MicrosoftDocs
diff --git a/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory/managed-identities-azure-resources/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/managed-identities-azure-resources/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/managed-identities-azure-resources/how-to-managed-identity-regional-move.md
Lines changed: 53 additions & 0 deletions b/‎articles/active-directory/managed-identities-azure-resources/how-to-managed-identity-regional-move.md
Lines changed: 53 additions & 0 deletions
diff --git a/‎articles/active-directory/managed-identities-azure-resources/managed-identities-status.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/managed-identities-azure-resources/managed-identities-status.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/roles/security-planning.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/roles/security-planning.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/api-management/api-management-using-with-internal-vnet.md
Lines changed: 1 addition & 1 deletion b/‎articles/api-management/api-management-using-with-internal-vnet.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/api-management/api-management-using-with-vnet.md
Lines changed: 1 addition & 1 deletion b/‎articles/api-management/api-management-using-with-vnet.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/attestation/audit-logs.md
Lines changed: 60 additions & 108 deletions b/‎articles/attestation/audit-logs.md
Lines changed: 60 additions & 108 deletions
@@ -30,6 +30,11 @@
             "redirect_url": "/azure/azure-monitor/change/change-analysis-visualizations",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/troubleshoot-portal-connectivity.md",
+            "redirect_url": "https://docs.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/troubleshoot-portal-connectivity",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/change-analysis-troubleshoot.md",
             "redirect_url": "/azure/azure-monitor/change/change-analysis-troubleshoot",
 
@@ -125,6 +125,8 @@
       href: how-to-assign-app-role-managed-identity-cli.md
   - name: View managed identity activity
     href: how-to-view-managed-identity-activity.md
+  - name: Move a managed identity to a new region
+    href: how-to-managed-identity-regional-move.md
 
 - name: Reference
   items:
 
@@ -0,0 +1,53 @@
+---
+title: Move managed identities to another region - Azure AD
+description: Steps involved in getting a managed identity recreated in another region
+services: active-directory
+documentationcenter: 
+author: barclayn
+manager: karenhoran
+editor: 
+
+ms.service: active-directory
+ms.subservice: msi
+ms.topic: how-to
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 04/13/2022
+ms.author: barclayn
+ms.custom: subject-moving-resources
+
+---
+
+# Move managed identity for Azure resources across regions
+
+There are situations in which you'd want to move your existing user-assigned managed identities from one region to another. For example, you may need to move a solution that uses user-assigned managed identities to another region. You may also want to move an existing identity to another region as part of disaster recovery planning, and testing.
+
+Moving User-assigned managed identities across Azure regions is not supported.  You can however, recreate a user-assigned managed identity in the target region.
+
+## Prerequisites
+
+- Permissions to list permissions granted to existing user-assigned managed identity.
+- Permissions to grant a new user-assigned managed identity the required permissions.
+- Permissions to assign a new user-assigned identity to the Azure resources.
+- Permissions to edit Group membership, if your user-assigned managed identity is a member of one or more groups.
+
+## Prepare and move
+
+1. Copy user-assigned managed identity assigned permissions. You can list [Azure role assignments](../../role-based-access-control/role-assignments-list-powershell.md) but that may not be enough depending on how permissions were granted to the user-assigned managed identity. You should confirm that your solution doesn't depend on permissions granted using a service specific option.
+1. Create a [new user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#create-a-user-assigned-managed-identity-2) at the target region.
+1. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review [Assign Azure roles to a managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.md), and [Group membership](../../active-directory/fundamentals/active-directory-groups-view-azure-portal.md).
+1. Specify the new identity in the properties of the resource instance that uses the newly created user assigned managed identity.
+
+## Verify
+
+After reconfiguring your service to use your new managed identities in the target region, you need to confirm that all operations have been restored.
+
+## Clean up
+
+Once that you confirm your service is back online, you can proceed to delete any resources in the source region that you no longer use.
+
+## Next steps
+
+In this tutorial, you took the steps needed to recreate a user-assigned managed identity in a new region.
+
+- [Manage user-assigned managed identities](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#delete-a-user-assigned-managed-identity-2)
@@ -57,7 +57,7 @@ The following Azure services support managed identities for Azure resources:
 | Azure Media services            | [Managed identities](/azure/media-services/latest/concept-managed-identities) |
 | Azure Monitor                   | [Azure Monitor customer-managed key](../../azure-monitor/logs/customer-managed-keys.md?tabs=portal)                                                                                              |
 | Azure Policy                    | [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md)      |
-| Azure Purview                   | [Credentials for source authentication in Azure Purview](../../purview/manage-credentials.md)                                                                                                                          |
+| Microsoft Purview                   | [Credentials for source authentication in Microsoft Purview](../../purview/manage-credentials.md)                                                                                                                          |
 | Azure Resource Mover            | [Move resources across regions (from resource group)](../../resource-mover/move-region-within-resource-group.md)
 | Azure Site Recovery             | [Replicate machines with private endpoints](../../site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.md#enable-the-managed-identity-for-the-vault)                                  |
 | Azure Search                    | [Set up an indexer connection to a data source using a managed identity](../../search/search-howto-managed-identities-data-sources.md)                                                                                            |
 
@@ -7,7 +7,7 @@ keywords:
 author: rolyon
 manager: karenhoran
 ms.author: rolyon
-ms.date: 11/04/2021
+ms.date: 04/19/2022
 ms.topic: conceptual
 ms.service: active-directory
 ms.workload: identity
@@ -110,7 +110,7 @@ Evaluate the accounts that are assigned or eligible for the Global Administrator
 
 #### Turn on multi-factor authentication and register all other highly privileged single-user non-federated administrator accounts
 
-Require Azure AD Multi-Factor Authentication (MFA) at sign-in for all individual users who are permanently assigned to one or more of the Azure AD administrator roles: Global Administrator, Privileged Role Administrator, Exchange Administrator, and SharePoint Administrator. Use the guide to enable [Multi-factor Authentication (MFA) for your administrator accounts](../authentication/howto-mfa-userstates.md) and ensure that all those users have registered at [https://aka.ms/mfasetup](https://aka.ms/mfasetup). More information can be found under step 2 and step 3 of the guide [Protect access to data and services in Microsoft 365](https://support.office.com/article/Protect-access-to-data-and-services-in-Office-365-a6ef28a4-2447-4b43-aae2-f5af6d53c68e). 
+Require Azure AD Multi-Factor Authentication (MFA) at sign-in for all individual users who are permanently assigned to one or more of the Azure AD administrator roles: Global Administrator, Privileged Role Administrator, Exchange Administrator, and SharePoint Administrator. Use the guidance at [Enforce multifactor authentication on your administrators](../authentication/how-to-authentication-find-coverage-gaps.md#enforce-multifactor-authentication-on-your-administrators) and ensure that all those users have registered at [https://aka.ms/mfasetup](https://aka.ms/mfasetup). More information can be found under step 2 and step 3 of the guide [Protect user and device access in Microsoft 365](/microsoft-365/compliance/protect-access-to-data-and-services). 
 
 ## Stage 2: Mitigate frequently used attacks
 
 
@@ -66,7 +66,7 @@ After successful deployment, you should see your API Management service's **priv
  
 ### Enable connectivity using a Resource Manager template (`stv2` platform)
 
-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip) (API version 2021-01-01-preview )
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip) (API version 2021-08-01 )
 
      [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-internal-vnet-publicip%2Fazuredeploy.json)
 
 
@@ -53,7 +53,7 @@ It can take 15 to 45 minutes to update the API Management instance. The Develope
 
 ### Enable connectivity using a Resource Manager template (`stv2` compute platform)
 
-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip) (API version 2021-01-01-preview)
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip) (API version 2021-08-01)
 
      [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet-publicip%2Fazuredeploy.json)
 
 
@@ -11,123 +11,75 @@ ms.author: mbaldwin
 
 ---
 
-# Audit logs for Azure Attestation
+# Azure Attestation logging
 
-Audit logs are secure, immutable, timestamped records of discrete events that happened over time. These logs capture important events that may affect the functionality of your attestation instance.
+If you create one or more Azure Attestation resources, you’ll want to monitor how and when your attestation instance is accessed, and by whom. You can do this by enabling logging for Microsoft Azure Attestation, which saves information in an Azure storage account you provide.  
 
-Azure Attestation manages attestation instances and the policies associated with them. Actions associated with instance management and policy changes are audited and logged.
+Logging information will be available up to 10 minutes after the operation occurred (in most cases, it will be quicker than this). Since you provide the storage account, you can secure your logs via standard Azure access controls and delete logs you no longer want to keep in your storage account. 
 
-This article contains information on the events that are logged, the information collected, and the location of these logs.
+## Interpret your Azure Attestation logs
 
-## About Audit logs
+When logging is enabled, up to three containers may be automatically created for you in your specified storage account:  **insights-logs-auditevent, insights-logs-operational, insights-logs-notprocessed**. It is recommended to only use **insights-logs-operational** and **insights-logs-notprocessed**. **insights-logs-auditevent** was created to provide early access to logs for customers using VBS. Future enhancements to logging will occur in the **insights-logs-operational** and **insights-logs-notprocessed**.  
 
-Azure Attestation uses code to produce audit logs for events that affect the way attestation is performed. This typically boils down to how or when policy changes are made to your attestation instance as well as some admin actions.
+**Insights-logs-operational** contains generic information across all TEE types. 
 
-### Auditable Events
-Here are some of the audit logs we collect:
+**Insights-logs-notprocessed** contains requests which the service was unable to process, typically due to malformed HTTP headers, incomplete message bodies, or similar issues.  
 
-|     Event/API                              |     Event Description                                                                         |
-|--------------------------------------------|-----------------------------------------------------------------------------------------------|
-|     Create Instance                        |     Creates a new instance of an attestation service. |
-|     Destroy Instance                       |     Destroys an instance of an attestation service. |
-|     Add Policy Certificate                 |     Addition of a certificate to the current set of policy management certificates. |
-|     Remove Policy Certificate              |     Remove a certificate from the current set of policy management certificates. |
-|     Set Current Policy                     |     Sets the attestation policy for a given TEE type. |
-|     Reset Attestation Policy               |     Resets the attestation policy for a given TEE type. |
-|     Prepare to Update Policy               |     Prepare to update attestation policy for a given TEE type. |
-|     Rehydrate Tenants After Disaster       |     Re-seals all of the attestation tenants on this instance of the attestation service. This can only be performed by Attestation Service admins. |
+Individual blobs are stored as text, formatted as a JSON blob. Let’s look at an example log entry: 
 
-### Collected  information
-For each of these events, Azure Attestation collects the following information:
 
-- Operation Name
-- Operation Success
-- Operation Caller, which could be any of the following:
-    - Azure AD UPN
-    - Object ID
-    - Certificate
-    - Azure AD Tenant ID
-- Operation Target, which could be any of the following:
-    - Environment
-    - Service Region
-    - Service Role
-    - Service Role Instance
-    - Resource ID
-    - Resource Region
+```json
+{  
+ "Time": "2021-11-03T19:33:54.3318081Z", 
+ "resourceId": "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Attestation/attestationProviders/<instance name>",
+ "region": "EastUS", 
+ "operationName": "AttestSgxEnclave", 
+ "category": "Operational", 
+ "resultType": "Succeeded", 
+ "resultSignature": "400", 
+ "durationMs": 636, 
+ "callerIpAddress": "::ffff:24.17.183.201", 
+ "traceContext": "{\"traceId\":\"e4c24ac88f33c53f875e5141a0f4ce13\",\"parentId\":\"0000000000000000\",}", 
+ "identity": "{\"callerAadUPN\":\"[email protected]\",\"callerAadObjectId\":\"6ab02abe-6ca2-44ac-834d-42947dbde2b2\",\"callerId\":\"[email protected]\"}",
+ "uri": "https://deschumatestrp.eus.test.attest.azure.net:443/attest/SgxEnclave?api-version=2018-09-01-preview", 
+ "level": "Informational", 
+ "location": "EastUS", 
+ "properties": 
+  { 
+    "failureResourceId": "", 
+    "failureCategory": "None", 
+    "failureDetails": "", 
+    "infoDataReceived": 
+    { 
+      "Headers": 
+      { 
+      "User-Agent": "PostmanRuntime/7.28.4" 
+      }, 
+      "HeaderCount": 10,
+      "ContentType": "application/json",
+      "ContentLength": 6912, 
+      "CookieCount": 0, 
+      "TraceParent": "" 
+    } 
+   } 
+ } 
+```
 
-### Sample Audit log
+Most of these fields are documented in the [Top-level common schema](/azure-monitor/essentials/resource-logs-schema#top-level-common-schema). The following table lists the field names and descriptions for the entries not included in the top-level common schema: 
 
-Audit logs are provided in JSON format. Here is an example of what an audit log may look like.
+|     Field Name                           |     Description                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------|
+|     traceContext                        |     JSON blob representing the W3C trace-context |
+|    uri                       |     Request URI  |
 
-```json
-{
-    "operationName": "SetCurrentPolicy",
-    "resultType": "Success",
-    "resultDescription": null,
-    "auditEventCategory": [
-        "ApplicationManagement"
-    ],
-    "nCloud": null,
-    "requestId": null,
-    "callerIpAddress": null,
-    "callerDisplayName": null,
-    "callerIdentities": [
-        {
-            "callerIdentityType": "ObjectID",
-            "callerIdentity": "<some object ID>"
-        },
-        {
-            "callerIdentityType": "TenantId",
-            "callerIdentity": "<some tenant ID>"
-        }
-    ],
-    "targetResources": [
-        {
-            "targetResourceType": "Environment",
-            "targetResourceName": "PublicCloud"
-        },
-        {
-            "targetResourceType": "ServiceRegion",
-            "targetResourceName": "EastUS2"
-        },
-        {
-            "targetResourceType": "ServiceRole",
-            "targetResourceName": "AttestationRpType"
-        },
-        {
-            "targetResourceType": "ServiceRoleInstance",
-            "targetResourceName": "<some service role instance>"
-        },
-        {
-            "targetResourceType": "ResourceId",
-            "targetResourceName": "/subscriptions/<some subscription ID>/resourceGroups/<some resource group name>/providers/Microsoft.Attestation/attestationProviders/<some instance name>"
-        },
-        {
-            "targetResourceType": "ResourceRegion",
-            "targetResourceName": "EastUS2"
-        }
-    ],
-    "ifxAuditFormat": "Json",
-    "env_ver": "2.1",
-    "env_name": "#Ifx.AuditSchema",
-    "env_time": "2020-11-23T18:23:29.9427158Z",
-    "env_epoch": "MKZ6G",
-    "env_seqNum": 1277,
-    "env_popSample": 0.0,
-    "env_iKey": null,
-    "env_flags": 257,
-    "env_cv": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000",
-    "env_os": null,
-    "env_osVer": null,
-    "env_appId": null,
-    "env_appVer": null,
-    "env_cloud_ver": "1.0",
-    "env_cloud_name": null,
-    "env_cloud_role": null,
-    "env_cloud_roleVer": null,
-    "env_cloud_roleInstance": null,
-    "env_cloud_environment": null,
-    "env_cloud_location": null,
-    "env_cloud_deploymentUnit": null
-}
-```
+The properties contain additional Azure attestation specific context: 
+
+|     Field Name                           |     Description                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------|
+|     failureResourceId                        |     Resource ID of component which resulted in request failure  |
+|    failureCategory                       |     Broad category indicating category of a request failure. Includes categories such as AzureNetworkingPhysical, AzureAuthorization etc.   |
+|    failureDetails                       |     Detailed information about a request failure, if available   |
+|    infoDataReceived                       |     Information about the request received from the client. Includes some HTTP headers, the number of headers received, the content type and content length    |
+
+## Next steps
+- [How to enable Microsoft Azure Attestation logging ](azure-diagnostic-monitoring.md)