->To integrate Nevis into your sign-up policy flow, configure the Azure AD B2C environment to use custom policies. </br>See, [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](/tutorial-create-user-flows.md?pivots=b2c-custom-policy).

-5. [Create an Azure Blob storage account](/customize-ui-with-html.md#2-create-an-azure-blob-storage-account).

-7. [Configure CORS](/customize-ui-with-html.md#3-configure-cors).

-Identity provider selection lets users select an action from a list of options. The identity provider selection consists of a pair of two orchestration steps:

- | **Use HTTP-Only Cookie** | Set this value to **Yes** to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, set this value to **No**. |

- | **Use Secure Cookie**| Set this value to **Yes** to transmit cookies over a secure channel such as an encrypted HTTPS request.

- | **Use Persistent Cookie**| Keep this value set to **No**. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](./application-proxy-configure-cookie-settings.md).

- | **Translate URLs in Headers** | Keep this value as **Yes** unless your application required the original host header in the authentication request. |

- | **Translate URLs in Application Body** | Keep this value as **No** unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Set this value to **Yes** if you plan to monitor this application with Microsoft Defender for Cloud Apps. For more information, see [Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |

-1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(DisplayName, ΓÇÿ{sync config name}ΓÇÖ)`. This query returns a filtered list of service principals. This can also be acquire via the App Registration node under Azure Active Directory.

- Example: https://graph.microsoft.com/beta/serviceprincipals/653c0018-51f4-4736-a3a3-94da5dcb6862/synchronization/jobs/AD2AADProvisioning.e9287a7367e444c88dc67a531c36d8ec/schema

- - Authenticated SMTP - Used by POP and IMAP client's to send email messages.

-When you acquire an access token using the Microsoft Authentication Library for .NET (MSAL.NET), the token is cached. When the application needs a token, it should attempt to fetch it from the cache first.

-You can monitor the source of the tokens by inspecting the `AuthenticationResult.AuthenticationResultMetadata.TokenSource` property.

-Applications that request tokens for an app identity, with no user involved, by calling `AcquiretTokenForClient` can either rely on MSAL's internal caching, define their own memory token caching or distributed token caching. For instructions and more information, see [Token cache serialization in MSAL.NET](msal-net-token-cache-serialization.md?tabs=aspnet).

-Since no user is involved, there's no reason to call `AcquireTokenSilent`. `AcquireTokenForClient` will look in the cache on its own as there's no API to clear the cache. Cache size is proportional with the number of tenants and resources you need tokens for. Cache size can be managed by setting eviction policies on the underlying cache store, such as MemoryCache, Redis etc.

-Desktop, command-line, and mobile applications should first call the AcquireTokenSilent method to verify if an acceptable token is in the cache. In many cases, it's possible to acquire another token with more scopes based on a token in the cache. It's also possible to refresh a token when it's getting close to expiration (as the token cache also contains a refresh token).

-For authentication flows that require a user interaction, MSAL caches the access, refresh, and ID tokens, and the `IAccount` object, which represents information about a single account. Learn more about [IAccount](/dotnet/api/microsoft.identity.client.iaccount?view=azure-dotnet&preserve-view=true). For application flows, such as [client credentials](msal-authentication-flows.md#client-credentials), only access tokens are cached, because the `IAccount` object and ID token require a user, and the refresh token isn't applicable.

-In public client applications, clearing the cache is achieved by removing the accounts from the cache. This doesn't remove the session cookie, which is in the browser.

-For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions for a given resource that represent what a client application can access on behalf of the user.For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).

- "ClientId": "Enter_the_Application_(client)_ID_here"

-In ASP.NET Core web apps (and web APIs), the application is protected because you have a `Authorize` attribute on the controllers or the controller actions. This attribute checks that the user is authenticated. Prior to the release of .NET 6, the code initializaation wis in the *Startup.cs* file. New ASP.NET Core projects with .NET 6 no longer contain a *Startup.cs* file. Taking its place is the *Program.cs* file. The rest of this tutorial pertains to .NET 5 or lower.

-If a guest user has not yet redeemed their invitation, you can resend the invitation email.

-6. If the user has not yet accepted the invitation, Select the **Yes** option to resend.

-In this tutorial, you sent bulk invitations to guest users outside of your organization. Next, learn how the invitation redemption process works, and how to enforce multi-factor authentication for guest users.

-> These lists don't apply to users in your directory. By default, they don't apply to OneDrive for Business and SharePoint allowlist or blocklists. These lists are separate, but you can enable [SharePoint-OneDrive B2B integration](/sharepoint/sharepoint-azureb2b-integration.md).

-## September 2017

-### Hotfix for Identity Manager

-**Type:** Changed feature

-**Service category:** Identity Manager

-**Product capability:** Identity lifecycle management

-A hotfix roll-up package (build 4.4.1642.0) is available as of September 25, 2017, for Identity Manager 2016 Service Pack 1. This roll-up package:

-For more information, see [Hotfix rollup package (build 4.4.1642.0) is available for Identity Manager 2016 Service Pack 1](https://support.microsoft.com/help/4021562).

-> [!NOTE]

-> The user's employee hire date is used as the start time for the Temporary Access Pass. Please make sure that the TAP lifetime task setting and the [time portion of your user's hire date](how-to-lifecycle-workflow-sync-attributes.md#importance-of-time) are set appropriately so that the TAP is still valid when the user starts their first day.

-When a compatible user joins your organization, Lifecycle Workflows allow you to automatically generate a Temporary Access Pass(TAP), and have it sent to the new user's manager.

-**Activation duration**- How long the password is active.

-**One time use**- If the password is one use only.

-

-> [!NOTE]

-> The employee hire date is the same as the startDateTime used for the tapLifetimeInMinutes parameter.

-Azure AD Connect installs an on-premises service which orchestrates synchronization between Active Directory and Azure Active Directory. The Microsoft Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installations but may be customized to meet your organizational security requirements. These credentials are not used to connect to your on-premises forests or Azure Active Directory.

-The sync service can run under different accounts. It can run under a Virtual Service Account (VSA), a Managed Service Account (gMSA/sMSA), or a regular User Account. The supported options were changed with the 2017 April release and 2021 March release of Azure AD Connect when you do a fresh installation. If you upgrade from an earlier release of Azure AD Connect, these additional options are not available.

-|Virtual Service Account|Express and custom, 2017 April and later| A Virtual Service Account is used for all express installations, except for installations on a Domain Controller. When using custom installation, it is the default option unless another option is used.|

-|Managed Service Account|Express and custom, 2021 March and later|A standalone Managed Service Account prefixed with ADSyncMSA_ is created during installation for express installations when installed on a Domain Controller. When using custom installation, it is the default option unless another option is used.|

-|User Account|Express and custom, 2017 April to 2021 March|A User Account prefixed with AAD_ is created during installation for express installations when installed on a Domain Controller. When using custom installation, it is the default option unless another option is used.|

-> If you use Connect with a build from 2017 March or earlier, then you should not reset the password on the service account since Windows destroys the encryption keys for security reasons. You cannot change the account to any other account without reinstalling Azure AD Connect. If you upgrade to a build from 2017 April or later, then it is supported to change the password on the service account, but you cannot change the account used.

-> You can only set the service account on first installation. It is not supported to change the service account after the installation has been completed. If you need to change the service account password, this is supported and instructions can be found [here](how-to-connect-sync-change-serviceacct-pass.md).

-A Virtual Service Account is a special type of managed local account that does not have a password and is automatically managed by Windows.

-The Virtual Service Account cannot be used on a Domain Controller due to [Windows Data Protection API (DPAPI)](/previous-versions/ms995355(v=msdn.10)) issues.

-If you use a remote SQL Server, then we recommend to using a group managed service account. For more information on how to prepare your Active Directory for group Managed Service account, see [Group Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).

-It is also supported to use a standalone managed service account. However, these can only be used on the local machine and there is no benefit to using them over the default Virtual Service Account.

-This account is a managed domain account that does not have a password and is automatically managed by Windows.

-The account is created with a long complex password that does not expire.

-If you use a full SQL Server, then the service account is the DBO of the created database for the sync engine. The service will not function as intended with any other permission. A SQL login is also created.

-There are several different reasons why you would have multiple Active Directory forests and there are several different deployment topologies. Common models include an account-resource deployment and GAL syncΓÇÖed forests after a merger & acquisition. But even if there are pure models, hybrid models are common as well. The default configuration in Azure AD Connect sync does not assume any particular model but depending on how user matching was selected in the installation guide, different behaviors can be observed.

-In this topic, we will go through how the default configuration behaves in certain topologies. We will go through the configuration and the Synchronization Rules Editor can be used to look at the configuration.

-* A disabled account will contribute userPrincipalName and sourceAnchor, unless it is a linked mailbox, if there is no active account to be found.

-* Azure AD Connect does not support synchronizing [Primary Group memberships](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771489(v=ws.11)) to Azure AD.

-* Azure AD Connect does not support synchronizing [Dynamic Distribution Group memberships](/Exchange/recipients/dynamic-distribution-groups/dynamic-distribution-groups) to Azure AD.

- * An Active Directory group whose proxyAddress attribute has value *{"X500:/0=contoso.com/ou=users/cn=testgroup"}* will not be mail-enabled in Azure AD. It does not have an SMTP address.

-Having contacts representing a user in a different forest is common after a merger & acquisition where a GALSync solution is bridging two or more Exchange forests. The contact object is always joining from the connector space to the metaverse using the mail attribute. If there is already a contact object or user object with the same mail address, the objects are joined together. This is configured in the rule **In from AD ΓÇô Contact Join**. There is also a rule named **In from AD ΓÇô Contact Common** with an attribute flow to the metaverse attribute **sourceObjectType** with the constant **Contact**. This rule has very low precedence so if any user object is joined to the same metaverse object, then the rule **In from AD ΓÇô User Common** will contribute the value User to this attribute. With this rule, this attribute will have the value Contact if no user has been joined and the value User if at least one user has been found.

-For example, in a GALSync topology we will find contact objects for everyone in the second forest when we import the first forest. This will stage new contact objects in the AAD Connector. When we later import and synchronize the second forest, we will find the real users and join them to the existing metaverse objects. We will then delete the contact object in AAD and create a new user object instead.

-The assumption is that if a disabled user account is found, then we will not find another active account later and the object is provisioned to Azure AD with the userPrincipalName and sourceAnchor found. In case another active account will join to the same metaverse object, then its userPrincipalName and sourceAnchor will be used.

-When an object has been exported to Azure AD then it is not allowed to change the sourceAnchor anymore. When the object has been exported the metaverse attribute **cloudSourceAnchor** is set with the **sourceAnchor** value accepted by Azure AD. If **sourceAnchor** is changed and not match **cloudSourceAnchor**, the rule **Out to AAD ΓÇô User Join** will throw the error **sourceAnchor attribute has changed**. In this case, the configuration or data must be corrected so the same sourceAnchor is present in the metaverse again before the object can be synchronized again.

-On the **Connect your directories** page, in the Azure AD Connect Wizard, if a network issue occurs, the ADConnectivityTool will automatically use one of its functions to determine what is going on. Any of the following can be considered network issues:

-For example, when we are attempting to add a directory on the **Connect your directories** screen, Azure AD Connect needs to verify this and expects to be able to communicate with a domain controller over port 389. If it cannot, we will see the error that is shown in the screenshot above.

-We are going to call out this function because it can **only** be called manually once the ADConnectivityTool.psm1 has been imported into PowerShell.

-If the user runs this function after a problem is solved (or if no problem exists at all) the output will indicate for the user to go back to the Azure AD Connect Wizard and try inserting the credentials again.

-You can use the synchronization rule editor to edit or create a new synchronization rule. You need to be an advanced user to make changes to synchronization rules. Any wrong changes may result in deletion of objects from your target directory. Please read [Recommended Documents](#recommended-documents) to gain expertise in synchronization rules. To modify a synchronization rule go through following steps:

-* In order to customize a default synchronization rule, clone the existing rule by clicking the ΓÇ£EditΓÇ¥ button on the Synchronization Rules Editor, which will create a copy of the standard default rule and disable it. Save the cloned rule with a precedence less than 100. Precedence determines what rule wins(lower numeric value) a conflict resolution if there is an attribute flow conflict.

-* Please note that in the case where the calculated value of the modified attribute is NULL in your cloned rule and is not NULL in the default standard rule then, the not NULL value will win and will replace the NULL value. If you donΓÇÖt want a NULL value to be replace with a not NULL value then assign AuthoritativeNull in your cloned rule.

-> <li>Only one device registration configuration object can be added to the on-premises Active Directory forest. This feature is not compatible with a topology where the on-premises Active Directory is synchronized to multiple Azure AD directories.</li>

-2. On the device options page, select **Configure device writeback**. Option to **Disable device writeback** will not be available until device writeback is enabled. Click on **Next** to move to the next page in the wizard.

-3. On the writeback page, you will see the supplied domain as the default Device writeback forest.

- b. **Download PowerShell script**: Azure AD Connect auto-generates a PowerShell script that can prepare the active directory for device writeback. In case the enterprise administrator credentials cannot be provided in Azure AD Connect, it is suggested to download the PowerShell script. Provide the downloaded PowerShell script **CreateDeviceContainer.ps1** to the enterprise administrator of the forest where devices will be written back to.

- * If they do not exist already, creates and configures new containers and objects under CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn].

- * If they do not exist already, creates and configures new containers and objects under CN=RegisteredDevices,[domain-dn]. Device objects will be created in this container.

-If the checkbox for device writeback is not enabled even though you have followed the steps above, the following steps will guide you through what the installation wizard is verifying before the box is enabled.

-* If the installation wizard is already running, then any changes will not be detected. In this case, complete the installation wizard and run it again.

-* Verify there is only one configuration object by searching the configuration namespace. If there is more than one, delete the duplicate.

-* On the Device Registration Service object, make sure the attribute msDS-DeviceLocation is present and has a value. Lookup this location and make sure it is present with the objectType msDS-DeviceContainer.

-Azure AD Connect Health service send alerts indicate that your identity infrastructure is not healthy. This article includes alerts titles, descriptions, and remediation steps for each alert. <br />

-Azure AD Connect Health alerts get resolved on a success condition. Azure AD Connect Health Agents detect and report the success conditions to the service periodically. For a few alerts, the suppression is time-based. In other words, if the same error condition is not observed within 72 hours from alert generation, the alert is automatically resolved.

-| Health service data is not up to date | The Health Agent(s) running on one or more servers is not connected to the Health Service and the Health Service is not receiving the latest data from this server. The last data processed by the Health Service is older than 2 Hours. | Ensure that the health agents have outbound connectivity to the required service end points. [Read More](how-to-connect-health-data-freshness.md) |

-| Azure AD Connect Sync Service is not running | Microsoft Azure AD Sync Windows service is not running or could not start. As a result, objects will not synchronize with Azure Active Directory. | Start Microsoft Azure Active Directory Sync Services</b> <ol> <li>Click <b>Start</b>, click <b>Run</b>, type <b>Services.msc</b>, and then click <b>OK</b>.</li> <li>Locate the <b>Microsoft Azure AD Sync service</b>, and then check whether the service is started. If the service isn't started, right-click it, and then click <b>Start</b>. |

-| Connection to Azure Active Directory failed due to authentication failure | Connection to Azure Active Directory failed due to authentication failure. As a result objects will not be synchronized with Azure Active Directory. | Investigate the event log errors for further details. |

-| Password Hash Synchronization heartbeat was skipped in last 120 minutes | Password Hash Synchronization has not connected with Azure Active Directory in the last 120 minutes. As a result, passwords will not be synchronized with Azure Active Directory. | Restart Microsoft Azure Active Directory Sync

-| Password Hash Synchronization has stopped working | Password Hash Synchronization has stopped. As a result passwords will not be synchronized with Azure Active Directory. | Restart Microsoft Azure Active Directory Sync

-|Test Authentication Request (Synthetic Transaction) failed to obtain a token | The test authentication requests (Synthetic Transactions) initiated from this server has failed to obtain a token after 5 retries. This may be caused due to transient network issues, AD DS Domain Controller availability or a mis-configured AD FS server. As a result, authentication requests processed by the federation service may fail. The agent uses the Local Computer Account context to obtain a token from the Federation Service. | Ensure that the following steps are taken to validate the health of the server.<ol><li>Validate that there are no additional unresolved alerts for this or other AD FS servers in your farm.</li><li>Validate that this condition is not a transient failure by logging on with a test user from the AD FS login page available at https://{your_adfs_server_name}/adfs/ls/idpinitiatedsignon.aspx</li><li>Go to <a href="https://testconnectivity.microsoft.com">https://testconnectivity.microsoft.com</a> and choose the ΓÇÿOffice 365ΓÇÖ tab. Perform the ΓÇÿOffice 365 Single Sign-On TestΓÇÖ.</li><li>Verify if your AD FS service name can be resolved from this server by executing the following command from a command prompt on this server. nslookup your_adfs_server_name</li></ol><p>If the service name cannot be resolved, refer to the FAQ section for instructions of adding a HOST file entry of your AD FS service with the IP address of this server. This will allow the synthetic transaction module running on this server to request a token</p> |

-| The proxy server cannot reach the federation server | This AD FS proxy server is unable to contact the AD FS service. As a result, authentication requests processed by this server will fail. | Perform the following steps to validate the connectivity between this server and the AD FS service. <ol><li> Ensure that the firewall between this server and the AD FS service is configured accurately. </li><li> Ensure that DNS resolution for the AD FS service name appropriately points to the AD FS service that resides within the corporate network. This can be achieved through a DNS server that serves this server in the perimeter network or through entries in the HOSTS files for the AD FS service name. </li><li> Validate the network connectivity by opening up the browser on this server and accessing the federation metadata endpoint, which is at `https://<your-adfs-service-name>/federationmetadata/2007-06/federationmetadata.xml` </li> |

-| The SSL Certificate is about to expire | The TLS/SSL certificate used by the Federation servers is about to expire within 90 days. Once expired, any requests that require a valid TLS connection will fail. For example, for Microsoft 365 customers, mail clients will not be able to authenticate. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain the TLS/SSL certificate with the following requirements.<ol type="a"><li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></ol></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS, which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 and later versions:</b> <li> Refer to <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> |

-| AD FS service is not running on the server | Active Directory Federation Service (Windows Service) is not running on this server. Any requests targeted to this server will fail. | To start the Active Directory Federation Service (Windows Service):<ol><li>Log on to the server as an administrator.</li><li> Open services.msc</li><li>Find "Active Directory Federation Services". </li><li>Right-click and select "Start". |

-| DNS for the Federation Service may be misconfigured | The DNS server could be configured to use a CNAME record for the AD FS farm name. It is recommended to use A or AAAA record for AD FS in order for the Windows Integrated Authentication to work seamlessly within your corporate network. | Ensure that the DNS record type of the AD FS farm `<Farm Name>` is not CNAME. Configure it to be an A or AAAA record. |

-| AD FS Auditing is disabled | AD FS Auditing is disabled for the server. AD FS Usage section on the portal will not include data from this server. | If AD FS Audits are not enabled follow these instructions:<ol><li>Grant the AD FS service account the "Generate security audits" right on the AD FS server.<li>Open the local security policy on the server gpedit.msc.</li><li>Navigate to "Computer Configuration\Windows Settings\Local Policies\User Rights Assignment" </li><li>Add the AD FS Service Account to have the "Generate security audits" right.</li></li><li>Run the following command from the command prompt:<br><i>auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable </i></li><li>Update Federation Service Properties to include Success and Failure Audits.<li>In the AD FS console, choose "Edit Federation Service Properties".</li><li>From "Federation Service Properties" dialogue box choose the Events tab and select "Success Audits" and "Failure Audits".</li></li></ol></p><p>After following these steps, AD FS Audit Events should be visible from the Event Viewer. To verify:<ol><li>Go to Event Viewer/ Windows Logs /Security.</li><li>Select Filter Current Logs and select AD FS Auditing from the Event sources drop down. For an active AD FS server with AD FS auditing enabled, events should be visible for the above filtering.</li></ol></p><p>If you have followed these instructions before, but still seeing this alert, it is possible that a Group Policy Object is disabling AD FS auditing. The root cause can be one of the following:<ol><li>AD FS service account is being removed from having the right to Generate Security Audits.</li><li>A custom script in Group Policy Object is disabling success and failure audits based on "Application Generated".</li><li>AD FS configuration is not enabled to generate Success/Failure audits. |

-| The trust between the proxy server and federation server is not valid | The trust between the federation server proxy and the Federation Service could not be established or renewed. | Update the Proxy Trust Certificate on the proxy server. Re-Run the Proxy Configuration Wizard. |

-| Extranet Lockout Protection Disabled for AD FS | The Extranet Lockout Protection feature is DISABLED on your AD FS farm. This feature protects your users from brute force password attacks from the internet and prevents denial of service attacks against your users when AD DS account lockout policies are in effect. With this feature enabled, if the number of failed extranet login attempts for a user (login attempts made via WAP server and AD FS) exceed the 'ExtranetLockoutThreshold' then AD FS servers will stop processing further login attempts for ΓÇÿExtranetObservationWindow' We highly recommend you enable this feature on your AD FS servers. | Run the following command to enable AD FS Extranet Lockout Protection with default values.<br><i>Set-AdfsProperties -EnableExtranetLockout $true</i><br><br>If you have AD lockout policies configured for your users, ensure that the <i>'ExtranetLockoutThreshold'</i> property is set to a value below your AD DS lockout threshold. This ensures that requests that have exceeded the threshold for AD FS are dropped and never validated against your AD DS servers. |

-| Invalid Service Principal Name (SPN) for the AD FS service account | The Service Principal Name of the Federation Service account is not registered or is not unique. As a result, Windows Integrated Authentication from domain-joined clients may not be seamless. | Use [<b>SETSPN -L ServiceAccountName</b>] to list the Service Principals.<br>Use [<b>SETSPN -X</b>] to check for duplicate Service Principal Names.</p><p>If SPN is duplicated for the AD FS service account, remove the SPN from the duplicated account using [<b>SETSPN -d service/namehostname</b>]</p><p>If SPN is not set, use [<b>SETSPN -s {Desired-SPN} {domain_name}\{service_account}</b>] to set the desired SPN for the Federation Service Account. |

-| The Primary AD FS Token Decrypting certificate is about to expire | The Primary AD FS Token Decrypting certificate is about to expire in less than 90 days. AD FS cannot decrypt tokens from trusted claims providers. AD FS cannot decrypt encrypted SSO cookies. The end users will not be able to authenticate to access resources. | If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate.</p><p>If you manage your certificate manually, please follow the below instructions. <b>Obtain a new Token Decrypting Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Key Encipherment".</li><li>Subject or Subject Alternative Name (SAN) do not have any restrictions.</li><li>Note that your Federation Servers and Claims Provider partners need to be able to chain to a trusted root certification authority when validating your Token-Decrypting certificate.</li></ol><b>Decide how your Claims Provider partners will trust the new Token-Decrypting certificate</b><ol type="a"><li>Ask partners to pull the Federation Metadata after updating the certificate.</li><li>Share the public key of the new certificate. (.cer file) with the partners. On the Claims Provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust that was created for you. Under Properties/Encryption click "Browse" to select the new Token-Decrypting certificate and click OK.</li></ol><b>Install the certificate in the local certificate store on each of your Federation Server.</b><ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul><b>Ensure that the federation service account has access to the new certificate's private key.</b> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Decrypting Certificate</li><li>You will be presented with a list of certificates that are valid for Token-Decrypting. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer personal store with a private key associated and the certificate has the Key Encipherment as Extended Key Usage.</li><li>Select your new Token-Decrypting certificate and click OK.</li></ol><b>Set the new Token-Decrypting Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Decrypting: existing and the new certificate.</li><li>Select your new Token-Decrypting certificate, right-click, and select Set as primary.</li><li>Leave the old certificate as secondary for roll-over purposes. You should plan to remove the old certificate once you are confident it is no longer needed for roll-over, or when the certificate has expired. </li></ol> |

-| The Primary AD FS Token Signing certificate is about to expire | The AD FS token signing certificate is about to expire within 90 days. AD FS cannot issue signed tokens when this certificate is not valid. | <b>Obtain a new Token Signing Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature". </li><li>Subject or Subject Alternative Name (SAN) does not have any restrictions. </li><li>Note that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.</li></ol><b>Install the certificate in the local certificate store on each Federation Server.</b> <ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><b>Ensure that the Federation Service Account has access to the new certificate's private key.</b> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu.</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Signing Certificate...</li><li>You will be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.</li><li>Select your new Token-Signing certificate and click OK</li></ol><b>Inform all the Relying Parties about the change in Token Signing Certificate.</b><ol type="a"><li>Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.</li><li>Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.</li></a><b>Set the new Token-Signing Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.</li><li>Select your new Token-Signing certificate, right-click, and select Set as <b>primary</b></li><li>Leave the old certificate as secondary for rollover purposes. You should plan to remove the old certificate once you are confident it is no longer needed for rollover, or when the certificate has expired. Note that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate. </li></ol> |

-| AD FS SSL certificate is not found in the local certificate store | The certificate with the thumbprint that is configured as the TLS/SSL certificate in the AD FS database was not found in the local certificate store. As a result, any authentication request over the TLS will fail. For example mail client authentication for Microsoft 365 will fail. | Install the certificate with the configured thumbprint in the local certificate store. |

-| The SSL Certificate expired | The TLS/SSL certificate for the AD FS service has expired. As a result, any authentication requests that require a valid TLS connection will fail. For example: mail client authentication will not be able to authenticate for Microsoft 365. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain the TLS/SSL certificate with the following requirements.<li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS, which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 or later versions:</b> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> |

-| The Required end points for Azure Active Directory (for Microsoft 365) are not enabled | The following set of end points required by the Exchange Online Services, Azure AD, and Microsoft 365 are not enabled for the federation service: <li>/adfs/services/trust/2005/usernamemixed</li><li>/adfs/ls/</li> | Enable the required end points for the Microsoft Cloud Services on your federation service.<br>For AD FS in Windows Server 2012R2 or later versions <li> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li></p> |

-| Required SSL bindings are missing or not configured | The TLS bindings required for this federation server to successfully perform authentication are misconfigured. As a result, AD FS cannot process any incoming requests. | For Windows Server 2012 R2</b><br>Open an elevated admin command prompt and execute the following commands: <ol> <li> To view the current TLS binding:<i> Get-AdfsSslCertificate </i> <li> To add new bindings: <i> netsh http add sslcert hostnameport=\<federation service name>:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF} certstorename=MY </i> |

-| The Primary AD FS Token Signing certificate has expired | The AD FS Token Signing certificate has expired. AD FS cannot issue signed tokens when this certificate is not valid. | If Auto-certificate rollover is enabled, AD FS will manage updating the Token Signing Certificate.</p><p>If you manage your certificate manually, follow the below instructions. <ol><li><b>Obtain a new Token Signing Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature". </li><li>Subject or Subject Alternative Name (SAN) does not have any restrictions. </li><li>Remember that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.</li></ol></li><li><b>Install the certificate in the local certificate store on each Federation Server.</b> <ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><li><b>Ensure that the Federation Service Account has access to the new certificate's private key.</b></li><li> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu.</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Signing Certificate...</li><li>You will be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.</li><li>Select your new Token-Signing certificate and click OK</li></ol></li><li><b>Inform all the Relying Parties about the change in Token Signing Certificate.</b><ol type="a"><li>Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.</li><li>Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.</li></ol></li><li><b>Set the new Token-Signing Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.</li><li>Select your new Token-Signing certificate, right-click, and select Set as <b>primary</b></li><li>Leave the old certificate as secondary for rollover purposes. You should plan to remove the old certificate once you are confident it is no longer needed for rollover, or when the certificate has expired. Remember that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate. </li></ol></li>|

-| Proxy server is dropping requests for congestion control | This proxy server is currently dropping requests from the extranet due to a higher than normal latency between this proxy server and the federation server. As a result, certain portion of the authentication requests processed by the AD FS Proxy server can fail. | <li>Verify if the network latency between the Federation Proxy Server and the Federation Servers falls within the acceptable range. Refer to the Monitoring Section for trending values of the "Token Request Latency". A latency greater than [1500 ms] should be considered as high latency. If high latency is observed, ensure the network between AD FS and AD FS Proxy servers does not have any connectivity issues.</li><li>Ensure Federation Servers are not overloaded with authentication requests. Monitoring Section provides trending views for Token Requests per second, CPU utilization and Memory consumption.</li><li>If the above items have been verified and this issue is still seen, adjust the congestion avoidance setting on each of the Federation Proxy Servers as per the guidance from the related links. |

-| The AD FS service account is denied access to one of the certificate's private key. | The AD FS service account does not have access to the private key of one of the AD FS certificates on this computer. | Ensure that the AD FS service account is provided access to the TLS, token signing, and token decryption certificates stored in the local computer certificate store.<ol> <li> From Command Line type MMC.</li><li>Go to File->Add/Remove Snap-In</li><li> Select Certificates and click Add. -> Select Computer Account and click Next. -> Select Local Computer and click Finish. Click OK. </li></ol> <br>Open Certificates(Local Computer)/Personal/Certificates.For all the certificates that are used by AD FS:<ol><li>Right-click the certificate.</li><li>Select All Tasks -> Manage Private Keys.</li><li>On the Security Tab under Group or user names ensure that the AD FS service account is present. If not select Add and add the AD FS service account.</li><li>Select the AD FS service account and under "Permissions for \<AD FS Service Account Name>" make sure Read permission is allowed (check mark). |

-| The AD FS SSL certificate does not have a private key | AD FS TLS/SSL certificate was installed without a private key. As a result any authentication request over the SSL will fail. For example, mail client authentication for Microsoft 365 will fail. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain a publicly trusted TLS/SSL certificate with the following requirements.<ol type="a"><li>Certificate installation file contains its private key.</li><li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></ol></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 or later versions:</b> <li> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> |

-| The Primary AD FS Token Decrypting certificate has expired | The Primary AD FS Token Decrypting certificate has expired. AD FS cannot decrypt tokens from trusted claims providers. AD FS cannot decrypt encrypted SSO cookies. The end users will not be able to authenticate to access resources. | <p>If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate.</p><p>If you manage your certificate manually, follow the below instructions.<ol><li><b>Obtain a new Token Decrypting Certificate.</b><ul><li>Ensure that the Enhanced Key Usage (EKU) includes "Key Encipherment".</li><li>Subject or Subject Alternative Name (SAN) do not have any restrictions.</li><li>Note that your Federation Servers and Claims Provider partners need to be able to chain to a trusted root certification authority when validating your Token-Decrypting certificate.</li></ul></li><li><b>Decide how your Claims Provider partners will trust the new Token-Decrypting certificate</b><ul><li>Ask partners to pull the Federation Metadata after updating the certificate.</li><li>Share the public key of the new certificate. (.cer file) with the partners. On the Claims Provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust that was created for you. Under Properties/Encryption click "Browse" to select the new Token-Decrypting certificate and click OK.</li></ul></li><li><b>Install the certificate in the local certificate store on each of your Federation Server.</b><ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><li><b>Ensure that the federation service account has access to the new certificate's private key.</b></li><li><b>Add the new certificate to AD FS.</b><ul><li>Launch AD FS Management from the Administrative Tools menu</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Decrypting Certificate</li><li>You will be presented with a list of certificates that are valid for Token-Decrypting. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer personal store with a private key associated and the certificate has the Key Encipherment as Extended Key Usage.</li><li>Select your new Token-Decrypting certificate and click OK.</li></ul></li><li><b>Set the new Token-Decrypting Certificate as Primary.</b><ul><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Decrypting: existing and the new certificate.</li><li>Select your new Token-Decrypting certificate, right-click, and select Set as primary.</li><li>Leave the old certificate as secondary for roll-over purposes. You should plan to remove the old certificate once you are confident it is no longer needed for roll-over, or when the certificate has expired. </li></ul></li> |

-| Domain controller is unreachable via LDAP ping | Domain Controller is not reachable via LDAP Ping. This can be caused due to Network issues or machine issues. As a result, LDAP Pings will fail. | <li>Examine alerts list for related alerts, such as: Domain Controller is not advertising. </li><li>Ensure affected Domain Controller has sufficient disk space. Running out of space will stop the DC from advertising itself as an LDAP server. </li><li> Attempt to find the PDC: Run <br> <i>netdom query fsmo </i> </br> on the affected Domain Controller. <li> Ensure physical network is properly configured/connected. </li> |

-| Domain controller is unable to find a PDC | A PDC is not reachable through this domain controller. This will lead to impacted user logons, unapplied group policy changes, and system time synchronization failure. | <li>Examine alerts list for related alerts that could be impacting your PDC, such as: Domain Controller is not advertising. </li> <li>Attempt to find the PDC: Run <br> <i>netdom query fsmo </i> </br> on the affected Domain Controller.<li>Ensure network is working properly. </li> |

-| Domain controller is unable to find a Global Catalog server | A global catalog server is not reachable from this domain controller. It will result in failed authentications attempted through this Domain Controller. | Examine the alerts list for any <b>Domain Controller is not advertising</b> alerts where the impacted server might be a GC. If there are no advertising alerts, check the SRV records for the GCs. You can check them by running: <br> <i> nltest \/dnsgetdc: [ForestName] \/gc </i> </br> It should list the DCs advertising as GCs. If the list is empty, check the DNS configuration to ensure that the GC has registered the SRV records. The DC is able to find them in DNS. <br />For troubleshooting Global Catalogs, see <a href="/previous-versions/windows/it-pro/windows-2000-server/cc961811(v=technet.10)#ECAA">Advertising as a Global Catalog Server. </a> |

-| Domain controller unable to reach local SYSVOL share | Sysvol contains important elements from Group Policy Objects and scripts to be distributed within DCs of a domain. The DC will not advertise itself as DC and Group Policies will not be applied. | See <a href="https://support.microsoft.com/kb/2958414">How to troubleshoot missing SYSVOL and Netlogon shares </a> |

-| Domain controller is not advertising | This domain controller is not properly advertising the roles it's capable of performing. This can be caused by problems with replication, DNS misconfiguration, critical services not running, or because of the server not being fully initialized. As a result, domain controllers, domain members, and other devices will not be able to locate this domain controller. Additionally, other domain controllers might not be able to replicate from this domain controller. | Examine alerts list for other related alerts such as: Replication is broken. Domain controller time is out of sync. Netlogon service is not running. DFSR and/or NTFRS services are not running. Identify and troubleshoot related DNS problems: Logon to affected Domain controller. Open System Event Log. If events 5774, 5775 or 5781 are present, see <a href="/previous-versions/windows/it-pro/windows-2000-server/bb727055(v=technet.10)#ECAA">Troubleshooting Domain Controller Locator DNS Records Registration Failure</a> Identify and troubleshoot related Windows Time Service Issues: Ensure Windows Time service is running: Run '<b>net start w32time</b>' on the affected Domain Controller. Restart Windows Time Service: Run '<b>net stop w32time</b>' then '<b>net start w32time</b>' on the affected Domain Controller. |

-| GPSVC service is not running | If the service is stopped or disabled, settings configured by the admin will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled. | Run <br><i>net start gpsvc </i></br> on the affected Domain Controller. |

-| DFSR and/or NTFRS services are not running | If both DFSR and NTFRS services are stopped, Domain Controllers will not be able to replicate SYSVOL data. SYSVOL Data will be out of consistency. | <li>If using DFSR:<ol type="1" > Run '<b>net start dfsr</b>' on the affected Domain Controller. </li><li>If using NTFRS:<ol type="1" >Run '<b>net start ntfrs</b>' on the affected Domain Controller. </li>|

-| Netlogon service is not running | Logon requests, registration, authentication, and locating of domain controllers will be unavailable on this DC. | Run '<b>net start netlogon</b>' on the affected Domain Controller |

-| W32Time service is not running | If Windows Time Service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Run '<b>net start win32Time</b>' on the affected Domain Controller |

-| ADWS service is not running | If Active Directory Web Services service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on this server. | Run '<b>net start adws</b>' on the affected Domain Controller |

-| Root PDC is not Syncing from NTP Server | If you do not configure the PDC to synchronize time from an external or internal time source, the PDC emulator uses its internal clock and is itself the reliable time source for the forest. If time is not accurate on the PDC itself, all computers will have incorrect time settings. | On the affected Domain Controller, open a command prompt. Stop the Time service: net stop w32time</li> <li>Configure the external time source: <br> <i>w32tm \/config \/manualpeerlist: time.windows.com \/syncfromflags:manual \/reliable:yes </i></br><br>Note: Replace time.windows.com with the address of your desired external time source. Start the Time service: <br> <i>net start w32time </i></br> |

-| Domain controller is quarantined | This Domain Controller is not connected to any of the other working Domain Controllers. This may be caused due to improper configuration. As a result, this DC is not being used and will not replicate from/to anyone. | Enable inbound and outbound replication: Run '<b>repadmin /options ServerName -DISABLE_INBOUND_REPL</b>' on the affected Domain Controller. Run '<b>repadmin /options ServerName -DISABLE_OUTBOUND_REPL</b>' on the affected Domain Controller. Create a new replication connection to another Domain Controller:<ol type="1"><li>Open Active Directory Sites and

-| Outbound Replication is Disabled | DCs with disabled Outbound Replication, will not be able to distribute any changes originating within itself. | To enable outbound replication on the affected Domain Controller, follow these steps: Click Start, click Run, type cmd and then click OK. Type the following text, and then press ENTER:<br><i>repadmin /options -DISABLE_OUTBOUND_REPL </i> |

-| Inbound Replication is Disabled | DCs with disabled Inbound Replication, will not have the latest information. This condition can lead to logon failures. | To enable inbound replication on the affected Domain Controller, follow these steps: Click Start, click Run, type cmd and then click OK. Type the following text, and then press ENTER:<br><i>repadmin /options -DISABLE_INBOUND_REPL</i> </br> |

-| LanmanServer service is not running | If this service is disabled, any services that explicitly depend on it will fail to start. | Run '<b>net start LanManServer</b>' on the affected Domain Controller. |

-| Kerberos Key Distribution Center service is not running | If KDC Service is stopped, users will not be able to authentication through this DC using the Kerberos v5 authentication protocol. | Run '<b>net start kdc</b>' on the affected Domain Controller. |

-| DNS service is not running | If DNS Service is stopped, computers and users using that server for DNS purposes will fail to find resources. | Run '<b>net start dns</b>' on the affected Domain Controller. |

-| DC had USN Rollback | When USN rollbacks occur, modifications to objects and attributes are not inbound replicated by destination domain controllers that have previously seen the USN. Because these destination domain controllers believe they are up to date, no replication errors are reported in Directory Service event logs or by monitoring and diagnostic tools. USN rollback may affect the replication of any object or attribute in any partition. The most frequently observed side effect is that user accounts and computer accounts that are created on the rollback domain controller do not exist on one or more replication partners. Or, the password updates that originated on the rollback domain controller do not exist on replication partners. | There are two approaches to recover from a USN rollback: <p>Remove the Domain Controller from the domain, following these steps: <ol type="1"><li>Remove Active Directory from the domain controller to force it to be a stand-alone server. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <br><a href="https://support.microsoft.com/kb/332199">332199</a> Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server. </li> <li>Shut down the demoted server.</li> <li>On a healthy domain controller, clean up the metadata of the demoted domain controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <br><a href="https://support.microsoft.com/kb/216498">216498</a> How to remove data in Active Directory after an unsuccessful domain controller demotion</li> <li>If the incorrectly restored domain controller hosts operations master roles, transfer these roles to a healthy domain controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <br><a href="https://support.microsoft.com/kb/255504">255504</a> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller</li> <li>Restart the demoted server.</li> <li>If you are required to, install Active Directory on the stand-alone server again.</li> <li>If the domain controller was previously a global catalog, configure the domain controller to be a global catalog. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <br><a href="https://support.microsoft.com/kb/313994">313994</a> How to create or move a global catalog in Windows 2000</li> <li>If the domain controller previously hosted operations master roles, transfer the operations master roles back to the domain controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <br><a href="https://support.microsoft.com/kb/255504">255504</a> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller Restore the system state of a good backup.</li></ol></p> <p>Evaluate whether valid system state backups exist for this domain controller. If a valid system state backup was made before the rolled-back domain controller was incorrectly restored, and the backup contains recent changes that were made on the domain controller, restore the system state from the most recent backup.</p> <p>You can also use the snapshot as a source of a backup. Or you can set the database to give itself a new invocation ID using the procedure in the section "To restore a previous version of a virtual domain controller VHD without system state data backup" in <a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363545(v=ws.10)">this article</a></p></p> |

-We have deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. By utilizing the new V2 endpoint, you will experience noticeable performance gains on export and import to Azure AD. This new endpoint also supports syncing groups with up to 250k members. Using this endpoint also allows you to write back Microsoft 365 unified groups, with no maximum membership limit, to your on-premises Active Directory, when group writeback is enabled. For more information see [Azure AD Connect sync V2 endpoint API](how-to-connect-sync-endpoint-api-v2.md).

-description: This topic describes Azure Active Directory (Azure AD) Seamless Single Sign-On and how it allows you to provide true single sign-on for corporate desktop users inside your corporate network.

-# Azure Active Directory Seamless Single Sign-On

-## What is Azure Active Directory Seamless Single Sign-On?

-Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

-

-Seamless SSO needs the user's device to be domain-joined, but it is not used on Windows 10 [Azure AD joined devices](../devices/concept-azure-ad-join.md) or [hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md). SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the [Primary Refresh Token (PRT)](../devices/concept-primary-refresh-token.md)

-\*Requires Internet Explorer version 11 or later. ([Beginning August 17, 2021, Microsoft 365 apps and services will not support IE 11](https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666).)

-Imports and exports only occur when scheduled, allowing for further insulation from changes occurring within the system, since changes do not automatically propagate to the connected data source. In addition, developers may also create their own connectors for connecting to virtually any data source.

-Connected system (aka connected directory) is referring to the remote system Azure AD Connect sync has connected to and reading and writing identity data to and from.

-Objects in the metaverse cannot be edited directly. All data in the object must be contributed through attribute flow. The metaverse maintains persistent connectors with each connector space. These connectors do not require reevaluation for each synchronization run. This means that Azure AD Connect sync does not have to locate the matching remote object each time. This avoids the need for costly agents to prevent changes to attributes that would normally be responsible for correlating the objects.

-Once the link is established, this evaluation does not reoccur and normal attribute flow can occur between the remote connected data source and the metaverse.

-Whenever a rule determines that a new connector space object needs to be created, it is called provisioning. However, because this operation only takes place within the connector space, it does not carry over into the connected data source until an export is performed.

-Learn more: [Common questions about the Microsoft Authenticator app](/account-billing/common-problems-with-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd)

-The word immutable, that is "cannot be changed", is important to this document. Since this attributeΓÇÖs value cannot be changed after it has been set, it is important to pick a design that supports your scenario.

-This topic only talks about sourceAnchor as it relates to users. The same rules apply to all object types, but it is only for users this problem usually is a concern.

-* Should not be based on user's name because these can change

-* Should not be case-sensitive and avoid values that may vary by case

-If the selected sourceAnchor is not of type string, then Azure AD Connect Base64Encode the attribute value to ensure no special characters appear. If you use another federation server than ADFS, make sure your server can also Base64Encode the attribute.

-The sourceAnchor attribute is case-sensitive. A value of ΓÇ£JohnDoeΓÇ¥ is not the same as ΓÇ£johndoeΓÇ¥. But you should not have two different objects with only a difference in case.

-If you have a single forest on-premises, then the attribute you should use is **objectGUID**. This is also the attribute used when you use express settings in Azure AD Connect and also the attribute used by DirSync.

-If you have multiple forests and do not move users between forests and domains, then **objectGUID** is a good attribute to use even in this case.

-If you move users between forests and domains, then you must find an attribute that does not change or can be moved with the users during the move. A recommended approach is to introduce a synthetic attribute. An attribute that could hold something that looks like a GUID would be suitable. During object creation, a new GUID is created and stamped on the user. A custom sync rule can be created in the sync engine server to create this value based on the **objectGUID** and update the selected attribute in ADDS. When you move the object, make sure to also copy the content of this value.

-Another solution is to pick an existing attribute you know does not change. Commonly used attributes include **employeeID**. If you consider an attribute that contains letters, make sure there is no chance the case (upper case vs. lower case) can change for the attribute's value. Bad attributes that should not be used include those attributes with the name of the user. In a marriage or divorce, the name is expected to change, which is not allowed for this attribute. This is also one reason why attributes such as **userPrincipalName**, **mail**, and **targetAddress** are not even possible to select in the Azure AD Connect installation wizard. Those attributes also contain the "\@" character, which is not allowed in the sourceAnchor.

-The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity is synchronized.

-* If you install another Azure AD Connect server, then you must select the same sourceAnchor attribute as previously used. If you have earlier been using DirSync and move to Azure AD Connect, then you must use **objectGUID** since that is the attribute used by DirSync.

-* If the value for sourceAnchor is changed after the object has been exported to Azure AD, then Azure AD Connect sync throws an error and does not allow any more changes on that object before the issue has been fixed and the sourceAnchor is changed back in the source directory.

-By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. ObjectGUID is system-generated. You cannot specify its value when creating on-premises AD objects. As explained in section [sourceAnchor](#sourceanchor), there are scenarios where you need to specify the sourceAnchor value. If the scenarios are applicable to you, you must use a configurable AD attribute (for example, ms-DS-ConsistencyGuid) as the sourceAnchor attribute.

-> Once an on-premises AD object is imported into Azure AD Connect (that is, imported into the AD Connector Space and projected into the Metaverse), you cannot change its sourceAnchor value anymore. To specify the sourceAnchor value for a given on-premises AD object, configure its ms-DS-ConsistencyGuid attribute before it is imported into Azure AD Connect.

- > Only newer versions of Azure AD Connect (1.1.524.0 and after) store information in your Azure AD tenant about the sourceAnchor attribute used during installation. Older versions of Azure AD Connect do not.

-* If information about the sourceAnchor attribute used isn't available, the wizard checks the state of the ms-DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any object in the directory, the wizard uses the ms-DS-ConsistencyGuid as the sourceAnchor attribute. If the attribute is configured on one or more objects in the directory, the wizard concludes the attribute is being used by other applications and is not suitable as sourceAnchor attribute...

-If you have an existing Azure AD Connect deployment which is using objectGUID as the Source Anchor attribute, you can switch it to using ConsistencyGuid instead.

-During the analysis (step 4), if the attribute is configured on one or more objects in the directory, the wizard concludes the attribute is being used by another application and returns an error as illustrated in the diagram below. This error can also occur if you have previously enabled the ConsistencyGuid feature on your primary Azure AD Connect server and you are trying to do the same on your staging server.

- If you are certain that the attribute isn't used by other existing applications, you can suppress the error by restarting the Azure AD Connect wizard with the **/SkipLdapSearch** switch specified. To do so, run the following command in command prompt:

-If you are using Azure AD Connect to manage on-premises AD FS deployment, the Azure AD Connect automatically updates the claim rules to use the same AD attribute as sourceAnchor. This ensures that the ImmutableID claim generated by ADFS is consistent with the sourceAnchor values exported to Azure AD.

-If you are managing AD FS outside of Azure AD Connect or you are using third-party federation servers for authentication, you must manually update the claim rules for ImmutableID claim to be consistent with the sourceAnchor values exported to Azure AD as described in article section [Modify AD FS claim rules](./how-to-connect-fed-management.md#modclaims). The wizard returns the following warning after installation completes:

-Suppose you have deployed Azure AD Connect with the ConsistencyGuid feature enabled, and now you would like to add another directory to the deployment. When you try to add the directory, Azure AD Connect wizard checks the state of the ms-DS-ConsistencyGuid attribute in the directory. If the attribute is configured on one or more objects in the directory, the wizard concludes the attribute is being used by other applications and returns an error as illustrated in the diagram below. If you are certain that the attribute isn't used by existing applications, you can suppress the error by restarting the Azure AD Connect wizard with the **/SkipLdapSearch** switch specified as described above or you need to contact Support for more information.

-While integrating your on-premises directory with Azure AD, it is important to understand how the synchronization settings can affect the way user authenticates. Azure AD uses userPrincipalName (UPN) to authenticate the user. However, when you synchronize your users, you must choose the attribute to be used for value of userPrincipalName carefully.

-When you are selecting the attribute for providing the value of UPN to be used in Azure one should ensure

-* The attribute values conform to the UPN syntax (RFC 822), that is it should be of the format username\@domain

-In express settings, the assumed choice for the attribute is userPrincipalName. If the userPrincipalName attribute does not contain the value you want your users to sign in to Azure, then you must choose **Custom Installation**.

-It is important to ensure that there is a verified domain for the UPN suffix.

-John is a user in contoso.com. You want John to use the on-premises UPN john\@contoso.com to sign in to Azure after you have synced users to your Azure AD directory contoso.onmicrosoft.com. To do so, you need to add and verify contoso.com as a custom domain in Azure AD before you can start syncing the users. If the UPN suffix of John, for example contoso.com, does not match a verified domain in Azure AD, then Azure AD replaces the UPN suffix with contoso.onmicrosoft.com.

-Some organizations have non-routable domains, like contoso.local, or simple single label domains like contoso. You are not able to verify a non-routable domain in Azure AD. Azure AD Connect can sync to only a verified domain in Azure AD. When you create an Azure AD directory, it creates a routable domain that becomes default domain for your Azure AD for example, contoso.onmicrosoft.com. Therefore, it becomes necessary to verify any other routable domain in such a scenario in case you don't want to sync to the default onmicrosoft.com domain.

-Azure AD Connect detects if you are running in a non-routable domain environment and would appropriately warn you from going ahead with express settings. If you are operating in a non-routable domain, then it is likely that the UPN, of the users, have non-routable suffixes too. For example, if you are running under contoso.local, Azure AD Connect suggests you to use custom settings rather than using express settings. Using custom settings, you are able to specify the attribute that should be used as UPN to sign in to Azure after the users are synced to Azure AD.

-* AADConnect can synchronize the users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial. For more details on options, see https://docs.microsoft.com/azure/azure-government/documentation-government-plan-identity.

-The first task addresses determining the organizations business needs. This task can be broad and scope creep can occur if you are not careful. In the beginning, keep it simple but always remember to plan for a design that will accommodate and facilitate change in the future. Regardless of whether it is a simple design or a complex one, Azure Active Directory is the Microsoft Identity platform that supports Microsoft 365, Microsoft Online Services, and cloud aware applications.

-Microsoft has three main integration scenarios: cloud identities, synchronized identities, and federated identities. You should plan on adopting one of these integration strategies. The strategy you choose can vary. Decisions in choosing one may include, what type of user experience you want to provide, do you have an existing infrastructure, and what is the most cost effective.

-* **Cloud identities**: identities that exist solely in the cloud. In the case of Azure AD, they would reside specifically in your Azure AD directory.

-| **Federated** |Users can have single sign-on (SSO) <br>If a user is terminated or leaves, the account can be immediately disabled and access revoked,<br> Supports advanced scenarios that cannot be accomplished with synchronized |More steps to set up and configure <br> Higher maintenance <br> May require extra hardware for the STS infrastructure <br> May require extra hardware to install the federation server. Other software is required if AD FS is used <br> Require extensive setup for SSO <br> Critical point of failure if the federation server is down, users wonΓÇÖt be able to authenticate |

-If you have a third-party IdP or are going to use one to provide federation with Azure AD, you need to be aware of the following supported capabilities:

-You must also be aware of what capabilities will not be available:

-This task defines the tools that will be used to synchronize the organizationΓÇÖs on-premises data to the cloud and what topology you should use. Because, most organizations use Active Directory, information on using Azure AD Connect to address the questions above is provided in some detail. For environments that do not have Active Directory, there is information about using FIM 2010 R2 or MIM 2016 to help plan this strategy. However, future releases of Azure AD Connect will support LDAP directories, so depending on your timeline, this information may be able to assist.

-Over the years, several synchronization tools have existed and used for various scenarios. Currently Azure AD Connect is the go to tool of choice for all supported scenarios. AAD Sync and DirSync are also still around and may even be present in your environment now.

-The single forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single instance of Azure AD. This topology is going to be used in a most scenarios and is the expected topology when using Azure AD Connect Express installation as shown in the figure below.

-It is common for large and even small organizations to have multiple forests, as shown in Figure 5.

-* UPN and Source Anchor (immutable id) will come from this forest

-* If there is no mailbox on the user, then any forest may be used to contribute values

-* If you have a linked mailbox, then there is also another account in a different forest used to sign in.

-If the above are not true and you have more than one active account or more than one mailbox, Azure AD Connect will pick one and ignore the other. If you have linked mailboxes but no other account, accounts will not be exported to Azure AD and that user will not be a member of any groups. This behavior is different from how it was in the past with DirSync and is intentional to better support multi-forest scenarios. A multi-forest scenario is shown in the figure below.

-It is recommended to have just a single directory in Azure AD for an organization. However, it is supported if a 1:1 relationship is kept between an Azure AD Connect sync server and an Azure AD directory. For each instance of Azure AD, you need an installation of Azure AD Connect. Also, Azure AD, by design is isolated and users in one instance of Azure AD, will not be able to see users in another instance.

-It is possible and supported to connect one on-premises instance of Active Directory to multiple Azure AD directories as shown in the figure below:

-* Users in one instance of Azure AD will only be able to see users from their instance. They will not be able to see users in the other instances

-* Mutual exclusivity also applies to write-back. Thus, some write-back features are not supported with this topology since it is assumed to be a single on-premises configuration.

-The following items are not supported and should not be chosen as an implementation:

-* It is not supported to have multiple Azure AD Connect sync servers connecting to the same Azure AD directory even if they are configured to synchronize mutually exclusive set of object

-* It is unsupported to sync the same user to multiple Azure AD directories.

-* It is also unsupported to make a configuration change to make users in one Azure AD to appear as contacts in another Azure AD directory.

-* It is also unsupported to modify Azure AD Connect sync to connect to multiple Azure AD directories.

-* Azure AD directories are by design isolated. It is unsupported to change the configuration of Azure AD Connect sync to read data from another Azure AD directory in an attempt to build a common and unified GAL between the directories. It is also unsupported to export users as contacts to another on-premises AD using Azure AD Connect sync.

-In this task, you will define the multi-factor authentication strategy to use. Azure AD Multi-Factor Authentication comes in two different versions. One is a cloud-based and the other is on-premises based using the Azure MFA Server. Based on the evaluation you did above you can determine which solution is the correct one for your strategy. Use the table below to determine which design option best fulfills your companyΓÇÖs security requirement:

-description: Determine monitoring and reporting capabilities for the hybrid identity solution that can be leveraged by IT to take actions to identify and mitigate a potential threats

-Large or medium organizations most likely will have a [security incident response](/previous-versions/tn-archive/cc700825(v=technet.10)) in place to help IT take actions accordingly to the level of incident. The identity management system is an important component in the incident response process because it can be used to help identifying who performed a specific action against the target. The hybrid identity solution must be able to provide monitoring and reporting capabilities that can be leveraged by IT to take actions to identify and mitigate a potential threat. In a typical incident response plan you will have the following phases as part of the plan:

-* Does your company has a security incident response in place?

-During damage control and risk reduction-phase, it is important to quickly reduce the actual and potential effects of an attack. That action that you will take at this point can make the difference between a minor and a major one. The exact response will depend on your organization and the nature of the attack that you face. If the initial assessment concluded that an account was compromised, you will need to enforce policy to block this account. ThatΓÇÖs just one example where the identity management system will be leveraged. Use the questions below to help you design your hybrid identity solution while taking into consideration how policies will be enforced to react to an ongoing incident:

- * If yes, does the current solution integrate with the hybrid identity management system that you are going to adopt?

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Define data protection strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md) will go over the options available and advantages/disadvantages of each option. By having answered those questions you will select which option best suits your business needs.

-Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Microsoft 365. This is a great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync (AADSync) as these tools are now deprecated and do not work anymore.

-If you are running DirSync, there are two ways you can upgrade: In-place upgrade and parallel deployment. An in-place upgrade is recommended for most customers and if you have a recent operating system and less than 50,000 objects. In other cases, it is recommended to do a parallel deployment where your DirSync configuration is moved to a new server running Azure AD Connect.

-| [Upgrade from Azure AD Sync](how-to-upgrade-previous-version.md) |<li>If you are moving from Azure AD Sync.</li> |

-It is supported to upgrade from any DirSync release currently being used.

-The Azure AD Connector for FIM/MIM has **not** been announced as deprecated. It is at **feature freeze**; no new functionality is added and it receives no bug fixes. Microsoft recommends customers using it to plan to move from it to Azure AD Connect. It is strongly recommended to not start any new deployments using it. This Connector will be announced deprecated in the future.

-The [Microsoft Cloud Germany](https://www.microsoft.de/cloud-deutschland) is a sovereign cloud operated by a German data trustee.

-This cloud has been supported by earlier releases of DirSync. From build 1.1.180 of Azure AD Connect, the next generation of the cloud is supported. This generation is using US-only based endpoints and have a different list of URLs to open in your proxy server.

-The MsExchUserHoldPolcies and cloudMsExchUserHoldPolicies attributes allow on-premises AD and Azure AD to determine which users are under a hold depending on whether they are using on-premises Exchange or Exchange on-line.

-By default cloudMsExchUserHoldPolicies are synchronized by Azure AD Connect directly to the cloudMsExchUserHoldPolicies attribute in the metaverse. Then, if msExchUserHoldPolicies is not null in the metaverse, the attribute in flowed out to Active Directory.

-The msExchangeUserHoldPolicies are a single authority attribute. A single authority attribute can be set on an object (in this case, user object) in the on-premises directory or in the cloud directory. The Start of Authority rules dictate, that if the attribute is synchronized from on-premises, then Azure AD will not be allowed to update this attribute.

-To allow users to set a hold policy on a user object in the cloud, the cloudMSExchangeUserHoldPolicies attribute is used. This attribute is used because Azure AD cannot set msExchangeUserHoldPolicies directly based on the rules explained above. This attribute will then synchronize back to the on-premises directory if, the msExchangeUserHoldPolicies is not null and replace the current value of msExchangeUserHoldPolicies.

- * You need to allow your proxy to also allow traffic to https://secure.aadcdn.microsoftonline-p.com if you use Multi-Factor Authentication.

-* **AAD:** Azure Active Directory

-* Import from AAD: Azure Active Directory objects are brought into AAD CS.

-* Export to AAD: After running Synchronization, objects are exported from AAD CS to **Azure Active Directory**.

-* We will start our search from the **Metaverse** and look at the attribute mapping from source to target.

-* Now click on the **Import Attribute Flow**, this shows flow of attributes from **Active Directory Connector Space** to the **Metaverse**. **Sync Rule** column shows which **Synchronization Rule** contributed to that attribute. **Data Source** column shows you the attributes from the **Connector Space**. **Metaverse Attribute** column shows you the attributes in the **Metaverse**. You can look for the attribute not syncing here. If you don't find the attribute here, then this is not mapped and you have to create new custom **Synchronization Rule** to map the attribute.

-* Similarly, you can view the **Azure Active Directory Connector Space** object and can generate the **Preview** to view attribute flow from **Metaverse** to the **Connector Space** and vice versa, this way you can investigate why an attribute is not syncing.

-This error appears if the endpoint **https://secure.aadcdn.microsoftonline-p.com** cannot be reached and your Hybrid Identity Administrator has MFA enabled.

- Empty div just to act as an alias for the "Connect To MS Online Failed" header

-### Connect To MS Online Failed

-3. You will be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.

-Now that we have an Azure AD tenant, we will create a Hybrid Identity Administratoristrator account. This account is used to create the Azure AD Connector account during Azure AD Connect installation. The Azure AD Connector account is used to write information to Azure AD. To create the Hybrid Identity Administrator account do the following.

-3. Provide a name and username for this user. This will be your Global Admin for the tenant. You will also want to change the **Directory role** to **Hybrid Identity Administrator.** You can also show the temporary password. When you are done, select **Create**.</br>

-6. To ensure that it is verified, click the Verify button.</br>

-Now it is time to download and install Azure AD Connect. Once it has been installed we will run through the express installation. Do the following:

-2. Sign-in with a user account that was created in our new tenant. You will need to sign-in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign-in on-premises.

-3. You will be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.

-Now that we have an Azure AD tenant, we will create a Hybrid Identity Administratoristrator account. This account is used to create the Azure AD Connector account during Azure AD Connect installation. The Azure AD Connector account is used to write information to Azure AD. To create the Hybrid Identity Administrator account do the following.

-3. Provide a name and username for this user. This will be your Hybrid Identity Administrator for the tenant. You will also want to change the **Directory role** to **Hybrid Identity Administrator.** You can also show the temporary password. When you are done, select **Create**.</br>

-5. Change the password for the Hybrid Identity Administrator to something that you will remember.

-Now it is time to download and install Azure AD Connect. Once it has been installed we will run through the express installation. Do the following:

-We will now verify that the users that we had in our on-premises directory have been synchronized and now exist in out Azure AD tenant. Be aware that this may take a few hours to complete. To verify users are synchronized do the following.

-2. Sign-in with a user account that was created in our new tenant. You will need to sign-in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign-in on-premises.</br>

- - The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is <app-name>/slots/<slot-name>.

-| Common use cases | Workloads that are contained within a single Azure resource. <br/> Workloads for which you need independent identities. <br/> For example, an application that runs on a single virtual machine. | Workloads that run on multiple resources and can share a single identity. <br/> Workloads that need pre-authorization to a secure resource, as part of a provisioning flow. <br/> Workloads where resources are recycled frequently, but permissions should stay consistent. <br/> For example, a workload where multiple virtual machines need to access the same resource. |

-With Azure Active Directory (Azure AD), part of Microsoft Entra, you can provide users just-in-time membership in the group and just-in-time ownership of the group using the Azure AD Privileged Identity Management for Groups feature. These groups can be used to govern access to a variety of scenarios that include Azure AD roles, Azure roles, as well as Azure SQL, Azure Key Vault, Intune, other application roles, and 3rd party applications.

-PIM for Groups is part of Azure AD Privileged Identity Management ΓÇô alongside with PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate the ownership or membership of an Azure AD security group or Microsoft 365 group. Groups can be used to govern access to a variety of scenarios that include Azure AD roles, Azure roles, as well as Azure SQL, Azure Key Vault, Intune, other application roles, and 3rd party applications.

-# Tutorial: Azure Active Directory integration with Asana

- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

-### Configure Azure AD SSO

- 

-4. On the **Basic SAML Configuration** section, perform the following steps:

- 

- a. In the **Sign on URL** text box, type the URL:

- b. In the **Identifier (Entity ID)** text box, type the URL:

- `https://app.asana.com/`

- c. In the **Reply URL (Assertion Consumer Service URL)** text box, type the URL:

-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.

- 

-6. On the **Set up Asana** section, copy the appropriate URL(s) as per your requirement.

- 

-1. In a different browser window, sign-on to your Asana application. To configure SSO in Asana, access the workspace settings by clicking the workspace name on the top right corner of the screen. Then, click on **\<your workspace name\> Settings**.

-Today we use our digital identity at work, at home, and across every app, service, and device we use. ItΓÇÖs made up of everything we say, do, and experience in our livesΓÇöpurchasing tickets for an event, checking into a hotel, or even ordering lunch. Currently, our identity and all our digital interactions are owned and controlled by other parties, some of whom we arenΓÇÖt even aware of.

-Generally, users grant consent to several apps and devices. This approach requires a high degree of vigilance on the user's part to track who has access to what information. On the enterprise front, collaboration with consumers and partners requires high-touch orchestration to securely exchange data in a way that maintains privacy and security for all involved.

-Decentralized Identifiers (DIDs) are different. DIDs are user-generated, self-owned, globally unique identifiers rooted in decentralized systems like ION. They possess unique characteristics, like greater assurance of immutability, censorship resistance, and tamper evasiveness. These attributes are critical for any ID system that is intended to provide self-ownership and user control.

-Today, Alice provides a username and password to log onto WoodgroveΓÇÖs networked environment. Woodgrove is deploying a verifiable credential solution to provide a more manageable way for Alice to prove that she is an employee of Woodgrove. Proseware accepts verifiable credentials issued by Woodgrove as proof of employment to offer corporate discounts as part of their corporate discount program.

-Alice requests Woodgrove Inc for a proof of employment verifiable credential. Woodgrove Inc attests Alice's identity and issues a signed verifiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employment on the Proseware site. After a successful presentation of the credential, Proseware offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she has presented her proof of employment verifiable credential.

-Microsoft Entra Verified ID is a decentralized identity solution that helps you safeguard your organization. The service allows you to issue and verify credentials. Issuers can use the Verified ID service to issue their own customized verifiable credentials. Verifiers can use the service's free REST API to easily request and accept verifiable credentials in their apps and services. In both cases, you will have to configure your Azure AD tenant so that you can use it to either issue your own verifiable credentials, or verify the presentation of a user's verifiable credentials that were issued by another organization. In case you are both an issuer and a verifier, you can use a single Azure AD tenant to both issue your own verifiable credentials as well as verify those of others.

-If you have selected ION as the trust system, you will not see the DID registration section as it is not applicable for ION and you only have to distribute the did-configuration.json file.

-A [persistent volume (PV)][persistent-volume] represents a piece of storage that's provisioned for use with Kubernetes pods. A PV can be used by one or many pods and can be dynamically or statically provisioned. If multiple pods need concurrent access to the same storage volume, you can use Azure Files to connect by using the [Server Message Block (SMB)][smb-overview] or [NFS protocol][nfs-overview]. This article shows you how to dynamically create an Azure Files share for use by multiple pods in an AKS cluster. For static provisioning, see [Manually create and use a volume with an Azure Files share][azure-files-storage-provision.md#statically-provision-a-volume].

-[access-modes]: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes

-[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply

-[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

-[kubernetes-storage-classes]: https://kubernetes.io/docs/concepts/storage/storage-classes/

-[kubernetes-volumes]: https://kubernetes.io/docs/concepts/storage/persistent-volumes/

-[managed-disk-pricing-performance]: https://azure.microsoft.com/pricing/details/managed-disks/

-[vhd-disk-feature]: https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/deploy/example/disk

-[access-tier-file-share]: ../storage/files/storage-files-planning#storage-tiers.md

-[access-tier-storage-account]: ../storage/blobs/access-tiers-overview.md

-[azure-tags]: ../azure-resource-manager/management/tag-resources.md

-[azure-disk-volume]: azure-disk-volume.md

-[azure-files-pvc]: azure-files-dynamic-pv.md

-[azure-files-pvc-manual]: azure-files-volume.md

-[premium-storage]: ../virtual-machines/disks-types.md

-[az-disk-list]: /cli/azure/disk#az_disk_list

-[az-snapshot-create]: /cli/azure/snapshot#az_snapshot_create

-[az-disk-create]: /cli/azure/disk#az_disk_create

-[az-disk-show]: /cli/azure/disk#az_disk_show

-[aks-quickstart-cli]: ./learn/quick-kubernetes-deploy-cli.md

-[aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md

-[aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md

-[install-azure-cli]: /cli/azure/install-azure-cli

-[storage-class-concepts]: concepts-storage.md#storage-classes

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[use-tags]: use-tags.md

-[zrs-account-type]: ../storage/common/storage-redundancy.md#zone-redundant-storage

-The guidance found in this article is focused on Azure Kubernetes Services you're building or operating on Azure and includes design and configuration checklists, recommended design, and configuration options. Before applying sustainable software engineering principles to your application, review the priorities, needs, and trade-offs of your application.

-Sustainability ΓÇô just like security ΓÇô is a shared responsibility between the cloud provider and the customer or partner designing and deploying AKS clusters on the platform. Deploying AKS does not automatically make it sustainable, even if the [data centers are optimized for sustainability](https://infrastructuremap.microsoft.com/fact-sheets). Applications that aren't optimized may still emit more carbon than necessary.

-Azure Font Door and Application Gateway help manage traffic from web applications while Azure Web Application Firewall provides protection against OWASP top 10 attacks and load shedding bad bots. Using these capabilities helps remove unnecessary data transmission and reduces the burden on the cloud infrastructure, with lower bandwidth and less infrastructure requirements.

-> [Azure Well-Architected Framework review of AKS](/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service)

- To automate unattended PowerShell tasks, a service principal must have **server administrator** privileges on the Analysis Services server being managed. This article describes how to add a service principal to the server administrators role on an Azure AS server. You can do this using SQL Server Management Studio or a Resource Manager template.

-You can configure server administrators using SQL Server Management Studio (SSMS). To complete this task, you must have [server administrator](analysis-services-server-admins.md) permissions on the Azure AS server.

-1. In SSMS, connect to your Azure AS server.

- 

-A managed identity can also be added to the Analysis Services Admins list. For example, you might have a [Logic App with a system-assigned managed identity](../logic-apps/create-managed-service-identity.md), and want to grant it the ability to administer your Analysis Services server.

-

- 

- 

- 

- 

-### To backup by using SSMS

-1. In SSMS, right-click a database > **Back Up**.

-This article describes assuring high availability for Azure Analysis Services servers.

-For QPU and Memory limits for developer, basic, and standard tiers, see the [Azure Analysis Services pricing page](https://azure.microsoft.com/pricing/details/analysis-services/).

-Once you've created a server and deployed a tabular model to it, clients can connect and begin exploring data. This article describes connecting to an Azure Analysis Services resource by using the Excel desktop app. Connecting to an Azure Analysis Services resource is not supported in Excel for the web or Excel for Mac.

- 

- 

-Once you've created a server in Azure, and deployed a tabular model to it, users in your organization are ready to connect and begin exploring data.

- :::image type="content" source="media/analysis-services-connect-pbi/aas-sign-in.png" alt-text="Sign in to Azure AS":::

- 

- 

- 

-Your sample model is using cache memory resources. If you are not using your sample model for testing, you should remove it from your server.

- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.analysisservices%2Fanalysis-services-create%2Fazuredeploy.json)

- 

- 

-When creating tabular 1400 and higher model projects in Visual Studio, by default you do not specify a data provider when connecting to a data source by using **Get Data**. Tabular 1400 and higher models use [Power Query](/power-query/power-query-what-is-power-query) connectors to manage connections, data queries, and mashups between the data source and Analysis Services. These are sometimes referred to as *structured* data source connections in that connection property settings are set for you. You can, however, enable legacy data sources for a model project in Visual Studio. When enabled, you can use **Table Import Wizard** to connect to certain data sources traditionally supported in tabular 1200 and lower models as *legacy*, or *provider* data sources. When specified as a provider data source, you can specify a particular data provider and other advanced connection properties. For example, you can connect to a SQL Server Data Warehouse instance or even an Azure SQL Database as a legacy data source. You can then select the OLE DB Driver for SQL Server MSOLEDBSQL data provider. In this case, selecting an OLE DB data provider may provide improved performance over the Power Query connector.

-When using the Table Import Wizard in Visual Studio, connections to any data source require a data provider. A default data provider is selected for you. You can change the data provider if needed. The type of provider you choose can depend on performance, whether or not the model is using in-memory storage or DirectQuery, and which Analysis Services platform you deploy your model to.

-

-

-

-In some cases, DAX queries to an Oracle data source may return unexpected results. This can be due to the provider being used for the data source connection.

-> Before you deploy, make sure you can process the data in your tables. In Visual Studio, click **Model** > **Process** > **Process All**. If processing fails, you cannot successfully deploy.

-

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-Use [Get-AzResource](/powershell/module/az.resources/get-azresource) to get the the gateway ResourceID. Then connect the gateway resource to an existing or new server by specifying **-GatewayResourceID** in [Set-AzAnalysisServicesServer](/powershell/module/az.analysisservices/set-azanalysisservicesserver) or [New-AzAnalysisServicesServer](/powershell/module/az.analysisservices/new-azanalysisservicesserver).

-It's recommended you create your Azure gateway resource in the same subscription as your server. However, you can configure your servers to connect to a gateway resource in another subscription. Connecting to a gateway resource in another subscription is not supported when configuring existing server settings or creating a new server in the portal, but can be configured by using PowerShell. To learn more, see [Connect gateway resource to server](analysis-services-gateway-install.md#connect-gateway-resource-to-server).

-The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports: TCP 443 (default), 5671, 5672, 9350 through 9354. The gateway does not require inbound ports.

-You may need to include IP addresses for your data region in your firewall. You can download the [Microsoft Azure Datacenter IP list](https://www.microsoft.com/download/details.aspx?id=56519). This list is updated weekly. The IP Addresses listed in the Azure Datacenter IP list are in CIDR notation. To learn more, see [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).

- 

-

-Besides updates that occur in the service, there is a natural movement of services across nodes due to load balancing. Node movements are an expected part of a cloud service. Azure Analysis Services tries to minimize impacts from node movements, but it's impossible to eliminate them entirely.

-In addition to node movements, there are other failures that can occur. For example, a data source database system might be offline or network connectivity is lost. If during refresh, a partition has 10 million rows and a failure occurs at the 9 millionth row, there is no way to restart refresh at the point of failure. The service has to start again from the beginning.

-Besides the REST API, there are other approaches you can use to minimize potential issues during long running refresh operations. The main goal is to avoid having to restart the refresh operation from the beginning, and instead perform refreshes in smaller batches that can be committed in stages.

-Whether using REST or custom logic, client application queries can still return inconsistent or intermediate results while batches are being processed. If consistent data returned by client application queries is required while processing is happening, and model data is in an intermediate state, you can use [scale-out](analysis-services-scale-out.md) with read-only query replicas.

-Enabling Azure DDoS Protection for API Management is currently available only for instances deployed (injected) in a VNet in [external mode](api-management-using-with-vnet.md).

-Currently, Azure DDoS Protection can't be enabled for the following API Management configurations:

-* Instances deployed in a VNet in [internal mode](api-management-using-with-internal-vnet.md)

- * The instance must be deployed in an Azure VNet in [external mode](api-management-using-with-vnet.md)

- * The instance to be configured with an Azure public IP address resource, which is supported only on the API Management `stv2` [compute platform](compute-infrastructure.md).

- * If the instance is hosted on the `stv1` platform, you must [migrate](compute-infrastructure.md#how-do-i-migrate-to-the-stv2-platform) to the `stv2` platform.

-You can also run a package from an external URL, such as Azure Blob Storage. You can use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files to your Blob storage account. You should use a private storage container with a [Shared Access Signature (SAS)](../vs-azure-tools-storage-manage-with-storage-explorer.md#generate-a-sas-in-storage-explorer) or [use a managed identity](#fetch-a-package-from-azure-blob-storage-using-a-managed-identity) to enable the App Service runtime to access the package securely.

-### Fetch a package from Azure Blob Storage using a managed identity

-| `WEBSITE_WARMUP_PATH` | A relative path to ping to warm up the app, beginning with a slash. The default is `/`, which pings the root path. The specific path can be pinged by an unauthenticated client, such as Azure Traffic Manager, even if [App Service authentication](overview-authentication-authorization.md) is set to reject unauthenticated clients. (NOTE: This app setting does not change the path used by AlwaysOn.) ||

-| `WEBSITE_HOSTNAME` | Read-only. Primary hostname for the app. Custom hostnames are not accounted for here. ||

-| `WEBSITE_ADD_SITENAME_BINDINGS_IN_APPHOST_CONFIG` | After slot swaps, the app may experience unexpected restarts. This is because after a swap, the hostname binding configuration goes out of sync, which by itself doesn't cause restarts. However, certain underlying storage events (such as storage volume failovers) may detect these discrepancies and force all worker processes to restart. To minimize these types of restarts, set the app setting value to `1`on all slots (default is`0`). However, do not set this value if you are running a Windows Communication Foundation (WCF) application. For more information, see [Troubleshoot swaps](deploy-staging-slots.md#troubleshoot-swaps)||

-The following table shows environment variables prefixes that App Service uses for various purposes.

-| `DEPLOYMENT_BRANCH`| For [local Git](deploy-local-git.md) or [cloud Git](deploy-continuous-deployment.md) deployment (such as GitHub), set to the branch in Azure you want to deploy to. By default, it is `master`. |

-| `MSDEPLOY_RENAME_LOCKED_FILES` | Set to `1` to attempt to rename DLLs if they can't be copied during a WebDeploy deployment. This setting is not applicable if `WEBSITE_WEBDEPLOY_USE_SCM` is set to `false`. |

-| `SCM_COMMAND_IDLE_TIMEOUT` | Time-out in seconds for each command that the build process launches to wait before without producing any output. After that, the command is considered idle and killed. The default is `60` (one minute). In Azure, there's also a general idle request timeout that disconnects clients after 230 seconds. However, the command will still continue running server-side after that. | |

-| `WEBSITE_SCM_IDLE_TIMEOUT_IN_MINUTES` | Time-out in minutes for the SCM (Kudu) site. The default is `20`. | |

-| `AZURE_JAVA_APP_PATH` | Environment variable can be used by custom scripts So they have a location for app.jar after it's copied to local | |

-| `WEBSITE_JAVA_JAR_FILE_NAME` | The .jar file to use. Appends .jar if the string does not end in .jar. Defaults to app.jar ||

-| `WEBSITE_JAVA_WAR_FILE_NAME` | The .war file to use. Appends .war if the string does not end in .war. Defaults to app.war ||

-| `WEBSITE_SKIP_ALL_BINDINGS_IN_APPHOST_CONFIG` | Set to `true` or `1` to skip all bindings in `applicationHost.config`. The default is `false`. If your app triggers a restart because `applicationHost.config` is updated with the swapped hostnames of th slots, set this variable to `true` to avoid a restart of this kind. If you are running a Windows Communication Foundation (WCF) app, do not set this variable. ||

-| `DOCKER_REGISTRY_SERVER_URL` | URL of the registry server, when running a custom container in App Service. For security, this variable is not passed on to the container. | `https://<server-name>.azurecr.io` |

-| `DOCKER_REGISTRY_SERVER_USERNAME` | Username to authenticate with the registry server at `DOCKER_REGISTRY_SERVER_URL`. For security, this variable is not passed on to the container. ||

-| `DOCKER_REGISTRY_SERVER_PASSWORD` | Password to authenticate with the registry server at `DOCKER_REGISTRY_SERVER_URL`. For security, this variable is not passed on to the container. ||

-| `WEBSITES_PORT` | For a custom container, the custom port number on the container for App Service to route requests to. By default, App Service attempts automatic port detection of ports 80 and 8080. This setting is *not* injected into the container as an environment variable. ||

-| `WEBSITE_DISABLE_CROSS_STAMP_SCALE` | By default, apps are allowed to scale across stamps if they use Azure Files or a Docker container. Set to `1` or `true` to disable cross-stamp scaling within the app's region. The default is `0`. Custom Docker containers that set `WEBSITES_ENABLE_APP_SERVICE_STORAGE` to `true` or `1` cannot scale cross-stamps because their content is not completely encapsulated in the Docker container. |

-| `DIAGNOSTICS_TEXTTRACETURNOFFPERIOD` | Time-out in milliseconds to keep application logging enabled. The default is `43200000` (12 hours). ||

-| `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` | If you set the shared storage connection of your app (using `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`) to a Key Vault reference, the app cannot resolve the key vault reference at app creation or update if one of the following conditions is true: <br/>- The app accesses the key vault with a system-assigned identity.<br/>- The app accesses the key vault with a user-assigned identity, and the key vault is [locked with a VNet](../key-vault/general/overview-vnet-service-endpoints.md).<br/>To avoid errors at create or update time, set this variable to `1`. |

-| `WEBSITE_DELAY_CERT_DELETION` | This env var can be set to 1 by users in order to ensure that a certificate that a worker process is dependent upon is not deleted until it exits. |

-| `WEBSITE_AUTH_DISABLE_IDENTITY_FLOW` | When set to `true`, disables assigning the thread principal identity in ASP.NET-based web applications (including v1 Function Apps). This is designed to allow developers to protect access to their site with auth, but still have it use a separate login mechanism within their app logic. The default is `false`. |

-| `WEBSITE_AUTH_HIDE_DEPRECATED_SID` | `true` or `false`. The default value is `false`. This is a setting for the legacy Azure Mobile Apps integration for Azure App Service. Setting this to `true` resolves an issue where the SID (security ID) generated for authenticated users might change if the user changes their profile information. Changing this value may result in existing Azure Mobile Apps user IDs changing. Most apps do not need to use this setting. |

-| `WEBSITE_AUTH_NONCE_DURATION`| A _timespan_ value in the form `_hours_:_minutes_:_seconds_`. The default value is `00:05:00`, or 5 minutes. This setting controls the lifetime of the [cryptographic nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) generated for all browser-driven logins. If a login fails to complete in the specified time, the login flow will be retried automatically. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the `login.nonce.nonceExpirationInterval` configuration value. |

-| `WEBSITE_AUTH_PRESERVE_URL_FRAGMENT` | When set to `true` and users click on app links that contain URL fragments, the login process will ensure that the URL fragment part of your URL does not get lost in the login redirect process. For more information, see [Customize sign-in and sign-out in Azure App Service authentication](configure-authentication-customize-sign-in-out.md#preserve-url-fragments). |

-| `WEBSITE_AUTH_ENCRYPTION_KEY` | By default, the automatically generated key is used as the encryption key. To override, set to a desired key. This is recommended if you want to share tokens or sessions across multiple apps. If specified, it supercedes the `MACHINEKEY_DecryptionKey` setting. |

-| `WEBSITE_AUTH_SIGNING_KEY` | By default, the automatically generated key is used as the signing key. To override, set to a desired key. This is recommended if you want to share tokens or sessions across multiple apps. If specified, it supercedes the `MACHINEKEY_ValidationKey` setting. |

-| `WEBSITE_HEALTHCHECK_MAXPINGFAILURES` | The maximum number of failed pings before removing the instance. Set to a value between `2` and `100`. When you are scaling up or out, App Service pings the Health check path to ensure new instances are ready. For more information, see [Health check](monitor-instances-health-check.md).|

-`AzureWebJobsSecretStorageType` | [App settings reference for Azure Functions](../azure-functions/functions-app-settings.md) |

-| `WEBSITE_USE_PLACEHOLDER` | Set to `0` to disable the placeholder functions optimization on the consumption plan. The placeholder is an optimization that [improves the cold start](../azure-functions/functions-scale.md#cold-start-behavior). |

- > It's assumed that DNS has been configured to point the web server name (in this example, www.fabrikam.com) to your web server's IP address. If not, you can edit the [hosts file](https://answers.microsoft.com/en-us/windows/forum/all/how-to-edit-host-file-in-windows-10/7696f204-2aaf-4111-913b-09d6917f7f3d) to resolve the name.

-You can use Azure PowerShell to [configure the hosting of multiple web sites](multiple-site-overview.md) when you create an [application gateway](overview.md). In this article, you define backend address pools using virtual machines scale sets. You then configure listeners and rules based on domains that you own to make sure web traffic arrives at the appropriate servers in the pools. This article assumes that you own multiple domains and uses examples of *www.contoso.com* and *www.fabrikam.com*.

-For tracking changes in files on both Windows and Linux, Change Tracking and Inventory uses MD5 hashes of the files. The feature uses the hashes to detect if changes have been made since the last inventory.

-Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview), VMware ([Arc-enabled VMware vSphere](../vmware-vsphere/index.yml) preview), and System Center Virtual Machine Manager (SCVMM) ([Arc-enabled SCVMM](../system-center-virtual-machine-manager/index.yml) preview).

-Arc resource bridge is a packaged virtual machine that hosts a *management* Kubernetes cluster and requires no user management. The virtual machine is deployed on the on-premises infrastructure, and an ARM resource of Arc resource bridge is created in Azure. The two resources are then connected, allowing VM self-service and management from Azure. The on-premises resource bridge uses guest management to tag local resources, making them available in Azure.

-All management operations are performed from Azure, so no local configuration is required on the appliance.

-To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the custom locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted, and you won't be able to start or stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.

-Azure Arc resource bridge currently supports the following Azure regions:

-The following private cloud environments and their versions are officially supported for the Azure Arc resource bridge:

-* VMware vSphere version 6.7

-* To onboard the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.

-* To read, modify, and delete the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.

-The Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol.

-* Learn more about [provisioning and managing on-premises Windows and Linux VMs running on Azure Stack HCI clusters](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).

-### Failure due to previous failed deployments

-If an Arc resource bridge deployment fails, subsequent deployments may fail due to residual cached folders remaining on the machine.

-To prevent this from happening, be sure to run the `az arcappliance delete` command after any failed deployment. This command must be run with the latest `arcappliance` Azure CLI extension. To ensure that you have the latest version installed on your machine, run the following command:

-If the failed deployment is not successfully removed, residual cached folders may cause future Arc resource bridge deployments to fail. This may cause the error message `Unavailable desc = connection closed before server preface received` to surface when various `az arcappliance` commands are run, including `prepare` and `delete`.

-To resolve this error, the .wssd\python and .wssd\kva folders in the user profile directory need to be deleted on the machine where the Arc resource bridge CLI commands are being run. You can delete these manually by navigating to the user profile directory (typically C:\Users\<username>), then deleting the .wssd\python and/or .wssd\kva folders. After they are deleted, try the command again.

-In the Consumption and Premium plans, Azure Functions scales CPU and memory resources by adding additional instances of the Functions host. The number of instances is determined on the number of events that trigger a function.

-Function code files are stored on Azure Files shares on the function's main storage account. When you delete the main storage account of the function app, the function code files are deleted and cannot be recovered.

-The unit of scale for Azure Functions is the function app. When the function app is scaled out, additional resources are allocated to run multiple instances of the Azure Functions host. Conversely, as compute demand is reduced, the scale controller removes function host instances. The number of instances is eventually "scaled in" to zero when no functions are running within a function app.

-After your function app has been idle for a number of minutes, the platform may scale the number of instances on which your app runs down to zero. The next request has the added latency of scaling from zero to one. This latency is referred to as a _cold start_. The number of dependencies required by your function app can impact the cold start time. Cold start is more of an issue for synchronous operations, such as HTTP triggers that must return a response. If cold starts are impacting your functions, consider running in a Premium plan or in a Dedicated plan with the **Always on** setting enabled.

-Scaling can vary on a number of factors, and scale differently based on the trigger and language selected. There are a few intricacies of scaling behaviors to be aware of:

-* **Scale efficiency:** For Service Bus triggers, use _Manage_ rights on resources for the most efficient scaling. With _Listen_ rights, scaling isn't as accurate because the queue length can't be used to inform scaling decisions. To learn more about setting rights in Service Bus access policies, see [Shared Access Authorization Policy](../service-bus-messaging/service-bus-sas.md#shared-access-authorization-policies). For Event Hub triggers, see the [this scaling guidance](#event-hubs-trigger).

-## Limit scale out

-## Event Hubs trigger

-For example, consider an Event Hub as follows:

-When your function is first enabled, there is only one instance of the function. Let's call the first function instance `Function_0`. The `Function_0` function has a single instance of [EventProcessorHost](/dotnet/api/microsoft.azure.eventhubs.processor) that holds a lease on all ten partitions. This instance is reading events from partitions 0-9. From this point forward, one of the following happens:

-* **An additional function instance is added**: If the Functions scaling logic determines that `Function_0` has more messages than it can process, a new function app instance (`Function_1`) is created. This new function also has an associated instance of [EventProcessorHost](/dotnet/api/microsoft.azure.eventhubs.processor). As the underlying Event Hubs detect that a new host instance is trying read messages, it load balances the partitions across the host instances. For example, partitions 0-4 may be assigned to `Function_0` and partitions 5-9 to `Function_1`.

-As scaling occurs, `N` instances is a number greater than the number of event hub partitions. This pattern is used to ensure [EventProcessorHost](/dotnet/api/microsoft.azure.eventhubs.processor) instances are available to obtain locks on partitions as they become available from other instances. You are only charged for the resources used when the function instance executes. In other words, you are not charged for this over-provisioning.

-description: Reference documentation for the Azure Functions app settings or environment variables.

-App settings in a function app contain configuration options that affect all functions for that function app. When you run locally, these settings are accessed as local [environment variables](functions-develop-local.md#local-settings-file). This article lists the app settings that are available in function apps.

-There are other function app configuration options in the [host.json](functions-host-json.md) file and in the [local.settings.json](functions-develop-local.md#local-settings-file) file.

-Example connection string values are truncated for readability.

-> [!NOTE]

-> You can use application settings to override host.json setting values without having to change the host.json file itself. This is helpful for scenarios where you need to configure or modify specific host.json settings for a specific environment. This also lets you change host.json settings without having to republish your project. To learn more, see the [host.json reference article](functions-host-json.md#override-hostjson-values). Changes to function app settings require your function app to be restarted.

-The connection string for Application Insights. When possible, use `APPLICATIONINSIGHTS_CONNECTION_STRING` instead of `APPINSIGHTS_INSTRUMENTATIONKEY`. Using `APPLICATIONINSIGHTS_CONNECTION_STRING` is required in the following cases:

-+ When your function app requires the added customizations supported by using the connection string.

-+ When your Application Insights instance runs in a sovereign cloud, which requires a custom endpoint.

-|AZURE_FUNCTION_PROXY_DISABLE_LOCAL_CALL|`false`|Calls with a backend URL pointing to a function in the local function app are forwarded directly to the function. This is the default value. |

-This setting controls whether the characters `%2F` are decoded as slashes in route parameters when they are inserted into the backend URL.

-In version 2.x and later versions of the Functions runtime, configures app behavior based on the runtime environment. This value is read during initialization, and can be set to any value. Only the values of `Development`, `Staging`, and `Production` are honored by the runtime. When this application setting isn't present when running in Azure, the environment is assumed to be `Production`. Use this setting instead of `ASPNETCORE_ENVIRONMENT` if you need to change the runtime environment in Azure to something other than `Production`. The Azure Functions Core Tools set `AZURE_FUNCTIONS_ENVIRONMENT` to `Development` when running on a local computer, and this can't be overridden in the local.settings.json file. To learn more, see [Environment-based Startup class and methods](/aspnet/core/fundamentals/environments#environment-based-startup-class-and-methods).

-A host ID must be between 1 and 32 characters, contain only lowercase letters, numbers, and dashes, not start or end with a dash, and not contain consecutive dashes. An easy way to generate an ID is to take a GUID, remove the dashes, and make it lower case, such as by converting the GUID `1835D7B5-5C98-4790-815D-072CC94C6F71` to the value `1835d7b55c984790815d072cc94c6f71`.

-`true` means disable the default landing page that is shown for the root URL of a function app. Default is `false`.

-A comma-delimited list of beta features to enable. Beta features enabled by these flags are not production ready, but can be enabled for experimental use before they go live.

-Indicates the Kubernetes Secrets resource used for storing keys. Supported only when running in Kubernetes. Requires that `AzureWebJobsSecretStorageType` be set to `kubernetes`. When `AzureWebJobsKubernetesSecretName` isn't set, the repository is considered read-only. In this case, the values must be generated before deployment. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.

-The client ID of the user-assigned managed identity or the app registration used to access the vault where keys are stored. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`. Supported in version 4.x and later versions of the Functions runtime.

-The secret for client ID of the user-assigned managed identity or the app registration used to access the vault where keys are stored. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`. Supported in version 4.x and later versions of the Functions runtime.

-The name of a key vault instance used to store keys. This setting is only supported for version 3.x of the Functions runtime. For version 4.x, instead use `AzureWebJobsSecretStorageKeyVaultUri`. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`.

-The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: `Get`,`Set`, `List`, and `Delete`. <br/>When running locally, the developer identity is used, and settings must be in the [local.settings.json file](functions-develop-local.md#local-settings-file).

-The tenant ID of the app registration used to access the vault where keys are stored. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`. Supported in version 4.x and later versions of the Functions runtime. To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

-The URI of a key vault instance used to store keys. Supported in version 4.x and later versions of the Functions runtime. This is the recommended setting for using a key vault instance for key storage. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`.

-The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: `Get`,`Set`, `List`, and `Delete`. <br/>When running locally, the developer identity is used, and settings must be in the [local.settings.json file](functions-develop-local.md#local-settings-file).

-|AzureWebJobsSecretStorageType|`blob`|Keys are stored in a Blob storage container in the account provided by the `AzureWebJobsStorage` setting. This is the default behavior when `AzureWebJobsSecretStorageType` isn't set.<br/>To specify a different storage account, use the `AzureWebJobsSecretStorageSas` setting to indicate the SAS URL of a second storage account. |

-|AzureWebJobsSecretStorageType | `files` | Keys are persisted on the file system. This is the default for Functions v1.x.|

-Requires that [FUNCTIONS\_WORKER\_SHARED\_MEMORY\_DATA\_TRANSFER\_ENABLED](#functions_worker_shared_memory_data_transfer_enabled) be set to `1`.

-Dictates whether editing in the Azure portal is enabled. Valid values are "readwrite" and "readonly".

-The version of the Functions runtime that hosts your function app. A tilde (`~`) with major version means use the latest version of that major version (for example, "~3"). When new versions for the same major version are available, they are automatically installed in the function app. To pin the app to a specific version, use the full version number (for example, "3.0.12345"). Default is "~3". A value of `~1` pins your app to version 1.x of the runtime. For more information, see [Azure Functions runtime versions overview](functions-versions.md). A value of `~4` means that your app runs on version 4.x of the runtime, which supports .NET 6.0.

-Requires that [FUNCTIONS\_EXTENSION\_VERSION](#functions_extension_version) be set to `~3`.

-Specifies the maximum number of language worker processes, with a default value of `1`. The maximum value allowed is `10`. Function invocations are evenly distributed among language worker processes. Language worker processes are spawned every 10 seconds until the count set by FUNCTIONS\_WORKER\_PROCESS\_COUNT is reached. Using multiple language worker processes is not the same as [scaling](functions-scale.md). Consider using this setting when your workload has a mix of CPU-bound and I/O-bound invocations. This setting applies to all language runtimes, except for .NET running in process (`dotnet`).

-This setting lets you override the base URL of the Python Package Index, which by default is `https://pypi.org/simple`. Use this setting when you need to run a remote build using custom dependencies that are found in a package index repository compliant with PEP 503 (the simple repository API) or in a local directory that follows the same format.

-The value for this setting indicates an extra index URL for custom packages for Python apps, to use in addition to the `--index-url`. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index. Should follow the same rules as --index-url.

-## PYTHON\_ISOLATE\_WORKER\_DEPENDENCIES (Preview)

-The configuration is specific to Python function apps. It defines the prioritization of module loading order. When your Python function apps face issues related to module collision (e.g. when you're using protobuf, tensorflow, or grpcio in your project), configuring this app setting to `1` should resolve your issue. By default, this value is set to `0`. This flag is currently in Preview.

-|PYTHON\_ISOLATE\_WORKER\_DEPENDENCIES|`0`| Prioritize loading the Python libraries from internal Python worker's dependencies. Third-party libraries defined in requirements.txt may be shadowed. |

-The configuration is specific to Python function apps. Setting this to `1` allows the worker to load in [Python worker extensions](functions-reference-python.md#python-worker-extensions) defined in requirements.txt. It enables your function app to access new features provided by third-party packages. It may also change the behavior of function load and invocation in your app. Please ensure the extension you choose is trustworthy as you bear the risk of using it. Azure Functions gives no express warranties to any extensions. For how to use an extension, please visit the extension's manual page or readme doc. By default, this value sets to `0`.

-Specifies the maximum number of threads that a Python language worker would use to execute function invocations, with a default value of `1` for Python version `3.8` and below. For Python version `3.9` and above, the value is set to `None`. Note that this setting does not guarantee the number of threads that would be set during executions. The setting allows Python to expand the number of threads to the specified value. The setting only applies to Python functions apps. Additionally, the setting applies to synchronous functions invocation and not for coroutines.

-+ When you don't set a `WEBSITE_CONTENTSHARE` value for the main function app or any apps in slots, unique share values are generated for you. This is the recommended approach for an ARM template deployment.

-Valid values are either a URL that resolves to the location of a deployment package file, or `1`. When set to `1`, the package must be in the `d:\home\data\SitePackages` folder. When using zip deployment with this setting, the package is automatically uploaded to this location. In preview, this setting was named `WEBSITE_RUN_FROM_ZIP`. For more information, see [Run your functions from a package file](run-functions-from-deployment-package.md).

-The [WEBSITE_CONTENTAZUREFILECONNECTIONSTRING](#website_contentazurefileconnectionstring) and [WEBSITE_CONTENTSHARE](#website_contentshare) settings have additional validation checks to ensure that the app can be properly started. Creation of application settings will fail if the Function App cannot properly call out to the downstream Storage Account or Key Vault due to networking constraints or other limiting factors. When WEBSITE_SKIP_CONTENTSHARE_VALIDATION is set to `1`, the validation check is skipped; otherwise the value defaults to `0` and the validation will take place.

-If validation is skipped and either the connection string or content share are not valid, the app will be unable to start properly and will only serve HTTP 500 errors.

-> WEBSITE_VNET_ROUTE_ALL is a legacy app setting that has been replaced by the [vnetRouteAllEnabled configuration setting](../app-service/configure-vnet-integration-routing.md).

-Some configurations must be maintained at the App Service level as site settings, such as language versions. These settings are usually set in the portal, by using REST APIs, or by using Azure CLI or Azure PowerShell. The following are site settings that could be required, depending on your runtime language, OS, and versions:

-Following setting the library version, update your application settings to [isolate the dependencies](./functions-app-settings.md#python_isolate_worker_dependencies-preview) by adding `PYTHON_ISOLATE_WORKER_DEPENDENCIES` with the value `1` to your application settings. Locally, this is set in the `local.settings.json` file as seen below:

-description: Deploy Serverless Java Apps with Quarkus on Azure Functions

-# Deploy Serverless Java Apps with Quarkus on Azure Functions

-In this article, you'll develop, build, and deploy a serverless Java app with Quarkus on Azure Functions. This article uses Quarkus Funqy and its built-in support for Azure Functions HTTP trigger for Java. Using Quarkus with Azure Functions gives you the power of the Quarkus programming model with the scale and flexibility of Azure Functions. When you're finished, you'll run serverless [Quarkus](https://quarkus.io) applications on Azure Functions and continuing to monitor the application on Azure.

-* [Azure CLI](/cli/azure/overview), installed on your own computer.

-* [An Azure Account](https://azure.microsoft.com/)

-* [Java JDK 17](/azure/developer/java/fundamentals/java-support-on-azure) with JAVA_HOME configured appropriately. This article was written with Java 17 in mind, but Azure functions and Quarkus support older versions of Java as well.

-* [Apache Maven 3.8.1+](https://maven.apache.org)

-## A first look at the sample application

-Clone the sample code for this guide. The sample is on [GitHub](https://github.com/Azure-Samples/quarkus-azure).

-Explore the sample function. Open the file *functions-quarkus/src/main/java/io/quarkus/GreetingFunction.java*. The `@Funq` annotation makes your method (e.g. `funqyHello`) a serverless function. Azure Functions Java has its own set of Azure-specific annotations, but these annotations are not necessary when using Quarkus on Azure Functions in a simple capacity as we're doing here. For more information on the Azure Functions Java annotations, see [Azure Functions Java developer guide](/azure/azure-functions/functions-reference-java).

-Unless you specify otherwise, the function's name is taken to be same as the method name. You can also define the function name with a parameter to the annotation, as shown here.

-The name is important: the name becomes a part of the REST URI to invoke the function, as shown later in the article.

-## Test the Serverless Function locally

-Use `mvn` to run `Quarkus Dev mode` on your local terminal. Running Quarkus in this way enables live reload with background compilation. When you modify your Java files and/or your resource files and refresh your browser, these changes will automatically take effect.

-A browser refresh triggers a scan of the workspace. If any changes are detected, the Java files are recompiled and the application is redeployed. Your redeployed application services the request. If there are any issues with compilation or deployment an error page will let you know.

-Replace `yourResourceGroupName` with a resource group name. Function app names must be globally unique across all of Azure. Resource group names must be globally unique within a subscription. This article achieves the necessary uniqueness by prepending the resource group name to the function name. For this reason, consider prepending some unique identifier to any names you create that must be unique. A useful technique is to use your initials followed by today's date in `mmdd` format. The resourceGroup is not necessary for this part of the instructions, but it's required later. For simplicity, the maven project requires the property be defined.

-1. Invoke Quarkus dev mode.

- The output should look like this.

-1. Access the function using the `CURL` command on your local terminal.

- The output should look like this.

-### Add Dependency injection to function

-Dependency injection in Quarkus is provided by the open standard technology Jakarta EE Contexts and Dependency Injection (CDI). For a high level overview on injection in general, and CDI in specific, see the [Jakarta EE tutorial](https://eclipse-ee4j.github.io/jakartaee-tutorial/#injection).

-1. Add a new function that uses dependency injection

- Create a *GreetingService.java* file in the *functions-quarkus/src/main/java/io/quarkus* directory. Make the source code of the file be the following.

- `GreetingService` is an injectable bean that implements a `greeting()` method returning a string `Welcome...` message with a parameter `name`.

-1. Open the existing the *functions-quarkus/src/main/java/io/quarkus/GreetingFunction.java* file. Replace the class with the below code to add a new field `gService` and method `greeting`.

-1. Access the new function `greeting` using the `CURL` command on your local terminal.

- The output should look like this.

- > `Live Coding` (also referred to as dev mode) allows you to run the app and make changes on the fly. Quarkus will automatically re-compile and reload the app when changes are made. This is a powerful and efficient style of developing that you'll use throughout the tutorial.

- Before moving forward to the next step, stop Quarkus Dev Mode by pressing `CTRL-C`.

-## Deploy the Serverless App to Azure Functions

-1. If you haven't already, sign in to your Azure subscription by using the [az login](/cli/azure/reference-index) command and follow the on-screen directions.

- > If you've multiple Azure tenants associated with your Azure credentials, you must specify which tenant you want to sign in to. You can do this with the `--tenant` option. For example, `az login --tenant contoso.onmicrosoft.com`.

- Once you've signed in successfully, the output on your local terminal should look similar to the following.

-1. Build and deploy the functions to Azure

- The *pom.xml* you generated in the previous step uses the `azure-functions-maven-plugin`. Running `mvn install` generates config files and a staging directory required by the `azure-functions-maven-plugin`. For `yourResourceGroupName`, use the value you used previously.

-1. During deployment, sign in to Azure. The `azure-functions-maven-plugin` is configured to prompt for Azure sign in each time the project is deployed. Examine the build output. During the build, you'll see output similar to the following.

- Do as the output says and authenticate to Azure using the browser and provided device code. Many other authentication and configuration options are available. The complete reference documentation for `azure-functions-maven-plugin` is available at [Azure Functions: Configuration Details](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Functions:-Configuration-Details).

-1. After authenticating, the build should continue and complete. The output should include `BUILD SUCCESS` near the end.

- You can also find the `URL` to trigger your function on Azure in the output log.

- It will take a while for the deployment to complete. In the meantime, let's explore Azure Functions in the portal.

-## Access and Monitor the Serverless Function on Azure

-Sign in to the Portal and ensure you've selected the same tenant and subscription used in the Azure CLI. You can visit the portal at [https://aka.ms/publicportal](https://aka.ms/publicportal).

-1. Type `Function App` in the search bar at the top of the Azure portal and press Enter. Your function should be deployed and show up with the name `<yourResourceGroupName>-function-quarkus`.

- :::image type="content" source="media/functions-create-first-quarkus/azure-function-app.png" alt-text="The function app in the portal":::

- Select the `function name`. you'll see the function app's detail information such as **Location**, **Subscription**, **URL**, **Metrics**, and **App Service Plan**.

-1. In the detail page, select the `URL`.

- :::image type="content" source="media/functions-create-first-quarkus/azure-function-app-detail.png" alt-text="The function app detail page in the portal":::

- Then, you'll see if your function is "up and running" now.

- :::image type="content" source="media/functions-create-first-quarkus/azure-function-app-ready.png" alt-text="The function welcome page":::

-1. Invoke the `greeting` function using `CURL` command on your local terminal.

- > Replace `YOUR_HTTP_TRIGGER_URL` with your own function URL that you find in Azure portal or output.

- The output should look similar to the following.

- You can also access the other function (`funqyHello`).

- The output should be the same as you observed above.

- If you want to exercise the basic metrics capability in the Azure portal, try invoking the function within a shell for loop, as shown here.

- After a while, you'll see some metrics data in the portal, as shown next.

- :::image type="content" source="media/functions-create-first-quarkus/portal-metrics.png" alt-text="Function metrics in the portal":::

- Now that you've opened your Azure function in the portal, here are some more features accessible from the portal.

- * Monitor the performance of your Azure function. For more information, see [Monitoring Azure Functions](/azure/azure-functions/monitor-functions).

- * Explore telemetry. For more information, see [Analyze Azure Functions telemetry in Application Insights](/azure/azure-functions/analyze-telemetry-data).

- * Set up logging. For more information, see [Enable streaming execution logs in Azure Functions](/azure/azure-functions/streaming-logs).

-If you don't need these resources, you can delete them by running the following command in the Cloud Shell or on your local terminal:

-In this guide, you learned how to:

-> * Run Quarkus dev mode

-> * Deploy a Funqy app to Azure functions using the `azure-functions-maven-plugin`

-> * Examine the performance of the function in the portal

-To learn more about Azure Functions and Quarkus, see the following articles and references.

-Virtual network address translation (NAT) simplifies outbound-only internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. An NAT can be useful for Azure Functions or Web Apps that need to consume a third-party service that uses an allowlist of IP address as a security measure. To learn more, see [What is Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md).

-> For the best experience in this tutorial, choose .NET for runtime stack and choose Windows for operating system. Also, create you function app in the same region as your virtual network.

-The function app can now access the virtual network. Next, you'll add an HTTP-triggered function to the function app.

-## Update function configuration

-Now, you must add an application setting `WEBSITE_VNET_ROUTE_ALL` set to a value of `1`. This setting forces outbound traffic through the virtual network and associated NAT gateway. Without this setting, internet traffic isn't routed through the integrated virtual network, and you'll see the same outbound IPs.

-1. Navigate to your function app in the Azure portal and select **Configuration** from the left-hand menu.

-1. Under **Application settings**, select **+ New application setting** and complete use the following values to fill out the fields:

- |Field Name |Value |

- |||

- |**Name** |WEBSITE_VNET_ROUTE_ALL|

- |**Value** |1|

-1. Select **OK** to close the new application setting dialog.

-1. Select **Save** and then **Continue** to save the settings.

-The function app's now configured to route traffic through its associated virtual network.

-> [Azure Functions networking options](functions-networking-options.md)

-> [!IMPORTANT]

-> To successfully deploy your application by using Azure Resource Manager, it's important to understand how resources are deployed in Azure. In the following example, top-level configurations are applied by using `siteConfig`. It's important to set these configurations at a top level, because they convey information to the Functions runtime and deployment engine. Top-level information is required before the child **sourcecontrols/web** resource is applied. Although it's possible to configure these settings in the child-level **config/appSettings** resource, in some cases your function app must be deployed *before* **config/appSettings** is applied. For example, when you're using functions with [Logic Apps](../logic-apps/index.yml), your functions are a dependency of another resource.

-# [Bicep](#tab/bicep)

-```bicep

-resource functionApp 'Microsoft.Web/sites@2022-03-01' = {

- name: functionAppName

- location: location

- kind: 'functionapp'

- properties: {

- serverFarmId: hostingPlan.id

- siteConfig: {

- alwaysOn: true

- appSettings: [

- {

- name: 'FUNCTIONS_EXTENSION_VERSION'

- value: '~3'

- }

- {

- name: 'Project'

- value: 'src'

- }

- dependsOn: [

- storageAccount

- ]

-}

-resource config 'Microsoft.Web/sites/config@2022-03-01' = {

- parent: functionApp

- name: 'appsettings'

- properties: {

- AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value}'

- AzureWebJobsDashboard: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value}'

- FUNCTIONS_EXTENSION_VERSION: '~3'

- FUNCTIONS_WORKER_RUNTIME: 'dotnet'

- Project: 'src'

- }

- dependsOn: [

- sourcecontrol

- storageAccount

- ]

-}

-resource sourcecontrol 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {

- parent: functionApp

- name: 'web'

- properties: {

- repoUrl: repoUrl

- branch: branch

- isManualIntegration: true

- }

-}

-```

-# [JSON](#tab/json)

-```json

-"resources": [

- {

- "type": "Microsoft.Web/sites",

- "apiVersion": "2022-03-01",

- "name": "[variables('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp",

- "properties": {

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "alwaysOn": true,

- "appSettings": [

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~3"

- },

- {

- "name": "Project",

- "value": "src"

- },

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

- },

- {

- "type": "Microsoft.Web/sites/config",

- "apiVersion": "2022-03-01",

- "name": "[format('{0}/{1}', variables('functionAppName'), 'appsettings')]",

- "properties": {

- "AzureWebJobsStorage": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}', variables('storageAccountName'), listKeys(variables('storageAccountName'), '2021-09-01').keys[0].value)]",

- "AzureWebJobsDashboard": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}', variables('storageAccountName'), listKeys(variables('storageAccountName'), '2021-09-01').keys[0].value)]",

- "FUNCTIONS_EXTENSION_VERSION": "~3",

- "FUNCTIONS_WORKER_RUNTIME": "dotnet",

- "Project": "src"

- },

- "dependsOn": [

- "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",

- "[resourceId('Microsoft.Web/sites/sourcecontrols', variables('functionAppName'), 'web')]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

- ]

- },

- {

- "type": "Microsoft.Web/sites/sourcecontrols",

- "apiVersion": "2022-03-01",

- "name": "[format('{0}/{1}', variables('functionAppName'), 'web')]",

- "properties": {

- "repoUrl": "[parameters('repoURL')]",

- "branch": "[parameters('branch')]",

- "isManualIntegration": true

- },

- "dependsOn": [

- "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"

- ]

- }

-]

-```

-> [!TIP]

-> This Bicep/ARM template uses the [Project](https://github.com/projectkudu/kudu/wiki/Customizing-deployments#using-app-settings-instead-of-a-deployment-file) app settings value, which sets the base directory in which the Functions deployment engine (Kudu) looks for deployable code. In our repository, our functions are in a subfolder of the **src** folder. So, in the preceding example, we set the app settings value to `src`. If your functions are in the root of your repository, or if you're not deploying from source control, you can remove this app settings value.

-| 4.x (recommended) | PowerShell 7.2 (recommended) | .NET 6 |

-Support for PowerShell 7.0 in Azure Functions ended on 3 December 2022. To use PowerShell 7.2 when running locally, you need to add the setting `"FUNCTIONS_WORKER_RUNTIME_VERSION" : "7.2"` to the `Values` array in the local.setting.json file in the project root. When running locally on PowerShell 7.2, your local.settings.json file looks like the following example:

-Support for PowerShell 7.0 in Azure Functions ended on 3 December 2022. Your function app must be running on version 4.x to be able to upgrade to PowerShell 7.2. To learn how to do this, see [View and update the current runtime version](set-runtime-version.md#view-and-update-the-current-runtime-version).

-> If your package contains certain libraries that might collide with worker's dependencies (for example, protobuf, tensorflow, or grpcio), configure [`PYTHON_ISOLATE_WORKER_DEPENDENCIES`](functions-app-settings.md#python_isolate_worker_dependencies-preview) to `1` in app settings to prevent your application from referring to worker's dependencies. This feature is in preview.

-* If none of these suggestions resolves the issue, go to `https://<app-name>.scm.azurewebsites.net/DebugConsole` and view the content under `/home/site/wwwroot`.

-* Set the application setting [PYTHON_ISOLATE_WORKER_DEPENDENCIES](functions-app-settings.md#python_isolate_worker_dependencies-preview) to a value of `1`.

-When the collision occurs between slots, you may need to mark this setting as a slot setting. To learn how to create app settings, see [Work with application settings](functions-how-to-use-azure-function-app-settings.md#settings).

-Look at the timestamps of the log files and open the latest to see that latest timestamps are present in the log files. The default location for IIS log files is C:\\inetpub\\LogFiles\\W3SVC1.

-Use the [Set-AzDiagnosticSetting](/powershell/module/az.monitor/set-azdiagnosticsetting) cmdlet to create a diagnostic setting with [Azure PowerShell](../powershell-samples.md). See the documentation for this cmdlet for descriptions of its parameters.

-The following example PowerShell cmdlet creates a diagnostic setting by using all three destinations.

-Set-AzDiagnosticSetting -Name KeyVault-Diagnostics -ResourceId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault -Category AuditEvent -MetricCategory AllMetrics -Enabled $true -StorageAccountId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount -WorkspaceId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/myworkspace -EventHubAuthorizationRuleId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.EventHub/namespaces/myeventhub/authorizationrules/RootManageSharedAccessKey

-[Read more about Azure platform logs](./platform-logs-overview.md)

-| Azure NetApp Files cross-region replication | Generally available (GA) | [Limited](cross-region-replication-introduction.md#supported-region-pairs) |

-* [Azure NetApp Files REST API using PowerShell](develop-rest-api-powershell.md)

-description: Learn about Azure NetApp Files, an enterprise-class, high-performance, metered file storage service that supports any workload type and is highly available.

-Azure NetApp Files is an Azure native, first-party, enterprise-class, high-performance file storage service. You can select service and performance levels, create NetApp accounts, capacity pools, volumes, and manage data protection.

-The Azure NetApp Files documentation provides instructions on creating and managing volumes by using Azure NetApp Files.

- Kerberos requires that you create at least one machine account in Active Directory. The account information you provide is used for creating the accounts for both SMB *and* NFSv4.1 Kerberos volumes. This machine is account is created automatically during volume creation.

- AD Server and KDC IP can be the same server. This information is used to create the SPN machine account used by Azure NetApp Files. After the machine account is created, Azure NetApp Files will use DNS Server records to locate additional KDC servers as needed.

- > Ensure that you have configured the Active Directory connection settings. A machine account will be created in the organizational unit (OU) that is specified in the Active Directory connection settings. The settings are used by the LDAP client to authenticate with your Active Directory.

- * It must be an AD DS domain user account in the same domain where the Azure NetApp Files machine accounts are created.

- * It must have the permission to create machine accounts (for example, AD domain join) in the AD DS organizational unit path specified in the **Organizational unit path option** of the AD connection.

-* The AD connection admin account supports Kerberos AES-128 and Kerberos AES-256 encryption types for authentication with AD DS for Azure NetApp Files machine account creation (for example, AD domain join operations).

- This is the naming prefix for new machine accounts created in AD DS for Azure NetApp Files SMB, dual protocol, and NFSv4.1 Kerberos volumes.

- Azure NetApp Files will create additional machine accounts in AD DS as needed.

- This is the LDAP path for the organizational unit (OU) where SMB server machine accounts will be created. That is, `OU=second level, OU=first level`. For example, if you want to use an OU called `ANF` created at the root of the domain, the value would be `OU=ANF`.

- >DNS PTR records for the AD DS machine account(s) must be created in the AD DS **Organizational Unit** specified in the Azure NetApp Files AD connection for LDAP Signing to work.

-## What is the password rotation policy for the Active Directory machine account for SMB volumes?

-The Azure NetApp Files service has a policy that automatically updates the password on the Active Directory machine account that is created for SMB volumes. This policy has the following properties:

-To see when the password was last updated on the Azure NetApp Files SMB machine account, check the `pwdLastSet` property on the computer account using the [Attribute Editor](create-volumes-dual-protocol.md#access-active-directory-attribute-editor) in the **Active Directory Users and Computers** utility:

-https://support.microsoft.com/topic/april-12-2022-kb5012670-monthly-rollup-cae43d16-5b5d-43ea-9c52-9174177c6277), the policy that automatically updates the Active Directory machine account password for SMB volumes has been suspended until a fix is deployed.

-| SMB Server (Computer Account) Prefix | Naming prefix for the machine account in Active Directory that Azure NetApp Files will use for the creation of new accounts. See footnote.* | Yes | Existing volumes need to be mounted again as the mount is changed for SMB shares and NFS Kerberos volumes.* | Renaming the SMB server prefix after you create the Active Directory connection is disruptive. You'll need to remount existing SMB shares and NFS Kerberos volumes after renaming the SMB server prefix as the mount path will change. |

-| Organizational Unit Path | The LDAP path for the organizational unit (OU) where SMB server machine accounts will be created. `OU=second level`, `OU=first level`| No | If you are using Azure NetApp Files with Azure Active Directory Domain Services (AADDS), the organizational path is `OU=AADDC Computers` when you configure Active Directory for your NetApp Account. | Machine accounts will be placed under the OU specified. If not specified, the default of `OU=Computers` is used by default. |

-| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-C1C8\". Reason: Kerberos Error: Invalid credentials were given Details: Error: Machine account creation procedure failed\n [ 563] Loaded the preliminary configuration.\n**[ 670] FAILURE: Could not authenticate as 'test@contoso.com':\n** Unknown user (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)\n. "}]}` | <ul><li>Make sure that the username entered is correct. </li> <li>Make sure that the user is part of the Administrator group that has the privilege to create machine accounts. </li> <li> If you use Azure AD DS, make sure that the user is part of the Azure AD group `Azure AD DC Administrators`. </li></ul> |

-* If dynamic DNS updates are not used, you need to manually create an A record and a PTR record for the AD DS machine account(s) created in the AD DS **Organizational Unit** (specified in the Azure NetApp Files AD connection) to support Azure NetApp FIles LDAP Signing, LDAP over TLS, SMB, dual-protocol, or Kerberos NFSv4.1 volumes.

-description: Describes the Microsoft.Common.DropDown UI element for Azure portal. Use to select from available options when deploying a managed application.

-The DropDown element has different options which determine its appearance in the portal.

- "name": "element1",

- "type": "Microsoft.Common.DropDown",

- "label": "Example drop down",

- "placeholder": "",

- "defaultValue": ["Value two"],

- "toolTip": "",

- "multiselect": true,

- "selectAll": true,

- "filter": true,

- "filterPlaceholder": "Filter items ...",

- "multiLine": true,

- "defaultDescription": "A value for selection",

- "constraints": {

- "allowedValues": [

- {

- "label": "Value one",

- "description": "The value to select for option 1.",

- "value": "one"

- },

- {

- "label": "Value two",

- "description": "The value to select for option 2.",

- "value": "two"

- }

- ],

- "required": true

- },

- "visible": true

-* For an introduction to creating UI definitions, see [Getting started with CreateUiDefinition](create-uidefinition-overview.md).

-* For a description of common properties in UI elements, see [CreateUiDefinition elements](create-uidefinition-elements.md).

- * [Azure IoT Tools](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools)

-* [Visual Studio Code](https://code.visualstudio.com/) on your development machine. Make sure you have the [Azure IoT Tools extension](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools).

-* [Visual Studio Code](https://code.visualstudio.com/) on your development machine. Make sure you have the [Azure IoT Tools extension](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools).

-* The [Azure IoT Tools extension](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools), installed in Visual Studio Code

- * [Azure IoT Tools](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools)

- * [Azure IoT Tools](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools)

- * [Azure IoT Tools](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools)

-> Azure VMware Solution management virtual machines (VMs) won't honor a default route from on-premises.

-If you're routing back to your on-premises networks by using only a default route advertised toward Azure, vCenter Server and NSX-T Manager VMs won't be compatible with that route.

-To reach vCenter Server and NSX-T Manager, provide specific routes from on-premises to allow traffic to have a return path to those networks.

-7. Test the connection. Open your preferred browser and navigate to the different websites hosted on your Azure VMware Solution environment, for example, http://www.fabrikam.com.

-You can easily see the models you have available for both inference and fine-tuning in your resource by using the [Models API](/rest/api/cognitiveservices/azureopenai/models/list).

-This article provides the best practices on how to use the sender authentication methods that help prevent attackers from sending messages that look like they come from your domain.

-## Email authentication

-SPF [RFC 7208](https://tools.ietf.org/html/rfc7208) is a mechanism that allows domain owners to publish and maintain, via a standard DNS TXT record, a list of systems authorized to send email on their behalf.

-DKIM [RFC 6376](https://tools.ietf.org/html/rfc6376) allows an organization to claim responsibility for transmitting a message in a way that can be validated by the recipient

-DMARC [RFC 7489](https://tools.ietf.org/html/rfc7489) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.

-| | [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-microsoft-teams) | ✔️* |

-As a developer it can be nice to have the ability to check and display to end users the current microphone volume. ACS calling API exposes this information using `getVolume`. The `getVolume` value is a number ranging from 0 to 100 (with 0 noting zero audio detected, 100 as the max level detectable). This value iss sampled every 200 ms to get near real time value of volume.

-Sample code to get volume of selected microphone. This example shows how to generate the volume level by accessing `getVolume`.

-//Get the vaolume of the local audio source

- |Brazil South<br/>Canada Central<br/>Central US<br/>East US<br/>East US 2<br/>South Central US<br/>US Government Virginia<br/>West US 2<br/>West US 3 |France Central<br/>Germany West Central<br/>North Europe<br/>Norway East<br/>West Europe<br/>UK South |South Africa North<br/> |Australia East<br/>Central India<br/>Japan East<br/>Korea Central<br/>Southeast Asia<br/>East Asia<br/> |

-* Region conversions to availability zones aren't currently supported. To enable availability zone support in a region, the registry must either be created in the desired region, with availability zone support enabled, or a replicated region must be added with availability zone support enabled.

-* The availability zone is per region, once the replications are created, their states cannot be changed, except by deleting and re-creating the replications.

-1. Optionally, configure additional registry settings, and then select **Review + create**.

-| Composite indexing| Detects the accounts where queries could benefit from composite indexes and recommend using them. Composite indexes can dramatically improve the performance and throughput consumption of some queries.|

-| ORDER BY queries with high RU/s charge| Detects containers issuing ORDER BY queries with high RU/s charge and recommends exploring composite indexes.|

-You can select the compute and storage settings independently for

-worker nodes and the coordinator node in a cluster.

-Compute resources are provided as vCores, which represent

-the logical CPU of the underlying hardware. The storage size for

-provisioning refers to the capacity available to the coordinator

-and worker nodes in your cluster. The storage

-includes database files, temporary files, transaction logs, and

-the Postgres server logs.

-| IOPS | Up to 3 IOPS/GiB | Up to 3 IOPS/GiB |

-| 0.5 | 1,536 |

-| 1 | 3,072 |

-| 2 | 6,148 |

-| 2 | 3,072 | 6,144 | 12,296 |

-| 3 | 4,608 | 9,216 | 18,444 |

-| 4 | 6,144 | 12,288 | 24,592 |

-| 5 | 7,680 | 15,360 | 30,740 |

-| 6 | 9,216 | 18,432 | 36,888 |

-| 7 | 10,752 | 21,504 | 43,036 |

-| 8 | 12,288 | 24,576 | 49,184 |

-| 9 | 13,824 | 27,648 | 55,332 |

-| 10 | 15,360 | 30,720 | 61,480 |

-| 11 | 16,896 | 33,792 | 67,628 |

-| 12 | 18,432 | 36,864 | 73,776 |

-| 13 | 19,968 | 39,936 | 79,924 |

-| 14 | 21,504 | 43,008 | 86,072 |

-| 15 | 23,040 | 46,080 | 92,220 |

-| 16 | 24,576 | 49,152 | 98,368 |

-| 17 | 26,112 | 52,224 | 104,516 |

-| 18 | 27,648 | 55,296 | 110,664 |

-| 19 | 29,184 | 58,368 | 116,812 |

-| 20 | 30,720 | 61,440 | 122,960 |

-**Next steps**

-> Exchanges will be unavailable for Azure reserved instances for compute services purchased on or after **January 1, 2024**. Microsoft launched Azure savings plan for compute and it's designed to help you save broadly on predictable compute usage. The savings plan provides more flexibility needed to accommodate changes such as virtual machine series and regions. With savings plan providing the flexibility automatically, we’re adjusting our reservations exchange policy. You can continue to exchange VM sizes (with instance size flexibility) but we'll no longer support exchanging instance series or regions for Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations. For a limited time you may [trade-in](../savings-plan/reservation-trade-in.md) your Azure reserved instances for compute for a savings plan. Or, you may continue to use and purchase reservations for those predictable, stable workloads where you know the specific configuration you’ll need and want additional savings. Learn more about [Azure savings plan for compute](../savings-plan/index.yml) and how it works with reservations.

-A policy controls the total number of Analytics Units (AUs) your Data Lake Analytics account can use. By default, the value is set to 250. For example, if this value is set to 250 AUs, you can have one job running with 250 AUs assigned to it, or 10 jobs running with 25 AUs each. Additional jobs that are submitted are queued until the running jobs are finished. When running jobs are finished, AUs are freed up for the queued jobs to run.

-2. Click **Limits and policies**.

-4. Click **Save**.

-2. Click **Limits and policies**.

-4. Click **Save**.

-When your users run U-SQL jobs, the Data Lake Analytics service keeps all related files. These files include the U-SQL script, the DLL files referenced in the U-SQL script, compiled resources, and statistics. The files are in the /system/ folder of the default Azure Data Lake Storage account. This policy controls how long these resources are stored before they are automatically deleted (the default is 30 days). You can use these files for debugging, and for performance-tuning of jobs that you'll rerun in the future.

-2. Click **Limits and policies**.

-4. Click **Save**.

-There is a default policy set on every account. The default policy applies to all users of the account. You can create additional policies for specific users and groups.

-2. Click **Limits and policies**.

-3. Under **Job Submission Limits**, click the **Add Policy** button. Then, select or enter the following settings:

-4. Click **Ok**.

-2. Click **Limits and policies**.

-4. To see the **Delete** and **Edit** options, in the rightmost column of the table, click `...`.## Additional resources for job policies

-`PackageDeploymentTool.exe` provides the programming and command-line interfaces that help to deploy U-SQL databases. The SDK is included in the [U-SQL SDK Nuget package](https://www.nuget.org/packages/Microsoft.Azure.DataLake.USQL.SDK/), located at `build/runtime/PackageDeploymentTool.exe`.

-Pay attention to the big differences between these two jobs. Those differences are probably causing the performance problems. To check further, use the steps in the following diagram:

-In this step, you can verify the selected objects in the **Export object list** box. If there are any errors, select **Previous** to go back and correctly configure the objects that you want to export.

-Open a U-SQL job in Data Lake Tools for Visual Studio. Click **Vertex Execution View** in the bottom left corner. You may be prompted to load profiles first and it can take some time depending on your network connectivity.

-The **Vertex selector** on the left lets you select vertices by features (such as top 10 data read, or choose by stage). One of the most commonly-used filters is to see the **vertices on critical path**. The **Critical path** is the longest chain of vertices of a U-SQL job. Understanding the critical path is useful for optimizing your jobs by checking which vertex takes the longest time.

-* Process Name: The name of the vertex instance. It is composed of different parts in StageName|VertexName|VertexRunInstance. For example, the SV7_Split[62].v1 vertex stands for the second running instance (.v1, index starting from 0) of Vertex number 62 in Stage SV7_Split.

-Learn how to manage Azure Data Lake Analytics accounts, data sources, users, and jobs using the Azure CLI. To see management topics using other tools, click the tab select above.

-Before running any Data Lake Analytics jobs, you must have a Data Lake Analytics account. Unlike Azure HDInsight, you don't pay for an Analytics account when it is not running a job. You only pay for the time when it is running a job. For more information, see [Azure Data Lake Analytics Overview](data-lake-analytics-overview.md).

-storage account. The default Data Lake storage account is used to store job metadata and job audit logs. After you have created an Analytics account, you can add additional Data Lake Storage accounts and/or Azure Storage account.

-### Add additional Blob storage accounts

-### Add additional Data Lake Store accounts

-The following command updates the specified Data Lake Analytics account with an additional Data Lake Store account:

-* Create an Azure Active Directory (AAD) application and retrieve its **Client ID**, **Tenant ID**, and **Key**. For more information about AAD applications and instructions on how to get a client ID, see [Create Active Directory application and service principal using portal](../active-directory/develop/howto-create-service-principal-portal.md). The Reply URI and Key is available from the portal once you have the application created and key generated.

-2. Right-click on the project on the left-hand side of your screen and click **Add Framework Support**. Choose **Maven** and click **OK**.

-# Configure user access to job information to job information in Azure Data Lake Analytics

-If the necessary permissions are not configured, the user may see an error: `Graph data not available - You don't have permissions to access the graph data.`

-description: Learn how to use the intelligence of Cognitive capabilities in U-SQL. This code samples help you get started.

-1. From the Visual Studio select **File > New > Project > U-SQL Project**.

-2. Click **OK**. Visual Studio creates a solution with a Script.usql file.

-7. From **Solution Explorer**, right-click **Script.usql**, and then click **Build Script**.

-8. From **Solution Explorer**, right-click **Script.usql**, and then click **Submit Script**.

-9. If you haven't connected to your Azure subscription, you will be prompted to enter your Azure account credentials.

-10. Click **Submit**. Submission results and job link are available in the Results window when the submission is completed.

-11. Click the **Refresh** button to see the latest job status and refresh the screen.

-1. From **Server Explorer**, expand **Azure**, expand **Data Lake Analytics**, expand your Data Lake Analytics account, expand **Storage Accounts**, right-click the Default Storage, and then click **Explorer**.

-description: Learn about the U-SQL UDO programmability Azure Data Lake Analytics to enable you create good USQL script.

-description: Learn about the U-SQL UDT and UDAGG programmability in Azure Data Lake Analytics to enable you create good USQL script.

-U-SQL cannot implicitly serialize or de-serialize arbitrary UDTs when the UDT is passed between vertices in rowsets. This means that the user has to provide an explicit formatter by using the IFormatter interface. This provides U-SQL with the serialize and de-serialize methods for the UDT.

-UDTs currently cannot be used in GROUP BY. If UDT is used in GROUP BY, the following error is thrown:

-To define a UDT, we have to:

-**SqlUserDefinedType** is used to mark a type definition in an assembly as a user-defined type (UDT) in U-SQL. The properties on the attribute reflect the physical characteristics of the UDT. This class cannot be inherited.

-* **Intermediate**: Specifies that the source or destination context is not a persisted store.

-As a regular C# type, a U-SQL UDT definition can include overrides for operators such as +/==/!=. It can also include static methods. For example, if we are going to use this UDT as a parameter to a U-SQL MIN aggregate function, we have to define < operator override.

-As mentioned earlier, UDT can be used in SELECT expressions, but cannot be used in OUTPUTTER/EXTRACTOR without custom serialization. It either has to be serialized as a string with `ToString()` or used with a custom OUTPUTTER/EXTRACTOR.

-User-defined aggregates are any aggregation-related functions that are not shipped out-of-the-box with U-SQL. The example can be an aggregate to perform custom math calculations, string concatenations, manipulations with strings, and so on.

-**SqlUserDefinedAggregate** indicates that the type should be registered as a user-defined aggregate. This class cannot be inherited.

-Here is an example of UDAGG:

-**SqlUserDefinedApplier** indicates that the type should be registered as a user-defined applier. This class cannot be inherited.

-It is important to understand that custom appliers only output columns and values that are defined with `output.Set` method call.

-Here is the user-defined applier example:

-It is a typical tab-delimited TSV file with a properties column that contains car properties such as make and model. Those properties must be parsed to the table columns. The applier that's provided also enables you to generate a dynamic number of properties in the result rowset, based on the parameter that's passed. You can generate either all properties or a specific set of properties only.

-The **SqlUserDefinedCombiner** attribute indicates that the type should be registered as a user-defined combiner. This class cannot be inherited.

-**SqlUserDefinedCombiner** is used to define the Combiner mode property. It is an optional attribute for a user-defined combiner definition.

-After enumerating both rowsets, we are going to loop through all rows. For each row in the left rowset, we are going to find all rows that satisfy the condition of our combiner.

-In this use-case scenario, we are building an analytics report for the retailer. The goal is to find all products that cost more than $20,000 and that sell through the website faster than through the regular retailer within a certain time frame.

-Here is the base U-SQL script. You can compare the logic between a regular JOIN and a combiner:

-The **SqlUserDefinedExtractor** attribute indicates that the type should be registered as a user-defined extractor. This class cannot be inherited.

-**SqlUserDefinedOutputter** attribute indicates that the type should be registered as a user-defined outputter. This class cannot be inherited.

-Note that it's important to flush the data buffer to the file after each row iteration. In addition, the `StreamWriter` object must be used with the Disposable attribute enabled (default) and with the **using** keyword:

-**SqlUserDefinedProcessor** indicates that the type should be registered as a user-defined processor. This class cannot be inherited.

-The **SqlUserDefinedReducer** attribute indicates that the type should be registered as a user-defined reducer. This class cannot be inherited.

-It is important to understand that custom reducer only outputs values that are defined with the `output.Set` method call.

-* Usage of dedicated named data frames called `inputFromUSQL` and `outputToUSQL` respectively to pass data between U-SQL and R. Input and output DataFrame identifier names are fixed (that is, users cannot change these predefined names of input and output DataFrame identifiers).

-* The `Factor` datatype is not supported in U-SQL.

-* U-SQL datasets cannot have duplicate column names.

-* Readonly column cannot be part of the output dataframe. Because readonly columns are automatically injected back in the U-SQL table if it is a part of output schema of UDO.

-* Currently, U-SQL does not support Combiner UDOs for prediction using partitioned models generated using Reducer UDOs. Users can declare the partitioned models as resource and use them in their R Script (see sample code `ExtR_PredictUsingLMRawStringReducer.usql`)

-Every vertex has a limited amount of memory assigned to it. Because the input and output DataFrames must exist in memory in the R code, the total size for the input and output cannot exceed 500 MB.

-First, create an R custom module and zip it and then upload the zipped R custom module file to your ADL store. In the example, we will upload magittr_1.5.zip to the root of the default ADLS account for the ADLA account we are using. Once you upload the module to ADL store, declare it as use DEPLOY RESOURCE to make it available in your U-SQL script and call `install.packages` to install it.

-In most cases, you should not be impacted by backwards-incompatibility.

-The most common backwards-incompatibilities that the checker is likely to identify are (we generated this list by running the checker on our own internal ADLA jobs), which libraries are impacted (note: that you may call the libraries only indirectly, thus it is important to take required action #1 to check if your jobs are impacted), and possible actions to remedy. Note: In almost all cases for our own jobs, the warnings turned out to be false positives due to the narrow natures of most breaking changes.

- - When calling TaskFactory.FromAsync, the implementation of the IAsyncResult.CompletedSynchronously property must be correct for the resulting task to complete. That is, the property must return true if, and only if, the implementation completed synchronously. Previously, the property was not checked.

- - For apps that target the .NET Framework 4.5.2 or previous versions, writing an invalid surrogate pair using exception fallback handling does not always throw an exception. For apps that target the .NET Framework 4.6, attempting to write an invalid surrogate pair throws an `ArgumentException`.

- - Suggested Action: Ensure you are not writing an invalid surrogate pair that will cause argument exception

- - Suggested Action: Ensure you are inserting the amount of `<BR />` you expect to see so no random behavior is seen in production job

- - Suggested Action: Ensure you are handling the new expected behavior when there is null authorization policy

- - In .NET Framework 4.6.2, a number of changes were made to support previously unsupported paths (both in length and format). Checks for proper drive separator (colon) syntax were made more correct, which had the side effect of blocking some URI paths in a few select Path APIs where they used to be tolerated.

- - Starting with the .NET Framework 4.6.2, there is a change in how `T:System.Security.Claims.ClaimsIdentity` constructors with an `T:System.Security.Principal.IIdentity` parameter set the `P:System.Security.Claims.ClaimsIdentify.Actor` property. If the `T:System.Security.Principal.IIdentity` argument is a `T:System.Security.Claims.ClaimsIdentity` object, and the `P:System.Security.Claims.ClaimsIdentify.Actor` property of that `T:System.Security.Claims.ClaimsIdentity` object is not `null`, the `P:System.Security.Claims.ClaimsIdentify.Actor` property is attached by using the `M:System.Security.Claims.ClaimsIdentity.Clone` method. In the Framework 4.6.1 and earlier versions, the `P:System.Security.Claims.ClaimsIdentify.Actor` property is attached as an existing reference. Because of this change, starting with the .NET Framework 4.6.2, the `P:System.Security.Claims.ClaimsIdentify.Actor` property of the new `T:System.Security.Claims.ClaimsIdentity` object is not equal to the `P:System.Security.Claims.ClaimsIdentify.Actor` property of the constructor's `T:System.Security.Principal.IIdentity` argument. In the .NET Framework 4.6.1 and earlier versions, it is equal.

- - In the .NET framework 4.6.2 and earlier versions, the DataContractJsonSerializer did not serialize some special control characters, such as \b, \f, and \t, in a way that was compatible with the ECMAScript V6 and V8 standards. Starting with the .NET Framework 4.7, serialization of these control characters is compatible with ECMAScript V6 and V8.

-When you submit U-SQL jobs from either Visual Studio, the ADL SDK or the Azure Data Lake Analytics portal, your job will use the currently available default runtime. New versions of the U-SQL runtime are released on a regular basis and include both minor updates and security fixes.

-You can also choose a custom runtime version; either because you want to try out a new update, need to stay on an older version of a runtime, or were provided with a hotfix for a reported problem where you cannot wait for the regular new update.

-In rare cases, Microsoft Support may pin a different version of a runtime as the default for your account. Please ensure that you revert this pin as soon as possible. If you remain pinned to that version, it will expire at some later date.

-3. Optionally, click **Filter** to help you find the jobs by **Time Range**, **Job Name**, and **Author** values.

-The available runtime versions change over time. The default runtime is always called "default" and we keep at least the previous runtime available for some time as well as make special runtimes available for a variety of reasons. Explicitly named runtimes generally follow the following format (italics are used for variable parts and [] indicates optional parts):

-1. A script or some user-code is changing behavior from one release to the next. Such breaking changes are normally communicated ahead of time with the publication of release notes. If you encounter such a breaking change, contact Microsoft Support to report this breaking behavior (in case it has not been documented yet) and submit your jobs against the older runtime version.

-2. You have been using a non-default runtime either explicitly or implicitly when it has been pinned to your account, and that runtime has been removed after some time. If you encounter missing runtimes, upgrade your scripts to run with the current default runtime. If you need additional time, contact Microsoft Support

- **Solution**: Please use Newtonsoft.Json file v12.0.2 or lower.

-2. Customers might see temporary files and folders on their store. Those are produced as part of the normal job execution, but are usually deleted before the customers see them. Under certain circumstances, which are rare and random, they might remain visible for a period of time. They are eventually deleted, and are never counted as part of user storage, or generate any form of charges whatsoever. Depending on the customers' job logic they might cause issues. For instance, if the job enumerates all files in the folder and then compares file lists, it might fail because of the unexpected temporary files being present. Similarly, if a downstream job enumerates all files from a given folder for further processing, it might also enumerate the temp files.

- **Solution**: A fix is identified in the runtime where the temp files will be stored in account level temp folder than the current output folder. The temp files will be written in this new temp folder and will be deleted at the end the job execution.

- Since this fix is handling the customer data, it is extremely important to have this fix well validated within MSFT before it is released. It is expected to have this fix available as beta runtime in the middle of year 2021 and as default runtime in the second half of year 2021.

-az devcenter dev environment create -g <resource-group-name> --dev-center-name <devcenter-name> \

-description: 'This quickstart shows you how to configure a Microsoft Dev Box Preview project, create a dev box pool and provide access to dev boxes for your users.'

-<!--

- Customer intent:

- As a Dev Box Project Admin I want to configure projects so that I can provide Dev Boxes for my users.

- -->

-# Quickstart: Configure a Microsoft Dev Box Preview project

-To enable developers to self-serve dev boxes in projects, you must configure dev box pools that specify the dev box definitions and network connections used when dev boxes are created. Dev box users create dev boxes using the dev box pool.

-In this quickstart, you'll perform the following tasks:

-* [Create a dev box pool](#create-a-dev-box-pool)

-* [Provide access to a dev box project](#provide-access-to-a-dev-box-project)

-## Create a dev box pool

-A dev box pool is a collection of dev boxes that you manage together. You must have a pool before users can create a dev box, and all dev boxes created in the pool will be in the same region.

-The following steps show you how to create a dev box pool associated with a project. You'll use an existing dev box definition and network connection in the dev center to configure a dev box pool.

-If you don't have an available dev center with an existing dev box definition and network connection, follow the steps in [Quickstart: Configure the Microsoft Dev Box Preview service](quickstart-configure-dev-box-service.md) to create them.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the search box, type *Projects* and then select **Projects** from the list.

- <!-- :::image type="content" source="./media/quickstart-configure-dev-box-projects/discovery-via-azure-portal.png" alt-text="Screenshot showing the Azure portal with the search box highlighted."::: -->

-3. Open the project in which you want to create the dev box pool.

-

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::

-4. Select **Dev box pools** and then select **+ Create**.

-

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-pool-grid-empty.png" alt-text="Screenshot of the list of dev box pools within a project. The list is empty.":::

-1. On the **Create a dev box pool** page, enter the following values:

- |Name|Value|

- |-|-|

- |**Name**|Enter a name for the pool. The pool name is visible to developers to select when they're creating dev boxes, and must be unique within a project.|

- |**Dev box definition**|Select an existing dev box definition. The definition determines the base image and size for the dev boxes created within this pool.|

- |**Network connection**|Select an existing network connection. The network connection determines the region of the dev boxes created within this pool.|

- |**Dev Box Creator Privileges**|Select Local Administrator or Standard User.|

- |**Enable Auto-stop**|Yes is the default. Select No to disable an Auto-stop schedule. You can configure an Auto-stop schedule after the pool has been created.|

- |**Stop time**| Select a time to shutdown all the dev boxes in the pool. All Dev Boxes in this pool will be shut down at this time, everyday.|

- |**Time zone**| Select the time zone that the stop time is in.|

- |**Licensing**| Select this check box to confirm that your organization has Azure Hybrid Benefit licenses that you want to apply to the dev boxes in this pool. |

- :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-pool-create.png" alt-text="Screenshot of the Create dev box pool dialog.":::

-6. Select **Add**.

-

-7. Verify that the new dev box pool appears in the list. You may need to refresh the screen.

-The dev box pool will be deployed and health checks will be run to ensure the image and network pass the validation criteria to be used for dev boxes. The screenshot below shows four dev box pools, each with a different status.

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-pool-grid-populated.png" alt-text="Screenshot showing a list of existing pools.":::

-## Provide access to a dev box project

-Before users can create dev boxes based on the dev box pools in a project, you must provide access for them through a role assignment. The Dev Box User role enables dev box users to create, manage and delete their own dev boxes. You must have sufficient permissions to a project before you can add users to it.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-

-1. In the search box, type *Projects* and then select **Projects** from the list.

-1. Select the project you want to provide your team members access to.

-

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::

-1. Select **Access Control (IAM)** from the left menu.

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/access-control-tab.png" alt-text="Screenshot showing the Project Access control page with the Access Control link highlighted.":::

-1. Select **Add** > **Add role assignment**.

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::

-1. On the Add role assignment page, search for *devcenter dev box user*, select the **DevCenter Dev Box User** built-in role, and then select **Next**.

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-user-role.png" alt-text="Screenshot showing the Add role assignment search box highlighted.":::

-1. On the Members page, select **+ Select Members**.

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/dev-box-user-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::

-1. On the **Select members** pane, select the Active Directory Users or Groups you want to add, and then select **Select**.

- :::image type="content" source="./media/quickstart-configure-dev-box-projects/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::

-1. On the Add role assignment page, select **Review + assign**.

-The user will now be able to view the project and all the pools within it. They can create dev boxes from any of the pools and manage those dev boxes from the [developer portal](https://aka.ms/devbox-portal).

-## Project admins

-The Microsoft Dev Box service makes it possible for you to delegate administration of projects to a member of the project team. Project administrators can assist with the day-to-day management of projects for their team, like creating and managing dev box pools. To provide users permissions to manage projects, add them to the DevCenter Project Admin role. The tasks in this quickstart can be performed by project admins. To learn how to add a user to the Project Admin role, see [Provide access to projects for project admins](how-to-project-admin.md).

-## Next steps

-In this quickstart, you created a dev box pool within an existing project and assigned a user permission to create dev boxes based on the new pool.

-To learn about how to create to your dev box and connect to it, advance to the next quickstart:

-> [!div class="nextstepaction"]

-> [Create a dev box](./quickstart-create-dev-box.md)

-description: 'This quickstart shows you how to configure the Microsoft Dev Box Preview service to provide dev boxes for your users. You will create a dev center, add a network connection, and then create a dev box definition, and a project.'

-This quickstart describes how to configure the Microsoft Dev Box service by using the Azure portal to enable development teams to self-serve dev boxes.

-The following steps show you how to create and configure a dev center.

-1. In the search box, type *Dev centers* and then select **Dev centers** from the list.

- <!-- :::image type="content" source="./media/quickstart-configure-dev-box-service/discovery-via-azure-portal.png" alt-text="Screenshot showing the Azure portal with the search box highlighted."::: -->

- :::image type="content" source="./media/quickstart-configure-dev-box-service/create-devcenter-basics.png" alt-text="Screenshot showing the Create dev center Basics tab.":::

- :::image type="content" source="./media/quickstart-configure-dev-box-service/create-devcenter-tags.png" alt-text="Screenshot showing the Create dev center Tags tab.":::

- :::image type="content" source="./media/quickstart-configure-dev-box-service/azure-notifications.png" alt-text="Screenshot showing Azure portal notifications pane.":::

- - **Hybrid AD join:** To learn how to join your AD DS domain-joined computers to Azure AD from an on-premises Active Directory Domain Services (AD DS) environment, see [Plan your hybrid Azure Active Directory join deployment](../active-directory/devices/hybrid-azuread-join-plan.md).

-Follow these steps to create a network connection:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the search box, type *Network connections* and then select **Network connections** from the list.

- :::image type="content" source="./media/quickstart-configure-dev-box-service/network-connections-empty.png" alt-text="Screenshot showing the Network Connections page with Create highlighted.":::

- :::image type="content" source="./media/quickstart-configure-dev-box-service/create-native-network-connection-full-blank.png" alt-text="Screenshot showing the create network connection basics tab with Azure Active Directory join highlighted.":::

- :::image type="content" source="./media/quickstart-configure-dev-box-service/create-hybrid-network-connect