-In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) with [Datawiza Access Broker (DAB)](https://www.datawiza.com/access-broker). DAB enables single sign-on (SSO) and granular access control, helping Azure AD B2C protect on-premises legacy applications. With this solution, enterprises can transition from legacy to Azure AD B2C without rewriting applications.

- - The application runs on localhost: 3001 and DAB proxies traffic to applications via localhost: 9772

-2. DAB checks user authentication state. With no session token, or an invalid token, the user goes to Azure AD B2C for authentication.

-3. Azure AD B2C sends the user request to the endpoint specified during DAB registration in the Azure AD B2C tenant.

-4. The DAB evaluates access policies and calculates attribute values in HTTP headers forwarded to the application. The DAB might call to the identity provider (IdP) to retrieve information to set the header values. The DAB sets the header values and sends the request to the application.

-You can use Docker or Kubernetes to run DAB. Use the Docker image for users to create a sample header-based application.

-Learn more: To configure DAB and SSO integration, see [Deploy Datawiza Access Proxy With Your App](https://docs.datawiza.com/step-by-step/step3.html)

-A sample docker image `docker-compose.yml file` is provided. Sign in to the container registry to download DAB images and the header-based application.

- 

-2. The DAB redirects to the page you configured in your user flow.

-5. You're redirected to Azure AD B2C, which forwards the application request to the DAB redirect URI.

- 

- 

- 

-You can configure PingFederate as an authentication provider, or a proxy. for upstream IdPs. See the following diagram.

- 

- 

- 

- 

->Create a virtual host for every application. For more information, see [What can I configure with PingAccess?]([https://docs.pingidentity.com/bundle/pingaccess-43/page/reference/pa_c_KeyConsiderations.html](https://docs.pingidentity.com/bundle/pingaccess-71/page/kkj1564006722708.html).

-description: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory.

-2. Select **Enterprise applications** and then select your app.

-4. Under **Settings**, select the **Prevent accidental deletions** checkbox and specify a deletion

-threshold. Also, be sure the notification email address is completed. If the deletion threshold is met an email will be sent.

-5. Select **Save**, to save the changes.

-If you encounter an accidental deletion you'll see it on the provisioning status page. It will say **Provisioning has been quarantined. See quarantine details for more information**.

-When a user is set to be removed from the target application, it will be counted against the

-application could include: unassigning the user from the application and soft / hard deleting a user in the directory. Groups

-It is evaluated each cycle. If the number of deletions doesn't exceed the threshold during a

-description: Learn how to use scoping filters to prevent objects in apps that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements in Azure Active Directory Application Provisioning.

-# Attribute-based application provisioning with scoping filters

-The objective of this article is to explain how to use scoping filters to define attribute-based rules that determine which users are provisioned to an application.

-A scoping filter allows the Azure Active Directory (Azure AD) provisioning service to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from Azure AD to a SaaS application used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.

-By default, Azure AD provisioning connectors do not have any attribute-based scoping filters configured.

-1. In the [Azure portal](https://portal.azure.com), go to the **Azure Active Directory** > **Enterprise Applications** > **All applications** section.

-2. Select the application for which you have configured automatic provisioning: for example, "ServiceNow".

-3. Select the **Provisioning** tab.

-4. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Azure Active Directory Users to ServiceNow".

-5. Select the **Source object scope** menu.

-6. Select **Add scoping filter**.

-7. Define a clause by selecting a source **Attribute Name**, an **Operator**, and an **Attribute Value** to match against. The following operators are supported:

-description: Learn about known issues when you work with automated application provisioning in Azure Active Directory.

-# Known issues for application provisioning in Azure Active Directory

-This article discusses known issues to be aware of when you work with app provisioning. To provide feedback about the application provisioning service on UserVoice, see [Azure Active Directory (Azure AD) application provision UserVoice](https://aka.ms/appprovisioningfeaturerequest). We watch UserVoice closely so that we can improve the service.

-#### Global reader

-The global reader role is unable to read the provisioning configuration. Please create a custom role with the `microsoft.directory/applications/synchronization/standard/read` permission in order to read the provisioning configuration from the Azure Portal.

- - On-premises applications are sometimes not federated with Azure AD and require local passwords. The on-premises provisioning preview does not support password synchronization. Provisioning initial one-time passwords is supported. Please ensure that you are using the [Redact](./functions-for-customizing-application-data.md#redact) function to redact the passwords from the logs. In the SQL and LDAP connectors, the passwords are not exported on the initial call to the application, but rather a second call with set password.

-The ECMA host does not support updating the password in the connectivity page of the wizard. Please create a new connector when changing the password.

-1. Sign in to the **Azure portal**.

-1. Go to **All services** > **Enterprise applications**.

-1. Select your application, and then go to the provisioning configuration page.

-1. Configure provisioning by providing your admin credentials.

-1. Select **Provision on demand**.

-1. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to 5 users.

-1. Select **Provision** at the bottom of the page.

-The provisioning service attempts to authorize access to the target application by making a request for a "test user". The provisioning service expects a response that indicates that the service authorized to continue with the provisioning steps. This step is shown only when it fails. It's not shown during the on-demand provisioning experience when the step is successful.

-* Ensure that you've provided valid credentials, such as the secret token and tenant URL, to the target application. The required credentials vary by application. For detailed configuration tutorials, see the [tutorial list](../saas-apps/tutorial-list.md).

-* Make sure that the target application supports filtering on the matching attributes defined in the **Attribute mappings** pane. You might need to check the API documentation provided by the application developer to understand the supported filters.

-* Make sure that the target application supports filtering on the attribute that's defined as the matching attribute.

-The **View details** section displays the attributes that were modified in the target application. This display represents the final output of the provisioning service activity and the attributes that were exported. If this step fails, the attributes displayed represent the attributes that the provisioning service attempted to modify.

-* On-demand provisioning says the group or user can't be provisioned because they're not assigned to the application. Note that there is a replicate delay of up to a few minutes between when an object is assigned to an application and that assignment being honored by on-demand provisioning. You may need to wait a few minutes and try again.

-* If ***SkipOutOfScopeDeletions*** is set to 1 (true), accounts that go out of scope will not be disabled in the target. This flag is set at the *Provisioning App* level and can be configured using the Graph API.

-Because this configuration is widely used with the *Workday to Active Directory user provisioning* app, the following steps include screenshots of the Workday application. However, the configuration can also be used with *all other apps*, such as ServiceNow, Salesforce, and Dropbox. Note that in order to successfully complete this procedure you must have first set up app provisioning for the app. Each app has its own configuration article. For example, to configure the Workday application, see [Tutorial: Configure Workday to Azure AD user provisioning](../saas-apps/workday-inbound-cloud-only-tutorial.md).

- 

- 

-1. Upon successful sign-in, you will see the user account details in the left-hand pane.

- 

- 

-Here is the JSON block to add to the mapping.

- 

-You should get the output as "Success ΓÇô Status Code 204". If you receive an error you may need to check that your account has Read/Write permissions for ServicePrincipalEndpoint. You can find this permission by clicking on the *Modify permissions* tab in Graph Explorer.

- 

-You can test this flag results in expected behavior by updating your scoping rules to skip a specific user. In the example below, we are excluding the employee with ID 21173 (who was earlier in scope) by adding a new scoping rule:

- 

- 

-The user is then redirected to your tenanted endpoint, where they can either sign in with their email address or select an identity provider you've configured.

-| [Enforce the use of Privileged Identity Management](../privileged-identity-management/pim-security-wizard.md) | Remove administrative roles from normal day-to-day user accounts. Make administrative users eligible to use their role after succeeding a multi-factor authentication check, providing a business justification, or requesting approval from approvers. | Azure AD Premium P2 |

-description: Learn how to integrate Datawiza with Azure AD. See how to use Datawiza and Azure AD to authenticate users and give them access to on-premises and cloud apps.

-Datawiza's [Datawiza Access Broker (DAB)](https://www.datawiza.com/access-broker) extends Azure AD to enable single sign-on (SSO) and provide granular access controls to protect on-premises and cloud-hosted applications, such as Oracle E-Business Suite, Microsoft IIS, and SAP. By using this solution, enterprises can quickly transition from legacy web access managers (WAMs), such as Symantec SiteMinder, NetIQ, Oracle, and IBM, to Azure AD without rewriting applications. Enterprises can also use Datawiza as a no-code or low-code solution to integrate new applications to Azure AD. This approach enables enterprises to implement their Zero Trust strategy while saving engineering time and reducing costs.

-In this tutorial, learn how to integrate Azure Active Directory (Azure AD) with [Datawiza](https://www.datawiza.com/) for [hybrid access](../devices/concept-azure-ad-join-hybrid.md).

-The following diagram describes the authentication architecture orchestrated by Datawiza in a hybrid environment.

-

-|Step| Description|

-|:-|:--|

-| 1. | The user makes a request to access the on-premises or cloud-hosted application. DAB proxies the request made by the user to the application.|

-| 2. | DAB checks the user's authentication state. If it doesn't receive a session token, or the supplied session token is invalid, it sends the user to Azure AD for authentication.|

-| 3. | Azure AD sends the user request to the endpoint specified during the DAB application's registration in the Azure AD tenant.|

-| 4. | DAB evaluates access policies and calculates attribute values to be included in HTTP headers forwarded to the application. During this step, DAB may call out to the identity provider to retrieve the information needed to set the header values correctly. DAB sets the header values and sends the request to the application. |

-| 5. | The user is authenticated and has access to the application.|

-that's linked to your Azure subscription.

-2. Create an application on DCMC and generate a key pair for the app. The key pair consists of a `PROVISIONING_KEY` and `PROVISIONING_SECRET`. To create the app and generate the key pair, follow the instructions in [Datawiza Cloud Management Console](https://docs.datawiza.com/step-by-step/step2.html).

-3. Register your application in Azure AD by using Datawiza's convenient [one-click integration](https://docs.datawiza.com/tutorial/web-app-azure-one-click.html).

-

-To use an existing web application, you can manually populate the fields of the form. You'll need the tenant ID, client ID, and client secret. For more information about creating a web application and getting these values, see [Microsoft Azure AD in the Datawiza documentation](https://docs.datawiza.com/idp/azure.html).

-

-4. Run DAB using either Docker or Kubernetes. The docker image is needed to create a sample header-based application.

- - For Docker-specific instructions, see [Deploy Datawiza Access Broker With Your App](https://docs.datawiza.com/step-by-step/step3.html).

- - For Kubernetes-specific instructions, see [Deploy Datawiza Access Broker with a Web App using Kubernetes](https://docs.datawiza.com/tutorial/web-app-AKS.html).

- You can use the following sample docker image docker-compose.yml file:

-5. Sign in to the container registry and download the images of DAB and the header-based application by following the instructions in this [Important Step](https://docs.datawiza.com/step-by-step/step3.html#important-step).

-6. Run the following command:

- `docker-compose -f docker-compose.yml up`

- The header-based application should now have SSO enabled with Azure AD.

-7. In a browser, go to `http://localhost:9772/`. An Azure AD sign-in page appears.

-8. Pass user attributes to the header-based application. DAB gets user attributes from Azure AD and can pass these attributes to the application via a header or cookie. To pass user attributes such as an email address, a first name, and a last name to the header-based application, follow the instructions in [Pass User Attributes](https://docs.datawiza.com/step-by-step/step4.html).

-9. Confirm you have successfully configured user attributes by observing a green check mark next to each attribute.

-

-1. Go to the application URL. DAB should redirect you to the Azure AD sign-in page.

-2. After successfully authenticating, you should be redirected to DAB.

-DAB evaluates policies, calculates headers, and sends you to the upstream application. Your requested application should appear.

-description: Learn how to tell the difference between Privileged Access groups and role-assignable groups in Azure AD Privileged Identity Management (PIM).

-# What's the difference between Privileged Access groups and role-assignable groups?

-Privileged Identity Management (PIM) supports the ability to enable privileged access on role-assignable groups. But because an available role-assignable group is a prerequisite for creating a privileged access group, this article explains the differences and how to take advantage of them.

-## What are Azure AD role-assignable groups?

-Azure Active Directory (Azure AD), part of Microsoft Entra, lets you assign a cloud Azure AD security group to an Azure AD role. A Global Administrator or Privileged Role Administrator must create a new security group and make the group role-assignable at creation time. Only the Global Administrator, Privileged Role Administrator, or the group Owner role assignments can change the membership of the group. Also, no other users can reset the password of the users who are members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.

-## What are Privileged Access groups?

-Privileged Access groups enable users to elevate to the owner or member role of an Azure AD security group. This feature allows you to set up just-in-time workflows for not only Azure AD and Azure roles in batches, and also enables just-in-time scenarios for other use cases like Azure SQL, Azure Key Vault, Intune, or other application roles. For more information, see [Management capabilities for Privileged Access groups](groups-features.md).

->[!Note]

->For privileged access groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less-privileged administrators. For example, the Helpdesk Administrator has permission to reset an eligible user's passwords.

-## When to use a role-assignable group

-You can set up just-in-time access to permissions and roles beyond Azure AD and Azure Resource. If you have other resources whose authorization can be connected to an Azure AD security group (for Azure Key Vault, Intune, Azure SQL, or other apps and services), you should enable privileged access on the group and assign users as eligible for membership in the group.

-If you want to assign a group to an Azure AD or Azure Resource role and require elevation through a PIM process, there's only one way to do it:

-This method allows maximum granularity of permissions. Use this method to:

-## Next steps

-description: Learn how to activate your privileged access group roles in Azure AD Privileged Identity Management (PIM).

-# Activate my privileged access group roles in Privileged Identity Management

-Use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, to allow eligible role members for privileged access groups to schedule role activation for a specified date and time. They can also select an activation duration up to the maximum duration configured by administrators.

-This article is for eligible members who want to activate their privileged access group role in Privileged Identity Management.

-When you need to take on a privileged access group role, you can request activation by using the **My roles** navigation option in Privileged Identity Management.

-1. [Sign in to Azure AD portal](https://aad.portal.azure.com) with Global Administrator or group Owner permissions.

-1. Open [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart).

-1. Select **Privileged access groups (Preview)** and then select **Activate role** to open the **My roles** page for privileged access groups.

- 

-1. On the **My roles** page, select **Activate** on the row of the eligible assignment you want to activate.

- 

-1. If your role requires multi-factor authentication, select **Verify your identity before proceeding**. You only have to authenticate once per session.

- 

-1. Select **Verify my identity** and follow the instructions to provide additional security verification.

- 

-1. If necessary, specify a custom activation start time. The member or owner is to be activated only after the selected time.

-1. In the **Reason** box, enter the reason for the activation request.

- 

-1. Select **Activate**.

-You can view the status of your pending requests to activate.

-1. Open Azure AD Privileged Identity Management.

-1. Select **My requests** to see a list of your Azure AD role and privileged access group role requests.

-1. Scroll to the right, if needed, to view the **Request Status** column.

-## Cancel a pending request

-If you do not require activation of a role that requires approval, you can cancel a pending request at any time.

-1. Open Azure AD Privileged Identity Management.

-1. Select **My requests**.

-1. For the role that you want to cancel, select the **Cancel** link.

- When you select **Cancel**, the request will be canceled. To activate the role again, you will have to submit a new request for activation.

-## Deactivate a role assignment

-When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. When you select **Deactivate**, there's a short time lag before the role is deactivated. Also, you can't deactivate a role assignment within five minutes after activation.

-When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.

-1. In Privileged Identity Management, verify that you are listed as the member of the role.

-description: Learn how to approve or deny requests for role-assignable groups in Azure AD Privileged Identity Management (PIM).

-# Approve activation requests for privileged access group members and owners (preview)

-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure privileged access group members and owners to require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each group to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.

-Follow the steps in this article to approve or deny requests for Azure resource roles.

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Open **Azure AD Privileged Identity Management**.

-1. Select **Approve requests**.

- 

- In the **Requests for role activations** section, you'll see a list of requests pending your approval.

- 

- 

-description: Learn how to assign eligible owners or members of a role-assignable group in Azure AD Privileged Identity Management (PIM).

-# Assign eligibility for a privileged access group (preview) in Privileged Identity Management

-Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can help you manage the eligibility and activation of assignments to privileged access groups in Azure AD. You can assign eligibility to members or owners of the group.

-When a role is assigned, the assignment:

-Follow these steps to make a user eligible to be a member or owner of a privileged access group.

-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com/) with a user in the [Global Administrator](../roles/permissions-reference.md#global-administrator) role, the Privileged Role Administrator role, or the group Owner role.

-1. Select **Groups** and then select the [role-assignable group](concept-privileged-access-versus-role-assignable.md) you want to manage. You can search or filter the list.

- 

-1. Open the group and select **Privileged access (Preview)**.

- 

-1. Select **Add assignments**.

- 

-1. Select the members or owners you want to make eligible for the privileged access group.

- 

-1. Select **Next** to set the membership or ownership duration.

- 

-1. In the **Assignment type** list, select **Eligible** or **Active**. Privileged access groups provide two distinct assignment types:

- - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

- > [!Important]

- > For privileged access groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from another administrator with permission to reset an eligible user's passwords.

- - **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

-1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on your organization's settings, the check box might not appear or might not be editable. For more information, check out the [Configure privileged access group settings](groups-role-settings.md#assignment-duration) article.

-1. When finished, select **Assign**.

-1. To create the new role assignment, select **Add**. A notification of the status is displayed.

- 

-Follow these steps to update or remove an existing role assignment.

-1. [Sign in to Azure AD](https://aad.portal.azure.com) with Global Administrator or group Owner permissions.

-1. Select **Groups** and then select the role-assignable group you want to manage. You can search or filter the list.

- 

-1. Open the group and select **Privileged access (Preview)**.

- 

-1. Select the role that you want to update or remove.

-1. Find the role assignment on the **Eligible roles** or **Active roles** tabs.

- 

-1. Select **Update** or **Remove** to update or remove the role assignment.

- For information about extending a role assignment, see [Extend or renew Azure resource roles in Privileged Identity Management](pim-resource-roles-renew-extend.md).

-description: View activity and audit history for privileged access group assignments in Azure AD Privileged Identity Management (PIM).

-# Audit activity history for privileged access group assignments (preview) in Privileged Identity Management

-With Privileged Identity Management (PIM), you can view activity, activations, and audit history for Azure privileged access group members and owners within your organization in Azure Active Directory (Azure AD), part of Microsoft Entra.

-Follow these steps to view the audit history for privileged access groups.

-**Resource audit** gives you a view of all activity associated with your privileged access groups.

-1. Open **Azure AD Privileged Identity Management**.

-1. Select **Privileged access groups (Preview)**.

-1. Select the privileged access group you want to view audit history for.

-1. Under **Activity**, select **Resource audit**.

-1. Filter the history using a predefined date or custom range.

- 

-**My audit** enables you to view your personal role activity for a privileged access group.

-1. Open **Azure AD Privileged Identity Management**.

-1. Select **Privileged access groups (Preview)**.

-1. Select the privileged access group you want to view audit history for.

-1. Under **Activity**, select **My audit**.

-1. Filter the history using a predefined date or custom range.

- 

-description: Learn how to onboard role-assignable groups to manage as privileged access groups in Privileged Identity Management (PIM).

-# Bring privileged access groups (preview) into Privileged Identity Management

-In Azure Active Directory (Azure AD), part of Microsoft Entra, you can assign Azure AD built-in roles to cloud groups to simplify how you manage role assignments. To protect Azure AD roles and to secure access, you can now use Privileged Identity Management (PIM) to manage just-in-time access for members or owners of these groups. To manage an Azure AD role-assignable group as a privileged access group in Privileged Identity Management, you must bring it under management in PIM.

-You can create a role-assignable group in Azure AD as described in [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md). You must be in the group Owner role, Global Administrator role, or Privileged Role Administrator role to bring the group under management with Privileged Identity Management.

-1. [Sign in to Azure AD](https://aad.portal.azure.com) with appropriate role permissions.

-1. Select **Groups** and then select the role-assignable group you want to manage in PIM. You can search and filter the list.

- 

-1. Open the group and select **Privileged access (Preview)**.

- 

-1. Start managing assignments in PIM.

- 

-> Once a privileged access group is managed, it can't be taken out of management. This prevents another resource administrator from removing Privileged Identity Management settings.

-> If a privileged access group is deleted from Azure Active Directory, it may take up to 24 hours for the group to be removed from the Privileged access groups (Preview) blade.

-description: How to manage members and owners of privileged access groups in Privileged Identity Management (PIM)

-#Customer intent: As a dev or IT admin, I want to manage group assignments in PIM, so that I can grant eligibility for elevation to a role assigned via group membership

-# Management capabilities for Privileged Access groups (preview)

-In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of privileged access groups. Starting with this preview, you can assign built-in roles in Azure Active Directory (Azure AD), part of Microsoft Entra, to cloud groups and use PIM to manage group member and owner eligibility and activation. For more information about role-assignable groups in Azure AD, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).

-> [!IMPORTANT]

-> To provide a group of users with just-in-time access to Azure AD directory roles with permissions in SharePoint, Exchange, or Security & Compliance Center (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation. If instead you make active assignment of a role to a group and assign users to be eligible to group membership, it might take significant time to have all permissions of the role activated and ready to use.

-> [!NOTE]

-> For privileged access groups that are used to elevate into Azure AD roles, we recommend that you require an approval process for eligible member assignments. Assignments that can be activated without approval might create a security risk from administrators who have a lower level of permissions. For example, the Helpdesk Administrator has permissions to reset an eligible user's password.

-## Require different policies for each role assignable group

-Some organizations use tools like Azure AD business-to-business (B2B) collaboration to invite their partners as guests to their Azure AD organization. Instead of a single just-in-time policy for all assignments to a privileged role, you can create two different privileged access groups with their own policies. You can enforce less strict requirements for your trusted employees, and stricter requirements like approval workflow for your partners when they request activation into their assigned role.

-## Activate multiple role assignments in a single request

-With the privileged access groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 0 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. You can create a role-assignable group called ΓÇ£Tier 0 Office AdminsΓÇ¥, and make it eligible for assignment to the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can assign your admins and owners to the group. When the admins elevate the group into the roles, your staff will have permissions from all four Azure AD roles.

-## Extend and renew group assignments

-After you set up your time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:

-Both user-initiated actions require an approval from a Global administrator or Privileged role administrator. Admins will no longer need to be in the business of managing these expirations. They can just wait for the extension or renewal requests and approve them if the request is valid.

-## Next steps

-description: Learn how to extend or renew role-assignable group assignments in Azure AD Privileged Identity Management (PIM).

-# Extend or renew privileged access group assignments (preview) in Privileged Identity Management

-Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for privileged access groups. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

-Only administrators of the resource can extend or renew privileged access group assignments. The affected user or group can request to extend assignments that are about to expire and request to renew assignments that are already expired.

-The following steps outline the process for requesting, resolving, or administering an extension or renewal of a group assignment.

-Users assigned to a privileged access group can extend expiring group assignments directly from the **Eligible** or **Active** tab on the **Assignments** page for the group. Users or groups can request to extend eligible and active assignments that expire in the next 14 days.

-

-

-In a matter of moments, administrators receive an email notification requesting that they review the extension request. If a request to extend has already been submitted, an Azure notification appears in the portal.

-

-

-

-

-

-

-description: Learn how to configure role-assignable groups settings in Azure AD Privileged Identity Management (PIM).

-# Configure privileged access group settings (preview) in Privileged Identity Management

-Role settings are the default settings that are applied to group owner and group member privileged access assignments in Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. Use the following steps to set up the approval workflow to specify who can approve or deny requests to elevate privilege.

-## Open role settings

-Follow these steps to open the settings for an Azure privileged access group role.

-1. Sign in to the [Azure portal](https://portal.azure.com/) with a user in the [Global Administrator](../roles/permissions-reference.md#global-administrator) role, the Privileged Role Administrator role, or the group Owner role.

-1. Open **Azure AD Privileged Identity Management**.

-1. Select **Privileged access (Preview)**.

- >[!NOTE]

- > Approver doesn't have to be member of the group, owner of the group or have Azure AD role assigned.

-1. Select the group that you want to manage.

- 

- 

-1. Select the Owner or Member role whose settings you want to view or change. You can view the current settings for the role in the **Role setting details** page.

- 

-1. Select **Edit** to open the **Edit role setting** page. The **Activation** tab allows you to change the role activation settings, including whether to allow permanent eligible and active assignments.

- 

-1. Select the **Assignment** tab to open the assignment settings tab. These settings control the Privileged Identity Management assignment settings for this role.

- 

-1. Use the **Notification** tab or the **Next: Activation** button at the bottom of the page to get to the notification setting tab for this role. These settings control all the email notifications related to this role.

- 

-1. Select the **Update** button at any time to update the role settings.

-In the **Notifications** tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

-## Assignment duration

-## Require multifactor authentication

-Privileged Identity Management provides optional enforcement of Azure AD Multi-Factor Authentication for two distinct scenarios.

-### Require multifactor authentication on active assignment

-This option requires admins must complete multifactor authentication before creating an active (as opposed to eligible) role assignment. Privileged Identity Management can't enforce multifactor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.

-To require multifactor authentication when creating an active role assignment, select the **Require Multi-Factor Authentication on active assignment** check box.

-### Require multifactor authentication on activation

-You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multifactor authentication ensures that the user is who they say they are with reasonable certainty. Enforcing this option protects critical resources in situations when the user account might have been compromised.

-To require multifactor authentication before activation, check the **Require Multi-Factor Authentication on activation** box.

-For more information, see [Multifactor authentication and Privileged Identity Management](pim-how-to-require-mfa.md).

-## Activation maximum duration

-Use the **Activation maximum duration** slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.

-## Require justification

-You can require that users enter a business justification when they activate. To require justification, check the **Require justification on active assignment** box or the **Require justification on activation** box.

-## Require approval to activate

-If you want to require approval to activate a role, follow these steps.

-1. Check the **Require approval to activate** check box.

-1. Select **Select approvers** to open the **Select a member or group** page.

- 

-1. Select at least one user or group and then click **Select**. You can add any combination of users and groups. You must select at least one approver. There are no default approvers.

- Your selections will appear in the list of selected approvers.

-1. Once you have specified your all your role settings, select **Update** to save your changes.

-In this case, you should use privileged access groups. Create a privileged access group and grant it permanent active access to multiple roles. See [privileged access groups management capabilities](groups-features.md).

-If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups, instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see [Management capabilities for privileged access Azure AD groups](../privileged-identity-management/groups-features.md).

-In this case, you should use [privileged access groups](../privileged-identity-management/groups-features.md). Create a privileged access group and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they will have access to all the linked resources.

-> [!NOTE]

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> [!NOTE]

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> [!NOTE]

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> [!NOTE]

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for preview features, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for preview features, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> [!NOTE]

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-kubectl apply -f cluster-issuer.yaml

-AKS-managed Azure AD integration simplifies the Azure AD integration process. Previously, users were required to create a client and server app, and required the Azure AD tenant to grant Directory Read permissions. In the new version, the AKS resource provider manages the client and server apps for you.

-Learn more about the Azure AD integration flow on the [Azure Active Directory integration concepts documentation](concepts-identity.md#azure-ad-integration).

-## Limitations

-* AKS-managed Azure AD integration can't be disabled

-* Changing a AKS-managed Azure AD integrated cluster to legacy AAD is not supported

-* Clusters without Kubernetes RBAC enabled aren't supported for AKS-managed Azure AD integration

-* The Azure CLI version 2.29.0 or later

-* Kubectl with a minimum version of [1.18.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1181) or [kubelogin](https://github.com/Azure/kubelogin)

-* If you are using [helm](https://github.com/helm/helm), minimum version of helm 3.3.

-> [!Important]

-> You must use Kubectl with a minimum version of 1.18.1 or kubelogin. The difference between the minor versions of Kubernetes and kubectl should not be more than 1 version. If you don't use the correct version, you will notice authentication issues.

-To install kubectl and kubelogin, use the following commands:

-For your cluster, you need an Azure AD group. This group will be registered as an admin group on the cluster to grant cluster admin permissions. You can use an existing Azure AD group, or create a new one. Record the object ID of your Azure AD group.

-To create a new Azure AD group for your cluster administrators, use the following command:

-Create an AKS cluster by using the following CLI commands.

-Create an Azure resource group:

-Create an AKS cluster, and enable administration access for your Azure AD group

-A successful creation of an AKS-managed Azure AD cluster has the following section in the response body

-Once the cluster is created, you can start accessing it.

-Get the user credentials to access the cluster:

-

-Follow the instructions to sign in.

-Use the kubectl get nodes command to view nodes in the cluster:

-Configure [Azure role-based access control (Azure RBAC)](./azure-ad-rbac.md) to configure additional security groups for your clusters.

-> [!Important]

-> The steps described below are bypassing the normal Azure AD group authentication. Use them only in an emergency.

-To do these steps, you'll need to have access to the [Azure Kubernetes Service Cluster Admin](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) built-in role.

-## Enable AKS-managed Azure AD Integration on your existing cluster

-You can enable AKS-managed Azure AD Integration on your existing Kubernetes RBAC enabled cluster. Ensure to set your admin group to keep access on your cluster.

-A successful activation of an AKS-managed Azure AD cluster has the following section in the response body

-## Upgrading to AKS-managed Azure AD Integration

-If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD Integration.

-A successful migration of an AKS-managed Azure AD cluster has the following section in the response body

-Update kubeconfig in order to access the cluster, follow the steps [here][access-cluster].

-There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with kubectl. You can use [`kubelogin`](https://github.com/Azure/kubelogin) to access the cluster with non-interactive service principal sign-in.

-When deploying an AKS Cluster, local accounts are enabled by default. Even when enabling RBAC or Azure Active Directory integration, `--admin` access still exists, essentially as a non-auditable backdoor option. With this in mind, AKS offers users the ability to disable local accounts via a flag, `disable-local-accounts`. A field, `properties.disableLocalAccounts`, has also been added to the managed cluster API to indicate whether the feature has been enabled on the cluster.

-> [!NOTE]

-> On clusters with Azure AD integration enabled, users belonging to a group specified by `aad-admin-group-object-ids` will still be able to gain access via non-admin credentials. On clusters without Azure AD integration enabled and `properties.disableLocalAccounts` set to true, obtaining both user and admin credentials will fail.

-> After disabling local accounts users on an already existing AKS cluster where users might have used local account/s, admin must [rotate the cluster certificates](certificate-rotation.md), in order to revoke the certificates those users might have access to. If this is a new cluster then no action is required.

-To create a new AKS cluster without any local accounts, use the [az aks create][az-aks-create] command with the `disable-local-accounts` flag:

-In the output, confirm local accounts have been disabled by checking the field `properties.disableLocalAccounts` is set to true:

-Operation failed with status: 'Bad Request'. Details: Getting static credential is not allowed because this cluster is set to disable local accounts.

-To disable local accounts on an existing AKS cluster, use the [az aks update][az-aks-update] command with the `disable-local-accounts` flag:

-In the output, confirm local accounts have been disabled by checking the field `properties.disableLocalAccounts` is set to true:

-Operation failed with status: 'Bad Request'. Details: Getting static credential is not allowed because this cluster is set to disable local accounts.

-AKS also offers the ability to re-enable local accounts on an existing cluster with the `enable-local` flag:

-In the output, confirm local accounts have been re-enabled by checking the field `properties.disableLocalAccounts` is set to false:

-To create an example Conditional Access policy to use with AKS, complete the following steps:

-1. At the top of the Azure portal, search for and select Azure Active Directory.

-1. In the menu for Azure Active Directory on the left-hand side, select *Enterprise applications*.

-1. In the menu for Enterprise applications on the left-hand side, select *Conditional Access*.

-1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.

-1. Enter a name for the policy such as *aks-policy*.

-1. Select *Users and groups*, then under *Include* select *Select users and groups*. Choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administration access to your cluster.

-1. Select *Cloud apps or actions*, then under *Include* select *Select apps*. Search for *Azure Kubernetes Service* and select *Azure Kubernetes Service AAD Server*.

-1. Under *Access controls*, select *Grant*. Select *Grant access* then *Require device to be marked as compliant*.

-1. Under *Enable policy*, select *On* then *Create*.

-Get the user credentials to access the cluster, for example:

-```azurecli-interactive

- az aks get-credentials --resource-group myResourceGroup --name myManagedCluster

-```

-Follow the instructions to sign in.

-Use the `kubectl get nodes` command to view nodes in the cluster:

-```azurecli-interactive

-kubectl get nodes

-```

-Follow the instructions to sign in again. Notice there is an error message stating you are successfully logged in, but your admin requires the device requesting access to be managed by your Azure AD to access the resource.

-In the Azure portal, navigate to Azure Active Directory, select *Enterprise applications* then under *Activity* select *Sign-ins*. Notice an entry at the top with a *Status* of *Failed* and a *Conditional Access* of *Success*. Select the entry then select *Conditional Access* in *Details*. Notice your Conditional Access policy is listed.

-1. At the top of the Azure portal, search for and select Azure Active Directory.

-1. Take note of the Tenant ID, referred to for the rest of these instructions as `<tenant-id>`

-1. In the menu for Azure Active Directory on the left-hand side, under *Manage* select *Groups* then *New Group*.

-1. Make sure a Group Type of *Security* is selected and enter a group name, such as *myJITGroup*. Under *Azure AD Roles can be assigned to this group (Preview)*, select *Yes*. Finally, select *Create*.

-1. You will be brought back to the *Groups* page. Select your newly created group and take note of the Object ID, referred to for the rest of these instructions as `<object-id>`.

-1. Deploy an AKS cluster with AKS-managed Azure AD integration by using the `<tenant-id>` and `<object-id>` values from earlier:

-1. Back in the Azure portal, in the menu for *Activity* on the left-hand side, select *Privileged Access (Preview)* and select *Enable Privileged Access*.

-1. Select *Add Assignments* to begin granting access.

-1. Select a role of *member*, and select the users and groups to whom you wish to grant cluster access. These assignments can be modified at any time by a group admin. When you're ready to move on, select *Next*.

-1. Choose an assignment type of *Active*, the desired duration, and provide a justification. When you're ready to proceed, select *Assign*. For more on assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management][aad-assignments].

-Note the authentication requirement and follow the steps to authenticate. If successful, you should see output similar to the following:

-3. Associate the group you just configured at the namespace level with PIM to complete the configuration.

-If `kubectl get nodes` returns an error similar to the following:

-* Learn about [Azure RBAC integration for Kubernetes Authorization][azure-rbac-integration]

-* Use [Azure Resource Manager (ARM) templates ][aks-arm-template] to create AKS-managed Azure AD enabled clusters.

-| 1.26 | Dec 2022 | Jan 2023 | Feb 2023 | Feb 2024

-|Security patches and hot fixes for node images|As-necessary||||

-| Load balance traffic in the same region | [Application Gateway with service endpoints][appgwserviceendpoints] |

-To learn how to set an address on your app, see [Add a TLS/SSL certificate in Azure App Service][appassignedaddress].

-[Using private endpoints for Azure Web App][privateendpoints].

-When the app, in App Service, does a DNS lookup on the host and port defined in your hybrid connection, the traffic automatically redirects to go through the hybrid connection and out of Hybrid Connection Manager. To learn more, see [App Service Hybrid Connections][hybridconn].

-### Gateway-required virtual network integration

-Gateway-required App Service virtual network integration enables your app to make *outbound* requests into an Azure virtual network. The feature works by connecting the host your app is running on to a Virtual Network gateway on your virtual network by using a point-to-site VPN. When you configure the feature, your app gets one of the point-to-site addresses assigned to each instance. This feature enables you to access resources in either classic or Azure Resource Manager virtual networks in any region.

-

-This feature solves the problem of accessing resources in other virtual networks. It can even be used to connect through a virtual network to either other virtual networks or on-premises. It doesn't work with ExpressRoute-connected virtual networks, but it does work with site-to-site VPN-connected networks. It's inappropriate to use this feature from an app in an App Service Environment (ASE) because the ASE is already in your virtual network. Use cases for this feature:

-* Access resources in cross region virtual networks that aren't peered to a virtual network in the region.

-When this feature is enabled, your app will use the DNS server that the destination virtual network is configured with. For more information on this feature, see [App Service virtual network integration][vnetintegrationp2s].

-### <a id="regional-vnet-integration"></a>Regional virtual network integration

-Gateway-required virtual network integration is useful, but it doesn't solve the problem of accessing resources across ExpressRoute. On top of needing to reach across ExpressRoute connections, there's a need for apps to be able to make calls to services secured by service endpoint. Another virtual network integration capability can meet these needs.

-The regional virtual network integration feature enables you to place the back end of your app in a subnet in a Resource Manager virtual network in the same region as your app. This feature isn't available from an App Service Environment, which is already in a virtual network. Use cases for this feature:

-To learn more, see [App Service virtual network integration][vnetintegration].

- * An ASE runs inside your virtual network, but it does have dependencies outside the virtual network. Those dependencies must be allowed. For more information, see [Networking considerations for an App Service Environment][networkinfo].

-The features noted for the multi-tenant service can be used together to solve more elaborate use cases. Two of the more common use cases are described here, but they're just examples. By understanding what the various features do, you can meet nearly all your system architecture needs.

-Configuring private endpoints will expose your apps on a private address, but you'll need to configure DNS to reach that address from on-premises. To make this configuration work, you'll need to forward the Azure DNS private zone that contains your private endpoints to your on-premises DNS servers. Azure DNS private zones don't support zone forwarding, but you can support zone forwarding by using a DNS server for that purpose. The [DNS Forwarder](https://azure.microsoft.com/resources/templates/dns-forwarder/) template makes it easier to forward your Azure DNS private zone to your on-premises DNS servers.

-| Infrastructure use | 7654, 1221 |

-<!--Links-->

-[appassignedaddress]: ./configure-ssl-certificate.md

-[serviceendpoints]: ./app-service-ip-restrictions.md

-[hybridconn]: ./app-service-hybrid-connections.md

-[vnetintegrationp2s]: ./overview-vnet-integration.md

-[vnetintegration]: ./overview-vnet-integration.md

-[networkinfo]: ./environment/network-info.md

-[appgwserviceendpoints]: ./networking/app-gateway-with-service-endpoints.md

-[privateendpoints]: ./networking/private-endpoint.md

-[servicetags]: ../virtual-network/service-tags-overview.md

- `az rest --uri /subscriptions/REPLACE-ME-SUBSCRIPTIONID/resourceGroups/REPLACE-ME-RESOURCEGROUP/providers/Microsoft.Web/sites/REPLACE-ME-APPNAME?api-version=2020-09-01 --method get > auth.json`

- `az rest --uri /subscriptions/REPLACE-ME-SUBSCRIPTIONID/resourceGroups/REPLACE-ME-RESOURCEGROUP/providers/Microsoft.Web/sites/REPLACE-ME-APPNAME?api-version=2020-09-01 --method put --body @auth.json`

-Check the current version of Log Analytics agent for your machine:  Go to the installation path - *C:\ProgramFiles\Microsoft Monitoring Agent\Agent* and right-click on *HealthService.exe* to check **Properties**. In the **Details** tab, the field **Product version** provides version number of the Log Analytics agent.

-If your Log Analytics agent version is prior to [10.20.18053 (bundle) and 1.0.18053.0 (extension)](../../virtual-machines/extensions/oms-windows.md#agent-and-vm-extension-version), upgrade to the latest version of the Windows Log Analytics agent, following these [guidelines](../../azure-monitor/agents/agent-manage.md).ΓÇ»

-## Version 1.21 - August 2022

-### New features

- - The `--subscription-id (-s)` parameter now accepts friendly names in addition to subscription IDs

- - Automatic registration of any missing resource providers for first-time users (additional user permissions required to register resource providers)

- - A progress bar now appears while the resource is being created and connected

- - The onboarding script now supports both the yum and dnf package managers on RPM-based Linux systems

-### Fixed

-## Version 1.20 - July 2022

-### Known issues

-### New features

- - GCP VM OS is no longer collected

- - CPU logical core count is now collected

-### Fixed

-* Red Hat Enterprise Linux (RHEL) 7 and 8

- > Zone redundancy doesn't support AOF persistence or work with geo-replication currently.

-1. On the page that lists the information that you entered, select **Test action group**.

-2. Select a sample type and the notification and action types that you want to test. Then select **Test**.

-3. If you close the window or select **Back to test setup** while the test is running, the test is stopped, and you don't get test results.

-4. When the test is complete, a test status of either **Success** or **Failed** appears. If the test failed and you'd like to get more information, select **View details**.

-You can use the information in the **Error details** section to understand the issue. Then you can edit and test the action group again.

-description: This article explains the common alert schema definitions for Azure Monitor.

-# Common alert schema definitions

-This article describes the [common alert schema definitions](./alerts-common-schema.md) for Azure Monitor. It includes the definitions for webhooks, Azure Logic Apps, Azure Functions, and Azure Automation runbooks.

-Any alert instance describes the resource that was affected and the cause of the alert. These instances are described in the common schema in the following sections:

-* **Essentials**: A set of standardized fields that are common across all alert types. Fields describe what resource the alert is on, along with other common alert metadata. Examples are severity or description.

-* **Alert context**: A set of fields that describe the cause of the alert. Fields vary based on the alert type. For example, a metric alert includes fields like the metric name and metric value in the alert context. An activity log alert has information about the event that generated the alert.

-**Sample alert payload**

-```json

-{

- "schemaId": "azureMonitorCommonAlertSchema",

- "data": {

- "essentials": {

- "alertId": "/subscriptions/<subscription ID>/providers/Microsoft.AlertsManagement/alerts/b9569717-bc32-442f-add5-83a997729330",

- "alertRule": "WCUS-R2-Gen2",

- "severity": "Sev3",

- "signalType": "Metric",

- "monitorCondition": "Resolved",

- "monitoringService": "Platform",

- "alertTargetIDs": [

- "/subscriptions/<subscription ID>/resourcegroups/pipelinealertrg/providers/microsoft.compute/virtualmachines/wcus-r2-gen2"

- ],

- "configurationItems": [

- "wcus-r2-gen2"

- ],

- "originAlertId": "3f2d4487-b0fc-4125-8bd5-7ad17384221e_PipeLineAlertRG_microsoft.insights_metricAlerts_WCUS-R2-Gen2_-117781227",

- "firedDateTime": "2019-03-22T13:58:24.3713213Z",

- "resolvedDateTime": "2019-03-22T14:03:16.2246313Z",

- "description": "",

- "essentialsVersion": "1.0",

- "alertContextVersion": "1.0"

- },

- "alertContext": {

- "properties": null,

- "conditionType": "SingleResourceMultipleMetricCriteria",

- "condition": {

- "windowSize": "PT5M",

- "allOf": [

- {

- "metricName": "Percentage CPU",

- "metricNamespace": "Microsoft.Compute/virtualMachines",

- "operator": "GreaterThan",

- "threshold": "25",

- "timeAggregation": "Average",

- "dimensions": [

- {

- "name": "ResourceId",

- "value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"

- }

- ],

- "metricValue": 7.727

- }

- ]

- }

- }

- }

-}

-```

-## Essentials

-| Field | Description|

-|:|:|

-| alertId | The unique resource ID that identifies the alert instance. |

-| alertRule | The name of the alert rule that generated the alert instance. |

-| Severity | The severity of the alert. Possible values are Sev0, Sev1, Sev2, Sev3, or Sev4. |

-| signalType | Identifies the signal on which the alert rule was defined. Possible values are Metric, Log, or Activity Log. |

-| monitorCondition | When an alert fires, the alert's monitor condition is set to **Fired**. When the underlying condition that caused the alert to fire clears, the monitor condition is set to **Resolved**. |

-| monitoringService | The monitoring service or solution that generated the alert. The fields for the alert context are dictated by the monitoring service. |

-| alertTargetIds | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |

-| configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the telemetry and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the `configurationItem` values are taken from explicitly defined dimensions in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li><li>In earlier versions of the log alerts API, the `configurationItem` values are taken implicitly from the results in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li></ul>In ITSM systems, the `configurationItems` field is used to correlate alerts to resources in a configuration management database. |

-| originAlertId | The ID of the alert instance, as generated by the monitoring service generating it. |

-| firedDateTime | The date and time when the alert instance was fired in Coordinated Universal Time (UTC). |

-| resolvedDateTime | The date and time when the monitor condition for the alert instance is set to **Resolved** in UTC. Currently only applicable for metric alerts.|

-| description | The description, as defined in the alert rule. |

-|essentialsVersion| The version number for the essentials section.|

-|alertContextVersion | The version number for the `alertContext` section. |

-**Sample values**

-```json

-{

- "essentials": {

- "alertId": "/subscriptions/<subscription ID>/providers/Microsoft.AlertsManagement/alerts/b9569717-bc32-442f-add5-83a997729330",

- "alertRule": "Contoso IT Metric Alert",

- "severity": "Sev3",

- "signalType": "Metric",

- "monitorCondition": "Fired",

- "monitoringService": "Platform",

- "alertTargetIDs": [

- "/subscriptions/<subscription ID>/resourceGroups/aimon-rg/providers/Microsoft.Insights/components/ai-orion-int-fe"

- ],

- "originAlertId": "74ff8faa0c79db6084969cf7c72b0710e51aec70b4f332c719ab5307227a984f",

- "firedDateTime": "2019-03-26T05:25:50.4994863Z",

- "description": "Test Metric alert",

- "essentialsVersion": "1.0",

- "alertContextVersion": "1.0"

- }

-}

-```

-## Alert context

-The following fields describe the cause of an alert.

-### Metric alerts - Static threshold

-#### `monitoringService` = `Platform`

-**Sample values**

-```json

-{

- "alertContext": {

- "properties": null,

- "conditionType": "SingleResourceMultipleMetricCriteria",

- "condition": {

- "windowSize": "PT5M",

- "allOf": [

- {

- "metricName": "Percentage CPU",

- "metricNamespace": "Microsoft.Compute/virtualMachines",

- "operator": "GreaterThan",

- "threshold": "25",

- "timeAggregation": "Average",

- "dimensions": [

- {

- "name": "ResourceId",

- "value": "3efad9dc-3d50-4eac-9c87-8b3fd6f97e4e"

- }

- ],

- "metricValue": 31.1105

- }

- ],

- "windowStartTime": "2019-03-22T13:40:03.064Z",

- "windowEndTime": "2019-03-22T13:45:03.064Z"

- }

- }

-}

-```

-### Metric alerts - Dynamic threshold

-#### `monitoringService` = `Platform`

-**Sample values**

-```json

-{

- "alertContext": {

- "properties": null,

- "conditionType": "DynamicThresholdCriteria",

- "condition": {

- "windowSize": "PT5M",

- "allOf": [

- {

- "alertSensitivity": "High",

- "failingPeriods": {

- "numberOfEvaluationPeriods": 1,

- "minFailingPeriodsToAlert": 1

- },

- "ignoreDataBefore": null,

- "metricName": "Egress",

- "metricNamespace": "microsoft.storage/storageaccounts",

- "operator": "GreaterThan",

- "threshold": "47658",

- "timeAggregation": "Total",

- "dimensions": [],

- "metricValue": 50101

- }

- ],

- "windowStartTime": "2021-07-20T05:07:26.363Z",

- "windowEndTime": "2021-07-20T05:12:26.363Z"

- }

- }

-}

-```

-### Metric alerts - Availability tests

-#### `monitoringService` = `Platform`

-**Sample values**

-```json

-{

- "alertContext": {

- "properties": null,

- "conditionType": "WebtestLocationAvailabilityCriteria",

- "condition": {

- "windowSize": "PT5M",

- "allOf": [

- {

- "metricName": "Failed Location",

- "metricNamespace": null,

- "operator": "GreaterThan",

- "threshold": "2",

- "timeAggregation": "Sum",

- "dimensions": [],

- "metricValue": 5,

- "webTestName": "myAvailabilityTest-myApplication"

- }

- ],

- "windowStartTime": "2019-03-22T13:40:03.064Z",

- "windowEndTime": "2019-03-22T13:45:03.064Z"

- }

- }

-}

-```

-### Log alerts

-> [!NOTE]

-> For log alerts that have a custom email subject and/or JSON payload defined, enabling the common schema reverts email subject and/or payload schema to the one described as follows. This means that if you want to have a custom JSON payload defined, the webhook can't use the common alert schema. Alerts with the common schema enabled have an upper size limit of 256 KB per alert. Search results aren't embedded in the log alerts payload if they cause the alert size to cross this threshold. You can determine this by checking the flag `IncludedSearchResults`. When the search results aren't included, use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get).

-#### `monitoringService` = `Log Analytics`

-**Sample values**

-```json

-{

- "alertContext": {

- "SearchQuery": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer",

- "SearchIntervalStartTimeUtc": "3/22/2019 1:36:31 PM",

- "SearchIntervalEndtimeUtc": "3/22/2019 1:51:31 PM",

- "ResultCount": 2,

- "LinkToSearchResults": "https://portal.azure.com/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",

- "LinkToFilteredSearchResultsUI": "https://portal.azure.com/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",

- "LinkToSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",

- "LinkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",

- "SeverityDescription": "Warning",

- "WorkspaceId": "12345a-1234b-123c-123d-12345678e",

- "SearchIntervalDurationMin": "15",

- "AffectedConfigurationItems": [

- "INC-Gen2Alert"

- ],

- "SearchIntervalInMinutes": "15",

- "Threshold": 10000,

- "Operator": "Less Than",

- "Dimensions": [

- {

- "name": "Computer",

- "value": "INC-Gen2Alert"

- }

- ],

- "SearchResults": {

- "tables": [

- {

- "name": "PrimaryResult",

- "columns": [

- {

- "name": "$table",

- "type": "string"

- },

- {

- "name": "Computer",

- "type": "string"

- },

- {

- "name": "TimeGenerated",

- "type": "datetime"

- }

- ],

- "rows": [

- [

- "Fabrikam",

- "33446677a",

- "2018-02-02T15:03:12.18Z"

- ],

- [

- "Contoso",

- "33445566b",

- "2018-02-02T15:16:53.932Z"

- ]

- ]

- }

- ],

- "dataSources": [

- {

- "resourceId": "/subscriptions/a5ea55e2-7482-49ba-90b3-60e7496dd873/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",

- "tables": [

- "Heartbeat"

- ]

- }

- ]

- },

- "IncludedSearchResults": "True",

- "AlertType": "Metric measurement"

- }

-}

-```

-#### `monitoringService` = `Application Insights`

-**Sample values**

-```json

-{

- "alertContext": {

- "SearchQuery": "requests | where resultCode == \"500\" | summarize AggregatedValue = Count by bin(Timestamp, 5m), IP",

- "SearchIntervalStartTimeUtc": "3/22/2019 1:36:33 PM",

- "SearchIntervalEndtimeUtc": "3/22/2019 1:51:33 PM",

- "ResultCount": 2,

- "LinkToSearchResults": "https://portal.azure.com/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",

- "LinkToFilteredSearchResultsUI": "https://portal.azure.com/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",

- "LinkToSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",

- "LinkToFilteredSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",

- "SearchIntervalDurationMin": "15",

- "SearchIntervalInMinutes": "15",

- "Threshold": 10000.0,

- "Operator": "Less Than",

- "ApplicationId": "8e20151d-75b2-4d66-b965-153fb69d65a6",

- "Dimensions": [

- {

- "name": "IP",

- "value": "1.1.1.1"

- }

- ],

- "SearchResults": {

- "tables": [

- {

- "name": "PrimaryResult",

- "columns": [

- {

- "name": "$table",

- "type": "string"

- },

- {

- "name": "Id",

- "type": "string"

- },

- {

- "name": "Timestamp",

- "type": "datetime"

- }

- ],

- "rows": [

- [

- "Fabrikam",

- "33446677a",

- "2018-02-02T15:03:12.18Z"

- ],

- [

- "Contoso",

- "33445566b",

- "2018-02-02T15:16:53.932Z"

- ]

- ]

- }

- ],

- "dataSources": [

- {

- "resourceId": "/subscriptions/a5ea27e2-7482-49ba-90b3-52e7496dd873/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/test",

- "tables": [

- "Heartbeat"

- ]

- }

- ]

- },

- "IncludedSearchResults": "True",

- "AlertType": "Metric measurement"

- }

-}

-```

-#### `monitoringService` = `Log Alerts V2`

-> [!NOTE]

-> Log alerts rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts. You can also use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links to generate a custom payload.

-**Sample values**

-```json

-{

- "alertContext": {

- "properties": {

- "name1": "value1",

- "name2": "value2"

- },

- "conditionType": "LogQueryCriteria",

- "condition": {

- "windowSize": "PT10M",

- "allOf": [

- {

- "searchQuery": "Heartbeat",

- "metricMeasureColumn": "CounterValue",

- "targetResourceTypes": "['Microsoft.Compute/virtualMachines']",

- "operator": "LowerThan",

- "threshold": "1",

- "timeAggregation": "Count",

- "dimensions": [

- {

- "name": "Computer",

- "value": "TestComputer"

- }

- ],

- "metricValue": 0.0,

- "failingPeriods": {

- "numberOfEvaluationPeriods": 1,

- "minFailingPeriodsToAlert": 1

- },

- "linkToSearchResultsUI": "https://portal.azure.com#@12345a-1234b-123c-123d-12345678e/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%212345a-1234b-123c-123d-12345678e%2FresourceGroups%2FContoso%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FContoso%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",

- "linkToFilteredSearchResultsUI": "https://portal.azure.com#@12345a-1234b-123c-123d-12345678e/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%212345a-1234b-123c-123d-12345678e%2FresourceGroups%2FContoso%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FContoso%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",

- "linkToSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/Contoso/providers/Microsoft.Compute/virtualMachines/Contoso/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29&timespan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",

- "linkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/Contoso/providers/Microsoft.Compute/virtualMachines/Contoso/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29&timespan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z"

- }

- ],

- "windowStartTime": "2020-07-07T13:54:34Z",

- "windowEndTime": "2020-07-09T13:54:34Z"

- }

- }

-}

-```

-### Activity log alerts

-#### `monitoringService` = `Activity Log - Administrative`

-**Sample values**

-```json

-{

- "alertContext": {

- "authorization": {

- "action": "Microsoft.Compute/virtualMachines/restart/action",

- "scope": "/subscriptions/<subscription ID>/resourceGroups/PipeLineAlertRG/providers/Microsoft.Compute/virtualMachines/WCUS-R2-ActLog"

- },

- "channels": "Operation",

- "claims": "{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/12345a-1234b-123c-123d-12345678e/\",\"iat\":\"1553260826\",\"nbf\":\"1553260826\",\"exp\":\"1553264726\",\"aio\":\"42JgYNjdt+rr+3j/dx68v018XhuFAwA=\",\"appid\":\"e9a02282-074f-45cf-93b0-50568e0e7e50\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/12345a-1234b-123c-123d-12345678e/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"9778283b-b94c-4ac6-8a41-d5b493d03aa3\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9778283b-b94c-4ac6-8a41-d5b493d03aa3\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"12345a-1234b-123c-123d-12345678e\",\"uti\":\"v5wYC9t9ekuA2rkZSVZbAA\",\"ver\":\"1.0\"}",

- "caller": "9778283b-b94c-4ac6-8a41-d5b493d03aa3",

- "correlationId": "8ee9c32a-92a1-4a8f-989c-b0ba09292a91",

- "eventSource": "Administrative",

- "eventTimestamp": "2019-03-22T13:56:31.2917159+00:00",

- "eventDataId": "161fda7e-1cb4-4bc5-9c90-857c55a8f57b",

- "level": "Informational",

- "operationName": "Microsoft.Compute/virtualMachines/restart/action",

- "operationId": "310db69b-690f-436b-b740-6103ab6b0cba",

- "status": "Succeeded",

- "subStatus": "",

- "submissionTimestamp": "2019-03-22T13:56:54.067593+00:00"

- }

-}

-```

-#### `monitoringService` = `Activity Log - Policy`

-**Sample values**

-```json

-{

- "alertContext": {

- "authorization": {

- "action": "Microsoft.Resources/checkPolicyCompliance/read",

- "scope": "/subscriptions/<GUID>"

- },

- "channels": "Operation",

- "claims": "{\"aud\":\"https://management.azure.com/\",\"iss\":\"https://sts.windows.net/<GUID>/\",\"iat\":\"1566711059\",\"nbf\":\"1566711059\",\"exp\":\"1566740159\",\"aio\":\"42FgYOhynHNw0scy3T/bL71+xLyqEwA=\",\"appid\":\"<GUID>\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/<GUID>/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"<GUID>\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"<GUID>\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"<GUID>\",\"uti\":\"Miy1GzoAG0Scu_l3m1aIAA\",\"ver\":\"1.0\"}",

- "caller": "<GUID>",

- "correlationId": "<GUID>",

- "eventSource": "Policy",

- "eventTimestamp": "2019-08-25T11:11:34.2269098+00:00",

- "eventDataId": "<GUID>",

- "level": "Warning",

- "operationName": "Microsoft.Authorization/policies/audit/action",

- "operationId": "<GUID>",

- "properties": {

- "isComplianceCheck": "True",

- "resourceLocation": "eastus2",

- "ancestors": "<GUID>",

- "policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/<GUID>/\",\"policySetDefinitionId\":\"/providers/Microsoft.Authorization/policySetDefinitions/<GUID>/\",\"policyDefinitionReferenceId\":\"vulnerabilityAssessmentMonitoring\",\"policySetDefinitionName\":\"<GUID>\",\"policyDefinitionName\":\"<GUID>\",\"policyDefinitionEffect\":\"AuditIfNotExists\",\"policyAssignmentId\":\"/subscriptions/<GUID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn/\",\"policyAssignmentName\":\"SecurityCenterBuiltIn\",\"policyAssignmentScope\":\"/subscriptions/<GUID>\",\"policyAssignmentSku\":{\"name\":\"A1\",\"tier\":\"Standard\"},\"policyAssignmentParameters\":{}}]"

- },

- "status": "Succeeded",

- "subStatus": "",

- "submissionTimestamp": "2019-08-25T11:12:46.1557298+00:00"

- }

-}

-```

-#### `monitoringService` = `Activity Log - Autoscale`

-**Sample values**

-```json

-{

- "alertContext": {

- "channels": "Admin, Operation",

- "claims": "{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn\":\"Microsoft.Insights/autoscaleSettings\"}",

- "caller": "Microsoft.Insights/autoscaleSettings",

- "correlationId": "<GUID>",

- "eventSource": "Autoscale",

- "eventTimestamp": "2019-08-21T16:17:47.1551167+00:00",

- "eventDataId": "<GUID>",

- "level": "Informational",

- "operationName": "Microsoft.Insights/AutoscaleSettings/Scaleup/Action",

- "operationId": "<GUID>",

- "properties": {

- "description": "The autoscale engine attempting to scale resource '/subscriptions/d<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS' from 9 instances count to 10 instances count.",

- "resourceName": "/subscriptions/<GUID>/resourceGroups/voiceassistancedemo/providers/Microsoft.Compute/virtualMachineScaleSets/alexademo",

- "oldInstancesCount": "9",

- "newInstancesCount": "10",

- "activeAutoscaleProfile": "{\r\n \"Name\": \"Auto created scale condition\",\r\n \"Capacity\": {\r\n \"Minimum\": \"1\",\r\n \"Maximum\": \"10\",\r\n \"Default\": \"1\"\r\n },\r\n \"Rules\": [\r\n {\r\n \"MetricTrigger\": {\r\n \"Name\": \"Percentage CPU\",\r\n \"Namespace\": \"microsoft.compute/virtualmachinescalesets\",\r\n \"Resource\": \"/subscriptions/<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS\",\r\n \"ResourceLocation\": \"eastus\",\r\n \"TimeGrain\": \"PT1M\",\r\n \"Statistic\": \"Average\",\r\n \"TimeWindow\": \"PT5M\",\r\n \"TimeAggregation\": \"Average\",\r\n \"Operator\": \"GreaterThan\",\r\n \"Threshold\": 0.0,\r\n \"Source\": \"/subscriptions/<GUID>/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachineScaleSets/testVMSS\",\r\n \"MetricType\": \"MDM\",\r\n \"Dimensions\": [],\r\n \"DividePerInstance\": false\r\n },\r\n \"ScaleAction\": {\r\n \"Direction\": \"Increase\",\r\n \"Type\": \"ChangeCount\",\r\n \"Value\": \"1\",\r\n \"Cooldown\": \"PT1M\"\r\n }\r\n }\r\n ]\r\n}",

- "lastScaleActionTime": "Wed, 21 Aug 2019 16:17:47 GMT"

- },

- "status": "Succeeded",

- "submissionTimestamp": "2019-08-21T16:17:47.2410185+00:00"

- }

-}

-```

-#### `monitoringService` = `Activity Log - Security`

-**Sample values**

-```json

-{

- "alertContext": {

- "channels": "Operation",

- "correlationId": "<GUID>",

- "eventSource": "Security",

- "eventTimestamp": "2019-08-26T08:34:14+00:00",

- "eventDataId": "<GUID>",

- "level": "Informational",

- "operationName": "Microsoft.Security/locations/alerts/activate/action",

- "operationId": "<GUID>",

- "properties": {

- "threatStatus": "Quarantined",

- "category": "Virus",

- "threatID": "2147519003",

- "filePath": "C:\\AlertGeneration\\test.eicar",

- "protectionType": "Windows Defender",

- "actionTaken": "Blocked",

- "resourceType": "Virtual Machine",

- "severity": "Low",

- "compromisedEntity": "testVM",

- "remediationSteps": "[\"No user action is necessary\"]",

- "attackedResourceType": "Virtual Machine"

- },

- "status": "Active",

- "submissionTimestamp": "2019-08-26T09:28:58.3019107+00:00"

- }

-}

-```

-#### `monitoringService` = `ServiceHealth`

-**Sample values**

-```json

-{

- "alertContext": {

- "authorization": null,

- "channels": 1,

- "claims": null,

- "caller": null,

- "correlationId": "f3cf2430-1ee3-4158-8e35-7a1d615acfc7",

- "eventSource": 2,

- "eventTimestamp": "2019-06-24T11:31:19.0312699+00:00",

- "httpRequest": null,

- "eventDataId": "<GUID>",

- "level": 3,

- "operationName": "Microsoft.ServiceHealth/maintenance/action",

- "operationId": "<GUID>",

- "properties": {

- "title": "Azure Synapse Analytics Scheduled Maintenance Pending",

- "service": "Azure Synapse Analytics",

- "region": "East US",

- "communication": "<MESSAGE>",

- "incidentType": "Maintenance",

- "trackingId": "<GUID>",

- "impactStartTime": "2019-06-26T04:00:00Z",

- "impactMitigationTime": "2019-06-26T12:00:00Z",

- "impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"East US\"}],\"ServiceName\":\"Azure Synapse Analytics\"}]",

- "impactedServicesTableRows": "<tr>\r\n<td align='center' style='padding: 5px 10px; border-right:1px solid black; border-bottom:1px solid black'>Azure Synapse Analytics</td>\r\n<td align='center' style='padding: 5px 10px; border-bottom:1px solid black'>East US<br></td>\r\n</tr>\r\n",

- "defaultLanguageTitle": "Azure Synapse Analytics Scheduled Maintenance Pending",

- "defaultLanguageContent": "<MESSAGE>",

- "stage": "Planned",

- "communicationId": "<GUID>",

- "maintenanceId": "<GUID>",

- "isHIR": "false",

- "version": "0.1.1"

- },

- "status": "Active",

- "subStatus": null,

- "submissionTimestamp": "2019-06-24T11:31:31.7147357+00:00",

- "ResourceType": null

- }

-}

-```

-#### `monitoringService` = `Resource Health`

-**Sample values**

-```json

-{

- "alertContext": {

- "channels": "Admin, Operation",

- "correlationId": "<GUID>",

- "eventSource": "ResourceHealth",

- "eventTimestamp": "2019-06-24T15:42:54.074+00:00",

- "eventDataId": "<GUID>",

- "level": "Informational",

- "operationName": "Microsoft.Resourcehealth/healthevent/Activated/action",

- "operationId": "<GUID>",

- "properties": {

- "title": "This virtual machine is stopping and deallocating as requested by an authorized user or process",

- "details": null,

- "currentHealthStatus": "Unavailable",

- "previousHealthStatus": "Available",

- "type": "Downtime",

- "cause": "UserInitiated"

- },

- "status": "Active",

- "submissionTimestamp": "2019-06-24T15:45:20.4488186+00:00"

- }

-}

-```

-#### `monitoringService` = `Prometheus`

-**Sample values**

-```json

-{

- "alertContext": {

- "interval": "PT1M",

- "expression": "sql_up > 0",

- "expressionValue": "0",

- "for": "PT2M",

- "labels": {

- "Environment": "Prod",

- "cluster": "myCluster1"

- },

- "annotations": {

- "summary": "alert on SQL availability"

- },

- "ruleGroup": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.AlertsManagement/prometheusRuleGroups/myRuleGroup"

- }

-}

-```

-## Next steps

-#### monitoringService = Budget

-**Sample values**

-```json

-{

- "schemaId":"AIP Budget Notification",

- "data":{

- "SubscriptionName":"test-subscription",

- "SubscriptionId":"11111111-1111-1111-1111-111111111111",

- "EnrollmentNumber":"",

- "DepartmentName":"test-budgetDepartmentName",

- "AccountName":"test-budgetAccountName",

- "BillingAccountId":"",

- "BillingProfileId":"",

- "InvoiceSectionId":"",

- "ResourceGroup":"test-RG",

- "SpendingAmount":"1111.32",

- "BudgetStartDate":"11/17/2021 5:40:29 PM -08:00",

- "Budget":"10000",

- "Unit":"USD",

- "BudgetCreator":"email@domain.com",

- "BudgetName":"test-budgetName",

- "BudgetType":"Cost",

- "NotificationThresholdAmount":"8000.0"

- }

-}

-```

-#### monitoringService = Actual Cost Budget

- "configurationItems": ["budgets"],

- },

-#### monitoringService = Forecasted Budget

- "configurationItems": ["budgets"],

-#### monitoringService = Smart Alert

- Dimensions are name-value pairs that contain more data about the metric value. By using dimensions, you can filter the metrics and monitor specific time-series, instead of monitoring the aggregate of all the dimensional values. Dimensions can be either number or string columns.

-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.useAADAuth=true

-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.resources.daemonset.limits.cpu=150m amalogsagent.resources.daemonset.limits.memory=600Mi amalogsagent.resources.deployment.limits.cpu=1 amalogsagent.resources.deployment.limits.memory=750Mi

-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.logsettings.custommountpath=/home/data/docker

-az k8s-extension create --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.useAADAuth=true logAnalyticsWorkspaceResourceID=\<workspace-resource-id\>

-description: Query Azure Data Explorer data through Azure Log Analytics tools vice versa to join and analyze all your data in one place.

-# Cross service query - Azure Monitor and Azure Data Explorer

-Create cross service queries between [Azure Data Explorer](/azure/data-explorer/), [Application Insights](../app/app-insights-overview.md), and [Log Analytics](../logs/data-platform-logs.md).

-## Azure Monitor and Azure Data Explorer cross-service querying

-This experience enables you to [create cross service queries between Azure Data Explorer and Azure Monitor](/azure/data-explorer/query-monitor-data) and to [create cross service queries between Azure Monitor and Azure Data Explorer](./azure-monitor-data-explorer-proxy.md).

-For example, (querying Azure Data Explorer from Log Analytics):

-```kusto

-CustomEvents | where aField == 1

-| join (adx("Help/Samples").TableName | where secondField == 3) on $left.Key == $right.key

-```

-Where the outer query is querying a table in the workspace, and then joining with another table in an Azure Data Explorer cluster (in this case, clustername=help, databasename=samples) by using a new "adx()" function, like how you can do the same to query another workspace from inside query text.

-## Query exported Log Analytics data from Azure Blob storage account

-Exporting data from Azure Monitor to an Azure storage account enables low-cost retention and the ability to reallocate logs to different regions.

-Use Azure Data Explorer to query data that was exported from your Log Analytics workspaces. Once configured, supported tables that are sent from your workspaces to an Azure storage account will be available as a data source for Azure Data Explorer. [Query exported data from Azure Monitor using Azure Data Explorer](../logs/azure-data-explorer-query-storage.md).

->[!tip]

-> To export all data from your Log Analytics workspace to an Azure storage account or event hub, use the [Log Analytics workspace data export feature](/azure/data-explorer/query-monitor-data).

-## Next steps

-Learn how to:

-* [Query data in Azure Monitor from Azure Data Explorer](/azure/data-explorer/query-monitor-data).

-* [Query data in Azure Data Explorer from Azure Monitor](./azure-monitor-data-explorer-proxy.md).

-# Import your content from the trial account

-When creating a new ARM-based account, you have an option to import your content from the trial account into the new ARM-based account free of charge.

-## Considerations

-Review the following considerations.

-* The target ARM-based account needs to be created and available before import is assigned.

-* Target ARM-based account has to be an empty account (never indexed any media files).

- * If the account ID isn't showing, you can copy and paste the account ID from Azure portal or the account list, on the side blade in the Azure Video Indexer Portal.

-All media and content model customizations will be copied from the trial account into the new ARM-based account.

-## Next steps

-You can programmatically interact with your trial account and/or with your Azure Video Indexer accounts that are connected to Azure by following the instructions in: [Use APIs](video-indexer-use-apis.md).

-You should use the same Azure AD user you used when connecting to Azure.

-> If you are already using "AzureVideoAnalyzerForMedia" Network Service Tag you may experience issues with your networking security group starting 9 January 2023. This is because we are moving to a new Security Tag label "VideoIndexer" that was unfortunately not launched to GA in the UI before removing the preceding "AzureVideoAnalyzerForMedia" tag. The mitigatation is to remove the old tag from your configuration. We will update this document page + release notes once the new tag will be available.

-**Use a single global AzureVideoAnalyzerForMedia service tag**: This option opens your virtual network to all IP addresses that the Azure Video Indexer service uses across all regions we offer our service. This method will allow for all IP addresses owned and used by Azure Video Indexer to reach your network resources behind the NSG.

-The easiest way to begin using service tags with your Azure Video Indexer account is to add the global tag `AzureVideoAnalyzerForMedia` to an NSG rule.

-1. From the **Source service tag** drop-down list, select **AzureVideoAnalyzerForMedia**.

-You can also use Azure CLI to create a new or update an existing NSG rule and add the **AzureVideoAnalyzerForMedia** service tag using the `--source-address-prefixes`. For a full list of CLI commands and parameters see [az network nsg](/cli/azure/network/nsg/rule?view=azure-cli-latest&preserve-view=true)

-`az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithTags --priority 400 --source-address-prefixes AzureVideoAnalyzerForMedia --destination-address-prefixes '*' --destination-port-ranges '*' --direction Inbound --access Allow --protocol Tcp --description "Allow from VideoAnalyzerForMedia"`

-## Azure Data Box with the MARS Agent

-This article explains how you can use Azure Data Box to seed large initial backup data offline from the MARS Agent to a Recovery Services vault.

-## Supported platforms

-## Backup data size and supported Data Box SKUs

-

- 

- 

- 

- 

- 

- 

- 

- 

- >

- 

- 

-

-

- 

- 

-**Few-shot**: In this case, a user includes several examples in the call prompt that demonstrate the expected answer format and content. The following example shows a few-shot prompt where we provide multiple examples:

- Q: Ask Constance if we need some bread

- Q: Ask Ilya if we're still having our meeting this evening

- Q: Contact the ski store and figure out if I can get my skis fixed before I leave on Thursday

- Q: Thank Nicolas for lunch

- Q: Tell John that I need to book an appointment at 10:30

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Local | - | - | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Local | - | - | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Local | - | - | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Local | - | - | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | Public Preview | Public Preview\* |

-| USA & Puerto Rico | Local | - | - | Public Preview | Public Preview\* |

-az extension remove --name containerapps

-In the following example, the revision scales out up to five replicas and can scale in to zero. The scaling threshold is set to 100 concurrent requests.

-> Make sure you create a scale rule or set `minReplicas` to 1 or more if you don't enable ingress. If ingress is disabled and all you have is the default limits and rule, then your container app will scale to zero and have no way of starting back up.

-Because the number of documents to be deleted may be large, the operation runs in the background. Though the physical deletion operation runs in the background, the effects will be available immediately, as the documents to be deleted will not appear in the results of queries or read operations.

-For example, suppose you have provisioned 1000 RU/s on a container. There is an ongoing delete by partition key operation that consumes 100 RUs each second for 5 seconds. During each of these 5 seconds, there are 900 RUs available for non-background database operations. Once the delete operation is complete, all 1000 RU/s are now available again.

-For certain scenarios, the effects of a delete by partition key operation is not guaranteed to be immediately reflected. The effect may be partially seen as the operation progresses.

-](transactional-batch.md)

-This article describes how add or change the administrator role for a user using Azure RBAC at the subscription scope.

-If you're not sure who the account administrator is for a subscription, visit the [Subscriptions page in Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade). Then select the subscription you want to check, and then look under **Settings**. Select **Properties** and the account administrator of the subscription is shown in the **Account Admin** box.

-**Change data capture from databases:**

-**Change files capture from file based storages:**

-SQL change data capture (CDC) incremental extract - supports numeric columns in mapping dataflow

-1. Open your Azure Data Lake Analytics via https://portal.azure.com.

-2. Click **Add User Wizard**.

-3. In the **Select user** step, find the user you want to add. Click **Select**.

-4. the **Select role** step, pick **Data Lake Analytics Developer**. This role has the minimum set of permissions required to submit/monitor/manage U-SQL jobs. Assign to this role if the group is not intended for managing Azure services.

-5. In the **Select catalog permissions** step, select any additional databases that user will need access to. Read and Write Access to the default static database called "master" is required to submit jobs. When you are done, click **OK**.

-6. In the final step called **Assign selected permissions** review the changes the wizard will make. Click **OK**.

-## Optionally, add the user to the Azure Data Lake Storage Gen1 role **Reader** role.

-1. Find your Azure Data Lake Storage Gen1 account.

-2. Click on **Users**.

-3. Click **Add**.

-4. Select an Azure role to assign this group.

-5. Assign to Reader role. This role has the minimum set of permissions required to browse/manage data stored in ADLSGen1. Assign to this role if the Group is not intended for managing Azure services.

-6. Type in the name of the Group.

-7. Click **OK**.

-3. Run the PowerShell script.

- Once Data Lake Tools for Visual Studio is installed, you will see a **Data Lake** item in the **Tools** menu in Visual Studio:

-* **Install the sample data.** In the Azure Portal, open you Data Lake Analytics account and click **Sample Scripts** on the left menu, then click **Copy Sample Data**.

-2. Click **Data Lake > Options and Settings**.

-3. Click **Sign In**, or **Change User** if someone has signed in, and follow the instructions.

-4. Click **OK** to close the Options and Settings dialog.

-2. From **Server Explorer**, expand **Azure**, and then expand **Data Lake Analytics**. You shall see a list of your Data Lake Analytics accounts if there are any. You cannot create Data Lake Analytics accounts from the studio. To create an account, see [Get Started with Azure Data Lake Analytics using Azure Portal](data-lake-analytics-get-started-portal.md) or [Get Started with Azure Data Lake Analytics using Azure PowerShell](data-lake-analytics-get-started-powershell.md).

-1. Click the **File > New > Project**.

-3. Click **OK**. Visual studio creates a solution with a Script.usql file.

-7. From **Solution Explorer**, right click **Script.usql**, and then click **Build Script**. Verify the results in the Output pane.

-8. From **Solution Explorer**, right click **Script.usql**, and then click **Submit Script**.

-9. Verify the **Analytics Account** is the one where you want to run the job, and then click **Submit**. Submission results and job link are available in the Data Lake Tools for Visual Studio Results window when the submission is completed.

-10. Wait until the job is completed successfully. If the job failed, it is most likely missing the source file. Please see the Prerequisite section of this tutorial. For additional troubleshooting information, see [Monitor and troubleshoot Azure Data Lake Analytics jobs](data-lake-analytics-monitor-and-troubleshoot-jobs-tutorial.md).

-1. From **Server Explorer**, expand **Azure**, expand **Data Lake Analytics**, expand your Data Lake Analytics account, expand **Storage Accounts**, right-click the default Data Lake Storage account, and then click **Explorer**.

-* [Get started with Data Lake Analytics using Azure Portal](data-lake-analytics-get-started-portal.md)

-First migrate the project and get the NuGet package. Then call the standard MSBuild command line with the following additional arguments to build your U-SQL project:

-To build your U-SQL database project, call the standard MSBuild command line and pass the U-SQL SDK NuGet package reference as an additional argument. See the following example:

-The build output for a U-SQL database project is a U-SQL database deployment package, named with the suffix `.usqldbpack`. The `.usqldbpack` package is a zip file that includes all DDL statements in a single U-SQL script in a DDL folder. It includes all **.dlls** and additional files for assembly in a temp folder.

-|Secrete|The secrete or password for non-interactive authentication. It should be used only in a trusted and secure environment.|null|Required for non-interactive authentication, or else use SecreteFile.|

-|SecreteFile|The file saves the secrete or password for non-interactive authentication. Make sure to keep it readable only by the current user.|null|Required for non-interactive authentication, or else use Secrete.|

-|CertFile|The file saves X.509 certification for non-interactive authentication. The default is to use client secrete authentication.|null|false|

-If you reference them through [the Nuget package Microsoft.Azure.DataLake.USQL.Interfaces](https://www.nuget.org/packages/Microsoft.Azure.DataLake.USQL.Interfaces/), make sure you add a NuGet Restore task in your build pipeline.

-Briefly stated, data skew is an over-represented value. Imagine that you have assigned 50 tax examiners to audit tax returns, one examiner for each US state. The Wyoming examiner, because the population there is small, has little to do. In California, however, the examiner is kept very busy because of the state's large population.

- 

-If it does not affect your business logic, you can filter the higher-frequency values in advance. For example, if there are a lot of 000-000-000 in column GUID, you might not want to aggregate that value. Before you aggregate, you can write ΓÇ£WHERE GUID != ΓÇ£000-000-000ΓÇ¥ΓÇ¥ to filter the high-frequency value.

-Instead of using only _State_ as a partition key, you can use more than one key for partitioning. For example, consider adding _ZIP Code_ as an additional partition key to reduce data-partition sizes and distribute the data more evenly.

-If you cannot find an appropriate key for partition and distribution, you can try to use round-robin distribution. Round-robin distribution treats all rows equally and randomly puts them into corresponding buckets. The data gets evenly distributed, but it loses locality information, a drawback that can also reduce job performance for some operations. Additionally, if you are doing aggregation for the skewed key anyway, the data-skew problem will persist. To learn more about round-robin distribution, see the U-SQL Table Distributions section in [CREATE TABLE (U-SQL): Creating a Table with Schema](/u-sql/ddl/tables/create/managed/create-table-u-sql-creating-a-table-with-schema#dis_sch).

-U-SQL provides the CREATE STATISTICS statement on tables. This statement gives more information to the query optimizer about the data characteristics, such as value distribution, that are stored in a table. For most queries, the query optimizer already generates the necessary statistics for a high-quality query plan. Occasionally, you might need to improve query performance by creating additional statistics with CREATE STATISTICS or by modifying the query design. For more information, see the [CREATE STATISTICS (U-SQL)](/u-sql/ddl/statistics/create-statistics) page.

-Usually, you can set the parameter as 0.5 and 1, with 0.5 meaning not much skew and 1 meaning heavy skew. Because the hint affects execution-plan optimization for the current statement and all downstream statements, be sure to add the hint before the potential skewed key-wise aggregation.

-Provides a hint that the given columns have a skew factor x from 0 (no skew) through 1 (very heavy skew).

-In addition to SKEWFACTOR, for specific skewed-key join cases, if you know that the other joined row set is small, you can tell the optimizer by adding a ROWCOUNT hint in the U-SQL statement before JOIN. This way, optimizer can choose a broadcast join strategy to help improve performance. Be aware that ROWCOUNT does not resolve the data-skew problem, but it can offer some additional help.

-To change a non-recursive reducer to recursive, you need to make sure that your algorithm is associative. For example, the sum is associative, and the median is not. You also need to make sure that the input and output for reducer keep the same schema.

-Similar to the ROWCOUNT hint for specific skewed-key join cases, combiner mode tries to distribute huge skewed-key value sets to multiple vertices so that the work can be executed concurrently. Combiner mode canΓÇÖt resolve data-skew issues, but it can offer some additional help for huge skewed-key value sets.

-By default, the combiner mode is Full, which means that the left row set and right row set cannot be separated. Setting the mode as Left/Right/Inner enables row-level join. The system separates the corresponding row sets and distributes them into multiple vertices that run in parallel. However, before you configure the combiner mode, be careful to ensure that the corresponding row sets can be separated.

-

-For an assembly object, the tool provides a user-friendly UI editor that helps you register the assembly and deploy DLL files and other additional files. The following steps show you how to add an assembly object definition to the U-SQL database project:

-1. Right click **U-SQL Databases**, and then choose **Deploy Database**.

-1. Enter the **Database Name** to create a database. If there is a database with the same name that already exists in the target Azure Data Lake Analytics account, all objects that are defined in the database project are created without recreating the database.

-`PackageDeploymentTool.exe` provides the programming and command-line interfaces that help to deploy U-SQL databases. The SDK is included in the [U-SQL SDK Nuget package](https://www.nuget.org/packages/Microsoft.Azure.DataLake.USQL.SDK/), located at `build/runtime/PackageDeploymentTool.exe`.

-After you finish creating the item, right-click the node and then select **Refresh** to show the item. You can also delete the item by right-clicking it and then selecting **Delete**.

-## Additional features

- 

-U-SQL provides an extensibility model using C#. In U-SQL scripts, it is easy to call C# functions and perform analytic functions that SQL-like declarative language does not support. To learn more for U-SQL extensibility, see [U-SQL programmability guide](./data-lake-analytics-u-sql-programmability-guide.md#use-user-defined-functions-udf).

-In practice, any code may need debugging, but it is hard to debug a distributed job with custom code on the cloud with limited log files. [Azure Data Lake Tools for Visual Studio](https://aka.ms/adltoolsvs) provides a feature called **Failed Vertex Debug**, which helps you more easily debug the failures that occur in your custom code. When U-SQL job fails, the service keeps the failure state and the tool helps you to download the cloud failure environment to the local machine for debugging. The local download captures the entire cloud environment, including any input data and user code.

-1. Click **Download** to download all the required resources and input streams. If the download doesn't complete, click **Retry**.

-2. Click **Open** after the download completes to generate a local debugging environment. A new debugging solution will be opened, and if you have existing solution opened in Visual Studio, please make sure to save and close it before debugging.

-

-

-2. [I cannot find my source code in the solution](#source-code-is-not-included-in-debugging-solution)

-1. Press **F5** to start debugging. The code runs until it is stopped by an exception.

- 

-If the user code is not included in code-behind file, or you did not register the assembly with **debug info**, then the source code is not included automatically in the debugging solution. In this case, you need extra steps to add your source code:

- 

-2. Get the project folder path for **FailedVertexDebugHost** project.

- 

-

-Azure Data Lake Analytics is an on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you write queries to transform your data and extract valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need. You only pay for your job when it is running, making it cost-effective. This article provides guidance on how to protect your jobs from rare region-wide outages or accidental deletions.

-When using Azure Data Lake Analytics, it's critical for you to prepare your own disaster recovery plan. This article helps guide you to build a disaster recovery plan. There are additional resources that can help you create your own plan:

-You can run a recurring U-SQL job in an ADLA account in a region that reads and writes U-SQL tables as well as unstructured data. Prepare for a disaster by taking these steps:

-* This article requires that you are running the Azure CLI version 2.0 or later. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).

-You are requested to browse to a URL, and enter an authentication code. And then follow the instructions to enter your credentials.

-Once you have logged in, the login command lists your subscriptions.

-It is simpler to use relative paths for files stored in default Data Lake Store accounts. You can also use absolute paths. For example:

-This tutorial assumes you are already familiar with using Azure PowerShell. In particular, you need to know how to log in to Azure. See the [Get started with Azure PowerShell](/powershell/azure/get-started-azureps) if you need help.

-Instead of the subscription name, you can also use a subscription id to log in:

-* To see the same tutorial using other tools, click the tab selectors on the top of the page.

-* Cancelled

-This method is not supported.

-This method is not supported.

-# Monitor jobs in Azure Data Lake Analytics using the Azure Portal

-1. From the Azure portal, click **Microsoft Azure** in the upper left corner.

-2. Click the tile with your Data Lake Analytics account name. The job summary is shown on the **Job Management** tile.

-3. Click the **Job Management** tile to see the jobs. The jobs are categorized in **Running**, **Queued**, and **Ended**. You shall see your failed job in the **Ended** section. It shall be first one in the list. When you have a lot of jobs, you can click **Filter** to help you to locate jobs.

-4. Click the failed job from the list to open the job details:

-5. Click highlighted part from the previous screenshot to open the error details. You shall see something like:

- It tells you the source folder is not found.

-6. Click **Duplicate Script**.

-8. Click **Submit Job**.

-If you try to create a sixth ADLA account, you will get an error "You have reached the maximum number of Data Lake Analytics accounts allowed (5) in region under subscription name".

-3. Click **Properties**.

-3. Select your **Subscription** (make sure it is not a "trial" subscription).

- 3. In **Connection Managers** view, right-click the file connection created just now, and choose **Properties**.

-The control flow is like below.

-2. Select **File** type and click **Add...**.

- 2. Set **FileConnection** to the File Connection created just now.

- 2. Set **SourceVariable** to the SSIS Variable created just now.

-In some cases, you may want to dynamically set the U-SQL variable value in the U-SQL script. **Parameter Mapping** feature in Azure Data Lake Analytics Task help with this scenario. There are usually two typical user cases:

- - Click **Sample Script**.

-2. Click **More**.

- 

-1. Click the **New File** in your workspace.

-

-5. Right-click in **USQL** file, you can click **Compile Script** or **Submit Job** to running job.

-1. Click the **New File** in your workspace.

-5. Right-click in **USQL** file, you can click **Compile Script** or **Submit Job** to running job.

-1. Click the **New File** in your workspace.

-5. Right-click in **USQL** file, you can click **Compile Script** or **Submit Job** to running job.

-* [Use the Azure Data Lake Tools for Visual Studio Code](data-lake-analytics-data-lake-tools-for-vscode.md)

-* [U-SQL local run and local debug with Visual Studio Code](data-lake-tools-for-vscode-local-run-and-debug.md)

-* [Get started with Data Lake Analytics using PowerShell](data-lake-analytics-get-started-powershell.md)

-* [Get started with Data Lake Analytics using the Azure portal](data-lake-analytics-get-started-portal.md)

-* [Use Data Lake Tools for Visual Studio for developing U-SQL applications](data-lake-analytics-data-lake-tools-get-started.md)

-* [Use Data Lake Analytics(U-SQL) catalog](./data-lake-analytics-u-sql-get-started.md)

-description: Learn about the U-SQL overview and UDF programmability in Azure Data Lake Analytics to enable you create good USQL script.

-U-SQL is a query language that's designed for big data-type of workloads. One of the unique features of U-SQL is the combination of the SQL-like declarative language with the extensibility and programmability that's provided by C#. In this guide, we concentrate on the extensibility and programmability of the U-SQL language that's enabled by C#.

-Each uploaded assembly DLL and resource file, such as a different runtime, a native assembly, or a config file, can be at most 400 MB. The total size of deployed resources, either via DEPLOY RESOURCE or via references to assemblies and their additional files, cannot exceed 3 GB.

-Finally, note that each U-SQL database can only contain one version of any given assembly. For example, if you need both version 7 and version 8 of the NewtonSoft Json.NET library, you need to register them in two different databases. Furthermore, each script can only refer to one version of a given assembly DLL. In this respect, U-SQL follows the C# assembly management and versioning semantics.

-This is a regular C# function that we are going to use in our U-SQL project.

-Here is how the code-behind section looks in this scenario:

-Now we are going to call this function from the base U-SQL script. To do this, we have to provide a fully qualified name for the function, including the namespace, which in this case is NameSpace.Class.Function(parameter).

-Here is the code-behind section of our U-SQL program:

-* Navigate to you Data Lake Analytics Account in the Azure portal

-* In the left menu, under **GETTING STARTED** click on **Sample Scripts**

-* Click **Install U-SQL Extensions** then **OK**

-* Index vectors in Pandas are not supported in U-SQL. All input data frames in the Python function always have a 64-bit numerical index from 0 through the number of rows minus 1.

-* U-SQL datasets cannot have duplicate column names

-* U-SQL datasets column names that are not strings.

-### Additional Python modules

-Every vertex has a limited amount of memory assigned to it. Currently, that limit is 6 GB for an AU. Because the input and output DataFrames must exist in memory in the Python code, the total size for the input and output cannot exceed 6 GB.

-When developing U-SQL script, it is common to run and test U-SQL script locally before submit it to cloud. Azure Data Lake provides a Nuget package called Azure Data Lake U-SQL SDK for this scenario, through which you can easily scale U-SQL run and test. It is also possible to integrate this U-SQL test with CI (Continuous Integration) system to automate the compile and test.

- - Install [Visual Studio Community Edition](https://developer.microsoft.com/downloads/vs-thankyou). You'll have a \Windows Kits\10 folder under the Program Files folder--for example, C:\Program Files (x86)\Windows Kits\10\. You'll also find the Windows 10 SDK version under \Windows Kits\10\Lib. If you donΓÇÖt see these folders, reinstall Visual Studio and be sure to select the Windows 10 SDK during the installation. If you have this installed with Visual Studio, the U-SQL local compiler will find it automatically.

- In this case, the U-SQL local compiler cannot find the dependencies automatically. You need to specify the CppSDK path for it. You can either copy the files to another location or use it as is.

-Under SDK directory\build\runtime, LocalRunHelper.exe is the command-line helper application that provides interfaces to most of the commonly used local-run functions. Note that both the command and the argument switches are case-sensitive. To invoke it:

-U-SQL local run needs a specified data root as local storage account, as well as a specified CppSDK path for dependencies. You can both set the argument in command-line or set environment variable for them.

-Compile a U-SQL script and set the data-root folder. Note that this will overwrite the set environment variable.

-The programming interfaces are all located in the LocalRunHelper.exe. You can use them to integrate the functionality of the U-SQL SDK and the C# test framework to scale your U-SQL script local test. In this article, I will use the standard C# unit test project to show how to use these interfaces to test your U-SQL script.

-|CodeBehindReferences|string|If the script has additional code behind references, specify the paths separated with ';'|

-Please check the following:

-Only Windows installations of the Azure Data Lake Tools for Visual Studio support the action to run U-SQL locally and debug U-SQL locally. Installations on macOS and Linux-based operating systems do not support this feature.

-2. Locate the dependency packages from the path shown in the **Output** pane, and then install BuildTools and Win10SDK 10240. Here is an example path:

- 2.1 To install **BuildTools**, click visualcppbuildtools_full.exe in the LocalRunDependency folder, then follow the wizard instructions.

- 2.2 To install **Win10SDK 10240**, click sdksetup.exe in the LocalRunDependency/Win10SDK_10.0.10240_2 folder, then follow the wizard instructions.

-3. The cmd console opens. For first-time users, you need to enter **3**, and then locate the local folder path for your data input and output. If you are unsuccessful defining the path with backslashes, try forward slashes. For other options, you can use the default values.

-3. Install C# for Visual Studio Code as suggested in the message box if not installed. Click **Install** to continue, and then restart VSCode.

-Before you start migrating Azure Data Lake Analytics' U-SQL scripts to Spark, it is useful to understand the general language and processing philosophies of the two systems.

-Spark is a scale-out framework offering several language bindings in Scala, Java, Python, .NET etc. where you primarily write your code in one of these languages, create data abstractions called resilient distributed datasets (RDD), dataframes, and datasets and then use a LINQ-like domain-specific language (DSL) to transform them. It also provides SparkSQL as a declarative sublanguage on the dataframe and dataset abstractions. The DSL provides two categories of operations, transformations and actions. Applying transformations to the data abstractions will not execute the transformation but instead build-up the execution plan that will be submitted for evaluation with an action (for example, writing the result into a temporary table or file, or printing the result).

-Thus when translating a U-SQL script to a Spark program, you will have to decide which language you want to use to at least generate the data frame abstraction (which is currently the most frequently used data abstraction) and whether you want to write the declarative dataflow transformations using the DSL or SparkSQL. In some more complex cases, you may need to split your U-SQL script into a sequence of Spark and other steps implemented with Azure Batch or Azure Functions.

-Furthermore, Azure Data Lake Analytics offers U-SQL in a serverless job service environment where resources are allocated for each job, while Azure Synapse Spark, Azure Databricks and Azure HDInsight offer Spark either in form of a cluster service or with so-called Spark pool templates. When transforming your application, you will have to take into account the implications of now creating, sizing, scaling, and decommissioning the clusters or pools.

-1. Data gets read from either unstructured files, using the `EXTRACT` statement, a location or file set specification, and the built-in or user-defined extractor and desired schema, or from U-SQL tables (managed or external tables). It is represented as a rowset.

-U-SQL's expression language is C# and it offers a variety of ways to scale out custom .NET code with user-defined functions, user-defined operators and user-defined aggregators.

-.NET for Apache Spark currently does not support user-defined aggregators. Thus, [U-SQL user-defined aggregators](#transform-user-defined-scalar-net-functions-and-user-defined-aggregators) will have to be translated into Spark user-defined aggregators written in Scala.

-If you do not want to take advantage of the .NET for Apache Spark capabilities, you will have to rewrite your expressions into an equivalent Spark, Scala, Java, or Python expression, function, aggregator or connector.

-As mentioned above, .NET for Apache Spark supports user-defined functions written in .NET, but does not support user-defined aggregators. So for user-defined functions, .NET for Apache Spark can be used, while user-defined aggregators have to be authored in Scala for Spark.

-Spark does not offer the same extensibility model for operators, but has equivalent capabilities for some.

-The Spark equivalent to extractors and outputters is Spark connectors. For many U-SQL extractors, you may find an equivalent connector in the Spark community. For others, you will have to write a custom connector. If the U-SQL extractor is complex and makes use of several .NET libraries, it may be preferable to build a connector in Scala that uses interop to call into the .NET library that does the actual processing of the data. In that case, you will have to deploy the .NET Core runtime to the Spark cluster and make sure that the referenced .NET libraries are .NET Standard 2.0 compliant.

-The other types of U-SQL UDOs will need to be rewritten using user-defined functions and aggregators and the semantically appropriate Spark DLS or SparkSQL expression. For example, a processor can be mapped to a SELECT of a variety of UDF invocations, packaged as a function that takes a dataframe as an argument and returns a dataframe.

-Because U-SQL's type system is based on the .NET type system and Spark has its own type system, that is impacted by the host language binding, you will have to make sure that the types you are operating on are close and for certain types, the type ranges, precision and/or scale may be slightly different. Furthermore, U-SQL and Spark treat `null` values differently.

-In addition, U-SQL provides a variety of SQL-based scalar expressions such as

-Due to the different handling of NULL values, a U-SQL join will always match a row if both of the columns being compared contain a NULL value, while a join in Spark will not match such columns unless explicit null checks are added.

-U-SQL also offers a variety of other features and concepts, such as federated queries against SQL Server databases, parameters, scalar, and lambda expression variables, system variables, `OPTION` hints.

-U-SQL provides data source and external tables as well as direct queries against Azure SQL Database. While Spark does not offer the same object abstractions, it provides [Spark connector for Azure SQL Database](/azure/azure-sql/database/spark-connector) that can be used to query SQL databases.

-Spark's cost-based query optimizer has its own capabilities to provide hints and tune the query performance. Please refer to the corresponding documentation.

-U-SQL tables are not understood by Spark. If you have data stored in U-SQL tables, you'll run a U-SQL job that extracts the table data and saves it in a format that Spark understands. The most appropriate format is to create a set of Parquet files following the Hive metastore's folder layout.

- U-SQL tables provide two level partitioning. The outer level (`PARTITIONED BY`) is by value and maps mostly into the Hive/Spark partitioning scheme using folder hierarchies. You will need to ensure that the null values are mapped to the right folder. The inner level (`DISTRIBUTED BY`) in U-SQL offers 4 distribution schemes: round robin, range, hash, and direct hash.

- Hive/Spark tables only support value partitioning or hash partitioning, using a different hash function than U-SQL. When you output your U-SQL table data, you will probably only be able to map into the value partitioning for Spark and may need to do further tuning of your data layout depending on your final Spark queries.

-Microsoft supports several Analytics services such as [Azure Databricks](/azure/databricks/scenarios/what-is-azure-databricks) and [Azure HDInsight](../hdinsight/hdinsight-overview.md) as well as Azure Data Lake Analytics. We hear from developers that they have a clear preference for open-source-solutions as they build analytics pipelines. To help U-SQL developers understand Apache Spark, and how you might transform your U-SQL scripts to Apache Spark, we've created this guidance.

-It includes a number of steps you can take, and several alternatives.

- If you want to move your data from [Azure Data Lake Storage Gen1](../data-lake-store/data-lake-store-overview.md) to [Azure Data Lake Storage Gen2](../storage/blobs/data-lake-storage-introduction.md), you will have to copy both the file data and the catalog maintained data. Note that Azure Data Lake Analytics only supports Azure Data Lake Storage Gen1. See [Understand Spark data formats](understand-spark-data-formats.md)

- Before transforming your U-SQL scripts, you will have to choose an analytics service. Some of the available compute services available are:

- Apache Hive on HDInsight is suited to Extract, Transform, and Load (ETL) operations. This means you are going to translate your U-SQL scripts to Apache Hive.

- This means you are going to translate your U-SQL scripts to Spark. For more information, see [Understand Spark data formats](understand-spark-data-formats.md)

-* Always create a folder under the share for the files that you intend to copy and then copy the files to that folder. The folder created under block blob and page blob shares represents a container to which the data is uploaded as blobs. You cannot copy files directly to the *root* folder in the storage account.

-Governance rules can identify resources that require remediation according to specific recommendations or severities, and the rule assigns an owner and due date to make sure the recommendations are handled. Many governance rules can apply to the same recommendations, so the rule with lower priority value is the one that assigns the owner and due date.

-The due date set for the recommendation to be remediated is based on a timeframe of 7, 14, 30, or 90 days from when the recommendation is found by the rule. For example, if the rule identifies the resource on March 1st and the remediation timeframe is 14 days, March 15th is the due date. You can apply a grace period so that the resources that are given a due date don't impact your secure score until they're overdue.

-1. If you don't want the resources to impact your secure score until they're overdue, select **Apply grace period**.

-To view the effect rules on specific scope, use the ΓÇ£scopeΓÇ¥ filter and select a desired scope.

-Conflicting rules are applied in priority order. For example, rules on a management scope, (Azure management groups, AWS master accents and GCP organizations) take effect before rules on scopes (for example, Azure subscriptions, AWS accounts, or GCP projects).

-For every resource affected by a recommendation, you can assign an owner and a due date so that you know who needs to implement the security changes to improve your security posture and when they're expected to do it by. You can also apply a grace period so that the resources that are given a due date don't impact your secure score unless they become overdue.

-1. You can select **Apply grace period** to keep the resource from impacting the secure score until it's overdue.

-| [The name of the Secure score control Protect your applications with Azure advanced networking solutions will be changed](#the-name-of-the-secure-score-control-protect-your-applications-with-azure-advanced-networking-solutions-will-be-changed) | January 2023 |

-### The name of the Secure score control Protect your applications with Azure advanced networking solutions will be changed

-**Estimated date for change: January 2023**

-The secure score control `Protect your applications with Azure advanced networking solutions` will change to `Protect applications against DDoS attacks`.

-The updated name will be reflected on Azure Resource Graph (ARG), Secure Score Controls API and the `Download CSV report`.

-# Mandatory fields.

-description: Understand what has changed in the new version of Azure Digital Twins

-# Optional fields. Don't forget to remove # if you need a field.

-#

-#

-#

-# What is the new Azure Digital Twins? How is it different from the original version (2018)?

-The first public preview of Azure Digital Twins was released in October of 2018. While the core concepts from that original version have carried through to the current service, many of the interfaces and implementation details have changed to make the service more flexible and accessible. These changes were motivated by customer feedback.

-> [!IMPORTANT]

-> In light of the new service's expanded capabilities, the original Azure Digital Twins service has been retired. As of January 2021, its APIs and associated data are no longer available.

-If you used the first version of Azure Digital Twins during the first public preview, use the information and best practices in this article to learn how to work with the current service, and take advantage of its features.

-## Differences by topic

-The chart below provides a side-by-side view of concepts that have changed between the original version of the service and the current service.

-| Topic | In original version | In current version |

-| | | | |

-| **Modeling**<br>*More flexible* | The original release was designed around smart spaces, so it came with a built-in vocabulary for buildings. | The current Azure Digital Twins is domain-agnostic. You can define your own custom vocabulary and custom models for your solution, to represent more kinds of environments in more flexible ways.<br><br>Learn more in [Custom models](concepts-models.md). |

-| **Topology**<br>*More flexible*| The original release supported a tree data structure, tailored to smart spaces. Digital twins were connected with hierarchical relationships. | With the current release, your digital twins can be connected into arbitrary graph topologies, organized however you want. This freedom gives you more flexibility to express the complex relationships of the real world.<br><br>Learn more in [Digital twins and the twin graph](concepts-twins-graph.md). |

-| **Compute**<br>*Richer, more flexible* | In the original release, logic for processing events and telemetry was defined in JavaScript user-defined functions (UDFs). Debugging with UDFs was limited. | The current release has an open compute model: you provide custom logic by attaching external compute resources like [Azure Functions](../azure-functions/functions-overview.md). This functionality lets you use a programming language of your choice, access custom code libraries without restriction, and take advantage of development and debugging resources that the external service may have.<br><br>To see an end-to-end scenario driven by data flow through Azure functions, see [Connect an end-to-end solution](tutorial-end-to-end.md). |

-| **Device management with IoT Hub**<br>*More accessible* | The original release managed devices with an instance of [IoT Hub](../iot-hub/about-iot-hub.md) that was internal to the Azure Digital Twins service. This integrated hub wasn't fully accessible to developers. | In the current release, you "bring your own" IoT hub, by attaching an independently created IoT Hub instance (along with any devices it already manages). This architecture gives you full access to IoT Hub's capabilities and puts you in control of device management.<br><br>Learn more in [Ingest telemetry from IoT Hub](how-to-ingest-iot-hub-data.md). |

-| **Security**<br>*More standard* | The original release had pre-defined roles that you could use to manage access to your instance. | The current release integrates with the same [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) back-end service that other Azure services use. This type of integration may make it simpler to authenticate between other Azure services in your solution, like IoT Hub, Azure Functions, Event Grid, and more.<br>With RBAC, you can still use pre-defined roles, or you can build and configure custom roles.<br><br>Learn more in [Security for Azure Digital Twins solutions](concepts-security.md). |

-| **Scalability**<br>*Greater* | The original release had scale limitations for devices, messages, graphs, and scale units. Only one instance of Azure Digital Twins was supported per subscription. | The current release relies on a new architecture with improved scalability, and has greater compute power. It also supports 10 instances per region, per subscription.<br><br>See [Azure Digital Twins service limits](reference-service-limits.md) for details of the limits in the current release. |

-## Service limits

-For a list of Azure Digital Twins limits, see [Azure Digital Twins service limits](reference-service-limits.md).

-## Next steps

-* Dive into working with the current release in [Get started with Azure Digital Twins Explorer](quickstart-azure-digital-twins-explorer.md).

-* Or, start reading about key concepts with [Custom models](concepts-models.md).

- Azure Firewall Standard has been generally available since September 2018. It is cloud native, highly available, with built-in auto scaling firewall-as-a-service. You can centrally govern and log all your traffic flows using a DevOps approach. The service supports both application and network level-filtering rules, and is integrated with the Microsoft Threat Intelligence feed for filtering known malicious IP addresses and domains.

-Before you deploy Azure Firewall, the performance needs to be tested and evaluated to ensure it meets your expectations. Not only should Azure Firewall handle the current traffic on a network, but it should also be ready for potential traffic growth. It is recommended to evaluate on a test network and not in a production environment. The testing should attempt to replicate the production environment as close as possible. This includes the network topology, and emulating the actual characteristics of the expected traffic through the firewall.

-The following throughput numbers are for an Azure Firewall deployment before auto-scale (out of the box deployment). Azure Firewall gradually scales when the average throughput or CPU consumption is at 60%. It starts to scale out when it reaches 60% of its maximum throughput. Scale out takes five to seven minutes.

- Write-Host "Resource must be of type Microsoft.Network/firewallPolicies" -ForegroundColor Red

- Write-Host "Policy is already premium"

- ThreatIntelMode = $Policy.ThreatIntelMode

- DnsSetting = $Policy.DnsSettings

-* Use the [FHIR to Synapse Sync Agent](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) OSS tool

-> [FHIR to Synapse Sync Agent](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) is an open source tool released under MIT license, and is not covered by the Microsoft SLA for Azure services.

-Follow the OSS [documentation](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) for installation and usage instructions.

-FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

-The service ignores the 128-byte File Preamble, and replaces its contents with null characters. This ensures that no files passed through the service are vulnerable to the [malicious preamble vulnerability](https://dicom.nema.org/medical/dicom/current/output/chtml/part10/sect_7.5.html). However, this also means that [preambles used to encode dual format content](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6489422/) such as TIFF can't be used with the service.

-| `401 (Unauthorized)` | The client isnn't authenticated. |

-| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

-| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

-| `includefield=` | `{attributeID}`<br/>`all` | 0...N | The additional attributes to return in the response. Both, public and private tags are supported.<br/>When `all` is provided. Refer to [Search Response](#search-response) for more information about which attributes will be returned for each query type.<br/>If a mixture of `{attributeID}` and `all` is provided, the server will default to using `all`. |

-Tags can be encoded in a number of ways for the query parameter. We've partially implemented the standard as defined in [PS3.18 6.7.1.1.1](http://dicom.nema.org/medical/dicom/2019a/output/chtml/part18/sect_6.7.html#sect_6.7.1.1.1). The following encodings for a tag are supported:

-| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

-| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

-There are a number of requirements related to DICOM data attributes in the context of a specific transaction. Attributes may be required to be present, required to not be present, required to be empty, or required to not be empty. These requirements can be found [in this table](https://dicom.nema.org/medical/dicom/current/output/html/part04.html#table_CC.2.5-3).

-|`503 (Service Unavailable)`| The service is unavailable or busy. Please try again later.|

-This transaction will only succeed against Workitems in the `SCHEDULED` state. Any user can claim ownership of a Workitem by setting its Transaction UID and changing its state to `IN PROGRESS`. From then on, a user can only modify the Workitem by providing the correct Transaction UID. While UPS defines Watch and Event SOP classes that allow cancellation requests and other events to be forwarded, this DICOM service does not implement these classes, and so cancellation requests on workitems that are `IN PROGRESS` will return failure. An owned Workitem can be canceled via the [Change Workitem State](#change-workitem-state) transaction.

-|`400 (Bad Request)` |The request cannot be performed for one of the following reasons: (1) the request is invalid given the current state of the Target Workitem. (2) the Transaction UID is missing. (3) the Transaction UID is incorrect|

-* All other Workitem attributes passed as includefield parameter values

-|`503 (Service Unavailable)` | The service is unavailable or busy. Please try again later.|

-Follow the OSS [documentation](https://github.com/microsoft/FHIR-Analytics-Pipelines/blob/main/FhirToDataLake/docs/Deployment.md) for installation and usage instructions.

-description: Create or modify an Exchange peering with route server by using the Azure portal

-# Create or modify an Exchange peering with route server in Azure portal

-This article describes how to create a Microsoft Exchange peering with a route server by using the Azure portal. This article also shows how to check the status of the resource, update it, or delete and deprovision it.

- * Select the **Metro** location where you want to setup peering.

-1. Upon completion, click **Save**.

-1. Under Create a peering, you will see validation passed. Once validation passed, click **Create**

-1. Under Register an ASN, select a Name, populate the customer ASN, and click Save.

-1. Under Registered ASNs, there will be an associated Prefix Key assigned to each ASN. As an exchange provider, you will need to provide this Prefix Key to your customer so they can register Peering Service under their subscription.

-description: Create or modify a Direct peering by using the Azure portal

-# Create or modify a Direct peering by using the Azure portal

-description: Create or modify a Direct peering by using PowerShell

-# Create or modify a Direct peering by using PowerShell

-If you prefer, you can complete this guide by using the Azure [portal](howto-direct-portal.md).

-description: Create or modify an Exchange peering by using the Azure portal

-# Create or modify an Exchange peering by using the Azure portal

-description: Create or modify an Exchange peering by using PowerShell

-# Create or modify an Exchange peering by using PowerShell

-If you prefer, you can complete this guide by using the Azure [portal](howto-exchange-portal.md).

-description: Convert a legacy Direct peering to an Azure resource by using the Azure portal

-# Convert a legacy Direct peering to an Azure resource by using the Azure portal

-* Review the [prerequisites](prerequisites.md) and the [Direct peering walkthrough](walkthrough-direct-all.md) before you begin configuration.

-* Select your ASN in the **PeerASN** box.

->You can only choose an ASN with ValidationState as Approved before you submit a peering request. If you just submitted your PeerAsn request, wait for 12 hours or so for ASN association to be approved. If the ASN you select is pending validation, you'll see an error message. If you don't see the ASN you need to choose, check that you selected the correct subscription. If so, check if you have already created PeerAsn by using **[Associate Peer ASN to Azure subscription](https://go.microsoft.com/fwlink/?linkid=2129592)**.

-description: Convert a legacy Direct peering to an Azure resource by using PowerShell

-# Convert a legacy Direct peering to an Azure resource by using PowerShell

-If you prefer, you can complete this guide by using the Azure [portal](howto-legacy-direct-portal.md).

-description: Convert a legacy Exchange peering to an Azure resource by using the Azure portal

-# Convert a legacy Exchange peering to an Azure resource by using the Azure portal

-description: Convert a legacy Exchange peering to an Azure resource by using PowerShell

-# Convert a legacy Exchange peering to an Azure resource by using PowerShell

-If you prefer, you can complete this guide by using the Azure [portal](howto-legacy-exchange-portal.md).

-description: Enable Azure Peering Service on a Direct peering by using the Azure portal

-# Enable Azure Peering Service on a Direct peering by using the Azure portal

-description: Enable Azure Peering Service on a Direct peering by using PowerShell

-# Enable Azure Peering Service on a Direct peering by using PowerShell

-If you prefer, you can complete this guide by using the Azure [portal](howto-peering-service-portal.md).

-description: Associate peer ASN to Azure subscription using the portal

-# Associate peer ASN to Azure subscription using the portal

-As an Internet Service Provider or Internet Exchange Provider, before you submit a peering request, you should first associate your ASN with an Azure subscription using the steps below.

-Register for peering resource provider in your subscription by following the steps below. If you do not execute this, then Azure resources required to set up peering are not accessible.

-1. Click on **Subscriptions** on the top left corner of the portal. If you don't see it, click on **More services** and search for it.

-1. Click on the subscription you want to use for peering.

-1. Once the subscription opens, on the left, click on **Resource providers**. Then, in the right pane, search for *peering* in the search window, or use the scroll bar to find **Microsoft.Peering** and look at the **Status**. If the status is ***Registered***, skip the steps below and proceed to section **Create PeerAsn**. If the status is ***NotRegistered***, select **Microsoft.Peering** and click on **Register**.

-1. Wait for a min or so for it to complete registration. Then, click on **Refresh** and verify that the status is ***Registered***.

-1. On the **Associate a Peer ASN** page, under **Basics** tab, fill out the fields as shown below.

- * Choose the **Subscription** that you need to associate the ASN with.

- * **Peer name** corresponds to your company's name and needs to be as close as possible to your PeeringDB profile. Note that value supports only characters a-z, A-Z, and space

- * Click on **Create new** and enter **EMAIL ADDRESS** and **PHONE NUMBER** for your Network Operations Center (NOC)

-1. Then, click on **Review + create** and observe that portal runs basic validation of the information you entered. This is displayed in a ribbon on the top, as *Running final validation...*.

-1. Once the message in the ribbon turns to *Validation Passed*, verify your information and submit the request by clicking **Create**. If the validation doesn't pass, then click on **Previous** and repeat the steps above to modify your request and ensure the values you enter have no errors.

-1. After you submit the request, wait for it to complete deployment. If deployment fails, contact [Microsoft peering](mailto:peering@microsoft.com). A successful deployment will appear as below.

-Once PeerAsn resource is deployed successfully, you will need to wait for Microsoft to approve the association request. It may take up to 12 hours for approval. Once approved, you will receive a notification to the email address entered in the above section.

-Modifying PeerAsn is not currently supported. If you need to modify, contact [Microsoft peering](mailto:peering@microsoft.com).

-Deleting a PeerAsn is not currently supported. If you need to delete PeerAsn, contact [Microsoft peering](mailto:peering@microsoft.com).

-If you prefer, you can complete this guide using the [portal](howto-subscription-association-portal.md).

-Register for peering resource provider in your subscription using the command below. If you do not execute this, then Azure resources required to set up peering are not accessible.

-Deleting a PeerASN is not currently supported. If you need to delete PeerASN, contact [Microsoft peering](mailto:peering@microsoft.com).

-If you don't have a Microsoft Azure account, create a [Microsoft Azure account](https://azure.microsoft.com/free). A valid and active Microsoft Azure subscription is required to set up peering, as the peerings are modeled as resources within Azure subscriptions. It is important to note that:

- * The Azure resource types used to set up peering are always-free Azure products, i.e., you are not charged for creating an Azure account or creating a subscription or accessing the Azure resources **PeerAsn** and **Peering** to set up peering. This is not to be confused with peering agreement for Direct peering between you and Microsoft, the terms for which are explicitly discussed with our peering team. Contact [Microsoft peering](mailto:peering@microsoft.com) if any questions in this regard.

- * You can use the same Azure subscription to access other Azure products or cloud services which may be free or paid. When you access a paid product you will incur charges.

- * If you are creating a new Azure account and/or subscription, you may be eligible for free Azure credit during a trial period which you may utilize to try Azure Cloud services. If interested, visit [Microsoft Azure account](https://azure.microsoft.com/free) for more info.

- azureUser@vm-h2hnm5j5uxk2a:/var/aziot$ sudo ls -Rla /var/aziot

- drw-r--r-- 2 aziotcs aziotcs 4096 Jan 14 00:31 certs

- drwx 2 aziotks aziotks 4096 Jan 14 00:35 secrets

-

- drw-r--r-- 2 aziotcs aziotcs 4096 Jan 14 00:31 .

-

- total 20

- drwx 2 aziotks aziotks 4096 Jan 14 00:35 .

-azureUser@vm-h2hnm5j5uxk2a:/var/aziot$ sudo ls -Rla /var/aziot

-drw-r--r-- 2 aziotcs aziotcs 4096 Jan 14 00:31 certs

-drwx 2 aziotks aziotks 4096 Jan 14 00:35 secrets

-drw-r--r-- 2 aziotcs aziotcs 4096 Jan 14 00:31 .

-total 20

-drwx 2 aziotks aziotks 4096 Jan 14 00:35 .

-* [Source code](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-certificates)

-* [API reference documentation](https://azure.github.io/azure-sdk-for-java/keyvault.html)

-* [Product documentation](index.yml)

-* [Samples](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-certificates/src/samples/java/com/azure/security/keyvault/certificates)

- ```azurecli-interactive

- az login

- ```

-2. Sign in with your account credentials in the browser.

-In this quickstart, a logged in user is used to authenticate to Key Vault, which is preferred method for local development. For applications deployed to Azure, a Managed Identity should be assigned to an App Service or Virtual Machine. For more information, see [Managed Identity Overview](../../active-directory/managed-identities-azure-resources/overview.md).

-In the example below, the name of your key vault is expanded to the key vault URI, in the format "https://\<your-key-vault-name\>.vault.azure.net". This example is using the ['DefaultAzureCredential()'](/java/api/com.azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/java/api/overview/azure/identity-readme).

- .vaultUrl(keyVaultUri)

- .credential(new DefaultAzureCredentialBuilder().build())

- .buildClient();

- certificateClient.beginCreateCertificate(certificateName, CertificatePolicy.getDefault());

-* [Source code](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-keys)

-* [API reference documentation](https://azure.github.io/azure-sdk-for-java/keyvault.html)

-* [Product documentation](index.yml)

-* [Samples](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-keys/src/samples/java/com/azure/security/keyvault/keys)

- ```azurecli-interactive

- az login

- ```

-2. Sign in with your account credentials in the browser.

-In this quickstart, a logged in user is used to authenticate to Key Vault, which is preferred method for local development. For applications deployed to Azure, a Managed Identity should be assigned to an App Service or Virtual Machine. For more information, see [Managed Identity Overview](../../active-directory/managed-identities-azure-resources/overview.md).

-In this example, the name of your key vault is expanded to the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. This example is using the ['DefaultAzureCredential()'](/java/api/com.azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/java/api/overview/azure/identity-readme).

- .vaultUrl(keyVaultUri)

- .credential(new DefaultAzureCredentialBuilder().build())

- .buildClient();

-* [Source code](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-secrets)

-* [API reference documentation](https://azure.github.io/azure-sdk-for-java/keyvault.html)

-* [Product documentation](index.yml)

-* [Samples](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-secrets/src/samples/java/com/azure/security/keyvault/secrets)

- ```azurecli-interactive

- az login

- ```

-2. Sign in with your account credentials in the browser.

-In this quickstart, a logged in user is used to authenticate to Key Vault, which is preferred method for local development. For applications deployed to Azure, a Managed Identity should be assigned to an App Service or Virtual Machine. For more information, see [Managed Identity Overview](../../active-directory/managed-identities-azure-resources/overview.md).

-In this example, the name of your key vault is expanded to the key vault URI, in the format `https://\<your-key-vault-name\>.vault.azure.net`. This example is using the ['DefaultAzureCredential()'](/java/api/com.azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/java/api/overview/azure/identity-readme).

- Console con = System.console();

-

-

-## Contact us for help

-If you have questions or need help, [create a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot), or ask [Azure community support](/answers/topics/azure-labservices.html).

-description: This guide helps to fix common issues you might experience when using Azure Lab Services to create labs.

-# Troubleshooting lab creation in Azure Lab Services

-This article provides several common reasons why an educator might not be able to create a lab successfully and what to do to resolve the issue.

-## You can't see a virtual machine image

-Possible issues:

-## The preferred virtual machine size is not available

-Possible issues:

->[!NOTE]

-> You can run a script to query for lab quotas across all your regions. For more information, see the [PowerShell Quota script](https://aka.ms/azlabs/scripts/quota-powershell).

-## You don't see multiple regions/locations to choose from

-Possible issues:

-## Next steps

-For more information about setting up and managing labs, see:

-> [!IMPORTANT]

-> If you're using [Microsoft Azure operated by 21Vianet](/azure/china/), managed connectors and custom connectors don't have reserved or fixed IP addresses.

-> So, you can't set up firewall rules for logic apps that use these connectors in this cloud. For the Azure Logic Apps service IPs, review the

-> [documentation version for Azure operated by 21Vianet](https://docs.azure.cn/en-us/logic-apps/logic-apps-limits-and-config#firewall-ip-configuration).

-description: Connect to SAP resources from workflows in Azure Logic Apps.

-This article explains how you can access your SAP resources from Azure Logic Apps using the [SAP connector](/connectors/sap/).

-* A logic app workflow from which you want to access your SAP resources. If you're new to Azure Logic Apps, review the [Azure Logic Apps overview](logic-apps-overview.md) and the [quickstart for creating your first logic app workflow in the Azure portal](quickstart-create-first-logic-app-workflow.md).

- * If you've used a previous version of the SAP connector that has been deprecated, you must [migrate to the current connector](#migrate-to-current-connector) before you can connect to your SAP server.

-* An [SAP Application server](https://wiki.scn.sap.com/wiki/display/ABAP/ABAP+Application+Server) or [SAP Message server](https://help.sap.com/saphelp_nw70/helpdata/en/40/c235c15ab7468bb31599cc759179ef/frameset.htm) that you want to access from Azure Logic Apps. For information about the SAP servers that support this connector, review [SAP compatibility](#sap-compatibility).

- > [!IMPORTANT]

- > Make sure that you set up your SAP server and user account to allow using RFC. For more information, which includes the supported

- > user account types and the minimum required authorization for each action type (RFC, BAPI, IDOC), review the following SAP note:

- > [460089 - Minimum authorization profiles for external RFC programs](https://launchpad.support.sap.com/#/notes/460089).

- >

- > * For RFC actions, the user account additionally needs access to function modules `RFC_GROUP_SEARCH` and `DD_LANGU_TO_ISOLA`.

- > * For BAPI actions, the user account also needs access to the following function modules: `BAPI_TRANSACTION_COMMIT`,

- > `BAPI_TRANSACTION_ROLLBACK`, `RPY_BOR_TREE_INIT`, `SWO_QUERY_METHODS` and `SWO_QUERY_API_METHODS`.

- > * For IDOC actions, the user account also needs access to the following function modules: `IDOCTYPES_LIST_WITH_MESSAGES`,

- > `IDOCTYPES_FOR_MESTYPE_READ`, `INBOUND_IDOCS_FOR_TID`, `OUTBOUND_IDOCS_FOR_TID`, `GET_STATUS_FROM_IDOCNR`, and `IDOC_RECORD_READ`.

- > * For the **Read Table** action, the user account also needs access to *either* following function module:

- > `RFC BBP_RFC_READ_TABLE` or `RFC_READ_TABLE`.

-* Message content to send to your SAP server, such as a sample IDoc file. This content must be in XML format and include the namespace of the [SAP action](#actions) you want to use. You can [send IDocs with a flat file schema by wrapping them in an XML envelope](#send-flat-file-idocs).

-* If you want to use the **When a message is received from SAP** trigger, you must also do the following tasks:

- * Set up your SAP gateway security permissions or Access Control List (ACL). In the **secinfo** and **reginfo** files, which are visible in the Gateway Monitor dialog box, T-Code SMGW, follow **Goto > Expert Functions > External Security > Maintenance of ACL Files**. The following permission setting is required:

- If you don't configure the SAP gateway security permissions, you might receive this error:

- * In the **Configuration of RFC Connections** (T-Code SM59) dialog box, create an RFC connection with the **TCP/IP** type. The **Activation Type** must be **Registered Server Program**. Set the RFC connection's **Communication Type with Target System** value to **Unicode**.

- In SAP, the Logon Group is maintained by opening the **CCMS: Maintain Logon Groups** (T-Code SMLG) dialog box. For more information, review [SAP Note 26317 - Set up for LOGON group for automatic load balancing](https://service.sap.com/sap/support/notes/26317).

- 1. For your **Program ID**, enter a value. In SAP, your logic app workflow's trigger is registered by using this identifier.

-1. To start outbound IDoc processing, select **Continue**. When processing finishes, the **IDoc sent to SAP system or external program** message appears.

-When you send transactions to SAP from Logic Apps, this exchange happens in two steps as described in the SAP document, [Transactional RFC Server Programs](https://help.sap.com/doc/saphelp_nwpi71/7.1/22/042ad7488911d189490000e829fbbd/content.htm?no_cache=true). By default, the **Send to SAP** action handles both the steps for the function transfer and for the transaction confirmation in a single call. The SAP connector gives you the option to decouple these steps. You can send an IDoc and rather than automatically confirm the transaction, you can use the explicit **\[IDOC] Confirm transaction ID** action.

-This capability to decouple the transaction ID confirmation is useful when you don't want to duplicate transactions in SAP, for example, in scenarios where failures might happen due to causes such as network issues. By confirming the transaction ID separately, the transaction is only completed one time in your SAP system.

-1. Create a blank logic app and add the Request trigger.

-1. **Choose whether you want to a code-first experience or a no-code studio web experience**: Users who prefer a code-first experience can use the [AzureML SDKv2](how-to-configure-auto-train.md) or the [AzureML CLIv2](how-to-train-cli.md). Get started with [Tutorial: Train an object detection model with AutoML and Python](tutorial-auto-train-image-models.md). Users who prefer a limited/no-code experience can use the [web interface](how-to-use-automated-ml-for-ml-models.md) in Azure Machine Learning studio at [https://ml.azure.com](https://ml.azure.com/). Get started with [Tutorial: Create a classification model with automated ML in Azure Machine Learning](tutorial-first-experiment-automated-ml.md).

-Python packages are all installed in the **Python 3.8 - AzureML** environment. Compute instance has Ubuntu 18.04 as the base OS.

-| **Virtual Network (VNET)** | [Supported](how-to-secure-online-endpoint.md) (preview) | Supported |

-You can find more information on using Git to work with your GitHub repository from resources available on github.com. The [cheat sheet](https://services.github.com/on-demand/downloads/github-git-cheat-sheet.pdf) is a useful reference.

-* [Multi-class text classification](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-nlp-text-classification-multiclass-task-sentiment-analysis/automl-nlp-text-classification-multiclass-task-sentiment.ipynb)

-https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-nlp-text-classification-multilabel-task-paper-categorization/automl-nlp-text-classification-multilabel-task-paper-cat.ipynb)

-You can use Fairlearn's [mitigation algorithms](https://fairlearn.org/main/user_guide/mitigation.html), compare their generated mitigated model(s) to the original unmitigated model, and navigate the performance/fairness trade-offs among compared models.

-To see an example that demonstrates the use of the [Grid Search](https://fairlearn.org/main/user_guide/mitigation.html#grid-search) mitigation algorithm (which creates a collection of mitigated models with different fairness and performance trade offs) check out this [sample notebook](https://github.com/Azure/MachineLearningNotebooks/blob/master/contrib/fairness/fairlearn-azureml-mitigation.ipynb).

-* `*.blob.core.windows.net` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

-* `*.queue.core.windows.net` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

-* `*.table.core.windows.net` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

-az ml compute create --resource-group rg --workspace-name ws --vnet-name yourvnet --subnet yoursubnet --type AmlCompute or ComputeInstance --enable-node-public-ip false

-az ml compute create --resource-group rg --workspace-name ws --vnet-name yourvnet --subnet yoursubnet --type AmlCompute or ComputeInstance

- az ml workspace show -w yourworkspacename -g resourcegroupname --query 'container_registry'

-1. Go to the first repo you imported in the previous section, `mlops-v2-ado-demo`, select the **config-infra-dev.yml** file.

-1. To run the template, use the following command:

- # [Azure CLI](#tab/cli)

- > The `prefix` must be 5 or less characters.

- prefix=myprefix \

- > [!TIP]

- > The `prefix` must be 5 or less characters.

- -prefix "myprefix" `

-This quickstart shows how to create an automated workflow using Azure Logic Apps with Azure database for MySQL Flexible Server.

-In this quickstart shows how to create an automated workflow usingPower automate flow with [Azure database for MySQL connector](/connectors/azuremysql/).

-# Customer intent: As someone with basic Azure network experience, I want to understand how Azure Network Watcher can help me resolve some of the network-related problems I've encountered and provide insight into how I use Azure networking.

-Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products including Virtual Machines (VM), Virtual Networks, Application Gateways, Load balancers, etc.

-> It is not intended for and will not work for PaaS monitoring or Web analytics.

-For information about analyzing traffic from a network security group, see [Network Security Group](network-watcher-nsg-flow-logging-overview.md) and [Traffic Analytics](traffic-analytics.md).

-

-Virtual network gateways provide connectivity between on-premises resources and Azure virtual networks. Monitoring gateways and their connections are critical to ensuring communication are not broken. The *VPN diagnostics* capability provides the ability to diagnose gateways and connections. VPN diagnostics diagnoses the health of the gateway, or gateway connection, and informs you whether a gateway and gateway connections are available. If the gateway or connection is not available, VPN diagnostics tells you why, so you can resolve the problem. Learn more about VPN diagnostics by completing the [Diagnose a communication problem between networks](diagnose-communication-problem-between-networks.md) tutorial.

-There are [limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=/azure/network-watcher/toc.json#azure-resource-manager-virtual-networking-limits) to the number of network resources that you can create within an Azure subscription and region. If you meet the limits, you're unable to create more resources within the subscription or region. The *network subscription limit* capability provides a summary of how many of each network resource you have deployed in a subscription and region, and what the limit is for the resource. The following picture shows the partial output for network resources deployed in the East US region for an example subscription:

-

-

-Learn more about NSG flow logs by completing the [Log network traffic to and from a virtual machine](network-watcher-nsg-flow-logging-portal.md) tutorial and how to implement [traffic analytics](traffic-analytics.md).

-When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. There is no impact on your resources or associated charge for automatically enabling Network Watcher. For more information, see [Network Watcher create](network-watcher-create.md).

-* You now have an overview of Azure Network Watcher. To get started using Network Watcher, diagnose a common communication problem to and from a virtual machine using IP flow verify. To learn how, see the [Diagnose a virtual machine network traffic filter problem](diagnose-vm-network-traffic-filtering-problem.md) quickstart.

-* [Learn module: Introduction to Azure Network Watcher](/training/modules/intro-to-azure-network-watcher).

-> [IMPORTANT!}

-> You may use your own resource group name and desired region. For this how-to, we will deploy all resources to the same resource group, **myResourceGroup**, deploy all resources to the **East US** Azure region. Use these and your Azure subscription as the default settings throughout the article.

-1. In the **Create key vault** page, enter or select these settings:

- | Subscription | Select a subscription. |

- | Resource Group | Select the **myResourceGroup** resource group. |

- | Location | Select **East US**. |

-1. On the **Create a certificate** page, specify the following settings:

-1. On the **Basics** tab, enter the following settings:

-

- | Setting | Value |

- | | |

- | Subscription | Select your subscription. |

- | Resource group | Select **myResourceGroup**. |

- | Region | Select **East US** |

- | Name | Select **myManagedIDappGW** |

-1. In **Create virtual network**, enter or select the following settings on the **Basics** tab:

-

- | Setting | Value |

- | | |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | **myResourceGroup** |

- | **Instance details** | |

- | Name | Enter **myHubVNet**. |

- | Region | Select **(US) East US**. |

-1. Select the **IP Addresses** tab, or select the **Next: IP Addresses** button at the bottom of the page and enter in the following settings:

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | **myResourceGroup** |

- | Name | **mySpokeVNet** |

- | Region | **(US) East US** |

-1. Navigate to the **myHubVNet** that you previously created.

-1. In the **Add peering** page, enter theIn This virtual network section, specify the following settings:

- | Virtual network | **mySpokeVNet** |

-1. On the **Basics** tab, enter the following settings:

-

- | Setting | Value |

- |--| - |

- | Subscription | Select your subscription |

- | Resource Group | **myResourceGroup** |

- | Name | Enter your domain name |

-1. In the **Create Web App** page, enter or select the following on the **Basics** tab:

- | **Project Details** | |

- | Resource group | Select **myResourceGroup**. |

- | Region | Select **East US**. |

-1. In the **Add Private Endpoint** pane, enter or select the following settings:

- | Subscription | Select your subscription |

- | Virtual network | **mySpokeVNet** |

-1. On the **Basics** tab, enter these settings for the following application gateway settings:

- | **Project details** | |

- | Resource group | Select **myResourceGroup**.|

- | Region | Select **East US**. |

- | Virtual network| Select **mySpokeVNet**. |

- | Rule name: **myRouteRule1** |

- | Priority: **100** |

-1. Under the **Listener** tab, enter the following settings:

-1. Select the **Backend targets** tab and enter the following settings:

-1. On the Add health probe page, specify the following settings:

-1. On the **Add record set** pane, enter or select the following settings:

-1. On the **Create a firewall** page, specify the following settings:

- | Subscription | Select your subscription. |

- | Resource group | Enter **myResourceGroup**. |

- | Region | Select **East US**. |

- | Region | Select **East US**. |

- | Virtual network | Select **myHubVNet**. |

-1. On the TLS inspection page, select **Enabled** and then specify the following settings:

-1. In the **Add a rule collection** page, enter or select the following settings:

-1. On the Create Route table page, specify the following settings:

- | Subscription | Select your subscription. |

- | Resource group | Select **myResourceGroup**. |

- | Region | Select **East US**. |

-1. On the **Create Route** table page, specify the following settings:

- | Subscription | Select your subscription. |

- | Resource group | Select **myResourceGroup**. |

- | Region | Select **East US**. |

-1. On the **Add Route** pane, specify the following settings:

-1. On the **Associate subnet** pane, select the **mySpokeVNet** virtual network, and then select the **AppGwSubnet** subnet.

-1. In the Add Route pane, specify the following settings:

-1. On the **Associate subnet** pane, select the **mySpokeVNet** virtual network, and then select the **App1** subnet.

-1. Select the **mySpokeVNet** virtual network, and then select the **AppGwSubnet** subnet. Select **OK**.

-1. On the Basics tab, enter or select the following settings:

-

- | Setting | Value |

- |--| - |

- | Subscription | Select your subscription. |

- | Resource group | Enter **myResourceGroup**. |

- | Name | Enter **nsg-app1**. |

- | Region | Select **East US**. |

-1. On the **Add inbound security rule** pane, enter or select the following settings:

-1. On the **Add inbound security rule** pane, enter or select the following settings:

-1. In the **Associate subnet** pane, select the **mySpokeVNet** virtual network.

-You'll clean up your environment by deleting the resource group containing all resources, **myResourceGroup**. Due to soft delete rules, Azure Key Vault may not be deleted. Learn how to delete [Azure Key Vault]

-description: Assignment and usage of the Azure Red Hat OpenShift cluster administrator role

-#Customer intent: As a developer, I need to understand how to administer an Azure Red Hat cluster by using the administrative role

-# Azure Red Hat OpenShift customer administrator role

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-You're the cluster administrator of an Azure Red Hat OpenShift cluster. Your account has increased permissions and access to all user-created projects.

-When your account has the customer-admin-cluster authorization role bound to it, it can automatically manage a project.

-> [!Note]

-> The customer-admin-cluster cluster role is not the same as the cluster-admin cluster role.

-For example, you can execute actions associated with a set of verbs (`create`) to operate on a set of resource names (`templates`). To view the details of these roles and their sets of verbs and resources, run the following command:

-`$ oc get clusterroles customer-admin-cluster -o yaml`

-The verb names don't necessarily all map directly to `oc` commands. They equate more generally to the types of CLI operations that you can perform.

-For example, having the `list` verb means that you can display a list of all objects of a resource name (`oc get`). The `get` verb means that you can display the details of a specific object if you know its name (`oc describe`).

-## Configure the customer administrator role

-You can configure the customer-admin-cluster cluster role only during cluster creation by providing the flag `--customer-admin-group-id`. This field is not currently configurable in the Azure portal. To learn how to configure Azure Active Directory and the Administrators group, see [Azure Active Directory integration for Azure Red Hat OpenShift](howto-aad-app-configuration.md).

-## Confirm membership in the customer administrator role

-To confirm your membership in the customer admin group, try the OpenShift CLI commands `oc get nodes` or `oc projects`. `oc get nodes` will show a list of nodes if you have the customer-admin-cluster role, and a permission error if you only have the customer-admin-project role. `oc projects` will show all projects in the cluster as opposed to just the projects you are working in.

-To further explore roles and permissions in your cluster, you can use the [`oc policy who-can <verb> <resource>`](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_rbac.html#managing-role-bindings) command.

-## Next steps

-Configure the customer-admin-cluster cluster role:

-> [!div class="nextstepaction"]

-> [Azure Active Directory integration for Azure Red Hat OpenShift](howto-aad-app-configuration.md)

-description: Security context constraints for Azure Red Hat OpenShift cluster administrators

-#Customer intent: As a developer, I need to understand how to manage security context constraints.

-# Manage security context constraints in Azure Red Hat OpenShift

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-Security context constraints (SCCs) allow cluster administrators to control permissions for pods. To learn more about this API type, see the [architecture documentation for SCCs](https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html). You can manage SCCs in your instance as normal API objects by using the CLI.

-## List security context constraints

-To get a current list of SCCs, use this command:

-```bash

-$ oc get scc

-NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES

-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret]

-hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret]

-hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret]

-hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]

-nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]

-privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]

-restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]

-```

-## Examine an object for security context constraints

-To examine a particular SCC, use `oc get`, `oc describe`, or `oc edit`. For example, to examine the **restricted** SCC, use this command:

-```bash

-$ oc describe scc restricted

-Name: restricted

-Priority: <none>

-Access:

- Users: <none>

- Groups: system:authenticated

-Settings:

- Allow Privileged: false

- Default Add Capabilities: <none>

- Required Drop Capabilities: KILL,MKNOD,SYS_CHROOT,SETUID,SETGID

- Allowed Capabilities: <none>

- Allowed Seccomp Profiles: <none>

- Allowed Volume Types: configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret

- Allow Host Network: false

- Allow Host Ports: false

- Allow Host PID: false

- Allow Host IPC: false

- Read Only Root Filesystem: false

- Run As User Strategy: MustRunAsRange

- UID: <none>

- UID Range Min: <none>

- UID Range Max: <none>

- SELinux Context Strategy: MustRunAs

- User: <none>

- Role: <none>

- Type: <none>

- Level: <none>

- FSGroup Strategy: MustRunAs

- Ranges: <none>

- Supplemental Groups Strategy: RunAsAny

- Ranges: <none>

-```

-## Next steps

-> [!div class="nextstepaction"]

-> [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md)

-description: Learn how to create an Azure AD security group and user for testing apps on your Microsoft Azure Red Hat OpenShift cluster.

-# Azure Active Directory integration for Azure Red Hat OpenShift

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-If you haven't already created an Azure Active Directory (Azure AD) tenant, follow the directions in [Create an Azure AD tenant for Azure Red Hat OpenShift](howto-create-tenant.md) before continuing with these instructions.

-Microsoft Azure Red Hat OpenShift needs permissions to perform tasks on behalf of your cluster. If your organization doesn't already have an Azure AD user, Azure AD security group, or an Azure AD app registration to use as the service principal, follow these instructions to create them.

-## Create a new Azure Active Directory user

-In the [Azure portal](https://portal.azure.com), ensure that your tenant appears under your user name in the top right of the portal:

-

-If the wrong tenant is displayed, click your user name in the top right, then click **Switch Directory**, and select the correct tenant from the **All Directories** list.

-Create a new Azure Active Directory 'Owner' user to sign in to your Azure Red Hat OpenShift cluster.

-1. Go to the [Users-All users](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers) blade.

-2. Click **+New user** to open the **User** pane.

-3. Enter a **Name** for this user.

-4. Create a **User name** based on the name of the tenant you created, with `.onmicrosoft.com` appended at the end. For example, `yourUserName@yourTenantName.onmicrosoft.com`. Write down this user name. You'll need it to sign in to your cluster.

-5. Click **Directory role** to open the directory role pane, and select **Owner** and then click **Ok** at the bottom of the pane.

-6. In the **User** pane, click **Show Password** and record the temporary password. After you sign in the first time, you'll be prompted to reset it.

-7. At the bottom of the pane, click **Create** to create the user.

-## Create an Azure AD security group

-To grant cluster admin access, the memberships in an Azure AD security group are synced into the OpenShift group "osa-customer-admins". If not specified, no cluster admin access will be granted.

-1. Open the [Azure Active Directory groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) blade.

-2. Click **+New Group**.

-3. Provide a group name and description.

-4. Set **Group type** to **Security**.

-5. Set **Membership type** to **Assigned**.

- Add the Azure AD user that you created in the earlier step to this security group.

-6. Click **Members** to open the **Select members** pane.

-7. In the members list, select the Azure AD user that you created above.

-8. At the bottom of the portal, click on **Select** and then **Create** to create the security group.

- Write down the Group ID value.

-9. When the group is created, you will see it in the list of all groups. Click on the new group.

-10. On the page that appears, copy down the **Object ID**. We will refer to this value as `GROUPID` in the [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial.

-> [!IMPORTANT]

-> To sync this group with the osa-customer-admins OpenShift group, create the cluster by using the Azure CLI. The Azure portal currently lacks a field to set this group.

-## Create an Azure AD app registration

-If your organization doesn't already have an Azure Active Directory (Azure AD) app registration to use as a service principal, follow these instructions to create one.

-1. Open the [App registrations blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview) and click **+New registration**.

-2. In the **Register an application** pane, enter a name for your application registration.

-3. Ensure that under **Supported account types** that **Accounts in this organizational directory only** is selected. This is the most secure choice.

-4. We will add a redirect URI later once we know the URI of the cluster. Click the **Register** button to create the Azure AD application registration.

-5. On the page that appears, copy down the **Application (client) ID**. We will refer to this value as `APPID` in the [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial.

-

-### Create a client secret

-Generate a client secret for authenticating your app to Azure Active Directory.

-1. In the **Manage** section of the app registrations page, click **Certificates & secrets**.

-2. On the **Certificates & secrets** pane, click **+New client secret**. The **Add a client secret** pane appears.

-3. Provide a **Description**.

-4. Set **Expires** to the duration you prefer, for example **In 2 Years**.

-5. Click **Add** and the key value will appear in the **Client secrets** section of the page.

-6. Copy down the key value. We will refer to this value as `SECRET` in the [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial.

-

-For more information about Azure Application Objects, see [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md).

-For details on creating a new Azure AD application, see [Register an app with the Azure Active Directory v1.0 endpoint](../active-directory/develop/quickstart-register-app.md).

-## Add API permissions

-[//]: # (Do not change to Microsoft Graph. It does not work with Microsoft Graph.)

-1. In the **Manage** section click **API permissions**

-2. Click **Add permission** and select **Azure Active Directory Graph** then **Delegated permissions**.

-> [!NOTE]

-> Make sure you selected the "Azure Active Directory Graph" and not the "Microsoft Graph" tile.

-3. Expand **User** on the list below and enable the **User.Read** permission. If **User.Read** is enabled by default, ensure that it is the **Azure Active Directory Graph** permission **User.Read**.

-4. Scroll up and select **Application permissions**.

-5. Expand **Directory** on the list below and enable **Directory.ReadAll**.

-6. Click **Add permissions** to accept the changes.

-7. The API permissions panel should now show both *User.Read* and *Directory.ReadAll*. Please note the warning in **Admin consent required** column next to *Directory.ReadAll*.

-8. If you are the *Azure Subscription Administrator*, click **Grant admin consent for *Subscription Name*** below. If you are not the *Azure Subscription Administrator*, request the consent from your administrator.

-

-> [!IMPORTANT]

-> Synchronization of the cluster administrators group will work only after consent has been granted. You will see a green circle with a checkmark and a message "Granted for *Subscription Name*" in the *Admin consent required* column.

-For details on managing administrators and other roles, see [Add or change Azure subscription administrators](../cost-management-billing/manage/add-change-subscription-administrator.md).

-## Resources

-* [Applications and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md)

-* [Quickstart: Register an app with the Azure Active Directory v1.0 endpoint](../active-directory/develop/quickstart-register-app.md)

-## Next steps

-If you've met all the [Azure Red Hat OpenShift prerequisites](howto-setup-environment.md), you're ready to create your first cluster!

-Try the tutorial:

-> [!div class="nextstepaction"]

-> [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md)

-* [Azure Red Hat OpenShift v4 supported resources](supported-resources.md)

-description: Learn how to create a private cluster with Azure Red Hat OpenShift 3.11 and about the benefits of private clusters.

-keywords: aro, openshift, private cluster, red hat

-#Customer intent: As a customer, I want to create a private cluster on ARO OpenShift.

-# Create a private cluster with Azure Red Hat OpenShift 3.11

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [contact us](mailto:arofeedback@microsoft.com).

-Private clusters provide the following benefits:

-* Private clusters don't expose cluster control plane components, such as the API servers, on a public IP address.

-* The virtual network of a private cluster is configurable by customers. You can set up networking to allow peering with other virtual networks, including ExpressRoute environments. You can also configure custom DNS on the virtual network to integrate with internal services.

-## Before you begin

-The fields in the following configuration snippet are new and must be included in your cluster configuration. `managementSubnetCidr` must be within the cluster virtual network and is used by Azure to manage the cluster.

-```json

-properties:

- networkProfile:

- managementSubnetCidr: 10.0.1.0/24

- masterPoolProfile:

- apiProperties:

- privateApiServer: true

-```

-A private cluster can be deployed using the sample scripts provided below. Once the cluster is deployed, run the `cluster get` command and view the `properties.FQDN` property to determine the private IP address of the OpenShift API server.

-The cluster virtual network is created with permissions so that you can modify it. You can set up networking to access the virtual network, such as ExpressRoute, VPN, and virtual network peering.

-If you change the DNS nameservers on the cluster virtual network, issue an update on the cluster with the `properties.RefreshCluster` property set to `true` so that the virtual machines can be reimaged. This update allows them to pick up the new nameservers.

-## Sample configuration scripts

-Use the sample scripts in this section to set up and deploy your private cluster.

-### Environment

-Fill in the environment variables below as using your own values.

-> [!NOTE]

-> The location must be set to `eastus2` because this is currently the only supported location for private clusters.

-``` bash

-export CLUSTER_NAME=

-export LOCATION=eastus2

-export TOKEN=$(az account get-access-token --query 'accessToken' -o tsv)

-export SUBID=

-export TENANT_ID=

-export ADMIN_GROUP=

-export CLIENT_ID=

-export SECRET=

-```

-### private-cluster.json

-This sample is a cluster configuration with private cluster enabled. It uses the environment variables defined above.

-```json

-{

- "location": "$LOCATION",

- "name": "$CLUSTER_NAME",

- "properties": {

- "openShiftVersion": "v3.11",

- "networkProfile": {

- "vnetCIDR": "10.0.0.0/8",

- "managementSubnetCIDR" : "10.0.1.0/24"

- },

- "authProfile": {

- "identityProviders": [

- {

- "name": "Azure AD",

- "provider": {

- "kind": "AADIdentityProvider",

- "clientId": "$CLIENT_ID",

- "secret": "$SECRET",

- "tenantId": "$TENANT_ID",

- "customerAdminGroupID": "$ADMIN_GROUP"

- }

- }

- ]

- },

- "masterPoolProfile": {

- "name": "master",

- "count": 3,

- "vmSize": "Standard_D4s_v3",

- "osType": "Linux",

- "subnetCIDR": "10.0.0.0/24",

- "apiProperties": {

- "privateApiServer": true

- }

- },

- "agentPoolProfiles": [

- {

- "role": "compute",

- "name": "compute",

- "count": 1,

- "vmSize": "Standard_D4s_v3",

- "osType": "Linux",

- "subnetCIDR": "10.0.0.0/24"

- },

- {

- "role": "infra",

- "name": "infra",

- "count": 3,

- "vmSize": "Standard_D4s_v3",

- "osType": "Linux",

- "subnetCIDR": "10.0.0.0/24"

- }

- ],

- "routerProfiles": [

- {

- "name": "default"

- }

- ]

- }

-}

-```

-## Deploy a private cluster

-After configuring your private cluster with the sample scripts above, run the following command to deploy your private cluster.

-``` bash

-az group create --name $CLUSTER_NAME --location $LOCATION

-cat private-cluster.json | envsubst | curl -v -X PUT \

- https://management.azure.com/subscriptions/$SUBID/resourceGroups/$CLUSTER_NAME/providers/Microsoft.ContainerService/openShiftManagedClusters/$CLUSTER_NAME?api-version=2019-10-27-preview

-```

-## Next steps

-To learn about how to access the OpenShift console, see [Web Console Walkthrough](https://docs.openshift.com/container-platform/3.11/getting_started/developers_console.html).

-description: Here's how to create an Azure Active Directory (Azure AD) tenant to host your Microsoft Azure Red Hat OpenShift cluster.

-# Create an Azure AD tenant for Azure Red Hat OpenShift

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-Microsoft Azure Red Hat OpenShift requires an [Azure Active Directory (Azure AD)](../active-directory/develop/quickstart-create-new-tenant.md) tenant in which to create your cluster. A *tenant* is a dedicated instance of Azure AD that an organization or app developer receives when they create a relationship with Microsoft by signing up for Azure, Microsoft Intune, or Microsoft 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants and has its own work and school identities and app registrations.

-If you don't already have an Azure AD tenant, follow these instructions to create one.

-## Create a new Azure AD tenant

-To create a tenant:

-1. Sign in to the [Azure portal](https://portal.azure.com/) using the account you wish to associate with your Azure Red Hat OpenShift cluster.

-2. Open the [Azure Active Directory blade](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory) to create a new tenant (also known as a new *Azure Active Directory*).

-3. Provide an **Organization name**.

-4. Provide an **Initial domain name**. This will have *onmicrosoft.com* appended to it. You can reuse the value for *Organization name* here.

-5. Choose a country or region where the tenant will be created.

-6. Click **Create**.

-7. After your Azure AD tenant is created, select the **Click here to manage your new directory** link. Your new tenant name should be displayed in the upper-right of the Azure portal:

- ![Screenshot of the portal showing the tenant name in the upper-right][tenantcallout]

-8. Make note of the *tenant ID* so you can later specify where to create your Azure Red Hat OpenShift cluster. In the portal, you should now see the Azure Active Directory overview blade for your new tenant. Select **Properties** and copy the value for your **Directory ID**. We will refer to this value as `TENANT` in the [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial.

-[tenantcallout]: ./media/howto-create-tenant/tenant-callout.png

-## Resources

-Check out [Azure Active Directory documentation](../active-directory/index.yml) for more info on [Azure AD tenants](../active-directory/develop/quickstart-create-new-tenant.md).

-## Next steps

-Learn how to create a service principal, generate a client secret and authentication callback URL, and create a new Active Directory user for testing apps on your Azure Red Hat OpenShift cluster.

-[Create an Azure AD app object and user](howto-aad-app-configuration.md)

-description: Create a Prometheus instance in an Azure Red Hat OpenShift cluster to monitor your application's metrics.

-keywords: prometheus, aro, openshift, metrics, red hat

-# Deploy a standalone Prometheus instance in an Azure Red Hat OpenShift cluster

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-This article describes how to configure a standalone Prometheus instance that uses service discovery in an Azure Red Hat OpenShift cluster.

-> [!NOTE]

-> Customer admin access to Azure Red Hat OpenShift cluster isn't required.

-Target setup:

-You'll prepare some Prometheus config files locally. Create a new folder to store them. Config files are stored in the cluster as secrets, in case secret tokens are added later to the cluster.

-## Sign in to the cluster by using the OC tool

-1. Open a web browser, and then go to the web console of your cluster (https://openshift.*random-id*.*region*.azmosa.io).

-2. Sign in with your Azure credentials.

-3. Select your username in the upper-right corner, and then select **Copy Login Command**.

-4. Paste your username into the terminal that you'll use.

-> [!NOTE]

-> To see if you're signed in to the correct cluster, run the `oc whoami -c` command.

-## Prepare the projects

-To create the projects, run the following commands:

-```

-oc new-project prometheus-project

-oc new-project app-project1

-oc new-project app-project2

-```

-> [!NOTE]

-> You can either use the `-n` or `--namespace` parameter, or select an active project by running the `oc project` command.

-## Prepare the Prometheus configuration file

-Create a prometheus.yml file by entering the following content:

-```

-global:

- scrape_interval: 30s

- evaluation_interval: 5s

-scrape_configs:

- - job_name: prom-sd

- scrape_interval: 30s

- scrape_timeout: 10s

- metrics_path: /metrics

- scheme: http

- kubernetes_sd_configs:

- - api_server: null

- role: endpoints

- namespaces:

- names:

- - prometheus-project

- - app-project1

- - app-project2

-```

-Create a secret called Prom by entering the following configuration:

-```

-oc create secret generic prom --from-file=prometheus.yml -n prometheus-project

-```

-The prometheus.yml file is a basic Prometheus configuration file. It sets the intervals and configures auto discovery in three projects (prometheus-project, app-project1, app-project2). In the previous configuration file, the auto-discovered endpoints are scraped over HTTP without authentication.

-For more information about scraping endpoints, see [Prometheus scape config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config).

-## Prepare the Alertmanager config file

-Create an alertmanager.yml file by entering the following content:

-```

-global:

- resolve_timeout: 5m

-route:

- group_wait: 30s

- group_interval: 5m

- repeat_interval: 12h

- receiver: default

- routes:

- - match:

- alertname: DeadMansSwitch

- repeat_interval: 5m

- receiver: deadmansswitch

-receivers:

-```

-Create a secret called Prom-Alerts by entering the following configuration:

-```

-oc create secret generic prom-alerts --from-file=alertmanager.yml -n prometheus-project

-```

-Alertmanager.yml is the Alert Manager configuration file.

-> [!NOTE]

-> To verify the two previous steps, run the `oc get secret -n prometheus-project` command.

-## Start Prometheus and Alertmanager

-Go to [openshift/origin repository](https://github.com/openshift/origin/tree/release-3.11/examples/prometheus) and download the [prometheus-standalone.yaml](

-https://raw.githubusercontent.com/openshift/origin/release-3.11/examples/prometheus/prometheus-standalone.yaml) template. Apply the template to prometheus-project by entering the following configuration:

-```

-oc process -f https://raw.githubusercontent.com/openshift/origin/release-3.11/examples/prometheus/prometheus-standalone.yaml | oc apply -f - -n prometheus-project

-```

-The prometheus-standalone.yaml file is an OpenShift template. It will create a Prometheus instance with oauth-proxy in front of it and an Alertmanager instance, also secured with oauth-proxy. In this template, oauth-proxy is configured to allow any user who can "get" the prometheus-project namespace (see the `-openshift-sar` flag).

-> [!NOTE]

-> To verify if the prom StatefulSet has equal DESIRED and CURRENT number replicas, run the `oc get statefulset -n prometheus-project` command. To check all resources in the project, run the `oc get all -n prometheus-project` command.

-## Add permissions to allow service discovery

-Create a prometheus-sdrole.yml file by entering the following content:

-```

-apiVersion: template.openshift.io/v1

-kind: Template

-metadata:

- name: prometheus-sdrole

- annotations:

- "openshift.io/display-name": Prometheus service discovery role

- description: |

- Role and rolebinding added permissions required for service discovery in a given project.

- iconClass: fa fa-cogs

- tags: "monitoring,prometheus,alertmanager,time-series"

-parameters:

- name: PROMETHEUS_PROJECT

- value: prometheus-project

-objects:

- kind: Role

- metadata:

- name: prometheus-sd

- rules:

- - apiGroups:

- - ""

- resources:

- - services

- - endpoints

- - pods

- verbs:

- - list

- - get

- - watch

- kind: RoleBinding

- metadata:

- name: prometheus-sd

- roleRef:

- apiGroup: rbac.authorization.k8s.io

- kind: Role

- name: prometheus-sd

- subjects:

- - kind: ServiceAccount

- name: prom

- namespace: ${PROMETHEUS_PROJECT}

-```

-To apply the template to all projects from which you want to allow service discovery, run the following commands:

-```

-oc process -f prometheus-sdrole.yml | oc apply -f - -n app-project1

-oc process -f prometheus-sdrole.yml | oc apply -f - -n app-project2

-oc process -f prometheus-sdrole.yml | oc apply -f - -n prometheus-project

-```

-> [!NOTE]

-> To verify that Role and RoleBinding were created correctly, run the `oc get role` and `oc get rolebinding` commands.

-## Optional: Deploy example application

-Everything is working, but there are no metrics sources. Go to the Prometheus URL (https://prom-prometheus-project.apps.*random-id*.*region*.azmosa.io/). You can find it by using following command:

-```

-oc get route prom -n prometheus-project

-```

-> [!IMPORTANT]

-> Remember to add the https:// prefix to beginning of the host name.

-The **Status > Service Discovery** page will show 0/0 active targets.

-To deploy an example application, which exposes basic Python metrics under the /metrics endpoint, run the following commands:

-```

-oc new-app python:3.6~https://github.com/Makdaam/prometheus-example --name=example1 -n app-project1

-oc new-app python:3.6~https://github.com/Makdaam/prometheus-example --name=example2 -n app-project2

-```

-The new applications should appear as valid targets on the Service Discovery page within 30 seconds after deployment.

-For more details, select **Status** > **Targets**.

-> [!NOTE]

-> For every successfully scraped target, Prometheus adds a data point in the up metric. Select **Prometheus** in the upper-left corner, enter **up** as the expression, and then select **Execute**.

-## Next steps

-You can add custom Prometheus instrumentation to your applications. The Prometheus Client library, which simplifies Prometheus metrics preparation, is ready for different programming languages.

-For more information, see the following GitHub libraries:

-description: Manage projects, templates, image-streams in an Azure Red Hat OpenShift cluster

-keywords: red hat openshift projects requests self-provisioner

-#Customer intent: As a developer, I need to understand how to manage Openshift projects and development resources

-# Manage projects, templates, image-streams in an Azure Red Hat OpenShift cluster

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-In an OpenShift Container Platform, projects are used to group and isolate related objects. As an administrator, you can give developers access to specific projects, allow them to create their own projects, and grant them administrative rights to individual projects.

-## Self-provisioning projects

-You can enable developers to create their own projects. An API endpoint is responsible for provisioning a project according to a template named project-request. The web console and the `oc new-project` command use this endpoint when a developer creates a new project.

-When a project request is submitted, the API substitutes the following parameters in the template:

-| Parameter | Description |

-| -- | - |

-| PROJECT_NAME | The name of the project. Required. |

-| PROJECT_DISPLAYNAME | The display name of the project. May be empty. |

-| PROJECT_DESCRIPTION | The description of the project. May be empty. |

-| PROJECT_ADMIN_USER | The username of the administrating user. |

-| PROJECT_REQUESTING_USER | The username of the requesting user. |

-Access to the API is granted to developers with the self-provisioners cluster role binding. This feature is available to all authenticated developers by default.

-## Modify the template for a new project

-1. Log in as a user with `customer-admin` privileges.

-2. Edit the default project-request template.

- ```

- oc edit template project-request -n openshift

- ```

-3. Remove the default project template from the Azure Red Hat OpenShift (ARO) update process by adding the following annotation:

- `openshift.io/reconcile-protect: "true"`

- ```

- ...

- metadata:

- annotations:

- openshift.io/reconcile-protect: "true"

- ...

- ```

- The project-request template will not be updated by the ARO update process. This enables customers to customize the template and preserve these customizations when the cluster is updated.

-## Disable the self-provisioning role

-You can prevent an authenticated user group from self-provisioning new projects.

-1. Log in as a user with `customer-admin` privileges.

-2. Edit the self-provisioners cluster role binding.

- ```

- oc edit clusterrolebinding.rbac.authorization.k8s.io self-provisioners

- ```

-3. Remove the role from the ARO update process by adding the following annotation: `openshift.io/reconcile-protect: "true"`.

- ```

- ...

- metadata:

- annotations:

- openshift.io/reconcile-protect: "true"

- ...

- ```

-4. Change the cluster role binding to prevent `system:authenticated:oauth` from creating projects:

- ```

- apiVersion: rbac.authorization.k8s.io/v1

- groupNames:

- - osa-customer-admins

- kind: ClusterRoleBinding

- metadata:

- annotations:

- openshift.io/reconcile-protect: "true"

- labels:

- azure.openshift.io/owned-by-sync-pod: "true"

- name: self-provisioners

- roleRef:

- name: self-provisioner

- subjects:

- - kind: SystemGroup

- name: osa-customer-admins

- ```

-## Manage default templates and imageStreams

-In Azure Red Hat OpenShift, you can disable updates for any default templates and image streams inside `openshift` namespace.

-To disable updates for ALL `Templates` and `ImageStreams` in `openshift` namespace:

-1. Log in as a user with `customer-admin` privileges.

-2. Edit `openshift` namespace:

- ```

- oc edit namespace openshift

- ```

-3. Remove `openshift` namespace from the ARO update process by adding the following annotation:

-`openshift.io/reconcile-protect: "true"`

- ```

- ...

- metadata:

- annotations:

- openshift.io/reconcile-protect: "true"

- ...

- ```

- Any individual object in the `openshift` namespace can be removed from the update process by adding annotation `openshift.io/reconcile-protect: "true"` to it.

-## Next steps

-Try the tutorial:

-> [!div class="nextstepaction"]

-> [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md)

-### INSTALLING AND DOWNLOADING PACKAGES AND TOOLS

-description: Run privileged containers to monitor security and compliance.

-keywords: aro, openshift, aquasec, twistlock, red hat

-#Customer intent: As a customer, I want to monitor security compliance of my ARO clusters.

-# Run privileged containers in an Azure Red Hat OpenShift cluster

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-You can't run arbitrary privileged containers on Azure Red Hat OpenShift clusters.

-Two security monitoring and compliance solutions are allowed to run on ARO clusters.

-This document describes the differences from the generic OpenShift deployment documentation of the security product vendors.

-Read through these instructions before following the vendor's instructions.

-Section titles in product-specific steps below refer directly to section titles in the vendors' documentation.

-## Before you begin

-The documentation of most security products assumes you have cluster-admin privileges.

-Customer admins don't have all privileges in Azure Red Hat OpenShift. Permissions required to modify cluster-wide resources are limited.

-First, ensure the user is logged in to the cluster as a customer admin, by running

-`oc get scc`. All users that are members of the customer admin group have permissions to view the Security Context Constraints (SCCs) on the cluster.

-Next, ensure that the `oc` binary version is `3.11.154`.

-```

-oc version

-oc v3.11.154

-kubernetes v1.11.0+d4cacc0

-features: Basic-Auth GSSAPI Kerberos SPNEGO

-Server https://openshift.aqua-test.osadev.cloud:443

-openshift v3.11.154

-kubernetes v1.11.0+d4cacc0

-```

-## Product-specific steps for Aqua Security

-The base instructions that are going to be modified can be found in the [Aqua Security deployment documentation](https://docs.aquasec.com/docs/openshift-red-hat). The steps here will run in conjunction to the Aqua deployment documentation.

-The first step is to annotate the required SCCs that will be updated. These annotations prevent the cluster's Sync Pod from reverting any changes to these SSCs.

-```

-oc annotate scc hostaccess openshift.io/reconcile-protect=true

-oc annotate scc privileged openshift.io/reconcile-protect=true

-```

-### Step 1: Prepare prerequisites

-Remember to log in to the cluster as an ARO Customer Admin instead of the cluster-admin role.

-Create the project and the service account.

-```

-oc new-project aqua-security

-oc create serviceaccount aqua-account -n aqua-security

-```

-Instead of assigning the cluster-reader role, assign the customer-admin-cluster role to the aqua-account with the following command.

-```

-oc adm policy add-cluster-role-to-user customer-admin-cluster system:serviceaccount:aqua-security:aqua-account

-oc adm policy add-scc-to-user privileged system:serviceaccount:aqua-security:aqua-account

-oc adm policy add-scc-to-user hostaccess system:serviceaccount:aqua-security:aqua-account

-```

-Continue following the remaining instructions in Step 1. Those instructions describe setting up the secret for the Aqua registry.

-### Step 2: Deploy the Aqua Server, Database, and Gateway

-Follow the steps provided in the Aqua documentation for installing the aqua-console.yaml.

-Modify the provided `aqua-console.yaml`. Remove the top two objects labeled, `kind: ClusterRole` and `kind: ClusterRoleBinding`. These resources won't be created as the customer admin doesn't have permission at this time to modify `ClusterRole` and `ClusterRoleBinding` objects.

-The second modification will be to the `kind: Route` portion of the `aqua-console.yaml`. Replace the following yaml for the `kind: Route` object in the `aqua-console.yaml` file.

-```

-apiVersion: route.openshift.io/v1

-kind: Route

-metadata:

- labels:

- app: aqua-web

- name: aqua-web

- namespace: aqua-security

-spec:

- port:

- targetPort: aqua-web

- tls:

- insecureEdgeTerminationPolicy: Redirect

- termination: edge

- to:

- kind: Service

- name: aqua-web

- weight: 100

- wildcardPolicy: None

-```

-Follow the remaining instructions.

-### Step 3: Login to the Aqua Server

-This section isn't modified in any way. Follow the Aqua documentation.

-Use the following command to get the Aqua Console address.

-```

-oc get route aqua-web -n aqua-security

-```

-### Step 4: Deploy Aqua Enforcers

-Set the following fields when deploying enforcers:

-| Field | Value |

-| -- | - |

-| Orchestrator | OpenShift |

-| ServiceAccount | aqua-account |

-| Project | aqua-security |

-## Product-specific steps for Prisma Cloud / Twistlock

-The base instructions we're going to modify can be found in the [Prisma Cloud deployment documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/19-11/prisma-cloud-compute-edition-admin/install/install_openshift.html)

-Start by installing the `twistcli` tool as described in the "Install Prisma Cloud" and "Download the Prisma Cloud software" sections.

-Create a new OpenShift project

-```

-oc new-project twistlock

-```

-Skip the optional section "Push the Prisma Cloud images to a private registry". It won't work on Azure Red Hat OpenShift. Use the online registry instead.

-You can follow the official documentation while applying the corrections described below.

-Start with the "Install Console" section.

-### Install Console

-During `oc create -f twistlock_console.yaml` in Step 2, you'll get an Error when creating the namespace.

-You can safely ignore it, the namespace has been created previously with the `oc new-project` command.

-Use `azure-disk` for storage type.

-### Create an external route to Console

-You can either follow the documentation, or the instructions below if you prefer the oc command.

-Copy the following Route definition to a file called twistlock_route.yaml on your computer

-```

-apiVersion: route.openshift.io/v1

-kind: Route

-metadata:

- labels:

- name: console

- name: twistlock-console

- namespace: twistlock

-spec:

- port:

- targetPort: mgmt-http

- tls:

- insecureEdgeTerminationPolicy: Redirect

- termination: edge

- to:

- kind: Service

- name: twistlock-console

- weight: 100

- wildcardPolicy: None

-```

-then run:

-```

-oc create -f twistlock_route.yaml

-```

-You can get the URL assigned to Twistlock console with this command:

-`oc get route twistlock-console -n twistlock`

-### Configure console

-Follow the Twistlock documentation.

-### Install Defender for Cloud

-During `oc create -f defender.yaml` in Step 2, you'll get Errors when creating the Cluster Role and Cluster Role Binding.

-You can ignore them.

-Defenders will be deployed only on compute nodes. You don't have to limit them with a node selector.

-description: Here are the prerequisites for working with Microsoft Azure Red Hat OpenShift.

-keywords: red hat openshift setup set up

-#Customer intent: As a developer, I need to understand the prerequisites for working with Azure Red Hat OpenShift

-# Set up your Azure Red Hat OpenShift dev environment

-> [!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:arofeedback@microsoft.com).

-To build and run Microsoft Azure Red Hat OpenShift applications, you'll need to:

-* Install version 2.0.65 (or higher) of the Azure CLI (or use the Azure Cloud Shell).

-* Register for the `AROGA` feature and associated resource providers.

-* Create an Azure Active Directory (Azure AD) tenant.

-* Create an Azure AD application object.

-* Create an Azure AD user.

-The following instructions will walk you through all of these prerequisites.

-## Install the Azure CLI

-Azure Red Hat OpenShift requires version 2.0.65 or higher of the Azure CLI. If you've already installed the Azure CLI, you can check which version you have by running:

-```azurecli

-az --version

-```

-The first line of output will have the CLI version, for example `azure-cli (2.0.65)`.

-Here are instructions for [installing the Azure CLI](/cli/azure/install-azure-cli) if you require a new installation or an upgrade.

-Alternately, you can use the [Azure Cloud Shell](../cloud-shell/overview.md). When using the Azure Cloud Shell, be sure to select the **Bash** environment if you plan to follow along with the [Create and manage an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial series.

-## Register providers and features

-The `Microsoft.ContainerService AROGA` feature, `Microsoft.Solutions`, `Microsoft.Compute`, `Microsoft.Storage`, `Microsoft.KeyVault` and `Microsoft.Network` providers must be registered to your subscription manually before deploying your first Azure Red Hat OpenShift cluster.

-To register these providers and features manually, use the following instructions from a Bash shell if you've installed the CLI, or from the Azure Cloud Shell (Bash) session in your Azure portal:

-1. If you have multiple Azure subscriptions, specify the relevant subscription ID:

- ```azurecli

- az account set --subscription <SUBSCRIPTION ID>

- ```

-1. Register the Microsoft.ContainerService AROGA feature:

- ```azurecli

- az feature register --namespace Microsoft.ContainerService -n AROGA

- ```

-1. Register the Microsoft.Storage provider:

- ```azurecli

- az provider register -n Microsoft.Storage --wait

- ```

-

-1. Register the Microsoft.Compute provider:

- ```azurecli

- az provider register -n Microsoft.Compute --wait

- ```

-1. Register the Microsoft.Solutions provider:

- ```azurecli

- az provider register -n Microsoft.Solutions --wait

- ```

-1. Register the Microsoft.Network provider:

- ```azurecli

- az provider register -n Microsoft.Network --wait

- ```

-1. Register the Microsoft.KeyVault provider:

- ```azurecli

- az provider register -n Microsoft.KeyVault --wait

- ```

-1. Refresh the registration of the Microsoft.ContainerService resource provider:

- ```azurecli

- az provider register -n Microsoft.ContainerService --wait

- ```

-## Create an Azure Active Directory (Azure AD) tenant

-The Azure Red Hat OpenShift service requires an associated Azure Active Directory (Azure AD) tenant that represents your organization and its relationship to Microsoft. Your Azure AD tenant enables you to register, build, and manage apps, as well as use other Azure services.

-If you don't have an Azure AD to use as the tenant for your Azure Red Hat OpenShift cluster, or you wish to create a tenant for testing, follow the instructions in [Create an Azure AD tenant for your Azure Red Hat OpenShift cluster](howto-create-tenant.md) before continuing with this guide.

-## Create an Azure AD user, security group and application object

-Azure Red Hat OpenShift requires permissions to perform tasks on your cluster, such as configuring storage. These permissions are represented through a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object). You'll also want to create a new Active Directory user for testing apps running on your Azure Red Hat OpenShift cluster.

-Follow the instructions in [Create an Azure AD app object and user](howto-aad-app-configuration.md) to create a service principal, generate a client secret and authentication callback URL for your app, and create a new Azure AD security group and user to access the cluster.

-## Next steps

-You're now ready to use Azure Red Hat OpenShift!

-Try the tutorial:

-> [!div class="nextstepaction"]

-> [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md)

-[azure-cli-install]: /cli/azure/install-azure-cli

-> [Set up your dev environment](tutorial-create-cluster.md)

-description: Migrate from an Azure Red Hat OpenShift 3.11 to Azure Red Hat OpenShift 4

-keywords: migration, aro, openshift, red hat

-#Customer intent: As a customer, I want to migrate from an existing Azure Red Hat OpenShift 3.11 cluster to an Azure Red Hat OpenShift 4 cluster.

-# Migrate from Azure Red Hat OpenShift 3.11 to Azure Red Hat OpenShift 4

-Azure Red Hat OpenShift on OpenShift 4 brings Kubernetes 1.16 on Red Hat Core OS, private clusters, bring your own virtual network support, and full cluster admin role. In addition, many new features are now available such as support for the operator framework, the Operator Hub, and OpenShift Service Mesh.

-To successfully transition from Azure Red Hat OpenShift 3.11 to Azure Red Hat OpenShift 4, make sure to review the [differences in storage, networking, logging, security, and monitoring](https://docs.openshift.com/container-platform/4.4/migration/migrating_3_4/planning-migration-3-to-4.html).

-In this article, we'll demonstrate how to migrate from an Azure Red Hat OpenShift 3.11 cluster to an Azure Red Hat 4 cluster.

-> [!NOTE]

-> Red Hat OpenShift migration tools such as the Control Plane Migration Assistance Tool and the Cluster Application Migration Tool (CAM) cannot be used with Azure Red Hat OpenShift 3.11 clusters.

-## Before you begin

-This article assumes you have an existing Azure Red Hat OpenShift 3.11 cluster.

-## Create a target Azure Red Hat OpenShift 4 cluster

-First, [create the Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md) you would like to use as the target cluster. Here, we'll use the basic configuration. If you're interested in different settings, see the [Create an Azure Red Hat OpenShift 4 Cluster tutorial](tutorial-create-cluster.md).

-Create a virtual network with two empty subnets for the master and worker nodes.

-```azurecli-interactive

- az network vnet create \

- --resource-group $RESOURCEGROUP \

- --name aro-vnet \

- --address-prefixes 10.0.0.0/22

- az network vnet subnet create \

- --resource-group $RESOURCEGROUP \

- --vnet-name aro-vnet \

- --name master-subnet \

- --address-prefixes 10.0.0.0/23 \

- --service-endpoints Microsoft.ContainerRegistry

- az network vnet subnet create \

- --resource-group $RESOURCEGROUP \

- --vnet-name aro-vnet \

- --name worker-subnet \

- --address-prefixes 10.0.2.0/23 \

- --service-endpoints Microsoft.ContainerRegistry

-```

-Then, use the following command to create the cluster.

-```azurecli-interactive

-az aro create \

- --resource-group $RESOURCEGROUP \

- --name $CLUSTER \

- --vnet aro-vnet \

- --master-subnet master-subnet \

- --worker-subnet worker-subnet \

- # --domain foo.example.com # [OPTIONAL] custom domain

- # --pull-secret @pull-secret.txt # [OPTIONAL]

-```

-## Configure the target OpenShift 4 cluster

-### Authentication

-For users to interact with Azure Red Hat OpenShift, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the Azure Red Hat OpenShift API. The authorization layer then uses information about the requesting user to determine if the request is allowed.

-When an Azure Red Hat OpenShift 4 cluster is created, a temporary administrative user is created. [Connect to your cluster](tutorial-connect-cluster.md), add users and groups and [configure the appropriate permissions](https://docs.openshift.com/container-platform/4.6/authentication/understanding-authentication.html) for both.

-### Networking

-Azure Red Hat OpenShift 4 uses a few different operators to set up the network in your cluster: [Cluster Network Operator](https://docs.openshift.com/container-platform/4.6/networking/cluster-network-operator.html#nw-cluster-network-operator_cluster-network-operator), [DNS Operator](https://docs.openshift.com/container-platform/4.6/networking/dns-operator.html), and the [Ingress Operator](https://docs.openshift.com/container-platform/4.6/networking/ingress-operator.html). For more information on setting up networking in an Azure Red Hat OpenShift 4 cluster, see the [Networking Diagram](concepts-networking.md) and [Understanding Networking](https://docs.openshift.com/container-platform/4.6/networking/understanding-networking.html).

-### Storage

-Azure Red Hat OpenShift 4 supports the following PersistentVolume plug-ins:

-For information on configuring these storage types, see [Configuring persistent storage](https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/storage/configuring-persistent-storage).

-### Registry

-Azure Red Hat OpenShift 4 can build images from your source code, deploy them, and manage their lifecycle. To enable this, Azure Red Hat OpenShift provides 4 an [internal, integrated container image registry](https://docs.openshift.com/container-platform/4.5/registry/registry-options.html) that can be deployed in your Azure Red Hat OpenShift environment to locally manage images.

-If you're using external registries such as [Azure Container Registry](../container-registry/index.yml), [Red Hat Quay registries](https://docs.openshift.com/container-platform/4.5/registry/registry-options.html#registry-quay-overview_registry-options), or an [authentication enabled Red Hat registry](https://docs.openshift.com/container-platform/4.5/registry/registry-options.html#registry-authentication-enabled-registry-overview_registry-options), follow steps to supply credentials to the cluster to allow the cluster to access the repositories.

-### Monitoring

-Azure Red Hat OpenShift includes a pre-configured, pre-installed, and self-updating monitoring stack that is based on the Prometheus open source project and its wider eco-system. It provides monitoring of cluster components and includes a set of alerts to immediately notify the cluster administrator about any occurring problems and a set of Grafana dashboards. The cluster monitoring stack is only supported for monitoring Azure Red Hat OpenShift clusters. For more information, see [Cluster monitoring for Azure Red Hat OpenShift](https://docs.openshift.com/container-platform/4.5/monitoring/cluster_monitoring/about-cluster-monitoring.html).

-If you have been using [Azure Monitor for Containers for Azure Red Hat OpenShift 3.11](../azure-monitor/containers/container-insights-azure-redhat-setup.md), you can also enable Azure Monitor for Containers for [Azure Red Hat OpenShift 4 clusters](../azure-monitor/containers/container-insights-azure-redhat4-setup.md) and continue using the same Log Analytics workspace.

-## Move your DNS or load-balancer configuration to the new cluster

-If you're using Azure Traffic Manager, add endpoints to refer to your target cluster and prioritize these endpoints.

-## Deploy application to your target cluster

-Once you have your target cluster properly configured for your workload, [connect to your cluster](tutorial-connect-cluster.md) and create the necessary applications, components, or services for your projects. Azure Red Hat OpenShift enables you to create these from Git, container images, the Red Hat Developer Catalog, a Dockerfile, a YAML/JSON definition, or by selecting a database service from the Catalog.

-## Delete your source cluster

-Once you've confirmed that your Azure Red Hat OpenShift 4 cluster is properly set up, delete your Azure Red Hat OpenShift 3.11 cluster.

-```azurecli

-az aro delete --name $CLUSTER_NAME

- --resource-group $RESOURCE_GROUP

- [--no-wait]

- [--yes]

-```

-## Next steps

-Check out Red Hat OpenShift documentation [here](https://docs.openshift.com/container-platform/4.6/welcome/https://docsupdatetracker.net/index.html).

-description: Understand which Azure regions and virtual machine sizes are supported by Microsoft Azure Red Hat OpenShift.

-# Azure Red Hat OpenShift resources

-This topic lists the Azure regions and virtual machine sizes supported by the Microsoft Azure Red Hat OpenShift 3.11 service.

-## Azure regions

-See [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=openshift&regions=all) for a current list of regions where you can deploy Azure Red Hat OpenShift clusters.

-## Virtual machine sizes

-Here are the supported virtual machine sizes you can specify for the compute nodes in your Azure Red Hat OpenShift cluster.

-> [!Important]

-> Each VM has a different number of drives that can be attached. This may not be as immediately clear as memory or CPU size.

-> Not all VM sizes are available in all regions. Even if the API supports the size you specify, you might get an error if the size is not available in the region you specify.

-> See [Current list of supported VM sizes per region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines) for more information.

-## Compute node sizes

-The following compute node sizes are supported by the Azure Red Hat OpenShift REST API:

-|Size|vCPU|RAM|

-|-|-|-|

-|Standard D4s v3|4|16 GB|

-|Standard D8s v3|8|32 GB|

-|Standard D16s v3|16|64 GB|

-|Standard D32s v3|32|128 GB|

-|-|-|-|

-|Standard E4s v3|4|32 GB|

-|Standard E8s v3|8|64 GB|

-|Standard E16s v3|16|128 GB|

-|Standard E32s v3|32|256 GB|

-|-|-|-|

-|Standard F8s v2|8|16 GB|

-|Standard F16s v2|16|32 GB|

-|Standard F32s v2|32|64 GB|

-## Master node sizes

-The following master / infrastructure node sizes are supported by the Azure Red Hat OpenShift REST API:

-|Size|vCPU|RAM|

-|-|-|-|

-|Standard D4s v3|4|16 GB|

-|Standard D8s v3|8|32 GB|

-|Standard D16s v3|16|64 GB|

-|Standard D32s v3|32|128 GB|

-## Next steps

-Try the [Create a Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial.

- | Region | Select **West US 2** |

-# Azure Active Directory Authentication with PostgreSQL Flexible Server Preview

-> [!NOTE]

-> Azure Active Directory Authentication for PostgreSQL Flexible Server is currently in preview.

-| PG bouncer support | No | Planned for GA |

-# Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server (preview)

-> [!NOTE]

-> Azure Active Directory authentication for Azure Database for PostgreSQL - Flexible Server is currently in preview.

-# Manage Azure Active Directory roles in Azure Database for PostgreSQL - Flexible Server Preview

-> [!NOTE]

-> Azure Active Directory Authentication for PostgreSQL Flexible Server is currently in preview.

-Azure Database for PostgreSQL Flexible Servers uses Security Labels associated with database roles to store Azure AD mapping. During preview, we don't provide a function to associate existing Azure AD roles.

-|Mobile Packet Core |Firewall, Routers, & SD-WAN |RAN Partners (software) |

-|||||

-|Celona | 128 Technology | AirHop |

-|Expeto | Arista | ASOCS |

-|HSS by HPE | Fortinet | Celona |

-| Nokia Digital Automation Cloud | NetFoundry | Commscope|

-|G+D | Multitech |Celona |

-|Gemalto | Sierra Wireless |Commscope |

-|IDEMIA | |Nokia |

-Advanced resource sets is off by default in all new Microsoft Purview instances. Advanced resource sets can be enabled from **Account information** in the management hub.

-## 6 Set up policy

-Azure Cognitive Search has an optional [built-in policy](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F76a56461-9dc0-40f0-82f5-2453283afa2f) to enforce usage of CMK on individual objects defined in a search service. In this step, you'll apply this policy to your search service and set up your search service to enforce this policy.

-1. Set up the [policy scope](../governance/policy/concepts/scope.md). In the **Parameters** section, uncheck **Only show parameters...** and set **Effect** to **Deny**

-1. Call the [Services - Create or Update API](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to enable CMK policy enforcement.

-Create a new search resource using PowerShell and the **Az.Search** module.

-Create a new search resource using PowerShell and the **Az.Search** module.

-Create a new search resource using PowerShell and the **Az.Search** module.

-> The CEF via AMA connector is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> [!NOTE]

-> On February 28th 2023, we will introduce [changes to the CommonSecurityLog table schema](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/upcoming-changes-to-the-commonsecuritylog-table/ba-p/3643232). This means that custom queries will require being reviewed and updated. Out-of-the-box content (detections, hunting queries, workbooks, parsers, etc.) will be updated by Microsoft Sentinel.