-This article provides an introduction to configuring Azure Active Directory(Azure AD) authentication behavior for federated users using Home Realm Discovery (HRD) policy. It covers using auto-acceleration to skip the username entry screen and automatically forward users to federated login endpoints. To learn more about HRD policy, see [Home Realm Discovery](home-realm-discovery-policy.md)

-The following policy auto-accelerates users to an federated identity provider sign-in screen when they're signing in to an application when there's a single domain in your tenant.

-The following policy auto-accelerates users to an federated identity provider sign-in screen when there is more than one federated domain in your tenant. If you have more than one federated domain that authenticates users for applications, you need to specify the domain to auto-accelerate.

-To apply the HRD policy after you have created it, you can assign it to multiple application service principals.

-Because you are using PowerShell, you can use the following cmdlet to list the service principals and their IDs.

-[Prevent sign-in auto-acceleration](prevent-domain-hints-with-home-realm-discovery.md).

-Home Realm Discovery (HRD) is the process that allows Azure Active directory (Azure AD) to determine which identity provider ("IdP") a user needs to authenticate with at sign-in time. When a user signs in to an Azure AD tenant to access a resource, or to the Azure AD common sign-in page, they type a user name (UPN). Azure AD uses that to discover where the user needs to sign in.

-By default, Azure AD attempts to redirect sign-in to the IdP that's configured for a domain if **both** of the following are true:

-|AC.L2-3.1.12 | In todayΓÇÖs world, users access cloud-based applications almost exclusively remotely from unknown or untrusted networks. It's critical to securing this pattern of access to adopt zero trust principals. To meet these controls requirements in a modern cloud world we must verify each access request explicitly, implement least privilege and assume breach.<br><br>Configure named locations to delineate internal vs external networks. Configure conditional access app control to route access via Microsoft Defender for Cloud Apps (MDCA). Configure MDCA to control and monitor all sessions.<br>[Zero Trust Deployment Guide for Microsoft Azure Active Directory](/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/)<br>[Location condition in Azure Active Directory Conditional Access](/azure/active-directory/conditional-access/location-condition.md)<br>[Deploy Cloud App Security Conditional Access App Control for Azure AD apps](/cloud-app-security/proxy-deployment-aad.md)<br>[What is Microsoft Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security.md)<br>[Monitor alerts raised in Microsoft Defender for Cloud Apps](/cloud-app-security/monitor-alerts.md) |

-| AC.L2-3.1.14 | Configure named locations to delineate internal vs external networks. Configure conditional access app control to route access via Microsoft Defender for Cloud Apps (MDCA). Configure MDCA to control and monitor all sessions. Secure devices used by privileged accounts as part of the privileged access story.<br>[Location condition in Azure Active Directory Conditional Access](/azure/active-directory/conditional-access/location-condition.md)<br>[Session controls in Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-session.md)<br>[Securing privileged access overview](/security/compass/overview.md) |

-| AC.L2-3.1.15 | Conditional Access is the Zero Trust control plane to target policies for access to your apps when combined with authentication context. You can apply different policies in those apps. Secure devices used by privileged accounts as part of the privileged access story. Configure conditional access policies to require the use of these secured devices by privileged users when performing privileged commands.<br>[Cloud apps, actions, and authentication context in Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps.md)<br>[Securing privileged access overview](/security/compass/overview.md)<br>[Filter for devices as a condition in Conditional Access policy](/azure/active-directory/conditional-access/concept-condition-filters-for-devices.md) |

-| AC.L2-3.1.18 | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to enforce mobile device configuration and connection profile. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started.md)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management.md) |

-| AC.L2-3.1.21 | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to control the use of portable storage devices on systems. Configure policy settings on the Windows device to completely prohibit or restrict use of portable storage at the OS level. For all other devices where you may be unable to granularly control access to portable storage block download entirely with Microsoft Defender for Cloud Apps. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Configure authentication session management - Azure Active Directory](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started.md)<br>[Restrict USB devices using administrative templates in Microsoft Intune](/mem/intune/configuration/administrative-templates-restrict-usb.md)<br><br>**Microsoft Defender for Cloud Apps**<br>[Create session policies in Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad.md)

-| AU.L2-3.3.1<br><br>AU.L2-3.3.2 | All operations are audited within the Azure AD audit logs. Each audit log entry contains a userΓÇÖs immutable objectID that can be used to uniquely trace an individual system user to each action. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification.<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs.md)<br>[Connect Azure Active Directory data to Microsoft Sentinel](/azure/sentinel/connect-azure-active-directory)<br>[Tutorial: Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |

-| AU.L2-3.3.4 | Azure Service Health notifies you about Azure service incidents so you can take action to mitigate downtime. Configure customizable cloud alerts for Azure Active Directory. <br>[What is Azure Service Health?](/azure/service-health/overview.md)<br>[Three ways to get notified about Azure service issues](https://azure.microsoft.com/blog/three-ways-to-get-notified-about-azure-service-issues/)<br>[Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health/) |

-| AU.L2-3.3.6 | Ensure Azure AD events are included in event logging strategy. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts. <br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs.md)<br>[Connect Azure Active Directory data to Microsoft Sentinel](/azure/sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |

-| AU.L2-3.3.8<br><br>AU.L2-3.3.9 | Azure AD logs are retained by default for 30 days. These logs are unable to modified or deleted and are only accessible to limited set of privileged roles.<br>[Sign-in logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-sign-ins.md)<br>[Audit logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-audit-logs.md)

-| CM.L2-3.4.2 | Adopt a zero-trust security posture. Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce security configuration settings on the device with MDM solutions such as Microsoft Intune. Microsoft Endpoint Configuration Manager(MECM) or group policy objects can also be considered in hybrid deployments and combined with conditional access require hybrid Azure AD joined device.<br><br>**Zero-trust**<br>[Securing identity with Zero Trust](/security/zero-trust/identity.md)<br><br>**Conditional access**<br>[What is conditional access in Azure AD?](/azure/active-directory/conditional-access/overview.md)<br>[Grant controls in Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br><br>**Device policies**<br>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune.md)<br>[What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security.md)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management.md)<br>[Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview.md) |

-| CM.L2-3.4.5 | Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Customers don't have physical access to the Azure AD datacenters. As such, each physical access restriction above is satisfied by Microsoft and inherited by the customers of Azure AD. Implement Azure AD role based access controls. Eliminate standing privileged access, provide just in time access with approval workflows with Privileged Identity Management.<br>[Overview of Azure Active Directory role-based access control (RBAC)](/azure/active-directory/roles/custom-overview.md)<br>[What is Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure.md)<br>[Approve or deny requests for Azure AD roles in PIM](/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md) |

-| CM.L2-3.4.6 | Configure device management solutions (Such as Microsoft Intune) to implement a custom security baseline applied to organizational systems to remove non-essential applications and disable unnecessary services. Leave only the fewest capabilities necessary for the systems to operate effectively. Configure conditional access to restrict access to compliant or hybrid Azure AD joined devices. <br>[What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune.md)<br>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md) |

-| CM.L2-3.4.7 | Use Application Administrator role to delegate authorized use of essential applications. Use App Roles or group claims to manage least privilege access within application. Configure user consent to require admin approval and don't allow group owner consent. Configure Admin consent request workflows to enable users to request access to applications that require admin consent. Use Microsoft Defender for Cloud Apps to identify unsanctioned/unknown application use. Use this telemetry to then determine essential/non-essential apps.<br>[Azure AD built-in roles - Application Administrator](/azure/active-directory/roles/permissions-reference.md)<br>[Azure AD App Roles - App Roles vs. Groups ](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md)<br>[Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal.md)<br>[Configure group owner consent to apps accessing group data](/azure/active-directory/manage-apps/configure-user-consent-groups?tabs=azure-portal.md)<br>[Configure the admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow.md)<br>[What is Defender for Cloud Apps?](/defender-cloud-apps/what-is-defender-for-cloud-apps.d)<br>[Discover and manage Shadow IT tutorial](/defender-cloud-apps/tutorial-shadow-it.md) |

-| CM.L2-3.4.8 <br><br>CM.L2-3.4.9 | Configure MDM/configuration management policy to prevent the use of unauthorized software. Configure conditional access grant controls to require compliant or hybrid joined device to incorporate device compliance with MDM/configuration management policy into the conditional access authorization decision.<br>[What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune.md)<br>[Conditional Access - Require compliant or hybrid joined devices](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md) |

-| IR.L2-3.6.1 | Implement incident handling and monitoring capabilities. The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<br><br>**Audit events**<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs.md)<br>[Sign-in activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-sign-ins.md)<br>[How To: Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk.md)<br><br>**SIEM integrations**<br>[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](/azure/sentinel/connect-azure-active-directory.md)[Stream to Azure event hub and other SIEMs](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |

-| MP.L2-3.8.7 | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to control the use of removable media on systems. Deploy and manage Removable Storage Access Control using Intune or Group Policy. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant.md)<br>[Require hybrid Azure AD joined device](/conditional-access/concept-conditional-access-grant#require-hybrid-azure-ad-joined-device.md)<br><br>**Intune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started.md)<br><br>**Removable storage access control**<br>[Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide&preserve-view=true)<br>[Deploy and manage Removable Storage Access Control using group policy](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy?view=o365-worldwide&preserve-view=true) |

-| PS.L2-3.9.2 | Configure provisioning (including disablement upon termination) of accounts in Azure AD from external HR systems, on-premises Active Directory, or directly in the cloud. Terminate all system access by revoking existing sessions.<br><br>**Account provisioning**<br>[What is identity provisioning with Azure AD?](/azure/active-directory/cloud-sync/what-is-provisioning.md)<br>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis.md)<br>[What is Azure AD Connect cloud sync?](/azure/active-directory/cloud-sync/what-is-cloud-sync.md)<br><br>**Revoke all associated authenticators**<br>[Revoke user access in an emergency in Azure Active Directory](/azure/active-directory/enterprise-users/users-revoke-access.md) |

-| SC.L2-3.13.3 | Maintain separate user accounts in Azure Active Directory for everyday productivity use and administrative or system/privileged management. Privileged accounts should be cloud-only or managed accounts and not synchronized from on-premises to protect the cloud environment from on-premises compromise. System/privileged access should only be permitted from a security hardened privileged access workstation (PAW). Configure Conditional Access device filters to restrict access to administrative applications from PAWs that are enabled using Azure Virtual Desktops.<br>[Why are privileged access devices important](/security/compass/privileged-access-devices.md)<br>[Device Roles and Profiles](/security/compass/privileged-access-devices.md)<br>[Filter for devices as a condition in Conditional Access policy](../conditional-access/concept-condition-filters-for-devices.md)<br>[Azure Virtual Desktop](https://azure.microsoft.com/products/virtual-desktop/) |

-| SC.L2-3.13.4 | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to ensure devices are compliant with system hardening procedures. Include compliance with company policy regarding software patches to prevent attackers from exploiting flaws.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started.md)<br><br>9-20 check split tunneling language. |

-| SC.L2-3.13.13 | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to disable the use of mobile code. Where use of mobile code is required monitor the use with endpoint security such as Microsoft Defender for Endpoint.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started.md)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |

-| SI.L2-3.14.7 | Consolidate telemetry: Azure AD logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM), or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started.md)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |

-| IA.L2-3.5.3 | The following are definitions for the terms used for this control area:<li>**Local Access** - Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.<li>**Network Access** - Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (for example, local area network, wide area network, Internet).<li>**Privileged User** - A user that's authorized (and therefore, trusted) to perform security-relevant functions that ordinary users aren't authorized to perform.<br><br>Breaking down the above requirement means:<li>All users are required MFA for network/remote access.<li>Only privileged users are required MFA for local access. If regular user accounts have administrative rights only on their computers, they're not a ΓÇ£privileged accountΓÇ¥ and don't require MFA for local access.<br><br> You're responsible for configuring Conditional Access to require multifactor authentication. Enable Azure AD Authentication methods that meet AAL2 and above.<br>[Grant controls in Conditional Access policy - Azure Active Directory](/azure/active-directory/conditional-access/concept-conditional-access-grant.md)<br>[Achieve NIST authenticator assurance levels with Azure Active Directory](/azure/active-directory/standards/nist-overview.md)<br>[Authentication methods and features - Azure Active Directory](/azure/active-directory/authentication/concept-authentication-methods.md) |

-| IA.L2-3.5.4 | All Azure AD Authentication methods at AAL2 and above are replay resistant.<br>[Achieve NIST authenticator assurance levels with Azure Active Directory](/azure/active-directory/standards/nist-overview.md) |

-| IA.L2-3.5.6 | Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame.<br><br>**Determine inactivity**<br>[Manage inactive user accounts in Azure AD](/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md)<br>[Manage stale devices in Azure AD](/azure/active-directory/devices/manage-stale-devices.md)<br><br>**Remove or disable accounts**<br>[Working with users in Microsoft Graph](/graph/api/resources/users.md)<br>[Get a user](/graph/api/user-get?tabs=http)<br>[Update user](/graph/api/user-update?tabs=http)<br>[Delete a user](/graph/api/user-delete?tabs=http)<br><br>**Work with devices in Microsoft Graph**<br>[Get device](/graph/api/device-get?tabs=http)<br>[Update device](/graph/api/device-update?tabs=http)<br>[Delete device](/graph/api/device-delete?tabs=http)<br><br>**[Use Azure AD PowerShell](/powershell/module/azuread/)**<br>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser.md)<br>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser.md)<br>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice.md)<br>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice.md) |

-| IA.L2-3.5.9 | An Azure AD user initial password is a temporary single use password that once successfully used is immediately required to be changed to a permanent password. Microsoft strongly encourages the adoption of passwordless authentication methods. Users can bootstrap Passwordless authentication methods using Temporary Access Pass (TAP). TAP is a time and use limited passcode issued by an admin that satisfies strong authentication requirements. Use of passwordless authentication along with the time and use limited TAP completely eliminates the use of passwords (and their reuse).<br>[Add or delete users - Azure Active Directory](/azure/active-directory/fundamentals/add-users-azure-active-directory.md)<br>[Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods](/azure/active-directory/authentication/howto-authentication-temporary-access-pass.md)<br>[Passwordless authentication](/security/business/solutions/passwordless-authentication?ef_id=369464fc2ba818d0bd6507de2cde3d58:G:s&OCID=AIDcmmdamuj0pc_SEM_369464fc2ba818d0bd6507de2cde3d58:G:s&msclkid=369464fc2ba818d0bd6507de2cde3d58) |

-Azure API Management provides you the ability to customize the content of developer portal pages using a set of templates that configure their content. Using [DotLiquid](http://dotliquidmarkup.org/) syntax and the editor of your choice, such as [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers), and a provided set of localized [String resources](api-management-template-resources.md#strings), [Glyph resources](api-management-template-resources.md#glyphs), and [Page controls](api-management-page-controls.md), you have great flexibility to configure the content of the pages as you see fit using these templates.

-Azure API Management provides you the ability to customize the content of developer portal pages using a set of templates that configure their content. Using [DotLiquid](http://dotliquidmarkup.org/) syntax and the editor of your choice, such as [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers), and a provided set of localized [String resources](api-management-template-resources.md#strings), [Glyph resources](api-management-template-resources.md#glyphs), and [Page controls](api-management-page-controls.md), you have great flexibility to configure the content of the pages as you see fit using these templates.

-+ [Template resources](api-management-template-resources.md)

-Templates are used to customize the content of system-generated developer portal pages (for example, API docs, products, user authentication, etc.). Using [DotLiquid](http://dotliquidmarkup.org/) syntax, and a provided set of localized string resources, icons, and page controls, you have great flexibility to configure the content of the pages as you see fit.

-The template editing pane contains the markup that controls the appearance and behavior of the corresponding page in the developer portal. The markup in the template uses the [DotLiquid](http://dotliquidmarkup.org/) syntax. One popular editor for DotLiquid is [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers). Any changes made to the template during editing are displayed in real-time in the browser, but are not visible to your customers until you [save](#to-save-a-template) and [publish](#to-publish-a-template) the template.

-Azure API Management provides you the ability to customize the content of developer portal pages using a set of templates that configure their content. Using [DotLiquid](http://dotliquidmarkup.org/) syntax and the editor of your choice, such as [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers), and a provided set of localized [String resources](api-management-template-resources.md#strings), [Glyph resources](api-management-template-resources.md#glyphs), and [Page controls](api-management-page-controls.md), you have great flexibility to configure the content of the pages as you see fit using these templates.

-Azure API Management provides you the ability to customize the content of developer portal pages using a set of templates that configure their content. Using [DotLiquid](http://dotliquidmarkup.org/) syntax and the editor of your choice, such as [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers), and a provided set of localized [String resources](api-management-template-resources.md#strings), [Glyph resources](api-management-template-resources.md#glyphs), and [Page controls](api-management-page-controls.md), you have great flexibility to configure the content of the pages as you see fit using these templates.

-1. The dropdown list contains all the virtual networks in your subscription in the same region. Select an empty preexisting subnet or create a new subnet.

-# Parameters

-$resourceGroupName = '<group-name>'

-$subscriptionId = '<subscription-guid>'

-# Configure VNet Integration

-$subnetResourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$vNetName/subnets/$integrationSubnetName"

-$webApp = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $resourceGroupName -ResourceName $siteName

-In PowerShell Function Apps, you may optionally have a `profile.ps1` which runs when a function app starts to run (otherwise know as a *[cold start](#cold-start)*. For more information, see [PowerShell profile](#powershell-profile).

- **RHEL/CeonOS**

-³ Also supported on Arm64-based machines.

-

- - The log file must be stored on a local drive of the machine on which Azure Monitor Agent is running.

- - The log file must not allow circular logging, log rotation where the file is overwritten with new entries or renaming where a file is moved and a new file with the same name is opened.

-Open the IIS log on the agent machine to verify logs are in W3C format.

-# Collect data from virtual machines with Azure Monitor Agent

-

- - The log file must be stored on a local drive of the machine on which Azure Monitor Agent is running.

- - Each entry in the log file must be delineated with an end of line.

- - The log file must not allow circular logging, log rotation where the file is overwritten with new entries or renaming where a file is moved and a new file with the same name is opened.

-Since you're charged for any data you collect in a Log Analytics workspace, you should limit data collection from your agent to only the event data that you need. The basic configuration in the Azure portal provides you with a limited ability to filter out events.

-Data is exported without a filter. For example, when you configure a data export rule for a *SecurityEvent* table, all data sent to the *SecurityEvent* table is exported starting from the configuration time.

-The snapshots created by Azure Backup are stored in the resource group within your Azure subscription and incur Snapshot Storage charges. ForTo more details about the snapshot pricing, see [Managed Disk Pricing](https://azure.microsoft.com/pricing/details/managed-disks/). Because the snapshots aren't copied to the Backup Vault, Azure Backup doesn't charge a Protected Instance fee and Backup Storage cost doesn't apply.

-> You can also see all existing transcriptions and their Transcription IDs for a given Speech resource by using [GetTranscriptions](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/GetTranscriptions) request.

-Pronunciation Assessment evaluates three aspects of pronunciation: accuracy, fluency, and completeness. At the bottom of **Assessment result**, you can see **Pronunciation score**, **Accuracy score**, **Fluency score**, and **Completeness score**. The **Pronunciation score** is overall score indicating the pronunciation quality of the given speech. This overall score is aggregated from **Accuracy score**, **Fluency score**, and **Completeness score** with weight.

-# Quickstart: Orchestration workflow (preview)

-This article describes the architectures and methods supported for connecting your Microsoft Defender for IoT OT sensors to the cloud. An integral part of the Microsoft Defender for IoT service is the managed cloud service in Azure that acts as the central security monitoring portal for aggregating security information collected from network monitoring sensors and security agents. In order to ensure the security of IoT/OT at a global scale, the service supports millions of concurrent telemetry sources securely and reliably.

-For more information, see [Choose a sensor connection method](connect-sensors.md#choose-a-sensor-connection-method).

-> To ensure that your network is ready, we recommend that you first run the migration in a lab or testing environment so that you can safely validate your Azure service configurations.

-Microsoft Defender for IoT provides comprehensive protocol support. In addition to embedded protocol support, you can secure IoT and OT devices running proprietary and custom protocols, or protocols that deviate from any standard. Using the Horizon Open Development Environment (ODE) SDK, developers can create dissector plugins that decode network traffic based on defined protocols. Traffic is analyzed by services to provide complete monitoring, alerting, and reporting. Use Horizon to:

-Yes you can! The Microsoft Defender for IoT platform on-premises solution is deployed as a physical or virtual sensor appliance that passively ingests network traffic (via SPAN, RSPAN, or TAP) to analyze, discover, and continuously monitor IT, OT, and IoT networks. For larger enterprises, multiple sensors can aggregate their data to an on-premises management console.

-The Microsoft Defender for IoT sensor connects to a SPAN port or network TAP and immediately begins collecting ICS network traffic via passive (agentless) monitoring. It has zero impact on OT networks since it isnΓÇÖt placed in the data path and doesnΓÇÖt actively scan OT devices.

-You can update your sensor network configuration before or after activation. For more information, see [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md#activate-and-set-up-your-sensor).

-You can also [update the sensor network configuration](how-to-manage-individual-sensors.md#update-the-sensor-network-configuration) after activation.

-You can work with CLI [commands](references-work-with-defender-for-iot-cli-commands.md#network-configuration) to [change network configurations](references-work-with-defender-for-iot-cli-commands.md#network-configuration).

-You can continue to work with Defender for IoT features even if the activation file has expired.

-Following sensor installation, a local self-signed certificate is generated and used to access the sensor web application. When logging in to the sensor for the first time, Administrator users are prompted to provide an SSL/TLS certificate.

- :::image type="content" source="media/how-to-manage-individual-sensors/connection-string-screen.png" alt-text="Copy the connection string from this screen.":::

- `sudo nano /etc/samba/user`

-

-

-

-

-

-

-

- 1. Select **Browse** to select your downloaded backup file. The sensor will start to restore from the selected backup file.

-

- 1. When the restore process is complete, select **Close**.

-Define SMTP mail server settings for the sensor so that you configure the sensor to send data to other servers.

-Make sure you can reach the SMTP server from the [sensor's management port](/best-practices/understand-network-architecture).

-

-This procedure describes how to download a diagnostics log to send to support in connection with a specific support ticket.

-1. Go to the Defender for IoT **Updates** page.

-1. Sign in to the management console.

-1. On the side menu, select **System Settings**.

-1. In the **Select Threat Intelligence Data** section, select the plus sign (**+**).

-

- :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/red-exclamation-example.png" alt-text="Mismatch of enabled engines.":::

-When the default sensor backup location is changed, the on-premises management console automatically retrieves the files from the new location on the sensor or an external location, provided that the console has permission to access the location.

-You can use the on-premises management console to maintain up to nine backups for each managed sensor, provided that the backed-up files don't exceed the maximum backup space that's allocated.

-The available space is calculated based on the management console model you're working with:

-The default allocation is displayed in the **Sensor Backup Schedule** dialog box.

-There's no storage limit when you're backing up to an external server. You must, however, define an upper allocation limit in the **Sensor Backup Schedule** > **Custom Path** field. The following numbers and characters are supported: `/, a-z, A-Z, 0-9, and _`.

-Sensor backup files are automatically named in the following format: `<sensor name>-backup-version-<version>-<date>.tar`. For example: `Sensor_1-backup-version-2.6.0.102-2019-06-24_09:24:55.tar`.

-1. Select a calendar interval, date, and time zone. The time format is based on a 24-hour clock. For example, enter 6:00 PM as **18:00**.

- - To back up to an external server, enable the **Custom Path** toggle and enter a location. The following numbers and characters are supported: `/, a-z, A-Z, 0-9, and, _`.

-1. Select **Save**.

-### Receiving backup notifications for sensors

-Failures might occur because:

-1. Create a shared folder in the external SMB server.

-1. Get the folder path, username, and password required to access the SMB server.

-1. In Defender for IoT, make a directory for the backups:

- ```

-

-1. Edit or create credentials to share. These are the credentials for the SMB server:

-

-

-1. Mount the directory:

-

-

-Use the options on the **Sites and sensor** page and a sensor details page to do any of the following tasks. If you're on the **Sites and sensors** page, select multiple sensors to apply your actions in bulk using toolbar options. For individual sensors, use the **Sites and sensors** toolbar options, the **...** options menu at the right of a sensor row, or the options on a sensor details page.

-| **Download endpoint details** (Public preview) | Available from the **Sites and sensors** toolbar **More actions** menu, for OT sensor versions 22.x only. <br><br>Download the list of endpoints that must be enabled as secure endpoints from OT network sensors. Make sure that HTTPS traffic is enabled over port 443 to the listed endpoints for your sensor to connect to Azure. Outbound allow rules are defined once for all OT sensors onboarded to the same subscription.<br><br>To enable this option, select a sensor with a supported software version, or a site with one or more sensors with supported versions. |

-> [Visualize data](/azure/sentinel/get-visibility.md)

-> [Create custom analytics rules](/azure/sentinel/detect-threats-custom.md)

-> [Investigate incidents](/sentinel/investigate-cases)

-> [Investigate entities](/azure/sentinel/entity-pages.md)

-> [Use playbooks with automation rules](/azure/sentinel/tutorial-respond-threats-playbook.md)

-> Currently, having both the Microsoft Defender for IoT and the [Microsoft Defender for Cloud](/azure/sentinel/data-connectors-reference.md#microsoft-defender-for-cloud) data connectors enabled on the same Microsoft Sentinel workspace simultaneously may result in duplicate alerts in Microsoft Sentinel. We recommend that you disconnect the Microsoft Defender for Cloud data connector before connecting to Microsoft Defender for IoT.

-For more information, see [Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services](/azure/sentinel/connect-azure-windows-microsoft-services.md).

- |**Password** | Select the user type, either **Local** or **Active Directory User**. <br><br>For local users, enter a password for the user. Password requirements include: <br>- At least eight characters<br>- Both lowercase and uppercase alphabetic characters<br>- At least one numbers<br>- At least one symbol<br><br>Local user passwords can only be modified by **Admin** users.|

- |**Domain Controller Port** | The port on which your LDAP is configured. |

-1. Select **Next**. A system-generated password for your sensor appears for you to use for the selected user. Make sure to write the password down as it won't be shown again.

-By default, on-premises users are signed out of their sessions after 30 minutes of inactivity. Admin users can use the local CLI to either turn this feature on or off, or to adjust the inactivity thresholds.

-For more information, see [Work with Defender for IoT CLI commands](references-work-with-defender-for-iot-cli-commands.md).

-description: This article describes Defender for IoT CLI commands for sensors and on-premises management consoles.

-# Work with Defender for IoT CLI commands

-This article describes CLI commands for sensors and on-premises management consoles. The commands are accessible to the following users:

-For more information, see [Default privileged on-premises users](roles-on-premises.md#default-privileged-on-premises-users)..

-To start working in the CLI, connect using a terminal, such as PuTTY, using one of the privileged users.

-## Create local alert exclusion rules

-You can create a local alert exclusion rule by entering the following command into the CLI:

-```azurecli-interactive

-alerts exclusion-rule-create [-h] -n NAME [-ts TIMES] [-dir DIRECTION]

-[-dev DEVICES] [-a ALERTS]

-```

-The following attributes can be used with the alert exclusion rules:

-| Attribute | Description |

-|--|--|

-| [-h] | Prints the help information for the command. |

-| -n NAME | The name of the rule being created. |

-| [-ts TIMES] | The time span for which the rule is active. This should be specified as:<br />`xx:yy-xx:yy`<br />You can define more than one time period by using a comma between them. For example: `xx:yy-xx:yy, xx:yy-xx:yy`. |

-| [-dir DIRECTION] | The direction in which the rule is applied. This should be specified as:<br />`both | src | dst` |

-| [-dev DEVICES] | The IP address and the address type of the devices to be excluded by the rule, specified as:<br />`ip-x.x.x.x`<br />`mac-xx:xx:xx:xx:xx:xx`<br />`subnet: x.x.x.x/x` |

-| [-a ALERTS] | The name of the alert that the rule will exclude:<br />`0x00000`<br />`0x000001` |

-## Append local alert exclusion rules

-You can append local alert exclusion rules by entering the following command in the CLI:

-```azurecli-interactive

-alerts exclusion-rule-append [-h] -n NAME [-ts TIMES] [-dir DIRECTION]

-[-dev DEVICES] [-a ALERTS]

-```

-The attributes used here are the same as the attributes explained in the Create local alert exclusion rules section. The difference in the usage is that here the attributes are applied on the existing rules.

-## Show local alert exclusion rules

-Enter the following command to present the existing list of exclusion rules:

-```azurecli-interactive

-alerts exclusion-rule-list [-h] -n NAME [-ts TIMES] [-dir DIRECTION]

-[-dev DEVICES] [-a ALERTS]

-```

-## Delete local alert exclusion rules

-You can delete an existing alert exclusion rule by entering the following command:

-```azurecli-interactive

-alerts exclusion-rule-remove [-h] -n NAME [-ts TIMES] [-dir DIRECTION]

-[-dev DEVICES] [-a ALERTS]

-```

-The following attribute can be used with the alert exclusion rules:

-| Attribute | Description|

-| | - |

-| -n NAME | The name of the rule to be deleted. |

-## Sync time from the NTP server

-You can enable, or disable a time sync from a specified NTP server.

-### Enable NTP sync

-Enter the following command to periodically retrieve the time from the specified NTP server:

-```azurecli-interactive

-ntp enable IP

-```

-The attribute that you can define within the command is the IP address of the NTP server.

-### Disable NTP sync

-Enter the following command to disable the time sync with the specified NTP server:

-```azurecli-interactive

-ntp disable IP

-```

-The attribute that you can define within the command is the IP address of the NTP server.

-## Network configuration

-The following table describes the commands available to configure your network options for Microsoft Defender for IoT:

-|Name|Command|Description|

-|--|-|--|

-|Ping|`ping IP`| Ping an address outside the Defender for IoT platform.|

-|Blink|`network blink`| Locate a connection by causing the interface lights to blink. |

-|Reconfigure the network |`network edit-settings`| Enable a change in the network configuration parameters. |

-|Show network settings |`network list`|Displays the network adapter parameters. |

-|Validate the network configuration |`network validate` |Presents the output network settings. <br /> <br />For example: <br /> <br />Current Network Settings: <br /> interface: eth0 <br /> ip: 10.100.100.1 <br />subnet: 255.255.255.0 <br />default gateway: 10.100.100.254 <br />dns: 10.100.100.254 <br />monitor interfaces: eth1|

-|Import a certificate |`certificate import FILE` |Imports the HTTPS certificate. You'll need to specify the full path, which leads to a \*.crt file. |

-|Show the date |`date` |Returns the current date on the host in GMT format. |

-## Network capture filter configuration

-The `network capture-filter` command allows administrators to eliminate network traffic that doesn't need to be analyzed. You can filter traffic by using an include list, or an exclude list. This command doesn't support the malware detection engine.

-```azurecli-interactive

-network capture-filter

-```

-After you enter the command, you'll be prompted with the following question:

->`Would you like to supply devices and subnet masks you wish to include in the capture filter? [Y/N]:`

-Select `Y` to open a nano file where you can add a device, channel, port, and subset according to the following syntax:

-| Attribute | Description |

-|--|--|

-| 1.1.1.1 | Includes all of the traffic for this device. |

-| 1.1.1.1,2.2.2.2 | Includes all of the traffic for this channel. |

-| 1.1.1,2.2.2 | Includes all of the traffic for this subnet. |

-Separate arguments by dropping a row.

-When you include a device, channel, or subnet, the sensor processes all the valid traffic for that argument, including ports and traffic that wouldn't usually be processed.

-You'll then be asked the following question:

->`Would you like to supply devices and subnet masks you wish to exclude from the capture filter? [Y/N]:`

-Select `Y` to open a nano file where you can add a device, channel, port, and subsets according to the following syntax:

-| Attribute | Description |

-|--|--|

-| 1.1.1.1 | Excludes all the traffic for this device. |

-| 1.1.1.1,2.2.2.2 | Excludes all the traffic for this channel, meaning all the traffic between two devices. |

-| 1.1.1.1,2.2.2.2,443 | Excludes all the traffic for this channel by port. |

-| 1.1.1 | Excludes all the traffic for this subnet. |

-| 1.1.1,2.2.2 | Excludes all the traffic for between subnets. |

-Separate arguments by dropping a row.

-When you exclude a device, channel, or subnet, the sensor will exclude all the valid traffic for that argument.

-### Ports

-Include or exclude UDP and TCP ports for all the traffic.

->`502`: single port

->`502,443`: both ports

->`Enter tcp ports to include (delimited by comma or Enter to skip):`

->`Enter udp ports to include (delimited by comma or Enter to skip):`

->`Enter tcp ports to exclude (delimited by comma or Enter to skip):`

->`Enter udp ports to exclude (delimited by comma or Enter to skip):`

-### Components

-You're asked the following question:

->`In which component do you wish to apply this capture filter?`

-Your options are:ΓÇ»`all`, `dissector`, `collector`, `statistics-collector`, `rpc-parser`, or `smb-parser`.

-In most common use cases, we recommend that you select `all`. Selecting `all` doesn't include the malware detection engine, which isn't supported by this command.

-### Custom base capture filter

-The base capture filter is the baseline for the components. For example, the filter determines which ports are available to the component.

-Select `Y` for all of the following options. All of the filters are added to the baseline after the changes are set. If you make a change, it will overwrite the existing baseline.

->`Would you like to supply a custom base capture filter for the dissector component? [Y/N]:`

->`Would you like to supply a custom base capture filter for the collector component? [Y/N]:`

->`Would you like to supply a custom base capture filter for the statistics-collector component? [Y/N]:`

->`Would you like to supply a custom base capture filter for the rpc-parser component? [Y/N]:`

->`Would you like to supply a custom base capture filter for the smb-parser component? [Y/N]:`

->`Type Y for "internal" otherwise N for "all-connected" (custom operation mode enabled) [Y/N]:`

-If you choose to exclude a subnet such as 1.1.1:

-We recommend that you select `internal`.

-> Your choices are used for all the filters in the tool and are not session dependent. In other words, you can't ever choose `internal` for some filters and `all-connected` for others.

-### Comments

-You can view filters inΓÇ»```/var/cyberx/properties/cybershark.properties```:

-You can restore the default configuration by entering the following code for the cyberx user:

-```azurecli-interactive

-sudo cyberx-xsense-capture-filter -p all -m all-connected

-```

-## Define client and server hosts

-If Defender for IoT didn't automatically detect the client, and server hosts, enter the following command to set the client and server hosts:

-```azurecli-interactive

-directions [-h] [--identifier IDENTIFIER] [--port PORT] [--remove] [--add]

-[--tcp] [--udp]

-```

-You can use the following attributes with the `directions` command:

-| Attribute | Description |

-|--|--|

-| [-h] | Prints help information for the command. |

-| [--identifier IDENTIFIER] | The server identifier. |

-| [--port PORT] | The server port. |

-| [--remove] | Removes a client or server host from the list. |

-| [--add] | Adds a client or server host to the list. |

-| [--tcp] | Use TCP when communicating with this host. |

-| [--udp] | Use UDP when communicating with this host. |

-## System actions

-The following table describes the commands available to perform various system actions within Defender for IoT:

-|Name|Code|Description|

-|-|-|--|

-|Show the date|`date`|Returns the current date on the host in GMT format.|

-|Reboot the host|`system reboot`|Reboots the host device.|

-|Shut down the host|`system shutdown`|Shuts down the host.|

-|Back up the system|`system backup`|Initiates an immediate backup (an unscheduled backup).|

-|Restore the system from a backup|`system restore`|Restores from the most recent backup.|

-|List the backup files|`system backup-list`|Lists the available backup files.|

-|Display the status of all Defender for IoT platform services|`system sanity`|Checks the performance of the system by listing the current status of all Defender for IoT platform services.|

-|Show the software version|`system version`|Displays the version of the software currently running on the system.|

-## Deploy SSL and TLS certificates to appliances

-Enter the following command to import SSL and TLS enterprise certificates into the CLI:

-```azurecli-interactive

-cyberx-xsense-certificate-import

-```

-To use the tool, you need to upload the certificate files to the device. You can do this through tools such as WinSCP or Wget.

-The command supports the following input flags:

-| Flag | Description |

-|--|--|

-| -h | Shows the command-line help syntax. |

-| --crt | The path to the certificate file (.crt extension). |

-| --key | The \*.key file. Key length should be a minimum of 2,048 bits. |

-| --chain | Path to the certificate chain file (optional). |

-| --pass | Passphrase used to encrypt the certificate (optional). |

-| --passphrase-set | The default is **False**, **unused**. <br />Set to **True** to use the previous passphrase supplied with the previous certificate (optional). |

-When you're using the tool:

-## Sign out of a support shell

-You're automatically signed out of an SSH session after an inactive period of 300 seconds.

-To sign out of your session manually, enter the following command:

-```azurecli-interactive

-logout

-```

-## Next steps

-For more information, see [Defender for IoT API sensor and management console APIs](references-work-with-defender-for-iot-apis.md).

-# [From each sensor](#tab/sensor)

-This procedure describes how to manually download the new sensor software version and then run your update directly on the sensor console.

-**To update sensor software directly from the sensor console**:

-* [Azure DNS private zones SDK](/dotnet/api/overview/azure/privatedns/management)

-* Learn about some of the other key [networking capabilities](../networking/fundamentals/networking-overview.md) of Azure.

-Manifest-based file ingestion provides end-users and systems a robust mechanism for loading metadata in Microsoft Energy Data Services Preview instance. A manifest is a JSON document that has a pre-determined structure for capturing entities that conform to the [OSDU&trade;](https://osduforum.org/) Well-known Schema (WKS) definitions.

-Manifest-based file ingestion doesn't understand the contents of the file or doesn't parse the file. It just creates a metadata record for the file and makes it searchable. It doesn't infer or does anything on top of the file.

-## Understanding the manifest

-The manifest schema has containers for the following entities

-## Manifest-based file ingestion workflow steps

-1. A manifest is submitted to the Workflow Service using the manifest ingestion workflow name (for example, "Osdu_ingest")

-2. Once the request is validated and the user authorization is complete, the workflow service will load and initiate the manifest ingestion workflow.

-3. The first step is to check the syntax of the manifest.

- 1. Retrieve the **kind** property of the manifest

- 2. Retrieve the **schema definition** from the Schema service for the manifest kind

- 3. Validate that the manifest is syntactically correct according to the manifest schema definitions.

- 4. For each Reference data, Master data, Work Product, Work Product Component, and Dataset, do the following activities:

- 1. Retrieve the **kind** property.

- 2. Retrieve the **schema definition** from the Schema service for the kind

- 3. Validate that the entity is syntactically correct according to the schema definition and submits the manifest to the Workflow Service

- 4. Validate that mandatory attributes exist in the manifest

- 5. Validate that all property values follow the patterns defined in the schemas

- 6. Validate that no extra properties are present in the manifest

- 5. Any entity that doesn't pass the syntax check is rejected

-4. The content is checked for a series of validation rules

- 1. Validation of referential integrity between Work Product Components and Datasets

- 1. There are no orphan Datasets defined in the WP (each Dataset belongs to a WPC)

- 2. Each Dataset defined in the WPC is described in the WP Dataset block

- 3. Each WPC is linked to at least

- 2. Validation that referenced parent data exists

- 3. Validation that Dataset file paths aren't empty

-5. Process the contents into storage

- 1. Write each valid entity into the data platform via the Storage API

- 2. Capture the ID generated to update surrogate-keys where surrogate-keys are used

-6. Workflow exits

-## Manifest ingestion components

-* **Workflow Service** is a wrapper service on top of the Airflow workflow engine, which orchestrates the ingestion workflow. Airflow is the chosen workflow engine by the [OSDU&trade;](https://osduforum.org/) community to orchestrate and run ingestion workflows. Airflow isn't directly exposed to clients, instead its features are accessed through the workflow service.

-* **File Service** is used to upload files, file collections, and other types of source data to the data platform.

-* **Storage Service** is used to save the manifest records into the data platform.

-* **Airflow engine** is the workflow engine that executes DAGs (Directed Acyclic Graphs).

-* **Schema Service** stores schemas used in the data platform. Schemas are being referenced during the Manifest-based file ingestion.

-* **Entitlements Service** manages access groups. This service is used during the ingestion for verification of ingestion permissions. This service is also used during the metadata record retrieval for validation of "read" writes.

-## Manifest ingestion workflow sequence

-You can have a maximum of 200 IP Groups per firewall with a maximum 5000 individual IP addresses or IP prefixes per each IP Group.

-* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

-* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

-You are now ready to run the applications.

-* You must have a MLflow model registered in your workspace. Particularly, this example will register a model trained for the [Diabetes dataset](https://www4.stat.ncsu.edu/~boos/var.select/diabetes.html).

-# [Python](#tab/sdk)

-# [Python](#tab/sdk)

-# [Python](#tab/sdk)

- # [Python](#tab/sdk)

- # [Python](#tab/sdk)

- # [Python](#tab/sdk)

- # [Python](#tab/sdk)

- Once created, we need to set the traffic to this deployment.

- endpoint.traffic = {blue_deployment.name: 100}

- ml_client.begin_create_or_update(endpoint)

-Once your deployment completes, your deployment is ready to serve request. One of the easier ways to test the deployment is by using a sample request file along with the `invoke` method.

-# [Python](#tab/sdk)

- deployment_name=deployment.name,

- # [Python](#tab/sdk)

- # [Python](#tab/sdk)

- # [Python](#tab/sdk)

-# [Python](#tab/sdk)

- ```azurecli

- ```

- )

-

- sample_request = { "input_data": json.loads(samples.to_json(orient="split", index=False)) }

- Get the scoring URI:

- ```python

- scoring_uri = deployment_client.get_endpoint(endpoint=endpoint_name)["properties"]["scoringUri"]

- ```

-

- Let's create the headers:

- ```python

- headers = {

- 'Content-Type':'application/json',

- 'Authorization':('Bearer '+ endpoint_secret_key),

- }

- ```

- Call the endpoint and its default deployment:

- req = requests.post(scoring_uri, json=sample_request, headers=headers)

- req.json()

-You can inspect the model signature of your model by opening the MLmodel file associated with your MLflow model. For more details about how signatures work in MLflow see [Signatures in MLflow](concept-mlflow-models.md#signatures).

-For more information about MLflow built-in deployment tools see [MLflow documentation section](https://www.mlflow.org/docs/latest/models.html#built-in-deployment-tools).

-You may be used to author scoring scripts to customize how inference is executed for your models. This is particularly the case when you are using features like `autolog` in MLflow that automatically log models for you as the best of the knowledge of the framework. However, you may need to run inference in a different way.

-For those cases, you can either [change how your model is being logged in the training routine](#change-how-your-model-is-logged-during-training) or [customize inference with a scoring script](#customize-inference-with-a-scoring-script)

-When you log a model using either `mlflow.autolog` or using `mlflow.<flavor>.log_model`, the flavor used for the model decides how inference should be executed and what gets returned by the model. MLflow doesn't enforce any specific behavior in how the `predict()` function generates results. There are scenarios where you probably want to do some pre-processing or post-processing before and after your model is executed.

-A solution to this scenario is to implement machine learning pipelines that moves from inputs to outputs directly. Although this is possible (and sometimes encourageable for performance considerations), it may be challenging to achieve. For those cases, you probably want to [customize how your model does inference using a custom models](how-to-log-mlflow-models.md?#logging-custom-models).

-If you want to customize how inference is executed for MLflow models (or opt-out for no-code deployment) you can refer to [Customizing MLflow model deployments (Online Endpoints)](how-to-deploy-mlflow-models-online-endpoints.md#customizing-mlflow-model-deployments) and [Customizing MLflow model deployments (Batch Endpoints)](how-to-mlflow-batch.md#customizing-mlflow-models-deployments-with-a-scoring-script).

-> When you opt-in to indicate a scoring script, you also need to provide an environment for deployment.

-> * [Soft delete for blobs](/azure/storage/soft-delete-blob-overview.md).

-Learn more about [Managing a workspace](how-to-manage-workspace.md).

-# Replicate data into Azure Database for MySQL Flexible Server

-> [!Note]

-> Configuring Data-in replication for zone-redundant high availability servers is not supported.

-The [*mysql system database*](https://dev.mysql.com/doc/refman/5.7/en/system-schema.html) on the source server isn't replicated. In addition, changes to accounts and permissions on the source server aren't replicated. If you create an account on the source server and this account needs to access the replica server, manually create the same account on the replica server. To understand what tables are contained in the system database, see the [MySQL manual](https://dev.mysql.com/doc/refman/5.7/en/system-schema.html).

-### Data-in replication not supported on HA enabled servers

-It is not supported to configure Data-in replication for servers which have high availability (HA) option enabled. On HA enabled servers, the stored procedures for replication `mysql.az_replication_*` won't be available.

-> [!Tip]

->If you are using HA server as a source server, MySQL native binary log (binlog) file position-based replication would fail, when failover happens on the server. If replica server supports GTID based replication, we should configure GTID based replication.

-### Filtering

-Modifying the parameter `replicate_wild_ignore_table` used to create replication filter for tables, is currently not supported for Azure Database for MySQL -Flexible server.

-# How to configure Azure Database for MySQL Flexible Server Data-in replication

-> [!NOTE]

-2. Create the same user accounts and corresponding privileges.

-2. Networking Requirements

- * If private access is in use, make sure that you have connectivity between Source server and the Vnet in which the replica server is hosted.

-

-3. Turn on binary logging.

- If `log_bin` is returned with the value "OFF" and your source server is running on-premises or on virtual machines where you can access the configuration file (my.cnf), you can follow the steps below:

- 2. Open the configuration file to edit it and locate **mysqld** section in the file.

- 3. In the mysqld section, add following line:

- 4. Restart the MySQL service on source server (or Restart) for the changes to take effect.

- 5. After the server is restarted, verify that binary logging is enabled by running the same query as before:

-4. Configure the source server settings.

-5. Create a new replication role and set up permission.

- **SQL Command**

- *Replication with SSL*

- To require SSL for all user connections, use the following command to create a user:

- ```sql

- CREATE USER 'syncuser'@'%' IDENTIFIED BY 'yourpassword';

- GRANT REPLICATION SLAVE ON *.* TO ' syncuser'@'%' REQUIRE SSL;

- ```

- *Replication without SSL*

- If SSL isn't required for all connections, use the following command to create a user:

- ```sql

- CREATE USER 'syncuser'@'%' IDENTIFIED BY 'yourpassword';

- GRANT REPLICATION SLAVE ON *.* TO ' syncuser'@'%';

- ```

- **MySQL Workbench**

- To create the replication role in MySQL Workbench, open the **Users and Privileges** panel from the **Management** panel, and then select **Add Account**.

- :::image type="content" source="./media/how-to-data-in-replication/users-privileges.png" alt-text="Users and Privileges":::

- Type in the username into the **Login Name** field.

- :::image type="content" source="./media/how-to-data-in-replication/sync-user.png" alt-text="Sync user":::

- Select the **Administrative Roles** panel and then select **Replication Slave** from the list of **Global Privileges**. Then select **Apply** to create the replication role.

- :::image type="content" source="./media/how-to-data-in-replication/replication-slave.png" alt-text="Replication Slave":::

-6. Set the source server to read-only mode.

- Before starting to dump out the database, the server needs to be placed in read-only mode. While in read-only mode, the source will be unable to process any write transactions. Evaluate the impact to your business and schedule the read-only window in an off-peak time if necessary.

- ```sql

- FLUSH TABLES WITH READ LOCK;

- SET GLOBAL read_only = ON;

- ```

-7. Get binary log file name and offset.

- Run the [`show master status`](https://dev.mysql.com/doc/refman/5.7/en/show-master-status.html) command to determine the current binary log file name and offset.

- ```sql

- show master status;

- ```

- The results should appear similar to the following. Make sure to note the binary file name for use in later steps.

- :::image type="content" source="./media/how-to-data-in-replication/master-status.png" alt-text="Master Status Results":::

-3. Set source server to read/write mode.

-4. Restore dump file to new server.

->[!Note]

->* If you want to avoid setting the database to read only when you dump and restore, you can use [mydumper/myloader](../concepts-migrate-mydumper-myloader.md).

-

- It's recommended to pass this parameter in as a variable. For more information, see the following examples.

- > [!NOTE]

- > * If you used mydumper/myloader to dump the database then you can get the master_log_file and master_log_pos from the */backup/metadata* file.

-2. Start replication.

-3. Check replication status.

- To know the correct status of replication, please refer to replication metrics - **Replica IO Status** and **Replica SQL Status** under monitoring blade.

-

- If the `Seconds_Behind_Master` is "0", replication is working well. `Seconds_Behind_Master` indicates how late the replica is. If the value isn't "0", it means that the replica is processing updates.

-# Quickstart: Use the Azure portal to create an Azure Database for MySQL flexible server

-description: Learn how to create an Azure Network Watcher in an Azure region by using the Azure portal or other technologies, and how to delete a Network Watcher.

-When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. There's no impact to your resources or associated charge for automatically enabling Network Watcher.

-#### Opt-out of Network Watcher automatic enablement

-> Opting-out of Network Watcher automatic enablement is a permanent change. Once you opt-out, you cannot opt-in without contacting [support](https://azure.microsoft.com/support/options/).

-1. Log into the [Azure portal](https://portal.azure.com) with an account that has the necessary permissions.

-2. Select **More services**.

-3. In the **All services** screen, enter **Network Watcher** in the **Filter services** search box and select it from the search result.

-You can select all the subscriptions you want to enable Network Watcher for. This action creates a Network Watcher in every region that is available.

-

-When you enable Network Watcher using the portal, the name of the Network Watcher instance is automatically set to *NetworkWatcher_region_name* where *region_name* corresponds to the Azure region where the instance is enabled. For example, a Network Watcher enabled in the West Central US region is named *NetworkWatcher_westcentralus*.

-If you wish to customize the name of a Network Watcher instance and the resource group it's placed into, you can use PowerShell, the Azure CLI, the REST API, or ARMClient methods described in the sections that follow. In each option, the resource group must exist before you create a Network Watcher in it.

-## Create a Network Watcher with PowerShell

-To create an instance of Network Watcher, run the following example:

-```powershell

-New-AzNetworkWatcher -Name "NetworkWatcher_westcentralus" -ResourceGroupName "NetworkWatcherRG" -Location "West Central US"

-## Create a Network Watcher with the Azure CLI

-To create an instance of Network Watcher, run the following example:

-```azurecli

-## Create a Network Watcher with the REST API

-The ARMclient is used to call the REST API using PowerShell. The ARMClient is found on chocolatey at [ARMClient on Chocolatey](https://chocolatey.org/packages/ARMClient)

-### Log in with ARMClient

-$apiversion = "2016-09-01"

-To create an instance of Network Watcher, refer this [Quickstart Template](https://azure.microsoft.com/resources/templates/networkwatcher-create/)

-## Delete a Network Watcher in the portal

-1. Navigate to **All Services** > **Networking** > **Network Watcher**.

-2. Select the overview tab, if you're not already there. Use the dropdown to select the subscription you want to disable network watcher in.

-3. Expand the list of locations for your chosen subscription by selecting on the arrow. For any given, use the 3 dots on the right to access the context menu.

-4. Select **Disable network watcher** to start disabling. You'll be asked to confirm this step. Select **Yes** to continue.

-On the portal, you'll have to do this individually for every region in every subscription.

-## Delete a Network Watcher with PowerShell

-To delete an instance of Network Watcher, run the following example:

-```powershell

-New-AzResourceGroup -Name NetworkWatcherRG -Location westcentralus

-New-AzNetworkWatcher -Name NetworkWatcher_westcentralus -ResourceGroupName NetworkWatcherRG -Location westcentralus

-Remove-AzNetworkWatcher -Name NetworkWatcher_westcentralus -ResourceGroupName NetworkWatcherRG

-Now that you have an instance of Network Watcher, learn about the features available:

-* [Topology](./view-network-topology.md)

-* [Virtual Network Gateway troubleshooting](network-watcher-troubleshoot-overview.md)

- - You must have **python 2.7** or **3** installed on the Linux machine.<br>Use the `python --version` or `python3 --version` command to check.

-For more information, see the [MDTI portal](https://ti.defender.microsoft.com) and [What is Microsoft Defender Threat Intelligence?](/../../defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md)

- client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>">);

- client = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>">);

-> * Verify that the Azure account has replication permissions.

-> Tutorials show you the simplest deployment path for a scenario. They use default options where possible, and don't show all possible settings and paths. For detailed instructions, review the article in the How To section of the Site Recovery Table of Contents.

-> [!NOTE]

-> Some of the concepts of using Azure Site Recovery for Azure VMware Solution overlap with disaster recovery of on-prem VMware VMs and hence documentation will be cross-referenced accordingly.

-## Before you start

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin. Then sign in to the [Azure portal](https://portal.azure.com).

-## Verify account permissions

-## Create a Recovery Services vault

-1. From the Azure portal menu, select **Create a resource**, and search the Marketplace for **Recovery**.

-2. Select **Backup and Site Recovery** from the search results, and in the Backup and Site Recovery page, click **Create**.

-3. In the **Create Recovery Services vault** page, select the **Subscription**. We're using **Contoso Subscription**.

-4. In **Resource group**, select an existing resource group or create a new one. For this tutorial we're using **contosoRG**.

-5. In **Vault name**, enter a friendly name to identify the vault. For this set of tutorials we're using **ContosoVMVault**.

-6. In **Region**, select the region in which the vault should be located. We're using **West Europe**.

-7. Select **Review + create**.

- 

- The new vault will now be listed in **Dashboard** > **All resources**, and on the main **Recovery Services vaults** page.

-## Set up an Azure network

- Azure VMware Solution VMs are replicated to Azure managed disks. When failover occurs, Azure VMs are created from these managed disks, and joined to the Azure network you specify in this procedure.

-1. In the [Azure portal](https://portal.azure.com), select **Create a resource** > **Networking** > **Virtual network**.

-2. Keep **Resource Manager** selected as the deployment model.

-3. In **Name**, enter a network name. The name must be unique within the Azure resource group. We're using **ContosoASRnet** in this tutorial.

-4. In **Address space**, enter the virtual network's address range in CDR notation. We're using **10.1.0.0/24**.

-5. In **Subscription**, select the subscription in which to create the network.

-6. Specify the **Resource group** in which the network will be created. We're using the existing resource group **contosoRG**.

-7. In **Location**, select the same region as that in which the Recovery Services vault was created. In our tutorial it's **West Europe**. The network must be in the same region as the vault.

-8. In **Address range**, enter the range for the network. We're using **10.1.0.0/24**, and not using a subnet.

-9. We're leaving the default options of basic DDoS protection, with no service endpoint, or firewall on the network.

-9. Select **Create**.

- 

-The virtual network takes a few seconds to create. After it's created, you'll see it in the Azure portal dashboard.

-> [!div class="nextstepaction"]

-> [Prepare infrastructure](avs-tutorial-prepare-avs.md)

-> * Verify that your Azure account has replication permissions.

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin.

-The new vault appears on **Dashboard** > **All resources**, and on the main **Recovery Services vaults** page.

- :::image type="Protection state" source="media/tutorial-prepare-azure/create-network.png" alt-text="Screenshot of the Create virtual network options.":::

-1. In **Create storage account** page, under the **IP addresses** tab, do the following:

- :::image type="content" source="./media/tutorial-prepare-azure/new-vault-settings.png" alt-text="Screenshot of the Create Recovery Services vault page.":::

- :::image type="Protection state" source="media/tutorial-prepare-azure/create-network.png" alt-text="Screenshot of the Create virtual network options.":::

-1. In **Create storage account** page, under the **IP addresses** tab, do the following:

- :::image type="Protection state" source="media/tutorial-prepare-azure/delete-ip-address.png" alt-text="Screenshot of the delete address space.":::

- :::image type="Protection state" source="media/tutorial-prepare-azure/add-ip-address-space.png" alt-text="Screenshot of the adding IP.":::

- :::image type="Content" source="media/tutorial-prepare-azure/homepage-ip-address.png" alt-text="Screenshot of the add virtual network options.":::

-> This tutorial requires you to [use a function to assign roles](authentication-authorization.md?tabs=function#role-management). Function-based role management is currently in preview.

-description: Learn to use different authorization providers to secure your static app.

-# Authentication and authorization for Azure Static Web Apps

-Azure Static Web Apps provides a streamlined authentication experience. By default, you have access to a series of pre-configured providers, or the option to [register a custom provider](./authentication-custom.md).

- - To restrict an authentication provider, [block access](#block-an-authentication-provider) with a custom route rule. Configuring a custom provider also disables pre-configured providers.

- - Azure Active Directory¹

- - GitHub

- - Twitter

-¹ The preconfigured Azure Active Directory provider allows any Microsoft Account to sign in. To restrict login to a specific Active Directory tenant, configure a [custom Azure Active Directory provider](authentication-custom.md?tabs=aad).

-The subjects of authentication and authorization significantly overlap with routing concepts, which are detailed in the [application configuration guide](configuration.md#routes).

-## System folder

-Azure Static Web Apps uses the `/.auth` system folder to provide access to authorization-related APIs. Rather than exposing any of the routes under the `/.auth` folder directly to end users, consider creating [routing rules](configuration.md#routes) to create friendly URLs.

-## Login

-| Authorization provider | Login route |

-| Azure Active Directory | `/.auth/login/aad` |

-For example, to log in with GitHub you could include a link like the following snippet:

-If you chose to support more than one provider, then you need to expose a provider-specific link for each on your website.

-You can use a [route rule](./configuration.md#routes) to map a default provider to a friendly route like _/login_.

-### Post login redirect

-If you want a user to return to a specific page after login, provide a full qualified URL in `post_login_redirect_uri` query string parameter.

-For example:

-Additionally, you can redirect unauthenticated users back to the referring page after they log in. To configure this behavior, create a [response override](configuration.md#response-overrides) rule that sets `post_login_redirect_uri` to `.referrer`.

-For example:

-## Logout

-The `/.auth/logout` route logs users out from the website. You can add a link to your site navigation to allow the user to log out as shown in the following example.

-You can use a [route rule](./configuration.md#routes) to map a friendly route like _/logout_.

-### Post logout redirect

-If you want a user to return to a specific page after logout, provide a URL in `post_logout_redirect_uri` query string parameter.

-You may want to restrict your app from using an authentication provider. For instance, your app may want to standardize only on [providers that expose email addresses](#provider-user-details).

-## Roles

-Every user who accesses a static web app belongs to one or more roles. There are two built-in roles that users can belong to:

-Beyond the built-in roles, you can assign custom roles to users, and reference them in the _staticwebapp.config.json_ file.

-## Role management

-# [Invitations](#tab/invitations)

-### Add a user to a role

-To add a user to a role, you generate invitations that allow you to associate users to specific roles. Roles are defined and maintained in the _staticwebapp.config.json_ file.

-<a name="invitations" id="invitations"></a>

-#### Create an invitation

-Invitations are specific to individual authorization-providers, so consider the needs of your app as you select which providers to support. Some providers expose a user's email address, while others only provide the site's username.

-<a name="provider-user-details" id="provider-user-details"></a>

-| Authorization provider | Exposes a user's |

-| - | - |

-| Azure Active Directory | email address |

-| GitHub | username |

-| Twitter | username |

-1. Go to a Static Web Apps resource in the [Azure portal](https://portal.azure.com).

-1. Under _Settings_, select **Role Management**.

-2. Select **Invite**.

-3. Select an _Authorization provider_ from the list of options.

-4. Add either the username or email address of the recipient in the _Invitee details_ box.

- - For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.

-5. Select the domain of your static site from the _Domain_ drop-down.

- - The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.

-6. Add a comma-separated list of role names in the _Role_ box.

-7. Enter the maximum number of hours you want the invitation to remain valid.

- - The maximum possible limit is 168 hours, which is 7 days.

-8. Select **Generate**.

-9. Copy the link from the _Invite link_ box.

-10. Email the invitation link to the person you're granting access to your app.

-When the user selects the link in the invitation, they're prompted to log in with their corresponding account. Once successfully logged-in, the user is associated with the selected roles.

-> [!CAUTION]

-> Make sure your route rules don't conflict with your selected authentication providers. Blocking a provider with a route rule would prevent users from accepting invitations.

-### Update role assignments

-1. Go to a Static Web Apps resource in the [Azure portal](https://portal.azure.com).

-1. Under _Settings_, select **Role Management**.

-2. Select the user in the list.

-3. Edit the list of roles in the _Role_ box.

-4. Select **Update**.

-### Remove user

-1. Go to a Static Web Apps resource in the [Azure portal](https://portal.azure.com).

-1. Under _Settings_, select **Role Management**.

-1. Locate the user in the list.

-1. Check the checkbox on the user's row.

-2. Select **Delete**.

-As you remove a user, keep in mind the following items:

-1. Removing a user invalidates their permissions.

-1. Worldwide propagation may take a few minutes.

-1. If the user is added back to the app, the [`userId` changes](user-information.md).

-# [Function (preview)](#tab/function)

-Instead of using the built-in invitations system, you can use a serverless function to programmatically assign roles to users when they log in.

-To assign custom roles in a function, you can define an API function that is automatically called after each time a user successfully authenticates with an identity provider. The function is passed the user's information from the provider. It must return a list of custom roles that are assigned to the user.

-Example uses of this function include:

-> [!NOTE]

-> The ability to assign roles via a function is only available when [custom authentication](authentication-custom.md) is configured.

->

-> When this feature is enabled, any roles assigned via the built-in invitations system are ignored.

-### Configure a function for assigning roles

-To configure Static Web Apps to use an API function as the role assignment function, add a `rolesSource` property to the `auth` section of your app's [configuration file](configuration.md). The value of the `rolesSource` property is the path to the API function.

-```json

-{

- "auth": {

- "rolesSource": "/api/GetRoles",

- "identityProviders": {

- // ...

- }

- }

-}

-```

-> [!NOTE]

-> Once configured, the role assignment function can no longer be accessed by external HTTP requests.

-### Create a function for assigning roles

-After defining the `rolesSource` property in your app's configuration, add an [API function](apis-functions.md) in your static web app at the path you specified. You can use a managed function app or a bring your own function app.

-Each time a user successfully authenticates with an identity provider, the specified function is called via the POST method. The function is passed a JSON object in the request body that contains the user's information from the provider. For some identity providers, the user information also includes an `accessToken` that the function can use to make API calls using the user's identity.

-This is an example payload from Azure Active Directory:

-```json

-{

- "identityProvider": "aad",

- "userId": "72137ad3-ae00-42b5-8d54-aacb38576d76",

- "userDetails": "ellen@contoso.com",

- "claims": [

- {

- "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",

- "val": "ellen@contoso.com"

- },

- {

- "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",

- "val": "Contoso"

- },

- {

- "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",

- "val": "Ellen"

- },

- {

- "typ": "name",

- "val": "Ellen Contoso"

- },

- {

- "typ": "http://schemas.microsoft.com/identity/claims/objectidentifier",

- "val": "7da753ff-1c8e-4b5e-affe-d89e5a57fe2f"

- },

- {

- "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",

- "val": "72137ad3-ae00-42b5-8d54-aacb38576d76"

- },

- {

- "typ": "http://schemas.microsoft.com/identity/claims/tenantid",

- "val": "3856f5f5-4bae-464a-9044-b72dc2dcde26"

- },

- {

- "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",

- "val": "ellen@contoso.com"

- },

- {

- "typ": "ver",

- "val": "1.0"

- }

- ],

- "accessToken": "eyJ0eXAiOiJKV..."

-}

-```

-The function can use the user's information to determine which roles to assign to the user. It must return an HTTP 200 response with a JSON body containing a list of custom role names to assign to the user.

-For example, to assign the user to the `Reader` and `Contributor` roles, return the following response:

-```json

-{

- "roles": [

- "Reader",

- "Contributor"

- ]

-}

-```

-If you do not want to assign any additional roles to the user, return an empty `roles` array.

-To learn more, see [Tutorial: Assign custom roles with a function and Microsoft Graph](assign-roles-microsoft-graph.md).

-## Remove personal identifying information

-When you grant consent to an application as an end user, the application has access to your email address or your username depending on the identity provider. Once this information is provided, the owner of the application decides how to manage personally identifying information.

-To remove personally identifying information from the Azure Static Web Apps platform, and prevent the platform from providing this information on future requests, submit a request using the URL:

-To prevent the platform from providing this information on future requests to individual apps, submit a request to the following URL:

-Note that if you are using Azure Active Directory, use `aad` as the value for the `<AUTHENTICATION_PROVIDER_NAME>` placeholder.

-## Restrictions

-See the [Quotas article](quotas.md) for general restrictions and limitations.

-> [Access user authentication and authorization data](user-information.md)

-* [Default authentication providers](authentication-authorization.md#login), don't require settings in the configuration file.

-| [Assign custom roles with a function](authentication-authorization.md?tabs=function#role-management) | - | Γ£ö |

-| Authorization (custom roles) | Maximum of 25 end-users that may belong to custom roles via [invitations](authentication-authorization.md?tabs=invitations#role-management) | Maximum of 25 end-users that may belong to custom roles via [invitations](authentication-authorization.md?tabs=invitations#role-management), or unlimited end-users that may be assigned custom roles via [serverless function](authentication-authorization.md?tabs=function#role-management) |

-1. In the first cell of the python notebook, set the value of the `storage_account` variable to the name of the primary storage account.

-The setup script requires [Synapse-Python38-CPU.yml](https://github.com/Azure-Samples/Synapse/blob/main/Spark/Python/Synapse-Python38-CPU.yml) which is the list of libraries shipped in the default python env in Synapse spark.

- # one-time synapse python setup

-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/traffic-manager-minchild).

-| Credential | Name | Example |

-| | - | - |

-| Private key | [IDENTIFIER]-sshkey | DEV-WEEU-SAP01-sid-sshkey |

-| Public key | [IDENTIFIER]-sshkey-pub | DEV-WEEU-SAP01-sid-sshkey-pub |

-| Username | [IDENTIFIER]-username | DEV-WEEU-SAP01-sid-username |

-| Password | [IDENTIFIER]-password | DEV-WEEU-SAP01-sid-password |

-| sidadm Password | [IDENTIFIER]-[SID]-sap-password | DEV-WEEU-SAP01-X00-sap-password |