Commit ba38f77

Merge pull request #205738 from MicrosoftDocs/main
7/22 PM Publish
2 parents eceb90e + 88ec4a8 commit ba38f77

File tree

101 files changed

+1303
-491
lines changed


articles/active-directory/fundamentals/users-default-permissions.md

Lines changed: 11 additions & 11 deletions
@@ -15,8 +15,8 @@ ms.reviewer: vincesm
1515
ms.custom: "it-pro, seodec18, contperf-fy21q1"
1616
ms.collection: M365-identity-device-management
1717
---
18-
1918
# What are the default user permissions in Azure Active Directory?
19+
2020
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their [role assignments](active-directory-users-assign-role-azure-portal.md), and their ownership of individual objects.
2121

2222
This article describes those default permissions and compares the member and guest user defaults. The default user permissions can be changed only in user settings in Azure AD.
@@ -50,17 +50,17 @@ For example, a university has many users in its directory. The admin might not w
5050

5151
You can restrict default permissions for member users in the following ways:
5252

53-
Permission | Setting explanation
54-
---------- | ------------
55-
**Register applications** | Setting this option to **No** prevents users from creating application registrations. You can the grant the ability back to specific individuals by adding them to the application developer role.
56-
**Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md).
57-
**Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md).
58-
**Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md).
59-
**Access the Azure AD administration portal** | <p>Setting this option to **No** lets non-administrators use the Azure AD administration portal to read and manage Azure AD resources. **Yes** restricts all non-administrators from accessing any Azure AD data in the administration portal.</p><p>This setting does not restrict access to Azure AD data by using PowerShell or other clients such as Visual Studio. When you set this option to **Yes** to grant a specific non-admin user the ability to use the Azure AD administration portal, assign any administrative role such as the directory reader role.</p><p>The directory reader role allows reading basic directory information. Member users have it by default. Guests and service principals don't.</p><p>This settings blocks non-admin users who are owners of groups or applications from using the Azure portal to manage their owned resources. This setting does not restrict access as long as a user is assigned a custom role (or any role) and is not just a user.</p>
60-
**Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`.
53+
| Permission | Setting explanation |
54+
| ---------- | ------------ |
55+
| **Register applications** | Setting this option to **No** prevents users from creating application registrations. You can the grant the ability back to specific individuals by adding them to the application developer role. |
56+
| **Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md). |
57+
| **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
58+
| **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
59+
| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
60+
| **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. |
6161

62-
>[!NOTE]
63-
>It's assumed that the average user would only use the portal to access Azure AD, and not use PowerShell or the Azure CLI to access their resources. Currently, restricting access to users' default permissions occurs only when users try to access the directory within the Azure portal.
62+
> [!NOTE]
63+
> It's assumed that the average user would only use the portal to access Azure AD, and not use PowerShell or the Azure CLI to access their resources. Currently, restricting access to users' default permissions occurs only when users try to access the directory within the Azure portal.
6464
6565
## Restrict guest users' default permissions
6666

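Review bot: the new **Restrict access to Azure AD administration portal** cell (new line 59) has unbalanced HTML: it opens with plain text but closes the first block with `</p>`, and it uses empty `<p></p>` pairs as spacers, which renders inconsistently inside a Markdown table; either wrap every block in a matching `<p>…</p>` or switch to `<br>` throughout. Two sentences also need a grammar fix: "Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access" should read "Instead, create a Conditional Access policy that targets Microsoft Azure Management, which blocks non-administrators' access", and "grant only a specific non-administrator users" should be "grant only specific non-administrator users". The substantive change is the right call: stating plainly that the switch is a guardrail against misconfiguration and not a security boundary, because PowerShell, other clients, the Entra portal and any role assignment bypass it, matches the behaviour described in the unchanged note on line 63. The pre-existing typo "You can the grant the ability back" in the **Register applications** row (line 55) is carried over unchanged and could be fixed in the same pass.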
articles/active-directory/manage-apps/datawiza-azure-ad-sso-oracle-jde.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: Configure Azure AD Multi-Factor Authentication and SSO for an Oracle JD Edwards application using Datawiza Access Broker
2+
title: Configure Azure AD Multi-Factor Authentication and SSO for Oracle JD Edwards applications using Datawiza Access Broker
33
description: Enable Azure Active Directory Multi-Factor Authentication and SSO for Oracle JD Edwards application using Datawiza Access Broker
44
services: active-directory
55
author: gargi-sinha
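Review bot: the title now says "Oracle JD Edwards applications" (plural) while the unchanged `description:` on line 3 still reads "for Oracle JD Edwards application"; align the two, since the description is what search results and the TOC hover text show.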

articles/active-directory/manage-apps/datawiza-with-azure-ad.md

Lines changed: 1 addition & 1 deletion
@@ -123,6 +123,6 @@ DAB evaluates policies, calculates headers, and sends you to the upstream applic
123123

124124
- [Configure Datawiza with Azure AD B2C](../../active-directory-b2c/partner-datawiza.md)
125125

126-
- [Configure Azure AD SSO for an Oracle JD Edwards application using Datawiza Access Broker](datawiza-azure-ad-sso-oracle-jde.md)
126+
- [Configure Azure AD Multi-Factor Authentication and SSO for Oracle JDE applications using DAB](datawiza-azure-ad-sso-oracle-jde.md)
127127

128128
- [Datawiza documentation](https://docs.datawiza.com)
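Review bot: the link text on new line 126 reads "Oracle JDE applications using DAB" while the target page's title is "Oracle JD Edwards applications using Datawiza Access Broker"; the abbreviation DAB is used in this file's body (see the hunk's context line), but a cross-link reads better when it matches the target title, so either spell the product out here or keep the abbreviation consistently in both title and link.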

articles/active-directory/manage-apps/toc.yml

Lines changed: 1 addition & 1 deletion
@@ -166,7 +166,7 @@
166166
items:
167167
- name: Integrate Datawiza with Azure AD
168168
href: datawiza-with-azure-ad.md
169-
- name: Configure Oracle JD Edwards application with Azure AD using Datawiza Access Broker
169+
- name: Configure Oracle JDE with Azure AD
170170
href: datawiza-azure-ad-sso-oracle-jde.md
171171
- name: F5
172172
items:

articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md

Lines changed: 1 addition & 65 deletions
@@ -152,71 +152,7 @@ The CURL response gives you the list of Keys. For example, if you get the read-
152152
"secondaryReadonlyMasterKey":"38v5ns...7bA=="}
153153
```
154154

155-
Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the `<COSMOS DB CONNECTION URL>` from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the `<ACCESS KEY>` with the value you obtained above:
156-
157-
```azurecli-interactive
158-
az cosmosdb collection show -c <COLLECTION ID> -d <DATABASE ID> --url-connection "<COSMOS DB CONNECTION URL>" --key <ACCESS KEY>
159-
```
160-
161-
This CLI command returns details about the collection:
162-
163-
```output
164-
{
165-
"collection": {
166-
"_conflicts": "conflicts/",
167-
"_docs": "docs/",
168-
"_etag": "\"00006700-0000-0000-0000-5a8271e90000\"",
169-
"_rid": "Es5SAM2FDwA=",
170-
"_self": "dbs/Es5SAA==/colls/Es5SAM2FDwA=/",
171-
"_sprocs": "sprocs/",
172-
"_triggers": "triggers/",
173-
"_ts": 1518498281,
174-
"_udfs": "udfs/",
175-
"id": "Test",
176-
"indexingPolicy": {
177-
"automatic": true,
178-
"excludedPaths": [],
179-
"includedPaths": [
180-
{
181-
"indexes": [
182-
{
183-
"dataType": "Number",
184-
"kind": "Range",
185-
"precision": -1
186-
},
187-
{
188-
"dataType": "String",
189-
"kind": "Range",
190-
"precision": -1
191-
},
192-
{
193-
"dataType": "Point",
194-
"kind": "Spatial"
195-
}
196-
],
197-
"path": "/*"
198-
}
199-
],
200-
"indexingMode": "consistent"
201-
}
202-
},
203-
"offer": {
204-
"_etag": "\"00006800-0000-0000-0000-5a8271ea0000\"",
205-
"_rid": "f4V+",
206-
"_self": "offers/f4V+/",
207-
"_ts": 1518498282,
208-
"content": {
209-
"offerIsRUPerMinuteThroughputEnabled": false,
210-
"offerThroughput": 400
211-
},
212-
"id": "f4V+",
213-
"offerResourceId": "Es5SAM2FDwA=",
214-
"offerType": "Invalid",
215-
"offerVersion": "V2",
216-
"resource": "dbs/Es5SAA==/colls/Es5SAM2FDwA=/"
217-
}
218-
}
219-
```
155+
Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account.
220156

221157
## Next steps
222158

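Review bot: removing the `az cosmosdb collection show` example (old lines 155-219) leaves the replacement sentence "you can pass it to a Cosmos DB SDK and make calls to access the account" with nothing for the reader to try; add a link to an SDK quickstart or a minimal SDK call so the tutorial still ends in a verifiable step rather than a bare claim. While editing this spot, the retained output above it (`"secondaryReadonlyMasterKey":"38v5ns...7bA=="`) shows that the `listKeys` call returns long-lived data-plane secrets; one sentence reminding readers not to echo the key into logs, scripts or shell history after retrieving it through the managed identity would fit naturally here.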
articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md

Lines changed: 1 addition & 67 deletions
@@ -131,79 +131,13 @@ The response gives you the list of Keys. For example, if you get read-only keys
131131
{"primaryReadonlyMasterKey":"bWpDxS...dzQ==",
132132
"secondaryReadonlyMasterKey":"38v5ns...7bA=="}
133133
```
134-
Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account. For a quick example, you can pass the access key to the Azure CLI. You can get the `<COSMOS DB CONNECTION URL>` from the **Overview** tab on the Cosmos DB account blade in the Azure portal. Replace the `<ACCESS KEY>` with the value you obtained above:
135-
136-
```azurecli
137-
az cosmosdb collection show -c <COLLECTION ID> -d <DATABASE ID> --url-connection "<COSMOS DB CONNECTION URL>" --key <ACCESS KEY>
138-
```
139-
140-
This CLI command returns details about the collection:
141-
142-
```output
143-
{
144-
"collection": {
145-
"_conflicts": "conflicts/",
146-
"_docs": "docs/",
147-
"_etag": "\"00006700-0000-0000-0000-5a8271e90000\"",
148-
"_rid": "Es5SAM2FDwA=",
149-
"_self": "dbs/Es5SAA==/colls/Es5SAM2FDwA=/",
150-
"_sprocs": "sprocs/",
151-
"_triggers": "triggers/",
152-
"_ts": 1518498281,
153-
"_udfs": "udfs/",
154-
"id": "Test",
155-
"indexingPolicy": {
156-
"automatic": true,
157-
"excludedPaths": [],
158-
"includedPaths": [
159-
{
160-
"indexes": [
161-
{
162-
"dataType": "Number",
163-
"kind": "Range",
164-
"precision": -1
165-
},
166-
{
167-
"dataType": "String",
168-
"kind": "Range",
169-
"precision": -1
170-
},
171-
{
172-
"dataType": "Point",
173-
"kind": "Spatial"
174-
}
175-
],
176-
"path": "/*"
177-
}
178-
],
179-
"indexingMode": "consistent"
180-
}
181-
},
182-
"offer": {
183-
"_etag": "\"00006800-0000-0000-0000-5a8271ea0000\"",
184-
"_rid": "f4V+",
185-
"_self": "offers/f4V+/",
186-
"_ts": 1518498282,
187-
"content": {
188-
"offerIsRUPerMinuteThroughputEnabled": false,
189-
"offerThroughput": 400
190-
},
191-
"id": "f4V+",
192-
"offerResourceId": "Es5SAM2FDwA=",
193-
"offerType": "Invalid",
194-
"offerVersion": "V2",
195-
"resource": "dbs/Es5SAA==/colls/Es5SAM2FDwA=/"
196-
}
197-
}
198-
```
199134

135+
Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account.
200136

201137
## Disable
202138

203139
[!INCLUDE [msi-tut-disable](../../../includes/active-directory-msi-tut-disable.md)]
204140

205-
206-
207141
## Next steps
208142

209143
In this tutorial, you learned how to use a Windows VM system-assigned identity to access Cosmos DB. To learn more about Cosmos DB see:
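Review bot: same change as the Linux tutorial, so the same gap applies: the sentence "you can pass it to a Cosmos DB SDK and make calls to access the account" on new line 135 now stands without an example or link behind it, and the same caveat about the `primaryReadonlyMasterKey` / `secondaryReadonlyMasterKey` values being secrets applies to the retained output. Note also that this hunk places the new sentence after the blank line 134 and removes the two stray blank lines 205-206 before `## Next steps`, while the Linux file got neither whitespace change; keeping the two tutorials in lockstep keeps future diffs small.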

articles/aks/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -452,6 +452,8 @@
452452
href: dapr-overview.md
453453
- name: How to use Dapr
454454
href: dapr.md
455+
- name: Migrate from Dapr OSS
456+
href: dapr-migration.md
455457
- name: Use GitOps
456458
href: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md
457459
maintainContext: true

articles/aks/dapr-migration.md

Lines changed: 101 additions & 0 deletions
@@ -0,0 +1,101 @@
1+
---
2+
title: Migrate from Dapr OSS to the Dapr extension for Azure Kubernetes Service (AKS)
3+
description: Learn how to migrate from Dapr OSS to the Dapr extension for AKS
4+
author: hhunter-ms
5+
ms.author: hannahhunter
6+
ms.reviewer: nigreenf
7+
ms.service: container-service
8+
ms.topic: article
9+
ms.date: 07/21/2022
10+
ms.custom: devx-track-azurecli
11+
---
12+
13+
# Migrate from Dapr OSS to the Dapr extension for Azure Kubernetes Service (AKS)
14+
15+
You've installed and configured Dapr OSS on your Kubernetes cluster and want to migrate to the Dapr extension on AKS. Before you can successfully migrate to the Dapr extension, you need to fully remove Dapr OSS from your AKS cluster. In this guide, you will migrate from Dapr OSS by:
16+
17+
> [!div class="checklist"]
18+
> - Uninstalling Dapr, including CRDs and the `dapr-system` namespace
19+
> - Installing Dapr via the Dapr extension for AKS
20+
> - Applying your components
21+
> - Restarting your applications that use Dapr
22+
23+
> [!NOTE]
24+
> Expect downtime of approximately 10 minutes while migrating to Dapr extension for AKS. Downtime may take longer depending on varying factors. During this downtime, no Dapr functionality should be expected to run.
25+
26+
## Uninstall Dapr
27+
28+
#### [Dapr CLI](#tab/cli)
29+
30+
1. Run the following command to uninstall Dapr and all CRDs:
31+
32+
```bash
33+
dapr uninstall -k –-all
34+
```
35+
36+
1. Uninstall the Dapr namespace:
37+
38+
```bash
39+
kubectl delete namespace dapr-system
40+
```
41+
42+
> [!NOTE]
43+
> `dapr-system` is the default namespace installed with `dapr init -k`. If you created a custom namespace, replace `dapr-system` with your namespace.
44+
45+
#### [Helm](#tab/helm)
46+
47+
1. Run the following command to uninstall Dapr:
48+
49+
```bash
50+
dapr uninstall -k –-all
51+
```
52+
53+
1. Uninstall CRDs:
54+
55+
```bash
56+
kubectl delete crd components.dapr.io
57+
kubectl delete crd configurations.dapr.io
58+
kubectl delete crd subscriptions.dapr.io
59+
kubectl delete crd resiliencies.dapr.io
60+
```
61+
62+
1. Uninstall the Dapr namespace:
63+
64+
```bash
65+
kubectl delete namespace dapr-system
66+
```
67+
68+
> [!NOTE]
69+
> `dapr-system` is the default namespace while doing a Helm install. If you created a custom namespace (`helm install dapr dapr/dapr --namespace <my-namespace>`), replace `dapr-system` with your namespace.
70+
71+
---
72+
73+
## Install Dapr via the AKS extension
74+
75+
Once you've uninstalled Dapr from your system, install the [Dapr extension for AKS and Arc-enabled Kubernetes](./dapr.md#create-the-extension-and-install-dapr-on-your-aks-or-arc-enabled-kubernetes-cluster).
76+
77+
```bash
78+
az k8s-extension create --cluster-type managedClusters \
79+
--cluster-name <dapr-cluster-name> \
80+
--resource-group <dapr-resource-group> \
81+
--name <dapr-ext> \
82+
--extension-type Microsoft.Dapr
83+
```
84+
85+
## Apply your components
86+
87+
```bash
88+
kubectl apply -f <component.yaml>
89+
```
90+
91+
## Restart your applications that use Dapr
92+
93+
Restarting the deployment will create a new sidecar from the new Dapr installation.
94+
95+
```bash
96+
kubectl rollout restart <deployment-name>
97+
```
98+
99+
## Next steps
100+
101+
Learn more about [the cluster extension](./dapr-overview.md) and [how to use it](./dapr.md).
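Review bot: `dapr uninstall -k –-all` on lines 33 and 50 uses an en dash (U+2013) before the second hyphen, so the flag is not `--all` and the command fails as typed; replace it with `dapr uninstall -k --all` in both tabs. In the Helm tab, line 50 also uninstalls through the Dapr CLI rather than Helm; if the reader installed with `helm install dapr dapr/dapr --namespace <my-namespace>` as the note on line 69 says, the matching removal is `helm uninstall dapr --namespace <my-namespace>`, otherwise the tab label is misleading. On line 96, `kubectl rollout restart <deployment-name>` is missing the resource type and should be `kubectl rollout restart deployment/<deployment-name>`. Finally, the "Uninstall the Dapr namespace" steps (lines 39 and 65) delete everything in `dapr-system`, including any secrets and component resources stored there, and the later "Apply your components" step assumes the component YAML is still on disk; a short reminder to export or back up those resources before deleting the namespace would save readers from an unrecoverable migration.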

articles/aks/dapr-overview.md

Lines changed: 4 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Learn more about using Dapr on your Azure Kubernetes Service (AKS)
44
ms.author: nickoman
55
ms.service: container-service
66
ms.topic: article
7-
ms.date: 05/03/2022
7+
ms.date: 07/21/2022
88
ms.custom: devx-track-azurecli, event-tier1-build-2022
99
---
1010

@@ -69,6 +69,8 @@ When installing Dapr OSS via helm or the Dapr CLI, runtime versions and configur
6969

7070
Lastly, the Dapr extension is an extension of AKS, therefore you can expect the same support policy as other AKS features.
7171

72+
[Learn more about migrating from Dapr OSS to the Dapr extension for AKS][dapr-migration].
73+
7274
### How can I switch to using the Dapr extension if I’ve already installed Dapr via a method, such as Helm?
7375

7476
Recommended guidance is to completely uninstall Dapr from the AKS cluster and reinstall it via the cluster extension.
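Review bot: the new link on line 72 is appended to the end of the support-policy paragraph, immediately before the FAQ entry "How can I switch to using the Dapr extension if I've already installed Dapr via a method, such as Helm?", whose answer on line 76 gives exactly the guidance the migration page expands on; placing the link inside that answer instead ties it to the question readers are actually asking and avoids an orphaned sentence under the support-policy heading.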
@@ -84,6 +86,7 @@ After learning about Dapr and some of the challenges it solves, try [Deploying a
8486
[osm-docs]: ./open-service-mesh-about.md
8587
[cluster-extensions]: ./cluster-extensions.md
8688
[dapr-quickstart]: ./quickstart-dapr.md
89+
[dapr-migration]: ./dapr-migration.md
8790

8891
<!-- Links External -->
8992
[dapr-docs]: https://docs.dapr.io/
