+# Enable accidental deletions prevention in the Azure AD provisioning service

+If you encounter an accidental deletion you'll see it on the provisioning status page. It will say **Provisioning has been quarantined. See quarantine details for more information**.

+ - SingleAppRoleAssignments is not compatible with setting scope to "Sync All users and groups."

+1. Azure AD verifies the certificate revocation list to make sure the certificate is not revoked and is valid. Azure AD identifies the user in the tenant by using the [username binding configured](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy) on the tenant by mapping the certificate field value to user attribute value.

+1. If a unique user is found and the user has a conditional access policy and needs multifactor authentication (MFA) and the [certificate authentication binding rule](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy) satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication.

+- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)

+An administrator needs to enable CBA for the tenant to make the sign-in with certificate option available for users. For more information, see [Step 3: Configure authentication binding policy](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy).

+Make sure the user is trying to sign in with the correct username. This error happens when a unique user can't be found using the [username binding](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy) on the certificate fields.

+For more information, see [Step 4: Configure username binding policy](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy).

+In both cases, the error can be resolved by making sure the user is in scope for Azure AD CBA. For more information, see [Step 2: Enable CBA on the tenant](how-to-certificate-based-authentication.md#step-2-enable-cba-on-the-tenant).

+ Title: Workload identity federation for app considerations

+description: Important considerations and restrictions for creating a federated identity credential on an app.

+# Important considerations and restrictions for federated identity credentials

+This article describes important considerations, restrictions, and limitations for federated identity credentials on Azure AD apps and user-assigned managed identities.

+For more information on the scenarios enabled by federated identity credentials, see [workload identity federation overview](workload-identity-federation.md).

+## General federated identity credential considerations

+*Applies to: applications and user-assigned managed identities (public preview)*

+Anyone with permissions to create an app registration and add a secret or certificate can add a federated identity credential to an app. If the **Users can register applications** switch in the [User Settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings) blade is set to **No**, however, you won't be able to create an app registration or configure the federated identity credential. Find an admin to configure the federated identity credential on your behalf, someone in the Application Administrator or Application Owner roles.

+Federated identity credentials don't consume the Azure AD tenant service principal object quota.

+## Unsupported regions (user-assigned managed identities)

+*Applies to: user-assigned managed identities (public preview)*

+The creation of federated identity credentials is available on user-assigned managed identities created in most Azure regions during public. However, creation of federated identity credentials is **not supported** on user-assigned managed identities in the following regions:

+- Germany North

+- Sweden South

+- Sweden Central

+- Switzerland West

+- Brazil Southeast

+- East Asia

+- Southeast Asia

+- Switzerland West

+- South Africa West

+- Qatar Central

+- Australia Central

+- Australia Central2

+- Norway West

+Support for creating federated identity credentials in these regions will be rolled out gradually except East Asia where support won't be provided.

+Resources in these regions can still use federated identity credentials created in other, supported regions.

+## Supported signing algorithms and issuers

+*Applies to: applications and user-assigned managed identities (public preview)*

+Only issuers that provide tokens signed using the RS256 algorithm are supported for token exchange using workload identity federation. Exchanging tokens signed with other algorithms may work, but have not been tested.

+## Azure Active Directory issuers aren't supported

+*Applies to: applications and user-assigned managed identities (public preview)*

+Creating a federation between two Azure AD identities from the same or different tenants isn't supported. When creating a federated identity credential, configuring the *issuer* (the URL of the external identity provider) with the following values isn't supported:

+- *.login.microsoftonline.com

+- *.login.windows.net

+- *.login.microsoft.com

+- *.sts.windows.net

+While it's possible to create a federated identity credential with an Azure AD issuer, attempts to use it for authorization fail with error `AADSTS700222: AAD-issued tokens may not be used for federated identity flows`.

+## Time for federated credential changes to propagate

+*Applies to: applications and user-assigned managed identities (public preview)*

+It takes time for the federated identity credential to be propagated throughout a region after being initially configured. A token request made several minutes after configuring the federated identity credential may fail because the cache is populated in the directory with old data. During this time window, an authorization request might fail with error message: `AADSTS70021: No matching federated identity record found for presented assertion.`

+To avoid this issue, wait a short time after adding the federated identity credential before requesting a token to ensure replication completes across all nodes of the authorization service. We also recommend adding retry logic for token requests. Retries should be done for every request even after a token was successfully obtained. Eventually after the data is fully replicated the percentage of failures will drop.

+## Concurrent updates aren't supported (user-assigned managed identities)

+*Applies to: user-assigned managed identities (public preview)*

+Creating multiple federated identity credentials under the same user-assigned managed identity concurrently triggers concurrency detection logic, which causes requests to fail with 409-conflict HTTP status code.

+When you use automation or Azure Resource Manager templates (ARM templates) to create federated identity credentials under the same parent identity, create the federated credentials sequentially. Federated identity credentials under different managed identities can be created in parallel without any restrictions.

+The following Azure Resource Manager template (ARM template) example creates three new federated identity credentials sequentially on a user-assigned managed identity by using the *dependsOn* property:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "userAssignedIdentities_parent_uami_name": {

+ "defaultValue": "parent_uami",

+ "type": "String"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",

+ "apiVersion": "2022-01-31-preview",

+ "name": "[parameters('userAssignedIdentities_parent_uami_name')]",

+ "location": "eastus"

+ },

+ {

+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",

+ "apiVersion": "2022-01-31-preview",

+ "name": "[concat(parameters('userAssignedIdentities_parent_uami_name'), '/fic01')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent_uami_name'))]"

+ ],

+ "properties": {

+ "issuer": "https://kubernetes-oauth.azure.com",

+ "subject": "fic01",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",

+ "apiVersion": "2022-01-31-preview",

+ "name": "[concat(parameters('userAssignedIdentities_parent_uami_name'), '/fic02')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent_uami_name'))]",

+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentities_parent_uami_name'), 'fic01')]"

+ ],

+ "properties": {

+ "issuer": "https://kubernetes-oauth.azure.com",

+ "subject": "fic02",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",

+ "apiVersion": "2022-01-31-preview",

+ "name": "[concat(parameters('userAssignedIdentities_parent_uami_name'), '/fic03')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent_uami_name'))]",

+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentities_parent_uami_name'), 'fic02')]"

+ ],

+ "properties": {

+ "issuer": "https://kubernetes-oauth.azure.com",

+ "subject": "fic03",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+ }

+ ]

+}

+```

+## Azure policy

+*Applies to: applications and user-assigned managed identities (public preview)*

+It is possible to use a deny [Azure Policy](/azure/governance/policy/overview) as in the following ARM template example:

+```json

+{

+"policyRule": {

+ "if": {

+ "field": "type",

+ "equals": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"

+ },

+ "then": {

+ "effect": "deny"

+ }

+ }

+}

+```

+## Throttling limits

+*Applies to: user-assigned managed identities (public preview)*

+The following table describes limits on requests to the user-assigned managed identities REST APIS. If you exceed a throttling limit, you receive an HTTP 429 error.

+| Operation | Requests-per-second per Azure AD tenant | Requests-per-second per subscription | Requests-per-second per resource |

+|-|-|-|-|

+| [Create or update](/rest/api/managedidentity/user-assigned-identities/create-or-update) requests | 10 | 2 | 0.25 |

+| [Get](/rest/api/managedidentity/user-assigned-identities/get) requests | 30 | 10 | 0.5 |

+| [List by resource group](/rest/api/managedidentity/user-assigned-identities/list-by-resource-group) or [List by subscription](/rest/api/managedidentity/user-assigned-identities/list-by-subscription) requests | 15 | 5 | 0.25 |

+| [Delete](/rest/api/managedidentity/user-assigned-identities/delete) requests | 10 | 2 | 0.25 |

+## Errors

+*Applies to: applications and user-assigned managed identities (public preview)*

+The following error codes may be returned when creating, updating, getting, listing, or deleting federated identity credentials.

+| HTTP code | Error message | Comments |

+|-|-|-|

+| 405 | The request format was unexpected: Support for federated identity credentials not enabled. | Federated identity credentials aren't enabled in this region. Refer to ΓÇ£Currently Supported regionsΓÇ¥. |

+| 400 | Federated identity credentials must have exactly 1 audience.| Currently, federated identity credentials support a single audience ΓÇ£api://AzureADTokenExchangeΓÇ¥.|

+| 400 | Federated Identity Credential from HTTP body has empty properties | All federated identity credential properties are mandatory. |

+| 400 | Federated Identity Credential name '{ficName}' is invalid. | Alphanumeric, dash, underscore, no more than 3-120 symbols. First symbol is alphanumeric. |

+| 404 | The parent user-assigned identity doesn't exist. | Check user assigned identity name in federated identity credentials resource path. |

+| 400 | Issuer and subject combination already exists for this Managed Identity. | This is a constraint. List all federated identity credentials associated with the user-assigned identity to find existing federated identity credential. |

+| 409 | Conflict | Concurrent write request to federated identity credential resources under the same user-assigned identity has been denied.

+ Title: Create a trust relationship between a user-assigned managed identity and an external identity provider

+description: Set up a trust relationship between a user-assigned managed identity in Azure AD and an external identity provider. This allows a software workload outside of Azure to access Azure AD protected resources without using secrets or certificates.

+zone_pivot_groups: identity-wif-mi-methods

+#Customer intent: As an application developer, I want to configure a federated credential on a user-assigned managed identity so I can create a trust relationship with an external identity provider and use workload identity federation to access Azure AD protected resources without managing secrets.

+# Configure a user-assigned managed identity to trust an external identity provider (preview)

+This article describes how to manage a federated identity credential on a user-assigned managed identity in Azure Active Directory (Azure AD). The federated identity credential creates a trust relationship between a user-assigned managed identity and an external identity provider (IdP). Configuring a federated identity credential on a system-assigned managed identity is not supported.

+After you configure your user-assigned managed identity to trust an external IdP, configure your external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload uses the access token to access Azure AD protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).

+In this article, you learn how to create, list, and delete federated identity credentials on a user-assigned managed identity.

+## Important considerations and restrictions

+To learn more about supported regions, time to propagate federated credential updates, supported issuers and more, read [Important considerations and restrictions for federated identity credentials](workload-identity-federation-considerations.md).

+## Prerequisites

+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](/azure/active-directory/managed-identities-azure-resources/overview). Be sure to review the [difference between a system-assigned and user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).

+- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.

+- Get the information for your external IdP and software workload, which you need in the following steps.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.

+- [Create a user-assigned manged identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity)

+- Find the object ID of the user-assigned managed identity, which you need in the following steps.

+## Configure a federated identity credential on a user-assigned managed identity

+In the [Azure portal](https://portal.azure.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar, select **Federated credentials (preview)** and then **Add Credential**.

+In the **Federated credential scenario** dropdown box, select your scenario.

+### GitHub Actions deploying Azure resources

+For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value. The values must exactly match the configuration in the [GitHub workflow](https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions#on). For more info, read the [examples](#entity-type-examples).

+Add a **Name** for the federated credential.

+The **Issuer**, **Audiences**, and **Subject identifier** fields autopopulate based on the values you entered.

+Click **Add** to configure the federated credential.

+#### Entity type examples

+##### Branch example

+For a workflow triggered by a push or pull request event on the main branch:

+```yml

+on:

+ push:

+ branches: [ main ]

+ pull_request:

+ branches: [ main ]

+```

+Specify an **Entity type** of **Branch** and a **GitHub branch name** of "main".

+##### Environment example

+For Jobs tied to an environment named "production":

+```yml

+on:

+ push:

+ branches:

+ - main

+jobs:

+ deployment:

+ runs-on: ubuntu-latest

+ environment: production

+ steps:

+ - name: deploy

+ # ...deployment-specific steps

+```

+Specify an **Entity type** of **Environment** and a **GitHub environment name** of "production".

+##### Tag example

+For example, for a workflow triggered by a push to the tag named "v2":

+```yml

+on:

+ push:

+ # Sequence of patterns matched against refs/heads

+ branches:

+ - main

+ - 'mona/octocat'

+ - 'releases/**'

+ # Sequence of patterns matched against refs/tags

+ tags:

+ - v2

+ - v1.*

+```

+Specify an **Entity type** of **Tag** and a **GitHub tag name** of "v2".

+##### Pull request example

+For a workflow triggered by a pull request event, specify an **Entity type** of **Pull request**

+### Kubernetes accessing Azure resources

+Fill in the **Cluster issuer URL**, **Namespace**, **Service account name**, and **Name** fields:

+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer-preview) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+- **Service account name** is the name of the Kubernetes service account, which provides an identity for processes that run in a Pod.

+- **Namespace** is the service account namespace.

+- **Name** is the name of the federated credential, which can't be changed later.

+Click **Add** to configure the federated credential.

+### Other

+Select the **Other issuer** scenario from the dropdown menu.

+Specify the following fields (using a software workload running in Google Cloud as an example):

+- **Name** is the name of the federated credential, which can't be changed later.

+- **Subject identifier**: must match the `sub` claim in the token issued by the external identity provider. In this example using Google Cloud, *subject* is the Unique ID of the service account you plan to use.

+- **Issuer**: must match the `iss` claim in the token issued by the external identity provider. A URL that complies with the OIDC Discovery spec. Azure AD uses this issuer URL to fetch the keys that are necessary to validate the token. For Google Cloud, the *issuer* is "https://accounts.google.com".

+Click **Add** to configure the federated credential.

+## List federated identity credentials on a user-assigned managed identity

+In the [Azure portal](https://portal.azure.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar and select **Federated credentials (preview)**.

+The federated identity credentials configured on that user-assigned managed identity are listed.

+## Delete a federated identity credential from a user-assigned managed identity

+In the [Azure portal](https://portal.azure.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar and select **Federated credentials (preview)**.

+The federated identity credentials configured on that user-assigned managed identity are listed.

+To delete a specific federated identity credential, select the **Delete** icon for that credential.

+## Prerequisites

+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](/azure/active-directory/managed-identities-azure-resources/overview). Be sure to review the [difference between a system-assigned and user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).

+- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.

+- Get the information for your external IdP and software workload, which you need in the following steps.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.

+- [Create a user-assigned manged identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azcli#create-a-user-assigned-managed-identity-1)

+- Find the object ID of the user-assigned managed identity, which you need in the following steps.

+## Configure a federated identity credential on a user-assigned managed identity

+Run the [az identity federated-credential create](/cli/azure/identity/federated-credential#az-identity-federated-credential-create) command to create a new federated identity credential on your user-assigned managed identity (specified by the object ID of the app). Specify the *name*, *issuer*, *subject*, and other parameters.

+```azurecli

+az login

+# set variables

+location="centralus"

+subscription="{subscription-id}"

+rg="fic-test-rg"

+# user assigned identity name

+uaId="fic-test-ua"

+# federated identity credential name

+ficId="fic-test-fic-name"

+# create prerequisites if required.

+# otherwise make sure that existing resources names are set in variables above

+az account set --subscription $subscription

+az group create --location $location --name $rg

+az identity create --name $uaId --resource-group $rg --location $location --subscription $subscription

+# Create/update a federated identity credential

+az identity federated-credential create --name $ficId --identity-name $uaId --resource-group $rg --issuer 'https://aks.azure.com/issuerGUID' --subject 'system:serviceaccount:ns:svcaccount' --audiences 'api://AzureADTokenExchange'

+```

+## List federated identity credentials on a user-assigned managed identity

+Run the [az identity federated-credential list](/cli/azure/identity/federated-credential#az-identity-federated-credential-list) command to read all the federated identity credentials configured on a user-assigned managed identity:

+```azurecli

+az login

+# Set variables

+rg="fic-test-rg"

+# User assigned identity name

+uaId="fic-test-ua"

+# Read all federated identity credentials assigned to the user-assigned managed identity

+az identity federated-credential list --identity-name $uaId --resource-group $rg

+```

+## Get a federated identity credential on a user-assigned managed identity

+Run the [az identity federated-credential show](/cli/azure/identity/federated-credential#az-identity-federated-credential-show) command to show a federated identity credential (by ID):

+```azurecli

+az login

+# Set variables

+rg="fic-test-rg"

+# User assigned identity name

+uaId="fic-test-ua"

+# Federated identity credential name

+ficId="fic-test-fic-name"

+# Show the federated identity credential

+az identity federated-credential show --name $ficId --identity-name $uaId --resource-group $rg

+```

+## Delete a federated identity credential from a user-assigned managed identity

+Run the [az identity federated-credential delete](/cli/azure/identity/federated-credential#az-identity-federated-credential-delete) command to delete a federated identity credential under an existing user assigned identity.

+```azure cli

+az login

+# Set variables

+# in Linux shell remove $ from set variable statement

+$rg="fic-test-rg"

+# User assigned identity name

+$uaId="fic-test-ua"

+# Federated identity credential name

+$ficId="fic-test-fic-name"

+az identity federated-credential delete --name $ficId --identity-name $uaId --resource-group $rg

+```

+## Prerequisites

+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](/azure/active-directory/managed-identities-azure-resources/overview). Be sure to review the [difference between a system-assigned and user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).

+- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.

+- Get the information for your external IdP and software workload, which you need in the following steps.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.

+- [Create a user-assigned manged identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-arm#create-a-user-assigned-managed-identity-3)

+- Find the object ID of the user-assigned managed identity, which you need in the following steps.

+## Template creation and editing

+Resource Manager templates help you deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based. You can:

+- Use a [custom template from Azure Marketplace](../../azure-resource-manager/templates/deploy-portal.md#deploy-resources-from-custom-template) to create a template from scratch or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).

+- Derive from an existing resource group by exporting a template. You can export them from either [the original deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates) or from the [current state of the deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates).

+- Use a local [JSON editor (such as VS Code)](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md), and then upload and deploy by using PowerShell or the Azure CLI.

+- Use the Visual Studio [Azure Resource Group project](../../azure-resource-manager/templates/create-visual-studio-deployment-project.md) to create and deploy a template.

+## Configure a federated identity credential on a user-assigned managed identity

+Federated identity credential and parent user assigned identity can be created or updated be means of template below. You can [deploy ARM templates](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal) from the [Azure portal](https://portal.azure.com).

+All of the template parameters are mandatory.

+There is a limit of 3-120 characters for a federated identity credential name length. It must be alphanumeric, dash, underscore. First symbol is alphanumeric only.

+You must add exactly 1 audience to a federated identity credential, this gets verified during token exchange. Use ΓÇ£api://AzureADTokenExchangeΓÇ¥ as the default value.

+List, Get, and Delete operations are not available with template. Refer to Azure CLI for these operations. By default, all child federated identity credentials are created in parallel, which triggers concurrency detection logic and causes the deployment to fail with a 409-conflict HTTP status code. To create them sequentially, specify a chain of dependencies using the *dependsOn* property.

+Make sure that any kind of automation creates federated identity credentials under the same parent identity sequentially. Federated identity credentials under different managed identities can be created in parallel without any restrictions.

+```json

+{

+ΓÇ» ΓÇ» "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ΓÇ» ΓÇ» "contentVersion": "1.0.0.0",

+ΓÇ» ΓÇ» "variables": {},

+ΓÇ» ΓÇ» "parameters": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "location": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "westcentralus",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Location for identities resources. FIC should be enabled in this region."

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "userAssignedIdentityName": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "FIC_UA",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Name of the User Assigned identity (parent identity)"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredential": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "testCredential",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Name of the Federated Identity Credential"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredentialIssuer": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "https://aks.azure.com/issuerGUID",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Federated Identity Credential token issuer"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredentialSubject": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "system:serviceaccount:ns:svcaccount",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Federated Identity Credential token subject"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredentialAudience": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": " api://AzureADTokenExchange",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Federated Identity Credential audience. Single value is only supported."

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» "resources": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "Microsoft.ManagedIdentity/userAssignedIdentities",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "apiVersion": "2018-11-30",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "name": "[parameters('userAssignedIdentityName')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "location": "[parameters('location')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "tags": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "firstTag": "ficTest"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "resources": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "apiVersion": "2022-01-31-PREVIEW",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "name": "[concat(parameters('userAssignedIdentityName'), '/', parameters('federatedIdentityCredential'))]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "dependsOn": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ],

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "properties": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "issuer": "[parameters('federatedIdentityCredentialIssuer')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "subject": "[parameters('federatedIdentityCredentialSubject')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "audiences": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "[parameters('federatedIdentityCredentialAudience')]"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ]

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ]

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ]

+}

+```

+## Prerequisites

+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](/azure/active-directory/managed-identities-azure-resources/overview). Be sure to review the [difference between a system-assigned and user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).

+- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.

+- Get the information for your external IdP and software workload, which you need in the following steps.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.

+- You can run all the commands in this article either in the cloud or locally:

+ - To run in the cloud, use [Azure Cloud Shell](../../cloud-shell/overview.md).

+ - To run locally, install [curl](https://curl.haxx.se/download.html) and the [Azure CLI](/cli/azure/install-azure-cli).

+- [Create a user-assigned manged identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-rest#create-a-user-assigned-managed-identity-4)

+- Find the object ID of the user-assigned managed identity, which you need in the following steps.

+## Obtain a bearer access token

+1. If you're running locally, sign in to Azure through the Azure CLI.

+ ```

+ az login

+ ```

+1. Obtain an access token by using [az account get-access-token](/cli/azure/account#az-account-get-access-token).

+ ```azurecli-interactive

+ az account get-access-token

+ ```

+## Configure a federated identity credential on a user-assigned managed identity

+Create or update a federated identity credential on the specified user-assigned managed identity.

+```bash

+curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/provider

+s/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/federatedIdenti

+tyCredentials/<FEDERATED IDENTITY CREDENTIAL NAME>?api-version=2022-01-31-preview' -X PUT -d '{"properties": "{ "properties": { "issuer": "<ISSUER>", "subject": "<SUBJECT>", "audiences": [ "api://AzureADTokenExchange" ] }}"}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+```

+```http

+PUT https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/federatedIdentityCredentials/<FEDERATED IDENTITY CREDENTIAL NAME>?api-version=2022-01-31-preview

+{

+ "properties": {

+ "issuer": "https://oidc.prod-aks.azure.com/IssuerGUID",

+ "subject": "system:serviceaccount:ns:svcaccount",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+}

+```

+**Request headers**

+|Request header |Description |

+|||

+|*Content-Type* | Required. Set to `application/json`. |

+|*Authorization* | Required. Set to a valid `Bearer` access token. |

+**Request body**

+|Name |Description |

+|||

+|properties.audiences | Required. The list of audiences that can appear in the issued token. |

+|properties.issuer | Required. The URL of the issuer to be trusted. |

+|properties.subject | Required. The identifier of the external identity. |

+## List federated identity credentials on a user-assigned managed identity

+List all the federated identity credentials on the specified user-assigned managed identity.

+```bash

+curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials?api-version=2022-01-31-preview' -H "Content-Type: application/json" -X GET -H "Authorization: Bearer <ACCESS TOKEN>"

+```

+```http

+GET

+https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials?api-version=2022-01-31-preview

+```

+**Request headers**

+|Request header |Description |

+|||

+|*Content-Type* | Required. Set to `application/json`. |

+|*Authorization* | Required. Set to a valid `Bearer` access token. |

+## Get a federated identity credential on a user-assigned managed identity

+Get a federated identity credential on the specified user-assigned managed identity.

+```bash

+curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials/<FEDERATED IDENTITY CREDENTIAL RESOURCENAME>?api-version=2022-01-31-preview' -X GET -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+```

+```http

+GET

+https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials/<FEDERATED IDENTITY CREDENTIAL RESOURCENAME>?api-version=2022-01-31-preview

+```

+**Request headers**

+|Request header |Description |

+|||

+|*Content-Type* | Required. Set to `application/json`. |

+|*Authorization* | Required. Set to a valid `Bearer` access token. |

+## Delete a federated identity credential from a user-assigned managed identity

+Delete a federated identity credentials on the specified user-assigned managed identity.

+```bash

+curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials/<FEDERATED IDENTITY CREDENTIAL RESOURCENAME>?api-version=2022-01-31-preview' -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+```

+```http

+DELETE

+https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/<RESOURCE NAME>/federatedIdentityCredentials/<FEDERATED IDENTITY CREDENTIAL RESOURCENAME>?api-version=2022-01-31-preview

+```

+**Request headers**

+|Request header |Description |

+|||

+|*Content-Type* | Required. Set to `application/json`. |

+|*Authorization* | Required. Set to a valid `Bearer` access token. |

+## Next steps

+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).

+## Important considerations and restrictions

+To learn more about supported regions, time to propagate federated credential updates, supported issuers and more, read [Important considerations and restrictions for federated identity credentials](workload-identity-federation-considerations.md).

+You use workload identity federation to configure an Azure AD app registration or user-assigned managed identity to trust tokens from an external identity provider (IdP), such as GitHub. Once that trust relationship is created, your software workload can exchange trusted tokens from the external IdP for access tokens from Microsoft identity platform. Your software workload then uses that access token to access the Azure AD protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.

+- Workloads running on Kubernetes. Establish a trust relationship between your app or user-assigned managed identity in Azure AD and a Kubernetes workload (described in the [workload identity overview](/azure/aks/workload-identity-overview)).

+Create a trust relationship between the external IdP and an app or user-assigned managed identity in Azure AD by configuring a [federated identity credential](/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-beta&preserve-view=true). The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure the federated identity credential on an app registration in the Azure portal or through Microsoft Graph. A federated credential is configured on a user-assigned managed identity through the Azure portal, Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The steps for configuring the trust relationship will differ, depending on the scenario and external IdP.

+1. Microsoft identity platform checks the [trust relationship](workload-identity-federation-create-trust.md) on the app registration or user-assigned managed identity and validates the external token against the Open ID Connect (OIDC) issuer URL on the external IdP.

+- How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust.md) on an app registration.

+- How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust-user-assigned-managed-identity.md) on a user-assigned managed identity.

+> [!NOTE]

+> Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.

+ Title: PowerShell and Microsoft Graph examples for group licensing - Azure AD | Microsoft Docs

+# PowerShell and Microsoft Graph examples for group-based licensing in Azure AD

+| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |

+## March 2022

+

+### Tenant enablement of combined security information registration for Azure Active Directory

+**Type:** Plan for change

+**Service category:** MFA

+**Product capability:** Identity Security & Protection

+

+We announced in April 2020 General Availability of our new combined registration experience, enabling users to register security information for multi-factor authentication and self-service password reset at the same time, which was available for existing customers to opt in. We're happy to announce the combined security information registration experience will be enabled to all non-enabled customers after September 30, 2022. This change doesn't impact tenants created after August 15, 2020, or tenants located in the China region. For more information, see: [Combined security information registration for Azure Active Directory overview](../authentication/concept-registration-mfa-sspr-combined.md).

+

+

+### Public preview - New provisioning connectors in the Azure AD Application Gallery - March 2022

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** Third Party Integration

+

+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

+- [AlexisHR](../saas-apps/alexishr-provisioning-tutorial.md)

+- [embed signage](../saas-apps/embed-signage-provisioning-tutorial.md)

+- [Joyn FSM](../saas-apps/joyn-fsm-provisioning-tutorial.md)

+- [KPN Grip](../saas-apps/kpn-grip-provisioning-tutorial.md)

+- [MURAL Identity](../saas-apps/mural-identity-provisioning-tutorial.md)

+- [Palo Alto Networks SCIM Connector](../saas-apps/palo-alto-networks-scim-connector-provisioning-tutorial.md)

+- [Tap App Security](../saas-apps/tap-app-security-provisioning-tutorial.md)

+- [Yellowbox](../saas-apps/yellowbox-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

+

+

+### Public preview - Azure AD Recommendations

+**Type:** New feature

+**Service category:** Reporting

+**Product capability:** Monitoring & Reporting

+

+Azure AD Recommendations is now in public preview. This feature provides personalized insights with actionable guidance to help you identify opportunities to implement Azure AD best practices, and optimize the state of your tenant. For more information, see: [What is Azure Active Directory recommendations](../reports-monitoring/overview-recommendations.md)

+

+

+### Public Preview: Dynamic administrative unit membership for users and devices

+**Type:** New feature

+**Service category:** RBAC role

+**Product capability:** Access Control

+

+Administrative units now support dynamic membership rules for user and device members. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit. The membership will be automatically maintained by Azure AD. For more information, see:[Administrative units in Azure Active Directory](../roles/administrative-units.md).

+

+

+### Public Preview: Devices in Administrative Units

+**Type:** New feature

+**Service category:** RBAC role

+**Product capability:** AuthZ/Access Delegation

+

+Devices can now be added as members of administrative units. This enables scoped delegation of device permissions to a specific set of devices in the tenant. Built-in and custom roles are also supported. For more information, see: [Administrative units in Azure Active Directory](../roles/administrative-units.md).

+

+

+### New Federated Apps available in Azure AD Application gallery - March 2022

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** Third Party Integration

+

+In March 2022 we've added the following 29 new applications in our App gallery with Federation support:

+[Informatica Platform](../saas-apps/informatica-platform-tutorial.md), [Buttonwood Central SSO](../saas-apps/buttonwood-central-sso-tutorial.md), [Blockbax](../saas-apps/blockbax-tutorial.md), [Datto Workplace Single Sign On](../saas-apps/datto-workplace-tutorial.md), [Atlas by Workland](https://atlas.workland.com/), [Simply.Coach](https://app.simply.coach/signup), [Benevity](https://benevity.com/), [Engage Absence Management](https://engage.honeydew-health.com/users/sign_in), [LitLingo App Authentication](https://www.litlingo.com/litlingo-deployment-guide), [ADP EMEA French HR Portal mon.adp.com](../saas-apps/adp-emea-french-hr-portal-tutorial.md), [Ready Room](https://app.readyroom.net/), [Rainmaker UPSMQDEV](https://upsmqdev.rainmaker.aero/rainmaker.security.web/), [Axway CSOS](../saas-apps/axway-csos-tutorial.md), [Alloy](https://alloyapp.io/), [U.S. Bank Prepaid](../saas-apps/us-bank-prepaid-tutorial.md), [EdApp](https://admin.edapp.com/login), [GoSimplo](https://app.gosimplo.com/External/Microsoft/Signup), [Snow Atlas SSO](https://www.snowsoftware.io/), [Abacus.AI](https://alloyapp.io/), [Culture Shift](../saas-apps/culture-shift-tutorial.md), [StaySafe Hub](https://hub.staysafeapp.net/login), [OpenLearning](../saas-apps/openlearning-tutorial.md), [Draup, Inc](https://draup.com/platformlogin/), [Air](../saas-apps/air-tutorial.md), [Regulatory Lab](https://clientidentification.com/), [SafetyLine](https://slmonitor.com/login), [Zest](../saas-apps/zest-tutorial.md), [iGrafx Platform](../saas-apps/igrafx-platform-tutorial.md), [Tracker Software Technologies](../saas-apps/tracker-software-technologies-tutorial.md)

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

+

+### Public Preview - New APIs for fetching transitive role assignments and role permissions

+**Type:** New feature

+**Service category:** RBAC role

+**Product capability:** Access Control

+

+1. **transitiveRoleAssignments** - Last year the ability to assign Azure AD roles to groups was created. Originally it took four calls to fetch all direct, and transitive, role assignments of a user. This new API call allows it all to be done via one API call. For more information, see:

+[List transitiveRoleAssignment - Microsoft Graph beta | Microsoft Docs](/graph/api/rbacapplication-list-transitiveroleassignments).

+2. **unifiedRbacResourceAction** - Developers can use this API to list all role permissions and their descriptions in Azure AD. This API can be thought of as a dictionary that can help build custom roles without relying on UX. For more information, see:

+[List resourceActions - Microsoft Graph beta | Microsoft Docs](/graph/api/unifiedrbacresourcenamespace-list-resourceactions).

+

+## September 2022

+### General Availability - Device-based conditional access on Linux Desktops

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** SSO

+This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

+- Users can register their Linux devices with Azure AD.

+- Users can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device based conditional access on Linux Desktops.

+- If compliant, users can use Edge Browser to enable Single-Sign on to M365/Azure resources and satisfy device-based Conditional Access policies.

+For more information, see:

+- [Azure AD registered devices](../devices/concept-azure-ad-register.md)

+- [Plan your Azure Active Directory device deployment](../devices/plan-device-deployment.md)

+### General Availability - Azure AD SCIM Validator

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Outbound to SaaS Applications

+Independent Software Vendors(ISVs) and developers can self-test their SCIM endpoints for compatibility: We have made it easier for ISVs to validate that their endpoints are compatible with the SCIM-based Azure AD provisioning services. This is now in general availability (GA) status.

+For more information, see: [Tutorial: Validate a SCIM endpoint](../app-provisioning/scim-validator-tutorial.md)

+### General Availability - prevent accidental deletions

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Outbound to SaaS Applications

+Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service will pause, provide you visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

+For more information, see: [Enable accidental deletions prevention in the Azure AD provisioning service](../app-provisioning/accidental-deletions.md)

+### General Availability - Identity Protection Anonymous and Malicious IP for ADFS on-premises logins

+**Type:** New feature

+**Service category:** Identity Protection

+**Product capability:** Identity Security & Protection

+Identity protection expands its Anonymous and Malicious IP detections to protect ADFS sign-ins. This will automatically apply to all customers who have AD Connect Health deployed and enabled, and will show up as the existing "Anonymous IP" or "Malicious IP" detections with a token issuer type of "AD Federation Services".

+For more information, see: [What is risk?](../identity-protection/concept-identity-protection-risks.md)

+### New Federated Apps available in Azure AD Application gallery - September 2022

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** 3rd Party Integration

+In September 2022 we've added the following 15 new applications in our App gallery with Federation support:

+[RocketReach SSO](../saas-apps/rocketreach-sso-tutorial.md), [Arena EU](../saas-apps/arena-eu-tutorial.md), [Zola](../saas-apps/zola-tutorial.md), [FourKites SAML2.0 SSO for Tracking](../saas-apps/fourkites-tutorial.md), [Syniverse Customer Portal](../saas-apps/syniverse-customer-portal-tutorial.md), [Rimo](https://rimo.app/), [Q Ware CMMS](https://qware.app/), [Mapiq (OIDC)](https://app.mapiq.com/), [NICE Cxone](../saas-apps/nice-cxone-tutorial.md), [dominKnow|ONE](../saas-apps/dominknowone-tutorial.md), [Waynbo for Azure AD](https://webportal-eu.waynbo.com/Login), [innDex](https://web.inndex.co.uk/azure/authorize), [Profiler Software](https://www.profiler.net.au/), [Trotto go links](https://trot.to/_/auth/login), [AsignetSSOIntegration](../saas-apps/asignet-sso-tutorial.md).

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

+ The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS Connector (see Determine your AD DS Connector Account). The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the target AD object (this account must be different from the ADConnectorAccountDN account). This is typically the Enterprise or Domain Administrator.

+Set-ADSyncRestrictedPermissions -ADConnectorAccountDN 'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential

+- The ADSync database used should contain a synchronization state that is relatively recent. The last synchronization activity with the existing ADSync database should be within the last three weeks, otherwise a full import from Azure AD will be required to update the directory watermark.

+ 1. Start Windows PowerShell and enter.

+ `Set-ADSyncScheduler -SyncCycleEnabled $false`

+ `Get-ADSyncScheduler`

+8. Restart the **Microsoft Azure AD Sync** service under Windows Service Control Manager. This is to ensure that any reference to the old password is removed from the memory cache.

+## Teams Meeting Notes known issues and workarounds

+Teams Meeting Notes is a feature that allows users to take notes during their Teams meeting. This support document describes the feature in detail: [Take meeting notes in Teams](https://support.microsoft.com/office/take-meeting-notes-in-teams-3eadf032-0ef8-4d60-9e21-0691d317d103).

+**Known issues** <br>

+When a userΓÇÖs UPN changes, the meeting notes created under the old UPN are no longer accessible by that user or any other user via Microsoft Teams or the Meeting Notes URL.

+**Workaround**<br>

+After the UPN change, users can recover the meeting notes they lost access to by downloading them from OneDrive (navigate to My Files -> Microsoft Teams Data -> Wiki). New meeting notes created after the UPN change are not affected and should behave as normal.

+> [!div class="nextstepaction"]

+> [Install Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594)

+>

+Learn how to use [workload identity federation for managed identities](/azure/active-directory/develop/workload-identity-federation) to access Azure Active Directory (Azure AD) protected resources without managing secrets.

+Learn how to use [workload identity federation for managed identities](/azure/active-directory/develop/workload-identity-federation) to access Azure Active Directory (Azure AD) protected resources without managing secrets.

+Learn how to use [workload identity federation for managed identities](/azure/active-directory/develop/workload-identity-federation) to access Azure Active Directory (Azure AD) protected resources without managing secrets.

+Learn how to use [workload identity federation for managed identities](/azure/active-directory/develop/workload-identity-federation) to access Azure Active Directory (Azure AD) protected resources without managing secrets.

+* [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing)

+* Use [workload identity federation for managed identities](/azure/active-directory/develop/workload-identity-federation) to access Azure Active Directory (Azure AD) protected resources without managing secrets

+* Use [workload identity federation for managed identities](/azure/active-directory/develop/workload-identity-federation) to access Azure Active Directory (Azure AD) protected resources without managing secrets

+| Azure Cosmos DB | [Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account](../../cosmos-db/how-to-setup-rbac.md) |

+ Title: "Tutorial: Use managed identity to access Azure Resource Manager - Windows - Azure AD"

+ Title: 'Tutorial: Azure AD SSO integration with Evovia'

+description: Learn how to configure single sign-on between Azure Active Directory and Evovia.

+# Tutorial: Azure AD SSO integration with Evovia

+In this tutorial, you'll learn how to integrate Evovia with Azure Active Directory (Azure AD). When you integrate Evovia with Azure AD, you can:

+* Control in Azure AD who has access to Evovia.

+* Enable your users to be automatically signed-in to Evovia with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Evovia single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Evovia supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Evovia from the gallery

+To configure the integration of Evovia into Azure AD, you need to add Evovia from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Evovia** in the search box.

+1. Select **Evovia** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+ Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Azure AD SSO for Evovia

+Configure and test Azure AD SSO with Evovia using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Evovia.

+To configure and test Azure AD SSO with Evovia, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Evovia SSO](#configure-evovia-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Evovia test user](#create-evovia-test-user)** - to have a counterpart of B.Simon in Evovia that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Evovia** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+

+ 1. In the **Reply URL** text box, type the URL:

+ `https://secure.evovia.com/saml/acs`

+ 1. In the **Sign-on URL** text box, type the URL:

+ `https://secure.evovia.com`

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Evovia.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Evovia**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Evovia SSO

+To configure single sign-on on **Evovia** side, you need to send the **App Federation Metadata Url** to [Evovia support team](mailto:support@evovia.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Evovia test user

+In this section, you create a user called Britta Simon in Evovia. Work with [Evovia support team](mailto:support@evovia.com) to add the users in the Evovia platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Evovia Sign-on URL where you can initiate the login flow.

+* Go to Evovia Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Evovia tile in the My Apps, this will redirect to Evovia Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Evovia you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ | email | user.userprincipalname |

+ | given_name | user.givenname |

+Once you configure Headspace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. If you wish to configure the application in **SP** initiated mode, click **Set additional URLs** and type a URL in the **Relay State** text box using the following pattern: `https://<CustomerDomain>.lusid.com/app/home`

+ > These values are not real. Update these values with the actual Identifier, Reply URL, and Relay State URL. Contact [LUSID support team](mailto:support@finbourne.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ Title: 'Tutorial: Azure AD SSO integration with Mapiq'

+description: Learn how to configure single sign-on between Azure Active Directory and Mapiq.

+# Tutorial: Azure AD SSO integration with Mapiq

+In this tutorial, you'll learn how to integrate Mapiq with Azure Active Directory (Azure AD). When you integrate Mapiq with Azure AD, you can:

+* Control in Azure AD who has access to Mapiq.

+* Enable your users to be automatically signed-in to Mapiq with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Mapiq single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Mapiq supports **SP** initiated SSO.

+* Mapiq supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Mapiq from the gallery

+To configure the integration of Mapiq into Azure AD, you need to add Mapiq from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Mapiq** in the search box.

+1. Select **Mapiq** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Azure AD SSO for Mapiq

+Configure and test Azure AD SSO with Mapiq using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mapiq.

+To configure and test Azure AD SSO with Mapiq, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Mapiq SSO](#configure-mapiq-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Mapiq test user](#create-mapiq-test-user)** - to have a counterpart of B.Simon in Mapiq that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Mapiq** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Reply URL** text box, type the URL:

+ `https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer`

+ b. In the **Sign-on URL** text box, type the URL:

+ `https://app.mapiq.com`

+1. Mapiq application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Mapiq application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | displayname | user.displayname |

+ | department | user.department |

+ | businessunit | user.companyname |

+ | office | user.officelocation |

+ | jobTitle | user.jobtitle |

+ | country | user.country |

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mapiq.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Mapiq**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Mapiq SSO

+To configure single sign-on on **Mapiq** side, you need to send the **App Federation Metadata Url** to [Mapiq support team](mailto:support@mapiq.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Mapiq test user

+In this section, a user called B.Simon is created in Mapiq. Mapiq supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Mapiq, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Mapiq Sign-on URL where you can initiate the login flow.

+* Go to Mapiq Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Mapiq tile in the My Apps, this will redirect to Mapiq Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Mapiq you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ b. In the **Sign-on URL** textbox, type the URL provided by Zola:

+ `https://app.zola.fr?company=<MYCOMPANYID>`

+ `https://app.zola.fr/dashboard-v2`

+ > [!NOTE]

+ > The Sign-on URL value is not real. Update the value with the actual Sign on URL. Contact [Zola support team](mailto:tech@zola.fr) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+* Click on **Test this application** in Azure portal. This will redirect to Zola Sign on URL where you can initiate the login flow.

+* Go to Zola Sign on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Zola tile in the My Apps, this will redirect to Zola Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+[`Containerd`](https://containerd.io/) is an [OCI](https://opencontainers.org/) (Open Container Initiative) compliant core container runtime that provides the minimum set of required functionality to execute containers and manage images on a node. It was [donated](https://www.cncf.io/announcement/2017/03/29/containerd-joins-cloud-native-computing-foundation/) to the Cloud Native Compute Foundation (CNCF) in March of 2017. The current Moby (upstream Docker) version that AKS uses already uses and is built on top of `containerd`, as shown above.

+> Clusters with Linux node pools created on Kubernetes v1.19 or greater default to `containerd` for its container runtime. Clusters with node pools on a earlier supported Kubernetes versions receive Docker for their container runtime. Linux node pools will be updated to `containerd` once the node pool Kubernetes version is updated to a version that supports `containerd`.

+>

+> `containerd` with Windows Server 2019 node pools is generally available, and is the only container runtime option in Kubernetes 1.21 and higher. You can continue using Docker node pools and clusters on versions earlier than 1.23, but Docker is no longer supported as of September 2022. For more information, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].

+>

+> It is highly recommended you test your workloads on AKS node pools with `containerd` before using clusters with a Kubernetes version that supports `containerd` for your node pools.

+* For `containerd`, we recommend using [`crictl`](https://kubernetes.io/docs/tasks/debug-application-cluster/crictl) as a replacement CLI instead of the Docker CLI for **troubleshooting** pods, containers, and container images on Kubernetes nodes (for example, `crictl ps`).

+* `Containerd` sets up logging using the standardized `cri` logging format (which is different from what you currently get from docker's json driver). Your logging solution needs to support the `cri` logging format (like [Azure Monitor for Containers](../azure-monitor/containers/container-insights-enable-new-cluster.md))

+ * If you currently extract application logs or monitoring data from Docker Engine, use [Container insights](../azure-monitor/containers/container-insights-enable-new-cluster.md) instead. Additionally AKS doesn't support running any out of band commands on the agent nodes that could cause instability.

+ * Building images and directly using the Docker engine using the methods above isn't recommended. Kubernetes isn't fully aware of those consumed resources, and those approaches present numerous issues detailed [here](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) and [here](https://securityboulevard.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1/), for example.

+* Building images - You can continue to use your current docker build workflow as normal, unless you're building images inside your AKS cluster. In this case, consider switching to the recommended approach for building images using [ACR Tasks](../container-registry/container-registry-quickstart-task-cli.md), or a more secure in-cluster option like [docker buildx](https://github.com/docker/buildx).

+By default, when creating a new cluster or adding a new node pool to an existing cluster, the disk size is determined by the number for vCPUs, which is based on the VM SKU. The default values are shown in the following table:

+> Default OS disk sizing is only used on new clusters or node pools when Ephemeral OS disks are not supported and a default OS disk size isn't specified. The default OS disk size may impact the performance or cost of your cluster, but you can change the sizing of the OS disk at any time after cluster or node pool creation. This default disk sizing affects clusters or node pools created in July 2022 or later.

+Like the temporary disk, an ephemeral OS disk is included in the price of the virtual machine, so you don't incur more storage costs.

+>When you don't explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given node pool configuration.

+If you chose to use an ephemeral OS, the OS disk must fit in the VM cache. The sizes for VM cache are available in the [Azure documentation](../virtual-machines/dv3-dsv3-series.md) in parentheses next to IO throughput ("cache size in GiB").

+If you chose to use the AKS default VM size [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with the default OS disk size of 100 GB, this VM size supports ephemeral OS but only has 86 GB of cache size. This configuration would default to managed disks if you don't explicitly specify it. If you do request an ephemeral OS, you'll receive a validation error.

+If you request the same [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with a 60GB OS disk, this configuration would default to ephemeral OS: the requested size of 60GB is smaller than the maximum cache size of 86 GB.

+If you select the [Standard_D8s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) SKU with 100 GB OS disk, this VM size supports ephemeral OS and has 200 GB of cache space. If you don't specify the OS disk type, the node pool would receive ephemeral OS by default.

+The latest generation of VM series doesn't have a dedicated cache, but only temporary storage. Let's assume to use the [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with the default OS disk size of 100 GiB as an example. This VM size supports ephemeral OS disks but only has 75 GiB of temporary storage. This configuration would default to managed OS disks if you don't explicitly specify it. If you do request an ephemeral OS disk, you'll receive a validation error.

+If you request the same [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with a 60 GiB OS disk, this configuration would default to ephemeral OS disks. The requested size of 60 GiB is smaller than the maximum temporary storage of 75 GiB.

+If you chose to use [Standard_E4bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) SKU with 100 GiB OS disk, this VM size supports ephemeral OS and has 150 GiB of temporary storage. If you don't specify the OS disk type, the node pool is provisioned with an ephemeral OS by default.

+> With ephemeral OS you can deploy VM and instance images up to the size of the VM cache. In the AKS case, the default node OS disk configuration uses 128 GB, which means that you need a VM size that has a cache larger than 128 GB. The default Standard_DS2_v2 has a cache size of 86 GB, which isn't large enough. The Standard_DS3_v2 has a cache size of 172 GB, which is large enough. You can also reduce the default size of the OS disk by using `--node-osdisk-size`. The minimum size for AKS images is 30 GB.

+The [Node Restriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission controller limits the Node and Pod objects a kubelet can modify. Node Restriction is on by default in AKS 1.24+ clusters. If you're using an older version, use the below commands to create a cluster with Node Restriction or update an existing cluster to add Node Restriction.

+This enables an OIDC Issuer URL of the provider which allows the API server to discover public signing keys.

+> Enable/disable OIDC Issuer changes the current service account token issuer to a new value, which causes some down time and make API server restart. If the application pods based on service account token keep in failed status after enable/disable OIDC Issuer, it's recommended to restart the pods manually.

+* The `aks-preview` extension version 0.5.50 or higher

+* Kubernetes version 1.19.x or higher

+### Install the aks-preview Azure CLI extension

+To install the aks-preview extension, run the following command:

+az extension add --name aks-preview

+Run the following command to update to the latest version of the extension released:

+```azurecli

+Create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer (preview). The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:

+az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer

+Update an AKS cluster using the [az aks update][az-aks-update] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer (preview). The following example updates a cluster named *myAKSCluster*:

+az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer

+To get the OIDC Issuer URL, run the following command. Replace the default values for the cluster name and the resource group name.

+az aks show -n myAKScluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-update]: /cli/azure/aks#az-aks-update

+Cluster extensions provide an Azure Resource Manager driven experience for installation and lifecycle management of services like Azure Machine Learning (ML) on an AKS cluster. This feature enables:

+In this article, you'll learn about:

+> If you have enabled [AAD-based pod identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it,

+> we recommend you first review [Migrate to workload identity][migrate-workload-identity] to understand our

+> recommendations and options to set up your cluster to use an Azure AD workload identity (preview).

+> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities

+> to federate with any external identity providers.

+### Set up the Azure CLI extension for cluster extensions

+You'll also need the `k8s-extension` Azure CLI extension. Install the extension by running the following command:

+> The Cluster Extensions service is unable to retain sensitive information for more than 48 hours. If the cluster extension agents don't have network connectivity for more than 48 hours and can't determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension instance.

+| `--auto-upgrade-minor-version` | Boolean property that specifies if the extension minor version will be upgraded automatically or not. Default: `true`. If this parameter is set to true, you can't set `version` parameter, as the version will be dynamically updated. If set to `false`, extension won't be auto-upgraded even for patch versions. |

+| `--configuration-settings` | Settings that can be passed into the extension to control its functionality. Pass values as space separated `key=value` pairs after the parameter name. If this parameter is used in the command, then `--configuration-settings-file` can't be used in the same command. |

+| `--configuration-protected-settings` | These settings are not retrievable using `GET` API calls or `az k8s-extension show` commands, and are thus used to pass in sensitive settings. Pass values as space separated `key=value` pairs after the parameter name. If this parameter is used in the command, then `--configuration-protected-settings-file` can't be used in the same command. |

+| `--release-train` | Extension authors can publish versions in different release trains such as `Stable`, `Preview`, etc. If this parameter isn't set explicitly, `Stable` is used as default. This parameter can't be used when `autoUpgradeMinorVersion` parameter is set to `false`. |

+| `--extension-type` | The type of extension you want to install on the cluster. For example: Microsoft.AzureML.Kubernetes |

+| `--auto-upgrade-minor-version` | Boolean property that specifies if the extension minor version will be upgraded automatically or not. Default: `true`. If this parameter is set to true, you cannot set `version` parameter, as the version will be dynamically updated. If set to `false`, extension won't be auto-upgraded even for patch versions. |

+| `--configuration-settings` | Settings that can be passed into the extension to control its functionality. Only the settings that require an update need to be provided. The provided settings would be replaced with the provided values. Pass values as space separated `key=value` pairs after the parameter name. If this parameter is used in the command, then `--configuration-settings-file` can't be used in the same command. |

+| `--configuration-protected-settings` | These settings are not retrievable using `GET` API calls or `az k8s-extension show` commands, and are thus used to pass in sensitive settings. When you update a setting, all settings are expected to be specified. If some settings are omitted, those settings would be considered obsolete and deleted. Pass values as space separated `key=value` pairs after the parameter name. If this parameter is used in the command, then `--configuration-protected-settings-file` can't be used in the same command. |

+| `--release-train` | Extension authors can publish versions in different release trains such as `Stable`, `Preview`, etc. If this parameter isn't set explicitly, `Stable` is used as default. This parameter can't be used when `autoUpgradeMinorVersion` parameter is set to `false`. |

+[migrate-workload-identity]: workload-identity-overview.md

+You can authenticate, authorize, secure, and control access to Kubernetes clusters in a variety of ways:

+* Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need.

+* With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure using Azure Active Directory and Azure RBAC.

+Before assigning permissions to users with Kubernetes RBAC, you'll define user permissions as a *Role*. Grant permissions within a namespace using roles.

+There are two levels of access needed to fully operate an AKS cluster:

+| `kubelet` | Required to grant MSI access to ACR. |

+| `container insights` | Required to grant permission to the Log Analytics workspace. |

+1. Run `kubectl` commands.

+The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of an Azure key vault as a secret store with an Azure Kubernetes Service (AKS) cluster via a [CSI volume][kube-csi].

+- If restricting Ingress to the cluster, ensure Ports 9808 and 8095 are open.

+- An [Azure Active Directory pod identity][aad-pod-identity] (preview)

+- An [Azure Active Directory workload identity][aad-workload-identity] (preview)

+The Azure Key Vault design makes sharp distinctions between keys, secrets, and certificates. The Key Vault serviceΓÇÖs certificates features were designed to make use of its key and secret capabilities. When a key vault certificate is created, an addressable key and secret are also created with the same name. The key allows key operations, and the secret allows the retrieval of the certificate value as a secret.

+[aad-workload-identity]: workload-identity-overview.md

+[kubernetes-version-support]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy

+## Use Azure AD workload identity (preview)

+An Azure AD workload identity (preview) is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL).

+> [!NOTE]

+> This authentication method replaces pod-managed identity (preview).

+### Prerequisites

+- Installed the latest version of the `aks-preview` extension, version 0.5.102 or later. To learn more, see [How to install extensions][how-to-install-extensions].

+Azure AD workload identity (preview) is supported on both Windows and Linux clusters.

+### Configure workload identity

+1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription.

+ ```azurecli

+ az account set --subscription "subscriptionID"

+ ```

+2. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.

+ ```azurecli

+ az account set --subscription "subscriptionID"

+ ```

+ ```azurecli

+ az identity create --name "userAssignedIdentityName" --resource-group "resourceGroupName" --location "location" --subscription "subscriptionID"

+ ```

+3. You need to set an access policy that grants the workload identity permission to access the Key Vault secrets, access keys, and certificates. The rights are assigned using the [az keyvault set-policy][az-keyvault-set-policy] command as shown below.

+ ```azurecli

+ az keyvault set-policy -n $KEYVAULT_NAME --key-permissions get --spn $APPLICATION_CLIENT_ID

+ az keyvault set-policy -n $KEYVAULT_NAME --secret-permissions get --spn $APPLICATION_CLIENT_ID

+ az keyvault set-policy -n $KEYVAULT_NAME --certificate-permissions get --spn $APPLICATION_CLIENT_ID

+ ```

+4. Run the [az aks show][az-aks-show] command to get the AKS cluster OIDC issuer URL, and replace the default value for the cluster name and the resource group name.

+ ```azurecli

+ az aks show --resource-group resourceGroupName --name clusterName --query "oidcIssuerProfile.issuerUrl" -otsv

+ ```

+ > [!NOTE]

+ > If the URL is empty, verify you have installed the latest version of the `aks-preview` extension, version 0.5.102 or later. Also verify you've [enabled the

+ > OIDC issuer][enable-oidc-issuer] (preview).

+5. Establish a federated identity credential between the Azure AD application and the service account issuer and subject. Get the object ID of the Azure AD application. Update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.

+ ```bash

+ export APPLICATION_OBJECT_ID="$(az ad app show --id ${APPLICATION_CLIENT_ID} --query id -otsv)"

+ export SERVICE_ACCOUNT_NAME=serviceAccountName

+ export SERVICE_ACCOUNT_NAMESPACE=serviceAccountNamespace

+ ```

+ Then add the federated identity credential by first copying and pasting the following multi-line input in the Azure CLI.

+ ```azurecli

+ cat <<EOF > body.json

+ {

+ "name": "kubernetes-federated-credential",

+ "issuer": "${SERVICE_ACCOUNT_ISSUER}",

+ "subject": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}",

+ "description": "Kubernetes service account federated credential",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+ EOF

+ ```

+ Next, use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the Managed Identity, the service account issuer, and the subject. Replace the values `resourceGroupName`, `userAssignedIdentityName`, and `federatedIdentityName`.

+ ```azurecli

+ az identity federated-credential create --name federatedIdentityName --identity-name userAssignedIdentityName --resource-group resourceGroupName --issuer ${AKS_OIDC_ISSUER} --subject ${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}"

+ ```

+6. Deploy your secretproviderclass and application by setting the `clientID` in the `SecretProviderClass` to the client ID of the Azure AD application.

+ ```bash

+ clientID: "${APPLICATION_CLIENT_ID}"

+ ```

+## Use pod-managed identities

+Azure Active Directory (Azure AD) pod-managed identities (preview) use AKS primitives to associate managed identities for Azure resources and identities in Azure AD with pods. You can use these identities to grant access to the Azure Key Vault Secrets Provider for Secrets Store CSI driver.

+### Use an Azure AD pod-managed identity

+> Before you begin this step, [enable system-assigned managed identity][enable-system-assigned-identity] on your AKS cluster's VMs or scale sets.

+[workload-identity-overview]: workload-identity-overview.md

+[how-to-install-extensions]: /cli/azure/azure-cli-extensions-overview#how-to-install-extensions

+[az-aks-show]: /cli/azure/aks#az-aks-show

+[az-rest]: /cli/azure/reference-index#az-rest

+[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az-identity-federated-credential-create

+[enable-oidc-issuer]: cluster-configuration.md#oidc-issuer-preview

+**Best practice guidance** - Don't define credentials in your application code. Use managed identities for Azure resources to let your pod request access to other resources. A digital vault, such as Azure Key Vault, should also be used to store and retrieve digital keys and credentials. Pod-managed identities are intended for use with Linux pods and container images only.

+ * [Azure Active Directory workload identity][aad-workload-identity] (preview)

+#### Use an Azure AD workload identity (preview)

+A workload identity is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the [Azure SDK][azure-sdk-download] or the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL).

+For more information about workload identities, see [Configure an AKS cluster to use Azure AD workload identities with your applications][aad-workload-identity]

+* [Use workload managed identities for Azure resources with AKS][aad-workload-identity] (preview)

+[azure-sdk-download]: https://azure.microsoft.com/downloads/

+[aad-workload-identity]: workload-identity-overview.md

+[microsoft-authentication-library]: ../active-directory/develop/msal-overview.md

+ Title: Tutorial - Use a workload identity with an application on Azure Kubernetes Service (AKS)

+description: In this Azure Kubernetes Service (AKS) tutorial, you deploy an Azure Kubernetes Service cluster and configure an application to use a workload identity.

+# Tutorial: Use a workload identity with an application on Azure Kubernetes Service (AKS)

+Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this tutorial, you will:

+* Deploy an AKS cluster using the Azure CLI with OpenID Connect Issuer and managed identity.

+* Create an Azure Key Vault and secret.

+* Create an Azure Active Directory workload identity and Kubernetes service account

+* Configure the managed identity for token federation

+* Deploy the workload and verify authentication with the workload identity.

+This tutorial assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts].

+- This article requires version 2.40.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+- You have installed the latest version of the `aks-preview` extension, version 0.5.102 or later.

+- The identity you are using to create your cluster has the appropriate minimum permissions. For more information on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)][aks-identity-concepts].

+- If you have multiple Azure subscriptions, select the appropriate subscription ID in which the resources should be billed using the

+[az account][az-account] command.

+## Create a resource group

+An [Azure resource group][azure-resource-group] is a logical group in which Azure resources are deployed and managed. When you create a resource group, you are prompted to specify a location. This location is:

+* The storage location of your resource group metadata.

+* Where your resources will run in Azure if you don't specify another region during resource creation.

+The following example creates a resource group named *myResourceGroup* in the *eastus* location.

+Create a resource group using the [az group create][az-group-create] command.

+```azurecli-interactive

+az group create --name myResourceGroup --location eastus

+```

+The following output example resembles successful creation of the resource group:

+```json

+{

+ "id": "/subscriptions/<guid>/resourceGroups/myResourceGroup",

+ "location": "eastus",

+ "managedBy": null,

+ "name": "myResourceGroup",

+ "properties": {

+ "provisioningState": "Succeeded"

+ },

+ "tags": null

+}

+```

+## Install the aks-preview Azure CLI extension

+To install the aks-preview extension, run the following command:

+```azurecli

+az extension add --name aks-preview

+```

+Run the following command to update to the latest version of the extension released:

+```azurecli

+az extension update --name aks-preview

+```

+## Create AKS cluster

+Create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:

+```azurecli-interactive

+az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys

+```

+After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+> [!NOTE]

+> When you create an AKS cluster, a second resource group is automatically created to store the AKS resources. For more information, see [Why are two resource groups created with AKS?][aks-two-resource-groups].

+To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default value for the arguments `-n`, which is the name of the cluster and `-g`, the resource group name:

+```bash

+export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"

+```

+## Export environmental variables

+To help simplify steps to configure creating Azure Key Vault and other identities required, the steps below define

+environmental variables for reference on the cluster.

+Run the following commands to create these variables. Replace the default values for `RESOURCE_GROUP`, `LOCATION`, `KEYVAULT_SECRET_NAME`, `SERVICE_ACCOUNT_NAME`, `SUBSCRIPTION`, `UAID`, and `FICID`.

+```bash

+# environment variables for the Azure Key Vault resource

+export KEYVAULT_NAME="azwi-kv-tutorial"

+export KEYVAULT_SECRET_NAME="my-secret"

+export RESOURCE_GROUP="resourceGroupName"

+export LOCATION="westcentralus"

+# environment variables for the Kubernetes Service account & federated identity credential

+export SERVICE_ACCOUNT_NAMESPACE="default"

+export SERVICE_ACCOUNT_NAME="workload-identity-sa"

+# environment variables for the Federated Identity

+export SUBSCRIPTION="{your subscription ID}"

+# user assigned identity name

+export UAID="fic-test-ua"

+# federated identity name

+export FICID="fic-test-fic-name"

+```

+## Create an Azure Key Vault and secret

+Use the Azure CLI [az keyvault create][az-keyvault-create] command to create a Key Vault in the resource group created earlier.

+```azurecli

+az keyvault create --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --name "${KEYVAULT_NAME}"

+```

+The output of this command shows properties of the newly created key vault. Take note of the two properties listed below:

+* **Name**: The Vault name you provided to the `--name` parameter above.

+* **vaultUri**: In the example, this is `https://<your-unique-keyvault-name>.vault.azure.net/`. Applications that use your vault through its REST API must use this URI.

+At this point, your Azure account is the only one authorized to perform any operations on this new vault.

+To add a secret to the vault, you need to run the Azure CLI [az keyvault secret set][az-keyvault-secret-set] command to create it. The password is the value you specified for the environment variable `KEYVAULT_SECRET_NAME` and stores the value of **Hello!** in it.

+```azurecli

+az keyvault secret set --vault-name "${KEYVAULT_NAME}" --name "${KEYVAULT_SECRET_NAME}" --value 'Hello!'

+```

+## Create a managed identity and grant permissions to access the secret

+Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.

+```azurecli

+az account set --subscription "${SUBSCRIPTION}"

+```

+```azurecli

+az identity create --name "${UAID}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --subscription "${SUBSCRIPTION}"

+```

+Next, you need to set an access policy for the managed identity to access the Key Vault secret by running the following commands:

+```bash

+export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${UAID}" --query 'clientId' -otsv)"

+```

+```azurecli

+az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"

+```

+### Create Kubernetes service account

+Create a Kubernetes service account and annotate it with the client ID of the Managed Identity created in the previous step. Use the [az aks get-credentials][az-aks-get-credentials] command and replace the default value for the cluster name and the resource group name.

+```azurecli

+az aks get-credentials -n myAKSCluster -g "${RESOURCE_GROUP}"

+```

+Copy and paste the following multi-line input in the Azure CLI.

+```bash

+cat <<EOF | kubectl apply -f -

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ annotations:

+ azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}

+ labels:

+ azure.workload.identity/use: "true"

+ name: ${SERVICE_ACCOUNT_NAME}

+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}

+EOF

+```

+The following output resembles successful creation of the identity:

+```output

+Serviceaccount/workload-identity-sa created

+```

+## Establish federated identity credential

+Use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the managed identity, the service account issuer, and the subject.

+```azurecli

+az identity federated-credential create --name ${FICID} --identity-name ${UAID} --resource-group ${RESOURCE_GROUP} --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}

+```

+> [!NOTE]

+> It takes a few seconds for the federated identity credential to be propagated after being initially added. If a token request is made immediately after adding the federated identity credential, it might lead to failure for a couple of minutes as the cache is populated in the directory with old data. To avoid this issue, you can add a slight delay after adding the federated identity credential.

+## Deploy the workload

+Run the following to deploy a pod that references the service account created in the previous step.

+```bash

+cat <<EOF | kubectl apply -f -

+apiVersion: v1

+kind: Pod

+metadata:

+ name: quick-start

+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}

+spec:

+ serviceAccountName: ${SERVICE_ACCOUNT_NAME}

+ containers:

+ - image: ghcr.io/azure/azure-workload-identity/msal-go

+ name: oidc

+ env:

+ - name: KEYVAULT_NAME

+ value: ${KEYVAULT_NAME}

+ - name: SECRET_NAME

+ value: ${KEYVAULT_SECRET_NAME}

+ nodeSelector:

+ kubernetes.io/os: linux

+EOF

+```

+The following output resembles successful creation of the pod:

+```output

+pod/quick-start created

+```

+To check whether all properties are injected properly by the webhook, use

+the [kubectl describe][kubelet-describe] command:

+```bash

+kubectl describe pod quick-start

+```

+To verify that pod is able to get a token and access the secret from the Key Vault, use the

+[kubectl logs][kubelet-logs] command:

+```bash

+kubectl logs quick-start

+```

+The following output resembles successful access of the token:

+```output

+I1013 22:49:29.872708 1 main.go:30] "successfully got secret" secret="Hello!"

+```

+## Clean up resources

+If you plan to continue on to work with subsequent tutorials, you may wish to leave these resources in place.

+When no longer needed, you can run the following Kubectl and the Azure CLI commands to remove the resource group and all related resources.

+```bash

+kubectl delete pod quick-start

+```

+```bash

+kubectl delete sa "${SERVICE_ACCOUNT_NAME}" --namespace "${SERVICE_ACCOUNT_NAMESPACE}"

+```

+```azurecli

+az group delete --name "${RESOURCE_GROUP}"

+```

+## Next steps

+In this tutorial, you deployed a Kubernetes cluster and then deployed a simple container application to

+test working with an Azure AD workload identity (preview).

+This tutorial is for introductory purposes. For guidance on a creating full solutions with AKS for production, see [AKS solution guidance][aks-solution-guidance].

+<!-- EXTERNAL LINKS -->

+[kubelet-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

+[kubelet-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs

+<!-- INTERNAL LINKS -->

+[kubernetes-concepts]: ../concepts-clusters-workloads.md

+[aks-identity-concepts]: ../concepts-identity.md

+[az-account]: /cli/azure/account

+[azure-resource-group]: ../../azure-resource-manager/management/overview.md

+[az-group-create]: /cli/azure/group#az-group-create

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[aks-two-resource-groups]: ../faq.md#why-are-two-resource-groups-created-with-aks

+[az-keyvault-create]: /cli/azure/keyvault#az-keyvault-create

+[az-keyvault-secret-set]: /cli/azure/keyvault/secret#az-keyvault-secret-set

+[az-account-set]: /cli/azure/account#az-account-set

+[az-identity-create]: /cli/azure/identity#az-identity-create

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az-identity-federated-credential-create

+[aks-tutorial]: ../tutorial-kubernetes-prepare-app.md

+[aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here

+> **Best practice guidance**

+> **Best practice guidance**

+> **Best practice guidance**

+>

+> We recommend you review [Azure AD workload identity][workload-identity-overview] (preview).

+> This authentication method replaces pod-managed identity (preview), which integrates with the

+> Kubernetes native capabilities to federate with any external identity providers on behalf of the

+> application.

+> **Best practice guidance**

+>

+For even more granular control of container actions, you can also use built-in Linux security features such as *AppArmor* and *seccomp*.

+1. Implement features through a pod manifest.

+> Currently, Kubernetes environments aren't completely safe for hostile multi-tenant usage. Additional security features, like *Microsoft Defender for Containers* *AppArmor*, *seccomp*,*Pod Security Admission*, or Kubernetes RBAC for nodes, efficiently block exploits.

+To see AppArmor in action, the following example creates a profile that prevents writing to files.

+1. Copy and paste the following content:

+AppArmor profiles are added using the `apparmor_parser` command.

+1. With the pod deployed, verify the *hello-apparmor* pod shows a *blocked* status by running the following command:

+ kubectl get pods

+* Annotating within a pod YAML manifest to associate with the seccomp filter.

+To see seccomp in action, create a filter that prevents changing permissions on a file.

+1. Copy and paste the following content:

+1. View pod status using the [kubectl get pods][kubectl-get] command.

+ * The `chmod` command is prevented from running by the seccomp filter, as shown in the following example output:

+ kubectl get pods

+> **Best practice guidance**

+>

+* Bug or security fixes

+Select-Object -Property Name, ControlPlaneProfileKubernetesVersion -ExpandProperty ControlPlaneProfileUpgrade |

+Format-Table -Property *

+> Test new minor versions in a dev test environment and validate that your workload remains healthy with the new Kubernetes version.

+> ### [Azure CLI](#tab/azure-cli)

+> ```azurecli-interactive

+> az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes-version KUBERNETES_VERSION

+> ```

+> ### [Azure PowerShell](#tab/azure-powershell)

+> ```azurepowershell-interactive

+> Set-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster -KubernetesVersion <KUBERNETES_VERSION>

+> ```

+>

+Unattended upgrades apply updates to the Linux node OS, but the image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node will receive all the security and kernel updates available during the automatic check every night but will remain unpatched until all checks and restarts are complete. You can use node image upgrade to check for and update node images used by your cluster. For more information on node image upgrade, see [Azure Kubernetes Service (AKS) node image upgrade][node-image-upgrade].

+[workload-identity-overview]: workload-identity-overview.md

+* Accounts could have access to unnecessary resources and services.

+* Tracking credentials used to make changes can be difficult.

+In this article, we discuss what recommended practices a cluster operator can follow to manage access and identity for AKS clusters. You'll learn how to:

+> * Authenticate AKS cluster users with Azure Active Directory (Azure AD).

+> * Use a [managed identity][managed-identities] to authenticate pods with other services.

+> **Best practice guidance**

+>

+> Deploy AKS clusters with [Azure AD integration][azure-ad-integration]. Using Azure AD centralizes the identity management layer. Any change in user account or group status is automatically updated in access to the AKS cluster. Scope users or groups to the minimum permissions amount using [Roles, ClusterRoles, or Bindings](#use-kubernetes-role-based-access-control-kubernetes-rbac).

+Your Kubernetes cluster developers and application owners need access to different resources. Kubernetes lacks an identity management solution for you to control the resources with which users can interact. Instead, you can integrate your cluster with an existing identity solution like Azure AD, an enterprise-ready identity management solution.

+1. The developer's request is successful based on previous validation of Azure AD group membership and Kubernetes RBAC and policies.

+>

+For example, you create a role with full access to resources in the namespace named *finance-app*, as shown in the following example YAML manifest:

+You then create a *RoleBinding* and bind the Azure AD user *developer1\@contoso.com* to it, as shown in the following YAML manifest:

+When *developer1\@contoso.com* is authenticated against the AKS cluster, they have full permissions to resources in the *finance-app* namespace. In this way, you logically separate and control access to resources. Use Kubernetes RBAC with Azure AD-integration.

+To learn how to use Azure AD groups to control access to Kubernetes resources using Kubernetes RBAC, see [Control access to cluster resources using role-based access control and Azure Active Directory identities in AKS][azure-ad-rbac].

+## Use Azure RBAC

+> **Best practice guidance**

+>

+There are two levels of access needed to fully operate an AKS cluster:

+* Access the AKS resource on your Azure subscription.

+ * Control scaling or upgrading your cluster using the AKS APIs

+ * Pull your `kubeconfig`.

+ To learn how to control access to the AKS resource and the `kubeconfig`, see [Limit access to cluster configuration file](control-kubeconfig-access.md).

+* Access to the Kubernetes API.

+ * [Kubernetes RBAC](#use-kubernetes-role-based-access-control-kubernetes-rbac) (traditionally) or

+ To learn how to granularly grant permissions to the Kubernetes API using Azure RBAC, see [Use Azure RBAC for Kubernetes authorization](manage-azure-rbac.md).

+## Use pod-managed identities

+> **Best practice guidance**

+>

+> Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Azure AD.

+To access other Azure resources, like Cosmos DB, Key Vault, or Blob Storage, the pod needs authentication credentials. You could define authentication credentials with the container image or inject them as a Kubernetes secret. Either way, you would need to manually create and assign them. Usually, these credentials are reused across pods and aren't regularly rotated.

+With pod-managed identities (preview) for Azure resources, you automatically request access to services through Azure AD. Pod-managed identities is currently in preview for AKS. Refer to the [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started.

+> [!NOTE]

+> If you have enabled [Azure AD pod-managed identity][aad-pod-identity] on your AKS cluster or are considering implementing it,

+> we recommend you first review the [workload identity overview][workload-identity-overview] article to understand our

+> recommendations and options to set up your cluster to use an Azure AD workload identity (preview).

+> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities

+> to federate with any external identity providers.

+Azure Active Directory pod-managed identity (preview) supports two modes of operation:

+* **Standard** mode: In this mode, the following 2 components are deployed to the AKS cluster:

+ * [Managed Identity Controller(MIC)](https://azure.github.io/aad-pod-identity/docs/concepts/mic/): A Kubernetes controller that watches for changes to pods, [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) through the Kubernetes API Server. When it detects a relevant change, the MIC adds or deletes [AzureAssignedIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureassignedidentity/) as needed. Specifically, when a pod is scheduled, the MIC assigns the managed identity on Azure to the underlying virtual machine scale set used by the node pool during the creation phase. When all pods using the identity are deleted, it removes the identity from the virtual machine scale set of the node pool, unless the same managed identity is used by other pods. The MIC takes similar actions when AzureIdentity or AzureIdentityBinding are created or deleted.

+ * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node. It redirects requests to itself and validates if the pod has access to the identity it's requesting a token for, and fetch the token from the Azure Active Directory tenant on behalf of the application.

+* **Managed** mode: In this mode, there's only NMI. The identity needs to be manually assigned and managed by the user. For more information, see [Pod Identity in Managed Mode](https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/). In this mode, when you use the [az aks pod-identity add](/cli/azure/aks/pod-identity#az-aks-pod-identity-add) command to add a pod identity to an Azure Kubernetes Service (AKS) cluster, it creates the [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) in the namespace specified by the `--namespace` parameter, while the AKS resource provider assigns the managed identity specified by the `--identity-resource-id` parameter to virtual machine scale set of each node pool in the AKS cluster.

+> If you instead decide to install the Azure Active Directory pod-managed identity using the [AKS cluster add-on](./use-azure-ad-pod-identity.md), setup uses the `managed` mode.

+* Identity assignment on the virtual machine scale set of a node pool can take up 40-60s. With cronjobs or applications that require access to the identity and can't tolerate the assignment delay, it's best to use `managed` mode as the identity is pre-assigned to the virtual machine scale set of the node pool. Either manually or using the [az aks pod-identity add](/cli/azure/aks/pod-identity#az-aks-pod-identity-add) command.

+* In `standard` mode, MIC requires write permissions on the virtual machine scale set used by the AKS cluster and `Managed Identity Operator` permission on the user-assigned managed identities. When running in `managed mode`, since there's no MIC, the role assignments aren't required.

+Instead of manually defining credentials for pods, pod-managed identities request an access token in real time, using it to access only their assigned resources. In AKS, there are two components that handle the operations to allow pods to use managed identities:

+When pods request a security token from Azure Active Directory to access to an Azure resource, network rules redirect the traffic to the NMI server.

+ * Identifies pods requesting access to Azure resources based on their remote address.

+ * Queries the Azure Resource Provider.

+1. The NMI server requests an access token from Azure AD based on the pod's identity mapping.

+1. Azure AD provides access to the NMI server, which is returned to the pod.

+ * This access token can be used by the pod to then request access to resources in Azure.

+

+1. Cluster operator creates a service account to map identities when pods request access to resources.

+To use Pod-managed identities, see [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md).

+* [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md)

+[azure-ad-integration]: managed-aad.md

+[managed-identities]: ../active-directory/managed-identities-azure-resources/overview.md

+[azure-ad-rbac]: azure-ad-rbac.md

+[aad-pod-identity]: ./use-azure-ad-pod-identity.md

+[use-azure-ad-pod-identity]: ./use-azure-ad-pod-identity.md#create-an-identity

+[workload-identity-overview]: workload-identity-overview.md

+> We recommend you review [Azure AD workload identity][workload-identity-overview] (preview).

+> This authentication method replaces pod-managed identity (preview), which integrates with the

+> Kubernetes native capabilities to federate with any external identity providers on behalf of the

+> application.

+<!-- LINKS - internal -->

+[workload-identity-overview]: workload-identity-overview.md

+* If the cluster has Azure AD pod-managed identity (`aad-pod-identity`) enabled, Node-Managed Identity (NMI) pods modify the nodes'

+ iptables to intercept calls to the Azure Instance Metadata (IMDS) endpoint. This configuration means any

+> [!NOTE]

+> If you are considering implementing [Azure AD pod-managed identity][aad-pod-identity] on your AKS cluster,

+> we recommend you first review the [workload identity overview][workload-identity-overview] article to understand our

+> recommendations and options to set up your cluster to use an Azure AD workload identity (preview).

+> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities

+> to federate with any external identity providers.

+| OSS project | aad-pod-identity | Enables applications to access cloud resources securely with Microsoft Azure Active Directory (Azure AD) | NA | Steps to grant permission at https://github.com/Azure/aad-pod-identity#role-assignment.

+To update an AKS cluster currently using a service principal to work with a system-assigned managed identity, run the following CLI command.

+When creating and using your own VNet, attached Azure disk, static IP address, route table or user-assigned kubelet identity where the resources are outside of the worker node resource group, the Azure CLI adds the role assignment automatically. If you are using an ARM template or other method, you need to use the Principal ID of the cluster managed identity to perform a role assignment.

+> If you are not using the Azure CLI but using your own VNet, attached Azure disk, static IP address, route table or user-assigned kubelet identity that are outside of the worker node resource group, it's recommended to use [user-assigned control plane identity][Bring your own control plane managed identity]. For system-assigned control plane identity, we cannot get the identity ID before creating cluster, which delays role assignment from taking effect.

+```

+>

+Azure CLI version 2.26.0 or later installed. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* Only works with a user-assigned managed cluster.

+* China East and China North regions in Azure China 21Vianet aren't currently supported.

+[workload-identity-overview]: workload-identity-overview.md

+[aad-pod-identity]: use-azure-ad-pod-identity.md

+ Title: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workload identity (preview)

+description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with an Azure AD workload identity (preview).

+# Deploy and configure workload identity (preview) on an Azure Kubernetes Service (AKS) cluster

+Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this article, you will:

+* Deploy an AKS cluster using the Azure CLI that includes the OpenID Connect Issuer and an Azure AD workload identity (preview)

+* Grant access to your Azure Key Vault

+* Create an Azure Active Directory (Azure AD) workload identity and Kubernetes service account

+* Configure the managed identity for token federation.

+This article assumes you have a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts]. If you aren't familiar with Azure AD workload identity (preview), see the following [Overview][workload-identity-overview] article.

+- This article requires version 2.40.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+- You've installed the latest version of the `aks-preview` extension, version 0.5.102 or later.

+- The identity you're using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)][aks-identity-concepts].

+- If you have multiple Azure subscriptions, select the appropriate subscription ID in which the resources should be billed using the

+[az account][az-account] command.

+## Install the aks-preview Azure CLI extension

+To install the aks-preview extension, run the following command:

+```azurecli

+az extension add --name aks-preview

+```

+Run the following command to update to the latest version of the extension released:

+```azurecli

+az extension update --name aks-preview

+```

+## Create AKS cluster

+Create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:

+```azurecli-interactive

+az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys

+```

+After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+> [!NOTE]

+> When you create an AKS cluster, a second resource group is automatically created to store the AKS resources. For more information, see [Why are two resource groups created with AKS?][aks-two-resource-groups].

+To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default values for the cluster name and the resource group name.

+```bash

+export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"

+```

+## Create a managed identity and grant permissions to access Azure Key Vault

+This step is necessary if you need to access secrets, keys, and certificates that are mounted in Azure Key Vault from a pod. Perform the following steps to configure access with a managed identity. These steps assume you have an Azure Key Vault already created and configured in your subscription. If you don't have one, see [Create an Azure Key Vault using the Azure CLI][create-key-vault-azure-cli].

+Before proceeding, you need the following information:

+* Name of the Key Vault

+* Resource group holding the Key Vault

+You can retrieve this information using the Azure CLI command: [az keyvault list][az-keyvault-list].

+1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.

+ ```azurecli

+ az account set --subscription "subscriptionID"

+ ```

+ ```azurecli

+ az identity create --name "userAssignedIdentityName" --resource-group "resourceGroupName" --location "location" --subscription "subscriptionID"

+ ```

+2. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:

+ ```bash

+ export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "resourceGroupName" --name "userAssignedIdentityName" --query 'clientId' -otsv)"

+ ```

+ ```azurecli

+ az keyvault set-policy --name "keyVaultName" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"

+ ```

+## Create Kubernetes service account

+Create a Kubernetes service account and annotate it with the client ID of the managed identity created in the previous step. Use the [az aks get-credentials][az-aks-get-credentials] command and replace the values for the cluster name and the resource group name.

+```azurecli

+az aks get-credentials -n myAKSCluster -g MyResourceGroup

+```

+Copy and paste the following multi-line input in the Azure CLI, and update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.

+```bash

+cat <<EOF | kubectl apply -f -

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ annotations:

+ azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}

+ labels:

+ azure.workload.identity/use: "true"

+ name: serviceAccountName

+ namespace: serviceAccountNamspace

+EOF

+```

+The following output resembles successful creation of the identity:

+```output

+Serviceaccount/workload-identity-sa created

+```

+## Establish federated identity credential

+Use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the managed identity, the service account issuer, and the subject. Replace the values `resourceGroupName`, `userAssignedIdentityName`, `federatedIdentityName`, `serviceAccountNamespace`, and `serviceAccountName`.

+```azurecli

+az identity federated-credential create --name federatedIdentityName --identity-name userAssignedIdentityName --resource-group resourceGroupName --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:serviceAccountNamespace:serviceAccountName

+```

+> [!NOTE]

+> It takes a few seconds for the federated identity credential to be propagated after being initially added. If a token request is made immediately after adding the federated identity credential, it might lead to failure for a couple of minutes as the cache is populated in the directory with old data. To avoid this issue, you can add a slight delay after adding the federated identity credential.

+## Next steps

+In this article, you deployed a Kubernetes cluster and configured it to use a workload identity in preparation for application workloads to authenticate with that credential. Now you're ready to deploy your application and configure it to use the workload identity with the latest version of the [Azure Identity][azure-identity-libraries] client library. If you can't rewrite your application to use the latest client library version, you can [set up your application pod][workload-identity-migration] to authenticate using managed identity with workload identity as a short-term migration solution.

+<!-- EXTERNAL LINKS -->

+<!-- INTERNAL LINKS -->

+[kubernetes-concepts]: concepts-clusters-workloads.md

+[workload-identity-overview]: workload-identity-overview.md

+[create-key-vault-azure-cli]: ../key-vault/general/quick-create-cli.md

+[az-keyvault-list]: /cli/azure/keyvaultt#az-keyvault-list

+[aks-identity-concepts]: concepts-identity.md

+[az-account]: /cli/azure/account

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[aks-two-resource-groups]: faq.md#why-are-two-resource-groups-created-with-aks

+[az-account-set]: /cli/azure/account#az-account-set

+[az-identity-create]: /cli/azure/identity#az-identity-create

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az-identity-federated-credential-create

+[workload-identity-migration]: workload-identity-migration-sidecar.md

+[azure-identity-libraries]: ../active-directory/develop/reference-v2-libraries.md

+ Title: Modernize your Azure Kubernetes Service (AKS) application with a workload identity sidecar

+description: In this Azure Kubernetes Service (AKS) article, you learn how to configure your Azure Kubernetes Service pod to authenticate with the workload identity sidecar.

+# Modernize application authentication with workload identity sidecar

+If your Kubernetes application runs on Azure Kubernetes Service (AKS) and is using a managed identity to securely access resources in Azure, you can set up a migration sidecar ensuring a smooth transition using the new Azure Identity SDK and minimize downtime. This sidecar intercepts Instance Metadata Service (IMDS) traffic and routes them to Azure Active Directory (Azure AD) using OpenID Connect (OIDC). This enables you to migrate from using managed identity with pod identity to workload identity, until you can migrate your applications to use the latest version of Azure Identity SDK.

+This article shows you how to set up your application pod to authenticate using managed identity with workload identity as a short-term migration solution.

+## Before you begin

+- The Azure CLI version 2.40.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+## Create a managed identity

+If you don't have a managed identity created and assigned to your pod, perform the following steps to create and grant the necessary permissions to storage, Key Vault, or whatever resources your application needs to authenticate with in Azure.

+1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.

+ ```azurecli

+ az account set --subscription "subscriptionID"

+ ```

+ ```azurecli

+ az identity create --name "userAssignedIdentityName" --resource-group "resourceGroupName" --location "location" --subscription "subscriptionID"

+ ```

+ ```bash

+ export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "resourceGroupName" --name "userAssignedIdentityName" --query 'clientId' -otsv)"

+ ```

+2. Grant the managed identity the permissions required to access the resources in Azure it requires.

+3. To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default values for the cluster name and the resource group name.

+ ```bash

+ export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"

+ ```

+## Create Kubernetes service account

+If you don't have a dedicated Kubernetes service account created for this application, perform the following steps to create and then annotate it with the client ID of the managed identity created in the previous step. Use the [az aks get-credentials][az-aks-get-credentials] command and replace the values for the cluster name and the resource group name.

+```azurecli

+az aks get-credentials -n myAKSCluster -g "${RESOURCE_GROUP}"

+```

+Copy and paste the following multi-line input in the Azure CLI.

+```bash

+cat <<EOF | kubectl apply -f -

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ annotations:

+ azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}

+ labels:

+ azure.workload.identity/use: "true"

+ name: ${SERVICE_ACCOUNT_NAME}

+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}

+EOF

+```

+The following output resembles successful creation of the identity:

+```output

+Serviceaccount/workload-identity-sa created

+```

+## Establish federated identity credential

+Use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the managed identity, the service account issuer, and the subject. Replace the values `resourceGroupName`, `userAssignedIdentityName`, `federatedIdentityName`, `serviceAccountNamespace`, and `serviceAccountName`.

+```azurecli

+az identity federated-credential create --name federatedIdentityName --identity-name userAssignedIdentityName --resource-group resourceGroupName --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}

+```

+> [!NOTE]

+> It takes a few seconds for the federated identity credential to be propagated after being initially added. If a token request is made immediately after adding the federated identity credential, it might lead to failure for a couple of minutes as the cache is populated in the directory with old data. To avoid this issue, you can add a slight delay after adding the federated identity credential.

+## Deploy the workload

+If your application is using managed identity and still relies on IMDS to get an access token, you can use the workload identity migration sidecar to start migrating to workload identity. This sidecar is a migration solution and in the long-term applications, you should modify their code to use the latest Azure Identity SDKs that support client assertion.

+To update or deploy the workload, add these pod annotations only if you want to use the migration sidecar. You inject the following [annotation][pod-annotations] values to use the sidecar in your pod specification:

+* `azure.workload.identity/inject-proxy-sidecar` - value is `true` or `false`

+* `azure.workload.identity/proxy-sidecar-port` - value is the desired port for the proxy sidecar. The default value is `8080`.

+When a pod with the above annotations is created, the Azure Workload Identity mutating webhook automatically injects the init-container and proxy sidecar to the pod spec.

+The webhook that is already running adds the following YAML snippets to the pod deployment. The following is an example of the mutated pod spec:

+```yml

+apiVersion: v1

+kind: Pod

+metadata:

+ name: httpbin-pod

+ labels:

+ app: httpbin

+spec:

+ serviceAccountName: workload-identity-sa

+ initContainers:

+ - name: init-networking

+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v0.13.0

+ securityContext:

+ capabilities:

+ add:

+ - NET_ADMIN

+ drop:

+ - ALL

+ privileged: true

+ runAsUser: 0

+ env:

+ - name: PROXY_PORT

+ value: "8080"

+ containers:

+ - name: nginx

+ image: nginx:alpine

+ ports:

+ - containerPort: 80

+ - name: proxy

+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v0.13.0

+ ports:

+ - containerPort: 8080

+```

+This configuration applies to any configuration where a pod is being created. After updating or deploying your application, you can verify the pod is in a running state using the [kubectl describe pod][kubectl-describe] command. Replace the value `podName` with the image name of your deployed pod.

+```bash

+kubectl describe pods podName -c azwi-proxy

+```

+To verify that pod is passing IMDS transactions, use the [kubectl logs][kubelet-logs] command. Replace the value `podName` with the image name of your deployed pod:

+```bash

+kubectl logs podName

+```

+The following log output resembles successful communication through the proxy sidecar. Verify that the logs show a token is successfully acquired and the GET operation is successful.

+```output

+I0926 00:29:29.968723 1 proxy.go:97] proxy "msg"="starting the proxy server" "port"=8080 "userAgent"="azure-workload-identity/proxy/v0.13.0-12-gc8527f3 (linux/amd64) c8527f3/2022-09-26-00:19"

+I0926 00:29:29.972496 1 proxy.go:173] proxy "msg"="received readyz request" "method"="GET" "uri"="/readyz"

+I0926 00:29:30.936769 1 proxy.go:107] proxy "msg"="received token request" "method"="GET" "uri"="/metadata/identity/oauth2/token?resource=https://management.core.windows.net/api-version=2018-02-01&client_id=<client_id>"

+I0926 00:29:31.101998 1 proxy.go:129] proxy "msg"="successfully acquired token" "method"="GET" "uri"="/metadata/identity/oauth2/token?resource=https://management.core.windows.net/api-version=2018-02-01&client_id=<client_id>"

+```

+## Remove pod-managed identity

+After you've completed your testing and the application is successfully able to get a token using the proxy sidecar, you can remove the Azure AD pod-managed identity mapping for the pod from your cluster, and then remove the identity.

+1. Run the [az aks pod-identity delete][az-aks-pod-identity-delete] command to remove the identity from your pod. This should only be done after all pods in the namespace using the pod-managed identity mapping have migrated to use the sidecar.

+ ```azurecli

+ az aks pod-identity delete --name podIdentityName --namespace podIdentityNamespace --resource-group myResourceGroup --cluster-name myAKSCluster

+ ```

+## Next steps

+This article showed you how to set up your pod to authenticate using a workload identity as a migration option. For more information about Azure AD workload identity (preview), see the following [Overview][workload-identity-overview] article.

+<!-- INTERNAL LINKS -->

+[pod-annotations]: workload-identity-overview.md#pod-annotations

+[az-identity-create]: /cli/azure/identity#az-identity-create

+[az-account-set]: /cli/azure/account#az-account-set

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[workload-identity-overview]: workload-identity-overview.md

+[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az-identity-federated-credential-create

+[az-aks-pod-identity-delete]: /cli/azure/aks/pod-identity#az-aks-pod-identity-delete

+<!-- EXTERNAL LINKS -->

+[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

+ Title: Use an Azure AD workload identities (preview) on Azure Kubernetes Service (AKS)

+description: Learn about Azure Active Directory workload identity (preview) for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.

+# Use an Azure AD workload identity (preview) on Azure Kubernetes Service (AKS)

+Today with Azure Kubernetes Service (AKS), you can assign [managed identities at the pod-level][use-azure-ad-pod-identity], which has been a preview feature. This pod-managed identity allows the hosted workload or application access to resources through Azure Active Directory (Azure AD). For example, a workload stores files in Azure Storage, and when it needs to access those files, the pod authenticates itself against the resource as an Azure managed identity. This authentication method has been replaced with [Azure Active Directory (Azure AD) workload identities][azure-ad-workload-identity] (preview), which integrate with the Kubernetes native capabilities to federate with any external identity providers. This approach is simpler to use and deploy, and overcomes several limitations in Azure AD pod-managed identity:

+- Removes the scale and performance issues that existed for identity assignment

+- Supports Kubernetes clusters hosted in any cloud or on-premises

+- Supports both Linux and Windows workloads

+- Removes the need for Custom Resource Definitions and pods that intercept [Azure Instance Metadata Service][azure-instance-metadata-service] (IMDS) traffic

+- Avoids the complicated and error-prone installation steps such as cluster role assignment from the previous iteration

+Azure AD workload identity works especially well with the Azure Identity client library using the [Azure SDK][azure-sdk-download] and the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL) if you're using [application registration][azure-ad-application-registration]. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources.

+This article helps you understand this new authentication feature, and reviews the options available to plan your migration phases and project strategy.

+## Dependencies

+- AKS supports Azure AD workload identities on version 1.24 and higher.

+- The Azure CLI version 2.40.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+- The `aks-preview` extension version 0.5.102 or later.

+- The following are the minimum versions of the [Azure Identity][azure-identity-libraries] client library supported:

+ * [.NET][dotnet-azure-identity-client-library] 1.5.0

+ * [Java][java-azure-identity-client-library] 1.4.0

+ * [JavaScript][javascript-azure-identity-client-library] 2.0.0

+ * [Python][python-azure-identity-client-library] 1.7.0

+## Limitations

+- You can only have 20 federated identities.

+- It takes a few seconds for the federated identity credential to be propagated after being initially added.

+## How it works

+In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library or the Microsoft Authentication Library.

+The following table describes the required OIDC issuer endpoints for Azure AD workload identity:

+|Endpoint |Description |

+|||

+|`{IssuerURL}/.well-known/openid-configuration` |Also known as the OIDC discovery document. This contains the metadata about the issuer's configurations. |

+|`{IssuerURL}/openid/v1/jwks` |This contains the public signing key(s) that Azure AD uses to verify the authenticity of the service account token. |

+The following diagram summarizes the authentication sequence using OpenID Connect.

+## Service account labels and annotations

+Azure AD workload identity supports the following mappings related to a service account:

+- One-to-one where a service account references an Azure AD object.

+- Many-to-one where multiple service accounts references the same Azure AD object.

+- One-to-many where a service account references multiple Azure AD objects by changing the client ID annotation.

+> [!NOTE]

+> If the service account annotations are updated, you need to restart the pod for the changes to take effect.

+If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think of a service account as an Azure Identity, except a service account is part of the core Kubernetes API, rather than a [Custom Resource Definition][custom-resource-definition] (CRD). The following describes a list of available labels and annotations that can be used to configure the behavior when exchanging the service account token for an Azure AD access token.

+### Service account labels

+|Label |Description |Recommended value |Required |

+|||||

+|`azure.workload.identity/use` |Represents the service account<br> is to be used for workload identity. |true |Yes |

+### Service account annotations

+|Annotation |Description |Default |

+|--||--|

+|`azure.workload.identity/client-id` |Represents the Azure AD application<br> client ID to be used with the pod. ||

+|`azure.workload.identity/tenant-id` |Represents the Azure tenant ID where the<br> Azure AD application is registered. |AZURE_TENANT_ID environment variable extracted<br> from `azure-wi-webhook-config` ConfigMap.|

+|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the<br> projected service account token. It's an optional field that you configure to prevent downtime<br> caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. |3600<br> Supported range is 3600-86400.|

+### Pod annotations

+|Annotation |Description |Default |

+|--||--|

+|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. ¹ |3600<br> Supported range is 3600-86400. |

+|`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |

+|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true |

+|`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8080 |

+ ¹ Takes precedence if the service account is also annotated.

+## How to migrate to workload identity

+On a cluster that is already running a pod-managed identity, you can configure it to use workload identity one of two ways. The first option allows you to use the same configuration you've implemented for pod-managed identity today. You just need to annotate the service account within the namespace with the identity, and it enables workload identity to inject the annotations into the pods.

+The second option is to rewrite your application to use the latest version of the Azure Identity client library.

+To help streamline and ease the migration process, we've developed a migration sidecar that converts the IMDS transactions your application makes over to [OpenID Connect][openid-connect-overview] (OIDC). The migration sidecar isn't intended to be a long-term solution, but a way to get up and running quickly on workload identity. Running the migration sidecar within your application proxies the application IMDS transactions over to OIDC. The alternative approach is to upgrade to a supported version of the [Azure Identity][azure-identity-libraries] client library, which supports OIDC authentication.

+The following table summarizes our migration or deployment recommendations for workload identity.

+|Scenario |Description |

+|||

+| New or existing cluster deployment [runs a supported version](#dependencies) of Azure Identity client library | No migration steps are required.<br> Sample deployment resources:<br> - [Deploy and configure workload identity on a new cluster][deploy-configure-workload-identity-new-cluster]<br> - [Tutorial: Use a workload identity with an application on AKS][tutorial-use-workload-identity] |

+| New or existing cluster deployment [runs an unsupported version](#dependencies) of Azure Identity client library| Update container image to use a supported version of the Azure Identity SDK, or use the [migration sidecar][workload-identity-migration-sidecar]. |

+## Next steps

+* To learn how to set up your pod to authenticate using a workload identity as a migration option, see [Modernize application authentication with workload identity][workload-identity-migration-sidecar].

+* See the tutorial [Use a workload identity with an application on Azure Kubernetes Service (AKS)][tutorial-use-workload-identity], which helps you deploy an Azure Kubernetes Service cluster and configure a sample application to use a workload identity.

+<!-- EXTERNAL LINKS -->

+[azure-sdk-download]: https://azure.microsoft.com/downloads/

+[custom-resource-definition]: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/

+<!-- INTERNAL LINKS -->

+[use-azure-ad-pod-identity]: use-azure-ad-pod-identity.md

+[azure-ad-workload-identity]: ../active-directory/develop/workload-identities-overview.md

+[azure-instance-metadata-service]: ../virtual-machines/linux/instance-metadata-service.md

+[microsoft-authentication-library]: ../active-directory/develop/msal-overview.md

+[azure-ad-application-registration]: ../active-directory/develop/application-model.md#register-an-application

+[install-azure-cli]: /cli/azure/install-azure-cli

+[azure-identity-libraries]: ../active-directory/develop/reference-v2-libraries.md

+[openid-connect-overview]: ../active-directory/develop/v2-protocols-oidc.md

+[deploy-configure-workload-identity-new-cluster]: workload-identity-deploy-cluster.md

+[tutorial-use-workload-identity]: ./learn/tutorial-kubernetes-workload-identity.md

+[workload-identity-migration-sidecar]: workload-identity-migration-sidecar.md

+[dotnet-azure-identity-client-library]: /dotnet/api/overview/azure/identity-readme

+[java-azure-identity-client-library]: /java/api/overview/azure/identity-readme

+[javascript-azure-identity-client-library]: /javascript/api/overview/azure/identity-readme

+[python-azure-identity-client-library]: /python/api/overview/azure/identity-readme

+This article uses Health check in the Azure portal to monitor App Service instances. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. Your [App Service plan](./overview-hosting-plans.md) should be scaled to two or more instances to fully utilize Health check. The Health check path should check critical components of your application. For example, if your application depends on a database and a messaging system, the Health check endpoint should connect to those components. If the application can't connect to a critical component, then the path should return a 500-level response code to indicate the app is unhealthy. Also, if the path does not return a response within 1 minute the health check ping is considered unhealthy.

+If your app is only scaled to one instance and becomes unhealthy, it will not be removed from the load balancer because that would take down your application entirely. However, after one hour of continuous unhealthy pings, the instance is replaced. Scale out to two or more instances to get the rerouting benefit of Health check. If your app is running on a single instance, you can still use Health check's [monitoring](#monitoring) feature to keep track of your application's health.

+### Is Health check following the application code configured redirects between the default domain and the custom domain?

+No, the Health check feature is pinging the path of the default domain of the web application. If there is a redirect from the default domain to a custom domain, then the status code that Health check is returning is not going to be a 200 but a redirect (301), which is going to mark the worker unhealthy.

+App access allows you to configure if access is available through the default (public) endpoint. If the setting has never been configured, the default behavior is to enable access unless a private endpoint exists after which it will be implicitly disabled. You have the ability to explicitly configure this behavior to either enabled or disabled even if private endpoints exist.

+ * Norway East

+To upgrade your version 4 Azure Cache for Redis instance, see [How to upgrade an existing Redis 4 cache to Redis 6](cache-how-to-upgrade.md). If your cache instances have geo-replication enabled, youΓÇÖre required to unlink the caches before upgrade.

+Idempotent functions are especially recommended with timer triggers. For example, if you have something that absolutely must run once a day, write it so it can run anytime during the day with the same results. The function can exit when there's no work for a particular day. Also if a previous run failed to complete, the next run should pick up where it left off. This is particularly important for message-based bindings that retry on failure. For more information, see [Designing Azure Functions for identical input](functions-idempotent.md).

+You can view and set the `LinuxFxVersion` by using the Azure CLI. To know the list of available `LinuxFxVersion`, use [az functionapp list-runtimes](/cli/azure/functionapp#az-functionapp-list-runtimes) command.

+ Title: Deploy Start/Stop VMs v2 to an Azure subscription

+# Deploy Start/Stop VMs v2 to an Azure subscription

+Perform the steps in this article in sequence to install the Start/Stop VMs v2 feature. After completing the setup process, configure the schedules to customize it to your requirements.

+Keep the following considerations in mind before and during deployment:

+The deployment is initiated from the [Start/Stop VMs v2 GitHub organization](https://github.com/microsoft/startstopv2-deployments/blob/main/README.md). While this feature is intended to manage all of your VMs in your subscription across all resource groups from a single deployment within the subscription, you can install another instance of it based on the operations model or requirements of your organization. It also can be configured to centrally manage VMs across multiple subscriptions.

+The Start/Stop VMs v2 feature starts or stops Azure Virtual Machines instances across multiple subscriptions. It starts or stops virtual machines on user-defined schedules, provides insights through [Azure Application Insights](../../azure-monitor/app/app-insights-overview.md), and send optional notifications by using [action groups](../../azure-monitor/alerts/action-groups.md). For most scenarios, Start/Stop VMs can manage virtual machines deployed and managed both by Azure Resource Manager and by Azure Service Manager (classic), which is [deprecated](../../virtual-machines/classic-vm-deprecation.md).

+This new version of Start/Stop VMs v2 provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the [original version](../../automation/automation-solution-vm-management.md) available with Azure Automation, but it's designed to take advantage of newer technology in Azure.

+> We've added a plan (**AZ - Availability Zone**) to our Start/Stop MVs v2 solution to enable a high-availability offering. You can now choose between Consumption and Availability Zone plans before you start your deployment. In most cases, the monthly cost of the Availability Zone plan is higher when compared to the Consumption plan.

+An HTTP trigger function endpoint is created to support the schedule and sequence scenarios included with the feature, as shown in the following table.

+|Scheduled |HTTP |This function is for both scheduled and sequenced scenario (differentiated by the payload schema). It's the entry point function called from the Logic App and takes the payload to process the VM start or stop operation. |

+- **Sequenced** - Start and stop actions are based on a schedule targeting VMs with pre-defined sequencing tags. Only two named tags are supported - `sequencestart` and `sequencestop`. **ststv2_vms_Sequenced_start** and **ststv2_vms_Sequenced_stop** configure the sequenced start and stop.

+ The proper way to use the sequence functionality is to create a tag named `sequencestart` on each VM you wish to be started in a sequence. The tag value needs to be an integer ranging from 1 to N for each VM in the respective scope. The tag is optional and if not present, the VM simply won't participate in the sequencing. The same criteria applies to stopping VMs with only the tag name being different and use `sequencestop` in this case. You have to configure both the tags in each VM to get start and stop action. If two or more VMs share the same tag value, those VMs would be started or stopped at the same time.

+All trace logging data from the function app execution is sent to your connected Application Insights instance. You can view the telemetry data stored in Application Insights from a set of pre-defined visualizations presented in a shared [Azure dashboard](../../azure-portal/azure-portal-dashboards.md).

+Specifying a list of VMs can be used when you need to perform the start and stop action on a specific set of virtual machines, and across multiple subscriptions. This option doesn't support specifying a list of VMs to exclude.

+ Title: Adding preactions to schedules in Start/Stop VMs v2 (Azure)

+description: This article shows you how to add a preaction to your Start/Stop VMs v2 schedules.

+# Adding pre-actions to schedules in Start/Stop VMs v2

+Pre-actions are a set of actions in Start/Stop VMs v2 that execute before scheduled start or stop actions. Some scenarios for using pre-actions before a start or stop action include:

+ - Create a backup of an Azure SQL Database.

+ - Send a message to Azure Application Insights.

+ - Call an external API.

+Because Start/Stop VMs v2 uses [Azure Logic Apps](../../logic-apps/logic-apps-overview.md) to manage its schedules, it's easy to add one or more pre-actions before the main action. To learn more about Logic Apps, see the [Logic Apps documentation](../../logic-apps/logic-apps-overview.md).

+This article describes how to use the Logic Apps Designer in the Azure portal to add an HTTP request pre-action to an existing scheduled start action in Start/Stop VMs v2. In your implementation, the pre-action can be any action supported by Logic Apps.

+> [!NOTE]

+> At this time, Start/Stop VMs v2 only supports pre-actions, which are run before the execution of the main action. Because Log Apps runs Start/Stop VMs v2 actions asynchronously, there's currently no way to trigger a post-action that occurs after the main action completes.

+## Prerequisites

+You must first complete the steps in [Deploy Start/Stop VMs v2 to an Azure subscription][deployment article], or else complete a default deployment from the [Start Stop V2 Deployments GitHub repository](https://github.com/microsoft/startstopv2-deployments). Logic app and action names are based on the ones in a default deployment of Start/Stop VMs v2.

+## Create an HTTP request pre-action

+The steps in this section require the `ststv2_vms_Scheduled_start` logic app that was created and deployed when you completed the [deployment article]. However, the same basic process is used for all scheduled actions.

+ 1. In the [Azure portal](https://portal.azure.com), search for and navigate to the resource group you created when you deployed Start/Stop VMs v2.

+

+ 1. In the resource group, choose the logic app named `ststv2_vms_Scheduled_start`, which represents the default scheduled start action.

+ 1. In **Overview** page of the logic app, select **Edit**.

+ 1. In the Logic Apps Designer page, select **Function-Try** and then select **Add an action**.

+ :::image type="content" source="./media/pre-actions/add-action-button.png" alt-text="Screenshot of the Logic Apps designer showing Add an Action button location.":::

+ 5. Choose **HTTP**, select the HTTP **Method**, and add the **URL**. This HTTP request will be the pre-action for the scheduled start action, after you change the action order in **Function-Try**. You can also configure the HTTP action at a later time.

+ 6. Drag the **Scheduled** action below the new **HTTP** action in the **Function-Try** step. The pre-action must come before the scheduled action in the step. Your app should now look like the following example:

+ :::image type="content" source="./media/pre-actions/pre-action-configured.png" alt-text="Screenshot of the Logic Apps designer showing the actions in the correct order.":::

+At this point, you've defined a pre-action that's run before the start action scheduled by `ststv2_vms_Scheduled_start`.

+## Next steps

+If you have issues working with Start/Stop VMs v2, see the [Troubleshoot Guide](troubleshoot.md). For more assistance, you can also create an issue in the [Start Stop V2 Deployments GitHub repository](https://github.com/microsoft/startstopv2-deployments/issues).

+[deployment article]: deploy.md

+| [App Service](../../app-service/index.yml) | &#x2705; | &#x2705; |

+| [SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) | &#x2705; | &#x2705; |

+| [SQL Server Stretch Database](../../sql-server-stretch-database/index.yml) | &#x2705; | &#x2705; |

+| [Virtual Network NAT](../../virtual-network/nat-gateway/index.yml) | &#x2705; | &#x2705; |

+*Last updated: September 2022*

+| [App Service](../../app-service/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [Azure Monitor](../../azure-monitor/index.yml) (incl. [Application Insights](../../azure-monitor/app/app-insights-overview.md) and [Log Analytics](../../azure-monitor/logs/data-platform-logs.md)) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

+| [Traffic Manager](../../traffic-manager/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) and the new [workspace-based Application Insights resources](../app/create-workspace-resource.md). Each sample includes a template file and a parameters file with sample values to provide to the template.

+The following sample creates a [workspace-based Application Insights resource](../app/create-workspace-resource.md).

+### What if I see the message ***Error retrieving data*** while navigating Application Insights in the Azure portal?

+This error indicates that the browser was unable to call into a required API or the API returned a failure response. To troubleshoot the behavior, open a browser [InPrivate window](https://support.microsoft.com/microsoft-edge/browse-inprivate-in-microsoft-edge-cd2c9a48-0bc4-b98e-5e46-ac40c84e27e2) and [disable any browser extensions](https://support.microsoft.com/microsoft-edge/add-turn-off-or-remove-extensions-in-microsoft-edge-9c0ec68c-2fbc-2f2c-9ff0-bdc76f46b026) that are running, then identify if you can still reproduce the portal behavior. If the portal error still occurs, try testing with other browsers, or other machines, investigate DNS or other network related issues from the client machine where the API calls are failing. If the portal error persists and requires further investigations, then [collect a browser network trace](https://learn.microsoft.com/azure/azure-portal/capture-browser-trace) while you reproduce the unexpected portal behavior and open a support case from the Azure portal.

+* When the API limit has been exceeded, the HTTP response code is **429**. For example:

+ curl -X GET -H "Authorization: Bearer [TOKEN]" -H "Content-Type: application/json" https://management.azure.com/subscriptions/[SUBSCRIPTION_ID]/providers/Microsoft.Web/sites?api-version=2022-05-01

+`https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts?api-version=2022-05-01`

+curl -X GET -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts?api-version=2022-05-01

+curl -X GET -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE/capacityPools?api-version=2022-05-01

+curl -X GET -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE/capacityPools/CAPACITYPOOLGOESHERE/volumes?api-version=2022-05-01

+curl -X GET -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE/capacityPools/CAPACITYPOOLGOESHERE/volumes/VOLUMEGOESHERE/snapshots?api-version=2022-05-01

+curl -d @<filename> -X PUT -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE?api-version=2022-05-01

+curl -d @<filename> -X PUT -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE/capacityPools/CAPACITYPOOLGOESHERE?api-version=2022-05-01

+curl -d @<filename> -X PUT -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE/capacityPools/CAPACITYPOOLGOESHERE/volumes/MYNEWVOLUME?api-version=2022-05-01

+curl -d @<filename> -X PUT -H "Authorization: Bearer TOKENGOESHERE" -H "Content-Type: application/json" https://management.azure.com/subscriptions/SUBIDGOESHERE/resourceGroups/RESOURCEGROUPGOESHERE/providers/Microsoft.NetApp/netAppAccounts/NETAPPACCOUNTGOESHERE/capacityPools/CAPACITYPOOLGOESHERE/volumes/MYNEWVOLUME/Snapshots/SNAPNAME?api-version=2022-05-01

+> Conversion between Basic and Standard networking features in either direction is not currently supported.

+>

+> Additionally, you can create Basic volumes from Basic volume snapshots and Standard volumes from Standard volume snapshots. Creating a Basic volume from a Standard volume snapshot is not supported. Creating a Standard volume from a Basic volume snapshot is not supported.

+1. From the NetApp Account view, go to **Capacity pools**, and select the capacity pool that you want to resize.

+2. Right-click the capacity pool name or select the "…" icon at the end of the capacity pool row to display the context menu. Select **Resize**.

+3. In the Resize pool window, specify the pool size. Select **OK**.

+1. From the NetApp Account view, go to **Volumes**, and select the volume that you want to resize.

+2. Right-click the volume name or select the "…" icon at the end of the volume's row to display the context menu. Select **Resize**.

+3. In the Update volume quota window, specify the quota for the volume. Select **OK**.

+The REST API specification and example code for Azure NetApp Files are available through the [resource-manager GitHub directory](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager/Microsoft.NetApp/stable).

+| Number of cross-region replication data protection volumes (destination volumes) | 10 | Yes |

+| .NET | [Azure/azure-sdk-for-net](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/netapp) |

+| Python | [Azure/azure-sdk-for-python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/netapp) |

+| Go | [Azure/azure-sdk-for-go](https://github.com/Azure/azure-sdk-for-go/tree/main/services/netapp) |

+| Java | [Azure/azure-sdk-for-java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/netapp) |

+| JavaScript | [Azure/azure-sdk-for-js](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/netapp/arm-netapp) |

+* You can create Basic volumes from Basic volume snapshots and Standard volumes from Standard volume snapshots. Creating a Basic volume from a Standard volume snapshot is not supported. Creating a Standard volume from a Basic volume snapshot is not supported.

+The REST API specification for Azure NetApp Files is published through [GitHub](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager):

+`https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager`

+ Invoke-RestMethod -Method Get -Headers $headers -Uri https://management.azure.com/subscriptions/$SubId/providers/Microsoft.Web/sites?api-version=2022-05-01

+`https://management.azure.com/subscriptions/$SUBID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.NetApp/netAppAccounts?api-version=2022-05-01`

+Invoke-RestMethod -Method Get -Headers $headers -Uri https://management.azure.com/subscriptions/$SUBID/resourceGroups/$ResourceGroup/providers/Microsoft.NetApp/netAppAccounts?api-version=2022-05-01 | ConvertTo-Json

+Invoke-RestMethod -Method Get -Headers $headers -Uri https://management.azure.com/subscriptions/$SUBID/resourceGroups/$ResourceGroup/providers/Microsoft.NetApp/netAppAccounts/$ANFACCOUNT/capacityPools?api-version=2022-05-01 | ConvertTo-Json

+Invoke-RestMethod -Method Get -Headers $headers -Uri https://management.azure.com/subscriptions/$SUBID/resourceGroups/$ResourceGroup/providers/Microsoft.NetApp/netAppAccounts/$ANFACCOUNT/capacityPools/$ANFCAPACITYPOOL/volumes?api-version=2022-05-01 | ConvertTo-Json

+Invoke-RestMethod -Method Get -Headers $headers -Uri https://management.azure.com/subscriptions/$SUBID/resourceGroups/$ResourceGroup/providers/Microsoft.NetApp/netAppAccounts/$ANFACCOUNT/capacityPools/$ANFCAPACITYPOOL/volumes/$ANFVOLUME/snapshots?api-version=2022-05-01 | ConvertTo-Json

+The REST API specification and example code for Azure NetApp Files are available through the [resource-manager GitHub directory](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager/Microsoft.NetApp/stable).

+1. From the Manage NetApp Account blade, select **Volumes**.

+2. Right-click the name of the volume that you want to resize or select the `…` icon at the end of the volume's row to display the context menu.

+1. From the Manage NetApp Account blade, select the capacity pool that you want to resize.

+2. Right-click the capacity pool name or select the `…` icon at the end of the capacity pool’s row to display the context menu.

+The REST API for the Azure NetApp Files service defines HTTP operations against resources such as the NetApp account, the capacity pool, the volumes, and snapshots. The REST API specification for Azure NetApp Files is published through the [Azure NetApp Files Resource Manager GitHub page](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager)]. You can find [example code for use with REST APIs](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager/Microsoft.NetApp/stable/2020-06-01/examples) in GitHub.

+The REST API for the Azure NetApp Files service defines HTTP operations against resources such as the NetApp account, the capacity pool, the volumes, and snapshots. The [REST API specification for Azure NetApp Files](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager) is published through GitHub.

+There's no change in resource limits for Azure NetApp Files beyond the quota changes described in this article.

+Yes. See the [Volume AutoGrow Workflow Example GitHub page](https://github.com/ANFTechTeam/ANFCapacityManager/blob/main/ResizeWorkflow.md).

+[The ANFCapacityManager logic app is provided as-is and is not supported by NetApp or Microsoft](https://github.com/ANFTechTeam/ANFCapacityManager#disclaimer). You're encouraged to modify to fit your specific environment or requirements. You should test the functionality before deploying it to any business critical or production environments.

+You can submit bugs and feature requests by selecting **New Issue** on the [ANFCapacityManager GitHub page](https://github.com/ANFTechTeam/ANFCapacityManager/issues).

+>[!CAUTION]

+>**The OTA update on Azure Percept DK is no longer supported. For information on how to proceed, please visit [Update the Azure Percept DK over a USB-C cable connection](./how-to-update-via-usb.md).**

+>[!CAUTION]

+>**The OTA update on Azure Percept DK is no longer supported. For information on how to proceed, please visit [Update the Azure Percept DK over a USB-C cable connection](./how-to-update-via-usb.md).**

+>[!CAUTION]

+>**The OTA update on Azure Percept DK is no longer supported. For information on how to proceed, please visit [Update the Azure Percept DK over a USB-C cable connection](./how-to-update-via-usb.md).**

+>[!CAUTION]

+>**The OTA update on Azure Percept DK is no longer supported. For information on how to proceed, please visit [Update the Azure Percept DK over a USB-C cable connection](./how-to-update-via-usb.md).**

+ "use-recent-api-versions": {

+ "level": "warning"

+ },

+ Title: Linter rule - use recent API versions

+description: Linter rule - use recent API versions

+# Linter rule - use recent API versions

+This rule looks for resource API versions that are older than 730 days. It is recommended to use the most recent API versions.

+> [!NOTE]

+> This rule is off by default, change the level in [bicepconfig.json](./bicep-config-linter.md) to enable it.

+## Linter rule code

+Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:

+`use-recent-api-versions`

+## Solution

+Use the most recent API version, or one that is no older than 730 days.

+## Next steps

+For more information about the linter, see [Use Bicep linter](./linter.md).

+- [use-recent-api-versions](./linter-rule-use-recent-api-versions.md)

+> [!IMPORTANT]

+> Azure Resource Manager will only support Transport Layer Security (TLS) 1.2 or later by Fall 2023. For more information, see [Migrating to TLS 1.2 for Azure Resource Manager](tls-support.md).

+ Title: TLS version supported by Azure Resource Manager

+description: Describes the deprecation of TLS versions prior to 1.2 in Azure Resource Manager

+# Migrating to TLS 1.2 for Azure Resource Manager

+Transport Layer Security (TLS) is a security protocol that establishes encryption channels over computer networks. TLS 1.2 is the current industry standard and is supported by Azure Resource Manager. For backwards compatibility, Azure Resource Manager also supports earlier versions, such as TLS 1.0 and 1.1, but that support is ending.

+To ensure that Azure is compliant with regulatory requirements, and provide improved security for our customers, **Azure Resource Manager will stop supporting protocols older than TLS 1.2 by Fall 2023.**

+This article provides guidance for removing dependencies on older security protocols.

+## Why migrate to TLS 1.2

+TLS encrypts data sent over the internet to prevent malicious users from accessing private, sensitive information. The client and server perform a TLS handshake to verify each other's identity and determine how they'll communicate. During the handshake, each party identifies which TLS versions they use. The client and server can communicate if they both support a common version.

+TLS 1.2 is more secure and faster than its predecessors.

+Azure Resource Manager is the deployment and management service for Azure. You use Azure Resource Manager to create, update, and delete resources in your Azure account. To strengthen security and mitigate against any future protocol downgrade attacks, Azure Resource Manager will no longer support TLS 1.1 or earlier. To continue using Azure Resource Manager, make sure all of your clients that call Azure use TLS 1.2 or later.

+## Prepare for migration to TLS 1.2

+We recommend the following steps as you prepare to migrate your clients to TLS 1.2:

+* Update your operating system to the latest version.

+* Update your development libraries and frameworks to their latest versions.

+ For example, Python 3.6 and 3.7 support TLS 1.2.

+* Fix hardcoded instances of security protocols older than TLS 1.2.

+* Notify your customers and partners of your product or service's migration to TLS 1.2.

+For a more detailed guidance, see the [checklist to deprecate older TLS versions](/security/engineering/solving-tls1-problem#figure-1-security-protocol-support-by-os-version) in your environment.

+## Quick tips

+* Windows 8+ has TLS 1.2 enabled by default.

+* Windows Server 2016+ has TLS 1.2 enabled by default.

+* When possible, avoid hardcoding the protocol version. Instead, configure your applications to always defer to your operating system's default TLS version.

+ For example, you can enable the `SystemDefaultTLSVersion` flag in .NET Framework applications to defer to your operating system's default version. This approach lets your applications take advantage of future TLS versions.

+ If you can't avoid hardcoding, specify TLS 1.2.

+* Upgrade applications that target .NET Framework 4.5 or earlier. Instead, use .NET Framework 4.7 or later because these versions support TLS 1.2.

+ For example, Visual Studio 2013 doesn't support TLS 1.2. Instead, use at least the latest release of Visual Studio 2017.

+* You can use [Qualys SSL Labs](https://www.ssllabs.com/) to identify which TLS version is requested by clients connecting to your application.

+* You can use [Fiddler](https://www.telerik.com/fiddler) to identify which TLS version your client uses when you send out HTTPS requests.

+## Next steps

+* [Solving the TLS 1.0 Problem, 2nd Edition](/security/engineering/solving-tls1-problem) ΓÇô deep dive into migrating to TLS 1.2.

+* [How to enable TLS 1.2 on clients](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client) ΓÇô for Microsoft Endpoint Configuration Manager.

+* [Configure Transport Layer Security (TLS) for a client application](../../storage/common/transport-layer-security-configure-client-version.md) ΓÇô contains instructions to update TLS version in PowerShell

+* [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment) ΓÇô contains information on updating TLS version for WinHTTP.

+* [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls) ΓÇô best practices when configuring security protocols for applications targeting .NET Framework.

+* [TLS best practices with the .NET Framework](https://github.com/dotnet/docs/issues/4675) ΓÇô GitHub to ask questions about best practices with .NET Framework.

+* [Troubleshooting TLS 1.2 compatibility with PowerShell](https://github.com/microsoft/azure-devops-tls12) ΓÇô probe to check TLS 1.2 compatibility and identify issues when incompatible with PowerShell.

+When creating a new ARM-based account, you have an option to import your content from the trial account into the new ARM-based account free of charge.

+Only the accountΓÇÖs admin can add or remove users. When using paid accounts, you are only able to invite Azure AD users.

+1. In the **Share this account with others** dialog, enter an email address of a person you want to invite to your Azure Video Indexer account:

+|Indexing Logs| Monitor the indexing process from upload to indexing and Re-indexing when needed|

+|`search` | String | Allows you to control the initial search term.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?search=azure` renders the insights filtered by the word "Azure". |

+|`sort` | Strings separated by comma | Allows you to control the sorting of an insight.<br/>Each sort consists of 3 values: widget name, property and order, connected with '_' `sort=name_property_order`<br/>Available options:<br/>widgets: keywords, audioEffects, labels, sentiments, emotions, keyframes, scenes, namedEntities and spokenLanguage.<br/>property: startTime, endTime, seenDuration, name and ID.<br/>order: asc and desc.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?sort=labels_id_asc,keywords_name_desc` renders the labels sorted by ID in ascending order and keywords sorted by name in descending order.|

+For more information, see [supported browsers](video-indexer-get-started.md#supported-browsers).

+You can access Azure Video Indexer capabilities in three ways:

+* Azure Video Indexer portal: An easy-to-use solution that lets you evaluate the product, manage the account, and customize models (as described in this article).

+* API integration: All of Azure Video Indexer's capabilities are available through a REST API, which lets you integrate the solution into your apps and infrastructure. To get started, seeΓÇ»[Use Azure Video Indexer REST API](video-indexer-use-apis.md).

+* Embeddable widget: Lets you embed the Azure Video Indexer insights, player, and editor experiences into your app. For more information, seeΓÇ»[Embed visual widgets in your application](video-indexer-embed-widgets.md).

+If you're using the website, the insights are added as metadata and are visible in the portal. If you're using APIs, the insights are available as a JSON file. This quickstart shows you how to sign in to the Azure Video Indexer [website](https://www.videoindexer.ai/) and how to upload your first video.

+You can access Azure Video Indexer capabilities in three ways:

+* Azure Video Indexer portal: An easy-to-use solution that lets you evaluate the product, manage the account, and customize models.

+ For more information about the portal, see [Get started with the Azure Video Indexer website](video-indexer-get-started.md).

+* API integration: All of Azure Video Indexer's capabilities are available through a REST API, which lets you integrate the solution into your apps and infrastructure.

+ To get started as a developer, seeΓÇ»[Use Azure Video Indexer REST API](video-indexer-use-apis.md).

+* Embeddable widget: Lets you embed the Azure Video Indexer insights, player, and editor experiences into your app.

+ For more information, seeΓÇ»[Embed visual widgets in your application](video-indexer-embed-widgets.md).

+If you're using the website, the insights are added as metadata and are visible in the portal. If you're using APIs, the insights are available as a JSON file.

+The following list shows the supported browsers that you can use for the Azure Video Indexer website and for your apps that embed the widgets. The list also shows the minimum supported browser version:

+- Edge, version: 16

+- Firefox, version: 54

+- Chrome, version: 58

+- Safari, version: 11

+- Opera, version: 44

+- Opera Mobile, version: 59

+- Android Browser, version: 81

+- Samsung Browser, version: 7

+- Chrome for Android, version: 87

+- Firefox for Android, version: 83

+* For the API integration, seeΓÇ»[Use Azure Video Indexer REST API](video-indexer-use-apis.md).

+* To embed widgets, seeΓÇ»[Embed visual widgets in your application](video-indexer-embed-widgets.md).

+* For detailed introduction, visit our [introduction lab](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/IntroToVideoIndexer.md).

+ At the end of the workshop, you'll have a good understanding of the kind of information that can be extracted from video and audio content, you'll be more prepared to identify opportunities related to content intelligence, pitch video AI on Azure, and demo several scenarios on Azure Video Indexer.

+Learn how to [get started with Azure Video Indexer](video-indexer-get-started.md).

+Microsoft will regularly apply important updates to the Azure VMware Solution for new features and software lifecycle management. You'll receive a notification through Azure Service Health that includes the timeline of the maintenance. For more information, see [Host maintenance and lifecycle management](concepts-private-clouds-clusters.md#host-maintenance-and-lifecycle-management).

+Once complete, newer versions of VMware solution components will appear. If you notice any issues or have any questions, contact our support team by opening a support ticket.

+- [Azure Public IPv4 address to NSX-T Data Center Edge](#azure-public-ipv4-address-to-nsx-t-data-center-edge)

+## Azure Public IPv4 address to NSX-T Data Center Edge

+This option brings an allocated Azure Public IPv4 address directly to the NSX-T Data Center Edge for consumption. It allows the Azure VMware Solution private cloud to directly consume and apply public network addresses in NSX-T Data Center as required. These addresses are used for the following types of connections:

+- Load balancing using VMware NSX Advanced Load Balancer and other third-party Network Virtual Appliances

+ - Scale ΓÇô the soft limit of 64 Azure Public IPv4 addresses can be increased by request to 1,000s of Azure Public IPs allocated if required by an application.

+ - Flexibility ΓÇô An Azure Public IPv4 address can be applied anywhere in the NSX-T Data Center ecosystem. It can be used to provide SNAT or DNAT, on load balancers like VMwareΓÇÖs NSX Advanced Load Balancer, or third-party Network Virtual Appliances. It can also be used on third-party Network Virtual Security Appliances on VMware segments or directly on VMs.

+ - Regionality ΓÇô the Azure Public IPv4 address to the NSX-T Data Center Edge is unique to the local SDDC. For ΓÇ£multi private cloud in distributed regions,ΓÇ¥ with local exit to Internet intentions, itΓÇÖs much easier to direct traffic locally versus trying to control default route propagation for a security or SNAT service hosted in Azure. If you've two or more Azure VMware Solution private clouds connected with a Public IP configured, they can both have a local exit.

+- If you need to run a third-party Network Virtual Appliance to conform to existing standards for security inspection or streamlined opex, you have two options. You can run your Azure Public IPv4 address in Azure native with the default route method or run it in Azure VMware Solution using Azure Public IPv4 address to NSX-T Data Center Edge.

+- There are scale limits on how many Azure Public IPv4 addresses can be allocated to a Network Virtual Appliance running in native Azure or provisioned on Azure Firewall. The Azure Public IPv4 address to NSX-T Data Center Edge option allows for much higher allocations (1,000s versus 100s).

+- Use an Azure Public IPv4 address to the NSX-T Data Center Edge for a localized exit to the internet from each private cloud in its local region. Using multiple Azure VMware Solution private clouds in several Azure regions that need to communicate with each other and the internet, it can be challenging to match an Azure VMware Solution private cloud with a security service in Azure. The difficulty is due to the way a default route from Azure works.

+The Long Audio API provides asynchronous synthesis of long-form text to speech. Publishers and audio content platforms can create long audio content in a batch. For example: audio books, news articles, and documents. The Long Audio API can create synthesized audio longer than 10 minutes.

+> [!TIP]

+> You can also use the [Speech SDK](speech-sdk.md) to create synthesized audio longer than 10 minutes by iterating over the text and synthesizing it in chunks. For a C# example, see [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_synthesis_samples.cs).

+The Long Audio API is asynchronous and doesn't return synthesized audio in real time. You submit text files to be synthesized, poll for the status, and download the audio output when the status indicates success.

+* Is a single plain text (.txt) or SSML text (.txt). Don't use compressed files such as ZIP.

+ * For plain text, each paragraph is separated by pressing **Enter/Return**. See [plain text input example](https://github.com/Azure-Samples/Cognitive-Speech-TTS/blob/master/CustomVoice-API-Samples/Java/en-US.txt).

+* If you're using public neural voice, replace `<voice_name>` with the desired output voice.

+| Create | 400 | The voice synthesis isn't enabled in this region. | Change the speech resource key with a supported region. |

+| | 400 | This model can't be used in the voice synthesis: {modelID}. | Make sure the {modelID}'s state is correct. |

+| | 400 | The region for the request doesn't match the region for the model: {modelID}. | Make sure the {modelID}'s region match with the request's region. |

+| | 400 | The voice name {voiceName} isn't found in the input file. | The input SSML voice name isn't aligned with the model ID. |

+| | 404 | The model declared in the voice synthesis definition can't be found: {modelID}. | Make sure the {modelID} is correct. |

+| All | 429 | There are too many requests. | The client is allowed to submit up to five requests to the server per second for each Azure account. Reduce the request amount per second. |

+| GetByID | 404 | The specified entity can't be found. | Make sure the synthesis ID is correct. |

+Before you use the speech-to-text REST API for short audio, understand that you need to complete a token exchange as part of authentication to access the service. For more information, see [Authentication](#authentication).

+## Authentication

+> [!TIP]

+> Use cases for the text-to-speech REST API are limited. Use it only in cases where you can't use the [Speech SDK](speech-sdk.md). For example, with the Speech SDK you can [subscribe to events](how-to-speech-synthesis.md#subscribe-to-synthesizer-events) for more insights about the text-to-speech processing and results.

+Before you use the text-to-speech REST API, understand that you need to complete a token exchange as part of authentication to access the service. For more information, see [Authentication](#authentication).

+You can use the `tts.speech.microsoft.com/cognitiveservices/voices/list` endpoint to get a full list of voices for a specific region or endpoint. Prefix the voices list endpoint with a region to get a list of voices for that region. For example, to get a list of voices for the `westus` region, use the `https://westus.tts.speech.microsoft.com/cognitiveservices/voices/list` endpoint. For a list of all supported regions, see the [regions](regions.md) documentation.

+> [!NOTE]

+> [Voices and styles in preview](language-support.md?tabs=stt-tts) are only available in three service regions: East US, West Europe, and Southeast Asia.

+Here's an example curl command:

+```curl

+curl --location --request GET 'https://YOUR_RESOURCE_REGION.tts.speech.microsoft.com/cognitiveservices/voices/list' \

+--header 'Ocp-Apim-Subscription-Key: YOUR_RESOURCE_KEY'

+```

+### Sample response

+You should receive a response with a JSON body that includes all supported locales, voices, gender, styles, and other details. This JSON example shows partial results to illustrate the structure of a response:

+```json

+[

+ // Redacted for brevity

+ "Name": "Microsoft Server Speech Text to Speech Voice (en-US, JennyNeural)",

+ "DisplayName": "Jenny",

+ "LocalName": "Jenny",

+ "ShortName": "en-US-JennyNeural",

+ "Gender": "Female",

+ "Locale": "en-US",

+ "LocaleName": "English (United States)",

+ "StyleList": [

+ "assistant",

+ "chat",

+ "customerservice",

+ "newscast",

+ "angry",

+ "cheerful",

+ "sad",

+ "excited",

+ "friendly",

+ "terrified",

+ "shouting",

+ "unfriendly",

+ "whispering",

+ "hopeful"

+ ],

+ "SampleRateHertz": "24000",

+ "VoiceType": "Neural",

+ "Status": "GA",

+ "ExtendedPropertyMap": {

+ "IsHighQuality48K": "True"

+ },

+ "WordsPerMinute": "152"

+ // Redacted for brevity

+ "Name": "Microsoft Server Speech Text to Speech Voice (en-US, JennyMultilingualNeural)",

+ "DisplayName": "Jenny Multilingual",

+ "LocalName": "Jenny Multilingual",

+ "ShortName": "en-US-JennyMultilingualNeural",

+ "Gender": "Female",

+ "Locale": "en-US",

+ "LocaleName": "English (United States)",

+ "SecondaryLocaleList": [

+ "de-DE",

+ "en-AU",

+ "en-CA",

+ "en-GB",

+ "es-ES",

+ "es-MX",

+ "fr-CA",

+ "fr-FR",

+ "it-IT",

+ "ja-JP",

+ "ko-KR",

+ "pt-BR",

+ "zh-CN"

+ ],

+ "SampleRateHertz": "24000",

+ "VoiceType": "Neural",

+ "Status": "GA",

+ "WordsPerMinute": "190"

+ },

+ // Redacted for brevity

+ {

+ "Name": "Microsoft Server Speech Text to Speech Voice (ga-IE, OrlaNeural)",

+ "DisplayName": "Orla",

+ "LocalName": "Orla",

+ "ShortName": "ga-IE-OrlaNeural",

+ "Gender": "Female",

+ "Locale": "ga-IE",

+ "LocaleName": "Irish (Ireland)",

+ "SampleRateHertz": "24000",

+ "VoiceType": "Neural",

+ "Status": "GA",

+ "WordsPerMinute": "139"

+ },

+ // Redacted for brevity

+ {

+ "Name": "Microsoft Server Speech Text to Speech Voice (zh-CN, YunxiNeural)",

+ "DisplayName": "Yunxi",

+ "LocalName": "云希",

+ "ShortName": "zh-CN-YunxiNeural",

+ "Gender": "Male",

+ "Locale": "zh-CN",

+ "LocaleName": "Chinese (Mandarin, Simplified)",

+ "StyleList": [

+ "narration-relaxed",

+ "embarrassed",

+ "fearful",

+ "cheerful",

+ "disgruntled",

+ "serious",

+ "angry",

+ "sad",

+ "depressed",

+ "chat",

+ "assistant",

+ "newscast"

+ ],

+ "SampleRateHertz": "24000",

+ "VoiceType": "Neural",

+ "Status": "GA",

+ "RolePlayList": [

+ "Narrator",

+ "YoungAdultMale",

+ "Boy"

+ ],

+ "WordsPerMinute": "293"

+ },

+ // Redacted for brevity

+The `cognitiveservices/v1` endpoint allows you to convert text to speech by using [Speech Synthesis Markup Language (SSML)](speech-synthesis-markup.md).

+## Authentication

+> You're billed for each character that's converted to speech, including punctuation. Although the SSML document itself is not billable, optional elements that are used to adjust how the text is converted to speech, like phonemes and pitch, are counted as billable characters. For more information, see [text-to-speech pricing notes](text-to-speech.md#pricing-note).

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `version` | Indicates the version of the SSML specification used to interpret the document markup. The current version is 1.0.| Required|

+| `xml:lang` | Specifies the language of the root document. The value can contain a lowercase, two-letter language code, for example, `en`. Or the value can contain the language code and uppercase country/region, for example, `en-US`. | Required |

+| `xmlns` | Specifies the URI to the document that defines the markup vocabulary (the element types and attribute names) of the SSML document. The current URI is http://www.w3.org/2001/10/synthesis. | Required |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+This example uses the `en-US-JennyNeural` voice. For a complete list of supported voices, see [Language support](language-support.md?tabs=stt-tts).

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `style` | Specifies the speaking style. Speaking styles are voice specific. | Required if adjusting the speaking style for a neural voice. If you're using `mstts:express-as`, the style must be provided. If an invalid value is provided, this element is ignored. |

+| `styledegree` | Specifies the intensity of the speaking style. **Accepted values**: 0.01 to 2 inclusive. The default value is 1, which means the predefined style intensity. The minimum unit is 0.01, which results in a slight tendency for the target style. A value of 2 results in a doubling of the default style intensity. | Optional. If you don't set the `style` attribute, the `styledegree` attribute is ignored. Speaking style degree adjustments are supported for Chinese (Mandarin, Simplified) neural voices.|

+| `role`| Specifies the speaking role-play. The voice acts as a different age and gender, but the voice name isn't changed. | Optional. Role adjustments are supported for these Chinese (Mandarin, Simplified) neural voices: `zh-CN-XiaomoNeural`, `zh-CN-XiaoxuanNeural`, `zh-CN-YunxiNeural`, and `zh-CN-YunyeNeural`. |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| Voice | Primary and default locale | Secondary locales |

+| -- | | - |

+| `en-US-JennyMultilingualNeural` | `en-US` | `de-DE`, `en-AU`, `en-CA`, `en-GB`, `es-ES`, `es-MX`, `fr-CA`, `fr-FR`, `it-IT`, `ja-JP`, `ko-KR`, `pt-BR`, `zh-CN` |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `time` | Specifies the absolute duration of a pause in seconds or milliseconds (ms). This value should be set less than 5,000 ms. Examples of valid values are `2s` and `500ms`. | Optional |

+Here are more details about the `strength` attribute.

+| Strength | Relative duration |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `type` | Specifies the location of silence to be added: <ul><li>`Leading` ΓÇô At the beginning of text </li><li>`Tailing` ΓÇô At the end of text </li><li>`Sentenceboundary` ΓÇô Between adjacent sentences </li></ul> | Required |

+| `Value` | Specifies the absolute duration of a pause in seconds or milliseconds. This value should be set less than 5,000 ms. Examples of valid values are `2s` and `500ms`.| Required |

+> For a list of locales that support phonemes, see footnotes in the [language support](language-support.md?tabs=stt-tts) table.

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `alphabet` | Specifies the phonetic alphabet to use when you synthesize the pronunciation of the string in the `ph` attribute. The string that specifies the alphabet must be specified in lowercase letters. The following options are the possible alphabets that you can specify:<ul><li>`ipa` &ndash; See [SSML phonetic alphabets](speech-ssml-phonetic-sets.md)</li><li>`sapi` &ndash; See [SSML phonetic alphabets](speech-ssml-phonetic-sets.md)</li><li>`ups` &ndash; See [Universal Phone Set](https://documentation.help/Microsoft-Speech-Platform-SDK-11/17509a49-cae7-41f5-b61d-07beaae872ea.htm)</li></ul><br>The alphabet applies only to the `phoneme` in the element. | Optional |

+| `ph` | A string containing phones that specify the pronunciation of the word in the `phoneme` element. If the specified string contains unrecognized phones, text-to-speech rejects the entire SSML document and produces none of the speech output specified in the document. | Required if using phonemes |

+> For a list of locales that support custom lexicon, see footnotes in the [language support](language-support.md?tabs=stt-tts) table.

+> [!NOTE]

+> The `lexicon` element is not supported by the [Long Audio API](long-audio-api.md).

+To define how multiple entities are read, you can create a custom lexicon, which is stored as a `.xml` or `.pls` file. The following code is a sample `.xml` file.

+> The `lexeme` element is case sensitive in the custom lexicon. For example, if you only provide a phoneme for the `lexeme` "Hello," it won't work for the `lexeme` "hello."

+The Speech service defines a phonetic set for these locales: `en-US`, `fr-FR`, `de-DE`, `es-ES`, `ja-JP`, `zh-CN`, `zh-HK`, and `zh-TW`. For more information on the detailed Speech service phonetic alphabet, see the [Speech service phonetic sets](speech-ssml-phonetic-sets.md).

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `pitch` | Indicates the baseline pitch for the text. You can express the pitch as:<ul><li>An absolute value: Expressed as a number followed by "Hz" (Hertz). For example, `<prosody pitch="600Hz">some text</prosody>`.</li><li>A relative value:<ul><li>As a relative number: Expressed as a number preceded by "+" or "-" and followed by "Hz" or "st" that specifies an amount to change the pitch. For example: `<prosody pitch="+80Hz">some text</prosody>` or `<prosody pitch="-2st">some text</prosody>`. The "st" indicates the change unit is semitone, which is half of a tone (a half step) on the standard diatonic scale.<li>As a percentage: Expressed as a number preceded by "+" (optionally) or "-" and followed by "%", indicating the relative change. For example: `<prosody pitch="50%">some text</prosody>` or `<prosody pitch="-50%">some text</prosody>`.</li></ul></li><li>A constant value:<ul><li>x-low</li><li>low</li><li>medium</li><li>high</li><li>x-high</li><li>default</li></ul></li></ul> | Optional |

+| `contour` | Contour now supports neural voice. Contour represents changes in pitch. These changes are represented as an array of targets at specified time positions in the speech output. Each target is defined by sets of parameter pairs. For example: <br/><br/>`<prosody contour="(0%,+20Hz) (10%,-2st) (40%,+10Hz)">`<br/><br/>The first value in each set of parameters specifies the location of the pitch change as a percentage of the duration of the text. The second value specifies the amount to raise or lower the pitch by using a relative value or an enumeration value for pitch (see `pitch`). | Optional |

+| `range`| A value that represents the range of pitch for the text. You can express `range` by using the same absolute values, relative values, or enumeration values used to describe `pitch`.| Optional |

+| `rate` | Indicates the speaking rate of the text. You can express `rate` as:<ul><li>A relative value: <ul><li>As a relative number: Expressed as a number that acts as a multiplier of the default. For example, a value of *1* results in no change in the original rate. A value of *0.5* results in a halving of the original rate. A value of *2* results in twice the original rate.</li><li>As a percentage: Expressed as a number preceded by "+" (optionally) or "-" and followed by "%", indicating the relative change. For example: `<prosody rate="50%">some text</prosody>` or `<prosody rate="-50%">some text</prosody>`.</li></ul><li>A constant value:<ul><li>x-slow</li><li>slow</li><li>medium</li><li>fast</li><li>x-fast</li><li>default</li></ul></li></ul> | Optional |

+| `volume` | Indicates the volume level of the speaking voice. You can express the volume as:<ul><li>An absolute value: Expressed as a number in the range of 0.0 to 100.0, from *quietest* to *loudest*. An example is 75. The default is 100.0.</li><li>A relative value: <ul><li>As a relative number: Expressed as a number preceded by "+" or "-" that specifies an amount to change the volume. Examples are +10 or -5.5.</li><li>As a percentage: Expressed as a number preceded by "+" (optionally) or "-" and followed by "%", indicating the relative change. For example: `<prosody volume="50%">some text</prosody>` or `<prosody volume="+3%">some text</prosody>`.</li></ul><li>A constant value:<ul><li>silent</li><li>x-soft</li><li>soft</li><li>medium</li><li>loud</li><li>x-loud</li><li>default</li></ul></li></ul> | Optional |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `interpret-as` | Indicates the content type of an element's text. For a list of types, see the following table.| Required |

+| `format`| Provides additional information about the precise formatting of the element's text for content types that might have ambiguous formats. SSML defines formats for content types that use them. See the following table. | Optional |

+| `detail` | Indicates the level of detail to be spoken. For example, this attribute might request that the speech synthesis engine pronounce punctuation marks. There are no standard values defined for `detail`. | Optional |

+| interpret-as | format | Interpretation |

+| -- | | -- |

+| `address`| None | The text is spoken as an address. The speech synthesis engine pronounces:<br /><br />`I'm at <say-as interpret-as="address">150th CT NE, Redmond, WA</say-as>`<br /><br />As "I'm at 150th Court Northeast Redmond Washington."|

+| `cardinal`, `number` |None| The text is spoken as a cardinal number. The speech synthesis engine pronounces:<br /><br />`There are <say-as interpret-as="cardinal">3</say-as> alternatives`<br /><br />As "There are three alternatives."|

+| `characters`, `spell-out` | | The text is spoken as individual letters (spelled out). The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="characters">test</say-as>`<br /><br />As "T E S T." |

+| `date` | dmy, mdy, ymd, ydm, ym, my, md, dm, d, m, y | The text is spoken as a date. The `format` attribute specifies the date's format (*d=day, m=month, and y=year*). The speech synthesis engine pronounces:<br /><br />`Today is <say-as interpret-as="date" format="mdy">10-19-2016</say-as>`<br /><br />As "Today is October nineteenth two thousand sixteen." |

+| `digits`, `number_digit` | None | The text is spoken as a sequence of individual digits. The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="number_digit">123456789</say-as>`<br /><br />As "1 2 3 4 5 6 7 8 9." |

+| `fraction` | None | The text is spoken as a fractional number. The speech synthesis engine pronounces:<br /><br /> `<say-as interpret-as="fraction">3/8</say-as> of an inch`<br /><br />As "three eighths of an inch." |

+| `ordinal` |None | The text is spoken as an ordinal number. The speech synthesis engine pronounces:<br /><br />`Select the <say-as interpret-as="ordinal">3rd</say-as> option`<br /><br />As "Select the third option."|

+| `telephone` | None | The text is spoken as a telephone number. The `format` attribute can contain digits that represent a country code. Examples are "1" for the United States or "39" for Italy. The speech synthesis engine can use this information to guide its pronunciation of a phone number. The phone number might also include the country code, and if so, takes precedence over the country code in the `format` attribute. The speech synthesis engine pronounces:<br /><br />`The number is <say-as interpret-as="telephone" format="1">(888) 555-1212</say-as>`<br /><br />As "My number is area code eight eight eight five five five one two one two." |

+| `time` | hms12, hms24 | The text is spoken as a time. The `format` attribute specifies whether the time is specified by using a 12-hour clock (hms12) or a 24-hour clock (hms24). Use a colon to separate numbers representing hours, minutes, and seconds. Here are some valid time examples: 12:35, 1:14:32, 08:15, and 02:50:45. The speech synthesis engine pronounces:<br /><br />`The train departs at <say-as interpret-as="time" format="hms12">4:00am</say-as>`<br /><br />As "The train departs at four A M." |

+| `duration` | hms, hm, ms | The text is spoken as a duration. The `format` attribute specifies the duration's format (*h=hour, m=minute, and s=second*). The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="duration">01:18:30</say-as>`<br /><br /> As "one hour eighteen minutes and thirty seconds".<br />Pronounces:<br /><br />`<say-as interpret-as="duration" format="ms">01:18</say-as>`<br /><br /> As "one minute and eighteen seconds".<br />This tag is only supported on English and Spanish. |

+| `name` |None | The text is spoken as a person's name. The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="name">ED</say-as>`<br /><br />As [æd]. <br />In Chinese names, some characters pronounce differently when they appear in a family name. For example, the speech synthesis engine says 仇 in <br /><br />`<say-as interpret-as="name">仇先生</say-as>`<br /><br /> As [qiú] instead of [chóu]. |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `src` | Specifies the location/URL of the background audio file. | Required if using background audio in your SSML document |

+| `volume` | Specifies the volume of the background audio file. **Accepted values**: `0` to `100` inclusive. The default value is `1`. | Optional |

+| `fadein` | Specifies the duration of the background audio fade-in as milliseconds. The default value is `0`, which is the equivalent to no fade in. **Accepted values**: `0` to `10000` inclusive. | Optional |

+| `fadeout` | Specifies the duration of the background audio fade-out in milliseconds. The default value is `0`, which is the equivalent to no fade out. **Accepted values**: `0` to `10000` inclusive. | Optional|

+You can use the `bookmark` element in SSML to reference a specific location in the text or tag sequence. Then you will use the Speech SDK and subscribe to the `BookmarkReached` event to get the offset of each marker in the audio stream. The `bookmark` element won't be spoken. For more information, see [Subscribe to synthesizer events](how-to-speech-synthesis.md#subscribe-to-synthesizer-events).

+A viseme is the visual description of a phoneme in spoken language. It defines the position of the face and mouth while a person is speaking. You can use the `mstts:viseme` element in SSML to request viseme output. For more information, see [Get facial position with viseme](how-to-speech-synthesis-viseme.md).

+| Attribute | Description | Required or optional |

+| - | - | -- |

+| `type` | Specifies the type of viseme output.<ul><li>`redlips_front` ΓÇô lip-sync with viseme ID and audio offset output </li><li>`FacialExpression` ΓÇô blend shapes output</li></ul> | Required |

+- [How to synthesize speech](how-to-speech-synthesis.md)

+- [Language support: Voices, locales, languages](language-support.md?tabs=stt-tts)

+ [Sentiment analysis and opinion mining](./sentiment-opinion-mining/overview.md) are pre-configured features that help you find out what people think of your brand or topic by mining text for clues about positive or negative sentiment, and can associate them with specific aspects of the text.

+* **Learned Best Action**: The Personalizer service uses the current model to decide the best action based on past data.

+* Learn about [ethics and responsible use](ethics-responsible-use.md)

+* Personalizer Inference Explainabiltiy is now available as a Public Preview. Enabling inference explainability returns feature scores on every Rank API call, providing insight into how influential each feature is to the actions chosen by your Personalizer model. [Learn more about Inference Explainability](concepts-features.md#inference-explainability).

+| Email | [npm](https://www.npmjs.com/package/@azure/communication-email) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Email) | [PyPi](https://pypi.org/project/azure-communication-email/) | [Maven](https://search.maven.org/artifact/com.azure/azure-communication-email) | - | - | - |

+- **Missing required information like Opt-in Image URL** - If there is no Opt-in option, provide a good justification.

+In Standard logic app workflows, peek-lock operations are available only for *stateless* workflows, not stateful workflows.

+ Title: 'Quickstart: Deploy an existing container image with the command line'

+description: Deploy an existing container image to Azure Container Apps with the Azure CLI or PowerShell.

+# Quickstart: Deploy an existing container image with the command line

+This article reviews two flows for encrypting data with a customer-managed key:

+* Encrypt data with a customer-managed key stored in a standard Azure Key Vault

+* Encrypt data with a customer-managed key stored in a network-protected Azure Key Vault with [Trusted Services](../key-vault/general/network-security.md) enabled.

+## Encrypt data with a customer-managed key stored in a standard Azure Key Vau

+## Encrypt data with a customer-managed key in a network protected Azure Key Vault with Trusted Services enabled

+### Create a Key Vault resource

+Create an Azure Key Vault using [Azure portal](../key-vault/general/quick-create-portal.md), [Azure CLI](../key-vault/general/quick-create-cli.md), or [Azure PowerShell](../key-vault/general/quick-create-powershell.md). To start, do not apply any network-limitations so we can add necessary keys to the vault. In subsequent steps, we will add network-limitations and enable trusted services.

+For the properties of your key vault, use the following guidelines:

+* Name: A unique name is required.

+* Subscription: Choose a subscription.

+* Under Resource Group, either choose an existing resource group, or create new and enter a resource group name.

+* In the Location pull-down menu, choose a location.

+* You can leave the other options to their defaults or pick based on additional requirements.

+> [!IMPORTANT]

+> When using customer-managed keys to encrypt an ACI deployment template, it is recommended that the following two properties be set on the key vault, Soft Delete and Do Not Purge. These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.

+### Generate a new key

+Once your key vault is created, navigate to the resource in Azure portal. On the left navigation menu of the resource blade, under Settings, click **Keys**. On the view for "Keys," click "Generate/Import" to generate a new key. Use any unique Name for this key, and any other preferences based on your requirements. Make sure to capture key name and version for subsequent steps.

+

+### Create a user-assigned managed identity for your container group

+Create an identity in your subscription using the [az identity create](/cli/azure/identity#az-identity-create) command. You can use the same resource group used to create the key vault, or use a different one.

+```azurecli-interactive

+az identity create \

+ --resource-group myResourceGroup \

+ --name myACIId

+```

+To use the identity in the following steps, use the [az identity show](/cli/azure/identity#az-identity-show) command to store the identity's service principal ID and resource ID in variables.

+```azurecli-interactive

+# Get service principal ID of the user-assigned identity

+spID=$(az identity show \

+ --resource-group myResourceGroup \

+ --name myACIId \

+ --query principalId --output tsv)

+```

+### Set access policy

+Create a new access policy for allowing the user-assigned identity to access and unwrap your key for encryption purposes.

+```azurecli-interactive

+az keyvault set-policy \

+ --name mykeyvault \

+ --resource-group myResourceGroup \

+ --object-id $spID \

+ --key-permissions get unwrapKey

+ ```

+### Modify Azure Key Vault's network permissions

+The following commands set up an Azure Firewall for your Azure Key Vault and allow Azure Trusted Services such as ACI access.

+```azurecli-interactive

+az keyvault update \

+ --name mykeyvault \

+ --resource-group myResourceGroup \

+ --default-action Deny

+ ```

+```azurecli-interactive

+az keyvault update \

+ --name mykeyvault \

+ --resource-group myResourceGroup \

+ --bypass AzureServices

+ ```

+### Modify your JSON deployment template

+> [!IMPORTANT]

+> Encrypting deployment data with a customer-managed key is available in the 2022-09-01 API version or newer. The 2022-09-01 API version is only available via ARM or REST. If you have any issues with this, please reach out to Azure Support.

+Once the key vault key and access policy are set up, add the following properties to your ACI deployment template. Learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](./container-instances-multi-container-group.md).

+* Under `resources`, set `apiVersion` to `2022-09-01`.

+* Under the container group properties section of the deployment template, add an `encryptionProperties`, which contains the following values:

+ * `vaultBaseUrl`: the DNS Name of your key vault. This can be found on the overview blade of the key vault resource in Portal

+ * `keyName`: the name of the key generated earlier

+ * `keyVersion`: the current version of the key. This can be found by clicking into the key itself (under "Keys" in the Settings section of your key vault resource)

+ * `identity`: this is the resource URI of the Managed Identity instance created earlier

+* Under the container group properties, add a `sku` property with value `Standard`. The `sku` property is required in API version 2022-09-01.

+* Under resources, add the `identity` object required to use Managed Identity with ACI, which contains the following values:

+ * `type`: the type of the identity being used (either user-assigned or system-assigned). This case will be set to "UserAssigned"

+ * `userAssignedIdentities`: the resourceURI of the same user-assigned identity used above in the `encryptionProperties` object.

+The following template snippet shows these additional properties to encrypt deployment data:

+```json

+[...]

+"resources": [

+ {

+ "name": "[parameters('containerGroupName')]",

+ "type": "Microsoft.ContainerInstance/containerGroups",

+ "apiVersion": "2019-12-01",

+ "location": "[resourceGroup().location]",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId": {}

+ }

+ },

+ "properties": {

+ "encryptionProperties": {

+ "vaultBaseUrl": "https://example.vault.azure.net",

+ "keyName": "acikey",

+ "keyVersion": "xxxxxxxxxxxxxxxx",

+ "identity": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId"

+ },

+ "sku": "Standard",

+ "containers": {

+ [...]

+ }

+ }

+ }

+]

+```

+Following is a complete template, adapted from the template in [Tutorial: Deploy a multi-container group using a Resource Manager template](./container-instances-multi-container-group.md).

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "containerGroupName": {

+ "type": "string",

+ "defaultValue": "myContainerGroup",

+ "metadata": {

+ "description": "Container Group name."

+ }

+ }

+ },

+ "variables": {

+ "container1name": "aci-tutorial-app",

+ "container1image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",

+ "container2name": "aci-tutorial-sidecar",

+ "container2image": "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar"

+ },

+ "resources": [

+ {

+ "name": "[parameters('containerGroupName')]",

+ "type": "Microsoft.ContainerInstance/containerGroups",

+ "apiVersion": "2022-09-01",

+ "location": "[resourceGroup().location]",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId": {}

+ }

+ },

+ "properties": {

+ "encryptionProperties": {

+ "vaultBaseUrl": "https://example.vault.azure.net",

+ "keyName": "acikey",

+ "keyVersion": "xxxxxxxxxxxxxxxx",

+ "identity": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId"

+ },

+ "sku": "Standard",

+ "containers": [

+ {

+ "name": "[variables('container1name')]",

+ "properties": {

+ "image": "[variables('container1image')]",

+ "resources": {

+ "requests": {

+ "cpu": 1,

+ "memoryInGb": 1.5

+ }

+ },

+ "ports": [

+ {

+ "port": 80

+ },

+ {

+ "port": 8080

+ }

+ ]

+ }

+ },

+ {

+ "name": "[variables('container2name')]",

+ "properties": {

+ "image": "[variables('container2image')]",

+ "resources": {

+ "requests": {

+ "cpu": 1,

+ "memoryInGb": 1.5

+ }

+ }

+ }

+ }

+ ],

+ "osType": "Linux",

+ "ipAddress": {

+ "type": "Public",

+ "ports": [

+ {

+ "protocol": "tcp",

+ "port": "80"

+ },

+ {

+ "protocol": "tcp",

+ "port": "8080"

+ }

+ ]

+ }

+ }

+ }

+ ],

+ "outputs": {

+ "containerIPv4Address": {

+ "type": "string",

+ "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups/', parameters('containerGroupName'))).ipAddress.ip]"

+ }

+ }

+}

+```

+### Deploy your resources

+If you created and edited the template file on your desktop, you can upload it to your Cloud Shell directory by dragging the file into it.

+Create a resource group with the [az group create][az-group-create] command.

+```azurecli-interactive

+az group create --name myResourceGroup --location eastus

+```

+Deploy the template with the [az deployment group create][az-deployment-group-create] command.

+```azurecli-interactive

+az deployment group create --resource-group myResourceGroup --template-file deployment-template.json

+```

+Within a few seconds, you should receive an initial response from Azure. Once the deployment completes, all data related to it persisted by the ACI service will be encrypted with the key you provided.

+| Brazil South | 4 | 16 | 2 | 8 | 50 | N/A | Y |

+| Southeast Asia | 4 | 16 | 4 | 16 | 50 | P100, V100 | Y |

+| UAE North | 4 | 16 | 4 | 16 | 50 | N/A | N |

+| West US 3 | 4 | 16 | N/A | N/A | 50 | N/A | N |

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. For more information on how to configure it, click [here](configure-synapse-link.md).

+* Well-defined schema representation, default option for SQL (CORE) and Gremlin API accounts.

+the MongoDB `_id` field is fundamental to every collection in MongoDB and originally has a hexadecimal representation. As you can see in the table above, `Full Fidelity Schema` will preserve its characteristics, creating a challenge for its visualization in Azure Synapse Analytics. For correct visualization, you must convert the `_id` datatype as below:

+#### Full fidelity schema for SQL or Gremlin API accounts

+There are two possible backup polices and to understand how to use them, the following details about Cosmos DB backups are very important:

+When `transactional TTL` is smaller than `analytical TTL`, some data only exists in analytical store and won't be in the restored container. Again, you have two possible situations:

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. For more information on how to configure it, click [here](configure-synapse-link.md).

+<!-- You can open a hosted native Cassandra shell (CQLSH v5.0.1) directly from the Data Explorer in the [Azure portal](../data-explorer.md) or the [Azure Cosmos DB Explorer](https://cosmos.azure.com/). Before enabling the CQL shell, you must [enable the Notebooks](../notebooks-overview.md) feature in your account (if not already enabled, you will be prompted when clicking on `Open Cassandra Shell`).

+description: Learn how to trigger custom partitioning from Azure Synapse Spark notebook using Azure Synapse Link for Azure Cosmos DB. It explains the configuration options.

+To use custom partitioning, you must enable Azure Synapse Link on your Azure Cosmos DB account. To learn more, see [how to configure Azure Synapse Link](configure-synapse-link.md). Custom partitioning execution can be triggered from Azure Synapse Spark notebook using Azure Synapse Link for Azure Cosmos DB.

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. For more information on how to configure it, click [here](configure-synapse-link.md).

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing Graphs using Azure CLI.

+You can also check the training module on how to [configure Azure Synapse Link for Azure Cosmos DB.](/training/modules/configure-azure-synapse-link-with-azure-cosmos-db/)

+The first step to use Synapse Link is to enable it for your Azure Cosmos DB database account.

+##### Use Azure CLI to enable Synapse Link for Azure Synapse Link for Gremlin API account.

+Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. Use the CLI command below to enable Synapse Link for your Gremlin API account:

+```cli

+az cosmosdb create --capabilities EnableGremlin --name MyCosmosDBGremlinDatabaseAccount --resource-group MyResourceGroup --enable-analytical-storage true

+```

+For existing Gremlin API accounts, replace `create` with `update`.

+##### Use Azure CLI to enable Synapse Link for Azure Synapse Link for Gremlin API Graphs

+Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing Graphs using Azure CLI. Use the CLI command below to enable Synapse Link for your Gremlin API graphs:

+```cli

+az cosmosdb gremlin graph create --g MyResourceGroup --a MyCosmosDBGremlinDatabaseAccount --d MyGremlinDB --n MyGraph --analytical-storage-ttl ΓÇô1

+```

+For existing graphs, replace `create` with `update`.

+* Check the training module on how to [configure Azure Synapse Link for Azure Cosmos DB.](/training/modules/configure-azure-synapse-link-with-azure-cosmos-db/)

+* [Create a Jupyter notebook](notebooks-overview.md) and analyze your data.

+At the moment the [Mongo shell](https://devblogs.microsoft.com/cosmosdb/preview-native-mongo-shell/) and [Cassandra shell](https://devblogs.microsoft.com/cosmosdb/announcing-native-cassandra-shell-preview/) integrations in the Cosmos DB Data Explorer, and the [Jupyter Notebooks service](./notebooks-overview.md), aren't supported with VNET access. This integration is currently in active development.

+ Title: |

+ Jupyter Notebooks in Azure Cosmos DB (preview)

+description: |

+ Create and use built-in Jupyter Notebooks in Azure Cosmos DB to interactively run queries.

+# Jupyter Notebooks in Azure Cosmos DB (preview)

+> [!IMPORTANT]

+> The Jupyter Notebooks feature of Azure Cosmos DB is currently in a preview state and is progressively rolling out to all customers over time.

+Jupyter Notebooks is an open-source interactive developer environment (IDE) that's designed to create, execute, and share documents that contain live code, equations, visualizations, and narrative text.

+Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and your Azure Cosmos DB accounts, making them convenient and easy to use. Developers, data scientists, engineers, and analysts can use the familiar Jupyter Notebooks experience to perform common tasks. These common tasks include:

+- data exploration

+- data cleaning

+- data transformations

+- numerical simulations

+- statistical modeling

+- data visualization

+- machine learning

+Azure Cosmos DB supports both C# and Python notebooks for the APIs for SQL, Cassandra, Gremlin, Table, and MongoDB. Inside the notebook, you can take advantage of built-in commands and features that make it easy to create Azure Cosmos DB resources. You can also use the built-in commands to upload, query, and visualize your data in Azure Cosmos DB.

+## Benefits of Jupyter Notebooks

+Jupyter Notebooks were originally developed for data science applications written in Python and R. However, they can be used in various ways for different kinds of projects, including:

+### Data visualization

+Jupyter Notebooks allow you to visualize data in the form of a shared notebook that renders a data set as a graphic. You can create visualizations, make interactive changes to the shared code and data set, and share the results.

+### Code sharing

+Services like GitHub provides ways to share code, but they're largely non-interactive. With a Jupyter Notebook, you can view code, execute it, and display the results directly in the Azure portal.

+### Live interactions with code

+Code in a Jupyter Notebook is dynamic; you can edit it and run the updates incrementally in real time. You can also embed user controls (for example, sliders or text input fields) that are used as input sources for code, demos, or Proof of Concepts (POCs).

+### Documentation of code samples and outcomes of data exploration

+If you have a piece of code and you want to explain line-by-line how it works, you can embed it in a Jupyter Notebook. You can add interactivity along with the documentation at the same time.

+### Built-in commands for Azure Cosmos DB

+Azure Cosmos DB's built-in magic commands make it easy to interact with your account. You can use commands like %%upload and %%sql to upload data into a container and query it using [SQL API syntax](sql-query-getting-started.md). You don't need to write extra custom code.

+### All in one place environment

+Jupyter Notebooks combines multiple assets into a single document including:

+- code

+- rich text

+- images

+- videos

+- animations

+- mathematical equations

+- plots

+- maps

+- interactive figures

+- widgets

+- graphical user interfaces

+## Components of a Jupyter Notebook

+Jupyter Notebooks can include several types of components, each organized into discrete blocks or cells:

+### Text and HTML

+Plain text, or text annotated in the markdown syntax to generate HTML, can be inserted into the document at any point. CSS styling can also be included inline or added to the template used to generate the notebook.

+### Code and output

+Jupyter Notebooks support Python and C# code. The results of the executed code appear immediately after the code blocks, and the code blocks can be executed multiple times in any order you like.

+### Visualizations

+You can generate graphics and charts from the code by using modules like Matplotlib, Plotly, Bokeh, and others. Similar to the output, these visualizations appear inline next to the code that generates them. Similar to the output, these visualizations appear inline next to the code that generates them.

+### Multimedia

+Because Jupyter Notebooks are built on web technology, they can display all the types of multimedia supported by a web page. You can include them in a notebook as HTML elements, or you can generate them programmatically by using the `IPython.display` module.

+### Data

+You can import the data from Azure Cosmos containers or the results of queries into a Jupyter Notebook programmatically. Use built-in magic commands to upload or query data in Azure Cosmos DB.

+## Next steps

+To get started with built-in Jupyter Notebooks in Azure Cosmos DB, see the following articles:

+- [Create your first notebook in an Azure Cosmos DB SQL API account](sql/tutorial-create-notebook.md)

+- [Review the FAQ on Jupyter Notebook support](notebooks-faq.yml)

+How eventual is eventual consistency? For the average case, can we offer staleness bounds with respect to version history and time. The [**Probabilistically Bounded Staleness (PBS)**](http://pbs.cs.berkeley.edu/) metric tries to quantify the probability of staleness and shows it as a metric.

+To view the PBS metric, go to your Azure Cosmos account in the Azure portal. Open the **Metrics (Classic)** pane, and select the **Consistency** tab. Look at the graph named **Probability of strongly consistent reads based on your workload (see PBS)**.

+ Title: |

+ Tutorial: Create a Jupyter Notebook in Azure Cosmos DB SQL API to analyze and visualize data (preview)

+description: |

+ Learn how to use built-in Jupyter notebooks to import data to Azure Cosmos DB SQL API, analyze the data, and visualize the output.

+# Tutorial: Create a Jupyter Notebook in Azure Cosmos DB SQL API to analyze and visualize data (preview)

+> [!IMPORTANT]

+> The Jupyter Notebooks feature of Azure Cosmos DB is currently in a preview state and is progressively rolling out to all customers over time.

+This article describes how to use the Jupyter Notebooks feature of Azure Cosmos DB to import sample retail data to an Azure Cosmos DB SQL API account. You'll see how to use the Azure Cosmos DB magic commands to run queries, analyze the data, and visualize the results.

+## Prerequisites

+- [Azure Cosmos DB SQL API account](create-cosmosdb-resources-portal.md#create-an-azure-cosmos-db-account) (configured with serverless throughput)

+## Create a new notebook

+In this section, you'll create the Azure Cosmos database, container, and import the retail data to the container.

+1. Navigate to your Azure Cosmos DB account and open the **Data Explorer.**

+1. Select **New Notebook**.

+ :::image type="content" source="media/tutorial-create-notebook/new-notebook-option.png" lightbox="media/tutorial-create-notebook/new-notebook-option.png" alt-text="Screenshot of the Data Explorer with the 'New Notebook' option highlighted.":::

+1. In the confirmation dialog that appears, select **Create**.

+ > [!NOTE]

+ > A temporary workspace will be created to enable you to work with Jupyter Notebooks. When the session expires, any notebooks in the workspace will be removed.

+1. Select the kernel you wish to use for the notebook.

+### [Python](#tab/python)

+### [C#](#tab/csharp)

+> [!TIP]

+> Now that the new notebook has been created, you can rename it to something like **VisualizeRetailData.ipynb**.

+## Create a database and container using the SDK

+### [Python](#tab/python)

+1. Start in the default code cell.

+1. Import any packages you require for this tutorial.

+ ```python

+ import azure.cosmos

+ from azure.cosmos.partition_key import PartitionKey

+ ```

+1. Create a database named **RetailIngest** using the built-in SDK.

+ ```python

+ database = cosmos_client.create_database_if_not_exists('RetailIngest')

+ ```

+1. Create a container named **WebsiteMetrics** with a partition key of `/CartID`.

+ ```python

+ container = database.create_container_if_not_exists(id='WebsiteMetrics', partition_key=PartitionKey(path='/CartID'))

+ ```

+1. Select **Run** to create the database and container resource.

+ :::image type="content" source="media/tutorial-create-notebook/run-cell.png" alt-text="Screenshot of the 'Run' option in the menu.":::

+### [C#](#tab/csharp)

+1. Start in the default code cell.

+1. Import any packages you require for this tutorial.

+ ```csharp

+ using Microsoft.Azure.Cosmos;

+ ```

+1. Create a new instance of the client type using the built-in SDK.

+ ```csharp

+ var cosmosClient = new CosmosClient(Cosmos.Endpoint, Cosmos.Key);

+ ```

+1. Create a database named **RetailIngest**.

+ ```csharp

+ Database database = await cosmosClient.CreateDatabaseIfNotExistsAsync("RetailIngest");

+ ```

+1. Create a container named **WebsiteMetrics** with a partition key of `/CartID`.

+ ```csharp

+ Container container = await database.CreateContainerIfNotExistsAsync("WebsiteMetrics", "/CartID");

+ ```

+1. Select **Run** to create the database and container resource.

+ :::image type="content" source="media/tutorial-create-notebook/run-cell.png" alt-text="Screenshot of the 'Run' option in the menu.":::

+## Import data using magic commands

+1. Add a new code cell.

+1. Within the code cell, add the following magic command to upload, to your existing container, the JSON data from this url: <https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData.json>

+ ```python

+ %%upload --databaseName RetailIngest --containerName WebsiteMetrics --url https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData.json

+ ```

+1. Select **Run Active Cell** to only run the command in this specific cell.

+ :::image type="content" source="media/tutorial-create-notebook/run-active-cell.png" alt-text="Screenshot of the 'Run Active Cell' option in the menu.":::

+ > [!NOTE]

+ > The import command should take 5-10 seconds to complete.

+1. Observe the output from the run command. Ensure that **2,654** documents were imported.

+ ```output

+ Documents successfully uploaded to WebsiteMetrics

+ Total number of documents imported:

+ Success: 2654

+ Failure: 0

+ Total time taken : 00:00:04 hours

+ Total RUs consumed : 27309.660000001593

+ ```

+## Visualize your data

+### [Python](#tab/python)

+1. Create another new code cell.

+1. In the code cell, use a SQL query to populate a [Pandas DataFrame](https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.DataFrame.html#pandas.DataFrame).

+ ```python

+ %%sql --database RetailIngest --container WebsiteMetrics --output df_cosmos

+ SELECT c.Action, c.Price as ItemRevenue, c.Country, c.Item FROM c

+ ```

+1. Select **Run Active Cell** to only run the command in this specific cell.

+1. Create another new code cell.

+1. In the code cell, output the top **10** items from the dataframe.

+ ```python

+ df_cosmos.head(10)

+ ```

+1. Select **Run Active Cell** to only run the command in this specific cell.

+1. Observe the output of running the command.

+ | | Action | ItemRevenue | Country | Item |

+ | | | | | |

+ | **0** | Purchased | 19.99 | Macedonia | Button-Up Shirt |

+ | **1** | Viewed | 12.00 | Papua New Guinea | Necklace |

+ | **2** | Viewed | 25.00 | Slovakia (Slovak Republic) | Cardigan Sweater |

+ | **3** | Purchased | 14.00 | Senegal | Flip Flop Shoes |

+ | **4** | Viewed | 50.00 | Panama | Denim Shorts |

+ | **5** | Viewed | 14.00 | Senegal | Flip Flop Shoes |

+ | **6** | Added | 14.00 | Senegal | Flip Flop Shoes |

+ | **7** | Added | 50.00 | Panama | Denim Shorts |

+ | **8** | Purchased | 33.00 | Palestinian Territory | Red Top |

+ | **9** | Viewed | 30.00 | Malta | Green Sweater |

+1. Create another new code cell.

+1. In the code cell, import the **pandas** package to customize the output of the dataframe.

+ ```python

+ import pandas as pd

+ pd.options.display.html.table_schema = True

+ pd.options.display.max_rows = None

+

+ df_cosmos.groupby("Item").size()

+ ```

+1. Select **Run Active Cell** to only run the command in this specific cell.

+1. In the output, select the **Line Chart** option to view a different visualization of the data.

+ :::image type="content" source="media/tutorial-create-notebook/pandas-python-line-chart.png" alt-text="Screenshot of the Pandas dataframe visualization for the data as a line chart.":::

+### [C#](#tab/csharp)

+1. Create a new code cell.

+1. In the code cell, create a new C# class to represent an item in the container.

+ ```csharp

+ public class Record

+ {

+ public string Action { get; set; }

+ public decimal Price { get; set; }

+ public string Country { get; set; }

+ public string Item { get; set; }

+ }

+ ```

+1. Create another new code cell.

+1. In the code cell, add code to [execute a SQL query using the SDK](quickstart-dotnet.md#query-items) storing the output of the query in a variable of type <xref:System.Collections.Generic.List%601> named **results**.

+ ```csharp

+ using System.Collections.Generic;

+

+ var query = new QueryDefinition(

+ query: "SELECT c.Action, c.Price, c.Country, c.Item FROM c"

+ );

+

+ FeedIterator<Record> feed = container.GetItemQueryIterator<Record>(

+ queryDefinition: query

+ );

+

+ var results = new List<Record>();

+ while (feed.HasMoreResults)

+ {

+ FeedResponse<Record> response = await feed.ReadNextAsync();

+ foreach (Record result in response)

+ {

+ results.Add(result);

+ }

+ }

+ ```

+1. Create another new code cell.

+1. In the code cell, create a dictionary by adding unique permutations of the **Item** field as the key and the data in the **Price** field as the value.

+ ```csharp

+ var dictionary = new Dictionary<string, decimal>();

+ foreach(var result in results)

+ {

+ dictionary.TryAdd (result.Item, result.Price);

+ }

+ dictionary

+ ```

+1. Select **Run Active Cell** to only run the command in this specific cell.

+1. Observe the output with unique combinations of the **Item** and **Price** fields.

+ ```output

+ ...

+ Denim Jacket:31.99

+ Fleece Jacket:65

+ Sandals:12

+ Socks:3.75

+ Sandal:35.5

+ Light Jeans:80

+ ...

+ ```

+1. Create another new code cell.

+1. In the code cell, output the **results** variable.

+ ```csharp

+ results

+ ```

+1. Select **Run Active Cell** to only run the command in this specific cell.

+1. In the output, select the **Box Plot** option to view a different visualization of the data.

+ :::image type="content" source="media/tutorial-create-notebook/pandas-csharp-box-plot.png" alt-text="Screenshot of the Pandas dataframe visualization for the data as a box plot.":::

+## Persist your notebook

+1. In the **Notebooks** section, open the context menu for the notebook you created for this tutorial and select **Download**.

+ :::image type="content" source="media/tutorial-create-notebook/download-notebook.png" alt-text="Screenshot of the notebook context menu with the 'Download' option.":::

+ > [!TIP]

+ > To save your work permanently, save your notebooks to a GitHub repository or download the notebooks to your local machine before the session ends.

+## Next steps

+- [Learn about the Jupyter Notebooks feature in Azure Cosmos DB](../notebooks-overview.md)

+- [Review the FAQ on Jupyter Notebook support](../notebooks-faq.yml)

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. For more information on how to configure it, click [here](configure-synapse-link.md).

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. For more information on how to configure it, click [here](configure-synapse-link.md).

+> [!NOTE]

+> Synapse Link for Gremlin API is now in preview. You can enable Synapse Link in your new or existing graphs using Azure CLI. For more information on how to configure it, check the [configuration documentation](configure-synapse-link.md).

+With Azure Synapse Link, you can run analytical queries against an Azure Cosmos DB analytical store, a column store representation of your data, while the transactional operations are processed using provisioned throughput for the transactional workload, over the Cosmos DB row-based transactional store. The analytical workload is independent of the transactional workload traffic, not consuming any of the provisioned throughput of your operational data.

+* Although analytical store data is not backed up, and therefore cannot be restored, you can rebuild your analytical store by reenabling Synapse Link in the restored container. Check the [analytical store documentation](analytical-store-introduction.md) for more information.

+* Currently Synapse Link isn't fully compatible with continuous backup mode. Check the [analytical store documentation](analytical-store-introduction.md) for more information.

+* Check the training module on how to [Design hybrid transactional and analytical processing using Azure Synapse Analytics](/training/modules/design-hybrid-transactional-analytical-processing-using-azure-synapse-analytics/)

+* [Create a Jupyter notebook](notebooks-overview.md) and analyze your data.

+The following table shows the templates related to SAP connectors that can be found in the Azure Data Factory template gallery:

+ string CLIENTID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";

+Metadata on files is transferred by default when users upload data via SMB to your Data Box. The metadata includes access control lists (ACLs), file attributes, and timestamps. If you don't want this, use **ACLs for Azure Files** to disable or enable this feature.

+To enable transfer of ACLs for Azure Files:

+2. **Enable** ACLs for Azure Files.

+ 

+ Title: Creating a Defender EASM Azure resource

+description: This article explains how to create an Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource using the Azure portal.

+# Creating a Defender EASM Azure resource

+This article explains how to create a Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource using the Azure portal.

+Creating the EASM Azure resource involves two steps:

+- Create an EASM resource in the resource group

+Before you create a Defender EASM resource group, we recommend that you are familiar with how to access and use the [Microsoft Azure portal](https://ms.portal.azure.com/) and read the [Defender EASM Overview article](index.md) for key context on the product. You will need:

+- A valid Azure subscription or free Defender EASM trial account. If you donΓÇÖt have an [Azure subscription](/azure/guides/developer/azure-developer-guide#understanding-accounts-subscriptions-and-billing), create a free Azure account before you begin.

+ - **Region**: Specify an Azure location. This location is where the resource group stores metadata about the resource. For compliance reasons, you may want to specify where that metadata is stored. In general, we recommend that you specify a location where most of your resources will be. Using the same location can simplify your template. The following regions are supported:

+

+ - southcentralus

+ - eastus, australiaeast

+ - westus3

+ - swedencentral

+ - eastasia

+ - japaneast

+## Create resources in a resource group

+After you create a resource group, you can create EASM resources within the group by searching for EASM within the Azure portal.

+1. Select ΓÇ£Create a resourceΓÇ¥ in the Azure portal.

+ - **Region**: Select an Azure location. The following regions are supported:

+

+ - southcentralus

+ - eastus, australiaeast

+ - westus3

+ - swedencentral

+ - eastasia

+ - japaneast

+7. Select **Refresh** to see the status of the resource creation. Once finished, you can go to the Resource to get started.

+- [Understanding dashboards](understanding-dashboards.md)

+# [Azure cloud](#tab/azure)

+# [Azure for US Government](#tab/azure-for-us-government)

+| Name | Source type | Source | Protocol | Destination ports | Destination type | Destination |

+| | -- | - | -- | -- | - | |

+| Rule Name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 443 | FQDN | login.microsoftonline.us |

+| Rule Name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 443 | Service Tag | WindowsVirtualDesktop, AzureMonitor |

+|Rule Name|IP Address or Group|IP Group or VNet or Subnet IP Address|TCP|443|FQDN|gcs.monitoring.core.usgovcloudapi.net|

+| Rule Name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP, UDP | 53 | IP Address | * |

+| Rule name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 1688 | IP address | kms.core.usgovcloudapi.net|

+| Rule name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 443 | FQDN | mrsglobalstugviffx.blob.core.usgovcloudapi.net |

+| Rule name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 443 | FQDN | wvdportalstorageblob.blob.core.usgovcloudapi.net |

+| Rule Name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 80 | IP Address | 169.254.169.254, 168.63.129.16 |

+| Rule name | IP Address or Group | IP Group or VNet or Subnet IP Address | TCP | 80 | FQDN | ocsp.msocsp.com |

+> * Origins may specify not to cache specific responses using the Cache-Control header with a value of no-cache, private, or no-store. When used in an HTTP response from the origin server to the Azure Front Door POPs, Azure Front Door supports Cache-control directives and honors caching behaviors for Cache-Control directives in [RFC 7234 - Hypertext Transfer Protocol (HTTP/1.1): Caching (ietf.org)](https://www.rfc-editor.org/rfc/rfc7234#section-5.2.2.8).

+|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |

+|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) |

+|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |

+|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |

+|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |

+|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) |

+|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |

+|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |

+|[Non-internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb91dfba-c30d-4263-9add-9c2384e659a6) |Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) |

+|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |

+|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |

+|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) |

+|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) |

+|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40cec1dd-a100-4920-b15b-3024fe8901ab) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit.json) |

+|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |

+|[Private endpoint connections on Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F009a0c92-f5b4-4776-9b66-4ed2b4775563) |Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at [https://docs.microsoft.com/azure/batch/private-connectivity](https://docs.microsoft.com/azure/batch/private-connectivity). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_PrivateEndpoints_AuditIfNotExists.json) |

+|[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |

+|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |

+|[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) |Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](https://aka.ms/defender-for-dns) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) |

+|[Azure Defender for open-source relational databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a9fbe0d-c5c4-4da8-87d8-f4fd77338835) |Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at [https://aka.ms/AzDforOpenSourceDBsDocu](https://aka.ms/AzDforOpenSourceDBsDocu). Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnOpenSourceRelationalDatabases_Audit.json) |

+|[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) |

+|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |

+|[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) |

+|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) |

+|[Guest Configuration extension should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae89ebca-1c92-4898-ac2c-9f63decb045c) |To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) |

+|[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |

+|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |

+|[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) |

+|[Kubernetes clusters should be accessible only over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc) |audit, Audit, deny, Deny, disabled, Disabled |[8.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |

+|[Kubernetes clusters should disable automounting API credentials](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F423dd1ba-798e-40e4-9c4d-b6902674b423) |Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json) |

+|[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[7.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) |

+|[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) |

+|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) |

+|[Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd26f7642-7545-4e18-9b75-8c9bbdee3a9a) |The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol) |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) |

+|[App Service apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) |

+|[Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) |

+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |

+|[Windows machines should meet requirements for 'Security Settings - Account Policies'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff2143251-70de-4e81-87a8-36cee5a2f29d) |Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |

+|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |

+|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |

+|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |

+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |

+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |

+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |