articles/active-directory/fundamentals/users-default-permissions.md
+11 -11 (11 additions & 11 deletions)
@@ -15,8 +15,8 @@ ms.reviewer: vincesm
15
15
ms.custom: "it-pro, seodec18, contperf-fy21q1"
16
16
ms.collection: M365-identity-device-management
17
17
---
18
-
19
18
# What are the default user permissions in Azure Active Directory?
19
+
20
20
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their [role assignments](active-directory-users-assign-role-azure-portal.md), and their ownership of individual objects.
21
21
22
22
This article describes those default permissions and compares the member and guest user defaults. The default user permissions can be changed only in user settings in Azure AD.
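Review bot: The blank-line move at new lines 18-19 leaves the `# What are the default user permissions in Azure Active Directory?` heading directly under the closing `---` of the front matter, with the only blank line now after the heading. Keep a blank line on both sides of the heading (add one after `---` instead of moving the existing one) so the front matter block and the document body stay visually and syntactically separate in the source.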
@@ -50,17 +50,17 @@ For example, a university has many users in its directory. The admin might not w
50
50
51
51
You can restrict default permissions for member users in the following ways:
52
52
53
-
Permission | Setting explanation
54
-
---------- | ------------
55
-
**Register applications** | Setting this option to **No** prevents users from creating application registrations. You can the grant the ability back to specific individuals by adding them to the application developer role.
56
-
**Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md).
57
-
**Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md).
58
-
**Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md).
59
-
**Access the Azure AD administration portal** | <p>Setting this option to **No** lets non-administrators use the Azure AD administration portal to read and manage Azure AD resources. **Yes** restricts all non-administrators from accessing any Azure AD data in the administration portal.</p><p>This setting does not restrict access to Azure AD data by using PowerShell or other clients such as Visual Studio. When you set this option to **Yes** to grant a specific non-admin user the ability to use the Azure AD administration portal, assign any administrative role such as the directory reader role.</p><p>The directory reader role allows reading basic directory information. Member users have it by default. Guests and service principals don't.</p><p>This settings blocks non-admin users who are owners of groups or applications from using the Azure portal to manage their owned resources. This setting does not restrict access as long as a user is assigned a custom role (or any role) and is not just a user.</p>
60
-
**Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`.
53
+
|Permission | Setting explanation|
54
+
|---------- | ------------|
55
+
|**Register applications**| Setting this option to **No** prevents users from creating application registrations. You can the grant the ability back to specific individuals by adding them to the application developer role.|
56
+
|**Allow users to connect work or school account with LinkedIn**| Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md).|
57
+
|**Create security groups**| Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md).|
58
+
|**Create Microsoft 365 groups**| Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md).|
59
+
| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
60
+
|**Read other users**| This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`.|
61
61
62
-
>[!NOTE]
63
-
>It's assumed that the average user would only use the portal to access Azure AD, and not use PowerShell or the Azure CLI to access their resources. Currently, restricting access to users' default permissions occurs only when users try to access the directory within the Azure portal.
62
+
>[!NOTE]
63
+
>It's assumed that the average user would only use the portal to access Azure AD, and not use PowerShell or the Azure CLI to access their resources. Currently, restricting access to users' default permissions occurs only when users try to access the directory within the Azure portal.
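Review bot: In the new **Restrict access to Azure AD administration portal** row, the sentence under "When should I not use this switch?" does not parse: "create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to ...". This is the sentence that tells readers the switch is not a security control and what to use instead, so it needs to be unambiguous; something like "Instead, create a Conditional Access policy that targets Microsoft Azure Management to block non-administrators' access" would do. In the same cell, the `</p><p></p><p>` runs close paragraphs that were never opened (the cell starts with plain text and `<br>`), and the **Read other users** row still carries an unbalanced `</p><p>`; use `<br><br>` or wrap the whole cell in `<p>`. The trailing "**Restrict access to the Entra administration portal**" paragraph reads like a separate setting but sits inside this cell, and it follows a statement that the switch does not restrict the Entra portal; say explicitly whether the Conditional Access policy is the intended way to restrict it. Two typos are also carried into the new lines: "You can the grant the ability" and "a specific non-administrator users". The `[!NOTE]` lines are removed and re-added with no visible change, so check for an unintended whitespace-only edit.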
articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md
+1 -65 (1 addition & 65 deletions)
@@ -152,71 +152,7 @@ The CURL response gives you the list of Keys. For example, if you get the read-
152
152
"secondaryReadonlyMasterKey":"38v5ns...7bA=="}
153
153
```
154
154
155
-
Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the `<COSMOS DB CONNECTION URL>` from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the `<ACCESS KEY>` with the value you obtained above:
156
-
157
-
```azurecli-interactive
158
-
az cosmosdb collection show -c <COLLECTION ID> -d <DATABASE ID> --url-connection "<COSMOS DB CONNECTION URL>" --key <ACCESS KEY>
159
-
```
160
-
161
-
This CLI command returns details about the collection:
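Review bot: After the removal starting at old line 155, the visible text ends at the JSON response with the read-only keys, so the reader retrieves an account key and is never told what to do with it. Dropping the example that pastes `--key <ACCESS KEY>` into a command line is reasonable, but keep the pointer from the first removed sentence ("you can pass it to a Cosmos DB SDK and make calls to access the account") or replace it with a link, and confirm that the single added line, which is not shown in this view, covers that.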
articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md
+1 -67 (1 addition & 67 deletions)
@@ -131,79 +131,13 @@ The response gives you the list of Keys. For example, if you get read-only keys
131
131
{"primaryReadonlyMasterKey":"bWpDxS...dzQ==",
132
132
"secondaryReadonlyMasterKey":"38v5ns...7bA=="}
133
133
```
134
-
Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the `<COSMOS DB CONNECTION URL>` from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the `<ACCESS KEY>` with the value you obtained above:
135
-
136
-
```azurecli
137
-
az cosmosdb collection show -c <COLLECTION ID> -d <DATABASE ID> --url-connection "<COSMOS DB CONNECTION URL>" --key <ACCESS KEY>
138
-
```
139
-
140
-
This CLI command returns details about the collection:
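Review bot: The hunk header shrinks this section from 79 lines to 13, and the removed `az cosmosdb collection show` step at old lines 134-140 was where the tutorial showed the retrieved key actually being used. If the command was removed because it is no longer available, replace it with a current verification step instead of ending on the key list, and keep the replacement wording identical to the Linux tutorial so the two pages do not drift.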
title: Migrate from Dapr OSS to the Dapr extension for Azure Kubernetes Service (AKS)
3
+
description: Learn how to migrate from Dapr OSS to the Dapr extension for AKS
4
+
author: hhunter-ms
5
+
ms.author: hannahhunter
6
+
ms.reviewer: nigreenf
7
+
ms.service: container-service
8
+
ms.topic: article
9
+
ms.date: 07/21/2022
10
+
ms.custom: devx-track-azurecli
11
+
---
12
+
13
+
# Migrate from Dapr OSS to the Dapr extension for Azure Kubernetes Service (AKS)
14
+
15
+
You've installed and configured Dapr OSS on your Kubernetes cluster and want to migrate to the Dapr extension on AKS. Before you can successfully migrate to the Dapr extension, you need to fully remove Dapr OSS from your AKS cluster. In this guide, you will migrate from Dapr OSS by:
16
+
17
+
> [!div class="checklist"]
18
+
> - Uninstalling Dapr, including CRDs and the `dapr-system` namespace
19
+
> - Installing Dapr via the Dapr extension for AKS
20
+
> - Applying your components
21
+
> - Restarting your applications that use Dapr
22
+
23
+
> [!NOTE]
24
+
> Expect downtime of approximately 10 minutes while migrating to Dapr extension for AKS. Downtime may take longer depending on varying factors. During this downtime, no Dapr functionality should be expected to run.
25
+
26
+
## Uninstall Dapr
27
+
28
+
#### [Dapr CLI](#tab/cli)
29
+
30
+
1. Run the following command to uninstall Dapr and all CRDs:
31
+
32
+
```bash
33
+
dapr uninstall -k –-all
34
+
```
35
+
36
+
1. Uninstall the Dapr namespace:
37
+
38
+
```bash
39
+
kubectl delete namespace dapr-system
40
+
```
41
+
42
+
> [!NOTE]
43
+
> `dapr-system` is the default namespace installed with `dapr init -k`. If you created a custom namespace, replace `dapr-system` with your namespace.
44
+
45
+
#### [Helm](#tab/helm)
46
+
47
+
1. Run the following command to uninstall Dapr:
48
+
49
+
```bash
50
+
dapr uninstall -k –-all
51
+
```
52
+
53
+
1. Uninstall CRDs:
54
+
55
+
```bash
56
+
kubectl delete crd components.dapr.io
57
+
kubectl delete crd configurations.dapr.io
58
+
kubectl delete crd subscriptions.dapr.io
59
+
kubectl delete crd resiliencies.dapr.io
60
+
```
61
+
62
+
1. Uninstall the Dapr namespace:
63
+
64
+
```bash
65
+
kubectl delete namespace dapr-system
66
+
```
67
+
68
+
> [!NOTE]
69
+
> `dapr-system` is the default namespace while doing a Helm install. If you created a custom namespace (`helm install dapr dapr/dapr --namespace <my-namespace>`), replace `dapr-system` with your namespace.
70
+
71
+
---
72
+
73
+
## Install Dapr via the AKS extension
74
+
75
+
Once you've uninstalled Dapr from your system, install the [Dapr extension for AKS and Arc-enabled Kubernetes](./dapr.md#create-the-extension-and-install-dapr-on-your-aks-or-arc-enabled-kubernetes-cluster).
76
+
77
+
```bash
78
+
az k8s-extension create --cluster-type managedClusters \
79
+
--cluster-name <dapr-cluster-name> \
80
+
--resource-group <dapr-resource-group> \
81
+
--name <dapr-ext> \
82
+
--extension-type Microsoft.Dapr
83
+
```
84
+
85
+
## Apply your components
86
+
87
+
```bash
88
+
kubectl apply -f <component.yaml>
89
+
```
90
+
91
+
## Restart your applications that use Dapr
92
+
93
+
Restarting the deployment will create a new sidecar from the new Dapr installation.
94
+
95
+
```bash
96
+
kubectl rollout restart <deployment-name>
97
+
```
98
+
99
+
## Next steps
100
+
101
+
Learn more about [the cluster extension](./dapr-overview.md) and [how to use it](./dapr.md).
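Review bot: The uninstall command at new lines 33 and 50 is written `dapr uninstall -k –-all`, where the first character of the flag is an en dash rather than a hyphen, so a copy-paste will not be parsed as `--all`; replace it with two ASCII hyphens in both places. The Helm tab (line 50) also repeats the Dapr CLI command; a Helm install would normally be removed with `helm uninstall dapr -n dapr-system`, so either switch to that or explain why the Dapr CLI is used there. The procedure deletes the `components.dapr.io` and `configurations.dapr.io` CRDs and the namespace before "Apply your components", which removes the existing Component and Configuration resources with them; add a step before the uninstall telling readers to make sure they have the YAML for those resources (for example by exporting them) or they will have nothing to re-apply. Finally, `kubectl rollout restart <deployment-name>` at line 96 is missing the resource type and should read `kubectl rollout restart deployment/<deployment-name>`, with `-n <namespace>` mentioned if the app is not in the default namespace.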