+ # When prompted to provide domain credentials use the userprincipalname format for the username instead of domain\username

+Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential (get-credential)

+> Running against another domain by supplying the credential in domain\username format will connect over NTLM, and then it fails. However, using the userprincipalname format for the domain administrator will ensure RPC bind to the DC is attempted using Kerberos correctly. If the users are in the Protected Users security group in Active Directory, complete these steps to resolve the issue: Sign in as another domain user in **ADConnect** and donΓÇÖt supply "-domainCredential". The Kerberos ticket of the user that's currently signed in is used. You can confirm by executing `whoami /groups` to validate whether the user has the required permissions in Active Directory to execute the preceding command.

+These include Microsoft Edge, Chrome, Firefox, and Safari. For more information, see [Browser support of FIDO2 passwordless authentication](fido2-compatibility.md).

+For devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher.

+Hybrid-joined devices must run Windows 10 version 2004 or higher.

+- **Enforce attestation** setting to **Yes** requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing. For more information, see [What is a Microsoft-compatible security key?](concept-authentication-passwordless.md#fido2-security-key-providers)

+- **Enforce key restrictions** should be set to **Yes** only if your organization wants to only allow or disallow certain FIDO security keys, which are identified by their Authenticator Attestation GUID (AAGUID). You can work with your security key provider to determine the AAGUID of a device. If the key is already registered, you can find the AAGUID by viewing the authentication method details of the key for the user.

+ >[!WARNING]

+ >Key restrictions set the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.

+ - When a Conditional Access policy is enabled with this user action, you must set **Identity** > **Devices** > **Overview** > **Device Settings** - `Devices to be Microsoft Entra joined or Microsoft Entra registered require multifactor authentication` to **No**. Otherwise, the Conditional Access policy with this user action isn't properly enforced. More information about this device setting can found in [Configure device settings](../devices/manage-device-identities.md#configure-device-settings).

+If you haven't integrated Microsoft Entra logs with Azure Monitor logs, you need to take the following steps before the workbook loads:

+1. [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).

+**Time range**: Select a time range from 4 hours to as far back as 90 days. If you select a time range further back than when you integrated the Microsoft Entra logs with Azure Monitor, only sign-ins after the time of integration appear.

+> When downloading the sign-in logs, choose JSON format to include Conditional Access report-only result data.

+For more information about how to stream Microsoft Entra sign-in logs to a Log Analytics workspace, see the article [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).

+- For more information about Microsoft Entra workbooks, see the article, [How to use Azure Monitor workbooks for Microsoft Entra reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md).

+[  ](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png#lightbox)

+Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Microsoft Entra sign-in logs to a Log Analytics workspace, see the article [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).

+- [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)

+* [Sign-in problems with Conditional Access](troubleshoot-conditional-access.md) ΓÇô Understand unexpected sign-in outcomes related to Conditional Access using error messages and Microsoft Entra sign-in log.

+The Microsoft Entra sign-in log is a valuable source of information when troubleshooting why and how a Conditional Access policy applied in your environment. For more information about troubleshooting unexpected sign-in outcomes related to Conditional Access, see the article [Troubleshooting sign-in problems with Conditional Access](troubleshoot-conditional-access.md#service-dependencies).

+This information can be gathered from the user, their device, or the Microsoft Entra sign-in log.

+- [What is Microsoft Entra monitoring?](../reports-monitoring/overview-monitoring.md)

+* To set up a service principal with password, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps) or [Create an Azure service principal with Azure CLI](/cli/azure/azure-cli-sp-tutorial-2).

+If you have GDAP relationships in your tenant, you will see a notification banner on the **Delegated Administration** page in the Microsoft Entra admin center. Select the notification banner to see and manage GDAP relationships in the **Partners** page in Microsoft Admin Center.

+You can put a self-service sign-up product like Microsoft Power BI or Azure RMS into a **Delete** state to be immediately deleted in the Microsoft Entra admin center:

+This article describes two ways to take over a DNS domain name in an unmanaged directory in Microsoft Entra ID. When a self-service user signs up for a cloud service that uses Microsoft Entra ID, they're added to an unmanaged Microsoft Entra directory based on their email domain. For more about self-service or "viral" sign-up for a service, see [What is self-service sign-up for Microsoft Entra ID?](directory-self-service-signup.md)

+ > This setting only restricts access of group information in **My Groups**. It does not restrict access to group information via other methods like Microsoft Graph API calls or the Microsoft Entra admin center.

+> A Microsoft Entra ID P1 or P2 license is required for users to request to join a security group or Microsoft 365 group and for owners to approve or deny membership requests. Without a Microsoft Entra ID P1 or P2 license, users can still manage their groups in the MyApp Groups Access panel, but they can't create a group that requires owner approval and they can't request to join a group.

+- Deploy an automated provisioning and deprovisioning solution. Deprovisioning users from applications is an effective way of revoking access, especially for applications that use sessions tokens. Develop a process to deprovision users to apps that don't support automatic provisioning and deprovisioning. Ensure applications revoke their own session tokens and stop accepting Microsoft Entra access tokens even if they're still valid.

+Migrating tenant restriction policies from v1 to v2 is a one-time operation. After migration, no client-side changes are required. You can make any subsequent policy changes via the Microsoft Entra admin center.

+The following tables show the licensing requirements for Microsoft Entra ID Governance features.

+The following licenses are available for use with Microsoft Entra ID Governance in the commercial cloud. The choice of licenses you need in a tenant depends on the features you're using in that tenant.

+- **Microsoft Entra ID P1** - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.

+- **Microsoft Entra ID P2** - Microsoft Entra ID P2 is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.

+- **Microsoft Entra ID Governance** - Microsoft Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers, as two products **Microsoft Entra ID Governance** and **Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2**. These products contain the basic identity governance capabilities that were in Microsoft Entra ID P2, and additional advanced identity governance capabilities.

+Microsoft Entra ID Governance products are not yet available in the US government or US national clouds.

+### Governance products and prerequisites

+The Microsoft Entra ID Governance capabilities are currently available in two products in the commercial cloud. These two products provide the same identity governance capabilities. The difference between the two products is that they have different prerequisites.

+#### Microsoft Entra ID object deletion threshold

+If you have an implementation topology with Microsoft Entra Connect and Microsoft Entra Connect cloud sync, both exporting to the same Microsoft Entra ID Tenant, or if you completely moved from using Microsoft Entra Connect to Microsoft Entra Connect cloud sync, you might get the following export error message when you're deleting or moving multiple objects out of the defined scope:

+

+This error isn't related to the [Microsoft Entra Connect Cloud Sync accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md). It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra ID directory from Microsoft Entra Connect.

+If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Connect cloud sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command:

+```PowerShell

+Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-c6b1-48a5-9ba7-28fe88f83980"

+```

+During the next provisioning cycle, the objects that were marked for deletion should be deleted from the Azure AD directory successfully.

+Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets.

+Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets.

+Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets.

+Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets.

+* [Microsoft Entra sign-in log](../reports-monitoring/concept-sign-ins.md)

+| Azure SQL | [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) |

+| Azure SQL Managed Instance | [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) |

+* Use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets

+* Use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets

+- [Microsoft Entra synchronization API overview](/graph/api/resources/synchronization-overview)

+1. Select **Provision Microsoft Entra users**.

+1. Select **Provision Microsoft Entra users**.

+Privileged Identity Management (PIM) in Microsoft Entra ID, enables you to view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Microsoft Entra logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).

+Groups in Microsoft Entra ID can be classified as either role-assignable or non-role-assignable. Additionally, any group can be enabled or not enabled for use with Microsoft Entra Privileged Identity Management (PIM) for Groups. These are independent properties of the group. Any Microsoft Entra security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group doesn't have to be role-assignable group to be enabled in PIM for Groups.

+With Privileged Identity Management (PIM) and Microsoft Entra ID, you can configure activation of group membership and ownership to require approval. You can also choose users or groups from your Microsoft Entra organization as delegated approvers.

+* Enforce **Multifactor authentication** to activate any role

+Privileged Identity Management (PIM) lets you know when important events occur in your Microsoft Entra organization, such as when a role is assigned or activated. Privileged Identity Management keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such activating or renewing a role. This article describes what these emails look like, when they are sent, and who receives them.

+You can use the Microsoft Entra Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Microsoft Entra logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). If you want to see the full audit history of activity in your organization in Microsoft Entra ID including administrator, end user, and synchronization activity, you can use the [Microsoft Entra security and activity reports](../reports-monitoring/overview-reports.md).

+ Title: Microsoft Entra SSO integration with Kairos Business

+description: Learn how to configure single sign-on between Microsoft Entra ID and Kairos Business.

+# Microsoft Entra SSO integration with Kairos Business

+In this tutorial, you'll learn how to integrate Kairos Business with Microsoft Entra ID. When you integrate Kairos Business with Microsoft Entra ID, you can:

+* Control in Microsoft Entra ID who has access to Kairos Business.

+* Enable your users to be automatically signed-in to Kairos Business with their Microsoft Entra accounts.

+* Manage your accounts in one central location.

+## Prerequisites

+To integrate Microsoft Entra ID with Kairos Business, you need:

+* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Kairos Business single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

+* Kairos Business supports **IDP** initiated SSO.

+* Kairos Business supports **Just In Time** user provisioning.

+## Add Kairos Business from the gallery

+To configure the integration of Kairos Business into Microsoft Entra ID, you need to add Kairos Business from the gallery to your list of managed SaaS apps.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.

+1. In the **Add from the gallery** section, type **Kairos Business** in the search box.

+1. Select **Kairos Business** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Microsoft Entra SSO for Kairos Business

+Configure and test Microsoft Entra SSO with Kairos Business using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Kairos Business.

+To configure and test Microsoft Entra SSO with Kairos Business, perform the following steps:

+1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature.

+ 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon.

+ 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.

+1. **[Configure Kairos Business SSO](#configure-kairos-business-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Kairos Business test user](#create-kairos-business-test-user)** - to have a counterpart of B.Simon in Kairos Business that is linked to the Microsoft Entra ID representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Microsoft Entra SSO

+Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Kairos Business** > **Single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type one of the following value/pattern:

+ | **Identifier** |

+ ||

+ | `KairoBusiness`|

+ | `<KairoBusiness_ENTITY_ID>`|

+ > [!NOTE]

+ > <KairoBusiness_ENTITY_ID> is not real. Update this with the actual value.

+ b. In the **Reply URL** text box, type the URL:

+ `https://www.dimepkairos.com.br/Dimep/Account/SamlLogon`

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Kairos Business** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create a Microsoft Entra ID test user

+In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Select **New user** > **Create new user**, at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Display name** field, enter `B.Simon`.

+ 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Select **Review + create**.

+1. Select **Create**.

+### Assign the Microsoft Entra ID test user

+In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Kairos Business.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Kairos Business**.

+1. In the app's overview page, select **Users and groups**.

+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.

+ 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+ 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+ 1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Kairos Business SSO

+To configure single sign-on on **Kairos Business** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Microsoft Entra admin center to [Kairos Business support team](mailto:dimep@dimep.com.br). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Kairos Business test user

+In this section, a user called Britta Simon is created in Kairos Business. Kairos Business supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Kairos Business, a new one is created after authentication.

+## Test SSO

+In this section, you test your Microsoft Entra single sign-on configuration with following options.

+

+* Click on Test this application in Microsoft Entra admin center and you should be automatically signed in to the Kairos Business for which you set up the SSO.

+

+* You can use Microsoft My Apps. When you click the Kairos Business tile in the My Apps, you should be automatically signed in to the Kairos Business for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Kairos Business you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: Microsoft Entra SSO integration with Senomix Timesheets

+description: Learn how to configure single sign-on between Microsoft Entra ID and Senomix Timesheets.

+# Microsoft Entra SSO integration with Senomix Timesheets

+In this tutorial, you'll learn how to integrate Senomix Timesheets with Microsoft Entra ID. When you integrate Senomix Timesheets with Microsoft Entra ID, you can:

+* Control in Microsoft Entra ID who has access to Senomix Timesheets.

+* Enable your users to be automatically signed-in to Senomix Timesheets with their Microsoft Entra accounts.

+* Manage your accounts in one central location.

+## Prerequisites

+To integrate Microsoft Entra ID with Senomix Timesheets, you need:

+* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Senomix Timesheets single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

+* Senomix Timesheets supports both **SP and IDP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Senomix Timesheets from the gallery

+To configure the integration of Senomix Timesheets into Microsoft Entra ID, you need to add Senomix Timesheets from the gallery to your list of managed SaaS apps.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.

+1. In the **Add from the gallery** section, type **Senomix Timesheets** in the search box.

+1. Select **Senomix Timesheets** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Microsoft Entra SSO for Senomix Timesheets

+Configure and test Microsoft Entra SSO with Senomix Timesheets using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Senomix Timesheets.

+To configure and test Microsoft Entra SSO with Senomix Timesheets, perform the following steps:

+1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature.

+ 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon.

+ 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.

+1. **[Configure Senomix Timesheets SSO](#configure-senomix-timesheets-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Senomix Timesheets test user](#create-senomix-timesheets-test-user)** - to have a counterpart of B.Simon in Senomix Timesheets that is linked to the Microsoft Entra ID representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Microsoft Entra SSO

+Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Senomix Timesheets** > **Single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type the URL:

+ `https://timesheet.senomix.com/`

+ b. In the **Reply URL** text box, type the URL using the following pattern:

+ `https://www.senomix.com/simplesaml/module.php/saml/sp/saml2-acs.php/<CUSTOMER_AZURE_TENANT_ID>`

+ c. In the **Relay State** text box, type the URL using the following pattern:

+ `https://www.senomix.com/saml_sso/<CUSTOMER_AZURE_TENANT_ID>`

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** text box, type one of the following URL/pattern:

+ | **Sign on URL** |

+ ||

+ |`https://www.senomix.com/timesheet`|

+ |`https://www.senomix.com/saml_sso/<CUSTOMER_AZURE_TENANT_ID>`|

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Reply URL, Relay State and Sign on URL. Contact [Senomix Timesheets support team](mailto:support@senomix.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center.

+

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Senomix Timesheets** section, copy the appropriate URL(s) based on your requirement.

+ 

+

+### Create a Microsoft Entra ID test user

+In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Select **New user** > **Create new user**, at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Display name** field, enter `B.Simon`.

+ 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Select **Review + create**.

+1. Select **Create**.

+### Assign the Microsoft Entra ID test user

+In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Senomix Timesheets.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Senomix Timesheets**.

+1. In the app's overview page, select **Users and groups**.

+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.

+ 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+ 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+ 1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Senomix Timesheets SSO

+To configure single sign-on on **Senomix Timesheets** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Microsoft Entra admin center to [Senomix Timesheets support team](mailto:support@senomix.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Senomix Timesheets test user

+In this section, you create a user called B.Simon in Senomix Timesheets. Work with [Senomix Timesheets support team](mailto:support@senomix.com) to add the users in the Senomix Timesheets platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Microsoft Entra single sign-on configuration with following options.

+

+#### SP initiated:

+

+* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Senomix Timesheets Sign on URL where you can initiate the login flow.

+

+* Go to Senomix Timesheets Sign-on URL directly and initiate the login flow from there.

+

+#### IDP initiated:

+

+* Click on **Test this application** in Microsoft Entra admin center and you should be automatically signed in to the Senomix Timesheets for which you set up the SSO.

+

+You can also use Microsoft My Apps to test the application in any mode. When you click the Senomix Timesheets tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Senomix Timesheets for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Senomix Timesheets you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: Microsoft Entra SSO integration with Splashtop Secure Workspace

+description: Learn how to configure single sign-on between Microsoft Entra ID and Splashtop Secure Workspace.

+# Microsoft Entra SSO integration with Splashtop Secure Workspace

+In this tutorial, you'll learn how to integrate Splashtop Secure Workspace with Microsoft Entra ID. When you integrate Splashtop Secure Workspace with Microsoft Entra ID, you can:

+* Control in Microsoft Entra ID who has access to Splashtop Secure Workspace.

+* Enable your users to be automatically signed-in to Splashtop Secure Workspace with their Microsoft Entra accounts.

+* Manage your accounts in one central location.

+## Prerequisites

+To integrate Microsoft Entra ID with Splashtop Secure Workspace, you need:

+* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Splashtop Secure Workspace single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

+* Splashtop Secure Workspace supports **SP** initiated SSO.

+* Splashtop Secure Workspace supports **Just In Time** user provisioning.

+## Add Splashtop Secure Workspace from the gallery

+To configure the integration of Splashtop Secure Workspace into Microsoft Entra ID, you need to add Splashtop Secure Workspace from the gallery to your list of managed SaaS apps.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.

+1. In the **Add from the gallery** section, type **Splashtop Secure Workspace** in the search box.

+1. Select **Splashtop Secure Workspace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Microsoft Entra SSO for Splashtop Secure Workspace

+Configure and test Microsoft Entra SSO with Splashtop Secure Workspace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Splashtop Secure Workspace.

+To configure and test Microsoft Entra SSO with Splashtop Secure Workspace, perform the following steps:

+1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature.

+ 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon.

+ 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.

+1. **[Configure Splashtop Secure Workspace SSO](#configure-splashtop-secure-workspace-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Splashtop Secure Workspace test user](#create-splashtop-secure-workspace-test-user)** - to have a counterpart of B.Simon in Splashtop Secure Workspace that is linked to the Microsoft Entra ID representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Microsoft Entra SSO

+Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Splashtop Secure Workspace** > **Single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ `https://<ORG.ORG_NAME>.us.ssw.splashtop.com/realms/<ORG.ENTITY_ID>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<ORG.ORG_NAME>.us.ssw.splashtop.com/realms/<ORG.ORG_NAME>/broker/<ORG.ENTITY_ID>/endpoint`

+ c. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<ORG.ORG_NAME>.us.ssw.splashtop.com`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Splashtop Secure Workspace support team](mailto:support-ssw@splashtop.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Splashtop Secure Workspace** section, copy the appropriate URL(s) based on your requirement.

+ 

+

+### Create a Microsoft Entra ID test user

+In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Select **New user** > **Create new user**, at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Display name** field, enter `B.Simon`.

+ 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Select **Review + create**.

+1. Select **Create**.

+### Assign the Microsoft Entra ID test user

+In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Splashtop Secure Workspace.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Splashtop Secure Workspace**.

+1. In the app's overview page, select **Users and groups**.

+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.

+ 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+ 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+ 1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Splashtop Secure Workspace SSO

+To configure single sign-on on **Splashtop Secure Workspace** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Microsoft Entra admin center to [Splashtop Secure Workspace support team](mailto:support-ssw@splashtop.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Splashtop Secure Workspace test user

+In this section, a user called B.Simon is created in Splashtop Secure Workspace. Splashtop Secure Workspace supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Splashtop Secure Workspace, a new one is created when you attempt to access Splashtop Secure Workspace.

+## Test SSO

+In this section, you test your Microsoft Entra single sign-on configuration with following options.

+

+* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Splashtop Secure Workspace Sign-on URL where you can initiate the login flow.

+

+* Go to Splashtop Secure Workspace Sign-on URL directly and initiate the login flow from there.

+

+* You can use Microsoft My Apps. When you click the Splashtop Secure Workspace tile in the My Apps, this will redirect to Splashtop Secure Workspace Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Splashtop Secure Workspace you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: Microsoft Entra SSO integration with Treasury Intelligence Solutions (TIS)

+description: Learn how to configure single sign-on between Microsoft Entra ID and Treasury Intelligence Solutions (TIS).

+# Microsoft Entra SSO integration with Treasury Intelligence Solutions (TIS)

+In this tutorial, you'll learn how to integrate Treasury Intelligence Solutions (TIS) with Microsoft Entra ID. When you integrate Treasury Intelligence Solutions (TIS) with Microsoft Entra ID, you can:

+* Control in Microsoft Entra ID who has access to Treasury Intelligence Solutions (TIS).

+* Enable your users to be automatically signed-in to Treasury Intelligence Solutions (TIS) with their Microsoft Entra accounts.

+* Manage your accounts in one central location.

+## Prerequisites

+To integrate Microsoft Entra ID with Treasury Intelligence Solutions (TIS), you need:

+* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Treasury Intelligence Solutions (TIS) single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

+* Treasury Intelligence Solutions (TIS) supports both **SP and IDP** initiated SSO.

+## Add Treasury Intelligence Solutions (TIS) from the gallery

+To configure the integration of Treasury Intelligence Solutions (TIS) into Microsoft Entra ID, you need to add Treasury Intelligence Solutions (TIS) from the gallery to your list of managed SaaS apps.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.

+1. In the **Add from the gallery** section, type **Treasury Intelligence Solutions (TIS)** in the search box.

+1. Select **Treasury Intelligence Solutions (TIS)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Microsoft Entra SSO for Treasury Intelligence Solutions (TIS)

+Configure and test Microsoft Entra SSO with Treasury Intelligence Solutions (TIS) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Treasury Intelligence Solutions (TIS).

+To configure and test Microsoft Entra SSO with Treasury Intelligence Solutions (TIS), perform the following steps:

+1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature.

+ 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon.

+ 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.

+1. **[Configure Treasury Intelligence Solutions (TIS) SSO](#configure-treasury-intelligence-solutions-tis-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Treasury Intelligence Solutions (TIS) test user](#create-treasury-intelligence-solutions-tis-test-user)** - to have a counterpart of B.Simon in Treasury Intelligence Solutions (TIS) that is linked to the Microsoft Entra ID representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Microsoft Entra SSO

+Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Treasury Intelligence Solutions (TIS)** > **Single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type one of the following URLs:

+ | Environment | URL |

+ |-|-|

+ | Production| `https://eu.tispayments.com` , `https://us.tispayments.com` |

+ | Staging | `https://eu-test.tispayments.com` , `https://us-test.tispayments.com` |

+ b. In the **Reply URL** text box, type one of the following URLs:

+ | Environment | URL |

+ |-|-|

+ | Production| `https://login.eu.tispayments.com/iam-server/SamlSsoLogin` , `https://login.us.tispayments.com/iam-server/SamlSsoLogin` |

+ | Staging | `https://login.eu-test.tispayments.com/iam-server/SamlSsoLogin` , `https://login.us-test.tispayments.com/iam-server/SamlSsoLogin` |

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type any one of the URLs:

+ | Environment | URL |

+ |-|-|

+ | Production| `https://login.eu.tispayments.com` , `https://login.us.tispayments.com` |

+ | Staging | `https://login.eu-test.tispayments.com` , `https://login.us-test.tispayments.com` |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.

+ 

+### Create a Microsoft Entra ID test user

+In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Select **New user** > **Create new user**, at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Display name** field, enter `B.Simon`.

+ 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Select **Review + create**.

+1. Select **Create**.

+### Assign the Microsoft Entra ID test user

+In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Treasury Intelligence Solutions (TIS).

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Treasury Intelligence Solutions (TIS)**.

+1. In the app's overview page, select **Users and groups**.

+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.

+ 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+ 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+ 1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Treasury Intelligence Solutions (TIS) SSO

+To configure single sign-on on **Treasury Intelligence Solutions** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Microsoft Entra admin center to [Treasury Intelligence Solutions support team](mailto:support@tispayments.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Treasury Intelligence Solutions (TIS) test user

+In this section, you create a user called B.Simon in Treasury Intelligence Solutions (TIS). Work with [Treasury Intelligence Solutions (TIS) support team](mailto:support@tispayments.com) to add the users in the Treasury Intelligence Solutions (TIS) platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Microsoft Entra single sign-on configuration with following options.

+

+#### SP initiated:

+

+* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Treasury Intelligence Solution (TIS) Sign on URL where you can initiate the login flow.

+

+* Go to Treasury Intelligence Solution (TIS) Sign-on URL directly and initiate the login flow from there.

+

+#### IDP initiated:

+

+* Click on **Test this application** in Microsoft Entra admin center and you should be automatically signed in to the Treasury Intelligence Solution (TIS) for which you set up the SSO.

+

+You can also use Microsoft My Apps to test the application in any mode. When you click the Treasury Intelligence Solution (TIS) tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Treasury Intelligence Solution for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Treasury Intelligence Solutions (TIS) you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+#Customer intent: As a Microsoft Entra Verified ID issuer, verifier or developer, I want to know what's new in the product so that I can make full use of the functionality as it becomes available.

+- Introducing the Microsoft Entra Verified ID [Services partner gallery](services-partners.md) listing trusted partners that can help accelerate your Microsoft Entra Verified ID implementation.

+- *Public preview* - Entitlement Management customers can now create access packages that leverage Microsoft Entra Verified ID [learn more](../../active-directory/governance/entitlement-management-verified-id-settings.md)

+- Microsoft Entra Verified ID now reports events in the [audit log](../../active-directory/reports-monitoring/concept-audit-logs.md). Only management changes made via the Admin API are currently logged. Issuance or presentations of verifiable credentials aren't reported in the audit log. The log entries have a service name of `Verified ID` and the activity will be `Create authority`, `Update contract`, etc.

+- We're rolling out several features to improve the overall experience of creating verifiable credentials in the Microsoft Entra Verified ID platform:

+ - Administrators can create a Verified Employee Managed Credential using the [new quick start](how-to-use-quickstart-verifiedemployee.md). The Verified Employee is a verifiable credential of type verifiedEmployee that is based on a predefined set of claims from your tenant's directory.

+ - (new) [Creating a tenant for development](how-to-create-a-free-developer-account.md).

+- The last 7 days of utilization data are analyzed. Note that you can change your lookback period in the configurations. The available lookback periods are 7, 14, 21, 30, 60, and 90 days. After changing the lookback period, please be aware that it may take up to 48 hours for the recommendations to be updated.

+- The last 7 days of utilization data are analyzed. Note that you can change your lookback period in the configurations. The available lookback periods are 7, 14, 21, 30, 60, and 90 days. After changing the lookback period, please be aware that it may take up to 48 hours for the recommendations to be updated.

+## AI Services

+### You are close to exceeding storage quota of 2GB. Create a Standard search service

+You're close to exceeding storage quota of 2GB. Create a Standard search service. Indexing operations stop working when storage quota is exceeded.

+Learn more about [Service limits in Azure Cognitive Search](/azure/search/search-limits-quotas-capacity).

+### You are close to exceeding storage quota of 50MB. Create a Basic or Standard search service

+You're close to exceeding storage quota of 50MB. Create a Basic or Standard search service. Indexing operations stop working when storage quota is exceeded.

+Learn more about [Service limits in Azure Cognitive Search](/azure/search/search-limits-quotas-capacity).

+### You are close to exceeding your available storage quota. Add more partitions if you need more storage

+You're close to exceeding your available storage quota. Add extra partitions if you need more storage. After exceeding storage quota, you can still query, but indexing operations no longer work.

+Learn more about [Service limits in Azure Cognitive Search](/azure/search/search-limits-quotas-capacity)

+### Quota Exceeded for this resource

+We have detected that the quota for your resource has been exceeded. You can wait for it to automatically get replenished soon, or to get unblocked and use the resource again now, you can upgrade it to a paid SKU.

+Learn more about [Cognitive Service - CognitiveServiceQuotaExceeded (Quota Exceeded for this resource)](/azure/cognitive-services/plan-manage-costs#pay-as-you-go).

+### Upgrade your application to use the latest API version from Azure OpenAI

+We have detected that you have an Azure OpenAI resource that is being used with an older API version. Use the latest REST API version to take advantage of the latest features and functionality.

+Learn more about [Cognitive Service - CogSvcApiVersionOpenAI (Upgrade your application to use the latest API version from Azure OpenAI)](/azure/cognitive-services/openai/reference).

+### Upgrade your application to use the latest API version from Azure OpenAI

+We have detected that you have an Azure OpenAI resource that is being used with an older API version. Use the latest REST API version to take advantage of the latest features and functionality.

+Learn more about [Cognitive Service - API version: OpenAI (Upgrade your application to use the latest API version from Azure OpenAI)](/azure/cognitive-services/openai/reference).

+## Analytics

+### Your cluster running Ubuntu 16.04 is out of support

+We detected that your HDInsight cluster still uses Ubuntu 16.04 LTS. End of support for Azure HDInsight clusters on Ubuntu 16.04 LTS began on November 30, 2022. Existing clusters run as is without support from Microsoft. Consider rebuilding your cluster with the latest images.

+Learn more about [HDInsight cluster - ubuntu1604HdiClusters (Your cluster running Ubuntu 16.04 is out of support)](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions).

+### Upgrade your HDInsight cluster

+We detected your cluster isn't using the latest image. We recommend customers to use the latest versions of HDInsight images as they bring in the best of open source updates, Azure updates and security fixes. HDInsight release happens every 30 to 60 days. Consider moving to the latest release.

+Learn more about [HDInsight cluster - upgradeHDInsightCluster (Upgrade your HDInsight Cluster)](/azure/hdinsight/hdinsight-release-notes).

+### Your cluster was created one year ago

+We detected your cluster was created one year ago. As part of the best practices, we recommend you to use the latest HDInsight images as they bring in the best of open source updates, Azure updates and security fixes. The recommended maximum duration for cluster upgrades is less than six months.

+Learn more about [HDInsight cluster - clusterOlderThanAYear (Your cluster was created one year ago)](/azure/hdinsight/hdinsight-overview-before-you-start#keep-your-clusters-up-to-date).

+### Your Kafka cluster disks are almost full

+The data disks used by Kafka brokers in your HDInsight cluster are almost full. When that happens, the Apache Kafka broker process can't start and fails because of the disk full error. To mitigate, find the retention time for every topic, back up the files that are older and restart the brokers.

+Learn more about [HDInsight cluster - KafkaDiskSpaceFull (Your Kafka Cluster Disks are almost full)](https://aka.ms/kafka-troubleshoot-full-disk).

+### Creation of clusters under custom VNet requires more permission

+Your clusters with custom VNet were created without VNet joining permission. Ensure that the users who perform create operations have permissions to the Microsoft.Network/virtualNetworks/subnets/join action before September 30, 2023.

+Learn more about [HDInsight cluster - EnforceVNetJoinPermissionCheck (Creation of clusters under custom VNet requires more permission)](https://aka.ms/hdinsightEnforceVnet).

+### Deprecation of Kafka 1.1 in HDInsight 4.0 Kafka cluster

+Starting July 1, 2020, you can't create new Kafka clusters with Kafka 1.1 on HDInsight 4.0. Existing clusters run as is without support from Microsoft. Consider moving to Kafka 2.1 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

+Learn more about [HDInsight cluster - KafkaVersionRetirement (Deprecation of Kafka 1.1 in HDInsight 4.0 Kafka cluster)](https://aka.ms/hdiretirekafka).

+### Deprecation of Older Spark Versions in HDInsight Spark cluster

+Starting July 1, 2020, you can't create new Spark clusters with Spark 2.1 and 2.2 on HDInsight 3.6, and Spark 2.3 on HDInsight 4.0. Existing clusters run as is without support from Microsoft.

+Learn more about [HDInsight cluster - SparkVersionRetirement (Deprecation of Older Spark Versions in HDInsight Spark cluster)](https://aka.ms/hdiretirespark).

+### Enable critical updates to be applied to your HDInsight clusters

+HDInsight service is applying an important certificate related update to your cluster. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources associated with your clusters and applying this update. Take actions to allow HDInsight service to create or modify network resources such as Load balancer, Network interface and Public IP address, associated with your clusters before January 13, 2021 05:00 PM UTC. The HDInsight team is performing updates between January 13, 2021 05:00 PM UTC and January 16, 2021 05:00 PM UTC. Failure to apply this update might result in your clusters becoming unhealthy and unusable.

+Learn more about [HDInsight cluster - GCSCertRotation (Enable critical updates to be applied to your HDInsight clusters)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+### Drop and recreate your HDInsight clusters to apply critical updates

+The HDInsight service has attempted to apply a critical certificate update on all your running clusters. However, due to some custom configuration changes, we're unable to apply the certificate updates on some of your clusters.

+Learn more about [HDInsight cluster - GCSCertRotationRound2 (Drop and recreate your HDInsight clusters to apply critical updates)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+### Drop and recreate your HDInsight clusters to apply critical updates

+The HDInsight service has attempted to apply a critical certificate update on all your running clusters. However, due to some custom configuration changes, we're unable to apply the certificate updates on some of your clusters. Drop and recreate your cluster before January 25, 2021 to prevent the cluster from becoming unhealthy and unusable.

+Learn more about [HDInsight cluster - GCSCertRotationR3DropRecreate (Drop and recreate your HDInsight clusters to apply critical updates)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+### Apply critical updates to your HDInsight clusters

+The HDInsight service has attempted to apply a critical certificate update on all your running clusters. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources associated with your clusters and applying this update. Remove or update your policy assignment to allow HDInsight service to create or modify network resources such as load balancer, network interface and public IP address, associated with your clusters. Do this before January 21, 2021 05:00 PM UTC when the HDInsight team is performing updates between January 21, 2021 05:00 PM UTC and January 23, 2021 05:00 PM UTC. To verify the policy update, you can try to create network resources in the same resource group and subnet where your cluster is. Failure to apply this update might result in your clusters becoming unhealthy and unusable. You can also drop and recreate your cluster before January 25, 2021 to prevent the cluster from becoming unhealthy and unusable. The HDInsight service sends another notification if we failed to apply the update to your clusters.

+Learn more about [HDInsight cluster - GCSCertRotationR3PlanPatch (Apply critical updates to your HDInsight clusters)](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md).

+### Action required: Migrate your A8ΓÇôA11 HDInsight cluster before 1 March 2021

+You're receiving this notice because you have one or more active A8, A9, A10 or A11 HDInsight cluster. The A8-A11 virtual machines (VMs) are retired in all regions on 1 March 2021. After that date, all clusters using A8-A11 are deallocated. Migrate your affected clusters to another HDInsight supported VM (https://azure.microsoft.com/pricing/details/hdinsight/) before that date. For more information, see 'Learn More' link or contact us at askhdinsight@microsoft.com

+Learn more about [HDInsight cluster - VM Deprecation (Action required: Migrate your A8ΓÇôA11 HDInsight cluster before 1 March 2021)](https://azure.microsoft.com/updates/a8-a11-azure-virtual-machine-sizes-will-be-retired-on-march-1-2021/).

+### Cloud Services (classic) is retiring. Migrate off before 31 August 2024

+Cloud Services (classic) is retiring. Migrate off before 31 August 2024 to avoid any loss of data or business continuity.

+Learn more about [Resource - Cloud Services Retirement (Cloud Services (classic) is retiring. Migrate off before 31 August 2024)](https://aka.ms/ExternalRetirementEmailMay2022).

+We have identified that you're using standard disks with your premium-capable virtual machines and we recommend you consider upgrading the standard disks to premium disks. For any single instance virtual machine using premium storage for all operating system disks and data disks, we guarantee virtual machine connectivity of at least 99.9%. Consider these factors when making your upgrade decision. The first is that upgrading requires a VM reboot and this process takes 3-5 minutes to complete. The second is if the VMs in the list are mission-critical production VMs, evaluate the improved availability against the cost of premium disks.

+Learn more about [Virtual machine - Rhui3ToRhui4MigrationV2 (Update your firewall configurations to allow new RHUI 4 IPs)](https://aka.ms/rhui-server-list).

+### Virtual machines in your subscription are running on images that have been scheduled for deprecation

+Virtual machines in your subscription are running on images that have been scheduled for deprecation. Once the image is deprecated, new VMs can't be created from the deprecated image. Upgrade to a newer version of the image to prevent disruption to your workloads.

+Learn more about [Virtual machine - VMRunningDeprecatedOfferLevelImage (Virtual machines in your subscription are running on images that have been scheduled for deprecation)](https://aka.ms/DeprecatedImagesFAQ).

+### Virtual machines in your subscription are running on images that have been scheduled for deprecation

+Virtual machines in your subscription are running on images that have been scheduled for deprecation. Once the image is deprecated, new VMs can't be created from the deprecated image. Upgrade to a newer SKU of the image to prevent disruption to your workloads.

+Learn more about [Virtual machine - VMRunningDeprecatedPlanLevelImage (Virtual machines in your subscription are running on images that have been scheduled for deprecation)](https://aka.ms/DeprecatedImagesFAQ).

+### Virtual machines in your subscription are running on images that have been scheduled for deprecation

+Virtual machines in your subscription are running on images that have been scheduled for deprecation. Once the image is deprecated, new VMs can't be created from the deprecated image. Upgrade to newer version of the image to prevent disruption to your workloads.

+Learn more about [Virtual machine - VMRunningDeprecatedImage (Virtual machines in your subscription are running on images that have been scheduled for deprecation)](https://aka.ms/DeprecatedImagesFAQ).

+### Use Availability zones for better resiliency and availability

+Availability Zones (AZ) in Azure help protect your applications and data from datacenter failures. Each AZ is made up of one or more datacenters equipped with independent power, cooling, and networking. By designing solutions to use zonal VMs, you can isolate your VMs from failure in any other zone.

+Learn more about [Virtual machine - AvailabilityZoneVM (Use Availability zones for better resiliency and availability)](/azure/reliability/availability-zones-overview).

+### Access to mandatory URLs missing for your Azure Virtual Desktop environment

+In order for a session host to deploy and register to Azure Virtual Desktop properly, you need to add a set of URLs to the allowed list, in case your virtual machine runs in a restricted environment. After visiting the "Learn More" link, you see the minimum list of URLs you need to unblock to have a successful deployment and functional session host. For specific URL(s) missing from allowed list, you might also search your application event log for event 3702.

+Learn more about [Virtual machine - SessionHostNeedsAssistanceForUrlCheck (Access to mandatory URLs missing for your Azure Virtual Desktop environment)](../virtual-desktop/safe-url-list.md).

+### Update your firewall configurations to allow new RHUI 4 IPs

+Your Virtual Machine Scale Sets start receiving package content from RHUI4 servers on October 12, 2023. If you're allowing RHUI 3 IPs [https://aka.ms/rhui-server-list] via firewall and proxy, allow the new RHUI 4 IPs [https://aka.ms/rhui-server-list] to continue receiving RHEL package updates.

+Learn more about [Virtual machine scale set - Rhui3ToRhui4MigrationVMSS (Update your firewall configurations to allow new RHUI 4 IPs)](https://aka.ms/rhui-server-list).

+Virtual Machine Scale Sets in your subscription are running on images that have been scheduled for deprecation. Once the image is deprecated, your Virtual Machine Scale Sets workloads would no longer scale out. Upgrade to a newer version of the image to prevent disruption to your workload.

+Virtual Machine Scale Sets in your subscription are running on images that have been scheduled for deprecation. Once the image is deprecated, your Virtual Machine Scale Sets workloads would no longer scale out. Upgrade to newer plan of the image to prevent disruption to your workload.

+## Containers

+### Increase the minimal replica count for your container app

+We detected the minimal replica count set for your container app might be lower than optimal. Consider increasing the minimal replica count for better availability.

+Learn more about [Microsoft App Container App - ContainerAppMinimalReplicaCountTooLow (Increase the minimal replica count for your container app)](https://aka.ms/containerappscalingrules).

+### Renew custom domain certificate

+We detected the custom domain certificate you uploaded is near expiration. Renew your certificate and upload the new certificate for your container apps.

+Learn more about [Microsoft App Container App - ContainerAppCustomDomainCertificateNearExpiration (Renew custom domain certificate)](https://aka.ms/containerappcustomdomaincert).

+### A potential networking issue has been identified with your Container Apps environment that requires it to be re-created to avoid DNS issues

+A potential networking issue has been identified for your Container Apps environments. To prevent this potential networking issue, create a new Container Apps environment, re-create your Container Apps in the new environment, and delete the old Container Apps environment

+Learn more about [Managed Environment - CreateNewContainerAppsEnvironment (A potential networking issue has been identified with your Container Apps Environment that requires it to be re-created to avoid DNS issues)](https://aka.ms/createcontainerapp).

+### Domain verification required to renew your App Service Certificate

+You have an App Service certificate that's currently in a Pending Issuance status and requires domain verification. Failure to validate domain ownership results in an unsuccessful certificate issuance. Domain verification isn't automated for App Service certificates and requires your action.

+Learn more about [App Service Certificate - ASCDomainVerificationRequired (Domain verification required to renew your App Service Certificate)](https://aka.ms/ASCDomainVerificationRequired).

+### Clusters having node pools using unrecommended B-Series

+Cluster has one or more node pools using an unrecommended burstable VM SKU. With burstable VMs, full vCPU capability 100% is unguaranteed. Make sure B-series VMs aren't used in a Production environment.

+Learn more about [Kubernetes service - ClustersUsingBSeriesVMs (Clusters having node pools using unrecommended B-Series)](/azure/virtual-machines/sizes-b-series-burstable).

+### Upgrade to Standard tier for mission-critical and production clusters

+This cluster has more than 10 nodes and hasn't enabled the Standard tier. The Kubernetes Control Plane on the Free tier comes with limited resources and isn't intended for production use or any cluster with 10 or more nodes.

+Learn more about [Kubernetes service - UseStandardpricingtier (Upgrade to Standard tier for mission-critical and production clusters)](/azure/aks/uptime-sla).

+### Pod Disruption Budgets Recommended

+Pod Disruption budgets recommended. Improve service high availability.

+Learn more about [Kubernetes service - PodDisruptionBudgetsRecommended (Pod Disruption Budgets Recommended)](../aks/operator-best-practices-scheduler.md#plan-for-availability-using-pod-disruption-budgets).

+### Upgrade to the latest agent version of Azure Arc-enabled Kubernetes

+Upgrade to the latest agent version for the best Azure Arc enabled Kubernetes experience, improved stability and new functionality.

+Learn more about [Kubernetes - Azure Arc - Arc-enabled K8s agent version upgrade (Upgrade to the latest agent version of Azure Arc-enabled Kubernetes)](https://aka.ms/ArcK8sAgentUpgradeDocs).

+## Databases

+### Replication - Add a primary key to the table that currently does not have one

+Based on our internal monitoring, we have observed significant replication lag on your replica server. This lag is occurring because the replica server is replaying relay logs on a table that lacks a primary key. To ensure that the replica can synchronize with the primary and keep up with changes, add primary keys to the tables in the primary server. Once the primary keys are added, recreate the replica server.

+Learn more about [Azure Database for MySQL flexible server - MySqlFlexibleServerReplicaMissingPKfb41 (Replication - Add a primary key to the table that currently doesn't have one)](/azure/mysql/how-to-troubleshoot-replication-latency#no-primary-key-or-unique-key-on-a-table).

+### High Availability - Add primary key to the table that currently does not have one

+Our internal monitoring system has identified significant replication lag on the High Availability standby server. The standby server replaying relay logs on a table that lacks a primary key, is the main cause of the lag. To address this issue and adhere to best practices, we recommend you add primary keys to all tables. Once you add the primary keys, proceed to disable and then re-enable High Availability to mitigate the problem.

+Learn more about [Azure Database for MySQL flexible server - MySqlFlexibleServerHAMissingPKcf38 (High Availability - Add primary key to the table that currently doesn't have one.)](/azure/mysql/how-to-troubleshoot-replication-latency#no-primary-key-or-unique-key-on-a-table).

+### Availability might be impacted from high memory fragmentation. Increase fragmentation memory reservation to avoid potential impact

+Fragmentation and memory pressure can cause availability incidents during a failover or management operations. Increasing reservation of memory for fragmentation helps in reducing the cache failures when running under high memory pressure. Memory for fragmentation can be increased via maxfragmentationmemory-reserved setting available in advanced settings blade.

+Learn more about [Redis Cache Server - RedisCacheMemoryFragmentation (Availability might be impacted from high memory fragmentation. Increase fragmentation memory reservation to avoid potential impact.)](https://aka.ms/redis/recommendations/memory-policies).

+### Enable Azure backup for SQL on your virtual machines

+Enable backups for SQL databases on your virtual machines using Azure backup and realize the benefits of zero-infrastructure backup, point-in-time restore, and central management with SQL AG integration.

+Learn more about [SQL virtual machine - EnableAzBackupForSQL (Enable Azure backup for SQL on your virtual machines)](/azure/backup/backup-azure-sql-database).

+### Improve PostgreSQL availability by removing inactive logical replication slots

+Our internal telemetry indicates that your PostgreSQL server might have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. Inactive logical replication can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY take action. Either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

+Learn more about [PostgreSQL server - OrcasPostgreSqlLogicalReplicationSlots (Improve PostgreSQL availability by removing inactive logical replication slots)](https://aka.ms/azure_postgresql_logical_decoding).

+### Improve PostgreSQL availability by removing inactive logical replication slots

+Our internal telemetry indicates that your PostgreSQL flexible server might have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. Inactive logical replication slots can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY take action. Either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

+Learn more about [Azure Database for PostgreSQL flexible server - OrcasPostgreSqlFlexibleServerLogicalReplicationSlots (Improve PostgreSQL availability by removing inactive logical replication slots)](https://aka.ms/azure_postgresql_flexible_server_logical_decoding).

+We noticed that your Azure Cosmos DB container is configured with the Lazy indexing mode, which might impact the freshness of query results. We recommend switching to Consistent mode.

+We found a high number of metadata operations on your account. Your data in Azure Cosmos DB, including metadata about your databases and collections, is distributed across partitions. Metadata operations have a system-reserved request unit (RU) limit. A high number of metadata operations can cause rate limiting. Avoid rate limiting by using static Azure Cosmos DB client instances in your code, and caching the names of databases and collections.

+There's a critical bug in version 2.6.13 and lower, of the Azure Cosmos DB Async Java SDK v2 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. These service errors happen after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container. Note: There's a critical hotfix for the Async Java SDK v2, however we still highly recommend you migrate to the [Java SDK v4](../cosmos-db/sql/sql-api-sdk-java-v4.md).

+There's a critical bug in version 4.15 and lower of the Azure Cosmos DB Java SDK v4 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. These service errors happen after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container.

+## Integration

+### Upgrade to the latest FarmBeats API version

+We have identified calls to a FarmBeats API version that is scheduled for deprecation. We recommend switching to the latest FarmBeats API version to ensure uninterrupted access to FarmBeats, latest features, and performance improvements.

+Learn more about [Azure FarmBeats - FarmBeatsApiVersion (Upgrade to the latest FarmBeats API version)](https://aka.ms/FarmBeatsPaaSAzureAdvisorFAQ).

+### Upgrade to the latest ADMA Java SDK version

+We have identified calls to an Azure Data Manager for Agriculture (ADMA) Java SDK version that is scheduled for deprecation. We recommend switching to the latest SDK version to ensure uninterrupted access to ADMA, latest features, and performance improvements.

+Learn more about [Azure FarmBeats - FarmBeatsJavaSdkVersion (Upgrade to the latest ADMA Java SDK version)](https://aka.ms/FarmBeatsPaaSAzureAdvisorFAQ).

+### Upgrade to the latest ADMA DotNet SDK version

+We have identified calls to an ADMA DotNet SDK version that is scheduled for deprecation. We recommend switching to the latest SDK version to ensure uninterrupted access to ADMA, latest features, and performance improvements.

+Learn more about [Azure FarmBeats - FarmBeatsDotNetSdkVersion (Upgrade to the latest ADMA DotNet SDK version)](https://aka.ms/FarmBeatsPaaSAzureAdvisorFAQ).

+### Upgrade to the latest ADMA JavaScript SDK version

+We have identified calls to an ADMA JavaScript SDK version that is scheduled for deprecation. We recommend switching to the latest SDK version to ensure uninterrupted access to ADMA, latest features, and performance improvements.

+Learn more about [Azure FarmBeats - FarmBeatsJavaScriptSdkVersion (Upgrade to the latest ADMA JavaScript SDK version)](https://aka.ms/FarmBeatsPaaSAzureAdvisorFAQ).

+### Upgrade to the latest ADMA Python SDK version

+We have identified calls to an ADMA Python SDK version that is scheduled for deprecation. We recommend switching to the latest SDK version to ensure uninterrupted access to ADMA, latest features, and performance improvements.

+Learn more about [Azure FarmBeats - FarmBeatsPythonSdkVersion (Upgrade to the latest ADMA Python SDK version)](https://aka.ms/FarmBeatsPaaSAzureAdvisorFAQ).

+### SSL/TLS renegotiation blocked

+SSL/TLS renegotiation attempt blocked. Renegotiation happens when a client certificate is requested over an already established connection. When it's blocked, reading 'context.Request.Certificate' in policy expressions returns 'null.' To support client certificate authentication scenarios, enable 'Negotiate client certificate' on listed hostnames. For browser-based clients, enabling this option might result in a certificate prompt being presented to the client.

+Learn more about [Api Management - TlsRenegotiationBlocked (SSL/TLS renegotiation blocked)](/azure/api-management/api-management-howto-mutual-certificates-for-clients).

+### Hostname certificate rotation failed

+API Management service failed to refresh hostname certificate from Key Vault. Ensure that certificate exists in Key Vault and API Management service identity is granted secret read access. Otherwise, API Management service can't retrieve certificate updates from Key Vault, which might lead to the service using stale certificate and runtime API traffic being blocked as a result.

+Learn more about [Api Management - HostnameCertRotationFail (Hostname certificate rotation failed)](https://aka.ms/apimdocs/customdomain).

+## Internet of Things

+### Upgrade device client SDK to a supported version for IotHub

+Some or all of your devices are using outdated SDK and we recommend you upgrade to a supported version of SDK. See the details in the recommendation.

+Learn more about [IoT hub - UpgradeDeviceClientSdk (Upgrade device client SDK to a supported version for IotHub)](https://aka.ms/iothubsdk).

+### IoT Hub Potential Device Storm Detected

+A device storm is when two or more devices are trying to connect to the IoT Hub using the same device ID credentials. When the second device (B) connects, it causes the first one (A) to become disconnected. Then (A) attempts to reconnect again, which causes (B) to get disconnected.

+Learn more about [IoT hub - IoTHubDeviceStorm (IoT Hub Potential Device Storm Detected)](https://aka.ms/IotHubDeviceStorm).

+### Upgrade Device Update for IoT Hub SDK to a supported version

+Your Device Update for IoT Hub Instance is using an outdated version of the SDK. We recommend you upgrade to the latest version for the latest fixes, performance improvements, and new feature capabilities.

+Learn more about [IoT hub - DU_SDK_Advisor_Recommendation (Upgrade Device Update for IoT Hub SDK to a supported version)](/azure/iot-hub-device-update/understand-device-update).

+### IoT Hub Quota Exceeded Detected

+We have detected that your IoT Hub has exceeded its daily message quota. To prevent your IoT Hub exceeding its daily message quota in the future, add units or increase the SKU level.

+Learn more about [IoT hub - IoTHubQuotaExceededAdvisor (IoT Hub Quota Exceeded Detected)](/azure/iot-hub/troubleshoot-error-codes#403002-iothubquotaexceeded).

+### Upgrade device client SDK to a supported version for Iot Hub

+Some or all of your devices are using outdated SDK and we recommend you upgrade to a supported version of SDK. See the details in the link given.

+Learn more about [IoT hub - UpgradeDeviceClientSdk (Upgrade device client SDK to a supported version for IotHub)](https://aka.ms/iothubsdk).

+### Upgrade Edge Device Runtime to a supported version for Iot Hub

+Some or all of your Edge devices are using outdated versions and we recommend you upgrade to the latest supported version of the runtime. See the details in the link given.

+Learn more about [IoT hub - UpgradeEdgeSdk (Upgrade Edge Device Runtime to a supported version for Iot Hub)](https://aka.ms/IOTEdgeSDKCheck).

+## Media

+### Increase Media Services quotas or limits to ensure continuity of service

+Your media account is about to hit its quota limits. Review current usage of Assets, Content Key Policies and Stream Policies for the media account. To avoid any disruption of service, request quota limits to be increased for the entities that are closer to hitting quota limit. You can request quota limits to be increased by opening a ticket and adding relevant details to it. Don't create extra Azure Media accounts in an attempt to obtain higher limits.

+Learn more about [Media Service - AccountQuotaLimit (Increase Media Services quotas or limits to ensure continuity of service.)](https://aka.ms/ams-quota-recommendation/).

+## Networking

+### Check Point virtual machine might lose Network Connectivity

+We have identified that your virtual machine might be running a version of Check Point image that might lose network connectivity during a platform servicing operation. We recommend that you upgrade to a newer version of the image. Contact Check Point for further instructions on how to upgrade your image.

+Learn more about [Virtual machine - CheckPointPlatformServicingKnownIssueA (Check Point virtual machine might lose Network Connectivity.)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk151752&partition=Advanced&product=CloudGuard).

+### Upgrade to the latest version of the Azure Connected Machine agent

+The Azure Connected Machine agent is updated regularly with bug fixes, stability enhancements, and new functionality. Upgrade your agent to the latest version for the best Azure Arc experience.

+Learn more about [Connected Machine agent - Azure Arc - ArcServerAgentVersion (Upgrade to the latest version of the Azure Connected Machine agent)](../azure-arc/servers/manage-agent.md).

+### Switch Secret version to ΓÇÿLatestΓÇÖ for the Azure Front Door customer certificate

+We recommend configuring the Azure Front Door (AFD) customer certificate secret to ΓÇÿLatestΓÇÖ for the AFD to refer to the latest secret version in Azure Key Vault, so that the secret can be automatically rotated.

+Learn more about [Front Door Profile - SwitchVersionBYOC (Switch Secret version to ΓÇÿLatestΓÇÖ for the Azure Front Door customer certificate)](https://aka.ms/how-to-configure-https-custom-domain#certificate-renewal-and-changing-certificate-types).

+### Validate domain ownership by adding DNS TXT record to DNS provider.

+Validate domain ownership by adding DNS TXT record to DNS provider.

+Learn more about [Front Door Profile - ValidateDomainOwnership (Validate domain ownership by adding DNS TXT record to DNS provider.)](https://aka.ms/how-to-add-custom-domain#domain-validation-state).

+### Revalidate domain ownership for the Azure Front Door managed certificate renewal

+Azure Front Door can't automatically renew the managed certificate because the domain isn't CNAME mapped to AFD endpoint. Revalidate domain ownership for the managed certificate to be automatically renewed.

+Learn more about [Front Door Profile - RevalidateDomainOwnership (Revalidate domain ownership for the Azure Front Door managed certificate renewal)](https://aka.ms/how-to-add-custom-domain#domain-validation-state).

+### Renew the expired Azure Front Door customer certificate to avoid service disruption

+Some of the customer certificates for Azure Front Door Standard and Premium profiles expired. Renew the certificate in time to avoid service disruption.

+Learn more about [Front Door Profile - RenewExpiredBYOC (Renew the expired Azure Front Door customer certificate to avoid service disruption.)](https://aka.ms/how-to-configure-https-custom-domain#use-your-own-certificate).

+### Avoid hostname override to ensure site integrity

+Try to avoid overriding the hostname when configuring Application Gateway. Having a domain on the frontend of Application Gateway different than the one used to access the backend, can potentially lead to cookies or redirect URLs being broken. A different frontend domain isn't a problem in all situations, and certain categories of backends like REST APIs, are less sensitive in general. Make sure the backend is able to deal with the domain difference, or update the Application Gateway configuration so the hostname doesn't need to be overwritten towards the backend. When used with App Service, attach a custom domain name to the Web App and avoid use of the `*.azurewebsites.net` host name towards the backend.

+Learn more about [Application gateway - AppGatewayHostOverride (Avoid hostname override to ensure site integrity)](https://aka.ms/appgw-advisor-usecustomdomain).

+### Azure WAF RuleSet CRS 3.1/3.2 has been updated with Log4j 2 vulnerability rule

+In response to Log4j 2 vulnerability (CVE-2021-44228), Azure Web Application Firewall (WAF) RuleSet CRS 3.1/3.2 has been updated on your Application Gateway to help provide extra protection from this vulnerability. The rules are available under Rule 944240 and no action is needed to enable them.

+Learn more about [Application gateway - AppGwLog4JCVEPatchNotification (Azure WAF RuleSet CRS 3.1/3.2 has been updated with log4j2 vulnerability rule)](https://aka.ms/log4jcve).

+### Extra protection to mitigate Log4j 2 vulnerability (CVE-2021-44228)

+To mitigate the impact of Log4j 2 vulnerability, we recommend these steps:

+1) Upgrade Log4j 2 to version 2.15.0 on your backend servers. If upgrade isn't possible, follow the system property guidance link provided.

+2) Take advantage of WAF Core rule sets (CRS) by upgrading to WAF SKU.

+Learn more about [Application gateway - AppGwLog4JCVEGenericNotification (Additional protection to mitigate Log4j2 vulnerability (CVE-2021-44228))](https://aka.ms/log4jcve).

+### Update VNet permission of Application Gateway users

+To improve security and provide a more consistent experience across Azure, all users must pass a permission check before creating or updating an Application Gateway in a Virtual Network. The users or service principals must include at least Microsoft.Network/virtualNetworks/subnets/join/action permission.

+Learn more about [Application gateway - AppGwLinkedAccessFailureRecmmendation (Update VNet permission of Application Gateway users)](https://aka.ms/agsubnetjoin).

+### Use version-less Key Vault secret identifier to reference the certificates

+We strongly recommend that you use a version-less secret identifier to allow your application gateway resource to automatically retrieve the new certificate version, whenever available. Example: https://myvault.vault.azure.net/secrets/mysecret/

+Learn more about [Application gateway - AppGwAdvisorRecommendationForCertificateUpdate (Use version-less Key Vault secret identifier to reference the certificates)](https://aka.ms/agkvversion).

+We have detected that ExpressRoute Monitor on Network Performance Monitor isn't currently monitoring your ExpressRoute circuit. ExpressRoute monitor provides end-to-end monitoring capabilities including: loss, latency, and performance from on-premises to Azure and Azure to on-premises

+### Add at least one more endpoint to the profile, preferably in another Azure region

+Profiles require more than one endpoint to ensure availability if one of the endpoints fails. We also recommend that endpoints be in different regions.

+Learn more about [Traffic Manager profile - GeneralProfile (Add at least one more endpoint to the profile, preferably in another Azure region)](https://aka.ms/AA1o0x4).

+### Add an endpoint configured to "All (World)"

+For geographic routing, traffic is routed to endpoints based on defined regions. When a region fails, there's no predefined failover. Having an endpoint where the Regional Grouping is configured to "All (World)" for geographic profiles avoids traffic black holing and guarantee service remains available.

+Learn more about [Traffic Manager profile - GeographicProfile (Add an endpoint configured to \""All (World)\"")](https://aka.ms/Rf7vc5).

+### Add or move one endpoint to another Azure region

+All endpoints associated to this proximity profile are in the same region. Users from other regions might experience long latency when attempting to connect. Adding or moving an endpoint to another region improves overall performance for proximity routing and provide better availability in case all endpoints in one region fail.

+Learn more about [Traffic Manager profile - ProximityProfile (Add or move one endpoint to another Azure region)](https://aka.ms/Ldkkdb).

+### Move to production gateway SKUs from Basic gateways

+The VPN gateway Basic SKU is designed for development or testing scenarios. Move to a production SKU if you're using the VPN gateway for production purposes. The production SKUs offer higher number of tunnels, BGP support, active-active, custom IPsec/IKE policy in addition to higher stability and availability.

+Learn more about [Virtual network gateway - BasicVPNGateway (Move to production gateway SKUs from Basic gateways)](https://aka.ms/aa_basicvpngateway_learnmore).

+### Use NAT gateway for outbound connectivity

+Prevent risk of connectivity failures due to SNAT port exhaustion by using NAT gateway for outbound traffic from your virtual networks. NAT gateway scales dynamically and provides secure connections for traffic headed to the internet.

+Learn more about [Virtual network - natGateway (Use NAT gateway for outbound connectivity)](/azure/load-balancer/load-balancer-outbound-connections#2-associate-a-nat-gateway-to-the-subnet).

+## SAP for Azure

+### Enable the 'concurrent-fencing' parameter in Pacemaker cofiguration in ASCS HA setup in SAP workloads

+The concurrent-fencing parameter when set to true, enables the fencing operations to be performed in parallel. Set this parameter to 'true' in the pacemaker cluster configuration for ASCS HA setup.

+Learn more about [Central Server Instance - ConcurrentFencingHAASCSRH (Enable the 'concurrent-fencing' parameter in Pacemaker cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Ensure that stonith is enabled for the Pacemaker cofiguration in ASCS HA setup in SAP workloads

+In a Pacemaker cluster, the implementation of node level fencing is done using STONITH (Shoot The Other Node in the Head) resource. Ensure that 'stonith-enable' is set to 'true' in the HA cluster configuration of your SAP workload.

+Learn more about [Central Server Instance - StonithEnabledHAASCSRH (Ensure that stonith is enabled for the Pacemaker cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set the stonith timeout to 144 for the cluster cofiguration in ASCS HA setup in SAP workloads

+Set the stonith timeout to 144 for HA cluster as per recommendation for SAP on Azure.

+Learn more about [Central Server Instance - StonithTimeOutHAASCS (Set the stonith timeout to 144 for the cluster cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the corosync token in Pacemaker cluster to 30000 for ASCS HA setup in SAP workloads

+The corosync token setting determines the timeout that is used directly or as a base for real token timeout calculation in HA clusters. Set the corosync token to 30000 as per recommendation for SAP on Azure to allow memory-preserving maintenance.

+Learn more about [Central Server Instance - CorosyncTokenHAASCSRH (Set the corosync token in Pacemaker cluster to 30000 for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set the expected votes parameter to 2 in Pacemaker cofiguration in ASCS HA setup in SAP workloads

+In a two node HA cluster, set the quorum votes to 2 as per recommendation for SAP on Azure.

+Learn more about [Central Server Instance - ExpectedVotesHAASCSRH (Set the expected votes parameter to 2 in Pacemaker cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set 'token_retransmits_before_loss_const' to 10 in Pacemaker cluster in ASCS HA setup in SAP workloads

+The corosync token_retransmits_before_loss_const determines how many token retransmits the system attempts before timeout in HA clusters. Set the totem.token_retransmits_before_loss_const to 10 as per recommendation for ASCS HA setup.

+Learn more about [Central Server Instance - TokenRestransmitsHAASCSSLE (Set 'token_retransmits_before_loss_const' to 10 in Pacemaker cluster in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the corosync token in Pacemaker cluster to 30000 for ASCS HA setup in SAP workloads

+The corosync token setting determines the timeout that is used directly or as a base for real token timeout calculation in HA clusters. Set the corosync token to 30000 as per recommendation for SAP on Azure to allow memory-preserving maintenance.

+Learn more about [Central Server Instance - CorosyncTokenHAASCSSLE (Set the corosync token in Pacemaker cluster to 30000 for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the 'corosync max_messages' in Pacemaker cluster to 20 for ASCS HA setup in SAP workloads

+The corosync max_messages constant specifies the maximum number of messages allowed to be sent by one processor once the token is received. We recommend you set to 20 times the corosync token parameter in Pacemaker cluster configuration.

+Learn more about [Central Server Instance - CorosyncMaxMessagesHAASCSSLE (Set the 'corosync max_messages' in Pacemaker cluster to 20 for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the 'corosync consensus' in Pacemaker cluster to 36000 for ASCS HA setup in SAP workloads

+The corosync parameter 'consensus' specifies in milliseconds how long to wait for consensus to be achieved before starting a new round of membership in the cluster configuration. We recommend that you set 1.2 times the corosync token in Pacemaker cluster configuration for ASCS HA setup.

+Learn more about [Central Server Instance - CorosyncConsensusHAASCSSLE (Set the 'corosync consensus' in Pacemaker cluster to 36000 for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the expected votes parameter to 2 in the cluster cofiguration in ASCS HA setup in SAP workloads

+In a two node HA cluster, set the quorum parameter expected_votes to 2 as per recommendation for SAP on Azure.

+Learn more about [Central Server Instance - ExpectedVotesHAASCSSLE (Set the expected votes parameter to 2 in the cluster cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the two_node parameter to 1 in the cluster cofiguration in ASCS HA setup in SAP workloads

+In a two node HA cluster, set the quorum parameter 'two_node' to 1 as per recommendation for SAP on Azure.

+Learn more about [Central Server Instance - TwoNodesParametersHAASCSSLE (Set the two_node parameter to 1 in the cluster cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the 'corosync join' in Pacemaker cluster to 60 for ASCS HA setup in SAP workloads

+The corosync join timeout specifies in milliseconds how long to wait for join messages in the membership protocol. We recommend that you set 60 in Pacemaker cluster configuration for ASCS HA setup.

+Learn more about [Central Server Instance - CorosyncJoinHAASCSSLE (Set the 'corosync join' in Pacemaker cluster to 60 for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Ensure that stonith is enabled for the cluster cofiguration in ASCS HA setup in SAP workloads

+In a Pacemaker cluster, the implementation of node level fencing is done using STONITH (Shoot The Other Node in the Head) resource. Ensure that 'stonith-enable' is set to 'true' in the HA cluster configuration.

+Learn more about [Central Server Instance - StonithEnabledHAASCS (Ensure that stonith is enabled for the cluster cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set stonith-timeout to 900 in Pacemaker configuration with Azure fence agent for ASCS HA setup

+Set the stonith-timeout to 900 for reliable function of the Pacemaker for ASCS HA setup. This stonith-timeout setting is applicable if you're using Azure fence agent for fencing with either managed identity or service principal.

+Learn more about [Central Server Instance - StonithTimeOutHAASCSSLE (Set stonith-timeout to 900 in Pacemaker configuration with Azure fence agent for ASCS HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Enable the 'concurrent-fencing' parameter in Pacemaker cofiguration in ASCS HA setup in SAP workloads

+The concurrent-fencing parameter when set to true, enables the fencing operations to be performed in parallel. Set this parameter to 'true' in the pacemaker cluster configuration for ASCS HA setup.

+Learn more about [Central Server Instance - ConcurrentFencingHAASCSSLE (Enable the 'concurrent-fencing' parameter in Pacemaker cofiguration in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Create the softdog config file in Pacemaker configuration for ASCS HA setup in SAP workloads

+The softdog timer is loaded as a kernel module in linux OS. This timer triggers a system reset if it detects that the system has hung. Ensure that the softdog configuration file is created in the Pacemaker cluster for ASCS HA setup.

+Learn more about [Central Server Instance - SoftdogConfigHAASCSSLE (Create the softdog config file in Pacemaker configuration for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Ensure the softdog module is loaded in for Pacemaker in ASCS HA setup in SAP workloads

+The softdog timer is loaded as a kernel module in linux OS. This timer triggers a system reset if it detects that the system has hung. First ensure that you created the softdog configuration file, then load the softdog module in the Pacemaker configuration for ASCS HA setup.

+Learn more about [Central Server Instance - softdogmoduleloadedHAASCSSLE (Ensure the softdog module is loaded in for Pacemaker in ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Ensure that there is one instance of fence_azure_arm in Pacemaker configuration for ASCS HA setup

+The fence_azure_arm is an I/O fencing agent for Azure Resource Manager. Ensure that there's one instance of fence_azure_arm in the pacemaker configuration for ASCS HA setup. The fence_azure_arm requirement is applicable if you're using Azure fence agent for fencing with either managed identity or service principal.

+Learn more about [Central Server Instance - FenceAzureArmHAASCSSLE (Ensure that there's one instance of fence_azure_arm in Pacemaker configuration for ASCS HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Enable HA ports in the Azure Load Balancer for ASCS HA setup in SAP workloads

+Enable HA ports in the Load balancing rules for HA set up of ASCS instance in SAP workloads. Open the load balancer, select 'load balancing rules' and add/edit the rule to enable the recommended settings.

+Learn more about [Central Server Instance - ASCSHAEnableLBPorts (Enable HA ports in the Azure Load Balancer for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance).

+### Enable Floating IP in the Azure Load balancer for ASCS HA setup in SAP workloads

+Enable floating IP in the load balancing rules for the Azure Load Balancer for HA set up of ASCS instance in SAP workloads. Open the load balancer, select 'load balancing rules' and add/edit the rule to enable the recommended settings.

+Learn more about [Central Server Instance - ASCSHAEnableFloatingIpLB (Enable Floating IP in the Azure Load balancer for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance).

+### Set the Idle timeout in Azure Load Balancer to 30 minutes for ASCS HA setup in SAP workloads

+To prevent load balancer timeout, make sure that all Azure Load Balancing Rules have: 'Idle timeout (minutes)' set to the maximum value of 30 minutes. Open the load balancer, select 'load balancing rules' and add/edit the rule to enable the recommended settings.

+Learn more about [Central Server Instance - ASCSHASetIdleTimeOutLB (Set the Idle timeout in Azure Load Balancer to 30 minutes for ASCS HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Disable TCP timestamps on VMs placed behind Azure Load Balancer in ASCS HA setup in SAP workloads

+Disable TCP timestamps on VMs placed behind Azure Load Balancer. Enabled TCP timestamps cause the health probes to fail due to TCP packets being dropped by the VM's guest OS TCP stack. Dropped TCP packets cause the load balancer to mark the endpoint as down.

+Learn more about [Central Server Instance - ASCSLBHADisableTCP (Disable TCP timestamps on VMs placed behind Azure Load Balancer in ASCS HA setup in SAP workloads)](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-november-2021/ba-p/2807619#network-settings-and-tuning-for-sap-on-azure).

+### Enable stonith in the cluster cofiguration in HA enabled SAP workloads for VMs with Redhat OS

+In a Pacemaker cluster, the implementation of node level fencing is done using STONITH (Shoot The Other Node in the Head) resource. Ensure that 'stonith-enable' is set to 'true' in the HA cluster configuration of your SAP workload.

+Learn more about [Database Instance - StonithEnabledHARH (Enable stonith in the cluster cofiguration in HA enabled SAP workloads for VMs with Redhat OS)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set the stonith timeout to 144 for the cluster cofiguration in HA enabled SAP workloads

+Set the stonith timeout to 144 for HA cluster as per recommendation for SAP on Azure.

+Learn more about [Database Instance - StonithTimeoutHASLE (Set the stonith timeout to 144 for the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Enable stonith in the cluster cofiguration in HA enabled SAP workloads for VMs with SUSE OS

+In a Pacemaker cluster, the implementation of node level fencing is done using STONITH (Shoot The Other Node in the Head) resource. Ensure that 'stonith-enable' is set to 'true' in the HA cluster configuration.

+Learn more about [Database Instance - StonithEnabledHASLE (Enable stonith in the cluster cofiguration in HA enabled SAP workloads for VMs with SUSE OS)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set stonith-timeout to 900 in Pacemaker configuration with Azure fence agent for HANA DB HA setup

+Set the stonith-timeout to 900 for reliable functioning of the Pacemaker for HANA DB HA setup. This setting is important if you're using the Azure fence agent for fencing with either managed identity or service principal.

+Learn more about [Database Instance - StonithTimeOutSuseHDB (Set stonith-timeout to 900 in Pacemaker configuration with Azure fence agent for HANA DB HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the corosync token in Pacemaker cluster to 30000 for HA enabled HANA DB for VM with Redhat OS

+The corosync token setting determines the timeout that is used directly or as a base for real token timeout calculation in HA clusters. Set the corosync token to 30000 as per recommendation for SAP on Azure to allow memory-preserving maintenance.

+Learn more about [Database Instance - CorosyncTokenHARH (Set the corosync token in Pacemaker cluster to 30000 for HA enabled HANA DB for VM with Redhat OS)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads

+In a two node HA cluster, set the quorum votes to 2 as per recommendation for SAP on Azure.

+Learn more about [Database Instance - ExpectedVotesParamtersHARH (Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set the corosync token in Pacemaker cluster to 30000 for HA enabled HANA DB for VM with SUSE OS

+The corosync token setting determines the timeout that is used directly or as a base for real token timeout calculation in HA clusters. Set the corosync token to 30000 as per recommendation for SAP on Azure to allow memory-preserving maintenance.

+Learn more about [Database Instance - CorosyncTokenHASLE (Set the corosync token in Pacemaker cluster to 30000 for HA enabled HANA DB for VM with SUSE OS)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set parameter PREFER_SITE_TAKEOVER to 'true' in the Pacemaker cofiguration for HANA DB HA setup

+The parameter PREFER_SITE_TAKEOVER in SAP HANA topology defines if the HANA SR resource agent prefers to takeover to the secondary instance instead of restarting the failed primary locally. Set it to 'true' for reliable function of HANA DB HA setup.

+Learn more about [Database Instance - PreferSiteTakeOverHARH (Set parameter PREFER_SITE_TAKEOVER to 'true' in the Pacemaker cofiguration for HANA DB HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Enable the 'concurrent-fencing' parameter in the Pacemaker cofiguration for HANA DB HA setup

+The concurrent-fencing parameter when set to true, enables the fencing operations to be performed in parallel. Set this parameter to 'true' in the pacemaker cluster configuration for HANA DB HA setup.

+Learn more about [Database Instance - ConcurrentFencingHARH (Enable the 'concurrent-fencing' parameter in the Pacemaker cofiguration for HANA DB HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability-rhel).

+### Set parameter PREFER_SITE_TAKEOVER to 'true' in the cluster cofiguration in HA enabled SAP workloads

+The parameter PREFER_SITE_TAKEOVER in SAP HANA topology defines if the HANA SR resource agent prefers to takeover to the secondary instance instead of restarting the failed primary locally. Set it to 'true' for reliable function of HANA DB HA setup.

+Learn more about [Database Instance - PreferSiteTakeoverHDB (Set parameter PREFER_SITE_TAKEOVER to 'true' in the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set 'token_retransmits_before_loss_const' to 10 in Pacemaker cluster in HA enabled SAP workloads

+The corosync token_retransmits_before_loss_const determines how many token retransmits are attempted before timeout in HA clusters. Set the totem.token_retransmits_before_loss_const to 10 as per recommendation for HANA DB HA setup.

+Learn more about [Database Instance - TokenRetransmitsHDB (Set 'token_retransmits_before_loss_const' to 10 in Pacemaker cluster in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads

+Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads.

+Learn more about [Database Instance - ExpectedVotesSuseHDB (Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the two_node parameter to 1 in the cluster cofiguration in HA enabled SAP workloads

+In a two node HA cluster, set the quorum parameter 'two_node' to 1 as per recommendation for SAP on Azure.

+Learn more about [Database Instance - TwoNodeParameterSuseHDB (Set the two_node parameter to 1 in the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Enable the 'concurrent-fencing' parameter in the cluster cofiguration in HA enabled SAP workloads

+The concurrent-fencing parameter when set to true, enables the fencing operations to be performed in parallel. Set this parameter to 'true' in the pacemaker cluster configuration for HANA DB HA setup.

+Learn more about [Database Instance - ConcurrentFencingSuseHDB (Enable the 'concurrent-fencing' parameter in the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the 'corosync join' in Pacemaker cluster to 60 for HA enabled HANA DB in SAP workloads

+The corosync join timeout specifies in milliseconds how long to wait for join messages in the membership protocol. We recommend that you set 60 in Pacemaker cluster configuration for HANA DB HA setup.

+Learn more about [Database Instance - CorosyncHDB (Set the 'corosync join' in Pacemaker cluster to 60 for HA enabled HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the 'corosync max_messages' in Pacemaker cluster to 20 for HA enabled HANA DB in SAP workloads

+The corosync max_messages constant specifies the maximum number of messages allowed to be sent by one processor once the token is received. We recommend that you set 20 times the corosync token parameter in Pacemaker cluster configuration.

+Learn more about [Database Instance - CorosyncMaxMessageHDB (Set the 'corosync max_messages' in Pacemaker cluster to 20 for HA enabled HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the 'corosync consensus' in Pacemaker cluster to 36000 for HA enabled HANA DB in SAP workloads

+The corosync parameter 'consensus' specifies in milliseconds how long to wait for consensus to be achieved before starting a new round of membership in the cluster configuration. We recommend that you set 1.2 times the corosync token in Pacemaker cluster configuration for HANA DB HA setup.

+Learn more about [Database Instance - CorosyncConsensusHDB (Set the 'corosync consensus' in Pacemaker cluster to 36000 for HA enabled HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Create the softdog config file in Pacemaker configuration for HA enable HANA DB in SAP workloads

+The softdog timer is loaded as a kernel module in linux OS. This timer triggers a system reset if it detects that the system has hung. Ensure that the softdog configuration file is created in the Pacemaker cluster for HANA DB HA setup.

+Learn more about [Database Instance - SoftdogConfigSuseHDB (Create the softdog config file in Pacemaker configuration for HA enable HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Ensure that there is one instance of fence_azure_arm in Pacemaker configuration for HANA DB HA setup

+The fence_azure_arm is an I/O fencing agent for Azure Resource Manager. Ensure that there's one instance of fence_azure_arm in the pacemaker configuration for HANA DB HA setup. The fence_azure-arm instance requirement is applicable if you're using Azure fence agent for fencing with either managed identity or service principal.

+Learn more about [Database Instance - FenceAzureArmSuseHDB (Ensure that there's one instance of fence_azure_arm in Pacemaker configuration for HANA DB HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Ensure the softdog module is loaded in for Pacemaker in HA enabled HANA DB in SAP workloads

+The softdog timer is loaded as a kernel module in linux OS. This timer triggers a system reset if it detects that the system has hung. First ensure that you created the softdog configuration file, then load the softdog module in the Pacemaker configuration for HANA DB HA setup.

+Learn more about [Database Instance - SoftdogModuleSuseHDB (Ensure the softdog module is loaded in for Pacemaker in HA enabled HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Set the Idle timeout in Azure Load Balancer to 30 minutes for HANA DB HA setup in SAP workloads

+To prevent load balancer timeout, make sure that all Azure Load Balancing Rules have: 'Idle timeout (minutes)' set to the maximum value of 30 minutes. Open the load balancer, select 'load balancing rules' and add/edit the rule to enable the recommended settings.

+Learn more about [Database Instance - DBHASetIdleTimeOutLB (Set the Idle timeout in Azure Load Balancer to 30 minutes for HANA DB HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Enable Floating IP in the Azure Load balancer for HANA DB HA setup in SAP workloads

+Enable floating IP in the load balancing rules for the Azure Load Balancer for HA set up of HANA DB instance in SAP workloads. Open the load balancer, select 'load balancing rules' and add/edit the rule to enable the recommended settings.

+Learn more about [Database Instance - DBHAEnableFloatingIpLB (Enable Floating IP in the Azure Load balancer for HANA DB HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Enable HA ports in the Azure Load Balancer for HANA DB HA setup in SAP workloads

+Enable HA ports in the Load balancing rules for HA set up of HANA DB instance in SAP workloads. Open the load balancer, select 'load balancing rules' and add/edit the rule to enable the recommended settings.

+Learn more about [Database Instance - DBHAEnableLBPorts (Enable HA ports in the Azure Load Balancer for HANA DB HA setup in SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

+### Disable TCP timestamps on VMs placed behind Azure Load Balancer in HANA DB HA setup in SAP workloads

+Disable TCP timestamps on VMs placed behind Azure Load Balancer. Enabled TCP timestamps cause the health probes to fail due to TCP packets being dropped by the VM's guest OS TCP stack. Dropped TCP packets cause the load balancer to mark the endpoint as down.

+Learn more about [Database Instance - DBLBHADisableTCP (Disable TCP timestamps on VMs placed behind Azure Load Balancer in HANA DB HA setup in SAP workloads)](/azure/load-balancer/load-balancer-custom-probe-overview).

+## Storage

+### Enable soft delete for your Recovery Services vaults

+The soft delete option helps you retain your backup data in the Recovery Services vault for an extra duration after deletion. The extra duration gives you an opportunity to retrieve the data before it's permanently deleted.

+Learn more about [Recovery Services vault - AB-SoftDeleteRsv (Enable soft delete for your Recovery Services vaults)](../backup/backup-azure-security-feature-cloud.md).

+### Enable Cross Region Restore for your recovery Services Vault

+Enabling cross region restore for your geo-redundant vaults

+Learn more about [Recovery Services vault - Enable CRR (Enable Cross Region Restore for your Recovery Services Vault)](../backup/backup-azure-arm-restore-vms.md#cross-region-restore).

+### Enable Backups on your virtual machines

+Enable backups for your virtual machines and secure your data

+Learn more about [Virtual machine (classic) - EnableBackup (Enable Backups on your virtual machines)](../backup/backup-overview.md).

+### Configure blob backup

+Configure blob backup

+Learn more about [Storage Account - ConfigureBlobBackup (Configure blob backup)](/azure/backup/blob-backup-overview).

+### Turn on Azure Backup to get simple, reliable, and cost-effective protection for your data

+Keep your information and applications safe with robust, one click backup from Azure. Activate Azure Backup to get cost-effective protection for a wide range of workloads including VMs, SQL databases, applications, and file shares.

+Learn more about [Subscription - AzureBackupService (Turn on Azure Backup to get simple, reliable, and cost-effective protection for your data)](/azure/backup/).

+### You have ADLS Gen1 Accounts Which Need to be Migrated to ADLS Gen2

+As previously announced, Azure Data Lake Storage Gen1 will be retired on February 29, 2024. We highly recommend that you migrate your data lake to Azure Data Lake Storage Gen2. Azure Data Lake Storage Gen2 offers advanced capabilities designed for big data analytics, and is built on top of Azure Blob Storage.

+Learn more about [Data lake store account - ADLSGen1_Deprecation (You have ADLS Gen1 Accounts Which Needs to be Migrated to ADLS Gen2)](https://azure.microsoft.com/updates/action-required-switch-to-azure-data-lake-storage-gen2-by-29-february-2024/).

+### Enable Soft Delete to protect your blob data

+After enabling the soft delete option, deleted data transitions to a soft deleted state instead of being permanently deleted. When data is overwritten, a soft deleted snapshot is generated to save the state of the overwritten data. You can configure the amount of time soft deleted data is recoverable before it permanently expires.

+Learn more about [Storage Account - StorageSoftDelete (Enable Soft Delete to protect your blob data)](https://aka.ms/softdelete).

+### Use Managed Disks for storage accounts reaching capacity limit

+We have identified that you're using Premium SSD Unmanaged Disks in Storage account(s) that are about to reach Premium Storage capacity limit. To avoid failures when the limit is reached, we recommend migrating to Managed Disks that don't have account capacity limit. This migration can be done through the portal in less than 5 minutes.

+Learn more about [Storage Account - StoragePremiumBlobQuotaLimit (Use Managed Disks for storage accounts reaching capacity limit)](https://aka.ms/premium_blob_quota).

+### Use Managed Disks to improve data reliability

+Virtual machines in an Availability Set with disks that share either storage accounts or storage scale units aren't resilient to single storage scale unit failures during outages. Migrate to Azure Managed Disks to ensure that the disks of different VMs in the Availability Set are sufficiently isolated to avoid a single point of failure.

+Learn more about [Availability set - ManagedDisksAvSet (Use Managed Disks to improve data reliability)](https://aka.ms/aa_avset_manageddisk_learnmore).

+### Implement disaster recovery strategies for your Azure NetApp Files Resources

+To avoid data or functionality loss in the event of a regional or zonal disaster, implement common disaster recovery techniques such as cross region replication or cross zone replication for your Azure NetApp Files volumes

+Learn more about [Volume - ANFCRRCZRRecommendation (Implement disaster recovery strategies for your Azure NetApp Files Resources)](https://aka.ms/anfcrr).

+### Azure NetApp Files Enable Continuous Availability for SMB Volumes

+Recommendation to enable SMB volume for Continuous Availability.

+Learn more about [Volume - anfcaenablement (Azure NetApp Files Enable Continuous Availability for SMB Volumes)](https://aka.ms/anfdoc-continuous-availability).

+### Review SAP configuration for timeout values used with Azure NetApp Files

+High availability of SAP while used with Azure NetApp Files relies on setting proper timeout values to prevent disruption to your application. Review the documentation to ensure your configuration meets the timeout values as noted in the documentation.

+Learn more about [Volume - SAPTimeoutsANF (Review SAP configuration for timeout values used with Azure NetApp Files)](/azure/sap/workloads/get-started).

+## Web

+### Consider scaling out your App Service Plan to avoid CPU exhaustion

+Your App reached >90% CPU over the last couple of days. High CPU utilization can lead to runtime issues with your apps, to solve this you could scale out your app.

+Learn more about [App service - AppServiceCPUExhaustion (Consider scaling out your App Service Plan to avoid CPU exhaustion)](https://aka.ms/antbc-cpu).

+### Fix the backup database settings of your App Service resource

+Your app's backups are consistently failing due to invalid DB configuration, you can find more details in backup history.

+Learn more about [App service - AppServiceFixBackupDatabaseSettings (Fix the backup database settings of your App Service resource)](https://aka.ms/antbc).

+### Consider scaling up your App Service Plan SKU to avoid memory exhaustion

+The App Service Plan containing your app reached >85% memory allocated. High memory consumption can lead to runtime issues with your apps. Investigate which app in the App Service Plan is exhausting memory and scale up to a higher plan with more memory resources if needed.

+Learn more about [App service - AppServiceMemoryExhaustion (Consider scaling up your App Service Plan SKU to avoid memory exhaustion)](https://aka.ms/antbc-memory).

+### Scale up your App Service resource to remove the quota limit

+Your app is part of a shared App Service plan and has met its quota multiple times. Once quota is met, your web app canΓÇÖt accept incoming requests. To remove the quota, upgrade to a Standard plan.

+Learn more about [App service - AppServiceRemoveQuota (Scale up your App Service resource to remove the quota limit)](https://aka.ms/ant-asp).

+### Use deployment slots for your App Service resource

+You have deployed your application multiple times over the last week. Deployment slots help you manage changes and help you reduce deployment impact to your production web app.

+Learn more about [App service - AppServiceUseDeploymentSlots (Use deployment slots for your App Service resource)](https://aka.ms/ant-staging).

+### Fix the backup storage settings of your App Service resource

+Your app's backups are consistently failing due to invalid storage settings, you can find more details in backup history.

+Learn more about [App service - AppServiceFixBackupStorageSettings (Fix the backup storage settings of your App Service resource)](https://aka.ms/antbc).

+### Move your App Service resource to Standard or higher and use deployment slots

+You have deployed your application multiple times over the last week. Deployment slots help you manage changes and help you reduce deployment impact to your production web app.

+Learn more about [App service - AppServiceStandardOrHigher (Move your App Service resource to Standard or higher and use deployment slots)](https://aka.ms/ant-staging).

+### Consider scaling out your App Service Plan to optimize user experience and availability

+Consider scaling out your App Service Plan to at least two instances to avoid cold start delays and service interruptions during routine maintenance.

+Learn more about [App Service plan - AppServiceNumberOfInstances (Consider scaling out your App Service Plan to optimize user experience and availability.)](https://aka.ms/appsvcnuminstances).

+### Application code needs fixing when the worker process crashes due to Unhandled Exception

+We identified the following thread that resulted in an unhandled exception for your App and the application code must be fixed to prevent impact to application availability. A crash happens when an exception in your code terminates the process.

+Learn more about [App service - AppServiceProactiveCrashMonitoring (Application code must be fixed as worker process crashed due to Unhandled Exception)](https://azure.github.io/AppService/2020/08/11/Crash-Monitoring-Feature-in-Azure-App-Service.html).

+### Consider changing your App Service configuration to 64-bit

+We identified your application is running in 32-bit and the memory is reaching the 2GB limit. Consider switching to 64-bit processes so you can take advantage of the extra memory available in your Web Worker role. This action triggers a web app restart, so schedule accordingly.

+Learn more about [App service 32-bit limitations](/troubleshoot/azure/app-service/web-apps-performance-faqs#i-see-the-message-worker-process-requested-recycle-due-to-percent-memory-limit-how-do-i-address-this-issue).

+### Upgrade your Azure Fluid Relay client library

+You have recently invoked the Azure Fluid Relay service with an old client library. Your Azure Fluid Relay client library must now be upgraded to the latest version to ensure your application remains operational. Upgrading provides the most up-to-date functionality and enhancements in performance and stability. For more information on the latest version to use and how to upgrade, see the following article.

+Learn more about [FluidRelay Server - UpgradeClientLibrary (Upgrade your Azure Fluid Relay client library)](https://github.com/microsoft/FluidFramework).

+### Consider upgrading the hosting plan of the Static Web App(s) in this subscription to Standard SKU

+The combined bandwidth used by all the Free SKU Static Web Apps in this subscription is exceeding the monthly limit of 100GB. Consider upgrading these apps to Standard SKU to avoid throttling.

+Learn more about [Static Web App - StaticWebAppsUpgradeToStandardSKU (Consider upgrading the hosting plan of the Static Web App(s) in this subscription to Standard SKU.)](https://azure.microsoft.com/pricing/details/app-service/static/).

+# Use summarization Docker containers on-premises

+You can see the token context length supported by each model in the [model summary table](#model-summary-table-and-region-availability).

+You can see the token context length supported by each model in the [model summary table](#model-summary-table-and-region-availability).

+GPT-4 version 0314 is the first version of the model released. Version 0613 is the second version of the model and adds function calling support.

+| `gpt-4` ² (0314) | East US¹, France Central¹ | N/A³ | 8,192 | September 2021 |

+| `gpt-4-32k` ² (0314) | East US¹, France Central¹ | N/A³ | 32,768 | September 2021 |

+| `gpt-4` (0613) | Australia East¹, Canada East, East US¹, East US 2¹, France Central¹, Japan East¹, Sweden Central, Switzerland North, UK South¹ | N/A³ | 8,192 | September 2021 |

+| `gpt-4-32k` (0613) | Australia East¹, Canada East, East US¹, East US 2¹, France Central¹, Japan East¹, Sweden Central, Switzerland North, UK South¹ | N/A³ | 32,768 | September 2021 |

+³ Fine-tuning is not supported for GPT-4 models.

+GPT-3.5 Turbo version 0301 is the first version of the model released. Version 0613 is the second version of the model and adds function calling support.

+* Store your embeddings and perform vector (similarity) search using your choice of Azure service:

+ * [Azure Cognitive Search](../../../search/vector-search-overview.md)

+ * [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md)

+ * [Azure Cosmos DB for NoSQL](../../../cosmos-db/vector-search.md)

+ * [Azure Cosmos DB for PostgreSQL](../../../cosmos-db/postgresql/howto-use-pgvector.md)

+ * [Azure Cache for Redis](../../../azure-cache-for-redis/cache-tutorial-vector-similarity.md)

+* Store your embeddings and perform vector (similarity) search using your choice of Azure service:

+ * [Azure Cognitive Search](../../../search/vector-search-overview.md)

+ * [Azure Cosmos DB for MongoDB vCore](../../../cosmos-db/mongodb/vcore/vector-search.md)

+ * [Azure Cosmos DB for NoSQL](../../../cosmos-db/vector-search.md)

+ * [Azure Cosmos DB for PostgreSQL](../../../cosmos-db/postgresql/howto-use-pgvector.md)

+ * [Azure Cache for Redis](../../../azure-cache-for-redis/cache-tutorial-vector-similarity.md)

+ apiVersion: v1

+ metadata:

+ name: mypod

+ spec:

+ containers:

+ - name: mypod

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ resources:

+ requests:

+ cpu: 100m

+ memory: 128Mi

+ limits:

+ cpu: 250m

+ memory: 256Mi

+ volumeMounts:

+ - mountPath: /mnt/azure

+ name: volume

+ volumes:

+ - name: volume

+ persistentVolumeClaim:

+ claimName: my-azurefile

+> Azure Files supports Azure Premium file shares. The minimum file share capacity is 100 GiB. We recommend using Azure Premium file shares instead of Standard file shares because Premium file shares offers higher performance, low-latency disk support for I/O-intensive workloads.

+[azure-netapp-files-mount-options-best-practices]: ../azure-netapp-files/performance-linux-mount-options.md#rsize-and-wsize

+## Stop cluster upgrades automatically on API breaking changes

+> This method requires you to use the Azure CLI version 2.53 or `aks-preview` Azure CLI extension version 0.5.134 or later. This method isn't recommended, as deprecated APIs in the targeted Kubernetes version may not work long term. We recommend to removing them as soon as possible after the upgrade completes.

+| config.service.auth.tokenAudience | Audience of token used for Azure AD authentication | No | `https://azure-api.net/configuration` | v2.3+ |

+## Sovereign clouds

+Here is an overview of settings that need to be configured to be able to work with sovereign clouds

+| Name | Public | Azure China | US Government |

+|--||--|-|

+| config.service.auth.tokenAudience | `https://azure-api.net/configuration` (Default) | `https://azure-api.cn/configuration` | `https://azure-api.us/configuration` |

+1. To manually renew the certificate instead, select **Manual Renew**. You can request to manually renew your certificate 60 days before expiration, but [the maximum expiration date will be 397 days](https://www.godaddy.com/help/important-notification-about-ssl-offerings-9322).

+> [!NOTE]

+>

+> To ensure the proper functioning of the webhook, it's essential to enable the **Basic Auth Publishing Credentials** option within your Web App. Failure to do so may result in a 401 unauthorized error for the webhook.

+>To verify whether **Basic Auth Publishing Credentials** is enabled, follow these steps:

+>

+> - Navigate to your Web App's **Configuration > General Settings**.

+> - Look for the **Platform Setting** section, where you will find the **Basic Auth Publishing Credentials** option.

+### Unable to update Az modules while using the Hybrid Worker

+#### Issue

+The Hybrid Runbook Worker jobs failed as it was unable to import Az modules.

+#### Resolution

+As a workaround, you can follow these steps:

+1. Go to the folder : C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\7.3.1722.0\HybridAgent

+1. Edit the file with the name *Orchestrator.Sandbox.exe.config*

+1. Add the following lines inside the `<assemblyBinding>` tags:

+```xml

+<dependentAssembly>

+ <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />

+ <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />

+</dependentAssembly>

+```

+### Unable to update Az modules while using the Hybrid Worker

+#### Issue

+The Hybrid Runbook Worker jobs failed as it was unable to import Az modules.

+#### Resolution

+As a workaround, you can follow these steps:

+1. Go to the folder : C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\7.3.1722.0\HybridAgent

+1. Edit the file with the name *Orchestrator.Sandbox.exe.config*

+1. Add the following lines inside the `<assemblyBinding>` tags:

+```xml

+<dependentAssembly>

+ <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />

+ <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />

+</dependentAssembly>

+```

+> [!NOTE]

+> The workaround replaces the file with the original if you restart MMA/server either by enabling solution or patching. For both these scenarios, we recommend that you replace the contents.

+Azure Monitor Application Insights, a feature of [Azure Monitor](..\overview.md), excels in Application Performance Management (APM) for live web applications.

+## Experiences

+Application Insights provides many experiences to enhance the performance, reliability, and quality of your applications.

+### Investigate

+- [Application dashboard](overview-dashboard.md): An at-a-glance assessment of your application's health and performance.

+- [Application map](app-map.md): A visual overview of application architecture and components' interactions.

+- [Live metrics](live-stream.md): A real-time analytics dashboard for insight into application activity and performance.

+- [Transaction search](diagnostic-search.md): Trace and diagnose transactions to identify issues and optimize performance.

+- [Availability view](availability-overview.md): Proactively monitor and test the availability and responsiveness of application endpoints.

+- Performance view: Review application performance metrics and potential bottlenecks.

+- Failures view: Identify and analyze failures in your application to minimize downtime.

+### Monitoring

+- [Alerts](../alerts/alerts-overview.md): Monitor a wide range of aspects of your application and trigger various actions.

+- [Metrics](../essentials/metrics-getting-started.md): Dive deep into metrics data to understand usage patterns and trends.

+- [Diagnostic settings](../essentials/diagnostic-settings.md): Configure streaming export of platform logs and metrics to the destination of your choice.

+- [Logs](../logs/log-analytics-overview.md): Retrieve, consolidate, and analyze all data collected into Azure Monitoring Logs.

+- [Workbooks](../visualize/workbooks-overview.md): Create interactive reports and dashboards that visualize application monitoring data.

+### Usage

+- [Users, sessions, and events](usage-segmentation.md): Determine when, where, and how users interact with your web app.

+- [Funnels](usage-funnels.md): Analyze conversion rates to identify where users progress or drop off in the funnel.

+- [Flows](usage-flows.md): Visualize user paths on your site to identify high engagement areas and exit points.

+- [Cohorts](usage-cohorts.md): Group users by shared characteristics to simplify trend identification, segmentation, and performance troubleshooting.

+### Code analysis

+- [Profiler](../profiler/profiler-overview.md): Capture, identify, and view performance traces for your application.

+- [Code optimizations](../insights/code-optimizations.md): Harness AI to create better and more efficient applications.

+- [Snapshot debugger](../snapshot-debugger/snapshot-debugger.md): Automatically collect debug snapshots when exceptions occur in .NET application

+## Logic model

+The logic model diagram visualizes components of Application Insights and how they interact.

+> [!Note]

+> Firewall settings must be adjusted for data to reach ingestion endpoints. For more information, see [IP addresses used by Azure Monitor](./ip-addresses.md).

+For detailed information about instrumenting applications to enable Application Insights, see [data collection basics](opentelemetry-overview.md).

+### How do I instrument an application?

+For detailed information about instrumenting applications to enable Application Insights, see [data collection basics](opentelemetry-overview.md).

+### How do I use Application Insights?

+After enabling Application Insights by [instrumenting an application](opentelemetry-overview.md), we suggest first checking out [Live metrics](live-stream.md) and the [Application map](app-map.md).

+### How many Application Insights resources should I deploy?

+To understand the number of Application Insights resources required to cover your application or components across environments, see the [Application Insights deployment planning guide](separate-resources.md).

+### Troubleshooting

+Review dedicated [troubleshooting articles](/troubleshoot/azure/azure-monitor/welcome-azure-monitor) for Application Insights.

+- [Data collection basics](opentelemetry-overview.md)

+- [Automatic instrumentation overview](codeless-overview.md)

+- [Application dashboard](overview-dashboard.md)

+- [Live metrics](live-stream.md)

+- [Transaction search](diagnostic-search.md)

+- [Availability overview](availability-overview.md)

+- [Users, sessions, and events](usage-segmentation.md)

+[Microsoft Defender for Servers (part of Defender for Cloud)](../../security-center/index.yml) [bills by the number of monitored services](https://azure.microsoft.com/pricing/details/defender-for-cloud/). It provides 500 MB per server per day of data allocation that's applied to the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security):

+- [Update](/azure/azure-monitor/reference/tables/update) and [UpdateSummary](/azure/azure-monitor/reference/tables/updatesummary) when the Update Management solution isn't running in the workspace or solution targeting is enabled.

+If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data. To learn more on how Microsoft Sentinel customers can benefit, please see the [Microsoft Sentinel Pricing page](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).

+> Column names must start with a letter and can consist of up to 45 alphanumeric characters and underscores (`_`). `_ResourceId`, `id`, `_ResourceId`, `_SubscriptionId`, `TenantId`, `Type`, `UniqueId`, and `Title` are reserved column names.

+> - `_ResourceId`, `id`, `_ResourceId`, `_SubscriptionId`, `TenantId`, `Type`, `UniqueId`, and `Title` are reserved column names.

+> - `_ResourceId`, `id`, `_ResourceId`, `_SubscriptionId`, `TenantId`, `Type`, `UniqueId`, and `Title` are reserved column names.

+1. Select **Azure Event Hubs Data Receiver** and select **Next**.

+1. Select **Managed identity** for **Assign access to** and click **Select members**. Select **Data collection rule**, search for your data collection rule by name, and click **Select**.

+ :::image type="content" source="media/ingest-logs-event-hub/assign-access-to-managed-identity.png" lightbox="media/ingest-logs-event-hub/assign-access-to-managed-identity.png" alt-text="Screenshot that shows how to assign access to managed identity.":::

+1. Select **Review + assign** and verify the details before saving your role assignment.

+> Column names must start with a letter and can consist of up to 45 alphanumeric characters and underscores (`_`). `_ResourceId`, `id`, `_ResourceId`, `_SubscriptionId`, `TenantId`, `Type`, `UniqueId`, and `Title` are reserved column names. Custom columns you add to an Azure table must have the suffix `_CF`.

+## Azure Monitor Private Link Scope (AMPLS)

+> [!NOTE]

+> `AZ_BATCH_AUTHENTICATION_TOKEN` is deprecated and will be retired on September 30, 2024. See the [announcement](https://azure.microsoft.com/updates/azure-batch-task-authentication-token-will-be-retired-on-30-september-2024/) for details and alternative implementation.

+| AZ_BATCH_AUTHENTICATION_TOKEN | An authentication token that grants access to a limited set of Batch service operations. This environment variable is only present if the [authenticationTokenSettings](/rest/api/batchservice/task/add#authenticationtokensettings) are set when the [task is added](/rest/api/batchservice/task/add#request-body). The token value is used in the Batch APIs as credentials to create a Batch client, such as in the [BatchClient.Open() .NET API](/dotnet/api/microsoft.azure.batch.batchclient.open#Microsoft_Azure_Batch_BatchClient_Open_Microsoft_Azure_Batch_Auth_BatchTokenCredentials_). The token doesn't support private networking. | All tasks. | OAuth2 access token |

+| Toll-Free |- | - | - | Public Preview\* |

+- **Channel**. Organizations can reach consumers through the phone system, apps, SMS, or consumer communication platforms.

+ Title: Set up a test tenant for Microsoft Teams Direct Routing with Azure Communications Gateway

+description: Learn how to configure Azure Communications Gateway and Microsoft 365 for a Microsoft Teams Direct Routing customer for testing.

+#CustomerIntent: As someone deploying Azure Communications Gateway, I want to test my deployment so that I can be sure that calls work.

+# Configure a test customer for Microsoft Teams Direct Routing with Azure Communications Gateway

+Testing Microsoft Teams Direct Routing requires some test numbers in a Microsoft 365 tenant, as if you're providing service to a real customer. We call this tenant (which you control) a _test customer tenant_, corresponding to your _test customer_ (to which you allocate the test numbers). Setting up a test customer requires configuration in the test customer tenant and on Azure Communications Gateway. This article explains how to set up that configuration. You can then configure test users and numbers in the tenant and start testing.

+> [!TIP]

+> When you onboard a real customer, you'll typically need to ask them to change their tenant's configuration, because your organization won't have permission. You'll still need to make configuration changes on Azure Communications Gateway.

+>

+> For more information about how Azure Communications Gateway and Microsoft Teams use tenant configuration to route calls, see [Support for multiple customers with the Microsoft Teams multitenant model](interoperability-teams-direct-routing.md#support-for-multiple-customers-with-the-microsoft-teams-multitenant-model).

+## Prerequisites

+You must have a Microsoft 365 tenant that you can use as a test customer. You must have at least one number that you can allocate to this test customer.

+You must have completed the following procedures.

+- [Prepare to deploy Azure Communications Gateway](prepare-to-deploy.md)

+- [Deploy Azure Communications Gateway](deploy.md)

+- [Connect Azure Communications Gateway to Microsoft Teams Direct Routing](connect-teams-direct-routing.md)

+Your organization must have integrated with Azure Communications Gateway's Provisioning API. Someone in your organization must be able to make requests using the Provisioning API during this procedure.

+You must be able to sign in to the Microsoft 365 admin center for your test customer tenant as a Global Administrator.

+## Choose a DNS subdomain label to use to identify the customer

+Choose a DNS label to identify the test customer. This label is used to create a subdomain of each per-region domain name for your Azure Communications Gateway. Microsoft Phone System and Azure Communications Gateway use this subdomain to match calls to tenants.

+The label can only contain letters, numbers, underscores and dashes. It can be up to 63 characters in length. You must not use wildcard subdomains or subdomains with multiple labels.

+For example, you could allocate the label `test`. Azure Communications Gateway's per-region domain names might be `pstn-region1.xyz.commsgw.azure.example.com` and `pstn-region2.xyz.commsgw.azure.example.com`. The label combined with the per-region domain names would therefore create the customer-specific domain names `test.pstn-region1.xyz.commsgw.azure.example.com` and `test.pstn-region2.xyz.commsgw.azure.example.com`.

+Make a note of the label you choose and the corresponding subdomains.

+## Start registering the subdomains in the customer tenant and get DNS TXT values

+To route calls to a customer tenant, the customer tenant must be configured with the customer-specific per-region domain names that you allocated in [Choose a DNS subdomain label to use to identify the customer](#choose-a-dns-subdomain-label-to-use-to-identify-the-customer). Microsoft 365 then requires you (as the carrier) to create DNS records that use a verification code that Microsoft 365 supplies in the customer tenant.

+1. Sign into the Microsoft 365 admin center for the customer tenant as a Global Administrator.

+1. Using [Add a subdomain to the customer tenant and verify it](/microsoftteams/direct-routing-sbc-multiple-tenants#add-a-subdomain-to-the-customer-tenant-and-verify-it):

+ 1. Register the first customer-specific per-region domain name (for example `test.pstn-region1.xyz.commsgw.azure.example.com`).

+ 1. Start the verification process using TXT records.

+ 1. Note the TXT value that Microsoft 365 provides.

+1. Repeat the previous step for the second customer-specific per-region domain name.

+> [!IMPORTANT]

+> Don't complete the verification process yet. You must carry out [Use Azure Communications Gateway's Provisioning API to configure the customer and generate DNS records](#use-azure-communications-gateways-provisioning-api-to-configure-the-customer-and-generate-dns-records) first.

+## Use Azure Communications Gateway's Provisioning API to configure the customer and generate DNS records

+Azure Communications Gateway includes a DNS server. You must use Azure Communications Gateway to create the DNS records required to verify the customer subdomain. To generate the records, provision the details of the customer tenant and the DNS TXT values on Azure Communications Gateway.

+1. Use Azure Communications Gateway's Provisioning API to configure the customer as an account. The request must:

+ - Enable Direct Routing for the account.

+ - Specify the label for the subdomain that you chose (for example, `test`).

+ - Specify the DNS TXT values from [Start registering the subdomains in the customer tenant and get DNS TXT values](#start-registering-the-subdomains-in-the-customer-tenant-and-get-dns-txt-values). These values allow Azure Communications Gateway to generate DNS records for the subdomain.

+2. Use the Provisioning API to confirm that the DNS records have been generated, by checking the `direct_routing_provisioning_state` for the account.

+## Finish verifying the domains in the customer tenant

+When you have used Azure Communications Gateway to generate the DNS records for the customer subdomains, verify the subdomains in the Microsoft 365 admin center for your customer tenant.

+1. Sign into the Microsoft 365 admin center for the customer tenant as a Global Administrator.

+1. Select **Settings** > **Domains**.

+1. Finish verifying the two customer-specific per-region domain names by following [Add a subdomain to the customer tenant and verify it](/microsoftteams/direct-routing-sbc-multiple-tenants#add-a-subdomain-to-the-customer-tenant-and-verify-it).

+## Configure the customer tenant's call routing to use Azure Communications Gateway

+In the customer tenant, [configure a call routing policy](/microsoftteams/direct-routing-voice-routing) (also called a voice routing policy) with a voice route that routes calls to Azure Communications Gateway.

+- Set the PSTN gateway to the customer-specific per-region domain names for Azure Communications Gateway (for example, `test.pstn-region1.xyz.commsgw.azure.example.com` and `test.pstn-region2.xyz.commsgw.azure.example.com`).

+- Don't configure any users to use the call routing policy yet.

+## Next step

+> [!div class="nextstepaction"]

+> [Configure test numbers](configure-test-numbers-teams-direct-routing.md)

+ Title: Set up test numbers for Microsoft Teams Direct Routing with Azure Communications Gateway

+description: Learn how to configure Azure Communications Gateway and Microsoft 365 with Microsoft Teams Direct Routing numbers for testing.

+#CustomerIntent: As someone deploying Azure Communications Gateway, I want to test my deployment so that I can be sure that calls work.

+# Configure test numbers for Microsoft Teams Direct Routing with Azure Communications Gateway

+To test Microsoft Teams Direct Routing with Azure Communications Gateway, you need a test customer tenant with test users and numbers. By following this article, you can set up the required user and number configuration in the customer Microsoft 365 tenant, on Azure Communications Gateway and in your network. You can then start testing.

+> [!TIP]

+> When you allocate numbers to a real customer, you'll typically need to ask them to change their tenant's configuration, because your organization won't have permission. You'll still need to make configuration changes on Azure Communications Gateway and to your network.

+## Prerequisites

+You must have at least one number that you can allocate to your test tenant.

+You must have completed the following procedures.

+- [Prepare to deploy Azure Communications Gateway](prepare-to-deploy.md)

+- [Deploy Azure Communications Gateway](deploy.md)

+- [Connect Azure Communications Gateway to Microsoft Teams Direct Routing](connect-teams-direct-routing.md)

+- [Configure a test customer for Microsoft Teams Direct Routing](configure-test-customer-teams-direct-routing.md)

+Your organization must have integrated with Azure Communications Gateway's Provisioning API. Someone in your organization must be able to make requests using the Provisioning API during this procedure.

+You must be able to sign in to the Microsoft 365 admin center for your test customer tenant as a Global Administrator.

+## Configure the test numbers on Azure Communications Gateway with the Provisioning API

+In [Configure a test customer for Microsoft Teams Direct Routing with Azure Communications Gateway](configure-test-customer-teams-direct-routing.md), you configured Azure Communications Gateway with an account for the test customer.

+Use Azure Communications Gateway's Provisioning API to provision the details of the numbers you chose under the account. Enable each number for Teams Direct Routing.

+## Update your network's routing configuration

+Update your network configuration to route calls involving the test numbers to Azure Communications Gateway. For more information about how to route calls to Azure Communications Gateway, see [Call routing requirements](reliability-communications-gateway.md#call-routing-requirements).

+## Configure users in the test customer tenant

+### Create a user and assign a Teams Phone license

+Follow [Create a user and assign the license](/microsoftteams/direct-routing-enable-users#create-a-user-and-assign-the-license).

+If you are migrating users from Skype for Business Server Enterprise Voice, you must also [ensure that the user is homed online](/microsoftteams/direct-routing-enable-users#ensure-that-the-user-is-homed-online).

+### Configure phone numbers for the user and enable enterprise voice

+Follow [Configure the phone number and enable enterprise voice](/microsoftteams/direct-routing-enable-users#create-a-user-and-assign-the-license) to assign phone numbers and enable calling.

+### Assign Teams Only mode to users

+Follow [Assign Teams Only mode to users to ensure calls land in Microsoft Teams](/microsoftteams/direct-routing-enable-users#assign-teams-only-mode-to-users-to-ensure-calls-land-in-microsoft-teams). This step ensures that incoming calls ring in the Microsoft Teams client.

+### Assign the voice routing policy with Azure Communications Gateway to users

+In [Configure a test customer for Microsoft Teams Direct Routing with Azure Communications Gateway](configure-test-customer-teams-direct-routing.md), you set up a voice route that route calls to Azure Communications Gateway. Assign the voice route to the test users by following the steps for assigning voice routing policies in [Configure call routing for Direct Routing](/microsoftteams/direct-routing-voice-routing).

+## Next step

+> [!div class="nextstepaction"]

+> [Prepare for live traffic](prepare-for-live-traffic-teams-direct-routing.md)

+description: After deploying Azure Communications Gateway, you can configure it to connect to the Operator Connect and Teams Phone Mobile environments.

+# Connect Azure Communications Gateway to Operator Connect or Teams Phone Mobile

+## Add the Project Synergy application to your Azure tenancy

+>This step and the next step ([Assign an Admin user to the Project Synergy application](#assign-an-admin-user-to-the-project-synergy-application)) set you up as an Operator in the Teams Phone Mobile (TPM) and Operator Connect (OC) environments. If you've already gone through onboarding, go to [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource).

+## Assign an Admin user to the Project Synergy application

+## Find the Object ID and Application ID for your Azure Communication Gateway resource

+Each Azure Communications Gateway resource automatically receives a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md), which Azure Communications Gateway uses to connect to the Operator Connect environment. You need to find the Object ID and Application ID of the managed identity, so that you can connect Azure Communications Gateway to the Operator Connect or Teams Phone Mobile environment in [Set up application roles for Azure Communications Gateway](#set-up-application-roles-for-azure-communications-gateway) and [Add the Application ID for Azure Communications Gateway to Operator Connect](#add-the-application-id-for-azure-communications-gateway-to-operator-connect).

+## Set up application roles for Azure Communications Gateway

+Azure Communications Gateway contains services that need to access the Operator Connect API on your behalf. To enable this access, you must grant specific application roles to the system-assigned managed identity for Azure Communications Gateway under the Project Synergy Enterprise Application. You created the Project Synergy Enterprise Application in [Add the Project Synergy application to your Azure tenancy](#add-the-project-synergy-application-to-your-azure-tenancy).

+> Granting permissions has two parts: configuring the system-assigned managed identity for Azure Communications Gateway with the appropriate roles (this step) and adding the application ID of the managed identity to the Operator Connect or Teams Phone Mobile environment. You'll add the application ID to the Operator Connect or Teams Phone Mobile environment later, in [Add the Application ID for Azure Communications Gateway to Operator Connect](#add-the-application-id-for-azure-communications-gateway-to-operator-connect).

+1. Run the following cmdlet, replacing *`<CommunicationsGatewayObjectID>`* with the Object ID you noted down in [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource).

+## Provide additional information to your onboarding team

+## Test your Operator Connect portal access

+## Add the Application ID for Azure Communications Gateway to Operator Connect

+You must enable the Azure Communications Gateway application within the Operator Connect or Teams Phone Mobile environment. Enabling the application allows Azure Communications Gateway to use the roles that you set up in [Set up application roles for Azure Communications Gateway](#set-up-application-roles-for-azure-communications-gateway).

+To enable the application, add the Application ID of the system-assigned managed identity representing Azure Communications Gateway to your Operator Connect or Teams Phone Mobile environment. You found this ID in [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource).

+## Register your deployment's domain name in Active Directory

+ Title: Connect Azure Communications Gateway to Microsoft Teams Direct Routing

+description: After deploying Azure Communications Gateway, you can configure it to connect to the Microsoft Phone System for Microsoft Teams Direct Routing.

+ - template-how-to-pattern

+# Connect Azure Communications Gateway to Microsoft Teams Direct Routing

+After you have deployed Azure Communications Gateway, you need to connect it to the Microsoft Phone System and to your core network.

+This article describes how to start setting up Azure Communications Gateway for Microsoft Teams Direct Routing. When you have finished the steps in this article, you can set up test users for test calls and prepare for live traffic.

+## Prerequisites

+You must have carried out all the steps in [Deploy Azure Communications Gateway](deploy.md).

+Your organization must have integrated with Azure Communications Gateway's Provisioning API.

+You must have **Reader** access to the subscription into which Azure Communications Gateway is deployed.

+You must be able to sign in to the Microsoft 365 admin center for your tenant as a Global Administrator.

+## Find your Azure Communication Gateway's domain names

+Microsoft Teams only sends traffic to domains that you've confirmed that you own. Your Azure Communications Gateway deployment automatically receives an autogenerated fully qualified domain name (FQDN) and regional subdomains of this domain.

+1. Sign in to the [Azure portal](https://azure.microsoft.com/).

+1. In the search bar at the top of the page, search for your Communications Gateway resource.

+1. Select your Communications Gateway resource. Check that you're on the **Overview** of your Azure Communications Gateway resource.

+1. Select **Properties**.

+1. Find the field named **Domain**. This name is your deployment's _base domain name_.

+1. In each **Service Location** section, find the **Hostname** field. This field provides the _per-region domain name_. Your deployment has two service regions and therefore two per-region domain names.

+1. Note down the base domain name and the per-region domain names. You'll need these values in the next steps.

+## Register the base domain name for Azure Communications Gateway in your tenant

+You need to register the base domain for Azure Communications Gateway in your tenant and verify it. Registering and verifying the base domain proves that you control the domain.

+> [!TIP]

+> If the base domain name is a subdomain of a domain already registered and verified in this tenant:

+> - You must register Azure Communications Gateway's base domain name.

+> - Microsoft 365 automatically verifies the base domain name.

+Follow the instructions [to add a base domain to your tenant](/microsoftteams/direct-routing-sbc-multiple-tenants#add-a-base-domain-to-the-tenant-and-verify-it). Use the base domain name that you found in [Find your Azure Communication Gateway's domain names](#find-your-azure-communication-gateways-domain-names).

+If Microsoft 365 prompts you to verify the domain name:

+1. Select DNS TXT records as your verification method with **Add a TXT record instead**.

+1. Select **Next**, and note the TXT value that Microsoft 365 provides.

+1. Provide the TXT value to your onboarding team as part of [Provide additional information to your onboarding team](#provide-additional-information-to-your-onboarding-team).

+Don't try to finish verifying the domain name until your onboarding team has confirmed that DNS records with the TXT value have been set up.

+## Provide additional information to your onboarding team

+Before your onboarding team can finish onboarding you to the Microsoft Teams Direct Routing environment, you need to provide them with some additional information.

+1. Wait for your onboarding team to provide you with a form to collect the additional information.

+1. Complete the form and give it to your onboarding team.

+If you don't already have an onboarding team, contact azcog-enablement@microsoft.com, providing your Azure subscription ID and contact details.

+## Finish verifying the base domain name in Microsoft 365

+> [!NOTE]

+> If Microsoft 365 did not prompt you to verify the domain in [Register the base domain name for Azure Communications Gateway in your tenant](#register-the-base-domain-name-for-azure-communications-gateway-in-your-tenant), skip this step.

+After your onboarding team confirm the DNS records have been set up, finish verifying the base domain name in the Microsoft 365 admin center.

+1. Sign into the Microsoft 365 admin center as a Global Administrator.

+1. Select **Settings** > **Domains**.

+1. Select the base domain.

+1. On the **Choose your online services** page, clear all options and select **Next**.

+1. Select **Finish** on the **Update DNS settings** page.

+1. Ensure that the status is **Setup complete**.

+## Set up a user or resource account with the base domain and an appropriate license

+To activate the base domain in Microsoft 365, you must have at least one user or resource account licensed for Microsoft Teams. For more information, including the licenses you can use, see [Activate the domain name](/microsoftteams/direct-routing-sbc-multiple-tenants#activate-the-domain-name).

+## Connect your tenant to Azure Communications Gateway

+You most configure your Microsoft 365 tenant with two SIP trunks to Azure Communications Gateway. Each trunk connects to one of the per-region domain names that you found in [Find your Azure Communication Gateway's domain names](#find-your-azure-communication-gateways-domain-names).

+Follow [Connect your Session Border Controller (SBC) to Direct Routing](/microsoftteams/direct-routing-connect-the-sbc), using the following configuration settings.

+| Teams Admin Center setting | PowerShell parameter | Value to use (Admin Center / PowerShell) |

+| -- | -- | |

+| **Add an FQDN for the SBC** | `FQDN` |The regional domain of Azure Communications Gateway |

+| **Enabled** | `Enabled` | On / True |

+| **SIP signaling port** | `SipSignalingPort` | 5063 |

+| **Send SIP options** | `SendSIPOptions` | On / True |

+| **Forward call history** | `ForwardCallHistory` | On / True|

+| **Forward P-Asserted-identity (PAI) header** | `ForwardPAI` | On / True |

+| **Concurrent call capacity** | `MaxConcurrentSessions` | Leave as default |

+| **Failover response codes** | `FailoverResponseCodes` |Leave as default|

+| **Failover times (seconds)** | `FailoverTimeSeconds` |Leave as default|

+| **SBC supports PIDF/LO for emergency calls** | `PidfloSupported` | On / True |

+| - | `MediaBypass` |- / False|

+## Next step

+> [!div class="nextstepaction"]

+> [Configure a test customer](configure-test-customer-teams-direct-routing.md)

+## Collect basic information for deploying an Azure Communications Gateway

+ |The voice codecs to use between Azure Communications Gateway and your network. |**Call Handling: Supported codecs**|

+ |Whether your Azure Communications Gateway resource should handle emergency calls as standard calls or directly route them to the Emergency Routing Service Provider (US only; only for Operator Connect or Teams Phone Mobile). |**Call Handling: Emergency call handling**|

+ |A list of dial strings used for emergency calling.|**Call Handling: Emergency dial strings**|

+ |Whether to use an autogenerated `*.commsgw.azure.com` domain name or to use a subdomain of your own domain by delegating it to Azure Communications Gateway. For more information on this choice, see [the guidance on creating a network design](prepare-to-deploy.md#create-a-network-design). | **DNS: Domain name options** |

+ |(Required if you choose an autogenerated domain) The scope at which the autogenerated domain name label for Azure Communications Gateway is unique. Communications Gateway resources are assigned an autogenerated domain name label that depends on the name of the resource. Selecting **Tenant** gives a resource with the same name in the same tenant but a different subscription the same label. Selecting **Subscription** gives a resource with the same name in the same subscription but a different resource group the same label. Selecting **Resource Group** gives a resource with the same name in the same resource group the same label. Selecting **No Re-use** means the label doesn't depend on the name, resource group, subscription or tenant. |**DNS: Auto-generated Domain Name Scope**|

+ | (Required if you choose a delegated domain) The domain to delegate to this Azure Communications Gateway deployment | **DNS: DNS domain name** |

+## Collect configuration values for service regions

+## Collect configuration values for each communications service

+Collect the values for the communications services that you're planning to support.

+> [!IMPORTANT]

+> Some options apply to multiple services, as shown by **Options common to multiple communications services** in the following tables. You must choose configuration that is suitable for all the services that you plan to support.

+For Microsoft Teams Direct Routing:

+|**Value**|**Field name(s) in Azure portal**|

+|||

+| IP addresses or address ranges (in CIDR format) in your network that should be allowed to connect to the Provisioning API, in a comma-separated list. Use of the Provisioning API is required to provision Azure Communications Gateway with numbers for Direct Routing. | **Options common to multiple communications

+| Whether to add a custom SIP header to messages entering your network by using Azure Communications Gateway's Provisioning API | **Options common to multiple communications

+| (Only if you choose to add a custom SIP header) The name of any custom SIP header | **Options common to multiple communications

+For Operator Connect:

+|**Value**|**Field name(s) in Azure portal**|

+|||

+| Whether to add a custom SIP header to messages entering your network by using Azure Communications Gateway's Provisioning API | **Options common to multiple communications

+| (Only if you choose to add a custom SIP header) The name of any custom SIP header | **Options common to multiple communications

+| (Only if you choose to add a custom SIP header) IP addresses or address ranges (in CIDR format) in your network that should be allowed to connect to the Provisioning API, in a comma-separated list. | **Options common to multiple communications

+For Teams Phone Mobile:

+|**Value**|**Field name(s) in Azure portal**|

+|||

+|The number used in Teams Phone Mobile to access the Voicemail Interactive Voice Response (IVR) from native dialers.|**Teams Phone Mobile: Teams voicemail pilot number**|

+| How you plan to use Mobile Control Point (MCP) to route Teams Phone Mobile calls to Microsoft Phone System. Choose from **Integrated** (to deploy MCP in Azure Communications Gateway), **On-premises** (to use an existing on-premises MCP) or **None** (if you'll use another method to route calls). |**Teams Phone Mobile: MCP**|

+## Collect test line and number configuration values

+ |A name for the test line. |**Name**|

+ |The phone number for the test line, in E.164 format and including the country code. |**Phone Number**|

+ |The purpose of the test line: **Manual** (for manual test calls by you and/or Microsoft staff during integration testing) or **Automated** (for automated validation with Microsoft Teams test suites - Operator Connect and Teams Phone Mobile only).|**Testing purpose**|

+> For Operator Connect and Teams Phone Mobile, you must configure at least six automated test lines. We recommend nine automated test lines (to allow simultaneous tests).

+## Decide if you want tags

+## Start creating an Azure Communications Gateway resource

+1. Use the information you collected in [Collect basic information for deploying an Azure Communications Gateway](#collect-basic-information-for-deploying-an-azure-communications-gateway) to fill out the fields in the **Basics** configuration tab and then select **Next: Service Regions**.

+1. Use the information you collected in [Collect configuration values for service regions](#collect-configuration-values-for-service-regions) to fill out the fields in the **Service Regions** tab and then select **Next: Communications Services**.

+1. Select the communications services that you want to support in the **Communications Services** configuration tab, use the information that you collected in [Collect configuration values for each communications service](#collect-configuration-values-for-each-communications-service) to fill out the fields, and then select **Next: Test Lines**.

+1. Use the information that you collected in [Collect test line and number configuration values](#collect-test-line-and-number-configuration-values) to fill out the fields in the **Test Lines** configuration tab and then select **Next: Tags**.

+## Submit your Azure Communications Gateway configuration

+## Wait for provisioning to complete

+## Connect Azure Communications Gateway to your networks

+ 1. Sign in to the [Azure portal](https://azure.microsoft.com/).

+ 1. In the search bar at the top of the page, search for your Communications Gateway resource.

+## Configure domain delegation with Azure DNS

+> [!NOTE]

+> If you decided to use an automatically allocated `*.commsgw.azure.com` domain name for Azure Communications Gateway, skip this step.

+If you chose to delegate a subdomain when you created Azure Communications Gateway, you must update the name server (NS) records for this subdomain to point to name servers created for you in your Azure Communications Gateway deployment.

+1. Sign in to the [Azure portal](https://azure.microsoft.com/).

+1. In the search bar at the top of the page, search for your Communications Gateway resource.

+1. On the **Overview** page for your Azure Communications Gateway resource, find the four name servers that have been created for you.

+1. Note down the names of these name servers, including the trailing `.` at the end of the address.

+1. Follow [Delegate the domain](../dns/dns-delegate-domain-azure-dns.md#delegate-the-domain) and [Verify the delegation](../dns/dns-delegate-domain-azure-dns.md#verify-the-delegation) to configure all four name servers in your NS records. We recommend configuring a time-to-live (TTL) of two days.

+> [Integrate with Azure Communications Gateway's Provisioning API](integrate-with-provisioning-api.md)

+ Title: Emergency calling for Operator Connect and Teams Phone Mobile with Azure Communications Gateway

+description: Understand Azure Communications Gateway's support for emergency calling with Operator Connect and Teams Phone Mobile

+Unless you choose to route emergency calls directly to an Emergency Routing Service Provider (US only), Azure Communications Gateway routes emergency calls to your network with this PIDF-LO location information unaltered. It is your responsibility to ensure that these emergency calls are properly routed to an appropriate Public Safety Answering Point (PSAP). For more information on how Microsoft Teams handles emergency calls, see [the Microsoft Teams documentation on managing emergency calling](/microsoftteams/what-are-emergency-locations-addresses-and-call-routing) and the considerations for [Operator Connect](/microsoftteams/considerations-operator-connect) or [Teams Phone Mobile](/microsoftteams/considerations-teams-phone-mobile).

+Azure Communications Gateway identifies emergency calls based on the dialing strings configured when you [deploy Azure Communications Gateway](deploy.md). These strings are also used by Microsoft Teams to identify emergency calls.

+ Title: Emergency calling for Microsoft Teams Direct Routing with Azure Communications Gateway

+description: Understand Azure Communications Gateway's support for emergency calling with Microsoft Teams Direct Routing

+# Emergency calling for Microsoft Teams Direct Routing with Azure Communications Gateway

+Azure Communications Gateway supports Microsoft Teams Direct Routing subscribers making emergency calls from Microsoft Teams clients. This article describes how Azure Communications Gateway routes these calls to your network and the key facts you'll need to consider.

+## Overview of emergency calling with Azure Communications Gateway

+If a subscriber uses a Microsoft Teams client to make an emergency call and the subscriber's number is associated with Azure Communications Gateway, Microsoft Phone System routes the call to Azure Communications Gateway. The call has location information encoded in a PIDF-LO (Presence Information Data Format Location Object) SIP body.

+Azure Communications Gateway routes emergency calls to your network with this PIDF-LO location information unaltered. It is your responsibility to:

+- Ensure that these emergency calls are properly routed to an appropriate Public Safety Answering Point (PSAP).

+- Configure the SIP trunks to Azure Communications Gateway in your tenant to support PIDF-LO. You typically do this when you [set up Direct Routing support](connect-teams-direct-routing.md#connect-your-tenant-to-azure-communications-gateway).

+For more information on how Microsoft Teams handles emergency calls, see [the Microsoft Teams documentation on managing emergency calling](/microsoftteams/what-are-emergency-locations-addresses-and-call-routing) and the [considerations for Direct Routing](/microsoftteams/considerations-direct-routing).

+## Emergency numbers and location information

+Azure Communications Gateway identifies emergency calls based on the dialing strings configured when you [deploy Azure Communications Gateway](deploy.md). These strings are also used by Microsoft Teams to identify emergency calls.

+Microsoft Teams always sends location information on SIP INVITEs for emergency calls. This information can come from:

+- [Dynamic locations](/microsoftteams/configure-dynamic-emergency-calling), based on the location of the client used to make the call.

+ - Enterprise administrators must add physical locations associated with network connectivity into the Location Information Server (LIS) in Microsoft Teams.

+ - When Microsoft Teams clients make an emergency call, they obtain their physical location based on their network location.

+- Static locations that your customers assign.

+## Next steps

+- Learn about [the key concepts in Microsoft Teams emergency calling](/microsoftteams/what-are-emergency-locations-addresses-and-call-routing).

+- Learn about [dynamic emergency calling in Microsoft Teams](/microsoftteams/configure-dynamic-emergency-calling).

+Setting up Azure Communications Gateway requires planning your deployment, deploying your Azure Communications Gateway resource, and integrating with your chosen communications services.

+> Some steps in the deployment and integration process can require days or weeks to complete. For example, you might need to arrange Microsoft Azure Peering Service (MAPS) connectivity before you can deploy, wait for onboarding, or wait for a specific date to launch your service. We recommend that you read through any documentation from your onboarding team and the procedures in [Deploy Azure Communications Gateway](#deploy-azure-communications-gateway) and [Integrate with your chosen communications services](#integrate-with-your-chosen-communications-services) before you start deploying.

+## Learn about and plan for Azure Communications Gateway

+For Operator Connect and Teams Phone Mobile, also read:

+For Microsoft Teams Direct Routing, also read:

+- [Overview of interoperability of Azure Communications Gateway with Microsoft Teams Direct Routing](interoperability-teams-direct-routing.md).

+- [Emergency calling for Microsoft Teams Direct Routing with Azure Communications Gateway](emergency-calling-teams-direct-routing.md)

+Read through the procedures in [Deploy Azure Communications Gateway](#deploy-azure-communications-gateway) and [Integrate with your chosen communications services](#integrate-with-your-chosen-communications-services) and use those procedures as input into your planning for deployment, testing and going live. You need to work with an onboarding team (from Microsoft or one that you arrange yourself) during these phases, so ensure that you discuss timelines and requirements with this team.

+## Deploy Azure Communications Gateway

+1. [Prepare to deploy Azure Communications Gateway](prepare-to-deploy.md) describes the steps you need to take before you can start creating your Azure Communications Gateway resource. You might need to refer to some of the articles listed in [Learn about and plan for Azure Communications Gateway](#learn-about-and-plan-for-azure-communications-gateway).

+1. [Integrate with Azure Communications Gateway's Provisioning API](integrate-with-provisioning-api.md) describes how to integrate with the Provisioning API. Integrating with the API is:

+ - Required for Microsoft Teams Direct Routing.

+ - Optional for Operator Connect: only required to add custom headers to messages entering your core network.

+ - Not supported for Teams Phone Mobile.

+## Integrate with your chosen communications services

+1. [Connect Azure Communications Gateway to Operator Connect or Teams Phone Mobile](connect-operator-connect.md) describes how to set up Azure Communications Gateway for Operator Connect and Teams Phone Mobile, including onboarding to the Operator Connect and Teams Phone Mobile environments.

+Use the following procedures to integrate with Microsoft Teams Direct Routing.

+1. [Connect Azure Communications Gateway to Microsoft Teams Direct Routing](connect-teams-direct-routing.md) describes how to connect Azure Communications Gateway to the Microsoft Phone System for Microsoft Teams Direct Routing.

+1. [Configure a test customer for Microsoft Teams Direct Routing](configure-test-customer-teams-direct-routing.md) describes how to configure Azure Communications Gateway and Microsoft 365 with a test customer.

+1. [Configure test numbers for Microsoft Teams Direct Routing](configure-test-numbers-teams-direct-routing.md) describes how to configure Azure Communications Gateway and Microsoft 365 with a test numbers.

+1. [Prepare for live traffic with Microsoft Teams Direct Routing and Azure Communications Gateway](prepare-for-live-traffic-teams-direct-routing.md) describes how to test your deployment and launch your service.

+ Title: Get ready to use Azure Communications Gateway's Provisioning API (preview)

+description: Learn how to integrate with the Provisioning API (preview) for Azure Communications Gateway. The Provisioning API allows you to configure customers and associated numbers.

+# Integrate with Azure Communications Gateway's Provisioning API (preview)

+This article explains when you need to integrate with Azure Communications Gateway's Provisioning API (preview) and provides a high-level overview of getting started. It's aimed at software developers working for telecommunications providers.

+The Provisioning API allows you to configure Azure Communications Gateway with the details of your customers and the numbers that you have assigned to them. It's a REST API.

+Whether you need to integrate with the REST API depends on your chosen communications service.

+|Communications service |Provisioning API integration |Purpose |

+||||

+|Microsoft Teams Direct Routing |Required |- Configure the subdomain associated with each Direct Routing customer<br>- Generate DNS records specific to each customer (as required by the Microsoft 365 environment).<br>- Indicate that numbers are enabled for Direct Routing.<br>- (Optional) Configure a custom header for messages to your network|

+|Operator Connect|Optional|(Optional) Configure a custom header for messages to your network|

+|Teams Phone Mobile|Not supported|N/A|

+## Prerequisites

+You must have completed [Deploy Azure Communications Gateway](deploy.md).

+You must have access to a machine with an IP address that is permitted to access the Provisioning API (preview). This allowlist of IP addresses (or ranges) was configured as part of [deploying Azure Communications Gateway](deploy.md#collect-configuration-values-for-each-communications-service).

+## Learn about the API and plan your BSS client changes

+To integrate with the Provisioning API (preview), you need to create (or update) a BSS client that can contact it. The Provisioning API supports a machine-to-machine [OAuth 2.0](/azure/active-directory/develop/v2-protocols) client credentials authentication flow. Your client authenticates and makes authorized API calls as itself, without the interaction of users.

+## Configure your BSS client to connect to Azure Communications Gateway

+The Provisioning API (preview) is available on port 443 of your Azure Communications Gateway's base domain.

+> [!TIP]

+> To find the base domain:

+> 1. Sign in to the Azure portal.

+> 1. Navigate to the **Overview** of your Azure Communications Gateway resource and select **Properties**.

+> 1. Find the field named **Domain**.

+The following steps summarize the Azure configuration you need.

+1. Register your BSS client in the same Azure tenant as your Azure Communications Gateway deployment. This process creates an app registration.

+1. Assign yourself as an owner for the app registration.

+1. Configure the app registration with the scopes for the API. This configuration indicates to Azure that your application is permitted to access the Provisioning API.

+1. As an administrator for the tenant, allow the application to use the app roles that you assigned.

+> [!NOTE]

+> For more information about the resources in the Provisioning API and the Azure configuration required, [make a support request](request-changes.md).

+## Next steps

+- [Connect to Operator Connect or Teams Phone Mobile](connect-operator-connect.md)

+- [Connect to Microsoft Teams Direct Routing](connect-teams-direct-routing.md)

+ Title: Overview of Operator Connect and Teams Phone Mobile with Azure Communications Gateway

+## Compliance with Certified SBC specifications

+## Call control integration for Teams Phone Mobile

+## Providing call duration data to Microsoft Teams

+ Title: Overview of Microsoft Teams Direct Routing with Azure Communications Gateway

+description: Understand how Azure Communications Gateway works with Microsoft Teams Direct Routing and your fixed network

+# Overview of interoperability of Azure Communications Gateway with Microsoft Teams Direct Routing

+Azure Communications Gateway is a certified SBC for Microsoft Teams Direct Routing, allowing telecommunications operators and service providers to provide their customers with PSTN connectivity from Microsoft Teams. Azure Communications Gateway can manipulate signaling and media to meet the requirements of your networks and the Microsoft Phone System, which powers Microsoft Teams Direct Routing.

+In this article, you learn:

+- Where Azure Communications Gateway fits in your network.

+- How Azure Communications Gateway supports many customers.

+- Which signaling and media interworking features it offers.

+> [!IMPORTANT]

+> You must be a telecommunications operator or service provider to use Azure Communications Gateway.

+## Role and position in the network

+Azure Communications Gateway sits at the edge of your fixed line network. It connects this network to the Microsoft Phone System, allowing you to support Microsoft Teams Direct Routing. The following diagram shows where Azure Communications Gateway sits in your network.

+ Architecture diagram showing Azure Communications Gateway connecting to the Microsoft Phone System and a fixed operator network over SIP and RTP. Azure Communications Gateway and the Microsoft Phone System connect multiple customers to the operator network. Azure Communications Gateway also has a provisioning API to which a BSS client in the operator's management network must connect. Azure Communications Gateway contains certified SBC function.

+Calls flow from endpoints in your networks through Azure Communications Gateway and the Microsoft Phone System into Microsoft Teams clients.

+## Compliance with Certified SBC specifications

+Azure Communications Gateway supports the Microsoft specifications for Certified SBCs for Microsoft Teams Direct Routing. For more information about certification and these specifications, see [Session Border Controllers certified for Direct Routing](/microsoftteams/direct-routing-border-controllers).

+Azure Communications Gateway includes multiple features that allow your network to meet the requirements for Direct Routing, including:

+- [Identifying the customer tenant for Microsoft Phone System](#identifying-the-customer-tenant-for-microsoft-phone-system)

+- [SIP interworking](#sip-signaling)

+- [Media interworking](#rtp-and-srtp-media)

+## Support for multiple customers with the Microsoft Teams multitenant model

+An Azure Communications Gateway deployment is designed to support Direct Routing for many tenants. Its design allows you to provide Microsoft Teams calling services to many customers, each with many users. It uses the carrier tenant and customer tenant model described in the [Microsoft Teams documentation on configuring a Session Border Controller for multiple tenants](/microsoftteams/direct-routing-sbc-multiple-tenants). In this model:

+- Your own configuration for Microsoft Teams is defined in your organization's tenant: the _carrier tenant_.

+- Each of your customers has its own _customer tenant_, representing the configuration for that customer.

+Your Azure Communications Gateway deployment always receives an FQDN (fully qualified domain name) when it's created. You use this FQDN as the _base domain_ for your carrier tenant.

+> [!TIP]

+> You can provide your own base domain to use with Azure Communications Gateway, or use the domain name that Azure automatically allocates. For more information, see [Topology hiding with domain delegation](#topology-hiding-with-domain-delegation).

+Azure Communications Gateway also receives two per-region subdomains of the base domain (one per region).

+Each of your customers needs _customer subdomains_ of these per-region domains. Azure Communications Gateway includes one of these subdomains in the Contact header of each message it sends to the Microsoft Phone System: the presence of the subdomain allows the Microsoft Phone System to identify the customer tenant for each message. For more information, see [Identifying the customer tenant for Microsoft Phone System](#identifying-the-customer-tenant-for-microsoft-phone-system).

+For each customer, you must:

+- Choose a suitable subdomain. The label for the subdomain must:

+ - Contain only letters, numbers, underscores and dashes.

+ - Be up to 63 characters in length.

+ - Not contain a wildcard or multiple labels separated by `.`.

+- Configure Azure Communications Gateway with this information, as part of "account" configuration available over the Provisioning API.

+- Liaise with the customer to update their tenant with the appropriate subdomain, by following the [Microsoft Teams documentation for registering subdomain names in customer tenants](/microsoftteams/direct-routing-sbc-multiple-tenants#register-a-subdomain-name-in-a-customer-tenant).

+As part of arranging updates to customer tenants, you must create DNS records containing a verification code (provided by Microsoft 365 when the customer updates their tenant with the domain name) on a DNS server that you control. These records allow Microsoft 365 to verify that the customer tenant is authorized to use the domain name. Azure Communications Gateway provides the DNS server that you must use. You must obtain the verification code from the customer and upload it with Azure Communications Gateway's Provisioning API to generate the DNS TXT records that verify the domain.

+> [!TIP]

+> For a walkthrough of setting up a customer tenant and subdomain for your testing, see [Configure a test customer for Microsoft Teams Direct Routing with Azure Communications Gateway](configure-test-customer-teams-direct-routing.md). When you onboard a real customer, you'll need to follow a similar process, but you'll typically need to ask them to carry out the steps that need access to their tenant.

+## Support for caller ID screening

+Microsoft Teams Direct Routing allows a customer admin to assign any phone number to a user in their tenant, even if you haven't assigned that number to them in your network. This lack of validation presents a risk of caller ID spoofing.

+To prevent caller ID spoofing, Azure Communications Gateway screens all Direct Routing calls originating from Microsoft Teams. This screening ensures that customers can only place calls from numbers that you have assigned to them. However, you can disable this screening on a per-customer basis, as part of "account" configuration available over the Provisioning API.

+The following diagram shows the call flow for an INVITE from a number that has been assigned to a customer. In this case, Azure Communications Gateway's configuration for the number also includes custom header configuration, so Azure Communications Gateway adds a custom header with the contents.

+ Call flow diagram showing an invite from a number assigned to a customer. Azure Communications Gateway checks its internal database to determine if the calling number is assigned to a customer. The number is assigned, so Azure Communications Gateway allows the call. The number configuration on Azure Communications Gateway includes custom header contents. Azure Communications Gateway adds the header contents as an X-MS-Operator-Content header before forwarding the call to the operator network.

+> [!NOTE]

+> The name of the custom header must be configured as part of [deploying Azure Communications Gateway](deploy.md#collect-configuration-values-for-each-communications-service). The name is the same for all messages. In this example, the name of the custom header is `X-MS-Operator-Content`.

+The following diagram shows the call flow for an INVITE from a number that hasn't been assigned to a customer. Azure Communications Gateway rejects the call with a 403.

+ Call flow diagram showing an invite from a number not assigned to a customer. Azure Communications Gateway checks its internal database to determine if the calling number is assigned to a customer. The number isn't assigned, so Azure Communications Gateway rejects the call with 403.

+## Identifying the customer tenant for Microsoft Phone System

+The Microsoft Phone System uses the domains in the Contact header of messages to identify the tenant for each message. Azure Communications Gateway automatically rewrites Contact headers on messages towards the Microsoft Phone System. so that they include the appropriate per-customer domain. This process removes the need for your core network to map between numbers and per-customer domains.

+You must provision Azure Communications Gateway with each number assigned to a customer for Direct Routing. This provisioning uses Azure Communications Gateway's Provisioning API.

+The following diagram shows how Azure Communications Gateway rewrites Contact headers on messages sent from the operator network to the Microsoft Phone System with Direct Routing.

+ Call flow diagram showing an invite for +14255550100 sent from an operator network to Azure Communications Gateway. Azure Communications Gateway uses an internal database to find the appropriate customer subdomain for the number and updates the Contact header with the subdomain. Azure Communications Gateway then routes the invite to the Microsoft Phone System.

+## SIP signaling

+Azure Communications Gateway automatically interworks calls to support requirements for Direct Routing:

+- Updating Contact headers to route messages correctly, as described in [Identifying the customer tenant for Microsoft Phone System](#identifying-the-customer-tenant-for-microsoft-phone-system).

+- SIP over TLS

+- X-MS-SBC header (describing the SBC function)

+- Strict rules on a= attribute lines in SDP bodies

+- Strict rules on call transfer handling

+These features are part of Azure Communications Gateway's [compliance with Certified SBC specifications](#compliance-with-certified-sbc-specifications) for Microsoft Teams Direct Routing.

+You can arrange more interworking function as part of your initial network design or at any time by raising a support request for Azure Communications Gateway. For example, you might need extra interworking configuration for:

+- Advanced SIP header or SDP message manipulation

+- Support for reliable provisional messages (100rel)

+- Interworking between early and late media

+- Interworking away from inband DTMF tones

+- Placing the unique tenant ID elsewhere in SIP messages to make it easier for your network to consume, for example in `tgrp` parameters

+## RTP and SRTP media

+The Microsoft Phone System typically requires SRTP for media. Azure Communications Gateway supports both RTP and SRTP, and can interwork between them. Azure Communications Gateway offers further media manipulation features to allow your networks to interoperate with the Microsoft Phone System.

+### Media handling for calls

+You must select the codecs that you want to support when you deploy Azure Communications Gateway. If the Microsoft Phone System doesn't support these codecs, Azure Communications Gateway can perform transcoding (converting between codecs) on your behalf.

+Microsoft Teams Direct Routing requires core networks to support ringback tones (ringing tones) during call transfer. Core networks must also support comfort noise. If your core networks can't meet these requirements, Azure Communications Gateway can inject media into calls.

+### Media interworking options

+Azure Communications Gateway offers multiple media interworking options. For example, you might need to:

+- Change handling of RTCP

+- Control bandwidth allocation

+- Prioritize specific media traffic for Quality of Service

+For full details of the media interworking features available in Azure Communications Gateway, raise a support request.

+## Topology hiding with domain delegation

+The domain for your Azure Communications Gateway deployment is visible to customer administrators in their Microsoft 365 admin center. By default, each Azure Communications Gateway deployment receives an automatically generated domain name similar to `a1b2c3d4efghij5678.commsgw.azure.example.com`.

+To hide the details of your deployment, you can configure Azure Communications Gateway to use a subdomain of your own base domain. Customer administrators see subdomains of this domain in their Microsoft 365 admin center. This process uses [DNS delegation with Azure DNS](../dns/dns-domain-delegation.md). You must configure DNS delegation as part of deploying Azure Communications Gateway.

+## Next steps

+- Learn about [monitoring Azure Communications Gateway](monitor-azure-communications-gateway.md).

+- Learn about [requesting changes to Azure Communications Gateway](request-changes.md).

+description: Azure Communications Gateway provides telecoms operators with the capabilities and network functions required to connect their network to Microsoft Teams.

+Azure Communications Gateway enables Microsoft Teams calling through the Operator Connect, Teams Phone Mobile and Microsoft Teams Direct Routing programs. It provides Voice and IT integration with Microsoft Teams across both fixed and mobile networks. It's certified as part of the Operator Connect Accelerator program.

+Azure Communications Gateway provides advanced SIP, RTP and HTTP interoperability functions (including Teams Certified SBC function) so that you can integrate with Operator Connect, Teams Phone Mobile or Microsoft Teams Direct Routing quickly, reliably and in a secure manner.

+Traffic from all enterprises shares a single SIP trunk, using a multitenant format. This multitenant format ensures the solution is suitable for both the SMB and Enterprise markets.

+## Provisioning and API integration for Operator Connect and Teams Phone Mobile

+Azure Communications Gateway also automatically integrates with Operator Connect APIs to upload call duration data to Microsoft Teams. For more information, see [Providing call duration data to Microsoft Teams](interoperability-operator-connect.md#providing-call-duration-data-to-microsoft-teams).

+## Multitenant support and caller ID screening for Direct Routing

+Microsoft Teams Direct Routing's multitenant model for carrier telecommunications operators requires inbound messages to Microsoft Teams to indicate the Microsoft tenant associated with your customers. Azure Communications Gateway automatically updates the SIP signaling to indicate the correct tenant, using information that you provision onto Azure Communications Gateway. This process removes the need for your core network to map between numbers and customer tenants. For more information, see [Identifying the customer tenant for Microsoft Phone System](interoperability-teams-direct-routing.md#identifying-the-customer-tenant-for-microsoft-phone-system).

+Microsoft Teams Direct Routing allows a customer admin to assign any phone number to a user, even if you haven't assigned that number to them. This lack of validation presents a risk of caller ID spoofing. Azure Communications Gateway automatically screens all Direct Routing calls originating from Microsoft Teams. This screening ensures that customers can only place calls from numbers that you have assigned to them. However, you can disable this screening on a per-customer basis if necessary. For more information, see [Support for caller ID screening](interoperability-teams-direct-routing.md#support-for-caller-id-screening).

+ - Operator Connect and Microsoft Teams Direct Routing are fixed networks.

+ - Teams Phone Mobile is a mobile network.

+> A Microsoft Teams Direct Routing user is any telephone number configured with Direct Routing on Azure Communications Gateway. Billing for the user starts as soon as you have configured the number.

+>

+> An Operator Connect or Teams Phone Mobile user is any telephone number that meets all the following criteria.

+ Title: Prepare for Operator Connect or Teams Phone Mobile live traffic with Azure Communications Gateway

+ |[Operator Connect portal](https://operatorconnect.microsoft.com/) | `Admin` role or `PartnerSettings.Read` and `NumberManagement.Write` roles (configured on the Project Synergy enterprise application that you set up when [you connected to Operator Connect or Teams Phone Mobile](connect-operator-connect.md#add-the-project-synergy-application-to-your-azure-tenancy))|

+## Ask your onboarding team to register your test enterprise tenant

+## Assign numbers to test users in your tenant

+## Carry out integration testing and request changes

+## Run a connectivity test and upload proof

+1. Provide your onboarding team with proof that BFD is enabled. You should have enabled BFD when you [connected Azure Communications Gateway to your networks](deploy.md#connect-azure-communications-gateway-to-your-networks) as part of deploying. For example, if you have a Cisco router, you can provide configuration similar to the following.

+## Get your go-to-market resources approved

+## Test raising a ticket

+## Learn about monitoring Azure Communications Gateway

+## Verify API integration

+## Arrange synthetic testing

+## Schedule launch

+ Title: Prepare for Microsoft Teams Direct Routing live traffic with Azure Communications Gateway

+description: After deploying Azure Communications Gateway, you and your onboarding team must carry out further integration work before you can launch your Microsoft Teams Direct Routing service.

+# Prepare for live traffic with Microsoft Teams Direct Routing and Azure Communications Gateway

+Before you can launch your Operator Connect or Teams Phone Mobile service, you and your onboarding team must:

+- Test your service.

+- Prepare for launch.

+In this article, you learn about the steps you and your onboarding team must take.

+> [!TIP]

+> In many cases, your onboarding team is from Microsoft, provided through the [Included Benefits](onboarding.md) or through a separate arrangement.

+> [!IMPORTANT]

+> Some steps can require days or weeks to complete. We recommend that you read through these steps in advance to work out a timeline.

+## Prerequisites

+You must have completed the following procedures.

+- [Prepare to deploy Azure Communications Gateway](prepare-to-deploy.md)

+- [Deploy Azure Communications Gateway](deploy.md)

+- [Connect Azure Communications Gateway to Microsoft Teams Direct Routing](connect-teams-direct-routing.md)

+- [Configure a test customer for Microsoft Teams Direct Routing](configure-test-customer-teams-direct-routing.md)

+- [Configure test numbers for Microsoft Teams Direct Routing](configure-test-numbers-teams-direct-routing.md)

+## Carry out integration testing and request changes

+Network integration includes identifying SIP interoperability requirements and configuring devices to meet these requirements. For example, this process often includes interworking header formats and/or the signaling & media flows used for call hold and session refresh.

+You must test typical call flows for your network. Your onboarding team will provide an example test plan that we recommend you follow. Your test plan should include call flow, failover, and connectivity testing.

+- If you decide that you need changes to Azure Communications Gateway, ask your onboarding team. Microsoft must make the changes for you.

+- If you need changes to the configuration of devices in your core network, you must make those changes.

+## Test raising a ticket

+You must test that you can raise tickets in the Azure portal to report problems with Azure Communications Gateway. See [Get support or request changes for Azure Communications Gateway](request-changes.md).

+## Learn about monitoring Azure Communications Gateway

+Your staff can use a selection of key metrics to monitor Azure Communications Gateway. These metrics are available to anyone with the Reader role on the subscription for Azure Communications Gateway. See [Monitoring Azure Communications Gateway](monitor-azure-communications-gateway.md).

+## Next steps

+- Learn about [getting support and requesting changes for Azure Communications Gateway](request-changes.md).

+- Learn about [monitoring Azure Communications Gateway](monitor-azure-communications-gateway.md).

+## Arrange onboarding

+You need an onboarding partner to deploy Azure Communications Gateway. If you're not eligible for onboarding to Microsoft Teams through Azure Communications Gateway's [Included Benefits](onboarding.md) or you haven't arranged alternative onboarding with Microsoft through a separate arrangement, you need to arrange an onboarding partner yourself.

+## Ensure you have a suitable support plan

+## Choose the Azure tenant to use

+We recommend that you use an existing Azure Active Directory tenant for Azure Communications Gateway, because using an existing tenant uses your existing identities for fully integrated authentication. If you need to manage identities separately from the rest of your organization, create a new dedicated tenant first.

+The Operator Connect and Teams Phone Mobile environments inherit identities and configuration permissions from your Azure Active Directory tenant through a Microsoft application called Project Synergy. You must add this application to your Azure Active Directory tenant as part of [Connect Azure Communications Gateway to Operator Connect or Teams Phone Mobile](connect-operator-connect.md) (if your tenant does not already contain this application).

+## Get access to Azure Communications Gateway for your Azure subscription

+## Create a network design

+Connectivity between your networks and Azure Communications Gateway must meet any relevant network connectivity specifications.

+Ensure your network is set up as shown in the following diagram and has been configured in accordance with any network connectivity specifications that you've been issued for your chosen communications services. You must have two Azure Regions with cross-connect functionality. For more information on the reliability design for Azure Communications Gateway, see [Reliability in Azure Communications Gateway](reliability-communications-gateway.md).

+You must decide whether you want Azure Communications Gateway to have an autogenerated `*.commsgw.azure.com` domain name or a subdomain of a domain you already own, using [domain delegation with Azure DNS](../dns/dns-domain-delegation.md). Domain delegation provides topology hiding and might increase customer trust, but requires giving us full control over the subdomain that you delegate. For Microsoft Teams Direct Routing, choose domain delegation if you don't want customers to see an `*.commsgw.azure.com` in their Microsoft 365 admin centers.

+If you plan to route emergency calls through Azure Communications Gateway for Operator Connect or Teams Phone Mobile, read [Emergency calling for Operator Connect and Teams Phone Mobile with Azure Communications Gateway](emergency-calling-operator-connect.md) to learn about your options.

+## Configure MAPS or ExpressRoute

+Connect your network to Azure:

+> This section provides a brief overview of Azure Communications Gateway's interoperability features. For detailed information about interoperability with a specific communications service, see:

+> - [Interoperability of Azure Communications Gateway with Operator Connect and Teams Phone Mobile](interoperability-operator-connect.md).

+> - [Interoperability of Azure Communications Gateway with Microsoft Teams Direct Routing](interoperability-teams-direct-routing.md).

+Connectivity between your networks and Azure Communications Gateway must meet any relevant network connectivity specifications.

+- Learn about [interoperability for Operator Connect and Teams Phone Mobile](interoperability-operator-connect.md)

+- Learn about [interoperability for Microsoft Teams Direct Routing](interoperability-teams-direct-routing.md)

+- Customer data provisioned on Azure Communications Gateway or present in call metadata.

+Azure Communications Gateway doesn't store content data, but it does store customer data.

+- Customer data provisioned on Azure Communications Gateway includes configuration of numbers for specific communications services. It's needed to match numbers to these communications services and (optionally) make number-specific changes to calls, such as adding custom headers.

+- Temporary customer data from call metadata is stored for a maximum of 30 days and used to provide statistics. After 30 days, data from call metadata is no longer accessible to perform diagnostics or analysis of individual calls. Anonymized statistics and logs produced based on customer data are available after the 30 days limit.

+Azure Communications Gateway stores all data at rest securely, including provisioned customer and number configuration and any temporary customer data, such as call records. Azure Communications Gateway uses standard Azure infrastructure, with platform-managed encryption keys, to provide server-side encryption compliant with a range of security standards including FedRAMP. For more information, see [encryption of data at rest](../security/fundamentals/encryption-overview.md).

+You must manage the certificates that your network presents to Azure Communications Gateway. By default, Azure Communications Gateway supports the DigiCert Global Root G2 certificate and the Baltimore CyberTrust Root certificate as root certificate authority (CA) certificates. If the certificate that your network presents to Azure Communications Gateway uses a different root CA certificate, you must provide this certificate to your onboarding team when you [connect Azure Communications Gateway to your networks](deploy.md#connect-azure-communications-gateway-to-your-networks).

+We manage the certificate that Azure Communications Gateway uses to connect to your network and Microsoft Phone System. Azure Communications Gateway's certificate uses the DigiCert Global Root G2 certificate as the root CA certificate. If your network doesn't already support this certificate as a root CA certificate, you must download and install this certificate when you [connect Azure Communications Gateway to your networks](deploy.md#connect-azure-communications-gateway-to-your-networks).

+description: Discover what's new in Azure Communications Gateway for Operator Connect, Teams Phone Mobile and Microsoft Teams Direct Routing. Learn how to get started with the latest features.

+## October 2023

+### Support for multitenant Microsoft Teams Direct Routing

+From October 2023, Azure Communications Gateway supports providing PSTN connectivity to Microsoft Teams through Direct Routing. You can provide Microsoft Teams calling services to many customers, each with many users, with minimal disruption to your existing network. Azure Communications Gateway automatically updates the SIP signaling to indicate the correct tenant, without needing changes to your core network to map between numbers and customer tenants.

+Azure Communications Gateway can screen Direct Routing calls originating from Microsoft Teams to ensure that the number is enabled for Direct Routing. This screening reduces the risk of caller ID spoofing, because it prevents customer administrators assigning numbers that you haven't allocated to the customer.

+For more information about Direct Routing with Azure Communications Gateway, see [Overview of interoperability of Azure Communications Gateway with Microsoft Teams Direct Routing](interoperability-teams-direct-routing.md). For an overview of deploying and configuring Azure Communications Gateway for Direct Routing, see [Get started with Azure Communications Gateway](get-started.md).

+* A [Consumption or Standard logic app resource](../logic-apps/logic-apps-overview.md#resource-environment-differences) with a blank workflow.

+ > [!NOTE]

+ >

+ > If you created a Standard logic app workflow, make sure to create a *stateful* workflow.

+ > The Recurrence trigger is currently unavailable for stateless workflows.

+Based on whether your workflow is [Consumption or Standard](../logic-apps/logic-apps-overview.md#resource-environment-differences), follow the corresponding steps:

+1. In the [Azure portal](https://portal.azure.com), open your logic app resource and blank workflow.

+1. [Follow these general steps to add the **Schedule** built-in trigger named **Recurrence**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-trigger).

+ 

+ | **Frequency** | `frequency` | Yes | String | The unit of time for the recurrence: **Second**, **Minute**, **Hour**, **Day**, **Week**, or **Month** <br><br>**Important**: If you select the **Day**, **Week**, or **Month** frequency, and you specify a future start date and time, make sure that you set up the recurrence in advance. Otherwise, the workflow might skip the first recurrence. <br><br>- **Day**: Set up the daily recurrence at least 24 hours in advance. <br><br>- **Week**: Set up the weekly recurrence at least 7 days in advance. <br><br>- **Month**: Set up the monthly recurrence at least one month in advance. |

+1. Review the following considerations when you use the **Recurrence** trigger:

+ * If you don't specify a specific [start date and time](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#start-time), the first recurrence runs immediately when you save the workflow or deploy the logic app resource, despite your trigger's recurrence setup. To avoid this behavior, provide a start date and time for when you want the first recurrence to run.

+ * If you don't specify any other advanced scheduling options, such as specific times to run future recurrences, those recurrences are based on the last run time. As a result, the start times for those recurrences might drift due to factors such as latency during storage calls.

+ * To make sure that your workflow doesn't miss a recurrence, especially when the frequency is in days or longer, try the following options:

+

+ * Provide a start date and time for the recurrence and the specific times to run subsequent recurrences. You can use the properties named **At these hours** and **At these minutes**, which are available only for the **Day** and **Week** frequencies.

+ * For Consumption logic app workflows, use the [Sliding Window trigger](../connectors/connectors-native-sliding-window.md), rather than the Recurrence trigger.

+ * If you deploy a disabled Consumption workflow that has a Recurrence trigger using an ARM template, the trigger instantly fires when you enable the workflow unless you set the **Start time** parameter before deployment.

+1. To set advanced scheduling options, open the **Add new parameter** list. Any options that you select appear on the trigger after selection.

+ 

+ 

+ > The trigger shows a preview for your specified recurrence only when you select **Day** or **Week** as the frequency.

+1. Now continue building your workflow with other actions.

+### [Standard](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your logic app resource and blank workflow.

+1. [Follow these general steps to add the **Schedule** built-in trigger named **Recurrence**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+1. Set the interval and frequency for the recurrence. In this example, set these properties to run your workflow every week, for example:

+ 

+ | Property | JSON name | Required | Type | Description |

+ |-|--|-||-|

+ | **Interval** | `interval` | Yes | Integer | A positive integer that describes how often the workflow runs based on the frequency. Here are the minimum and maximum intervals: <br><br>- Month: 1-16 months <br>- Week: 1-71 weeks <br>- Day: 1-500 days <br>- Hour: 1-12,000 hours <br>- Minute: 1-72,000 minutes <br>- Second: 1-9,999,999 seconds<br><br>For example, if the interval is 6, and the frequency is "Month", then the recurrence is every 6 months. |

+ | **Frequency** | `frequency` | Yes | String | The unit of time for the recurrence: **Second**, **Minute**, **Hour**, **Day**, **Week**, or **Month** <br><br>**Important**: If you select the **Day**, **Week**, or **Month** frequency, and you specify a future start date and time, make sure that you set up the recurrence in advance. Otherwise, the workflow might skip the first recurrence. <br><br>- **Day**: Set up the daily recurrence at least 24 hours in advance. <br><br>- **Week**: Set up the weekly recurrence at least 7 days in advance. <br><br>- **Month**: Set up the monthly recurrence at least one month in advance. |

+ | **Time Zone** | `timeZone` | No | String | Applies only when you specify a start time because this trigger doesn't accept [UTC offset](https://en.wikipedia.org/wiki/UTC_offset). Select the time zone that you want to apply. |

+ | **Start Time** | `startTime` | No | String | Provide a start date and time, which has a maximum of 49 years in the future and must follow the [ISO 8601 date time specification](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) in [UTC date time format](https://en.wikipedia.org/wiki/Coordinated_Universal_Time), but without a [UTC offset](https://en.wikipedia.org/wiki/UTC_offset): <br><br>YYYY-MM-DDThh:mm:ss if you select a time zone <br><br>-or- <br><br>YYYY-MM-DDThh:mm:ssZ if you don't select a time zone <br><br>So for example, if you want September 18, 2020 at 2:00 PM, then specify "2020-09-18T14:00:00" and select a time zone such as Pacific Standard Time. Or, specify "2020-09-18T14:00:00Z" without a time zone. <br><br>**Important:** If you don't select a time zone, you must add the letter "Z" at the end without any spaces. This "Z" refers to the equivalent [nautical time](https://en.wikipedia.org/wiki/Nautical_time). If you select a time zone value, you don't need to add a "Z" to the end of your **Start time** value. If you do, Logic Apps ignores the time zone value because the "Z" signifies a UTC time format. <br><br>For simple schedules, the start time is the first occurrence, while for complex schedules, the trigger doesn't fire any sooner than the start time. [*What are the ways that I can use the start date and time?*](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#start-time) |

+ | **On These Days** | `weekDays` | No | String or string array | If you select "Week", you can select one or more days when you want to run the workflow: **Monday**, **Tuesday**, **Wednesday**, **Thursday**, **Friday**, **Saturday**, and **Sunday** |

+ | **At These Hours** | `hours` | No | Integer or integer array | If you select "Day" or "Week", you can select one or more integers from 0 to 23 as the hours of the day for when you want to run the workflow. <br><br>For example, if you specify "10", "12" and "14", you get 10 AM, 12 PM, and 2 PM for the hours of the day, but the minutes of the day are calculated based on when the recurrence starts. To set specific minutes of the day, for example, 10:00 AM, 12:00 PM, and 2:00 PM, specify those values by using the property named **At these minutes**. |

+ | **At These Minutes** | `minutes` | No | Integer or integer array | If you select "Day" or "Week", you can select one or more integers from 0 to 59 as the minutes of the hour when you want to run the workflow. <br><br>For example, you can specify "30" as the minute mark and using the previous example for hours of the day, you get 10:30 AM, 12:30 PM, and 2:30 PM. <br><br>**Note**: Sometimes, the timestamp for the triggered run might vary up to 1 minute from the scheduled time. If you need to pass the timestamp exactly as scheduled to subsequent actions, you can use template expressions to change the timestamp accordingly. For more information, see [Date and time functions for expressions](../logic-apps/workflow-definition-language-functions-reference.md#date-time-functions). |

+ 

+ > [!NOTE]

+ >

+ > The trigger shows a preview for your specified recurrence only when you select **Day** or **Week** as the frequency.

+1. Review the following considerations when you use the **Recurrence** trigger:

+ * If you don't specify a specific [start date and time](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#start-time), the first recurrence runs immediately when you save the workflow or deploy the logic app resource, despite your trigger's recurrence setup. To avoid this behavior, provide a start date and time for when you want the first recurrence to run.

+ * If you don't specify any other advanced scheduling options, such as specific times to run future recurrences, those recurrences are based on the last run time. As a result, the start times for those recurrences might drift due to factors such as latency during storage calls.

+ * To make sure that your workflow doesn't miss a recurrence, especially when the frequency is in days or longer, try providing a start date and time for the recurrence and the specific times to run subsequent recurrences. You can use the properties named **At These hours** and **At These minutes**, which are available only for the **Day** and **Week** frequencies.

+ For example, suppose that today is Friday, September 4, 2020. The following Recurrence trigger doesn't fire *any sooner* than the specified start date and time, which is Friday, September 18, 2020 at 8:00 AM Pacific Time. However, the recurrence schedule is set for 10:30 AM, 12:30 PM, and 2:30 PM on Mondays only. The first time that the trigger fires and creates a workflow instance is on Monday at 10:30 AM. To learn more about how start times work, see these [start time examples](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#start-time).

+ Future runs happen at 12:30 PM and 2:30 PM on the same day. Each recurrence creates their own workflow instance. After that, the entire schedule repeats all over again next Monday. [*What are some other example occurrences?*](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md#example-recurrences)

+ 

+* [Built-in connectors for Azure Logic Apps](built-in.md)

+ * **Registry REST API endpoint for certificates** - Azure container registry uses a wildcard SSL certificate for all subdomains. When connecting to the Azure container registry using SSL, the client must be able to download the certificate for the TLS handshake. In such cases, `azurecr.io` must also be accessible.

+See [Use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters (Preview)](/azure/aks/image-integrity?tabs=azure-cli) and [Ratify on Azure](https://ratify.dev/docs/1.0/quickstarts/ratify-on-azure/) to get started into verifying and auditing signed images before deploying them on AKS.

+[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/

+Your Azure free account includes a *specified quantity* of free services for 12 months and a set of services that are always free. Only some tiers of services are available for free within certain quantities. For example, Azure has many virtual machines intended for different needs. The free account includes access to three types of VMs for freeΓÇöthe B1S, B2pts v2 (ARM-based), and B2ats v2 (AMD-based) burstable VMs that are usable for up to 750 hours per month. By staying in the free account limits, you can use the free services in various configurations. For more information about the Azure free account and the products that are available for free, see [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/).

+## Usage and authentication notes

+### API notes

+Here's some general information for calling the Azure Digital Twins APIs directly.

+Here's some more information about authentication for API requests.

+* One way to generate a bearer token for Azure Digital Twins API requests is with the [az account get-access-token](/cli/azure/account#az-account-get-access-token()) CLI command. For detailed instructions, see [Get bearer token](how-to-use-postman-with-digital-twins.md#get-bearer-token).

+### SDK notes

+The underlying SDK for Azure Digital Twins is `Azure.Core`. See the [Azure namespace documentation](/dotnet/api/azure) for reference on the SDK infrastructure and types.

+Here's some more information about authentication with the SDKs.

+* Start by instantiating the `DigitalTwinsClient` class. The constructor requires credentials that can be obtained with different kinds of authentication methods in the `Azure.Identity` package. For more on `Azure.Identity`, see its [namespace documentation](/dotnet/api/azure.identity).

+* You may find the `InteractiveBrowserCredential` useful while getting started, but there are several other options, including credentials for [managed identity](/dotnet/api/azure.identity.interactivebrowsercredential), which you'll likely use to authenticate [Azure functions set up with MSI](../app-service/overview-managed-identity.md) against Azure Digital Twins. For more about `InteractiveBrowserCredential`, see its [class documentation](/dotnet/api/azure.identity.interactivebrowsercredential).

+Here's some more information about functions and returned data.

+* All service functions throw an exception for any return status of 400 or above. Make sure you wrap calls into a `try` section, and catch at least `RequestFailedExceptions`. For more about this type of exception, see its [reference documentation](/dotnet/api/azure.requestfailedexception).

+* Most service methods return `Response<T>` or (`Task<Response<T>>` for the asynchronous calls), where `T` is the class of return object for the service call. The [Response](/dotnet/api/azure.response-1) class encapsulates the service return and presents return values in its `Value` field.

+* Service methods with paged results return `Pageable<T>` or `AsyncPageable<T>` as results. For more about the `Pageable<T>` class, see its [reference documentation](/dotnet/api/azure.pageable-1); for more about `AsyncPageable<T>`, see its [reference documentation](/dotnet/api/azure.asyncpageable-1).

+You'll also need to grant the following **RBAC permissions** to the system-assigned managed identity of your Azure Digital Twins instance so that it can access input and output files in the Azure Blob Storage container:

+Finally, generate a bearer token that can be used in your requests to the Jobs API. For instructions, see [Get bearer token](how-to-use-postman-with-digital-twins.md#get-bearer-token).

+It's also possible to cancel a running import job with the [Cancel operation](/rest/api/digital-twins/dataplane/jobs/import-jobs-cancel) from the Jobs API. Once the job has been canceled and is no longer running, you can delete it.

+* Import Jobs are not atomic operations. There is no rollback in the case of failure, partial job completion, or usage of the [Cancel operation](/rest/api/digital-twins/dataplane/jobs/import-jobs-cancel).

+2. Next, use the [az account get-access-token](/cli/azure/account#az-account-get-access-token()) command to get a bearer token with access to the Azure Digital Twins service. In this command, you'll pass in the resource ID for the Azure Digital Twins service endpoint, in order to get an access token that can access Azure Digital Twins resources.

+[Azure Dev Tools for Teaching Management portal](https://azureforeducation.microsoft.com/Order)

+Sixty days before your membership expires, you'll receive email reminders to renew your subscription. In a renewal email, you can select the [renewal link](https://azureforeducation.microsoft.com/Order).

+1. Navigate to the [Azure Dev Tools for Teaching Management portal](https://azureforeducation.microsoft.com/Order).

+## September 2023

+### General Availability Fixed Pricing for Azure Data Manager for Energy

+Azure Data Manager for Energy is now available in Brazil South Region. Both developer tier and standard tier are available in Brazil South region. You can now select Brazil South as your preferred region when creating Azure Data Manage for Energy resource, using the [Azure portal](https://ms.portal.azure.com/#create/Microsoft.AzureDataManagerforEnergy)".

+ExpressRoute Traffic Collector can handle up to 300,000 flows a minute. In the event this limit is reached, excess flows are dropped. For more information, see [count of flows metric](expressroute-monitoring-metrics-alerts.md#count-of-flow-records-processedsplit-by-instances-or-expressroute-circuit) on a circuit.

+### Does ExpressRoute Traffic Collector support ExpressRoute provider ports?

+For supported ExpressRoute provider ports contact ErTCasks@microsoft.com.

+You can associate a single ExpressRoute Direct circuit with multiple ExpressRoute Traffic Collectors deployed in different Azure region within a given geo-political region. It's recommended that you associate your ExpressRoute Direct circuit with multiple ExpressRoute Traffic Collectors as part of your disaster recovery and high availability plan.

+ Title: Configure Traffic Collector for ExpressRoute Direct

+# Configure Traffic Collector for ExpressRoute Direct

+- For ExpressRoute provider support contact ErTCasks@microsoft.com.

+1. On the **Add Circuits** page, select the checkbox next to the circuit you would like Traffic Collector to monitor and then select **Add**. Select **Next** to configure where logs get forwarded to.

+ Title: Azure ExpressRoute Traffic Collector

+# Azure ExpressRoute Traffic Collector

+Flow logs are collected at an interval of every 1 minute. All packets collected for a given flow get aggregated and imported into a Log Analytics workspace for further analysis. During flow collection, not every packet is captured into its own flow record. ExpressRoute Traffic Collector uses a sampling rate of 1:4096, meaning 1 out of every 4096 packets gets captured. Therefore, sampling rate short flows (in total bytes) might not get collected. This sampling size doesn't affect network traffic analysis when sampled data is aggregated over a longer period of time. Flow collection time and sampling rate are fixed and can't be changed.

+| Column | Type | Description |

+|--|--|--|

+| ATCRegion | string | ExpressRoute Traffic Collector (ATC) deployment region. |

+| ATCResourceId | string | Azure resource ID of ExpressRoute Traffic Collector (ATC). |

+| BgpNextHop | string | Border Gateway Protocol (BGP) next hop as defined in the routing table. |

+| DestinationIp | string | Destination IP address. |

+| DestinationPort | int | TCP destination port. |

+| Dot1qCustomerVlanId | int | Dot1q Customer VlanId. |

+| Dot1qVlanId | int | Dot1q VlanId. |

+| DstAsn | int | Destination Autonomous System Number (ASN). |

+| DstMask | int | Mask of destination subnet. |

+| DstSubnet | string | Destination subnet of destination IP. |

+| ExRCircuitDirectPortId | string | Azure resource ID of Express Route Circuit's direct port. |

+| ExRCircuitId | string | Azure resource ID of Express Route Circuit. |

+| ExRCircuitServiceKey | string | Service key of Express Route Circuit. |

+| FlowRecordTime | datetime | Timestamp (UTC) when Express Route Circuit emitted this flow record. |

+| Flowsequence | long | Flow sequence of this flow. |

+| IcmpType | int | Protocol type as specified in IP header. |

+| IpClassOfService | int | IP Class of service as specified in IP header. |

+| IpProtocolIdentifier | int | Protocol type as specified in IP header. |

+| IpVerCode | int | IP version as defined in the IP header. |

+| MaxTtl | int | Maximum time to live (TTL) as defined in the IP header. |

+| MinTtl | int | Minimum time to live (TTL) as defined in the IP header. |

+| NextHop | string | Next hop as per forwarding table. |

+| NumberOfBytes | long | Total number of bytes of packets captured in this flow. |

+| NumberOfPackets | long | Total number of packets captured in this flow. |

+| OperationName | string | The specific ExpressRoute Traffic Collector operation that emitted this flow record. |

+| PeeringType | string | Express Route Circuit peering type. |

+| Protocol | int | Protocol type as specified in IP header. |

+| \_ResourceId | string | A unique identifier for the resource that the record is associated with |

+| SchemaVersion | string | Flow record schema version. |

+| SourceIp | string | Source IP address. |

+| SourcePort | int | TCP source port. |

+| SourceSystem | string | |

+| SrcAsn | int | Source Autonomous System Number (ASN). |

+| SrcMask | int | Mask of source subnet. |

+| SrcSubnet | string | Source subnet of source IP. |

+| \_SubscriptionId | string | A unique identifier for the subscription that the record is associated with |

+| TcpFlag | int | TCP flag as defined in the TCP header. |

+| TenantId | string | |

+| TimeGenerated | datetime | Timestamp (UTC) when the ExpressRoute Traffic Collector emitted this flow record. |

+| Type | string | The name of the table |

+| Region | Region Name |

+| | -- |

+| North American | <ul><li>Canada East</li><li>Canada Central</li><li>Central US</li><li>Central US EUAP</li><li>North Central US</li><li>South Central US</li><li>West Central US</li><li>East US</li><li>East US 2</li><li>West US</li><li>West US 2</li><li>West US 3</li></ul> |

+| South America | <ul><li>Brazil South</li><li>Brazil Southeast</li></ul> |

+| Europe | <ul><li>West Europe</li><li>North Europe</li><li>UK South</li><li>UK West</li><li>France Central</li><li>France South</li><li>Germany North</li><li>Sweden Central</li><li>Sweden South</li><li>Switzerland North</li><li>Switzerland West</li><li>Norway East</li><li>Norway West</li></ul> |

+| Asia | <ul><li>East Asia</li><li>Central India</li><li>South India</li><li>Japan West</li><li>Korea South</li><li>UAE North</li></ul> |

+| Africa | <ul><li>South Africa North</li><li>South Africa West</li></ul> |

+| Pacific | <ul><li>Australia Central</li><li>Australia Central 2</li><li>Australia East</li><li>Australia Southeast</li></ul> |

+## Pricing

+| Zone | Gateway per hour | Data processed per GB |

+| - | - | |

+| Zone 1 | $0.60/hour | $0.10/GB |

+| Zone 2 | $0.80/hour | $0.20/GB |

+| Zone 3 | $0.80/hour | $0.20/GB |

+As new features are released to preview, some of them are behind a feature flag. To enable the functionality in your environment, you must enable the feature flag on your subscription. These features are applied at the subscription level for all firewalls (virtual network firewalls and SecureHub firewalls).

+This article is updated to reflect the features that are currently in preview with instructions to enable them. When the features move to General Availability (GA), they're available to all customers without the need to enable a feature flag.

+Starting in August 2023, this preview is automatically enabled on all firewalls and no action is required to enable this functionality.

+Azure Firewall predefined workbooks are two selections away and fully available from the **Monitoring** section in the Azure Firewall portal UI.

+### Parallel IP Group updates (preview)

+You can now update multiple IP Groups in parallel at the same time. This is useful for administrators who want to make configuration changes more quickly and at scale, especially when making those changes using a dev ops approach (templates, ARM template, CLI, and PowerShell).

+For more information, see [IP Groups in Azure Firewall](ip-groups.md#parallel-ip-group-updates-preview).

+ Title: Azure Firewall with Microsoft Sentinel overview

+description: This article shows you how you can optimize security using the Azure Firewall solution for Microsoft Sentinel.

+# Azure Firewall with Microsoft Sentinel overview

+You can now get both detection and prevention in the form of an easy-to-deploy Azure Firewall solution for Azure Sentinel.

+Security is a constant balance between proactive and reactive defenses. They're both equally important, and neither can be neglected. Effectively protecting your organization means constantly optimizing both prevention and detection.

+Combining prevention and detection allows you to ensure that you both prevent sophisticated threats when you can, while also maintaining an *assume breach mentality* to detect and quickly respond to cyber attacks.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Key capabilities

+When you integrate Azure Firewall with Microsoft Sentinel, you enable the following capabilities:

+- Monitor and visualize Azure Firewall activities

+- Detect threats and apply AI-assisted investigation capabilities

+- Automate responses and correlation to other sources

+The entire experience is packaged as a solution in the Microsoft Sentinel marketplace, which means it can be deployed relatively easily.

+## Deploy and enable the Azure Firewall solution for Microsoft Sentinel

+You can quickly deploy the solution from the Content hub. From your Microsoft Sentinel workspace, select **Analytics** and then **More content at Content hub**. Search for and select **Azure Firewall** and then select **Install**.

+Once installed, select **Manage** follow all the steps in the wizard, pass validation, and create the solution. With just a few selections, all content, including connectors, detections, workbooks, and playbooks are deployed in your Microsoft Sentinel workspace.

+## Monitor and visualize Azure Firewall activities

+The Azure Firewall workbook allows you to visualize Azure Firewall events. With this workbook, you can:

+- Learn about your application and network rules

+- See statistics for firewall activities across URLs, ports, and addresses

+- Filter by firewall and resource group

+- Dynamically filter per category with easy-to-read data sets when investigating an issue in the logs.

+The workbook provides a single dashboard for ongoing monitoring of your firewall activity. When it comes to threat detection, investigation, and response, the Azure Firewall solution also provides built-in detection and hunting capabilities.

+## Detect threats and use AI-assisted investigation capabilities

+The solutionΓÇÖs detection rules provide Microsoft Sentinel a powerful method for analyzing Azure Firewall signals to detect traffic representing malicious activity patterns traversing through the network. This allows rapid response and remediation of the threats.

+The attack stages an adversary pursues within the firewall solution are segmented based on the [MITRE ATT&CK](https://attack.mitre.org/) framework. The MITRE framework is a series of steps that trace stages of a cyber attack from the early reconnaissance stages to the exfiltration of data. The framework helps defenders understand and combat ransomware, security breaches, and advanced attacks.

+The solution includes detections for common scenarios an adversary might use as part of the attack, spanning from the discovery stage (gaining knowledge about the system and internal network) through the command-and-control (C2) stage (communicating with compromised systems to control them) to the exfiltration stage (adversary trying to steal data from the organization).

+| Detection rule | What does it do? | What does it indicate? |

+| | | |

+| Port scan | Identifies a source IP scanning multiple open ports on the Azure Firewall. | Malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. |

+| Port sweep | Identifies a source IP scanning the same open ports on the Azure Firewall different IPs. | Malicious scanning of a port by an attacker trying to reveal IPs with specific vulnerable ports open in the organization. |

+| Abnormal deny rate for source IP | Identifies an abnormal deny rate for a specific source IP to a destination IP based on machine learning done during a configured period. | Potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but Azure Firewall rules blocks it. |

+| Abnormal Port to protocol | Identifies communication for a well-known protocol over a nonstandard port based on machine learning done during an activity period. | Malicious communication (C2) or exfiltration by attackers trying to communicate over known ports (SSH, HTTP) but donΓÇÖt use the known protocol headers that match the port number. |

+| Multiple sources affected by the same TI destination | Identifies multiple machines that are trying to reach out to the same destination blocked by threat intelligence (TI) in the Azure Firewall. | An attack on the organization by the same attack group trying to exfiltrate data from the organization. |

+### Hunting queries

+Hunting queries are a tool for the security researcher to look for threats in the network of an organization, either after an incident has occurred or proactively to discover new or unknown attacks. To do this, security researchers look at several indicators of compromise (IOCs). The built-in Azure Sentinel hunting queries in the Azure Firewall solution give security researchers the tools they need to find high-impact activities from the firewall logs. Several examples include:

+| Hunting query | What does it do? | What does it indicate? |

+| | | |

+| First time a source IP connects to destination port | Helps to identify a common indication of an attack (IOA) when a new host or IP tries to communicate with a destination using a specific port. | Based on learning the regular traffic during a specified period. |

+| First time source IP connects to a destination | Helps to identify an IOA when malicious communication is done for the first time from machines that never accessed the destination before. | Based on learning the regular traffic during a specified period. |

+| Source IP abnormally connects to multiple destinations | Identifies a source IP that abnormally connects to multiple destinations. | Indicates initial access attempts by attackers trying to jump between different machines in the organization, exploiting lateral movement path or the same vulnerability on different machines to find vulnerable machines to access. |

+| Uncommon port for the organization | Identifies abnormal ports used in the organization network. | An attacker can bypass monitored ports and send data through uncommon ports. This allows the attackers to evade detection from routine detection systems. |

+| Uncommon port connection to destination IP | Identifies abnormal ports used by machines to connect to a destination IP. | An attacker can bypass monitored ports and send data through uncommon ports. This can also indicate an exfiltration attack from machines in the organization by using a port that has never been used on the machine for communication. |

+### Automate response and correlation to other sources

+Lastly, the Azure Firewall also includes Azure Sentinel playbooks, which enable you to automate response to threats. For example, say the firewall logs an event where a particular device on the network tries to communicate with the Internet via the HTTP protocol over a nonstandard TCP port. This action triggers a detection in Azure Sentinel. The playbook automates a notification to the security operations team via Microsoft Teams, and the security analysts can block the source IP address of the device with a single selection. This prevents it from accessing the Internet until an investigation can be completed. Playbooks allow this process to be much more efficient and streamlined.

+## Real world example

+LetΓÇÖs look at what the fully integrated solution looks like in a real-world scenario.

+### The attack and initial prevention by Azure Firewall

+A sales representative in the company has accidentally opened a phishing email and opened a PDF file containing malware. The malware immediately tries to connect to a malicious website but Azure Firewall blocks it. The firewall detected the domain using the Microsoft threat intelligence feed it consumes.

+### The response

+The connection attempt triggers a detection in Azure Sentinel and starts the playbook automation process to notify the security operations team via a Teams channel. There, the analyst can block the computer from communicating with the Internet. The security operations team then notifies the IT department which removes the malware from the sales representativeΓÇÖs computer. However, taking the proactive approach and looking deeper, the security researcher applies the Azure Firewall hunting queries and runs the **Source IP abnormally connects to multiple destinations** query. This reveals that the malware on the infected computer tried to communicate with several other devices on the broader network and tried to access several of them. One of those access attempts succeeded, as there was no proper network segmentation to prevent the lateral movement in the network, and the new device had a known vulnerability the malware exploited to infect it.

+### The result

+The security researcher removed the malware from the new device, completed mitigating the attack, and discovered a network weakness in the process.

+## Next step

+> [!div class="nextstepaction"]

+> [Learn more about Microsoft Sentinel](../sentinel/overview.md)

+>

+> [Microsoft security](https://www.microsoft.com/en-us/security/business)

+## Parallel IP Group updates (preview)

+You can now update multiple IP Groups in parallel at the same time. This is particularly useful for administrators who want to make configuration changes more quickly and at scale, especially when making those changes using a dev ops approach (templates, ARM, CLI, and Azure PowerShell).

+With this support, you can now:

+- Update 20 IP Groups at a time

+- Update the firewall and firewall policy during IP Group updates

+- Use the same IP Group in parent and child policy

+- Update multiple IP Groups referenced by firewall policy or classic firewall simultaneously

+- Receive new and improved error messages

+ - Fail and succeed states

+ For example, if there is an error with one IP Group update out of 20 parallel updates, the other updates proceed, and the errored IP Group fails. In addition, if the IP Group update fails, and the firewall is still healthy, the firewall remains in a *Succeeded* state. To check if the IP Group update has failed or succeeded, you can view the status on the IP Group resource.

+| Yes | /sub/ | /foo/ | contoso.com/sub/image/1.jpg | /foo/image/1.jpg |

+overall compliance % = (compliant + exempt + unknown + protected) / (compliant + exempt + unknown + non-compliant + conflicting + error + protected)

+ "effect": "deployIfNotExists",

+|Workload |Load Based |Schedule Based|

+## Tenant registration

+If you're trying to onboard a new tenant to HDInsight on AKS, you need to provide consent to first party App of HDInsight on AKS to Access API. This app will try to provision the application used to authenticate cluster users and groups.

+> [!NOTE]

+> Resource owner would be able to run the command to provision the first party service principal on the given tenant.

+**Commands**:

+```azurecli

+az ad sp create --id d3d1a4fe-edb2-4b09-bc39-e41d342323d6

+```

+```azurepowershell

+New-AzureADServicePrincipal -AppId d3d1a4fe-edb2-4b09-bc39-e41d342323d6

+```

+| Trino | Support for [Trino catalogs](./trino/trino-add-catalogs.md), [Trino CLI Support](./trino/trino-ui-command-line-interface.md), [DBeaver](./trino/trino-ui-dbeaver.md) support for query submission, Add or remove [plugins](./trino/trino-custom-plugins.md) and [connectors](./trino/trino-connectors.md), Support for [logging query](./trino/trino-query-logging.md) events, Support for [scan query statistics](./trino/trino-scan-stats.md) for any [Connector](./trino/trino-connectors.md) in Trino dashboard, Support for Trino [dashboard](./trino/trino-ui.md) to monitor queries, [Query Caching](./trino/trino-caching.md), Integration with PowerBI, Integration with [Apache Superset](./trino/trino-superset.md), Redash, Support for multiple [connectors](./trino/trino-connectors.md) |

+## Release date: September 7, 2023

+|CVE | Severity| CVE Title| Remark |

+|-|-|-|-|

+|[CVE-2023-38156](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38156)| Important | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability |Included on 2308221128 image |

+|[CVE-2023-36419](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36419) | Important | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability | Apply [Script action](https://hdiconfigactions2.blob.core.windows.net/msrc-script/script_action.sh) on your clusters |

+* The max length of cluster name will be changed to 45 from 59 characters, to improve the security posture of clusters. This change will be implemented by September 30, 2023.

+ * Request quotas increase directly from the My Quota page, which will be a direct API call, which is faster. If the APdI call fails, then customers need to create a new support request for quota increase.

+ * Plan to introduce a change in non-ESP ABFS clusters, which restricts non-Hadoop group users from executing Hadoop commands for storage operations. This change to improve cluster security posture. Customers need to plan for the updates before September 30, 2023.ΓÇ»

+Purge protection is an optional Key Vault behavior and is **not enabled by default**. Purge protection can only be enabled once soft-delete is enabled. Purge protection is recommended when using keys for encryption to prevent data loss. Most Azure services that integrate with Azure Key Vault, such as Storage, require purge protection to prevent data loss.

+Purge Protection can be turned on via [CLI](./key-vault-recovery.md?tabs=azure-cli), [PowerShell](./key-vault-recovery.md?tabs=azure-powershell) or [Portal](./key-vault-recovery.md?tabs=azure-portal).

+ > For Virtual Machine Scale Set backends, you will need to remove the load balancer association in the Networking settings. Once removed, you will also need to [**update the instances**](../virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-policy.md#performing-manual-upgrades)

+ `C:\psping {storage-account-host-name}.file.core.windows.net:443`

+> [!NOTE]

+>

+> Each message with 837_P, 837_I, or 837_D type requires a separate agreement.

+ Edit your `schemaReferences` section to look like the following example:

+* Can run multiple small jobs in parallel. One job per vCPU can run in parallel while the rest of the jobs are queued.

+If you set up the replication appliance manually, then make sure that it complies with the requirements summarized in the table. When you set up the Azure Migrate replication appliance as an VMware VM using the OVA template provided in the Azure Migrate hub, the appliance is set up with Windows Server 2016, and complies with the support requirements.

+Azure Private endpoints support application security groups for network security. Private endpoints can be associated with an existing ASG in your current infrastructure alongside virtual machines and other network resources.

+In this section, you will import a Postman collection containing a "buggy" workflow that you will fix in this tutorial.

+Reciprocal Rank Fusion (RRF) is an algorithm that evaluates the search scores from multiple, previously ranked results to produce a unified result set. In Azure Cognitive Search, RRF is used whenever there are two or more queries that execute in parallel. Each query produces a ranked result set, and RRF is used to merge and homogenize the rankings into a single result set, returned in the query response. Examples of scenarios where RRF is always used include [*hybrid search*](hybrid-search-overview.md) and multiple vector queries executing concurrently.

+1. Determine whether to use the default analyzer (`"analyzer": null`) or a different analyzer. [Analyzers](search-analyzers.md) are used to tokenize text fields during indexing and query execution.

+ For multi-lingual strings, consider a [language analyzer](index-add-language-analyzers.md).

+ For hyphenated strings or special characters, consider [specialized analyzers](index-add-custom-analyzers.md#built-in-analyzers). One example is [keyword](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/core/KeywordAnalyzer.html) that treats the entire contents of a field as a single token. This behavior is useful for data like zip codes, IDs, and some product names. For more information, see [Partial term search and patterns with special characters](search-query-partial-matching.md).

+Full text search is an approach in information retrieval that matches on plain text content stored in an index. For example, given a query string "hotels in San Diego on the beach", the search engine looks for content containing those terms. To make scans more efficient, query strings undergo lexical analysis: lower-casing all terms, removing stop words like "the", and reducing terms to primitive root forms. When matching terms are found, the search engine retrieves documents, ranks them in order of relevance, and returns the top results.

+Query execution can be complex. This article is for developers who need a deeper understanding of how full text search works in Azure Cognitive Search. For text queries, Azure Cognitive Search seamlessly delivers expected results in most scenarios, but occasionally you might get a result that seems "off" somehow. In these situations, having a background in the four stages of Lucene query execution (query parsing, lexical analysis, document matching, scoring) can help you identify specific changes to query parameters or index configuration that produce the desired outcome.

+In Azure Cognitive Search, a query is a read-only request against the docs collection of a single search index, with parameters that both inform query execution and shape the response coming back.

+ "top": "10",

+**Key points:**

+Parameters used to shape the response:

+Azure Cognitive Search supports query constructs for a broad range of scenarios, from free-form text search, to highly specified query patterns, to vector search. All queries execute over a search index that stores searchable content.

+| Query form | Parameter | Searchable content | Description |

+||--|-|

+| [full text search](search-lucene-query-architecture.md) | `search` | Inverted indexes of tokenized terms. | Full text queries iterate over inverted indexes that are structured for fast scans, where a match can be found in potentially any field, within any number of search documents. Text is analyzed and tokenized for full text search.|

+| [Vector search](vector-search-overview.md) | `vectors` | Vector indexes of generated embeddings. | Vector queries iterate over vector fields in a search index. |

+| [Hybrid search](hybrid-search-overview.md) | `search`, `vectors` | All of the above, in a single search index. | Combines text search and vector search in a single query request. Text search works on plain text content in "searchable" and "filterable" fields. Vector search works on content in vector fields. |

+| Others | `filters`, `facets`, `search=''&queryType=full` | Plain text and alphanumeric content.| Raw content, extracted verbatim from source documents, supporting filters and pattern matching queries like geo-spatial search, fuzzy search, and fielded search. |

+This article brings focus to queries that work on plain text and alphanumeric content, extracted intact from original source, used for filters and other specialized query forms.

+[Autocomplete or suggested results](search-add-autocomplete-suggestions.md) are alternatives to **`search`** that fire successive query requests based on partial string inputs (after each character) in a search-as-you-type experience. You can use **`autocomplete`** and **`suggestions`** parameter together or separately, as described in [this walkthrough](tutorial-csharp-type-ahead-and-suggestions.md), but you can't use them with **`search`**. Both completed terms and suggested queries are derived from index contents. The engine never returns a string or suggestion that is nonexistent in your index. For more information, see [Autocomplete (REST API)](/rest/api/searchservice/autocomplete) and [Suggestions (REST API)](/rest/api/searchservice/suggestions).

+> Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, [**2023-07-01-Preview REST APIs**](/rest/api/searchservice/index-preview), and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).

+Vector search is an approach in information retrieval that uses numeric representations of content for search scenarios. Because the content is numeric rather than plain text, the search engine matches on vectors that are the most similar to the query, with no requirement for matching on exact terms.

+You could also begin with the [vector quickstart](search-get-started-vector.md) or the [code samples on GitHub](https://github.com/Azure/cognitive-search-vector-pr).

+Vector support is in the Azure SDKs for [.NET](https://www.nuget.org/packages/Azure.Search.Documents/11.5.0-beta.4), [Python](https://pypi.org/project/azure-search-documents/11.4.0b8/), and [JavaScript](https://www.npmjs.com/package/@azure/search-documents/v/12.0.0-beta.2).

+Approximate Nearest Neighbor search (ANN) is a class of algorithms for finding matches in vector space. This class of algorithms employs different data structures or data partitioning methods to significantly reduce the search space to accelerate query processing. The specific approach depends on the algorithm. While this approach sacrifices some accuracy, these algorithms offer scalable and faster retrieval of approximate nearest neighbors, which makes them ideal for balancing accuracy and efficiency in modern information retrieval applications. You can adjust the parameters of your algorithm to fine-tune the recall, latency, memory, and disk footprint requirements of your search application.

+1. Provide a name for this token in the _Name_ field, for example *myfirstswadeployment*.

+1. Select an _Expiration_ for the token, the default is 30 days.

+1. You should see **Connect to this NFS share from Linux** along with sample commands to use NFS on your Linux distribution and a mounting script that contains the required mount options. For other recommended mount options, see [Mount NFS Azure file share on Linux](storage-files-how-to-mount-nfs-shares.md#mount-options).

+1. Select the **Backup** tab. By default, [backup is enabled](../../backup/backup-azure-files.md) when you create an Azure file share using the Azure portal. If you want to disable backup for the file share, uncheck the **Enable backup** checkbox. If you want backup enabled, you can either leave the defaults or create a new Recovery Services Vault in the same region and subscription as the storage account. To create a new backup policy, select **Create a new policy**.

+1. Select the **Backup** tab. By default, [backup is enabled](../../backup/backup-azure-files.md) when you create an Azure file share using the Azure portal. If you want to disable backup for the file share, uncheck the **Enable backup** checkbox. If you want backup enabled, you can either leave the defaults or create a new Recovery Services Vault in the same region and subscription as the storage account. To create a new backup policy, select **Create a new policy**.