-To get started, you'll need:

-## Create a Global Administrator in your Azure AD B2C tenant

-TheAccessHub Admin Tool permissions act on behalf of a Global Administrator to read user information and conduct changes in your Azure AD B2C tenant. Changes to your regular administrators won't affect TheAccessHub Admin Tool interaction with the tenant.

-To create a Global Administrator:

-9. To assign the Global Administrator role, for **User**, select the user's current role.

-10. Select the **Global Administrator** record.

-TheAccessHub Admin Tool uses the Microsoft Graph API to read and make changes to a directory. It acts as a Global Administrator in your tenant. Use the following instructions to add needed permissions.

-4. In the new window, sign in with your Global Administrator account. When you sign in for the first time with the new service account, a prompt to reset your password can appear.

-* **Connection URL**: enter a JDBC connection string, such as `jdbc:postgresql://myhost.com:5432/databasename`

-11. Sequence the number of checks. For example, check email first, then first and last name.

-1. Use the credentials N8ID provided to sign in to TheAccessHub Admin Tool.

-6. Use the instructions in [Create user flows](./tutorial-create-user-flows.md?pivots=b2c-custom-policy) to design custom policies in Azure AD B2C.

-|1. |A user attempts to sign in to the web application via their browser.|

-|2.|The web application redirects to Azure AD B2C sign-up and sign-in policy.|

-|3. |Azure AD B2C redirects the user for authentication to the Trusona Authentication Cloud OpenID Connect (OIDC) IdP.|

-|4. |The user is presented with a sign-in web page that asks for their username ΓÇô typically an email address.|

-|5. |The user enters their email address and selects the **Continue** button. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process.|

-|6. |The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.|

-|7. |The authentication assertion is returned to the Trusona cloud service for verification.|

-|8. |Once verified, Trusona Authentication Cloud (IdP) creates an OIDC ID token and then forwards it to Azure AD B2C (Service Provider). Azure AD B2C validates the signature of the token and the issuer against the values in the TrusonaΓÇÖs OpenID discovery document. These details were configured during IdP setup. Once verified, Azure AD B2C issues an OIDC id_token (depending on the scope) and redirects the user back to the initiating application with the token.|

-|9. |The web application (or the developer libraries it uses to implement authentication) retrieves the token and verifies the authenticity of the Azure AD B2C token. If thatΓÇÖs the case, it extracts the claims and pass them to the web application to consume.|

-|10. |Upon verification, user is granted/denied access.|

- The redirect URI is the endpoint to which the authorization server, Azure AD B2C in this case sends the user to. After completing its interaction with the user, an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like `https://contoso.com/auth-response`. For testing purposes like this tutorial, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like `https://localhost:5000`. You can add and modify redirect Uniform Resource Identifiers (URI) in your registered applications at any time.

- The following restrictions apply to redirect URIs:

-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.

-1. Fill out the form to map the IdP:

-2. Select **Run user flow**. You should be redirected to the Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username ΓÇô typically an email address. If the user's account isn't found in Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential. Azure AD B2C validates the Trusona authentication response and issues an OIDC token. It redirects the user back to the initiating application, for example, `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.

-To enable users to sign in using Trusona Authentication Cloud, you need to define Trusona as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user authentication using a passkey or a hardware security key available on their device, proving the userΓÇÖs identity.

-1. You should be redirected to Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username ΓÇô typically an email address. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.

-* France Central

-When you're deploying onto dedicated hardware (hosts), you're limited in scaling across all App Service plans to the number of cores in this type of environment. An App Service Environment that's deployed on dedicated hosts has 132 vCores available. I1v2 uses two vCores, I2v2 uses four vCores, and I3v2 uses eight vCores per instance. Only I1v2, I2v2, and I3v2 SKU sizes are available on App Service Environment deployed on dedicated hosts.

-**.cmd**, **.bat**, **.exe** (using Windows cmd)<br>**.ps1** (using PowerShell)<br>**.sh** (using Bash)<br>**.php** (using PHP)<br>**.py** (using Python)<br>**.js** (using Node.js)<br>**.jar** (using Java)<br><br>The necessary runtimes to run these file types are already installed on the web app instance.

-To recover a deleted App Configuration store the `Microsoft.AppConfiguration/configurationStores/write` permission is needed. The built-in "Owner" and "Contributor" roles contain this permission by default. The permission can be assigned at the subscription or resource group scope.

-To list deleted App Configuration stores, or get an individual store by name the `Microsoft.AppConfiguration/locations/deletedConfigurationStores/read` permission is needed. To purge a deleted App Configuration store the `Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action` permission is needed. The built-in "Owner" and "Contributor" roles contain these permissions by default. Permissions for reading and purging deleted App Configuration stores must be assigned at the subscription level. This is because deleted configuration stores exist outside of individual resource groups.

-In this tutorial, you adapt the [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master) to use with an Azure Cache for Redis instance instead. The original sample uses a Redis cache deployed as a container to your AKS cluster. Following some simple steps, you can configure the AKS sample voting application to connect to your Azure Cache for Redis instance.

-To run this sample locally, configure your user principal as a Redis User on your Redis instance. The code sample will use your user principal through (DefaultAzureCredential)[https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/?tabs=command-line#use-defaultazurecredential-in-an-application] to connect to Redis instance.

-Follow these [steps](/azure/aks/workload-identity-deploy-cluster) to configure a workload identity for your AKS cluster. Complete the following steps:

- - Enable OIDC issuer and workload identity

- - Skip the step to create user assigned managed identity if you already created your managed identity. If you create a new managed identity, ensure that you create a new Redis User for your managed identity and assign appropriate data access permissions.

- - Create a Kubernetes Service account annotated with the client ID of your user assigned managed identity

- - Create a federated identity credential for your AKS cluster.

-.NET apps undergoing a [migration from the in-process model to the isolated worker][isolated-migration] may encounter this event temporarily during that process. When `FUNCTIONS_WORKER_RUNTIME` is updated to "dotnet-isolated", but the application is still using an in-process model payload, this event may appear until the migration is completed. See the migration guidance for instructions on using deployment slots to prevent this event from appearing in your production environment.

-The event message indicates the current value of `FUNCTIONS_WORKER_RUNTIME` and the detected runtime metadata from the app payload. The values must be aligned, either by deploying an application of the appropriate type or by updating the value of `FUNCTIONS_WORKER_RUNTIME` to match.

-For most applications, the correct resolution is to update the value of [`FUNCTIONS_WORKER_RUNTIME`][fwr]. To do so, on your function app in Azure, set the `FUNCTIONS_WORKER_RUNTIME` [application setting][app-settings] to the [expected value][fwr] for your application payload. When running locally in the Azure Functions Core Tools, you should also add `FUNCTIONS_WORKER_RUNTIME` to the [local.settings.json file](../../functions-develop-local.md#local-settings-file).

-For apps following a migration guide, see that guide for relevant instructions. [Migrating .NET applications to the isolated worker model][isolated-migration] involves first setting `FUNCTIONS_WORKER_RUNTIME` to "dotnet-isolated" before deploying the updated application payload, and this event may appear temporarily between those steps.

-You can use a Bicep file or an Azure Resource Manager (ARM) template to automate the process of deploying your function app. During the deployment, you can use existing Azure resources or create new ones. Automation help's you with these scenarios:

-> The `WEBSITE_RUN_FROM_PACKAGE` app setting does not work with MSDeploy as described in [MSDeploy VS. ZipDeploy](https://github.com/projectkudu/kudu/wiki/MSDeploy-VS.-ZipDeploy). You will receive an error during deployment, such as `ARM-MSDeploy Deploy Failed`. To resolve this error, hange `/MSDeploy` to `/ZipDeploy`.

-|Applied Information Sciences, Inc.|

-To learn about how you can get started with ARM templates, see the following video.

-> [!VIDEO https://learn.microsoft.com/Shows/Azure-Enablement/How-and-why-to-learn-about-ARM-templates/player]

-# Supported server APIs of Socket.IO

- * [Microsoft Entra ID Authentication](#microsoft-entra-id-authentication-preview)

-## Microsoft Entra ID authentication (Preview)

-> Microsoft Entra ID Authentication support for SSH connections within the portal is in Preview and is currently being rolled out.

-Cost allocation doesn't affect your billing invoice. Billing responsibilities don't change. The primary purpose of cost allocation is to help you charge back costs to others. All chargeback processes happen in your organization outside of Azure. Cost allocation helps you charge back costs by showing them as the get reassigned or distributed.

-> The Red Hat Linux Enterprise software reservation plan and renewal are temporarily unavailable. Disregard any renewal emails until the plan is available.

- |**Basics** | Select the subscription where you want to apply your setting, and your [setting type](#sensor-setting-reference). <br><br>Enter a meaningful name and an optional description for your setting. |

- |**Setting** | Define the values for your selected setting type.<br>For details about the options available for each setting type, find your selected setting type in the [Sensor setting reference](#sensor-setting-reference) below. |

-## Sensor setting reference

-Use the following sections to learn more about the individual OT sensor settings available from the Azure portal:

-To focus the Azure device inventory on devices that are in your OT scope, you need to manually edit the subnet list to include only the locally monitored subnets that are in your OT scope.

-1. In the Azure portal, go to **Sites and sensors** > **Sensor settings**.

-

-## Configure a traffic mirroring port with Hyper-V

-Use Windows PowerShell or Hyper-V Manager to attach a SPAN virtual interface to the virtual switch you'd [created earlier](#configure-a-traffic-mirroring-port-with-hyper-v).

-1. Select the newly added SPAN virtual switch you'd configured [earlier](#configure-a-traffic-mirroring-port-with-hyper-v), and run the following command to add a new network adapter:

-1. In the **Hardware** list, under the **Network Adapter** drop-down list, select **Hardware Acceleration** and clear the **Virtual Machine Queue** option for the monitoring network interface.

-## Turn on Microsoft NDIS capture extensions

-Turn on support for [Microsoft NDIS Capture Extensions](/windows-hardware/drivers/network/capturing-extensions) for the virtual switch you'd [created earlier](#configure-a-traffic-mirroring-port-with-hyper-v).

-Configure the mirroring mode on the virtual switch you'd [created earlier](#configure-a-traffic-mirroring-port-with-hyper-v) so that the external port is defined as the mirroring source. This includes configuring the Hyper-V virtual switch (vSwitch_Span) to forward any traffic that comes to the external source port to a virtual network adapter configured as the destination.

-|**vSwitch_Span** | Name of the virtual switch you'd [created earlier](#configure-a-traffic-mirroring-port-with-hyper-v) |

-| **OT networks** | - [Add wildcards to allowlist domain names](#add-wildcards-allowlist-domain-names)<br> - [Added protocol](#added-protocol) <br> - [Improved OT sensor onboarding](#improved-ot-sensor-onboarding) |

-For more information, see [Sensor setting reference](configure-sensor-settings-portal.md#sensor-setting-reference).

-> - When you an Event Grid trigger to add an event subscription using an Azure function, Event Grid fetches the access key for the target function using Event Grid service principal's credentials. The permissions are granted to Event Grid when you register the Event Grid resource provider in their Azure subscription.

-Before you create the dataflow endpoint, assign a role to the managed identity that grants permission to write to the Fabric lakehouse. To learn more, see [Give access to a workspace](/fabric/get-started/give-access-workspaces).

- | Host | The hostname of the Kafka broker in the format `<HOST>.servicebus.windows.net`. |

- | Host | The hostname of the Kafka broker in the format `<HOST>.servicebus.windows.net`. |

-> The steps in this article prepare your cluster for a secure settings deployment, which is a longer but production-ready process. If you want to deploy Azure IoT Operations quickly and run a sample workload with only test settings, see the [Quickstart: Run Azure IoT Operations Preview in Github Codespaces with K3s](../get-started-end-to-end-sample/quickstart-deploy.md) instead.

-1. Get the `objectId` of the Microsoft Entra ID application that the Azure Arc service uses in your tenant.

-1. Get the `objectId` of the Microsoft Entra ID application that the Azure Arc service in your tenant uses and save it as an environment variable.

-> - [Quickstart: Run Azure IoT Operations Preview in Github Codespaces with K3s](../get-started-end-to-end-sample/quickstart-deploy.md)

-Follow the steps in [Quickstart: Run Azure IoT Operations Preview in Github Codespaces with K3s](../get-started-end-to-end-sample/quickstart-deploy.md) to deploy IoT Operations to the level 3 cluster.

-1. Fetch the `objectId` or `id` of the Microsoft Entra ID application that the Azure Arc service uses. The command you use depends on your version of Azure CLI:

-| [Azure Kubernetes Services Edge Essentials](/azure/aks/hybrid/aks-edge-overview) | This Kubernetes implementation runs at the Edge. It provides single- and multi-node Kubernetes clusters for a fault-tolerant Edge configuration. Both K3S and K8S are supported. It runs on embedded or PC-class hardware, like an industrial gateway. |

-| [Azure Storage](/azure/storage/common/storage-introduction) | This cloud service is used to manage the OPC UA certificate store and settings of the Edge Kubernetes workloads. |

-| [Azure Managed Grafana](/azure/managed-grafana/overview) | Azure Managed Grafana is a data visualization platform built on top of the Grafana software by Grafana Labs. Grafana is built as a fully managed service that is hosted and supported by Microsoft. |

-## A cloud-based OPC UA certificate store and persisted storage

-When manufacturers run OPC UA applications, their OPC UA configuration files, keys, and certificates must be persisted. While Kubernetes has the ability to persist these files in volumes, a safer place for them is the cloud, especially on single-node clusters where the volume would be lost when the node fails. This scenario is why the OPC UA applications used in this solution store their configuration files, keys, and certificates in the cloud. This approach also has the advantage of providing a single location for mutually trusted certificates for all OPC UA applications.

-You can read OPC UA Information Models directly from Azure Data Explorer. You can do this by importing the OPC UA nodes defined in the OPC UA Information Model into a table for lookup of more metadata within queries.

-First, configure an Azure Data Explorer (ADX) callout policy for the UA Cloud Library by running the following query on your ADX cluster (make sure you're an ADX cluster administrator, configurable under Permissions in the ADX tab in the Azure portal):

-For best results, change the `Layout` option to `Grouped` and the `Lables` to `name`.

-This reference implementation implements a "digital feedback loop", specifically triggering a command on one of the OPC UA servers in the simulation from the cloud, based on time-series data reaching a certain threshold (the simulated pressure). You can see the pressure of the assembly machine in the Seattle production line being released on regular intervals in the Azure Data Explorer dashboard.

-Clicking on the button deploys all required resources on Microsoft Azure:

-During deployment, you must provide a password for a VM used to host the production line simulation and for UA Cloud Twin. The password must have three of the following attributes: One lower case character, one upper case character, one number, and one special character. The password must be between 12 and 72 characters long.

-> To save cost, the deployment deploys just a single Windows 11 Enterprise VM for both the production line simulation and the base OS for the Azure Kubernetes Services Edge Essentials instance. In production scenarios, the production line simulation isn't required and for the base OS for the Azure Kubernetes Services Edge Essentials instance, we recommend Windows IoT Enterprise Long Term Servicing Channel (LTSC).

-Once the deployment completes, connect to the deployed Windows VM with an RDP (remote desktop) connection. You can download the RDP file in the [Azure portal](https://portal.azure.com) page for the VM, under the **Connect** options. Sign in using the credentials you provided during deployment, open an **Administrator Powershell window**, navigate to the `C:\ManufacturingOntologies-main\Deployment` directory, and run:

-```azurepowershell

-New-AksEdgeDeployment -JsonConfigFilePath .\aksedge-config.json

-After the command is finished, your Azure Kubernetes Services Edge Essentials installation is complete and you can run the production line simulation.

-> [!TIP]

-> To get logs from all your Kubernetes workloads and services at any time, run `Get-AksEdgeLogs` from an **Administrator Powershell window**.

->

-> To check the memory utilization of your Kubernetes cluster, run `Invoke-AksEdgeNodeCommand -Command "sudo cat /proc/meminfo"` from an **Administrator Powershell window**.

-From the deployed VM, open a **Windows command prompt**. Navigate to the `C:\ManufacturingOntologies-main\Tools\FactorySimulation` directory and run the **StartSimulation** command by supplying the following parameters:

-```console

- StartSimulation <EventHubsCS> <StorageAccountCS> <AzureSubscriptionID> <AzureTenantID>

-Parameters:

-| Parameter | Description |

-| | - |

-| EventHubCS | Copy the Event Hubs namespace connection string as described [here](/azure/event-hubs/event-hubs-get-connection-string). |

-| StorageAccountCS | In the Azure portal, navigate to the Storage Account created by this solution. Select "Access keys" from the left-hand navigation menu. Then, copy the connection string for key1. |

-| AzureSubscriptionID | In Azure portal, browse your Subscriptions and copy the ID of the subscription used in this solution. |

-| AzureTenantID | In Azure portal, open the Microsoft Entry ID page and copy your Tenant ID. |

-The following example shows the command with all parameters:

-```console

- StartSimulation Endpoint=sb://ontologies.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abcdefgh= DefaultEndpointsProtocol=https;AccountName=ontologiesstorage;AccountKey=abcdefgh==;EndpointSuffix=core.windows.net <your-subscription-id> <your-tenant-id>

-> If you have access to several Azure subscriptions, it's worth first logging into the Azure portal from the VM through the web browser. You can also switch Active Directory tenants through the Azure portal UI (in the top-right-hand corner), to make sure you're logged in to the tenant used during deployment. Once logged in, leave the browser window open. This ensures that the StartSimulation script can more easily connect to the right subscription.

->

-> In this solution, the OPC UA application certificate store for UA Cloud Publisher, and the simulated production line's MES and individual machines' store, is located in the cloud in the deployed Azure Storage account.

-## Enable the Kubernetes cluster for management via Azure Arc

-1. On your virtual machine, open an **Administrator PowerShell window**. Navigate to the `C:\ManufacturingOntologies-main\Deployment` directory and run `CreateServicePrincipal`. The two parameters `subscriptionID` and `tenantID` can be retrieved from the Azure portal.

-1. Run `notepad aksedge-config.json` and provide the following information:

- | Attribute | Description |

- | | |

- | Location | The Azure location of your resource group. You can find this location in the Azure portal under the resource group that was deployed for this solution, but remove the spaces in the name! Currently supported regions are eastus, eastus2, westus, westus2, westus3, westeurope, and northeurope. |

- | SubscriptionId | Your subscription ID. In the Azure portal, select on the subscription you're using and copy/paste the subscription ID. |

- | TenantId | Your tenant ID. In the Azure portal, select on Azure Active Directory and copy/paste the tenant ID. |

- | ResourceGroupName | The name of the Azure resource group that was deployed for this solution. |

- | ClientId | The name of the Azure Service Principal previously created. Azure Kubernetes Services uses this service principal to connect your cluster to Arc. |

- | ClientSecret | The password for the Azure Service Principal. |

-1. Save the file, close the PowerShell window, and open a new **Administrator Powershell window**. Navigate back to the `C:\ManufacturingOntologies-main\Deployment` directory and run `SetupArc`.

-You can now manage your Kubernetes cluster from the cloud via the newly deployed Azure Arc instance. In the Azure portal, browse to the Azure Arc instance and select Workloads. The required service token can be retrieved via `Get-AksEdgeManagedServiceToken` from an **Administrator Powershell window** on your virtual machine.

-Make sure you have already started the production line simulation and enabled the Kubernetes Cluster for management via Azure Arc as described in the previous paragraphs. Then, follow these steps:

-1. From the Azure portal, navigate to the Key Vault deployed in this reference solution and add your own identity to the access policies by clicking `Access policies`, `Create`, select the `Keys, Secrets & Certificate Management` template, select `Next`, search for and select your own user identity, select `Next`, leave the Application section blank, select `Next` and finally `Create`.

-1. Enable custom locations for your Arc-connected Kubernetes cluster (called ontologies_cluster) by first logging in to your Azure subscription via `az login` from an **Administrator PowerShell Window** and then running `az connectedk8s enable-features -n "ontologies_cluster" -g "<resourceGroupName>" --features cluster-connect custom-locations`, providing the `resourceGroupName` from the reference solution deployed.

-1. From the Azure portal, deploy Azure IoT Operations by navigating to your Arc-connected kubernetes cluster, select on `Extensions`, `Add`, select `Azure IoT Operations`, and select `Create`. On the Basic page, leave everything as-is. On the Configuration page, set the `MQ Mode` to `Auto`. You don't need to deploy a simulated Programmable Logic Controller (PLC), as this reference solution already contains a much more substantial production line simulation. On the Automation page, select the Key Vault deployed for this reference solution and then copy the `az iot ops init` command automatically generated. From your deployed VM, open a new **Administrator PowerShell Window**, sign in to the correct Azure subscription by running `az login` and then run the `az iot ops init` command with the arguments from the Azure portal. Once the command completes, select `Next` and then close the wizard.

-## Configuring OPC UA security and connectivity for Azure IoT Operations

-Make sure you successfully deployed Azure IoT Operations and all Kubernetes workloads are up and running by navigating to the Arc-enabled Kubernetes resource in the Azure portal.

-1. From the Azure portal, navigate to the Azure Storage deployed in this reference solution, open the `Storage browser` and then `Blob containers`. Here you can access the cloud-based OPC UA certificate store used in this solution. Azure IoT Operations uses Azure Key Vault as the cloud-based OPC UA certificate store so the certificates need to be copied:

- 1. From within the Azure Storage browser's Blob containers, for each simulated production line, navigate to the app/pki/trusted/certs folder, select the assembly, packaging, and test cert file and download it.

- 1. Sign in to your Azure subscription via `az login` from an **Administrator PowerShell Window** and then run `az keyvault secret set --name "<stationName>-der" --vault-name <keyVaultName> --file .<stationName>.der --encoding hex --content-type application/pkix-cert`, providing the `keyVaultName` and `stationName` of each of the 6 stations you downloaded a .der cert file for in the previous step.

-1. From the deployed VM, open a **Windows command prompt** and run `kubectl apply -f secretsprovider.yaml` with the updated secrets provider resource file provided in the `C:\ManufacturingOntologies-main\Tools\FactorySimulation\Station` directory, providing the Key Vault name, the Azure tenant ID, and the station cert file names and aliases you uploaded to Azure Key Vault previously.

-1. From a web browser, sign in to https://iotoperations.azure.com, pick the right Azure directory (top right hand corner) and start creating assets from the production line simulation. The solution comes with two production lines (Munich and Seattle) consisting of three stations each (assembly, test, and packaging):

- 1. For the asset endpoints, enter opc.tcp://assembly.munich in the OPC UA Broker URL field for the assembly station of the Munich production line, etc. Select `Do not use transport authentication certificate` (OPC UA certificate-based mutual authentication between Azure IoT Operations and any connected OPC UA server is still being used).

- 1. For the asset tags, select `Import CSV file` and open the `StationTags.csv` file located in the `C:\ManufacturingOntologies-main\Tools\FactorySimulation\Station` directory.

-1. From the Azure portal, navigate to the Azure Storage deployed in this reference solution, open the `Storage browser` and then `Blob containers`. For each production line simulated, navigate to the `app/pki/rejected/certs` folder and download the Azure IoT Operations certificate file. Then delete the file. Navigate to the `app/pki/trusted/certs` folder and upload the Azure IoT Operations certificate file to this directory.

-1. From the deployed VM, open a **Windows command prompt** and restart the production line simulation by navigating to the `C:\ManufacturingOntologies-main\Tools\FactorySimulation` directory and run the **StopSimulation** command, followed by the **StartSimulation** command.

-1. Follow the instructions as described [here](/azure/iot-operations/get-started/quickstart-add-assets#verify-data-is-flowing) to verify that data is flowing from the production line simulation.

-1. As the last step, connect Azure IoT Operations to the Event Hubs deployed in this reference solution as described [here](/azure/iot-operations/connect-to-cloud/howto-configure-kafka).

-> If you want to display the OEE for a specific shift, select `Custom Time Range` in the `Time Range` drop-down in the top-left hand corner of the ADX Dashboard and enter the date and time from start to end of the shift you're interested in.

-## Use Azure Managed Grafana Service

-You can also use Grafana to create a dashboard on Azure for the solution described in this article. Grafana is used within manufacturing to create dashboards that display real-time data. Azure offers a service named Azure Managed Grafana. With this, you can create cloud dashboards. In this configuration manual, you enable Grafana on Azure and you create a dashboard with data that is queried from Azure Data Explorer and Azure Digital Twins service, using the simulated production line data from this reference solution.

-### Enable Azure Managed Grafana Service

-1. Go to the Azure portal and search for the service 'Grafana' and select the 'Azure Managed Grafana' service.

-1. Go to 'Dashboard' and select 'Import'.

-1. Select the source that you have downloaded and select on 'Save'. You get an error on the page, because two variables aren't set yet. Go to the settings page of the dashboard.

-1. Select on the left on 'Variables' and update the two URLs with the URL of your Azure Digital Twins Service.

-1. Sign in to your Grafana service, and select Alert rules in the menu.

-1. Select 'Create alert rule'.

-1. Give your alert a name and select 'Azure Data Explorer' as data source. Select query in the navigation pane.

-1. In the query field, enter the following query. In this example, we use the 'Seattle' production line.

-1. Select 'table' as output.

-1. Select the 'Save and exit' button.

-In the overview of your alerts, you can now see an alert being triggered when your OEE is below '10'.

-## Connecting the reference solution to Microsoft Power BI

-1. From Power BI, create a new report and select Azure Data Explorer time-series data as a data source via `Get data` -> `Azure` -> `Azure Data Explorer (Kusto)`.

-1. In the popup window, enter the Azure Data Explorer endpoint of your instance (for example `https://erichbtest3adx.eastus2.kusto.windows.net`), the database name (`ontologies`) and the following query:

-1. Select `Load`. This imports the actual cycle time of the Assembly station of the Munich production line for the last hour.

-1. From the `Data view`, select the NodeValue column and select `Don't summarize` in the `Summarization` menu item.

-1. Under `Visualizations`, select the `Line Chart` visualization.

-1. Under `Visualizations`, move the `Timestamp` from the `Data` source to the `X-axis`, select on it and select `Timestamp`.

-1. Under `Visualizations`, move the `NodeValue` from the `Data` source to the `Y-axis`, select on it and select `Median`.

-## Connecting the reference solution to Microsoft Dynamics 365 Field Service

-First, if you're not already a Dynamics 365 Field Service customer, activate a 30 day trial [here](https://dynamics.microsoft.com/field-service/field-service-management-software/free-trial). Remember to use the same Microsoft Entra ID (formerly Azure Active Directory) used while deploying the Manufacturing Ontologies reference solution. Otherwise, you would need to configure cross tenant authentication that isn't part of these instructions!

-2. Give the Azure Logic App a name, place it in the same resource group as the Manufacturing Ontologies reference solution.

-3. Select on 'Workflows'.

-5. Create a new trigger. We start with creating a 'Recurrence' trigger. This checks the database every day if new assets are created. You can change this to happen more often.

-6. In actions, search for `Azure Data Explorer` and select the `Run KQL query` command. Within this query, we check what kind of assets we have. Use the following query to get assets and paste it in the query field:

-1. We first need to create an Azure Data Explorer function to get the right data. Go to your Azure Data Explorer query panel in the Azure portal and run the following code to create a FaultyFieldAssets function:

-2. Create a new workflow in Azure Logic App. Create a 'Recurrence' trigger to start - every 3 minutes. Create as action 'Azure Data Explorer' and select the Run KQL Query.

-4. Select Microsoft Dataverse as action.

-[Version 1](inbound-nat-rules.md) is the legacy approach for assigning an Azure Load BalancerΓÇÖs frontend port to each backend instance. Rules are applied to the backend instanceΓÇÖs network interface card (NIC). For Azure Virtual Machine Scale Sets (VMSS) instances, inbound NAT rules are automatically created/deleted as new instances are scaled up/down. For VMSS instanes use the `Inbound NAT Pool` property to manage Inbound NAT rules version 1.

-The easiest way to identify if your deployments are using version 1 of the feature is by inspecting the load balancerΓÇÖs configuration. If either the `InboundNATPool` property or the `backendIPConfiguration` property within the `InboundNATRule` configuration is populated, then the deployment is version 1 of Inbound NAT rules.

-The tool discovers application technology usage through static code analysis, provides effort estimation, and accelerates code replatforming, helping you to prioritize and move Java applications to Azure. With a set of engines and rules, it can discover and assess different technologies such as Java 11, Java 17, Jakarta EE, Spring, Hibernate, Java Message Service (JMS), and more. It then helps you replatform the Java application to different Azure targets (Azure App Service, Azure Kubernetes Service, Azure Container Apps, and Azure Spring Apps) with specific Azure replatforming rules.

-| Azure Spring Apps | Best practices for deploying an app to Azure Spring Apps. | `azure-spring-apps` |

-* Eclipse TemurinΓäó JDK 11

-* Eclipse TemurinΓäó JDK 17

- azure-spring-apps

-* `targetTechnology`: The technology that the rule targets. In this case, the rule is targeting Azure App Services, Azure Kubernetes Service (AKS), Azure Spring Apps, and Azure Container Apps.

- <targetTechnology id="azure-spring-apps"/>

-To configure the app backend, locate the **/NotificationHub.Sample.API/appsettings.json** file and configure the SQL Server connection string:

-```json

-"ConnectionStrings": {

- "SQLServerConnectionString": "Server=tcp:<SERVER_NAME>,1433;Initial Catalog=<DB_NAME>;Persist Security Info=False;User ID=<DB_USER_NAME>;Password=<PASSWORD>;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"

- },

-```

-Replace `<SERVER_NAME>` with the name of your SQL server, `<DB_NAME>` with your deployed database URL, `<DB_USER_NAME>` with configured username, and `<PASSWORD>` with the configured password.

-SAP offers [Private Link Service](https://blogs.sap.com/2022/06/22/sap-private-link-service-on-azure-is-now-generally-available-ga/) for customers using SAP BTP on Azure. The SAP Private Link Service connects SAP BTP services through a private IP range into customerΓÇÖs Azure network and thus accessible privately through the private link service instead of through the Internet. Contact SAP for availability of this service for SAP RISE/ECS workloads.

-> - Microsoft supports only the Microsoft Sentinel-provided Logstash output plugin discussed here. The current plugin is named **[microsoft-sentinel-log-analytics-logstash-output-plugin](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin)**, v1.1.0. You can [open a support ticket](https://portal.azure.com/#create/Microsoft.Support) for any issues regarding the output plugin.

- - 8.11 - 8.13

-Microsoft Sentinel inherits the Azure Monitor [tamper-proofing and immutability](/azure/azure-monitor/logs/data-security#tamper-proofing-and-immutability) practices. While Azure Monitor is an append-only data platform, it includes provisions to delete data for compliance purposes

-Before you can use that connection string, you'll need to convert it to RabbitMQ's AMQP connection format. So go to the [connection string converter tool](https://amqpconnconverter.github.io/) and paste your connection string in the form, click convert. You'll get a connection string that's RabbitMQ ready. (That website runs everything local in your browser so your data isn't sent over the wire). You can access its source code on [GitHub](https://github.com/amqpconnconverter/amqpconnconverter.github.io).

-Then on the `destination` side of things, choose `AMQP 1.0` as the protocol. In the `URI` field, enter the connecting string that you got from the previous step, were you converted your Azure connection string to the RabbitMQ format. It should look like this:

-6. Convert the Azure Service Bus connection string to RabbitMQ's AMQP format

-1. On the **Managed components** tab, select **Enable Spring Cloud Config Server (preview)**.

-1. On the **Review an create** tab, make sure that **Enable Spring Cloud Config Server (preview)** is set to **Yes**. Select **Create** to create the Enterprise plan instance.

-| [Customer-managed planned failover (preview)](../common/storage-disaster-recovery-guidance.md#customer-managed-planned-failover-preview) | &#x1F7E6; | &#x1F7E6; | &nbsp;&#x2B24; | &nbsp;&#x1F7E6; |

-| [Customer-managed (unplanned) failover](../common/storage-disaster-recovery-guidance.md#customer-managed-unplanned-failover) | &#x2705; | &#x1F7E6; | &nbsp;&#x2B24; | &nbsp;&#x1F7E6; |

->[!NOTE]

-> - Autoscale support for Azure Stack HCI with Azure Virtual Desktop is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-### [Portal](#tab/portal)

- > [!NOTE]

- > You can't change the capacity threshold here. Instead, the setting you entered in **Ramp-up** will carry over to this setting.

- > [!IMPORTANT]

- > - If you've enabled autoscale to force users to sign out during ramp-down, the feature will choose the session host with the lowest number of user sessions (active and disconnected) to shut down. Autoscale will put the session host in drain mode, send those user sessions a notification telling them they'll be signed out, and then sign out those users after the specified wait time is over. After autoscale signs out those user sessions, it then deallocates the VM.

- >

- > - If you haven't enabled forced sign out during ramp-down, you then need to choose whether you want to shut down ΓÇÿVMs have no active or disconnected sessionsΓÇÖ or ΓÇÿVMs have no active sessionsΓÇÖ during ramp-down.

- >

- > - Whether youΓÇÖve enabled autoscale to force users to sign out during ramp-down or not, the [capacity threshold](autoscale-glossary.md#capacity-threshold) and the [minimum percentage of hosts](autoscale-glossary.md#minimum-percentage-of-hosts) are still respected, autoscale will only shut down VMs if all existing user sessions (active and disconnected) in the host pool can be consolidated to fewer VMs without exceeding the capacity threshold.

- >

- > - You can also configure a time limit policy that will apply to all phases to sign out all disconnected users to reduce the [used host pool capacity](autoscale-glossary.md#used-host-pool-capacity). For more information, see [Configure a time limit policy](#configure-a-time-limit-policy).

- > [!NOTE]

- > We highly recommend that you enable Start VM on Connect if you choose not to start your VMs during the ramp-up phase.

-### [PowerShell](#tab/powershell)

-### [Portal](#tab/portal)

-### [PowerShell](#tab/powershell)

-### [Portal](#tab/portal)

-### [PowerShell](#tab/powershell)

-Learn about Azure Virtual Desktop (formerly Windows Virtual Desktop), why it's unique, and what's new in this video:

-> [!IMPORTANT]

-> Start VM on Connect for Azure Stack HCI with Azure Virtual Desktop is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-description: Learn how to onboard a custom IPv6 address prefix using the Azure portal, Azure CLI, or PowerShell.

-# Create a custom IPv6 address prefix

-A custom IPv6 address prefix enables you to bring your own IPv6 ranges to Microsoft and associate it to your Azure subscription. The range would continue to be owned by you, though Microsoft would be permitted to advertise it to the Internet. A custom IP address prefix functions as a regional resource that represents a contiguous block of customer owned IP addresses.

-The steps in this article detail the process to:

-* Prepare a range to provision

-* Provision the range for IP allocation

-* Enable the IPv6 range to be advertised by Microsoft

-For this article, choose between the Azure portal, Azure CLI, or PowerShell to create a custom IPv6 address prefix.

-If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure

-### Create and provision a custom IP address prefix

- | Availability Zones | Select **Zone-redundant**. |

-After the global custom IP prefix is in a **Provisioned** state, regional custom IP prefixes can be created. These ranges must always be of size /64 to be considered valid. The ranges can be created in any region (it doesn't need to be the same as the global custom IP prefix), keeping in mind any geolocation restrictions associated with the original global range. The "children" custom IP prefixes will be advertised locally from the region they're created in. Because the validation is only done for global custom IP prefix provision, no Authorization or Signed message is required. (Because these ranges will be advertised from a specific region, zones can be utilized.)

-| Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

-| ROA expiration date | Enter your ROA expiration date in the **yyyymmdd** format. |

-After the global custom IP prefix is in a **Provisioned** state, regional custom IP prefixes can be created. These ranges must always be of size /64 to be considered valid. The ranges can be created in any region (it doesn't need to be the same as the global custom IP prefix), keeping in mind any geolocation restrictions associated with the original global range. The *children* custom IP prefixes are advertised locally from the region they're created in. Because the validation is only done for global custom IP prefix provision, no Authorization or Signed message is required. (Because these ranges are advertised from a specific region, zones can be utilized.)

-After the global custom IP prefix is in a **Provisioned** state, regional custom IP prefixes can be created. These ranges must always be of size /64 to be considered valid. The ranges can be created in any region (it doesn't need to be the same as the global custom IP prefix), keeping in mind any geolocation restrictions associated with the original global range. The "children" custom IP prefixes will be advertised locally from the region they're created in. Because the validation is only done for global custom IP prefix provision, no Authorization or Signed message is required. (Because these ranges will be advertised from a specific region, zones can be utilized.)

-description: Learn how to onboard a custom IP address prefix using the Azure portal

-mai Last updated 07/25/2024

-# Create a custom IPv4 address prefix using the Azure portal

-A custom IPv4 address prefix enables you to bring your own IPv4 ranges to Microsoft and associate it to your Azure subscription. You maintain ownership of the range while Microsoft would be permitted to advertise it to the Internet. A custom IP address prefix functions as a regional resource that represents a contiguous block of customer owned IP addresses.

-The steps in this article detail the process to:

-* Prepare a range to provision

-* Provision the range for IP allocation

-* Enable the range to be advertised by Microsoft

- - A sample customer range (1.2.3.0/24) is used for this example. This range won't be validated by Azure. Replace the example range with yours.

- - A sample customer range (1.2.3.0/24) is used for this example. This range won't be validated by Azure. Replace the example range with yours.

- - A sample customer range (1.2.3.0/24) is used for this example. This range won't be validated by Azure. Replace the example range with yours.

-## Provisioning steps

-## Create and provision a custom IP address prefix

-## Create a public IP prefix from custom IP prefix

-10. Repeat steps 1-5 to return to the **Overview** page for **myCustomIPPrefix**. You see **myPublicIPPrefix** listed under the **Associated public IP prefixes** section. You can now allocate standard SKU public IP addresses from this prefix. For more information, see [Create a static public IP address from a prefix](manage-public-ip-address-prefix.md#create-a-static-public-ip-address-from-a-prefix).

-## Commission the custom IP address prefix

-The operation is asynchronous. You can check the status by reviewing the **Commissioned state** field for the custom IP prefix. Initially, the status will show the prefix as **Commissioning**, followed in the future by **Commissioned**. The advertisement rollout isn't binary and the range will be partially advertised while still in the **Commissioning** status.

-# [Azure CLI](#tab/azurecli/)

-> Clean up or delete steps aren't shown on this page given the nature of the resource. For information on removing a provisioned custom IP prefix, see [Manage custom IP prefix](manage-custom-ip-address-prefix.md).

-### Provision a custom IP address prefix

-> After the custom IP prefix is in a **Provisioned** state, a child public IP prefix can be created. These public IP prefixes and any public IP addresses can be attached to networking resources. For example, virtual machine network interfaces or load balancer front ends. The IPs won't be advertised and therefore won't be reachable. For more information on a migration of an active prefix, see [Manage a custom IP prefix](manage-custom-ip-address-prefix.md).

-### Commission the custom IP address prefix

-As before, the operation is asynchronous. Use [az network custom-ip prefix show](/cli/azure/network/custom-ip/prefix#az-network-custom-ip-prefix-show) to retrieve the status. The **CommissionedState** field will initially show the prefix as **Commissioning**, followed in the future by **Commissioned**. The advertisement rollout isn't binary and the range will be partially advertised while still in **Commissioning**.

-# [Azure PowerShell](#tab/azurepowershell/)

-> Clean up or delete steps aren't shown on this page given the nature of the resource. For information on removing a provisioned custom IP prefix, see [Manage custom IP prefix](manage-custom-ip-address-prefix.md).

-### Provision a custom IP address prefix

-Sample output is shown below, with some fields removed for clarity:

-### Commission the custom IP address prefix

-As before, the operation is asynchronous. Use [Get-AzCustomIpPrefix](/powershell/module/az.network/get-azcustomipprefix) to retrieve the status. The **CommissionedState** field will initially show the prefix as **Commissioning**, followed in the future by **Commissioned**. The advertisement rollout isn't binary and the range will be partially advertised while still in **Commissioning**.

-* A custom IPv4 prefix must be associated with a single Azure region.

-* You can bring a maximum of five prefixes per region to Azure.

-* A custom IPv4 Prefix must be between /21 and /24; a global (parent) custom IPv6 prefix must be /48.

-* Custom IP prefixes don't support Reverse DNS lookup using Azure-owned zones; customers must onboard their own Reverse Zones to Azure DNS

-> There are several differences between how custom IPv4 and IPv6 prefixes are onboarded and utilized. For more information, see [Differences between using BYOIPv4 and BYOIPv6](create-custom-ip-address-prefix-ipv6-portal.md#differences-between-using-byoipv4-and-byoipv6).

-When a custom IP prefix is in **Provisioned**, **Commissioning**, or **Commissioned** state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range.

-|CLI|[az network public-ip prefix create](/cli/azure/network/public-ip/prefix#az-network-public-ip-prefix-create)|

-### Use the regional commissioning feature

-When a custom IP prefix transitions to a fully **Commissioned** state, the range is being advertised with Microsoft from the local Azure region and globally to the Internet by Microsoft's wide area network. If the range is currently being advertised to the Internet from a location other than Microsoft at the same time, there's the potential for BGP routing instability or traffic loss. In order to ease the transition for a range that is currently "live" outside of Azure, you can utilize a *regional commissioning* feature, which places an onboarded range into a **CommissionedNoInternetAdvertise** state where it's only advertised from within a single Azure region. This state allows for testing of all the attached infrastructure from within this region before advertising this range to the Internet, and fits well with Method 1 in the previous section.

-A custom IP prefix must be clear of public IP prefixes before it can be put into **Decommissioning** state. To ease a migration, you can reverse the regional commissioning feature. You can change a globally commissioned range back to a regionally commissioned status. This change allows you to ensure the range is no longer advertised beyond the scope of a single region before removing any public IP addresses from their respective resources.

-Yes - there are multiple differences for provisioning and commissioning when using BYOIPv6. For more information, see [Create a custom IPv6 address prefix - PowerShell](create-custom-ip-address-prefix-ipv6-portal.md).

-| **[PowerBI](/power-bi/enterprise/service-premium-service-tags)** | Power BI platform backend services and API endpoints.<br/><br/>**Note:** does not include frontend endpoints at the moment (e.g., app.powerbi.com).<br/><br/>Access to frontend endpoints should be provided through AzureCloud tag (Outbound, HTTPS, can be regional). | Both | No | Yes |