integr ![TalentLMS](./media/active-directory-saas-talentlms-tutorial/IC777291.png "TalentLMS") -## Configuring single sign-on -The objective of this section is to outline how to enable users to authenticate to TalentLMS with their account in Azure AD using federation based on the SAML protocol. . -Configuring single sign-on for TalentLMS requires you to retrieve a thumbprint value from a certificate. +## Configure single sign-on +The objective of this section is to outline how to enable users to authenticate to TalentLMS with their account in Azure AD using federation based on the SAML protocol. + +Configuring SSO for TalentLMS requires you to retrieve a thumbprint value from a certificate. + If you are not familiar with this procedure, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI). -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **TalentLMS** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **TalentLMS** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-talentlms-tutorial/IC777292.png "Configure single sign-on") 
@@ -95,63 +100,54 @@ If you are not familiar with this procedure, see [How to retrieve a certificate' 8. In the Single Sign-On section, perform the following steps: - ![Single Sign-On](./media/active-directory-saas-talentlms-tutorial/IC777297.png "Single Sign-On") - - a. From the **SSO integration type** list, select **SAML 2.0**. - - b. In the Azure classic portal, on the **Configure single sign-on at TalentLMS** dialog page, copy the **Identity Provider ID** value, and then paste it into the **Identity provider (IdP)** textbox. - - c. Copy the **Thumbprint** value from the exported certificate, and then paste it into the **Certificate Fingerprint** textbox. + ![Single Sign-On](./media/active-directory-saas-talentlms-tutorial/IC777297.png "Single Sign-On") + 1. From the **SSO integration type** list, select **SAML 2.0**. + 2. In the Azure classic portal, on the **Configure single sign-on at TalentLMS** dialog page, copy the **Identity Provider ID** value, and then paste it into the **Identity provider (IdP)** textbox. + 3. Copy the **Thumbprint** value from the exported certificate, and then paste it into the **Certificate Fingerprint** textbox. - > [!TIP] - > For more details, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI) - > - > - - d. In the Azure classic portal, on the **Configure single sign-on at TalentLMS** dialog page, copy the **Remote Login URL** value, and then paste it into the **Remote sign-in URL** textbox. - - e. In the Azure classic portal, on the **Configure single sign-on at TalentLMS** dialog page, copy the **Remote Logout URL** value, and then paste it into the **Remote sign-out URL** textbox. - - f. In the **TargetedID** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name** - - g. In the **First name** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname** - - h. 
In the **Last name** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname** - - i. In the **Email** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress** - - j. Click **Save**. + >[!TIP] + >For more details, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI). + > + + 4. In the Azure classic portal, on the **Configure single sign-on at TalentLMS** dialog page, copy the **Remote Login URL** value, and then paste it into the **Remote sign-in URL** textbox. + 5. In the Azure classic portal, on the **Configure single sign-on at TalentLMS** dialog page, copy the **Remote Logout URL** value, and then paste it into the **Remote sign-out URL** textbox. + 6. Fill in the following: + * In the **TargetedID** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name**. + * In the **First name** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname**. + * In the **Last name** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname**. + * In the **Email** textbox, type **http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress**. + 7. Click **Save**. 9. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-talentlms-tutorial/IC777298.png "Configure Single Sign-On") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure AD users to log into TalentLMS, they must be provisioned into TalentLMS. -In the case of TalentLMS, provisioning is a manual task. -### To provision a user accounts, perform the following steps: +* In the case of TalentLMS, provisioning is a manual task. + +**To provision a user accounts, perform the following steps:** + 1. Log in to your **TalentLMS** tenant. 2. 
Click **Users**, and then click **Add User**. 3. On the **Add user** dialog page, perform the following steps: - ![Add User](./media/active-directory-saas-talentlms-tutorial/IC777299.png "Add User") - - a. Type the related attribute values of the Azure AD user account into the following textboxes: **First name**, **Last name**, **Email address**. - - b. Click **Add User**. + ![Add User](./media/active-directory-saas-talentlms-tutorial/IC777299.png "Add User") + 1. Type the related attribute values of the Azure AD user account into the following textboxes: **First name**, **Last name**, **Email address**. + 2. Click **Add User**. -> [!NOTE] -> You can use any other TalentLMS user account creation tools or APIs provided by TalentLMS to provision AAD user accounts. -> -> +>[!NOTE] +>You can use any other TalentLMS user account creation tools or APIs provided by TalentLMS to provision AAD user accounts. +> -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to TalentLMS, perform the following steps: +**To assign users to TalentLMS, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **TalentLMS **application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-teamseer-tutorial.md b/articles/active-directory/active-directory-saas-teamseer-tutorial.md index 904a8c8eb6b4b..6f9efe53646b8 100644 --- a/articles/active-directory/active-directory-saas-teamseer-tutorial.md +++ b/articles/active-directory/active-directory-saas-teamseer-tutorial.md @@ -12,7 +12,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/09/2017 ms.author: jeedes --- 
@@ -28,16 +28,17 @@ After completing this tutorial, the Azure AD users you have assigned to TeamSeer The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for TeamSeer -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-teamseer-tutorial/IC789618.png "Scenario") -## Enabling the application integration for TeamSeer +## Enable the application integration for TeamSeer The objective of this section is to outline how to enable the application integration for TeamSeer. -### To enable the application integration for TeamSeer, perform the following steps: +**To enable the application integration for TeamSeer, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-teamseer-tutorial/IC700993.png "Active Directory") 
@@ -64,13 +65,16 @@ The objective of this section is to outline how to enable the application integr ![TeamSeer](./media/active-directory-saas-teamseer-tutorial/IC789620.png "TeamSeer") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to TeamSeer with their account in Azure AD using federation based on the SAML protocol. + As part of this procedure, you are required to create a base-64 encoded certificate file. + If you are not familiar with this procedure, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o). -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **TeamSeer** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **TeamSeer** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-teamseer-tutorial/IC789621.png "Configure Single Sign-On") 
@@ -102,67 +106,59 @@ If you are not familiar with this procedure, see [How to convert a binary certif 9. In the SAML provider details section, perform the following steps: - ![SAML Settings](./media/active-directory-saas-teamseer-tutorial/IC789637.png "SAML Settings") - - a. In the Azure classic portal, on the **Configure single sign-on at TeamSeer** dialog page, copy the **Single Sign-On Service URL** value, and then paste it into the **URL** textbox. - - b. Create a **base-64 encoded** file from your downloaded certificate. + ![SAML Settings](./media/active-directory-saas-teamseer-tutorial/IC789637.png "SAML Settings") + 1. In the Azure classic portal, on the **Configure single sign-on at TeamSeer** dialog page, copy the **Single Sign-On Service URL** value, and then paste it into the **URL** textbox. + 2. Create a **base-64 encoded** file from your downloaded certificate. - > [!TIP] - > For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o) - > - > - - c. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **IdP Public Certificate** textbox. + >[!TIP] + >For more details, see [How to convert a binary certificate into a text file](http://youtu.be/PlgrzUZ-Y1o). + > + + 3. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **IdP Public Certificate** textbox. 10. To complete the SAML provider configuration, perform the following steps: - ![SAML Settings](./media/active-directory-saas-teamseer-tutorial/IC789638.png "SAML Settings") - - a. In the **Test Email Addresses**, type the test user’s email address. - - b. In the **Issuer** textbox, type the Issuer URL of the service provider. - - c. Click **Save**. + ![SAML Settings](./media/active-directory-saas-teamseer-tutorial/IC789638.png "SAML Settings") + 1. In the **Test Email Addresses**, type the test user’s email address. + 2. 
In the **Issuer** textbox, type the Issuer URL of the service provider. + 3. Click **Save**. 11. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-teamseer-tutorial/IC789639.png "Configure Single Sign-On") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure AD users to log into TeamSeer, they must be provisioned into ShiftPlanning. -In the case of TeamSeer, provisioning is a manual task. -### To provision a user accounts, perform the following steps: +* In the case of TeamSeer, provisioning is a manual task. + +**To provision a user accounts, perform the following steps:** + 1. Log in to your **TeamSeer** company site as an administrator. 2. Perform the following steps: - ![HR Admin](./media/active-directory-saas-teamseer-tutorial/IC789640.png "HR Admin") - - a. Go to **HR Admin \> Users**. - - b. Click **Run the New User wizard**. + ![HR Admin](./media/active-directory-saas-teamseer-tutorial/IC789640.png "HR Admin") + 1. Go to **HR Admin \> Users**. + 2. Click **Run the New User wizard**. 3. In the **User Details** section, perform the following steps: ![User Details](./media/active-directory-saas-teamseer-tutorial/IC789641.png "User Details") - - a. Type the **First Name**, **Surname**, **User name (Email address)** of a valid AAD account you want to provision into the related textboxes. - - b. Click **Next**. + 1. Type the **First Name**, **Surname**, **User name (Email address)** of a valid AAD account you want to provision into the related textboxes. + 2. Click **Next**. 4. Follow the on screen instructions for adding a new user, and click **Finish**. -> [!NOTE] -> You can use any other TeamSeer user account creation tools or APIs provided by TeamSeer to provision Azure AD user accounts. 
-> +>[!NOTE] +>You can use any other TeamSeer user account creation tools or APIs provided by TeamSeer to provision Azure AD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to TeamSeer, perform the following steps: +**To assign users to TeamSeer, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **TeamSeer **application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-thirdlight-tutorial.md b/articles/active-directory/active-directory-saas-thirdlight-tutorial.md index a282068587e6c..4d0ba0a9f3b17 100644 --- a/articles/active-directory/active-directory-saas-thirdlight-tutorial.md +++ b/articles/active-directory/active-directory-saas-thirdlight-tutorial.md 
@@ -12,32 +12,34 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/07/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory Integration with Thirdlight The objective of this tutorial is to show the integration of Azure and Thirdlight. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription -* A Thirdlight single sign-on enabled subscription +* A Thirdlight single sign-on (SSO) enabled subscription -After completing this tutorial, the Azure AD users you have assigned to Thirdlight will be able to single sign into the application at your Thirdlight company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). +After completing this tutorial, the Azure AD users you have assigned to Thirdlight will be able to sign into the application using SSO at your Thirdlight company site (service provider initiated sign on), or using the [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for Thirdlight -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-thirdlight-tutorial/IC805836.png "Scenario") -## Enabling the application integration for Thirdlight +## Enable the application integration for Thirdlight The objective of this section is to outline how to enable the application integration for Thirdlight. -### To enable the application integration for Thirdlight, perform the following steps: +**To enable the application integration for Thirdlight, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. 
![Active Directory](./media/active-directory-saas-thirdlight-tutorial/IC700993.png "Active Directory") @@ -64,13 +66,16 @@ The objective of this section is to outline how to enable the application integr ![ThirdLight](./media/active-directory-saas-thirdlight-tutorial/IC805838.png "ThirdLight") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to Thirdlight with their account in Azure AD using federation based on the SAML protocol. -Configuring single sign-on for Thirdlight requires you to retrieve a thumbprint value from a certificate. + +Configuring SSO for Thirdlight requires you to retrieve a thumbprint value from a certificate. + If you are not familiar with this procedure, see [How to retrieve a certificate's thumbprint value](http://youtu.be/YKQF266SAxI). -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **Thirdlight** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **Thirdlight** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-thirdlight-tutorial/IC805839.png "Configure Single Sign-On") 
@@ -94,25 +99,23 @@ If you are not familiar with this procedure, see [How to retrieve a certificate' 7. In the SAML2 configuration section, perform the following steps: - ![SAML Single Sign-On](./media/active-directory-saas-thirdlight-tutorial/IC805844.png "SAML Single Sign-On") - - a. Select **Enable SAML2 Single Sign-On**. - - b. As **Source for IdP Metadata**, select **Load IdP Metadata from XML**. - - c. Open the downloaded metadata file, copy the content, and then paste it into the **IdP Metadata XML** textbox. - - d. Click **Save SAML2 settings**. + ![SAML Single Sign-On](./media/active-directory-saas-thirdlight-tutorial/IC805844.png "SAML Single Sign-On") + 1. Select **Enable SAML2 Single Sign-On**. + 2. As **Source for IdP Metadata**, select **Load IdP Metadata from XML**. + 3. Open the downloaded metadata file, copy the content, and then paste it into the **IdP Metadata XML** textbox. + 4. Click **Save SAML2 settings**. 8. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure Single Sign-On](./media/active-directory-saas-thirdlight-tutorial/IC805845.png "Configure Single Sign-On") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure AD users to log into Thirdlight, they must be provisioned into Thirdlight. -In the case of Thirdlight, provisioning is a manual task. -### To configure user provisioning, perform the following steps: +* In the case of Thirdlight, provisioning is a manual task. + +**To configure user provisioning, perform the following steps:** + 1. Log in to your **Thirdlight** company site as an administrator. 2. Go to **Users** tab. 
@@ -125,15 +128,15 @@ In the case of Thirdlight, provisioning is a manual task. 6. Click **Create**. -> [!NOTE] -> You can use any other Thirdlight user account creation tools or APIs provided by Thirdlight to provision AAD user accounts. -> +>[!NOTE] +>You can use any other Thirdlight user account creation tools or APIs provided by Thirdlight to provision AAD user accounts. > -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to Thirdlight, perform the following steps: +**To assign users to Thirdlight, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **Thirdlight **application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-thoughtworks-mingle-tutorial.md b/articles/active-directory/active-directory-saas-thoughtworks-mingle-tutorial.md index 018f51c58dd66..1cfa76ee2bcf0 100644 --- a/articles/active-directory/active-directory-saas-thoughtworks-mingle-tutorial.md +++ b/articles/active-directory/active-directory-saas-thoughtworks-mingle-tutorial.md @@ -12,12 +12,13 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/09/2017 ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Thoughtworks Mingle The objective of this tutorial is to show the integration of Azure and Thoughtworks Mingle. + The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription 
@@ -26,16 +27,17 @@ The scenario outlined in this tutorial assumes that you already have the followi The scenario outlined in this tutorial consists of the following building blocks: 1. Enabling the application integration for Thoughtworks Mingle -2. Configuring single sign-on +2. Configuring single sign-on (SSO) 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785150.png "Scenario") -## Enabling the application integration for Thoughtworks Mingle +## Enable the application integration for Thoughtworks Mingle The objective of this section is to outline how to enable the application integration for Thoughtworks Mingle. -### To enable the application integration for Thoughtworks Mingle, perform the following steps: +**To enable the application integration for Thoughtworks Mingle, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC700993.png "Active Directory") 
@@ -62,12 +64,14 @@ The objective of this section is to outline how to enable the application integr ![Thoughtworks Mingle](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785152.png "Thoughtworks Mingle") -## Configuring single sign-on +## Configure single sign-on The objective of this section is to outline how to enable users to authenticate to Thoughtworks Mingle with their account in Azure AD using federation based on the SAML protocol. + As part of this procedure, you are required to upload a certificate to Thoughtworks Mingle. -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **Thoughtworks Mingle **application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **Thoughtworks Mingle **application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785153.png "Configure single sign-on") 
@@ -91,21 +95,21 @@ As part of this procedure, you are required to upload a certificate to Thoughtwo 7. In the **SSO Config** section, perform the following steps: - ![SSO Config](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785158.png "SSO Config") - - a. To upload the metadata file, click **Choose file**. - - b. Click **Save Changes**. + ![SSO Config](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785158.png "SSO Config") + 1. To upload the metadata file, click **Choose file**. + 2. Click **Save Changes**. 8. On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure single sign-on](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785159.png "Configure single sign-on") -## Configuring user provisioning +## Configure user provisioning For AAD users to be able to sign in, they must be provisioned to the Thoughtworks Mingle application using their Azure Active Directory user names. -In the case of Thoughtworks Mingle, provisioning is a manual task. -### To configure user provisioning, perform the following steps: +* In the case of Thoughtworks Mingle, provisioning is a manual task. + +**To configure user provisioning, perform the following steps:** + 1. Log in to your Thoughtworks Mingle company site as administrator. 2. Click **Profile**. 
@@ -122,23 +126,20 @@ In the case of Thoughtworks Mingle, provisioning is a manual task. 5. On the **New User** dialog page, perform the following steps: - ![New User](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785163.png "New User") - - a. Type the **Sign-in name**, **Display name**, **Choose password**, **Confirm password** of a valid AAD account you want to provision into the related textboxes. - - b. As **User type**, select **Full user**. - - c. Click **Create This Profile**. + ![New User](./media/active-directory-saas-thoughtworks-mingle-tutorial/IC785163.png "New User") + 1. Type the **Sign-in name**, **Display name**, **Choose password**, **Confirm password** of a valid AAD account you want to provision into the related textboxes. + 2. As **User type**, select **Full user**. + 3. Click **Create This Profile**. -> [!NOTE] -> You can use any other Thoughtworks Mingle user account creation tools or APIs provided by Thoughtworks Mingle to provision AAD user accounts. -> -> +>[!NOTE] +>You can use any other Thoughtworks Mingle user account creation tools or APIs provided by Thoughtworks Mingle to provision AAD user accounts. +> -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to Thoughtworks Mingle, perform the following steps: +**To assign users to Thoughtworks Mingle, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **Thoughtworks Mingle** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-thousandeyes-tutorial.md b/articles/active-directory/active-directory-saas-thousandeyes-tutorial.md index acbbfaf27a80c..a7084d723de60 100644 --- a/articles/active-directory/active-directory-saas-thousandeyes-tutorial.md +++ b/articles/active-directory/active-directory-saas-thousandeyes-tutorial.md 
@@ -12,7 +12,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: identity -ms.date: 02/27/2017 +ms.date: 3/09/2017 ms.author: jeedes --- @@ -22,21 +22,22 @@ The objective of this tutorial is to show how to set up single sign-on between A The scenario outlined in this tutorial assumes that you already have the following items: * A valid Azure subscription -* A ThousandEyes single sign on enabled subscription +* A ThousandEyes single sign on (SSO) enabled subscription -After completing this tutorial, the AAD users to whom you have assign ThousandEyes access will be able to single sign into the application at your ThousandEyes company site (service provider initiated sign on), or using the AAD Access Panel . +After completing this tutorial, the AAD users to whom you have assign ThousandEyes access will be able to single sign into the application at your ThousandEyes company site (service provider initiated sign on), or using the AAD Access Panel. 1. Enabling the application integration for ThousandEyes -2. Configuring Single Sign-On +2. Configuring single sign-on 3. Configuring user provisioning 4. Assigning users ![Scenario](./media/active-directory-saas-thousandeyes-tutorial/IC790059.png "Scenario") -## Enabling the application integration for ThousandEyes +## Enable the application integration for ThousandEyes The objective of this section is to outline how to enable the application integration for ThousandEyes. -### To enable the application integration for ThousandEyes, perform the following steps: +**To enable the application integration for ThousandEyes, perform the following steps:** + 1. In the Azure classic portal, on the left navigation pane, click **Active Directory**. ![Active Directory](./media/active-directory-saas-thousandeyes-tutorial/IC700993.png "Active Directory") 
@@ -62,15 +63,16 @@ The objective of this section is to outline how to enable the application integr ![ThousandEyes](./media/active-directory-saas-thousandeyes-tutorial/IC790061.png "ThousandEyes") -## Configuring Single Sign-On +## Configure single sign-on This section outlines how to enable users to authenticate to ThousandEyes with their account in Azure Active Directory, using federation based on the SAML protocol. -### To configure single sign-on, perform the following steps: -1. In the Azure classic portal, on the **ThousandEyes** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On ** dialog. +**To configure single sign-on, perform the following steps:** + +1. In the Azure classic portal, on the **ThousandEyes** application integration page, click **Configure single sign-on** to open the **Configure Single Sign On** dialog. ![Configure Single SignOn](./media/active-directory-saas-thousandeyes-tutorial/IC790062.png "Configure Single SignOn") -1. On the **How would you like users to sign on to ThousandEyes** page, select **Microsoft Azure AD Single Sign-On**, and then click **Next**. +2. On the **How would you like users to sign on to ThousandEyes** page, select **Microsoft Azure AD Single Sign-On**, and then click **Next**. ![Configure Single SignOn](./media/active-directory-saas-thousandeyes-tutorial/IC790063.png "Configure Single SignOn") 
@@ -99,28 +101,23 @@ This section outlines how to enable users to authenticate to ThousandEyes with t 9. In the **Setup Single Sign-On** section, perform the following steps: ![Setup Single Sign-On](./media/active-directory-saas-thousandeyes-tutorial/IC790069.png "Setup Single Sign-On") - - a. Select **Enable Single Sign-On**. - - b. In the Microsoft Azure classic portal, on the **Configure single sign-on at ThousandEyes** page, copy the **Remote Login URL** value, and then paste it into the **Login Page URL** textbox. - - c. In the Microsoft Azure classic portal, on the **Configure single sign-on at ThousandEyes** page, copy the **Remote Logout URL** value, and then paste it into the **Logout Page URL** textbox. - - d. In the Microsoft Azure classic portal, on the **Configure single sign-on at ThousandEyes** page, copy the **Issuer URL** value, and then paste it into the **Identity Provider Issuer** textbox. - - e. In **Identity Provider Certificate**, click **Choose file**, and then upload the certificate you have downloaded from the Microsoft Azure classic portal. - - f. Click **Save**. + 1. Select **Enable Single Sign-On**. + 2. In the Microsoft Azure classic portal, on the **Configure single sign-on at ThousandEyes** page, copy the **Remote Login URL** value, and then paste it into the **Login Page URL** textbox. + 3. In the Microsoft Azure classic portal, on the **Configure single sign-on at ThousandEyes** page, copy the **Remote Logout URL** value, and then paste it into the **Logout Page URL** textbox. + 4. In the Microsoft Azure classic portal, on the **Configure single sign-on at ThousandEyes** page, copy the **Issuer URL** value, and then paste it into the **Identity Provider Issuer** textbox. + 5. In **Identity Provider Certificate**, click **Choose file**, and then upload the certificate you have downloaded from the Microsoft Azure classic portal. + 6. Click **Save**. 10. 
On the Azure classic portal, select the single sign-on configuration confirmation, and then click **Complete** to close the **Configure Single Sign On** dialog. ![Configure Single SignOn](./media/active-directory-saas-thousandeyes-tutorial/IC790070.png "Configure Single SignOn") -## Configuring user provisioning +## Configure user provisioning In order to enable Azure AD users to log into ThousandEyes, they must be provisioned into ThousandEyes. In the case of ThousandEyes, provisioning is a manual task. -### To provision a user account to ThousandEyes, perform the following steps: +**To provision a user account to ThousandEyes, perform the following steps:** + 1. Log into your ThousandEyes company site as an administrator. 2. Click **Settings**. 
@@ -137,26 +134,23 @@ In the case of ThousandEyes, provisioning is a manual task. 5. In the **Add Users & Accounts** section, perform the following steps: - ![Add User Accounts](./media/active-directory-saas-thousandeyes-tutorial/IC790074.png "Add User Accounts") - - a. Type the **Name**, **Email** and other details of a valid Azure Active Directory account you want to provision into the related textboxes. - - b. Click **Add New User to Account**. + ![Add User Accounts](./media/active-directory-saas-thousandeyes-tutorial/IC790074.png "Add User Accounts") + 1. Type the **Name**, **Email** and other details of a valid Azure Active Directory account you want to provision into the related textboxes. + 2. Click **Add New User to Account**. - > [!NOTE] - > The AAD account holder will get an email including a link to confirm and activate the account. - > - > + >[!NOTE] + >The AAD account holder will get an email including a link to confirm and activate the account. + > -> [!NOTE] -> You can use any other ThousandEyes user account creation tools or APIs provided by ThousandEyes to provision AAD user accounts. -> -> +>[!NOTE] +>You can use any other ThousandEyes user account creation tools or APIs provided by ThousandEyes to provision AAD user accounts. +> -## Assigning users +## Assign users To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them. -### To assign users to ThousandEyes, perform the following steps: +**To assign users to ThousandEyes, perform the following steps:** + 1. In the Azure classic portal, create a test account. 2. On the **ThousandEyes** application integration page, click **Assign users**. diff --git a/articles/active-directory/active-directory-saas-tivitz-tutorial.md b/articles/active-directory/active-directory-saas-tivitz-tutorial.md index c579a35776d8f..f8c692c422fe2 100644 --- a/articles/active-directory/active-directory-saas-tivitz-tutorial.md 
+++ b/articles/active-directory/active-directory-saas-tivitz-tutorial.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 +ms.date: 3/07/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate TiViTz with Azure Active Directory Integrating TiViTz with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to TiViTz -- You can enable your users to automatically get signed-on to TiViTz (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to TiViTz single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
@@ -33,28 +33,26 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with TiViTz, you need the following items: - An Azure AD subscription -- A TiViTz single-sign on enabled subscription - - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +- A TiViTz SSO enabled subscription +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). - +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks: 1. Adding TiViTz from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO -## Adding TiViTz from the gallery +## Add TiViTz from the gallery To configure the integration of TiViTz into Azure AD, you need to add TiViTz from the gallery to your list of managed SaaS apps. **To add TiViTz from the gallery, perform the following steps:** 
@@ -85,26 +83,24 @@ To configure the integration of TiViTz into Azure AD, you need to add TiViTz fro ![Creating an Azure AD test user](./media/active-directory-saas-tivitz-tutorial/tutorial_tivitz_0001.png) +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with TiViTz based on a test user called "Britta Simon". -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with TiViTz based on a test user called "Britta Simon". - -For single sign-on to work, Azure AD needs to know what the counterpart user in TiViTz is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in TiViTz needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in TiViTz is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in TiViTz needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in TiViTz. To configure and test Azure AD single sign-on with TiViTz, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a TiViTz test user](#creating-a-tivitz-test-user)** - to have a counterpart of Britta Simon in TiViTz that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. 
**[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. - -### Configuring Azure AD single sign-on +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your TiViTz application. +### Configure Azure AD single sign-on +In this section, you enable Azure AD SSO in the classic portal and configure single sign-on in your TiViTz application. **To configure Azure AD single sign-on with TiViTz, perform the following steps:** @@ -119,15 +115,13 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, perform the following steps: ![Configure Single Sign-On](./media/active-directory-saas-tivitz-tutorial/tutorial_tivitz_03.png) + 1. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.o365.tivitz.com/` + 2. In the **Identifier** textbox, type a URL using the following pattern: `https://.o365.tivitz.com/` + 3. Click **Next**. - a. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.o365.tivitz.com/` - - b. In the **Identifier** textbox, type a URL using the following pattern: `https://.o365.tivitz.com/` - - c. Click **Next**. - - > [!NOTE] - > Please note that these are not the real values. You have to update these values with the actual Sign On URL and Identifier. Contact [TiViTz support team](emaiLto:info@tivitz.com) to get these values. + >[!NOTE] + >Please note that these are not the real values. You have to update these values with the actual Sign On URL and Identifier. Contact [TiViTz support team](emaiLto:info@tivitz.com) to get these values. + > 4. On the **Configure single sign-on at TiViTz** page, click **Download metadata** and then save the file on your computer: 
@@ -144,7 +138,7 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] @@ -168,26 +162,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-tivitz-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-tivitz-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -196,24 +182,19 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-tivitz-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. - a. Write down the value of the **New Password**. - - b. Click **Complete**. - - - -### Creating a TiViTz test user +### Create a TiViTz test user The objective of this section is to create a user called Britta Simon in TiViTz. TiViTz supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user will be created during an attempt to access TiViTz if it doesn't exist yet. -> [!NOTE] -> If you need to create an user manually, you need to contact [TiViTz support team](emaiLto:info@tivitz.com). - +>[!NOTE] +>If you need to create an user manually, you need to contact [TiViTz support team](emaiLto:info@tivitz.com). -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting her access to TiViTz. @@ -239,15 +220,12 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] - - -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. When you click the TiViTz tile in the Access Panel, you should get automatically signed-on to your TiViTz application. - ## Additional resources * [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](active-directory-saas-tutorial-list.md) diff --git a/articles/active-directory/active-directory-saas-voyance-tutorial.md b/articles/active-directory/active-directory-saas-voyance-tutorial.md index 0e1aff1d5a6f6..57a7fb286a786 100644 
--- a/articles/active-directory/active-directory-saas-voyance-tutorial.md +++ b/articles/active-directory/active-directory-saas-voyance-tutorial.md @@ -12,7 +12,7 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 +ms.date: 3/09/2017 ms.author: jeedes --- @@ -23,7 +23,7 @@ In this tutorial, you learn how to integrate Voyance with Azure Active Directory Integrating Voyance with Azure AD provides you with the following benefits: - You can control in Azure AD who has access to Voyance -- You can enable your users to automatically get signed-on to Voyance (Single Sign-On) with their Azure AD accounts +- You can enable your users to automatically get signed-on to Voyance single sign-on (SSO) with their Azure AD accounts - You can manage your accounts in one central location - the Azure classic portal If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). 
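Review bot: The rewritten benefit bullet now reads "automatically get signed-on to Voyance single sign-on (SSO) with their Azure AD accounts", which makes single sign-on the thing users sign on to rather than the mechanism. Suggest keeping the original sentence structure and only introducing the abbreviation, for example "automatically get signed on to Voyance with their Azure AD accounts by using single sign-on (SSO)". Later hunks use "SSO" unexpanded ("A Voyance SSO enabled subscription"), so this bullet is where the term has to be defined clearly.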
@@ -33,17 +33,16 @@ If you want to know more details about SaaS app integration with Azure AD, see [ To configure Azure AD integration with Voyance, you need the following items: - An Azure AD subscription -- A Voyance single-sign on enabled subscription - - -> [!NOTE] -> To test the steps in this tutorial, we do not recommend using a production environment. +- A Voyance SSO enabled subscription +>[!NOTE] +>To test the steps in this tutorial, we do not recommend using a production environment. +> To test the steps in this tutorial, you should follow these recommendations: - You should not use your production environment, unless this is necessary. -- If you don't have an Azure AD trial environment, you can get a one-month trial [here](https://azure.microsoft.com/pricing/free-trial/). +- If you don't have an Azure AD trial environment, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/). ## Scenario description @@ -51,10 +50,9 @@ In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks: 1. Adding Voyance from the gallery -2. Configuring and testing Azure AD single sign-on +2. Configuring and testing Azure AD SSO - -## Adding Voyance from the gallery +## Add Voyance from the gallery To configure the integration of Voyance into Azure AD, you need to add Voyance from the gallery to your list of managed SaaS apps. **To add Voyance from the gallery, perform the following steps:** 
@@ -86,22 +84,22 @@ To configure the integration of Voyance into Azure AD, you need to add Voyance f ![Creating an Azure AD test user](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_0001.png) -## Configuring and testing Azure AD single sign-on -In this section, you configure and test Azure AD single sign-on with Voyance based on a test user called "Britta Simon". +## Configure and test Azure AD single sign-on +In this section, you configure and test Azure AD SSO with Voyance based on a test user called "Britta Simon". -For single sign-on to work, Azure AD needs to know what the counterpart user in Voyance is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Voyance needs to be established. +For SSO to work, Azure AD needs to know what the counterpart user in Voyance is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Voyance needs to be established. This link relationship is established by assigning the value of the **user name** in Azure AD as the value of the **Username** in Voyance. To configure and test Azure AD single sign-on with Voyance, you need to complete the following building blocks: -1. **[Configuring Azure AD Single Sign-On](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. +1. **[Configuring Azure AD single sign-on](#configuring-azure-ad-single-sign-on)** - to enable your users to use this feature. 2. **[Creating an Azure AD test user](#creating-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 3. **[Creating a Voyance test user](#creating-a-voyance-test-user)** - to have a counterpart of Britta Simon in Voyance that is linked to the Azure AD representation of her. 4. **[Assigning the Azure AD test user](#assigning-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. -5. 
**[Testing Single Sign-On](#testing-single-sign-on)** - to verify whether the configuration works. +5. **[Testing single sign-on](#testing-single-sign-on)** - to verify whether the configuration works. -### Configuring Azure AD single sign-on +### Configure Azure AD single sign-on In this section, you enable Azure AD single sign-on in the classic portal and configure single sign-on in your Voyance application. 
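Review bot: The five links in the building-blocks list still target the old heading fragments (`#configuring-azure-ad-single-sign-on`, `#creating-an-azure-ad-test-user`, `#creating-a-voyance-test-user`, and so on), while this patch renames those headings to "Configure ...", "Create ...", "Assign ..." and "Test ...". If fragments are generated from the heading text, every one of these in-page links stops resolving once the patch lands. Update both the link text and the fragments to the new headings, the same kind of fix this patch applies elsewhere to `#reset-your-password`. Also, the section heading keeps "single sign-on" while the sentence directly under it switches to "SSO"; pick one form for the section.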
@@ -119,23 +117,19 @@ In this section, you enable Azure AD single sign-on in the classic portal and co 3. On the **Configure App Settings** dialog page, If you wish to configure the application in **IDP initiated mode**, perform the following steps and click **Next**: ![Configure Single Sign-On](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_03.png) - - a. In the **Identifier** textbox, type a URL using the following pattern: `https://.nyansa.com`. - - b. In the **Reply URL** textbox, type a URL using the following pattern: `https://.nyansa.com/saml/create/`. - - c. Click **Next**. + 1. In the **Identifier** textbox, type a URL using the following pattern: `https://.nyansa.com`. + 2. In the **Reply URL** textbox, type a URL using the following pattern: `https://.nyansa.com/saml/create/`. + 3. Click **Next**. 4. If you wish to configure the application in **SP initiated mode** on the **Configure App Settings** dialog page, then click on the **“Show advanced settings (optional)”** and then enter the **Sign On URL** and click **Next**. ![Configure Single Sign-On](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_04.png) + 1. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.nyansa.com/`. + 2. Click **Next**. - a. In the **Sign On URL** textbox, type a URL using the following pattern: `https://.nyansa.com/`. - - b. Click **Next**. - - > [!NOTE] - > Please note that you have to update these values with the actual Sign On URL, Identifier and Reply URL. To get these values, contact [Voyance support team](emaiLto:support@nyansa.com). + >[!NOTE] + >You have to update these values with the actual Sign On URL, Identifier and Reply URL. To get these values, contact [Voyance support team](emaiLto:support@nyansa.com). + > 5. On the **Configure single sign-on at Voyance** page, click **Download certificate** and then save the file on your computer: 
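Review bot: The NOTE at the end of this hunk keeps the link target `emaiLto:support@nyansa.com`, which is not the `mailto:` scheme, so the support link will not open as an e-mail link. It should be `mailto:support@nyansa.com`. The same `emaiLto:` target appears in the other support-team NOTE blocks this patch touches (the TiViTz and Voyance test-user sections), so fix them together. Separately, the URL patterns in sub-steps 1 and 2 read `https://.nyansa.com` with nothing before the dot; if a tenant placeholder was meant there, it needs to be written so that it survives rendering, because the Identifier and Reply URL are exactly the values a reader must get right for the SAML configuration.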
@@ -147,29 +141,25 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Configure Single Sign-On On App Side](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_001.png) -8. Click on "**Admin Settings**". +8. Click "**Admin Settings**". ![Configure Single Sign-On On App Side](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_002.png) -9. Click on "**User Access**" Tab +9. Click "**User Access**" tab. ![Configure Single Sign-On On App Side](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_003.png) -10. Click on "**SSO is disabled**" button to configure Azure AD as an IdP using SAML 2.0. +10. Click the "**SSO is disabled**" button to configure Azure AD as an IdP using SAML 2.0. ![Configure Single Sign-On On App Side](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_004.png) 11. Go to **SAML v2** section and perform below steps: ![Configure Single Sign-On On App Side](./media/active-directory-saas-voyance-tutorial/tutorial_voyance_005.png) - - a. Select **Enabled**. - - b. In the **IdP Login URL** textbox put the value of **SAML SSO URL** from Azure AD application configuration wizard. - - c. Open your Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **IdP Cert** textbox. - - d. Click **Save** button. + 1. Select **Enabled**. + 2. In the **IdP Login URL** textbox put the value of **SAML SSO URL** from Azure AD application configuration wizard. + 3. Open your Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **IdP Cert** textbox. + 4. Click **Save**. 12. In the classic portal, select the single sign-on configuration confirmation, and then click **Next**. 
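Review bot: Step 9 becomes `Click "**User Access**" tab.`, which drops "on" but is now missing the article, while step 10 in the same hunk was changed to `Click the "**SSO is disabled**" button`. Suggest `Click the "**User Access**" tab.` so steps 8 to 10 read consistently. In step 11, sub-step 3, "Base64 encoded certificate in notepad" could also become "Base64-encoded certificate in Notepad" while the line is being touched.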
@@ -180,7 +170,7 @@ In this section, you enable Azure AD single sign-on in the classic portal and co ![Azure AD Single Sign-On][11] -### Creating an Azure AD test user +### Create an Azure AD test user The objective of this section is to create a test user in the classic portal called Britta Simon. ![Create Azure AD User][20] @@ -204,26 +194,18 @@ The objective of this section is to create a test user in the classic portal cal 5. On the **Tell us about this user** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-voyance-tutorial/create_aaduser_05.png) - - a. As Type Of User, select New user in your organization. - - b. In the User Name **textbox**, type **BrittaSimon**. - - c. Click **Next**. + 1. As Type Of User, select New user in your organization. + 2. In the User Name **textbox**, type **BrittaSimon**. + 3. Click **Next**. 6. On the **User Profile** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-voyance-tutorial/create_aaduser_06.png) - - a. In the **First Name** textbox, type **Britta**. - - b. In the **Last Name** textbox, type, **Simon**. - - c. In the **Display Name** textbox, type **Britta Simon**. - - d. In the **Role** list, select **User**. - - e. Click **Next**. + 1. In the **First Name** textbox, type **Britta**. + 2. In the **Last Name** textbox, type, **Simon**. + 3. In the **Display Name** textbox, type **Britta Simon**. + 4. In the **Role** list, select **User**. + 5. Click **Next**. 7. On the **Get temporary password** dialog page, click **create**. 
@@ -232,24 +214,20 @@ The objective of this section is to create a test user in the classic portal cal 8. On the **Get temporary password** dialog page, perform the following steps: ![Creating an Azure AD test user](./media/active-directory-saas-voyance-tutorial/create_aaduser_08.png) + 1. Write down the value of the **New Password**. + 2. Click **Complete**. - a. Write down the value of the **New Password**. - - b. Click **Complete**. - - - -### Creating a Voyance test user +### Create a Voyance test user The objective of this section is to create a user called Britta Simon in Voyance. Voyance supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user will be created during an attempt to access Voyance if it doesn't exist yet. -> [!NOTE] -> If you need to create an user manually, you need to contact [Voyance support team](emaiLto:support@nyansa.com). - +>[!NOTE] +>If you need to create an user manually, you need to contact [Voyance support team](emaiLto:support@nyansa.com). +> -### Assigning the Azure AD test user +### Assign the Azure AD test user In this section, you enable Britta Simon to use Azure single sign-on by granting her access to Voyance. @@ -276,8 +254,7 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting ![Assign User][205] - -### Testing single sign-on +### Test single sign-on In this section, you test your Azure AD single sign-on configuration using the Access Panel. diff --git a/articles/active-directory/active-directory-secure-passwords.md b/articles/active-directory/active-directory-secure-passwords.md new file mode 100644 index 0000000000000..c4856115093fc --- /dev/null +++ b/articles/active-directory/active-directory-secure-passwords.md 
@@ -0,0 +1,81 @@ +--- +title: Secure passwords in Azure AD and reset passwords that get blocked by Smart Password Lockout | Microsoft Docs +description: Explains what an Azure AD tenant is, and how to manage Azure through Azure Active Directory +services: active-directory +documentationcenter: '' +author: markvi +writer: v-lorisc +manager: femila + +ms.assetid: +ms.service: active-directory +ms.workload: infrastructure-services +ms.tgt_pltfrm: na +ms.devlang: na +ms.topic: get-started-article +ms.date: 03/02/2017 +ms.author: markvi + +--- +# Secure passwords in Azure AD and reset passwords that get blocked by Smart Password Lockout +This article discusses best practices you can follow as a user or as an administrator to protect your Azure Active Directory (Azure AD) and Microsoft Account Service accounts. + + >[!NOTE] + >Azure AD administrators can reset user passwords by clicking the directory name. From the [Azure Management portal](https://manage.windowsazure.com), choose the Users page, click the name of the user, and Reset Password. + > + +Azure AD incorporates the following common approaches to securing passwords: + * Password length requirements + * Password “complexity” requirements + * Regular and periodic password expiration + +For information about password management capabilities, see [Manage passwords in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-passwords). + +## Azure AD password protection +Azure AD and the Microsoft Account System use industry proven approaches to ensure secure protection of user and administrator passwords. + +This section discusses how Azure AD protects passwords using the following methods: + * Dynamically banned passwords + * Smart Password Lockout + +For information about password management based on current research, see the [Password Guidance](http://aka.ms/passwordguidance) whitepaper. 
+ +### Dynamically banned passwords +Azure AD and Microsoft Account System safeguard password protection by dynamically banning all commonly used passwords. The Azure ID Identity Protection team routinely analyzes banned password lists, preventing users from selecting commonly used passwords. This service is available to Azure AD and the Microsoft Account Service customers. + +When creating passwords, it is important for administrators to encourage users to choose uncommon password phrases that include a unique combination of letters, numbers, and characters. This helps to make user passwords nearly impossible to be compromised. + +**Breach lists** + +Azure AD is always working to stay one step ahead of cyber-criminals. One way we do that is by preventing users from creating passwords that are on the current attack list. + +The Azure AD Identity Protection team continually analyzes passwords that are commonly used. Cyber-criminals also use similar strategies to inform their attacks, such as building a [rainbow table](https://en.wikipedia.org/wiki/Rainbow_table) for cracking password hashes. + +Microsoft continually analyzes [data breaches](https://www.privacyrights.org/data-breaches) to maintain a dynamically updated banned password list, which ensures that vulnerable passwords are banned before they become a real threat to Azure AD customers. For more information about our current security efforts, see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/sir/default.aspx). + +### Smart Password Lockout + +When Azure AD detects a potential cyber-criminal trying to hack into a user password, we lock the user account with Smart Password Lockout. Azure AD is designed to determine the risk associated with specific login sessions. + +Using the most up-to-date security data, we apply lockout semantics to cyber threats. This way users won’t get locked out, in the case when a cyber-criminal has hacked into user passwords on your network. 
+ +If a user is locked out of Azure AD, their screen looks similar to the one below: + + ![Locked out of Azure AD](./media/active-directory-secure-passwords/locked-out-azuread.png) + +And for other Microsoft accounts, their screen looks similar to the one below: + + ![Locked out of a Microsoft account](./media/active-directory-secure-passwords/locked-out-ms-accounts.png) + +For information about password management in Azure Active Directory, see [How password management works](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works). + + >![NOTE] + >If you are an Azure AD administrator, you may want to use [Windows Hello](https://www.microsoft.com/en-us/windows/windows-hello) to avoid having your users create traditional passwords altogether. + > + +## Next steps +[How to update your own password](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-update-your-own-password)
+[The fundamentals of Azure identity management](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals-identity)
+[How to get operational insights with password management reports](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-get-insights#view-password-reset-activity) + + diff --git a/articles/active-directory/connect/active-directory-aadconnectsync-installation-wizard.md b/articles/active-directory/connect/active-directory-aadconnectsync-installation-wizard.md index 674486addbd6b..763db70f2cedd 100644 --- a/articles/active-directory/connect/active-directory-aadconnectsync-installation-wizard.md +++ b/articles/active-directory/connect/active-directory-aadconnectsync-installation-wizard.md @@ -28,7 +28,7 @@ When you start the installation wizard, you see a page with these options: ![Page with a list of additional tasks](./media/active-directory-aadconnectsync-installation-wizard/additionaltasks.png) -If you have installed ADFS with Azure AD Connect, you have even more options. The additional options you have for ADFS are documented in [ADFS management](active-directory-aadconnect-federation-management.md#ad-fs-management). +If you have installed ADFS with Azure AD Connect, you have even more options. The additional options you have for ADFS are documented in [ADFS management](active-directory-aadconnect-federation-management.md#manage-ad-fs). Select one of the tasks and click **Next** to continue. diff --git a/articles/active-directory/media/active-directory-architecture/active-directory-architecture.png b/articles/active-directory/media/active-directory-architecture/active-directory-architecture.png new file mode 100644 index 0000000000000..fda0aa19d2c7b Binary files /dev/null and b/articles/active-directory/media/active-directory-architecture/active-directory-architecture.png differ 
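Review bot: In the new active-directory-secure-passwords.md, the front matter `description:` is "Explains what an Azure AD tenant is, and how to manage Azure through Azure Active Directory", the same text as in active-directory-architecture.md, and it does not describe an article about banned passwords and Smart Password Lockout. Please write a description for this article. Near the end, `>![NOTE]` has the bang and bracket swapped and should be `>[!NOTE]` like the note at the top of the file. "The Azure ID Identity Protection team" should be "Azure AD". On content: "nearly impossible to be compromised" overstates what an uncommon passphrase gives you, and the Smart Password Lockout paragraph first says "we lock the user account" and then "This way users won't get locked out", without saying who is locked out and who is not; both sentences need rewording. The three "Next steps" links are on consecutive lines with no list markers, so they will render as one paragraph.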
diff --git a/articles/active-directory/media/active-directory-conditional-access-supported-apps/ic195031.png b/articles/active-directory/media/active-directory-conditional-access-supported-apps/ic195031.png new file mode 100644 index 0000000000000..0fc6068f94111 Binary files /dev/null and b/articles/active-directory/media/active-directory-conditional-access-supported-apps/ic195031.png differ diff --git a/articles/active-directory/media/active-directory-report-api-with-certificates/add-certificate-credential.png b/articles/active-directory/media/active-directory-report-api-with-certificates/add-certificate-credential.png new file mode 100644 index 0000000000000..b27629d50430e Binary files /dev/null and b/articles/active-directory/media/active-directory-report-api-with-certificates/add-certificate-credential.png differ diff --git a/articles/active-directory/media/active-directory-report-api-with-certificates/application-id.png b/articles/active-directory/media/active-directory-report-api-with-certificates/application-id.png new file mode 100644 index 0000000000000..7d84a926b9b0c Binary files /dev/null and b/articles/active-directory/media/active-directory-report-api-with-certificates/application-id.png differ diff --git a/articles/active-directory/media/active-directory-report-api-with-certificates/azure-portal.png b/articles/active-directory/media/active-directory-report-api-with-certificates/azure-portal.png new file mode 100644 index 0000000000000..f6995bc9de420 Binary files /dev/null and b/articles/active-directory/media/active-directory-report-api-with-certificates/azure-portal.png differ 
diff --git a/articles/active-directory/media/active-directory-report-api-with-certificates/connect-azuaread-cmdlet.png b/articles/active-directory/media/active-directory-report-api-with-certificates/connect-azuaread-cmdlet.png new file mode 100644 index 0000000000000..61063d1f71573 Binary files /dev/null and b/articles/active-directory/media/active-directory-report-api-with-certificates/connect-azuaread-cmdlet.png differ diff --git a/articles/active-directory/media/active-directory-report-api-with-certificates/script-completed.png b/articles/active-directory/media/active-directory-report-api-with-certificates/script-completed.png new file mode 100644 index 0000000000000..1cbbad4e3999e Binary files /dev/null and b/articles/active-directory/media/active-directory-report-api-with-certificates/script-completed.png differ diff --git a/articles/active-directory/media/active-directory-report-api-with-certificates/windows-powershell.png b/articles/active-directory/media/active-directory-report-api-with-certificates/windows-powershell.png new file mode 100644 index 0000000000000..480521889bd25 Binary files /dev/null and b/articles/active-directory/media/active-directory-report-api-with-certificates/windows-powershell.png differ diff --git a/articles/active-directory/media/active-directory-secure-passwords/locked-out-azuread.png b/articles/active-directory/media/active-directory-secure-passwords/locked-out-azuread.png new file mode 100644 index 0000000000000..eb49b5e362294 Binary files /dev/null and b/articles/active-directory/media/active-directory-secure-passwords/locked-out-azuread.png differ diff --git a/articles/active-directory/media/active-directory-secure-passwords/locked-out-ms-accounts.png b/articles/active-directory/media/active-directory-secure-passwords/locked-out-ms-accounts.png new file mode 100644 index 0000000000000..8c19a1d47d95d Binary files /dev/null and b/articles/active-directory/media/active-directory-secure-passwords/locked-out-ms-accounts.png differ 
diff --git a/articles/azure-government/documentation-government-developer-guide.md b/articles/azure-government/documentation-government-developer-guide.md index b0326087dd3ee..7de339599692c 100644 --- a/articles/azure-government/documentation-government-developer-guide.md +++ b/articles/azure-government/documentation-government-developer-guide.md @@ -13,7 +13,7 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: azure-government -ms.date: 02/13/2017 +ms.date: 03/19/2017 ms.author: stemi --- @@ -53,14 +53,17 @@ To learn about mapping public Azure and SQL Database endpoints to Azure Governme | ResourceManagerUrl | https://management.usgovcloudapi.net/ | | SqlDatabaseDnsSuffix | .database.usgovcloudapi.net | | StorageEndpointSuffix | core.usgovcloudapi.net | -| ActiveDirectoryAuthority | https://login-us.microsoftonline.com/ | +| ActiveDirectoryAuthority | https://login.microsoftonline.us/ | | GraphUrl | https://graph.windows.net/ | | GraphEndpointResourceId | https://graph.windows.net/ | | TrafficManagerDnsSuffix | usgovtrafficmanager.net | | AzureKeyVaultDnsSuffix | vault.usgovcloudapi.net | | AzureKeyVaultServiceEndpointResourceId | https://vault.usgovcloudapi.net | - +> [!NOTE] +> The **ActiveDirectoryAuthority** for Azure Government has changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. The original URL will continue to work but all applications should be updated to the new authority URL. +> +> ## Next steps For more information about Azure Government, see the following resources: diff --git a/articles/azure-government/documentation-government-get-started-connect-with-cli.md b/articles/azure-government/documentation-government-get-started-connect-with-cli.md index 08608baa81d1b..e799930e959b0 100644 --- a/articles/azure-government/documentation-government-get-started-connect-with-cli.md +++ b/articles/azure-government/documentation-government-get-started-connect-with-cli.md 
@@ -13,17 +13,46 @@ ms.devlang: na ms.topic: article ms.tgt_pltfrm: na ms.workload: azure-government -ms.date: 02/13/2017 +ms.date: 03/19/2017 ms.author: zakramer --- -# Connect to Azure Government with Azure CLI +# Connect to Azure Government with Azure Command Line Interface (CLI) +To use Azure CLI, you need to connect to Azure Government instead of Azure public. The Azure CLI can be used to manage a large subscription through script or to access features that are not currently available in the Azure portal. If you have used Azure CLI in Azure Public, it is mostly the same. -To use Azure CLI, you need to connect to Azure Government instead of Azure public. The Azure CLI can be used to manage a large subscription through script or to access features that are not currently available in the Azure portal. If you have used Azure CLI in Azure Public, it is mostly the same. The differences in Azure Government are: +## Azure CLI 2.0 +There are multiple ways to [install the Azure CLI v2](https://docs.microsoft.com/cli/azure/install-az-cli2). -There are multiple ways to [install the Azure CLI](https://docs.microsoft.com/en-us/azure/xplat-cli-install). If you already have Node installed, the easiest way is to install the npm package: +To connect to Azure Government, you set the cloud: + +``` +az cloud set --name AzureUSGovernment +``` + +After the cloud has been set, you can continue logging in: + +``` +az login --username your-user-name@your-gov-tenant.onmicrosoft.com +``` + +To confirm the cloud has correctly been set to AzureUSGovernment, run this command: + +``` +az cloud list +``` + +or + +``` +az cloud list --output table +``` + +and verify that the `isActive` flag is set to `true` for the AzureUSGovernment item. + +## Azure CLI 1.0 +There are multiple ways to [install the Azure CLI v1](https://docs.microsoft.com/azure/xplat-cli-install). 
If you already have Node installed, the easiest way is to install the npm package: To install the CLI from an npm package, make sure you have downloaded and installed the [latest Node.js and npm](https://nodejs.org/en/download/package-manager/). Then, run **npm install** to install the azure-cli package: @@ -51,4 +80,4 @@ Once you are logged in, you can run Azure CLI commands as you normally would: ``` azure webapp list my-resource-group -``` \ No newline at end of file +``` diff --git a/articles/azure-government/documentation-government-get-started-connect-with-vs.md b/articles/azure-government/documentation-government-get-started-connect-with-vs.md index a722145c44be7..5d2ce7916fd98 100644 --- a/articles/azure-government/documentation-government-get-started-connect-with-vs.md +++ b/articles/azure-government/documentation-government-get-started-connect-with-vs.md 
@@ -22,6 +22,56 @@ ms.author: zakramer # Connecting via Visual Studio Visual Studio is used by developers to easily manage their Azure subscriptions while building solutions. Visual Studio does not currently allow you to configure a connection to Azure Government in the user interface. +## Visual Studio 2017 +Visual Studio 2017 requires a configuration file for Visual Studio to connect to Azure Government. With this file inplace Visual Studio connects to Azure Government instead of Azure Public. + +### Create a configuration file for Azure Government +Create a file named **AadProvider.Configuration.json** with the following content: + + { + "AuthenticationQueryParameters": null, + "AsmEndPoint": "https://management.core.usgovcloudapi.net/", + "Authority": "https://login.microsoftonline.us/", + "AzureResourceManagementEndpoint": "https://management.usgovcloudapi.net", + "AzureResourceManagementAudienceEndpoints": [ "https://management.core.usgovcloudapi.net" ], + "ClientIdentifier": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1", + "EnvironmentName": "AzureUSGovernment", + "GraphEndpoint": "https://graph.windows.net", + "MsaHomeTenantId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a", + "NativeClientRedirect": "urn:ietf:wg:oauth:2.0:oob", + "PortalEndpoint": "https://portal.azure.us/", + "ResourceEndpoint": "https://management.core.usgovcloudapi.net", + "ValidateAuthority": true, + "VisualStudioOnlineEndpoint": "https://app.vssps.visualstudio.com/", + "VisualStudioOnlineAudience": "499b84ac-1321-427f-aa17-267ca6975798" + } + +### Updating Visual Studio for Azure Government + +1. Close Visual Studio +2. Place **AadProvider.Configuration.json** created in the previous step into **%localappdata%\\.IdentityService\AadConfigurations**. Create this folder if not present. +3. Launch Visual Studio and begin using your Azure Government account. + +> [!NOTE] +> With the configuration file, only Azure Government subscriptions are accessible. 
You still see subscriptions that you configured previously but they do not work because Visual Studio is now connected to Azure Government instead of Azure Public. Remove the file to connect to Azure Commercial. +> +> + +### Reverting Visual Studio Connection to Azure Government +To enable Visual Studio to connect to Azure Public, you need to remove the configuration file settings that enables connection to Azure Government. + +1. Close Visual Studio +2. Delete this folder: **%localappdata%\.IdentityService\AadConfigurations** +3. Restart Visual Studio and begin using your Azure Public account. + +> [!NOTE] +> Once this configuration has been reverted, your Azure Government subscriptions no longer accessible. +> +> + +## Visual Studio 2015 +Visual Studio 2015 requires a registry change for Visual Studio to connect to Azure Government. Once this registry key is set Visual Studio connects to Azure Government instead of Azure Public. + ### Updating Visual Studio for Azure Government To enable Visual Studio to connect to Azure Government, you need to update the registry. 
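Review bot: The heading `### Reverting Visual Studio Connection to Azure Government` sits above steps that switch Visual Studio back to Azure Public, so it should read "... to Azure Public". Its step 2 deletes the whole `AadConfigurations` folder, while the NOTE in the previous subsection says "Remove the file to connect to Azure Commercial". Pick one instruction (removing only AadProvider.Configuration.json is the narrower change) and use one name for the public cloud throughout. The folder path is also escaped two ways, `%localappdata%\\.IdentityService\AadConfigurations` in the update steps and `%localappdata%\.IdentityService\AadConfigurations` in the revert steps. It would help to say what the hard-coded `ClientIdentifier` and `MsaHomeTenantId` values identify, since readers are asked to paste them into an authentication configuration. Smaller items: "inplace" should be "in place", "subscriptions no longer accessible" is missing "are", and `### Updating Visual Studio for Azure Government` now appears under both the 2017 and 2015 sections, giving two headings with identical text for in-page links.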
@@ -32,14 +82,14 @@ To enable Visual Studio to connect to Azure Government, you need to update the r Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\VSCommon\ConnectedUser] - "AadInstance"="https://login-us.microsoftonline.com/" + "AadInstance"="https://login.microsoftonline.us/" "adaluri"="https://management.core.usgovcloudapi.net" "AzureRMEndpoint"="https://management.usgovcloudapi.net" "AzureRMAudienceEndpoint"="https://management.core.usgovcloudapi.net" "EnableAzureRMIdentity"="true" "GraphUrl"="graph.windows.net" 4. Save and then run the file by double-clicking it. You are prompted to merge the file into your registry. -5. Launch Visual Studio and begin using [Cloud Explorer](../vs-azure-tools-resources-managing-with-cloud-explorer.md) +5. Launch Visual Studio and begin using [Cloud Explorer](../vs-azure-tools-resources-managing-with-cloud-explorer.md) with your Azure Government account. > [!NOTE] > Once this registry key is set, only Azure Government subscriptions are accessible. You still see subscriptions that you configured previously but they do not work because Visual Studio is now connected to Azure Government instead of Azure Public. See the following section for steps to revert the changes. diff --git a/articles/azure-stack/azure-stack-install-visual-studio.md b/articles/azure-stack/azure-stack-install-visual-studio.md index 41d195ec641d9..58d6eb573ab2d 100644 --- a/articles/azure-stack/azure-stack-install-visual-studio.md +++ b/articles/azure-stack/azure-stack-install-visual-studio.md 
@@ -13,47 +13,36 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 12/16/2016 -ms.author: helaw +ms.date: 03/27/2016 +ms.author: sngun --- # Install Visual Studio and connect to Azure Stack -> [!IMPORTANT] -> This topic applies only to Azure Stack Technical Preview 2. -> - -You can use Visual Studio to author and deploy Azure Resource Manager [templates](azure-stack-arm-templates.md) in Azure Stack. Use the following steps to install the supported version for Azure Stack TP2. - -## Before you begin - - These steps perform a new installation of Visual Studio 2015 Community Edition. Read more about [coexistence](https://msdn.microsoft.com/library/ms246609.aspx) between other Visual Studio versions. - - You can install on [MAS-CON01](azure-stack-connect-azure-stack.md#connect-with-remote-desktop), or install on a workstation that has [VPN](azure-stack-connect-azure-stack.md#connect-with-vpn) connectivity to Azure Stack. +Use Visual Studio to author and deploy Azure Resource Manager [templates](azure-stack-arm-templates.md) in Azure Stack. You can use the steps described in this article to install Visual Studio either on [MAS-CON01](azure-stack-connect-azure-stack.md#connect-with-remote-desktop) computer, Azure Stack host computer or on a Windows-based external client if you are connected through [VPN](azure-stack-connect-azure-stack.md#connect-with-vpn). These steps perform a new installation of Visual Studio 2015 Community Edition. Read more about [coexistence](https://msdn.microsoft.com/library/ms246609.aspx) between other Visual Studio versions. ## Install Visual Studio -1. Download and run the [Web Platform Installer](https://www.microsoft.com/web/downloads/platform.aspx). - -2. Search for **Visual Studio Community 2015 with Microsoft Azure SDK - 2.9.6**, then click **Add**, and **Install**. +1. Download and run the [Web Platform Installer](https://www.microsoft.com/web/downloads/platform.aspx). +2. 
Search for **Visual Studio Community 2015 with Microsoft Azure SDK - 2.9.6**, click **Add**, and **Install**. ![Screenshot of WebPI install steps](./media/azure-stack-install-visual-studio/image1.png) -3. Uninstall the **Microsoft Azure PowerShell** that is installed as part of the Azure SDK. - - ![Screenshot of add/remove programs interface for Azure PowerShell](./media/azure-stack-install-visual-studio/image2.png) +3. Uninstall the **Microsoft Azure PowerShell** that is installed as part of the Azure SDK. -4. Open the Web Platform Installer, search for **Microsoft Azure PowerShell - Azure Stack Technical Preview 2**, click **Add**, and **Install**. + ![Screenshot of add/remove programs interface for Azure PowerShell](./media/azure-stack-install-visual-studio/image2.png) - ![Screenshot of add/remove programs interface for Azure PowerShell](./media/azure-stack-install-visual-studio/image3.png) +4. [Install PowerShell for Azure Stack](azure-stack-powershell-install.md) -5. Restart the operating system once the installation completes. +5. Restart the operating system after the installation completes. ## Connect to Azure Stack -1. Launch Visual Studio. +1. Launch Visual Studio. -2. From the **Edit** menu, select **Cloud Explorer**. +2. From the **Edit** menu, select **Cloud Explorer**. -3. In the new pane, select **Add Account** and sign in with your Azure AD credentials. +3. In the new pane, select **Add Account** and sign in with your Active Directory credentials. ![Screenshot of Cloud Explorer once logged in and connected to Azure Stack](./media/azure-stack-install-visual-studio/image6.png) Once logged in, you can [deploy templates](azure-stack-deploy-template-visual-studio.md) or browse available resource types and resource groups to create your own templates. diff --git a/articles/azure-stack/azure-stack-policy-module.md b/articles/azure-stack/azure-stack-policy-module.md index 74eb557652af5..e6be657707489 100644 
--- a/articles/azure-stack/azure-stack-policy-module.md +++ b/articles/azure-stack/azure-stack-policy-module.md @@ -21,12 +21,12 @@ ms.author: helaw The Azure Stack Policy module allows you to configure an Azure subscription with the same versioning and service availability as Azure Stack. The module uses the **New-AzureRMPolicyAssignment** cmdlet to create an Azure policy, which limits the resource types and services available in a subscription. Once complete, you can use your Azure subscription to develop apps for Azure Stack. ## Install the module -1. Install the required version of the AzureRM PowerShell module, as described in Step1 of [Install PowerShell for Azure Stack](azure-stack-powershell-install.md#install-the-required-version). +1. Install the required version of the AzureRM PowerShell module, as described in Step1 of [Install PowerShell for Azure Stack](azure-stack-powershell-install.md). 2. [Download the Azure Stack tools from GitHub](azure-stack-powershell-download.md) 3. [Configure PowerShell for use with Azure Stack](azure-stack-powershell-configure.md) - + 4. Import the AzureStack.Policy.psm1 module: - + ```PowerShell import-module .\Policy\AzureStack.Policy.psm1 ``` @@ -65,4 +65,3 @@ Once you've deployed the Azure policy, you receive an error when you try to depl [Deploy templates with Azure CLI](azure-stack-deploy-template-command-line.md) [Deploy Templates with Visual Studio](azure-stack-deploy-template-visual-studio.md) - diff --git a/articles/container-registry/container-registry-get-started-azure-cli.md b/articles/container-registry/container-registry-get-started-azure-cli.md index 9aa208ab51f6a..5676cffbfad75 100644 --- a/articles/container-registry/container-registry-get-started-azure-cli.md +++ b/articles/container-registry/container-registry-get-started-azure-cli.md 
@@ -37,17 +37,17 @@ Use commands in the [Azure CLI 2.0](https://github.com/Azure/azure-cli) to creat Run the `az acr create` command to create a container registry. > [!TIP] -> When you create a registry, specify a globally unique top-level domain name, containing only letters and numbers. The registry name in the examples is `myRegistry`, but substitute a unique name of your own. +> When you create a registry, specify a globally unique top-level domain name, containing only letters and numbers. The registry name in the examples is `myRegistry1`, but substitute a unique name of your own. > > -The following command uses the minimal parameters to create container registry `myRegistry` in the resource group `myResourceGroup` in the South Central US location: +The following command uses the minimal parameters to create container registry `myRegistry1` in the resource group `myResourceGroup` in the South Central US location: ```azurecli -az acr create -n myRegistry -g myResourceGroup -l southcentralus +az acr create -n myRegistry1 -g myResourceGroup -l southcentralus ``` -* `--storage-account-name` or `-s` is optional. If not specified, a storage account is created with a random name in the specified resource group. +* `--storage-account-name` is optional. If not specified, a storage account is created with a name consisting of the registry name and a timestamp in the specified resource group. The output is similar to the following: 
@@ -57,7 +57,7 @@ The output is similar to the following: Take special note: * `id` - Identifier for the registry in your subscription, which you need if you want to assign a service principal. -* `loginServer` - The fully qualified name you specify to [log in to the registry](container-registry-authentication.md). In this example, the name is `myregistry.exp.azurecr.io` (all lowercase). +* `loginServer` - The fully qualified name you specify to [log in to the registry](container-registry-authentication.md). In this example, the name is `myregistry1.exp.azurecr.io` (all lowercase). ## Assign a service principal Use CLI 2.0 commands to assign an Azure Active Directory service principal to a registry. The service principal in these examples is assigned the Owner role, but you can assign [other roles](../active-directory/role-based-access-control-configure.md) if you want. @@ -66,7 +66,7 @@ Use CLI 2.0 commands to assign an Azure Active Directory service principal to a In the following command, a new service principal is assigned Owner role access to the registry identifier passed with the `--scopes` parameter. Specify a strong password with the `--password` parameter. ```azurecli -az ad sp create-for-rbac --scopes /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/Microsoft.ContainerRegistry/registries/myregistry --role Owner --password myPassword +az ad sp create-for-rbac --scopes /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/Microsoft.ContainerRegistry/registries/myregistry1 --role Owner --password myPassword ``` 
@@ -75,7 +75,7 @@ az ad sp create-for-rbac --scopes /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx If you already have a service principal and want to assign it Owner role access to the registry, run a command similar to the following example. You pass the service principal app ID using the `--assignee` parameter: ```azurecli -az role assignment create --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/Microsoft.ContainerRegistry/registries/myregistry --role Owner --assignee myAppId +az role assignment create --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/Microsoft.ContainerRegistry/registries/myregistry1 --role Owner --assignee myAppId ``` @@ -85,17 +85,17 @@ An admin account is automatically created for each container registry and is dis ### Obtain admin user credentials ```azurecli -az acr credential show -n myRegistry +az acr credential show -n myRegistry1 ``` ### Enable admin user for an existing registry ```azurecli -az acr update -n myRegistry --admin-enabled true +az acr update -n myRegistry1 --admin-enabled true ``` ### Disable admin user for an existing registry ```azurecli -az acr update -n myRegistry --admin-enabled false +az acr update -n myRegistry1 --admin-enabled false ``` ## List images and tags @@ -109,14 +109,14 @@ Use the `az acr` CLI commands to query the images and tags in a repository. The following example lists the repositories in a registry, in JSON (JavaScript Object Notation) format: ```azurecli -az acr repository list -n myRegistry -o json +az acr repository list -n myRegistry1 -o json ``` ### List tags The following example lists the tags on the **samples/nginx** repository, in JSON format: ```azurecli -az acr repository show-tags -n myRegistry --repository samples/nginx -o json +az acr repository show-tags -n myRegistry1 --repository samples/nginx -o json ``` ## Next steps 
diff --git a/articles/container-registry/media/container-registry-get-started-azure-cli/acr_create.png b/articles/container-registry/media/container-registry-get-started-azure-cli/acr_create.png index 586b42875723d..23e7a7cef8277 100644 Binary files a/articles/container-registry/media/container-registry-get-started-azure-cli/acr_create.png and b/articles/container-registry/media/container-registry-get-started-azure-cli/acr_create.png differ diff --git a/articles/expressroute/expressroute-prerequisites.md b/articles/expressroute/expressroute-prerequisites.md index ff3441faf0623..938067ecc40b3 100644 --- a/articles/expressroute/expressroute-prerequisites.md +++ b/articles/expressroute/expressroute-prerequisites.md 
@@ -27,18 +27,9 @@ To connect to Microsoft cloud services using ExpressRoute, you need to verify th * An active Office 365 subscription (if using Office 365 services). For more information, see the [Office 365 specific requirements](#office-365-specific-requirements) section of this article. ## Connectivity provider -<<<<<<< HEAD -<<<<<<< HEAD -* You can work with an [ExpressRoute connectivity partner](expressroute-locations.md#partners) to connect to the Microsoft cloud. You can set up a connection between your on-premises network and Microsoft in [three ways](expressroute-introduction.md). -* If your provider is not an ExpressRoute connectivity partner, you can still connect to the Microsoft cloud through a cloud exchange provider. -======= -* You can work with an [ExpressRoute connectivity partner](expressroute-locations.md#partners) to connect to the Microsoft cloud. You can set up a connection between your on-premises network and Microsoft in [three ways](expressroute-introduction.md). -* If your provider is not an ExpressRoute connectivity partner, you can still connect to the Microsoft cloud through a [cloud exchange provider](expressroute-locations.md#c1partners). ->>>>>>> edb44088f29448db4be9de5e6394bf15d8d79657 -======= + * You can work with an [ExpressRoute connectivity partner](expressroute-locations.md#partners) to connect to the Microsoft cloud. You can set up a connection between your on-premises network and Microsoft in [three ways](expressroute-introduction.md). * If your provider is not an ExpressRoute connectivity partner, you can still connect to the Microsoft cloud through a [cloud exchange provider](expressroute-locations.md#c1partners). ->>>>>>> e926e608bd788ea7b2a642d09acc91e8d188d622 ## Network requirements * **Redundant connectivity**: there is no redundancy requirement on physical connectivity between you and your provider. 
Microsoft does require redundant BGP sessions to be set up between Microsoft’s routers and the peering routers, even when you have just [one physical connection to a cloud exchange](expressroute-faqs.md#onep2plink). diff --git a/articles/iot-hub/TOC.md b/articles/iot-hub/TOC.md index aae2b2721bc4a..8bb13728ff864 100644 --- a/articles/iot-hub/TOC.md +++ b/articles/iot-hub/TOC.md @@ -98,6 +98,11 @@ ## Use an Arduino ### [Adafruit Feather HUZZAH ESP8266](iot-hub-arduino-huzzah-esp8266-get-started.md) +#### [Manage cloud device messaging with iothub-explorer](iot-hub-explorer-cloud-device-messaging.md) +#### [Save IoT Hub messages to Azure data storage](iot-hub-store-data-in-azure-table-storage.md) +### [Sparkfun ESP8266 Thing Dev](iot-hub-sparkfun-esp8266-thing-dev-get-started.md) +#### [Manage cloud device messaging with iothub-explorer](iot-hub-explorer-cloud-device-messaging.md) +#### [Save IoT Hub messages to Azure data storage](iot-hub-store-data-in-azure-table-storage.md) ### [Adafruit Feather M0](iot-hub-adafruit-feather-m0-wifi-kit-arduino-get-started.md) #### Lesson 1: Configure your device diff --git a/articles/iot-hub/iot-hub-arduino-huzzah-esp8266-get-started.md b/articles/iot-hub/iot-hub-arduino-huzzah-esp8266-get-started.md index fd9b91a179510..1e07c3faaf006 100644 --- a/articles/iot-hub/iot-hub-arduino-huzzah-esp8266-get-started.md +++ b/articles/iot-hub/iot-hub-arduino-huzzah-esp8266-get-started.md 
@@ -50,7 +50,7 @@ You also need the following for your development environment: * Mac or PC that is running Windows or Ubuntu. * Wireless network for Feather HUZZAH ESP8266 to connect to. * Internet connection to download the configuration tool. -* [Arduino IDE](https://www.arduino.cc/en/main/software) version 1.6.8 (or newer), earlier versions will not work with the AzureIoT library). +* [Arduino IDE](https://www.arduino.cc/en/main/software) version 1.6.8 (or newer), earlier versions will not work with the AzureIoT library. The following items are optional in case you don’t have a sensor. You also have the option of using simulated sensor data. @@ -282,6 +282,12 @@ If you see the following output from the serial monitor window and the blinking ![final output in arduino ide](media/iot-hub-arduino-huzzah-esp8266-get-started/14_arduino-ide-final-output.png) -## Summary +## Next steps + +You have successfully connected a Feather HUZZAH ESP8266 to your IoT hub and sent the captured sensor data to your IoT hub. + +To continue getting started with IoT Hub and to explore other IoT scenarios, see: + +- [Manage cloud device messaging with iothub-explorer](iot-hub-explorer-cloud-device-messaging.md) +- [Save IoT Hub messages to Azure data storage](iot-hub-store-data-in-azure-table-storage.md) -You have successfully connected a Feather HUZZAH ESP8266 to your IoT hub and sent the captured sensor data to your IoT hub. diff --git a/articles/iot-hub/iot-hub-explorer-cloud-device-messaging.md b/articles/iot-hub/iot-hub-explorer-cloud-device-messaging.md new file mode 100644 index 0000000000000..781e0f791c851 --- /dev/null +++ b/articles/iot-hub/iot-hub-explorer-cloud-device-messaging.md 
@@ -0,0 +1,89 @@ +--- +title: Manage Azure IoT Hub cloud device messaging with iothub-explorer | Microsoft Docs +description: Learn how to use the iothub-explorer CLI tool to monitor device to cloud (D2C) messages and send cloud to device (C2D) messages in Azure IoT Hub. +services: iot-hub +documentationcenter: '' +author: shizn +manager: timtl +tags: '' +keywords: 'iothub explorer, cloud device messaging, iot hub cloud to device, cloud to device messaging' + +ms.assetid: 04521658-35d3-4503-ae48-51d6ad3c62cc +ms.service: iot-hub +ms.devlang: arduino +ms.topic: article +ms.tgt_pltfrm: na +ms.workload: na +ms.date: 03/27/2017 +ms.author: xshi + +--- +# Use iothub-explorer to send and receive messages between your device and IoT Hub + +> [!NOTE] +> Before you start this tutorial, make sure you’ve completed [Connect ESP8266 to Azure IoT Hub](iot-hub-arduino-huzzah-esp8266-get-started.md). In [Connect ESP8266 to Azure IoT Hub](iot-hub-arduino-huzzah-esp8266-get-started.md), you set up your IoT device and IoT hub, and deploy a sample application to run on your device. The application sends collected sensor data to your IoT hub. + +[iothub-explorer](https://github.com/azure/iothub-explorer) has a handful of commands that makes IoT Hub management easier. This tutorial focuses on how to use iothub-explorer to send and receive messages between your device and your IoT hub. + +## What you will learn + +You learn how to use iothub-explorer to monitor device-to-cloud messages and to send cloud-to-device messages. Device-to-cloud messages could be sensor data that your device collects and then sends to your IoT hub. Cloud-to-device messages could be commands that your IoT hub sends to your device to blink an LED that is connected to your device. + +## What you will do + +- Use iothub-explorer to monitor device-to-cloud messages. +- Use iothub-explorer to send cloud-to-device messages. 
+ +## What you need + +- Tutorial [Connect ESP8266 to Azure IoT Hub](iot-hub-arduino-huzzah-esp8266-get-started.md) completed which covers the following requirements: + - An active Azure subscription. + - An Azure IoT hub under your subscription. + - A client application that sends messages to your Azure IoT hub. +- iothub-explorer. ([Download iothub-explorer](https://github.com/azure/iothub-explorer)) + +## Monitor device-to-cloud messages + +To monitor messages that are sent from your device to your IoT hub, follow these steps: + +1. Open a console window. +1. Run the following command: + + ```bash + iothub-explorer monitor-events --login + ``` + + > [!Note] + > Get `` and `` from Tutorial 1. + +Here is the output: + +## Send cloud-to-device messages + +To send a message from your IoT hub to your device, follow these steps: + +1. Open a console window. +1. Start a session on your IoT hub by running the following command: + + ```bash + iothub-explorer login + ``` + +1. Send a message to your device by running the following command: + + ```bash + iothub-explorer send + ``` + +The command blinks the LED that is connected to your device and sends the message to your device. + +> [!Note] +> There is no need for the device to send a separate ack command back to your IoT hub upon receiving the message. + +## Next steps + +You’ve learned how to monitor device-to-cloud messages and send cloud-to-device messages between your IoT device and Azure IoT Hub. + +To continue getting started with IoT Hub and to explore other IoT scenarios, see: + +- [Save IoT Hub messages to Azure data storage](iot-hub-store-data-in-azure-table-storage.md) \ No newline at end of file diff --git a/articles/iot-hub/iot-hub-sparkfun-esp8266-thing-dev-get-started.md b/articles/iot-hub/iot-hub-sparkfun-esp8266-thing-dev-get-started.md new file mode 100644 index 0000000000000..9d4791e89985e --- /dev/null +++ b/articles/iot-hub/iot-hub-sparkfun-esp8266-thing-dev-get-started.md 
@@ -0,0 +1,291 @@ +--- +title: ESP8266 to cloud - Connect Sparkfun ESP8266 Thing Dev to Azure IoT Hub | Microsoft Docs +description: A guide to connecting an Arduino device, Sparkfun ESP8266 Thing Dev, to Azure IoT Hub which is a Microsoft cloud service that helps manage your IoT assets. +services: iot-hub +documentationcenter: '' +author: shizn +manager: timtl +tags: '' +keywords: '' + +ms.assetid: 587fe292-9602-45b4-95ee-f39bba10e716 +ms.service: iot-hub +ms.devlang: arduino +ms.topic: article +ms.tgt_pltfrm: na +ms.workload: na +ms.date: 03/15/2017 +ms.author: xshi + +--- +# Connect Sparkfun ESP8266 Thing Dev to Azure IoT Hub in the cloud + +![connection between DHT22, Thing Dev, and IoT Hub](media/iot-hub-sparkfun-thing-dev-get-started/1_connection-hdt22-thing-dev-iot-hub.png) + +## What you will do + +Connect Sparkfun ESP8266 Thing Dev to an IoT hub you will create. Then run a sample application on ESP8266 to collect temperature and humidity data from a DHT22 sensor. Finally, send the sensor data to your IoT hub. + +> [!NOTE] +> If you are using other ESP8266 boards, you can still follow these steps to connect it to your IoT hub. Depending on the ESP8266 board you are using, you may need to reconfigure the `LED_PIN`. For example, if you are using ESP8266 from AI-Thinker, you may change it from `0` to `2`. Don't have a kit yet?: Click [here](http://azure.com/iotstarterkits) + +## What you will learn + +* How to create an IoT hub and register a device for Thing Dev. +* How to connect Thing Dev with the sensor and your computer. +* How to collect sensor data by running a sample application on Thing Dev. +* How to send the sensor data to your IoT hub. + +## What you will need + +To complete this operation, you need the following parts from your Thing Dev Starter Kit: + +* The Sparkfun ESP8266 Thing Dev board. +* A Micro USB to Type A USB cable. + +You also need the following for your development environment: + +* Mac or PC that is running Windows or Ubuntu. 
+* Wireless network for Sparkfun ESP8266 Thing Dev to connect to. +* Internet connection to download the configuration tool. +* [Arduino IDE](https://www.arduino.cc/en/main/software) version 1.6.8 (or newer), earlier versions will not work with the AzureIoT library. + +The following items are optional in case you don’t have a sensor. You also have the option of using simulated sensor data. + +* An Adafruit DHT22 temperature and humidity sensor. +* A breadboard. +* M/M jumper wires. + +## Create an IoT hub and register a device for Sparkfun ESP8266 Thing Dev + +### Create your Azure IoT hub in the Azure portal + +1. Sign in to the [Azure portal](https://portal.azure.com/). +1. Click **New** > **Internet of Things** > **IoT Hub**. + + ![create iot hub](media/iot-hub-sparkfun-thing-dev-get-started/3_iot-hub-creation.png) + +1. In the **IoT hub** pane, enter the necessary information for your IoT hub: + + ![basic information for iot hub creation](media/iot-hub-sparkfun-thing-dev-get-started/4_iot-hub-provide-basic-info.png) + + * **Name**: The name for your IoT hub. If the name you enter is valid, a green check mark appears. + * **Pricing and scale tier**: Select the free F1 tier, will suffice for this demo. See [pricing and scale tier](https://azure.microsoft.com/pricing/details/iot-hub/). + * **Resource group**: Create a resource group to host the IoT hub or use an existing one. See [Using resource groups to manage your Azure resources](../azure-resource-manager/resource-group-portal.md). + * **Location**: Select the closest location to you where the IoT hub is created. + * **Pin the dashboard**: Check this option for easy access to your IoT hub from the dashboard. +1. Click **Create**. It could take a few minutes for your IoT hub to be created. You can see progress in the **Notifications** pane. 
+ + ![monitor the iot hub creation progress in the notification pane](media/iot-hub-sparkfun-thing-dev-get-started/5_iot-hub-monitor-creation-progress-notification-pane.png) + +1. Once your IoT hub is created, click it from the dashboard. Make a note of the **Hostname** that is used later, and then click **Shared access policies**. + + ![get hostname of your IoT hub](media/iot-hub-sparkfun-thing-dev-get-started/6_iot-hub-get-hostname.png) + +1. In the **Shared access policies** pane, click the **iothubowner** policy, and then copy and make a note of the **Connection string** of your IoT hub that is used later. For more information, see [Control access to IoT Hub](iot-hub-devguide-security.md). + + ![get iot hub connection string](media/iot-hub-sparkfun-thing-dev-get-started/7_iot-hub-get-connection-string.png) + +You have now created your IoT hub. The host name and connection string that you noted down will be used later. + +### Register a device for Sparkfun ESP8266 Thing Dev in your IoT hub + +Every IoT hub has an identity registry that stores information about the devices that are permitted to connect to the IoT hub. Before a device can connect to an IoT hub, there must be an entry for that device in the IoT hub's identity registry. + +In this section, you will use a CLI tool iothub explorer to register a device for ESP8266 Thing Dev in the identity registry of your IoT hub. + +> [!NOTE] +> iothub explorer requires Node.js 4.x or higher to work properly. + +To register a device for ESP8266 Thing Dev, follow these steps: + +1. [Download](https://nodejs.org/en/download/) and install the latest LTS version of Node.js, NPM included. +1. Install iothub explorer by using NPM. + + * Windows 7 or later + Start a command prompt as an administrator. 
Install iothub explorer by running the following command: + + ```bash + npm install -g iothub-explorer + ``` + * Ubuntu 16.04 or later + Open a terminal by using the keyboard shortcut Ctrl + Alt + T, and then run the following command: + + ```bash + sudo npm install -g iothub-explorer + ``` + * macOS 10.1 or later + Open a terminal, and then run the following command: + + ```bash + npm install -g iothub-explorer + ``` +1. Log in to your IoT hub by running the following command: + + ```bash + iothub-explorer login [your iot hub connection string] + ``` +1. Register a new device, which `deviceID` is `new-device`, and get its connection string by running the following command. + + ```bash + iothub-explorer create new-device --connection-string + ``` + +Make a note of the connection string of the registered device, it will be used later. + +## Connect ESP8266 Thing Dev with the sensor and your computer + +### Connect a DHT22 temperature and humidity sensor to ESP8266 Thing Dev + +Use the breadboard and jumper wires to make the connection as follows. If you don’t have a sensor, skip this section because you can use simulated sensor data instead. + +![connections reference](media/iot-hub-sparkfun-thing-dev-get-started/15_connections_on_breadboard.png) + +For sensor pins, we will use the following wiring: + +| Start (Sensor) | End (Board) | Cable Color | +| ----------------------- | ---------------------- | ------------: | +| VDD (Pin 27F) | 3V (Pin 8A) | Red cable | +| DATA (Pin 28F) | GPIO 2 (Pin 9A) | White cable | +| GND (Pin 30F) | GND (Pin 7J) | Black cable | + + +- For more information, see: [DHT22 sensor setup](http://cdn.sparkfun.com/datasheets/Sensors/Weather/RHT03.pdf) and [Sparkfun ESP8266 Thing Dev specification](https://www.sparkfun.com/products/13711) + +Now your Sparkfun ESP8266 Thing Dev should be connected with a working sensor. 
+ +![connect dht22 with ESP8266 Thing Dev](media/iot-hub-sparkfun-thing-dev-get-started/8_connect-dht22-thing-dev.png) + +### Connect Sparkfun ESP8266 Thing Dev to your computer + +Use the Micro USB to Type A USB cable to connect Sparkfun ESP8266 Thing Dev to your computer as follows. + +![connect feather huzzah to your computer](media/iot-hub-sparkfun-thing-dev-get-started/9_connect-thing-dev-computer.png) + +### Add serial port permissions – Ubuntu only + +If you use Ubuntu, make sure a normal user has the permissions to operate on the USB port of Sparkfun ESP8266 Thing Dev. To add serial port permissions for a normal user, follow these steps: + +1. Run the following commands at a terminal: + + ```bash + ls -l /dev/ttyUSB* + ls -l /dev/ttyACM* + ``` + + You get one of the following outputs: + + * crw-rw---- 1 root uucp xxxxxxxx + * crw-rw---- 1 root dialout xxxxxxxx + + In the output, notice `uucp` or `dialout` that is the group owner name of the USB port. + +1. Add the user to the group by running the following command: + + ```bash + sudo usermod -a -G + ``` + + `` is the group owner name you obtained in the previous step. `` is your Ubuntu user name. + +1. Log out Ubuntu and log in it again for the change to take effect. + +## Collect sensor data and send it to your IoT hub + +In this section, you deploy and run a sample application on Sparkfun ESP8266 Thing Dev. The sample application blinks the LED on Sparkfun ESP8266 Thing Dev and sends the temperature and humidity data collected from the DHT22 sensor to your IoT hub. + +### Get the sample application from Github + +The sample application is hosted on Github. Clone the sample repository that contains the sample application from GitHub. To clone the sample repository, follow these steps: + +1. Open a command prompt or a terminal window. +1. Go to a folder where you want the sample application to be stored. +1. 
Run the following command: + + ```bash + git clone https://github.com/Azure-Samples/iot-hub-SparkFun-ThingDev-client-app.git + ``` + +Install the package for Sparkfun ESP8266 Thing Dev in Arduino IDE: + +1. Open the folder where the sample application is stored. +1. Open the app.ino file in the app folder in Arduino IDE. + + ![open the sample application in arduino ide](media/iot-hub-sparkfun-thing-dev-get-started/10_arduino-ide-open-sample-app.png) + +1. In the Arduino IDE, click **File** > **Preferences**. +1. In the **Preferences** dialog box, click the icon next to the **Additional Boards Manager URLs** text box. +1. In the pop-up window, enter the following URL, and then click **OK**. + + `http://arduino.esp8266.com/stable/package_esp8266com_index.json` + + ![point to a package url in arduino ide](media/iot-hub-sparkfun-thing-dev-get-started/11_arduino-ide-package-url.png) + +1. In the **Preference** dialog box, click **OK**. +1. Click **Tools** > **Board** > **Boards Manager**, and then search for esp8266. + ESP8266 with a version of 2.2.0 or later should be installed. + + ![the esp8266 package is installed](media/iot-hub-sparkfun-thing-dev-get-started/12_arduino-ide-esp8266-installed.png) + +1. Click **Tools** > **Board** > **Adafruit HUZZAH ESP8266**. + +### Install necessary libraries + +1. In the Arduino IDE, click **Sketch** > **Include Library** > **Manage Libraries**. +1. Search for the following library names one by one. For each of the library you find, click **Install**. + * `AzureIoTHub` + * `AzureIoTUtility` + * `AzureIoTProtocol_MQTT` + * `ArduinoJson` + * `DHT sensor library` + * `Adafruit Unified Sensor` + +### Don’t have a real DHT22 sensor? + +The sample application can simulate temperature and humidity data in case you don’t have a real DHT22 sensor. To enable the sample application to use simulated data, follow these steps: + +1. Open the `config.h` file in the `app` folder. +1. 
Locate the following line of code and change the value from `false` to `true`: + ```c + define SIMULATED_DATA true + ``` + ![configure the sample application to use simulated data](media/iot-hub-sparkfun-thing-dev-get-started/13_arduino-ide-configure-app-use-simulated-data.png) + +1. Save with `Control-s`. + +### Deploy the sample application to Sparkfun ESP8266 Thing Dev + +1. In the Arduino IDE, click **Tool** > **Port**, and then click the serial port for Sparkfun ESP8266 Thing Dev. +1. Click **Sketch** > **Upload** to build and deploy the sample application to Sparkfun ESP8266 Thing Dev. + +### Enter your credentials + +After the upload completes successfully, follow the steps to enter your credentials: + +1. In the Arduino IDE, click **Tools** > **Serial Monitor**. +1. In the serial monitor window, notice the two drop-down lists on the bottom right corner. +1. Select **No line ending** for the left drop-down list. +1. Select **115200 baud** for the right drop-down list. +1. In the input box located at the top of the serial monitor window, enter the following information if you are asked to provide them, and then click **Send**. + * Wi-Fi SSID + * Wi-Fi password + * Device connection string + +> [!Note] +> The credential information is stored in the EEPROM of Sparkfun ESP8266 Thing Dev. If you click the reset button on the Sparkfun ESP8266 Thing Dev board, the sample application asks you if you want to erase the information. Enter `Y` to have the information erased and you are asked to provide the information again. + +### Verify the sample application is running successfully + +If you see the following output from the serial monitor window and the blinking LED on Sparkfun ESP8266 Thing Dev, the sample application is running successfully. 
+ +![final output in arduino ide](media/iot-hub-sparkfun-thing-dev-get-started/14_arduino-ide-final-output.png) + +## Next steps + +You have successfully connected a Sparkfun ESP8266 Thing Dev to your IoT hub and sent the captured sensor data to your IoT hub. + +To continue getting started with IoT Hub and to explore other IoT scenarios, see: + +- [Manage cloud device messaging with iothub-explorer](iot-hub-explorer-cloud-device-messaging.md) +- [Save IoT Hub messages to Azure data storage](iot-hub-store-data-in-azure-table-storage.md) + diff --git a/articles/iot-hub/iot-hub-store-data-in-azure-table-storage.md b/articles/iot-hub/iot-hub-store-data-in-azure-table-storage.md new file mode 100644 index 0000000000000..3b19751874ec2 --- /dev/null +++ b/articles/iot-hub/iot-hub-store-data-in-azure-table-storage.md 
@@ -0,0 +1,206 @@ +--- +title: Save IoT Hub messages to Azure data storage | Microsoft Docs +description: Use Azure Function App to save IoT Hub messages to Azure table storage. The IoT Hub messages contain information like sensor data that is sent from your IoT device. +services: iot-hub +documentationcenter: '' +author: shizn +manager: timtl +tags: '' +keywords: 'iot data storage, iot sensor data storage' + +ms.assetid: 62fd14fd-aaaa-4b3d-8367-75c1111b6269 +ms.service: iot-hub +ms.devlang: arduino +ms.topic: article +ms.tgt_pltfrm: na +ms.workload: na +ms.date: 03/27/2017 +ms.author: xshi + +--- +# Save IoT Hub messages that contain information like sensor data to Azure table storage + +> [!Note] +> Before you start this tutorial, make sure you’ve completed [Connect ESP8266 to Azure IoT Hub](/iot-hub-arduino-huzzah-esp8266-get-started.md). In [Connect ESP8266 to Azure IoT Hub](/iot-hub-arduino-huzzah-esp8266-get-started.md), you set up your IoT device and IoT hub, and deploy a sample application to run on your device. The application sends collected sensor data to your IoT hub. + +## What you will learn + +You learn how to create an Azure storage account and an Azure Function App to store IoT Hub messages in Azure table storage. + +## What you will do + +- Create an Azure storage account. +- Prepare for IoT Hub connection to read messages. +- Create and deploy an Azure Function App. + +## What you will need + +- Tutorial [Connect ESP8266 to Azure IoT Hub](/iot-hub-arduino-huzzah-esp8266-get-started.md) completed which covers the following requirements: + - An active Azure subscription. + - An Azure IoT hub under your subscription. + - A running application that sends messages to your Azure IoT hub. + +## Create an Azure storage account + +1. In the Azure portal, click **New** > **Storage** > **Storage account**. +1. 
Enter the necessary information for the storage acount: + + ![Create an storage account in the Azure Portal](media\iot-hub-store-data-in-azure-table-storage\1_azure-portal-create-storage-account.png) + + **Name**: The name of the storage account. The name must be globally unique. + + **Resource group**: Use the same resource group that your IoT hub uses. + + **Pin to dashboard**: Check this option for easy access to your IoT hub from the dashboard. +1. Click **Create**. + +## Prepare for IoT Hub connection to read messages + +IoT Hub exposes a built-in Event Hub-compatible endpoint to enable applications to read IoT Hub messages. Meanwhile, applications use consumer groups to read data from IoT Hub. Before creating an Azure Function App to read data from your IoT hub, you need to: + +- Get the connection string of your IoT hub endpoint. +- Create a consumer group for your IoT hub. + +### Get the connection string of your IoT hub endpoint + +1. Open your IoT hub. +1. On the **IoT Hub** pane, click **Endpoints** under **MESSAGING**. +1. On the right pane, click **Events** under **Built-in endpoints**. +1. In the **Properties** pane, make a note of the following values: + - Event Hub-compatible endpoint + - Event Hub-compatible name + + ![Get the connection string of your IoT hub endpoint in the Azure portal](media\iot-hub-store-data-in-azure-table-storage\2_azure-portal-iot-hub-endpoint-connection-string.png) + +1. On the **IoT Hub** pane, click **Shared access policies** under **SETTINGS**. +1. Click **iothubowner**. +1. Make a note of the **Primary key** value. +1. Make up the connection string of your IoT hub endpoint as follows: + + Endpoint=;SharedAccessKeyName=iothubowner;SharedAccessKey= + + > [!Note] + > Replace `` and `` with the values you noted down. + +### Create a consumer group for your IoT hub + +1. Open your IoT hub. +1. On the **IoT Hub** pane, click **Endpoints** under **MESSAGING**. +1. 
On the right pane, click **Events** under **Built-in endpoints**. +1. In the **Properties** pane, enter a name under **Consumer groups** and make a note of the name. +1. Click **Save**. + +## Create and deploy an Azure Function App + +1. In the [Azure portal](https://portal.azure.com/), click **New** > **Compute** > **Function App**. +1. Enter the necessary information for the Function App. + + ![Create an Fuction App in the Azure portal](media\iot-hub-store-data-in-azure-table-storage\3_azure-portal-create-function-app.png) + + **App name**: The name of the Function App. The name must be globally unique. + + **Resource group**: Use the same resource group that your IoT Hub uses. + + **Storage Account**: The storage account that you created. + + **Pin to dashboard**: Check this option for easy access to the Function App from the dashboard. +1. Click **Create**. +1. Open the Function App once it is created. +1. Create a new function in the Function App. + 1. Click **New Function**. + 1. Select **JavaScript** for **Language**, and **Data Processing** for **Scenario**. + 1. Click the **EventHubTrigger-JavaScript** template. + 1. Enter the necessary information for the template. + + **Name your function**: The name of the functio. + + **Event Hub name**: The Event Hub-compatible name you noted down. + + **Event Hub connection**: Click new to add the connection string of your IoT hub endpoint that you made up. + 1. Click **Create**. +1. Configure an output of the function. + 1. Click **Integrate** > **New Output** > **Azure Table Storage** > **Select**. + + ![Add a table storage to your Fuction App in the Azure portal](media\iot-hub-store-data-in-azure-table-storage\4_azure-portal-function-app-add-output-table-storage.png) + 1. Enter the necessary information. + + **Table name**: Use `deviceData` for the name. + + **Storage account connection**: Click **new** and select your storage account. + 1. Click **Save**. +1. 
Under **Triggers**, click **Azure Event Hub (myEventHubTrigger)**. +1. Under **Event Hub consumer group**, enter the name of the consumer group that you created, and then click **Save**. +1. Click **Develop**, and then click **View files**. +1. Click **Add** to add a new file named `package.json`, paste in the following information, and then click **Save**. + + ```json + { + "name": "iothub_save_message_to_table", + "version": "0.0.1", + "private": true, + "main": "index.js", + "author": "Microsoft Corp.", + "dependencies": { + "azure-iothub": "1.0.9", + "azure-iot-common": "1.0.7", + "moment": "2.14.1" + } + } + ``` +1. Replace the code in `index.js` with the following, and then click **Save**. + + ```javascript + 'use strict'; + + // This function is triggered each time a message is revieved in the IoTHub. + // The message payload is persisted in an Azure Storage Table + var moment = require('moment'); + + module.exports = function (context, iotHubMessage) { + context.log('Message received: ' + JSON.stringify(iotHubMessage)); + context.bindings.outputTable = { + "partitionKey": moment.utc().format('YYYYMMDD'), + "rowKey": moment.utc().format('hhmmss') + process.hrtime()[1] + '', + "message": JSON.stringify(iotHubMessage) + }; + context.done(); + }; + ``` +1. Click **Function app settings** > **Open dev console**. + + You should be at the `wwwroot` folder of the Function App. +1. Go to the function folder by running the following command: + + ```bash + cd + ``` +1. Install the npm package by running the following command: + + ```bash + npm install + ``` + + > [!Note] + > The installation may take some time to complete. + +By now, you have created the Function App. It stores messages that your IoT hub receives in your Azure table storage. + +> [!Note] +> You can use the **Run** button to test the Function App. When you click **Run**, the test message is sent to your IoT hub. 
The arrival of the message should trigger the Function App to start and then save the message to your Azure table storage. The **Logs** pane records the details of the process. + +## Verify your message in your table storage + +1. Run the sample application on your device to send messages to your IoT hub. +1. [Download and install Microsoft Azure Storage Explorer](http://storageexplorer.com/). +1. Open Microsoft Azure Storage Explorer, click **Add an Azure Account** > **Sign in**, and then sign in to your Azure account. +1. Click your Azure subscription > **Storage Accounts** > your storage account > **Tables** > **deviceData**. + + You should see messages sent from your device to your IoT hub logged in the `deviceData` table. + +## Next steps + +You’ve successfully created your Azure storage account and Azure Function App to store messages that your IoT hub receives in your Azure table storage. + +To continue getting started with IoT Hub and to explore other IoT scenarios, see: + +- [Manage cloud device messaging with iothub-explorer](iot-hub-explorer-cloud-device-messaging.md) \ No newline at end of file diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/10_arduino-ide-open-sample-app.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/10_arduino-ide-open-sample-app.png new file mode 100644 index 0000000000000..5960794368888 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/10_arduino-ide-open-sample-app.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/11_arduino-ide-package-url.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/11_arduino-ide-package-url.png new file mode 100644 index 0000000000000..216214bb3bc45 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/11_arduino-ide-package-url.png differ 
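Review bot: In iot-hub-store-data-in-azure-table-storage.md, the "Get the connection string of your IoT hub endpoint" steps build the Function App's connection string from the `iothubowner` policy, which carries every IoT Hub permission, for a function that only reads device-to-cloud messages. Suggest the built-in `service` policy (or a custom policy with only Service connect) so that a leaked app setting does not also expose registry write access. In `index.js`, `moment.utc().format('hhmmss')` uses the 12-hour token, so rows from 01:00 and 13:00 sort together inside the same day's partition; `HHmmss` keeps row keys in time order. `package.json` pins `azure-iothub` and `azure-iot-common`, which `index.js` never requires, so both can be dropped. Smaller items: the typos "acount", "Fuction", "functio" and "revieved", and the image paths written with backslashes (`media\iot-hub-store-data-in-azure-table-storage\...`) where the other articles in this patch use forward slashes.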
diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/12_arduino-ide-esp8266-installed.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/12_arduino-ide-esp8266-installed.png new file mode 100644 index 0000000000000..1f7f0b3249538 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/12_arduino-ide-esp8266-installed.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/13_arduino-ide-configure-app-use-simulated-data.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/13_arduino-ide-configure-app-use-simulated-data.png new file mode 100644 index 0000000000000..53cfcc3d000e9 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/13_arduino-ide-configure-app-use-simulated-data.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/14_arduino-ide-final-output.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/14_arduino-ide-final-output.png new file mode 100644 index 0000000000000..813eb9de1a8f0 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/14_arduino-ide-final-output.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/15_connections_on_breadboard.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/15_connections_on_breadboard.png new file mode 100644 index 0000000000000..f03d5746df4a3 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/15_connections_on_breadboard.png differ 
diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/1_connection-hdt22-thing-dev-iot-hub.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/1_connection-hdt22-thing-dev-iot-hub.png new file mode 100644 index 0000000000000..8904d7be6f929 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/1_connection-hdt22-thing-dev-iot-hub.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/3_iot-hub-creation.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/3_iot-hub-creation.png new file mode 100644 index 0000000000000..a69bbda5d25c4 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/3_iot-hub-creation.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/4_iot-hub-provide-basic-info.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/4_iot-hub-provide-basic-info.png new file mode 100644 index 0000000000000..3c1ee30e2f73a Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/4_iot-hub-provide-basic-info.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/5_iot-hub-monitor-creation-progress-notification-pane.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/5_iot-hub-monitor-creation-progress-notification-pane.png new file mode 100644 index 0000000000000..4590ce951d34a Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/5_iot-hub-monitor-creation-progress-notification-pane.png differ 
diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/6_iot-hub-get-hostname.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/6_iot-hub-get-hostname.png new file mode 100644 index 0000000000000..f63ebf8e6e6b3 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/6_iot-hub-get-hostname.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/7_iot-hub-get-connection-string.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/7_iot-hub-get-connection-string.png new file mode 100644 index 0000000000000..0283deadc45a2 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/7_iot-hub-get-connection-string.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/8_connect-dht22-thing-dev.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/8_connect-dht22-thing-dev.png new file mode 100644 index 0000000000000..3fe00acb18e00 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/8_connect-dht22-thing-dev.png differ diff --git a/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/9_connect-thing-dev-computer.png b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/9_connect-thing-dev-computer.png new file mode 100644 index 0000000000000..5597f535684a1 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-sparkfun-thing-dev-get-started/9_connect-thing-dev-computer.png differ diff --git a/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/1_azure-portal-create-storage-account.png b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/1_azure-portal-create-storage-account.png new file mode 100644 index 0000000000000..05eaa3832fce0 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/1_azure-portal-create-storage-account.png differ 
diff --git a/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/2_azure-portal-iot-hub-endpoint-connection-string.png b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/2_azure-portal-iot-hub-endpoint-connection-string.png new file mode 100644 index 0000000000000..e897769d56ec4 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/2_azure-portal-iot-hub-endpoint-connection-string.png differ diff --git a/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/3_azure-portal-create-function-app.png b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/3_azure-portal-create-function-app.png new file mode 100644 index 0000000000000..a66d5ada3d9e6 Binary files /dev/null and b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/3_azure-portal-create-function-app.png differ diff --git a/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/4_azure-portal-function-app-add-output-table-storage.png b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/4_azure-portal-function-app-add-output-table-storage.png new file mode 100644 index 0000000000000..18034004a2c1b Binary files /dev/null and b/articles/iot-hub/media/iot-hub-store-data-in-azure-table-storage/4_azure-portal-function-app-add-output-table-storage.png differ diff --git a/articles/log-analytics/log-analytics-oms-gateway.md b/articles/log-analytics/log-analytics-oms-gateway.md index 7e4dc036488c0..c075ad9ad780d 100644 --- a/articles/log-analytics/log-analytics-oms-gateway.md +++ b/articles/log-analytics/log-analytics-oms-gateway.md 
@@ -1,5 +1,5 @@ --- -title: Connect computers and devices to OMS using the OMS Gateway | Microsoft Docs +title: Connect computers to OMS using the OMS Gateway | Microsoft Docs description: Connect your OMS-managed devices and Operations Manager-monitored computers with the OMS Gateway to send data to the OMS service when they do not have Internet access. services: log-analytics documentationcenter: '' 
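Review bot: The new `title:` drops "and devices", but the unchanged `description:` line directly below it still reads "Connect your OMS-managed devices and Operations Manager-monitored computers". Suggest updating the description in the same change so the metadata matches the retitled article.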
@@ -12,34 +12,47 @@ ms.workload: na ms.tgt_pltfrm: na ms.devlang: na ms.topic: article -ms.date: 02/27/2017 -ms.author: banders -ms.custom: H1Hack27Feb2017 - +ms.date: 03/27/2017 +ms.author: magoedte;banders --- -# Connect computers and devices without Internet access to OMS using the OMS Gateway -This document describes how your OMS-managed devices and System Center Operations Manager (SCOM)-monitored computers can send data to the OMS service when they do not have Internet access. The OMS Gateway can collect the data and send it to the OMS service on their behalf. +# Connect computers without Internet access to OMS using the OMS Gateway + +This document describes how your OMS-managed and System Center Operations Manager monitored computers can send data to the OMS service when they do not have Internet access. The OMS Gateway, which is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command, can collect data and send it to the OMS service on their behalf. + +The OMS Gateway supports: + +1. Azure Automation Hybrid Runbook Workers +2. Windows computers with the Microsoft Monitoring Agent directly connected to an OMS workspace +3. System Center Operations Manager 2012 SP1 with UR7, Operations Manager 2012 R2 with UR3, or Operations Manager 2016 management group integrated with OMS. + +If your IT security policies do not allow computers on your network to connect to the Internet, such as point of sale (POS) devices, or servers supporting IT services, but you need to connect them to OMS to manage and monitor them, they can be configured to communicate directly with the OMS Gateway to receive configuration and forward data on their behalf. If these computers are configured with the OMS agent to directly connect to an OMS workspace, all computers will instead communicate with the OMS Gateway. The gateway transfers data from the agents to OMS directly, it does not analyze any of the data in transit. 
-The gateway is a HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command. The gateway can handle up to 2000 OMS concurrently connected devices when run on a 4-core CPU, 16-GB server running Windows. +When an Operations Manager management group is integrated with OMS, the management servers can be configured to connect to the OMS Gateway to receive configuration information and send collected data depending on the solution you have enabled. Operations Manager agents send some data such as Operations Manager alerts, configuration assessment, instance space, and capacity data to the management server. Other high-volume data, such as IIS logs, performance, and security events are sent directly to the OMS Gateway. If you have one or more Operations Manager Gateway servers deployed in a DMZ or other isolated network to monitor untrusted systems, it cannot communicate with an OMS Gateway. Operations Manager Gateway servers can only report to a management server. When an Operations Manager management group is configured to communicate with the OMS Gateway, the proxy configuration information is automatically distributed to every agent-managed computer that is configured to collect data for Log Analytics, even if the setting is empty. -As an example, your enterprise or large organization might have servers with network connectivity but might not have Internet connectivity. In another example, you might have many point of sale (POS) devices with no means of monitoring them directly. And in another example, Operations Manager can use the OMS Gateway as a proxy server. In these examples, the OMS Gateway can transfer data from the agents that are installed on these servers or POS devices to OMS. +To provide high availability for direct connected or Operations Management groups that communicate with OMS through the gateway, you can use network load balancing to redirect and distribute the traffic across multiple gateway servers. 
If one gateway server goes down, the traffic is redirected to another available node. -Instead of each individual agent sending data directly to OMS and requiring a direct Internet connection, all agent data is instead sent through a single computer that has an Internet connection. That computer is where you install and use the gateway. In this scenario, you can install agents on any computers where you want to collect data. The gateway then transfers data from the agents to OMS directly—the gateway does not analyze any of the data that is transferred. +It is recommended that you install the OMS agent on the computer running the OMS Gateway software to monitor the OMS Gateway and analyze performance or event data. Additionally, the agent helps the OMS Gateway identify the service end points that it needs to communicate with. -You must install the OMS agent on the computer where the gateway is also installed. Doing so allows you to monitor the OMS Gateway and analyze performance or event data for the server where it is installed. Additionally, the agent helps the OMS Gateway identify the service end points that it needs to communicate with. +Each agent must have network connectivity to its gateway so that agents can automatically transfer data to and from the gateway. Installing the gateway on a domain controller is not recommended. -The gateway must have access to the Internet to upload data to OMS. Each agent must also have network connectivity to its gateway so that agents can automatically transfer data to and from the gateway. For best results, do not install the gateway on a computer that is also a domain controller. +The following diagram shows data flow from direct agents to OMS using the gateway server. Agents must have their proxy configuration match the same port the OMS Gateway is configured to communicate with to OMS. -Here's a diagram that shows data flow from direct agents to OMS. 
+![direct agent communication with OMS diagram](./media/log-analytics-oms-gateway/oms-omsgateway-agentdirectconnect.png) -![direct agent diagram](./media/log-analytics-oms-gateway/direct-agent-diagram.png) +The following diagram shows data flow from an Operations Manager management group to OMS. -Here's a diagram that shows data flow from Operations Manager to OMS. +![Operations Manager communication with OMS diagram](./media/log-analytics-oms-gateway/oms-omsgateway-opsmgrconnect.png) -![Operations Manager diagram](./media/log-analytics-oms-gateway/scom-mgt-server.png) +## Prerequisites -## Language availability +When designating a computer to run the OMS Gateway, this computer must have the following: + +* Windows 10, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 operating system +* .Net Framework 4.5 +* Minimum of a 4-core processor and 8 GB of memory + +### Language availability The OMS Gateway is available in the following languages: 
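Review bot: The rewritten introduction describes the gateway as an HTTP forward proxy that tunnels with HTTP CONNECT, but nothing in this hunk says which destinations the gateway will tunnel to or which clients may use it. For a host that bridges a no-Internet network to the Internet, please state whether CONNECT is limited to OMS service endpoints and recommend scoping inbound access to the agent subnets. Wording: "If these computers are configured with the OMS agent to directly connect to an OMS workspace, all computers will instead communicate with the OMS Gateway" is hard to parse, "The gateway transfers data from the agents to OMS directly, it does not analyze any of the data in transit" is a comma splice, and "one or more Operations Manager Gateway servers ... it cannot communicate" has a number mismatch. The removed capacity figure (up to 2000 concurrently connected devices on a 4-core, 16-GB server) has no counterpart beside the new "4-core processor and 8 GB of memory" minimum; consider keeping a sizing statement.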
@@ -62,102 +75,100 @@ The OMS Gateway is available in the following languages: ## Download the OMS Gateway -There are three ways to get the OMS Gateway Setup file. - -### Microsoft Download Center - -- Download the latest version of the OMS Gateway from the [Microsoft Download Center](http://download.microsoft.com/download/2/5/C/25CF992A-0347-4765-BD7D-D45D5B27F92C/OMS%20Gateway.msi). - -### OMS portal +There are three ways to get the latest version of the OMS Gateway Setup file. -1. Log into your OMS workspace. -2. Select **Settings** > **Connected Sources** > **Windows Servers**. -3. Click **Download OMS Gateway**. +1. Download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=54443). +2. Download from the OMS portal. After you sign in to your OMS workspace, navigate to **Settings** > **Connected Sources** > **Windows Servers** and click **Download OMS Gateway**. -### Azure portal +3. Download from the [Azure portal](https://portal.azure.com). After you sign in: -1. Go to the [Azure portal](https://portal.azure.com) and sign in, browse the list of services, and then select **Log Analytics**. -2. Select a workspace. -3. In your workspace blade under **General**, click **Quick Start**. -4. Under **Choose a data source to connect to the workspace**, click **Computers**. -4. In the **Direct Agent** blade, click **Download OMS Gateway**. - ![download OMS Gateway](./media/log-analytics-oms-gateway/download-gateway.png) + 1. Browse the list of services, and then select **Log Analytics**. + 2. Select a workspace. + 3. In your workspace blade under **General**, click **Quick Start**. + 4. Under **Choose a data source to connect to the workspace**, click **Computers**. + 5. In the **Direct Agent** blade, click **Download OMS Gateway**.

![download OMS Gateway](./media/log-analytics-oms-gateway/download-gateway.png) ## Install the OMS Gateway -Installing this Gateway replaces previous versions of the Gateway that you have installed (Log Analytics Forwarder). -Prerequisites: .Net Framework 4.5, Windows Server 2012 R2 SP1 and above +To install a gateway, perform the following steps. If you installed a previous version, formerly called *Log Analytics Forwarder*, it will be upgraded to this release. - -1. To start the installation, double-click **OMS Gateway.msi**. -2. On the Welcome page, **Next**. - ![Gateway Setup wizard](./media/log-analytics-oms-gateway/gateway-wizard01.png) -3. On the License Agreement page, select **I accept the terms in the License Agreement** to agree to the EULA and then **Next**. -4. On the port and proxy address page: - 1. Type the TCP port number to be used for the gateway. Setup opens this port number from Windows firewall. The default value is 8080. +1. From the destination folder, double-click **OMS Gateway.msi**. +2. On the **Welcome** page, click **Next**.

![Gateway Setup wizard](./media/log-analytics-oms-gateway/gateway-wizard01.png)
+3. On the **License Agreement** page, select **I accept the terms in the License Agreement** to agree to the EULA and then click **Next**. +4. On the **Port and proxy address** page: + 1. Type the TCP port number to be used for the gateway. Setup configures an inbound rule with this port number on Windows firewall. The default value is 8080. The valid range of the port number is 1 - 65535. If the input does not fall into this range, an error message appears. - 2. Optionally, if the server where the gateway is installed needs to use a proxy, type the proxy address where the gateway needs to connect. For example, `http://myorgname.corp.contoso.com:80` If blank, the gateway will try to connect to the Internet directly. Otherwise, the gateway connects to the proxy. If your proxy server requires authentication, type your username and password. - ![Gateway Wizard proxy configuration](./media/log-analytics-oms-gateway/gateway-wizard02.png) - 3. Click **Next** -5. If you do not have Microsoft Updates enabled, the Microsoft Update page appears where you can choose to enable Microsoft Updates. Make a selection and then click **Next**. Otherwise, continue to the next step. -6. On the Destination Folder page, either leave the default folder c:\ProgramFiles\OMS Gateway or type the location where you want to install gateway and then click **Next**. -7. On the Ready to install page, click **Install**. A User Account Control might appear requesting permission to install. If so, click **Yes**. -8. After Setup completes, click **Finish**. You can verify that the service is running by opening the services.msc snap-in and verify that **OMS Gateway** appears in the list of services. - ![Services – OMS Gateway](./media/log-analytics-oms-gateway/gateway-service.png) + 2. Optionally, if the server where the gateway is installed needs to communicate through a proxy, type the proxy address where the gateway needs to connect. For example, `http://myorgname.corp.contoso.com:80`. 
If blank, the gateway will try to connect to the Internet directly. If your proxy server requires authentication, enter a username and password.

![Gateway Wizard proxy configuration](./media/log-analytics-oms-gateway/gateway-wizard02.png)
+ 3. Click **Next**. +5. If you do not have Microsoft Update enabled, the Microsoft Update page appears where you can choose to enable it. Make a selection and then click **Next**. Otherwise, continue to the next step. +6. On the **Destination Folder** page, either leave the default folder C:\Program Files\OMS Gateway or type the location where you want to install gateway and then click **Next**. +7. On the **Ready to install** page, click **Install**. User Account Control might appear requesting permission to install. If so, click **Yes**. +8. After Setup completes, click **Finish**. You can verify that the service is running by opening the services.msc snap-in and verify that **OMS Gateway** appears in the list of services and it status is **Running**.

![Services – OMS Gateway](./media/log-analytics-oms-gateway/gateway-service.png) -## Install an agent on devices -If needed, see [Connect Windows computers to Log Analytics](log-analytics-windows-agents.md) for information about how to install directly connected agents. The article describes how you can install the agent using a Setup wizard or by using the command line. +## Configure network load balancing +You can configure the gateway for high availability using network load balancing (NLB) using either Microsoft Network Load Balancing (NLB) or hardware-based load balancers. The load balancer manages traffic by redirecting the requested connections from the OMS Agents or Operations Manager management servers across its nodes. If one Gateway server goes down, the traffic gets redirected to other nodes. -## Configure OMS agents -See [Configure proxy and firewall settings with the Microsoft Monitoring Agent](log-analytics-proxy-firewall.md) for information about configuring an agent to use a proxy server, which in this case is the gateway. +To learn how to design and deploy a Windows Server 2016 network load balancing cluster, see [Network load balancing](https://technet.microsoft.com/windows-server-docs/networking/technologies/network-load-balancing). The following steps describe how to configure a Microsoft network load balancing cluster. -Operations Manager agents send some data such as Operations Manager alerts, configuration assessment, instance space, and capacity data, through the Management Server. Other high-volume data, such as IIS logs, performance, and security are sent directly to the OMS Gateway. See [Add Log Analytics solutions from the Solutions Gallery](log-analytics-add-solutions.md) for a complete list of data that is sent through each channel. +1. Sign onto the Windows server that is a member of the NLB cluster with an administrative account. +2. 
Open Network Load Balancing Manager in Server Manager, click **Tools**, and then click **Network Load Balancing Manager**. +3. To connect an OMS Gateway server with the Microsoft Monitoring Agent installed, right-click the cluster's IP address, and then click **Add Host to Cluster**.

![Network Load Balancing Manager – Add Host To Cluster](./media/log-analytics-oms-gateway/nlb02.png)
+4. Enter the IP address of the gateway server that you want to connect.

![Network Load Balancing Manager – Add Host To Cluster: Connect](./media/log-analytics-oms-gateway/nlb03.png) + +## Configure OMS agent and Operations Manager management group +The following section includes steps on how to configure directly connected OMS agents, an Operations Manager management group, or Azure Automation Hybrid Runbook Workers with the OMS Gateway to communicate with OMS. -> [!NOTE] -> If you plan to use the Gateway with network load balancing, see [Optionally configure network load balancing](#optionally-configure-network-load-balancing). -> -> +To understand requirements and steps on how to install the OMS agent on Windows computers directly connecting to OMS, see [Connect Windows computers to OMS](log-analytics-windows-agents.md) or for Linux computers see [Connect Linux computers to OMS](log-analytics-linux-agents.md). + +### Configuring the OMS agent and Operations Manager to use the OMS Gateway as a proxy server -## Configure a SCOM proxy server -You configure Operations Manager to add the gateway to act as a proxy server. When you update the proxy configuration, the proxy configuration is automatically applied to all the agents reporting to Operations Manager. +### Configure standalone OMS agent +See [Configure proxy and firewall settings with the Microsoft Monitoring Agent](log-analytics-proxy-firewall.md) for information about configuring an agent to use a proxy server, which in this case is the gateway. If you have deployed multiple gateway servers behind a network load balancer, the OMS agent proxy configuration is the virtual IP address of the NLB:

![Microsoft Monitoring Agent Properties – Proxy Settings](./media/log-analytics-oms-gateway/nlb04.png) -To use the Gateway to support Operations Manager, you need to have: +### Configure Operations Manager - all agents use the same proxy server +You configure Operations Manager to add the gateway server. The Operations Manager proxy configuration is automatically applied to all agents reporting to Operations Manager, even if the setting is empty. + +To use the Gateway to support Operations Manager, you must have: * Microsoft Monitoring Agent (agent version – **8.0.10900.0** and later) installed on the Gateway server and configured for the OMS workspaces with which you want to communicate. * The gateway must have Internet connectivity or be connected to a proxy server that does. -### To configure SCOM for the gateway -1. Open the Operations Manager console and under **Operations Management Suite**, click **Connection** and then click **Configure Proxy Server**: - ![Operations Manager – Configure Proxy Server](./media/log-analytics-oms-gateway/scom01.png) -2. Select **Use a proxy server to access the Operations Management Suite** and then type the IP address of the OMS Gateway server. Ensure that you start with the `http://` prefix: - ![Operations Manager – proxy server address](./media/log-analytics-oms-gateway/scom02.png) +> [!NOTE] +> If you do not specify a value for the gateway, blank values are pushed to all agents. + + +1. Open the Operations Manager console and under **Operations Management Suite**, click **Connection** and then click **Configure Proxy Server**.

![Operations Manager – Configure Proxy Server](./media/log-analytics-oms-gateway/scom01.png)
+2. Select **Use a proxy server to access the Operations Management Suite** and then type the IP address of the OMS Gateway server or virtual IP address of the NLB. Ensure that you start with the `http://` prefix.

![Operations Manager – proxy server address](./media/log-analytics-oms-gateway/scom02.png)
3. Click **Finish**. Your Operations Manager server is connected to your OMS workspace. -## Configure network load balancing -You can configure the gateway for high availability using network load balancing by creating a cluster. The cluster manages traffic from your agents by redirecting the requested connections from the Microsoft Monitoring Agents across its nodes. If one Gateway server goes down, the traffic gets redirected to other nodes. +### Configure Operations Manager - specific agents use proxy server +For large or complex environments, you may only want specific servers (or groups) to use the OMS Gateway server. For these servers, you cannot update the Operations Manager agent directly as this value is overwritten by the global value for the management group. Instead you need to override the rule used to push these values. -1. Open Network Load Balancing Manager and create a cluster. -2. Right-click the cluster before adding gateways, and select **Cluster Properties.** Configure the cluster to have its own IP address: - ![Network Load Balancing Manager – Cluster IP Addresses](./media/log-analytics-oms-gateway/nlb01.png) -3. To connect an OMS Gateway server with the Microsoft Monitoring Agent installed, right-click the cluster's IP address, and then click **Add Host to Cluster**. - ![Network Load Balancing Manager – Add Host To Cluster](./media/log-analytics-oms-gateway/nlb02.png) -4. Enter the IP address of the Gateway's server that you want to connect: - ![Network Load Balancing Manager – Add Host To Cluster: Connect](./media/log-analytics-oms-gateway/nlb03.png) -5. 
On computers that do not have Internet connectivity, be sure to use the IP address of the cluster when you configure the **Microsoft Monitoring Agent Properties**: - ![Microsoft Monitoring Agent Properties – Proxy Settings](./media/log-analytics-oms-gateway/nlb04.png) +> [!NOTE] +> This same configuration technique can be used to allow the use of multiple OMS Gateway servers in your environment. For example, you may require specific OMS Gateway servers to be specified on a per-region basis. -## Configure for automation hybrid workers -If you have automation hybrid workers in your environment, the following steps provide manual, temporary workarounds to configure the Gateway to support them. +1. Open the Operations Manager console and select the **Authoring** workspace. +2. In the Authoring workspace, select **Rules** and click the **Scope** button on the Operations Manager toolbar. If this button is not available, check to make sure that you have an object, not a folder, selected in the Monitoring pane. The **Scope Management Pack Objects** dialog box displays a list of common targeted classes, groups, or objects. +3. Type **Health Service** in the **Look for** field and select it from the list. Click **OK**. +4. Search for the rule **Advisor Proxy Setting Rule** and in the Operations console toolbar, click **Overrides** and then point to **Override the Rule\For a specific object of class: Health Service** and select a specific object from the list. Optionally, you can create a custom group containing the health service object of the servers you wish to apply this override to and then apply the override to that group. +5. In the **Override Properties** dialog box, click to place a check mark in the **Override** column next to the **WebProxyAddress** parameter. In the **Override Value** field, enter the URL of the OMS Gateway server ensuring that you start with the `http://` prefix. 
+ >[!NOTE] + > You do not need to enable the rule as it is already managed automatically with an override contained in the Microsoft System Center Advisor Secure Reference Override management pack targeting the Microsoft System Center Advisor Monitoring Server Group. + > +6. Either select a management pack from the **Select destination management pack** list or create a new unsealed management pack by clicking **New**. +7. When you complete your changes, click **OK**. + +### Configure for automation hybrid workers +If you have Automation Hybrid Runbook Workers in your environment, the following steps provide manual, temporary workarounds to configure the Gateway to support them. In the following steps, you need to know the Azure region where the Automation account resides. To locate the location: 1. Sign in to the [Azure portal](https://portal.azure.com/). 2. Select the Azure Automation service. 3. Select the appropriate Azure Automation account. -4. View its region under **Location**. - ![Azure portal – Automation account location](./media/log-analytics-oms-gateway/location.png) +4. View its region under **Location**.

![Azure portal – Automation account location](./media/log-analytics-oms-gateway/location.png) Use the following tables to identify the URL for each location: 
@@ -191,32 +202,32 @@ Use the following tables to identify the URL for each location: | Japan |jpe-agentservice-prod-1.azure-automation.net | | Australia |ase-agentservice-prod-1.azure-automation.net | -If your computer is registered as a hybrid worker automatically for patching using the Update Management solution, use these steps: +If your computer is registered as a Hybrid Runbook Worker automatically for patching using the Update Management solution, follow these steps: 1. Add the Job Runtime Data service URLs to the Allowed Host list on the OMS Gateway. For example: `Add-OMSGatewayAllowedHost we-jobruntimedata-prod-su1.azure-automation.net` -2. Restart the OMS Gateway Service by using the following PowerShell cmdlet: +2. Restart the OMS Gateway service by using the following PowerShell cmdlet: `Restart-Service OMSGatewayService` -If your computer is on-boarded to Azure Automation by using the hybrid worker registration cmdlet, use these steps: +If your computer is on-boarded to Azure Automation by using the Hybrid Runbook Worker registration cmdlet, follow these steps: 1. Add the agent service registration URL to the Allowed Host list on the OMS Gateway. For example: `Add-OMSGatewayAllowedHost ncus-agentservice-prod-1.azure-automation.net` 2. Add the Job Runtime Data service URLs to the Allowed Host list on the OMS Gateway. For example: `Add-OMSGatewayAllowedHost we-jobruntimedata-prod-su1.azure-automation.net` -3. Restart the OMS Gateway Service. +3. Restart the OMS Gateway service. `Restart-Service OMSGatewayService` ## Useful PowerShell cmdlets Cmdlets can help you complete tasks that are needed to update the OMS Gateway's configuration settings. Before you use them, be sure to: 1. Install the OMS Gateway (MSI). -2. Open the PowerShell window. +2. Open a PowerShell console window. 3. To import the module, type this command: `Import-Module OMSGateway` -4. 
If no error occurred in the previous step, the module was successfully imported, and the cmdlets can be used. Type `Get-Module OMSGateway` +4. If no error occurred in the previous step, the module was successfully imported and the cmdlets can be used. Type `Get-Module OMSGateway` 5. After you make changes by using the cmdlets, ensure that you restart the Gateway service. -If you get an error in step 3, the module wasn't imported. The error might occur when PowerShell is unable to find the module. You can find it in the Gateway's installation path: C:\Program Files\Microsoft OMS Gateway\PowerShell. +If you get an error in step 3, the module wasn't imported. The error might occur when PowerShell is unable to find the module. You can find it in the Gateway's installation path: *C:\Program Files\Microsoft OMS Gateway\PowerShell*. | **Cmdlet** | **Parameters** | **Description** | **Examples** | | --- | --- | --- | --- | 
@@ -226,15 +237,13 @@ If you get an error in step 3, the module wasn't imported. The error might occur | `Get-OMSGatewayRelayProxy` | |Gets the address of relay (upstream) proxy |`Get-OMSGatewayRelayProxy` | | `Add-OMSGatewayAllowedHost` |Host (required) |Adds the host to the allowed list |`Add-OMSGatewayAllowedHost -Host www.test.com` | | `Remove-OMSGatewayAllowedHost` |Host (required) |Removes the host from the allowed list |`Remove-OMSGatewayAllowedHost -Host www.test.com` | -| `Get-OMSGatewayAllowedHost` | |Gets the currently allowed host (only the locally configured allowed host, do not include automatically downloaded allowed hosts) |`Get-OMSGatewayAllowedHost` | +| `Get-OMSGatewayAllowedHost` | |Gets the currently allowed host (only the locally configured allowed host, does not include automatically downloaded allowed hosts) |`Get-OMSGatewayAllowedHost` | | `Add-OMSGatewayAllowedClientCertificate` |Subject (required) |Adds the client certificate subject to the allowed list |`Add-OMSGatewayAllowedClientCertificate -Subject mycert` | | `Remove-OMSGatewayAllowedClientCertificate` |Subject (required) |Removes the client certificate subject from the allowed list |`Remove- OMSGatewayAllowedClientCertificate -Subject mycert` | -| `Get-OMSGatewayAllowedClientCertificate` | |Gets the currently allowed client certificate subjects (only the locally configured allowed subjects, do not include automatically downloaded allowed subjects) |`Get-OMSGatewayAllowedClientCertificate` | - -## Troubleshoot -You must install the OMS agent on computers that have the gateway installed. You can then use the agent to collect the events that are logged by the gateway. 
+| `Get-OMSGatewayAllowedClientCertificate` | |Gets the currently allowed client certificate subjects (only the locally configured allowed subjects, does not include automatically downloaded allowed subjects) |`Get-OMSGatewayAllowedClientCertificate` | -![Event Viewer – OMS Gateway Log](./media/log-analytics-oms-gateway/event-viewer.png) +## Troubleshooting +To collect events logged by the gateway, you need to also have the OMS agent installed.

![Event Viewer – OMS Gateway Log](./media/log-analytics-oms-gateway/event-viewer.png) **OMS Gateway Event IDs and descriptions** diff --git a/articles/log-analytics/media/log-analytics-oms-gateway/oms-omsgateway-agentdirectconnect.png b/articles/log-analytics/media/log-analytics-oms-gateway/oms-omsgateway-agentdirectconnect.png new file mode 100644 index 0000000000000..f69a316b53533 Binary files /dev/null and b/articles/log-analytics/media/log-analytics-oms-gateway/oms-omsgateway-agentdirectconnect.png differ diff --git a/articles/log-analytics/media/log-analytics-oms-gateway/oms-omsgateway-opsmgrconnect.png b/articles/log-analytics/media/log-analytics-oms-gateway/oms-omsgateway-opsmgrconnect.png new file mode 100644 index 0000000000000..bda195d67a3cf Binary files /dev/null and b/articles/log-analytics/media/log-analytics-oms-gateway/oms-omsgateway-opsmgrconnect.png differ diff --git a/articles/security/TOC.md b/articles/security/TOC.md index 58679231f3db9..198d728e58958 100644 --- a/articles/security/TOC.md +++ b/articles/security/TOC.md 
@@ -1,40 +1,55 @@ # [Overview](security-get-started-overview.md) -## [How it works](azure-security-getting-started.md) -## [Security services and technologies](azure-security-services-technologies.md) ## [Network security](security-network-overview.md) +## [Storage security](security-storage-overview.md) +## [Compute security](security-virtual-machines-overview.md) +## [Security management and monitoring](security-management-and-monitoring-overview.md) +## [Identity management](security-identity-management-overview.md) +## [IoT security](../iot-suite/iot-security-architecture.md#security-in-iot) +## [Security architecture](azure-security-architecture-overview.md) + +# Get Started +## [Getting started with Azure security](azure-security-getting-started.md) +## [Security best practices and patterns](security-best-practices-and-patterns.md) +## [Security services and technologies](azure-security-services-technologies.md) + +## Network security ### [Network security best practices](azure-security-network-security-best-practices.md) ### [Boundary security](../best-practices-network-security.md?toc=%2fazure%2fsecurity%2ftoc.json) ### [Secure hybrid network architecture](../guidance/guidance-iaas-ra-secure-vnet-hybrid.md?toc=%2fazure%2fsecurity%2ftoc.json) -## [Storage security](security-storage-overview.md) + +## Storage security ### [Data security and encryption best practices](azure-security-data-encryption-best-practices.md) ### [Storage security guide](../storage/storage-security-guide.md?toc=%2fazure%2fsecurity%2ftoc.json) -## [Compute security](security-virtual-machines-overview.md) + +## Compute security ### [Best practices for Azure VMs](azure-security-best-practices-vms.md) ### [Best practices for IaaS workloads ](azure-security-iaas.md) ### [Microsoft Antimalware](azure-security-antimalware.md) -### [Disk encryption](azure-security-disk-encryption.md) -### [Encrypt Azure 
VM](../security-center/security-center-disk-encryption.md?toc=%2fazure%2fsecurity%2ftoc.json) -## [Security management and monitoring](security-management-and-monitoring-overview.md) +### [Disk encryption for IaaS VMs](azure-security-disk-encryption.md) +### [Encrypt an Azure VM](../security-center/security-center-disk-encryption.md?toc=%2fazure%2fsecurity%2ftoc.json) + +## Security management and monitoring ### [Security management](azure-security-management.md) ### [Azure Security Center](../security-center/security-center-intro.md?toc=%2fazure%2fsecurity%2ftoc.json) -### [Azure log integration](security-azure-log-integration-overview.md) -#### [Get started](security-azure-log-integration-get-started.md) +### [Introduction to Azure log integration](security-azure-log-integration-overview.md) +#### [Get started with Azure log integration](security-azure-log-integration-get-started.md) #### [FAQ](security-azure-log-integration-faq.md) -## [Identity management](security-identity-management-overview.md) + +## Identity management ### [Identity management security best practices](azure-security-identity-management-best-practices.md) + ## PaaS services ### [Securing PaaS deployments](security-paas-deployments.md) -#### [Securing PaaS applications using SQL](security-paas-applications-using-sql.md) -#### [Securing PaaS applications using App Services](security-paas-applications-using-app-services.md) -### [IoT security overview](security-internet-of-things-overview.md) -### [IoT security best practices](azure-security-iot-best-practices.md) -## Vertical industries -### [Designing secure health solutions](security-health-care-solution.md) -## [Security architecture](azure-security-architecture-overview.md) -### [Data classification for cloud readiness](azure-security-data-classification.md) -### [Application architecture on Azure](security-application-architecture-on-azure.md) -### [Security best practices and patterns](security-best-practices-and-patterns.md) -### 
[Architecting resilient applications](../resiliency/resiliency-disaster-recovery-high-availability-azure-applications.md?toc=%2fazure%2fsecurity%2ftoc.json) +#### [Securing PaaS web and mobile applications using SQL](security-paas-applications-using-sql.md) +#### [Securing PaaS web and mobile applications using App Services](security-paas-applications-using-app-services.md) + +## Internet of Things +### [Security your IoT deployment](../iot-suite/iot-suite-security-deployment.md) +### [IoT security best practices](../iot-suite/iot-security-best-practices.md) + +## Security architecture +### [Data classification](azure-security-data-classification.md) +### [Disaster recovery and high availability for applications built on Azure](../resiliency/resiliency-disaster-recovery-high-availability-azure-applications.md?toc=%2fazure%2fsecurity%2ftoc.json) # Related ## [Trust Center](security-microsoft-trust-center.md) @@ -45,6 +60,7 @@ ## [Log Analytics](../log-analytics/log-analytics-overview.md) ## [Multi-Factor Authentication](../multi-factor-authentication/multi-factor-authentication.md) ## [Azure Active Directory](../active-directory/active-directory-whatis.md) +## [Operations Management Suite](../operations-management-suite/oms-security-getting-started.md) # Resources ## [Security and Compliance blog](http://blogs.msdn.com/b/azuresecurity/) diff --git a/articles/security/azure-security-iaas.md b/articles/security/azure-security-iaas.md index 6acd9bb3da3f5..39b1e7e83d400 100644 --- a/articles/security/azure-security-iaas.md +++ b/articles/security/azure-security-iaas.md @@ -1,6 +1,6 @@ --- title: Security best practices for IaaS workloads in Azure | Microsoft Docs - description: " The migration of workloads to Azure IaaS brings about opportunities to re-evaluate our designs " + description: " The migration of workloads to Azure IaaS brings opportunities to reevaluate our designs " services: security documentationcenter: na author: barclayn 
@@ -22,221 +22,213 @@ # Security best practices for IaaS workloads in Azure -As you started thinking about moving workloads to Azure IaaS you probably came to the realization that some considerations are familiar. You may already have experience securing virtual environments. The move to Azure IaaS allow you to apply your expertise in securing virtual environments and also brings a new set of options to help you secure your assets. +As you started thinking about moving workloads to Azure infrastructure as a service (IaaS), you probably realized that some considerations are familiar. You might already have experience securing virtual environments. When you move to Azure IaaS, you can apply your expertise in securing virtual environments and use a new set of options to help secure your assets. -Before we get going let's start by saying that we should not expect to bring on-premises resources as one-to-one to Azure. The new challenges and the new options bring about an opportunity to reevaluate existing deigns, tools, and processes. +Let's start by saying that we should not expect to bring on-premises resources as one-to-one to Azure. The new challenges and the new options bring an opportunity to reevaluate existing deigns, tools, and processes. +Your responsibility for security is based on the type of cloud service. The following chart summarizes the balance of responsibility for both Microsoft and you: +![Areas of responsibility](./media/azure-security-iaas/sec-cloudstack-new.png) -![Areas of Responsibility](./media/azure-security-iaas/sec-cloudstack-new.png) ->[!NOTE] -> Your responsibility for security is based on the type of cloud service. The chart above summarizes the balance of responsibility for both Microsoft and you. - -## Best practices -We will be discussing some of the options available in Azure that could help you meet your organization’s security requirements. 
While doing this we must keep in mind the different types of workloads and how their security requirements may vary. Not one of these best practices can by itself secure your systems. Like anything else in security, you have to choose the appropriate options and see how the solutions can complement each other by filling gaps left by the others. - -### Use Privileged Access Workstations (PAW) +We'll discuss some of the options available in Azure that can help you meet your organization’s security requirements. Keep in mind that security requirements can vary for different types of workloads. Not one of these best practices can by itself secure your systems. Like anything else in security, you have to choose the appropriate options and see how the solutions can complement each other by filling gaps. -Organizations often fall prey to cyber-attacks because of administrators performing actions while using accounts with elevated rights. Usually this isn’t done maliciously but because existing configuration and processes allow them to do it. Most of these users understand the risk from a conceptual standpoint but still choose to take steps that they would agree are risky. +## Use Privileged Access Workstations -Doing things like checking email and browsing the Internet seem innocent enough but may expose elevated accounts to compromise by malicious actors who may use browsing activities, specially crafted emails, or other techniques to gain access to your enterprise. The use of secure management workstations for conducting all Azure administration tasks is highly recommended as a way of reducing exposure to accidental compromise. +Organizations often fall prey to cyberattacks because administrators perform actions while using accounts with elevated rights. Usually this isn’t done maliciously but because existing configuration and processes allow it. Most of these users understand the risk of these actions from a conceptual standpoint but still choose to do them. 
-Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket. +Doing things like checking email and browsing the Internet seem innocent enough. But they might expose elevated accounts to compromise by malicious actors who can use browsing activities, specially crafted emails, or other techniques to gain access to your enterprise. We highly recommend the use of secure management workstations for conducting all Azure administration tasks, as a way of reducing exposure to accidental compromise. -The PAW approach is an extension of the well-established recommended practice to use separate admin and user accounts for administrative personnel. This practice uses an individually assigned administrative account that is separate from the user's standard user account. PAW builds on that account separation practice by providing a trustworthy workstation for those sensitive accounts. +Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks--one that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily-use workstations and devices provides strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-the-Ticket. 
-For more information on Privileged Access Workstations and guidance for PAW implementation, follow this link: +The PAW approach is an extension of the well-established and recommended practice to use an individually assigned administrative account that is separate from a standard user account. A PAW provides a trustworthy workstation for those sensitive accounts. -- [Privileged Access Workstations](https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations) +For more information and implementation guidance, see [Privileged Access Workstations](https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations). -### Use multifactor authentication +## Use Multi-Factor Authentication -In the past, your network perimeter was used to control access to corporate data. In a cloud-first, mobile-first world, identity is the control plane: You use it to control access to IaaS services from any device, and you use it to get visibility and insight into where and how your data is being used. Protecting the digital identity of your Azure users is the cornerstone of protecting your subscriptions from identity theft and other cybercrimes. +In the past, your network perimeter was used to control access to corporate data. In a cloud-first, mobile-first world, identity is the control plane: You use it to control access to IaaS services from any device. You also use it to get visibility and insight into where and how your data is being used. Protecting the digital identity of your Azure users is the cornerstone of protecting your subscriptions from identity theft and other cybercrimes. -One of the most beneficial steps that you can take to secure an account is to enable two factor authentication. Two factor authentication is a way of authenticating by using more than just your password. The second factor is something in addition to the password. 
This helps mitigate the risk of access by someone who manages to get a hold of someone else’s password. +One of the most beneficial steps that you can take to secure an account is to enable two-factor authentication. Two-factor authentication is a way of authenticating by using something in addition to a password. It helps mitigate the risk of access by someone who manages to get someone else’s password. -Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options—phone call, text message, or mobile app notification—allowing users to choose the method they prefer. +[Azure Multi-Factor Authentication](../multi-factor-authentication/multi-factor-authentication.md) helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options--phone call, text message, or mobile app notification. Users choose the method that they prefer. -The easiest way to use [Azure MFA](../multi-factor-authentication/multi-factor-authentication.md) is the Microsoft Authenticator mobile app that can be used on mobile devices running Windows, IOS and Android. With the latest release of Windows 10 and your on premises Active Directory integrated with Azure AD, [Microsoft Hello for Business](../active-directory/active-directory-azureadjoin-passport-deployment.md) can be used for seamless single sign-on to Azure resources. In this case, the Windows 10 device will be used as the second factor for authentication. +The easiest way to use Multi-Factor Authentication is the Microsoft Authenticator mobile app that can be used on mobile devices running Windows, iOS, and Android. 
With the latest release of Windows 10 and the integration of on-premises Active Directory with Azure Active Directory (Azure AD), [Windows Hello for Business](../active-directory/active-directory-azureadjoin-passport-deployment.md) can be used for seamless single sign-on to Azure resources. In this case, the Windows 10 device is used as the second factor for authentication. +For accounts that manage your Azure subscription and for accounts that can sign in to virtual machines, using Multi-Factor Authentication gives you a much greater level of security than using only a password. Other forms of two-factor authentication might work just as well, but deploying them might be complicated if they're not already in production. -In the case of Azure, the simplest way to enable two factor authentication is to use Azure Multifactor Authentication (MFA). [Azure MFA](../multi-factor-authentication/multi-factor-authentication.md) has an application that can be used on your mobile devices, it can work via phone calls, text messages or via a code generated in the app and it can integrate with your on-premises directory. +The following screenshot shows some of the options available for Azure Multi-Factor Authentication: -For accounts that manage your Azure subscription you should use MFA and for accounts that can logon to the Virtual Machines you should use MFA when possible. Using MFA for these accounts gives you much greater level of security than just using a password. Using other forms of two factor authentication could work just as well but may be more involved to get deployed if they are not already in production. +![Multi-Factor Authentication options](./media/azure-security-iaas/mfa-options.png) -The screenshot below shows some of the options available for Azure MFA authentication. +## Limit and constrain administrative access -![MFA options](./media/azure-security-iaas/mfa-options.png) +Securing the accounts that can manage your Azure subscription is extremely important. 
The compromise of any of those accounts negates the value of all the other steps that you might take to ensure the confidentiality and integrity of your data. As recently illustrated by the [Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden) leak of classified information, internal attacks pose a huge threat to the overall security of any organization. -### Limit and Constrain Administrative Access - -Securing the accounts that can manage your Azure subscription is extremely important. The compromise of any of those accounts effectively negates the value of all the other steps you may take to ensure the confidentiality and integrity of your data. As recently illustrated by the [Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden) leak of classified information, internal attacks pose a huge threat to the overall security of any organization. - -Individuals who have administrative rights should have been evaluated by following a criteria similar to the one below: +Evaluate individuals for administrative rights by following criteria similar to these: - Are they performing tasks that require administrative privileges? - How often are the tasks performed? -- Specific reason why the tasks cannot be performed by another administrator on their behalf. -- Document all other known alternative approaches to granting the privilege and why each isn't acceptable. +- Is there a specific reason why the tasks cannot be performed by another administrator on their behalf? + +Document all other known alternative approaches to granting the privilege and why each isn't acceptable. -The use of just in time administration prevents the unnecessary existence of accounts with elevated rights during time periods when those rights are not needed. Accounts have elevated rights for a limited time enabling administrators to do their jobs and then they have those rights removed at the end of a shift or when a task is completed. 
+The use of just-in-time administration prevents the unnecessary existence of accounts with elevated rights during periods when those rights are not needed. Accounts have elevated rights for a limited time so that administrators can do their jobs. Then, those rights are removed at the end of a shift or when a task is completed. -[PIM](../active-directory/active-directory-privileged-identity-management-configure.md) allows you to manage, monitor, and control access within your organization. It helps you remain aware of the actions taken by individuals within your organization and brings just-in-time administration to Azure AD by introducing the concept of an eligible admin. These are individuals who have accounts with the potential to be granted admin rights. These types of users can go through an activation process and be granted admin rights for a limited time. +You can use [Privileged Identity Management](../active-directory/active-directory-privileged-identity-management-configure.md) to manage, monitor, and control access in your organization. It helps you remain aware of the actions that individuals take in your organization. It also brings just-in-time administration to Azure AD by introducing the concept of eligible admins. These are individuals who have accounts with the potential to be granted admin rights. These types of users can go through an activation process and be granted admin rights for a limited time. -### Use DevTest Labs +## Use DevTest Labs -Using Azure for labs and development environments allows organizations to gain agility in testing and development by taking away the delays introduced by hardware procurement. Unfortunately, there is the risk that a lack of familiarity with Azure or a desire to help expedite its adoption may lead the administrator to be overly permissive with rights assignment. This may be unintentionally exposing the organization to internal attacks. Some users could be granted a lot more access than they should have. 
+Using Azure for labs and development environments enables organizations to gain agility in testing and development by taking away the delays that hardware procurement introduces. Unfortunately, a lack of familiarity with Azure or a desire to help expedite its adoption might lead the administrator to be overly permissive with rights assignment. This risk might unintentionally expose the organization to internal attacks. Some users might be granted a lot more access than they should have. -In Azure we now include a service called [DevTest Labs](../devtest-lab/devtest-lab-overview.md). DevTest Labs uses [Azure Role based access control(RBAC)](../active-directory/role-based-access-control-what-is.md)(RBAC). RBAC allows you to segregate duties within your team into roles that grant only the level of access necessary for users to do their jobs. It comes with pre-defined roles (Owner, lab user and contributor). These roles can even be used to assign rights to external partners and greatly simplify collaboration. +The [Azure DevTest Labs](../devtest-lab/devtest-lab-overview.md) service uses [Azure Role-Based Access Control](../active-directory/role-based-access-control-what-is.md) (RBAC). By using RBAC, you can segregate duties within your team into roles that grant only the level of access necessary for users to do their jobs. RBAC comes with predefined roles (owner, lab user, and contributor). You can even use these roles to assign rights to external partners and greatly simplify collaboration. -Since DevTest Labs uses RBAC, it is possible to create additional [custom roles](../devtest-lab/devtest-lab-grant-user-permissions-to-specific-lab-policies.md). DevTest Labs not only simplifies the management of permissions, it is also designed to simplify the process of getting environments provisioned and to deal with other typical challenges of teams working on development and test environments. 
It requires some preparation but in the long term it will make things easier for your team. +Because DevTest Labs uses RBAC, it's possible to create additional, [custom roles](../devtest-lab/devtest-lab-grant-user-permissions-to-specific-lab-policies.md). DevTest Labs not only simplifies the management of permissions, it simplifies the process of getting environments provisioned. It also helps you deal with other typical challenges of teams that are working on development and test environments. It requires some preparation, but in the long term, it will make things easier for your team. -Some key Azure DevTest Labs features include: +Azure DevTest Labs features include: -- Administrative control over the options available to users. Things like allowed VM sizes, maximum number of VMs and when VMs are started and shut down can be centrally managed by the administrator -- Automation of lab environment creation -- Cost tracking -- Simplified distribution of VMs for temporary collaborative work -- Self-service allowing users to provision their labs using templates -- Managing and limiting consumption +- Administrative control over the options available to users. The administrator can centrally manage things like allowed VM sizes, maximum number of VMs, and when VMs are started and shut down. +- Automation of lab environment creation. +- Cost tracking. +- Simplified distribution of VMs for temporary collaborative work. +- Self-service that enables users to provision their labs by using templates. +- Managing and limiting consumption. -![Creating a DevTestLab](./media/azure-security-iaas/devtestlabs.png) +![Using DevTest Labs to create a lab](./media/azure-security-iaas/devtestlabs.png) -There is no additional cost associated with the usage of DevTest Labs. The creation of labs, policy configuration, templates, and artifacts are all free. You only pay for the azure resources used within your labs such as virtual machines, storage accounts and virtual networks. 
+No additional cost is associated with the usage of DevTest Labs. The creation of labs, policies, templates, and artifacts is free. You pay for only the Azure resources used in your labs, such as virtual machines, storage accounts, and virtual networks. -### Control and Limit Endpoint Access +## Control and limit endpoint access -Hosting labs or production systems in Azure means that your systems need to be accessible from the Internet. By default, a new windows virtual machine has the RDP port accessible from the Internet and a Linux virtual machine has the SSH port open. This means that taking steps to 'limit exposed endpoints' is necessary to minimize the risk of unauthorized access. +Hosting labs or production systems in Azure means that your systems need to be accessible from the Internet. By default, a new Windows virtual machine has the RDP port accessible from the Internet, and a Linux virtual machine has the SSH port open. Taking steps to limit exposed endpoints is necessary to minimize the risk of unauthorized access. -There are technologies in Azure that can help you limit the access to those administrative endpoints. In Azure you can use Network Security Groups ([NSGs](../virtual-network/virtual-networks-nsg.md)). When you use Resource Manager for deployment NSGs are used to limit the access from all networks to just the management endpoints (RDP or SSH). When you think NSGs, think router ACLs. You can use them to tightly control the network communication between various segments of your Azure networks. This is similar to creating networks in DMZs or other isolated networks. They do not inspect the traffic but they will help with network segmentation. +Technologies in Azure can help you limit the access to those administrative endpoints. In Azure, you can use [network security groups](../virtual-network/virtual-networks-nsg.md) (NSGs). 
When you use Azure Resource Manager for deployment, NSGs limit the access from all networks to just the management endpoints (RDP or SSH). When you think NSGs, think router ACLs. You can use them to tightly control the network communication between various segments of your Azure networks. This is similar to creating networks in perimeter networks or other isolated networks. They do not inspect the traffic, but they do help with network segmentation. -In Azure you can configure a [site-to-site VPN](../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md) from your on-premises network, effectively extending your on-premises network to the cloud. This would provide you with another opportunity to use NSGs, as you could also modify the NSGs to not allow access from anywhere other than the local network and then require that administration is done by first connecting to the Azure network via VPN. +In Azure, you can configure a [site-to-site VPN](../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md) from your on-premises network. A site-to-site VPN extends your on-premises network to the cloud. This gives you another opportunity to use NSGs, because you can also modify the NSGs to not allow access from anywhere other than the local network. You can then require that administration is done by first connecting to the Azure network via VPN. -The site-to-site VPN option may be most attractive in cases where you are hosting production systems that are closely integrated with your on-premises resources in Azure. +The site-to-site VPN option might be most attractive in cases where you are hosting production systems that are closely integrated with your on-premises resources in Azure. -Alternatively, the [point to site](../vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps.md) option could be used in situations where you want to manage systems that don't need access to on-premises resources. 
Those systems can be isolated in their own Azure Virtual Network and administrators could VPN into the Azure hosted environment from their administrative workstation. +Alternatively, you can use the [point-to-site](../vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps.md) option in situations where you want to manage systems that don't need access to on-premises resources. Those systems can be isolated in their own Azure virtual network. Administrators can VPN into the Azure hosted environment from their administrative workstation. >[!NOTE] -Either VPN option would allow you to reconfigure the ACLs on the NSGs to not allow access to management endpoints from the Internet. +>You can use either VPN option to reconfigure the ACLs on the NSGs to not allow access to management endpoints from the Internet. -Another option worth considering is a [Remote Desktop Gateway](../multi-factor-authentication/multi-factor-authentication-get-started-server-rdg.md) deployment. You could use this remote desktop gateway deployment to securely connect over HTTPS to remote desktop servers while applying more granular controls to those connections. +Another option worth considering is a [Remote Desktop Gateway](../multi-factor-authentication/multi-factor-authentication-get-started-server-rdg.md) deployment. You can use this deployment to securely connect to Remote Desktop servers over HTTPS, while applying more detailed controls to those connections. -Some of the features that you would have access to include: +Features that you would have access to include: - Administrator options to limit connections to requests from specific systems. -- Smartcard authentication or Azure MFA +- Smart-card authentication or Azure Multi-Factor Authentication. - Control over which systems someone can connect to via the gateway. - Control over device and disk redirection. -### Use a Key Management solution +## Use a key management solution Secure key management is essential to protecting data in the cloud. 
With [Azure Key Vault](../key-vault/key-vault-whatis.md), you can securely store encryption keys and small secrets like passwords in hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. -If you choose to do this, Microsoft will process your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). Monitor and audit key use with Azure logging—pipe logs into Azure applying or your SIEM for additional analysis and threat detection. +Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). Monitor and audit key use with Azure logging: pipe logs into Azure or your Security Information and Event Management (SIEM) system for additional analysis and threat detection. -Anyone with an Azure subscription can create and use key vaults. Although Key Vault benefits developers and security administrators, it could be implemented and managed by an organization’s administrator responsible for managing Azure services. +Anyone with an Azure subscription can create and use key vaults. Although Key Vault benefits developers and security administrators, it can be implemented and managed by an administrator who is responsible for managing Azure services in an organization. -### Encrypt Virtual Disks and Disk Storage +## Encrypt virtual disks and disk storage -[Azure Disk Encryption](https://gallery.technet.microsoft.com/Azure-Disk-Encryption-for-a0018eb0) addresses the threat of data theft or exposure from unauthorized access achieved by moving a disk. The disk could be attached to another system as a way of bypassing other security controls. Disk encryption uses [BitLocker](https://technet.microsoft.com/library/hh831713 ) in windows and DM-Crypt in Linux to encrypt operating system and data drives. Azure Disk Encryption integrates with key vault to control and manage the encryption keys and it is available for standard VMs and VMs with premium storage. 
+[Azure Disk Encryption](https://gallery.technet.microsoft.com/Azure-Disk-Encryption-for-a0018eb0) addresses the threat of data theft or exposure from unauthorized access that's achieved by moving a disk. The disk can be attached to another system as a way of bypassing other security controls. Disk encryption uses [BitLocker](https://technet.microsoft.com/library/hh831713) in Windows and DM-Crypt in Linux to encrypt operating system and data drives. Azure Disk Encryption integrates with Key Vault to control and manage the encryption keys. It's available for standard VMs and VMs with premium storage. -For more information, look at the article covering [Azure Disk Encryption in Windows and Linux IaaS VMs](azure-security-disk-encryption.md). +For more information, see [Azure Disk Encryption in Windows and Linux IaaS VMs](azure-security-disk-encryption.md). -[Azure Storage Service Encryption](../storage/storage-service-encryption.md) protects your data at rest. It is enabled at the storage account level and it encrypts data as its written in our datacenters and it is automatically decrypted as you access it. It supports the following scenarios: +[Azure Storage Service Encryption](../storage/storage-service-encryption.md) helps protect your data at rest. It's enabled at the storage account level. It encrypts data as it's written in our datacenters, and it's automatically decrypted as you access it. It supports the following scenarios: -- Encryption of block blobs, append blobs, and page blobs. -- Encryption of archived VHDs and templates brought to Azure from on-premises. -- Encryption of underlying OS and data disks for IaaS VMs created using your VHDs. 
+- Encryption of block blobs, append blobs, and page blobs +- Encryption of archived VHDs and templates brought to Azure from on-premises +- Encryption of underlying OS and data disks for IaaS VMs that you created by using your VHDs -Before you proceed with Azure Storage encryption you should be aware of two notable limitations: +Before you proceed with Azure Storage Encryption, be aware of two limitations: - It is not available on classic storage accounts. -- It only encrypts data written after encryption is enabled. +- It encrypts only data written after encryption is enabled. -### Use a Centralized Security Management System +## Use a centralized security management system -Your servers need to be monitored for patching, configuration, events, and activities that may be considered security concerns. To address those concerns you can use [Security Center](https://azure.microsoft.com/services/security-center/) and [Operations Management Suite Security and Compliance](https://azure.microsoft.com/services/security-center/). Both of these options go beyond the configuration within the operating system and also provide monitoring of the configuration of the underlying infrastructure like network configuration and virtual appliance use. +Your servers need to be monitored for patching, configuration, events, and activities that might be considered security concerns. To address those concerns, you can use [Security Center](https://azure.microsoft.com/services/security-center/) and [Operations Management Suite Security and Compliance](https://azure.microsoft.com/services/security-center/). Both of these options go beyond the configuration in the operating system. They also provide monitoring of the configuration of the underlying infrastructure, like network configuration and virtual appliance use. 
-### Operating system management best practices +## Manage operating systems -In an IaaS deployment you are still responsible for the management of the systems that you deploy just like any other server or workstation in your environment. This means that patching, hardening, rights assignments and any other activity related to the maintenance of your system is still your responsibility. For systems that are tightly integrated with your on-premises resources you may want to use the same tools and procedures that you are using on-premises for things like anti-virus, anti-malware, patching, and backup. +In an IaaS deployment, you are still responsible for the management of the systems that you deploy, just like any other server or workstation in your environment. Patching, hardening, rights assignments, and any other activity related to the maintenance of your system are still your responsibility. For systems that are tightly integrated with your on-premises resources, you might want to use the same tools and procedures that you're using on-premises for things like antivirus, antimalware, patching, and backup. -**Hardening** -All virtual machines in Azure IaaS should be hardened so that they only expose services endpoints that are required for the applications that are installed. For Windows virtual machines, follow the recommendations that are published by Microsoft as baselines for the Security Compliance Manager solution. +### Harden systems +All virtual machines in Azure IaaS should be hardened so that they expose only service endpoints that are required for the applications that are installed. For Windows virtual machines, follow the recommendations that Microsoft publishes as baselines for the [Security Compliance Manager](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) solution. 
-[Security Compliance Manager](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) - we recently released version 4.0 - This is a free tool that enables you to quickly configure and manage your desktops, traditional datacenter, private and public cloud using Group Policy and System Center Configuration Manager. +Security Compliance Manager is a free tool. You can use it to quickly configure and manage your desktops, traditional datacenter, and private and public cloud by using Group Policy and System Center Configuration Manager. -SCM provides ready to deploy policies and DCM configuration packs that are tested. These baselines are based on [Microsoft Security guide](https://technet.microsoft.com/en-us/library/cc184906.aspx) recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats. +Security Compliance Manager provides ready-to-deploy policies and Desired Configuration Management configuration packs that are tested. These baselines are based on [Microsoft Security Guidance](https://technet.microsoft.com/en-us/library/cc184906.aspx) recommendations and industry best practices. They help you manage configuration drift, address compliance requirements, and reduce security threats. -You can leverage SCM to import the current configuration of your computers using two different methods: first, you can import Active Directory-based group policies; second, you can import the configuration of a “golden master” reference machine by using the [LocalGPO tool](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) to backup the local group policy which you can then import into SCM. +You can use Security Compliance Manager to import the current configuration of your computers by using two different methods. First, you can import Active Directory-based group policies. 
Second, you can import the configuration of a “golden master” reference machine by using the [LocalGPO tool](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) to back up the local group policy. You can then import the local group policy into Security Compliance Manager. -Compare your standards to industry best practices, customize them , and create new policies and DCM configuration packs. -Baselines have been published for all supported operating systems, including Windows 10 Anniversary Update and Windows Server 2016. +Compare your standards to industry best practices, customize them, and create new policies and Desired Configuration Management configuration packs. Baselines have been published for all supported operating systems, including Windows 10 Anniversary Update and Windows Server 2016. -**Install and manage antimalware** +### Install and manage antimalware -For environments that are hosted separately from your production environment there is an antimalware extension that can be used to protect your virtual machines and cloud services and it integrates with [Azure Security Center](../security-center/security-center-intro.md). +For environments that are hosted separately from your production environment, you can use an antimalware extension to help protect your virtual machines and cloud services. It integrates with [Azure Security Center](../security-center/security-center-intro.md). [Microsoft Antimalware](azure-security-antimalware.md) includes features like real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, exclusion event collection, and [PowerShell support](https://msdn.microsoft.com/library/dn771715.aspx). ![Azure Antimalware](./media/azure-security-iaas/azantimalware.png) -**Install the latest security updates** -Some of the first workloads we see customers move to Azure are labs and external facing systems. 
If you are hosting virtual machines in Azure that host applications or services that need to be made accessible to the Internet, you need to be vigilant about patching. Remember that this goes beyond patching the operating system. Unpatched vulnerabilities on third-party applications can also lead to problems that would have been easily avoided if good patch management was in place. +### Install the latest security updates +Some of the first workloads that customers move to Azure are labs and external-facing systems. If your Azure-hosted virtual machines host applications or services that need to be accessible to the Internet, be vigilant about patching. Patch beyond the operating system. Unpatched vulnerabilities on third-party applications can also lead to problems that can be avoided if good patch management is in place. -**Deploy and test a backup solution** +### Deploy and test a backup solution -Just like security updates, backup needs to be handled the same way you handle any other operation. This is true of systems that are part of your production environment extending to the cloud. Test and Dev Systems must follow backup strategies that are able of providing similar restore capabilities to what users have grown accustomed to based on their experience with on-premise environments. +Just like security updates, a backup needs to be handled the same way that you handle any other operation. This is true of systems that are part of your production environment extending to the cloud. Test and dev systems must follow backup strategies that provide restore capabilities that are similar to what users have grown accustomed to, based on their experience with on-premises environments. -Production workloads moved to Azure should integrate with existing backup solutions when possible or you can use [Azure Backup](../backup/backup-azure-arm-vms.md) to help you address your backup requirements. 
+Production workloads moved to Azure should integrate with existing backup solutions when possible. Or, you can use [Azure Backup](../backup/backup-azure-arm-vms.md) to help address your backup requirements. -### Monitor +## Monitor [Security Center](../security-center/security-center-intro.md) provides ongoing evaluation of the security state of your Azure resources to identify potential security vulnerabilities. A list of recommendations guides you through the process of configuring needed controls. Examples include: -- Provisioning antimalware to help identify and remove malicious software -- Configuring network security groups and rules to control traffic to virtual machines -- Provisioning of web application firewalls to help defend against attacks that target your web applications -- Deploying missing system updates -- Addressing OS configurations that do not match the recommended baselines +- Provisioning antimalware to help identify and remove malicious software. +- Configuring network security groups and rules to control traffic to virtual machines. +- Provisioning web application firewalls to help defend against attacks that target your web applications. +- Deploying missing system updates. +- Addressing OS configurations that do not match the recommended baselines. -In the image below you can see some of the options available for you to enable in Security Center. +The following image shows some of the options that you can enable in Security Center. -![Azure security center policies](./media/azure-security-iaas/security-center-policies.png) +![Azure Security Center policies](./media/azure-security-iaas/security-center-policies.png) - [Operations Management Suite](../operations-management-suite/operations-management-suite-overview.md) is a Microsoft cloud based IT management solution that helps you manage and protect your on-premise and cloud infrastructure. 
Since OMS is implemented as a cloud based service it can be deployed quickly and with minimal investment in infrastructure resources. +[Operations Management Suite](../operations-management-suite/operations-management-suite-overview.md) is a Microsoft cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. Because Operations Management Suite is implemented as a cloud-based service, it can be deployed quickly and with minimal investment in infrastructure resources. -New features are delivered automatically saving you from ongoing maintenance and upgrade costs. It also integrates with System Center Operations Manager. OMS has different components to help you better manage your Azure workloads including a [Security and Compliance](../operations-management-suite/oms-security-getting-started.md) module. +New features are delivered automatically, saving you from ongoing maintenance and upgrade costs. Operations Management Suite also integrates with System Center Operations Manager. It has different components to help you better manage your Azure workloads, including a [Security and Compliance](../operations-management-suite/oms-security-getting-started.md) module. -The security and compliance features in OMS allow you to view information about your resources organized into four major categories: +You can use the security and compliance features in Operations Management Suite to view information about your resources. The information is organized into four major categories: -- Security Domains: in this area you will be able to further explore security records over time, access malware assessment, update assessment, network security, identity and access information, computers with security events and quickly have access to Azure Security Center dashboard. -- Notable Issues: this option will allow you to quickly identify the number of active issues and the severity of these issues. 
-- Detections (Preview): enables you to identify attack patterns by visualizing security alerts as they take place against your resources. -- Threat Intelligence: enables you to identify attack patterns by visualizing the total number of servers with outbound malicious IP traffic, the malicious threat type, and a map that shows where these IPs are coming from. -- Common security queries: this option provides you a list of the most common security queries that you can use to monitor your environment. When you click in one of those queries, it opens the Search blade with the results for that query +- **Security domains**: Further explore security records over time. Access malware assessment, update assessment, network security information, identity and access information, and computers with security events. Take advantage of quick access to the Azure Security Center dashboard. +- **Notable issues**: Quickly identify the number of active issues and the severity of these issues. +- **Detections (preview)**: Identify attack patterns by visualizing security alerts as they happen against your resources. +- **Threat intelligence**: Identify attack patterns by visualizing the total number of servers with outbound malicious IP traffic, the malicious threat type, and a map that shows where these IPs are coming from. +- **Common security queries**: See a list of the most common security queries that you can use to monitor your environment. When you click one of those queries, the **Search** blade opens and shows the results for that query. -The screenshot below shows an example of the type of information that can be displayed by OMS. +The following screenshot shows an example of the information that Operations Management Suite can display. 
-![OMS security baselines](./media/azure-security-iaas/oms-security-baseline.png) +![Operations Management Suite security baselines](./media/azure-security-iaas/oms-security-baseline.png) -## Next Steps +## Next steps -* [Azure security Team Blog](https://blogs.msdn.microsoft.com/azuresecurity/) +* [Azure Security Team Blog](https://blogs.msdn.microsoft.com/azuresecurity/) * [Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) -* [Azure Security Best Practices and Patterns](security-best-practices-and-patterns.md) +* [Azure security best practices and patterns](security-best-practices-and-patterns.md) diff --git a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-overview.md b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-overview.md index 2a786d2b3de9c..0c2e0ceb26911 100644 --- a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-overview.md +++ b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-overview.md @@ -3,8 +3,8 @@ title: Manage compute power in Azure SQL Data Warehouse (Overview) | Microsoft D description: Performance scale out capabilities in Azure SQL Data Warehouse. Scale out by adjusting DWUs or pause and resume compute resources to save costs. services: sql-data-warehouse documentationcenter: NA -author: barbkess -manager: jhubbard +author: hirokib +manager: johnmac editor: '' ms.assetid: e13a82b0-abfe-429f-ac3c-f2b6789a70c6 @@ -13,8 +13,8 @@ ms.devlang: NA ms.topic: article ms.tgt_pltfrm: NA ms.workload: data-services -ms.date: 10/31/2016 -ms.author: barbkess +ms.date: 03/22/2017 +ms.author: elbutter --- # Manage compute power in Azure SQL Data Warehouse (Overview) 
@@ -27,22 +27,65 @@ ms.author: barbkess > > -The architecture of SQL Data Warehouse separates storage and compute, allowing each to scale independently. As a result, you can scale out performance while saving costs by only paying for performance when you need it. +The architecture of SQL Data Warehouse separates storage and compute, allowing each to scale independently. As a result, compute can be scaled to meet performance demands independent of the amount of data. A natural consequence of this architecture is that [billing][billed] for compute and storage is separate. -This overview describes the following performance scale-out capabilities of SQL Data Warehouse and gives recommendations on how and when to use them. +This overview describes how scale out works with SQL Data Warehouse and how to utilize the pause, resume, and scale capabilities of SQL Data Warehouse. Consult the [data warehouse units (DWUs)][data warehouse units (DWUs)] page to learn how DWUs and performance are related. -* Scale compute power by adjusting [data warehouse units (DWUs)][data warehouse units (DWUs)] -* Pause or resume compute resources +## How compute management operations work in SQL Data Warehouse +The architecture for SQL Data Warehouse consists of a control node, compute nodes, and the storage layer spread across 60 distributions. - +During a normal active session in SQL Data Warehouse, your system's head node that manages the metadata and contains the distributed query optimizer. Beneath this head node are your compute nodes and your storage layer. For a DWU 400, your system has one head node, four compute nodes, and the storage layer, consisting of 60 distributions. -## Scale performance -In SQL Data Warehouse, you can quickly scale performance out or back by increasing or decreasing compute resources of CPU, memory, and I/O bandwidth. 
To scale performance, all you need to do is adjust the number of [data warehouse units (DWUs)][data warehouse units (DWUs)] that SQL Data Warehouse allocates to your database. SQL Data Warehouse quickly makes the change and handles all the underlying changes to hardware or software. +When you undergo a scale or pause operation, the system first kills all incoming queries and then rolls back transactions to ensure a consistent state. For scale operations, scaling will only occur once this transactional rollback has completed. For a scale-up operation, the system provisions the extra desired number of compute nodes, and then begins reattaching the compute nodes to the storage layer. For a scale-down operation, the unneeded nodes are released and the remaining compute nodes reattach themselves to the appropriate number of distributions. For a pause operation, all compute nodes are released and your system will undergo a variety of metadata operations to leave your final system in a stable state. -Gone are the days where you need to research what type of processors, how much memory or what type of storage you need to have great performance in your data warehouse. By putting your Data Warehouse in the cloud, you no longer have to deal with low-level hardware issues. Instead, SQL Data Warehouse asks you this question: how fast do you want to analyze your data? +| DWU | \#of compute nodes | \# of distributions per node | +| ---- | ------------------ | ---------------------------- | +| 100 | 1 | 60 | +| 200 | 2 | 30 | +| 300 | 3 | 20 | +| 400 | 4 | 15 | +| 500 | 5 | 12 | +| 600 | 6 | 10 | +| 1000 | 10 | 6 | +| 1200 | 12 | 5 | +| 1500 | 15 | 4 | +| 2000 | 20 | 3 | +| 3000 | 30 | 2 | +| 6000 | 60 | 1 | -### How do I scale performance? -To elastically increase or decrease your compute power, simply change the [data warehouse units (DWUs)][data warehouse units (DWUs)] setting for your database. Performance will increase linearly as you add more DWU. 
At higher DWU levels, you need to add more than 100 DWUs to notice a significant improvement in performance. To help you select meaningful jumps in DWUs, we offer the DWU levels that will give the best results. +The three primary functions for managing compute are: + +1. Pause +2. Resume +3. Scale + +Each of these operations may take several minutes to complete. If you are scaling/pausing/resuming automatically, you may want to implement logic to ensure that certain operations have been completed before proceeding with another action. + +Checking the database state through various endpoints will allow you to correctly implement automation of such operations. The portal will provide notification upon completion of an operation and the databases current state but does not allow for programmatic checking of state. + +> [!NOTE] +> +> Compute management functionality does not exist across all endpoints. +> +> + +| | Pause/Resume | Scale | Check database state | +| ------------ | ------------ | ----- | -------------------- | +| Azure portal | Yes | Yes | **No** | +| PowerShell | Yes | Yes | Yes | +| REST API | Yes | Yes | Yes | +| T-SQL | **No** | Yes | Yes | + + + + + +## Scale compute + +Performance in SQL Data Warehouse is measured in [data warehouse units (DWUs)][data warehouse units (DWUs)] which is an abstracted measure of compute resources such as CPU, memory, and I/O bandwidth. A user who wishes to scale their system's performance can do so through various means, such as through the portal, T-SQL, and REST APIs. + +### How do I scale compute? +Compute power is managed for you SQL Data Warehouse by changing the DWU setting. Performance increases [linearly][linearly] as you add more DWU for certain operations. We offer DWU offerings that ensure that your performance will change noticeably when you scale your system up or down. To adjust DWUs, you can use any of these individual methods. 
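Review bot: In the added "How compute management operations work in SQL Data Warehouse" section, the second paragraph opens with a sentence that has no main verb ("your system's head node that manages the metadata and contains the distributed query optimizer") and says "head node" where the paragraph before it says "control node"; complete the sentence and use one term throughout. The same hunk has "Compute power is managed for you SQL Data Warehouse by changing the DWU setting" under "How do I scale compute?", "the databases current state" without its apostrophe, and the table header "\#of compute nodes" missing the space that "\# of distributions per node" has. Because the new text states that a scale or pause "first kills all incoming queries and then rolls back transactions", it would help to tell readers who automate these operations to schedule them around in-flight work.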
@@ -52,25 +95,35 @@ To adjust DWUs, you can use any of these individual methods. * [Scale compute power with TSQL][Scale compute power with TSQL] ### How many DWUs should I use? -Performance in SQL Data Warehouse scales linearly, and changing from one compute scale to another (say from 100 DWUs to 2000 DWUs) happens in seconds. This gives you the flexibility to experiment with different DWU settings until you determine your scenario's best fit. -To understand what your ideal DWU value is, try scaling up and down, and running a few queries after loading your data. Since scaling is quick, you can try a number of different levels of performance in an hour or less. Do keep in mind, that SQL Data Warehouse is designed to process large amounts of data and to see its true capabilities for scaling, especially at the larger scales we offer, you'll want to use a large data set which approaches or exceeds 1 TB. +To understand what your ideal DWU value is, try scaling up and down, and running a few queries after loading your data. Since scaling is quick, you can try various performance levels in an hour or less. + +> [!Note] +> SQL Data Warehouse is designed to process large amounts of data. To see its true capabilities for scaling, especially at larger DWUs, you want to use a large data set which approaches or exceeds 1 TB. Recommendations for finding the best DWU for your workload: -1. For a data warehouse in development, begin by selecting a small number of DWUs. A good starting point is DW400 or DW200. +1. For a data warehouse in development, begin by selecting a smaller DWU performance level. A good starting point is DW400 or DW200. 2. Monitor your application performance, observing the number of DWUs selected compared to the performance you observe. 3. Determine how much faster or slower performance should be for you to reach the optimum performance level for your requirements by assuming linear scale. -4. 
Increase or decrease the number of DWUs in proportion to how much faster or slower you want your workload to perform. The service will respond quickly and adjust the compute resources to meet the new DWU requirements. +4. Increase or decrease the number of DWUs in proportion to how much faster or slower you want your workload to perform. 5. Continue making adjustments until you reach an optimum performance level for your business requirements. +> [!NOTE] +> +> Query performance only increases with more parallelization if the work can be split between compute nodes. If you find that scaling is not changing your performance, please check out our performance tuning articles to check whether your data is unevenly distributed or if you are introducing a large amount of data movement. + ### When should I scale DWUs? -When you need faster results, increase your DWUs and pay for greater performance. When you need less compute power, decrease your DWUs and pay only for what you need. +Scaling DWUs alters the following important scenarios: + +1. Linearly changing performance of the system for scans, aggregations, and CTAS statements +2. Increasing the number of readers and writers when loading with PolyBase +3. Maximum number of concurrent queries and concurrency slots Recommendations for when to scale DWUs: -1. If your application has a fluctuating workload, scale DWU levels up or down to accommodate peaks and low points. For example, if your workload typically peaks at the end of the month, plan to add more DWUs during those peak days, then scale down once the peak period is over. -2. Before you perform a heavy data loading or transformation operation, scale up DWUs so that your data is available more quickly. +1. Before you perform a heavy data loading or transformation operation, scale up DWUs so that your data is available more quickly. +2. During peak business hours, scale to accommodate larger numbers of concurrent queries. 
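Review bot: Under "How many DWUs should I use?" the sentence "Since scaling is quick, you can try various performance levels in an hour or less" conflicts with the overview text added earlier in this file, which says each operation "may take several minutes to complete", and this hunk itself removes "happens in seconds" and "The service will respond quickly"; reword it so the page sets one expectation. The note beginning "Query performance only increases with more parallelization" points to "our performance tuning articles" without a link, and the first callout is written `[!Note]` where the others in this file are `[!NOTE]`. In the list under "Scaling DWUs alters the following important scenarios", items 1 and 2 are verb phrases and item 3 is a noun phrase; make them parallel.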
@@ -94,15 +147,26 @@ To resume a database, use any of these individual methods. * [Resume compute with PowerShell][Resume compute with PowerShell] * [Resume compute with REST APIs][Resume compute with REST APIs] + + +## Check database state + +To resume a database, use any of these individual methods. + +- [Check database state with T-SQL] +- [Check database state with PowerShell] +- [Check database state with REST APIs] + ## Permissions -Scaling the database will require the permissions described in [ALTER DATABASE][ALTER DATABASE]. Pause and Resume will require the [SQL DB Contributor][SQL DB Contributor] permission, specifically Microsoft.Sql/servers/databases/action. + +Scaling the database requires the permissions described in [ALTER DATABASE][ALTER DATABASE]. Pause and Resume require the [SQL DB Contributor][SQL DB Contributor] permission, specifically Microsoft.Sql/servers/databases/action. ## Next steps -Please refer to the following articles to help you understand some additional key performance concepts: +Refer to the following articles to help you understand some additional key performance concepts: -* [Workload and concurrency managment][Workload and concurrency managment] +* [Workload and concurrency management][Workload and concurrency management] * [Table design overview][Table design overview] * [Table distribution][Table distribution] * [Table indexing][Table indexing] 
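Review bot: The new "Check database state" section opens with "To resume a database, use any of these individual methods.", which is copied from the Resume section above it; it should say these methods check the database state. Its three links (`[Check database state with T-SQL]`, `[Check database state with PowerShell]`, `[Check database state with REST APIs]`) are bare reference labels, unlike the `[Resume compute with PowerShell][Resume compute with PowerShell]` form just above, and the link-definition hunk that follows adds only `[billed]`, `[linearly]` and an updated `[data warehouse units (DWUs)]`, so these will render as plain bracketed text unless matching definitions are added.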
@@ -113,8 +177,9 @@ Please refer to the following articles to help you understand some additional ke -[data warehouse units (DWUs)]: ./sql-data-warehouse-overview-what-is.md - +[data warehouse units (DWUs)]: ./sql-data-warehouse-overview-what-is.md#predictable-and-scalable-performance-with-data-warehouse-units +[billed]: https://azure.microsoft.com/en-us/pricing/details/sql-data-warehouse/ +[linearly]: ./sql-data-warehouse-overview-what-is.md#predictable-and-scalable-performance-with-data-warehouse-units [Scale compute power with Azure portal]: ./sql-data-warehouse-manage-compute-portal.md#scale-compute-power [Scale compute power with PowerShell]: ./sql-data-warehouse-manage-compute-powershell.md#scale-compute-bk [Scale compute power with REST APIs]: ./sql-data-warehouse-manage-compute-rest-api.md#scale-compute-bk diff --git a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-powershell.md b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-powershell.md index 85e5818a2f8e3..04bf9e6f23eea 100644 --- a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-powershell.md +++ b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-powershell.md @@ -24,14 +24,14 @@ ms.author: barbkess > * [PowerShell](sql-data-warehouse-manage-compute-powershell.md) > * [REST](sql-data-warehouse-manage-compute-rest-api.md) > * [TSQL](sql-data-warehouse-manage-compute-tsql.md) -> -> +> +> ## Before you begin ### Install the latest version of Azure PowerShell > [!NOTE] > To use Azure PowerShell with SQL Data Warehouse, you need Azure PowerShell version 1.0.3 or greater. To verify your current version run the command **Get-Module -ListAvailable -Name Azure**. You can install the latest version from [Microsoft Web Platform Installer][Microsoft Web Platform Installer]. For more information, see [How to install and configure Azure PowerShell][How to install and configure Azure PowerShell]. -> +> > ### Get started with Azure PowerShell cmdlets 
@@ -39,7 +39,7 @@ To get started: 1. Open Azure PowerShell. 2. At the PowerShell prompt, run these commands to sign in to the Azure Resource Manager and select your subscription. - + ```PowerShell Login-AzureRmAccount Get-AzureRmSubscription @@ -67,7 +67,7 @@ To pause a database, use the [Suspend-AzureRmSqlDatabase][Suspend-AzureRmSqlData > [!NOTE] > Note that if your server is foo.database.windows.net, use "foo" as the -ServerName in the PowerShell cmdlets. -> +> > ```Powershell @@ -104,6 +104,44 @@ $resultDatabase = $database | Resume-AzureRmSqlDatabase $resultDatabase ``` + + +## Check database state + +As shown in the above examples, one can use [Get-AzureRmSqlDatabase][Get-AzureRmSqlDatabase] cmdlet to get information on a database, thereby checking the status, but also to use as an argument. + +```powershell +Get-AzureRmSqlDatabase [-ResourceGroupName] [-ServerName] [[-DatabaseName] ] + [-InformationAction ] [-InformationVariable ] [-Confirm] [-WhatIf] + [] +``` + +Which will result in something like + +```powershell +ResourceGroupName : nytrg +ServerName : nytsvr +DatabaseName : nytdb +Location : West US +DatabaseId : 86461aae-8e3d-4ded-9389-ac9d4bc69bbb +Edition : DataWarehouse +CollationName : SQL_Latin1General_CP1CI_AS +CatalogCollation : +MaxSizeBytes : 32212254720 +Status : Online +CreationDate : 10/26/2016 4:33:14 PM +CurrentServiceObjectiveId : 620323bf-2879-4807-b30d-c2e6d7b3b3aa +CurrentServiceObjectiveName : System2 +RequestedServiceObjectiveId : 620323bf-2879-4807-b30d-c2e6d7b3b3aa +RequestedServiceObjectiveName : +ElasticPoolName : +EarliestRestoreDate : 1/1/0001 12:00:00 AM +``` + +Where you can then check to see the *Status* of the database. In this case, you can see that this database is online. + +When you run this command, you should receive a Status value of either Online, Pausing, Resuming, Scaling, and Paused. + ## Next steps 
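Review bot: In the added "Check database state" section, the closing sentence "you should receive a Status value of either Online, Pausing, Resuming, Scaling, and Paused" lists five values after "either" and joins them with "and"; write "one of Online, Pausing, Resuming, Scaling, or Paused". The sample result is fenced as powershell although it is command output, not script, so a plain fence fits better. The syntax block shows parameters with empty value slots ("[-ResourceGroupName] [-ServerName] [[-DatabaseName] ]", "[-InformationAction ]", and a bare "[]"), which suggests the angle-bracket placeholders were dropped; check that they are escaped in the source. The opening sentence ("thereby checking the status, but also to use as an argument") is hard to follow and could be split in two. Since the overview asks readers to confirm an operation has completed before starting another, a short example that reads Status and waits for Online or Paused would make this section directly usable for automation.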
@@ -121,6 +159,7 @@ For other management tasks, see [Management overview][Management overview]. [Resume-AzureRmSqlDatabase]: https://msdn.microsoft.com/library/mt619347.aspx [Suspend-AzureRmSqlDatabase]: https://msdn.microsoft.com/library/mt619337.aspx [Set-AzureRmSqlDatabase]: https://msdn.microsoft.com/library/mt619433.aspx +[Get-AzureRmSqlDatabase]: /powershell/servicemanagement/azure.sqldatabase/v1.6.1/get-azuresqldatabase [Microsoft Web Platform Installer]: https://aka.ms/webpi-azps diff --git a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-rest-api.md b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-rest-api.md index 6f1fded09a753..62fa7a9117ef2 100644 --- a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-rest-api.md +++ b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-rest-api.md @@ -24,8 +24,8 @@ ms.author: barbkess > * [PowerShell](sql-data-warehouse-manage-compute-powershell.md) > * [REST](sql-data-warehouse-manage-compute-rest-api.md) > * [TSQL](sql-data-warehouse-manage-compute-tsql.md) -> -> +> +> 
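Review bot: In the link-definition hunk of sql-data-warehouse-manage-compute-powershell.md, the new `[Get-AzureRmSqlDatabase]` target ends in `/powershell/servicemanagement/azure.sqldatabase/v1.6.1/get-azuresqldatabase`, which by its path is the service-management Get-AzureSqlDatabase page rather than the Resource Manager cmdlet the article calls. It is also a site-relative path, while the neighbouring definitions for Resume-, Suspend- and Set-AzureRmSqlDatabase are absolute msdn.microsoft.com URLs. Point it at the Get-AzureRmSqlDatabase reference page and keep the link style consistent with the others.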
@@ -65,7 +65,13 @@ POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups To start a database, use the [Resume Database][Resume Database] REST API. The following example starts a database named Database02 hosted on a server named Server01. The server is in an Azure resource group named ResourceGroup1. ``` -POST https://management.azure.com/subscriptions{subscription-id}/resourceGroups/ResourceGroup1/providers/Microsoft.Sql/servers/Server01/databases/Database02/resume?api-version=2014-04-01-preview HTTP/1.1 +POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/ResourceGroup1/providers/Microsoft.Sql/servers/Server01/databases/Database02/resume?api-version=2014-04-01-preview HTTP/1.1 +``` + +## Check database state + +```json +GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}?api-version=2014-04-01 HTTP/1.1 ``` diff --git a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-tsql.md b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-tsql.md index 76b7ad06f0aac..013b2e8db079f 100644 --- a/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-tsql.md +++ b/articles/sql-data-warehouse/sql-data-warehouse-manage-compute-tsql.md @@ -24,8 +24,8 @@ ms.author: barbkess > * [PowerShell](sql-data-warehouse-manage-compute-powershell.md) > * [REST](sql-data-warehouse-manage-compute-rest-api.md) > * [TSQL](sql-data-warehouse-manage-compute-tsql.md) -> -> +> +> 
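Review bot: The new "Check database state" section in sql-data-warehouse-manage-compute-rest-api.md has no introductory sentence and no description of the response, unlike the Resume section above it, so a reader cannot tell which field carries the state or which values to expect. The request is fenced as json although it is an HTTP request line, and the existing examples use an untagged fence. It also uses `api-version=2014-04-01` where the resume example uses `2014-04-01-preview`, and `{subscriptionId}` where the rest of the file writes `{subscription-id}`; align these or explain the difference. The "/" added after "subscriptions" in the resume URL is a correct fix.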
@@ -36,14 +36,15 @@ To view the current DWU settings for your databases: 2. Connect to the master database associated with the logical SQL Database server. 3. Select from the sys.database_service_objectives dynamic management view. Here is an example: -``` +```sql SELECT - db.name [Database], - ds.edition [Edition], - ds.service_objective [Service Objective] + db.name [Database] +, ds.edition [Edition] +, ds.service_objective [Service Objective] FROM - sys.database_service_objectives ds - JOIN sys.databases db ON ds.database_id = db.database_id + sys.database_service_objectives ds +JOIN + sys.databases db ON ds.database_id = db.database_id ``` @@ -63,6 +64,35 @@ MODIFY (SERVICE_OBJECTIVE = 'DW1000') ; ``` + + +## Check database state and operation progress + +1. Connect to the master database associated with your logical SQL Database server. +2. Submit query to check database state + +```sql +SELECT * +FROM +sys.databases +``` + +3. Submit query to check status of operation + +```sql +SELECT * +FROM + sys.dm_operation_status +WHERE + resource_type_desc = 'Database' +AND + major_resource_id = 'MySQLDW' +``` + +This DMV will return information about various management operations on your SQL Data Warehouse such as the operation and the state of the operation, which will either be IN_PROGRESS or COMPLETED. + + + ## Next steps diff --git a/articles/sql-database/TOC.md b/articles/sql-database/TOC.md index 6e4cacb49b827..c7871e27451b2 100644 --- a/articles/sql-database/TOC.md +++ b/articles/sql-database/TOC.md 
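Review bot: In the added "Check database state and operation progress" section of sql-data-warehouse-manage-compute-tsql.md, the code fences after steps 2 and 3 start at column zero, which ends the ordered list, so the three steps will not render as one numbered sequence; indent each fence under its list item. Step 2 runs "SELECT * FROM sys.databases" without saying which column reports the state or filtering to the database in question, and 'MySQLDW' in step 3 is not introduced as a placeholder for the reader's own database name. The last sentence says the state "will either be IN_PROGRESS or COMPLETED"; if an operation can also end in a failed or cancelled state, document that, so automation polling this view does not wait indefinitely.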
@@ -5,20 +5,17 @@ ## [Create DB - Portal](sql-database-get-started-portal.md) ## [Create DB - Azure CLI](sql-database-get-started-cli.md) ## [Create DB - PowerShell](sql-database-get-started-powershell.md) -## Connect +## Manage ### [SSMS](sql-database-connect-query-ssms.md) ### [VS Code](sql-database-connect-query-vscode.md) +## Connect ### [C#](sql-database-connect-query-dotnet.md) # Samples ## [Azure CLI](sql-database-cli-samples.md) ## [PowerShell](sql-database-powershell-samples.md) # Tutorials -## Access -### [SQL Server](sql-database-control-access-sql-authentication-get-started.md) -### [Azure AD](sql-database-control-access-aad-authentication-get-started.md) -## Recovery -### [Portal](sql-database-get-started-backup-recovery-portal.md) -### [PowerShell](sql-database-get-started-backup-recovery-powershell.md) +## [Design a database](sql-database-design-first-database.md) + # Concepts ## DBs and servers ### [Databases](sql-database-overview.md) @@ -110,6 +107,9 @@ ### [PowerShell](sql-database-elastic-pool-manage-powershell.md) ### [Transact-SQL](sql-database-elastic-pool-manage-tsql.md) ### [C#](sql-database-elastic-pool-manage-csharp.md) +## DB Access +### [SQL Server](sql-database-control-access-sql-authentication-get-started.md) +### [Azure AD](sql-database-control-access-aad-authentication-get-started.md) ## Secure data ### [Azure AD auth](sql-database-aad-authentication-configure.md) ### [Auditing](sql-database-auditing-portal.md) 
@@ -117,11 +117,13 @@ ### [Encrypt - cert store](sql-database-always-encrypted.md) ### [Encrypt - key vault](sql-database-always-encrypted-azure-key-vault.md) ### [Configure masking](sql-database-dynamic-data-masking-get-started-portal.md) -## Back up and restore -### [Restore - Portal](sql-database-restore-database-portal.md) +## Recovery +### [Portal](sql-database-get-started-backup-recovery-portal.md) +### [PowerShell](sql-database-get-started-backup-recovery-powershell.md) +### [Single table](sql-database-cloud-migrate-restore-single-table-azure-backup.md) +## Retention ### [Retention - Portal](sql-database-manage-long-term-backup-retention-portal.md) ### [Retention - PowerShell](sql-database-manage-long-term-backup-retention-powershell.md) -### [Recover single table](sql-database-cloud-migrate-restore-single-table-azure-backup.md) ## Geo-replicate data ### [Portal](sql-database-geo-replication-portal.md) ### [T-SQL - Configure](sql-database-geo-replication-transact-sql.md) diff --git a/articles/sql-database/media/sql-database-design-first-database/restore-point.png b/articles/sql-database/media/sql-database-design-first-database/restore-point.png new file mode 100644 index 0000000000000..ac65c8e0310fb Binary files /dev/null and b/articles/sql-database/media/sql-database-design-first-database/restore-point.png differ diff --git a/articles/sql-database/media/sql-database-design-first-database/restore.png b/articles/sql-database/media/sql-database-design-first-database/restore.png new file mode 100644 index 0000000000000..30ef8f14b4058 Binary files /dev/null and b/articles/sql-database/media/sql-database-design-first-database/restore.png differ 
diff --git a/articles/sql-database/media/sql-database-get-started/create-database-1.png b/articles/sql-database/media/sql-database-get-started/create-database-1.png new file mode 100644 index 0000000000000..12f3d80f0803e Binary files /dev/null and b/articles/sql-database/media/sql-database-get-started/create-database-1.png differ diff --git a/articles/sql-database/media/sql-database-get-started/create-database-server.png b/articles/sql-database/media/sql-database-get-started/create-database-server.png new file mode 100644 index 0000000000000..cbc26011591bc Binary files /dev/null and b/articles/sql-database/media/sql-database-get-started/create-database-server.png differ diff --git a/articles/sql-database/media/sql-database-get-started/login.png b/articles/sql-database/media/sql-database-get-started/login.png index 3e6daa365886d..ce6ce7c170b04 100644 Binary files a/articles/sql-database/media/sql-database-get-started/login.png and b/articles/sql-database/media/sql-database-get-started/login.png differ diff --git a/articles/sql-database/media/sql-database-get-started/new-database-s1-overview.png b/articles/sql-database/media/sql-database-get-started/new-database-s1-overview.png index 50732c5d014ff..d6f3061ba4086 100644 Binary files a/articles/sql-database/media/sql-database-get-started/new-database-s1-overview.png and b/articles/sql-database/media/sql-database-get-started/new-database-s1-overview.png differ diff --git a/articles/sql-database/media/sql-database-get-started/notification.png b/articles/sql-database/media/sql-database-get-started/notification.png new file mode 100644 index 0000000000000..b42b7ca60dedb Binary files /dev/null and b/articles/sql-database/media/sql-database-get-started/notification.png differ 
diff --git a/articles/sql-database/media/sql-database-get-started/query-editor-results.png b/articles/sql-database/media/sql-database-get-started/query-editor-results.png index a8543f91311cd..9b66d0412447a 100644 Binary files a/articles/sql-database/media/sql-database-get-started/query-editor-results.png and b/articles/sql-database/media/sql-database-get-started/query-editor-results.png differ diff --git a/articles/sql-database/media/sql-database-get-started/server-firewall-rule-set.png b/articles/sql-database/media/sql-database-get-started/server-firewall-rule-set.png new file mode 100644 index 0000000000000..dd23e9c3536d8 Binary files /dev/null and b/articles/sql-database/media/sql-database-get-started/server-firewall-rule-set.png differ diff --git a/articles/sql-database/media/sql-database-get-started/server-firewall-rule.png b/articles/sql-database/media/sql-database-get-started/server-firewall-rule.png index a89a1669b44d0..e8f3c4a7727e7 100644 Binary files a/articles/sql-database/media/sql-database-get-started/server-firewall-rule.png and b/articles/sql-database/media/sql-database-get-started/server-firewall-rule.png differ diff --git a/articles/sql-database/media/sql-database-get-started/tools-menu.png b/articles/sql-database/media/sql-database-get-started/tools-menu.png index 3e8d906ade717..cd8a916e82337 100644 Binary files a/articles/sql-database/media/sql-database-get-started/tools-menu.png and b/articles/sql-database/media/sql-database-get-started/tools-menu.png differ diff --git a/articles/sql-database/sql-database-auditing-portal.md b/articles/sql-database/sql-database-auditing-portal.md index 7d88bb8b0f350..665117d9f58e1 100644 --- a/articles/sql-database/sql-database-auditing-portal.md +++ b/articles/sql-database/sql-database-auditing-portal.md 
@@ -21,7 +21,7 @@ ms.author: ronitr;giladm # Configure and manage SQL database auditing in the Azure portal -The following section describes how to configure and manage auditing using the Azure portal. To configure and manage auditing using PowerShell, see [Configure auditing with PowerShell](sql-database-auditing-powershell.md). +The following section describes how to configure and manage auditing using the Azure portal. To configure and manage auditing using PowerShell, see [Configure auditing with PowerShell](scripts/sql-database-create-and-configure-database-powershell.md). For an overview of auditing, see [SQL Database auditing](sql-database-auditing.md). @@ -184,6 +184,6 @@ In production, you are likely to refresh your storage keys periodically. When re ## Next steps -* To configure and manage auditing using PowerShell, see [Configure database auditing using PowerShell](sql-database-auditing-powershell.md). +* To configure and manage auditing using PowerShell, see [Configure database auditing using PowerShell](scripts/sql-database-create-and-configure-database-powershell.md). * For an overview of auditing, see [Database auditing](sql-database-auditing.md). diff --git a/articles/sql-database/sql-database-auditing-powershell.md b/articles/sql-database/sql-database-auditing-powershell.md index a1fc596b65c58..0098ff2a4b35f 100644 --- a/articles/sql-database/sql-database-auditing-powershell.md +++ b/articles/sql-database/sql-database-auditing-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-create-and-configure-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-create-and-configure-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-automated-backups.md b/articles/sql-database/sql-database-automated-backups.md index 2d4a6ba99dd87..56006a29be75a 100644 --- a/articles/sql-database/sql-database-automated-backups.md 
+++ b/articles/sql-database/sql-database-automated-backups.md @@ -86,6 +86,6 @@ The restore API supports backups stored in the vault as long as the vault is in - Database backups are an essential part of any business continuity and disaster recovery strategy because they protect your data from accidental corruption or deletion. To learn about the other Azure SQL Database business continuity solutions, see [Business continuity overview](sql-database-business-continuity.md). - To restore to a point in time using the Azure portal, see [restore database to a point in time using the Azure portal](sql-database-point-in-time-restore-portal.md). -- To restore to a point in time using PowerShell, see [restore database to a point in time using PowerShell](sql-database-point-in-time-restore-powershell.md). +- To restore to a point in time using PowerShell, see [restore database to a point in time using PowerShell](scripts/sql-database-restore-database-powershell.md). - To configure, manage, and restore from long-term retention of automated backups in an Azure Recovery Services vault using the Azure portal, see [Manage long-term backup retention usihg the Azure portal](sql-database-manage-long-term-backup-retention-portal.md). - To configure, manage, and restore from long-term retention of automated backups in an Azure Recovery Services vault using PowerShell, see [Manage long-term backup retention usihg PowerShell](sql-database-manage-long-term-backup-retention-powershell.md). diff --git a/articles/sql-database/sql-database-copy-portal.md b/articles/sql-database/sql-database-copy-portal.md index d816dca2dfa88..49aa6a6b8c699 100644 --- a/articles/sql-database/sql-database-copy-portal.md +++ b/articles/sql-database/sql-database-copy-portal.md 
@@ -23,7 +23,7 @@ ms.tgt_pltfrm: NA The following steps show you how to copy a SQL database with the [Azure portal](https://portal.azure.com) to the same server or a different server. > [!NOTE] -> You can also copy a SQL database using [PowerShell](sql-database-copy-powershell.md) or [Transact-SQL](sql-database-copy-transact-sql.md). +> You can also copy a SQL database using [PowerShell](scripts/sql-database-copy-database-to-new-server-powershell.md) or [Transact-SQL](sql-database-copy-transact-sql.md). > To copy a SQL database, you need the following items: @@ -66,8 +66,7 @@ To resolve logins after the copy operation completes, see [Resolve logins](sql-d * [SQL Database documentation](https://azure.microsoft.com/documentation/services/sql-database/) -[1]: ./media/sql-database-copy-portal/copy.png -[2]: ./media/sql-database-copy-portal/copy-ok.png + [3]: ./media/sql-database-copy-portal/copy-notification.png [4]: ./media/sql-database-copy-portal/monitor-copy.png diff --git a/articles/sql-database/sql-database-copy-transact-sql.md b/articles/sql-database/sql-database-copy-transact-sql.md index 1977893fd15aa..295d457179139 100644 --- a/articles/sql-database/sql-database-copy-transact-sql.md +++ b/articles/sql-database/sql-database-copy-transact-sql.md @@ -23,7 +23,7 @@ ms.tgt_pltfrm: NA The following steps show you how to copy a SQL database with Transact-SQL to the same server or a different server. The database copy operation uses the [CREATE DATABASE](https://msdn.microsoft.com/library/ms176061.aspx) statement. > [!NOTE] -> You can also copy a SQL database using the [Azure portal](sql-database-copy-portal.md) or [PowerShell](sql-database-copy-powershell.md). +> You can also copy a SQL database using the [Azure portal](sql-database-copy-portal.md) or [PowerShell](scripts/sql-database-copy-database-to-new-server-powershell.md). > To complete the steps in this article, you need the following: 
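Review bot: In sql-database-copy-portal.md, the second hunk deletes the `[1]` and `[2]` image definitions (copy.png and copy-ok.png) but keeps `[3]` and `[4]`, and neither visible hunk for this file removes an image reference from the body. If the article still contains references to `[1]` or `[2]`, they will now render as broken links; either remove those references in the same change or keep the definitions. The replacement of the two deleted lines with a blank line also leaves extra vertical space before `[3]`.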
diff --git a/articles/sql-database/sql-database-design-first-database.md b/articles/sql-database/sql-database-design-first-database.md new file mode 100644 index 0000000000000..86c2f8c52e9ce --- /dev/null +++ b/articles/sql-database/sql-database-design-first-database.md 
@@ -0,0 +1,188 @@ +--- +title: Design your first Azure SQL database | Microsoft Docs +description: Learn to design your first Azure SQL database. +services: sql-database +documentationcenter: '' +author: janeng +manager: jstrauss +editor: '' +tags: '' + +ms.assetid: +ms.service: sql-database +ms.custom: tutorial +ms.devlang: na +ms.topic: article +ms.tgt_pltfrm: na +ms.workload: '' +ms.date: 03/23/2017 +ms.author: janeng + +--- + +# Design your first Azure SQL database + +In this tutorial, you use the Azure portal to create a database on a new server with a server-level firewall. You will then use SQL Server Management Studio to create a table, load data into that table, query the table, and add an index to the table. Finally, you will use the SQL Database service's automated backups to restore the database to an earlier point in time before you added this new table. + +To complete this tutorial, make sure you have installed the newest version of [SQL Server Management Studio](https://msdn.microsoft.com/library/ms174173.aspx) (SSMS) + +## Step 1 - Log in to the Azure portal + +Log in to the [Azure portal](https://portal.azure.com/). + +## Step 2 - Create a SQL database + +An Azure SQL database is created with a defined set of [compute and storage resources](sql-database-service-tiers.md). The database is created within an [Azure resource group](../azure-resource-manager/resource-group-overview.md) and in an [Azure SQL Database logical server](sql-database-features.md). + +Follow these steps to create a SQL database containing the Adventure Works LT sample data. + +1. Click the **New** button found on the upper left-hand corner of the Azure portal. + +2. Select **Databases** from the **New** page, and select **SQL Database** from the **Databases** page. + +3. 
Fill out the SQL Database form with the required information: + - Database name: Provide a database name + - Subscription: Select your subscription + - Resource group: Select new or existing + - Source: Select **Sample (AdventureWorksLT)** + - Server: Create a new server (the **Server** name must be globally unique) + - Elastic pool: Select **Not now** for this quick start + - Pricing tier: Select **20 DTUs** and **250** GB of storage + - Collation: You cannot change this value when importing the sample database + - Pin to dashboard: Select this checkbox + + ![create database](./media/sql-database-get-started/create-database-s1.png) + +4. Click **Create** when complete. Provisioning takes a few minutes. +5. Once the SQL database deployment has finished, select the **SQL databases** on the dashboard or by selecting **SQL Databases** from the left-hand menu, and click your new database on the **SQL databases** page. An overview page for your database opens, showing you the fully qualified server name (such as **mynewserver20170313.database.windows.net**) and provides options for further configuration. + + ![new-sql database](./media/sql-database-get-started/new-database-s1-overview.png) + +## Step 3 - Create a server-level firewall rule + +The SQL Database service creates a firewall preventing external applications and tools from connecting to your server and database. Follow these steps to create a [SQL Database server-level firewall rule](sql-database-firewall-configure.md) for your IP address to enable external connectivity through the SQL Database firewall. + +1. Click **Set server firewall** on the toolbar for your database. The **Firewall settings** page for the SQL Database server opens. + + ![server firewall rule](./media/sql-database-get-started/server-firewall-rule.png) + +2. Click **Add client IP** on the toolbar and then click **Save**. A server-level firewall rule is created for your current IP address. + +3. 
Click **OK** and then click the **X** to close the Firewall settings page. + +You can now connect to the database and its server using SQL Server Management Studio or another tool of your choice. + +## Step 4 - Get connection information + +Get the fully qualified server name for your Azure SQL Database server in the Azure portal. You use the fully qualified server name to connect to your server using SQL Server Management Studio. + +1. Log in to the [Azure portal](https://portal.azure.com/). +2. Select **SQL Databases** from the left-hand menu, and click your database on the **SQL databases** page. +3. In the **Essentials** pane in the Azure portal page for your database, locate and then copy the **Server name**. + + connection information + +## Step 5 - Connect to the server using SSMS + +Use SQL Server Management Studio to establish a connection to your Azure SQL Database server. + +1. Type **SSMS** in the Windows search box and then click **Enter** to open SSMS. + +2. In the **Connect to Server** dialog box, enter the following information: + - **Server type**: Specify Database engine + - **Server name**: Enter your fully qualified server name, such as **mynewserver20170313.database.windows.net** + - **Authentication**: Specify SQL Server Authentication + - **Login**: Enter your server admin account + - **Password**: Enter the password for your server admin account + + connect to server + +3. Click **Connect**. The Object Explorer window opens in SSMS. + + connected to server + +4. In Object Explorer, expand **Databases** and then expand **mySampleDatabase** to view the objects in the sample database. + +## Step 6 - Create and query a table +1. In Object Explorer, right-click **mySampleDatabase** and click **New Query**. A blank query window opens that is connected to your database. +2. 
In the query window, execute following query: + + ```sql + CREATE TABLE [dbo].[Students] + ( + [student_id] int, + [name] varchar(100), + [age] int, + [email] varchar(100), + [AddressID] int REFERENCES [SalesLT].[Address] (AddressID) + ); + ``` + + Once the query is complete, you have created an empty table in your database called Students. + +3. In an SSMS query window, execute following query: + + ```sql + SELECT name, age, email + FROM [dbo].[Students] + ``` + + The Students table returns no data. + +## Step 7 - Load data into the table +1. Open a command prompt window. + +2. Execute the following PowerShell command to download a sample text file to your current directory. + + ```powershell + powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://sqldbtutorial.blob.core.windows.net/tutorials/SampleStudentData.txt', 'SampleStudentData.txt'); echo 'Download complete' }" + ``` + +3. When this completes, execute the following command to insert 1000 rows into the Student table, replacing the values for **ServerName**, **DatabaseName**, **UserName**, and **Password** with the values for your environment. + + ```bcp + bcp Students in SampleStudentData.txt -S -d -U -P -q -c -t "," + ``` + +You have now loaded sample data into the table you created earlier. + +## Step 8 - Add an index to a table +To make searching for specific values in the table more efficient, create an index on the Students table. An index organizes the data in such a way, that now all data has to be looked at to find a specific value. + +1. In an SSMS query window, execute following query: + + ```sql + CREATE NONCLUSTERED INDEX IX_Age ON Students (age); + ``` + +2. In an SSMS query window, execute following query: + + ```sql + SELECT name, age, email + FROM [dbo].[Students] + WHERE age > 20 + ``` + + This query returns the name, age, and email of students who are older than 20 years old. 
+ +## Step 9 - Restore a database to a point in time +Databases in Azure have [continuous backups](sql-database-automated-backups.md) that are taken automatically every 5 - 10 minutes. These backups allow you to restore your database to a previous point in time. Restoring a database to a different point in time creates a duplicate database in the same server as the original database as of the point in time you specify (within the retention period for your service tier). The following steps restore the sample database to a point before the **Students** table was added. + +1. On the SQL Database page for your database, click **Restore** on the toolbar. The **Restore** page opens. + + restore + +2. Fill out the **Restore** form with the required information: + * Database name: Provide a database name + * Point-in-time: Select the **Point-in-time** tab on the Restore form + * Restore point: Select a time that occurs before the database was changed + * Target server: You cannot change this value when restoring a database + * Elastic database pool: Select **None** + * Pricing tier: Select **20 DTUs** and **250 GB** of storage. + + restore-point + +3. Click **OK** to restore the database to a point in time before the *Students* table was added. + +## Next Steps +For PowerShell samples for common tasks, see [SQL Database PowerShell samples](sql-database-powershell-samples.md) diff --git a/articles/sql-database/sql-database-export-powershell.md b/articles/sql-database/sql-database-export-powershell.md index a6afa1ae810ad..5387594cc7793 100644 --- a/articles/sql-database/sql-database-export-powershell.md +++ b/articles/sql-database/sql-database-export-powershell.md 
@@ -37,10 +37,10 @@ To complete this article, you need the following: [!INCLUDE [Start your PowerShell session](../../includes/sql-database-powershell.md)] ## Export your database -The [New-AzureRmSqlDatabaseExport](https://msdn.microsoft.com/library/azure/mt707796\(v=azure.300\).aspx) cmdlet submits an export database request to the service. Depending on the size of your database, the export operation may take some time to complete. +The [New-AzureRmSqlDatabaseExport](https://docs.microsoft.com/powershell/resourcemanager/azurerm.sql/v2.7.0/new-azurermsqldatabaseexport) cmdlet submits an export database request to the service. Depending on the size of your database, the export operation may take some time to complete. > [!IMPORTANT] -> To guarantee a transactionally consistent BACPAC file, you should first [create a copy of your database](sql-database-copy-powershell.md), and then export the database copy. +> To guarantee a transactionally consistent BACPAC file, you should first [create a copy of your database](scripts/sql-database-copy-database-to-new-server-powershell.md), and then export the database copy. 
> > @@ -50,7 +50,7 @@ The [New-AzureRmSqlDatabaseExport](https://msdn.microsoft.com/library/azure/mt70 ## Monitor the progress of the export operation -After running [New-AzureRmSqlDatabaseExport](https://msdn.microsoft.com/library/azure/mt603644\(v=azure.300\).aspx), you can check the status of the request by running [Get-AzureRmSqlDatabaseImportExportStatus](https://msdn.microsoft.com/library/azure/mt707794\(v=azure.300\).aspx). Running this immediately after the request usually returns **Status : InProgress**. When you see **Status: Succeeded** the export is complete. +After running [New-AzureRmSqlDatabaseExport](https://docs.microsoft.com//powershell/resourcemanager/azurerm.sql/v2.7.0/new-azurermsqldatabaseexport), you can check the status of the request by running [Get-AzureRmSqlDatabaseImportExportStatus](https://docs.microsoft.com/powershell/resourcemanager/azurerm.sql/v2.7.0/get-azurermsqldatabaseimportexportstatus). Running this immediately after the request usually returns **Status : InProgress**. When you see **Status: Succeeded** the export is complete. Get-AzureRmSqlDatabaseImportExportStatus -OperationStatusLink $exportRequest.OperationStatusLink 
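Review bot: The new New-AzureRmSqlDatabaseExport link in the added line of this hunk has a doubled slash after the host (`https://docs.microsoft.com//powershell/resourcemanager/...`), while the same cmdlet is linked with a single slash in the `@@ -37,10 +37,10 @@` hunk and under Additional resources. Drop the extra slash so all three references use one URL. Since this line is being rewritten anyway, also check the two status strings against the cmdlet's real output: the line has `**Status : InProgress**` with a space before the colon and `**Status: Succeeded**` without one.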
@@ -100,7 +100,7 @@ Azure SQL Database Automated Export is now in preview and will be retired on Mar ## Next steps -* To learn how to import an Azure SQL database by using Powershell, see [Import a BACPAC using PowerShell](sql-database-import-powershell.md). +* To learn how to import an Azure SQL database by using Powershell, see [Import a BACPAC using PowerShell](scripts/sql-database-import-from-bacpac-powershell.md). * To learn about importing a BACPAC using SQLPackage, see [Import a BACPAC to Azure SQL Database using SqlPackage](sql-database-import-sqlpackage.md) * To learn about importing a BACPAC using the Azure portal, see [Import a BACPAC to Azure SQL Database using the Azure portal](sql-database-import-portal.md) * For a discussion of the entire SQL Server database migration process, including performance recommendations, see [Migrate a SQL Server database to Azure SQL Database](sql-database-cloud-migrate.md). @@ -110,6 +110,6 @@ Azure SQL Database Automated Export is now in preview and will be retired on Mar ## Additional resources -* [New-AzureRmSqlDatabaseExport](https://msdn.microsoft.com/library/azure/mt707796\(v=azure.300\).aspx) -* [Get-AzureRmSqlDatabaseImportExportStatus](https://msdn.microsoft.com/library/azure/mt707794\(v=azure.300\).aspx) +* [New-AzureRmSqlDatabaseExport](https://docs.microsoft.com/powershell/resourcemanager/azurerm.sql/v2.7.0/new-azurermsqldatabaseexport) +* [Get-AzureRmSqlDatabaseImportExportStatus](https://docs.microsoft.com/powershell/resourcemanager/azurerm.sql/v2.7.0/get-azurermsqldatabaseimportexportstatus) diff --git a/articles/sql-database/sql-database-export-sqlpackage.md b/articles/sql-database/sql-database-export-sqlpackage.md index ba3074fbb7052..943f0802da5b2 100644 --- a/articles/sql-database/sql-database-export-sqlpackage.md +++ b/articles/sql-database/sql-database-export-sqlpackage.md 
@@ -49,7 +49,7 @@ For an overview of exporting to a BACPAC file, see [Export to a BACPAC](sql-data * To learn about importing a BACPAC using SQLPackage, see [Import a BACPAC to Azure SQL Database using SqlPackage](sql-database-import-sqlpackage.md) * To learn about importing a BACPAC using the Azure portal, see [Import a BACPAC to Azure SQL Database using the Azure portal](sql-database-import-portal.md) -* To learn about importing a BACPAC using PowerShell, see [Import a BACPAC to Azure SQL Database using PowerShell](sql-database-import-powershell.md) +* To learn about importing a BACPAC using PowerShell, see [Import a BACPAC to Azure SQL Database using PowerShell](scripts/sql-database-import-from-bacpac-powershell.md) * For a discussion of the entire SQL Server database migration process, including performance recommendations, see [Migrate a SQL Server database to Azure SQL Database](sql-database-cloud-migrate.md). * To learn about long-term backup retention of an Azure SQL database backup as an alternative to exported a database for archive purposes, see [Long term backup retention](sql-database-long-term-retention.md) * To learn about importing a BACPAC to a SQL Server database, see [Import a BACPCAC to a SQL Server database](https://msdn.microsoft.com/library/hh710052.aspx) diff --git a/articles/sql-database/sql-database-export.md b/articles/sql-database/sql-database-export.md index cbe37d2ae3c48..0909905de39e2 100644 --- a/articles/sql-database/sql-database-export.md +++ b/articles/sql-database/sql-database-export.md 
@@ -56,4 +56,4 @@ When you need to export a database for archiving or for moving to another platfo * For a discussion of the entire SQL Server database migration process, see [Migrate a SQL Server database to Azure SQL Database](sql-database-cloud-migrate.md). * For an overview of copying a database within Azure, see also [Copying an Azure SQL database](sql-database-copy.md). -* You can copy your Azure SQL database within Azure using the [Azure portal](sql-database-copy-portal.md), [PowerShell](sql-database-copy-powershell.md), or [Transact-SQL](sql-database-copy-transact-sql.md). +* You can copy your Azure SQL database within Azure using the [Azure portal](sql-database-copy-portal.md), [PowerShell](scripts/sql-database-copy-database-to-new-server-powershell.md), or [Transact-SQL](sql-database-copy-transact-sql.md). diff --git a/articles/sql-database/sql-database-geo-replication-failover-powershell.md b/articles/sql-database/sql-database-geo-replication-failover-powershell.md index cc6f0308e5cf1..032fd2ecc5caf 100644 --- a/articles/sql-database/sql-database-geo-replication-failover-powershell.md +++ b/articles/sql-database/sql-database-geo-replication-failover-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-setup-geodr-and-failover-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-setup-geodr-and-failover-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-geo-replication-overview.md b/articles/sql-database/sql-database-geo-replication-overview.md index a278a7c8dc36b..e8dcf0a5447fd 100644 --- a/articles/sql-database/sql-database-geo-replication-overview.md +++ b/articles/sql-database/sql-database-geo-replication-overview.md 
@@ -29,7 +29,7 @@ Active Geo-Replication enables you to configure up to four readable secondary da If for any reason your primary database fails, or simply needs to be taken offline, you can *failover* to any of your secondary databases. When failover is activated to one of the secondary databases, all other secondaries are automatically linked to the new primary. -You can failover to a secondary using the [Azure portal](sql-database-geo-replication-failover-portal.md), [PowerShell](sql-database-geo-replication-failover-powershell.md), [Transact-SQL](sql-database-geo-replication-failover-transact-sql.md), the [REST API - Planned Failover](https://msdn.microsoft.com/ibrary/azure/mt575007.aspx), or [REST API - Unplanned Failover](https://msdn.microsoft.com/library/azure/mt582027.aspx). +You can failover to a secondary using the [Azure portal](sql-database-geo-replication-failover-portal.md), [PowerShell](scripts/sql-database-setup-geodr-and-failover-database-powershell.md), [Transact-SQL](sql-database-geo-replication-failover-transact-sql.md), the [REST API - Planned Failover](https://msdn.microsoft.com/library/mt575007.aspx), or [REST API - Unplanned Failover](https://msdn.microsoft.com/library/mt582027.aspx). After failover, ensure the authentication requirements for your server and database are configured on the new primary. For details, see [SQL Database security after disaster recovery](sql-database-geo-replication-security-config.md). 
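Review bot: The two REST API links in the added line do not match the targets this same change uses in the REST table hunk (`@@ -115,7 +115,7 @@`). Here Planned Failover becomes `https://msdn.microsoft.com/library/mt575007.aspx` and Unplanned Failover loses its `azure/` segment (`library/azure/mt582027.aspx` becomes `library/mt582027.aspx`), whereas the table hunk corrects the same `ibrary` typo to `https://msdn.microsoft.com/library/azure/mt575007.aspx` and leaves `library/azure/mt582027.aspx` as it was. Use one form in both places; if the intent was only to fix the `ibrary` typo, the Unplanned Failover link should stay unchanged.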
@@ -103,10 +103,10 @@ As discussed previously, Active Geo-Replication can also be managed programmatic ### PowerShell | Cmdlet | Description | | --- | --- | -| [Get-AzureRmSqlDatabase](https://msdn.microsoft.com/en-us/library/azure/mt603648.aspx) |Gets one or more databases. | +| [Get-AzureRmSqlDatabase](https://msdn.microsoft.com/library/azure/mt603648.aspx) |Gets one or more databases. | | [New-AzureRmSqlDatabaseSecondary](https://msdn.microsoft.com/library/mt603689.aspx) |Creates a secondary database for an existing database and starts data replication. | -| [Set-AzureRmSqlDatabaseSecondary](https://msdn.microsoft.com/en-us/library/mt619393.aspx) |Switches a secondary database to be primary to initiate failover. | -| [Remove-AzureRmSqlDatabaseSecondary](https://msdn.microsoft.com/en-us/library/mt603457.aspx) |Terminates data replication between a SQL Database and the specified secondary database. | +| [Set-AzureRmSqlDatabaseSecondary](https://msdn.microsoft.com/library/mt619393.aspx) |Switches a secondary database to be primary to initiate failover. | +| [Remove-AzureRmSqlDatabaseSecondary](https://msdn.microsoft.com/library/mt603457.aspx) |Terminates data replication between a SQL Database and the specified secondary database. | | [Get-AzureRmSqlDatabaseReplicationLink](https://msdn.microsoft.com/library/mt619330.aspx) |Gets the geo-replication links between an Azure SQL Database and a resource group or SQL Server. | | | | 
@@ -115,7 +115,7 @@ As discussed previously, Active Geo-Replication can also be managed programmatic | --- | --- | | [Create or Update Database (createMode=Restore)](https://msdn.microsoft.com/library/azure/mt163685.aspx) |Creates, updates, or restores a primary or a secondary database. | | [Get Create or Update Database Status](https://msdn.microsoft.com/library/azure/mt643934.aspx) |Returns the status during a create operation. | -| [Set Secondary Database as Primary (Planned Failover)](https://msdn.microsoft.com/ibrary/azure/mt575007.aspx) |Promote a secondary database in a Geo-Replication partnership to become the new primary database. | +| [Set Secondary Database as Primary (Planned Failover)](https://msdn.microsoft.com/library/azure/mt575007.aspx) |Promote a secondary database in a Geo-Replication partnership to become the new primary database. | | [Set Secondary Database as Primary (Unplanned Failover)](https://msdn.microsoft.com/library/azure/mt582027.aspx) |To force a failover to the secondary database and set the secondary as the primary. | | [Get Replication Links](https://msdn.microsoft.com/library/azure/mt600929.aspx) |Gets all replication links for a given SQL database in a geo-replication partnership. It retrieves the information visible in the sys.geo_replication_links catalog view. | | [Get Replication Link](https://msdn.microsoft.com/library/azure/mt600778.aspx) |Gets a specific replication link for a given SQL database in a geo-replication partnership. It retrieves the information visible in the sys.geo_replication_links catalog view. | diff --git a/articles/sql-database/sql-database-geo-replication-powershell.md b/articles/sql-database/sql-database-geo-replication-powershell.md index cc6f0308e5cf1..032fd2ecc5caf 100644 --- a/articles/sql-database/sql-database-geo-replication-powershell.md +++ b/articles/sql-database/sql-database-geo-replication-powershell.md 
@@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-setup-geodr-and-failover-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-setup-geodr-and-failover-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-geo-restore-powershell.md b/articles/sql-database/sql-database-geo-restore-powershell.md index 40f4d885aa3b7..99d440d3ab895 100644 --- a/articles/sql-database/sql-database-geo-restore-powershell.md +++ b/articles/sql-database/sql-database-geo-restore-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-restore-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-restore-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-get-started-portal.md b/articles/sql-database/sql-database-get-started-portal.md index bfd87ddb4627f..2fff67c1e2a28 100644 --- a/articles/sql-database/sql-database-get-started-portal.md +++ b/articles/sql-database/sql-database-get-started-portal.md @@ -19,9 +19,9 @@ ms.date: 03/13/2017 ms.author: carlrab --- -# Create and query a single Azure SQL database in the Azure portal +# Create an Azure SQL database in the Azure portal -Azure SQL databases can be created through the Azure portal. This method provides a browser-based user interface for creating and configuring Azure SQL databases and all related Azure resources. +This quick start tutorial walks through how to create a SQL database in Azure. Azure SQL Database is a “Database-as-a-Service” offering that enables you to run and scale highly-available SQL Server databases in the cloud. This quick start shows you how to get started by creating a new SQL database using the Azure portal. ## Log in to the Azure portal 
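Review bot: The new H1 in sql-database-get-started-portal.md drops "and query" ("Create an Azure SQL database in the Azure portal"), but the next hunk in this file keeps and expands the "## Query the SQL database" section, so the title no longer covers what the article walks through. Keep "and query" in the heading, and confirm the front-matter `title:` (outside this hunk) agrees with it. The new intro also states its purpose twice ("This quick start tutorial walks through how to create a SQL database in Azure" and "This quick start shows you how to get started by creating a new SQL database") and puts curly quotes around “Database-as-a-Service”; one purpose sentence with straight quotes would read better.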
@@ -37,52 +37,66 @@ Follow these steps to create a SQL database containing the Adventure Works LT sa 2. Select **Databases** from the **New** page, and select **SQL Database** from the **Databases** page. -3. Fill out the SQL Database form with the required information: - - Database name: Provide a database name - - Subscription: Select your subscription - - Resource group: Select new or existing + ![create database-1](./media/sql-database-get-started/create-database-1.png) + +3. Fill out the SQL Database form with the following information, as shown on the preceding image: + - Database name: Use **mySampleDatabase** + - Resource group: Use **myResourceGroup** - Source: Select **Sample (AdventureWorksLT)** - - Server: Create a new server (the **Server** name must be globally unique) - - Elastic pool: Select **Not now** for this quick start - - Pricing tier: Select **20 DTUs** and **250** GB of storage - - Collation: You cannot change this value when importing the sample database - - Pin to dashboard: Select this checkbox - ![create database](./media/sql-database-get-started/create-database-s1.png) +4. Click **Server** to create and configure a new server for your new database. Fill out the **New server form** specifying a globally unique server name, provide a name for the Server admin login, and then specify the password of your choice. + + ![create database-server](./media/sql-database-get-started/create-database-server.png) +5. Click **Select**. + +6. Click **Pricing tier** to specify the service tier and performance level for your new database. For this quick start, select **20 DTUs** and **250** GB of storage + + ![create database-s1](./media/sql-database-get-started/create-database-s1.png) + +7. Click **Apply**. + +8. Click **Create** to provision the database. Provisioning takes a few minutes. -4. Click **Create** when complete. Provisioning takes a few minutes. -5. 
Once the SQL database deployment has finished, select the **SQL databases** on the dashboard or by selecting **SQL Databases** from the left-hand menu, and click your new database on the **SQL databases** page. An overview page for your database opens, showing you the fully qualified server name (such as **mynewserver20170313.database.windows.net**) and provides options for further configuration. +9. On the toolbar, click **Notifications** to monitor the deployment process. + + ![notification](./media/sql-database-get-started/notification.png) - ![new-sql database](./media/sql-database-get-started/new-database-s1-overview.png) ## Create a server-level firewall rule -The SQL Database service creates a firewall preventing external applications and tools from connecting to your server and database. Follow these steps to create a [SQL Database server-level firewall rule](sql-database-firewall-configure.md) for your IP address to enable external connectivity through the SQL Database firewall. +The SQL Database service creates a firewall at the server-level preventing external applications and tools from connecting to the server or any databases on the server unless a firewall rule is created to open the firewall for specific IP addresses. Follow these steps to create a [SQL Database server-level firewall rule](sql-database-firewall-configure.md) for your client's IP address and enable external connectivity through the SQL Database firewall for your IP address only. -1. Click **Set server firewall** on the toolbar for your database. The **Firewall settings** page for the SQL Database server opens. +1. After the deployment completes, click **SQL databases** from the left-hand menu and click your new database, **mySampleDatabase**, on the **SQL databases** page. The overview page for your database opens, showing you the fully qualified server name (such as **mynewserver20170327.database.windows.net**) and provides options for further configuration. 
![server firewall rule](./media/sql-database-get-started/server-firewall-rule.png) -2. Click **Add client IP** on the toolbar and then click **Save**. A server-level firewall rule is created for your current IP address. +2. Click **Set server firewall** on the toolbar as shown in the previous image. The **Firewall settings** page for the SQL Database server opens. + +3. Click **Add client IP** on the toolbar and then click **Save**. A server-level firewall rule is created for your current IP address. + + ![set server firewall rule](./media/sql-database-get-started/server-firewall-rule-set.png) -3. Click **OK** and then click the **X** to close the Firewall settings page. +4. Click **OK** and then click the **X** to close the **Firewall settings** page. You can now connect to the database and its server using SQL Server Management Studio or another tool of your choice. ## Query the SQL database -Follow these steps to query the database using the query editor in the Azure portal. +When we created our SQL database, we populated it with the **AdventureWorksLT** sample database (this was one of the options we selected in the Create UI earlier in this quick start). Let’s now use the built-in query tool within the Azure portal to query the data. -1. On the SQL Database page for your database, click **Tools** on the toolbar. The **Query editor** preview page opens. +1. On the SQL Database page for your database, click **Tools** on the toolbar. The **Tools** page opens. ![tools menu](./media/sql-database-get-started/tools-menu.png) -2. Click **Query editor (preview)**, click the **Preview terms** checkbox, and then click **OK**. The query editor opens. +2. Click **Query editor (preview)**, click the **Preview terms** checkbox, and then click **OK**. The Query editor page opens. + +3. Click **Login** and then, when prompted, select **SQL server authentication** and then provide the server admin login and password that you created earlier. 
+ + ![login](./media/sql-database-get-started/login.png) -3. Click **Login** and then, when prompted, select **SQL server authentication** and then provide the server admin login and password. 4. Click **OK** to log in. -5. After you are authenticated, type a query of your choice in the query window, such as the following query: +5. After you are authenticated, type the following query in the query editor pane. ``` SELECT pc.Name as CategoryName, p.name as ProductName @@ -95,7 +109,7 @@ Follow these steps to query the database using the query editor in the Azure por ![query editor results](./media/sql-database-get-started/query-editor-results.png) -7. Click the **X** to close the Query editor page. +7. Click the **X** to close the **Query editor** page and click **X** again to close the **Tools** page. ## Clean up resources diff --git a/articles/sql-database/sql-database-import-powershell.md b/articles/sql-database/sql-database-import-powershell.md index 6a7afc4fc415c..098e3f48bb272 100644 --- a/articles/sql-database/sql-database-import-powershell.md +++ b/articles/sql-database/sql-database-import-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-import-from-bacpac-powershell +redirect_url: /azure/sql-database/scripts/sql-database-import-from-bacpac-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-manage-servers-powershell.md b/articles/sql-database/sql-database-manage-servers-powershell.md index a1fc596b65c58..0098ff2a4b35f 100644 --- a/articles/sql-database/sql-database-manage-servers-powershell.md +++ b/articles/sql-database/sql-database-manage-servers-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-create-and-configure-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-create-and-configure-database-powershell --- \ No newline at end of file 
diff --git a/articles/sql-database/sql-database-manage-single-databases-powershell.md b/articles/sql-database/sql-database-manage-single-databases-powershell.md index a1fc596b65c58..0098ff2a4b35f 100644 --- a/articles/sql-database/sql-database-manage-single-databases-powershell.md +++ b/articles/sql-database/sql-database-manage-single-databases-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-create-and-configure-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-create-and-configure-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-manage-single-databases-tsql.md b/articles/sql-database/sql-database-manage-single-databases-tsql.md index 7b27288dff7df..9eeb626dcc6a3 100644 --- a/articles/sql-database/sql-database-manage-single-databases-tsql.md +++ b/articles/sql-database/sql-database-manage-single-databases-tsql.md 
@@ -20,7 +20,7 @@ ms.author: carlrab --- # Create and manage single Azure SQL databases with Transact-SQL -You can create and manage single Azure SQL databases with the [Azure portal](https://portal.azure.com/), PowerShell, Transact-SQL, the REST API, or C#. This topic is about using the Azure portal. For PowerShell, see [Create and manage single databases with Powershell](sql-database-manage-single-databases-powershell.md). For Transact-SQL, see [Create and manage single databases with Transact-SQL](sql-database-manage-single-databases-tsql.md). +You can create and manage single Azure SQL databases with the [Azure portal](https://portal.azure.com/), PowerShell, Transact-SQL, the REST API, or C#. This topic is about using the Azure portal. For PowerShell, see [Create and manage single databases with Powershell](scripts/sql-database-create-and-configure-database-powershell.md). For Transact-SQL, see [Create and manage single databases with Transact-SQL](sql-database-manage-single-databases-tsql.md). ## Create an Azure SQL database using Transact-SQL in SQL Server Management Studio diff --git a/articles/sql-database/sql-database-performance-guidance.md b/articles/sql-database/sql-database-performance-guidance.md index f3a8eac7cbd0b..4f4b0e304d8cf 100644 --- a/articles/sql-database/sql-database-performance-guidance.md +++ b/articles/sql-database/sql-database-performance-guidance.md 
@@ -23,8 +23,8 @@ Azure SQL Database offers four [service tiers](sql-database-service-tiers.md): B > [!NOTE] > This article focuses on performance guidance for single databases in Azure SQL Database. For performance guidance related to elastic pools, see [Price and performance considerations for elastic pools](sql-database-elastic-pool-guidance.md). Note, though, that you can apply many of the tuning recommendations in this article to databases in an elastic pool, and get similar performance benefits. -> -> +> +> ## Why service tiers? Although each database workload can differ, the purpose of service tiers is to provide performance predictability at various performance levels. Customers with large-scale database resource requirements can work in a more dedicated computing environment. @@ -54,7 +54,7 @@ Each service tier and performance level is associated with different limits and [!INCLUDE [SQL DB service tiers table](../../includes/sql-database-service-tiers-table.md)] > [!IMPORTANT] -> Customers using P11 and P15 performance levels can use up to 4 TB of included storage at no additional charge. This 4 TB option is currently in public preview in the following regions: US East2, West US, West Europe, South East Asia, Japan East, Australia East, Canada Central, and Canada East. For current limitations, see [Current 4 TB limitations](sql-database-service-tiers.md#current-limitations-of-p11-and-p15-databases-with-4-tb-maxsize) +> Customers using P11 and P15 performance levels can use up to 4 TB of included storage at no additional charge. This 4 TB option is currently in public preview in the following regions: US East2, West US, West Europe, South East Asia, Japan East, Australia East, Canada Central, and Canada East. > ### Maximum In-Memory OLTP storage 
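Review bot: The added IMPORTANT note in the `@@ -54,7 +54,7 @@` hunk deletes the sentence "For current limitations, see [Current 4 TB limitations](sql-database-service-tiers.md#current-limitations-of-p11-and-p15-databases-with-4-tb-maxsize)" without a replacement, so readers are told the 4 TB option is in public preview with no pointer to what its limitations are. If the anchor in sql-database-service-tiers.md was renamed or removed, link to its new location or to the article itself rather than dropping the reference.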
@@ -82,8 +82,8 @@ If multiple clients use the same connection string, the service authenticates ea > [!NOTE] > Currently, this limit does not apply to databases in elastic pools. -> -> +> +> ### Maximum sessions To see the number of current active sessions, run this Transact-SQL query on your SQL database: @@ -101,7 +101,7 @@ If you're analyzing an on-premises SQL Server workload, modify the query to focu Again, these queries return a point-in-time count. If you collect multiple samples over time, you’ll have the best understanding of your session use. -For SQL Database analysis, you can get historical statistics on sessions by querying the [sys.resource_stats](https://msdn.microsoft.com/library/dn269979.aspx) view and reviewing the **active_session_count** column. +For SQL Database analysis, you can get historical statistics on sessions by querying the [sys.resource_stats](https://msdn.microsoft.com/library/dn269979.aspx) view and reviewing the **active_session_count** column. ## Monitor resource use @@ -145,8 +145,8 @@ Azure SQL Database exposes consumed resource information for each active databas > [!NOTE] > You must be connected to the **master** database of your logical SQL database server to query **sys.resource_stats** in the following examples. -> -> +> +> This example shows you how the data in this view is exposed: 
@@ -160,14 +160,14 @@ This example shows you how the data in this view is exposed: The next example shows you different ways that you can use the **sys.resource_stats** catalog view to get information about how your SQL database uses resources: 1. To look at the past week’s resource use for the database userdb1, you can run this query: - + SELECT * FROM sys.resource_stats WHERE database_name = 'userdb1' AND start_time > DATEADD(day, -7, GETDATE()) ORDER BY start_time DESC; 2. To evaluate how well your workload fits the performance level, you need to drill down into each aspect of the resource metrics: CPU, reads, writes, number of workers, and number of sessions. Here's a revised query using **sys.resource_stats** to report the average and maximum values of these resource metrics: - + SELECT avg(avg_cpu_percent) AS 'Average CPU use in percent', max(avg_cpu_percent) AS 'Maximum CPU use in percent', 
@@ -182,35 +182,35 @@ The next example shows you different ways that you can use the **sys.resource_st FROM sys.resource_stats WHERE database_name = 'userdb1' AND start_time > DATEADD(day, -7, GETDATE()); 3. With this information about the average and maximum values of each resource metric, you can assess how well your workload fits into the performance level you chose. Usually, average values from **sys.resource_stats** give you a good baseline to use against the target size. It should be your primary measurement stick. For an example, you might be using the Standard service tier with S2 performance level. The average use percentages for CPU and I/O reads and writes are below 40 percent, the average number of workers is below 50, and the average number of sessions is below 200. Your workload might fit into the S1 performance level. It's easy to see whether your database fits in the worker and session limits. To see whether a database fits into a lower performance level with regards to CPU, reads, and writes, divide the DTU number of the lower performance level by the DTU number of your current performance level, and then multiply the result by 100: - + **S1 DTU / S2 DTU * 100 = 20 / 50 * 100 = 40** - + The result is the relative performance difference between the two performance levels in percentage. If your resource use doesn't exceed this amount, your workload might fit into the lower performance level. However, you need to look at all ranges of resource use values, and determine, by percentage, how often your database workload would fit into the lower performance level. 
The following query outputs the fit percentage per resource dimension, based on the threshold of 40 percent that we calculated in this example: - + SELECT (COUNT(database_name) - SUM(CASE WHEN avg_cpu_percent >= 40 THEN 1 ELSE 0 END) * 1.0) / COUNT(database_name) AS 'CPU Fit Percent' ,(COUNT(database_name) - SUM(CASE WHEN avg_log_write_percent >= 40 THEN 1 ELSE 0 END) * 1.0) / COUNT(database_name) AS 'Log Write Fit Percent' ,(COUNT(database_name) - SUM(CASE WHEN avg_data_io_percent >= 40 THEN 1 ELSE 0 END) * 1.0) / COUNT(database_name) AS 'Physical Data IO Fit Percent' FROM sys.resource_stats WHERE database_name = 'userdb1' AND start_time > DATEADD(day, -7, GETDATE()); - + Based on your database service level objective (SLO), you can decide whether your workload fits into the lower performance level. If your database workload SLO is 99.9 percent and the preceding query returns values greater than 99.9 percent for all three resource dimensions, your workload likely fits into the lower performance level. - + Looking at the fit percentage also gives you insight into whether you should move to the next higher performance level to meet your SLO. For example, userdb1 shows the following CPU use for the past week: - + | Average CPU percent | Maximum CPU percent | | --- | --- | | 24.5 |100.00 | - + The average CPU is about a quarter of the limit of the performance level, which would fit well into the performance level of the database. But, the maximum value shows that the database reaches the limit of the performance level. Do you need to move to the next higher performance level? Look at how many times your workload reaches 100 percent, and then compare it to your database workload SLO. 
- + SELECT (COUNT(database_name) - SUM(CASE WHEN avg_cpu_percent >= 100 THEN 1 ELSE 0 END) * 1.0) / COUNT(database_name) AS 'CPU fit percent' ,(COUNT(database_name) - SUM(CASE WHEN avg_log_write_percent >= 100 THEN 1 ELSE 0 END) * 1.0) / COUNT(database_name) AS 'Log write fit percent' ,(COUNT(database_name) - SUM(CASE WHEN avg_data_io_percent >= 100 THEN 1 ELSE 0 END) * 1.0) / COUNT(database_name) AS 'Physical data I/O fit percent' FROM sys.resource_stats WHERE database_name = 'userdb1' AND start_time > DATEADD(day, -7, GETDATE()); - + If this query returns a value less than 99.9 percent for any of the three resource dimensions, consider either moving to the next higher performance level or use application-tuning techniques to reduce the load on the SQL database. 4. This exercise also considers your projected workload increase in the future. @@ -396,8 +396,8 @@ You can see the effect in the **sys.resource_stats** table (there is a delay fro > [!NOTE] > Although the volume in this example is intentionally small, the effect of suboptimal parameters can be substantial, especially on larger databases. The difference, in extreme cases, can be between seconds for fast cases and hours for slow cases. -> -> +> +> You can examine **sys.resource_stats** to determine whether the resource for a test uses more or fewer resources than another test. When you compare data, separate the timing of tests so that they are not in the same 5-minute window in the **sys.resource_stats** view. The goal of the exercise is to minimize the total amount of resources used, and not to minimize the peak resources. Generally, optimizing a piece of code for latency also reduces resource consumption. Make sure that the changes you make to an application are necessary, and that the changes don't negatively affect the customer experience for someone who might be using query hints in the application. 
@@ -408,8 +408,8 @@ Because Azure SQL Database runs on commodity hardware, the capacity limits for a > [!NOTE] > SQL Database now provides a library to assist with sharding. For more information, see [Elastic Database client library overview](sql-database-elastic-database-client-library.md). -> -> +> +> For example, if a database has customer name, order, and order details (like the traditional example Northwind database that ships with SQL Server), you could split this data into multiple databases by grouping a customer with the related order and order detail information. You can guarantee that the customer's data stays in a single database. The application would split different customers across databases, effectively spreading the load across multiple databases. With sharding, customers not only can avoid the maximum database size limit, but Azure SQL Database also can process workloads that are significantly larger than the limits of the different performance levels, as long as each individual database fits into its DTU. @@ -432,4 +432,3 @@ Some database applications have read-heavy workloads. Caching layers might reduc * For more information about service tiers, see [SQL Database options and performance](sql-database-service-tiers.md) * For more information about elastic pools, see [What is an Azure elastic pool?](sql-database-elastic-pool.md) * For information about performance and elastic pools, see [When to consider an elastic pool](sql-database-elastic-pool-guidance.md) - diff --git a/articles/sql-database/sql-database-point-in-time-restore-powershell.md b/articles/sql-database/sql-database-point-in-time-restore-powershell.md index cece618a667b6..c962b4b3951d4 100644 --- a/articles/sql-database/sql-database-point-in-time-restore-powershell.md +++ b/articles/sql-database/sql-database-point-in-time-restore-powershell.md 
@@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-restore-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-restore-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-recovery-using-backups.md b/articles/sql-database/sql-database-recovery-using-backups.md index c21d651a49a0e..018a3e96d6424 100644 --- a/articles/sql-database/sql-database-recovery-using-backups.md +++ b/articles/sql-database/sql-database-recovery-using-backups.md @@ -51,7 +51,7 @@ The recovery time to restore a database using automated database backups is impa ## Point-In-Time Restore -You can restore an existing database to an earlier point in time as a new database on the same logical server using the [Azure portal](sql-database-point-in-time-restore-portal.md), [PowerShell](sql-database-point-in-time-restore-powershell.md), or the [REST API](https://msdn.microsoft.com/library/azure/mt163685.aspx). +You can restore an existing database to an earlier point in time as a new database on the same logical server using the [Azure portal](sql-database-point-in-time-restore-portal.md), [PowerShell](scripts/sql-database-restore-database-powershell.md), or the [REST API](https://msdn.microsoft.com/library/azure/mt163685.aspx). > [!IMPORTANT] > You cannot overwrite the existing database during restore. 
@@ -65,7 +65,7 @@ You generally restore a database to an earlier point for recovery purposes. When * ***Data recovery:*** If you plan to retrieve data from the restored database to recover from a user or application error, you need to write and execute the necessary data recovery scripts to extract data from the restored database to the original database. Although the restore operation may take a long time to complete, the restoring database is visible in the database list throughout the restore process. If you delete the database during the restore, the restore operation is canceled and you are not charged for the database that did not complete the restore. ## Deleted database restore -You can restore a deleted database to the deletion time for a deleted database on the same logical server using the [Azure portal](sql-database-restore-deleted-database-portal.md), [PowerShell](sql-database-restore-deleted-database-powershell.md), or the [REST (createMode=Restore)](https://msdn.microsoft.com/library/azure/mt163685.aspx). +You can restore a deleted database to the deletion time for a deleted database on the same logical server using the [Azure portal](sql-database-restore-deleted-database-portal.md), [PowerShell](scripts/sql-database-restore-database-powershell.md), or the [REST (createMode=Restore)](https://msdn.microsoft.com/library/azure/mt163685.aspx). > [!IMPORTANT] > If you delete an Azure SQL Database server instance, all its databases are also deleted and cannot be recovered. There is currently no support for restoring a deleted server. 
@@ -90,8 +90,8 @@ As previously discussed, in addition to the Azure portal, database recovery can ### PowerShell | Cmdlet | Description | | --- | --- | -| [Get-AzureRmSqlDatabase](https://msdn.microsoft.com/en-us/library/azure/mt603648.aspx) |Gets one or more databases. | -| [Get-AzureRMSqlDeletedDatabaseBackup](https://msdn.microsoft.com/en-us/library/azure/mt693387.aspx) |Gets a deleted database that you can restore. | +| [Get-AzureRmSqlDatabase](https://msdn.microsoft.com/library/azure/mt603648.aspx) |Gets one or more databases. | +| [Get-AzureRMSqlDeletedDatabaseBackup](https://msdn.microsoft.com/library/azure/mt693387.aspx) |Gets a deleted database that you can restore. | | [Get-AzureRmSqlDatabaseGeoBackup](https://msdn.microsoft.com/library/azure/mt693388.aspx) |Gets a geo-redundant backup of a database. | | [Restore-AzureRmSqlDatabase](https://msdn.microsoft.com/library/azure/mt693390.aspx) |Restores a SQL database. | | | | diff --git a/articles/sql-database/sql-database-resource-limits.md b/articles/sql-database/sql-database-resource-limits.md index 9de0999272cfa..f8e351a495cb0 100644 --- a/articles/sql-database/sql-database-resource-limits.md +++ b/articles/sql-database/sql-database-resource-limits.md 
@@ -48,7 +48,7 @@ For a single database, the limits of a database are defined by the database serv [!INCLUDE [SQL DB service tiers table](../../includes/sql-database-service-tiers-table.md)] > [!IMPORTANT] -> Customers using P11 and P15 performance levels can use up to 4 TB of included storage at no additional charge. This 4 TB option is currently in public preview in the following regions: US East2, West US, West Europe, South East Asia, Japan East, Australia East, Canada Central, and Canada East. For current limitations, see [Current 4 TB limitations](sql-database-service-tiers.md#current-limitations-of-p11-and-p15-databases-with-4-tb-maxsize) +> Customers using P11 and P15 performance levels can use up to 4 TB of included storage at no additional charge. This 4 TB option is currently in public preview in the following regions: US East2, West US, West Europe, South East Asia, Japan East, Australia East, Canada Central, and Canada East. > ### Elastic pools 
@@ -66,7 +66,7 @@ For an expanded definition of each resource listed in the previous tables, see t | DTUs per server |45000 |45000 DTUs are allowed per server on V12 servers for provisioning standalone databases and elastic pools. The total number of standalone databases and pools allowed per server is limited only by the number of server DTUs. > [!IMPORTANT] -> Azure SQL Database Automated Export is now in preview and will be retired on March 1, 2017. Starting December 1st, 2016, you will no longer be able to configure automated export on any SQL database. All your existing automated export jobs will continue to work until March 1st, 2017. After December 1st, 2016, you can use [long-term backup retention](sql-database-long-term-retention.md) or [Azure Automation](../automation/automation-intro.md) to archive SQL databases periodically using PowerShell periodically according to a schedule of your choice. For a sample script, you can download the [sample script from Github](https://github.com/Microsoft/sql-server-samples/tree/master/samples/manage/azure-automation-automated-export). +> Azure SQL Database Automated Export is now in preview and will be retired on March 1, 2017. Starting December 1st, 2016, you will no longer be able to configure automated export on any SQL database. All your existing automated export jobs will continue to work until March 1st, 2017. After December 1st, 2016, you can use [long-term backup retention](sql-database-long-term-retention.md) or [Azure Automation](../automation/automation-intro.md) to archive SQL databases periodically using PowerShell periodically according to a schedule of your choice. For a sample script, you can download the [sample script from Github](https://github.com/Microsoft/sql-server-samples/tree/master/samples/manage/azure-automation-automated-export). 
> @@ -76,4 +76,3 @@ For an expanded definition of each resource listed in the previous tables, see t [Azure SQL Database Service Tiers and Performance Levels](sql-database-service-tiers.md) [Error messages for SQL Database client programs](sql-database-develop-error-messages.md) - diff --git a/articles/sql-database/sql-database-restore-database-portal.md b/articles/sql-database/sql-database-restore-database-portal.md index 87e86d5883495..58806a9bbb732 100644 --- a/articles/sql-database/sql-database-restore-database-portal.md +++ b/articles/sql-database/sql-database-restore-database-portal.md 
@@ -1,83 +1,3 @@ --- -title: 'Azure portal: Restore a Azure SQL database | Microsoft Docs' -description: Restore an Azure SQL database (Azure portal). -services: sql-database -documentationcenter: '' -author: stevestein -manager: jhubbard -editor: '' - -ms.assetid: 33b0c9e6-1cd2-4fd9-9b0d-70ecf6e54821 -ms.service: sql-database -ms.custom: business continuity -ms.devlang: NA -ms.date: 10/12/2016 -ms.author: sstein -ms.workload: NA -ms.topic: article -ms.tgt_pltfrm: NA - ---- -# Restore an Azure SQL database using the Azure portal - -The following steps show how to restore an Azure SQL database to a point-in-time, from a deleted database, and from a geo-redundant backup. - -## Restore an Azure SQL database to a previous point in time - -> [!TIP] -> For a tutorial, see [Get Started with Backup and Restore for data protection and recovery](sql-database-get-started-backup-recovery-portal.md) -> - -Select a database to restore in the Azure portal: - -1. Open the [Azure portal](https://portal.azure.com). -2. On the left side of the screen, select **More services** > **SQL databases**. -3. Click the database you want to restore. -4. At the top of your database's page, select **Restore**: - - ![Restore an Azure SQL database](./media/sql-database-point-in-time-restore-portal/restore.png) -5. On the **Restore** page, select the date and time (in UTC time) to restore the database to, and then click **OK**: - - ![Restore an Azure SQL database](./media/sql-database-point-in-time-restore-portal/restore-details.png) - -6. After clicking **OK** in the previous step, click the notification icon at the upper right of the page, and click the **Restoring SQL database** notification for details. - - ![Restore an Azure SQL database](./media/sql-database-point-in-time-restore-portal/notification-icon.png) -7. The Restoring SQL database page opens with information about the status of the restore. 
You can click the line-item for more details: - - ![Restore an Azure SQL database](./media/sql-database-point-in-time-restore-portal/inprogress.png) - - -## Restore a deleted Azure SQL database from backups -To restore a deleted database in the Azure portal: - -1. In the [Azure portal](https://portal.azure.com), click **More services** > **SQL servers**. -2. Select the server that contained the database you want to restore. -3. Scroll down to the **operations** section of your server blade and select **Deleted databases**: - ![Restore an Azure SQL database](./media/sql-database-restore-deleted-database-portal/restore-deleted-trashbin.png) -4. Select the database you want to restore. -5. Specify a database name, and click **OK**: - - ![Restore an Azure SQL database](./media/sql-database-restore-deleted-database-portal/restore-deleted.png) - -## Restore an Azure SQL database from a geo-redundant backup - -To geo-restore a database in the Azure portal, do the following steps: - -1. Go to the [Azure portal](https://portal.azure.com). -2. On the left side of the screen select **+New** > **Databases** > **SQL Database**: - - ![Restore an Azure SQL database](./media/sql-database-geo-restore-portal/new-sql-database.png) -3. Select **Backup** as the source, and then select the backup you want to restore. Specify a database name, a server you want to restore the database into, and then click **Create**: - - ![Restore an Azure SQL database](./media/sql-database-geo-restore-portal/geo-restore.png) - -4. Monitor the status of the restore operation by clicking the notification icon in the upper right of the page. 
- -## Next steps -* For a business continuity overview and scenarios, see [Business continuity overview](sql-database-business-continuity.md) -* To learn about Azure SQL Database automated backups, see [SQL Database automated backups](sql-database-automated-backups.md) -* To learn about using automated backups for recovery, see [restore a database from the service-initiated backups](sql-database-recovery-using-backups.md) -* To learn about faster recovery options, see [Active-Geo-Replication](sql-database-geo-replication-overview.md) -* To learn about using automated backups for archiving, see [database copy](sql-database-copy.md) - +redirect_url: /azure/sql-database/sql-database-get-started-backup-recovery-portal +--- \ No newline at end of file diff --git a/articles/sql-database/sql-database-restore-deleted-database-powershell.md b/articles/sql-database/sql-database-restore-deleted-database-powershell.md index 40f4d885aa3b7..99d440d3ab895 100644 --- a/articles/sql-database/sql-database-restore-deleted-database-powershell.md +++ b/articles/sql-database/sql-database-restore-deleted-database-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-restore-database-powershell +redirect_url: /azure/sql-database/scripts/sql-database-restore-database-powershell --- \ No newline at end of file diff --git a/articles/sql-database/sql-database-scale-up-powershell.md b/articles/sql-database/sql-database-scale-up-powershell.md index b5f908de011ed..f0d30d62e96f9 100644 --- a/articles/sql-database/sql-database-scale-up-powershell.md +++ b/articles/sql-database/sql-database-scale-up-powershell.md @@ -1,3 +1,3 @@ --- -redirect_url: /azure/sql-database/sql-database-manage-single-databases-powershell +redirect_url: /azure/sql-database/scripts/sql-database-manage-single-databases-powershell --- \ No newline at end of file 
diff --git a/articles/sql-database/sql-database-service-tiers.md b/articles/sql-database/sql-database-service-tiers.md index 0b5bd1e572ee5..e39daa85d467c 100644 --- a/articles/sql-database/sql-database-service-tiers.md +++ b/articles/sql-database/sql-database-service-tiers.md @@ -57,7 +57,7 @@ First decide if you want to run a single database with a defined amount of dedic Once you have determined the minimum service tier, you are ready to determine the performance level for the database (the number of DTUs). The standard S2 and S3 performance levels are often a good starting point. For databases with high CPU or IO requirements, the Premium performance levels are the right starting point. Premium offers more CPU and starts at 10x more IO compared to the highest Standard performance level. ## Single database service tiers and performance levels -For single databases, there are multiple performance levels within each service tier. You have the flexibility to choose the level that best meets your workload’s demands using the [Azure portal](sql-database-manage-single-databases-portal.md), [PowerShell](sql-database-manage-single-databases-powershell.md), [Transact-SQL](sql-database-manage-single-databases-tsql.md), C#, and the REST API. +For single databases, there are multiple performance levels within each service tier. You have the flexibility to choose the level that best meets your workload’s demands using the [Azure portal](sql-database-manage-single-databases-portal.md), [PowerShell](scripts/sql-database-monitor-and-scale-database-powershell.md), [Transact-SQL](sql-database-manage-single-databases-tsql.md), C#, and the REST API. Regardless of the number of databases hosted, your database gets a guaranteed set of resources and the expected performance characteristics of your database are not affected. 
@@ -69,7 +69,7 @@ Regardless of the number of databases hosted, your database gets a guaranteed se ## Scaling up or scaling down a single database -After initially picking a service tier and performance level, you can scale a single database up or down dynamically based on actual experience. If you need to scale up or down, you can easily change the tiers of your database using the [Azure portal](sql-database-manage-single-databases-portal.md), [PowerShell](sql-database-manage-single-databases-powershell.md), [Transact-SQL](sql-database-manage-single-databases-tsql.md), C#, and the REST API. +After initially picking a service tier and performance level, you can scale a single database up or down dynamically based on actual experience. If you need to scale up or down, you can easily change the tiers of your database using the [Azure portal](sql-database-manage-single-databases-portal.md), [PowerShell](scripts/sql-database-monitor-and-scale-database-powershell.md), [Transact-SQL](sql-database-manage-single-databases-tsql.md), C#, and the REST API. > [!VIDEO https://channel9.msdn.com/Blogs/Azure/Azure-SQL-Database-dynamically-scale-up-or-scale-down/player] 
> @@ -85,7 +85,7 @@ The duration of the entire scale-up process depends on both the size and service * The new properties for the database are not applied until the changes are complete. > [!IMPORTANT] -> For detailed steps, see [Manage a single database in the Azure portal](sql-database-manage-single-databases-portal.md), [Manage a single database with PowerShell](sql-database-manage-single-databases-powershell.md), or [Manage a single database with Transact-SQL](sql-database-manage-single-databases-tsql.md). +> For detailed steps, see [Manage a single database in the Azure portal](sql-database-manage-single-databases-portal.md), [Manage a single database with PowerShell](scripts/sql-database-monitor-and-scale-database-powershell.md), or [Manage a single database with Transact-SQL](sql-database-manage-single-databases-tsql.md). > ## Elastic pool service tiers and performance in eDTUs 
@@ -105,7 +105,7 @@ After initially picking a service tier and performance level, you can scale the * Changing the min eDTUs per database or max eDTUs per database typically completes in five minutes or less. * Time to change the pool size (eDTUs) depends on the combined size of all databases in the pool. Changes average 90 minutes or less per 100 GB. For example, if the total space of all databases in the pool is 200 GB, then the expected latency for changing the pool eDTU per pool is 3 hours or less. -For detailed steps, see [Manage an elastic pool in the Azure portal](sql-database-elastic-pool-manage-portal.md), [Manage an elastic pool with Powershell](sql-database-elastic-pool-manage-powershell.md), [Manage an elastic pool with Transact-SQL](sql-database-elastic-pool-manage-tsql.md), or [Manage an elastic pool with C#](sql-database-elastic-pool-manage-csharp.md). +For detailed steps, see [Manage an elastic pool in the Azure portal](sql-database-elastic-pool-manage-portal.md), [Manage an elastic pool with Powershell](scripts/sql-database-monitor-and-scale-pool-powershell.md), [Manage an elastic pool with Transact-SQL](sql-database-elastic-pool-manage-tsql.md), or [Manage an elastic pool with C#](sql-database-elastic-pool-manage-csharp.md). ## Creating or upgrading to 4TB diff --git a/articles/traffic-manager/traffic-manager-routing-methods.md b/articles/traffic-manager/traffic-manager-routing-methods.md index 8cd7e7bafb152..d7f90c2098eb0 100644 --- a/articles/traffic-manager/traffic-manager-routing-methods.md +++ b/articles/traffic-manager/traffic-manager-routing-methods.md 
@@ -79,7 +79,7 @@ The 'closest' endpoint is not necessarily closest as measured by geographic dist Traffic Manager looks up the source IP address of the incoming DNS request in the Internet Latency Table. Traffic Manager chooses an available endpoint in the Azure datacenter that has the lowest latency for that IP address range, then returns that endpoint in the DNS response. -As explained in [How Traffic Manager Works](traffic-manager-how-traffic-manager-works.md), Traffic Manager does not receive DNS queries directly from clients. Rather, DNS queries come from the recursive DNS service that the clients are configured to use. Therefore, the IP address used to determine the 'closest' endpoint is not the client's IP address, but it is the IP address of the recursive DNS service. In practice, this IP address is a good proxy for the client. +As explained in [How Traffic Manager Works](traffic-manager-overview.md#how-traffic-manager-works), Traffic Manager does not receive DNS queries directly from clients. Rather, DNS queries come from the recursive DNS service that the clients are configured to use. Therefore, the IP address used to determine the 'closest' endpoint is not the client's IP address, but it is the IP address of the recursive DNS service. In practice, this IP address is a good proxy for the client. Traffic Manager regularly updates the Internet Latency Table to account for changes in the global Internet and new Azure regions. However, application performance varies based on real-time variations in load across the Internet. Performance traffic-routing does not monitor load on a given service endpoint. However, if an endpoint becomes unavailable, Traffic Manager does not include it in DNS query responses. diff --git a/articles/virtual-machines/virtual-machines-linux-sap-dbms-guide.md b/articles/virtual-machines/virtual-machines-linux-sap-dbms-guide.md index 68621abf09e1c..15295e22220ec 100644 
--- a/articles/virtual-machines/virtual-machines-linux-sap-dbms-guide.md +++ b/articles/virtual-machines/virtual-machines-linux-sap-dbms-guide.md @@ -322,8 +322,8 @@ Throughout the document we will use the following terms: > [!NOTE] > Cross-Premises deployments of SAP systems where Azure Virtual Machines running SAP systems are members of an on-premises domain are supported for production SAP systems. Cross-Premises configurations are supported for deploying parts or complete SAP landscapes into Azure. Even running the complete SAP landscape in Azure requires having those VMs being part of on-premises domain and ADS. In former versions of the documentation we talked about Hybrid-IT scenarios, where the term ‘Hybrid’ is rooted in the fact that there is a cross-premises connectivity between on-premises and Azure. In this case ‘Hybrid’ also means that the VMs in Azure are part of the on-premises Active Directory. -> -> +> +> Some Microsoft documentation describes Cross-Premises scenarios a bit differently, especially for DBMS HA configurations. In the case of the SAP related documents, the Cross-Premises scenario just boils down to having a site-to-site or private (ExpressRoute) connectivity and to the fact that the SAP landscape is distributed between on-premises and Azure. 
@@ -356,8 +356,8 @@ You should have a working knowledge about the Microsoft Azure Architecture and h > [!NOTE] > We are **not** discussing Microsoft Azure Platform as a Service (PaaS) offerings of the Microsoft Azure Platform. This paper is about running a database management system (DBMS) in Microsoft Azure Virtual Machines (IaaS) just as you would run the DBMS in your on-premises environment. Database capabilities and functionalities between these two offers are very different and should not be mixed up with each other. See also: -> -> +> +> Since we are discussing IaaS, in general the Windows, Linux and DBMS installation and configuration are essentially the same as any virtual machine or bare metal machine you would install on-premises. However, there are some architecture and system management implementation decisions which will be different when utilizing IaaS. The purpose of this document is to explain the specific architectural and system management differences that you must be prepared for when using IaaS. 
@@ -373,7 +373,7 @@ In general, the overall areas of difference that this paper will discuss are: ## Structure of a RDBMS Deployment In order follow this chapter, it is necessary to understand what was presented in [this][deployment-guide-3] chapter of the [Deployment Guide][deployment-guide]. Knowledge about the different VM-Series and their differences and differences of Azure Standard and Premium Storage should be understood and known before reading this chapter. -Until March 2015, Azure VHDs which contain an operating system were limited to 127 GB in size. This limitation got lifted in March 2015 (for more information check ). From there on VHDs containing the operating system can have the same size as any other VHD. Nevertheless, we still prefer a structure of deployment where the operating system, DBMS and eventual SAP binaries are separate from the database files. Therefore, we expect SAP systems running in Azure Virtual Machines will have the base VM (or VHD) installed with the operating system, database management system executables and SAP executables. The DBMS data and log files will be stored in Azure Storage (Standard or Premium Storage) in separate VHD files and attached as logical disks to the original Azure operating system image VM. +Until March 2015, Azure VHDs which contain an operating system were limited to 127 GB in size. This limitation got lifted in March 2015 (for more information check ). From there on VHDs containing the operating system can have the same size as any other VHD. Nevertheless, we still prefer a structure of deployment where the operating system, DBMS and eventual SAP binaries are separate from the database files. Therefore, we expect SAP systems running in Azure Virtual Machines will have the base VM (or VHD) installed with the operating system, database management system executables and SAP executables. 
The DBMS data and log files will be stored in Azure Storage (Standard or Premium Storage) in separate VHD files and attached as logical disks to the original Azure operating system image VM. Dependent on leveraging Azure Standard or Premium Storage (e.g. by using the DS-series or GS-series VMs) there are other quotas in Azure which are documented [here][virtual-machines-sizes]. When planning your Azure VHDs, you’ll need to find the best balance of the quotas for the following: @@ -392,14 +392,14 @@ The placement of the database files and log files and the type of Azure Storage - - - > ![Windows][Logo_Windows] Windows -> +> > Drive D:\ in an Azure VM is a non-persisted drive which is backed by some local disks on the Azure compute node. Because it is non-persisted, this means that any changes made to the content on the D:\ drive is lost when the VM is rebooted. By "any changes", we mean saved files, directories created, applications installed, etc. -> +> > ![Linux][Logo_Linux] Linux -> +> > Linux Azure VMs automatically mount a drive at /mnt/resource which is a non-persisted drive backed by local disks on the Azure compute node. Because it is non-persisted, this means that any changes made to content in /mnt/resource is lost when the VM is rebooted. By any changes, we mean files saved, directories created, applications installed, etc. -> -> +> +> - - - Dependent on the Azure VM-series, the local disks on the compute node show different performance which can be categorized like: 
@@ -432,29 +432,29 @@ For Azure Premium Storage the following caching options exist: Recommendation for Azure Premium Storage is to leverage **Read caching for data files** of the SAP database and chose **No caching for the VHD(s) of log file(s)**. ### Software RAID -As already stated above, you will need to balance the number of IOPS needed for the database files across the number of VHDs you can configure and the maximum IOPS an Azure VM will provide per VHD or Premium Storage disk type. Easiest way to deal with the IOPS load over VHDs is to build a software RAID over the different VHDs. Then place a number of data files of the SAP DBMS on the LUNS carved out of the software RAID. Dependent on the requirements you might want to consider the usage of Premium Storage as well since two of the three different Premium Storage disks provide higher IOPS quota than VHDs based on Standard Storage. Besides the significant better I/O latency provided by Azure Premium Storage. +As already stated above, you will need to balance the number of IOPS needed for the database files across the number of VHDs you can configure and the maximum IOPS an Azure VM will provide per VHD or Premium Storage disk type. Easiest way to deal with the IOPS load over VHDs is to build a software RAID over the different VHDs. Then place a number of data files of the SAP DBMS on the LUNS carved out of the software RAID. Dependent on the requirements you might want to consider the usage of Premium Storage as well since two of the three different Premium Storage disks provide higher IOPS quota than VHDs based on Standard Storage. Besides the significant better I/O latency provided by Azure Premium Storage. Same applies to the transaction log of the different DBMS systems. With a lot of them just adding more Tlog files does not help since the DBMS systems write into one of the files at a time only. 
If higher IOPS rates are needed than a single Standard Storage based VHD can deliver, you can stripe over multiple Standard Storage VHDs or you can use a larger Premium Storage disk type that beyond higher IOPS rates also delivers factors lower latency for the write I/Os into the transaction log. Situations experienced in Azure deployments which would favor using a software RAID are: * Transaction Log/Redo Log require more IOPS than Azure provides for a single VHD. As mentioned above this can be solved by building a LUN over multiple VHDs using a software RAID. -* Uneven I/O workload distribution over the different data files of the SAP database. In such cases one can experience one data file hitting the quota rather often. Whereas other data files are not even getting close to the IOPS quota of a single VHD. In such cases the easiest solution is to build one LUN over multiple VHDs using a software RAID. +* Uneven I/O workload distribution over the different data files of the SAP database. In such cases one can experience one data file hitting the quota rather often. Whereas other data files are not even getting close to the IOPS quota of a single VHD. In such cases the easiest solution is to build one LUN over multiple VHDs using a software RAID. * You don’t know what the exact I/O workload per data file is and only roughly know what the overall IOPS workload against the DBMS is. Easiest to do is to build one LUN with the help of a software RAID. The sum of quotas of multiple VHDs behind this LUN should then fulfill the known IOPS rate. - - - > ![Windows][Logo_Windows] Windows -> +> > Usage of Windows Server 2012 or higher Storage Spaces is preferable since it is more efficient than Windows Striping of earlier Windows versions. Please be aware that you might need to create the Windows Storage Pools and Storage Spaces by PowerShell commands when using Windows Server 2012 as Operating System. 
The PowerShell commands can be found here -> +> > ![Linux][Logo_Linux] Linux -> +> > Only MDADM and LVM (Logical Volume Manager) are supported to build a software RAID on Linux. For more information, read the following articles: -> +> > * [Configure Software RAID on Linux][virtual-machines-linux-configure-raid] (for MDADM) > * [Configure LVM on a Linux VM in Azure][virtual-machines-linux-configure-lvm] -> -> +> +> - - - Considerations for leveraging VM-series which are able to work with Azure Premium Storage usually are: 
@@ -473,7 +473,7 @@ Microsoft Azure Storage will store the base VM (with OS) and VHDs or BLOBs to at Azure Storage Local Replication (Locally Redundant) provides levels of protection against data loss due to infrastructure failure that few customers could afford to deploy. As shown above there are 4 different options with a fifth being a variation of one of the first three. Looking closer at them we can distinguish: * **Premium Locally Redundant Storage (LRS)**: Azure Premium Storage delivers high-performance, low-latency disk support for virtual machines running I/O-intensive workloads. There are 3 replicas of the data within the same Azure datacenter of an Azure region. The copies will be in different Fault and Upgrade Domains (for concepts see [this][planning-guide-3.2] chapter in the [Planning Guide][planning-guide]). In case of a replica of the data going out of service due to a storage node failure or disk failure, a new replica is generated automatically. -* **Locally Redundant Storage (LRS)**: In this case there are 3 replicas of the data within the same Azure datacenter of an Azure region. The copies will be in different Fault and Upgrade Domains (for concepts see [this][planning-guide-3.2] chapter in the [Planning Guide][planning-guide]). In case of a replica of the data going out of service due to a storage node failure or disk failure, a new replica is generated automatically. +* **Locally Redundant Storage (LRS)**: In this case there are 3 replicas of the data within the same Azure datacenter of an Azure region. The copies will be in different Fault and Upgrade Domains (for concepts see [this][planning-guide-3.2] chapter in the [Planning Guide][planning-guide]). In case of a replica of the data going out of service due to a storage node failure or disk failure, a new replica is generated automatically. 
* **Geo Redundant Storage (GRS)**: In this case there is an asynchronous replication that will feed an additional 3 replicas of the data in another Azure Region which is in most of the cases in the same geographical region (like North Europe and West Europe). This will result in 3 additional replicas, so that there are 6 replicas in sum. A variation of this is an addition where the data in the geo replicated Azure region can be used for read purposes (Read-Access Geo-Redundant). * **Zone Redundant Storage (ZRS)**: In this case the 3 replicas of the data remain in the same Azure Region. As explained in [this][planning-guide-3.1] chapter of the [Planning Guide][planning-guide] an Azure region can be a number of datacenters in close proximity. In the case of LRS the replicas would be distributed over the different datacenters that make one Azure region. 
@@ -481,16 +481,16 @@ More information can be found [here][storage-redundancy]. > [!NOTE] > For DBMS deployments, the usage of Geo Redundant Storage is not recommended -> -> Azure Storage Geo-Replication is asynchronous. Replication of individual VHDs mounted to a single VM are not synchronized in lock step. Therefore, it is not suitable to replicate DBMS files that are distributed over different VHDs or deployed against a software RAID based on multiple VHDs. DBMS software requires that the persistent disk storage is precisely synchronized across different LUNs and underlying disks/VHDs/spindles. DBMS software uses various mechanisms to sequence IO write activities and a DBMS will report that the disk storage targeted by the replication is corrupted if these vary even by a few milliseconds. Hence if one really wants a database configuration with a database stretched across multiple VHDs geo-replicated, such a replication needs to be performed with database means and functionality. One should not rely on Azure Storage Geo-Replication to perform this job. -> +> +> Azure Storage Geo-Replication is asynchronous. Replication of individual VHDs mounted to a single VM are not synchronized in lock step. Therefore, it is not suitable to replicate DBMS files that are distributed over different VHDs or deployed against a software RAID based on multiple VHDs. DBMS software requires that the persistent disk storage is precisely synchronized across different LUNs and underlying disks/VHDs/spindles. DBMS software uses various mechanisms to sequence IO write activities and a DBMS will report that the disk storage targeted by the replication is corrupted if these vary even by a few milliseconds. Hence if one really wants a database configuration with a database stretched across multiple VHDs geo-replicated, such a replication needs to be performed with database means and functionality. One should not rely on Azure Storage Geo-Replication to perform this job. 
+> > The problem is simplest to explain with an example system. Let’s assume you have an SAP system uploaded into Azure which has 8 VHDs containing data files of the DBMS plus one VHD containing the transaction log file. Each one of these 9 VHDs will have data written to them in a consistent method according to the DBMS, whether the data is being written to the data or transaction log files. -> +> > In order to properly geo-replicate the data and maintain a consistent database image, the content of all nine VHDs would have to be geo-replicated in the exact order the I/O operations were executed against the nine different VHDs. However, Azure Storage geo-replication does not allow to declare dependencies between VHDs. This means Microsoft Azure Storage geo-replication doesn’t know about the fact that the content in these nine different VHDs are related to each other and that the data changes are consistent only when replicating in the order the I/O operations happened across all the 9 VHDs. -> +> > Besides chances being high that the geo-replicated images in the scenario do not provide a consistent database image, there also is a performance penalty that shows up with geo redundant storage that can severely impact performance. In summary do not use this type of storage redundancy for DBMS type workloads. -> -> +> +> #### Mapping VHDs into Azure Virtual Machine Service Storage Accounts An Azure Storage Account is not only an administrative construct, but also a subject of limitations. Whereas the limitations vary on whether we talk about an Azure Standard Storage Account or an Azure Premium Storage Account. The exact capabilities and limitations are listed [here][storage-scalability-targets] 
@@ -499,7 +499,7 @@ So for Azure Standard Storage it is important to note there is a limit on the IO For Azure Standard Storage it is not recommended to present storage from different storage accounts to a single VM if possible. -Whereas using the DS or GS-series of Azure VMs it is possible to mount VHDs out of Azure Standard Storage Accounts and Premium Storage Accounts. Use cases like writing backups into Standard Storage backed VHDs whereas having DBMS data and log files on Premium Storage come to mind where such heterogeneous storage could be leveraged. +Whereas using the DS or GS-series of Azure VMs it is possible to mount VHDs out of Azure Standard Storage Accounts and Premium Storage Accounts. Use cases like writing backups into Standard Storage backed VHDs whereas having DBMS data and log files on Premium Storage come to mind where such heterogeneous storage could be leveraged. Based on customer deployments and testing around 30 to 40 VHDs containing database data files and log files can be provisioned on a single Azure Standard Storage Account with acceptable performance. As mentioned earlier, the limitation of an Azure Premium Storage Account is likely to be the data capacity it can hold and not IOPS. 
@@ -546,25 +546,25 @@ It needs to be configured by purpose when rolling out VMs as seen here: If we want to create highly available configurations of DBMS deployments (independent of the individual DBMS HA functionality used), the DBMS VMs would need to: * Add the VMs to the same Azure Virtual Network () -* The VMs of the HA configuration should also be in the same subnet. Name resolution between the different subnets is not possible in Cloud-Only deployments, only IP resolution will work. Using site-to-site or ExpressRoute connectivity for Cross-Premises deployments, a network with at least one subnet will be already established. Name resolution will be done according to the on-premises AD policies and network infrastructure. +* The VMs of the HA configuration should also be in the same subnet. Name resolution between the different subnets is not possible in Cloud-Only deployments, only IP resolution will work. Using site-to-site or ExpressRoute connectivity for Cross-Premises deployments, a network with at least one subnet will be already established. Name resolution will be done according to the on-premises AD policies and network infrastructure. [comment]: <> (MSSedusch TODO Test if still true in ARM) #### IP Addresses It is highly recommended to setup the VMs for HA configurations in a resilient way. Relying on IP addresses to address the HA partner(s) within the HA configuration is not reliable in Azure unless static IP addresses are used. There are two “Shutdown” concepts in Azure: -* Shut down through Azure Portal or Azure PowerShell cmdlet Stop-AzureRmVM: In this case the Virtual Machine gets shutdown and de-allocated. Your Azure account will no longer be charged for this VM so the only charges that will incur are for the storage used. However, if the private IP address of the network interface was not static, the IP address is released and it is not guaranteed that the network interface gets the old IP address assigned again after a restart of the VM. 
Performing the shut down through the Azure Portal or by calling Stop-AzureRmVM will automatically cause de-allocation. If you do not want to deallocat the machine use Stop-AzureRmVM -StayProvisioned +* Shut down through Azure Portal or Azure PowerShell cmdlet Stop-AzureRmVM: In this case the Virtual Machine gets shutdown and de-allocated. Your Azure account will no longer be charged for this VM so the only charges that will incur are for the storage used. However, if the private IP address of the network interface was not static, the IP address is released and it is not guaranteed that the network interface gets the old IP address assigned again after a restart of the VM. Performing the shut down through the Azure Portal or by calling Stop-AzureRmVM will automatically cause de-allocation. If you do not want to deallocat the machine use Stop-AzureRmVM -StayProvisioned * If you shut down the VM from an OS level, the VM gets shut down and NOT de-allocated. However, in this case, your Azure account will still be charged for the VM, despite the fact that it is shutdown. In such a case, the assignment of the IP address to a stopped VM will remain intact. Shutting down the VM from within will not automatically force de-allocation. -Even for Cross-Premises scenarios, by default a shutdown and de-allocation will mean de-assignment of the IP addresses from the VM, even if on-premises policies in DHCP settings are different. +Even for Cross-Premises scenarios, by default a shutdown and de-allocation will mean de-assignment of the IP addresses from the VM, even if on-premises policies in DHCP settings are different. * The exception is if one assigns a static IP address to a network interface as described [here][virtual-networks-reserved-private-ip]. * In such a case the IP address remains fixed as long as the network interface is not deleted. 
> [!IMPORTANT] > In order to keep the whole deployment simple and manageable, the clear recommendation is to setup the VMs partnering in a DBMS HA or DR configuration within Azure in a way that there is a functioning name resolution between the different VMs involved. -> -> +> +> ## Deployment of Host Monitoring For productive usage of SAP Applications in Azure Virtual Machines, SAP requires the ability to get host monitoring data from the physical hosts running the Azure Virtual Machines. A specific SAP HostAgent patch level will be required that enables this capability in SAPOSCOL and SAP HostAgent. The exact patch level is documented in SAP Note [1409604]. 
@@ -573,12 +573,12 @@ For the details regarding deployment of components that deliver host data to SAP ## Specifics to Microsoft SQL Server ### SQL Server IaaS -Starting with Microsoft Azure, you can easily migrate your existing SQL Server applications built on Windows Server platform to Azure Virtual Machines. SQL Server in a Virtual Machine enables you to reduce the total cost of ownership of deployment, management and maintenance of enterprise breadth applications by easily migrating these applications to Microsoft Azure. With SQL Server in an Azure Virtual Machine, administrators and developers can still use the same development and administration tools that are available on-premises. +Starting with Microsoft Azure, you can easily migrate your existing SQL Server applications built on Windows Server platform to Azure Virtual Machines. SQL Server in a Virtual Machine enables you to reduce the total cost of ownership of deployment, management and maintenance of enterprise breadth applications by easily migrating these applications to Microsoft Azure. With SQL Server in an Azure Virtual Machine, administrators and developers can still use the same development and administration tools that are available on-premises. > [!IMPORTANT] > Please note we are not discussing Microsoft Azure SQL Database which is a Platform as a Service offer of the Microsoft Azure Platform. The discussion in this paper is about running the SQL Server product as it is known for on-premises deployments in Azure Virtual Machines, leveraging the Infrastructure as a Service capability of Azure. Database capabilities and functionalities between these two offers are different and should not be mixed up with each other. See also: -> -> +> +> It is strongly recommended to review [this][virtual-machines-sql-server-infrastructure-services] documentation before continuing. 
@@ -588,9 +588,9 @@ There is some SQL Server in IaaS specific information you should know before con * **Virtual Machine SLA**: There is an SLA for Virtual Machines running in Azure which can be found here: * **SQL Version Support**: For SAP customers, we support SQL Server 2008 R2 and higher on Microsoft Azure Virtual Machine. Earlier editions are not supported. Review this general [Support Statement](https://support.microsoft.com/kb/956893) for more details. Please note that in general SQL Server 2008 is supported by Microsoft as well. However due to significant functionality for SAP which was introduced with SQL Server 2008 R2, SQL Server 2008 R2 is the minimum release for SAP. Keep in mind that SQL Server 2012 and 2014 got extended with deeper integration into the IaaS scenario (like backing up directly against Azure Storage). Therefore, we restrict this paper to SQL Server 2012 and 2014 with its latest patch level for Azure. -* **SQL Feature Support**: Most SQL Server features are supported on Microsoft Azure Virtual Machines with some exceptions. **SQL Server Failover Clustering using Shared Disks is not supported**. Distributed technologies like Database Mirroring, AlwaysOn Availability Groups, Replication, Log Shipping and Service Broker are supported within a single Azure Region. SQL Server AlwaysOn also is supported between different Azure Regions as documented here: . Review the [Support Statement](https://support.microsoft.com/kb/956893) for more details. An example on how to deploy an AlwaysOn configuration is shown in [this][virtual-machines-workload-template-sql-alwayson] article. Also, check out the Best Practices documented [here][virtual-machines-sql-server-infrastructure-services] +* **SQL Feature Support**: Most SQL Server features are supported on Microsoft Azure Virtual Machines with some exceptions. **SQL Server Failover Clustering using Shared Disks is not supported**. 
Distributed technologies like Database Mirroring, AlwaysOn Availability Groups, Replication, Log Shipping and Service Broker are supported within a single Azure Region. SQL Server AlwaysOn also is supported between different Azure Regions as documented here: . Review the [Support Statement](https://support.microsoft.com/kb/956893) for more details. An example on how to deploy an AlwaysOn configuration is shown in [this][virtual-machines-workload-template-sql-alwayson] article. Also, check out the Best Practices documented [here][virtual-machines-sql-server-infrastructure-services] * **SQL Performance**: We are confident that Microsoft Azure hosted Virtual Machines will perform very well in comparison to other public cloud virtualization offerings, but individual results may vary. Check out [this][virtual-machines-sql-server-performance-best-practices] article. -* **Using Images from Azure Marketplace**: The fastest way to deploy a new Microsoft Azure VM is to use an image from the Azure Marketplace. There are images in the Azure Marketplace which contain SQL Server. The images where SQL Server already is installed can’t be immediately used for SAP NetWeaver applications. The reason is the default SQL Server collation is installed within those images and not the collation required by SAP NetWeaver systems. In order to use such images, please check the steps documented in chapter [Using a SQL Server images out of the Microsoft Azure Marketplace][dbms-guide-5.6]. +* **Using Images from Azure Marketplace**: The fastest way to deploy a new Microsoft Azure VM is to use an image from the Azure Marketplace. There are images in the Azure Marketplace which contain SQL Server. The images where SQL Server already is installed can’t be immediately used for SAP NetWeaver applications. The reason is the default SQL Server collation is installed within those images and not the collation required by SAP NetWeaver systems. 
In order to use such images, please check the steps documented in chapter [Using a SQL Server images out of the Microsoft Azure Marketplace][dbms-guide-5.6]. * Check out [Pricing Details](https://azure.microsoft.com/pricing/) for more information. The [SQL Server 2012 Licensing Guide](https://download.microsoft.com/download/7/3/C/73CAD4E0-D0B5-4BE5-AB49-D5B886A5AE00/SQL_Server_2012_Licensing_Reference_Guide.pdf) and [SQL Server 2014 Licensing Guide](https://download.microsoft.com/download/B/4/E/B4E604D9-9D38-4BBA-A927-56E4C872E41C/SQL_Server_2014_Licensing_Guide.pdf) are also an important resource. ### SQL Server configuration guidelines for SAP related SQL Server installations in Azure VMs 
@@ -640,7 +640,7 @@ In order to store SQL Server data files directly on Azure Premium Storage, you n ### SQL Server 2014 Buffer Pool Extension SQL Server 2014 introduced a new feature which is called Buffer Pool Extension. This functionality extends the buffer pool of SQL Server which is kept in memory with a second level cache that is backed by local SSDs of a server or VM. This enables to keep a larger working set of data ‘in memory’. Compared to accessing Azure Standard Storage the access into the extension of the buffer pool which is stored on local SSDs of an Azure VM is many factors faster. Therefore, leveraging the local D:\ drive of the VM types that have excellent IOPS and throughput could be a very reasonable way to reduce the IOPS load against Azure Storage and improve response times of queries dramatically. This applies especially when not using Premium Storage. In case of Premium Storage and the usage of the Premium Azure Read Cache on the compute node, as recommended for data files, no big differences are expected. Reason is that both caches (SQL Server Buffer Pool Extension and Premium Storage Read Cache) are using the local disks of the compute nodes. -For more details about this functionality, please check this documentation: +For more details about this functionality, please check this documentation: ### Backup/Recovery considerations for SQL Server When deploying SQL Server into Azure your backup methodology must be reviewed. Even if the system is not a productive system, the SAP database hosted by SQL Server must be backed up periodically. Since Azure Storage keeps three images, a backup is now less important in respect to compensating a storage crash. The priority reason for maintaining a proper backup and recovery plan is more that you can compensate for logical/manual errors by providing point in time recovery capabilities. 
So the goal is to either use backups to restore the database back to a certain point in time or to use the backups in Azure to seed another system by copying the existing database. For example, you could transfer from a 2-Tier SAP configuration to a 3-Tier system setup of the same system by restoring a backup. @@ -672,7 +672,7 @@ In order not to mix up things between the 3 different types of backups, it is ad In the example above, the backups would not be performed into the same storage account where the VMs are deployed. There would be a new storage account specifically for the backups. Within the storage accounts, there would be different containers created with a matrix of the type of backup and the VM name. Such segmentation will make it easier to administrate the backups of the different VMs. -The BLOBs one directly writes the backups to, are not adding to the count of the VHDs of a VM. Hence one could maximize the maximum of VHDs mounted of the specific VM SKU for the data and transaction log file and still execute a backup against a storage container. +The BLOBs one directly writes the backups to, are not adding to the count of the VHDs of a VM. Hence one could maximize the maximum of VHDs mounted of the specific VM SKU for the data and transaction log file and still execute a backup against a storage container. #### SQL Server 2012 SP1 CU3 and earlier releases The first step you must perform in order to achieve a backup directly against Azure Storage would be to download the msi which is linked to [this](https://www.microsoft.com/download/details.aspx?id=40740) KBA article. 
@@ -683,7 +683,7 @@ Download the x64 installation file and the documentation. The file will install * The tool will allow you to define rules which can be used to direct different types of backups to different Azure Storage containers. * Once the rules are in place, the tool will redirect the write stream of the backup to one of the VHDs/disks to the Azure Storage location which was defined earlier. * The tool will leave a small stub file of a few KB size on the VHD/Disk which was defined for the SQL Server backup. **This file should be left on the storage location since it is required to restore again from Azure Storage.** - * If you have lost the stub file (e.g. through loss of the storage media that contained the stub file) and you have chosen the option of backing up to a Microsoft Azure Storage account, you may recover the stub file through Microsoft Azure Storage by downloading it from the storage container in which it was placed. You should then place the stub file into a folder on the local machine where the Tool is configured to detect and upload to the same container with the same encryption password if encryption was used with the original rule. + * If you have lost the stub file (e.g. through loss of the storage media that contained the stub file) and you have chosen the option of backing up to a Microsoft Azure Storage account, you may recover the stub file through Microsoft Azure Storage by downloading it from the storage container in which it was placed. You should then place the stub file into a folder on the local machine where the Tool is configured to detect and upload to the same container with the same encryption password if encryption was used with the original rule. This means the schema as described above for more recent releases of SQL Server can be put in place as well for SQL Server releases which are not allowing direct address an Azure Storage location. 
@@ -694,7 +694,7 @@ Other possibilities to backup databases is to attach additional VHDs to a VM tha A second possibility is to use a large VM that can have many VHDs attached. E.g. D14 with 32VHDs. Use Storage Spaces to build a flexible environment where you could build shares that are used then as backup targets for the different DBMS servers. -Some best practices got documented [here](https://blogs.msdn.com/b/sqlcat/archive/2015/02/26/large-sql-server-database-backup-on-an-azure-vm-and-archiving.aspx) as well. +Some best practices got documented [here](https://blogs.msdn.com/b/sqlcat/archive/2015/02/26/large-sql-server-database-backup-on-an-azure-vm-and-archiving.aspx) as well. #### Performance considerations for backups/restores As in bare-metal deployments, backup/restore performance is dependent on how many volumes can be read in parallel and what the throughput of those volumes might be. In addition, the CPU consumption used by backup compression may play a significant role on VMs with just up to 8 CPU threads. Therefore, one can assume: 
@@ -717,16 +717,16 @@ There is a requirement to manage the backups on your own. Since the expectation * Microsoft Azure Storage Explorer () * 3rd party tools -[comment]: <> (Not yet supported on ARM) -[comment]: <> (#### Azure VM backup) -[comment]: <> (VMs within the SAP system can be backed up using Azure Virtual Machine Backup functionality. Azure Virtual Machine Backup got introduced early in the year 2015 and meanwhile is a standard method to backup a complete VM in Azure. Azure Backup stores the backups in Azure and allows a restore of a VM again.) -[comment]: <> (VMs that run databases can be backed up in a consistent manner as well if the DBMS systems supports the Windows VSS (Volume Shadow Copy Service - ) as e.g. SQL Server does. So using Azure VM backup could be a way to get to a restorable backup of a SAP database. However, be aware that based on Azure VM backups point-in-time restores of databases is not possible. Therefore, the recommendation is to perform backups of databases with DBMS functionality instead of relying on Azure VM Backup.) -[comment]: <> (To get familiar with Azure Virtual Machine Backup please start here ) + + + + + ### Using a SQL Server images out of the Microsoft Azure Marketplace Microsoft offers VMs in the Azure Marketplace which already contain versions of SQL Server. For SAP customers who require licenses for SQL Server and Windows, this might be an opportunity to basically cover the need for licenses by spinning up VMs with SQL Server already installed. In order to use such images for SAP, the following considerations need to be made: -* The SQL Server non-Evaluation versions acquire higher costs than just a ‘Windows-only’ VM deployed from Azure Marketplace. Please see these articles to compare prices: and . +* The SQL Server non-Evaluation versions acquire higher costs than just a ‘Windows-only’ VM deployed from Azure Marketplace. Please see these articles to compare prices: and . 
* You only can use SQL Server releases which are supported by SAP, like SQL Server 2012. * The collation of the SQL Server instance which is installed in the VMs offered in the Azure Marketplace is not the collation SAP NetWeaver requires the SQL Server instance to run. You can change the collation though with the directions in the following section. @@ -753,8 +753,8 @@ If this is not the result, STOP deploying SAP and investigate why the setup comm ### SQL Server High-Availability for SAP in Azure As mentioned earlier in this paper, there is no possibility to create shared storage which is necessary for the usage of the oldest SQL Server high availability functionality. This functionality would install two or more SQL Server instances in a Windows Server Failover Cluster (WSFC) using a shared disk for the user databases (and eventually tempdb). This is the long time standard high availability method which also is supported by SAP. Because Azure doesn’t support shared storage, SQL Server high availability configurations with a shared disk cluster configuration cannot be realized. However, many other high availability methods are still possible and are described in the following sections. -[comment]: <> (Article is still refering to ASM) -[comment]: <> (Before reading the different specific high availability technologies usable for SQL Server in Azure, there is a very good document which gives more details and pointers [here][virtual-machines-sql-server-high-availability-and-disaster-recovery-solutions]) + + #### SQL Server Log Shipping One of the methods of high availability (HA) is SQL Server Log Shipping. If the VMs participating in the HA configuration have working name resolution, there is no problem and the setup in Azure will not differ from any setup that is done on-premises. It is not recommended to rely on IP resolution only. In regards to setting up Log Shipping and the principles around Log Shipping please check this documentation: 
@@ -770,19 +770,19 @@ As of Cloud-Only deployments, the easiest method is to have another domain setup If a domain is not possible, one can also use certificates for the database mirroring endpoints as described here: -A tutorial to set-up Database Mirroring in Azure can be found here: +A tutorial to set-up Database Mirroring in Azure can be found here: #### AlwaysOn As AlwaysOn is supported for SAP on-premises (see SAP Note [1772688]), it is supported to be used in combination with SAP in Azure. The fact that you are not able to create shared disks in Azure doesn’t mean that one can’t create an AlwaysOn Windows Server Failover Cluster (WSFC) configuration between different VMs. It only means that you do not have the possibility to use a shared disk as a quorum in the cluster configuration. Hence you can build an AlwaysOn WSFC configuration in Azure and simply not select the quorum type that utilizes shared disk. The Azure environment those VMs are deployed in should resolve the VMs by name and the VMs should be in the same domain. This is true for Azure only and Cross-Premises deployments. There are some special considerations around deploying the SQL Server Availability Group Listener (not to be confused with the Azure Availability Set) since Azure at this point in time does not allow to simply create an AD/DNS object as it is possible on-premises. Therefore, some different installation steps are necessary to overcome the specific behavior of Azure. Some considerations using an Availability Group Listener are: -* Using an Availability Group Listener is only possible with Windows Server 2012 or Windows Server 2012 R2 as guest OS of the VM. For Windows Server 2012 you need to make sure that this patch is applied: +* Using an Availability Group Listener is only possible with Windows Server 2012 or Windows Server 2012 R2 as guest OS of the VM. 
For Windows Server 2012 you need to make sure that this patch is applied: * For Windows Server 2008 R2 this patch does not exist and AlwaysOn would need to be used in the same manner as Database Mirroring by specifying a failover partner in the connections string (done through the SAP default.pfl parameter dbs/mss/server – see SAP Note [965908]). * When using an Availability Group Listener, the Database VMs need to be connected to a dedicated Load Balancer. Name resolution in Cloud-Only deployments would either require all VMs of an SAP system (application servers, DBMS server and (A)SCS server) are in the same virtual network or would require from an SAP application layer the maintenance of the etc\host file in order to get the VM names of the SQL Server VMs resolved. In order to avoid that Azure is assigning new IP addresses in cases where both VMs incidentally are shutdown, one should assign static IP addresses to the network interfaces of those VMs in the AlwaysOn configuration (defining a static IP address is described in [this][virtual-networks-reserved-private-ip] article) [comment]: <> (Old blogs) -[comment]: <> (, ) +[comment]: <> (, ) * There are special steps required when building the WSFC cluster configuration where the cluster needs a special IP address assigned, because Azure with its current functionality would assign the cluster name the same IP address as the node the cluster is created on. This means a manual step must be performed to assign a different IP address to the cluster. * The Availability Group Listener is going to be created in Azure with TCP/IP endpoints which are assigned to the VMs running the primary and secondary replicas of the Availability group. * There might be a need to secure these endpoints with ACLs. 
@@ -795,12 +795,12 @@ Some considerations using an Availability Group Listener are: [comment]: <> (* ) [comment]: <> (* ) [comment]: <> (* ) -[comment]: <> (* ) +[comment]: <> (* ) It is possible to deploy a SQL Server AlwaysOn Availability Group over different Azure Regions as well. This functionality will leverage the Azure VNet-to-Vnet connectivity ([more details][virtual-networks-configure-vnet-to-vnet-connection]). [comment]: <> (TODO old blog) -[comment]: <> (The setup of SQL Server AlwaysOn Availability Groups in such a scenario is described here: .) +[comment]: <> (The setup of SQL Server AlwaysOn Availability Groups in such a scenario is described here: .) #### Summary on SQL Server High Availability in Azure Given the fact that Azure Storage is protecting the content, there is one less reason to insist on a hot-standby image. This means your High Availability scenario needs to only protect against the following cases: 
@@ -825,7 +825,7 @@ There are many recommendations in this guide and we recommend you read it more t 1. Use the latest DBMS release, like SQL Server 2014, that has the most advantages in Azure. For SQL Server, this is SQL Server 2012 SP1 CU4 which would include the feature of backing up against Azure Storage. However, in conjunction with SAP we would recommend at least SQL Server 2014 SP1 CU1 or SQL Server 2012 SP2 and the latest CU. 2. Carefully plan your SAP system landscape in Azure to balance the data file layout and Azure restrictions: * Don’t have too many VHDs, but have enough to ensure you can reach your required IOPS. - * Remember that IOPS are also limited per Azure Storage Account and that Storage Accounts are limited within each Azure subscription ([more details][azure-subscription-service-limits]). + * Remember that IOPS are also limited per Azure Storage Account and that Storage Accounts are limited within each Azure subscription ([more details][azure-subscription-service-limits]). * Only stripe across VHDs if you need to achieve a higher throughput. 3. Never install software or put any files that require persistence on the D:\ drive as it is non-permanent and anything on this drive will be lost at a Windows reboot. 4. Don’t use Azure VHD caching for Azure Standard Storage. 
@@ -857,7 +857,7 @@ General information on running SAP Business Suite on SAP ASE can be found in the ### SAP ASE Configuration Guidelines for SAP related SAP ASE Installations in Azure VMs #### Structure of the SAP ASE Deployment -In accordance with the general description, SAP ASE executables should be located or installed into the system drive of the VM’s base VHD (drive c:\). Typically, most of the SAP ASE system and tools databases are not really leveraged hard by SAP NetWeaver workload. Hence the system and tools databases (master, model, saptools, sybmgmtdb, sybsystemdb) can remain on the C:\drive as well. +In accordance with the general description, SAP ASE executables should be located or installed into the system drive of the VM’s base VHD (drive c:\). Typically, most of the SAP ASE system and tools databases are not really leveraged hard by SAP NetWeaver workload. Hence the system and tools databases (master, model, saptools, sybmgmtdb, sybsystemdb) can remain on the C:\drive as well. An exception could be the temporary database containing all work tables and temporary tables created by SAP ASE, which in case of some SAP ERP and all BW workloads might require either higher data volume or I/O operations volume which can’t fit into the original VM’s base VHD (drive c:\). 
@@ -895,36 +895,36 @@ For SAP systems which are using SAP ASE as database platform, the DBACockpit is As with on-premises systems several steps are required to enable all SAP NetWeaver functionality used by the Webdynpro implementation of the DBACockpit. Please follow SAP Note [1245200] to enable the usage of webdynpros and generate the required ones. When following the instructions in the above notes you will also configure the Internet Communication Manager (icm) along with the ports to be used for http and https connections. The default setting for http looks like this: > icm/server_port_0 = PROT=HTTP,PORT=8000,PROCTIMEOUT=600,TIMEOUT=600 -> +> > icm/server_port_1 = PROT=HTTPS,PORT=443$$,PROCTIMEOUT=600,TIMEOUT=600 -> -> +> +> and the links generated in transaction DBACockpit will look similar to this: > https://`:44300/sap/bc/webdynpro/sap/dba_cockpit -> +> > http://`:8000/sap/bc/webdynpro/sap/dba_cockpit -> -> +> +> Depending on if and how the Azure Virtual Machine hosting the SAP system is connected via site-to-site, multi-site or ExpressRoute (Cross-Premises deployment) you need to make sure that ICM is using a fully qualified hostname that can be resolved on the machine where you are trying to open the DBACockpit from. Please see SAP Note [773830] to understand how ICM determines the fully qualified host name depending on profile parameters and set parameter icm/host_name_full explicitly if required. If you deployed the VM in a Cloud-Only scenario without cross-premises connectivity between on-premises and Azure, you need to define a public IP address and a domainlabel. The format of the public DNS name of the VM will then look like this : > `.`.cloudapp.azure.com -> -> +> +> More details related to the DNS name can be found [here][virtual-machines-azurerm-versus-azuresm]. 
Setting the SAP profile parameter icm/host_name_full to the DNS name of the Azure VM the link might look similar to: > https://mydomainlabel.westeurope.cloudapp.net:44300/sap/bc/webdynpro/sap/dba_cockpit -> +> > http://mydomainlabel.westeurope.cloudapp.net:8000/sap/bc/webdynpro/sap/dba_cockpit -> -> +> +> In this case you need to make sure to: @@ -978,7 +978,7 @@ Striping a volume over multiple mounted VHDs has been discussed earlier in this ### Disaster Recovery with Azure VMs #### Data Replication with SAP Sybase Replication Server -With the SAP Sybase Replication Server (SRS) SAP ASE provides a warm standby solution to transfer database transactions to a distant location asynchronously. +With the SAP Sybase Replication Server (SRS) SAP ASE provides a warm standby solution to transfer database transactions to a distant location asynchronously. The installation and operation of SRS works as well functionally in a VM hosted in Azure Virtual Machine Services as it does on-premises. 
@@ -1012,7 +1012,7 @@ General information on running SAP Business Suite on SAP ASE can be found in the ### SAP ASE Configuration Guidelines for SAP related SAP ASE Installations in Azure VMs #### Structure of the SAP ASE Deployment In accordance with the general description, SAP ASE executables should be located or installed into the root file system of the VM -( /sybase ). Typically, most of the SAP ASE system and tools databases are not really leveraged hard by SAP NetWeaver workload. Hence the system and tools databases (master, model, saptools, sybmgmtdb, sybsystemdb) can remain on the root file system as well. +( /sybase ). Typically, most of the SAP ASE system and tools databases are not really leveraged hard by SAP NetWeaver workload. Hence the system and tools databases (master, model, saptools, sybmgmtdb, sybsystemdb) can remain on the root file system as well. An exception could be the temporary database containing all work tables and temporary tables created by SAP ASE, which in case of some SAP ERP and all BW workloads might require either higher data volume or I/O operations volume which can’t fit into the original VM’s OS disk. 
@@ -1051,37 +1051,37 @@ For SAP systems which are using SAP ASE as database platform, the DBACockpit is As with on-premises systems several steps are required to enable all SAP NetWeaver functionality used by the Webdynpro implementation of the DBACockpit. Please follow SAP Note [1245200] to enable the usage of webdynpros and generate the required ones. When following the instructions in the above notes you will also configure the Internet Communication Manager (icm) along with the ports to be used for http and https connections. The default setting for http looks like this: > icm/server_port_0 = PROT=HTTP,PORT=8000,PROCTIMEOUT=600,TIMEOUT=600 -> +> > icm/server_port_1 = PROT=HTTPS,PORT=443$$,PROCTIMEOUT=600,TIMEOUT=600 -> -> +> +> and the links generated in transaction DBACockpit will look similar to this: > https://`:44300/sap/bc/webdynpro/sap/dba_cockpit -> +> > http://`:8000/sap/bc/webdynpro/sap/dba_cockpit -> -> +> +> Depending on if and how the Azure Virtual Machine hosting the SAP system is connected via site-to-site, multi-site or ExpressRoute (Cross-Premises deployment) you need to make sure that ICM is using a fully qualified hostname that can be resolved on the machine where you are trying to open the DBACockpit from. Please see SAP Note [773830] to understand how ICM determines the fully qualified host name depending on profile parameters and set parameter icm/host_name_full explicitly if required. -If you deployed the VM in a Cloud-Only scenario without cross-premises connectivity between on-premises and Azure, you need +If you deployed the VM in a Cloud-Only scenario without cross-premises connectivity between on-premises and Azure, you need to define a public IP address and a domainlabel. The format of the public DNS name of the VM will then look like this : > `.`.cloudapp.azure.com -> -> +> +> More details related to the DNS name can be found [here][virtual-machines-azurerm-versus-azuresm]. 
Setting the SAP profile parameter icm/host_name_full to the DNS name of the Azure VM the link might look similar to: > https://mydomainlabel.westeurope.cloudapp.net:44300/sap/bc/webdynpro/sap/dba_cockpit -> +> > http://mydomainlabel.westeurope.cloudapp.net:8000/sap/bc/webdynpro/sap/dba_cockpit -> -> +> +> In this case you need to make sure to: @@ -1135,14 +1135,14 @@ Striping a volume over multiple mounted VHDs has been discussed earlier in this ### Disaster Recovery with Azure VMs #### Data Replication with SAP Sybase Replication Server -With the SAP Sybase Replication Server (SRS) SAP ASE provides a warm standby solution to transfer database transactions to a distant location asynchronously. +With the SAP Sybase Replication Server (SRS) SAP ASE provides a warm standby solution to transfer database transactions to a distant location asynchronously. The installation and operation of SRS works as well functionally in a VM hosted in Azure Virtual Machine Services as it does on-premises. ASE HADR via SAP Replication Server is NOT supported at this point in time. It might be tested with and released for Microsoft Azure platforms in the future. ## Specifics to Oracle Database on Windows -Since midyear 2013, Oracle software is supported by Oracle to run on Microsoft Windows Hyper-V and Azure. Please read this article to get more details on the general support of Windows Hyper-V and Azure by Oracle: +Since midyear 2013, Oracle software is supported by Oracle to run on Microsoft Windows Hyper-V and Azure. Please read this article to get more details on the general support of Windows Hyper-V and Azure by Oracle: Following the general support, the specific scenario of SAP applications leveraging Oracle Databases is supported as well. Details are named in this part of the document. 
@@ -1153,10 +1153,10 @@ General information about running SAP Business Suite on Oracle can be found on S ### Oracle Configuration Guidelines for SAP Installations in Azure VMs #### Storage configuration -Only single instance Oracle using NTFS formatted disks is supported. All database files must be stored on the NTFS file system based on VHD disks. These VHDs are mounted to the Azure VM and are based on Azure Page BLOB Storage (). +Only single instance Oracle using NTFS formatted disks is supported. All database files must be stored on the NTFS file system based on VHD disks. These VHDs are mounted to the Azure VM and are based on Azure Page BLOB Storage (). Any kind of network drives or remote shares like Azure file services: -* +* * are **NOT** supported for Oracle database files! @@ -1167,7 +1167,7 @@ As explained earlier in the general part of the document, quotas on IOPS through To identify the supported Azure VM types, please refer to SAP note [1928533] -As long as the current IOPS quota per disk satisfies the requirements, it is possible to store all the DB files on one single mounted Azure VHD. +As long as the current IOPS quota per disk satisfies the requirements, it is possible to store all the DB files on one single mounted Azure VHD. If more IOPS are required, it is strongly recommended to use Window Storage Pools (only available in Windows Server 2012 and higher) or Windows striping for Windows 2008 R2 to create one big logical device over multiple mounted VHD disks. See also chapter [Software RAID][dbms-guide-2.2] of this document. This approach simplifies the administration overhead to manage the disk space and avoids the effort to manually distribute files across multiple mounted VHDs. 
@@ -1203,9 +1203,9 @@ You can find the updated list of SAP MaxDB documentation in the following SAP No Azure storage best practices for SAP MaxDB follow the general recommendations mentioned in chapter [Structure of a RDBMS Deployment][dbms-guide-2]. > [!IMPORTANT] -> Like other databases, SAP MaxDB also has data and log files. However, in SAP MaxDB terminology the correct term is “volume” (not “file”). For example, there are SAP MaxDB data volumes and log volumes. Do not confuse these with OS disk volumes. -> -> +> Like other databases, SAP MaxDB also has data and log files. However, in SAP MaxDB terminology the correct term is “volume” (not “file”). For example, there are SAP MaxDB data volumes and log volumes. Do not confuse these with OS disk volumes. +> +> In short you have to: 
@@ -1221,7 +1221,7 @@ In short you have to: #### Backup and Restore When deploying SAP MaxDB into Azure, you must review your backup methodology. Even if the system is not a productive system, the SAP database hosted by SAP MaxDB must be backed up periodically. Since Azure Storage keeps three images, a backup is now less important in terms of protecting your system against storage failure and more important operational or administrative failures. The primary reason for maintaining a proper backup and restore plan is so that you can compensate for logical or manual errors by providing point-in-time recovery capabilities. So the goal is to either use backups to restore the database to a certain point in time or to use the backups in Azure to seed another system by copying the existing database. For example, you could transfer from a 2-tier SAP configuration to a 3-tier system setup of the same system by restoring a backup. -Backing up and restoring a database in Azure works the same way as it does for on-premises systems, so you can use standard SAP MaxDB backup/restore tools, which are described in one of the SAP MaxDB documentation documents listed in SAP Note [767598]. +Backing up and restoring a database in Azure works the same way as it does for on-premises systems, so you can use standard SAP MaxDB backup/restore tools, which are described in one of the SAP MaxDB documentation documents listed in SAP Note [767598]. #### Performance Considerations for Backup and Restore As in bare-metal deployments, backup and restore performance is dependent on how many volumes can be read in parallel and the throughput of those volumes. In addition, the CPU consumption used by backup compression can play a significant role on VMs with up to 8 CPU threads. Therefore, one can assume: 
@@ -1239,13 +1239,13 @@ To increase the number of targets to write to, there are two options that you ca * SAP MaxDB data volumes ( i.e. files) * SAP MaxDB log volumes ( i.e. files) -Striping a volume over multiple mounted VHDs has been discussed earlier in chapter [Software RAID][dbms-guide-2.2] of this document. +Striping a volume over multiple mounted VHDs has been discussed earlier in chapter [Software RAID][dbms-guide-2.2] of this document. #### Other All other general topics such as Azure Availability Sets or SAP monitoring also apply as described in the first three chapters of this document for deployments of VMs with the SAP MaxDB database. Other SAP MaxDB-specific settings are transparent to Azure VMs and are described in different documents listed in SAP Note [767598] and in these SAP notes: -* [826037] +* [826037] * [1139904] * [1173395] @@ -1259,11 +1259,11 @@ To find the supported Microsoft Windows version for SAP liveCache on Azure, see: * [SAP Product Availability Matrix (PAM)][sap-pam] * SAP Note [1928533] -It is highly recommended to use the newest version of the operating system Microsoft Windows, which is Microsoft Windows 2012 R2. +It is highly recommended to use the newest version of the operating system Microsoft Windows, which is Microsoft Windows 2012 R2. ### SAP liveCache Configuration Guidelines for SAP Installations in Azure VMs #### Recommended Azure VM Types -As SAP liveCache is an application that performs huge calculations, the amount and speed of RAM and CPU has a major influence on SAP liveCache performance. +As SAP liveCache is an application that performs huge calculations, the amount and speed of RAM and CPU has a major influence on SAP liveCache performance. For the Azure VM types supported by SAP (SAP Note [1928533]), all virtual CPU resources allocated to the VM are backed by dedicated physical CPU resources of the hypervisor. No overprovisioning (and therefore no competition for CPU resources) takes place. 
@@ -1272,21 +1272,21 @@ Similarly, for all Azure VM instance types supported by SAP, the VM memory is 10 From this perspective it is highly recommended to use the new D- series or DS-series (in combination with Azure Premium Storage) Azure VM type, as they have 60 % faster processors than the A-series. For the highest RAM and CPU load, you can use G-series and GS-series (in combination with Azure Premium Storage) VMs with the latest Intel® Xeon® processor E5 v3 family, which have twice the memory and four times the solid state drive storage (SSDs) of the D/DS-series. #### Storage Configuration -As SAP liveCache is based on SAP MaxDB technology, all the Azure storage best practice recommendations mentioned for SAP MaxDB in chapter [Storage configuration][dbms-guide-8.4.1] are also valid for SAP liveCache. +As SAP liveCache is based on SAP MaxDB technology, all the Azure storage best practice recommendations mentioned for SAP MaxDB in chapter [Storage configuration][dbms-guide-8.4.1] are also valid for SAP liveCache. #### Dedicated Azure VM for liveCache -As SAP liveCache intensively uses computational power, for productive usage it is highly recommended to deploy on a dedicated Azure Virtual Machine. +As SAP liveCache intensively uses computational power, for productive usage it is highly recommended to deploy on a dedicated Azure Virtual Machine. ![Dedicated Azure VM for liveCache for productive use case][dbms-guide-figure-700] #### Backup and Restore -Backup and restore, including performance considerations, are already described in the relevant SAP MaxDB chapters [Backup and Restore][dbms-guide-8.4.2] and [Performance Considerations for Backup and Restore][dbms-guide-8.4.3]. +Backup and restore, including performance considerations, are already described in the relevant SAP MaxDB chapters [Backup and Restore][dbms-guide-8.4.2] and [Performance Considerations for Backup and Restore][dbms-guide-8.4.3]. 
#### Other -All other general topics are already described in the relevant SAP MaxDB [this][dbms-guide-8.4.4] chapter. +All other general topics are already described in the relevant SAP MaxDB [this][dbms-guide-8.4.4] chapter. ## Specifics for the SAP Content Server on Windows -The SAP Content Server is a separate, server-based component to store content such as electronic documents in different formats. The SAP Content Server is provided by development of technology and is to be used cross-application for any SAP applications. It is installed on a separate system. Typical content is training material and documentation from Knowledge Warehouse or technical drawings originating from the mySAP PLM Document Management System. +The SAP Content Server is a separate, server-based component to store content such as electronic documents in different formats. The SAP Content Server is provided by development of technology and is to be used cross-application for any SAP applications. It is installed on a separate system. Typical content is training material and documentation from Knowledge Warehouse or technical drawings originating from the mySAP PLM Document Management System. ### SAP Content Server Version Support SAP currently supports: @@ -1295,7 +1295,7 @@ SAP currently supports: * **SAP MaxDB version 7.9** * **Microsoft IIS (Internet Information Server) version 8.0 (and higher)** -It is highly recommended to use the newest version of SAP Content Server, which at the time of writing this document is **6.50 SP4**, and the newest version of **Microsoft IIS 8.5**. +It is highly recommended to use the newest version of SAP Content Server, which at the time of writing this document is **6.50 SP4**, and the newest version of **Microsoft IIS 8.5**. Check the latest supported versions of SAP Content Server and Microsoft IIS in the [SAP Product Availability Matrix (PAM)][sap-pam]. 
@@ -1309,17 +1309,17 @@ It is highly recommended to use the newest version of Microsoft Windows, which a ### SAP Content Server Configuration Guidelines for SAP Installations in Azure VMs #### Storage Configuration -If you configure SAP Content Server to store files in the SAP MaxDB database, all Azure storage best practices recommendation mentioned for SAP MaxDB in chapter [Storage Configuration][dbms-guide-8.4.1] are also valid for the SAP Content Server scenario. +If you configure SAP Content Server to store files in the SAP MaxDB database, all Azure storage best practices recommendation mentioned for SAP MaxDB in chapter [Storage Configuration][dbms-guide-8.4.1] are also valid for the SAP Content Server scenario. -If you configure SAP Content Server to store files in the file system, it is recommended to use a dedicated logical drive. Using storage spaces enables you to also increase logical disk size and IOPS throughput, as described in in chapter [Software RAID][dbms-guide-2.2]. +If you configure SAP Content Server to store files in the file system, it is recommended to use a dedicated logical drive. Using storage spaces enables you to also increase logical disk size and IOPS throughput, as described in in chapter [Software RAID][dbms-guide-2.2]. #### SAP Content Server Location -SAP Content Server has to be deployed in the same Azure region and Azure VNET where the SAP system is deployed. You are free to decide whether you want to deploy SAP Content Server components on a dedicated Azure VM or on the same VM where the SAP system is running. +SAP Content Server has to be deployed in the same Azure region and Azure VNET where the SAP system is deployed. You are free to decide whether you want to deploy SAP Content Server components on a dedicated Azure VM or on the same VM where the SAP system is running. 
![Dedicated Azure VM for SAP Content Server][dbms-guide-figure-800] #### SAP Cache Server Location -The SAP Cache Server is an additional server-based component to provide access to (cached) documents locally. The SAP Cache Server caches the documents of a SAP Content Server. This is to optimize network traffic if documents have to be retrieved more than once from different locations. The general rule is that the SAP Cache Server has to be physically close to the client that accesses the SAP Cache Server. +The SAP Cache Server is an additional server-based component to provide access to (cached) documents locally. The SAP Cache Server caches the documents of a SAP Content Server. This is to optimize network traffic if documents have to be retrieved more than once from different locations. The general rule is that the SAP Cache Server has to be physically close to the client that accesses the SAP Cache Server. Here you have two options: 
@@ -1334,21 +1334,21 @@ Here you have two options: #### Backup / Restore -If you configure the SAP Content Server to store files in the SAP MaxDB database, the backup/restore procedure and performance considerations are already described in SAP MaxDB chapter [Backup and Restore][dbms-guide-8.4.2] and chapter [Performance Considerations for Backup and Restore][dbms-guide-8.4.3]. +If you configure the SAP Content Server to store files in the SAP MaxDB database, the backup/restore procedure and performance considerations are already described in SAP MaxDB chapter [Backup and Restore][dbms-guide-8.4.2] and chapter [Performance Considerations for Backup and Restore][dbms-guide-8.4.3]. -If you configure the SAP Content Server to store files in the file system, one option is to execute manual backup/restore of the whole file structure where the documents are located. Similar to SAP MaxDB backup/restore, it is recommended to have a dedicated disk volume for backup purpose. +If you configure the SAP Content Server to store files in the file system, one option is to execute manual backup/restore of the whole file structure where the documents are located. Similar to SAP MaxDB backup/restore, it is recommended to have a dedicated disk volume for backup purpose. #### Other Other SAP Content Server specific settings are transparent to Azure VMs and are described in various documents and SAP Notes: -* +* * SAP Note [1619726] ## Specifics to IBM DB2 for LUW on Windows With Microsoft Azure, you can easily migrate your existing SAP application running on IBM DB2 for Linux, UNIX, and Windows (LUW) to Azure virtual machines. With SAP on IBM DB2 for LUW, administrators and developers can still use the same development and administration tools which are available on-premises. General information about running SAP Business Suite on IBM DB2 for LUW can be found in the SAP Community Network (SCN) at . 
-For additional information and updates about SAP on DB2 for LUW on Azure, see SAP Note [2233094]. +For additional information and updates about SAP on DB2 for LUW on Azure, see SAP Note [2233094]. ### IBM DB2 for Linux, UNIX, and Windows Version Support SAP on IBM DB2 for LUW on Microsoft Azure Virtual Machine Services is supported as of DB2 version 10.5. 
@@ -1357,17 +1357,17 @@ For information about supported SAP products and Azure VM types, please refer to ### IBM DB2 for Linux, UNIX, and Windows Configuration Guidelines for SAP Installations in Azure VMs #### Storage Configuration -All database files must be stored on the NTFS file system based on VHD disks. These VHDs are mounted to the Azure VM and are based in Azure Page BLOB Storage (). -Any kind of network drives or remote shares like the following Azure file services are **NOT** supported for database files: +All database files must be stored on the NTFS file system based on VHD disks. These VHDs are mounted to the Azure VM and are based in Azure Page BLOB Storage (). +Any kind of network drives or remote shares like the following Azure file services are **NOT** supported for database files: * * -If you are using Azure VHDs based on Azure Page BLOB Storage, the statements made in this document in chapter [Structure of a RDBMS Deployment][dbms-guide-2] also apply to deployments with the IBM DB2 for LUW Database. +If you are using Azure VHDs based on Azure Page BLOB Storage, the statements made in this document in chapter [Structure of a RDBMS Deployment][dbms-guide-2] also apply to deployments with the IBM DB2 for LUW Database. As explained earlier in the general part of the document, quotas on IOPS throughput for Azure VHDs exist. The exact quotas depend on the VM type used. A list of VM types with their quotas can be found [here][virtual-machines-sizes]. -As long as the current IOPS quota per disk is sufficient, it is possible to store all the database files on one single mounted Azure VHD. +As long as the current IOPS quota per disk is sufficient, it is possible to store all the database files on one single mounted Azure VHD. For performance considerations also refer to chapter “Data Safety and Performance Considerations for Database Directories” in SAP installation guides. 
@@ -1377,7 +1377,7 @@ For the disks containing the DB2 storage paths for your sapdata and saptmp direc #### Backup/Restore The backup/restore functionality for IBM DB2 for LUW is supported in the same way as on standard Windows Server Operating Systems and Hyper-V. -You must make sure that you have a valid database backup strategy in place. +You must make sure that you have a valid database backup strategy in place. As in bare-metal deployments, backup/restore performance depends on how many volumes can be read in parallel and what the throughput of those volumes might be. In addition, the CPU consumption used by backup compression may play a significant role on VMs with just up to 8 CPU threads. Therefore, one can assume: 
@@ -1398,12 +1398,12 @@ DB2 high availability disaster recovery (HADR) is supported. If the virtual mach Do not use Azure Store Geo-Replication. For further information, refer to chapter [Microsoft Azure Storage][dbms-guide-2.3] and chapter [High Availability and Disaster Recovery with Azure VMs][dbms-guide-3]. #### Other -All other general topics like Azure Availability Sets or SAP monitoring apply as described in the first three chapters of this document for deployments of VMs with IBM DB2 for LUW as well. +All other general topics like Azure Availability Sets or SAP monitoring apply as described in the first three chapters of this document for deployments of VMs with IBM DB2 for LUW as well. Also refer to chapter [General SQL Server for SAP on Azure Summary][dbms-guide-5.8]. ## Specifics to IBM DB2 for LUW on Linux -With Microsoft Azure, you can easily migrate your existing SAP application running on IBM DB2 for Linux, UNIX, and Windows (LUW) to Azure virtual machines. With SAP on IBM DB2 for LUW, administrators and developers can still use the same development and administration tools which are available on-premises. +With Microsoft Azure, you can easily migrate your existing SAP application running on IBM DB2 for Linux, UNIX, and Windows (LUW) to Azure virtual machines. With SAP on IBM DB2 for LUW, administrators and developers can still use the same development and administration tools which are available on-premises. General information about running SAP Business Suite on IBM DB2 for LUW can be found in the SAP Community Network (SCN) at . For additional information and updates about SAP on DB2 for LUW on Azure, see SAP Note [2233094]. 
@@ -1457,4 +1457,3 @@ Do not use Azure Store Geo-Replication. For further information, refer to chapte All other general topics like Azure Availability Sets or SAP monitoring apply as described in the first three chapters of this document for deployments of VMs with IBM DB2 for LUW as well. Also refer to chapter [General SQL Server for SAP on Azure Summary][dbms-guide-5.8]. - diff --git a/articles/virtual-network/virtual-network-network-interface.md b/articles/virtual-network/virtual-network-network-interface.md index 65bcec0b577e1..a6d230d9c1d9a 100644 --- a/articles/virtual-network/virtual-network-network-interface.md +++ b/articles/virtual-network/virtual-network-network-interface.md 
@@ -266,12 +266,13 @@ You can attach an existing NIC to a VM when you create it or you can attach an e You can use PowerShell or the CLI to create a NIC or VM with all the previous attributes that you cannot use the portal for. Before completing the tasks in the following sections, consider the following constraints and behaviors: -- The VM size +- Different VM sizes support different numbers of NICs. To learn more about how many NICs each VM size supports, read the [Linux](../virtual-machines/virtual-machines-linux-sizes.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Windows](../virtual-machines/virtual-machines-windows-sizes.md?toc=%2fazure%2fvirtual-network%2ftoc.json) VM sizes articles. - By default, the first NIC attached to a VM is defined as the *primary* NIC. All other NICs attached to the VM are *secondary* NICs. - By default, all outbound traffic from the VM is sent out the IP address assigned to the primary IP configuration of the primary NIC. You can of course, control which IP address is used for outbound traffic within the VM's operating system. - In the past, all VMs within the same availability set were required to have a single, or multiple, NICs. VMs with any number of NICs can now exist in the same availability set. A VM can only be added to an availability set when it's created though. To learn more about availability sets, read the [Manage the availability of Windows virtual machines in Azure](../virtual-machines/virtual-machines-windows-manage-availability.md?toc=%2fazure%2fvirtual-network%2ftoc.json#configure-multiple-virtual-machines-in-an-availability-set-for-redundancy) article. - While NICs attached to the same VM can be connected to different subnets within a VNet, the NICs must all be connected to the same VNet. - You can add any IP address for any IP configuration of any primary or secondary NIC to an Azure Load Balancer back-end pool. In the past, only the primary IP address for the primary NIC could be added to a back-end pool. 
+- Deleting a VM does not delete the NICs attached to it. When a VM is deleted, the NICs are detached from the VM. You can attach the NICs to different VMs, or delete them. ### Attach one or more NICs when creating a virtual machine diff --git a/contributor-guide/article-metadata.md b/contributor-guide/article-metadata.md index df3412e440b99..d3b234c636389 100644 --- a/contributor-guide/article-metadata.md +++ b/contributor-guide/article-metadata.md @@ -7,20 +7,16 @@ The standard Azure metadata section looks like this: title: | Microsoft Docs description:
services: - cloud: - documentationcenter: + cloud: author: manager: - ms.assetid: ms.service: - ms.workload: na - ms.tgt_pltfrm: na - ms.devlang: + ms.tgt_pltfrm: + ms.devlang: ms.topic: article ms.date: mm/dd/yyyy ms.author: - --- ``` ##Usage 
@@ -40,97 +36,23 @@ The standard Azure metadata section looks like this: ![](./media/article-metadata/checkmark-small.png)**cloud**: Required only for sovereign clouds such as Azure Government and Azure Stack. This value is assigned by the ACOM team, and is used across the azure.microsoft.com site and in URLs for the service. List the applicable services -![](./media/article-metadata/checkmark-small.png)**documentationCenter**: Required for dev-centric articles best featured through a dev center. Specify the single dev center or language that applies to the article. The value you list will drive the navigational breadcrumbs for the page. In articles that specify both a services value and a documentationCenter value, the services value will drive the breadcrumb. Values: - -- **.net** -- **nodejs** -- **java** -- **php** -- **python** -- **ruby** -- **mobile**: Deprecated. Replace with specific mobile platform. -- **ios**: Verifing this new value -- **android**: Verifying this new value -- **windows**: Verifying this new value -- **xamarin**: Verifying this new value - ![](./media/article-metadata/checkmark-small.png)**author**: Required, one value only. List the GitHub account for the primary author or article SME. Get the capitalization right, it matters! ![](./media/article-metadata/checkmark-small.png)**manager**: Required if you are a Microsoft contributor. List the email alias of the content publishing manager for the technology area. If you are a community contributor, include the attribute but leave it empty so we can fill it out. -![](./media/article-metadata/checkmark-small.png)**tags**: Optional. Include only if you want to enable a link under the article breadcrumb to the article index page (http://azure.microsoft.com/documentation/articles/) to a prefiltered list of articles that match one of the approved values. These values are meant to provide a way to group content together when the content grouping is not service-specific. 
These tags can also provide labeling that indicates the technology stack the article applies to. This value **does not** support free-form tags or hashtags; the tags must be enabled on the site. You can supply multiple tags values to one article, separated by commas. The approved values are: +![](./media/article-metadata/checkmark-small.png)**keywords**: Optional. For use by SEO champs only. Separate terms with commas. **Check with your SEO champ before you change or delete content in this article containing these terms.** This attribute records keywords the SEO champ has targeted and is tracking in order to improve search rank. The keywords do not render in the published HTML. Validation does not require this attribute. - - architecture - - azure-resource-manager - - azure-service-management - - billing - - mysql +![](./media/article-metadata/checkmark-small.png)**ms.service**: Required. Specifies the Azure service, tool, or feature that the article applies to. One value per page. -![](./media/article-metadata/checkmark-small.png)**keywords**: Optional. For use by SEO champs only. Separate terms with commas. **Check with your SEO champ before you change or delete content in this article containing these terms.** This attribute records keywords the SEO champ has targeted and is tracking in order to improve search rank. The keywords do not render in the published HTML. Validation does not require this attribute. +If a page applies to multiple services, choose the service to which it most directly applies; for instance, an article that uses an app hosted on web sites to demonstrate Service Bus functionality should have the **service-bus** value, rather than **web-sites**. If a page applies to multiple services equally, choose **multiple**. If a page does not apply to any services (this will be rare), choose **NA**. -![](./media/article-metadata/checkmark-small.png)**ms.assetid**: Required, but leave it blank for now. 
We will be periodically adding the asset ID post publication. +The list of approved values is listed [here](https://review.docs.microsoft.com/en-us/help/contribute/contribute-how-to-write-metadata?branch=master). -![](./media/article-metadata/checkmark-small.png)**ms.service**: Required. Specifies the Azure service, tool, or feature that the article applies to. One value per page. +![](./media/article-metadata/checkmark-small.png)**ms.tgt_pltfrm**: Optional. Specifies the target platform, for instance Windows, Linux, Windows Phone, iOS, Android, or special cache platforms. One value per page. This value will be **na** for most topics except mobile and virtual machines. - If a page applies to multiple services, choose the service to which it most directly applies; for instance, an article that uses an app hosted on web sites to demonstrate Service Bus functionality should have the **service-bus** value, rather than **web-sites**. If a page applies to multiple services equally, choose **multiple**. If a page does not apply to any services (this will be rare), choose **NA**. - -The list of approved ms.service values is listed [here](https://microsoft.sharepoint.com/teams/STBCSI/Insights/_layouts/15/WopiFrame.aspx?sourcedoc=%7b7A321BF1-0611-4184-84DA-A0E964C435FA%7d&file=WEDCS_MasterList_CSIValues.xlsx&action=default&IsList=1&ListId=%7b46B17C8A-CD7E-47ED-A1B6-F2B654B55E2B%7d&ListItemId=969) - -![](./media/article-metadata/checkmark-small.png)**ms.workload**: Required, but leave as **na** at this time. The ms.workload value is being mapped by an xls, not the value in the .md file. The ms.workload value is still required for validation until the feature can be updated. That work is now being scheduled. Please use **"na"** as the value for now. - - - -![](./media/article-metadata/checkmark-small.png)**ms.tgt_pltfrm**: Required. Specifies the target platform, for instance Windows, Linux, Windows Phone, iOS, Android, or special cache platforms. One value per page. 
This value will be **NA** for most topics except mobile and virtual machines. - - - **cache-in-role** - - **cache-multiple** - - **cache-redis** - - **cache-service** - - **cache-shared** - - **command-line-interface** - - **ibiza**: content that uses the Ibiza portal. Use this only in cases where the feature being discussed is available across both the Ibiza portal and the current portal. - - **mobile-android**: Azure.com only right now - - **mobile-html**: Azure.com only right now - - **mobile-ios**: Azure.com only right now - - **mobile-kindle**: Azure.com only right now - - **mobile-multiple** - - **mobile-nokia-x**: Azure.com only right now - - **mobile-phonegap**: Azure.com only right now - - **mobile-sencha**: Azure.com only right now - - **mobile-windows**: Azure.com only right now; Windows Universal - - **mobile-windows-phone** - - **mobile-windows-store** - - **mobile-xamarin**: Azure.com only right now; Xamarin all platforms - - **mobile-xamarin-android**: Azure.com only right now - - **mobile-xamarin-ios**: Azure.com only right now - - **multiple**: The page applies to multiple platforms equally - - **na**: A platform specifier is not applicable for this page - - **powershell** - - **vm-linux** - - **vm-multiple** - - **vm-windows** - - **vm-windows-sharepoint** - - **vm-windows-sql-server** - - **vs-getting-started**: Identifies the VS Getting Started page group. Tag added 12/1/14. - - **vs-what-happened**: Identifies the VS Getting Started What Happened page. Tag added 12/1/14. - -![](./media/article-metadata/checkmark-small.png)**ms.devlang**: Required. Specifies the programming language that the article applies to. Single value per page. - - If a page applies to two programming languages equally, choose **multiple**. If a page is primarily conceptual and its content is generally applicable to multiple programming languages, choose **multiple**. 
If a page is not targeted at developers and the programming language applicability is not relevant, choose **NA**. Use **rest-api** to identify REST API reference topics. - - - **cpp** - - **dotnet** - - **java** - - **javascript** - - **multiple**: The page applies to multiple programming languages equally. - - **na**: The page is not targeting developers and is not specific to any programming languages. - - **nodejs** - - **objective-c** - - **php** - - **python** - - **rest-api** - - **ruby** +![](./media/article-metadata/checkmark-small.png)**ms.devlang**: Optional. Specifies the programming language that the article applies to. Single value per page. +The list of approved values is listed [here](https://review.docs.microsoft.com/en-us/help/contribute/contribute-how-to-write-metadata?branch=master). ![](./media/article-metadata/checkmark-small.png)**ms.topic**: Required. Specifies the topic type. Most new pages created by contributors will use "article".
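Review bot: In the Storage Configuration hunk (`@@ -1357,17 +1357,17 @@`), the re-added lines still read "Azure Page BLOB Storage ()." with empty parentheses, and the list of unsupported Azure file services is two empty bullets (`* *`) as the lines appear in this diff. The sentence saying network drives and remote shares are **NOT** supported for database files therefore never names what is excluded. These lines are being rewritten anyway, so restore the link targets or name the services in the text. The same applies to the "SAP Community Network (SCN) at ." sentences and the empty bullet before SAP Note [1619726] in the neighbouring hunks.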
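Review bot: In `@@ -1398,12 +1398,12 @@` and `@@ -1457,4 +1457,3 @@`, the "Other" subsection of both IBM DB2 for LUW sections ends with "Also refer to chapter [General SQL Server for SAP on Azure Summary][dbms-guide-5.8]." These are context lines next to the whitespace fix, but a SQL Server summary is an odd closing reference for a DB2 chapter. Either confirm the cross-reference is intended and say which points of that summary carry over to DB2, or point to a DB2-specific summary.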
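Review bot: In the virtual-network-network-interface.md hunk (`@@ -266,12 +266,13 @@`), the added bullet on VM deletion stops at "You can attach the NICs to different VMs, or delete them" without saying whether a detached NIC keeps its IP configurations or where the delete procedure is documented. A reader who removes a VM gets no cue to review the NICs left behind. Suggest one more clause stating what the detached NIC retains and a link to the section of this article that covers deleting a NIC. The rewritten first bullet on VM sizes reads well.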
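Review bot: In the template hunk of contributor-guide/article-metadata.md (`@@ -7,20 +7,16 @@`), `ms.workload: na` and `ms.assetid:` are dropped from the standard metadata block, yet the description removed in the next hunk states that the ms.workload value "is still required for validation until the feature can be updated". Please confirm validation no longer requires these attributes before merging, otherwise articles created from the new template will fail the check. The template also changes `ms.tgt_pltfrm: na` to an empty `ms.tgt_pltfrm:` while the usage text still says the value will be **na** for most topics; keeping the default in the template would match the text.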
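Review bot: In the usage hunk of contributor-guide/article-metadata.md (`@@ -40,97 +36,23 @@`), the **ms.tgt_pltfrm** paragraph loses its whole value list and gets no pointer to the approved values; the sentence "The list of approved values is listed [here]" follows only **ms.service** and **ms.devlang**. Add the same pointer after **ms.tgt_pltfrm**, and consider "is available here" to avoid "list ... is listed". The **ms.devlang** entry also drops the guidance on when to use **multiple**, **NA** and **rest-api**; if the linked page now covers that, say so. Finally, the replacement link targets review.docs.microsoft.com with `?branch=master`: this guide also addresses community contributors (see the **manager** entry), so please confirm they can open that page.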